mohamed.fawzy | 26 Apr 2011 14:18

help

Hello everybody,

I need your help with an issue related to monitoring the traffic on a Juniper SSG520 NetScreen firewall, because sometimes I find a huge amount of traffic coming to me,
so I want to monitor the inbound and outbound traffic of my firewall device. I want to know who accesses which site. Please reply to me.

Thanks


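A worked example, added here and not part of the question above or of any Juniper tool: the usual way to answer "who accesses which site" and "where is the big traffic coming from" on a NetScreen is to send the per-policy traffic log to syslog and aggregate it offline. The script below parses ScreenOS-style traffic-log lines and ranks source hosts and (source, destination, service) pairs by bytes. The sample lines are constructed, and the field names it relies on (src, dst, sent, rcvd, service, action) are an assumption about the key=value format; check them against a real line from your own device before trusting the totals.

```python
import re
from collections import defaultdict

# Constructed sample in the key=value style of ScreenOS traffic-log
# syslog messages. The field names used below (src, dst, sent, rcvd,
# service, action) are an assumption about that format; compare them
# with a real line from your own device before trusting the numbers.
SAMPLE_LOG = """\
NetScreen device_id=ssg520 [Root]system-notification-00257(traffic): start_time="2011-04-26 14:00:01" duration=30 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1200 rcvd=845000 src=10.1.1.20 dst=203.0.113.10 src_port=51000 dst_port=80 session_id=100001
NetScreen device_id=ssg520 [Root]system-notification-00257(traffic): start_time="2011-04-26 14:00:05" duration=12 policy_id=1 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=3400 rcvd=22000 src=10.1.1.21 dst=203.0.113.20 src_port=51001 dst_port=443 session_id=100002
NetScreen device_id=ssg520 [Root]system-notification-00257(traffic): start_time="2011-04-26 14:00:09" duration=300 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=9000 rcvd=52000000 src=10.1.1.20 dst=203.0.113.10 src_port=51002 dst_port=80 session_id=100003
NetScreen device_id=ssg520 [Root]system-notification-00257(traffic): start_time="2011-04-26 14:00:11" duration=0 policy_id=2 service=smtp proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=198.51.100.7 dst=10.1.1.5 src_port=40000 dst_port=25 session_id=100004
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_traffic_line(line):
    """Return the key=value fields of one traffic-log line as a dict,
    or None if the line is not a traffic notification."""
    if "(traffic)" not in line:
        return None
    # "src zone=" / "dst zone=" contain a space; normalise them so the
    # generic key=value regex does not lose the src/dst prefix.
    line = line.replace("src zone=", "src_zone=").replace("dst zone=", "dst_zone=")
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def summarize(lines):
    """Bytes per (src, dst, service) and per source host for permitted
    sessions, plus a count of denied sessions."""
    by_pair, by_src, denied = defaultdict(int), defaultdict(int), 0
    for line in lines:
        f = parse_traffic_line(line)
        if f is None:
            continue
        if f.get("action") != "Permit":
            denied += 1
            continue
        total = int(f.get("sent", 0)) + int(f.get("rcvd", 0))
        by_pair[(f["src"], f["dst"], f.get("service", "?"))] += total
        by_src[f["src"]] += total
    return by_pair, by_src, denied


def top_talkers(lines, n=5):
    """Highest-volume (src, dst, service) pairs and source hosts."""
    by_pair, by_src, denied = summarize(lines)
    pairs = sorted(by_pair.items(), key=lambda kv: kv[1], reverse=True)[:n]
    srcs = sorted(by_src.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return pairs, srcs, denied


if __name__ == "__main__":
    # Against a real file: top_talkers(open("/var/log/netscreen.log"))
    pairs, srcs, denied = top_talkers(SAMPLE_LOG.splitlines())
    for (src, dst, svc), b in pairs:
        print(f"{src:>15} -> {dst:<15} {svc:<6} {b:>12,} bytes")
    for src, b in srcs:
        print(f"{src:>15} total {b:>12,} bytes")
    print(f"{denied} denied session(s)")
```

Traffic logging on ScreenOS is enabled per policy, so a policy that is not logging produces no lines and its users will not appear in the ranking; denied sessions are counted separately because they carry no byte counts.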
eisenpony | 25 Jun 2009 21:47

Strange Routing Behaviour


Hi, I'm quite new to Netscreens and am experiencing what seems to be a
strange routing / policy problem. I have a Netscreen acting as main firewall
and NAT to my internal network 10.0.0.0/24. Netscreens IP is 10.0.0.1

I have several remote networks which service home users.
10.0.50.0/24
10.0.51.0/24
10.0.52.0/24

They use cheap Linksys VPN routers (RVS4000) which have ip address
10.0.XX.1. They are used to open a VPN tunnel to another Linksys router
10.0.0.2.

The Netscreen TrustVR routing table is configured such that
10.0.0.0/24 --> ethernet 1
10.0.50.0/24 --> 10.0.0.2 ethernet 1
10.0.51.0/24 --> 10.0.0.2 ethernet 1
10.0.52.0/24 --> 10.0.0.2 ethernet 1

From my workstation on the 10.0.0.0/24 subnet (10.0.0.20) I am able to ping
any of the remote workstations (10.0.XX.20). I'm also able to use the
Microsoft RDP protocol to log in to the remote workstations remotely.
However, if I try to access any domain resources (domain controller for
credential services, File Share, etc...) they are not available.

I know this isn't a lot to go on, but is anyone aware of a reason ping, and
RDP might work, while LDAP, WMI, and File Sharing do not?

I'm quite certain the Netscreen is the problem, as the issues first
manifested the day after it was replaced.
--

-- 
View this message in context: http://www.nabble.com/Strange-Routing-Behaviour-tp24209916p24209916.html
Sent from the Netscreen at Compsoc.com mailing list archive at Nabble.com.
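A check, added here and not part of the post above or of any Juniper tool, that narrows a "ping and RDP work but domain services do not" symptom: probe the TCP ports those services use from the workstation on 10.0.0.0/24 against a remote host such as 10.0.50.20 and record, per port, whether the handshake completes, is refused, or times out. A refused port means the host answered and simply is not listening; a port that times out while 3389 completes means something on the path treats the two differently, which is a different problem from a missing route. The port list maps the services named in the post (RDP, LDAP, WMI/RPC, file sharing) to their IANA ports plus Kerberos, which domain logon also needs; that grouping is my assumption. The self_check function runs the same probe offline against a local listener so the classifier can be exercised without the network.

```python
import socket

# Services the post reports as working (RDP) and failing (LDAP, WMI,
# file sharing) plus Kerberos, which domain authentication needs.
# Port numbers are IANA assignments; the grouping is an assumption.
DOMAIN_PORTS = {
    "rdp": 3389,
    "ldap": 389,
    "kerberos": 88,
    "smb": 445,
    "rpc-epmap": 135,   # first hop of WMI / DCOM
    "ldap-gc": 3268,
}


def probe_tcp(host, port, timeout=2.0):
    """Classify one TCP port: 'open' (handshake completed), 'closed'
    (RST received), 'filtered' (no answer within timeout) or
    'unreachable' (local error such as no route)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "filtered"
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        return "unreachable"
    finally:
        s.close()


def probe_all(host, ports=DOMAIN_PORTS, timeout=2.0):
    """Probe every port in the table and return {name: verdict}."""
    return {name: probe_tcp(host, port, timeout) for name, port in ports.items()}


def diagnose(results):
    """'reachable' if every port answered (open or refused), 'blocked' if
    nothing answered, 'selective' if some ports answer and others time
    out. The script does not guess *why*; that is the operator's job."""
    filtered = [n for n, r in results.items() if r in ("filtered", "unreachable")]
    answered = [n for n, r in results.items() if r in ("open", "closed")]
    if filtered and answered:
        return "selective"
    if filtered:
        return "blocked"
    return "reachable"


def self_check():
    """Offline demonstration: probe a listener on 127.0.0.1, then the
    same port after the listener is gone. Returns the two verdicts."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    first = probe_tcp("127.0.0.1", port, 1.0)
    srv.close()
    second = probe_tcp("127.0.0.1", port, 1.0)
    return first, second


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        results = probe_all(target)
        for name, verdict in results.items():
            print(f"{name:<10} {DOMAIN_PORTS[name]:>5}  {verdict}")
        print("verdict:", diagnose(results))
    else:
        print("self check:", self_check())
```

Run it from both sides of the path (from 10.0.0.20 towards 10.0.50.20 and from the remote site back towards the domain controller): a tunnel that forwards one direction but not the other shows up as "selective" from one side and "reachable" from the other.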

DHart | 18 Jun 2009 23:43

SG320 AV logfiles


I'm encountering a situation where the SSG 320 is blocking a program from downloading files from a website.  After investigating I determined that the Antivirus Profile associated with the internet access policy was the culprit.  When I turned this feature off the downloads completed normally.

I would like to find out more information as to why the AV is blocking the downloads from this site, but I cannot find any log files that pertain to AV anywhere.  Logging is turned on, as I see all the other events listed, just nothing pertaining to AV.  There must be a way to whitelist this site or make an exception for a particular file extension, but it would be helpful to have a log file telling me what is being blocked.

Can anyone point me in the right direction?

thanks in advance.
Darren
Dennis Hedman | 8 Apr 2009 16:52

SSG-5 has gone FUBAR....

Hi list.

I have an SSG5 that I loaded a configuration onto via the web interface, and after
I reset the box it got stuck in the start-up sequence (see below):

The config file includes/ends with :

.
.
.
save
reset
y

Updating the firmware doesn't help.
Pressing the "reset" button does nothing!!

Q: How can I reset the box to the factory default config?

/Dennis

--------------------------------------------------------------
Version 6.2.0r1.0
Load Manufacture Information ... Done

Initialize FBTL 0........ Done
Load NVRAM Information ... (6.2.0)Done
Install module init vectors
Install modules (01114800,0209deb8) ... 
PPP IP-POOL initiated, 256 pools

Initializing DI 1.1.0-ns
w3g_cfg_init

System config (1528 bytes) loaded

Done.
Load System Configuration .
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
....
Unsupported command - unset interface wireless0/0 dhcp server service
.
Unsupported command - unset interface bgroup0 dhcp server service
.
Unsupported command - unset interface adsl1/0 dhcp server service
.
Unsupported command - unset interface wireless0/0 ip
.
Unsupported command - unset interface adsl1/0 ip
...
Unsupported command - unset interface bgroup0 port ethernet0/2
.
Unsupported command - unset interface bgroup0 port ethernet0/3
.
Unsupported command - unset interface bgroup0 port ethernet0/4
.
Unsupported command - unset interface bgroup0 port ethernet0/5
.
Unsupported command - unset interface bgroup0 port ethernet0/6
...
Unsupported command - unset interface adsl1/0 zone
.
Unsupported command - unset interface wireless0/0 zone
.....................
Unsupported command - set ssh enable
......................
Unsupported command - ----  Support diagnostic tunnel ----
...............
Failed command - unset admin user "support"
...........

-------------------------------------------------------------------


Netscreen light | 19 Mar 2009 17:14

voip behind Netscreen Firewall

Hi Community,
I'm trying to make my VoIP network work behind 2 NS 5200s. The aim of using NetScreen FWs is to hide my network topology, so I'm using NAT, but I'm facing a lot of problems because of SDP. Will the SIP ALG feature help me? Is there any good documentation on the net about that?
Thanks,
 
/br
Mounir
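An illustration of why plain NAT breaks SIP and what a SIP ALG adds, added here as an example and not taken from the post or from ScreenOS. The NAT device rewrites only the IP and UDP headers of the SIP signalling; the SDP body inside the INVITE still advertises the phone's private address (c= line) and RTP port (m= line), so the far end sends media to an address that is not routable, and the firewall has no session for the inbound RTP. An ALG parses the SDP, substitutes the public address and an allocated public port, and opens the matching pinholes. The SDP body and the NatBinding class below are constructed for this example; a real ALG also has to recompute the SIP Content-Length header after changing the body, handle media-level c= lines, and usually rewrites the o= line as well, none of which this simplified version does.

```python
import re

# Constructed SDP body as a phone on a private network would send it in
# a SIP INVITE. The private address in c= and the port in m= are what an
# ALG must rewrite when the firewall NATs the SIP signalling.
PRIVATE_SDP = """\
v=0
o=alice 2890844526 2890844526 IN IP4 10.10.5.21
s=-
c=IN IP4 10.10.5.21
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
""".replace("\n", "\r\n")


class NatBinding:
    """Toy allocator for public RTP ports, standing in for the firewall's
    NAT table (assumed behaviour for this example, not ScreenOS's code)."""

    def __init__(self, public_ip, first_port=20000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}  # (private_ip, private_port) -> public_port

    def map(self, private_ip, private_port):
        key = (private_ip, private_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.next_port += 2  # keep the RTP (even) / RTCP (odd) pairing
        return self.table[key]


C_LINE = re.compile(r"^c=IN IP4 (\S+)$")
M_LINE = re.compile(r"^m=(\w+) (\d+) (.+)$")


def rewrite_sdp(sdp, nat):
    """Rewrite the session-level c= line and every m= line the way a SIP
    ALG does. Returns the new body and the pinholes the firewall must
    open as (public_ip, public_port, private_ip, private_port) tuples,
    one for RTP and one for RTCP per media stream. Assumes the
    session-level c= line precedes the m= lines."""
    out, pinholes = [], []
    session_ip = None
    for line in sdp.split("\r\n"):
        m = C_LINE.match(line)
        if m:
            session_ip = m.group(1)
            out.append(f"c=IN IP4 {nat.public_ip}")
            continue
        m = M_LINE.match(line)
        if m and session_ip:
            media, port, rest = m.group(1), int(m.group(2)), m.group(3)
            pub = nat.map(session_ip, port)
            pinholes.append((nat.public_ip, pub, session_ip, port))
            pinholes.append((nat.public_ip, pub + 1, session_ip, port + 1))
            out.append(f"m={media} {pub} {rest}")
            continue
        out.append(line)
    return "\r\n".join(out), pinholes


if __name__ == "__main__":
    body, holes = rewrite_sdp(PRIVATE_SDP, NatBinding("198.51.100.2"))
    print(body)
    for hole in holes:
        print("pinhole: %s:%d -> %s:%d" % hole)
```

The pinhole list is the security-relevant part: the ALG opens exactly the ports negotiated in the SDP, for the duration of the call, instead of the wide static port range you would otherwise have to permit inbound for RTP.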
Kai Krebber | 11 Dec 2008 09:31

understanding traffic shaping

Hi!

I'm currently trying to understand traffic shaping on the SSGs and have
a hard time.

Prep for JNCIS FWV has the following question:

You have 4 policies configured for the egress interface with 10Mbps
physical bandwidth:
Policy1: Prio0, 1Mbps GBW, 3Mbps MBW
Policy2: Prio1, 1Mbps GBW, 4Mbps MBW
Policy3: Prio1, 2Mbps GBW, 2Mbps MBW
Policy4: Prio0, 2Mbps GBW, 4Mbps MBW

The book states that under full load policy 4 would drop packets first.

I tried to simulate this and got a different result. I assume, my
assumptions are wrong, but I would need help to spot the error:

Let's say a constant stream of 1 Mbit packets - one fitting each policy
- hits the device at 40Mbps.
I'll name the packets after the policy id they fit:
1,2,3,4,1,2,3,4,1,2,3,4, and so on.
Since the egress speed is only 10Mbps, the SSG can only send out one
packet for every four packets it receives.

Lets go:

First packet hits the device. It's policy 1. Since Policy 1 has 1Mbps
GBW, the packet goes straight out to the egress interface.
Second packet - this time for policy 2. Again 1 Mbps GBW, so the packet
gets queued straight on the interface, since the first packet is still
being put on the wire.
Same with packets 3 and 4.
Now packet 5 arrives - again for policy 1. GBW is exhausted, but MBW is
not even reached, so this packet is pushed to Queue 0.
Meanwhile packet 1 has left the building and packet 2 is being processed
to be put on the wire.

Next packet 6 arrives (policy 2) - again the GBW is exhausted, but not
the MBW, so this packet is placed in Queue 1.
Next packet 7 (policy 3) comes along - here we're even still in the GBW,
so this packet goes straight to the out-queue for the egress interface.
The last bits of packet 2 have just hit the wire.

Packet 8 arrives (policy 4). Again a GBW packet, so it joins packets 4
and 7 (3 has just started to be put on the wire).
Packet 9 comes in - Policy 1 - This packet is just inside the MBW limit.
It's the third 1Mb packet for policy 1 within this second and we've got
3Mbps MBW, so that packet joins packet 5 in Queue 0.

Packet 10 comes in - policy 2. Here we've used up 3 of the 4 Mbps MBW,
so that packet goes into Queue 1.

And according to my understanding, packet 11 finally gets dropped, since
this would be 3Mbps for a 2 Mbps MBW in policy 3.

Where's my mistake?

Cheers,
Kai
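The packet-by-packet walkthrough above is hard to check by hand because it mixes three things: the guaranteed share, the priority of the excess, and the maximum cap. The simulation below, added here and not from the post, the exam prep book or Juniper, computes the per-second allocation for the four policies under the concept-level model ScreenOS documents: each policy first receives its guaranteed bandwidth, whatever is left on the link is handed out by priority (0 before 1), and no policy ever exceeds its maximum. How spare bandwidth is split between two policies of the same priority is not specified by the post; the example shares it equally (water-filling), and that rule is my assumption. With 10 Mbps offered on every policy it lands at 3/1/2/4 Mbps for policies 1 to 4 and every policy drops something; what the book means by "drops first" is for the reader to compare against that.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    priority: int   # 0 is the highest of the eight ScreenOS priority levels
    gbw: float      # guaranteed bandwidth, Mbps
    mbw: float      # maximum bandwidth, Mbps


# The four policies from the exam question in the post.
POLICIES = [
    Policy("Policy1", 0, 1, 3),
    Policy("Policy2", 1, 1, 4),
    Policy("Policy3", 1, 2, 2),
    Policy("Policy4", 0, 2, 4),
]


def allocate(policies, link_mbps, demand):
    """Per-second allocation: every policy first gets its GBW (or its
    demand, if lower); the remaining link capacity is handed out by
    priority, best priority first, never beyond MBW. Within one priority
    level the spare capacity is shared equally (water-filling), which is
    an assumption of this example, not something the post specifies."""
    total_gbw = sum(p.gbw for p in policies)
    if total_gbw > link_mbps:
        raise ValueError("sum of guaranteed bandwidth exceeds the link")
    got = {p.name: min(p.gbw, demand[p.name]) for p in policies}
    spare = link_mbps - sum(got.values())
    for prio in sorted({p.priority for p in policies}):
        level = [p for p in policies if p.priority == prio]
        while spare > 1e-9:
            # policies at this level that still want more and may have it
            hungry = [p for p in level
                      if got[p.name] < min(p.mbw, demand[p.name]) - 1e-9]
            if not hungry:
                break
            share = spare / len(hungry)
            for p in hungry:
                room = min(p.mbw, demand[p.name]) - got[p.name]
                take = min(room, share)
                got[p.name] += take
                spare -= take
    return got


def dropped(policies, link_mbps, demand):
    """Offered minus allocated, per policy: what shaping discards."""
    got = allocate(policies, link_mbps, demand)
    return {p.name: demand[p.name] - got[p.name] for p in policies}


if __name__ == "__main__":
    # 40 Mbps offered in total, 10 Mbps per policy, onto a 10 Mbps link
    demand = {p.name: 10 for p in POLICIES}
    got = allocate(POLICIES, 10, demand)
    drop = dropped(POLICIES, 10, demand)
    for p in POLICIES:
        print(f"{p.name}: prio {p.priority} GBW {p.gbw} MBW {p.mbw} "
              f"-> sends {got[p.name]:.1f} Mbps, drops {drop[p.name]:.1f} Mbps")
```

Changing the demand dictionary shows the part the walkthrough leaves implicit: a policy that offers less than its GBW frees capacity that flows to the best-priority policies with headroom first, and only when those are capped does priority 1 see anything above its guarantee.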
F J | 18 Sep 2008 15:10

IGMP snooping with NetScreen firewall?

Hi,
Does the small NS5-GT support IGMP snooping?
 
If not, is there another Netscreen model that supports IGMP snooping?
 
If not, does anyone have experience using a small switch that supports IGMP snooping?
I know the 'small' Extreme Summit200 works fine, but I would like to replace that switch
with a smaller one...
 
Best Regards
Fredrik

John Parker | 12 Sep 2008 00:21

OpenSSH-5.1p1 issue with ScreenOS

Just FYI in case others haven't run into this yet: after upgrading my
OpenSSH client to the latest 5.1-portable, I found to my horror that
ssh sessions to NetScreens (ScreenOS 5.4r10, 6.1.0r3) were immediately
disconnecting.  Looking at the event log through webui showed
successful-auth, but no real error messages.  Same basic symptoms for
both password and pubkey-auth.  Running ssh in verbose mode gave a few
hints, it looks like a new 5.1 security feature isn't being handled
correctly by the NetScreen sshd:

--------------
http://openssh.com/txt/release-5.1
<snip>
New features:
 * Added a no-more-sessions@openssh.com global request extension that is
   sent from ssh(1) to sshd(8) when the client knows that it will never
   request another session (i.e. when session multiplexing is disabled).
   This allows a server to disallow further session requests and
   terminate the session in cases where the client has been hijacked.
--------------

I can only venture to guess that, when ScreenOS receives the client
message "no more sessions after this one", it's interpreting as
"...including this one"?  Anyway, by the Edisonian approach  :)   I
discovered that the following option will get you back in:

ControlMaster=ask (or "yes", or "auto" -- anything but the default "no")

As in, "ssh -o ControlMaster=ask me@my.firewall.org"

I wouldn't recommend adding this to your ssh_config, unless you can do
it per-host.  It's a good idea to disable where not needed.

FWIW,

John

PS -- If anyone has a less-kludgy workaround, I'd love to hear it.
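The per-host form the post recommends, added here as an example and not part of the original message; the host names are placeholders. Scoping the setting to a Host block keeps the default ControlMaster=no (and with it the no-more-sessions@openssh.com request) for every other server, and giving the master an explicit ControlPath means later ssh invocations to the same firewall reuse the existing connection, so the socket must live in a directory only your user can write.

```text
# ~/.ssh/config: apply the workaround only to the NetScreens that need it.
# Host names below are placeholders, not from the original post.
Host fw1.example.net fw2.example.net
    ControlMaster auto
    ControlPath ~/.ssh/mux-%r@%h:%p
```

Anything not listed in that Host block still gets the OpenSSH 5.1 default, which is what the post means by "disable where not needed".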
Kai Krebber | 2 Sep 2008 10:48

Re: Policy traffic shaping netscreen

Hi, Praveen!

 

You can download NSRemote from the Juniper site (Support / Download Software).

You have to log in, choose 'NetScreen Remote VPN Client' and then enter the serial number of the NS-Remote you bought to be able to download the current version.

 

In case you haven't bought the client yet: it's really cheap (I guess about 10 dollars when bought in a pack of 100).

 

Cheers,

  Kai

 

From: Praveen Sankar [mailto:praveen.sankar@flytxt.com]
Sent: Tuesday, 2 September 2008 07:15
To: Kai Krebber
Cc: nn@compsoc.com
Subject: RE: [nn] Policy traffic shaping netscreen

 

Hi Kai,

 

Tried the software mentioned below, but no luck.

 

Getting an error message "Tunnel Disabled". I used to connect the VPN with IKE authentication.

 

Do you/anyone know where I can download the NetScreen Remote VPN client ver. 9.0? It is quite urgent for me to set up a VPN for marketing guys who are travelling within two days. Please help.

 

Thanks ,

Praveen.

 

 

From: Kai Krebber [mailto:Kai.Krebber@krick.net]
Sent: Wednesday, August 27, 2008 11:55 AM
To: Praveen Sankar
Cc: nn@compsoc.com
Subject: RE: [nn] Policy traffic shaping netscreen

 

http://www.shrew.net/

 

Didn’t try it yet, but supposed to work just fine.

 

Cheers,

Kai

 

From: nn-bounces@compsoc.com [mailto:nn-bounces@compsoc.com] On behalf of Praveen Sankar
Sent: Wednesday, 27 August 2008 08:17
To: 'Juniper-Nsp'; nn@compsoc.com
Subject: Re: [nn] Policy traffic shaping netscreen

 

Hi All,

 

I'm looking for the vpn_client_juniper software which is suitable for Windows Vista.

I have the software which is suitable for XP, and it is working well too.

In the coming week, I need to configure VPN for a Vista user. I would be grateful if anyone can provide me the link where I can get the software.

 

Looking forward to hearing from you.

 

 

Thanks and regards,

Praveen.  

Kevin Stevens | 28 Aug 2008 02:13

Unencrypted 6over4 tunnel config?

I'm trying to set up a plain unencrypted, encapsulated tunnel to my tunnel 
broker (Hurricane).

All the C&E examples deal with using IPSEC tunnels, with NS devices on both 
ends.  Any quick config examples?

KeS
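Background for the question above, added here as an example and not taken from the post or from any Juniper configuration guide: the tunnel broker tunnels Hurricane Electric offers are 6in4 (RFC 4213), that is IPv6 packets carried directly as the payload of IPv4 packets with IP protocol number 41, with no IPsec and no UDP port involved. Whatever the tunnel interface configuration ends up being, the firewall policy has to pass protocol 41 in both directions between your public address and the broker's tunnel server, and nothing inside is encrypted or authenticated. The code builds and checks such a packet so you can see exactly what the firewall has to match; the addresses are documentation ranges and the DF bit choice is an assumption of the example.

```python
import socket
import struct

IPPROTO_IPV6 = 41   # "6in4": IPv6 carried directly in IPv4, RFC 4213


def ipv4_checksum(header):
    """Standard one's-complement checksum over an IPv4 header. Over a
    header whose checksum field is already correct it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src6, dst6, next_header, payload, hop_limit=64):
    """Minimal IPv6 header (RFC 8200) in front of a payload."""
    head = struct.pack("!I", 6 << 28)                     # version 6, tc 0, flow 0
    head += struct.pack("!HBB", len(payload), next_header, hop_limit)
    head += socket.inet_pton(socket.AF_INET6, src6)
    head += socket.inet_pton(socket.AF_INET6, dst6)
    return head + payload


def encapsulate_6in4(outer_src, outer_dst, ipv6_packet, ttl=64, ident=0):
    """Wrap an IPv6 packet in an IPv4 header with protocol 41. DF is set
    (0x4000) so the tunnel relies on path MTU discovery rather than
    fragmenting; that choice is an assumption of this example."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ipv6_packet), ident,
                      0x4000, ttl, IPPROTO_IPV6, 0,
                      socket.inet_aton(outer_src), socket.inet_aton(outer_dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + ipv6_packet


def decapsulate_6in4(packet):
    """Validate the outer header and return (src, dst, inner_ipv6), or
    raise ValueError if this is not a well-formed 6in4 packet. These are
    the checks a tunnel endpoint (or a firewall ALG) applies before it
    trusts the payload, since nothing here is authenticated."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != IPPROTO_IPV6:
        raise ValueError(f"protocol {packet[9]} is not 41")
    inner = packet[ihl:]
    if len(inner) < 40 or inner[0] >> 4 != 6:
        raise ValueError("payload is not IPv6")
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]), inner


def is_6in4(packet):
    """True if decapsulate_6in4 accepts the packet."""
    try:
        decapsulate_6in4(packet)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    inner = build_ipv6("2001:db8::1", "2001:db8::2", 59, b"")   # 59 = no next header
    pkt = encapsulate_6in4("192.0.2.10", "203.0.113.1", inner)
    print(pkt.hex())
    print(decapsulate_6in4(pkt))
```

Because the endpoint's only protection is the outer source address, a policy for the tunnel should be pinned to the broker's tunnel server address rather than "any", and the IPv6 side of the tunnel interface needs its own policies, since nothing about the encapsulation filters what arrives inside it.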
SunnyDay | 18 Aug 2008 10:36

Policy traffic shaping netscreen

Hello, I have an SSG 140 with ScreenOS 6.1.0r2.0

and I have a problem with policy traffic shaping which does not seem to work properly.

When I configure a policy with guaranteed BW and maximum BW, traffic seems to be matched

at another policy with another source address than the one configured.

e.g. 192.168.40.10 is matched at a policy with source 192.168.40.19

any ideas what causes this kind of behavior?

 

Thank you
