mohamed.fawzy | 26 Apr 14:18 2011

help

hello everybody

I need your help with an issue related to monitoring the traffic on a Juniper SSG520 NetScreen firewall, because sometimes I find a huge amount of traffic coming to me.
So I want to monitor traffic in and out of my firewall device; I want to know who accesses which site. Please reply to me.

thanks


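The usual way to answer "who is talking to which site" on a NetScreen/SSG is to enable logging on the policies of interest, send the traffic log to a syslog host, and aggregate it there. The following is an added example of that aggregation step and is not from the original post: it parses ScreenOS-style traffic-log lines and reports the top sources by bytes together with the destinations and services each one used. The sample lines are constructed to resemble the `system-notification-00257(traffic)` format with `src=`, `dst=`, `sent=` and `rcvd=` fields; treat the exact layout as an assumption and check it against a real line from the device.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of ScreenOS traffic logs as
# they arrive at a syslog host; they are not logs from the poster's
# SSG520, and the field layout should be checked against a real line.
SAMPLE_LOG = """\
Apr 26 14:10:01 fw1 ssg520: NetScreen device_id=ssg520 [Root]system-notification-00257(traffic): start_time="2011-04-26 14:09:55" duration=6 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1500 rcvd=820000 src=10.1.1.5 dst=203.0.113.10 src_port=49152 dst_port=80 session_id=1001
Apr 26 14:10:02 fw1 ssg520: NetScreen device_id=ssg520 [Root]system-notification-00257(traffic): start_time="2011-04-26 14:09:58" duration=4 policy_id=1 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=2200 rcvd=150000 src=10.1.1.5 dst=198.51.100.7 src_port=49153 dst_port=443 session_id=1002
Apr 26 14:10:05 fw1 ssg520: NetScreen device_id=ssg520 [Root]system-notification-00257(traffic): start_time="2011-04-26 14:10:00" duration=5 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=900 rcvd=40000 src=10.1.1.9 dst=203.0.113.10 src_port=50000 dst_port=80 session_id=1003
Apr 26 14:10:09 fw1 ssg520: NetScreen device_id=ssg520 [Root]system-notification-00257(traffic): start_time="2011-04-26 14:10:08" duration=1 policy_id=2 service=dns proto=17 src zone=Trust dst zone=Untrust action=Permit sent=70 rcvd=200 src=10.1.1.9 dst=192.0.2.53 src_port=51000 dst_port=53 session_id=1004
Apr 26 14:10:11 fw1 ssg520: NetScreen device_id=ssg520 [Root]system-notification-00257(traffic): start_time="2011-04-26 14:10:11" duration=0 policy_id=3 service=smtp proto=6 src zone=Untrust dst zone=Trust action=Deny sent=0 rcvd=0 src=198.51.100.99 dst=10.1.1.25 src_port=4444 dst_port=25 session_id=1005
"""

# key=value pairs; two keys contain a space ("src zone", "dst zone")
FIELD_RE = re.compile(r'(src zone|dst zone|[a-z_]+)=("[^"]*"|\S+)')


def parse_traffic_line(line):
    """Return a dict for one traffic-log line, or None for anything else."""
    if "(traffic)" not in line:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        return {
            "src": fields["src"],
            "dst": fields["dst"],
            "service": fields.get("service", "?"),
            "dst_port": int(fields.get("dst_port", 0)),
            "action": fields.get("action", "?"),
            "bytes": int(fields.get("sent", 0)) + int(fields.get("rcvd", 0)),
        }
    except KeyError:
        return None


def summarize(log_text):
    """Aggregate permitted bytes per source and per (source, destination)."""
    per_src = defaultdict(int)
    per_src_dst = defaultdict(lambda: defaultdict(int))
    denied = 0
    for line in log_text.splitlines():
        rec = parse_traffic_line(line)
        if rec is None:
            continue
        if rec["action"] != "Permit":
            denied += 1          # denied sessions carry no payload, count them separately
            continue
        per_src[rec["src"]] += rec["bytes"]
        per_src_dst[rec["src"]][(rec["dst"], rec["service"])] += rec["bytes"]
    return per_src, per_src_dst, denied


def top_talkers(log_text, n=5):
    """Top n sources by bytes, each with its destinations, busiest first."""
    per_src, per_src_dst, _ = summarize(log_text)
    ranked = sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)[:n]
    return [
        (src, total, sorted(per_src_dst[src].items(), key=lambda kv: kv[1], reverse=True))
        for src, total in ranked
    ]


if __name__ == "__main__":
    for src, total, dsts in top_talkers(SAMPLE_LOG):
        print(f"{src:15} {total:>10} bytes")
        for (dst, service), nbytes in dsts:
            print(f"    -> {dst:15} {service:6} {nbytes:>10}")
    print("denied sessions:", summarize(SAMPLE_LOG)[2])
```

Feed it the syslog file instead of `SAMPLE_LOG` (for example `top_talkers(open("/var/log/netscreen.log").read())`); sessions only appear in the log when they close, so a long-lived download shows up once, with its full byte count, at the end.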
eisenpony | 25 Jun 21:47 2009

Strange Routing Behaviour


Hi, I'm quite new to Netscreens and am experiencing what seems to be a
strange routing / policy problem. I have a Netscreen acting as main firewall
and NAT to my internal network 10.0.0.0/24. Netscreens IP is 10.0.0.1

I have several remote networks which service home users.
10.0.50.0/24
10.0.51.0/24
10.0.52.0/24

They use cheap Linksys VPN routers (RVS4000) which have ip address
10.0.XX.1. They are used to open a VPN tunnel to another Linksys router
10.0.0.2.

The Netscreen TrustVR routing table is configured such that
10.0.0.0/24 --> ethernet 1
10.0.50.0/24 --> 10.0.0.2 ethernet 1
10.0.51.0/24 --> 10.0.0.2 ethernet 1
10.0.52.0/24 --> 10.0.0.2 ethernet 1

From my workstation on the 10.0.0.0/24 subnet (10.0.0.20) I am able to ping
any of the remote workstations (10.0.XX.20). I'm also able to use the
Microsoft RDP protocol to log in to the remote workstations remotely.
However, if I try to access any domain resources (domain controller for
credential services, File Share, etc...) they are not available.

I know this isn't a lot to go on, but is anyone aware of a reason ping, and
RDP might work, while LDAP, WMI, and File Sharing do not?

I'm quite certain the Netscreen is the problem as the issues first
manifested the day after it was replaced.

DHart | 18 Jun 23:43 2009

SG320 AV logfiles


I'm encountering a situation where the SSG 320 is blocking a program from downloading files from a website.  After investigating I determined that the Antivirus Profile associated with the internet access policy was the culprit.  When I turned this feature off the downloads completed normally.

I would like to find out more information as to why the AV is blocking the downloads from this site but I cannot find any log files that pertain to AV anywhere.  Logging is turned on as I see all the other events listed, just nothing pertaining to AV.  There must be a way to whitelist this site or make an exception for a particular file extension but it would be helpful to have a log file telling me what is being blocked.

Can anyone point me in the right direction?

thanks in advance.
Darren
Dennis Hedman | 8 Apr 16:52 2009

SSG-5 has gone FUBAR....

Hi list.

I have an SSG5 that I loaded a configuration into via the web interface, and after
I reset the box it got stuck in the start-up sequence (see below):

The config file includes/ends with :

.
.
.
save
reset
y

Updating the firmware doesn't help.
Pressing the "reset" button does nothing!!

Q: How can I reset the box to factory default config?

/Dennis

--------------------------------------------------------------
Version 6.2.0r1.0
Load Manufacture Information ... Done

Initialize FBTL 0........ Done
Load NVRAM Information ... (6.2.0)Done
Install module init vectors
Install modules (01114800,0209deb8) ... 
PPP IP-POOL initiated, 256 pools

Initializing DI 1.1.0-ns
w3g_cfg_init

System config (1528 bytes) loaded

Done.
Load System Configuration .
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
.
Unsupported command - #
....
Unsupported command - unset interface wireless0/0 dhcp server service
.
Unsupported command - unset interface bgroup0 dhcp server service
.
Unsupported command - unset interface adsl1/0 dhcp server service
.
Unsupported command - unset interface wireless0/0 ip
.
Unsupported command - unset interface adsl1/0 ip
...
Unsupported command - unset interface bgroup0 port ethernet0/2
.
Unsupported command - unset interface bgroup0 port ethernet0/3
.
Unsupported command - unset interface bgroup0 port ethernet0/4
.
Unsupported command - unset interface bgroup0 port ethernet0/5
.
Unsupported command - unset interface bgroup0 port ethernet0/6
...
Unsupported command - unset interface adsl1/0 zone
.
Unsupported command - unset interface wireless0/0 zone
.....................
Unsupported command - set ssh enable
......................
Unsupported command - ----  Support diagnostic tunnel ----
...............
Failed command - unset admin user "support"
...........

-------------------------------------------------------------------

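Two things are visible in the boot log above: commands naming interfaces this unit does not have (`wireless0/0`, `adsl1/0`) and the `#` comment lines are rejected as unsupported, and the file ends in `save`, `reset`, `y`, which are interactive session commands rather than configuration. Whatever exactly hung the box, both kinds of line are cheap to catch before a config is uploaded. The following pre-upload lint is an added example, not from the original post: the interface set for a plain SSG5 is an assumption (confirm it with `get interface` on the target), the sample config is constructed from the commands the boot log rejected, and the lint does not try to reproduce every rejection ScreenOS itself reports.

```python
import re

# Interfaces a plain (non-wireless, non-ADSL) SSG5 exposes statically.
# This set is an assumption for the example: confirm it with
# `get interface` on the target unit before trusting the results.
SSG5_PLAIN_INTERFACES = {
    "ethernet0/0", "ethernet0/1", "ethernet0/2", "ethernet0/3",
    "ethernet0/4", "ethernet0/5", "ethernet0/6",
    "bgroup0", "bgroup1", "bgroup2", "bgroup3",
    "serial0/0", "vlan1", "null",
}
# Interfaces created on demand, so fine in any config.
DYNAMIC_IF_RE = re.compile(r"^(?:tunnel|loopback)\.\d+$|^ethernet\d+/\d+\.\d+$")
INTERFACE_CMD_RE = re.compile(r'^(?:set|unset)\s+interface\s+"?([A-Za-z0-9/._-]+)"?')
# Lines that belong to an interactive session, not to a configuration.
SESSION_LINES = {"save", "reset", "y", "n", "exit"}

# Constructed sample modelled on the commands the boot log rejected.
SAMPLE_CONFIG = """\
# saved from a wireless/ADSL SSG5, loaded onto a plain SSG5
set interface wireless0/0 ip 192.168.2.1/24
unset interface wireless0/0 dhcp server service
unset interface adsl1/0 ip
set interface ethernet0/0 ip 192.168.1.1/24
set interface "tunnel.1" zone "Untrust"
set ssh enable
save
reset
y
"""


def lint_config(text, known_interfaces=SSG5_PLAIN_INTERFACES):
    """Return (line_no, kind, line) for every line worth a look."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # the boot log shows ScreenOS rejecting these as unsupported commands
            findings.append((no, "comment", line))
        elif line.lower() in SESSION_LINES:
            findings.append((no, "session-command", line))
        else:
            m = INTERFACE_CMD_RE.match(line)
            if m:
                ifname = m.group(1)
                if ifname not in known_interfaces and not DYNAMIC_IF_RE.match(ifname):
                    findings.append((no, "missing-interface", line))
    return findings


def lint_counts(text, **kw):
    """Number of findings per kind; an empty dict means nothing was flagged."""
    counts = {}
    for _, kind, _ in lint_config(text, **kw):
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for no, kind, line in lint_config(SAMPLE_CONFIG):
        print(f"{no:3}  {kind:18}  {line}")
```

Run it as `lint_config(open("ssg5.cfg").read())` before pasting the file into the web UI; pass a different `known_interfaces` set for another platform.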

Netscreen light | 19 Mar 17:14 2009

voip behind Netscreen Firewall

Hi Community,
I'm trying to make my VoIP network work behind 2 NS 5200s. The aim of using NetScreen firewalls is to hide my network topology, so I'm using NAT, but I'm facing a lot of problems because of SDP. Will the SIP ALG feature help me? Is there any good documentation on the net about that?
thks,
 
/br
Mounir
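The SDP problem behind NAT is that the INVITE's body carries the phone's private address in the `c=` and `o=` lines and its RTP port in the `m=` line; plain NAT rewrites only the IP header, so the far end sends media to a 10.x address it cannot reach. A SIP ALG (ScreenOS has one) rewrites those lines to the NAT'd address and port, fixes `Content-Length`, and opens pinholes for the RTP and RTCP ports. The following is an added example of that rewrite, not code from the post or from ScreenOS: the INVITE, addresses and ports are constructed, and it is a simplified model (signalling port kept 1:1, no registration handling, no reverse rewrite of the 200 OK).

```python
# Constructed SIP INVITE from a phone at PRIVATE_IP behind the NAT. All
# addresses, the Call-ID and the ports are made up for this example.
PRIVATE_IP = "10.10.10.20"
PUBLIC_IP = "198.51.100.1"       # assumed NAT address on the untrust side

SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 10.10.10.20\r\n"
    "s=-\r\n"
    "c=IN IP4 10.10.10.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
HEADERS = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 10.10.10.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@10.10.10.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: %d\r\n"
)


def build_invite():
    """The INVITE as the phone sends it, private address and all."""
    return HEADERS % len(SDP.encode()) + "\r\n" + SDP


class PortAllocator:
    """Hands out even public RTP ports; RTCP is the odd port above."""
    def __init__(self, start=20000):
        self.next = start

    def pair(self):
        port = self.next
        self.next += 2
        return port


def split_message(msg):
    head, _, body = msg.partition("\r\n\r\n")
    return head.split("\r\n"), body


def rewrite_sdp(body, private_ip, public_ip, alloc):
    """Rewrite c=/o= addresses and m= ports; return (new body, pinholes).
    Each pinhole is (public ip, public port, private ip, private port)."""
    out, pinholes = [], []
    for line in body.split("\r\n"):
        if line.startswith(("c=", "o=")):
            line = line.replace(private_ip, public_ip)
        elif line.startswith("m="):
            parts = line.split(" ")
            priv_port, pub_port = int(parts[1]), alloc.pair()
            parts[1] = str(pub_port)
            line = " ".join(parts)
            pinholes.append((public_ip, pub_port, private_ip, priv_port))          # RTP
            pinholes.append((public_ip, pub_port + 1, private_ip, priv_port + 1))  # RTCP
        out.append(line)
    return "\r\n".join(out), pinholes


def sip_alg(msg, private_ip, public_ip, alloc):
    """What the ALG has to do on top of plain NAT for one outbound INVITE."""
    headers, body = split_message(msg)
    new_body, pinholes = rewrite_sdp(body, private_ip, public_ip, alloc)
    new_headers = []
    for h in headers:
        name = h.split(":", 1)[0].lower()
        if name in ("via", "contact"):
            h = h.replace(private_ip, public_ip)   # signalling port kept 1:1 (simplification)
        elif name == "content-length":
            h = "Content-Length: %d" % len(new_body.encode())   # body grew by the address change
        new_headers.append(h)
    return "\r\n".join(new_headers) + "\r\n\r\n" + new_body, pinholes


def demo():
    return sip_alg(build_invite(), PRIVATE_IP, PUBLIC_IP, PortAllocator(20000))


if __name__ == "__main__":
    msg, holes = demo()
    print(msg)
    for hole in holes:
        print("pinhole %s:%d -> %s:%d" % hole)
```

Without the ALG, the pinholes are never opened and the remote side's RTP towards `c=IN IP4 10.10.10.20` goes nowhere: one-way or no audio with signalling that otherwise looks fine, which is the symptom NAT alone produces.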
Kai Krebber | 11 Dec 09:31 2008

understanding traffic shaping

Hi!

I'm currently trying to understand traffic shaping on the SSGs and have
a hard time.

Prep for JNCIS FWV has the following question:

You have 4 policies configured for the egress interface with 10Mbps
physical bandwidth:
Policy1: Prio0, 1Mbps GBW, 3Mbps MBW
Policy2: Prio1, 1Mbps GBW, 4Mbps MBW
Policy3: Prio1, 2Mbps GBW, 2Mbps MBW
Policy4: Prio0, 2Mbps GBW, 4Mbps MBW

The book states that under full load policy 4 would drop packets first.

I tried to simulate this and got a different result. I assume, my
assumptions are wrong, but I would need help to spot the error:

Let's say a constant stream of 1 Mbit-packets - one fitting each policy
- hits the device with 40Mbps.
I'll name the packets after the policy-id they will fit:
1,2,3,4,1,2,3,4,1,2,3,4, and so on.
Since the egress speed is only 10Mbps, the SSG can only send out one
packet for every four packets, it receives.

Lets go:

First packet hits the device. It's policy 1. Since Policy 1 has 1Mbps
GBW, the packet goes straight out to the egress interface.
Second packet - this time for policy 2. Again 1 Mbps GBW, so the packet
gets queued straight on the interface, since the first packet is still
being put on the wire.
Same with packets 3 and 4.
Now packet 5 arrives - again for policy 1. GBW is exhausted, but MBW is
not even reached, so this packet is pushed to Queue 0.
Meanwhile packet 1 has left the building and packet 2 is being processed
to be put on the wire.

Next packet 6 arrives (policy 2) - again that GBW is exhausted, but not
the MBW, so this packet is placed in Queue 1.
Next packet 7 (policy 3) comes along - here we're even still in the GBW,
so this packet goes straight to the out-queue for the egress interface.
The last bits of packet 2 have just hit the wire.

Packet 8 arrives (policy 4). Again a GBW packet, so it joins packets 4
and 7 (3 has just started to be put on the wire).
Packet 9 comes in - Policy 1 - This packet is just inside the MBW limit.
It's the third 1Mb packet for policy 1 within this second and we've got
3Mbps MBW, so that packet joins packet 5 in Queue 0.

Packet 10 comes in - policy 2. Here we've used up 3 of the 4 Mbps MBW,
so that packet goes into Queue 1.

And according to my understanding, packet 11 finally gets dropped, since
this would be 3Mbps for a 2 Mbps - MBW in policy 3.

Where's my mistake?

Cheers,
Kai
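The packet-by-packet walk above mixes two timescales; shaping is easier to reason about per second of link time. The following is an added example, not from the post or the exam prep book, of a per-second fluid model of the four policies: every policy first gets `min(offered, GBW)`; spare link capacity then goes to policies that still want more, one priority level at a time (priority 0 first, which is ScreenOS's highest), shared equally within a level and never beyond MBW; what is left of the offered load is dropped. That model is an assumption, not ScreenOS's scheduler, and it does not settle the book's question; it gives the steady-state numbers the model implies and handles the case where the guarantees alone oversubscribe the link.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    priority: int   # ScreenOS priority: 0 is highest, 7 lowest
    gbw: float      # guaranteed bandwidth, Mbps
    mbw: float      # maximum bandwidth, Mbps


# The four policies from the exam question.
POLICIES = [
    Policy("Policy1", priority=0, gbw=1, mbw=3),
    Policy("Policy2", priority=1, gbw=1, mbw=4),
    Policy("Policy3", priority=1, gbw=2, mbw=2),
    Policy("Policy4", priority=0, gbw=2, mbw=4),
]


def allocate(policies, offered, link_mbps):
    """Per-second fluid model (an assumption, not the ScreenOS scheduler).

    offered maps policy name -> Mbps demanded. Returns
    {name: (sent_mbps, dropped_mbps)}.
    1. every policy gets min(offered, GBW);
    2. spare capacity goes to policies that still want more, one priority
       level at a time (0 first), shared equally within a level (water
       filling) and capped at MBW;
    3. whatever is left of the offered load is dropped.
    """
    if sum(p.gbw for p in policies) > link_mbps:
        raise ValueError("sum of GBW exceeds the link; the guarantees cannot all hold")
    sent = {p.name: min(offered.get(p.name, 0.0), p.gbw) for p in policies}
    spare = link_mbps - sum(sent.values())

    def want(p):
        return min(offered.get(p.name, 0.0), p.mbw) - sent[p.name]

    for prio in sorted({p.priority for p in policies}):
        level = [p for p in policies if p.priority == prio]
        while spare > 1e-9:
            wanting = [p for p in level if want(p) > 1e-9]
            if not wanting:
                break
            share = spare / len(wanting)
            for p in wanting:
                extra = min(share, want(p))
                sent[p.name] += extra
                spare -= extra
    return {p.name: (sent[p.name], offered.get(p.name, 0.0) - sent[p.name]) for p in policies}


def full_load(policies=POLICIES, link_mbps=10.0, offered_each=10.0):
    """Every policy offers offered_each Mbps at once, as in the question."""
    return allocate(policies, {p.name: offered_each for p in policies}, link_mbps)


if __name__ == "__main__":
    for name, (sent, dropped) in full_load().items():
        print(f"{name}: sent {sent:.1f} Mbps, dropped {dropped:.1f} Mbps")
```

Under this model the 6 Mbps of guarantees leave 4 Mbps of spare, and the two priority-0 policies can absorb exactly that much below their MBW, so the priority-1 policies never see excess bandwidth at all. Change `offered` to something below the MBWs to see the same code allocate everything with no drops.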
F J | 18 Sep 15:10 2008

IGMP snooping with NetScreen firewall?

Hi,
Does the small NS5-GT support IGMP-snooping?
 
If not, is there another Netscreen model that supports IGMP snooping?
 
If not, does anyone have experience using a small switch that supports IGMP snooping?
I know the 'small' Extreme Summit200 works fine, but I would like to replace that switch
with a smaller one...
 
Best Regards
Fredrik

John Parker | 12 Sep 00:21 2008

OpenSSH-5.1p1 issue with ScreenOS

Just FYI in case others haven't run into this yet: after upgrading my
OpenSSH client to the latest 5.1-portable, I found to my horror that
ssh sessions to NetScreens (ScreenOS 5.4r10, 6.1.0r3) were immediately
disconnecting.  Looking at the event log through webui showed
successful-auth, but no real error messages.  Same basic symptoms for
both password and pubkey-auth.  Running ssh in verbose mode gave a few
hints, it looks like a new 5.1 security feature isn't being handled
correctly by the NetScreen sshd:

--------------
http://openssh.com/txt/release-5.1
<snip>
New features:
 * Added a no-more-sessions <at> openssh.com global request extension that is
   sent from ssh(1) to sshd(8) when the client knows that it will never
   request another session (i.e. when session multiplexing is disabled).
   This allows a server to disallow further session requests and
   terminate the session in cases where the client has been hijacked.
--------------

I can only venture to guess that, when ScreenOS receives the client
message "no more sessions after this one", it's interpreting as
"...including this one"?  Anyway, by the Edisonian approach  :)   I
discovered that the following option will get you back in:

ControlMaster=ask (or "yes", or "auto" -- anything but the default "no")

As in, "ssh -o ControlMaster=ask me <at> my.firewall.org"

I wouldn't recommend adding this to your ssh_config, unless you can do
it per-host.  It's a good idea to disable where not needed.

FWIW,

John

PS -- If anyone has a less-kludgy workaround, I'd love to hear it.
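The per-host form the post alludes to, added here as an example and not part of the original message (the host names are placeholders): the workaround applies only to the NetScreen hosts and everything else keeps the OpenSSH default. OpenSSH takes the first value it obtains for an option, so the specific `Host` block has to come before `Host *`.

```sshconfig
# ~/.ssh/config -- placeholder host names
Host fw1.example.org fw2.example.org
    ControlMaster ask

# Everything else keeps the default; must come after the specific block.
Host *
    ControlMaster no
```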
Kevin Stevens | 28 Aug 02:13 2008

Unencrypted 6over4 tunnel config?

I'm trying to set up a plain unencrypted, encapsulated tunnel to my tunnel 
broker (Hurricane).

All the C&E examples deal with using IPSEC tunnels, with NS devices on both 
ends.  Any quick config examples?

KeS
SunnyDay | 18 Aug 10:36 2008

Policy traffic shaping netscreen

Hello, I have an SSG 140 with ScreenOS 6.1.0r2.0,
and I have a problem with policy traffic shaping, which does not seem to work properly.

When I configure a policy with guaranteed BW and maximum BW, traffic seems to be matched
at another policy with another source address than the one configured.

e.g. 192.168.40.10 is matched at a policy with source 192.168.40.19.

Any ideas what causes this kind of behavior?

Thank you

Marc Haber | 17 Aug 23:09 2008

VPN Tunnel Woes - Again

Hi,

I had this issue last December and addressed it on this list.
Unfortunately, I failed to properly follow up with the replies I
received since I never fully understood what was going on. I apologize.

I am having trouble - again - with an IPsec tunnel to another company
running a Cisco VPN Concentrator. I do not do NetScreen VPN very much
and am therefore at a loss how to debug.

This is how things look:

Network "plan":
--------------------   ---------------------
| 10.101.139.64/30 |   | 10.101.139.100/30 |
--------------------   ---------------------
       |                   |
     ---------------------------
     |    Cisco Concentrator   |
     ---------------------------
       | 172.16.251.112
       |                        untrust
--------------      172.17.0.1  -------------
| Router     |------------------| Netscreen |
--------------                  -------------
       |
       |
--------------
| 10.1.2.7   |
--------------

I have a currently existing and working tunnel between 10.1.2.0/28 and
10.101.139.64/30 via the Netscreen and the Cisco concentrator.

Netscreen config excerpts:
-> get system
Product Name: NetScreen-NS5GT
Hardware Version: 1010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.4.0r3a.0, Type: Firewall+VPN
Feature: AV-K
Compiled by build_master at: Wed Feb 7 19:00:24 PST 2007
Base Mac: 0010.db73.5a50
File Name: screenos_image, Checksum: 51863a99
Box in trust-untrust mode
System in NAT/route mode.

set vpn "myvpn-10-101-139-64-off" gateway "myvpn-172-16-251-112" no-replay tunnel idletime 0 proposal "g2-aes256-sha1"
set vpn "myvpn-10-101-139-64-off" id 22 bind interface tunnel.5
set vpn "myvpn-10-101-139-64-off" proxy-id local-ip 10.1.2.0/28 remote-ip 10.101.139.64/30 "ANY"
set route 10.101.139.64/30 interface tunnel.5 preference 20

set interface "tunnel.5" zone "Untrust"
set interface tunnel.5 ip unnumbered interface untrust

set ike gateway "myvpn-172-16-251-112" address 172.16.251.112 Main outgoing-interface "untrust" preshare "<snip>" proposal "pre-g2-aes256-sha1"
set ike gateway "myvpn-172-16-251-112" cert peer-ca all

set policy id 1 from "Untrust" to "Untrust"  "Any" "Any" "ANY" permit log

This works just fine. I now need to add a second tunnel which has
10.101.139.100/30 as the remote side. As soon as I add the canonical

set vpn "myvpn-10-101-139-100-off" gateway "myvpn-172-16-251-112" no-replay tunnel idletime 0 proposal "g2-aes256-sha1"
set vpn "myvpn-10-101-139-100-off" id 22 bind interface tunnel.5
set vpn "myvpn-10-101-139-100-off" proxy-id local-ip 10.1.2.0/28 remote-ip 10.101.139.100/30 "ANY"
set route 10.101.139.100/30 interface tunnel.5 preference 20

I lose the connectivity of the first tunnel, and the second does not
seem to come up. This is also the case when I replace tunnel.5 with
tunnel.6 in the second tunnel definition.

Debug info looks like december last year, something along like:

  untrust:10.1.2.7/36462->10.101.139.65/1024,1(8/0)<Root>
  no session found
  flow_first_sanity_check: in <untrust>, out <N/A>
  chose interface untrust as incoming nat if.
  flow_first_routing: in <untrust>, out <N/A>
  search route to (untrust, 10.1.2.7->10.101.139.65) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 7.route 10.101.139.65->10.101.139.65, to tunnel.5
  routed (x_dst_ip 10.101.139.65) from untrust (untrust in 0) to tunnel.5
  policy search from zone 1-> zone 1
 policy_flow_search  policy search nat_crt from zone 1-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 10.101.139.65, port 47853,
proto 1)
  No SW RPC rule match, search HW rule
  Permitted by policy 1
  No src xlate ## 2007-12-05 14:58:40 : NHTB entry search no found: vpn none tif tunnel.5 nexthop 10.101.139.65
  packet dropped, no way(tunnel) out

(this is not copied verbatim from the dbuf as it has scrolled out)

Can anybody say what's going wrong with my tunnels? Any hints will be
appreciated. If there is any information missing, I'll happily deliver
what you need to properly diagnose things.

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 3221 2323190
