Show Posts



Messages - muppet

Pages: 1 2 3 4 [5] 6 7 8 9 10 11
81
NetScreen and SSG/ISG Series Firewalls / Re: Url Filtering
« on: January 17, 2008, 03:07:52 am »
You must be blocking the images and other sites.  Make sure you're allowing ALL facebook sites, not just facebook.com.

img.facebook.com and other such hosts.  Put in a *.facebook.com rule.

82
NetScreen and SSG/ISG Series Firewalls / Re: Netscreen 5GT : CRTI level
« on: January 17, 2008, 03:05:38 am »
Something is using all your sessions up, so the NS is complaining about that.  You need to find out what is using them all.

Connect to the netscreen via telnet/ssh/console and run the command "get session"

Look at the output there, find whatever is causing the large number of sessions.  You will probably find one source IP address (from within your network) making lots of outbound connections.  Probably bittorrent or something similar.

The way to fix it is to

a) Stop the source that's using all your sessions

or

b) Set the timeout on protocols much lower, so sessions age quicker.

83
NetScreen and SSG/ISG Series Firewalls / Re: Connection Speed
« on: January 15, 2008, 07:49:10 am »
I have a 5GT with a large number of the options turned on (on the untrust interface only that is)

I can still get some blazing download speeds, so you almost certainly have something else going on.

Do you see anything in the logs when you experience this slow down?  You might be getting heaps of fragmented traffic.

84
nwroot: Sadly I think you've been led down the wrong path with the PBR suggestion.

PBR is just routing traffic a different way, based on policy.  It doesn't change the destination address of the packets it processes, which is what you're asking for above.

So even if you can make traffic arrive at the .12 address, it's going to see packets addressed to .1 and ignore them.  Well, it won't even look at packets that aren't addressed to it directly, unless the interface is in promisc mode.

What you're after is some form of NAT, that rewrites .12 to .1 and then rewrites it back on the return.  How to go about configuring this, I'm sorry, I don't know.

I'm 99% sure that PBR isn't the answer here, PBR gives you the option of routing traffic out a different interface/path than what the standard routing table specifies, not the ability to rewrite the destination address.

85
NetScreen and SSG/ISG Series Firewalls / Re: ScreenOS 5.4r8 is out
« on: November 30, 2007, 08:17:49 am »
Ooooh, shiny new things.

Thanks for the heads up.

86
Yes, but it only works in trust-untrust mode, which is what his major complaint is about (I think)

87
NetScreen and SSG/ISG Series Firewalls / Re: How To Block Internet Crap
« on: November 12, 2007, 03:51:15 am »
@MaxPipeline: Thanks for your reply, you have stated what I thought was probably true.

It's not a big deal, it's just annoying in my logs.  It appears to have stopped mostly in the last few days, so, touch wood, I won't have to worry about it too much anymore.

Thanks everyone for your help.

88
The ScreenOS technical docs are helpful to some degree:
http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/index.html
Specifically: http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/Msg.pdf

You didn't mention what ScreenOS version, but for 5.4 this is in the Msg.pdf for your message:

Code:
Critical
Message SCAN-MGR: Check AV pattern file failed with error code: <string>.
Meaning The device was unable to use the specified pattern file. The error string provides
information you need to get help from Juniper Networks technical support.
Action If this error persists, contact Juniper Networks technical support:
Open a support case using the Case Manager link at www.juniper.net/support
Call 1-888-314-JTAC (within the United States) or 1-408-745-9500 (outside the
United States).
(Note: You must be a registered Juniper Networks customer.)

I realise this post wasn't that helpful from a "what's actually causing it" point of view, but based on your error message I think the only people that can answer it properly would be Juniper themselves.

89
NetScreen and SSG/ISG Series Firewalls / Re: If upgrade Screen OS failed...
« on: November 09, 2007, 04:43:55 am »
If it fails for some reason (and I very much doubt that it will) you will have to go visit the device with a console cable.   You can then reboot it and during the bootloader sequence you can set it up so that it gets an image via TFTP.

So to answer your question: No, but you can recover from a failed upgrade.

90
NetScreen and SSG/ISG Series Firewalls / Re: How To Block Internet Crap
« on: November 05, 2007, 07:19:27 am »
Well it was a good idea, but it doesn't work.  The NS is still publishing messages for it in the "root" log, not the policy log.

Any other suggestions?  I'm thinking that it's something that can't be controlled, the NS automatically picks up IPSEC traffic where it's the destination address.

91
NetScreen and SSG/ISG Series Firewalls / Re: How To Block Internet Crap
« on: November 01, 2007, 07:45:50 am »
@kcullimo: Good suggestion, thanks.  I have put an untrust->untrust policy in to deny and log, I'll see how it goes and post back with progress.

92
NetScreen and SSG/ISG Series Firewalls / Re: How To Block Internet Crap
« on: October 31, 2007, 06:38:00 am »
I don't have any VPN rules in, that's the thing.  My ruleset is basically bare.

What type of rule would I make to block it, from Untrust->Trust?  Or in the Global zone?  I already have a deny-deny in the global zone:
Code:
set policy global id 7 from "Global" to "Global"  "Any-IPv4" "Any-IPv4" "ANY" deny log
set policy id 7

The logs I've posted don't correspond to the above "deny log", that's the problem.  The logs above appear in the usual system log, not the policy log.

I have no doubt that the person/thing trying to establish a VPN to my 5GT is trying to exploit some IPSec hole, all the log messages say it's an invalid IKE header format.

93
NetScreen and SSG/ISG Series Firewalls / How To Block Internet Crap
« on: October 31, 2007, 04:15:37 am »
I'm getting someone trying to connect a tunnel to my 5GT on a very consistent basis.  It's annoying,  mostly because it fills the logs up.  It's the same IP address:
Code:
2007-10-31 00:54:47 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:54:32 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:54:14 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:53:59 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:53:57 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:53:20 info Received an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500/500. Cookies: 3b0428aec61d953d, 0000000000000000.
2007-10-31 00:53:19 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,400.

Can I put a policy in place to just drop this traffic silently?  I know I can turn off IKE etc logging, but I want the logging, just not for this IP range.

There must be some IPSec vuln out there at the moment, as I'm seeing a lot more bogus traffic.
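One way to confirm what the log lines above show (a single source producing a steady stream of rejected IKE packets) before deciding between a deny-and-log policy and turning IKE logging down: parse the ScreenOS IKE log lines, aggregate per source IP, and flag any source over a reject threshold. This is an added example, not code from the post or from Juniper; the log format is taken from the lines quoted above, the eighth sample line (source 192.0.2.10) is constructed, and the threshold of 5 rejects is an assumption chosen for the example, not a ScreenOS setting.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample input: the first seven lines are the ones quoted in the
# post above; the last line is a made-up second source (RFC 5737 test address)
# added so the threshold filter has something to leave out.
SAMPLE_LOG = """\
2007-10-31 00:54:47 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:54:32 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:54:14 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:53:59 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:53:57 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:53:20 info Received an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500/500. Cookies: 3b0428aec61d953d, 0000000000000000.
2007-10-31 00:53:19 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,400.
2007-10-31 00:55:10 info Rejected an IKE packet on untrust from 192.0.2.10:500 to 81.100.171.87:500 with cookies 0123456789abcdef and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
"""

# Matches both the "Rejected" and the "Received" line shapes seen above.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"(?P<verb>Rejected|Received) an IKE packet on (?P<iface>\w+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?P<rest>.*)$"
)
# Reject reason and packet length live in the tail of a "Rejected" line.
REASON_RE = re.compile(r"because (?P<reason>.+?)\.\s*packet length:,(?P<length>\d+)")


def parse_line(line):
    """Parse one ScreenOS IKE log line into a dict; None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "verb": m.group("verb"),
        "iface": m.group("iface"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "reason": None,
        "length": None,
    }
    r = REASON_RE.search(m.group("rest"))
    if r:
        entry["reason"] = r.group("reason")
        entry["length"] = int(r.group("length"))
    return entry


def summarize(lines):
    """Per source IP: reject/receive counts, reasons seen, first/last time."""
    summary = {}
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        s = summary.setdefault(e["src"], {
            "rejected": 0, "received": 0, "reasons": Counter(),
            "first": e["ts"], "last": e["ts"],
        })
        s["rejected" if e["verb"] == "Rejected" else "received"] += 1
        if e["reason"]:
            s["reasons"][e["reason"]] += 1
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
    return summary


def rejects_per_minute(stats):
    """Reject rate over the observed span (floor of one minute avoids /0)."""
    span = (stats["last"] - stats["first"]).total_seconds()
    return stats["rejected"] * 60.0 / max(span, 60.0)


def noisy_sources(summary, min_rejects=5):
    """Sources at or above the reject threshold, busiest first.
    The default threshold is an assumption for this example."""
    hits = [(src, s["rejected"]) for src, s in summary.items()
            if s["rejected"] >= min_rejects]
    return [src for src, _ in sorted(hits, key=lambda x: -x[1])]


def report(log_text):
    summary = summarize(log_text.splitlines())
    for src in noisy_sources(summary):
        s = summary[src]
        print(f"{src}: {s['rejected']} rejected, {s['received']} received, "
              f"{rejects_per_minute(s):.1f} rejects/min, "
              f"reasons={dict(s['reasons'])}")
    return summary


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

Run against a saved copy of the system log, this gives the per-source count and rate that justify a source-specific deny-and-log policy while leaving IKE logging on for everyone else.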

94
NetScreen and SSG/ISG Series Firewalls / Re: NS 5GT ADSL WIRELESS
« on: October 23, 2007, 09:42:15 am »
Read the knowledge base articles for a guide on how to setup a VPN.

As for running out of sessions, reduce the timeouts on any custom services you created for your VIP.  If you don't do this, you can find when running bittorrent that you quickly run out of sessions.

95
As I remember, v5.0 didn't support firefox when using the WebUI very well, only IE.

If possible coleman I would look at upgrading to at least 5.3 if not 5.4, WebUI seems to work fine with both Firefox and IE in both SSL and HTTP mode.

Not much help though, was I?

96
No, it will not magically auto-downgrade.
You're writing the upgrade image to the device's flash, which can only hold one firmware image at a time.

Take a backup of all configuration files before you do the upgrade. If you need to downgrade then you will have to reinstall the older firmware onto the device, then restore the configuration you saved (as newer firmwares introduce newer commands that old firmwares don't understand).

By the way, 5.3.0r10 is the latest ScreenOS version of 5.3

97
NetScreen and SSG/ISG Series Firewalls / FYI: 5.4.0r7 released!
« on: October 12, 2007, 07:58:05 am »
Nothing major.

98
NetScreen and SSG/ISG Series Firewalls / Re: NS5GT ADSL PPTP Pass thru
« on: October 07, 2007, 08:16:54 am »
Do this, and we'll see if there's anything obvious

99
NetScreen and SSG/ISG Series Firewalls / Re: NS5GT ADSL PPTP Pass thru
« on: October 06, 2007, 04:06:56 pm »
Your Trust interface must be in NAT mode too, not route.

100
NetScreen and SSG/ISG Series Firewalls / Re: VIP not working; please help
« on: October 04, 2007, 03:07:13 pm »
You are doing something stupid, yes ;)

You need to add a policy with the destination of the VIP.  It should look like this:

set policy id 4 name "SecureWEB" from "Untrust" to "Trust"  "Any" "VIP(untrust)" "HTTPS" permit

The destination isn't the 192.168 address, that is defined when you create the VIP and tell it what the destination IP is.  When you go to create the policy, you will notice that VIP(Untrust) is an option in the "Destination" address book entry pulldown.

More Info:
Code:
fozzie-> get policy
Total regular policies 6, Default deny.
    ID From     To       Src-address  Dst-address  Service              Action State   ASTLCB
     4 Untrust  Trust    Any          VIP(untrust) HTTPS              Permit enabled -----X
