Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - foo727

Pages: [1] 2 3 4 5 6
1
IDP / IDP on ISG performances
« on: June 23, 2009, 03:41:49 am »
Hi all,

i'm looking for informations about IDP on ISG1000 (with 1 or 2 cards) : performances, throughput... there are not a lot of things in the admin guide.
Thanks for your help.

2
NSM / NSMXpress webui access forbidden
« on: May 29, 2009, 08:15:23 am »
Hi all,

i have this problem on a NSMXpress 2008.2.r1 : when i log in, i can't see any pages; the only thing is : "You don't have permission to access /admin/nsm-inst-cm/ on this server."
I used the admin account.
Any idea ?
Thanks for your help.

3
NetScreen and SSG/ISG Series Firewalls / Re: syslog session
« on: April 15, 2009, 08:25:08 am »
Thanks Tim... that's what i thought but you confirmed !

4
NetScreen and SSG/ISG Series Firewalls / syslog session
« on: March 19, 2009, 10:06:34 am »
Hi all,

i noticed something weird, and i'd like to know if somebody can explain this behavior.

My SSG5 sends syslog messages to a server in the trust zone. Everything works fine.

A get session shows :

id 8052/s**,vsys 0,flag 00000040/0080/0021,policy 320000,time 6, dip 0 module 0
 if 3(nspflag 2002011):10.1.1.1/54430->10.1.1.5/514,17,000000000000,sess token 5,vlan 0,tun 0,vsd 0,route 0
 if 5(nspflag 800600):10.1.1.1/54430<-10.1.1.5/514,17,0014223d92fb,sess token 3,vlan 0,tun 0,vsd 0,route 3

I don't understand why I can see a return packet in the session table when we all know that syslog messages are sent to the server with 514/udp and the syslog server never sends any response back....
any idea ? thanks....

5
IDP / Re: IDP on ISG
« on: March 09, 2009, 05:39:27 am »
I know already these commands which are supported on IDP standalone.
With integrated IDP, you must add the exec sm # ksh "....

My problem is that when I run these commands, i get nothing.

In fact, this is a bug corrected by a patch (you just have to ask JTAC) : if you do a Control-C while the result of a command is displayed, something happens and results are not displayed anymore, even the webui is not working fine.

6
IDP / IDP on ISG
« on: February 24, 2009, 03:52:48 am »
Hi, i'm looking for a documentation about IDP on ISG. I looked in different pdf files without fnding anything about it. I know there is a CLI you can use with standard IDP but what about an integrated IDP (i heard about the exec sm x ksh, but most of the time it fails...)

Thanks for your help.


ISG1000 is version 6.1.r4

7
IDP / IDP profiler on integrated ISG
« on: February 24, 2009, 03:51:15 am »
Hi,

i'm trying to use the profiler on an ISG but nothing appears in the profiler section.
I already used it before on an IDP200 without any problem, but it doesn't seem to work.
Any idea ?

Thanks.

ISG1000 with 6.1.r4

8
NetScreen and SSG/ISG Series Firewalls / PBR policy with 2 VRs
« on: January 08, 2009, 09:06:06 am »
Hi all,

i'd like to use a PBR policy with 2 VRs. Here is the config :

2 vrs :
- private-vr (zone trust)
- trust-vr (zone untrust  + zone dmz)

Default route for private-vr is trust-vr
Default route  for trust-vr is our ISP.

So all traffic passes by untrust interface.
I want to pass ftp traffic through the dmz zone (in which there is a router which leads to another site)

I tried to create a pbr policy on the ingress VR (private-vr) but the problem is that i don't know what to specify for next-hop or next-interface : i tried the dmz next-hop router ip on dmz, i tried the dmz interface ip but everything fails during the route lookup (i can see in the debug flow basic : the pbr policy is matched but it can't find any route)

Any ideas ?

thanks for your help.

9
Ok so there is something i can't understand.
Why do i get a "route failed" when routes are available; i mean there is at least the default route !!

10
NetScreen and SSG/ISG Series Firewalls / Re: failed to update license key
« on: December 18, 2008, 09:31:01 am »
??? i don't understand your answer... i don't want to generate a license-key. I just want to know why i can't reach the juniper servers...

11
NetScreen and SSG/ISG Series Firewalls / Re: track-ip on vlan interface
« on: December 18, 2008, 07:31:23 am »
Should i understand that nobody knows if track-ip works with sub-interface ??

12
NetScreen and SSG/ISG Series Firewalls / Re: failed to update license key
« on: December 18, 2008, 07:30:17 am »
SSG550M in a NSRP cluster. why this question ?

13
NetScreen and SSG/ISG Series Firewalls / failed to update license key
« on: December 17, 2008, 08:53:29 am »
Hi,

i'm trying to update my license-key, but it fails. DNS is ok. Internet connection is ok.
ScreenOs is 6.1.0.R4.

See below :

xxxxxx:SSG1(M)-> exec license-key update
The device was unable to reach the entitlement server to retrieve license keys

Failed command - exec license-key update
xxxxxx:SSG1(M)-> ping www.google.fr
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to www.google.fr [209.85.129.147], timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=17/18/19 ms


Do you have any idea ?
Thanks for your help.

14
NetScreen and SSG/ISG Series Firewalls / Re: track-ip on vlan interface
« on: December 17, 2008, 05:18:36 am »
no one knows ???

15
NetScreen and SSG/ISG Series Firewalls / track-ip on vlan interface
« on: December 17, 2008, 03:52:21 am »
Hi all,

i'm trying to set track-ip on a vlan interface, but i have a problem with the syntax...
Is it possible ? it seems that it's impossible !!

16
Hi,

i found a command which solved the problem : set flow reverse-route tunnel prefer
Does anybody can explain me why the firewall tries to route lookup for a back packet ???

17
Hi folks,

i need your help.

I have an established route-based VPN between two SSGs.
When i try to ping a machine from one site to the other one, it does'nt work. What i see is :
- The packet goes through the tunnel (i can see it with a debug)
- the packet reaches the destination computer which answers back.
- the back packet arrives on the SSG and here is what i see with debug flow basic :

****** 22853.0: <Trust/ethernet0/0.1> packet received [128]******
  ipid = 50480(c530), @2d652114
  packet passed sanity check.
  ethernet0/0.1:172.20.3.2/1024->10.0.203.254/23400,1(0/0)<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 255286
  vsd 0 is active
  prepare route
  search route to (ethernet0/0.1, 172.20.3.2->10.0.203.254) in vr untrust-vr for vsd-0/flag-3000/ifp-tunnel.1
  no route to (172.20.3.2->10.0.203.254) in vr untrust-vr/0
  route to 0.0.0.0
  route failed to 10.0.203.254, nspflag=0x801
  ifp2 tunnel.1, out_ifp N/A, flag 00000801, tunnel 40000003, rc -1

I've never seen such an error message. Do you have any idea how to handle this ? I'm running out of ideas !
FYI, i just upgraded the SSG with version 6.1.0.r4.0.
Thanks for your help.

18
NetScreen and SSG/ISG Series Firewalls / Deep inspection sigpack
« on: December 04, 2008, 04:54:07 am »
Hi all,

i wonder how the signature packs are working ? i mean, to make deep inspection work, it seems that i have to buy a "signature pack" (base, server, client, worm). Can i buy several packs or only one ? how do you choose between the packs ?
Thanks for your answers.

19
Thanks for the explanations. For the first I can understand the meaning of set arp-always-on-dst.

20
NetScreen and SSG/ISG Series Firewalls / Re: CLI
« on: December 02, 2008, 04:31:28 am »
Correction : default ip is 192.168.1.1 ;) on trust interface or mgt interface (depending on the platform)

Pages: [1] 2 3 4 5 6