Show Posts

Topics - muppet

1
Suggestions/Feedback / Thank You (for reporting spam)
« on: March 03, 2011, 03:36:10 pm »
Hi,

I just want to take a minute to thank those people that report spam.

It makes moderating it so much easier, as we don't always remember to check the forum each day!

If you see a spam, please let us know by reporting the post.

Thanks very much to all those who do already.

Tim

2
Upgrades at the ready!

3
NetScreen and SSG/ISG Series Firewalls / Intra Zone Confusion!
« on: December 17, 2008, 09:50:57 am »
I'm a bit confused and I'm hoping a guru can help me.

I have a 5GT, running 6.2.0r1

I have a Trust zone and the Trust ethernet ports are in this zone.  I have allocated 192.160.1.0/24 to the Trust interface and I have a host, 192.168.1.50

I also have a Wireless2 Interface (10.1.1.0/24), which is WPA2 enabled.  It too has been put into the Trust zone.

I have checked my Trust Zone settings and "Block Intra-Zone Traffic" is not checked.

However, I still need to create a Policy "from Trust to Trust" with a permit statement, before my Wireless devices can access the 192.168.1.50 server.

Does anyone know why this is?  I could understand the need to create the Trust->Trust Allow policy if Intra Zone blocking was enabled, but it's not.

Is it due to the Global ANY->ANY Deny I have in place?

Also, is there a list somewhere of how the policies are evaluated (i.e. where in the chain the global policy is examined, where the intra-zone blocking is examined, etc.)?

4
Lots of bugfixes.

Share and enjoy.

Tim

5
NetScreen and SSG/ISG Series Firewalls / 5.4.0r9 is released
« on: February 28, 2008, 04:48:16 am »
Share and enjoy.

6
NetScreen and SSG/ISG Series Firewalls / How To Block Internet Crap
« on: October 31, 2007, 04:15:37 am »
I'm getting someone trying to connect a tunnel to my 5GT on a very consistent basis.  It's annoying, mostly because it fills the logs up.  It's the same IP address:
Code:
2007-10-31 00:54:47 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:54:32 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:54:14 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:53:59 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:53:57 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:53:20 info Received an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500/500. Cookies: 3b0428aec61d953d, 0000000000000000.
2007-10-31 00:53:19 info Rejected an IKE packet on untrust from 81.184.17.196:500 to 81.100.171.87:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,400.

Can I put a policy in place to just drop this traffic silently?  I know I can turn off IKE etc logging, but I want the logging, just not for this IP range.

There must be some IPSec vuln out there at the moment, as I'm seeing a lot more bogus traffic.
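An added example (not from the post, and not Juniper's code) that parses ScreenOS IKE log lines of the format quoted above and flags sources that keep sending malformed IKE packets, so the noise can be reviewed as a per-source summary rather than one line at a time. The sample log is constructed: only the message format follows the post, the addresses and timestamps are placeholders, and the threshold and window sizes are arbitrary assumptions.

```python
"""Parse ScreenOS 'Rejected/Received an IKE packet' log lines and flag
sources that repeatedly send malformed IKE packets.

Added example; the log format follows the lines quoted in the post, the
sample addresses and timestamps below are constructed placeholders."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common prefix of both the 'Rejected' and 'Received' variants.  The
# 'Received' variant writes the destination port as 'port/port'.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<level>\w+) "
    r"(?P<verb>Rejected|Received) an IKE packet on (?P<iface>\S+) "
    r"from (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+):(?P<dport>\d+)(?:/\d+)?"
)
# Reason and packet length are only present on 'Rejected' lines.
REASON_RE = re.compile(
    r"because (?P<reason>.+?)\.(?: packet length:,(?P<length>\d+)\.)?"
)

# Constructed sample: six rejects plus one accepted packet from one source
# within 90 seconds, and a single reject from a second source.
SAMPLE_LOG = """\
2007-10-31 00:54:47 info Rejected an IKE packet on untrust from 198.51.100.7:500 to 203.0.113.9:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:54:32 info Rejected an IKE packet on untrust from 198.51.100.7:500 to 203.0.113.9:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:54:14 info Rejected an IKE packet on untrust from 198.51.100.7:500 to 203.0.113.9:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:53:59 info Rejected an IKE packet on untrust from 198.51.100.7:500 to 203.0.113.9:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:53:57 info Rejected an IKE packet on untrust from 198.51.100.7:500 to 203.0.113.9:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
2007-10-31 00:53:20 info Received an IKE packet on untrust from 198.51.100.7:500 to 203.0.113.9:500/500. Cookies: 3b0428aec61d953d, 0000000000000000.
2007-10-31 00:53:19 info Rejected an IKE packet on untrust from 198.51.100.7:500 to 203.0.113.9:500 with cookies e238adc4d12455ee and 0000000000000000 because the peer used an invalid IKE header format. packet length:,400.
2007-10-31 00:40:02 info Rejected an IKE packet on untrust from 198.51.100.200:500 to 203.0.113.9:500 with cookies 0123456789abcdef and 0000000000000000 because the peer used an invalid IKE header format. packet length:,80.
"""


def parse_ike_line(line):
    """Return a dict for an IKE log line, or None if the line is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["reason"] = None
    ev["length"] = None
    r = REASON_RE.search(line)
    if r:
        ev["reason"] = r.group("reason")
        ev["length"] = int(r.group("length")) if r.group("length") else None
    return ev


def parse_log(text):
    """Parse every IKE line in a log dump, silently skipping other lines."""
    return [ev for ev in (parse_ike_line(l) for l in text.splitlines()) if ev]


def summarize_by_source(events):
    """Count (source IP, verb) pairs, e.g. how many rejects each peer caused."""
    return Counter((ev["src"], ev["verb"]) for ev in events)


def find_noisy_sources(events, threshold=5, window_seconds=120):
    """Map source IP -> largest number of rejected packets seen within any
    window of window_seconds, keeping only sources at or above threshold.
    The defaults are arbitrary assumptions, not ScreenOS settings."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["verb"] == "Rejected":
            by_src[ev["src"]].append(ev["ts"])
    noisy = {}
    for src, stamps in by_src.items():
        stamps.sort()
        best, start = 0, 0
        # Two-pointer sliding window over the sorted timestamps.
        for end in range(len(stamps)):
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            noisy[src] = best
    return noisy


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src, verb), n in sorted(summarize_by_source(evs).items()):
        print(f"{src:16} {verb:9} {n}")
    print("noisy sources:", find_noisy_sources(evs))
```

Run against a real log export the script would print one line per (source, verb) pair and then the sources that exceeded the burst threshold; the summary is what you would look at before deciding whether a source deserves its own log filter or address object.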

7
NetScreen and SSG/ISG Series Firewalls / FYI: 5.4.0r7 released!
« on: October 12, 2007, 07:58:05 am »
Nothing major.

8
NetScreen and SSG/ISG Series Firewalls / 5.3.0r10 is out
« on: September 13, 2007, 04:01:46 pm »
For those following the 5.3.0 train of code.  Share and enjoy.

9
NetScreen and SSG/ISG Series Firewalls / 5.4 can't poll SNMP
« on: November 11, 2006, 05:52:18 pm »
I have a 5GT-ADSL-Wireless I use at home.

Since upgrading to FW 5.4r2, I can no longer poll it for SNMP stats (basically I just run MRTG on it).

Here's the relevant bit of config:
Code:
fozzie-> get conf | inc snmp
unset interface wireless2 manage snmp
set snmp community "graphs" Read-Write Trap-on  traffic version v2c
set snmp host "graphs" 192.168.1.250 255.255.255.255 src-interface trust trap v2

I try and poll it from my machine 192.168.1.250 using cfgmaker (an MRTG tool)

Code:
rowlf:~> cfgmaker graphs@192.168.1.254:::::2
--base: Get Device Info on graphs@192.168.1.254:::::2
SNMP Error:
no response received
SNMPv2c_Session (remote host: "192.168.1.254" [192.168.1.254].161)
                   community: "graphs"
                  request ID: 1267933733
                 PDU bufsize: 8000 bytes
                     timeout: 2s
                     retries: 5
                     backoff: 1)
 at /usr/share/perl5/SNMP_util.pm line 627

Here's the debug from the 5GT (debug snmp process)

Code:
fozzie-> get db stream
snmp_api=>Parsing SNMPv2 message...
recv=>SNMPv2c message
recv snmp version: 1
recv=>community: graphs
skip authenticator.. need add this module for snmpV1/2c.
recv=>PDU ...
pdu parse:
        pdu message type 165
        request_id 1267933733
        error status 0
        error index 12
        VarBindList=> type 48 length 12
                snmp_parse_var_op

1.3.6.1.2.1.1.
                VarBind:type 5 val_len 0 value 5
                NULL
snmp_pdu_parse end.
snmp_parse_pdu no error

PROCESSCING RECEIVED SNMP PACKET.....
        need create an agent session
        snmp view check...
snmp_call_callbacks:
        start calling callbacks for maj=1 min=5
vacm view check: ver=1, community=graphs
debug snmp_udp_getSecName:
        resolve <"graphs", "192.168.1.250">
        compare <"graphs">
 found community graphs
        compare <"graphs",192.168.1.250/255.255.255.255>
 found 192.168.1.250255.255.255.255
vacm_in_view: ver=1, model=2, level=1,secName=192.168.1.250255.255.255.255
found security group group_192.168.1.250255.255.255.25
missing access
callback=>END calling callbacks for maj=1 min=5 (1 called)
access control check failed.

Does anyone have any idea why this no longer works?  If I roll back to 5.3 I can graph it without a problem.
I would love to know what the missing access line means.  Do I need a policy now to make this work??

It doesn't matter if I use snmpv1 or v2, neither seems to work.  Have I hit a bug do you think?

10
NetScreen and SSG/ISG Series Firewalls / 5.3.0r5 is out
« on: October 20, 2006, 12:40:33 am »
Just FYI!

I'm still hanging out for 5.4.0r2 though...

11
NetScreen and SSG/ISG Series Firewalls / 5.3.0r4 is out
« on: August 20, 2006, 05:43:25 pm »
And has been for a couple of weeks I think.  I guess most of you know this, but I thought I'd post this for those who don't know.

It doesn't include a fix for the ADSL PPPoA LCP keepalives being ignored, even though they have a 5.3.0r3+patch firmware available that fixes it.

I hope it makes it into 5.4.0r2 or 5.3.0r5!

Tim

12
NetScreen and SSG/ISG Series Firewalls / 5GT and Zones
« on: May 21, 2006, 07:01:25 pm »
The more I work with these 5GTs the more I both love and hate them at the same time.

I wish to set up a network that looks something like this:

                                     (Internet - Untrusted)
                                                       |
                                                       |
 (Bunch of Servers)-------------[5GT]--------------------------------(Bunch of PCs)


We need to be able to put rules between the PCs and the servers, both talking to each other and the 'net.

I ruled out using the "Untrust-Trust" of the 5GT because I wanted to put the servers and the PCs in different zones.  I thought the "Home-Work" mode would work nicely, I get 3 zones then (Untrusted, Work, Home) but there's a nice problem, in Home-Work mode there is a "Deny all traffic from Home->Work" which can't be removed, nor can rules be inserted above it.

How the hell do I do this?  I have only the basic license.

5GT-> get license-key
Sessions:           2064 sessions
Capacity:           10 users
NSRP:               Disable
VPN tunnels:        10 tunnels
Vsys:               None
Vrouters:           3 virtual routers
Zones:              7 zones
VLANs:              10 vlans

According to that, I can have up to 7 zones!  I can create a new zone, but I can only put it in L2 or Tunnel mode, that doesn't help.

I *must* be missing something am I?  Or do I need to upgrade to the Advanced license and use the DMZ zone?

It really frustrates me that the Home-Work zone has that stupid Deny All - That *has* to be there simply to cripple the box doesn't it?

13
[Apologies to those who read the qorbit netscreen mailing list, you will already have seen this.]

Hello,

I have a 5GT-ADSL (running factory 5.0.0r6.e firmware)

I am not currently using the ADSL interface, instead I am using the
Untrust Ethernet port.  The ADSL port is unplugged and this seems to be
my problem.

Everything's working fine, but I can't find a way to disable the ADSL
interface fully.  I've put it into the Null zone (you have to do this
for the Untrust port to work correctly) but that doesn't stop it putting
this in the log file every few minutes:

Code:
2006-04-13 11:50:08 notif ADSL Line Waiting for Activating.
2006-04-13 11:50:06 notif ADSL Line Down.
2006-04-13 11:50:06 notif ADSL Line Closed.

There's no way I can see to set the physical to down:

Code:
5gt-> set int adsl1 phy ?
operating-mode       ADSL operating mode
5gt-> set int adsl1 phy operating-mode ?
ansi-dmt             use ANSI T1.413 Issue 2 mode
auto                 auto negotiating with DSLAM
glite                use G.Lite mode
itu-dmt              use ITU G.992.1 mode


I've tried removing any pvc information:

Code:
unset interface adsl1 pvc
But it just returns it to the default (and doesn't stop the log messages):

Code:
5gt-> get config | inc adsl
set interface "adsl1" pvc 8 35 mux llc  zone "Null"

I've had a search on google and I can't find anything, so at the moment
I'm assuming that everyone who has a 5GT-ADSL is using the ADSL
interface (which would make sense really!)

Thanks,

Tim

14
Hello,

I've done a lot of searching but I can't find an answer to this one.

How well does the Netscreen handle Dynamic IPs on the Untrusted Interface?
My experience so far is not very good.

I have a 5GT ADSL Wireless that I'm using at home to teach myself all things NetScreen.  I'm trying to setup the simple things first of all and it's proving to be a bit of a challenge!

Here's my simple network "diagram":

ISP------[adsl]--------|Untrust Interface [[Netscreen]] Work Interface|-------------[wireless]-------PC

The IP on the Untrust Interface (The ADSL one) is assigned dynamically by my provider.  Each time I reboot the Netscreen, the IP changes.

If I start with no VIP config, reboot the box and setup a simple VIP so that traffic coming from port 7005 and 9981 is forwarded to the PC, all works well.  Here's the relevant config:
Code:
set service "BitTorrent" protocol tcp src-port 0-65535 dst-port 9981-9981
set service "BitTorrent" + udp src-port 0-65535 dst-port 9981-9981
set service "Skype" protocol tcp src-port 0-65535 dst-port 7005-7005
set service "Skype" + udp src-port 0-65535 dst-port 7005-7005

set interface adsl1 ip manageable
set interface adsl1 vip untrust 9981 "BitTorrent" 10.254.254.100
set interface adsl1 vip untrust 7005 "Skype" 10.254.254.100

set policy id 5 name "BT and Skype" from "Untrust" to "Work"  "Any" "VIP(adsl1)" "BitTorrent" permit
set policy id 5

It works great!  I can talk to my PC on 7005 and 9981 via the IP address of the ADSL interface on the same ports.  All well and good....Until I reboot!

Then I get this message in the log:

Warning:adsl1 still have VIP defined in old subnet.

And everything stops working.  These two lines disappear from the config altogether:
Code:
set interface adsl1 vip untrust 9981 "BitTorrent" 10.254.254.100
set interface adsl1 vip untrust 7005 "Skype" 10.254.254.100

I have to delete the Policy and the VIP config, then recreate it before it'll start working again.

I must be doing something wrong, because I can't believe that a device with an ADSL interface wouldn't be more flexible when it comes to dynamic IP addresses.  In the config I do not see anywhere where the VIP command mentions the IP Address; the only command really is the "set adsl1 vip", but that to me says it takes its config from whatever IP address is currently assigned to adsl1.

Has anyone had this problem before?  Am I going about this in the wrong way?  I need to be able to reboot the box/have the dynamically assigned IP change without having to redo config all the time.

A bit more info about the box:
Code:
port_mode=home-work
Product Name: NetScreen-5GTADSL
Serial Number: 0127032005001273, Control Number: 00000000
Hardware Version: 1010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.3.0r2.0, Type: Firewall+VPN
Feature: AV-K
Compiled by build_master at: Fri Dec 9 19:25:48 PST 2005

15
NetScreen and SSG/ISG Series Firewalls / ADSL Packet Loss
« on: March 20, 2006, 03:27:35 am »
Hello,

I have a newly purchased NetScreen-5GTADSL (Wireless) that I'm just getting to grips with.  I'm planning on taking the Juniper Netscreen Exam (forget what it's called, the first one) once I've had a lot of hands on.

I have the box up and working fine, doing everything I want without problems, except for the fact that after it's been up and running for a while, the ADSL (PPPoA) interface (Untrust) starts to drop packets.  The first time I noticed it, the packet loss was really bad (~70%), the second time ~20%, and I have just again noticed it at only ~10%.

When I see it happen, I try disconnecting and reconnecting the PPPoA via the web GUI, but this doesn't fix it.  In fact I haven't found anything that does fix it, apart from reset or pulling the power.  I haven't tried unplugging the ADSL cable, but I'll try that next time.

I have seen this both with the FW the device shipped with (5.0.0r6) and having just upgraded it to 5.3.0r2.

My questions:

1) Has anyone seen anything like this before?
2) What are some suggested things to try to fix it?
3) What are some good commands to run that I can show people here that might help pinpoint the problem?

I should also mention I have another ADSL box here that has worked flawlessly for the last 6 months, so I very much doubt it's a problem with my ADSL line/ISP, though that is something I haven't fully ruled out.  I'm using exactly the same phone cable etc as I always have, the only "new" thing in the network is the 5GT.

I'm worried that I have some weird hardware fault.  I hope not though, because even though I only bought the box 2 days ago, it actually shipped from Juniper to the supplier I purchased it from.  So Juniper won't help me if I DO have any problems.  It was hard enough getting ScreenOS 5.3!

Any help/suggestions appreciated.
