
Topics - foo727

1
IDP / IDP on ISG performances
« on: June 23, 2009, 03:41:49 am »
Hi all,

I'm looking for information about IDP on ISG1000 (with 1 or 2 cards): performance, throughput... There is not a lot about it in the admin guide.
Thanks for your help.

2
NSM / NSMXpress webui access forbidden
« on: May 29, 2009, 08:15:23 am »
Hi all,

I have this problem on an NSMXpress 2008.2.r1: when I log in, I can't see any pages; the only thing I get is: "You don't have permission to access /admin/nsm-inst-cm/ on this server."
I used the admin account.
Any idea?
Thanks for your help.

3
NetScreen and SSG/ISG Series Firewalls / syslog session
« on: March 19, 2009, 10:06:34 am »
Hi all,

I noticed something weird, and I'd like to know if somebody can explain this behavior.

My SSG5 sends syslog messages to a server in the trust zone. Everything works fine.

A get session shows:

id 8052/s**,vsys 0,flag 00000040/0080/0021,policy 320000,time 6, dip 0 module 0
 if 3(nspflag 2002011):10.1.1.1/54430->10.1.1.5/514,17,000000000000,sess token 5,vlan 0,tun 0,vsd 0,route 0
 if 5(nspflag 800600):10.1.1.1/54430<-10.1.1.5/514,17,0014223d92fb,sess token 3,vlan 0,tun 0,vsd 0,route 3

I don't understand why I can see a return packet in the session table when we all know that syslog messages are sent to the server on 514/udp and the syslog server never sends any response back....
Any idea? Thanks....

4
IDP / IDP on ISG
« on: February 24, 2009, 03:52:48 am »
Hi, I'm looking for documentation about IDP on ISG. I looked in different PDF files without finding anything about it. I know there is a CLI you can use with standard IDP, but what about an integrated IDP (I heard about the exec sm x ksh, but most of the time it fails...)

Thanks for your help.


The ISG1000 is on version 6.1.r4

5
IDP / IDP profiler on integrated ISG
« on: February 24, 2009, 03:51:15 am »
Hi,

I'm trying to use the profiler on an ISG but nothing appears in the profiler section.
I already used it before on an IDP200 without any problem, but here it doesn't seem to work.
Any idea?

Thanks.

ISG1000 with 6.1.r4

6
NetScreen and SSG/ISG Series Firewalls / PBR policy with 2 VRs
« on: January 08, 2009, 09:06:06 am »
Hi all,

I'd like to use a PBR policy with 2 VRs. Here is the config:

2 VRs:
- private-vr (zone trust)
- trust-vr (zone untrust + zone dmz)

Default route for private-vr is trust-vr.
Default route for trust-vr is our ISP.

So all traffic passes through the untrust interface.
I want to pass FTP traffic through the dmz zone (in which there is a router which leads to another site).

I tried to create a PBR policy on the ingress VR (private-vr), but the problem is that I don't know what to specify for next-hop or next-interface: I tried the next-hop router IP on dmz, I tried the dmz interface IP, but everything fails during the route lookup (I can see in the debug flow basic that the PBR policy is matched but it can't find any route).

Any ideas?

Thanks for your help.

7
NetScreen and SSG/ISG Series Firewalls / failed to update license key
« on: December 17, 2008, 08:53:29 am »
Hi,

I'm trying to update my license key, but it fails. DNS is OK. Internet connection is OK.
ScreenOS is 6.1.0.R4.

See below:

xxxxxx:SSG1(M)-> exec license-key update
The device was unable to reach the entitlement server to retrieve license keys

Failed command - exec license-key update
xxxxxx:SSG1(M)-> ping www.google.fr
Type escape sequence to abort

Sending 5, 100-byte ICMP Echos to www.google.fr [209.85.129.147], timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=17/18/19 ms


Do you have any idea?
Thanks for your help.

8
NetScreen and SSG/ISG Series Firewalls / track-ip on vlan interface
« on: December 17, 2008, 03:52:21 am »
Hi all,

I'm trying to set track-ip on a VLAN interface, but I have a problem with the syntax...
Is it possible? It seems that it's impossible!!

9
Hi folks,

I need your help.

I have an established route-based VPN between two SSGs.
When I try to ping a machine from one site to the other one, it doesn't work. What I see is:
- The packet goes through the tunnel (I can see it with a debug)
- The packet reaches the destination computer, which answers back.
- The return packet arrives on the SSG, and here is what I see with debug flow basic:

****** 22853.0: <Trust/ethernet0/0.1> packet received [128]******
  ipid = 50480(c530), @2d652114
  packet passed sanity check.
  ethernet0/0.1:172.20.3.2/1024->10.0.203.254/23400,1(0/0)<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 255286
  vsd 0 is active
  prepare route
  search route to (ethernet0/0.1, 172.20.3.2->10.0.203.254) in vr untrust-vr for vsd-0/flag-3000/ifp-tunnel.1
  no route to (172.20.3.2->10.0.203.254) in vr untrust-vr/0
  route to 0.0.0.0
  route failed to 10.0.203.254, nspflag=0x801
  ifp2 tunnel.1, out_ifp N/A, flag 00000801, tunnel 40000003, rc -1

I've never seen such an error message. Do you have any idea how to handle this? I'm running out of ideas!
FYI, I just upgraded the SSG to version 6.1.0.r4.0.
Thanks for your help.
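Added example (not part of the post above, and not Juniper code): a small Python parser for `debug flow basic` output that splits the trace into per-packet records and pulls out the 5-tuple, whether an existing session was matched, and, for the route lookup, which virtual router and interface the lookup was tied to and whether it succeeded. Those three fields (here `untrust-vr`, `flag-3000`, `tunnel.1`) are the first things to compare against `get route` on the box. The first trace in the sample is the one from the post; the second, successful trace is constructed in the same shape and is hypothetical.

```python
"""Parse ScreenOS `debug flow basic` output and flag packets whose route lookup failed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the first trace is the one from the post above; the second
# (a successful lookup) is hypothetical, written in the same shape for contrast.
SAMPLE = """\
****** 22853.0: <Trust/ethernet0/0.1> packet received [128]******
  ipid = 50480(c530), @2d652114
  packet passed sanity check.
  ethernet0/0.1:172.20.3.2/1024->10.0.203.254/23400,1(0/0)<Root>
  existing session found. sess token 3
  flow got session.
  flow session id 255286
  vsd 0 is active
  prepare route
  search route to (ethernet0/0.1, 172.20.3.2->10.0.203.254) in vr untrust-vr for vsd-0/flag-3000/ifp-tunnel.1
  no route to (172.20.3.2->10.0.203.254) in vr untrust-vr/0
  route to 0.0.0.0
  route failed to 10.0.203.254, nspflag=0x801
  ifp2 tunnel.1, out_ifp N/A, flag 00000801, tunnel 40000003, rc -1
****** 22860.0: <Trust/ethernet0/0.1> packet received [84]******
  ipid = 50481(c531), @2d652220
  packet passed sanity check.
  ethernet0/0.1:172.20.3.2/1025->10.0.203.254/23401,1(8/0)<Root>
  no session found
  search route to (ethernet0/0.1, 172.20.3.2->10.0.203.254) in vr trust-vr for vsd-0/flag-0/ifp-null
  routed (x_dst_ip 10.0.203.254) from ethernet0/0.1 (ethernet0/0.1 in 0) to tunnel.1
"""

HDR = re.compile(r"^\*+ (?P<ts>[\d.]+): <(?P<zone>[^/>]+)/(?P<ifp>[^>]+)> packet received \[(?P<size>\d+)\]")
TUPLE = re.compile(r"^(?P<ifp>\S+?):(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+),(?P<proto>\d+)")
SEARCH = re.compile(r"^search route to \([^,]+, [\d.]+->[\d.]+\) in vr (?P<vr>\S+) "
                    r"for vsd-\d+/flag-(?P<flag>\w+)/ifp-(?P<ifp>\S+)")
NOROUTE = re.compile(r"^no route to \([\d.]+->[\d.]+\) in vr ")
ROUTED = re.compile(r"^routed \(x_dst_ip [\d.]+\) from \S+ \([^)]*\) to (?P<out_ifp>\S+)")


@dataclass
class PacketTrace:
    ts: str
    in_zone: str
    in_ifp: str
    src: str = ""
    sport: int = 0
    dst: str = ""
    dport: int = 0
    proto: int = 0
    session: str = "unknown"           # "existing" / "new" / "unknown"
    lookup_vr: Optional[str] = None    # virtual router the route lookup ran in
    lookup_flag: Optional[str] = None  # flag-xxxx value from the search line
    lookup_ifp: Optional[str] = None   # interface the lookup was tied to ("null" if none)
    route_ok: Optional[bool] = None    # None = no lookup result seen in the trace
    out_ifp: Optional[str] = None


def parse_debug_flow(text: str) -> List[PacketTrace]:
    """Split the trace into per-packet records, one per '****** ... packet received' header."""
    traces: List[PacketTrace] = []
    cur: Optional[PacketTrace] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HDR.match(line)):
            cur = PacketTrace(m["ts"], m["zone"], m["ifp"])
            traces.append(cur)
        elif cur is None:
            continue                                   # text before the first header
        elif (m := TUPLE.match(line)):
            cur.src, cur.dst = m["src"], m["dst"]
            cur.sport, cur.dport, cur.proto = int(m["sport"]), int(m["dport"]), int(m["proto"])
        elif line.startswith("existing session found"):
            cur.session = "existing"
        elif line.startswith("no session found"):
            cur.session = "new"
        elif (m := SEARCH.match(line)):
            cur.lookup_vr, cur.lookup_flag, cur.lookup_ifp = m["vr"], m["flag"], m["ifp"]
        elif NOROUTE.match(line) or line.startswith("route failed to"):
            cur.route_ok = False                       # "route to 0.0.0.0" on its own is not a hit
        elif (m := ROUTED.match(line)):
            cur.route_ok, cur.out_ifp = True, m["out_ifp"]
    return traces


def failed_route_lookups(traces: List[PacketTrace]) -> List[PacketTrace]:
    """Packets whose route lookup explicitly failed."""
    return [t for t in traces if t.route_ok is False]


def describe(t: PacketTrace) -> str:
    """One-line summary suitable for grepping a long debug capture."""
    verdict = {True: f"routed out {t.out_ifp}", False: "NO ROUTE", None: "no lookup seen"}[t.route_ok]
    return (f"{t.ts} {t.in_zone}/{t.in_ifp} {t.src}:{t.sport}->{t.dst}:{t.dport} proto {t.proto} "
            f"session={t.session} lookup vr={t.lookup_vr} flag={t.lookup_flag} ifp={t.lookup_ifp}: {verdict}")


if __name__ == "__main__":
    for t in parse_debug_flow(SAMPLE):
        print(describe(t))
```

Feed it the output of `debug flow basic` (after `get dbuf stream`) and read the `lookup vr=... ifp=...` fields of any `NO ROUTE` line: the lookup runs in one specific VR, and a route present in another VR does not help it.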

10
NetScreen and SSG/ISG Series Firewalls / Deep inspection sigpack
« on: December 04, 2008, 04:54:07 am »
Hi all,

I wonder how the signature packs work? I mean, to make deep inspection work, it seems that I have to buy a "signature pack" (base, server, client, worm). Can I buy several packs or only one? How do you choose between the packs?
Thanks for your answers.

11
NetScreen and SSG/ISG Series Firewalls / ESP in p1-proposal ???
« on: November 14, 2008, 06:12:08 am »
Hi all,

Does anybody know why I have the possibility to create a p1-proposal with ESP??? I thought ESP is negotiated only during phase 2!!!!!
Thanks for your help.

12
NSM / Job in progess
« on: October 30, 2008, 05:23:31 am »
Hi all,

Let's say I'm running an 'update' job. The problem is that the boxes are not reachable.
I'd like to stop the job but there is no way to do it.
How can I stop or delete a job which is in progress?
Is there any timeout?

Thanks

13
NSM / template question
« on: October 30, 2008, 04:14:37 am »
Hi all,

I have an SSG5 on which I set up an IP on the untrust interface and enabled SSH on it (for management purposes).
I add/import it in my NSMXpress and everything works fine.

Now I want to add a new route to the trust-vr and I decide to do this through a template.
So I create a new template, with a VR (named trust-vr), a zone (untrust), an interface (named ethernet0, which is the outgoing interface) with an IP, and a route in the VR.
When I update the device with the new template, it seems that I lose the NSM connection and the box reboots...
How can I do that??
Thanks for your help.

14
NSM / NSMXpress upgrade
« on: October 30, 2008, 03:28:34 am »
Hi guys,

I have a question about the reinstall option on NSMXpress.
When I use the reinstall option, a 2007.2.r1 version is installed, so I have to upgrade it every time.
Is it possible to update the version on the "backup partition" so that when I use the reinstall option, it restores a 2007.3r1 for example?

thanks for your help.


15
NetScreen and SSG/ISG Series Firewalls / Understanding ALGs
« on: July 30, 2008, 06:55:47 am »
Hi all,

I'd like to understand something.
Imagine I have an application running on port 2000.
We all know that port tcp/2000 is used by SCCP.
If I set up a rule any any any permit, how will my application be handled? I mean, will it be handled by the SCCP ALG? If so, will it be dropped because it's not SCCP but another service?
Thanks for your help.

16
NetScreen and SSG/ISG Series Firewalls / Meshed VPN
« on: March 06, 2008, 12:02:51 pm »
Hi all,

I want to set up a VPN between 3 SSG20s using only 1 tunnel interface on each firewall (with NHTB).

First I tried with a hub-and-spoke topology: one central site (with 1 tunnel interface, plus routes with gateways) and 2 spokes.
This configuration works fine.

But when I try to set up a meshed topology, it doesn't work.
It seems like only one site works fine. On the other sites all tunnels are down; on these sites, if I unbind the tunnel interface from one of the VPNs, one of the VPNs works fine. ???

I wonder if NHTB works with a meshed topology....
Any idea? Thanks for your help.

17
NSM / NSM xpress 2007.2r1 updates
« on: February 28, 2008, 07:01:36 am »
Hi all,

For the first time, I try to use the NSMXpress box.
I see in nsm_setup that I can update the device:

Quote
NSMXpress Settings Menu

1> Change Password
2> Set Interfaces
3> Set Routing
4> Change Hostname
5> Set DNS Servers
6> Change Time Options
7> Forward Local Status Emails
8> System Security Update
9> Reconfigure NSM Regional Server

After configuring IP address, DNS, routes, etc.... I tried, but it didn't work:

Quote
Choice [1-9,Q,R]: 8
1> Check for and Install security updates now.
2> Disable automatic security updates.
3> Check for and Install new NSMXpress version.
4> Set Proxy for security update check

M> Return to Main Menu
R> Redraw menu

Choice [1-4,M,R]: 3

This check will occur immediately. Continue? [y/N] Setting up Upgrade Process
Setting up repositories
Reading repository metadata in from local files
Could not find update match for nsmxpress-release
No Packages marked for Update/Obsoletion
Setting up Upgrade Process
Setting up repositories
Reading repository metadata in from local files
No Packages marked for Update/Obsoletion
Press [Enter] to continue

I checked the internet connection and also the actual version of NSM:

Quote
[admin@NSMXpress ~]$ /usr/netscreen/DevSvr/bin/devSvr.sh version
/bin/sed: can't read /usr/netscreen/HaSvr/var/haSvr.cfg: Permission denied
Retrieving version information...
devSvrDbSvr PostgreSQL 8.1.7
devSvrManager 2007.2r1 (Build LGB8z1eo)
devSvrLogWalker 2007.2r1 (Build LGB8z1eo)
devSvrDataCollector 2007.2r1 (Build LGB8z1eo) 07/20/07
devSvrDirectiveHandler 2007.2r1 (Build LGB8z1eo) 07/20/07
devSvrProfilerMgr 2007.2r1 (Build LGB8z1eo)
devSvrStatusMonitor 2007.2r1 (Build LGB8z1eo)
[admin@NSMXpress ~]$

Maybe I should update it manually? If yes, what is the purpose of the update option through nsm_setup?
Any idea?

Thanks for your help !

18
NetScreen and SSG/ISG Series Firewalls / NSRP Lite
« on: February 25, 2008, 04:03:31 am »
Hi all,

I have already set up NSRP but never NSRP Lite.
I know sessions are not synced with NSRP Lite, and I read that you HAVE to use 2 different ISPs for the untrust interfaces.
Is it true? Or can I use 2 untrust interfaces in the same subnet?

This is an emergency. Thanks for your answers...

19
NetScreen and SSG/ISG Series Firewalls / session not synced
« on: January 30, 2008, 11:15:31 am »
Hi all,

I set up two ISG 2000s with NSRP. Everything works fine except when I run an FTP transfer, I remove a cable, and the session is broken.
I issue a get session on the master (which is now ineligible) and I see the FTP sessions.
On the backup (which is now master): no FTP sessions!!

I think my config is OK. NSRP runs with vsd 0. I set up the rto-mirror.

Could it be a license problem? Here is what I get with a "get license":

MASTER :

Model:              Advanced
Sessions:           524288 sessions
Capacity:           unlimited number of users
NSRP:               ActiveActive
VPN tunnels:        10000 tunnels
Vsys:               None
Vrouters:           3 virtual routers
Zones:              34 zones
VLANs:              2000 vlans
Drp:                Enable
Deep Inspection:    Enable
Deep Inspection Database Expire Date: Disable
Signature pack:     Signature update key is missing
IDP:                Disable
AV:                 Enable(1)
Anti-Spam:          Disable(0)
Url Filtering:      Disable



BACKUP :


Model:              Baseline
Sessions:           262144 sessions
Capacity:           unlimited number of users
NSRP:               ActivePassive
VPN tunnels:        1000 tunnels
Vsys:               None
Vrouters:           3 virtual routers
Zones:              34 zones
VLANs:              100 vlans
Drp:                Disable
Deep Inspection:    Disable
Deep Inspection Database Expire Date: Disable
Signature pack:     N/A
IDP:                Disable
AV:                 Enable(1)
Anti-Spam:          Disable(0)
Url Filtering:      Disable



Here is the config:

MASTER :


set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
unset alg sip enable
unset alg mgcp enable
unset alg sccp enable
unset alg sunrpc enable
unset alg msrpc enable
unset alg sql enable
unset alg h323 enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1/1" zone "Trust"
set interface "ethernet1/2" zone "DMZ"
set interface "ethernet1/3" zone "Untrust"
set interface "ethernet1/4" zone "HA"
unset interface vlan1 ip
set interface mgt ip 192.168.1.1/24
set interface ethernet1/1 ip 1.1.1.1/24
set interface ethernet1/1 route
set interface ethernet1/2 ip 2.2.2.1/24
set interface ethernet1/2 route
set interface ethernet1/3 ip 3.3.3.1/24
set interface ethernet1/3 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1/1 manage-ip 1.1.1.11
unset interface ethernet1/1 ip manageable
set interface ethernet1/2 ip manageable
set interface ethernet1/3 ip manageable
set interface ethernet1/1 manage mtrace
set interface ethernet1/3 manage ping
set interface ethernet1/3 manage ssh
set interface ethernet1/3 manage telnet
set interface ethernet1/3 manage snmp
set interface ethernet1/3 manage ssl
set interface ethernet1/3 manage web
set interface ethernet1/3 manage mtrace
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp rto-mirror session non-vsi
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp monitor interface ethernet1/1
set nsrp monitor interface ethernet1/2
set nsrp monitor interface ethernet1/3
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set icap av-vendor-id symantec-5
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log
set policy id 2
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet1/3 gateway 3.3.3.254
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit


BACKUP :

set clock timezone 0
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
unset alg sip enable
unset alg mgcp enable
unset alg sccp enable
unset alg sunrpc enable
unset alg msrpc enable
unset alg sql enable
unset alg h323 enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1/1" zone "Trust"
set interface "ethernet1/2" zone "DMZ"
set interface "ethernet1/3" zone "Untrust"
set interface "ethernet1/4" zone "HA"
unset interface vlan1 ip
set interface mgt ip 192.168.1.1/24
set interface ethernet1/1 ip 1.1.1.1/24
set interface ethernet1/1 route
set interface ethernet1/2 ip 2.2.2.1/24
set interface ethernet1/2 route
set interface ethernet1/3 ip 3.3.3.1/24
set interface ethernet1/3 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1/1 manage-ip 1.1.1.22
unset interface ethernet1/1 ip manageable
set interface ethernet1/2 ip manageable
set interface ethernet1/3 ip manageable
set interface ethernet1/1 manage mtrace
set interface ethernet1/3 manage ping
set interface ethernet1/3 manage ssh
set interface ethernet1/3 manage telnet
set interface ethernet1/3 manage snmp
set interface ethernet1/3 manage ssl
set interface ethernet1/3 manage web
set interface ethernet1/3 manage mtrace
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp rto-mirror session non-vsi
set nsrp vsd-group id 0 priority 100
set nsrp monitor interface ethernet1/1
set nsrp monitor interface ethernet1/2
set nsrp monitor interface ethernet1/3
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set icap av-vendor-id symantec-5
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 1
exit
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log
set policy id 2
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet1/3 gateway 3.3.3.254
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit



Thanks for your help
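Added example (not part of the post above, and not Juniper code): a Python script that diffs the two member configs posted above and lints each one for the settings a reviewer would flag on sight. ScreenOS configs are flat `set`/`unset` statements, so a set difference is enough to show configuration drift between cluster members; here it confirms the only differences are the manage-ip, the VSD priority and the preempt flag, which is worth establishing before looking elsewhere for why sessions are not synced. The lint pass flags cleartext management (telnet, web) and other management services on the Untrust interface (ethernet1/3), the two Any/Any/ANY permit policies, `unset ike dos-protection`, and the presence of an admin password hash, which should have been redacted before the config was pasted on a public forum. The config excerpts are trimmed to the lines the linter inspects, with the hash replaced by a placeholder; the severity labels are my own.

```python
"""Diff two ScreenOS configs and lint each for risky settings."""
import re
from typing import Dict, List, Set, Tuple

# Constructed excerpt: trimmed from the master config in the post above to the lines
# the linter inspects; the admin password hash is replaced by a placeholder.
MASTER_CFG = """\
set admin password "REDACTED"
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set interface "ethernet1/1" zone "Trust"
set interface "ethernet1/2" zone "DMZ"
set interface "ethernet1/3" zone "Untrust"
set interface "ethernet1/4" zone "HA"
set interface ethernet1/1 manage-ip 1.1.1.11
set interface ethernet1/3 manage ping
set interface ethernet1/3 manage ssh
set interface ethernet1/3 manage telnet
set interface ethernet1/3 manage snmp
set interface ethernet1/3 manage ssl
set interface ethernet1/3 manage web
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
unset ike dos-protection
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit log
set ssh version v2
"""
# The backup config in the post differs from the master only in these three lines.
BACKUP_CFG = (MASTER_CFG
              .replace("manage-ip 1.1.1.11", "manage-ip 1.1.1.22")
              .replace("priority 50", "priority 100")
              .replace("set nsrp vsd-group id 0 preempt\n", ""))

CLEARTEXT_MGMT = {"telnet", "web"}   # management protocols that carry credentials in the clear
ZONE_RE = re.compile(r'^set interface "?([^" ]+)"? zone "?([^"]+)"?$')
MANAGE_RE = re.compile(r'^set interface (\S+) manage (\S+)$')
POLICY_RE = re.compile(r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+"([^"]+)" "([^"]+)" "([^"]+)" permit')


def parse_config(text: str) -> List[str]:
    """Non-empty, stripped statements of a ScreenOS config."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def config_diff(a: str, b: str) -> Tuple[Set[str], Set[str]]:
    """Statements only in a, and statements only in b (order-insensitive)."""
    sa, sb = set(parse_config(a)), set(parse_config(b))
    return sa - sb, sb - sa


def lint(text: str) -> List[str]:
    """Return findings as 'SEVERITY: message' strings, in config order."""
    lines = parse_config(text)
    iface_zone: Dict[str, str] = {}
    for ln in lines:                                   # first pass: interface -> zone
        if (m := ZONE_RE.match(ln)):
            iface_zone[m.group(1)] = m.group(2)
    findings: List[str] = []
    for ln in lines:
        if (m := MANAGE_RE.match(ln)):
            ifp, svc = m.groups()
            if iface_zone.get(ifp) == "Untrust":
                sev = "HIGH" if svc in CLEARTEXT_MGMT else "MEDIUM"
                findings.append(f"{sev}: {svc} management enabled on {ifp} (zone Untrust)")
        elif (m := POLICY_RE.match(ln)):
            pid, src_z, dst_z, src, dst, svc = m.groups()
            if (src, dst, svc) == ("Any", "Any", "ANY"):
                findings.append(f"HIGH: policy {pid} {src_z}->{dst_z} permits Any/Any/ANY")
        elif ln == "unset ike dos-protection":
            findings.append("MEDIUM: IKE DoS protection disabled")
        elif ln.startswith("set admin password "):
            findings.append("INFO: admin password hash in config; redact before sharing")
    return findings


if __name__ == "__main__":
    only_master, only_backup = config_diff(MASTER_CFG, BACKUP_CFG)
    print("only on master:", sorted(only_master))
    print("only on backup:", sorted(only_backup))
    for finding in lint(MASTER_CFG):
        print(finding)
```

Run it against the two full `get config` dumps instead of the excerpts to catch drift in lines the excerpt leaves out; the interface-to-zone map is what lets the linter tell management on a Trust interface from management exposed on the Untrust side.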

20
NetScreen and SSG/ISG Series Firewalls / proxy arp : set arp nat-dst
« on: December 19, 2007, 08:13:59 am »
Hi,

I set up NAT-dst on a firewall with 2 zones:
trust zone
test zone
I have a PC in the trust zone, and I want it to be reachable from the test zone.
I set up NAT-dst but it doesn't work.

I set up "set arp nat-dst" but it still doesn't work.
If I add an entry in the ARP cache with the translated IP (VIP) associated with the firewall MAC address, it works fine.

Do you know why this ***** command "set arp nat-dst" doesn't work? Is it because the proxy ARP is not on the untrust interface but another one?

Thanks for your help
