Solved

Netscreen WebUI remote admin access fails

Posted on 2007-03-20
1,432 Views
Last Modified: 2012-08-13
Netscreen won't allow a WebUI read-write admin to make changes, yet the same user can make them using telnet.
Question by:murphymail
6 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18763986
1. What model of the firewall?

2. Can you post the configuration here? (After removing passwords and the first octet of your public IP.)

Cheers,
Rajesh
0
 
LVL 3

Expert Comment

by:dpmcmull
ID: 18804425
My Netscreen has one "read-only" IP address and one "admin" address.  My admin address is one higher than the read-only address (ie - read-only is 192.168.1.1 and admin is 192.168.1.2).  Try adding one to the current way of accessing this.  I believe this is the way it is set up out of the box, but I also believe that these can be changed.  Did you set it up or did someone else?
0
 

Author Comment

by:murphymail
ID: 18804510
The problem is that via www the SSG 140 for some reason doesn't show all the links (i.e., where there should be a link to "edit" an interface it comes up with dashes). I also get a "doesn't have the privilege" message, yet I'm using the admin signon.
Config below:
set clock timezone -4
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
unset alg h323 enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin user "mike" password "nEZRCmrUEQmMcLrDAstG77Nt5OFHKn" privilege "all"
set admin auth timeout 10
set admin auth server "Local"
set admin auth remote primary
set admin auth remote root
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/7" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
set interface ethernet0/0 ip x.x.26.81/24
set interface ethernet0/0 nat
unset interface vlan1 ip
set interface ethernet0/7 ip x.x.198.150/27
set interface ethernet0/7 route
set interface tunnel.1 ip unnumbered interface ethernet0/7
set interface ethernet0/7 gateway x.x.198.129
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/7 manage-ip x.x.198.151
set interface ethernet0/0 ip manageable
unset interface ethernet0/7 ip manageable
set interface ethernet0/7 manage ping
set interface ethernet0/7 manage telnet
set interface ethernet0/7 manage web
unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "0.0.0.0/0" 0.0.0.0 0.0.0.0
set vpn "VPN for Any" monitor
set url protocol websense
exit
set policy id 1 from "Untrust" to "Trust"  "Any" "0.0.0.0/0" "ANY" permit
set policy id 1 disable
set policy id 1
exit
set policy id 2 name "VPNphones" from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel vpn "VPN for Any" id 2 pair-policy 3 log
set policy id 2
exit
set policy id 3 name "VPNphones" from "Trust" to "Untrust"  "Any" "Dial-Up VPN" "ANY" tunnel vpn "VPN for Any" id 2 pair-policy 2 log
set policy id 3
exit
set monitor cpu 100
set firewall log-self
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 gateway x.x.198.129
set route x.x.198.0/24 gateway x.x.198.129
set route 10.0.0.0/8 gateway x.x.26.1
set route 172.90.90.0/24 vrouter "untrust-vr" preference 20 metric 1
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18805603
I'll look into it later today. By the way, can you also post what version of SOS is running on this one?

Cheers,
Rajesh
0
 
LVL 3

Expert Comment

by:dpmcmull
ID: 18805634
Yes, you're using the admin signon, but not the admin IP. See http://kb.juniper.net/KB3907.
Or the IP management is turned off (http://kb.juniper.net/KB6422).
Or the management is restricted to a specific IP on your subnet.
You can use this page (http://kb.juniper.net/KB3918) to determine what IP is allowed to manage the device.
Set management IP address - http://kb.juniper.net/KB4035.

You can find more of these by searching the Netscreen KB (http://kb.juniper.net/) for "management IP" (no quotes).
0
 
LVL 5

Accepted Solution

by:ccreamer_22 (earned 500 total points)
ID: 20276731
Change the following

set admin privilege read-write
to

set admin privilege "all"
0
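As an added defender-side example (not code from the thread or from Juniper), a small Python audit that pulls out of a ScreenOS config the two management-plane facts this thread turns on: the global `set admin privilege` value the accepted answer changes, and which management services are enabled on interfaces that sit in the Untrust zone (in the posted config ethernet0/7 is in Untrust with telnet and web management enabled). The embedded sample is a constructed excerpt of the poster's config, and the regexes only cover the command forms that appear there.

```python
import re

# Constructed excerpt of the ScreenOS config posted in the thread (IPs already masked by the
# poster, password hash replaced with a placeholder); not the full configuration.
SAMPLE_CONFIG = """\
set admin user "mike" password "<redacted>" privilege "all"
set admin privilege read-write
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/7" zone "Untrust"
set interface ethernet0/7 manage-ip x.x.198.151
set interface ethernet0/0 ip manageable
unset interface ethernet0/7 ip manageable
set interface ethernet0/7 manage ping
set interface ethernet0/7 manage telnet
set interface ethernet0/7 manage web
set ssh version v2
"""

PRIV_RE = re.compile(r'^set admin privilege "?([\w-]+)"?$')
ZONE_RE = re.compile(r'^set interface "?([\w./-]+)"? zone "([\w-]+)"$')
MANAGE_RE = re.compile(r'^set interface "?([\w./-]+)"? manage (ping|telnet|ssh|web|ssl|snmp)$')

def parse_screenos(text):
    """Collect the global admin privilege, the interface->zone map and per-interface manage services."""
    state = {"admin_privilege": None, "zones": {}, "manage": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := PRIV_RE.match(line):
            state["admin_privilege"] = m.group(1)
        elif m := ZONE_RE.match(line):
            state["zones"][m.group(1)] = m.group(2)
        elif m := MANAGE_RE.match(line):
            state["manage"].setdefault(m.group(1), set()).add(m.group(2))
    return state

def audit(state):
    """Findings: the privilege value the accepted answer changes, plus cleartext management on Untrust."""
    findings = []
    if state["admin_privilege"] != "all":
        findings.append(f'set admin privilege is {state["admin_privilege"]!r}; '
                        'the accepted answer changes it to "all"')
    for ifname, services in sorted(state["manage"].items()):
        zone = state["zones"].get(ifname, "?")
        cleartext = sorted(services & {"telnet", "web"})  # telnet and plain-HTTP WebUI are unencrypted
        if zone == "Untrust" and cleartext:
            findings.append(f"{ifname} (zone {zone}) allows cleartext management via "
                            f"{', '.join(cleartext)}; prefer ssh/ssl and limit source IPs")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_screenos(SAMPLE_CONFIG)):
        print("-", finding)
```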
