Solved

Netscreen WebUI remote admin access fails

Posted on 2007-03-20
6
1,427 Views
Last Modified: 2012-08-13
Netscreen won't allow WebUI read-write admin to make changes yet same user can do them using telnet
0
Comment
Question by:murphymail
6 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 18763986
1. What model of the firewall?

2. Can you post the configuration here ? (After removing passwords and first octect of your public ip)

Cheers,
Rajesh
0
 
LVL 3

Expert Comment

by:dpmcmull
ID: 18804425
My Netscreen has one "read-only" IP address and one "admin" address.  My admin address is one higher than the read-only address (ie - read-only is 192.168.1.1 and admin is 192.168.1.2).  Try adding one to the current way of accessing this.  I believe this is the way it is set up out of the box, but I also believe that these can be changed.  Did you set it up or did someone else?
0
 

Author Comment

by:murphymail
ID: 18804510
The problem is via www the SSG 140 for some reason doesn't show all the links (ie, where there should be a link to change "edit" interface it come sup with dashes). I also get doesn't have the privilege message yet i'm using admin signon
Config below---
set clock timezone -4
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
unset alg h323 enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set admin user "mike" password "nEZRCmrUEQmMcLrDAstG77Nt5OFHKn" privilege "all"
set admin auth timeout 10
set admin auth server "Local"
set admin auth remote primary
set admin auth remote root
set admin privilege read-write
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src set zone "V1-Untrust" screen land set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface "ethernet0/3" zone "Untrust"
set interface "ethernet0/7" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
set interface ethernet0/0 ip x.x.26.81/24
set interface ethernet0/0 nat unset interface vlan1 ip
set interface ethernet0/7 ip x.x.198.150/27
set interface ethernet0/7 route
set interface tunnel.1 ip unnumbered interface ethernet0/7
set interface ethernet0/7 gateway x.x.198.129
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/7 manage-ip x.x.198.151
set interface ethernet0/0 ip manageable
unset interface ethernet0/7 ip manageable
set interface ethernet0/7 manage ping
set interface ethernet0/7 manage telnet
set interface ethernet0/7 manage web unset flow no-tcp-seq-check
set flow tcp-syn-check
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set address "Trust" "0.0.0.0/0" 0.0.0.0 0.0.0.0
set vpn "VPN for Any" monitor
set url protocol websense
exit
set policy id 1 from "Untrust" to "Trust"  "Any" "0.0.0.0/0" "ANY" permit set policy id 1 disable set policy id 1 exit set policy id 2 name "VPNphones" from "Untrust" to "Trust"  "Dial-Up VPN" "Any"
"ANY" tunnel vpn "VPN for Any" id 2 pair-policy 3 log set policy id 2 exit set policy id 3 name "VPNphones" from "Trust" to "Untrust"  "Any" "Dial-Up VPN"
"ANY" tunnel vpn "VPN for Any" id 2 pair-policy 2 log set policy id 3 exit set monitor cpu 100 set firewall log-self set nsmgmt bulkcli reboot-timeout 60 set ssh version v2 set config lock timeout 5 set snmp port listen 161 set snmp port trap 162 set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 gateway x.x.198.129 set route x.x.198.0/24 gateway x.x.198.129 set route 10.0.0.0/8 gateway x.x.26.1 set route 172.90.90.0/24 vrouter "untrust-vr" preference 20 metric 1 exit set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
0
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

 
LVL 32

Expert Comment

by:rsivanandan
ID: 18805603
I'll look into it later today, by the way can you also post what version of SOS is running on this one?

Cheers,
Rajesh
0
 
LVL 3

Expert Comment

by:dpmcmull
ID: 18805634
Yes, you're using the admin signon, but not the admin IP.  See http://kb.juniper.net/KB3907.
Or the IP management is turned off (http://kb.juniper.net/KB6422).  
Or the management is restricted to a specific IP on your subnet.  
You can use this page (http://kb.juniper.net/KB3918) to determine what IP is allowed to manage the device.  
Set management IP address - http://kb.juniper.net/KB4035.

You can find more of these by searching the Netscreen KB (http://kb.juniper.net/) for "management IP" (no quotes).
0
 
LVL 5

Accepted Solution

by:
ccreamer_22 earned 500 total points
ID: 20276731
Change the following

set admin privilege read-write
to

set admin privilege "all"
0

Featured Post

Surfing Is Meant To Be Done Outdoors

Featuring its rugged IP67 compliant exterior and delivering broad, fast, and reliable Wi-Fi coverage, the AP322 is the ideal solution for the outdoors. Manage this AP with either a Firebox as a gateway controller, or with the Wi-Fi Cloud for an expanded set of management features

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Telepresence on backup 3 56
SonicWall losing internet when Cradlepoint resets. 18 106
Calyptix AE1200 VLAN Question 3 69
Fortigate Question 5 25
Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question