Opening a port in Juniper SSG

Posted on 2009-04-26
Last Modified: 2012-05-06
I'm trying to open a port on my firewall so that users from outside the network can use the service of one particular server (say, port 60000).

How would I go about doing this?

I've set up a custom service in policy elements and also added a VIP entry on the interface page. My entry on the services looks like this:
TCP Source 0-65535 Destination 60000-60000
UDP Source 0-65535 Destination 60000-60000
Which doesn't work, and anyhow doesn't make any sense. Why do I need to set Source as 0-65535 (this was recommended by my network guy) instead of just 60000-60000?

Additionally, I've also tried:
TCP Source 60000-60000 Destination 60000-60000
Which I think is more secure, because I don't understand why we need to open all ports when we only need one port. But this also didn't work.

I don't understand why I need to open both TCP and UDP. (On that note, how do I know which one to open? The software only asks to open port 60000; it didn't say TCP or UDP.)

And how would I go about opening this port?
Question by:SW111
    LVL 4

    Accepted Solution

    1) You need to authorize source 0-65535 because, in the general case, when a TCP connection is established the source port is random. Actually you may try to use 1024-65535, as source ports under 1023 are considered privileged on Unix systems.

    2) If you only need TCP, there is no reason to authorize UDP. These two protocols are independent unless the application really uses both.

    3) On Juniper you should pay attention to 2 things:
      a) select correct source and destination interfaces when you create the rule
      b) use "route" instead of default "nat" setting in interface properties unless you really need nat.

    4) Of course you should make sure that the routing configuration is correct:
     - try pinging both hosts from the firewall


    Author Comment

    Hugetoon, thanks for the reply. I've tried using source 0-65335 for BOTH TCP and UDP, and destination 60000 for both. It still doesn't work.

    Is it possible that this is the problem: I also have opened port 50000 on the same computer, which works without a problem.

    I guess I don't understand how it would work if we specify source port "0-65335" to destination port 60000 AND 50000 on the same computer. How would Juniper know whether to pass traffic to port 60000 or 50000?
    LVL 18

    Assisted Solution

    by:Sanga Collins
    From the command line in the Juniper (this cannot be done from the WebUI):

    # set vip multi-port
    # save

    This will allow you to specify additional ports for your VIP.

    Author Closing Comment

    Ah, turns out that the problem is I have to also set a policy in addition to the route as described by hugetoon. It worked once I set the route.
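The pieces the thread arrives at (a service with the full client source-port range, a VIP on the public interface, the interface in route mode, and the permit policy that the closing comment found was missing) as one ScreenOS CLI sequence. This is an added example, not configuration posted in the thread; the interface names ethernet0/0 (Untrust) and ethernet0/1 (Trust), the internal server address 192.168.1.10 and the service name are assumptions.

```screenos
# Added example (not from the thread). Assumed: Untrust interface ethernet0/0,
# Trust interface ethernet0/1, internal server 192.168.1.10. Lines beginning
# with "#" are annotation, not ScreenOS commands; drop them when pasting.

# 1) Custom service: any client source port, destination port 60000, TCP only.
#    Add a matching "protocol udp" entry only if the application really uses UDP.
set service "svc-60000" protocol tcp src-port 0-65535 dst-port 60000-60000

# 2) Interface mode: route unless NAT is actually required (point 3b above).
set interface ethernet0/1 route

# 3) VIP on the public interface IP: external TCP/60000 -> internal host.
#    A second VIP line for port 50000 on the same host is matched by its own
#    destination port, so both can coexist.
set interface ethernet0/0 vip interface-ip 60000 "svc-60000" 192.168.1.10

# 4) The policy that permits the traffic; the VIP alone forwards nothing.
#    Replace "Any" with an address-book entry for known client networks
#    where possible, and keep "log" so hits are visible in the event log.
set policy id 10 from "Untrust" to "Trust" "Any" "VIP(ethernet0/0)" "svc-60000" permit log

# Optional: only needed when one VIP entry must map a multi-port service.
set vip multi-port

save
```

After `save`, `get vip` and `get policy` show the mapping and the rule; a policy with no hit count after a test connection points at the zone/interface selection rather than the service definition.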
