Solved

Juniper SSG 20 Configuration Question

Posted on 2009-05-07
Last Modified: 2012-05-06
I was wondering if it is possible to configure the SSG 20 we currently have to only filter web traffic from our satellite offices and to ignore traffic coming from our corporate office.

We have an MPLS cloud, so all six satellite offices come through Corp for Internet access:
Corp 172.x.1.0
(satellite 1) 172.x.2.0
(satellite 2) 172.x.3.0
etc.

Is it as simple as creating an Address Group (Satellite Group) with the 172.x.2.0 - 172.x.7.0 addresses, then creating a policy Trust to Untrust with source addy (Satellite Group), destination addy (Any), and applying the filter to only this policy, or am I way off?

Best Regards,
John
Question by: Pe12f3cT_d12uG

6 Comments

Expert Comment by: arcaex
ID: 24329452
Is that SSG running Websense?

Expert Comment by: arcaex
ID: 24329488
Sorry about that... I typed too soon. Disregard previous.

Try this:

In order to limit URL filtering/blocking from a particular direction of traffic flow (from a source interface to a destination interface), the following CLI command can be entered to allow the Netscreen to restrict the Websense server from performing URL filtering/blocking in this direction.

set url no-block <src-int> <des-int> [Enter]

Example: Assume you want URL blocking to be performed on the trust zone, but not have URL blocking performed on the DMZ zone:

set url no-block Untrust DMZ [Enter]

Link here:
http://kb.juniper.net/index?page=content&id=KB5786&actp=search&searchid=1241723524632

Author Comment by: Pe12f3cT_d12uG
ID: 24329710
Yep, running the integrated web filtering on the SSG 20. That is close to what I need, Arcaex; however, I would like to keep everyone in the trust zone but only apply the filtering to the 2.0, 3.0, 4.0, etc. subnets.

This is our current network:

172.x.2.0-----|ADTRAN|
172.x.3.0-----|ADTRAN|====>ADTRAN|---172.x.1.0--->SSG20--->ADTRAN Router (t1) to Internet
172.x.4.0-----|ADTRAN|
Is it possible to apply the filter to only the traffic from 2.0-7.0 while keeping everyone in the trust zone using a policy setting, or is this impossible? Thanks again for the quick response.

John

Accepted Solution by: arcaex (earned 500 total points)
ID: 24329976
Do you have Junipers at the satellite offices, or are you simply using an MPLS router with VPN?

My initial thought would be simply to create a policy from the trusted subnet to the untrusted interface and only allow what services you need. You can remove standard services or customized ones. 80 would certainly be one you will have.

Actually, look at your outgoing policy for that subnet. I assume it's ANY-ANY. Can you just remove your ANY-ANY and pick specific services?

I'll keep looking at mine.


Author Comment by: Pe12f3cT_d12uG
ID: 24330229
Nope, I removed the SSG5s we were using at each of the satellite offices by request of Deltacom, so I only have the 20 in place. Indeed, the current policy is Any-Any. I was wondering if I could just change the policy to look like this.

First, under "Objects" -> "Addresses" -> "Groups" -> New, create an address group named Satellite Group. Add the 172.x.2.0 through 172.x.7.0 subnets to this group. Remove the Any-Any policy and add two new policies that look like this:

Satellite Address Group - 80 (integrated filter applied to this policy)

Corp (172.x.1.0) - 80 (integrated filter not applied to this policy)

Still kind of fuzzy on this and not sure if I am making sense; also not sure if the Juniper 20 "knows" the other subnets are there, since the VPN policies between the SSG5s and SSG 20 were all removed.

Thanks again Arcaex

Expert Comment by: arcaex
ID: 24330309
I'm not sure having the old VPN matters. If you were in the same building and wanted different subnets, you wouldn't even need VPN, obviously. What the box does know is that each interface is designated to a specific setting; e.g. 0/0 could be trust, 0/1 could be eth1, 0/2 could be eth2 and one of your subnets, and then 0/3 could be your final subnet.

You must have outgoing policies for each subnet. If so, you can apply whatever filter you want on that source through the edit button. Then choose whatever policy you stated above. So yes, you should be able to do exactly what you stated. You can either do it in a 'global' fashion or on a single level like I stated.
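The policy layout the thread converges on (a Satellite address group whose HTTP policy carries the integrated URL filter, a separate unfiltered HTTP policy for Corp, and the old Any-Any catch-all removed), written out as ScreenOS CLI. This is an added example, not configuration posted by either participant; the object names ("sat-2" through "sat-7", "corp", "Satellite Group"), the policy IDs 10 and 11, and the /24 masks are assumptions, "172.x" is left as in the thread, and the `#` lines are explanatory annotations rather than ScreenOS syntax (strip them before pasting). It also assumes the integrated web-filtering feature is licensed and enabled on the SSG, since the `url-filter` policy option depends on it.

```screenos
# Address objects for each satellite subnet; all of them sit in the Trust zone
# exactly as the original poster wants (no zone change for the satellites).
set address Trust "sat-2" 172.x.2.0 255.255.255.0
set address Trust "sat-3" 172.x.3.0 255.255.255.0
set address Trust "sat-4" 172.x.4.0 255.255.255.0
set address Trust "sat-5" 172.x.5.0 255.255.255.0
set address Trust "sat-6" 172.x.6.0 255.255.255.0
set address Trust "sat-7" 172.x.7.0 255.255.255.0

# The corporate LAN gets its own object so its policy can be matched separately.
set address Trust "corp" 172.x.1.0 255.255.255.0

# Group the six satellite subnets so one policy (and one filter setting) covers them all.
set group address Trust "Satellite Group"
set group address Trust "Satellite Group" add "sat-2"
set group address Trust "Satellite Group" add "sat-3"
set group address Trust "Satellite Group" add "sat-4"
set group address Trust "Satellite Group" add "sat-5"
set group address Trust "Satellite Group" add "sat-6"
set group address Trust "Satellite Group" add "sat-7"

# Satellite web traffic: permit HTTP and hand each session to the integrated URL filter.
set policy id 10 from Trust to Untrust "Satellite Group" Any HTTP permit url-filter

# Corporate web traffic: permit HTTP with no URL filtering attached.
set policy id 11 from Trust to Untrust "corp" Any HTTP permit

# Retire the old catch-all so it cannot match ahead of the specific policies.
# (Replace the placeholder with the ID shown by "get policy" for the Any-Any rule.)
unset policy id <OLD-ANY-ANY-POLICY-ID>
```

Two things to check before relying on this. First, the source-based split only works if the SSG actually sees the satellite addresses: the ADTRAN routers between the MPLS cloud and the 172.x.1.0 segment must route the 172.x.2.0-7.0 traffic without translating it, otherwise every satellite session arrives looking like Corp and lands in the unfiltered policy. Second, once the Any-Any policy is gone the SSG falls back to its default deny, so any other service the offices need (HTTPS on 443, DNS, mail, and so on) must get its own explicit policy, which is the "only allow what services you need" point arcaex raises above; each of those can carry or omit `url-filter` independently. Policies are evaluated top to bottom, so if the catch-all has to stay for a while, the two specific policies must be placed above it.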