Juniper SSG 20 Configuration Question

I was wondering if it were possible to configure the SSG 20 we currently have to only filter web traffic from our satellite offices and to ignore traffic coming from our corporate office?

We have an MPLS cloud so all six satellite offices come through Corp for INET access
Corp 172.x.1.0
(satellite 1) 172.x.2.0
(satellite 2) 172.x.3.0
etc..

Is it as simple as creating an Address Group, (Satellite Group), with the 172.x.2.0-7.0 addresses, then creating a policy Trust to Untrust with source addy (Satellite Group), destination addy (Any), and applying the filter to only this policy, or am I way off?

Best Regards,
John
Pe12f3cT_d12uG Asked:
arcaex Commented:
Do you have Junipers at the satellite offices or are you simply using an MPLS router with VPN?

My initial thought would be simply to create a policy from the trusted subnet to the untrusted interface and only allow what services you need. You can remove standard services or customized ones. 80 would certainly be one you will have.

Actually, look at your outgoing policy for that subnet. I assume it's ANY-ANY. Can you just remove your ANY-ANY and pick specific services?

I'll keep looking at mine.

0
 
arcaex Commented:
Is that SSG running Websense?
0
 
arcaex Commented:
Sorry about that..I typed too soon. Disregard previous.

Try this:

In order to limit URL filtering/blocking from a particular direction of traffic flow, (from a source interface to a destination interface), the following CLI command can be entered to allow the Netscreen to restrict the Websense server from performing URL filtering/blocking in this direction.

set url no-block <src-int> <des-int> [Enter]
Example: Assume you want URL blocking to be performed on the trust zone, but not have URL blocking performed on the DMZ zone:

set url no-block Untrust DMZ[Enter]

Link here:
http://kb.juniper.net/index?page=content&id=KB5786&actp=search&searchid=1241723524632
0
 
Pe12f3cT_d12uG Author Commented:
Yep, running the integrated web filtering on the SSG 20. That is close to what I need Arcaex, however I would like to keep everyone in the trust zone but only apply the filtering to the 2.0, 3.0, 4.0 etc. subnets.

This is our current network

172.x.2.0-----|ADTRAN|
172.x.3.0-----|ADTRAN|====>ADTRAN|---172.x.1.0--->SSG20--->ADTRAN Router (t1) to Internet
172.x.4.0-----|ADTRAN|
Is it possible to apply the filter to only the traffic from 2.0-7.0 while keeping everyone in the trust zone using a policy setting, or is this impossible? Thanks again for the quick response.

John
0
 
Pe12f3cT_d12uG Author Commented:
Nope, I removed the SSG5s we were using at each of the satellite offices by request of deltacom, so I only have the 20 in place. Indeed the current policy is Any-Any; I was wondering if I could just change the policy to look like this.

First, under "Objects" -> "Addresses" -> "Groups" -> New. Create an address group named Satellite Group. Add the 172.x.2.0 through 172.x.7.0 subnets to this group. Remove the Any-Any policy and add two new policies that look like this.

Satellite Address Group - 80 (integrated filter applied to this policy)

Corp (172.x.1.0) - 80 (integrated filter not applied to this policy).

Still kind of fuzzy on this and not sure if I am making sense; also not sure if the Juniper 20 "knows" the other subnets are there since the VPN policies between the SSG5s and SSG 20 were all removed.

Thanks again Arcaex
0
 
arcaex Commented:
I'm not sure having the old VPN matters. If you were in the same building and you wanted different subnets, you wouldn't even need VPN obviously. What the box does know is that each interface is designated to a specific setting; e.g. 0/0 could be trust, 0/1 could be eth1, 0/2 could be eth two and one of your subnets, and then 0/3 could be your final subnet.

You must have outgoing policies for each subnet. If so you can apply whatever filter you want on that source through the edit button. Then choose whatever policy you stated above. So yes you should be able to do exactly what you stated. You can just either do it in a 'global' fashion or on a single level like I stated.
0
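The approach agreed on above (an address group for the satellite subnets, one Trust-to-Untrust HTTP policy for that group with the integrated filter enabled, a second unfiltered policy for Corp, and the old Any-Any policy removed) depends on ScreenOS evaluating policies top-down with first match winning. The following Python model is an added example, not code from the thread, the poster or Juniper: it builds the address book the poster describes, runs sample flows through the proposed policy order, and shows the failure mode where the Any-Any policy is left in place above the new ones and silently shadows them. The 172.16 prefix is a constructed stand-in for the poster's redacted "172.x", the test destination 203.0.113.10 is a constructed sample, and the `url-filter` policy keyword in the rendered CLI is an assumption about ScreenOS syntax that should be checked against the release running on the box.

```python
"""First-match policy lookup model for the thread's proposal (constructed example).

Address book, group and policies mirror the plan in the thread: satellite
subnets 172.x.2.0-7.0 get integrated web filtering, corp 172.x.1.0 does not.
172.16 replaces the poster's redacted 172.x; the 'url-filter' keyword in the
rendered CLI is an assumed ScreenOS syntax detail, not taken from the page.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Address book entries in zone Trust, as the thread proposes (constructed prefix 172.16).
ADDRESSES = {
    "Corp": ip_network("172.16.1.0/24"),
    **{f"Sat-{n}": ip_network(f"172.16.{n}.0/24") for n in range(2, 8)},
}
# The "Satellite Group" address group holding the six satellite subnets.
GROUPS = {"Satellite Group": [f"Sat-{n}" for n in range(2, 8)]}


def resolve(name):
    """Expand an address-book or group name into networks; 'Any' matches everything."""
    if name == "Any":
        return [ip_network("0.0.0.0/0")]
    if name in GROUPS:
        return [ADDRESSES[m] for m in GROUPS[name]]
    return [ADDRESSES[name]]


@dataclass
class Policy:
    pid: int
    src: str                 # address-book or group name
    dst: str
    service: str             # "HTTP" (tcp/80) or "ANY"
    url_filter: bool = False  # integrated web filtering enabled on this policy

    def matches(self, src_ip, dst_ip, port):
        src_ok = any(ip_address(src_ip) in n for n in resolve(self.src))
        dst_ok = any(ip_address(dst_ip) in n for n in resolve(self.dst))
        svc_ok = self.service == "ANY" or (self.service == "HTTP" and port == 80)
        return src_ok and dst_ok and svc_ok


def lookup(policies, src_ip, dst_ip, port):
    """Trust->Untrust policies are evaluated top-down; the first match decides the flow."""
    for p in policies:
        if p.matches(src_ip, dst_ip, port):
            return p
    return None  # no match: implicit deny


# The thread's proposed policy set: satellites filtered, Corp unfiltered.
PROPOSED = [
    Policy(1, "Satellite Group", "Any", "HTTP", url_filter=True),
    Policy(2, "Corp", "Any", "HTTP"),
]
# Failure mode: old Any-Any policy left above the new ones shadows both of them.
WITH_ANY_ANY_LEFT = [Policy(0, "Any", "Any", "ANY")] + PROPOSED


def filtered(policies, src_ip, dst_ip="203.0.113.10", port=80):
    """Return (policy id hit, url filtering applied) for a flow; (None, False) if denied."""
    p = lookup(policies, src_ip, dst_ip, port)
    return (p.pid, p.url_filter) if p else (None, False)


def to_screenos(policies):
    """Render the model as ScreenOS CLI lines (syntax assumed; verify on your release)."""
    lines = [f'set address Trust "{n}" {net.network_address} {net.netmask}'
             for n, net in ADDRESSES.items()]
    for g, members in GROUPS.items():
        lines.append(f'set group address Trust "{g}"')
        lines += [f'set group address Trust "{g}" add "{m}"' for m in members]
    for p in policies:
        tail = " url-filter" if p.url_filter else ""
        lines.append(f'set policy id {p.pid} from Trust to Untrust '
                     f'"{p.src}" "{p.dst}" {p.service} permit{tail}')
    return lines


if __name__ == "__main__":
    for ip in ("172.16.1.20", "172.16.3.20"):
        print(ip, "proposed:", filtered(PROPOSED, ip),
              "any-any left:", filtered(WITH_ANY_ANY_LEFT, ip))
    print("\n".join(to_screenos(PROPOSED)))
```

Two things the model makes visible that the thread only implies: a satellite host hits policy 1 and is filtered while a Corp host hits policy 2 and is not, but if the Any-Any policy is left at the top both hosts hit policy 0 and nothing is ever filtered; and once Any-Any is gone, anything other than HTTP from either side falls through to the implicit deny, so any other services the offices need (HTTPS, DNS, mail) must get their own permit policies.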