Solved

Juniper SSG 20 Configuration Question

Posted on 2009-05-07
Last Modified: 2012-05-06
I was wondering if it were possible to configure the SSG 20 we currently have to only filter Web Traffic from our satellite offices and to ignore traffic coming from our corporate office?

We have an MPLS cloud, so all six satellite offices come through Corp for Internet access:
Corp 172.x.1.0
(satellite 1) 172.x.2.0
(satellite 2) 172.x.3.0
etc..

Is it as simple as creating an Address Group (Satellite Group) with the 172.x.2.0 - 7.0 addresses, then creating a policy Trust to Untrust with source addy (Satellite Group) and destination addy (Any), and applying the filter to only this policy, or am I way off?

Best Regards,
John
Question by:Pe12f3cT_d12uG
LVL 2

Expert Comment

by:arcaex
Is that SSG running Websense?
LVL 2

Expert Comment

by:arcaex
Sorry about that... I typed too soon. Disregard previous.

Try this:

In order to limit URL filtering/blocking from a particular direction of traffic flow, (from a source interface to a destination interface), the following CLI command can be entered to allow the Netscreen to restrict the Websense server from performing URL filtering/blocking in this direction.

set url no-block <src-int> <des-int> [Enter]

Example: Assume you want URL blocking to be performed on the trust zone, but not have URL blocking performed on the DMZ zone:

set url no-block Untrust DMZ [Enter]

Link here:
http://kb.juniper.net/index?page=content&id=KB5786&actp=search&searchid=1241723524632
Author Comment

by:Pe12f3cT_d12uG
Yep, running the integrated web filtering on the SSG 20. That is close to what I need, Arcaex; however, I would like to keep everyone in the trust zone but only apply the filtering to the 2.0, 3.0, 4.0, etc. subnets.

This is our current network:

172.x.2.0-----|ADTRAN|
172.x.3.0-----|ADTRAN|====>ADTRAN|---172.x.1.0--->SSG20--->ADTRAN Router (t1) to Internet
172.x.4.0-----|ADTRAN|
Is it possible to apply the filter to only the traffic from 2.0-7.0 while keeping everyone in the trust zone using a policy setting, or is this impossible? Thanks again for the quick response.

John
LVL 2

Accepted Solution

by:
arcaex earned 500 total points
Do you have Junipers at the satellite offices, or are you simply using an MPLS router with VPN?

My initial thought would be simply to create a policy from the trusted subnet to the untrusted interface and only allow what services you need. You can remove standard services or customized ones. 80 would certainly be one you will have.

Actually, look at your outgoing policy for that subnet. I assume it's ANY-ANY. Can you just remove your ANY-ANY and pick specific services?

I'll keep looking at mine.

Author Comment

by:Pe12f3cT_d12uG
Nope, I removed the SSG5s we were using at each of the satellite offices by request of Deltacom, so I only have the 20 in place. Indeed, the current policy is Any-Any; I was wondering if I could just change the policy to look like this.

First, under "Objects" -> "Addresses" -> "Groups" -> New, create an address group named Satellite Group. Add the 172.x.2.0 through 172.x.7.0 subnets to this group. Remove the Any - Any policy and add two new policies that look like this:

Satellite Address Group - 80 (integrated filter applied to this policy)

Corp (172.x.1.0) - 80 (integrated filter not applied to this policy)

Still kind of fuzzy on this and not sure if I am making sense; also not sure if the Juniper 20 "knows" the other subnets are there, since the VPN policies between the SSG5s and the SSG 20 were all removed.

Thanks again, Arcaex

LVL 2

Expert Comment

by:arcaex
I'm not sure having the old VPN matters. If you were in the same building and you wanted different subnets, you wouldn't even need VPN, obviously. What the box does know is that each interface is designated to a specific setting; e.g. 0/0 could be trust, 0/1 could be eth1, 0/2 could be eth two and one of your subnets, and then 0/3 could be your final subnet.

You must have outgoing policies for each subnet. If so, you can apply whatever filter you want on that source through the edit button, then choose whatever policy you stated above. So yes, you should be able to do exactly what you stated. You can either do it in a 'global' fashion or on a single level like I stated.
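The policy layout the author sketched and arcaex confirmed (a Satellite Group source with the integrated filter applied, a Corp source without it, and the Any-Any removed), written out as ScreenOS CLI. This is an added example, not commands from the thread or from Juniper's documentation. It assumes the integrated web filtering engine is already enabled on the SSG 20 (as the author states), that the satellite and corporate subnets all arrive on a Trust-zone interface, and it uses 172.16 as a stand-in for the redacted "172.x" prefix and policy id 1 as a placeholder for the existing Any-Any rule:

```screenos
# Added example (not from the thread). 172.16.x.0/24 stands in for the
# redacted 172.x subnets; zone and interface names are assumed.

# One address object per site, all in the Trust zone
set address "Trust" "corp-net" 172.16.1.0 255.255.255.0
set address "Trust" "sat-2" 172.16.2.0 255.255.255.0
set address "Trust" "sat-3" 172.16.3.0 255.255.255.0
set address "Trust" "sat-4" 172.16.4.0 255.255.255.0
set address "Trust" "sat-5" 172.16.5.0 255.255.255.0
set address "Trust" "sat-6" 172.16.6.0 255.255.255.0
set address "Trust" "sat-7" 172.16.7.0 255.255.255.0

# Address group holding the six satellite subnets
set group address "Trust" "Satellite Group" add "sat-2"
set group address "Trust" "Satellite Group" add "sat-3"
set group address "Trust" "Satellite Group" add "sat-4"
set group address "Trust" "Satellite Group" add "sat-5"
set group address "Trust" "Satellite Group" add "sat-6"
set group address "Trust" "Satellite Group" add "sat-7"

# Satellite web traffic: permitted, with URL filtering on this policy only
set policy id 10 name "sat-web" from "Trust" to "Untrust" "Satellite Group" "Any" "HTTP" permit url-filter log

# Corporate web traffic: permitted, no URL filtering
set policy id 20 name "corp-web" from "Trust" to "Untrust" "corp-net" "Any" "HTTP" permit log

# Retire the old catch-all. Its id is a placeholder; confirm with "get policy" first.
unset policy id 1

save
```

Because the two new policies match on source address, their relative order does not matter; the filter is attached to the satellite policy and never touches corp-net. What does matter is the implicit deny that replaces the removed Any-Any: any Trust source not named above, and any service other than HTTP (DNS, HTTPS, mail), is dropped until you add a policy for it, which is the "only allow what services you need" step arcaex describes.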