Juniper SSG 20 Configuration Question
Asked by John Diaz (United States of America)

I was wondering if it were possible to configure the SSG 20 we currently have to only filter Web Traffic from our satellite offices and to ignore traffic coming from our corporate office?

We have an MPLS cloud, so all six satellite offices come through Corp for INET access:
Corp 172.x.1.0
(satellite 1) 172.x.2.0
(satellite 2) 172.x.3.0
etc..

Is it as simple as creating an Address Group (Satellite Group) with the 172.x.2.0-7.0 addresses, then creating a policy Trust to Untrust with source addy (Satellite Group), destination addy (Any), and applying the filter to only this policy, or am I way off?

Best Regards,
John
arcaex (United States of America):

Is that SSG running Websense?
Sorry about that, I typed too soon. Disregard the previous question.

Try this:

In order to limit URL filtering/blocking for a particular direction of traffic flow (from a source interface to a destination interface), the following CLI command can be entered to have the NetScreen restrict the Websense server from performing URL filtering/blocking in that direction:

set url no-block <src-int> <des-int> [Enter]

Example: assume you want URL blocking to be performed on the Trust zone, but not on the DMZ zone:

set url no-block Untrust DMZ [Enter]

Link here:
http://kb.juniper.net/index?page=content&id=KB5786&actp=search&searchid=1241723524632
John Diaz (asker):
Yep, running the integrated web filtering on the SSG 20. That is close to what I need, Arcaex; however, I would like to keep everyone in the Trust zone but only apply the filtering to the 2.0, 3.0, 4.0, etc. subnets.

This is our current network

172.x.2.0-----|ADTRAN|
172.x.3.0-----|ADTRAN|====>ADTRAN|---172.x.1.0--->SSG20--->ADTRAN Router (t1) to Internet
172.x.4.0-----|ADTRAN|
Is it possible to apply the filter only to the traffic from 2.0-7.0 while keeping everyone in the Trust zone, using a policy setting, or is this impossible? Thanks again for the quick response.

John
ASKER CERTIFIED SOLUTION by arcaex (members-only content, not available in this copy)

John Diaz (asker):
Nope, I removed the SSG5s we were using at each of the satellite offices by request of Deltacom, so I only have the 20 in place. Indeed, the current policy is Any-Any. I was wondering if I could just change the policy to look like this.

First, under "Objects" -> "Addresses"->  "Groups" -> New.  Create an address group named Satellite Group.  Add the 172.x.2.0 through 172.x.7.0 subnets to this group.  Remove the Any - Any policy and add two new policies that look like this.

Satellite Address Group - 80 (integrated filter applied to this policy)

Corp (172.x.1.0) - 80 (integrated filter not applied to this policy)

Still kind of fuzzy on this and not sure if I am making sense. Also not sure if the Juniper 20 "knows" the other subnets are there, since the VPN policies between the SSG5s and the SSG 20 were all removed.

Thanks again Arcaex
arcaex:
I'm not sure having the old VPN matters. If you were in the same building and you wanted different subnets, you wouldn't even need VPN, obviously. What the box does know is that each interface is designated to a specific setting; e.g. 0/0 could be Trust, 0/1 could be eth1, 0/2 could be eth2 and one of your subnets, and then 0/3 could be your final subnet.

You must have outgoing policies for each subnet. If so, you can apply whatever filter you want on that source through the edit button, then choose whatever policy you stated above. So yes, you should be able to do exactly what you stated. You can either do it in a "global" fashion or on a single-policy level like I stated.
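A worked ScreenOS CLI version of the split the two posts above converge on (filter attached only to the satellite policy, corporate traffic left alone, everyone still in Trust). This is an added example written for this page; it is not the thread's configuration, the hidden accepted solution, or Juniper's documentation. Assumptions: the redacted second octet is 16 (it is "x" on the page), the integrated web filter is already enabled on the SSG 20, the existing Any-Any policy has id 1, and the address and policy names are chosen here.

```screenos
set address Trust "Corp-Net" 172.16.1.0 255.255.255.0
set address Trust "Sat-2" 172.16.2.0 255.255.255.0
set address Trust "Sat-3" 172.16.3.0 255.255.255.0
set address Trust "Sat-4" 172.16.4.0 255.255.255.0
set address Trust "Sat-5" 172.16.5.0 255.255.255.0
set address Trust "Sat-6" 172.16.6.0 255.255.255.0
set address Trust "Sat-7" 172.16.7.0 255.255.255.0

set group address Trust "Satellite Group"
set group address Trust "Satellite Group" add "Sat-2"
set group address Trust "Satellite Group" add "Sat-3"
set group address Trust "Satellite Group" add "Sat-4"
set group address Trust "Satellite Group" add "Sat-5"
set group address Trust "Satellite Group" add "Sat-6"
set group address Trust "Satellite Group" add "Sat-7"

set policy id 10 from Trust to Untrust "Satellite Group" Any HTTP permit url-filter
set policy id 11 from Trust to Untrust "Satellite Group" Any ANY permit
set policy id 20 from Trust to Untrust "Corp-Net" Any ANY permit

set policy move 10 before 1
set policy move 11 after 10
set policy move 20 after 11

get policy from Trust to Untrust
get policy id 10

unset policy id 1
save
```

Order matters: ScreenOS takes the first policy that matches, so the HTTP policy with `url-filter` (id 10) must sit above the satellite catch-all (id 11), otherwise port-80 traffic matches the catch-all and is never filtered; the `get policy from Trust to Untrust` listing is the check to run before the old Any-Any (id 1) is removed. Policy 11 exists because, once Any-Any is gone, anything that matches no policy is dropped, and the satellites still need DNS, mail and the rest; note that only HTTP on policy 10 goes through the integrated filter, so HTTPS and other ports from the satellites pass under policy 11 unfiltered. The zone-level `set url no-block` command quoted earlier is not needed with this approach, because the filter is attached per policy rather than per zone pair.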