We help IT Professionals succeed at work.

Netscreen-25 configuration for port blocking

ragot
ragot asked
on
1,018 Views
Last Modified: 2013-11-16

 How to block ports in Netscreen-25 firewall?
Comment
Watch Question

CERTIFIED EXPERT

Commented:
Which kind of port blocking are you looking for?  Is it physical port or logical port you are meaning?  Ie the physical interface or the application port?

Author

Commented:
hi delmark, its the logical port. i want to block unncessary ports for forest trusting.
Qlemo"Batchelor", Developer and EE Topic Advisor
CERTIFIED EXPERT
Top Expert 2015

Commented:
Are you using a "permit any-any-any" type of setup? That is, have you defined a policy allowing any traffic? By default all traffic crossing zones (Trust and Untrust) is rejected.

Author

Commented:
hi qlemo, for now yes we are allowing any traffic
Qlemo"Batchelor", Developer and EE Topic Advisor
CERTIFIED EXPERT
Top Expert 2015

Commented:
I still have no idea of your config. You can only block traffic crossing zones, because then policies are applied to the traffic. If you want to block traffic from one to another ethernet port in the same zone, you need to use the much more complicated policy-based routing.
Please describe what you want to do, and tell us more about your existing config. Is a VPN involved? Are you crossing zones?
CERTIFIED EXPERT

Commented:
Not true qlemo. You don't need to use PBR to apply a policy on intrazone traffic. Simply tick the box for "intrazone block" on the zone and then you will need to add specific policies ultimate allow the traffic.

@ ragot. Can you give us a but more info on what you are trying to do her?  Please give an example if the policlcies you have already and exactly what you are trying to achieve ie block http from x to y

We can certainly help you here but we need a but more info to advise correctly

Author

Commented:
hi qlemo, delmark

i have policies here that allow all, of course that is not secure. now i want to allow only ports use for forest trusting.

thanks for your replies.

Author

Commented:
@qlemo: yes there is vpn involved. im connected to main office with all traffic allow
Qlemo"Batchelor", Developer and EE Topic Advisor
CERTIFIED EXPERT
Top Expert 2015

Commented:
Do you use a route based or policy based VPN? Anyway, you will have a policy allowing the VPN traffic?! You can just modify that to allow only some ports: Create custom services containing NetBIOS (135, 137-139, each udp and tcp, and 445/tcp) or use the predefined ones.  Than include those as service in your VPN or Permit policy instead of "any".
CERTIFIED EXPERT
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:

thanks for both of you on your answers.

 i saw a guide on how to create custom services, there are fields like :

 Source Port : Low and High
 Destination Port : Low and High
 ICMP : Low and High

 from this article : http://support.microsoft.com/kb/179442  there is client and server port. it is the source and destination port field right? but where will i put the port numbers? low or high?

thanks
"Batchelor", Developer and EE Topic Advisor
CERTIFIED EXPERT
Top Expert 2015
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
thanks qlemo for your reply. im reading thru your last 2 posts and i sum it up as this :

create custom service or predefined services and add the services into policy instead of any..

so in this case the firewall will be limited to predefined ports and services which will be secure. am i correct?
Qlemo"Batchelor", Developer and EE Topic Advisor
CERTIFIED EXPERT
Top Expert 2015
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
what if the default policy has been changed to allow all? does it need to be deleted and create a new policy?
Qlemo"Batchelor", Developer and EE Topic Advisor
CERTIFIED EXPERT
Top Expert 2015
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:

 will there be no conflicts on that? thanks a lot qlemo :)
Qlemo"Batchelor", Developer and EE Topic Advisor
CERTIFIED EXPERT
Top Expert 2015

Commented:
No, no conflicts. Policies are applied top-down, so you should define the most specific on top, the most generic on bottom.

Author

Commented:
thanks a lot ! you are very helpful !
thanks to delmark also..

Author

Commented:
awesome!
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.