Solved

Netscreen-25 configuration for port blocking

Posted on 2010-09-03
20
Medium Priority
1,002 Views
Last Modified: 2013-11-16

How to block ports in Netscreen-25 firewall?
0
Question by:ragot
20 Comments
 
LVL 18

Expert Comment

by:deimark
ID: 33600682
Which kind of port blocking are you looking for? Is it a physical port or a logical port you mean? I.e. the physical interface or the application port?
0
 

Author Comment

by:ragot
ID: 33601589
Hi deimark, it's the logical port. I want to block unnecessary ports for forest trusting.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 33602935
Are you using a "permit any-any-any" type of setup? That is, have you defined a policy allowing any traffic? By default all traffic crossing zones (Trust and Untrust) is rejected.
0
 

Author Comment

by:ragot
ID: 33605894
Hi Qlemo, for now yes, we are allowing any traffic.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 33605915
I still have no idea of your config. You can only block traffic crossing zones, because then policies are applied to the traffic. If you want to block traffic from one to another ethernet port in the same zone, you need to use the much more complicated policy-based routing.
Please describe what you want to do, and tell us more about your existing config. Is a VPN involved? Are you crossing zones?
0
 
LVL 18

Expert Comment

by:deimark
ID: 33606939
Not true, Qlemo. You don't need to use PBR to apply a policy on intrazone traffic. Simply tick the box for "intrazone block" on the zone, and then you will need to add specific policies to ultimately allow the traffic.

@ragot: Can you give us a bit more info on what you are trying to do here? Please give an example of the policies you have already and exactly what you are trying to achieve, i.e. block http from x to y.

We can certainly help you here, but we need a bit more info to advise correctly.
0
 

Author Comment

by:ragot
ID: 33608459
Hi Qlemo, deimark,

I have policies here that allow all; of course that is not secure. Now I want to allow only the ports used for forest trusting.

Thanks for your replies.
0
 

Author Comment

by:ragot
ID: 33608463
@Qlemo: yes, there is a VPN involved. I'm connected to the main office with all traffic allowed.
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 33610672
Do you use a route-based or policy-based VPN? Anyway, you will have a policy allowing the VPN traffic?! You can just modify that to allow only some ports: create custom services containing NetBIOS (135, 137-139, each udp and tcp, and 445/tcp) or use the predefined ones. Then include those as the service in your VPN or Permit policy instead of "any".
0
 
LVL 18

Assisted Solution

by:deimark
deimark earned 500 total points
ID: 33610754
Have a look at the link below:

http://www.juniper.net/techpubs/software/screenos/screenos6.0.0/index.html

This is a great one-stop shop for how-tos and examples on how to achieve certain goals.

Have a look at volume 2, the fundamentals, which gives a great grounding on what zones and policies are, as well as volume 5, the VPN doc.

0
 

Author Comment

by:ragot
ID: 33624718

Thanks to both of you for your answers.

I saw a guide on how to create custom services; there are fields like:

 Source Port : Low and High
 Destination Port : Low and High
 ICMP : Low and High

From this article, http://support.microsoft.com/kb/179442, there is a client and a server port. That is the source and destination port field, right? But where will I put the port numbers, low or high?

Thanks
0
 
LVL 71

Accepted Solution

by:Qlemo
Qlemo earned 1500 total points
ID: 33624783
The source port is always from the sender / requester of a service, the destination port always to the receiver. Most of the time only the destination port is fixed. For example, if we monitor a RDP connection, it is:
Source requests to open destination port 3389, source port is dynamic.
The appropriate service entry would look exactly like that. "low" and "high" are the boundaries of your service ports, and in this case they are 3389 & 3389 (source), 0 & 65535 (destination, no restriction).

However, you should not need to create custom services in this case; all services should be predefined already. You need destination ports 135, 137-139, 445, 389 (ldap, for Active Directory).
If you are uncertain about whether you can restrict the source port or udp/tcp, just allow for more general traffic, and switch on logging in the policy for a short period of time. You will see a detailed log of connection attempts including ports and protocols.
0
 

Author Comment

by:ragot
ID: 33625045
Thanks Qlemo for your reply. I'm reading through your last 2 posts and I sum it up as this:

Create custom services or use predefined services and add the services into the policy instead of any.

So in this case the firewall will be limited to the predefined ports and services, which will be secure. Am I correct?
0
 
LVL 71

Assisted Solution

by:Qlemo
Qlemo earned 1500 total points
ID: 33626121
Yes. The default policy (invisible) is deny-all, so anything you do not allow is denied.
0
 

Author Comment

by:ragot
ID: 33633001
What if the default policy has been changed to allow all? Does it need to be deleted and a new policy created?
0
 
LVL 71

Assisted Solution

by:Qlemo
Qlemo earned 1500 total points
ID: 33634379
Just create a deny or reject policy for all addresses as last one.
0
 

Author Comment

by:ragot
ID: 33634461
Will there be no conflicts on that? Thanks a lot Qlemo :)
0
 
LVL 71

Expert Comment

by:Qlemo
ID: 33634479
No, no conflicts. Policies are applied top-down, so you should define the most specific on top, the most generic on bottom.
0
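The thread's advice (custom services with a fixed destination port and open source port, those services in the policy instead of "any", a deny-all as the last policy, most specific on top) pulled together as one ScreenOS 6.x CLI listing. This is an added example, not configuration from the thread or from Juniper's docs; the zone names "Trust" and "Untrust", the service and group names, the policy IDs and the old allow-all policy id 1 are assumptions, and the exact syntax should be checked against the ScreenOS reference deimark linked before use.

```text
# Added example. '#' lines are annotations only; strip them before pasting.

# Custom services: client side (src-port) is dynamic, so it stays 0-65535;
# only the server side (dst-port) is fixed. Ports are those named in the
# thread: 135 and 137-139 tcp+udp, 445 tcp, 389 tcp+udp. Predefined
# services for the same ports exist and can be used instead.
set service "AD-MSRPC" protocol tcp src-port 0-65535 dst-port 135-135
set service "AD-MSRPC" + udp src-port 0-65535 dst-port 135-135
set service "AD-NetBIOS" protocol tcp src-port 0-65535 dst-port 137-139
set service "AD-NetBIOS" + udp src-port 0-65535 dst-port 137-139
set service "AD-SMB" protocol tcp src-port 0-65535 dst-port 445-445
set service "AD-LDAP" protocol tcp src-port 0-65535 dst-port 389-389
set service "AD-LDAP" + udp src-port 0-65535 dst-port 389-389

# One service group so each policy references a single object.
set group service "AD-Forest-Trust"
set group service "AD-Forest-Trust" add "AD-MSRPC"
set group service "AD-Forest-Trust" add "AD-NetBIOS"
set group service "AD-Forest-Trust" add "AD-SMB"
set group service "AD-Forest-Trust" add "AD-LDAP"

# Specific permits first, logged while the port list is being confirmed.
set policy id 10 from "Trust" to "Untrust" "Any" "Any" "AD-Forest-Trust" permit log
set policy id 11 from "Untrust" to "Trust" "Any" "Any" "AD-Forest-Trust" permit log

# Explicit catch-all deny as the LAST policy in each direction, so an
# earlier allow-all no longer matches. Policies are evaluated top-down.
set policy id 20 from "Trust" to "Untrust" "Any" "Any" "ANY" deny log
set policy id 21 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log

# Remove the old allow-all policy (assumed id 1) and persist the config.
unset policy id 1
save

# If both hosts sit in the same zone, intrazone traffic is not policed
# until the zone is set to block, as deimark noted above:
set zone "Trust" block
```

For a policy-based VPN, change the service of the existing tunnel policy from ANY to "AD-Forest-Trust" rather than adding the new permit policies. The full port list for a forest trust should be taken from the Microsoft KB article cited in the thread.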
 

Author Comment

by:ragot
ID: 33634494
Thanks a lot! You are very helpful!
Thanks to deimark also.
0
 

Author Closing Comment

by:ragot
ID: 33634508
Awesome!
0
