Solved

How to block IP subnets on Netscreen 50

Posted on 2010-11-29
3
1,118 Views
Last Modified: 2012-05-10
I have a Juniper Netscreen 50 which was implemented long before I was hired. I've been digging around the web GUI and the CLI and have learned quite a bit but cannot seem to figure out how to block specific subnets/hosts from getting into my network. I'm a Cisco guy and know how to do this on a PIX/ASA/router with ACLs and such but the Juniper way of doing things is a bit confusing. We have a few specific subnets that we need to just deny from accessing our network (FTP dictionary attacks) but I can't seem to figure it out.

It's running ScreenOS 5.4.0r11.0.
There are three virtual routers, trust-vr, untrust-vr, and vpn-vr. We have two different public subnets on this router, one on ethernet2 and one on ethernet3. Our trusted side is on ethernet1. I need to block traffic from specific subnets (193.0.0.0/8 for example) from reaching any host on my network.

Any help would be greatly appreciated. As I've said, I'm a Cisco certified guy and I've been in the networking arena for many years but I'm completely new to Juniper systems. Stepping through the GUI or the CLI is fine by me.
0
Comment
Question by:cmackles
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 18

Accepted Solution

by:
deimark earned 500 total points
ID: 34231322
To do this on each VR, add a network object in each external zone you have, ie object called "bad-net" with an address of 193.0.0.0/8

Once we have this object, we can then reference it in a rule.

Note, that screenos uses the concept of zones to allow or deny traffic, so you look for which pair of zones you want involved, ie source zone untrust, destination zone trust.

We can then create the policy as follows:

set pol from untrust to trust bad-net any any deny

(repeat for all pairs of zones)

HTH
0
 

Author Closing Comment

by:cmackles
ID: 34231977
Fantastic! With that help I've managed to get it working. Thanks a million!
0
 
LVL 18

Expert Comment

by:deimark
ID: 34231982
No problem bud.

Welcome to Juniper :P
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I recently had the displeasure of buying a new firewall at one of the buildings I play Sys Admin at. I had to get a better firewall than the cheap one that I had there since I was reconnecting the main office to the satellite office via point-to-poi…
Optimal Xbox 360 connectivity requires "OPEN NAT". If you use Juniper Netscreen or SSG firewall products in a home setting, the following steps will allow you get rid of the dreaded warning screen below and achieve the best online gaming environment…
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.

687 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question