Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

How to block IP subnets on Netscreen 50

Posted on 2010-11-29
3
1,115 Views
Last Modified: 2012-05-10
I have a Juniper Netscreen 50 which was implemented long before I was hired. I've been digging around the web GUI and the CLI and have learned quite a bit but cannot seem to figure out how to block specific subnets/hosts from getting into my network. I'm a Cisco guy and know how to do this on a PIX/ASA/router with ACLs and such but the Juniper way of doing things is a bit confusing. We have a few specific subnets that we need to just deny from accessing our network (FTP dictionary attacks) but I can't seem to figure it out.

It's running ScreenOS 5.4.0r11.0.
There are three virtual routers, trust-vr, untrust-vr, and vpn-vr. We have two different public subnets on this router, one on ethernet2 and one on ethernet3. Our trusted side is on ethernet1. I need to block traffic from specific subnets (193.0.0.0/8 for example) from reaching any host on my network.

Any help would be greatly appreciated. As I've said, I'm a Cisco certified guy and I've been in the networking arena for many years but I'm completely new to Juniper systems. Stepping through the GUI or the CLI is fine by me.
0
Comment
Question by:cmackles
  • 2
3 Comments
 
LVL 18

Accepted Solution

by:
deimark earned 500 total points
ID: 34231322
To do this on each VR, add a network object in each external zone you have, ie object called "bad-net" with an address of 193.0.0.0/8

Once we have this object, we can then reference it in a rule.

Note, that screenos uses the concept of zones to allow or deny traffic, so you look for which pair of zones you want involved, ie source zone untrust, destination zone trust.

We can then create the policy as follows:

set pol from untrust to trust bad-net any any deny

(repeat for all pairs of zones)

HTH
0
 

Author Closing Comment

by:cmackles
ID: 34231977
Fantastic! With that help I've managed to get it working. Thanks a million!
0
 
LVL 18

Expert Comment

by:deimark
ID: 34231982
No problem bud.

Welcome to Juniper :P
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Network traffic routing plays key role in your network, if you have single site with heavy browsing or multiple sites, replicating important application data from your Primary Default Gateway ,you have to route your other network traffic from your p…
Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question