Solved

How to block IP subnets on Netscreen 50

Posted on 2010-11-29
3
1,098 Views
Last Modified: 2012-05-10
I have a Juniper Netscreen 50 which was implemented long before I was hired. I've been digging around the web GUI and the CLI and have learned quite a bit but cannot seem to figure out how to block specific subnets/hosts from getting into my network. I'm a Cisco guy and know how to do this on a PIX/ASA/router with ACLs and such but the Juniper way of doing things is a bit confusing. We have a few specific subnets that we need to just deny from accessing our network (FTP dictionary attacks) but I can't seem to figure it out.

It's running ScreenOS 5.4.0r11.0.
There are three virtual routers, trust-vr, untrust-vr, and vpn-vr. We have two different public subnets on this router, one on ethernet2 and one on ethernet3. Our trusted side is on ethernet1. I need to block traffic from specific subnets (193.0.0.0/8 for example) from reaching any host on my network.

Any help would be greatly appreciated. As I've said, I'm a Cisco certified guy and I've been in the networking arena for many years but I'm completely new to Juniper systems. Stepping through the GUI or the CLI is fine by me.
0
Comment
Question by:cmackles
  • 2
3 Comments
 
LVL 18

Accepted Solution

by:
deimark earned 500 total points
Comment Utility
To do this on each VR, add a network object in each external zone you have, ie object called "bad-net" with an address of 193.0.0.0/8

Once we have this object, we can then reference it in a rule.

Note, that screenos uses the concept of zones to allow or deny traffic, so you look for which pair of zones you want involved, ie source zone untrust, destination zone trust.

We can then create the policy as follows:

set pol from untrust to trust bad-net any any deny

(repeat for all pairs of zones)

HTH
0
 

Author Closing Comment

by:cmackles
Comment Utility
Fantastic! With that help I've managed to get it working. Thanks a million!
0
 
LVL 18

Expert Comment

by:deimark
Comment Utility
No problem bud.

Welcome to Juniper :P
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Suggested Solutions

Hi All,  Recently I have installed and configured a Sonicwall NS220 in the network as a firewall and Internet access gateway. All was working fine until users started reporting that they cannot use the Cisco VPN client to connect to the customer'…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Excel styles will make formatting consistent and let you apply and change formatting faster. In this tutorial, you'll learn how to use Excel's built-in styles, how to modify styles, and how to create your own. You'll also learn how to use your custo…
Illustrator's Shape Builder tool will let you combine shapes visually and interactively. This video shows the Mac version, but the tool works the same way in Windows. To follow along with this video, you can draw your own shapes or download the file…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now