Solved

Juniper blacklist not working

Posted on 2013-01-09
6
520 Views
Last Modified: 2013-04-23
Hi,

For testing, I'm trying to blacklist IP 64.20.227.133, which is the public IP of the well-known http://mxtoolbox.com

I created an address "blacklist" : 64.20.227.133/32, then I created a rule:

From Global to Global (to be sure) deny "blacklist" on any services to any address.

Problem: when I do a port scan of my public IP, it's still seeing what is open...
So I suppose that nothing is dropped..

Can you help me please.
Thanks.
0
Comment
Question by:kishkool75
  • 3
  • 2
6 Comments
 
LVL 12

Expert Comment

by:DarinTCH
ID: 38758431
what kind of juniper device are we discussing?
Netscreen
SRX

is traffic originating from that IP into your device?
in order for you to be monitoring it....
0
 

Author Comment

by:kishkool75
ID: 38758480
This is an SSG140 with NetScreen OS.

Well, here is a small diagram:

MXTOOLBOX (64.20.227.133) ---->PORT SCAN (25)----> JUNIPER SSG140 ---->Mail server
The result is that mxtoolbox sees that port 25 is open, and I get a log that says:

[Root]system-alert-00016: Port scan! From 64.20.227.133:65194 to XXXXXXX, proto TCP (zone Untrust, int ethernet0/0). Occurred 1 times.

Even with the rule from my previous post, it still sees which port is open on the firewall.
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 38758623
Ok
1-you can perform global rules on netscreen devices....

2nd MXTOOLBOX is NOT a bad site
it actually checks legitimate sites to help in blacklisting--and other things

3rd - if that port is open - as it legitimately should ... then it will be seen available by any scan

4th that IP is not generating traffic into your org - it is just checking to 'see' if the port is available

5th your rule states what exactly - do not permit zzz?ALL traffic from src xxx to dest yyy - correct
 - is that rule even being hit
0

Author Comment

by:kishkool75
ID: 38758732
Hi,

Yes, I know it's a good site, but it was just for testing purposes.
Maybe I'm wrong, but if I say:
anything from this IP must be dropped by the FW, then it should not be able to get any port scan result...
Same thing with SMTP diag on mxtoolbox.
It's still working; it can test my SMTP server and do some checks, but with a rule that says block anything from the mxtoolbox IP, I would just receive an error from the mxtoolbox.com interface... no?

How can I see if that rule is being hit?
To see the current rule, look at the attached picture. (zone : Untrust to Global)

Another thing: if I have a rule that states ALL IS PERMIT FROM ANY IP, and then I make a rule that says PACKET DENY FROM XXX IP, which IP is taking the order?

Thanks
blacklist.JPG
0
 
LVL 12

Expert Comment

by:DarinTCH
ID: 38758776
FW rules get processed in order
so the first it hits in this case

a port scan and fw rule are not necessarily related

fw rule says do not allow traffic from ?anywhere to reach my desktop

a port scan asks if x port is open on the firewall for traffic

so a port scan might get the answer without the traffic being allowed to traverse the firewall - head out the indicated interface and reach a final destination

you can monitor rules usage via - monitoring live or after the fact reports
or even looking at the rule to see if it has an indication it was hit

some of this might be more readily visible from a cmd line than a GUI
search how to monitor firewall rule usage in NetScreen - there's a lot out there
0
 
LVL 68

Accepted Solution

by:
Qlemo earned 500 total points
ID: 38824386
Create the rule as going from Untrust to Trust. IIRC Global to Global will not block traffic.
For testing you should always set the policy to log traffic at session begin. You can remove that later, if you are not interested in logging blocked traffic.
0
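
The behaviour discussed in this thread, as an added example that is not part of any post: a small model of first-match policy lookup that audits whether a blacklist entry is actually effective. It assumes the zone-to-zone policy list is searched before the global list; the policy ids and the inbound SMTP permit are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Policy:
    pid: int                 # constructed policy id
    src: str                 # source address book entry as CIDR
    port: Optional[int]      # destination TCP port, None means ANY service
    action: str              # "permit" or "deny"

def lookup(zone_list, global_list, src_ip, port):
    """Return (action, list name, policy id) of the first matching policy."""
    for name, policies in (("zone", zone_list), ("global", global_list)):
        for p in policies:
            if ip_address(src_ip) in ip_network(p.src) and p.port in (None, port):
                return p.action, name, p.pid
    return "deny", "default", None   # nothing matched: implicit deny

def audit_blacklist(zone_list, global_list, blocked_ip):
    """List (port, policy id) pairs where the blacklisted source is still permitted."""
    ports = sorted({p.port for p in zone_list + global_list
                    if p.action == "permit" and p.port is not None})
    leaks = []
    for port in ports:
        action, _, pid = lookup(zone_list, global_list, blocked_ip, port)
        if action == "permit":
            leaks.append((port, pid))
    return leaks

SCANNER = "64.20.227.133"                       # address from the question
SMTP_IN = Policy(1, "0.0.0.0/0", 25, "permit")  # constructed Untrust-to-Trust mail permit
DENY = Policy(2, SCANNER + "/32", None, "deny")  # the blacklist rule

# Each layout is (zone-to-zone list, global list), in evaluation order.
LAYOUTS = {
    "deny in global list": ([SMTP_IN], [DENY]),
    "deny below permit": ([SMTP_IN, DENY], []),
    "deny above permit": ([DENY, SMTP_IN], []),
}

if __name__ == "__main__":
    for name, (zone, glob) in LAYOUTS.items():
        print(f"{name}: leaks={audit_blacklist(zone, glob, SCANNER)}")
```

Only the layout with the deny placed above the permit in the zone-to-zone list reports no leaks; in the other two the mail permit matches first and the deny is never reached.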


Question has a verified solution.
