Solved

Netscreen SSG5 Firewall

Posted on 2015-02-19
16
154 Views
Last Modified: 2015-03-02
I have been using Netscreen devices at the Enterprise level for a few years but only in the area of editing existing policies created by the corporate gurus of firewalls, which brings me to my question. I have an SSG5 for my home firewall, currently it has only one policy in place. That is to allow any traffic from the untrusted zone to the trusted zone. 2 things are happening that I can't get my head wrapped around. First issue is after 20 days or so, FTP traffic will cease to flow out bound. I get a time out error. The fix seems to be to reset the SSG5 and all is well again. Second is that TCP port 5001 traffic is being blocked somehow and I am not sure why. I admit to being new at creating the policies and I am looking for some guidance.
0
Comment
Question by:EICBOB
  • 6
  • 5
  • 4
16 Comments
 
LVL 68

Expert Comment

by:Qlemo
ID: 40619676
The FTP issue sounds like a bug, not cleaning the firewalls session table from old connections. Check if you can get a more recent firmware.
In regard of port 5001, is that outbound or inbound?
0
 

Author Comment

by:EICBOB
ID: 40619729
The firmware is at the last version supported by Juniper, the 5001 traffic is used to access a Slingbox streaming system. From what I gather at Slingbox support, it is an inbound request to the box to open a session to the client system.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40619743
Normally SSG devices block all traffic by default. Having just one policy from untrust to trust seems strange since you would not be able to send any traffic outbound.

2nd point is a policy from untrusted to trusted will not work unless you have a mapped ip (MIP) or virtual ip (VIP). inbound traffic will not actually reach any device on your network with just this policy.

For the outbound FTP traffic. You should have a policy from trust zone to untrust, can you paste that here so we can take a look at it? And for the port 5001 being blocked, is this inbound or outbound? That will help determine where to trouble shoot.
0
 

Author Comment

by:EICBOB
ID: 40619759
I was taught that too, all traffic is blocked and you have to allow what you want. I will post what is currently on the system when I get home tonight. I currently do not have remote access to the device enabled.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40619764
not a problem, We are here to assist so whenever you get a chance.
0
 

Author Comment

by:EICBOB
ID: 40621007
Here is the current config file from the my SSG5: (Public IPs edited)
set clock ntp
set clock timezone -5
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set service "Sling" protocol tcp src-port 5000-5001 dst-port 5000-5001 
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst 
set zone "Untrust" block 
unset zone "Untrust" tcp-rst 
set zone "DMZ" tcp-rst 
set zone "VLAN" block 
unset zone "VLAN" tcp-rst 
set zone "Untrust" screen icmp-flood
set zone "Untrust" screen udp-flood
set zone "Untrust" screen winnuke
set zone "Untrust" screen port-scan
set zone "Untrust" screen ip-sweep
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ip-spoofing
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "Untrust" screen tcp-no-flag
set zone "Untrust" screen unknown-protocol
set zone "Untrust" screen ip-bad-option
set zone "Untrust" screen fin-no-ack
set zone "Untrust" screen block-frag
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Null"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 72.12.X.X/22
set interface ethernet0/0 route
set interface bgroup0 ip 192.168.0.1/24
set interface bgroup0 nat
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage web
set interface bgroup0 manage mtrace
set interface ethernet0/0 dhcp client enable
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server option domainname  xxxxx
set interface bgroup0 dhcp server option dns1 69.49.X.X 
set interface bgroup0 dhcp server option dns2 72.55.X.X 
set interface bgroup0 dhcp server ip 192.168.0.33 to 192.168.0.126 
unset interface bgroup0 dhcp server config next-server-ip
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
set domain xxxxxxxxxx
set hostname RMS-FW02
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 69.49.X.X src-interface ethernet0/0
set dns host dns2 72.55.X.X src-interface ethernet0/0
set dns host dns3 0.0.0.0
set dns host schedule 06:28 interval 4
set address "Trust" "192.168.0.254/24" 192.168.0.254 255.255.255.0
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set url protocol websense
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log 
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set ssh enable
set config lock timeout 5
set ntp server "129.6.15.30 "
set ntp server src-interface "ethernet0/0"
set ntp server backup1 "206.246.122.250 "
set ntp server backup2 "0.0.0.0"
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

Open in new window

0
 

Author Comment

by:EICBOB
ID: 40621070
Thank you, I apologize for not formatting it correctly
0
Top 6 Sources for Identifying Threat Actor TTPs

Understanding your enemy is essential. These six sources will help you identify the most popular threat actor tactics, techniques, and procedures (TTPs).

 
LVL 68

Expert Comment

by:Qlemo
ID: 40621110
You only have one policy, Trust to Untrust, allow all. There is nothing for inbound traffic, and hence traffic will only flow if it is initiated from your LAN, and kept active within 30 minutes (the TCP default session timeout for SSG devices).

Please also make sure you have FTP ALG active (in WebUI: Security » ALG).

I'm not sure about the Slingbox, so add a policy Untrust to Trust, permit, for the Sling service you've definded, and with session logging ("at Session Beginning"). Then try access, and monitor the logs of both policies to see the traffic.
0
 
LVL 18

Accepted Solution

by:
Sanga Collins earned 350 total points
ID: 40621118
For the port 5000-5001 traffic you will need to create a MIP or VIP that basically maps your public IP address to the device that will be receiving the traffic. Then you need to create an untrust to trust policy with the MIP/VIP as the destination to allow that traffic through the firewall.

If you do not have a block of public IP's a VIP will be the best course of action. The juniper KB has a great article with steps for creating one.

http://kb.juniper.net/InfoCenter/index?page=content&id=KB4740

bookmark, kb.juniper.net It has great articles on how to do almost anything on their devices with pictures good descriptions and accounts for variables in different setups.
0
 

Author Comment

by:EICBOB
ID: 40626391
Ok, I will try your suggestions, as I recall in the Juniper world best practices dictate the final policy should be from the un-trust to trust with a deny all?
0
 
LVL 68

Assisted Solution

by:Qlemo
Qlemo earned 150 total points
ID: 40626417
Yes, you should have an explicit deny policy as last one for each zone.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40626617
Hi Qlemo, I usually make the last policy global to global:deny all. Is this incorrect or accomplishes the same as explicit policies for each zone?
0
 
LVL 68

Expert Comment

by:Qlemo
ID: 40626639
The reason for separate explicit policies is that you can enable logging and change position in a more specific way.
0
 
LVL 18

Expert Comment

by:Sanga Collins
ID: 40626652
Ahh, that makes sense. I normally use NSM so the filters take care of that for me. Sorry for Hijacking the thread.
0
 

Author Closing Comment

by:EICBOB
ID: 40640305
While I have not been able to actually put into place the expert's suggestions. They did reinforce what I had been taught many years ago but due to centralization I have long since forgotten how to do these things.  I will post additional follow up questions if necessary.
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Introduction Many times we come across a slowness or instability between two hosts, and almost always we blame the poor networking guys, just because they're an easy target.  Sometimes we forget that other factors including disk bottlenecks, CPU …
I found an issue or “bug” in the SonicOS platform (the firmware controlling SonicWALL security appliances) that has to do with renaming Default Service Objects, which then causes a portion of the system to become uncontrollable and unstable. BACK…
This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're looking for how to monitor bandwidth using netflow or packet s…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…

706 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now