Security

HI ALL:

I have a firewall of ssg-520m-ssh, and now I want to configure the firewall to transparent mode. n I set the interface e0/0 to v1-trust and e0/2 to v1-untrust zone. And I add some policy to permit some ip address in my network can access the internet. But seem the policy does work. I have a query, if in transparent mode, can not set the policy base the ip address. Because the ip is working in lay 3, and transparent mode can not working in lay 3.

Do you use screenos or junos?

For Junos check http://kb.juniper.net/InfoCenter/index?page=content&id=KB21421 (Configuration Example - Transparent mode on branch end SRX)

and for screenos check page 99 of http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_all.pdf (Concepts & Examples ScreenOS Reference Guide)

When an interface is in transparent mode, the security device filters packets traversing the firewall without modifying any of the source or destination information in the IP packet header. All interfaces behave as though they are part of the same network, with the security device acting much like a Layer 2 switch or bridge. In transparent mode, the IP addresses of interfaces are set at 0.0.0.0, making the presence of the security device transparent (invisible) to users.

You can use ip address objects to create policies in transparent mode.  The policy creation process is just the same as in layer 3 mode.

You can also do source address translation using a dip on the vlan1 interface if needed.

But all the of interfaces in the transparent mode instance have to be in the same broadcast domain.  So this can restrict where you can touch traffic passing through.

You may find my lecture in Lesson 12: Transparent mode on my on-line introductory course useful.  No registration is needed just click enter as a guest.  The lesson section also has links to the command reference and relevant documentation.

http://puluka.com/classes/course/view.php?id=5

Very thank for all reply!

  Now I attached some pic for my configure. My firewall is behind the cisco Router 2920, in order to configure simply,

 I have configured the firewall to transparent mode. And my intranet network is 192.168.40.0/24, I set some policy to filer web

Explore base ip address, But no any policy can work, I am very confused,

If I configure file is not right. I upload my file for your check. Can you kindly help me to check ?

the configure is :

nset key protection enable
set clock timezone 7
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "admin"
set admin password "nLYdKPrIDxuKc52BoscHf4Ltz8LHln"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "V1-Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "V1-Trust"
set interface vlan1 ip 192.168.40.5/24
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
set interface vlan1 broadcast arp
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 202.96.128.166
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set address "V1-Trust" "ip-002" 192.168.40.2 255.255.255.0
set address "V1-Trust" "ip-003" 192.168.40.3 255.255.255.0
set address "V1-Trust" "ip-004" 192.168.40.4 255.255.255.0
set address "V1-Trust" "ip-005" 192.168.40.5 255.255.255.0
set address "V1-Trust" "ip-006" 192.168.40.6 255.255.255.0
set address "V1-Trust" "ip-007" 192.168.40.7 255.255.255.0
set address "V1-Trust" "ip-008" 192.168.40.8 255.255.255.0
set address "V1-Trust" "ip-009" 192.168.40.9 255.255.255.0
set address "V1-Trust" "ip-010" 192.168.40.10 255.255.255.0
set address "V1-Trust" "ip-011" 192.168.40.11 255.255.255.0
set address "V1-Trust" "ip-012" 192.168.40.12 255.255.255.0
set address "V1-Trust" "ip-015" 192.168.40.15 255.255.255.0
set address "V1-Trust" "ip-023" 192.168.40.23 255.255.255.0
set address "V1-Trust" "ip-029" 192.168.40.29 255.255.255.0
set address "V1-Trust" "ip-030" 192.168.40.30 255.255.255.0
set address "V1-Trust" "ip-036" 192.168.40.36 255.255.255.0
set address "V1-Trust" "ip-037" 192.168.40.37 255.255.255.0
set address "V1-Trust" "ip-038" 192.168.40.38 255.255.255.0
set address "V1-Trust" "ip-041" 192.168.40.41 255.255.255.0
set address "V1-Trust" "ip-044" 192.168.40.44 255.255.255.0
set address "V1-Trust" "ip-048" 192.168.40.48 255.255.255.0
set address "V1-Trust" "ip-056" 192.168.40.56 255.255.255.0
set address "V1-Trust" "ip-070" 192.168.40.70 255.255.255.0
set address "V1-Trust" "ip-081" 192.168.40.81 255.255.255.0
set address "V1-Trust" "ip-188" 192.168.40.188 255.255.255.0
set address "V1-Trust" "ip-200" 192.168.40.200 255.255.255.0
set address "V1-Trust" "ip-212" 192.168.40.212 255.255.255.0
set address "V1-Trust" "ip-251" 192.168.40.251 255.255.255.0
set address "V1-Trust" "mainland net" 192.168.40.0 255.255.255.0 "mainland network"
set address "V1-Untrust" "ip-001" 192.168.40.1 255.255.255.0
set address "V1-Untrust" "macro-net" 192.168.42.0 255.255.255.0 "macro network"
set address "V1-Untrust" "wan net" 0.0.0.0 0.0.0.0 "wan network"
set group address "V1-Trust" "special-group"
set group address "V1-Trust" "special-group" add "ip-023"
set group address "V1-Trust" "special-group" add "ip-038"
set group address "V1-Trust" "special-group" add "ip-048"
set group address "V1-Trust" "special-group" add "ip-188"
set group address "V1-Trust" "stardand-group"
set group address "V1-Trust" "stardand-group" add "ip-002"
set group address "V1-Trust" "stardand-group" add "ip-008"
set group address "V1-Trust" "stardand-group" add "ip-015"
set group address "V1-Trust" "stardand-group" add "ip-029"
set group address "V1-Trust" "stardand-group" add "ip-030"
set group address "V1-Trust" "stardand-group" add "ip-036"
set group address "V1-Trust" "stardand-group" add "ip-037"
set group address "V1-Trust" "stardand-group" add "ip-041"
set group address "V1-Trust" "stardand-group" add "ip-044"
set group address "V1-Trust" "stardand-group" add "ip-056"
set group address "V1-Trust" "stardand-group" add "ip-070"
set group address "V1-Trust" "stardand-group" add "ip-081"
set group address "V1-Trust" "stardand-group" add "ip-200"
set group address "V1-Trust" "stardand-group" add "ip-212"
set crypto-policy
exit
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set url protocol type sc-cpa
set url protocol sc-cpa
set category "block qq website" url "*.qq.com.cn/"
set category "block qq website" url "tv.sohu.com/"
set profile "block qq profile" "block qq website" block
set profile "block qq profile" "Adult/Sexually Explicit" block
set enable
set deny-message "Your page is blocked due to a security policy that prohibits access to $URL_CATEGORY"
exit
set anti-spam profile ns-profile
 set sbl default-server enable
exit
set policy id 6 name "allow mainland to macau" from "V1-Trust" to "V1-Untrust"  "mainland net" "macro-net" "ANY" permit
set policy id 6
set url protocol sc-cpa profile "block qq profile"
exit
set policy id 7 name "allow special group to internet" from "V1-Trust" to "V1-Untrust"  "special-group" "wan net" "ANY" permit
set policy id 7
set url protocol sc-cpa profile "block qq profile"
exit
set policy id 8 name "allow dns" from "V1-Trust" to "V1-Untrust"  "mainland net" "wan net" "DNS" permit
set policy id 8
exit
set policy id 9 name "allow pop and smtp" from "V1-Trust" to "V1-Untrust"  "mainland net" "wan net" "POP3" permit
set policy id 9
set service "SMTP"
exit
set policy id 10 name "allow standard group http" from "V1-Trust" to "V1-Untrust"  "stardand-group" "wan net" "HTTP" permit
set policy id 10
set service "HTTPS"
set url protocol sc-cpa profile "block qq profile"
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 gateway 192.168.40.5
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

This is hard to tell exactly without a scope of the network.  But I think you are trying to do a layer 3 deploy here.  It appears that your two networks are not in the same broadcast domain but two independent class c networks

192.168.40.0/24

192.168.42.0/24

You could open the scope up but right now your vlan1 management interface is inside just the first class c address.  If you want to be transparent between these two addresses you need your transparent scope to include both of the subnets and the management vlan1 address to also reflect that larger scope.

Other Issues

Your default route is pointed to your vlan1 management address instead of whatever your next hop router is on this segment.

All your address objects for the ip-ooX series are the same address.  You appear to be trying to specify hosts but they are all using the subnet mask of 255.255.255.0, I think you wanted them to be 255.255.255.255 host masks.

Your policies 9 and 10 appear to be incomplete.  The names say they have scope for more services than are configured.  You need to add the additional pop service to policy 9 and the http service to policy 10.

Sorry, I think I don’t describe my network Top clearly. My network ip address is 192.168.40.0/24.My firewall now is behind the cisco 2920 router. The firewall vlan ip is 192.168.40.5 . the router e0/0 is 192.168.40.1 ,the e0/0 is connected direct the firewall .And in my router I have a ipsec vpn to remote network (192.168.42.0/24), the vpn is working successfully.

Now I add the firewall working the transparent mode behind the router. And my intranet(192.168.40.0/24) can connect the the network(192.168.42.0/24) after set some policy in the firewall. But have still some problem.

1:now all my computer in my intranet can access internet .so I wrote some base ip policy to permit some ip to access internet. But the policy seem can not work success.    

2:see below the policy setting, I have made five policy.  Seem these policy is not effective. The id 6 policy I made is permit the 192168.40.0/24 to access the macau net(192.168.42.0/24)

The id 7 is full access permition of internet in the special ip group(such as 192.168.40.188) .id 8,9 permit the pop3 and smtp. But now if I enable the id 7, others policy disable. All the intranet ip can access the internet. I only hope ip address of 192.168.40.188 can have the full permittion. I have add the 192.168.40.188 to special group.  Seem in the transparent mode ,the ip lay have not effect in the policy.

Think you have two issues here with the policies.

1- your wan net address object seems to be trying to be a default address 0.0.0.0/0 this should use the "any" option for the zone instead.

2-your policies are too broad to be used.  All your groups have the entire subnet in them.

Remember that policy lists are FIRST match and done.  So as soon as traffic matches a rule no further rules are processed.  Once you change your rule 7 to be any instead of wan net basically no other rules will ever apply.  Your rule 6 and 7 just allow anything to the whole subnet and no further rules will be processed.

BE sure to fix all those server address objects ot have the host mask of 255.255.255.255.

And delete the incorrect default route with one pointed to the 192.168.40.1 router address.

Very thanks for spuluka:

  I have checked my host  ip mask, yes i set the ip host mask 255.255.255.0, so all the the host subnet will be permited , some detail have been neglected , i have be confused by this issue for seveval days.