08-28-2008 04:47 PM
I am running the following:
SSG-5-serial - screenos 6.1.0r3.0~av-k
NSMXpress - 2008.1r1
The problem that I am experiencing is this: after modelling the SSG-5, when I compare the policies on the device with the policies in NSM, they are different. I have two policies that have a MIP as the destination, and they are two different MIPs: x.x.x.16 and y.y.y.215. Here they are, from the CLI configuration:
set policy id 7 name "Inbound" from "Untrust" to "DZONE1" "Any" "MIP(x.x.x.56)" "POP3" permit
set policy id 16 name "SSL-VPN" from "Untrust" to "DZONE2" "Any" "MIP(y.y.y.215)" "HTTPS" permit log
Interface ethernet0/0 is bound to the Untrust zone, and has an address of y.y.y.213/28.
Here is the problem: the rules that exist in NSM are as follows:
id  from     src  to      dest              svc    action  options
7   untrust  any  DZONE1  mip(x.x.x.56/32)  pop3   permit
16  untrust  any  DZONE2  mip(x.x.x.56/32)  https  permit  log
As you can see, policy 16 has been modified to include the incorrect MIP. When I try to modify the rule in NSM, my y.y.y.215 MIP doesn't appear in the "add addresses" pick-box; however, if I navigate to Devices->MyDevice->Interfaces->ethernet0/0->Nat->M
So as you can see, I am quite confused.
08-28-2008 04:54 PM
You need to have a global MIP defined on NSM so that it can use it in the policies; otherwise it won't show up in the list.
object manager > nat objects > global MIP > New MIP.
It will get you to reference the MIP on the device so that it can be used in the policy.
For more information have a look in the NSM manual.
08-29-2008 09:36 AM
OK, manually adding the 2nd global MIP did allow me to fix the firewall rule in NSM, and it no longer shows up in the delta config, but I have not pushed the policy to the SSG-5 yet.
On the firewall, the two MIPs ARE defined, as below, so I'd really like to know why only one of them was loaded into NSM.
set interface "ethernet0/0" mip x.x.x.56 host z.z.z.200 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip y.y.y.215 host y.y.y.38 netmask 255.255.255.255 vr "trust-vr"
And I guess my next question is: if NSM didn't import it correctly, how do I know it is going to write it to the device correctly?
Also, where in the NSM 2008.1 admin guide does it indicate that MIPs are not imported correctly?
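As an added check (not something posted in this thread), the following Python script does the comparison the question above asks for: it parses the ScreenOS `set interface ... mip` and `set policy ... "MIP(...)"` lines quoted in this thread and compares them against the NSM rule table from the first post, reporting any policy whose MIP destination differs between the device and NSM, and any device MIP that no NSM rule references. The addresses are the thread's own x.x.x / y.y.y placeholders, and the NSM table is a hand-typed dict built from the post, not an NSM export.

```python
import re

# Constructed sample input: the ScreenOS CLI lines quoted in this thread (placeholder addresses).
DEVICE_CONFIG = """
set interface "ethernet0/0" mip x.x.x.56 host z.z.z.200 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip y.y.y.215 host y.y.y.38 netmask 255.255.255.255 vr "trust-vr"
set policy id 7 name "Inbound" from "Untrust" to "DZONE1" "Any" "MIP(x.x.x.56)" "POP3" permit
set policy id 16 name "SSL-VPN" from "Untrust" to "DZONE2" "Any" "MIP(y.y.y.215)" "HTTPS" permit log
"""

# Constructed NSM rule table as the first post shows it after import: policy id -> dest column.
NSM_RULES = {7: "mip(x.x.x.56/32)", 16: "mip(x.x.x.56/32)"}

MIP_DEF = re.compile(r'^set interface "\S+" mip (\S+) host (\S+)')
POLICY = re.compile(r'^set policy id (\d+) .*?"MIP\(([^)]+)\)"')

def parse_device(config):
    """Return ({mip_address: host}, {policy_id: mip_address}) from ScreenOS CLI text."""
    mips, policies = {}, {}
    for line in config.splitlines():
        m = MIP_DEF.match(line)
        if m:
            mips[m.group(1)] = m.group(2)
            continue
        p = POLICY.match(line)
        if p:
            policies[int(p.group(1))] = p.group(2)
    return mips, policies

def nsm_mip(value):
    """'mip(x.x.x.56/32)' -> 'x.x.x.56'; NSM shows the /32 that the device CLI omits."""
    m = re.match(r'mip\(([^/)]+)(?:/32)?\)', value, re.IGNORECASE)
    return m.group(1) if m else None

def find_mismatches(config, nsm_rules):
    """Policies whose MIP differs between device and NSM, and device MIPs no NSM rule uses."""
    mips, policies = parse_device(config)
    mismatched = {pid: (dev, nsm_mip(nsm_rules.get(pid, "")))
                  for pid, dev in policies.items()
                  if nsm_mip(nsm_rules.get(pid, "")) != dev}
    referenced_in_nsm = {nsm_mip(v) for v in nsm_rules.values()}
    unreferenced = sorted(m for m in mips if m not in referenced_in_nsm)
    return mismatched, unreferenced

if __name__ == "__main__":
    bad, missing = find_mismatches(DEVICE_CONFIG, NSM_RULES)
    for pid, (dev, nsm) in bad.items():
        print(f"policy {pid}: device uses MIP {dev} but NSM has {nsm}")
    print("device MIPs not referenced by any NSM rule:", missing)
```

Run it against the real `get config` output and the NSM rule table before a device update; an empty result is what you want to see before pushing.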
08-30-2008 03:00 PM - edited 08-30-2008 03:04 PM
From what you seem to be saying, the MIP was imported correctly into NSM for the device config, but what didn't happen was the Global MIP wasn't created, so it couldn't be used for a policy.
Was the MIP being used by a policy on the firewall when you imported it into NSM??
If the MIP wasn't being used then NSM probably didn't create the global MIP, as there was no need to at the time because it wasn't being used by a policy.
The delta config shows you what is going to be sent to the device when you do a device update from NSM. So long as you're not seeing anything that will be added or removed that you think shouldn't be, then everything should be fine. If you are concerned, take a backup of the config from the firewall and then update the device.
Just answered my question, the MIP was in use, just re-read your first message. Not sure why it wasn't added then; I have not tried importing a device in 2008.1 yet. Might be worth opening a case with Juniper or seeing if someone else on here can test if they have got 2008.1 set up.
09-26-2008 09:46 AM
The NSM patch 2008.1 "c2" is available for download for customers.
It addresses a few serious regressions which are affecting customers who use MIP/VIP or customers with two or more 0.0.0.0/0 (default) routes.
The patch is server-only (no need for a new UI client).
The list of ScreenOS device related fixes is:
307611 VIP's not getting imported in NSM properly
308058 NSM 2008.1 - NSM unsetting and setting RIP option on sub interface for every
308481 NSM unsetting default route
309628 SSG520 with multiple mips in policies all have the same mip when imported into
309635 NSM 2008.1r1 is not importing MIP's into Global NAT Objects