Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  2 very basic questions ? [ from a new juniper enthusiast ]

    Posted 08-11-2011 22:35

    1> Talking about the ScreenOS to Junos move/conversion, can I convert all of the ISG and SSG devices to run JUNOS?

     

    2> Is it mandatory in ScreenOS ISG to make addresses in the address book to communicate and make security policies, or is it just to give a better understanding of the network, and I can still make security policies without addresses in the address book? Please confirm, since I cannot test it in any simulator!

     

     

    regards,

     



  • 2.  RE: 2 very basic questions ? [ from a new juniper enthusiast ]

    Posted 08-12-2011 23:59

    1. You cannot install Junos on the SSG series; JunOS is not supported on EX, SRX, J/M/T and ERX series.

     

    2. By default, the "Any" address book entry is available in each security zone (e.g. trust, untrust). However, if you don't want to use Any (as you want to restrict some IP subnets), then you will have to create new address book entries ...

     

    So it is better to use address book entries to make strict policies, instead of configuring policies with "Any" address book entries.

     

    regards



  • 3.  RE: 2 very basic questions ? [ from a new juniper enthusiast ]

    Posted 08-13-2011 03:58

    SSG models in the 300 and 500 series that have the M at the end of their name can be converted to run Junos.  Others cannot.  These are the same hardware as a J-series device and turn the SSG into an SRX.  They are a good choice if you want to run SSG code now and have the ability to convert down the road.

     

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB14032

     

    There are migration instructions posted in the Junos documentation. You can purchase a migration kit for your model that will have a flash to swap out for the install of the OS.


    #ssgisg


  • 4.  RE: 2 very basic questions ? [ from a new juniper enthusiast ]

    Posted 08-13-2011 10:02

    Regarding my address and address book point, what I want to ask exactly is that in ASA firewalls such addresses are called OBJECTS (of different types) and ALIASES for naming an IP!

     

    Well, in ASA it is not mandatory, and the results in policies (access-lists) could be achieved without naming them or defining objects for them?

     

     

    Can we still do the same on ISG or SSG? .... I want to know this for better insight and understanding!

     

     

    waiting ....



  • 5.  RE: 2 very basic questions ? [ from a new juniper enthusiast ]
    Best Answer

    Posted 08-13-2011 10:17

    The address objects are required. 

     

    But you can simply enter the address when you create the policy in the web interface and the system will automatically create the address object using the network segment as the object name.

     

    You will see those newly created addresses here.

     

    Policy--Policy Elements--Addresses



  • 6.  RE: 2 very basic questions ? [ from a new juniper enthusiast ]

    Posted 08-14-2011 17:00

    Yeah, that's what I have noticed as well. If you don't create an address object in advance, you can simply enter the IP address when building a policy, then it appears as an address object in the list.

    While it works, you could not use multiple address objects in a single policy this way.