ScreenOS Firewalls (NOT SRX)
Visitor
bimbayo
Posts: 4
Registered: 04-02-2012

Can I block 1500 unique IPs without overloading ISG2000 ?

Hello.....

We utilize a pair of M120 Routers as Internet Gateways and behind them is a pair of ISG2000 Firewalls.

As a mobile network, we frequently have up to half a million active sessions.

We have received a Security Bulletin indicating some DoS attacks and advising us to block about 1000 unique IP addresses [non-contiguous].

We have two options: Firewall Filters on the M120 or add them in the black list of the ISG2000 Firewalls.

My question is: which is a safer option, and do you have any experience with blocking such a large set of IPs?

Are there some options that are even better? And is there a shortcut to adding 1000 IPs [maybe uploading a file instead of adding one by one]?

Thanks

Bayo

Super Contributor
nikolay.semov
Posts: 170
Registered: 03-15-2012

Re: Can I block 1500 unique IPs without overloading ISG2000 ?

Latter part: transfer to Excel in a column, add CLI commands in other columns, use CONCATENATE to compose whole commands, drag, then save in CSV to "flatten out" the formula, then back in Excel to isolate just the column with the whole command, then save as TXT. Finally, chop down to edible pieces and serve to the device on CLI.

Also, not sure about the ISG, but I do remember seeing something cautionary mentioned in the JUNOS release notes regarding large firewall filters.
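The spreadsheet procedure above, scripted, as an added example that is not part of the thread: it takes the bulletin's IP list, rejects malformed entries and duplicates instead of pasting them into a deny rule, emits one set of ScreenOS address-book commands per host, and splits the output into paste-sized chunks. The zone name, group name and the exact `set address` / `set group address` templates are assumptions to check against your ScreenOS release.

```python
"""Scripted version of the spreadsheet procedure above: IP list -> one ScreenOS
CLI line per address -> paste-sized chunks. Added example, not from the thread.
Command templates assume ScreenOS address-book syntax; verify on your release."""
import ipaddress

# Constructed sample input as a bulletin might deliver it: blank lines,
# a duplicate and an invalid entry mixed in.
SAMPLE_BULLETIN = """\
203.0.113.10
203.0.113.11

198.51.100.7
203.0.113.10
999.1.1.1
192.0.2.44
"""
ZONE = "Untrust"          # assumed zone the attack traffic arrives from
GROUP = "DoS-Blocklist"   # assumed address group referenced by a deny policy
CHUNK = 100               # commands per paste; keep under the CLI input buffer

def parse_ips(text: str) -> tuple[list[ipaddress.IPv4Address], list[str]]:
    """Return (sorted unique valid IPv4 hosts, rejected raw lines)."""
    good, bad = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        try:
            good.add(ipaddress.IPv4Address(line))
        except ValueError:
            bad.append(line)  # never silently drop or guess a typo'd address
    return sorted(good), bad

def commands_for(ip: ipaddress.IPv4Address) -> list[str]:
    """Address-book entry plus group membership for one host (assumed syntax)."""
    name = f"blk-{ip}"
    return [f'set address "{ZONE}" "{name}" {ip} 255.255.255.255',
            f'set group address "{ZONE}" "{GROUP}" add "{name}"']

def build_chunks(text: str, chunk: int = CHUNK) -> list[list[str]]:
    """All commands for the valid hosts, split into chunks of `chunk` lines."""
    lines = [cmd for ip in parse_ips(text)[0] for cmd in commands_for(ip)]
    return [lines[i:i + chunk] for i in range(0, len(lines), chunk)]

if __name__ == "__main__":
    ips, rejected = parse_ips(SAMPLE_BULLETIN)
    print(f"{len(ips)} unique hosts; rejected: {rejected}")
    for n, block in enumerate(build_chunks(SAMPLE_BULLETIN, chunk=4), 1):
        print("\n".join(block))
```

Paste each chunk separately and confirm the group membership count with `get group address` before attaching the group to the deny policy.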
Contributor
ed_gpc
Posts: 194
Registered: 09-21-2010

Re: Can I block 1500 unique IPs without overloading ISG2000 ?

ISG2k will not have a problem with this.  It's not a firewall filter here, it's a security policy.
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.