ScreenOS Firewalls (NOT SRX)
Contributor
MuggsyO
Posts: 13
Registered: ‎12-17-2008

Can I see the encrypted traffic through the firewall?

Hi Everybody

I would like to know whether it is possible to see the encrypted traffic on the Juniper ISG 2000.

If it is possible, how can I see it?

Trusted Contributor
Gavrilo
Posts: 279
Registered: ‎07-14-2008

Re: Can I see the encrypted traffic through the firewall?

If you mean can you see it as decrypted traffic: no (that's why it is encrypted).

If you mean can you see it as a stream of encrypted traffic: yes (that's what hackers/crackers try to break).

Trusted Expert
WL
Posts: 789
Registered: ‎07-26-2008

Re: Can I see the encrypted traffic through the firewall?

Actually, for the ISG platform you may not even be able to see the encrypted traffic itself, as this is handled in hardware. You will not be able to see it even in the debugs.

**** Please click the "Accept as Solution" button if my post helped to solve your problem ****
Trusted Contributor
Gavrilo
Posts: 279
Registered: ‎07-14-2008

Re: Can I see the encrypted traffic through the firewall?

Good point, WL.
Contributor
fharoon
Posts: 51
Registered: ‎06-21-2008

Re: Can I see the encrypted traffic through the firewall?

Even if you are able to see the traffic, it will be ciphertext. I wonder why you require this? Is it a POC for a customer?

Regards,

Farrukh Haroon

Super Contributor
Cesar
Posts: 141
Registered: ‎11-18-2008

Re: Can I see the encrypted traffic through the firewall?

MuggsyO,

If the encrypted traffic is terminated on the ISG-2000, you can prevent the security device from creating a hardware session for specific traffic via the CLI command "set no-hw-sess" under the policy, for troubleshooting purposes. This has been supported since ScreenOS 6.1.

In addition to that, you can use flow and snoop filters on tunnel traffic since ScreenOS 6.2.

Hope this helps.

Cesar

Message Edited by Cesar on 03-12-2009 10:40 AM
Distinguished Expert
Screenie
Posts: 1,085
Registered: ‎01-10-2008

Re: Can I see the encrypted traffic through the firewall?

Hi Cesar,

I thought you could also force transit traffic to go over the CPU and debug it, not only terminated traffic?

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Super Contributor
Cesar
Posts: 141
Registered: ‎11-18-2008

Re: Can I see the encrypted traffic through the firewall?

Screenie,

You are right, you can also send pass-through traffic to the CPU via "set no-hw-sess", but the box will not decrypt encrypted pass-through traffic.

Cesar

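The troubleshooting sequence Cesar describes in his two replies above (force the sessions of one policy off the ASIC and onto the CPU with "set no-hw-sess", then narrow the debug with flow and snoop filters), written out as an added ScreenOS CLI example that is not part of the original thread. Policy id 10, the trust/untrust zone pair and the two endpoint addresses 10.1.1.10 and 192.0.2.20 are placeholders; lines beginning with # are annotations, not ScreenOS commands. As Cesar notes, for pass-through IPsec traffic this only shows the ESP packets as ciphertext; nothing here decrypts anything.

```screenos
# Assumed: ISG-2000 on ScreenOS 6.2, policy id 10 (trust -> untrust) is the
# policy that matches the IPsec traffic you want to look at.

# 1. Stop creating hardware (ASIC) sessions for traffic matching this policy,
#    so the CPU sees every packet and the debugs have something to show.
set policy id 10
set no-hw-sess
exit
save

# 2. Restrict debug output to the two endpoints (one filter per direction)
#    and send it to the debug buffer instead of the console.
set ffilter src-ip 10.1.1.10 dst-ip 192.0.2.20
set ffilter src-ip 192.0.2.20 dst-ip 10.1.1.10
set console dbuf
clear dbuf

# 3a. Flow debug: policy lookup, route lookup, session creation, tunnel handling.
debug flow basic

# 3b. Packet capture of what reaches the CPU (for pass-through IPsec this is
#     ESP ciphertext; only traffic terminated on the box is seen in the clear
#     after decryption).
snoop filter ip src-ip 10.1.1.10 dst-ip 192.0.2.20
snoop detail
snoop

# ... generate the traffic under test, then stop capturing and read the buffer.
undebug all
snoop off
get dbuf stream

# 4. Clean up: the no-hw-sess setting costs CPU for every session on policy 10,
#    so remove it as soon as the troubleshooting is done.
clear dbuf
unset ffilter
snoop filter delete
set policy id 10
unset no-hw-sess
exit
save
```

Run this from a CLI session on the ISG itself and leave "set no-hw-sess" in place only for the duration of the troubleshooting; every session that matches the policy is handled by the CPU while it is set.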
Distinguished Expert
Screenie
Posts: 1,085
Registered: ‎01-10-2008

Re: Can I see the encrypted traffic through the firewall?

Thanks for your answer, Cesar. Of course you can't decrypt the traffic when it's transit. I just wanted to make sure I didn't have it wrong on the debug feature on ISGs. Thanks again.

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.