Screen OS

  • 1.  Cannot ping interfaces

    Posted 04-14-2011 13:47

    Hello,

     

    I'm a newbie when it comes to firewall interfacing and routes, so forgive the simplicity/vagueness of this question. I'm also using an SSG-140 running 5.4.0r3a.0.

     

    I have two PCs, each connected to an interface (one to eth0/2 and one to eth0/9). Each interface has an IP in a separate subnet, and each PC is within its interface's subnet. Both interfaces are set to route and both have "Manageable" unchecked and no "Manage IP". The ping service is enabled. When I try to ping the interface IP from its corresponding PC I get a "Request time out". I've tried about every configuration I can think of, and the only way I can get it to ping the interface is if I set the "Manage IP" to something within the IP range for the interface and ping that address. Is there a way to just ping the interface IP, or does it have to have a "Manage IP"?

     

    I know this is a pretty simple question, but in the bigger scheme of things my goal is to set a policy between the two interfaces to allow one-way SMB and ICMP-Any. I tried setting the policy first and started with pinging the destination IP, but no luck. That's when I started backtracking my pinging and discovered what's listed above.

     

    Any help would be greatly appreciated!

     

    -Bryan



  • 2.  RE: Cannot ping interfaces

    Posted 04-14-2011 14:00

    You need to have "manageable" enabled for the interface, and then you select which management services you want to allow, in your case, you'd have "ping" enabled.



  • 3.  RE: Cannot ping interfaces

    Posted 04-14-2011 14:05

    I tried that as well and it didn't work. It made my "Manage IP" address the same as my interface address and put a star after "Manage IP". I've had the ping service enabled since the beginning.



  • 4.  RE: Cannot ping interfaces

    Posted 04-14-2011 14:30

    Just because you have a "manage IP" address does not mean that the device is manageable through that I/F. The device will only be manageable if you select an appropriate service, i.e. web, ssh, telnet. ScreenOS always duplicates the interface IP into the manage IP bucket if the I/F is manageable. In this case the address is one and the same and the only thing you can do is ping (assuming all else is blank).



  • 5.  RE: Cannot ping interfaces

    Posted 04-14-2011 18:41

    Ignore the "Manage IP."  Make it blank.  When you click "Apply" or "OK", it will fill in automatically.

     

    Check the box next to the interface IP address / netmask that says "Manageable"

     

    Then, check the box further down for "Ping"

     

    Make sure you don't have "Block Intra-Subnet Traffic" checked.  If you're trying to ping from a host/network that's in a different zone from the interface IP you're trying to ping, make sure you have a security policy configured to allow ping between the zones.



  • 6.  RE: Cannot ping interfaces
    Best Answer

    Posted 04-14-2011 14:05

    Under Network > Interfaces > Your Interface check 'Ping' under 'Service Options'.

     

    If this is not selected the firewall will not respond to pings to its interface.

     

    You do not need to set the Manage IP to a unique value unless you are running a Netscreen cluster. In that case (cluster) you would need to give each cluster node a unique management IP as the actual interface IP would float between the cluster members.

     

    You could also set a management IP if you wanted to use a different address than the interface address for management (assuming a management protocol like SSH or HTTPS was enabled for the interface).
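    The WebUI settings walked through in the two answers above (Manageable, the Ping service option, and the Manage IP that is only needed on a cluster member) correspond to `set interface <if> manage <service>` and `set interface <if> manage-ip <addr>` lines in a saved ScreenOS configuration. The script below is an added example, not code from the thread or from Juniper: it parses those lines out of a constructed config excerpt and reports the conditions the thread discusses, namely interfaces with no management service (whose IP will not answer ping at all), interfaces that are manageable but lack ping, interfaces that expose cleartext management (web, telnet), and manage IPs that differ from the interface IP or fall outside its subnet. The CLI forms assumed are the standard ScreenOS syntax (`ip <addr>/<len>`, `route`/`nat`, `manage <ping|web|ssh|ssl|telnet|snmp>`, `manage-ip <addr>`); the thread itself only shows the WebUI labels.

```python
"""Audit the management settings of ScreenOS interfaces from a saved config.

Added example; not code from the thread or from Juniper. The CLI forms
parsed below are the standard ScreenOS syntax for the WebUI settings the
thread discusses (Manageable, Service Options, Manage IP); the thread
itself only shows the WebUI labels. The sample config is constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed config excerpt: eth0/0 is a management interface with a
# unique manage-ip, eth0/2 has no management services at all, and eth0/9
# has ping plus cleartext telnet management.
SAMPLE_CONFIG = """\
set interface ethernet0/0 ip 10.10.0.1/24
set interface ethernet0/0 route
set interface ethernet0/0 manage-ip 10.10.0.2
set interface ethernet0/0 manage web
set interface ethernet0/0 manage ping
set interface ethernet0/2 ip 192.168.2.1/24
set interface ethernet0/2 route
set interface ethernet0/9 ip 192.168.9.1/24
set interface ethernet0/9 route
set interface ethernet0/9 manage telnet
set interface ethernet0/9 manage ping
"""

# Management services that carry credentials in cleartext.
CLEARTEXT_SERVICES = {"telnet", "web"}

IFACE_RE = re.compile(r"^set interface (\S+) (.+)$")


def parse_interfaces(config_text):
    """Return {interface: {ip, mode, manage (set), manage_ip}} from 'set interface' lines."""
    ifaces = defaultdict(lambda: {"ip": None, "mode": None, "manage": set(), "manage_ip": None})
    for raw in config_text.splitlines():
        m = IFACE_RE.match(raw.strip())
        if not m:
            continue
        name, args = m.group(1), m.group(2).split()
        rec = ifaces[name]
        if args[0] == "ip" and len(args) > 1:
            rec["ip"] = ipaddress.ip_interface(args[1])
        elif args[0] in ("route", "nat"):
            rec["mode"] = args[0]
        elif args[0] == "manage-ip" and len(args) > 1:
            rec["manage_ip"] = ipaddress.ip_address(args[1])
        elif args[0] == "manage" and len(args) > 1:
            # Any 'manage <service>' line makes the interface manageable;
            # ScreenOS then copies the interface IP into Manage IP if unset.
            rec["manage"].add(args[1])
    return dict(ifaces)


def audit(config_text):
    """Return (interface, severity, message) tuples for the conditions the thread discusses."""
    findings = []
    for name, rec in sorted(parse_interfaces(config_text).items()):
        if rec["ip"] is None:
            continue  # unnumbered interface, nothing to manage
        if not rec["manage"]:
            findings.append((name, "info", "not manageable: no management service enabled, so the interface IP answers nothing, ping included"))
        elif "ping" not in rec["manage"]:
            findings.append((name, "info", "manageable but ping not enabled: echo requests to the interface IP will time out"))
        cleartext = rec["manage"] & CLEARTEXT_SERVICES
        if cleartext:
            findings.append((name, "warn", "cleartext management enabled: " + ", ".join(sorted(cleartext))))
        mip = rec["manage_ip"]
        if mip is not None:
            if mip not in rec["ip"].network:
                findings.append((name, "warn", f"manage-ip {mip} is outside the interface subnet {rec['ip'].network}"))
            elif mip != rec["ip"].ip:
                findings.append((name, "info", f"unique manage-ip {mip}: only needed on a cluster member"))
    return findings


if __name__ == "__main__":
    for iface, severity, message in audit(SAMPLE_CONFIG):
        print(f"{severity.upper():4} {iface:12} {message}")
```

    Run against the output of `get config` saved to a file, the audit turns the "why doesn't my interface answer ping" question into a one-line finding per interface, and at the same time surfaces the opposite problem (web or telnet management left enabled on a non-management interface), which is what a reviewer of an inherited firewall config usually cares about more.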

     

     

     



  • 7.  RE: Cannot ping interfaces

    Posted 04-15-2011 06:32

    Folks,

     

    First off, thanks for all your suggestions and the timeliness of responses. I wasn't expecting to hear back from so many people this quickly!

     

    I think NateK hit the nail on the head. I failed to mention that what I'm actually trying to do is on a redundant pair of SSG-140s in production; I've just been doing my testing on a spare with a configuration file from the secondary production firewall. It would make sense that a unique address is required because that's the only way I've been able to ping it before, and I'm using eth0 as a management interface (for the Web UI), which had the "Manage IP" uniquely set already (I took over the management of these firewalls from someone recently and he left in a hurry, so I've kind of been training on-the-fly).

     

    Thanks again for all the responses!

     

    -Bryan