Screen OS

This is a legacy community with limited Juniper monitoring.
  • 1.  Email Alerting on an SSG5

    Posted 01-26-2012 16:13

    Hi all,

     

    We have a small problem getting email alerts working on our SSG5s.

    We have an SSG140 in our Head Office and a number of VPNs linking our Branch offices using SSG5s.

     

    The branches are all on various Class C subnets and we have no issue with the flow of traffic between the locations.


    Our issue is that when we configure our SSG5s with our email server based in Head Office (using our email server's Class C address), we get a "cannot connect..." message in the log and hence no alerting. No such problem on the SSG140 where the email server is on the same internal subnet.

     

    Branch configs are:

    set admin mail alert
    set admin mail server-name "<our email server ip>"
    set admin mail mail-addr1 "<email@oursite.com>"
    set admin mail traffic-log 

     

    We realise this is likely a routing and/or policy issue but all our efforts to date would suggest that this SMTP traffic is not traversing the device and is not being blocked by a policy rule. If we use a valid internet based address for a mail server the service appears to connect ok. We can't work out why the device cannot route the traffic through the VPN to Head Office.

    Our question is, effectively what interface/zone is the alerting bound to on the SSG5? i.e. if we need to set up a policy, which zone or interface does the alerting come from by default?

    We have enabled our email server with the SSG5 addresses to relay mail from these devices. From our faultfinding to date, it would seem the request is not making it to the server.

     

    Any help gratefully received.


    Thanks 



  • 2.  RE: Email Alerting on an SSG5
    Best Answer

    Posted 01-29-2012 11:36

    The packets are sourced from the lowest interface on the device, eth0/0.  By default this will be your untrust external interface and will not be allowed routing to the internal zone.  The simplest solution is to arrange for this interface to be part of a zone that has access to your mail server.



  • 3.  RE: Email Alerting on an SSG5

    Posted 01-29-2012 17:34

    That explains a lot.

    I looked high and low for that info in the documentation and couldn't find it anywhere.

    Thanks a lot Steve, much appreciated.



  • 4.  RE: Email Alerting on an SSG5

    Posted 01-30-2014 11:32

    Hi,

     

    We have far too many SSGs rolled out with very complicated configs. Is there any way to change the default port used for outgoing log email to a port that is by default in the trust group? It's odd that they did it this way as finding an open relay to use isn't really an option.

    I know this is an old thread but if anyone could help I'd appreciate the input.



  • 5.  RE: Email Alerting on an SSG5

    Posted 01-30-2014 14:08

    Unfortunately, changing the outbound port for the smtp is not a configurable option.  Other services like tftp do have a configuration knob for the outbound interface, but not for this smtp option.