Screen OS

  • 1.  How to check if traffic is permitted by the policy on netscreen?

    Posted 07-31-2012 22:56

    Is there any easy way to check if a connection from Host A (Zone A) to Host B (Zone B) is permitted by the policies on the netscreen firewall?

    It's very difficult to go through the policies and address book manually to check if the traffic is permitted by policy or not.



  • 2.  RE: How to check if traffic is permitted by the policy on netscreen?

    Posted 07-31-2012 23:56

    Hi,

    You need to use "debug flow basic" for policy selection. The following post may help:

    http://forums.juniper.net/t5/ScreenOS-Firewalls-NOT-SRX/Troubleshooting-Tips-Debug-commands/td-p/6203



  • 3.  RE: How to check if traffic is permitted by the policy on netscreen?

    Posted 08-01-2012 03:21

    Thanks Stac. Is there any other way?



  • 4.  RE: How to check if traffic is permitted by the policy on netscreen?
    Best Answer

    Posted 08-01-2012 05:46

    Hi,

    Debugging is the best way.

    You could also enable logging on all policies and then go through all the traffic logs, hoping Host A will show up.



  • 5.  RE: How to check if traffic is permitted by the policy on netscreen?

    Posted 08-01-2012 23:41

    Hi,

    I always put a Deny policy for Any-Any-Any at the bottom of each policy block and enable logging at session start. This policy logs everything that is not allowed. If there are policies with MIPs and VIPs, a separate Deny policy should be created for these objects, because MIPs and VIPs belong to the Global zone and do not belong to the object Any in other zones.

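An added example, not from this thread or from Juniper, that models the manual walk the original poster describes: a first-match lookup over a constructed ScreenOS-style policy list and address book for one zone pair, ending in the logged Deny Any-Any-Any from the reply above. The zone names, addresses, services and policy ids are constructed, and the model ignores MIPs/VIPs, service groups and schedules, so it is a reading aid for a policy dump rather than a substitute for `debug flow basic` on the box.

```python
import ipaddress

# Constructed address book (hypothetical zones, names and prefixes), keyed by zone.
ADDRESS_BOOK = {
    "Trust": {"Host_A": "10.1.1.10/32", "LAN": "10.1.1.0/24"},
    "Untrust": {"Host_B": "203.0.113.20/32", "DMZ_WEB": "203.0.113.0/24"},
}

# Constructed policies for the Trust -> Untrust block, in the order ScreenOS
# evaluates them: top to bottom, first match wins. Fields mirror
# "set policy id N from Z1 to Z2 SRC DST SVC ACTION [log]".
POLICIES = [
    {"id": 10, "from": "Trust", "to": "Untrust", "src": "Host_A",
     "dst": "DMZ_WEB", "svc": "HTTP", "action": "permit", "log": False},
    {"id": 11, "from": "Trust", "to": "Untrust", "src": "LAN",
     "dst": "Any", "svc": "DNS", "action": "permit", "log": False},
    # Catch-all from the thread: explicit Deny Any-Any-Any with logging at the
    # bottom of the block, so every flow that fell through is recorded.
    {"id": 99, "from": "Trust", "to": "Untrust", "src": "Any",
     "dst": "Any", "svc": "ANY", "action": "deny", "log": True},
]


def addr_matches(zone, name, ip):
    """Resolve an address-book entry (or Any) for a zone and test membership."""
    if name == "Any":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(ADDRESS_BOOK[zone][name])


def lookup(src_zone, src_ip, dst_zone, dst_ip, svc):
    """Return (policy id, action, logged) for the first matching policy.
    (None, "deny", False) models the implicit deny when nothing matches."""
    for p in POLICIES:
        if (p["from"], p["to"]) != (src_zone, dst_zone):
            continue
        if p["svc"] not in ("ANY", svc):
            continue
        if addr_matches(src_zone, p["src"], src_ip) and addr_matches(dst_zone, p["dst"], dst_ip):
            return p["id"], p["action"], p["log"]
    return None, "deny", False


if __name__ == "__main__":
    # Host A to Host B on HTTP: Host_B lies inside DMZ_WEB, so policy 10 permits.
    print(lookup("Trust", "10.1.1.10", "Untrust", "203.0.113.20", "HTTP"))
    # Another LAN host on HTTP: no permit matches, the logged deny catches it.
    print(lookup("Trust", "10.1.1.50", "Untrust", "203.0.113.20", "HTTP"))
```

A zone pair with no explicit catch-all returns `None` for the policy id, which is exactly the silent implicit deny the logged Deny Any-Any-Any is meant to make visible.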


  • 6.  RE: How to check if traffic is permitted by the policy on netscreen?

    Posted 08-02-2012 04:48

    Thanks echidov.



  • 7.  RE: How to check if traffic is permitted by the policy on netscreen?

    Posted 08-02-2012 04:52

    Just to add... for MIP-related policies, this KB should be helpful:

    "How to block traffic with a MIP as destination"

    http://kb.juniper.net/InfoCenter/index?page=content&id=KB10891&actp=search&viewlocale=en_US&searchid=1343908163843


    Regards,

    Sam