Screen OS


This is a legacy community with limited Juniper monitoring.
  • 1.  How to prevent access across interfaces?

    Posted 02-20-2014 13:07

    Hi Guys,

     

    We placed our SSG-5 interfaces into different bgroups with different networks in order to segment them (see attached). However, it appears that we are still able to ping and access resources across networks (see attached). We even tried to disable PING on bgroup1 and bgroup2 (see attached), but we are still able to PING across. Any idea what could be wrong in our setup? Please advise how we could segment them properly.

     

    Thanks in advance,

     

    Arnel




  • 2.  RE: How to prevent access across interfaces?

    Posted 02-20-2014 13:28

    You have all of the interfaces within the trust zone. It has been a while since I worked on the ScreenOS platform, but by default traffic within a zone is allowed. Click the "block intra-subnet traffic" option on the I/F and I believe this will fix the issue. You will then need to write trust-to-trust security policies to let traffic flow.



  • 3.  RE: How to prevent access across interfaces?

    Posted 02-20-2014 13:50

    Thanks Kevin. I tried your suggestion but I can still PING and access resources across the networks. Any other trick we could try?

     

    Thank you,

     

    Arnel



  • 4.  RE: How to prevent access across interfaces?

    Posted 02-20-2014 17:18

    What does your policy list look like for

     

    from zone: trust      to zone: trust

     



  • 5.  RE: How to prevent access across interfaces?

    Posted 02-21-2014 06:22

    Hi Steve,

     

    We don't have any policy set for Trust to Trust at the moment (see attached).

     

    Thank You!

     

    Arnel 



  • 6.  RE: How to prevent access across interfaces?

    Posted 02-21-2014 06:47

    Hey Steve, 

     

    I think I get what you are trying to say now. 🙂 We just have to create policies similar to the attached screenshot, correct? If so, may I also ask if this example would be enough, with no other option to be ticked? Please advise.

     

    Thank You!

     

    Arnel 



  • 7.  RE: How to prevent access across interfaces?

     
    Posted 02-21-2014 15:57

    Hello 

     

    I think Steve would like to see if there is a policy allowing intrazone traffic, as you mentioned that you enabled intrazone block, so how is traffic being forwarded between 2 interfaces in the same zone without a security policy?

     

    Intrazone block updates the implicit policy (by default permit) to be deny, so there is no need to define a deny policy. Could you please share your Trust zone configuration?

     

    Regards

     



  • 8.  RE: How to prevent access across interfaces?

    Posted 02-22-2014 08:29

    Ah, I see. Thanks Red1. Yes, sure, I can show it to you; I just don't know where to check the info in the firewall. Could you point me to where I can find the info so I could show it to you guys?

     

    Thanks again,

     

    Arnel



  • 9.  RE: How to prevent access across interfaces?

    Posted 02-22-2014 08:46

    As Red1 mentioned, a lack of policy, as you show, with intrazone blocking turned on should deny traffic. So let's recap and confirm some settings.

     

    1. Zone trust has the intrazone blocking checked
    2. The two computers are physically connected to the ports in DIFFERENT bgroup interfaces with the bgroup interface as the default gateway
    3. There is no policy configured to permit traffic

    With this setup the ping should be denied.

     

    You may also want to configure the two explicit deny rules: the same rule you noted, plus a reverse rule for source and destination. But ADD the check box for logging the traffic. This way we can see that the policy is used.

     

    Should nothing show up in the logs we then would need to run a debug flow basic on the ping attempt to see how the ScreenOS is processing the session.

     


    DEBUG FLOW BASIC :

    ==================

     

    Prepare the tool

    1. undebug all - we are ensuring that the debug utility is not already running.

    2. get ffilter - we would expect to get no response. This tells us we have not set up any flow filters as of yet. If you should see filters listed, you can delete them with unset ffilter.

     

    Setup the capture

    3. set ffilter src-ip x.x.x.x(computer A) dst-ip x.x.x.x(computer B)

      set ffilter src-ip x.x.x.x(computer B) dst-ip x.x.x.x(computer A) - by doing this we can observe the packets flowing in each direction and where any possible problems may be. Basically we want to define the end points of communication.

     

    Capture the traffic

    5. clear db - this will clear the debugging cache. 

    6. debug flow basic - this turns the debugging utility on. 

    7. initiate the traffic you are interested in capturing. 

     

    Pull the data

    8. undebug all - turns the utility back off.  

    9. get db stream - this is the actual packet capture output that we want. 

     

    Remove the setup

    10. unset ffilter 0 - this will need to be done twice, once for each filter that we set up earlier.

    11. clear db - this will clear the cache.

     



  • 10.  RE: How to prevent access across interfaces?
    Best Answer

     
    Posted 02-22-2014 09:27

    Hello 

     

    to enable the intrazone block , go to Network > Zones , click edit  zone you'd like to change

     

    I highlighted which option enable you to block intrazone traffic, check it and click OK to apply the change 

     

    intrazone block.PNG


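The recap in reply 9 (intra-zone blocking on, interfaces in different bgroups, no Trust-to-Trust permit policy) and the zone setting in reply 10 can be checked offline against a `get config` dump rather than by clicking through the WebUI. The following is an added example, not code from the thread or from Juniper: it parses the `set zone ... block`, `set interface ... zone ...` and `set policy id ...` lines of a ScreenOS configuration and reports the two conditions that leave two bgroups in the same zone reachable from each other. The sample configuration is constructed for illustration, and the `remediation()` lines are the CLI equivalents of the WebUI steps discussed above (the explicit deny policy is the optional logging rule from reply 9).

```python
"""Audit a ScreenOS `get config` dump for intra-zone segmentation.

Added example (not from the thread). Assumes the standard ScreenOS config
line formats shown in SAMPLE_CONFIG, which is constructed for this example.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: three bgroups in zone Trust, no intra-zone block, and a
# Trust->Trust permit policy that would defeat segmentation even with blocking.
SAMPLE_CONFIG = """\
set zone "Trust" vrouter "trust-vr"
set zone "Trust" tcp-rst
set interface "bgroup0" zone "Trust"
set interface "bgroup1" zone "Trust"
set interface "bgroup2" zone "Trust"
set interface "ethernet0/0" zone "Untrust"
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 route
set interface bgroup1 ip 192.168.2.1/24
set interface bgroup1 route
set interface bgroup2 ip 192.168.3.1/24
set interface bgroup2 route
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 from "Trust" to "Trust"  "Any" "Any" "ANY" permit log
set policy id 2
exit
"""

ZONE_BLOCK_RE = re.compile(r'^set zone "?([^"\s]+)"? block$')
IFACE_ZONE_RE = re.compile(r'^set interface "?([^"\s]+)"? zone "?([^"\s]+)"?$')
POLICY_RE = re.compile(
    r'^set policy id (\d+)(?: name "[^"]*")? from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny|reject)\b'
)


@dataclass
class Policy:
    pid: int
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str
    action: str


@dataclass
class ScreenOSConfig:
    blocked_zones: set = field(default_factory=set)   # zones with "block" set
    interface_zone: dict = field(default_factory=dict)  # interface -> zone
    policies: list = field(default_factory=list)


def parse_config(text: str) -> ScreenOSConfig:
    """Extract zone blocking, interface-to-zone binding and policies."""
    cfg = ScreenOSConfig()
    for raw in text.splitlines():
        line = raw.strip()
        if m := ZONE_BLOCK_RE.match(line):
            cfg.blocked_zones.add(m.group(1))
        elif m := IFACE_ZONE_RE.match(line):
            cfg.interface_zone[m.group(1)] = m.group(2)
        elif m := POLICY_RE.match(line):
            pid, fz, tz, src, dst, svc, action = m.groups()
            cfg.policies.append(Policy(int(pid), fz, tz, src, dst, svc, action))
    return cfg


def audit_zone(cfg: ScreenOSConfig, zone: str) -> list:
    """Return findings for one zone; an empty list means segmentation holds."""
    findings = []
    members = sorted(i for i, z in cfg.interface_zone.items() if z == zone)
    # Condition 1: several interfaces share the zone and the implicit
    # intra-zone policy is still the default permit.
    if len(members) > 1 and zone not in cfg.blocked_zones:
        findings.append(
            f'zone {zone} has {len(members)} interfaces ({", ".join(members)}) '
            f'and no intra-zone block: implicit policy permits traffic between them'
        )
    # Condition 2: an explicit intra-zone permit overrides the block anyway.
    for p in cfg.policies:
        if p.from_zone == zone and p.to_zone == zone and p.action == "permit":
            findings.append(
                f'policy id {p.pid} permits {p.src} -> {p.dst} ({p.service}) '
                f'within zone {zone}, overriding the intra-zone block'
            )
    return findings


def remediation(zone: str) -> list:
    """CLI lines closing the gap: block the zone, then a logged explicit deny."""
    return [
        f'set zone "{zone}" block',
        f'set policy from "{zone}" to "{zone}" "Any" "Any" "ANY" deny log',
    ]


if __name__ == "__main__":
    config = parse_config(SAMPLE_CONFIG)
    for finding in audit_zone(config, "Trust") or ["Trust: OK"]:
        print(finding)
    print("\n".join(remediation("Trust")))
```

Run it against a real `get config` capture instead of `SAMPLE_CONFIG` to see whether the zone is blocked and whether any Trust-to-Trust permit policy exists; a clean audit plus a still-successful ping is the point at which the `debug flow basic` procedure in reply 9 becomes necessary.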


  • 11.  RE: How to prevent access across interfaces?

    Posted 02-23-2014 07:18

    Oh, so it's the Block Intra-Zone traffic option, not the Block Intra-Subnet option as Kevin suggested before. But that's fine; he said it's been a while now since he worked with ScreenOS.

     

    After I enabled the Block Intra-Zone traffic option, I can no longer PING across networks and access their resources as well. Thank you very much guys! I really appreciate all your help. 🙂

     

    Regards,

     

    Arnel