ScreenOS Firewalls (NOT SRX)
Visitor
spamjoshua
Posts: 1
Registered: 10-22-2008

Migrating a firewall config...
Hello all,
I am moving from an old NetScreen to a new ISG 1000 and set a few goals for the process:

1. To get rid of legacy MIPs and double NATing.

2. To clean/simplify policies with more restrictive outbound rules being added later.

3. To use routable, not RFC1918 addresses for my DMZ.

A cleaned/shortened/relevant version of our legacy config is below:
set clock ntp
set clock timezone -8
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
set auto-route-export
exit
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "DMZ" tcp-rst
set zone "VLAN" block
set zone "VLAN" tcp-rst
unset zone "Untrust" screen tear-drop
unset zone "Untrust" screen syn-flood
unset zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
unset zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set zone "Trust" screen limit-session source-ip-based 3
set zone "Untrust" screen limit-session source-ip-based 24
set zone "Trust" screen limit-session destination-ip-based 3
set zone "Untrust" screen limit-session destination-ip-based 24
set zone "Trust" screen syn-ack-ack threshold 50
set zone "Untrust" screen syn-ack-ack threshold 50
set zone "Trust" screen syn-flood timeout 10
set zone "Trust" screen syn-flood queue-size 5170
set zone "Untrust" screen syn-flood attack-threshold 50
set interface "ethernet1" zone "Trust"
set interface "ethernet2" zone "DMZ"
set interface "ethernet3" zone "Untrust"
set interface "ethernet4" zone "Null"
unset interface vlan1 ip
set interface ethernet1 ip 10.1.0.254/24
set interface ethernet1 nat
set interface ethernet2 ip 10.30.0.1/24
set interface ethernet2 route
set interface ethernet3 ip 72.5.115.129/29
set interface ethernet3 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 manage-ip 10.1.0.2
set interface ethernet2 manage-ip 10.30.0.254
unset interface ethernet1 ip manageable
unset interface ethernet2 ip manageable
set interface ethernet3 ip manageable
set interface ethernet2 manage snmp
set interface ethernet2 manage web
set interface ethernet2 manage ident-reset
set interface ethernet3 manage ping
set interface ethernet3 manage ssh
set interface ethernet3 manage ssl
set interface "ethernet3" mip 72.5.164.133 host 10.1.0.50 netmask 255.255.255.255 vr "trust-vr"
etc...
set flow tcp-mss 1300
set flow all-tcp-mss 1300
set flow path-mtu
unset flow tcp-syn-check
set console page 0
set domain iwin.com
set hostname fw1
set address...
set group address...
set group service...
set vrouter "untrust-vr"
set route 0.0.0.0/0 interface ethernet3 gateway 72.5.115.134
exit
set vrouter "trust-vr"
unset add-default-route
set route 10.120.136.0/24 interface ethernet2 gateway 10.30.0.3 preference 5
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
A cleaned/shortened/relevant version of our new config is below:
set clock ntp
set clock timezone -8
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set chassis audible-alarm power-failed
set chassis audible-alarm fan-failed
set chassis audible-alarm temperature
set chassis audible-alarm battery
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
set ignore-subnet-conflict
exit
set service...
unset alg sip enable
unset alg mgcp enable
unset alg sccp enable
unset alg sunrpc enable
unset alg msrpc enable
unset alg sql enable
unset alg appleichat enable
unset alg appleichat re-assembly enable
unset alg h323 enable
unset alg sctp enable
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "DMZ" tcp-rst
set zone "VLAN" block
unset zone "VLAN" tcp-rst
unset zone "Untrust" screen tear-drop
unset zone "Untrust" screen syn-flood
unset zone "Untrust" screen ping-death
unset zone "Untrust" screen ip-filter-src
unset zone "Untrust" screen land
unset zone "V1-Untrust" screen tear-drop
unset zone "V1-Untrust" screen syn-flood
unset zone "V1-Untrust" screen ping-death
unset zone "V1-Untrust" screen ip-filter-src
unset zone "V1-Untrust" screen land
set zone "Trust" screen limit-session destination-ip-based 1000
set zone "Untrust" screen limit-session destination-ip-based 1000
set zone "DMZ" screen limit-session destination-ip-based 1000
set interface "ethernet1/1" zone "Untrust"
set interface "ethernet1/2" zone "DMZ"
set interface "ethernet1/3" zone "Trust"
set interface "ethernet1/4" zone "HA"
unset interface vlan1 ip
set interface mgt ip 10.1.0.198/24
set interface ethernet1/1 ip 72.5.115.129/24
set interface ethernet1/1 route
set interface ethernet1/2 ip 72.5.164.254/24
set interface ethernet1/2 route
set interface ethernet1/3 ip 10.1.0.254/24
set interface ethernet1/3 route
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1/1 manage-ip 72.5.115.130
set interface ethernet1/2 manage-ip 72.5.164.252
set interface ethernet1/3 manage-ip 10.1.0.252
unset interface ethernet1/1 ip manageable
unset interface ethernet1/2 ip manageable
unset interface ethernet1/3 ip manageable
unset interface mgt manage telnet
set interface ethernet1/1 manage ping
unset interface vlan1 manage telnet
unset interface vlan1 manage web
unset zone V1-Trust manage telnet
unset zone V1-Trust manage web
set interface mgt ntp-server
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow syn-proxy syn-cookie
set flow mac-cache mgt
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set address...
set group...
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set icap av-vendor-id symantec-5
set url protocol websense
exit
set policy...
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet1/1 gateway 72.5.115.134
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit

When I performed a cutover, I saw significant latency on packets from the 10.1, something was very wrong with my routing, and my site remained down.

Any help would be greatly appreciated.
My only thoughts thus far have been:
1. The subnet conflict of the mgt interface, though I understood this to be independent.

2. auto-route-export
Thank you,

Joshua
Regular Visitor
wongsta
Posts: 5
Registered: 10-27-2008

Re: Migrating a firewall config...

I see that you have 2 overlapping subnets for your 10.1.x network, used in management and ethernet1/3.

To prove or disprove if packets are being routed to your mgt int, enter the following CLI command:

get route ip 10.1.0.198

You should see if it routes to your mgt interface.
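As an added example, not from this thread or from ScreenOS itself, a small Python check that pulls the `set interface ... ip` lines out of a config dump like the two above, reports interfaces whose connected subnets overlap, shows which interfaces would claim a host address (the question `get route ip 10.1.0.198` asks the box), and notes whether `set ignore-subnet-conflict` has told the firewall to accept such an overlap silently. The sample config embedded in it is constructed from the interface lines of the new ISG config.

```python
"""Added example (not from this thread or from ScreenOS): find interfaces whose
connected subnets overlap in a ScreenOS config dump, and show which interfaces
would claim a given host address, the way 'get route ip' resolves it."""
import ipaddress
import re
from itertools import combinations

# 'set interface <name> ip <a.b.c.d/len>', name quoted or bare; the lookbehind
# skips 'unset interface ... ip' lines. Nothing depends on line boundaries, so
# this also works on the run-together text a forum paste produces.
IFACE_IP = re.compile(
    r'(?<!un)set interface "?([\w/.-]+)"? ip (\d+\.\d+\.\d+\.\d+/\d+)')

def parse_interface_subnets(config_text):
    """Return {interface: IPv4Network} for every interface that has an address."""
    subnets = {}
    for match in IFACE_IP.finditer(config_text):
        name, cidr = match.group(1), match.group(2)
        subnets[name] = ipaddress.ip_interface(cidr).network
    return subnets

def find_overlaps(subnets):
    """Sorted (iface_a, iface_b) pairs whose connected subnets overlap."""
    return sorted((a, b) for (a, net_a), (b, net_b)
                  in combinations(sorted(subnets.items()), 2)
                  if net_a.overlaps(net_b))

def interfaces_for(subnets, address):
    """Interfaces whose subnet contains address, most specific prefix first.
    Two names at the same prefix length means two equally good connected
    routes for that host, which is what 'get route ip 10.1.0.198' exposes."""
    ip = ipaddress.ip_address(address)
    hits = [(net.prefixlen, name) for name, net in subnets.items() if ip in net]
    return [name for _, name in sorted(hits, key=lambda h: (-h[0], h[1]))]

def conflict_warning_suppressed(config_text):
    """True if 'set ignore-subnet-conflict' is set, so the firewall accepts
    an overlap like the one above without complaining at config time."""
    return re.search(r'\bset ignore-subnet-conflict\b', config_text) is not None

# Constructed sample: the interface lines from the new ISG config in the thread.
SAMPLE_CONFIG = """set interface mgt ip 10.1.0.198/24
set interface ethernet1/1 ip 72.5.115.129/24
set interface ethernet1/2 ip 72.5.164.254/24
set interface ethernet1/3 ip 10.1.0.254/24
set ignore-subnet-conflict
"""
```

Running `find_overlaps(parse_interface_subnets(SAMPLE_CONFIG))` on this sample returns the single pair `('ethernet1/3', 'mgt')`, the overlap the reply above points at.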

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.