Screen OS

  • 1.  NS25 - Alerts not written to event log; everything else is.

    Posted 07-09-2009 10:31

    We have a pair of Netscreen 25 firewalls.  FWIW, Firewall A has firmware 5.4.0r3a.0 (Firewall+VPN) and Firewall B has firmware 5.3.0r10.0 (Firewall+VPN).

    For logging, the firewalls' Log Settings are configured identically.  Log Settings...Alert...Internal is checked.

    When we run a port scan on Firewall A, we get alerts written into the event log.  When we do the same thing on Firewall B, no alerts are written to the event log.

    The last alert written to the event log was two days ago.  Other things ARE being written to the log.



  • 2.  RE: NS25 - Alerts not written to event log; everything else is.

    Posted 07-10-2009 10:48
    Maybe an issue with the ScreenOS, since it's working fine for the 5.4 version.


  • 3.  RE: NS25 - Alerts not written to event log; everything else is.
    Best Answer

    Posted 07-13-2009 10:48

    Do you have port-scan screening option configured on both devices?

     

    Please run the commands below:

    get config | i "screen "

    or

    get zone <zone-name> screen attack



  • 4.  RE: NS25 - Alerts not written to event log; everything else is.

    Posted 07-13-2009 12:00

    Cesar,

    THAT would be the answer!  Turned on the port-scan screening through the CLI and now it works.

    Can you tell me on which screen in the Web UI I would see this setting reflected?

    Thanks.



  • 5.  RE: NS25 - Alerts not written to event log; everything else is.

    Posted 07-13-2009 13:13

    Security > Screening > Screen > Scan/Spoof/Sweep Defense

    You need to select the zone at the top of the web page.



  • 6.  RE: NS25 - Alerts not written to event log; everything else is.

    Posted 07-13-2009 13:25
    Well that is interesting because I've turned it on through the CLI on Firewall B (and am getting alerts), and it does NOT show as checked through the Web UI.  Plus, when I look on Firewall A (which we get port scanning alerts from) it is also NOT checked on that screen in the Web UI.


  • 7.  RE: NS25 - Alerts not written to event log; everything else is.

    Posted 07-13-2009 16:10

    Could it be that you did not configure it correctly? I have seen many people who forget to type the enable part, e.g.:

    To enable the port scan you would need the below 2 lines:

    ssg5-isdn-wlan-> get conf | i scan
    set zone "Untrust" screen port-scan
    set zone "Untrust" screen port-scan threshold 1000

    If you only set the threshold, the port scan screen is not actually enabled. The WebUI will set both automatically for you, so if you don't see it in the WebUI, it's likely that the screen may not be enabled.

    How did you enable it in the CLI? I am assuming that it's right since you are getting alerts.

    Message Edited by WL on 07-13-2009 04:10 PM
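    The point made in this reply (and the `get config | i "screen "` check suggested in reply 3) lends itself to a small audit script: feed it the output of `get config | i scan` and it reports every zone where a screen threshold was set but the screen itself was never enabled. This is an added example, not code from the thread or from Juniper; it assumes the `set zone "<zone>" screen <name> [threshold <n>]` line format shown above, and the sample config inside it is constructed, not captured from a real device.

```python
import re
from collections import defaultdict

# Constructed sample of `get config | i scan` output (not from a real device).
# "Untrust" has both lines, so its port-scan screen is enabled; "DMZ" only
# sets the threshold, which per the thread does not turn the screen on.
# The "Trust" ip-sweep line is a constructed extra to show the check is
# not specific to port-scan.
SAMPLE_CONFIG = """\
set zone "Untrust" screen port-scan
set zone "Untrust" screen port-scan threshold 1000
set zone "DMZ" screen port-scan threshold 1000
set zone "Trust" screen ip-sweep threshold 5000
"""

# ScreenOS syntax assumed here: set zone "<zone>" screen <screen-name> [threshold <n>]
LINE_RE = re.compile(
    r'^set zone "(?P<zone>[^"]+)" screen (?P<screen>[\w-]+)'
    r'(?: threshold (?P<thr>\d+))?\s*$'
)


def parse_screens(config_text):
    """Return {zone: {screen: {"enabled": bool, "threshold": int|None}}}.

    A line without "threshold" is the enable line; a line with it only sets
    the threshold. A threshold of None means the device default applies
    (the thread reports the WebUI shows 5000 when none is set explicitly).
    """
    zones = defaultdict(dict)
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # echoed prompt, unrelated config, blank line
        entry = zones[m["zone"]].setdefault(
            m["screen"], {"enabled": False, "threshold": None}
        )
        if m["thr"] is not None:
            entry["threshold"] = int(m["thr"])
        else:
            entry["enabled"] = True
    return dict(zones)


def find_half_configured(config_text):
    """Screens whose threshold is set but that were never enabled.

    Returns a sorted list of (zone, screen, threshold) tuples.
    """
    findings = []
    for zone, screens in sorted(parse_screens(config_text).items()):
        for name, state in sorted(screens.items()):
            if state["threshold"] is not None and not state["enabled"]:
                findings.append((zone, name, state["threshold"]))
    return findings


if __name__ == "__main__":
    for zone, screen, thr in find_half_configured(SAMPLE_CONFIG):
        print(f'zone "{zone}": screen {screen} has threshold {thr} but is not '
              f'enabled; missing line: set zone "{zone}" screen {screen}')
```

    Run against the constructed sample it flags the DMZ and Trust zones and leaves Untrust alone; pointing it at the real `get config` output from both firewalls in this thread would have shown the 5.3 box missing its enable line.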


  • 8.  RE: NS25 - Alerts not written to event log; everything else is.

    Posted 07-15-2009 05:22

    To set it in the CLI I ran this line: set zone "Untrust" screen port-scan.  I didn't put a threshold.  We are now getting alerts from Firewall B.

    I can see in the Web UI that this is set with the 5000 threshold.

    Thanks very much for your help WL.