


No log event for untrusted zone

  • 1.  No log event for untrusted zone

    Posted 04-03-2009 06:57

    Hi,

     

    I want to setup something really basic for the moment. 

     

    1-allow all outgoing

    2-deny all incoming + log failed attempts 

     

    Later I will add port forwarding. So far everything works except the logging. It doesn't show anything regarding denied connections. 

     

    Can someone tell me how to enable logging for untrust --> trust zone. Any other recommendations are welcome 😉 

     

    Thanks

     

     

    Here is my config file:

     

    set clock ntp
    set clock timezone -5
    set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "netscreen"
    set admin password "nFGVMxrCNHhGcvHPwsDA1dGtPhOoWn"
    set admin auth web timeout 10
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen icmp-flood
    set zone "Untrust" screen udp-flood
    set zone "Untrust" screen ip-sweep
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "Untrust" screen syn-frag
    set zone "Untrust" screen tcp-no-flag
    set zone "Untrust" screen unknown-protocol
    set zone "Untrust" screen ip-bad-option
    set zone "Untrust" screen ip-record-route
    set zone "Untrust" screen ip-timestamp-opt
    set zone "Untrust" screen ip-security-opt
    set zone "Untrust" screen ip-loose-src-route
    set zone "Untrust" screen ip-strict-src-route
    set zone "Untrust" screen ip-stream-opt
    set zone "Untrust" screen icmp-fragment
    set zone "Untrust" screen icmp-large
    set zone "Untrust" screen syn-fin
    set zone "Untrust" screen fin-no-ack
    set zone "Untrust" screen limit-session source-ip-based
    set zone "Untrust" screen syn-ack-ack-proxy
    set zone "Untrust" screen block-frag
    set zone "Untrust" screen limit-session destination-ip-based
    set zone "Untrust" screen icmp-id
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "bgroup0" zone "Trust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    set interface bgroup0 port ethernet0/6
    unset interface vlan1 ip
    set interface ethernet0/0 ip 1.1.1.1/24
    set interface ethernet0/0 route
    set interface bgroup0 ip 192.168.1.1/24
    set interface bgroup0 nat
    set interface ethernet0/0 mtu 1500
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    unset interface ethernet0/0 ip manageable
    set interface bgroup0 ip manageable
    set interface ethernet0/0 manage ping
    set interface ethernet0/0 manage ssh
    set interface bgroup0 manage mtrace
    set interface ethernet0/0 dhcp client enable
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow syn-proxy syn-cookie
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 24.200.241.37
    set dns host dns2 24.200.241.37
    set dns host dns3 0.0.0.0
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny log count
    set policy id 2
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
    set policy id 1
    exit
    set syslog src-interface ethernet0/0
    unset log module system level emergency destination email
    unset log module system level alert destination email
    unset log module system level critical destination email
    unset log module system level notification destination email
    unset log module system level emergency destination snmp
    unset log module system level alert destination snmp
    unset log module system level critical destination snmp
    unset log module system level emergency destination syslog
    unset log module system level alert destination syslog
    unset log module system level critical destination syslog
    unset log module system level error destination syslog
    unset log module system level warning destination syslog
    unset log module system level notification destination syslog
    unset log module system level information destination syslog
    unset log module system level debugging destination syslog
    unset log module system level emergency destination webtrends
    unset log module system level alert destination webtrends
    unset log module system level critical destination webtrends
    unset log module system level notification destination webtrends
    unset log module system level emergency destination NSM
    unset log module system level alert destination NSM
    unset log module system level critical destination NSM
    unset log module system level error destination NSM
    unset log module system level warning destination NSM
    unset log module system level notification destination NSM
    unset log module system level information destination NSM
    unset log module system level debugging destination NSM
    unset log module system level emergency destination usb
    unset log module system level alert destination usb
    unset log module system level critical destination usb
    unset log module system level error destination usb
    unset log module system level warning destination usb
    unset log module system level notification destination usb
    unset log module system level information destination usb
    unset log module system level debugging destination usb
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set ssh enable
    set config lock timeout 5
    unset license-key auto-update
    set ntp server "132.205.1.1"
    set ntp server src-interface "ethernet0/0"
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
     

    Message Edited by egawd on 04-03-2009 10:02 AM


  • 2.  RE: No log event for untrusted zone

    Posted 04-03-2009 07:03
    I believe that logging under a policy shows session start and end. A policy deny is an event and should always be seen under the event log, if I recall correctly.


  • 3.  RE: No log event for untrusted zone

    Posted 04-03-2009 07:07

    I have changed it to this : 

     

    set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny log count
    set policy id 2
    set log session-init

     

     

    Still no luck 😕



  • 4.  RE: No log event for untrusted zone

    Posted 04-03-2009 08:01

    get log traffic ?  will show the way.....



  • 5.  RE: No log event for untrusted zone

    Posted 04-03-2009 08:03
    By the way, session-init logging on a deny action? What session would there be if your action is deny?


  • 6.  RE: No log event for untrusted zone

    Posted 04-03-2009 08:14

    ssg5-serial-> get log traffic
    No entry matched.

     

    Nothing is logged 😕

     

    All I want is to see what gets denied from untrust ---> trusted zone. That should be pretty straightforward for a firewall  .....



  • 7.  RE: No log event for untrusted zone

    Posted 04-03-2009 08:32

    Sorry for my stupid reply earlier. It is Friday and my brain is tired. You are not seeing anything because, based on your setup, there is no access from untrust to trust, so there is nothing to log. Everything stops at untrust at the deny, so no session ever gets set up.

     

    Establish a MIP on the outside I/F that points to an inside address. Then modify your deny rule to point to the MIP as the destination on the trust side. Then try to access it and you will see the deny being logged. Hope that makes sense.



  • 8.  RE: No log event for untrusted zone

    Posted 04-03-2009 08:48

    Hey no problem 😉

     

    Let me be stupid too. A MIP? I/F? 

     

    I'm a unix/linux sysadmin, so bear with me ;D

     

    Can you post more detail on how to do this? 

     

    Thanks 



  • 9.  RE: No log event for untrusted zone
    Best Answer

    Posted 04-03-2009 09:50

    Not stupid - just new 🙂

     

    What I was saying was that you don't see anything logged because there is no traffic passing. If you wanted to see traffic pass, what you could do is create a MIP (mapped address) on the I/F (your external interface - eth0/0). The MIP would map your external IP to an internal IP. Go to your eth0/0 I/F and select MIP. Your mapped IP would be the external and the host would be a valid internal IP.

     

    That way you would have a destination on the trust side for an untrust resource to go after. Then create a policy of "untrust / trust" - "any to MIP" - "deny" - "enable logging". You would then see the attempts to reach the trusted resource in the log file.

     

    Make sense?



  • 10.  RE: No log event for untrusted zone

    Posted 04-03-2009 10:02

    This is what I've done.

    Most likely it's not OK since I'm not seeing anything 😞 

     

    arrrrrrggggg

     

     

    set interface "ethernet0/0" mip 1.1.1.1 host 192.168.1.250 netmask 255.255.255.255 vr "untrust-vr"

     

    set policy id 2 from "Untrust" to "Trust"  "Any" "MIP(1.1.1.1)" "ANY" deny log count
    set policy id 2



  • 11.  RE: No log event for untrusted zone

    Posted 04-03-2009 10:38

    OK, got it. I've changed it from untrust-vr to trust-vr. NOW I see the light !!!

     

    While being stupid, I might as well ask: is this thing secure? 

     

    From my understanding, what I have done is basically map the WAN IP to a LAN IP and then deny the traffic. It's not less secure, right?

     

    If so, from this point, can I just ignore the MIP, create forwarding rules, and whenever I need to troubleshoot something take a look at the MIP logging? 

     

    Am I correct? 

     

     



  • 12.  RE: No log event for untrusted zone

    Posted 04-03-2009 12:55

    No - it is not insecure at all. The MIP only gives outside traffic a destination address; the only policy covering it is still a deny, so nothing is forwarded inside. There is obviously no reason to do a policy like this in real life - but it is a good example of using MIP and logging without allowing any network penetration from the outside world, so that you can get an understanding of how some of this stuff works. I would recommend the "Juniper Networks NetScreen and SSG Firewall" book from Syngress or the ScreenOS Cookbook from O'Reilly if you are not a big fan of manuals and want some good documentation with examples.



  • 13.  RE: No log event for untrusted zone

    Posted 04-03-2009 14:57

    I find this really useful though. I will have a look at that O'Reilly book!

     

    Thanks for all the help Kevin ! 



  • 14.  RE: No log event for untrusted zone

    Posted 04-03-2009 15:07

    Glad to help - welcome to the Juniper Forum!



  • 15.  RE: No log event for untrusted zone

    Posted 04-14-2009 17:35
    Why would you not want a policy like this in real life? I would think that seeing attacks from IPs and port scans and all types of other things is good. Not seeing what the firewall is blocking is kind of a strange notion to me. Is creating a MIP and denying all traffic the only way to do this? All other firewalls I have worked with make a point of being able to report on things like this. Our management likes stats that we can generate from the firewall that show how many access attempts were blocked, unique IPs attempting to access the network, etc...