Screen OS

This is a legacy community with limited Juniper monitoring.
  • 1.  Pls explain [set zone "MGT" block ] command

    Posted 02-20-2014 01:48

    Please explain this command: 

    set zone "MGT" block 



  • 2.  RE: Pls explain [set zone "MGT" block ] command

    Posted 02-20-2014 03:31

    The block setting on a zone turns ON intra-zone blocking. This setting is required for the functional zone management.

     

    The default behaviour of a zone in ScreenOS is to PERMIT traffic between hosts in the same zone.

     

    The block command reverses this behavior and BLOCKS traffic between hosts in the same zone so that you must create security policies to permit the traffic.



  • 3.  RE: Pls explain [set zone "MGT" block ] command

    Posted 02-20-2014 19:35

    Does this mean: if the command "set zone "Untrust" block" is applied,

    and the zone has 2 interfaces, eth0/0 and eth0/1,

    then with this command enabled, traffic from eth0/0 is not forwarded to eth0/1? To pass traffic from eth0/0 to eth0/1, must I configure a policy? How do I configure the policy? 

     

    And what does INTRA zone mean?

     

     

    Sorry, I am not a native English speaker. Please try to understand me.



  • 4.  RE: Pls explain [set zone "MGT" block ] command

    Posted 02-20-2014 19:37

    And how do I access configuration mode from the "user$>" prompt?



  • 5.  RE: Pls explain [set zone "MGT" block ] command

     
    Posted 02-20-2014 19:49

    In ScreenOS there is one mode for everything (config and operational); use the "set" command to configure anything, for example:

     

    set interface e0/1 ip 10.0.0.1/32 

     

    This configures the IP address for interface ethernet0/1.

     

    Regards



  • 6.  RE: Pls explain [set zone "MGT" block ] command
    Best Answer

     
    Posted 02-20-2014 20:05

    INTRA zone means same-zone traffic: traffic coming in on one interface and going out another interface, where both interfaces are members of the same zone. By default intra-zone traffic is permitted; no security policy is needed.

     

    INTER zone means traffic between different zones: traffic coming in on one interface and going out another interface, where each interface is a member of a separate zone. By default inter-zone traffic is blocked; you need to define security policies to permit it.

     

    If you enable intra-zone block, you need to define security policies to permit traffic within the same zone. Find an example below. Trust is the zone name. You need to define the address book entries first; I defined the PC1 and PC2 addresses, which are connected to zone Trust.

     

    set address Trust PC1 192.168.1.11 255.255.255.255

    set address Trust PC2 192.168.1.12 255.255.255.255

     

    set policy name allow-ping from Trust to Trust PC1 PC2 ping permit

     

    // This policy, named allow-ping, allows ICMP traffic initiated from PC1 to PC2 (same zone Trust); the action is permit, so the traffic is allowed. In other words: from zone Trust to zone Trust, from PC1 to PC2, application ping, action permit.

     

    Regards
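The following is an added worked configuration illustrating the behaviour described in replies 2 and 6 above; it is not from the original thread or from Juniper. The zone name Trust, the interface names ethernet0/1 and ethernet0/2, the subnets 192.168.1.0/24 and 192.168.2.0/24, the host names PC1 and PC2 and policy id 10 are all assumed for the example. Lines beginning with "#" are commentary for the reader, not ScreenOS CLI input; ScreenOS uses a single mode, so every line is typed as-is at the prompt.

```text
# ASSUMED topology: two interfaces bound to the same zone (Trust),
# each with its own subnet. Interfaces must be bound to a zone
# before an IP address is assigned.
set interface ethernet0/1 zone Trust
set interface ethernet0/2 zone Trust
set interface ethernet0/1 ip 192.168.1.1/24
set interface ethernet0/2 ip 192.168.2.1/24

# Default state: intra-zone blocking is OFF. At this point PC1
# (192.168.1.11, behind ethernet0/1) can reach PC2 (192.168.2.12,
# behind ethernet0/2) on any port with NO security policy, because
# both interfaces sit in the same zone.

# Harden: turn intra-zone blocking ON for zone Trust. From now on
# Trust-to-Trust traffic is denied unless a policy permits it,
# exactly like inter-zone traffic.
set zone Trust block

# Zone-scoped address book entries (assumed host addresses).
set address Trust PC1 192.168.1.11 255.255.255.255
set address Trust PC2 192.168.2.12 255.255.255.255

# Narrow same-zone policy: only ping from PC1 to PC2, with logging so
# the permit shows up in the traffic log. Anything else inside Trust
# (e.g. PC2 -> PC1, or PC1 -> PC2 on TCP/445) hits the implicit deny.
set policy id 10 name "allow-ping" from Trust to Trust PC1 PC2 PING permit log

# Checks: confirm the zone shows intra-zone blocking as on, and list
# the Trust-to-Trust policies the lookup will evaluate.
get zone Trust
get policy from Trust to Trust

# Persist the running configuration to flash.
save

# To return to the permissive default (not recommended for a zone
# that holds management or server interfaces):
# unset zone Trust block
```

Two caveats worth keeping in mind. First, intra-zone blocking only governs traffic that actually transits the firewall between interfaces; two hosts on the same interface and the same L2 segment talk to each other directly and are never subject to the policy lookup, so "block" does not isolate hosts within one subnet. Second, once blocking is on, the order of policies matters as it does for inter-zone traffic: the first matching Trust-to-Trust policy wins, so place narrow permits above any broad ones.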