Screen OS

  • 1.  Policy Using IP address

    Posted 04-27-2016 20:06

    Hi all,

     

    Is it possible to set a policy that allows connections from 172.16.25.13 to 172.16.30.7 but rejects connections to 172.16.30.6,

    and allows connections from 172.16.25.3 to 172.16.30.6 but rejects connections to 172.16.30.7?


    [image: setupp.JPG]

    Because in my testing, whenever I enter a single IP address (e.g. 172.16.25.3/24), it seems to allow everything from the subnet (172.16.25.0/24).




  • 2.  RE: Policy Using IP address
    Best Answer

    Posted 04-27-2016 22:10


    There could be two things:

    1: Probably your policy address has an IP with a /24 subnet. Be specific with a /32 IP in the policy address if you want to control single hosts.

    e.g. set address Trust "test" 10.1.1.0/24 <-- this is for the /24 subnet
    set address Trust "test/32" 10.1.1.1/32 <-- this is for /32, i.e. the single IP 10.1.1.1

    Refer to KB https://kb.juniper.net/InfoCenter/index?page=content&id=KB15074&actp=search for more details.

    2: Make sure your specific policies are above the generic ones.

    e.g.: policy 1, which is for 192.168.0.0/24 <===> 192.168.1.0/24, will trigger before policy 2, which is for 192.168.0.1/32 <===> 192.168.1.1/32, even though policy 2 has the more specific IPs. Move policy 2 above policy 1 to make it work correctly.

    Thanks,
    Vikas
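
The two points in the answer above (host bits in a /24 address object are masked off, and policies are matched top-down, first match wins) are easy to see in a small simulation. The following Python is an added example written for this page, not Juniper code and not the original poster's configuration: it parses a simplified subset of the ScreenOS `set address` / `set policy` syntax into address objects and an ordered policy list, then looks up a source/destination pair the way a first-match firewall does. The address names (`h13`, `h3`, `s7`, `s6`, `lan`, `srv`), the `ANY` service and the default-deny for unmatched interzone traffic are assumptions made for the illustration; the IPs are the ones from the question.

```python
"""Constructed first-match simulation of ScreenOS-style address objects and
policy lookup. Added illustration for this thread, not Juniper code."""
import ipaddress
import shlex


def load_config(lines):
    """Parse simplified 'set address' / 'set policy' lines.

    Returns (addresses, policies): addresses maps (zone, name) -> ip_network;
    policies is an ordered list, index 0 is checked first.
    """
    addresses = {}
    policies = []
    for raw in lines:
        tok = shlex.split(raw)
        if len(tok) < 2 or tok[0] != "set":
            continue
        if tok[1] == "address":
            # set address <zone> "<name>" <ip>/<prefix>
            zone, name, cidr = tok[2], tok[3], tok[4]
            # strict=False masks the host bits, so 172.16.25.13/24 is stored
            # as 172.16.25.0/24: the whole subnet, which is what the original
            # poster observed with a /24 on a single host.
            addresses[(zone, name)] = ipaddress.ip_network(cidr, strict=False)
        elif tok[1] == "policy":
            # set policy [top] from <zone> to <zone> "<src>" "<dst>" <svc> <action>
            top = tok[2] == "top"
            if top:
                del tok[2]
            entry = {"from": tok[3], "to": tok[5], "src": tok[6],
                     "dst": tok[7], "service": tok[8], "action": tok[9]}
            # 'top' inserts the policy ahead of everything already defined.
            policies.insert(0, entry) if top else policies.append(entry)
    return addresses, policies


def _matches(addresses, zone, name, ip):
    """True if ip falls inside the named address object (Any matches all)."""
    if name.lower() == "any":
        return True
    return ip in addresses[(zone, name)]


def lookup(addresses, policies, from_zone, to_zone, src_ip, dst_ip):
    """Return the action of the first matching policy, else 'deny'
    (assumed default for interzone traffic with no matching policy)."""
    s = ipaddress.ip_address(src_ip)
    d = ipaddress.ip_address(dst_ip)
    for p in policies:
        if p["from"] != from_zone or p["to"] != to_zone:
            continue
        if _matches(addresses, from_zone, p["src"], s) and \
           _matches(addresses, to_zone, p["dst"], d):
            return p["action"]
    return "deny"


# Constructed config 1: hosts entered with /24, as in the question.
HOST_BITS_MASKED = [
    'set address Trust "h13" 172.16.25.13/24',
    'set address Trust "h3" 172.16.25.3/24',
    'set address DMZ "s7" 172.16.30.7/32',
    'set address DMZ "s6" 172.16.30.6/32',
    'set policy from Trust to DMZ "h13" "s7" ANY permit',
    'set policy from Trust to DMZ "h3" "s6" ANY permit',
]

# Constructed config 2: the same intent with /32 host objects.
HOST_32 = [l.replace("25.13/24", "25.13/32").replace("25.3/24", "25.3/32")
           for l in HOST_BITS_MASKED]

# Constructed config 3: a generic permit above a specific deny shadows it.
SHADOWED = [
    'set address Trust "lan" 172.16.25.0/24',
    'set address DMZ "srv" 172.16.30.0/24',
    'set address Trust "h13" 172.16.25.13/32',
    'set address DMZ "s6" 172.16.30.6/32',
    'set policy from Trust to DMZ "lan" "srv" ANY permit',
    'set policy from Trust to DMZ "h13" "s6" ANY deny',
]

# Constructed config 4: same rules, specific deny moved to the top.
REORDERED = SHADOWED[:-1] + ['set policy top from Trust to DMZ "h13" "s6" ANY deny']


def demo():
    """Run the four constructed configs through lookup and return the results."""
    results = {}
    for label, cfg in (("masked", HOST_BITS_MASKED), ("host32", HOST_32),
                       ("shadowed", SHADOWED), ("reordered", REORDERED)):
        addr, pol = load_config(cfg)
        results[label] = lookup(addr, pol, "Trust", "DMZ",
                                "172.16.25.13", "172.16.30.6")
    return results


if __name__ == "__main__":
    for label, action in demo().items():
        print(f"{label:10s} 172.16.25.13 -> 172.16.30.6 : {action}")
```

With the /24 objects the lookup for 172.16.25.13 to 172.16.30.6 returns `permit`, because the second policy's source object has become the whole 172.16.25.0/24; with /32 objects it returns `deny`. The third and fourth configs show the ordering point: the same specific deny is ignored while a broader permit sits above it, and takes effect once it is placed first. On a real ScreenOS box the equivalent reordering is done with the `top` keyword on `set policy` or with `set policy move`; the parser here only models `top`.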



  • 3.  RE: Policy Using IP address

    Posted 04-27-2016 22:22

    The KB https://kb.juniper.net/InfoCenter/index?page=content&id=KB15074&actp=search is for site-to-site VPN and can be ignored; the rest of the explanation still holds.



  • 4.  RE: Policy Using IP address

    Posted 04-28-2016 01:23

    Hi Mr Vikassingh,

     

    Thanks for the solution. I totally overlooked the /32 subnet; it totally cleared up that there was already a default IP address with a /32 subnet.

    Now the policy is working.

     

    Thanks A lot.

     

    regards,

    hazly