ScreenOS Firewalls (NOT SRX)
emoralesa

Accepted Solution

Policy between network segments

How are you?

I hope you can help me solve my problem:

I have an SSG140 with two network segments, 172.31.114.0 and 172.31.115.0. How do I change the policy so that some equipment can be seen between the network segments? And how can I specify only the https and https ports for those network segments, so that not all ports are open?

I've always used the GUI.

Thank you very much

adgwytc

Re: Policy between network segments

What zones are the network segments in? Trust to trust?

Just use the GUI to select the Policy and only allow traffic through on the https protocols.

Remember, the policy application in the GUI does not specify network to network within the actual choices, but zone to zone. Once you open the Policy from zone to zone you can choose the networks or hosts and protocols.

emoralesa

Re: Policy between network segments

I have the two segments on the same SSG140. One interface is 172.31.114.0 and another is for 172.31.115.0.

My network has grown, so I created two network segments.

I need only some equipment to see each other, not all of it. I have no idea how. I want to do this so that there is less network traffic, and also to specify the protocols.

Thank you very much for your support

adgwytc

Re: Policy between network segments

Okay, I understand the interfaces; however, Policies are designed at the beginning via zones. So, the interfaces you mention will be bound to zones. You can check within the network / interfaces / list and then look at the zone those interfaces are in. If they are both in the trust zone then you need a "trust-to-trust" policy. Within the policy, choose the network, protocols and anything else you want to allow through.

The default zones are:

Trust
Untrust
DMZ

Your organisation may have created other zones and placed the interfaces within those. You will need the zone names before you can create the Policy.

emoralesa

Re: Policy between network segments

AAAHHH, perfect.

You mean I can create several groups (Policy > Policy Elements > Addresses > Groups), add users, and within the policy (trust-trust) only allow visibility between the groups I choose?

Thank you so much for your support :smileyhappy:

adgwytc

Re: Policy between network segments

Yes, address book entries are perfect for this.

Create the address book entries, then form tidy groups for the entries, and then apply them to the policy. :smileyhappy:
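The same setup that adgwytc walks through above in WebUI terms (interfaces bound to the Trust zone, address book entries, groups, and a trust-to-trust policy limited to HTTPS), rendered as ScreenOS CLI so the pieces and their order are visible in one place. This is an added example, not configuration posted in the thread or shipped by Juniper; the interface names, host addresses, object names and policy IDs are assumptions chosen for illustration. The one thing the WebUI walkthrough does not mention is intra-zone blocking: if it is off for Trust, the SSG forwards traffic between two Trust interfaces without consulting any policy, so a trust-to-trust policy would never match.

```text
## Added example (not from the thread or from Juniper): ScreenOS CLI for a
## host-to-host, HTTPS-only policy between two Trust-zone segments on an SSG140.
## Interface names, host addresses, object names and policy IDs are assumed.

# Both segments live on interfaces bound to the same zone (Trust).
set interface ethernet0/2 zone trust
set interface ethernet0/2 ip 172.31.114.1/24
set interface ethernet0/3 zone trust
set interface ethernet0/3 ip 172.31.115.1/24

# Make traffic between Trust interfaces subject to policy lookup. Without this,
# the trust-to-trust policies below are never consulted and everything passes.
# (WebUI: Network > Zones > Edit Trust > Block Intra-Zone Traffic)
set zone trust block

# Address book entries (WebUI: Policy > Policy Elements > Addresses > List).
set address trust "srv-114-10" 172.31.114.10 255.255.255.255 "web server A"
set address trust "srv-114-11" 172.31.114.11 255.255.255.255 "web server B"
set address trust "pc-115-20"  172.31.115.20 255.255.255.255 "admin workstation 1"
set address trust "pc-115-21"  172.31.115.21 255.255.255.255 "admin workstation 2"

# Groups (WebUI: Policy > Policy Elements > Addresses > Groups).
set group address trust "web-servers-114"
set group address trust "web-servers-114" add "srv-114-10"
set group address trust "web-servers-114" add "srv-114-11"
set group address trust "admin-pcs-115"
set group address trust "admin-pcs-115" add "pc-115-20"
set group address trust "admin-pcs-115" add "pc-115-21"

# Trust-to-trust policies. HTTPS is a predefined ScreenOS service (TCP/443).
# ScreenOS is stateful, so the return traffic of permitted sessions needs no
# reverse policy. The final deny exists only so that dropped attempts are
# logged; once intra-zone blocking is on, anything unmatched is denied anyway.
set policy id 10 from trust to trust "admin-pcs-115" "web-servers-114" HTTPS permit log
set policy id 11 from trust to trust any any any deny log
save

# Checks after applying
get zone trust                    # confirm intra-zone blocking is on
get address trust                 # entries and groups as created above
get policy from trust to trust    # policy 10 (permit) listed before 11 (deny)
```

If HTTP is needed as well as HTTPS, put both predefined services in a service group (`set group service "web-only" add HTTP` and `set group service "web-only" add HTTPS`) and reference `"web-only"` in policy 10 instead of `HTTPS`; the address groups stay the same. Policy order matters: a broad permit placed above policy 11 would silence the deny log for anything it matches.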

emoralesa

Re: Policy between network segments

Perfect.

I really, really appreciate your support. Thank you for sharing your time and knowledge :smileyvery-happy:

Accepted as a solution

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.