ScreenOS Firewalls (NOT SRX)
Visitor
Cookie
Posts: 8
Registered: ‎06-11-2009
0

SSG-140: two problems

Hello! I'm new here and at the moment I have two problems:

1) On one interface (for example ethernet0/5) I have a DHCP service which has a dynamic address range of 192.168.1.50 - 192.168.1.150. How can I make a new entry in the Policy Elements / List section so that I can use this range in the policies later?

2) How can I make a policy (using my SSG-140) so that users, for example 1 IP or the IP range mentioned above, cannot download torrents?

Thanks in advance!

Super Contributor
Cesar
Posts: 141
Registered: ‎11-18-2008
0

Re: SSG-140: two problems

1. You cannot use a range of IP addresses in a normal policy, but you can use a multi-cell policy and specify each host/subnet to cover from .50 to .150.

2.  You need an IDP solution.
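The host/subnet cover described in the reply above can be computed instead of worked out by hand. This is an added example, not part of the thread: it splits 192.168.1.50 - 192.168.1.150 into the fewest entries that match the range and nothing else, and prints a ScreenOS `set address` line for each. The zone name `Trust` and the `dhcp_` entry names are assumptions.

```python
import ipaddress

def cover_range(first, last):
    """Fewest CIDR blocks that cover first..last and nothing outside it."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("range start is above range end")
    return list(ipaddress.summarize_address_range(lo, hi))

def is_covered(blocks, ip):
    """True if ip would match one of the address entries."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in blocks)

def extra_hosts(blocks, first, last):
    """Addresses matched beyond the intended range.
    Assumes the blocks do not overlap and contain the whole range."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    wanted = int(hi) - int(lo) + 1
    return sum(net.num_addresses for net in blocks) - wanted

def screenos_address_cmds(zone, prefix, blocks):
    """One address-book entry per block; zone and entry names are assumed."""
    cmds = []
    for net in blocks:
        name = f"{prefix}_{net.network_address}_{net.prefixlen}"
        cmds.append(
            f'set address "{zone}" "{name}" {net.network_address} {net.netmask}'
        )
    return cmds

if __name__ == "__main__":
    FIRST, LAST = "192.168.1.50", "192.168.1.150"  # DHCP pool from the question
    blocks = cover_range(FIRST, LAST)
    for line in screenos_address_cmds("Trust", "dhcp", blocks):
        print(line)
    # Edge check: the addresses just outside the pool must not match.
    for ip in ("192.168.1.49", FIRST, LAST, "192.168.1.151"):
        print(ip, "matches" if is_covered(blocks, ip) else "does not match")
    # Using the whole interface subnet instead would match far more hosts.
    whole = [ipaddress.IPv4Network("192.168.1.0/24")]
    print("extra hosts, exact cover:", extra_hosts(blocks, FIRST, LAST))
    print("extra hosts, /24 entry:  ", extra_hosts(whole, FIRST, LAST))
```

Each printed entry can then be picked as one of the multiple source addresses of the policy.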

 

 

 

Distinguished Expert
Screenie
Posts: 1,073
Registered: ‎01-10-2008
0

Re: SSG-140: two problems

IDP? Can't it be done with DI and some custom signatures? DI runs on the 140, IDP takes an additional box.

Best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.

New User
maraboutingermany
Posts: 4
Registered: ‎06-12-2009
0

Re: SSG-140: two problems

DI only supports a small subset of protocols (e.g. FTP, HTTP, etc.).

IDP or any other IPS/IDS product can do this.

Visitor
Cookie
Posts: 8
Registered: ‎06-11-2009
0

Re: SSG-140: two problems

Thanks!

Sorry, I'm a total novice in ScreenOS. But how can I create two /25 subnets on an interface (for example ethernet0/4), or a multi-cell policy, if my configuration on this interface is 192.168.1.1/24?

Message Edited by Cookie on 12-06-2009 02:54 PM
Distinguished Expert
Screenie
Posts: 1,073
Registered: ‎01-10-2008
0

Re: SSG-140: two problems

You can have a /24 on the interface, but in the policy config select multiple for source address and add some subnets of the /24. Only traffic from these subnets will be accepted then. Policy and interface settings are separate.

Best regards,

Screenie.