ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
Cookie
Visitor
Cookie
Posts: 8
Registered: ‎06-11-2009
0

SSG-140: two problems

Options

‎06-11-2009 10:19 AM

Hello! I'm new here and at the moment i have two problems:  

 

1) on one interface (for example ethernet0/5) i have DHCP Service which have Dynamic adresses range starting 192.168.1.50 - 192.168.1.150. How can i make a new entry in the section Policy Elements / List for further use  these range in the Policies?

 

2) How can i make (using my SSG-140) policy so that users, for example 1 ip or ip range (mentioned in above), could not download Torrents??

 

Thanks in advance! 

 

Message 1 of 6 (10,120 Views)
 
Reply
Super Contributor
Super Contributor
Cesar
Posts: 141
Registered: ‎11-18-2008
0

Re: SSG-140: two problems

Options

‎06-11-2009 01:22 PM

1. You cannot use range of IP addresses on a normal policy but you can use multi cell policy and speciy each host/subnet to cover from .50 to .150.

2.  You need an IDP solution.

 

 

 

Message 2 of 6 (10,113 Views)
 
Reply
Distinguished Expert
Distinguished Expert
Screenie
Posts: 976
Registered: ‎01-10-2008
0

Re: SSG-140: two problems

Options

‎06-11-2009 02:59 PM

IDP?  Can't it be done with DI and some custom signatures? DI runs on the 140, IDP takes additional box.
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Message 3 of 6 (10,107 Views)
 
Reply
maraboutingermany
New User
maraboutingermany
Posts: 4
Registered: ‎06-12-2009
0

Re: SSG-140: two problems

Options

‎06-12-2009 01:02 AM

DI only supports a small subset of protocols (ex: ftp, http, etc..)

IDP or any other IPS/IDS product can do this.

Message 4 of 6 (10,092 Views)
 
Reply
Cookie
Visitor
Cookie
Posts: 8
Registered: ‎06-11-2009
0

Re: SSG-140: two problems

[ Edited ]
Options

‎06-12-2009 04:53 AM - edited ‎06-12-2009 04:54 AM

 Thanks!

 

Sorry i'm totally novice in screenos. But how i can create two /25 subnets on interface (for example ethernet0/4) or multi cell policy , if my configuration on this interface are 192.168.1.1/24 ??

Message Edited by Cookie on 12-06-2009 02:54 PM
Message 5 of 6 (10,084 Views)
 
Reply
Distinguished Expert
Distinguished Expert
Screenie
Posts: 976
Registered: ‎01-10-2008
0

Re: SSG-140: two problems

Options

‎06-12-2009 02:53 PM

You can have a /24 on the interface but in the policy config select multiple for source address and add some subnets of the /24. Only traffic from these subnets will be acepted then. Policy end interface setting are separated.
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Message 6 of 6 (10,064 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.