Screen OS


  • 1.  SSG5 and Smarthost configuration

    Posted 09-08-2009 21:15

    Hi all -

     

    We've recently swapped out our old firewall (SonicWall) and replaced it with an SSG5.  I have been struggling with one thing though, hopefully you guys have some insight or suggestions that can help.  The problem seems to be with our smarthost that we set up a while back due to some machines sending out spam and causing us to be added to DNS blacklists.  With the SonicWall we just added the range 208.83.76.1 - 208.83.76.255 and permitted traffic.

     

    Being fairly new to the Juniper hardware, I am having a hard time finding a similar way of doing this.  I have tried several different policies, but I think the problem lies in me not being able to specify a range.  Also, we are able to send out just fine (trust to untrust - any any.)

     

    Any ideas?



  • 2.  RE: SSG5 and Smarthost configuration

    Posted 09-09-2009 11:30
    Hi, you can use 208.83.76.0/24 instead of the range. Should work fine.


  • 3.  RE: SSG5 and Smarthost configuration

    Posted 09-09-2009 17:00

    Welcome to Juniper.  I also recently converted from Sonicwall and am in the process of rolling out new sites.

     

    You are in the right area.  Policies are the equivalent of the SonicWall firewall rules.  They also work the same way as the Enhanced OS in SonicWall in that they use address objects.  If the rule does not apply to "any" address in the zone you need to create an address object to use in the Policy.

     

    Address objects are found in the web UI under Policies--Policy Objects--Addresses--List.  

    Second difference is all address objects in Juniper are in CIDR notation instead of address subnet mask.  And Juniper does not support arbitrary ranges.  So you have to find the closest CIDR match to make the object.

     

    Once the object is created it will appear on the policy pick list for the zone.
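    Since ScreenOS address objects are CIDR only, the range from the first post has to be turned into one or more CIDR blocks. The Python below is an added example (not from the original thread or from Juniper) that computes both the exact set of blocks covering 208.83.76.1 - 208.83.76.255 and the single "closest CIDR match" (the /24 suggested earlier), and renders the latter as a `set address` line in the form used by the SSG5. The zone name "Untrust" is taken from the posted config.

```python
"""Turn a SonicWall-style address range into ScreenOS CIDR address objects."""
import ipaddress

# Constructed input: the range from the original post, which cannot be entered
# directly because ScreenOS address objects take a network and a mask only.
SONICWALL_RANGE = ("208.83.76.1", "208.83.76.255")


def exact_cidrs(first: str, last: str) -> list:
    """Smallest set of CIDR blocks that covers exactly first..last."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def covering_cidr(first: str, last: str) -> str:
    """The single smallest CIDR block containing the whole range.

    This is the 'closest CIDR match': it may admit addresses outside the
    range (here 208.83.76.0), so confirm those extra hosts are acceptable
    before using it as the source of a permit policy.
    """
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    prefix = 32
    # Shorten the prefix until both ends share the same network bits.
    while prefix > 0 and (lo >> (32 - prefix)) != (hi >> (32 - prefix)):
        prefix -= 1
    return str(ipaddress.ip_network((lo, prefix), strict=False))


def screenos_address_lines(zone: str, cidrs: list) -> list:
    """Render 'set address' commands in the same form as the posted config."""
    lines = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        lines.append(f'set address "{zone}" "{net.with_prefixlen}" '
                     f"{net.network_address} {net.netmask}")
    return lines


if __name__ == "__main__":
    first, last = SONICWALL_RANGE
    print("exact blocks:", exact_cidrs(first, last))
    single = covering_cidr(first, last)
    print("single covering block:", single)
    for line in screenos_address_lines("Untrust", [single]):
        print(line)
```

If the extra host the covering block admits is not acceptable, feed the exact block list to `screenos_address_lines` instead and reference each resulting object in its own policy.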



  • 4.  RE: SSG5 and Smarthost configuration

    Posted 09-09-2009 17:44

    Thanks for the guidance.  I figured that was the right thing to do, but am still having trouble.  I received an email from the company that provides the spam protection and they gave me the ranges in CIDR notation so I went and added those and pointed to them both ANY and 10.1.1.3 (Exchange Server) but still no luck.  Here is the config...I can't imagine what I'm missing at this point.

     

    set clock timezone 0
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit
    set service "smarthost" protocol tcp src-port 25-25 dst-port 25-25
    set service "smarthost" + udp src-port 25-25 dst-port 25-25
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "netscreen"
    set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
    set admin auth web timeout 10
    set admin auth dial-in timeout 3
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "DMZ" tcp-rst
    set zone "VLAN" block
    unset zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "bgroup0" zone "Trust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    set interface bgroup0 port ethernet0/6
    unset interface vlan1 ip
    set interface ethernet0/0 ip 68.65.89.42/24
    set interface ethernet0/0 route
    set interface bgroup0 ip 10.1.1.1/24
    set interface bgroup0 nat
    set interface ethernet0/0 gateway 68.65.89.41
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface bgroup0 ip manageable
    set interface bgroup0 manage mtrace
    set interface "serial0/0" modem settings "USR" init "AT&F"
    set interface "serial0/0" modem settings "USR" active
    set interface "serial0/0" modem speed 115200
    set interface "serial0/0" modem retry 3
    set interface "serial0/0" modem interval 10
    set interface "serial0/0" modem idle-time 10
    set flow tcp-mss
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set address "Trust" "sbserver" 10.1.1.3 255.255.255.0
    set address "Untrust" "208.83.76.0/24" 208.83.76.0 255.255.255.0
    set address "Untrust" "66.45.16.0/25" 66.45.16.0 255.255.255.128
    set address "Untrust" "68.157.78.240/29" 68.157.78.240 255.255.255.248
    set address "Untrust" "70.43.22.192/26" 70.43.22.192 255.255.255.192
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit
    set url protocol websense
    exit
    set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
    set policy id 1
    exit
    set policy id 2 name "test" from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
    set policy id 2
    exit
    set policy id 3 name "SMARTHOST1" from "Untrust" to "Trust"  "208.83.76.0/24" "sbserver" "SMTP" permit
    set policy id 3 application "SMTP"
    set policy id 3
    exit
    set policy id 4 name "SMARTHOST2" from "Untrust" to "Trust"  "66.45.16.0/25" "sbserver" "SMTP" permit
    set policy id 4 application "SMTP"
    set policy id 4
    exit
    set policy id 5 name "SMARTHOST3" from "Untrust" to "Trust"  "70.43.22.192/26" "sbserver" "SMTP" permit
    set policy id 5 application "SMTP"
    set policy id 5
    exit
    set policy id 6 name "SMARTHOST4" from "Untrust" to "Trust"  "68.157.78.240/29" "sbserver" "SMTP" permit
    set policy id 6 application "SMTP"
    set policy id 6
    exit
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    unset license-key auto-update
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

     

     Any more suggestions?



  • 5.  RE: SSG5 and Smarthost configuration

    Posted 09-09-2009 18:13

    It looks like your Policy rules are correct for the smtp hosts.  But you should remove the "test" policy 2.  As it appears before the others it will override them.

     

    What you appear to be missing is the inbound NAT for the mail server.  Just as on the SonicWall, NAT is separate from the Firewall rules.  There are a lot of options that come into play.  This tech note runs you through the Q&A to pick the setup for your situation.

     

    Inbound NAT

     

     The long version is in Volume 8 of Concepts and Examples:

     

    ScreenOS Documentation
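    The point about policy 2 appearing first is a policy-ordering problem: ScreenOS evaluates policies top down and the first match wins, so a broader permit ahead of the SMARTHOST rules means those rules are never consulted. The Python below is an added example (not part of this thread or of ScreenOS) that parses `set address` and `set policy` lines in config order and reports any policy whose zones, source, destination and service are all covered by an earlier one. It resolves address objects the way the posted config defines them, so note that "sbserver" (10.1.1.3 with a 255.255.255.0 mask) resolves to 10.1.1.0/24, which is worth checking against what was intended.

```python
"""Flag ScreenOS policies hidden by an earlier, broader policy (first match wins)."""
import ipaddress
import re

# Constructed sample: address objects and policies copied from the posted config.
CONFIG = """
set address "Trust" "sbserver" 10.1.1.3 255.255.255.0
set address "Untrust" "208.83.76.0/24" 208.83.76.0 255.255.255.0
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2 name "test" from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
set policy id 3 name "SMARTHOST1" from "Untrust" to "Trust"  "208.83.76.0/24" "sbserver" "SMTP" permit
"""
ADDR_RE = re.compile(r'^set address "([^"]+)" "([^"]+)" (\S+) (\S+)$')
POLICY_RE = re.compile(r'^set policy id (\d+)(?: name "[^"]*")? from "([^"]+)" '
                       r'to "([^"]+)"\s+"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny)$')


def parse(config):
    """Return ({(zone, name): network}, [policy tuples]) in config order."""
    addrs, policies = {}, []
    for line in config.strip().splitlines():
        if m := ADDR_RE.match(line):
            zone, name, ip, mask = m.groups()
            # The object covers everything under its mask, so "sbserver" is 10.1.1.0/24.
            addrs[(zone, name)] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        elif m := POLICY_RE.match(line):
            pid, *rest = m.groups()
            policies.append((int(pid), *rest))
    return addrs, policies


def covers(addrs, zone, broad, narrow):
    """True if address object 'broad' contains every host of object 'narrow'."""
    if broad == "Any":
        return True
    if narrow == "Any":
        return False
    return addrs[(zone, narrow)].subnet_of(addrs[(zone, broad)])


def shadowed_policies(config):
    """Map each unreachable policy id to the id of the earlier policy hiding it."""
    addrs, policies = parse(config)
    hidden = {}
    for i, (pid, sz, dz, src, dst, svc, _) in enumerate(policies):
        for epid, esz, edz, esrc, edst, esvc, _ in policies[:i]:
            if ((esz, edz) == (sz, dz) and esvc in ("ANY", svc)
                    and covers(addrs, sz, esrc, src) and covers(addrs, dz, edst, dst)):
                hidden[pid] = epid
                break
    return hidden
```

Running `shadowed_policies(CONFIG)` on the sample reports policy 3 as hidden by policy 2; the check only compares address objects by name within a zone and treats "ANY" as the only service wildcard, which is enough for the posted config but not for service groups.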



  • 6.  RE: SSG5 and Smarthost configuration
    Best Answer

    Posted 09-09-2009 18:15
    I will go through these documents and keep you updated - I appreciate the help spuluka.


  • 7.  RE: SSG5 and Smarthost configuration

    Posted 09-10-2009 01:05

    Well, I was able to get it to work with VIP...which I am not completely satisfied with, but can live with until at least this weekend.  Thanks to everyone who chipped in and guided me - "Volume 8" was helpful in explaining the concepts between how Junipers treat NAT at least, but I will say the manuals could be a lot more clear by using default configs out of the box, every example had different zones at a different interface which tripped me up slightly.  Overall though, thanks to everyone!

     

    Time to sleep.