Screen OS

  • 1.  SSG5 -> SSG520 bgroup ports?

    Posted 07-14-2014 09:51

    I have a working SSG5 and bought a SSG520 and am migrating the config. On my SSG5 I have:

    set interface ethernet0/0 phy full 100mb
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "bgroup0" zone "Trust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3
    set interface bgroup0 port ethernet0/4
    set interface bgroup0 port ethernet0/5
    set interface bgroup0 port ethernet0/6

    and I want to duplicate that setup on the SSG520, only with bgroup0 tied to 0/2 and 0/3 alone, since the SSG520 has fewer ports, so I tried:

    set interface ethernet0/0 phy full 1000mb
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "bgroup0" zone "Trust"
    set interface bgroup0 port ethernet0/2
    set interface bgroup0 port ethernet0/3

    and ports 0/0 and 0/1 work as expected, but bgroup0 (0/2, 0/3) doesn't seem to be configured. Am I doing something wrong? The rest of the config just routes things to bgroup0, so I don't see why it would matter how many ports are in that group?



  • 2.  RE: SSG5 -> SSG520 bgroup ports?
    Best Answer

    Posted 07-14-2014 10:03

    Per http://kb.juniper.net/InfoCenter/index?page=content&id=KB10747, bgroup interfaces are not supported on the SSG-520/550 on-board interfaces.  They are only supported with the uPIM cards.



  • 3.  RE: SSG5 -> SSG520 bgroup ports?

    Posted 07-14-2014 15:13

    Thank you, that helped 🙂 . My config still doesn't route from 0/2 (Trust 10.1.10.0/24) to 0/0 (Untrust public 1.2.3.4/32) using the same config file which is in production on the SSG5 and passes traffic through that route. Are there other features not supported on the SSG520 that are supported on the SSG5 which I might be missing?


    I just did a search/replace in vi on the SSG5 config text file and replaced bgroup0 with interface0/2, so I'd guess the routing should really be the same? Here's what I have for the interfaces:

    set interface ethernet0/0 phy full 100mb
    set interface "ethernet0/0" zone "Untrust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "ethernet0/2" zone "Trust"

    I haven't tried to change 0/0-0/2 to GigE interfaces; would that be somehow related?



  • 4.  RE: SSG5 -> SSG520 bgroup ports?

    Posted 07-14-2014 15:20

    Can you provide the output from "debug flow basic"?  http://kb.juniper.net/InfoCenter/index?page=content&id=KB23844#basicdebug



  • 5.  RE: SSG5 -> SSG520 bgroup ports?

    Posted 07-16-2014 10:47

    Yes, and thanks for the link; this is helping my transition to the CLI, which I need to do anyway 🙂

    ****** 09252.0: <Trust/ethernet0/2> packet received [84]******
      ipid = 45271(b0d7), @2d5b7910
      packet passed sanity check.
      flow_decap_vector IPv4 process
      ethernet0/2:10.1.10.3/5->1.2.3.4/24867,1(8/0)<Root>
      no session found
      flow_first_sanity_check: in <ethernet0/2>, out <N/A>
      chose interface ethernet0/2 as incoming nat if.
      flow_first_routing: in <ethernet0/2>, out <N/A>
      search route to (ethernet0/2, 10.1.10.3->1.2.3.4) in vr trust-vr for vsd-0/flag-0/ifp-null
    PBR lookup params: dst-ip: 1.2.3.4, src-ip: 10.1.10.3, dst-port: 24867, src-port: 5, protocol: 1, dscp: 0
    PBR: no route to (1.2.3.4) in vr trust-vr
      [ Dest] 1.route 1.2.3.4->1.2.3.4, to ethernet0/0
      routed (x_dst_ip 1.2.3.4) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
      policy search from zone 2-> zone 2
     policy_flow_search  policy search nat_crt from zone 2-> zone 2
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 1.2.3.4, port 9404, proto 1)
      No SW RPC rule match, search HW rule
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
      Searching global policy.
    swrs_search_ip: policy matched id/idx/action = 320000/-1/0x0
      Permitted by policy 320002
      No src xlate   choose interface ethernet0/0 as outgoing phy if
      no loop on ifp ethernet0/0.
      session application type 0, name None, nas_id 0, timeout 60sec
      service lookup identified service 0.
      flow_first_final_check: in <ethernet0/2>, out <ethernet0/0>
      existing vector list 1-8b5fdc4.
      Session (id:128041) created for first pak 1
      flow_first_install_session======>
      route to 1.2.3.4
      arp entry found for 1.2.3.4
      ifp2 ethernet0/0, out_ifp ethernet0/0, flag 00800800, tunnel ffffffff, rc 1
      outgoing wing prepared, ready
      handle cleartext reverse route
      search route to (ethernet0/0, 1.2.3.4->10.1.10.3) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet0/2
      [ Dest] 5.route 10.1.10.3->10.1.10.3, to ethernet0/2
      route to 10.1.10.3
      arp entry found for 10.1.10.3
      ifp2 ethernet0/2, out_ifp ethernet0/2, flag 00800801, tunnel ffffffff, rc 1
      flow got session.
      flow session id 128041
      flow_main_body_vector in ifp ethernet0/2 out ifp ethernet0/0
      flow vector index 0x1, vector addr 0x19878f0, orig vector 0x19878f0
      post addr xlation: 10.1.10.3->1.2.3.4.

    So why does the section below not find my policy, which allows ANY/ANY from Trust -> Untrust on the SSG520 (or am I reading it wrong)?


    search route to (ethernet0/2, 10.1.10.3->1.2.3.4) in vr trust-vr for vsd-0/flag-0/ifp-null
    PBR lookup params: dst-ip: 1.2.3.4, src-ip: 10.1.10.3, dst-port: 24867, src-port: 5, protocol: 1, dscp: 0
    PBR: no route to (1.2.3.4) in vr trust-vr
      [ Dest] 1.route 1.2.3.4->1.2.3.4, to ethernet0/0
      routed (x_dst_ip 1.2.3.4) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
      policy search from zone 2-> zone 2
     policy_flow_search  policy search nat_crt from zone 2-> zone 2
      RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 1.2.3.4, port 9404, proto 1)
      No SW RPC rule match, search HW rule
    ...




  • 6.  RE: SSG5 -> SSG520 bgroup ports?

    Posted 07-16-2014 11:05

    The policy search is from zone 2 to zone 2, which is Trust to Trust:

    policy search from zone 2-> zone 2

    You said that your policy is from Trust to Untrust. Check which zone eth0/0 and eth0/2 are in. The traffic is being sent out, but the source is not translated. If this is going to a public address, the next hop would drop it, as 10.x.x.x is a private address range.
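    The two symptoms pointed out in this reply (an intrazone policy lookup, and a private source leaving without source NAT) can be picked out of a `debug flow basic` trace mechanically. The script below is an added example, not something posted in this thread or shipped by Juniper: it parses the trace posted above (embedded as a constructed sample) and reports both problems. The zone-id mapping is an assumption apart from 2 = Trust, which the reply states; confirm the ids on a live unit with `get zone`.

```python
"""Parse a ScreenOS `debug flow basic` trace and flag the zone/NAT problems discussed above."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# 2 = Trust is stated in the thread; 1 = Untrust and 3 = DMZ are the usual
# ScreenOS defaults (assumption: verify with `get zone` on the firewall).
ZONE_NAMES = {1: "Untrust", 2: "Trust", 3: "DMZ"}

# Constructed sample: the relevant lines of the trace posted in the thread.
SAMPLE_TRACE = """\
****** 09252.0: <Trust/ethernet0/2> packet received [84]******
  ipid = 45271(b0d7), @2d5b7910
  packet passed sanity check.
  flow_decap_vector IPv4 process
  ethernet0/2:10.1.10.3/5->1.2.3.4/24867,1(8/0)<Root>
  no session found
  flow_first_routing: in <ethernet0/2>, out <N/A>
  [ Dest] 1.route 1.2.3.4->1.2.3.4, to ethernet0/0
  routed (x_dst_ip 1.2.3.4) from ethernet0/2 (ethernet0/2 in 0) to ethernet0/0
  policy search from zone 2-> zone 2
  Permitted by policy 320002
  No src xlate   choose interface ethernet0/0 as outgoing phy if
  Session (id:128041) created for first pak 1
  post addr xlation: 10.1.10.3->1.2.3.4.
"""


@dataclass
class FlowTrace:
    in_zone: Optional[str] = None
    in_ifp: Optional[str] = None
    out_ifp: Optional[str] = None
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    proto: Optional[int] = None
    src_zone_id: Optional[int] = None
    dst_zone_id: Optional[int] = None
    policy_id: Optional[int] = None
    src_translated: Optional[bool] = None


def parse_trace(text: str) -> FlowTrace:
    """Extract the fields a policy/NAT diagnosis needs from one first-packet trace."""
    t = FlowTrace()
    m = re.search(r"<([^/>]+)/([^>]+)> packet received", text)
    if m:
        t.in_zone, t.in_ifp = m.group(1), m.group(2)
    # "ethernet0/2:10.1.10.3/5->1.2.3.4/24867,1(8/0)<Root>"  -> src/port->dst/port,proto
    m = re.search(r"^\s*[^:\s]+:([\d.]+)/\d+->([\d.]+)/\d+,(\d+)", text, re.M)
    if m:
        t.src_ip, t.dst_ip, t.proto = m.group(1), m.group(2), int(m.group(3))
    m = re.search(r"routed .* from (\S+) .* to (\S+)", text)
    if m:
        t.out_ifp = m.group(2)
    m = re.search(r"policy search from zone (\d+)\s*->\s*zone (\d+)", text)
    if m:
        t.src_zone_id, t.dst_zone_id = int(m.group(1)), int(m.group(2))
    m = re.search(r"Permitted by policy (\d+)", text)
    if m:
        t.policy_id = int(m.group(1))
    # The post-translation line is authoritative: source NAT happened only if the source changed.
    m = re.search(r"post addr xlation: ([\d.]+)->([\d.]+)", text)
    if m and t.src_ip is not None:
        t.src_translated = m.group(1) != t.src_ip
    elif re.search(r"No src xlate", text):
        t.src_translated = False
    return t


def diagnose(t: FlowTrace, expected_src_zone: str = "Trust",
             expected_dst_zone: str = "Untrust") -> List[str]:
    """Return human-readable findings; an empty list means the trace matches expectations."""
    findings = []
    if t.src_zone_id is not None and t.src_zone_id == t.dst_zone_id:
        findings.append(
            f"intrazone lookup (zone {t.src_zone_id} -> zone {t.dst_zone_id}): "
            f"{t.in_ifp} and {t.out_ifp} are bound to the same zone; check `get interface`")
    dst_zone = ZONE_NAMES.get(t.dst_zone_id) if t.dst_zone_id is not None else None
    if dst_zone is not None and dst_zone != expected_dst_zone:
        findings.append(f"egress zone is {dst_zone}, expected {expected_dst_zone}")
    if t.in_zone is not None and t.in_zone != expected_src_zone:
        findings.append(f"ingress zone is {t.in_zone}, expected {expected_src_zone}")
    if t.src_ip and t.dst_ip:
        src, dst = ipaddress.ip_address(t.src_ip), ipaddress.ip_address(t.dst_ip)
        if src.is_private and dst.is_global and t.src_translated is False:
            findings.append(
                f"private source {src} forwarded to public {dst} via {t.out_ifp} "
                "without source NAT; the upstream hop cannot return the reply")
    return findings


if __name__ == "__main__":
    trace = parse_trace(SAMPLE_TRACE)
    for line in diagnose(trace):
        print("FINDING:", line)
```

    Run it against a saved trace (`python3 flowcheck.py < trace.txt` after swapping `SAMPLE_TRACE` for `sys.stdin.read()`) and an empty findings list means the policy lookup crossed the zones you expected and the source was translated on the way out.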



  • 7.  RE: SSG5 -> SSG520 bgroup ports?

    Posted 07-16-2014 11:32

    Yeah, right, I see what you mean, cool... but when I go to change 0/0 to Untrust (as my SSG5 config sets here):

    set interface ethernet0/0 phy full 100mb
    set interface "ethernet0/0" zone "Untrust"

    it says I have policies bound to it. I wonder why that config file still left it set as zone Trust?

    I tried disabling my policies that route to 0/0, but it still says there is something binding to 0/0. I guess I could reset the whole unit to factory and then try to set 0/0 to Untrust, then import my policies from the saved cfg like:

    set interface "ethernet0/0" mip 1.2.3.5 host 10.1.10.60 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/0" mip 1.2.3.6 host 10.1.10.169 netmask 255.255.255.255 vr "trust-vr"
    set interface "ethernet0/0" mip 1.2.3.7 host 10.1.10.180 netmask 255.255.255.255 vr "trust-vr"

    by just cut/paste to the command line after the initial config? I have lots of policies, and the SSG5 is pretty much maxed out, so I didn't want to redo them all if I can avoid that by just cut/paste somehow...

    EDIT: never mind the cut/paste thing; I was just playing around and understand that should be doable. Maybe I'll just reset to factory and start building the config that way to get practice (correct me if that's a stupid thing to do for some reason)?



  • 8.  RE: SSG5 -> SSG520 bgroup ports?

    Posted 07-16-2014 12:00

    You would need to remove the policies associated with the MIPs (remove, not disable). After that, remove the MIPs, then the IP from the interface. Once that is done, you would be able to change the zone. After the zone change, you would need to add the IPs, MIPs, policies and routes back.

    Keep in mind that interface eth0/0 by default has an IP address on it. If you are trying to change the zone, you will need to unset the IP address first. This could be why it failed the first time.



  • 9.  RE: SSG5 -> SSG520 bgroup ports?

    Posted 07-16-2014 12:04

    Easiest way is to do the configuration in a text document, then upload that to the firewall.

    Via web:

    Configuration -> Update -> Config File, check "Replace Current Configuration", browse for the file, then click "Apply". It will require the firewall to reboot.

    Via CLI (requires TFTP server):

    save configuration from tftp x.x.x.x <name> to flash

    reset



  • 10.  RE: SSG5 -> SSG520 bgroup ports?

    Posted 07-16-2014 12:51

    I edited my config file to a minimal config like this:

    unset key protection enable
    set vrouter trust-vr sharable
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset auto-route-export
    exit 
    set alg appleichat enable
    unset alg appleichat re-assembly enable
    set alg sctp enable
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "..."
    set admin password "..."
    set admin auth web timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "DMZ" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Untrust-Tun" vrouter "trust-vr"
    set zone "Trust" tcp-rst 
    set zone "Untrust" block 
    unset zone "Untrust" tcp-rst 
    set zone "MGT" block 
    unset zone "V1-Trust" tcp-rst 
    unset zone "V1-Untrust" tcp-rst 
    set zone "DMZ" tcp-rst 
    unset zone "V1-DMZ" tcp-rst 
    unset zone "VLAN" tcp-rst 
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface ethernet0/0 phy full 1000mb
    set interface "ethernet0/0" zone "Trust"
    set interface "ethernet0/1" zone "DMZ"
    set interface "ethernet0/2" zone "Trust"
    set interface ethernet0/0 ip 1.2.3.4/30
    set interface ethernet0/0 route
    unset interface vlan1 ip
    set interface ethernet0/1 ip 5.6.7.8/27
    set interface ethernet0/1 route
    set interface ethernet0/2 ip 10.1.10.1/24
    set interface ethernet0/2 nat
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface ethernet0/0 ip manageable
    set interface ethernet0/1 ip manageable
    set interface ethernet0/2 ip manageable
    set interface ethernet0/1 manage snmp
    set interface ethernet0/2 manage mtrace
    set interface ethernet0/1 monitor track-ip ip
    unset interface ethernet0/1 monitor track-ip dynamic
    set flow tcp-mss
    unset flow tcp-syn-check
    unset flow tcp-syn-bit-check
    set flow reverse-route clear-text prefer
    set flow reverse-route tunnel always
    set console page 20
    set dbuf size 4096
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set dns host dns1 0.0.0.0
    set dns host dns2 0.0.0.0
    set dns host dns3 0.0.0.0
    set crypto-policy
    exit
    set ike respond-bad-spi 1
    set ike ikev2 ike-sa-soft-lifetime 60
    unset ike ikeid-enumeration
    unset ike dos-protection
    unset ipsec access-session enable
    set ipsec access-session maximum 5000
    set ipsec access-session upper-threshold 0
    set ipsec access-session lower-threshold 0
    set ipsec access-session dead-p2-sa-timeout 0
    unset ipsec access-session log-error
    unset ipsec access-session info-exch-connected
    unset ipsec access-session use-error-log
    set url protocol websense
    exit
    set syslog enable
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set ssh enable
    set config lock timeout 5
    unset license-key auto-update
    set telnet client enable
    set ntp server src-interface "ethernet0/2"
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    set source-routing enable
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

    and it still says 0/0 is busy, so I can't unset the IP, and that it's bound to something. Am I missing something?
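    Reading the minimal config above against the earlier reply about what pins an interface to its zone, the interface block tells the story on its own: ethernet0/0 carries the public /30 in route mode but is still in Trust, and it also still has an IP (and, in the production config, MIPs) bound to it. The following is an added example, not from this thread or from Juniper, that parses `set interface` lines from a saved ScreenOS config (embedded as a constructed sample drawn from the lines posted in this thread), reports each interface's zone, address and mode, and lists the objects that must be removed, MIPs before the IP, before a `set interface ... zone` will be accepted. Policies are not interface statements, so they are not covered here; the reply above already says to remove those first.

```python
"""Audit interface/zone bindings in a ScreenOS config file."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: interface lines from the configs posted in this thread.
SAMPLE_CONFIG = """\
set interface ethernet0/0 phy full 1000mb
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Trust"
set interface ethernet0/0 ip 1.2.3.4/30
set interface ethernet0/0 route
set interface ethernet0/1 ip 5.6.7.8/27
set interface ethernet0/1 route
set interface ethernet0/2 ip 10.1.10.1/24
set interface ethernet0/2 nat
set interface ethernet0/0 ip manageable
set interface "ethernet0/0" mip 1.2.3.5 host 10.1.10.60 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/0" mip 1.2.3.6 host 10.1.10.169 netmask 255.255.255.255 vr "trust-vr"
"""


@dataclass
class Interface:
    name: str
    zone: Optional[str] = None
    ip: Optional[str] = None          # "a.b.c.d/len"
    mode: Optional[str] = None        # "nat" or "route"
    mips: List[Tuple[str, str]] = field(default_factory=list)  # (mip, host)


def parse_config(text: str) -> Dict[str, Interface]:
    """Collect zone, address, mode and MIPs per interface from `set interface` lines."""
    ifaces: Dict[str, Interface] = {}
    for raw in text.splitlines():
        m = re.match(r'^set interface "?([^"\s]+)"? (\S+)(.*)$', raw.strip())
        if not m:
            continue
        name, key, rest = m.group(1), m.group(2), m.group(3).strip()
        it = ifaces.setdefault(name, Interface(name))
        if key == "zone":
            it.zone = rest.strip('"')
        elif key == "ip":
            mm = re.match(r"([\d.]+/\d+)$", rest)   # ignore "ip manageable"
            if mm:
                it.ip = mm.group(1)
        elif key in ("nat", "route") and rest == "":
            it.mode = key
        elif key == "mip":
            mm = re.match(r"([\d.]+) host ([\d.]+)", rest)
            if mm:
                it.mips.append((mm.group(1), mm.group(2)))
    return ifaces


def zone_change_blockers(it: Interface) -> List[str]:
    """Objects bound to the interface, in the order they have to go before the zone can change."""
    blockers = [f"MIP {mip} -> {host}" for mip, host in it.mips]
    if it.ip:
        blockers.append(f"IP {it.ip}")
    return blockers


def audit(ifaces: Dict[str, Interface], expected_zones: Dict[str, str]) -> List[str]:
    """Flag zone mismatches and public addresses sitting in Trust."""
    findings = []
    for name, it in sorted(ifaces.items()):
        want = expected_zones.get(name)
        if want is not None and it.zone != want:
            findings.append(f"{name}: zone is {it.zone}, expected {want}; "
                            f"blockers before change: {zone_change_blockers(it) or 'none'}")
        if it.ip and it.zone == "Trust":
            addr = ipaddress.ip_interface(it.ip).ip
            if addr.is_global:
                findings.append(f"{name}: public address {it.ip} in zone Trust "
                                f"(mode {it.mode}); Trust->Untrust policies cannot match it")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for name, it in sorted(cfg.items()):
        print(f"{name:12} zone={it.zone} ip={it.ip} mode={it.mode} mips={len(it.mips)}")
    for line in audit(cfg, {"ethernet0/0": "Untrust", "ethernet0/2": "Trust"}):
        print("FINDING:", line)
```

    Feed it the saved config (`get config` output) and the expected-zone map for your box; every finding names an interface whose bindings have to be cleared before the zone line in the file will take effect.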



  • 11.  RE: SSG5 -> SSG520 bgroup ports?

    Posted 07-16-2014 16:13

    I couldn't get 0/0 to work as Untrust, so I used vi and did a search and replace, made 0/2 Untrust and 0/0 Trust, and now it passes traffic 🙂

    The DMZ routing doesn't work, but at least I feel like I learned something that might help someone else out...

    I'll start a separate thread if I find something interesting on the DMZ routing; otherwise thanks for all the help, I appreciate it a lot!