Screen OS

  • 1.  ScreenOS and Junoscript

    Posted 10-21-2009 13:00

    I have a question about ScreenOS. Is it possible, using Junoscript, to control access to my internal network? For example, using a Perl script to connect to the firewall and give it a list of IPs which can pass the firewall.

     

    And one more question - is it possible for cheap old Juniper models like IC6000, NETSCREEN NS-050B-001, NetScreen-5XT VPN/Firewall NS-5XT-101 to be controlled by Junoscript? I suppose that the model is not important, the important part is the OS?

     

    Regards!

     



  • 2.  RE: ScreenOS and Junoscript

    Posted 10-21-2009 14:07

    JUNOScript runs on JUNOS routers - not the ScreenOS firewalls (with some exceptions with regard to the larger, newer models, which can be migrated to run JUNOS).



  • 3.  RE: ScreenOS and Junoscript

    Posted 10-21-2009 14:30

    OK, is it possible to control ScreenOS with a Perl script and to pass it the list of IPs? I suppose that it's possible to connect to the firewall via SSH?



  • 4.  RE: ScreenOS and Junoscript
    Best Answer

    Posted 10-21-2009 15:08

    Yes, you can connect to a ScreenOS device with SSH. That doesn't make it easy to write an interface for scripting, I'm afraid....



  • 5.  RE: ScreenOS and Junoscript

    Posted 10-22-2009 00:31

    Thank you!

    Actually I don't need an interface in my case. Would you show me an example of ScreenOS commands allowing only traffic from IPs in the firewall's list to pass the firewall?

    One more question - how many IPs can I store in ScreenOS (cheap firewall models)? Do you think it is going to be a problem if I insert, for example, 100+ IPs into ScreenOS?

     

    And something important - how must ScreenOS be configured: a new rule for every IP, or something less complicated, one rule which holds a list of IPs and everything else is dropped?

     

    Best wishes



  • 6.  RE: ScreenOS and Junoscript

    Posted 10-23-2009 01:45

    Policies in ScreenOS are configured from zone to zone, let's say from trust to untrust. You need to create an address book entry to use in the policy (rule).

     

    To create an address book entry:

     

    set address <zone> <name> <address>

     

    For the smallest SSGs there are the following maximums:

     

    - 125 policies

    - 512 address book entries per zone

    - 32 entries per address book group

     

    a policy looks like this:

     

    set policy from <zone> to <zone> <source zone address book entry> <dest zone address book entry> <service object> <nat src> permit log

     

    Example: my_host on 172.16.1.1 needs access to the internet (I'm in the trust zone, the internet is untrust), with source NAT and logging:

     

    set address trust my_host 172.16.1.1/32

    set policy from trust to untrust my_host any any nat src permit log

     

    This allows my host from trust to untrust, with source NAT.

     

    There's a lot more to tell, but this might give you an idea.
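    Putting the commands from the post above together, here is an added example (my own script, not code from this thread or from Juniper) that generates the ScreenOS configuration for an allow list from a plain list of source IPs: one address book entry per IP, entries packed 32 to an address group, one permit policy per group, and an explicit deny policy at the end so everything else from the zone is dropped and logged. It enforces the small-SSG limits quoted above (512 entries per zone, 32 members per group, 125 policies) before emitting anything. The zone names, the allowed_ naming scheme, the group naming and the sample 192.0.2.x addresses are assumptions for illustration, not part of the original post.

```python
"""Generate a ScreenOS allow-list (address entries, groups, policies).

Added example, not code from the thread. Names such as allowed_* and
the zone names are assumptions; the limits are the ones quoted in the
post for the smallest SSGs.
"""
import ipaddress

MAX_ADDR_PER_ZONE = 512   # address book entries per zone (from the post)
MAX_GROUP_MEMBERS = 32    # members per address group (from the post)
MAX_POLICIES = 125        # policies on the smallest SSGs (from the post)


def build_allowlist(ips, src_zone="trust", dst_zone="untrust",
                    prefix="allowed", service="ANY", nat_src=True):
    """Return the ScreenOS 'set' commands as a list of strings.

    Each IP becomes one host entry in src_zone; entries are packed
    MAX_GROUP_MEMBERS per address group; every group gets one permit
    policy; a closing deny policy drops and logs everything else; the
    list ends with 'save' so the config survives a reboot.
    Raises ValueError on bad input or when a quoted limit is exceeded.
    """
    # Validate and de-duplicate: IPv4Address rejects junk such as 10.0.0.999
    # (AddressValueError is a subclass of ValueError).
    addrs = sorted({ipaddress.IPv4Address(ip) for ip in ips}, key=int)
    if not addrs:
        raise ValueError("empty allow list")
    if len(addrs) > MAX_ADDR_PER_ZONE:
        raise ValueError(
            f"{len(addrs)} entries exceed the {MAX_ADDR_PER_ZONE}-per-zone limit")

    groups = [addrs[i:i + MAX_GROUP_MEMBERS]
              for i in range(0, len(addrs), MAX_GROUP_MEMBERS)]
    if len(groups) + 1 > MAX_POLICIES:   # +1 for the closing deny policy
        raise ValueError("too many policies for this platform")

    nat = " nat src" if nat_src else ""
    lines = []
    for gi, members in enumerate(groups, start=1):
        gname = f"{prefix}_grp{gi:02d}"          # assumed naming scheme
        lines.append(f'set group address {src_zone} "{gname}"')
        for a in members:
            name = f"{prefix}_{str(a).replace('.', '_')}"
            lines.append(
                f'set address {src_zone} "{name}" {a} 255.255.255.255')
            lines.append(f'set group address {src_zone} "{gname}" add "{name}"')
        # One policy per group: group members may reach dst_zone.
        lines.append(f'set policy from {src_zone} to {dst_zone} '
                     f'"{gname}" "Any" "{service}"{nat} permit log')
    # Explicit catch-all so non-listed sources are dropped and logged.
    lines.append(
        f'set policy from {src_zone} to {dst_zone} "Any" "Any" "ANY" deny log')
    lines.append("save")
    return lines


if __name__ == "__main__":
    # Constructed sample input; replace with your own list of IPs.
    sample = [f"192.0.2.{i}" for i in range(1, 41)]
    print("\n".join(build_allowlist(sample)))
```

    Paste the output into the CLI or push it over SSH (the thread confirms SSH access works); keep the trailing save, since ScreenOS only writes the running configuration to flash when told to. The generator is additive: an IP that drops off the list is not removed, so for a list that changes over time either unset the old entries explicitly or rebuild the groups from scratch.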



  • 7.  RE: ScreenOS and Junoscript

    Posted 10-24-2009 12:19

    Is it possible for ScreenOS to count the traffic per IP address - for example, to count the traffic for 192.168.1.1 and to send the number in an ICMP or SNMP packet to a MySQL server?



  • 8.  RE: ScreenOS and Junoscript

    Posted 10-25-2009 10:29

    You would need to create a policy to capture a specific IP or range of IPs - you could enable the count facility within the policy.



  • 9.  RE: ScreenOS and Junoscript

    Posted 10-25-2009 10:36
    And is it possible to send the traffic through the network using ICMP or another kind of packet to a remote server where the traffic can be stored per IP address?