Screen OS

  • 1.  Site 2 Site ipsec VPN conf. between juniper and a third party router

    Posted 09-23-2009 06:21

    I have read many examples but still can't make any sense of it. I have a 16-port interface card and I use two ISPs on one firewall.

    I have multiple zones and each zone is bound to an interface. I created my own zones, so when someone says untrust and trust

    it doesn't make any sense.

    How can I configure my firewall to be connected from another firewall or router via VPN?

    I'm very new on Juniper.

     

    My firewall is a Juniper SSG320M, FW = 6.0.0r4.0 firewall-vpn.

     

    Is there any manual which shows it on the web UI interface?

     

    Thanks a lot



  • 2.  RE: Site 2 Site ipsec VPN conf. between juniper and a third party router
    Best Answer

    Posted 09-23-2009 07:02

    Zones are very important to ScreenOS - they control traffic flows so you need to understand how they work. You can certainly create your own zones. Trust and untrust are built in and have certain "default" characteristics in terms of how they work.

     

    A common setup is to have your external I/F (ISP) connected to the untrust zone and an internal I/F connected to the trust. By default traffic is allowed to flow from trust to untrust and gets a NAT address for security purposes.

     

    Setting up a site-to-site VPN, you need to define your phase 1 and phase 2 proposals and then set up your policy (for a policy-based VPN). There is a very good wizard in the web GUI that can help get you started.

     

    It is hard to give you more specific advice without more details.



  • 3.  RE: Site 2 Site ipsec VPN conf. between juniper and a third party router

    Posted 09-23-2009 07:26

    I know the wizard, yeah; I'm just trying to understand the logic, getting confused with names, as you mentioned about zones.

    Yes, all my interfaces have their own zones, and all zones I created are in trust.vr. When I want to change them back to untrust,

    it asks me to remove the settings and then redo them. Would that also affect any related policies, or will it just work as before?

     

    Also, about the VPN: the case is that my firewall has to accept communication from a third-party router/network. Do I still have to go through all the VPN configuration? I mean it will only be incoming communication.

     

    Thanks a lot



  • 4.  RE: Site 2 Site ipsec VPN conf. between juniper and a third party router

    Posted 09-23-2009 07:32

    1- Yes - before you can remove I/F settings you need to change to null zone. Does not affect policies in place.

    2- trust.vr is actually a "virtual router (VR)" and that concept is separate from zones. Zones exist within a VR. I would not worry about VRs right now. Just make sure everything is in the trust.vr.

    3- If you have multiple I/Fs in the same zone (example trust) then by default traffic is allowed to flow between them.

    4- Otherwise traffic flows between zones require a policy.

    5- You do not need a VPN to have the box act as a regular FW/Router. Outbound traffic will flow (example trust to untrust) if policy is enabled. Inbound return traffic that matches an outbound flow will automatically be allowed in.

    6- If you want to allow new, inbound traffic you would need to create a policy (example untrust to trust) to allow that traffic in, using the address book and the other policy options to control the flow. Also that is when you get into more of the NAT use.
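    A minimal policy-based site-to-site VPN on ScreenOS that ties together the zone bindings, address book entries, phase 1/phase 2 proposals and the two inter-zone tunnel policies described in posts 2 and 4. This is an added illustration, not configuration from the thread or from Juniper; the interface names, addresses, object names and preshared key are assumed placeholders, and lines beginning with `#` are annotations rather than ScreenOS CLI syntax.

    ```text
    # Interfaces bound to zones (an interface belongs to exactly one zone)
    set interface ethernet0/0 zone "untrust"
    set interface ethernet0/0 ip 203.0.113.2/24
    set interface ethernet0/1 zone "trust"
    set interface ethernet0/1 ip 192.168.1.1/24
    set interface ethernet0/1 nat
    set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1

    # Address book entries: local LAN lives in trust, the partner network in untrust
    set address "trust" "lan_net" 192.168.1.0 255.255.255.0
    set address "untrust" "partner_net" 10.10.10.0 255.255.255.0

    # Phase 1: IKE gateway to the third-party peer, main mode, predefined
    # proposal pre-g2-aes128-sha (DH group 2, AES-128, SHA-1).
    # PLACEHOLDER_PSK is a placeholder; use a long random secret.
    set ike gateway "partner_gw" address 198.51.100.1 main outgoing-interface "ethernet0/0" preshare "PLACEHOLDER_PSK" proposal "pre-g2-aes128-sha"

    # Phase 2: IPsec SA using the predefined g2-esp-aes128-sha proposal (PFS group 2).
    set vpn "partner_vpn" gateway "partner_gw" proposal "g2-esp-aes128-sha"
    # Third-party peers frequently need an explicit proxy-id that matches their
    # own traffic selectors; otherwise ScreenOS derives it from the policy.
    set vpn "partner_vpn" proxy-id local-ip 192.168.1.0/24 remote-ip 10.10.10.0/24 "ANY"

    # Policies: inter-zone traffic needs a policy in each direction. "tunnel vpn"
    # sends matching traffic into the tunnel rather than NATing it to the ISP.
    # Keep the source/destination objects narrow; "ANY" is for illustration only.
    set policy id 10 from "trust" to "untrust" "lan_net" "partner_net" "ANY" tunnel vpn "partner_vpn" log
    set policy id 11 from "untrust" to "trust" "partner_net" "lan_net" "ANY" tunnel vpn "partner_vpn" log

    # Checks: phase 1 state, active phase 2 SAs, and the inbound policy hit counts
    get ike cookie
    get sa active
    get policy id 11
    ```

    The inbound policy (id 11) is what post 4's point 6 refers to: without it, only return traffic matching an existing outbound session is admitted from untrust.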



  • 5.  RE: Site 2 Site ipsec VPN conf. between juniper and a third party router

    Posted 10-14-2009 18:42

    Hi:

     

    I have one question about the customized zone: the zone's features, like Screen, can be set up. However, could it inherit the properties from the "Trust", "DMZ", or "Untrust" zone? Especially the security level definition?

     

    Thanks for any suggestion.



  • 6.  RE: Site 2 Site ipsec VPN conf. between juniper and a third party router

    Posted 10-16-2009 15:46

    There is no inheritance capability - screen features need to be configured on a zone by zone basis.