ScreenOS Firewalls (NOT SRX)
Visitor
DrewCooper
Posts: 5
Registered: ‎01-04-2009
0

Subscription updates via proxy

I'm setting up a couple of new SSG-140 devices running Screen OS 6.2.0.  These devices will be operating to isolate a couple of network enclaves from our main network.  As such they're located behind our corporate security perimeter, and are unable to connect to the Internet, except via a Proxy server.

 

I'm new to configuring these devices.  Everything I've read so far, in the documentation and knowledge base, tells me that the device must have a direct connection to the Internet (not via a proxy) in order to retrieve subscription updates from the entitlement server (I've subscribed to AV and DI signatures).  I was wondering if there might be some kind of work-around to enable me to get the updates even though I'm behind a proxy.  I'd be happy with even a kludgey, manual process, if that's what's necessary.

 

Thanks, in advance.

Contributor
fharoon
Posts: 51
Registered: ‎06-21-2008
0

Re: Subscription updates via proxy


This is an excerpt from the user guide regarding this:

 

---------------

 

1. Downloading the Signature Pack

To save the signature pack to your local server, enter the following URL in the address field of your browser. See Table 6 on page 125 for a list of predefined signatures packs and the corresponding URLs.

https://services.netscreen.com/restricted/sigupdates/5.4/ns200/attacks.bin?sn=0043012001000213

Save attacks.bin to the local directory “C:\netscreen\attacks-db” (for loading via the WebUI) or to your TFTP server directory C:\Program Files\TFTP Server (when you want to use the CLI to load it).

 

2. Updating the Signature Pack

WebUI

Configuration > Update > Attack Signature: Enter the following, then click OK:

Deep Inspection Signature Update:

Load File: Enter C:\netscreen\attacks-db\attacks.bin

Or

Click Browse and navigate to that directory, select attacks.bin, then click Open.

If you downloaded the server, client, or worm protection signature packs, then enter the appropriate filename.

CLI

save attack-db from tftp 10.1.1.5 attacks.bin to flash

 

 

Updating DI Patterns from a Proxy Server

You can update the DI patterns from a proxy server. This update does not require Internet connectivity and is done offline.

To configure a proxy server:

WebUI

Security > Proxy: Set the HTTP and SSL proxy addresses, then click Apply:

HTTP Proxy: 10.0.0.5:8080

SSL Proxy: 10.0.0.5:443

CLI

set pattern-update proxy http 10.0.0.5:8080

save

NOTE: You cannot configure an HTTPs proxy, because you cannot cache an HTTPs proxy.

 

------------

 

The AV update procedure can be found on Pg 81 - Volume 4 of the ScreenOS 6.2 Reference Guide. 

 

I was once stuck in the same situation as yours while trying to upgrade the license entitlement for an ISG running 5.x code.

The customer was a large university forcing all internet access through a proxy server (non-transparent). What I did was set up the proxy on my laptop and connected to the internet using wireless. Then I used the 'Internet Connection Sharing' (ICS) feature in Windows XP to let the ISG box access the internet through me. Was pretty annoying to set up, but it worked like a charm.

 

Regards

 

Farrukh

Message Edited by fharoon on 01-06-2009 08:32 AM
Message Edited by fharoon on 01-06-2009 09:03 AM
Message Edited by fharoon on 01-06-2009 09:06 AM
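The manual download-then-TFTP procedure quoted in the reply above can be scripted from a workstation that is allowed through the proxy. The sketch below is an added example, not part of the original posts or of Juniper's documentation. It assumes the URL path is version/platform/pack (inferred from the single URL in the excerpt), uses a placeholder proxy address, and adds a check for the common case where a proxy answers with an HTML page instead of the file.

```python
import hashlib
import os
import tempfile
import urllib.request

BASE = "https://services.netscreen.com/restricted/sigupdates"  # from the guide excerpt


def build_url(version, platform, serial, pack="attacks.bin"):
    # Assumption: <version>/<platform>/<pack>?sn=<serial>, inferred from the one quoted URL.
    return f"{BASE}/{version}/{platform}/{pack}?sn={serial}"


def looks_like_proxy_page(body):
    # A blocked or unauthenticated request often comes back as an HTML or empty body.
    head = body[:512].lstrip().lower()
    return len(body) == 0 or head.startswith((b"<!doctype", b"<html", b"<?xml"))


def fetch_via_proxy(url, proxy):
    # HTTPS URLs are tunnelled through the HTTP proxy with CONNECT.
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    with opener.open(url, timeout=60) as resp:
        body = resp.read()
        ctype = resp.headers.get("Content-Type", "")
    if ctype.startswith("text/html") or looks_like_proxy_page(body):
        raise ValueError("received a web page, not a signature pack; do not load it")
    return body


def stage_for_tftp(body, tftp_dir, name="attacks.bin"):
    # Write to a temp file and rename, so the firewall never pulls a partial file.
    fd, tmp = tempfile.mkstemp(dir=tftp_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(body)
    os.chmod(tmp, 0o644)  # readable by the TFTP service
    dest = os.path.join(tftp_dir, name)
    os.replace(tmp, dest)
    return dest, hashlib.sha256(body).hexdigest()  # record the hash with the change


if __name__ == "__main__":
    url = build_url("5.4", "ns200", "0043012001000213")  # values from the excerpt
    pack = fetch_via_proxy(url, "http://proxy.example.internal:8080")  # placeholder proxy
    print(stage_for_tftp(pack, r"C:\Program Files\TFTP Server"))
    # Then on the firewall: save attack-db from tftp 10.1.1.5 attacks.bin to flash
```

Substitute the version, platform and serial number for your own device from the URL table the guide refers to; the values shown are the ones in the quoted excerpt.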