ScreenOS Firewalls (NOT SRX)
Contributor
Ayush
Posts: 30
Registered: ‎02-21-2009

Timing out the connectivity

Hi,

I was trying to stop the internet connectivity to my LAN after regular office hours. I made a policy and tried to implement it, but it shows no sign of working. I am using an SSG140. Please help me define the period during which internet access is provided in the given time slot.

Ayush Subedi
Distinguished Expert
Screenie
Posts: 1,073
Registered: ‎01-10-2008

Re: Timing out the connectivity

This is how it should work:

- Set the clock on the firewall, best with NTP

- Define a schedule in the policy elements (objects pre 6.0) menu

- Apply this schedule to the policy in the advanced menu

- Make sure the traffic isn't allowed by another policy

It never fails, the schedules!

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

If this worked for you please flag my post as an "Accepted Solution" so others can benefit. A kudo would be cool if you think I earned it.
Contributor
Ayush
Posts: 30
Registered: ‎02-21-2009

Re: Timing out the connectivity

Hi!

Thanks a lot for the reply.

I'm sorry, I mistakenly clicked on "Accepted Solution".

I did as you suggested but it is not working. I made a schedule from 10 AM to 5 PM and applied it to the policy.

Ayush Subedi
Distinguished Expert
Screenie
Posts: 1,073
Registered: ‎01-10-2008

Re: Timing out the connectivity

Are you sure you're looking at the right policy? You can verify by generating a session list with "get session dst-ip IP" in the CLI and looking at the policy:

ssg5-serial-> get ses
alloc 6/max 16064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 16058
id 16001/s**,vsys 0,flag 08000000/0000/0001,policy 1,time 180, dip 2 module 0
 if 11(nspflag 801801):10.1.75.250/2447->10.92.1.5/1347,6,00114352bfcb,sess token 4,vlan 0,tun 0,vsd 0,route 3,wsf 0
 if 0(nspflag 10801800):10.92.10.8/2732<-10.92.1.5/1347,6,001422134a4c,sess token 6,vlan 0,tun 0,vsd 0,route 1,wsf 0

It should show the policy ID of the one you are placing the schedule on.

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

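The session-list check Screenie describes above, as an added example that is not from the post or from Juniper: a small Python parser for the "get session" output format quoted above. It pulls the policy id and the original source/destination out of each session and filters by destination IP, which is the question "get session dst-ip IP" answers on the box. The sample text is constructed from the output quoted above plus one made-up session (id 16002, host 192.168.1.51 to 203.0.113.10, matched by policy 8) so the filter has two candidates; the names parse_sessions and policies_for_dst are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the "get session" output quoted in the post above, plus
# one extra session (id 16002, policy 8, 192.168.1.51 -> 203.0.113.10) so that
# filtering by destination has more than one candidate. 203.0.113.10 is a
# documentation address standing in for an internet host.
SAMPLE_OUTPUT = """\
ssg5-serial-> get ses
alloc 6/max 16064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 16058
id 16001/s**,vsys 0,flag 08000000/0000/0001,policy 1,time 180, dip 2 module 0
 if 11(nspflag 801801):10.1.75.250/2447->10.92.1.5/1347,6,00114352bfcb,sess token 4,vlan 0,tun 0,vsd 0,route 3,wsf 0
 if 0(nspflag 10801800):10.92.10.8/2732<-10.92.1.5/1347,6,001422134a4c,sess token 6,vlan 0,tun 0,vsd 0,route 1,wsf 0
id 16002/s**,vsys 0,flag 08000000/0000/0001,policy 8,time 1800, dip 0 module 0
 if 11(nspflag 801801):192.168.1.51/51234->203.0.113.10/80,6,00114352bfcb,sess token 4,vlan 0,tun 0,vsd 0,route 3,wsf 0
 if 0(nspflag 10801800):202.52.247.92/51234<-203.0.113.10/80,6,001422134a4c,sess token 6,vlan 0,tun 0,vsd 0,route 1,wsf 0
"""

# "id 16001/s**,vsys 0,flag 08000000/0000/0001,policy 1,time 180, ..."
HEADER_RE = re.compile(
    r"^id (?P<id>\d+)/[^,]*,vsys (?P<vsys>\d+),flag [^,]*,"
    r"policy (?P<policy>\d+),time (?P<time>\d+)"
)
# " if 11(nspflag 801801):10.1.75.250/2447->10.92.1.5/1347,6,..."
WING_RE = re.compile(
    r"^\s*if (?P<ifnum>\d+)\(nspflag [0-9a-fA-F]+\):"
    r"(?P<a_ip>[\d.]+)/(?P<a_port>\d+)(?P<dir>->|<-)"
    r"(?P<b_ip>[\d.]+)/(?P<b_port>\d+),(?P<proto>\d+),"
)


@dataclass
class Session:
    id: int
    policy: int
    time: int
    src_ip: str = ""
    src_port: int = 0
    dst_ip: str = ""
    dst_port: int = 0
    proto: int = 0


def parse_sessions(text: str) -> List[Session]:
    """Parse ScreenOS 'get session' output into Session records."""
    sessions: List[Session] = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = Session(int(m["id"]), int(m["policy"]), int(m["time"]))
            sessions.append(current)
            continue
        m = WING_RE.match(line)
        if m and current is not None and m["dir"] == "->":
            # The "->" wing carries the original source and destination; the
            # "<-" wing is the reverse (possibly NAT-translated) direction.
            current.src_ip, current.src_port = m["a_ip"], int(m["a_port"])
            current.dst_ip, current.dst_port = m["b_ip"], int(m["b_port"])
            current.proto = int(m["proto"])
    return sessions


def policies_for_dst(sessions: List[Session], dst_ip: str) -> List[int]:
    """Policy ids of all sessions towards dst_ip, like 'get session dst-ip IP'."""
    return sorted({s.policy for s in sessions if s.dst_ip == dst_ip})


if __name__ == "__main__":
    for s in parse_sessions(SAMPLE_OUTPUT):
        print(f"session {s.id}: policy {s.policy} "
              f"{s.src_ip}:{s.src_port} -> {s.dst_ip}:{s.dst_port} proto {s.proto}")
```

Paste captured CLI output in place of the sample; if the session from the scheduled host reports a policy id other than the one the schedule was applied to, some other policy is matching first.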
Contributor
Ayush
Posts: 30
Registered: ‎02-21-2009

Re: Timing out the connectivity


Hi Screenie,

Sorry for the late reply. Well, as you guessed, it is not going through that policy. It is selecting a different policy to move the packets. What I did was:

1. I made an address "time_test" with the IP 192.168.1.51/32

2. I put it in the policy as the source address.

3. I made a schedule

4. I went to the advanced properties of the policy and added the schedule.

Here is the config file:

 

set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/5" zone "Trust"
set interface "ethernet0/6" zone "Untrust"
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
unset interface vlan1 ip
set interface ethernet0/0 ip 202.52.247.92/29
set interface ethernet0/0 route
set interface ethernet0/1 ip 192.168.10.1/24
set interface ethernet0/1 nat
set interface ethernet0/5 ip 192.168.101.4/24
set interface ethernet0/5 nat
set interface bgroup0 ip 192.168.1.1/24
set interface bgroup0 nat
set interface ethernet0/0 gateway 202.52.247.89
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface ethernet0/1 ip manageable
set interface ethernet0/5 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/1 manage telnet
set interface ethernet0/1 manage snmp
set interface ethernet0/1 manage web
unset interface ethernet0/5 manage ssh
unset interface ethernet0/5 manage telnet
unset interface ethernet0/5 manage snmp
unset interface ethernet0/5 manage ssl
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server option gateway 192.168.1.1
set interface bgroup0 dhcp server option netmask 255.255.255.0
set interface bgroup0 dhcp server ip 192.168.1.33 to 192.168.1.126
unset interface bgroup0 dhcp server config next-server-ip
set interface "ethernet0/1" mip 192.168.10.5 host 202.52.247.93 netmask 255.255.255.248 vr "trust-vr"
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set zone "V1-Trust" webauth
set flow tcp-mss
unset flow no-tcp-seq-check
set flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set pki x509 dn state-name "Bagmati"
set pki x509 dn local-name "Nepal"
set pki x509 dn org-name "ISSN"
set pki x509 dn org-unit-name "System"
set pki x509 dn name "Ayush"
set pki x509 dn phone "9841671627"
set pki x509 dn email "amsubedi@gmail.com"
set pki x509 dn ip 202.52.247.92
set pki x509 default send-to "s_ayush@iss-nepal.com"
set dns host dns1 202.52.255.3 src-interface ethernet0/0
set dns host dns2 202.52.255.47 src-interface ethernet0/0
set dns host dns3 0.0.0.0
set dns host schedule 06:28
set address "Trust" "allow1" 192.168.1.100 255.255.255.252
set address "Trust" "allow2" 192.168.1.104 255.255.255.248
set address "Trust" "allow3" 192.168.1.192 255.255.255.248
set address "Trust" "allow4" 192.168.1.112 255.255.255.240
set address "Trust" "allow5" 192.168.1.128 255.255.255.192
set address "Trust" "allow6" 192.168.1.200 255.255.255.255
set address "Trust" "Allowed" 192.168.1.10 255.255.255.255
set address "Trust" "disllowed" 192.168.1.1 255.255.255.0
set address "Trust" "MSN CHAT" 65.54.186.47 255.255.255.0
set address "Trust" "MSN CHAT II" 64.4.13.0 255.255.255.0
set address "Trust" "Roji" 192.168.101.12 255.255.255.255 "on dilip sir's recommend"
set address "Trust" "TIme_test" 192.168.1.51 255.255.255.255
set address "Untrust" "time_test_1" 192.168.1.51 255.255.255.255
set group address "Trust" "Access_2_All"
set group address "Trust" "Access_2_All" add "Allowed"
set group service "group1"
set group service "group1" add "MS-MESSENGER"
set group service "group1" add "YMSG"
set user "Ayush" uid 1
set user "Ayush" ike-id asn1-dn wildcard "CN=,OU=,O=ISSN,L=Teku,ST=Bagmati,C=Nepal,Email=amsubedi@gmail.com,DC=," share-limit 1
set user "Ayush" type  auth ike
set user "Ayush" password "3mIvgS3eNat85LseVFCN2QUkBZnji8/Jgw=="
set user "Ayush" "enable"
set user "issn" uid 2
set user "issn" type  xauth
set user "issn" password "ktn/IZFwNVixf/s1geCLsY3S63nOX413mA=="
unset user "issn" type auth
set user "issn" "enable"
set user-group "Administrators" id 1
set user-group "Administrators" user "Ayush"
set user-group "issn_1" id 2
set user-group "issn_1" user "issn"
set ike respond-bad-spi 1
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set dip sticky
set dip alarm-raise 50 alarm-clear 40
set scheduler "timeout_internet" recurrent sunday start 10:0 stop 12:0 start 12:45 stop 16:0 comment "Testing testing..."
set scheduler "timeout_internet" recurrent monday start 10:0 stop 12:0 start 12:45 stop 16:0 comment "Testing testing..."
set scheduler "timeout_internet" recurrent tuesday start 10:0 stop 12:0 start 12:45 stop 16:0 comment "Testing testing..."
set scheduler "timeout_internet" recurrent wednesday start 10:0 stop 12:44 start 12:45 stop 16:0 comment "Testing testing..."
set scheduler "timeout_internet" recurrent thursday start 10:0 stop 12:0 start 12:45 stop 16:0 comment "Testing testing..."
set scheduler "timeout_internet" recurrent friday start 10:0 stop 12:0 start 12:45 stop 16:0 comment "Testing testing..."
set scheduler "timeout_internet" recurrent saturday start 10:0 stop 12:0 start 12:45 stop 16:0 comment "Testing testing..."
set attack group "CS:Chat Block"
set attack "CS:yahoo" ymsg-alias not "message" severity low
set attack group "CS:blocking_yahoo_chat"
set attack "CS:MSN" msn-sign-in-name not "@hotmail.com" severity critical
set attack group "CS:Chat Block" add "CS:yahoo"
set attack group "CS:Chat Block" add "CS:MSN"
set attack group "CS:Chat Block" add "CS:blocking_yahoo_chat"
set attack group "CS:blocking_yahoo_chat" add "CS:yahoo"
set attack db sigpack client
set attack db mode Update
set attack db schedule daily 10:30
set di service YMSG max_yahoo_message 200
set di service YMSG max_user_name 1
set di service MSN max_user_name 1
set di service MSN max_display_name 1
set di service MSN max_group_name 1
set av http trickling default
set av scan-mgr corrupt-file drop
set url protocol type sc-cpa
set url protocol sc-cpa
set category "Alowed" url "gmail.com/"
set category "Alowed" url "mail.google.com/mail"
set category "Alowed" url "www.gmail.com/"
set category "Alowed" url "www.hotmail.com/"
set category "Alowed" url "www.yahoo.com/"
set category "MSN" url "appdirectory.messenger.msn.com/"
set category "MSN" url "c.msn.com/"
set category "MSN" url "config.messenger.msn.com/"
set category "MSN" url "contacts.msn.com/"
set category "MSN" url "crl.microsoft.com/"
set category "MSN" url "edge.messenger.live.com/"
set category "MSN" url "g.msn.com/"
set category "MSN" url "gateway.messenger.hotmail.com/"
set category "MSN" url "images.messenger.msn.com/"
set category "MSN" url "messenger.hotmail.com/"
set category "MSN" url "messenger.msn.com/"
set category "MSN" url "ows.messenger.msn.com/"
set category "MSN" url "rad.msn.com/"
set category "MSN" url "relay.messenger/"
set category "MSN" url "relay.voice.messenger.msn.com/"
set category "MSN" url "rsi.hotmail.com/"
set category "MSN" url "spaces.live.com/"
set category "MSN" url "sqm.microsoft.com/"
set category "MSN" url "storage.msn.com/"
set category "MSN" url "sup.live.com/"
set category "MSN_2" url "207.46.113.218/"
set category "MSN_2" url "209.73.168.74/"
set category "MSN_2" url "64.4.15.61/"
set category "MSN_2" url "64.54.186.47/"
set category "MSN_2" url "65.54.165.179/"
set category "MSN_2" url "65.54.186.17/"
set category "MSN_2" url "65.54.186.49/"
set category "MSN_2" url "65.54.186.79/"
set category "MSN_2" url "svcs.microsoft.com/svcs/mms/tabs.asp"
set category "MSN_2" url "vp.sip.messenger.msn.com/"
set category "MSN_2" url "www.moviespack.com/"
set profile "Ayush_untrust" "MSN_2" block
set profile "Ayush_untrust" "MSN" block
set profile "Ayush_untrust" "Alowed" permit
set profile "Ayush_untrust" "Games" block
set profile "Ayush_untrust" "Adult/Sexually Explicit" block
set profile "Ayush_untrust" "Hosting Sites" block
set profile "Ayush_untrust" "Gambling" block
set profile "Ayush_untrust" "Advertisements" block
set profile "Ayush_untrust" "Glamour & Intimate Apparel" block
set profile "Ayush_untrust" "Government & Politics" block
set profile "Ayush_untrust" "Lifestyle & Culture" block
set profile "Ayush_untrust" "Remote Proxies" block
set profile "Ayush_untrust" "Sex Education" block
set profile "Ayush_untrust" "Job Search & Career Development" block
set profile "Ayush_untrust" "Chat" block
set profile "Ayush" "Adult/Sexually Explicit" block
set profile "Ayush" "Arts & Entertainment" permit
set profile "Ayush" "Chat" permit
set profile "Ayush" "Computing & Internet" permit
set profile "Ayush" "Criminal Skills" block
set profile "Ayush" "Drugs, Alcohol & Tobacco" block
set profile "Ayush" "Education" permit
set profile "Ayush" "Finance & Investment" permit
set profile "Ayush" "Food & Drink" permit
set profile "Ayush" "Gambling" block
set profile "Ayush" "Games" block
set profile "Ayush" "Glamour & Intimate Apparel" permit
set profile "Ayush" "Government & Politics" permit
set profile "Ayush" "Hacking" block
set profile "Ayush" "Hate Speech" block
set profile "Ayush" "Health & Medicine" permit
set profile "Ayush" "Hobbies & Recreation" permit
set profile "Ayush" "Hosting Sites" permit
set profile "Ayush" "Job Search & Career Development" permit
set profile "Ayush" "Kids Sites" permit
set profile "Ayush" "Lifestyle & Culture" permit
set profile "Ayush" "Motor Vehicles" permit
set profile "Ayush" "News" permit
set profile "Ayush" "Personals & Dating" block
set profile "Ayush" "Photo Searches" permit
set profile "Ayush" "Real Estate" permit
set profile "Ayush" "Reference" permit
set profile "Ayush" "Religion" permit
set profile "Ayush" "Search Engines" permit
set profile "Ayush" "Sex Education" block
set profile "Ayush" "Shopping" permit
set profile "Ayush" "Sports" permit
set profile "Ayush" "Streaming Media" permit
set profile "Ayush" "Travel" permit
set profile "Ayush" "Usenet News" permit
set profile "Ayush" "Violence" block
set profile "Ayush" "Weapons" block
set enable
set log all
set server asia
exit
set anti-spam profile ns-profile
 set sbl default-server enable
exit
set policy id 12 from "Trust" to "Untrust"  "TIme_test" "Any" "ANY" permit schedule "timeout_internet" log url-filter
set policy id 12
set url protocol sc-cpa profile "Ayush_untrust"
exit
set policy id 11 from "Trust" to "Untrust"  "allow1" "Any" "ANY" nat src permit schedule "timeout_internet" log no-session-backup
set policy id 11 av "ns-profile"
set policy id 11 anti-spam ns-profile
set policy id 11
set src-address "Roji"
set log session-init
exit
set policy id 1 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit url-filter
set policy id 1 av "ns-profile"
set policy id 1 anti-spam ns-profile
set policy id 1
set url protocol sc-cpa profile "Ayush_untrust"
exit
set policy id 8 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log url-filter
set policy id 8 attack "INFO:VIRUS:SIGS" action drop ip-action "notify" target "serv" timeout 60
set policy id 8
set attack "LOW:SPYWARE:SIGS" action "drop" ip-action "notify" target "serv" timeout 60
set attack "CRITICAL:HTTP:ANOM" action "drop" ip-action "block" target "serv" timeout 60
set attack "HIGH:VIRUS:SIGS" action "drop" ip-action "block" target "serv" timeout 60
set attack "HIGH:POP3:SIGS" action "drop" ip-action "block" target "serv" timeout 60
set attack "HIGH:IMAP:SIGS" action "drop" ip-action "block" target "serv" timeout 60
set attack "MEDIUM:POP3:SIGS" action "drop" ip-action "block" target "serv" timeout 60
set attack "CRITICAL:HTTP:SIGS" action "drop" ip-action "block" target "serv" timeout 60
set attack "HIGH:SMTP:ANOM" action "drop" ip-action "block" target "serv" timeout 60
set attack "INFO:P2P:SIGS" action "drop" ip-action "block" target "serv" timeout 60
set attack "HIGH:FTP:SIGS" action "drop" ip-action "block" target "serv" timeout 60
set attack "HIGH:TROJAN:SIGS" action "drop" ip-action "block" target "serv" timeout 60
exit
set policy id 8 av "ns-profile"
set policy id 8 anti-spam ns-profile
set policy id 8
set url protocol sc-cpa profile "Ayush_untrust"
exit
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "YMSG" deny
set policy id 2
exit
set policy id 3 from "Trust" to "Untrust"  "disllowed" "Any" "ANY" deny
set policy id 3
exit
set policy id 9 from "Trust" to "Untrust"  "MSN CHAT" "Any" "GNUTELLA" deny
set policy id 9
set service "MS-MESSENGER"
set service "MSN"
set service "YMSG"
exit
set policy id 13 from "Trust" to "Untrust"  "allow6" "Any" "ANY" permit
set policy id 13
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
Message Edited by Ayush on 04-01-2009 12:22 AM
Message Edited by Ayush on 04-01-2009 12:24 AM
Ayush Subedi
Distinguished Expert
Screenie
Posts: 1,073
Registered: ‎01-10-2008

Re: Timing out the connectivity

As far as I can see, you forgot to block the traffic before it is allowed by the trust to untrust any any any permit.

So, two choices:

Above the any any, write a policy that blocks, with the schedule set to the block times.

Or, if you write an allow policy (like you did), add one just below it with the same source, destination and protocol and an explicit deny. Otherwise the policy with the schedule won't allow it, but the last any any any will!

Just hope I'm clear on this?

best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

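Screenie's two answers (the schedule procedure earlier in the thread and the ordering fix just above), as an added example that is not part of the thread and not ScreenOS code: a Python model of first-match policy lookup with a recurrent schedule. It uses the scheduler "timeout_internet" and the Trust-to-Untrust policies 12 and 8 from Ayush's posted config (the other policies are left out because they sit below the any-any policy 8 and are never reached), and shows why the scheduled host is still permitted by policy 8 outside the schedule, and how an explicit deny placed directly below the scheduled permit closes that. Policy id 14, the test date 2009-04-01 and the destination 203.0.113.10 are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass(frozen=True)
class Policy:
    id: int
    src: str            # source CIDR; "0.0.0.0/0" stands for ScreenOS "Any"
    dst: str            # destination CIDR
    service: str        # "ANY" or a single service name
    action: str         # "permit" or "deny"
    schedule: str = ""  # scheduler name, "" when the policy has no schedule


# Scheduler "timeout_internet" from the posted config: weekday (Monday=0) ->
# [(start, stop), ...] in zero-padded "HH:MM", so string comparison orders them.
SCHEDULES = {
    "timeout_internet": {
        day: [("10:00", "12:00"), ("12:45", "16:00")] for day in range(7)
    }
}
SCHEDULES["timeout_internet"][2] = [("10:00", "12:44"), ("12:45", "16:00")]  # wednesday


def schedule_active(name: str, when: datetime) -> bool:
    """True if 'when' falls inside any window of the named scheduler."""
    hhmm = when.strftime("%H:%M")
    return any(start <= hhmm < stop
               for start, stop in SCHEDULES[name].get(when.weekday(), []))


def matches(p: Policy, src_ip: str, dst_ip: str, service: str) -> bool:
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(p.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(p.dst)
            and p.service in ("ANY", service))


def evaluate(policies, src_ip, dst_ip, service, when_str):
    """First-match lookup down the ordered policy list.

    A scheduled policy is skipped altogether outside its schedule, so the lookup
    falls through to whatever comes next (as Screenie describes above). Returns
    (action, policy id), or ("deny", None) for the implicit default deny.
    """
    when = datetime.strptime(when_str, "%Y-%m-%d %H:%M")
    for p in policies:
        if p.schedule and not schedule_active(p.schedule, when):
            continue
        if matches(p, src_ip, dst_ip, service):
            return p.action, p.id
    return "deny", None


ANY = "0.0.0.0/0"
# Trust->Untrust policies from the posted config, in lookup order (12 then 8).
ORIGINAL_POLICIES = [
    Policy(12, "192.168.1.51/32", ANY, "ANY", "permit", "timeout_internet"),
    Policy(8, ANY, ANY, "ANY", "permit"),
]
# The fix Screenie suggests: same source/destination/service, explicit deny,
# placed directly below the scheduled permit. Policy id 14 is a hypothetical
# free id chosen for this example.
FIXED_POLICIES = [
    ORIGINAL_POLICIES[0],
    Policy(14, "192.168.1.51/32", ANY, "ANY", "deny"),
    ORIGINAL_POLICIES[1],
]

if __name__ == "__main__":
    # 2009-04-01 is a Wednesday; 203.0.113.10 is a constructed internet host.
    for when in ("2009-04-01 11:00", "2009-04-01 18:00"):
        print(when,
              "original:", evaluate(ORIGINAL_POLICIES, "192.168.1.51", "203.0.113.10", "HTTP", when),
              "fixed:", evaluate(FIXED_POLICIES, "192.168.1.51", "203.0.113.10", "HTTP", when))
```

The deny only affects the scheduled host: any other Trust address still falls through to policy 8, which is why the fix has to repeat the same source, destination and service as the scheduled permit rather than deny everything.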