Screen OS


Transparent setup problem NS5GT

  • 1.  Transparent setup problem NS5GT

    Posted 07-15-2008 07:10

    I have 3 servers that have static IPs from my ISP. I have a Netscreen 100 that is in Transparent mode. I'd like to take the Netscreen 100 out of the network and place the 5GT in place of it. Can I get this NS 5GT in transparent mode, or is there a better way of doing it?



  • 2.  RE: Transparent setup problem NS5GT

    Posted 07-15-2008 07:54
    It's possible to put the NS-5GT in Transparent mode with several limitations, i.e. NAT, PAT, policy-based NAT, virtual IP, mapped IP, OSPF, BGP, RIPv2, and IP address assignment won't work.

    From my understanding your setup is simple and uses none of these features.

    Message Edited by Nascar on 07-15-2008 06:55 PM


  • 3.  RE: Transparent setup problem NS5GT

    Posted 07-15-2008 08:17
    In transparent mode, will I still be able to do deep packet inspection and stop attacks?


  • 4.  RE: Transparent setup problem NS5GT

    Posted 07-15-2008 09:55

    @demarc wrote:
    In transparent mode, will I still be able to do deep packet inspection and stop attacks?
    Yes


  • 5.  RE: Transparent setup problem NS5GT

    Posted 07-15-2008 10:14

    This is what I have set up.

    I have Home and Work port mode up and working.

    Untrusted eth3 IP is 0.0.0.0

    Home eth2 IP is 192.168.177.2 (this is my admin port)

    Work eth1 IP is 0.0.0.0

    I have policies for:

    Untrust to Work: any source, any destination and any service

    Work to Untrust: any source, any destination and any service

    Am I missing something? I read the "man" and it talks about a route for the trust-vr, so I added a route 0.0.0.0 to gateway 209.0.0.0 for interface eth3.

    Am I on the right track.... or did I really mess it up?



  • 6.  RE: Transparent setup problem NS5GT

    Posted 07-15-2008 10:36

    demarc,

     

    you might want to check this guide: http://www.juniper.net/techpubs/software/screenos/screenos5.4.0/CE_v2.pdf

    page 95 and below; it gives a good picture of configuring ScreenOS in Transparent mode

     

    Regards,



  • 7.  RE: Transparent setup problem NS5GT

    Posted 07-15-2008 11:29

    I looked it over; it's the same doc that I have. I'm not worried about the VLAN managing the unit since I have eth2 set up, but when I tried to run this command "set interface eth1 zone v1-trust" I get an error.

    Here is what eth1 looks like:


    Interface ethernet1:
      number 2, if_info 176, if_index 0, mode nat
      link up, phy-link up/full-duplex
      vsys Root, zone Work, vr trust-vr
      dhcp client disabled
      PPPoE disabled
      admin mtu 1500
      *ip 0.0.0.0/0   mac 0010.db3e.2102
      *manage ip 0.0.0.0, mac 0010.db3e.2102
      ping enabled, telnet disabled, SSH disabled, SNMP disabled
      web disabled, ident-reset disabled, SSL disabled
      DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
      OSPF disabled  BGP disabled  RIP disabled  mtrace enabled
      PIM: not configured  IGMP not configured
      bandwidth: physical 100000kbps, configured 0kbps, current 0kbps
                 total configured gbw 0kbps, total allocated gbw 0kbps
      DHCP-Relay disabled
      DHCP-server disabled


    Can I do transparent mode with the 5GT set to Home and Work mode, or will I have to upgrade to Extended so that I can have a true DMZ?




  • 8.  RE: Transparent setup problem NS5GT

    Posted 07-15-2008 20:23

    Ok, I tore it down and rebuilt it. It is now in Trust and Untrust mode and I did follow the file that you linked me. I still cannot ping the gateway or the servers from the NS5GT. It's like the Trust and the Untrust are not linked together. But I built policies. Here is the config; tell me what you think.


    set clock timezone 0
    set vrouter trust-vr sharable
    unset vrouter "trust-vr" auto-route-export
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "netscreen"
    set admin password "XXXXXXXXXXXXXXXXXXXXXXXX"
    set admin telnet port XXX
    set admin http redirect
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Trust" tcp-rst 
    set zone "Untrust" block 
    unset zone "Untrust" tcp-rst 
    set zone "MGT" block 
    set zone "VLAN" block 
    set zone "VLAN" tcp-rst 
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    set zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    set zone "V1-Untrust" screen land
    set interface "trust" zone "V1-Trust"
    set interface "untrust" zone "V1-Untrust"
    set interface vlan1 ip 192.168.XXX.XX/24
    set interface untrust mtu 1500
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface vlan1 ip manageable
    set flow tcp-mss
    unset flow tcp-syn-check
    set hostname ns5gt
    set dns host dns1 4.1.1.1
    set dns host schedule 06:28
    set address "V1-Trust" "HTTP_Server" 209.XXX.XXX.XXX 255.255.255.248
    set ike respond-bad-spi 1
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set url protocol sc-cpa
    exit
    set policy id 1 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "ANY" permit 
    set policy id 1
    exit
    set policy id 2 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "ANY" permit 
    set policy id 2
    exit
    set policy id 3 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "ANY" permit 
    set policy id 3
    exit
    set policy id 4 from "V1-Untrust" to "V1-Trust"  "Any" "HTTP_Server" "HTTP" permit 
    set policy id 4
    exit
    set global-pro policy-manager primary outgoing-interface untrust
    set global-pro policy-manager secondary outgoing-interface untrust
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    set dl-buf size 7340032
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    unset add-default-route
    set route  192.168.177.0/24 interface vlan1 gateway 192.168.177.251
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

    The XXX is just blanked out.

    Rob C




  • 9.  RE: Transparent setup problem NS5GT

    Posted 07-16-2008 21:50
    You shouldn't need a route entry if the vlan1 IP is on the same network as the gateway. Is the firewall plugged into the gateway?


  • 10.  RE: Transparent setup problem NS5GT

    Posted 07-16-2008 22:11
    You might want to add the static route 0.0.0.0/0 to your default gateway IP.


  • 11.  RE: Transparent setup problem NS5GT

    Posted 07-17-2008 12:31

    When I add the route it only gives me these choices:

    ns5gt-> set rout 0.0.0.0/0 int ?
    vlan1        vlan1 interface
    null         null interface

    This does not seem right. I should be pointing to the untrust interface or the V1-Untrust. Right!!!




  • 12.  RE: Transparent setup problem NS5GT

    Posted 07-18-2008 03:30

    Hi,

    - It seems that your V1-Trust zone subnet (209.XXX.XXX.XXX 255.255.255.248) and V1-Untrust subnet (192.168.XXX.XX/24) are different. In transparent mode that's not allowed; the whole subnet should be the same.

    - One thing I noticed: policies 1 and 3 are duplicates. You don't need any default route if you want to ping the gateway; you need an IP on the vlan1 interface in the same subnet as the gateway. Try the command:

    ping <gateway IP> from <vlan 1 ip>

    - You can't ping the servers because their subnet and the vlan1 subnet are different.

    - Policies only apply to transit traffic, not to traffic self-generated by the firewall.

    Thanks



  • 13.  RE: Transparent setup problem NS5GT

    Posted 07-18-2008 12:06

    Thanks for your reply. I did what you asked and this is what I have for testing.


    set clock timezone 0
    set vrouter trust-vr sharable
    unset vrouter "trust-vr" auto-route-export
    set auth-server "Local" id 0
    set auth-server "Local" server-name "Local"
    set auth default auth server "Local"
    set auth radius accounting port 1646
    set admin name "netscreen"
    set admin password "XXXXXXXXXXXXXXXXX"
    set admin telnet port 4646
    set admin http redirect
    set admin auth timeout 10
    set admin auth server "Local"
    set admin format dos
    set zone "Trust" vrouter "trust-vr"
    set zone "Untrust" vrouter "trust-vr"
    set zone "VLAN" vrouter "trust-vr"
    set zone "Trust" tcp-rst
    set zone "Untrust" block
    unset zone "Untrust" tcp-rst
    set zone "MGT" block
    set zone "VLAN" block
    set zone "VLAN" tcp-rst
    set zone "Untrust" screen tear-drop
    set zone "Untrust" screen syn-flood
    set zone "Untrust" screen ping-death
    set zone "Untrust" screen ip-filter-src
    set zone "Untrust" screen land
    set zone "V1-Untrust" screen tear-drop
    unset zone "V1-Untrust" screen syn-flood
    set zone "V1-Untrust" screen ping-death
    set zone "V1-Untrust" screen ip-filter-src
    unset zone "V1-Untrust" screen land
    set interface "trust" zone "V1-Trust"
    set interface "untrust" zone "V1-Untrust"
    set interface vlan1 ip 192.168.177.2/24
    set interface trust mtu 1500
    set interface untrust mtu 1500
    unset interface vlan1 bypass-others-ipsec
    unset interface vlan1 bypass-non-ip
    set interface vlan1 ip manageable
    set flow tcp-mss
    unset flow tcp-syn-check
    set hostname ns5gt
    set dns host dns1 4.1.1.1
    set dns host schedule 06:28
    set address "V1-Trust" "nwd1 server" 209.180.202.6 255.255.255.248
    set address "V1-Untrust" "net rout" 209.180.202.4 255.255.255.248
    set ike respond-bad-spi 1
    set pki authority default scep mode "auto"
    set pki x509 default cert-path partial
    set url protocol sc-cpa
    exit
    set policy id 1 from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
    set policy id 1
    exit
    set policy id 2 from "V1-Untrust" to "V1-Trust" "Any" "Any" "ANY" permit
    set policy id 2
    exit
    set global-pro policy-manager primary outgoing-interface untrust
    set global-pro policy-manager secondary outgoing-interface untrust
    set nsmgmt bulkcli reboot-timeout 60
    set ssh version v2
    set config lock timeout 5
    set dl-buf size 7340032
    set modem speed 115200
    set modem retry 3
    set modem interval 10
    set modem idle-time 10
    set snmp port listen 161
    set snmp port trap 162
    set vrouter "untrust-vr"
    set source-routing enable
    exit
    set vrouter "trust-vr"
    set source-routing enable
    unset add-default-route
    exit
    set vrouter "untrust-vr"
    exit
    set vrouter "trust-vr"
    exit

     

    This is what I have going on. I have the 209.180.202.9 that is the ISP gateway that is plugged in to the WWW switch. Then I have the 5GT that is in transparent mode with the untrust plugged in to the WWW switch. I have one port on the Trust of the 5GT plugged into the server switch with the test server 209.180.202.6. I have my Net router 209.180.202.4 plugged into the WWW switch, which is in front of the transparent firewall.

    The Net router LAN side is 192.168.177.1. The 5GT transparent firewall admin port is on the trust port with VLAN IP 192.168.177.2.

    What I am understanding is that I have to have the VLAN IP on the same subnet as my ISP router.

    Rob




  • 14.  RE: Transparent setup problem NS5GT
    Best Answer

    Posted 07-18-2008 21:33

    Hi Rob,

    - You are right, the VLAN interface IP should be in the same subnet as the ISP router.

    - One more thing you have to take care of: by default you can manage the firewall using its VLAN interface IP from its trust interface (ping etc.). As you mentioned, the trust interface of the firewall is plugged into the server switch, so you can manage it from the servers but not from the LAN behind the net router.

    - If you want to manage the firewall from the LAN behind the net router, use the command:

    set int v1-untrust manage

    save

    Hope this helps
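    The three things this thread ends up diagnosing (vlan1 sitting outside the gateway's subnet, duplicate policies, and management being opened on the untrust side) can be checked mechanically from a `get config` dump. The script below is an added example, not code from the thread or from Juniper: it parses `set ...` lines of the kinds shown in the posts above. The two sample configs, their RFC 5737 addresses, the gateway IP passed to `audit()` and the regex for the `set int v1-untrust manage` command are constructed assumptions; the regexes cover only the line forms seen in this thread.

```python
"""Audit a ScreenOS transparent-mode config dump for the issues raised in the thread.

Added example, not part of the thread. Assumes 'set ...' lines as printed by
'get config'; the ISP gateway IP is supplied by the operator.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (RFC 5737 addresses) modelled on the thread: vlan1 on a
# private /24, servers and ISP gateway on a public /29, policies 1 and 3 identical.
BROKEN_CONFIG = """
set interface "trust" zone "V1-Trust"
set interface "untrust" zone "V1-Untrust"
set interface vlan1 ip 192.168.177.2/24
set interface vlan1 ip manageable
set address "V1-Trust" "web server" 203.0.113.6 255.255.255.248
set policy id 1 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "ANY" permit
set policy id 2 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "ANY" permit
set policy id 3 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "ANY" permit
"""

# Constructed "after" config: vlan1 moved into the gateway's subnet, duplicate
# policy dropped, and management opened on V1-Untrust as post 14 suggests.
FIXED_CONFIG = """
set interface "trust" zone "V1-Trust"
set interface "untrust" zone "V1-Untrust"
set interface vlan1 ip 203.0.113.2/29
set interface vlan1 ip manageable
set address "V1-Trust" "web server" 203.0.113.6 255.255.255.248
set policy id 1 from "V1-Trust" to "V1-Untrust"  "Any" "Any" "ANY" permit
set policy id 2 from "V1-Untrust" to "V1-Trust"  "Any" "Any" "ANY" permit
set int v1-untrust manage
"""

VLAN1_IP_RE = re.compile(r'^set interface vlan1 ip (\d+\.\d+\.\d+\.\d+/\d+)')
ADDRESS_RE = re.compile(
    r'^set address "([^"]+)" "([^"]+)" (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)')
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+"([^"]+)"\s+"([^"]+)"\s+"([^"]+)"\s+(\w+)')
# Assumed form of the management command from post 14 ('set int' or 'set interface').
UNTRUST_MANAGE_RE = re.compile(r'^set int(?:erface)? "?v1-untrust"? manage', re.IGNORECASE)


def _lines(config: str) -> List[str]:
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def vlan1_interface(config: str) -> Optional[ipaddress.IPv4Interface]:
    """The vlan1 management address, or None if the box has none."""
    for line in _lines(config):
        m = VLAN1_IP_RE.match(line)
        if m:
            return ipaddress.ip_interface(m.group(1))
    return None


def address_objects(config: str) -> Dict[str, ipaddress.IPv4Network]:
    """'zone/name' -> network for every 'set address' line (dotted netmask form)."""
    objs: Dict[str, ipaddress.IPv4Network] = {}
    for line in _lines(config):
        m = ADDRESS_RE.match(line)
        if m:
            zone, name, ip, mask = m.groups()
            objs[f"{zone}/{name}"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return objs


def duplicate_policies(config: str) -> List[Tuple[int, int]]:
    """(earlier id, later id) for policies with identical zones, addresses, service and action."""
    seen: Dict[tuple, int] = {}
    dups: List[Tuple[int, int]] = []
    for line in _lines(config):
        m = POLICY_RE.match(line)
        if not m:
            continue
        pid, key = int(m.group(1)), m.groups()[1:]
        if key in seen:
            dups.append((seen[key], pid))
        else:
            seen[key] = pid
    return dups


def untrust_manage_enabled(config: str) -> bool:
    return any(UNTRUST_MANAGE_RE.match(line) for line in _lines(config))


def audit(config: str, gateway_ip: str) -> List[str]:
    """Human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    gw = ipaddress.ip_address(gateway_ip)
    vlan1 = vlan1_interface(config)
    if vlan1 is None:
        findings.append("vlan1 has no IP address; the box can neither ping nor be managed")
    else:
        if gw not in vlan1.network:
            findings.append(f"vlan1 {vlan1} is not in the same subnet as gateway {gw}")
        for name, net in address_objects(config).items():
            if not net.overlaps(vlan1.network):
                findings.append(f"address {name} ({net}) lies outside the vlan1 subnet {vlan1.network}")
    for first, second in duplicate_policies(config):
        findings.append(f"policy {second} duplicates policy {first}")
    if untrust_manage_enabled(config):
        findings.append("management is enabled on V1-Untrust: the admin interface is reachable from the ISP side")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label)
        for finding in audit(cfg, "203.0.113.1"):
            print("  -", finding)
```

    Run against the constructed "broken" config the audit reports the vlan1 subnet mismatch, the server address object outside that subnet and the duplicate policy; against the "fixed" config it reports only that management is now answered on V1-Untrust, which is worth a deliberate decision because that side faces the ISP.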

     

     

     



  • 15.  RE: Transparent setup problem NS5GT

    Posted 07-21-2008 09:46

    Ok, I did as you asked. I put vlan1 on the same subnet as the ISP gateway router and now it is working. I have a Netscreen 100 on which I use my DMZ as my admin port on the 192 net. I thought that I could do the same with the 5GT but, as you stated, I can't. Well, you could, but I would have to upgrade to Extended services to have a DMZ. The Netscreen 100 is a great firewall but I don't have deep packet inspection. Thanks for your help.

    Rob