ScreenOS Firewalls (NOT SRX)
Contributor
Abdul
Posts: 18
Registered: ‎10-16-2008
0

experiencing some issue with firewall (SSG-140) as some of the web sites e.g

Hi All

We are experiencing some issues with our firewall (SSG-140): some web sites, e.g. www.ssa.gov, are not browsable through the firewall, while the same web site is browsable if we bypass the firewall.


Thanks


Abdul

Contributor
jun_net
Posts: 20
Registered: ‎05-07-2008
0


Abdul,


So that we can help you, please upload a debug from the firewall. You want to run a DEBUG FLOW BASIC; adding filters for the source address and destination address will make it easier to find the issue. If you are not sure about setting up DEBUGS or Filters, please see http://forums.juniper.net/jnet/board/message?board.id=Firewalls&thread.id=2719


Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007
0


So can we assume that some websites work and some do not? Or do all websites fail? Based on the subject of your thread I would assume that some websites do work. Can you name some sites in particular that do work?


One thing that I have found to resolve similar issues is to adjust TCP mss size. There could be a problem with fragmentation between the SSG and the upstream router (perhaps mismatched MTU). Try this setting via CLI:


set flow all-tcp-mss 1300


See if that resolves the issue. If so then you probably do have some sort of fragmentation issue. If that doesn't resolve the issue then run debug flow basic (see AndyC's troubleshooting thread at the top of the Firewall forum).


-Richard

Regular Visitor
atkinsonr
Posts: 7
Registered: ‎11-07-2007
0


We occasionally run across the same problems with some web sites. In our case it is usually the HTTP ALG that is blocking the web site.


Try creating a rule above your standard web browsing rule with the destination sites in it and the standard HTTP services that you need, then under Application (Misc. in NSM) set it to IGNORE (Ignoredtype in NSM) and see if it works.


Ron


Contributor
Abdul
Posts: 18
Registered: ‎10-16-2008
0


Hi All,

Here is a list of those websites which are not working through the firewall; yes, they will work if I bypass (these websites' traffic) from the core router.

- mail.undppartners.org.pk
- www.pcssa.com.pk
- www.ssa.gov

Distinguished Expert
rkim
Posts: 755
Registered: ‎11-06-2007
0


So did you try setting tcp-mss per my previous post? What about some sites that work? Did you run debug flow basic?


-Richard

Contributor
Abdul
Posts: 18
Registered: ‎10-16-2008
0


Hi All,


I have tried both options:

1. Setting the policy on the top

2. set flow all-tcp-mss 1300

But the website is not accessible.

Thanks

Abdul

The log is attached to this post.

Trusted Contributor
Munpe_Q
Posts: 192
Registered: ‎10-02-2008
0



Abdul,


Did you try simply doing some basic troubleshooting? Like a telnet to port 80 to that website by name and then by IP (i.e. telnet 1.1.1.1 80)? If it responds to the telnet, type in: HEAD / HTTP/1.0 and hit enter 2-3 times. You should see the web server banner. If you get that, then the firewall is passing the traffic. Then you would have to look at it from a standpoint of ALG, DPI, or something similar, whereby a pattern may be matching to something in the HTML payload.

Run a debug on it also, where the IP is:

fw-> set ffilter dst-ip 1.1.1.1 dst-port 80

fw-> debug flow basic

[browse the website from multiple machines]

fw-> {hit ESC to end debug}

fw-> get db stream

Setting the TCP-MSS doesn't affect MTU. But the previous post should be considered, and make sure you have all devices running their default MTU of 1500. If not, that could cause problems, but that would be seen for most if not all traffic.

Message Edited by Munpe_Q on 10-22-2008 02:17 AM
-=Q
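Munpe_Q's telnet/HEAD check above, written out in code as an added example (not from this thread and not Juniper's code): it connects to the site by name and by IP, sends HEAD / HTTP/1.0, reads the server banner, and then separates "no TCP at all", "DNS only" and "connected but no HTTP reply" (the ALG/DPI case). The function names, the dict layout and the classification strings are my own choices.

```python
import socket


def parse_head_response(raw: bytes) -> dict:
    """Parse the status line and headers of an HTTP HEAD reply (status code, Server header)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": status, "server": headers.get("server"), "headers": headers}


def probe_site(target: str, host_header: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Code version of 'telnet <target> 80' then 'HEAD / HTTP/1.0' from the post above.
    target is the name or IP to connect to; host_header is the site name sent as Host.
    Returns {'tcp': bool, 'banner': dict or None, 'error': str or None}."""
    try:
        s = socket.create_connection((target, port), timeout=timeout)
    except OSError as e:  # refused, timed out or unresolvable: the TCP handshake never completed
        return {"tcp": False, "banner": None, "error": str(e)}
    raw = b""
    with s:
        try:
            s.sendall(f"HEAD / HTTP/1.0\r\nHost: {host_header}\r\n\r\n".encode())
            while b"\r\n\r\n" not in raw:  # HEAD carries no body; stop at end of headers
                chunk = s.recv(4096)
                if not chunk:
                    break
                raw += chunk
        except OSError:  # connected, but the reply timed out or the session was reset
            raw = b""
    if not raw:
        return {"tcp": True, "banner": None, "error": "connected but no HTTP reply"}
    return {"tcp": True, "banner": parse_head_response(raw), "error": None}


def classify(by_name: dict, by_ip: dict) -> str:
    """Read the two probes (by name, by IP) the way the post suggests."""
    if not by_name["tcp"] and not by_ip["tcp"]:
        return "no TCP to port 80: check policy, routing and MSS, then run debug flow basic"
    if by_ip["tcp"] and not by_name["tcp"]:
        return "works by IP only: DNS problem, not the firewall"
    if by_name["banner"] is None or by_ip["banner"] is None:
        return "TCP connects but no HTTP reply: suspect the HTTP ALG or DPI on the payload"
    return "TCP and HTTP both pass the firewall"
```

Run it from a host behind the firewall as `classify(probe_site(name, name), probe_site(ip, name))`, where `ip` is the address the name resolves to from a working path; a result that connects but never gets a banner points at the ALG/DPI rule change suggested earlier in the thread.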