ScreenOS Firewalls (NOT SRX)

Config NS5GT for Transparent Mode for DPI

‎07-14-2008 05:09 PM

I have the WAN interface set to 0.0.0.0 and the Work interface 0.0.0.0. The Home interface is my admin port. I have 3 servers on the Trusted Work interface and I have built policies to work between the WAN and the Work interface. It looks like it will work. But can I still get DPI on these interfaces without IPs?

 

Thanks for the help

Rob C 

5 REPLIES

Re: Config NS5GT for Transparent Mode for DPI

‎07-15-2008 10:45 AM

I'm not sure what you are trying to do here. But it looks like you are in home-work mode and not transparent mode. Home-work mode is actually a nat/route mode. Also in home-work mode, you cannot route between home and work zones.

 

Refer to http://kb.juniper.net/KB6122. This KB is old, but the info is still valid. If you want to be in transparent mode, then you must use some other port-mode such as trust-untrust mode or extended mode (requires license).

 

-Richard


Re: Config NS5GT for Transparent Mode for DPI

‎07-16-2008 04:20 PM

I switched the NS 5GT to trust and untrust mode, and I read doc CE_v2.pdf and followed the instructions on Transparent mode. I still cannot get it to work. Can you please help? I can ping the VLAN interface but I cannot ping the server when in the CLI of the 5GT. I also cannot ping my WAN router.


Re: Config NS5GT for Transparent Mode for DPI

‎07-17-2008 02:41 PM

Might be helpful if you could post your configs. Just remember to hide any sensitive parts of the configs like public IPs, etc.

 

-Richard


Re: Config NS5GT for Transparent Mode for DPI

‎07-17-2008 03:11 PM

Here you go!

 

 

set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "XXXXXXXXXXXXXXXXXXXXXXXX"
set admin telnet port XXX
set admin http redirect
set admin auth timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
set zone "VLAN" block
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "trust" zone "V1-Trust"
set interface "untrust" zone "V1-Untrust"
set interface vlan1 ip 192.168.XXX.XX/24
set interface untrust mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface vlan1 ip manageable
set flow tcp-mss
unset flow tcp-syn-check
set hostname ns5gt
set dns host dns1 4.1.1.1
set dns host schedule 06:28
set address "V1-Trust" "HTTP_Server" 209.XXX.XXX.XXX 255.255.255.248
set ike respond-bad-spi 1
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set url protocol sc-cpa
exit
set policy id 1 from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
set policy id 1
exit
set policy id 2 from "V1-Untrust" to "V1-Trust" "Any" "Any" "ANY" permit
set policy id 2
exit
set policy id 3 from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
set policy id 3
exit
set policy id 4 from "V1-Untrust" to "V1-Trust" "Any" "HTTP_Server" "HTTP" permit
set policy id 4
exit
set global-pro policy-manager primary outgoing-interface untrust
set global-pro policy-manager secondary outgoing-interface untrust
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
set dl-buf size 7340032
set modem speed 115200
set modem retry 3
set modem interval 10
set modem idle-time 10
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 192.168.177.0/24 interface vlan1 gateway 192.168.177.251
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
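
An added example, not part of the original thread or any Juniper tool: a short Python audit over the policy and route lines of the config posted above. It assumes policies for a zone pair are evaluated in config order with the first match winning; the function names and finding labels are made up for illustration.

```python
import re

# Constructed excerpt: policy and route lines copied from the posted config.
CONFIG = '''\
set policy id 1 from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
set policy id 2 from "V1-Untrust" to "V1-Trust" "Any" "Any" "ANY" permit
set policy id 3 from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
set policy id 4 from "V1-Untrust" to "V1-Trust" "Any" "HTTP_Server" "HTTP" permit
set route 192.168.177.0/24 interface vlan1 gateway 192.168.177.251
'''

POLICY = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)" '
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny|reject)\b', re.M)
FIELDS = ("src", "dst", "svc")

def parse_policies(text):
    """Return the policy definitions, in config order, as dicts."""
    keys = ("id", "src_zone", "dst_zone", "src", "dst", "svc", "action")
    return [dict(zip(keys, m.groups())) for m in POLICY.finditer(text)]

def covers(a, b):
    """True if policy a matches every packet that policy b matches."""
    if (a["src_zone"], a["dst_zone"]) != (b["src_zone"], b["dst_zone"]):
        return False
    return all(a[k].lower() == "any" or a[k] == b[k] for k in FIELDS)

def audit(text):
    """Return (finding, policy_id) tuples for the checks below."""
    findings = []
    pols = parse_policies(text)
    for i, p in enumerate(pols):
        # Permit-everything rule whose source zone is an Untrust zone.
        if (p["action"] == "permit" and "untrust" in p["src_zone"].lower()
                and all(p[k].lower() == "any" for k in FIELDS)):
            findings.append(("any-any-inbound", p["id"]))
        # An earlier rule already matches all of this rule's traffic.
        for earlier in pols[:i]:
            if covers(earlier, p):
                findings.append(("shadowed-by-" + earlier["id"], p["id"]))
                break
    # No 0.0.0.0/0 route is defined anywhere in the config.
    if not re.search(r"^set route 0\.0\.0\.0/0 ", text, re.M):
        findings.append(("no-default-route", None))
    return findings

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

On the posted config this reports policy 2 as an unrestricted inbound permit, policies 3 and 4 as covered by earlier rules (so the HTTP-only rule never takes effect), and the absence of a default route.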

 

 

 


Re: Config NS5GT for Transparent Mode for DPI

‎07-17-2008 03:15 PM

I know that I want to add in the static route 0.0.0.0/0 to your default gateway IP. But is that Destination, Source or Source Interface Routing?