Screen OS

  • 1.  Policy between network segments

    Posted 07-12-2012 11:07

    How are you?

     

    I hope I can help solve my problem:

     

    I have an SSG140 with 2 network segments, 172.31.114.0 and 172.31.115.0. How do I change the policy so that some equipment can be seen between the network segments? And how can I specify only the https and https ports for those network segments, so that not all ports are open?

     

    I've always used the GUI.

     

    Thank you very much.



  • 2.  RE: Policy between network segments

     
    Posted 07-17-2012 05:04

    What zones are the network segments in? Trust to trust?

     

    Just use the GUI to select the Policy and only allow traffic through on the https protocols.

     

    Remember, the policy application in the GUI does not specify network to network within the actual choices, but zone to zone. Once you open the Policy from zone to zone you can choose the networks or hosts and protocols.



  • 3.  RE: Policy between network segments

    Posted 07-18-2012 07:29

    I have the two segments on the same SSG140: one interface is 172.31.114.0 and another is 172.31.115.0.

     

    My network has grown, so I created two network segments.

     

    I need some equipment to see only each other, and not all of it. I have no idea how. I want to do it in the way that produces less network traffic. Also to specify the protocols.

     

    Thank you very much for your support



  • 4.  RE: Policy between network segments

     
    Posted 07-18-2012 07:56

    Okay, I understand the interfaces, however, Policies are designed at the beginning via zones. So, the interfaces you mention will be bound to zones. You can check within the Network / Interfaces / List and then look at the zone those interfaces are in. If they are both in the trust zone then you need a "trust-to-trust" policy. Within the policy, choose the network, protocols and anything else you want to allow through.

     

    The default zones are:

     

    Trust

    Untrust

    DMZ

     

    Your organisation may have created other zones and placed the interfaces within those. You will need the zone names before you can create the Policy.



  • 5.  RE: Policy between network segments

    Posted 07-18-2012 13:02

    AAAHHH, perfect.

     

    You mean I can create several groups (Policy > Policy Elements > Addresses > Groups), add users, and within the policy (trust-trust) allow visibility only between the groups I choose?

     

    Thank you so much for your support :)



  • 6.  RE: Policy between network segments
    Best Answer

     
    Posted 07-19-2012 01:00

    Yes, address book entries are perfect for this.

     

    Create the address book entries and then form tidy groups for the entries and then apply to the policy.  🙂
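As an added worked example, not part of this thread and not Juniper's own text, here is the same design done from the ScreenOS CLI instead of the GUI: address-book entries for the hosts that may talk, one address group per segment, a service group restricted to the predefined HTTP and HTTPS services, and one trust-to-trust policy per direction between the two groups. The host IPs, object names and policy IDs are assumptions; substitute your own. One caveat a practitioner will want: ScreenOS only consults trust-to-trust policies when intra-zone blocking is enabled for the trust zone (`set zone trust block`); with blocking off, traffic between two interfaces bound to the same zone is forwarded without a policy lookup, so the policies below would never be hit and the two segments would keep full reachability. `get zone trust` shows the current "Intra-zone block" state.

```screenos
# --- Constructed ScreenOS CLI example (assumed IPs, names and policy IDs) ---

# Confirm both segment interfaces are actually bound to the trust zone;
# if they are in different zones, the policies below need those zone names.
get interface
get zone trust

# Address-book entries for the hosts allowed to cross between segments (assumed IPs)
set address trust "web-114-10" 172.31.114.10 255.255.255.255 "web server, segment 114"
set address trust "app-114-20" 172.31.114.20 255.255.255.255 "app server, segment 114"
set address trust "db-115-10"  172.31.115.10 255.255.255.255 "db server, segment 115"
set address trust "db-115-11"  172.31.115.11 255.255.255.255 "db server, segment 115"

# One address group per side so each policy references a single object
set group address trust "grp-seg114-allowed" comment "hosts on 172.31.114.0 permitted across"
set group address trust "grp-seg114-allowed" add "web-114-10"
set group address trust "grp-seg114-allowed" add "app-114-20"
set group address trust "grp-seg115-allowed" comment "hosts on 172.31.115.0 permitted across"
set group address trust "grp-seg115-allowed" add "db-115-10"
set group address trust "grp-seg115-allowed" add "db-115-11"

# Only the web ports: predefined HTTP (80) and HTTPS (443) services
set group service "grp-web-only" comment "TCP 80 and 443 only"
set group service "grp-web-only" add "HTTP"
set group service "grp-web-only" add "HTTPS"

# Enable intra-zone blocking, otherwise trust-to-trust traffic bypasses policy lookup
set zone trust block

# One policy per initiating direction; sessions are stateful, so reply
# traffic of a permitted connection needs no policy of its own
set policy id 101 from trust to trust "grp-seg114-allowed" "grp-seg115-allowed" "grp-web-only" permit log
set policy id 102 from trust to trust "grp-seg115-allowed" "grp-seg114-allowed" "grp-web-only" permit log

# Optional explicit catch-all: with blocking on the default is already deny,
# but an explicit deny with log makes refused cross-segment attempts visible
set policy id 199 from trust to trust any any any deny log

save

# Verify the result
get policy from trust to trust
get zone trust
```

Policies are evaluated top-down, so keep the permits above the catch-all deny, and once the traffic matrix is in place compare `get policy from trust to trust` against the hosts you expect to reach each other before relying on it.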



  • 7.  RE: Policy between network segments

    Posted 07-30-2012 09:09

    Perfect.

     

    Really, really appreciate your support. Thank you for sharing your time and knowledge :D

     

    Accepted as a solution