Screen OS


  • 1.  SSG-140, Route based VPN: How to deny incoming IKE from specific IP?

    Posted 09-05-2020 02:18

    Hi Community,

    Every 10 seconds my SSG-140 receives IKE packets (initial Phase 1 packets) from an unrecognized peer gateway; I can see its source IP in the event log.

    I've tried to implement a deny policy from Untrust to Untrust, and from Untrust to the Global zone, but with no success.

    Is there any way to deny all incoming traffic from this specific IP?

    Thank you in advance,

    Dmitry.
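    The situation described above (a Phase 1 IKE initiator that is not a configured peer, repeating on a fixed interval) is the kind of thing worth triaging from the event log before deciding on a control. The following script is an added example, not code from the thread or from Juniper; it assumes a constructed log layout (an ISO timestamp followed by `IKE<address> Phase 1: ...`) and a constructed set of configured peers, so the regex needs to be checked against the real export before use.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample event-log excerpt. The line layout (ISO timestamp, then an
# IKE message carrying the peer address in angle brackets) is an assumption made
# for this example; verify it against a real ScreenOS log export first.
SAMPLE_LOG = """\
2020-09-05 02:10:00 IKE<203.0.113.7> Phase 1: Responder starts MAIN mode negotiations.
2020-09-05 02:10:05 IKE<198.51.100.20> Phase 1: Responder starts MAIN mode negotiations.
2020-09-05 02:10:10 IKE<203.0.113.7> Phase 1: Responder starts MAIN mode negotiations.
2020-09-05 02:10:20 IKE<203.0.113.7> Phase 1: Responder starts MAIN mode negotiations.
2020-09-05 02:10:30 IKE<203.0.113.7> Phase 1: Responder starts MAIN mode negotiations.
2020-09-05 02:10:40 IKE<203.0.113.7> Phase 1: Responder starts MAIN mode negotiations.
2020-09-05 02:11:00 system: Admin user "netscreen" logged in via web from 192.0.2.10
"""

# Addresses configured as VPN gateways on this box (constructed for the example).
KNOWN_PEERS = {"198.51.100.20"}

# Only Phase 1 IKE events are of interest; everything else in the log is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) IKE<(?P<src>[0-9.]+)> Phase 1:"
)


def parse_ike_phase1(log_text):
    """Yield (timestamp, source_ip) for every Phase 1 IKE event in the log text."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("src")


def unknown_initiators(log_text, known_peers, min_events=3):
    """Summarise Phase 1 initiators that are not configured peers.

    Returns {source_ip: {"events": n, "mean_interval_s": seconds}} for every
    address outside known_peers that produced at least min_events events.
    The mean interval makes a fixed-cadence retry (e.g. one every 10 s) obvious.
    """
    times = defaultdict(list)
    for ts, src in parse_ike_phase1(log_text):
        if src not in known_peers:
            times[src].append(ts)

    report = {}
    for src, stamps in times.items():
        if len(stamps) < min_events:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        report[src] = {
            "events": len(stamps),
            # Guard against a single event (no gaps) when min_events is set to 1.
            "mean_interval_s": sum(gaps) / len(gaps) if gaps else 0.0,
        }
    return report


if __name__ == "__main__":
    for src, info in unknown_initiators(SAMPLE_LOG, KNOWN_PEERS).items():
        print(f"{src}: {info['events']} Phase 1 attempts, "
              f"one every ~{info['mean_interval_s']:.0f}s")
```

    On the constructed sample this reports a single unknown initiator with five attempts at a 10 second cadence, while the configured peer is left out of the report; feeding it a real export gives a quick per-source count to attach to a change request or to a decision about which upstream device should hold the filter.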

     



  • 2.  RE: SSG-140, Route based VPN: How to deny incoming IKE from specific IP?
    Best Answer

    Posted 09-05-2020 11:21

    Traffic processed by the firewall itself is NOT covered by policies, which apply to transit traffic that crosses the firewall. So you cannot apply a policy in this fashion to block the VPN requests.

    The limited controls you can apply to self traffic are found under

    configuration > admin



  • 3.  RE: SSG-140, Route based VPN: How to deny incoming IKE from specific IP?

    Posted 09-05-2020 23:58

    Thank you for the reply, Steve.

    So, if I understand correctly, there is no way to block the VPN requests from specific IP(s)?

    In Settings/Admin I haven't found anything suitable for that.

    Dmitry



  • 4.  RE: SSG-140, Route based VPN: How to deny incoming IKE from specific IP?

    Posted 09-06-2020 12:04

    Yes, there is no option to block this on ScreenOS.

    There is an option for these policies with Junos on the SRX.