ScreenOS Firewalls (NOT SRX)

SSG-140: two problems

06-11-2009 10:19 AM

Hello! I'm new here and at the moment I have two problems:

1) On one interface (for example ethernet0/5) I have a DHCP service which has a dynamic address range starting 192.168.1.50 - 192.168.1.150. How can I make a new entry in the section Policy Elements / List for further use of this range in the Policies?

2) How can I make (using my SSG-140) a policy so that users, for example 1 IP or an IP range (mentioned above), could not download torrents?

Thanks in advance!

 


Re: SSG-140: two problems

06-11-2009 01:22 PM

1. You cannot use a range of IP addresses on a normal policy, but you can use a multi-cell policy and specify each host/subnet to cover from .50 to .150.

2. You need an IDP solution.


Re: SSG-140: two problems

06-11-2009 02:59 PM

IDP? Can't it be done with DI and some custom signatures? DI runs on the 140; IDP takes an additional box.
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI


Re: SSG-140: two problems

06-12-2009 01:02 AM

DI only supports a small subset of protocols (e.g. FTP, HTTP, etc.).

IDP or any other IPS/IDS product can do this.


Re: SSG-140: two problems

06-12-2009 04:53 AM

Thanks!

Sorry, I'm a total novice in ScreenOS. But how can I create two /25 subnets on an interface (for example ethernet0/4), or a multi-cell policy, if my configuration on this interface is 192.168.1.1/24?

Message Edited by Cookie on 12-06-2009 02:54 PM

Re: SSG-140: two problems

06-12-2009 02:53 PM

You can have a /24 on the interface, but in the policy config select "multiple" for the source address and add some subnets of the /24. Only traffic from these subnets will be accepted then. Policy and interface settings are separate.
best regards,

Screenie.
Juniper Ambassador,
JNCIA IDP AC WX JNCIS FW SSL JNCIP SEC ENT SP JNCI

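The advice above boils down to "cover .50 to .150 with subnets and list them all in one multi-cell policy". The following is an added example (not from any poster, and not Juniper's code) that computes the minimal set of CIDR blocks for the DHCP pool, checks that they cover exactly the pool and nothing outside it (so the policy neither leaks an address nor admits a neighbour), and prints ScreenOS-style `set address` / `set policy` lines. The zone names, address-book names and policy id are assumptions; the CLI syntax is from memory and should be checked against your ScreenOS release.

```python
"""Turn a DHCP pool range into the subnets a ScreenOS multi-cell policy needs."""
import ipaddress
from typing import List

IPv4Network = ipaddress.IPv4Network


def range_to_cidrs(first: str, last: str) -> List[IPv4Network]:
    """Minimal list of CIDR blocks that exactly cover first..last (inclusive)."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError("range end precedes range start")
    return list(ipaddress.summarize_address_range(start, end))


def covers_exactly(blocks: List[IPv4Network], first: str, last: str) -> bool:
    """True if the blocks cover every address in the range and no address outside it."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    wanted = {start + i for i in range(int(end) - int(start) + 1)}
    got = {addr for block in blocks for addr in block}
    return wanted == got


def screenos_commands(zone: str, prefix: str, blocks: List[IPv4Network],
                      policy_id: int, to_zone: str, action: str = "permit") -> List[str]:
    """Address-book entries plus one multi-cell policy listing every block as a source.

    Assumed ScreenOS syntax: the first source goes on the 'set policy' line, the rest
    are added inside the policy context with 'set src-address'.
    """
    names = [f"{prefix}-{i + 1}" for i in range(len(blocks))]
    cmds = [f'set address {zone} "{n}" {b.network_address} {b.netmask}'
            for n, b in zip(names, blocks)]          # /32 yields mask 255.255.255.255
    cmds.append(f'set policy id {policy_id} from {zone} to {to_zone} '
                f'"{names[0]}" "Any" "ANY" {action}')
    cmds.append(f"set policy id {policy_id}")
    cmds.extend(f'set src-address "{n}"' for n in names[1:])
    cmds.append("exit")
    return cmds


if __name__ == "__main__":
    # Constructed input: the DHCP pool from the question, 192.168.1.50 - 192.168.1.150.
    pool = range_to_cidrs("192.168.1.50", "192.168.1.150")
    assert covers_exactly(pool, "192.168.1.50", "192.168.1.150")
    print("\n".join(screenos_commands("trust", "dhcp-pool", pool, 10, "untrust")))
```

The .50-.150 pool needs eight blocks (not two /25s), because a /25 would also admit .0-.49 or .151-.255.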