ScreenOS Firewalls (NOT SRX)

SSG-5 in L2 Mode - How to manage from Untrust?

10-11-2010 03:07 AM


Hi there,


I have an SSG-5 running 6.3.0r5.0 set up in L2 mode, with a simple Untrust/Trust configuration.


I have assigned an IP to the vlan1 interface, and I can manage the firewall no problem from the Trusted interface, but cannot find a way of getting it to respond on the Untrusted interface.


I would like to be able to manage the firewall from the untrust side. Is this possible?


Ideally I would like to create a separate VLAN for management, but you do not seem to be able to change the tag for the vlan1 interface, or create another vlan interface.


"get system" shows that the unit is in L2 mode.


Many thanks for your help.


Here is the Zone setup:

ssg5-serial-> get zone
Total 14 zones created in vsys Root - 8 are policy configurable.
Total policy configurable zones for Root is 8.
  ID Name                             Type    Attr    VR          Default-IF   VSYS
   0 Null                             Null    Shared untrust-vr   serial0/0    Root
   1 Untrust                          Sec(L3) Shared trust-vr     null         Root
   2 Trust                            Sec(L3)        trust-vr     null         Root
   3 DMZ                              Sec(L3)        trust-vr     null         Root
   4 Self                             Func           trust-vr     self         Root
   5 MGT                              Func           trust-vr     null         Root
   6 HA                               Func           trust-vr     null         Root
  10 Global                           Sec(L3)        trust-vr     null         Root
  11 V1-Untrust                       Sec(L2) Shared trust-vr     v1-untrust   Root
  12 V1-Trust                         Sec(L2) Shared trust-vr     v1-trust     Root
  13 V1-DMZ                           Sec(L2) Shared trust-vr     v1-dmz       Root
  14 VLAN                             Func    Shared trust-vr     vlan1        Root
  15 V1-Null                          Sec(L2) Shared trust-vr     l2v          Root
  16 Untrust-Tun                      Tun            trust-vr     hidden.1     Root


Re: SSG-5 in L2 Mode - How to manage from Untrust?

10-11-2010 05:19 AM

In transparent mode the management services are enabled/disabled per zone instead of per interface as in L3 mode.


Check the l1-untrust zone config and activate the management services as needed.

l1-trust allows management by default.


It's recommended to configure the manager IP to restrict management to only some source IPs.
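The zone-level management settings and the manager-IP restriction described in this reply, written out as a ScreenOS CLI example. This is an added example, not configuration from the original thread; the zone name V1-Untrust is taken from the poster's `get zone` output, and 10.0.0.5 is a constructed placeholder for the management workstation.

```text
# Added example (not from the original thread): enable management on the
# V1-Untrust zone in transparent mode and restrict admin access by source IP.
# 10.0.0.5 is a constructed placeholder for the management workstation.

# In L2 mode management is a zone property; enable only the services needed.
set zone V1-Untrust manage ssh
set zone V1-Untrust manage ssl
set zone V1-Untrust manage ping

# Keep the clear-text services off on the untrust side.
unset zone V1-Untrust manage telnet
unset zone V1-Untrust manage web

# Limit which source addresses may reach the vlan1 management address at all;
# a /32 mask pins it to a single host.
set admin manager-ip 10.0.0.5 255.255.255.255

# Verify the zone's management services and the manager-IP list, then save.
get zone V1-Untrust
get admin
save
```

With the manager IP set, connections to the vlan1 address from any other source are dropped even on zones where management is enabled, so check `get admin` before closing the session to make sure the address you are working from is on the list.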


Re: SSG-5 in L2 Mode - How to manage from Untrust?

10-11-2010 05:24 AM


Thanks for that, all now working.


Yep, I've set a restriction on which IPs can connect to the admin address.