ScreenOS Firewalls (NOT SRX)

Subscription updates via proxy

‎01-04-2009 10:13 PM

I'm setting up a couple of new SSG-140 devices running ScreenOS 6.2.0.  These devices will be operating to isolate a couple of network enclaves from our main network.  As such, they're located behind our corporate security perimeter and are unable to connect to the Internet, except via a proxy server.


I'm new to configuring these devices.  Everything I've read so far in the documentation and knowledge base tells me that the device must have a direct connection to the Internet (not via a proxy) in order to retrieve subscription updates from the entitlement server (I've subscribed to AV and DI signatures).  I was wondering if there might be some kind of workaround to enable me to get the updates even though I'm behind a proxy.  I'd be happy with even a kludgey, manual process, if that's what's necessary.


Thanks, in advance.


Re: Subscription updates via proxy

‎01-05-2009 09:30 PM

This is an excerpt from the user guide regarding this:




1. Downloading the Signature Pack

To save the signature pack to your local server, enter the following URL in the address field of your browser. See Table 6 on page 125 for a list of predefined signature packs and the corresponding URLs.


Save attacks.bin to the local directory “C:\netscreen\attacks-db” (for loading via the WebUI) or to your TFTP server directory C:\Program Files\TFTP Server (when you want to use the CLI to load it).


2. Updating the Signature Pack


Configuration > Update > Attack Signature: Enter the following, then click OK:

Deep Inspection Signature Update:

Load File: Enter C:\netscreen\attacks-db\attacks.bin


Click Browse and navigate to that directory, select attacks.bin, then click


If you downloaded the server, client, or worm protection signature packs, then enter the appropriate filename.


save attack-db from tftp attacks.bin to flash



Updating DI Patterns from a Proxy Server

You can update the DI patterns from a proxy server. This update does not require Internet connectivity and is done offline.

To configure a proxy server:


Security > Proxy: Set the HTTP and SSL proxy addresses, then click Apply:

HTTP Proxy:

SSL Proxy:


set pattern-update proxy http


NOTE: You cannot configure an HTTPs proxy, because you cannot cache an HTTPs proxy.




The AV update procedure can be found on Pg 81 - Volume 4 of the ScreenOS 6.2 Reference Guide. 


I was once stuck in the same situation as yours while trying to upgrade the license entitlement for an ISG running 5.x code.

The customer was a large university forcing all internet access through a proxy server (non-transparent). What I did was set up the proxy on my laptop and connect to the internet using wireless. Then I used the 'Internet Connection Sharing' (ICS) feature in Windows XP to let the ISG box access the internet through me. It was pretty annoying to set up, but it worked like a charm.





Message Edited by fharoon on 01-06-2009 08:32 AM
Message Edited by fharoon on 01-06-2009 09:03 AM
Message Edited by fharoon on 01-06-2009 09:06 AM