
Web Filter Activation Problem

01-17-2011 01:54 AM

My client recently bought web filtering for his NS5gt. His previous WF license had expired, so we sold him a 3-year license.

 

My first problem was getting the unit to retrieve the license from nextwave.netscreen.com - it kept failing with "PKI: Cert has expired (subject name CN=nextwave.netscreen.com,OU=Terms of use at www.verisign.com/rpa (c)05,OU=Information Technology,O=Juniper Networks, Inc.,L=Sunn)".

 

The firewall can ping the site, but cannot connect to it.

 

So I did some googling and found that the certificate on the firewall had expired and that I needed to load a new one (https://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2007-11-005).

So I did that - I followed the instructions and tried again to download the subscriptions, but I got the same error as above.

 

I then went to Juniper's site, manually downloaded the license key and managed to upload it onto the unit.

 

Now I have the licenses on the unit and it clearly shows WEB FILTERING as valid until 2014. If I scroll further down, however, WEB FILTERING is shown as disabled. With it DISABLED, I can't enable anything under SECURITY -> WEB FILTERING. All I see under PROTOCOL is:

•Redirect (surfControl)
•Redirect (Websense)
I should also see an "Integrated (...)" option, and I don't.

 

My firewall is currently running version 6.2.0r8.0.

Below is my config.

 

I'm stuck here - I've done this a million times, but this one stumps me.

 

If anyone has any ideas, let me know.

 

Andrew

 

Here is my config:

 

unset key protection enable
set clock dst-off
set clock ntp
set clock timezone 2
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "bla bla bla"
set admin password "sssdskiiiushyyyeyeyyeyee32323"
set admin auth web timeout 10
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet1" zone "Trust"
set interface "ethernet3" zone "Untrust"
set interface "ethernet2" zone "Untrust"
set interface "tunnel.1" zone "Untrust"
set interface "tunnel.2" zone "Untrust"
set interface "tunnel.3" zone "Untrust"
set interface "tunnel.4" zone "Untrust"
set interface ethernet1 ip 111.111.111.8/24
set interface ethernet1 nat
set interface ethernet3 ip x.x.x.x/29
set interface ethernet3 route
set interface ethernet2 ip x.x.x.x/29
set interface ethernet2 route
unset interface vlan1 ip
set interface tunnel.1 mtu 1492
set interface tunnel.2 mtu 1492
set interface tunnel.3 mtu 1492
set interface tunnel.4 mtu 1492
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet1 ip manageable
set interface ethernet3 ip manageable
set interface ethernet2 ip manageable
set interface ethernet3 manage telnet
set interface ethernet2 manage ping
set interface ethernet2 manage telnet
set interface ethernet2 manage web
set interface ethernet3 vip interface-ip 25 "MAIL" 111.111.111.2
set interface ethernet3 vip interface-ip 110 "POP3" 111.111.111.2
set interface "ethernet2" mip 196.37.170.228 host 111.111.111.2 netmask 255.255.255.255 vr "trust-vr"
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set hostname CRMJHB
set dbuf usb filesize 0
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 8.8.8.8
set dns host dns2 0.0.0.0
set dns host dns3 0.0.0.0
set address "Trust" "111.111." 111.111.
set address "Trust" "111.111.111.113/32" 111.111.111.113 255.255.255.255
set address "Trust" "111.111.111.117/32" 111.111.111.117 255.255.255.255
set address "Trust" "111.111.111.131/32" 111.111.111.131 255.255.255.255
set address "Trust" "111.111.111.137/32" 111.111.111.137 255.255.255.255
set address "Trust" "111.111.111.144/32" 111.111.111.144 255.255.255.255
set address "Trust" "111.111.111.171/32" 111.111.111.171 255.255.255.255
set address "Trust" "111.111.111.2/32" 111.111.111.2 255.255.255.255
set address "Trust" "111.111.111.200/32" 111.111.111.200 255.255.255.255
set address "Trust" "111.111.111.32/32" 111.111.111.32 255.255.255.255
set address "Trust" "111.111.111.33/32" 111.111.111.33 255.255.255.255
set address "Trust" "111.111.111.5/32" 111.111.111.5 255.255.255.255
set address "Trust" "111.111.111.69/32" 111.111.111.69 255.255.255.255
set address "Trust" "111.111.111.77/32" 111.111.111.77 255.255.255.255
set address "Trust" "111.111.111.79/32" 111.111.111.79 255.255.255.255
set address "Trust" "JHB" 111.111.111.0 255.255.255.0 "Johannesburg"
set address "Untrust" "CPT" 111.111.113.0 255.255.255.0 "Cape Town"
set address "Untrust" "DBN" 111.111.112.0 255.255.255.0
set address "Untrust" "RHB" 111.111.115.0 255.255.255.0
set address "Untrust" "RST" 111.111.114.0 255.255.255.0
set ippool "VPN DIALUP" 172.111.111.1 172.111.111.50
set user "CPTGen" uid 24
set user "CPTGen" type l2tp
set user "CPTGen" password "qewIKhdmNfrzvxs0HoC0s0pa3ZnCKgY+KQ=="
unset user "CPTGen" type auth
set user "CPTGen" "enable"
set user "DAC" uid 22
set user "DAC" type l2tp
set user "DAC" password "1j0Fm286NXQOETsU2kCRJBxSXunaBzYo4A=="
unset user "DAC" type auth
set user "DAC" "enable"
set user "DBJ" uid 18
set user "DBJ" type l2tp
set user "DBJ" remote ippool "VPN DIALUP"
set user "DBJ" password "oclaJOfeNnF4qZsszRChUU7DsLn14gbgWg=="
unset user "DBJ" type auth
set user "DBJ" "enable"
set user "DBNGen" uid 8
set user "DBNGen" type l2tp
set user "DBNGen" password "Or2+Wmd4Nq+8KIstqGC/39qFQOnDpa9JvQ=="
unset user "DBNGen" type auth
set user "DBNGen" "enable"
set user "Knox" uid 2
set user "Knox" type l2tp
set user "Knox" remote ippool "VPN DIALUP"
set user "Knox" password "20O5Q0B5N8ebgZsyIHCPuUAFGan+5v7SnA=="
unset user "Knox" type auth
set user "Knox" "enable"
set user "Neil" uid 5
set user "Neil" type l2tp
set user "Neil" password "T4Jk2fU8NXLX3hsQ8BCBcNyvjxnwJ1H/5w=="
unset user "Neil" type auth
set user "Neil" "enable"
set user "PumaTech" uid 3
set user "PumaTech" type l2tp
set user "PumaTech" password "QwjhTf5bNh2LLksYi7Ch3dCEhDnkfF5B7g=="
unset user "PumaTech" type auth
set user "PumaTech" "enable"
set user "Rhyno" uid 1
set user "Rhyno" type l2tp
set user "Rhyno" password "P8/RIIN7Nywu+5sgVlCl6IgL9gnFfHSwNw=="
unset user "Rhyno" type auth
set user "Rhyno" "disable"
set user "aviljoen" uid 17
set user "aviljoen" type l2tp
set user "aviljoen" password "co2GXse2Np6DNJsXi2CFSFhU9JnN0uHYsw=="
unset user "aviljoen" type auth
set user "aviljoen" "enable"
set user "cjacobs" uid 26
set user "cjacobs" type l2tp
set user "cjacobs" password "amD1KyrGNgHwLSskuxChpwy1KHn3D0QvQw=="
unset user "cjacobs" type auth
set user "cjacobs" "enable"
set user "dpetersen" uid 13
set user "dpetersen" type l2tp
set user "dpetersen" password "mpBehy3aNyf+uusTYiC9yqc91bnS1qZLtQ=="
unset user "dpetersen" type auth
set user "dpetersen" "enable"
set user "dwepener" uid 23
set user "dwepener" type l2tp
set user "dwepener" password "eSXYGPeGN+mX0yscOWCuW+3ZIKnyC97hHg=="
unset user "dwepener" type auth
set user "dwepener" "enable"
set user "ejoosten" uid 16
set user "ejoosten" type l2tp
set user "ejoosten" password "r2A/S0qiNqrrBUsTaTC+wLYh8FnnnAqZEQ=="
unset user "ejoosten" type auth
set user "ejoosten" "enable"
set user "eugene" uid 12
set user "eugene" type l2tp
set user "eugene" password "W3oRsM8eNJSwDis5TLCouwRASFnwrYr5Uw=="
unset user "eugene" type auth
set user "eugene" "enable"
set user "fbroodryk" uid 14
set user "fbroodryk" type l2tp
set user "fbroodryk" password "4MeGYpFdN7tnOosrUOCbwojy7YnC7fK8KA=="
unset user "fbroodryk" type auth
set user "fbroodryk" "enable"
set user "gesprey" uid 10
set user "gesprey" type l2tp
set user "gesprey" password "jadsQiaJN1KYi4sOh9C0rT/j/0n2hbL3ig=="
unset user "gesprey" type auth
set user "gesprey" "enable"
set user "lwilson" uid 20
set user "lwilson" type l2tp
set user "lwilson" password "O7JVeNibNh7UDTsqcGCLgF/NhHnCjNZW+g=="
unset user "lwilson" type auth
set user "lwilson" "enable"
set user "mmotsoene" uid 11
set user "mmotsoene" type l2tp
set user "mmotsoene" password "XY8tHaGRN0lEcKssxOCjYYDrl2nSiQ6AoQ=="
unset user "mmotsoene" type auth
set user "mmotsoene" "enable"
set user "wmorgado" uid 27
set user "wmorgado" type l2tp
set user "wmorgado" password "aEZTvPb3NhVA3NsTkBCLHMQekAnAwCF0JQ=="
unset user "wmorgado" type auth
set user "wmorgado" "enable"
set crypto-policy
exit
set ike gateway "CPT" address 196.211.117.106 Main outgoing-interface "ethernet2" preshare "CVyRB8D5NdO1cqsp01Cbh9oz1UnMb4vpDA==" sec-level standard
set ike gateway "DBN" address 196.212.0.2 Main outgoing-interface "ethernet2" preshare "EwmJYdCuNpabKEseO0CmNyDcidnXges7Jw==" sec-level standard
set ike gateway "RST" address 196.212.28.18 Main outgoing-interface "ethernet2" preshare "ATDgU77hNye7kfsLw6CXTpGRaln/g9BQ0g==" sec-level standard
set ike gateway "RHB" address 196.212.108.242 Main outgoing-interface "ethernet2" preshare "8082zSgiNQuLm4sdc4CBmChZcDnMbHjYgg==" sec-level standard
set ike gateway "RHB" cert peer-ca all
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "CPT_VPN" gateway "CPT" no-replay tunnel idletime 0 sec-level standard
set vpn "CPT_VPN" monitor rekey
set vpn "CPT_VPN" id 0x1 bind interface tunnel.1
set vpn "DBN_VPN" gateway "DBN" no-replay tunnel idletime 0 sec-level standard
set vpn "DBN_VPN" monitor rekey
set vpn "DBN_VPN" id 0x2 bind interface tunnel.2
set vpn "RST_VPN" gateway "RST" no-replay tunnel idletime 0 sec-level standard
set vpn "RST_VPN" monitor rekey
set vpn "RST_VPN" id 0x3 bind interface tunnel.3
set vpn "RHB_VPN" gateway "RHB" no-replay tunnel idletime 0 sec-level standard
set vpn "RHB_VPN" monitor rekey
set vpn "RHB_VPN" id 0x7 bind interface tunnel.4
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit
set l2tp default dns1 111.111.111.5
set l2tp default dns2 168.210.2.2
set l2tp default ippool "VPN DIALUP"
set l2tp "L2TP_Tunnel" id 2 outgoing-interface ethernet2 keepalive 60
set l2tp "L2TP_Tunnel" remote-setting ippool "VPN DIALUP"
set url protocol websense
exit
set policy id 16 from "Untrust" to "Trust"  "Any" "MIP(196.37.170.228)" "SSH" nat src permit
set policy id 16 disable
set policy id 16
exit
set policy id 15 from "Trust" to "Untrust"  "111.111.111.200/32" "Any" "HTTP" permit
set policy id 15
set src-address "111.111.111.5/32"
set src-address "111.111.111.69/32"
exit
set policy id 12 from "Untrust" to "Trust"  "Any" "VIP(ethernet3)" "POP3" permit log
set policy id 12
set service "SMTP"
exit
set policy id 14 from "Untrust" to "Trust"  "Dial-Up VPN" "Any" "ANY" tunnel l2tp "L2TP_Tunnel" log
set policy id 14
exit
set policy id 11 from "Trust" to "Untrust"  "Any" "Any" "HTTP" permit log url-filter
set policy id 11
exit
set policy id 13 from "Trust" to "Untrust"  "111.111.111.2/32" "Any" "MAIL" permit log
set policy id 13
exit
set policy id 9 from "Trust" to "Untrust"  "JHB" "RHB" "ANY" permit
set policy id 9
exit
set policy id 7 from "Trust" to "Untrust"  "JHB" "RST" "ANY" permit log
set policy id 7
exit
set policy id 6 from "Untrust" to "Trust"  "DBN" "JHB" "ANY" permit log count traffic priority 3
set policy id 6
set log session-init
exit
set policy id 5 from "Trust" to "Untrust"  "JHB" "DBN" "ANY" permit log count traffic priority 3
set policy id 5
set log session-init
exit
set policy id 3 from "Untrust" to "Trust"  "CPT" "JHB" "ANY" permit log
set policy id 3
exit
set policy id 10 from "Untrust" to "Trust"  "RHB" "JHB" "ANY" permit
set policy id 10
exit
set policy id 8 from "Untrust" to "Trust"  "RST" "JHB" "ANY" permit log
set policy id 8
exit
set policy id 2 from "Trust" to "Untrust"  "JHB" "CPT" "ANY" permit log
set policy id 2
exit
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 1
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set ntp server "70.85.16.124"
set ntp server backup1 "0.0.0.0"
set ntp server backup2 "0.0.0.0"
set ntp interval 30
set snmp port listen 161
set snmp port trap 162
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset add-default-route
set route 111.111.113.0/24 interface tunnel.1
set route 111.111.112.0/24 interface tunnel.2
set route 111.111.114.0/24 interface tunnel.3
set route 111.111.115.0/24 interface tunnel.4
set route 0.0.0.0/0 interface ethernet2 gateway 196.37.170.225
set access-list extended 10 src-ip 111.111.111.2/32 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 25-25 protocol tcp entry 1
set access-list extended 10 src-ip 111.111.111.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 80-80 protocol tcp entry 2
set access-list extended 10 src-ip 111.111.111.0/24 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 443-443 protocol tcp entry 3
set access-list extended 10 src-ip 111.111.111.5/32 dst-ip 0.0.0.0/0 src-port 1-65535 dst-port 53-53 protocol any entry 4
set match-group name Internet_Protocols
set match-group Internet_Protocols ext-acl 10 match-entry 1
set action-group name Route_out_89
set action-group Route_out_89 next-interface ethernet3 next-hop 196.212.41.89 action-entry 1
set pbr policy name Force_out_89
set pbr policy Force_out_89 match-group Internet_Protocols action-group Route_out_89 1
exit
set interface ethernet1 pbr Force_out_89
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit




Re: Web Filter Activation Problem

01-18-2011 06:16 AM

Hi

 

I got my device to work.

 

I downgraded from version 6.2 back to version 5.4r9 - my license is now there, along with the expected fields.

 

Andrew