Screen OS

  • 1.  Allow only 4 IP addresses to access the internet

    Posted 04-21-2010 00:37

    Hi Guys,


    I have an SSG5 firewall and I don't know how to configure it to limit internet access to 4 PCs based on IP address. I want to allow only 4 IP addresses to have internet access.


    Please help me configure it, or please help me find documents with that sample setup.


    Thanks in advance,


  • 2.  RE: Allow only 4 IP addresses to access the internet

    Posted 04-21-2010 04:47

    ok, you need to go to Policy > Policy Elements > Addresses > List. Create an address book entry for each of the 4 addresses with a 32 bit mask. Then go to Addresses > Groups and create a group called internet access for example and add all of the address objects to it which you created previously.


    Now go to policies and select from Trust  to Untrust if this is the way your zones are setup. Make sure there is a deny all rule from Trust to Untrust and then above it, create a policy which allows traffic from the group you created to Any and then you can select the protocols you want to allow etc or just leave it to allow anything and that should be it.

  • 3.  RE: Allow only 4 IP addresses to access the internet
    Best Answer

    Posted 04-21-2010 05:04

    This will be controlled by policies.  You will need to create address objects for the four PCs, then write a rule that allows their access to the untrust zone.  If the device is already up and allowing all access to the internet now, you will modify the existing policy to only apply to these PCs.


    • Create address objects under webUI Policy--Policy Objects--List
    • Optionally put all four into a group under Policy--Policy Objects--Groups
    • Create or modify the trust to untrust access policy under Policy--Policies

      If you are Blocking ALL internet access for ALL services


    • select trust to untrust on pull down for a list
    • If the default any source to any destination for any service allow rule exists hit edit
    • Change the source address to your new group
    • If this rule does not exist then create it

      If you are ONLY blocking web sites create these two NEW rules and leave the default alone


    • select trust to untrust on pull down for a list
    • Rule 1: Create a new rule to block web ports
    • use any source to any destination, choose action deny, and under services hit multiple and pick HTTP and HTTPS
    • Move this rule to before the last allow all rule on the list

    • Rule 2: Create a new rule to allow the four PCs
    • use the address group or PC addresses as source to any destination, choose action allow, and under services hit multiple and pick HTTP and HTTPS
    • Move this rule to BEFORE Rule 1 for the deny
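
    The ScreenOS CLI equivalent of the WebUI steps in replies 2 and 3, as an added example that is not part of the thread. Zone names (trust/untrust), object names, policy IDs and the 192.168.1.x addresses are assumptions; lines beginning with # are annotations for the reader, not CLI input.

```screenos
# Step 1: one /32 address object per PC in the trust zone (reply 2: "32 bit mask")
set address trust "pc-1" 192.168.1.11 255.255.255.255
set address trust "pc-2" 192.168.1.12 255.255.255.255
set address trust "pc-3" 192.168.1.13 255.255.255.255
set address trust "pc-4" 192.168.1.14 255.255.255.255

# Step 2: collect the four objects in an address group
set group address trust "internet-access" add "pc-1"
set group address trust "internet-access" add "pc-2"
set group address trust "internet-access" add "pc-3"
set group address trust "internet-access" add "pc-4"

# Variant A (blocking ALL internet access for ALL services):
# policy 10 permits the group, policy 20 is an explicit, logged deny for
# everyone else, and the move keeps the permit above the deny.
set policy id 10 from trust to untrust "internet-access" any any permit
set policy id 20 from trust to untrust any any any deny log
set policy move 10 before 20

# Variant B (ONLY blocking web sites, existing allow-all rule left alone):
# a service group carries both web ports so each policy is a single line.
set group service "web" add "HTTP"
set group service "web" add "HTTPS"
# "top" inserts each new policy at the head of the list, so create the deny
# (Rule 1) first and the permit (Rule 2) second; the permit then sits above it.
set policy id 30 top from trust to untrust any any "web" deny log
set policy id 31 top from trust to untrust "internet-access" any "web" permit

# Verify the final order; ScreenOS evaluates policies top-down, first match wins.
get policy from trust to untrust
save
```

    After `get policy from trust to untrust`, confirm the permit for the group is listed above the deny and that nothing else matches earlier. Note that the control is by source IP only: a host that changes its address can land inside or outside the group, so pair this with static addressing or DHCP reservations for the four PCs.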

  • 4.  RE: Allow only 4 IP addresses to access the internet

    Posted 04-24-2010 03:42

    Thanks Guys,


    Your suggestions are all working.

  • 5.  RE: Allow only 4 IP addresses to access the internet

    Posted 04-24-2010 03:45

    Thanks Guys,


    All your suggestions are working...