We placed our SSG-5 interfaces into different bgroups with different networks in order to segment them (see attached). However, it appears that we are still able to ping and access resources across networks (see attached). We even tried to disable PING on bgroup1 and bgroup2 (see attached) but we are still able to PING across. Any idea what could be wrong in our setup? Please advise how we could segment them properly.
Thanks in advance,
You have all of the interfaces within the trust zone. It has been a while since I worked on the ScreenOS platform but by default traffic within a zone is allowed. Click the "block intra-subnet traffic" option on the I/F and I believe this will fix the issue. You will then need to write trust-to-trust security policies to let traffic flow.
Thanks Kevin. I tried your suggestion but I can still PING and access resources across the networks. Any other trick we could try?
What does your policy list look like for
from zone: trust to zone: trust
We don't have any policy set for Trust to Trust at the moment (see attached).
I think I get what you are trying to say now. 🙂 We just have to create policies which are similar to this attached screenshot, correct? If so, may I also ask if this example would be enough, no other option to be ticked? Please advise.
I think Steve would like to see if there is a policy allowing intrazone traffic, as you mentioned that you enabled intrazone block, so how is traffic being forwarded between 2 interfaces in the same zone without a security policy?
Intrazone block updates the implicit policy (by default permit) to deny, so there is no need to define a deny policy. Could you please share your Trust zone configuration?
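A simplified model of the lookup order Red1 describes (explicit policies for the zone pair first, then the implicit intrazone permit, which "Block Intra-Zone Traffic" turns into a deny), added here as an illustration; it is not ScreenOS code and not from the original thread. The bgroup names come from the thread; the subnets, the Policy/Zone shapes and the function names are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical interface-to-zone map modelled on the thread: two bgroups,
# each with its own subnet, both bound to the trust zone. The subnets are
# constructed sample values, not taken from the original post.
INTERFACES = {
    "bgroup1": {"zone": "trust", "net": ip_network("192.0.2.0/24")},
    "bgroup2": {"zone": "trust", "net": ip_network("198.51.100.0/24")},
}

@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    src_net: str
    dst_net: str
    action: str  # "permit" or "deny"

@dataclass
class Zone:
    name: str
    block_intrazone: bool = False  # the "Block Intra-Zone Traffic" checkbox

def owning_interface(ip):
    """Interface whose subnet contains ip (route lookup, simplified)."""
    for name, ifc in INTERFACES.items():
        if ip_address(ip) in ifc["net"]:
            return name
    raise ValueError(f"no interface owns {ip}")

def evaluate(src_ip, dst_ip, policies, zones):
    """Return (action, reason) for a src->dst flow: explicit policies for the
    zone pair are searched in order; if none matches, the implicit policy
    applies (permit within a zone unless that zone blocks intra-zone traffic,
    deny between zones)."""
    src_zone = INTERFACES[owning_interface(src_ip)]["zone"]
    dst_zone = INTERFACES[owning_interface(dst_ip)]["zone"]
    for i, p in enumerate(policies):
        if (p.src_zone, p.dst_zone) != (src_zone, dst_zone):
            continue
        if ip_address(src_ip) in ip_network(p.src_net) and ip_address(dst_ip) in ip_network(p.dst_net):
            return p.action, f"explicit policy {i}"
    if src_zone == dst_zone:
        if zones[src_zone].block_intrazone:
            return "deny", f"implicit intrazone deny ({src_zone} blocks intra-zone)"
        return "permit", f"implicit intrazone permit ({src_zone})"
    return "deny", f"implicit interzone deny ({src_zone}->{dst_zone})"
```

With no policies and the checkbox clear, a bgroup1-to-bgroup2 ping is permitted by the implicit policy, which is the behaviour the original post observed; setting the checkbox flips the same flow to deny until a trust-to-trust permit policy is added.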
Ah, I see. Thanks Red1. Yes, sure I can show it to you, I just don't know where to check the info in the firewall. Could you point me to where I can find the info so I could show it to you guys?
As Red1 mentioned, a lack of policy as you show with intrazone blocking turned on should deny traffic. So let's recap and confirm some settings.
With this setup the ping should be denied.
You may also want to configure the two explicit deny rules, the same rule you note with a reverse rule for source and destination. But ADD the check box for logging the traffic. This way we can see that the policy is used.
Should nothing show up in the logs we then would need to run a debug flow basic on the ping attempt to see how the ScreenOS is processing the session.
DEBUG FLOW BASIC:
Prepare the tool
1. undebug all - we are assuring that the debug utility is not already running.
2. get ffilter - we would expect to get no response. This tells us we have not set up any flow filters as of yet. If you should see filters listed you can delete them with unset ffilter.
Setup the capture
3. set ffilter src-ip x.x.x.x(computer A) dst-ip x.x.x.x(computer B)
4. set ffilter src-ip x.x.x.x(Computer B) dst-ip x.x.x.x(computer A) - by doing this we can observe the packets flowing in each direction and where any possible problems may be. Basically we want to define the end points of communication.
Capture the traffic
5. clear db - this will clear the debugging cache.
6. debug flow basic - this turns the debugging utility on.
7. initiate the traffic you are interested in capturing.
Pull the data
8. undebug all - turns the utility back off.
9. get db stream - this is the actual packet capture output that we want.
Remove the setup
10. unset ffilter 0 - this will need to be done twice, once for each filter that we set up earlier.
11. clear db - this will clear the cache.
To enable the intrazone block, go to Network > Zones, click edit on the zone you'd like to change.
I highlighted which option enables you to block intrazone traffic; check it and click OK to apply the change.
Oh, so it's the Block Intra-Zone traffic option, not the Block Intra-Subnet option as Kevin suggested before. But that's fine, he said it's been a while now since he worked with ScreenOS.
After I enabled the Block Intra-Zone traffic option, I can no longer PING across networks and access their resources as well. Thank you very much guys! I really appreciate all your help. 🙂