Screen OS

 View Only
last person joined: 6 months ago 

This is a legacy community with limited Juniper monitoring.
  • 1.  How to prevent access across interfaces?

    Posted 02-20-2014 13:07

    Hi Guys,

     

    We placed our SSG-5 interfaces into different bgroups with different networks in order to segment them (see attached). However, it appears that we are still able to ping and access resources across networks (see attached) . We even tried to disabled PING on bgroup1 and bgroup2 (see attached) but we are still able to PING across. Any idea what could be wrong in our setup? Please advise how we could segment them properly.

     

    Thanks in advanced,

     

    Arnel


    #SSG5
    #ping
    #Access
    #interfaces
    #bgroup


  • 2.  RE: How to prevent access across interfaces?

    Posted 02-20-2014 13:28

    You have all of the interfaces within the trust zone. It has been a while since I worked on the ScreenOS platform but by default traffic within a zone is allowed. Click the "block intra-subnet traffic" option on the I/F and I believe this will fix the issue. You will then need to write trust-to-trust security policies to let traffic flow.



  • 3.  RE: How to prevent access across interfaces?

    Posted 02-20-2014 13:50

    Thanks Kevin. I tried your suggestion but I can still PING and access resources across the networks. Any other trick we could try?

     

    Thank you,

     

    Arnel



  • 4.  RE: How to prevent access across interfaces?

    Posted 02-20-2014 17:18

    What does your policy list look like for 

     

    from zone: trust      to zone: trust

     



  • 5.  RE: How to prevent access across interfaces?

    Posted 02-21-2014 06:22
      |   view attached

    Hi Steve,

     

    We dont have any policy set for Trust to Trust at the moment (see attached).

     

    Thank You!

     

    Arnel 



  • 6.  RE: How to prevent access across interfaces?

    Posted 02-21-2014 06:47
      |   view attached

    Hey Steve, 

     

    I think I get what you are trying to say now. 🙂 We just have to create policies which is simillar to this attached screenshot, correct? If so, may I also ask if this example would be enough, no other option to ticked? Please advise.

     

    Thank You!

     

    Arnel 



  • 7.  RE: How to prevent access across interfaces?

     
    Posted 02-21-2014 15:57

    Hello 

     

    I think Steve would like to see if there is a policy allowing intrazone traffic , as you mentionned that you enabled intrazone block , so how taffic is being forwarded between 2 interfaces in the same zone without security policy,

     

    Intrazone block updates the implicit policy (by default permit) to be deny , so no need to define a deny policy, could you please share your Trust zone configuration

     

    Regards

     



  • 8.  RE: How to prevent access across interfaces?

    Posted 02-22-2014 08:29

    Ah, I see. Thanks Red1. Yes, sure I can show it to you I just dont know where to check the info in the firewall. Could point me where can find the info so I could show it to you guys?

     

    Thanks again,

     

    Arnel



  • 9.  RE: How to prevent access across interfaces?

    Posted 02-22-2014 08:46

    As Red1 mentioned, a lack of policy as you show with intrazone blocking turned on should deny traffic.  So let's recap and confirm some settings.

     

    1. Zone trust has the intrazone blocking checked
    2. The two computers are physically connected to the ports in DIFFERENT bgroup interfaces with the bgroup interface as the default gateway
    3. There is no policy configured to permit traffic

    With this setup the ping should be denied.

     

    You may also want to configure the two explicit deny rules, the same rule you note with the a reverse rule for source and destination.  But ADD the check box for logging the traffic.  This way we can see that the policy is used.

     

    Should nothing show up in the logs we then would need to run a debug flow basic on the ping attempt to see how the ScreenOS is processing the session.

     

    Spoiler

    DEBUG FLOW BASIC :

    ==================

     

    Prepare the tool

    1. undebug all - we are assuring that the debug utility is not already running. 

    2. get ffilter - we would expect to get no response. This tells us we have not set up any flow filters as of yet. If you should see filters listed you can delete them with unset ffilter. 

     

    Setup the capture

    3. set ffilter src-ip x.x.x.x(computer A) dst-ip x.x.x.x(computer B) 

      set ffilter src-ip x.x.x.x(Computer B) dst-ip x.x.x.x(computer A) by doing this we can observe the packets flowing in each direction and where any possible problems may be. Basically we want to define the end points of communication.

     

    Capture the traffic

    5. clear db - this will clear the debugging cache. 

    6. debug flow basic - this turns the debugging utility on. 

    7. initiate the traffic you are interested in capturing. 

     

    Pull the data

    8. undebug all - turns the utility back off.  

    9. get db stream - this is the actual packet capture output that we want. 

     

    Remove the setup

    10.unset ffilter 0 - this will need to be done twice, once for each filter that we set up earlier. 

    11.clear db - this will clear the cache.

     



  • 10.  RE: How to prevent access across interfaces?
    Best Answer

     
    Posted 02-22-2014 09:27

    Hello 

     

    to enable the intrazone block , go to Network > Zones , click edit  zone you'd like to change

     

    I highlighted which option enable you to block intrazone traffic, check it and click OK to apply the change 

     

    intrazone block.PNG


    #zones
    #Intra-zone
    #Block
    #screenos


  • 11.  RE: How to prevent access across interfaces?

    Posted 02-23-2014 07:18

    Oh, so its the Block Intra-Zone traffic option not the Block Intra-Subnet option as Kevin suggested before. But  thats fine, he said its been a while now since he worked with ScreenOS.

     

    After I enabled the Block Intra-Zone traffic option, I can no longer PING across networks and access their resources as well. Thank you very much guys! I really appreciate all your help. 🙂

     

    Regards,

     

    Arnel