Screen OS

Hi Guys,

We have a server that we would like to isolate. Thus, we would like to segment if from our network. What are the possible ways to do that in SSG5? Can we put it on another interface, will that work? Please advise.

Thank You,

Arnel

The simplest way to accomplish this would be to use your eth0/1 DMZ interface.

Assign a network range to this interface

Assign an address in this range to the server using the interface as your gateway for the server

Connect the server to this interface

Write polcies to permit access to and from the dmz zone as desired

Thanks Steve! So just to confirm even if we put the server on the DMZ interface we can still set policies as security measures, correct?

Thanks again,

Arnel

Correct, by default on the SSG any traffic from one zone to a second zone is denied.

You will need to create a specific allow policy for any traffic to get from the trust or untrust zone into the dmz zone.

Likewise for the dmz zone server you will need to create policies that allow this communication to leave the dmz zone interface.

Thank you very much Steve! I really appreciate it. 🙂

By the way, with regards to these interfaces (see attached), will it be possible to move eth0/4 and eth0/5 to bgroup1? Can you help me with the steps if this is doable?

Thanks again!

Arnel

To move interfaces in a bgroup

Hit the edit button next to bgroup1

Select the "bind port" tab

Place a check box next to e0/4 & 0/5

Hit the apply button

the interfaces are moved.

Cool! Thanks Steve. 🙂

One last question. If we need to bring down an interface temporarily, is this the right way to do it (see attached)? Choosing "Yes" for the Linkdown option? Please advise.

Thank You!

Arnel

Correct, the link down option will force the link offline until you reverse the setting manually.

Thank you very much Steve!!