Screen OS

  • 1.  SSG 20 Quick Questions.

    Posted 11-19-2009 15:21



    I have some questions regarding the configuration for SSG 20:


    1- I have denied all traffic from untrust to trust, and that's worked fine.

    2- I have tried to deny all traffic from trust to untrust and make a new policy for allowing HTTP, HTTPS and VOIP, but no traffic goes out, so I am wondering what the problem is.

    3- On web management I have redirected HTTP to HTTPS, but when I tried to access the web management for the SSG, I received a message that this is an untrusted website. What do I need to do to correct this (maybe I need to create a certificate or something)?

    4- How do I log every connection that connects to the SSG from the internet?

    5- Any more ideas for hardening the SSG would be appreciated.


    Thanks in advance for your collaboration.




  • 2.  RE: SSG 20 Quick Questions.
    Best Answer

    Posted 11-20-2009 07:11

    1- fine

    2- you have to move the new policy before the deny policy. Policies will be searched in top-down order.

    3- the SSG has a self-signed certificate for HTTPS which is not trusted by your browser. It is OK if you trust it.

        Otherwise you need to buy a certificate from a trusted authority.

    4- check the logging checkbox on every policy, where you want to log traffic

    5- the default settings on the untrust zone are already set to harden the ssg.

        change the default username and password

       don't allow management of the SSG from outside unless really needed.


    best regards


    If this worked for you please flag my post as an "Accepted Solution" so others can benefit.
    A kudo would be cool if you think I earned it.
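
Added example (not part of the original thread): a simplified Python model of the top-down policy search described in answer 2, showing why permit policies placed below a deny-all never match and how moving them above it fixes the lookup. Policy ids, zone names and services are constructed, and matching is reduced to zone pair plus a single service.

```python
# Simplified first-match policy model; all policy data below is constructed.
from dataclasses import dataclass

ANY = "any"

@dataclass(frozen=True)
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    service: str   # one service name, or "any"
    action: str    # "permit" or "deny"

def covers(earlier, later):
    """True if every flow matching `later` already matches `earlier`."""
    return (earlier.src_zone == later.src_zone
            and earlier.dst_zone == later.dst_zone
            and earlier.service in (ANY, later.service))

def lookup(policies, src_zone, dst_zone, service):
    """Return the first policy, searched top-down, that matches the flow."""
    for p in policies:
        if (p.src_zone, p.dst_zone) == (src_zone, dst_zone) and p.service in (ANY, service):
            return p
    return None  # no policy in the list matched

def shadowed(policies):
    """Return (later_id, earlier_id) pairs where the later policy can never match."""
    hits = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if covers(earlier, later):
                hits.append((later.pid, earlier.pid))
                break
    return hits

def move_before(policies, pid, target_pid):
    """Return a new list with policy `pid` placed directly before `target_pid`."""
    moved = next(p for p in policies if p.pid == pid)
    rest = [p for p in policies if p.pid != pid]
    idx = next(i for i, p in enumerate(rest) if p.pid == target_pid)
    return rest[:idx] + [moved] + rest[idx:]

# Constructed rule set reproducing the question: deny-all sits above the permits.
BROKEN = [Policy(1, "trust", "untrust", ANY, "deny"),
          Policy(2, "trust", "untrust", "HTTP", "permit"),
          Policy(3, "trust", "untrust", "HTTPS", "permit")]
FIXED = move_before(move_before(BROKEN, 2, 1), 3, 1)
```

Running `shadowed()` over an exported rule list before and after a reorder is a quick way to confirm that no permit is still hidden behind a broader policy.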


  • 3.  RE: SSG 20 Quick Questions.

    Posted 11-20-2009 11:28

    Dear Thorsten,


    Your instructions work fine for me; your efforts are appreciated.


    Thanks a lot.




  • 4.  RE: SSG 20 Quick Questions.

    Posted 09-20-2011 23:52



    I need help configuring a new SSG 20 router. I reset the previous data, and I put in a new configuration, which is:

    i) Port 0 connects to the internet connection (WAN)

    ii) Port 2 for LAN


    I changed all the configuration using the NetScreen GUI. I set bgroup 0 as a trust zone IP address (static IP).

    Ethernet 0 obtains its IP using DHCP, since the WAN connection is DHCP, and is assigned as a trust zone. Wireless 0/0 is set as a trust zone and IP, and all ports are in NAT interface mode.


    Do I need to bind all ports (ethernet 0 and wireless 0/0) into bgroup0? Or did I miss any important step?


    Need your opinion