Wed, Aug 10, 2016 10:38 pm
DHCP Reserved Address from NetScreen Firewall
A Juniper Networks NetScreen firewall/router can be configured to function as a DHCP server; for the method to do so from a command line interface (CLI), which you can obtain by a Secure Shell (SSH) connection to the device, see Using a Juniper Networks NetScreen Firewall as a DHCP Server. The system can assign addresses dynamically from a pool of addresses you select, or you can have it assign a reserved, i.e., fixed, address based on the media access control (MAC) address of the system requesting a DHCP-assigned IP address.

You can determine what addresses have already been assigned to systems via DHCP using a command of the form get interface <interface> dhcp server ip allocate, where <interface> is a particular interface, e.g., trust, untrust, etc.

    ns5xp-> get interface trust dhcp server ip allocate
    IP              State   MAC             Lease Time
    192.168.0.34    COMMIT  *000d560e185e   3236 minutes
    192.168.0.35    COMMIT  *4c72b99cb82a   3925 minutes
    ns5xp->

If I wished to assign the IP address 192.168.0.7 to the system above with MAC address 4c72b99cb82a (shown in the output with a leading asterisk), I could use the command below:

    set interface trust dhcp server ip 192.168.0.7 mac 4c72b99cb82a

[/security/firewalls/netscreen]
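The listing above is easy to read by eye but easy to mistype when turning it into reservation commands. The script below is an added example, not code from the blog or from Juniper: it parses the "get interface ... dhcp server ip allocate" output as quoted in the post (the sample text is a constructed copy of that listing), strips the display-only asterisk from the MAC, validates the IP and MAC before building a "set interface ... dhcp server ip ... mac ..." command, and goes one step beyond the post by pinning every current lease to the address it already holds. The column layout is assumed to be the one shown in the post.

```python
import re

# Constructed sample of "get interface trust dhcp server ip allocate" output,
# modelled on the listing in the post (not captured from a real device).
SAMPLE_ALLOCATE_OUTPUT = """\
ns5xp-> get interface trust dhcp server ip allocate
IP              State   MAC             Lease Time
192.168.0.34    COMMIT  *000d560e185e   3236 minutes
192.168.0.35    COMMIT  *4c72b99cb82a   3925 minutes
ns5xp->
"""

# One lease row: IP, state, optional '*' then 12 hex digits, lease in minutes.
LEASE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<state>\S+)\s+"
    r"\*?(?P<mac>[0-9a-fA-F]{12})\s+"
    r"(?P<lease>\d+)\s+minutes\s*$"
)

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def parse_allocations(text):
    """Return one dict (ip, state, mac, lease_minutes) per lease line.
    Prompt, header and blank lines are skipped; the '*' in front of the MAC
    is dropped and the MAC is normalised to lower case."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if m:
            leases.append({
                "ip": m.group("ip"),
                "state": m.group("state"),
                "mac": m.group("mac").lower(),
                "lease_minutes": int(m.group("lease")),
            })
    return leases


def reservation_command(interface, ip, mac):
    """Build the ScreenOS command that pins an IP to a MAC. Input is checked
    first so a typo cannot produce a command that reserves the wrong address."""
    if not IPV4_RE.fullmatch(ip) or any(int(o) > 255 for o in ip.split(".")):
        raise ValueError(f"invalid IPv4 address: {ip!r}")
    mac = mac.replace(":", "").replace("-", "").lower()  # accept 4c:72:... too
    if not re.fullmatch(r"[0-9a-f]{12}", mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    return f"set interface {interface} dhcp server ip {ip} mac {mac}"


def pin_current_leases(interface, text):
    """Turn every current lease into a reservation for the same address, so each
    host keeps the IP it has now after its lease expires."""
    return [reservation_command(interface, lease["ip"], lease["mac"])
            for lease in parse_allocations(text)]


if __name__ == "__main__":
    for cmd in pin_current_leases("trust", SAMPLE_ALLOCATE_OUTPUT):
        print(cmd)
    print(reservation_command("trust", "192.168.0.7", "4c:72:b9:9c:b8:2a"))
```

Paste the generated lines into the SSH session one at a time; the validation only catches malformed input, so still confirm that each MAC really belongs to the host you intend before reserving an address for it.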
Fri, Jul 22, 2016 5:56 pm
Troubleshooting POP3S connections through a NetScreen firewall
A user reported that she was unable to receive email using her Outlook email client. When I checked her system, I found that Outlook 2016 was reporting the following error message:

    Task 'nell@example.com - Receiving' reported error (0x80042108): 'Outlook cannot connect to your incoming (POP3) email server. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).'

I verified that I could connect to the email server on the SMTP port, port 25, and the POP3 port, port 110, from external systems, and she told me that her husband's system was able to check his email successfully. Since I knew his system was establishing a POP3 connection to the mail server to check email, but her system was establishing an encrypted POP3S connection on port 995, I checked the Linux email server to verify that it was listening for connections on port 995, since there had been a power outage at its location recently that I thought might have caused it to reboot. It was listening on that port.

    $ netstat -a | grep -i pop3s
    tcp        0      0 0.0.0.0:pop3s           0.0.0.0:*               LISTEN
    tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN

So I thought the problem was likely at a NetScreen firewall between the user and the server. I logged into the firewall via Secure Shell (SSH). I verified that there were no filters currently set for the firewall and then set a filter for destination port 995 with the command set ffilter dst-port 995. I then cleared the debug buffer with clear db and started debugging on the router/firewall with debug flow basic; see NetScreen Debugging Commands for an explanation of the debugging commands. I could see that TCP packets were reaching the firewall, but the firewall was reporting "packet dropped: for self but not interested".

[/security/firewalls/netscreen]
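The netstat check above answers the first troubleshooting question: is the server actually listening on 995, and on an address a remote client can reach? The following is an added example, not code from the post: it parses "netstat -a" output in the layout quoted above (the sample is constructed, with a few extra sockets added so the filter has something to ignore) and reports, per service, whether an IPv4 or IPv6 listener exists and whether the service is bound only to loopback, which would LISTEN just as the grep shows but still be unreachable from the firewall side. Service names rather than numeric ports are assumed, as in the post's "netstat -a" (without -n).

```python
import re

# Constructed netstat output modelled on the two pop3s lines in the post, plus
# unrelated sockets: an smtp listener bound only to loopback and an established
# pop3s session that must not be mistaken for a listener.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:pop3s           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:smtp          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:pop3s        198.51.100.7:51234      ESTABLISHED
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN
tcp6       0      0 [::]:ssh                [::]:*                  LISTEN
"""

# Proto, Recv-Q, Send-Q, local, foreign, optional state (udp rows have none).
SOCKET_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?\s*$"
)

# Loopback spellings seen in netstat output; '[::1]' is the bracketed form.
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}


def listeners(text):
    """Map each listening service/port name to the set of (proto, address)
    pairs bound to it. Non-LISTEN rows and header lines are ignored."""
    bound = {}
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if not m or m.group("state") != "LISTEN":
            continue
        # rpartition copes with both '[::]:pop3s' and ':::pop3s' spellings.
        addr, _, port = m.group("local").rpartition(":")
        bound.setdefault(port, set()).add((m.group("proto"), addr))
    return bound


def listening_on(text, service):
    """Summarise where `service` is bound. A loopback-only binding shows up in
    a grep for LISTEN but cannot be reached through the firewall."""
    entries = listeners(text).get(service, set())
    return {
        "ipv4": any(p == "tcp" and a not in LOOPBACK for p, a in entries),
        "ipv6": any(p == "tcp6" and a not in LOOPBACK for p, a in entries),
        "loopback_only": bool(entries) and all(a in LOOPBACK for _, a in entries),
    }


if __name__ == "__main__":
    for svc in ("pop3s", "smtp", "imaps"):
        print(svc, listening_on(SAMPLE_NETSTAT, svc))
```

If "ipv4" and "ipv6" are both false for the service, the problem is on the server; if either is true (as for pop3s here), the next place to look is the path between client and server, which is where the post goes next with the firewall's flow filter and debug buffer.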
Thu, Jul 07, 2016 9:46 pm
Correcting the time and date on a NetScreen router/firewall via a CLI
If you wish to check or update the date and time on a Juniper NetScreen router/firewall from a command line interface, you can establish a Secure Shell (SSH) connection to the device, provided you have already configured it to permit SSH access. You can then use the get clock command to view the current date and time on the NetScreen device.

    ns5gt-> get clock
    Date 06/24/1997 07:43:02, Daylight Saving Time enabled
    The Network Time Protocol is Disabled
    Up 917 hours 27 minutes 27 seconds Since 17 May 1997 02:15:35
    867138182.710668 seconds since 1/1/1970 0:0:0 GMT
    GMT time zone area -5:00
    GMT time zone offset 4:00
    ns5gt->

In the above output, I can see that the date and time are not set correctly. I can see that the time offset from Greenwich Mean Time (GMT) is four hours, which is currently correct for this device, though. You can see the current GMT time as well as the times for many major cities throughout the world at The World Clock - Worldwide.

The set clock command can be used to set the date.

    ns5gt-> set clock ?
    mm/dd/yyyy       month/day/year
    dst-off          disable daylight saving time
    ntp              enable network time protocol
    timezone         GMT Time zone area
    ns5gt->

You can specify the month, date, and year in the form mm/dd/yyyy. The time should be specified after the date in the form hh:mm or hh:mm:ss.

[/security/firewalls/netscreen]
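A firewall clock that is years off makes every log timestamp useless for incident reconstruction, so it is worth checking "get clock" output programmatically rather than by eye. The script below is an added example and not code from the post: it parses the fields of the "get clock" output quoted above (the sample is a constructed copy of that listing), checks that the epoch counter minus the uptime agrees with the "Since" boot time, and builds the "set clock mm/dd/yyyy hh:mm:ss" command for a given UTC time and local offset in the format the post describes. It assumes the month names and field order shown in the post; whether the device's epoch counter is in UTC or local time is not stated on the page, so the consistency check only compares the device's own fields with each other.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed copy of the "get clock" output quoted in the post.
SAMPLE_GET_CLOCK = """\
Date 06/24/1997 07:43:02, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 917 hours 27 minutes 27 seconds Since 17 May 1997 02:15:35
867138182.710668 seconds since 1/1/1970 0:0:0 GMT
GMT time zone area -5:00
GMT time zone offset 4:00
"""


def parse_get_clock(text):
    """Extract the displayed date, uptime, boot time ('Since'), epoch counter
    and NTP state. Displayed and 'Since' values are kept as naive wall-clock
    datetimes; the epoch counter becomes an aware UTC datetime."""
    fields = {}
    m = re.search(r"^Date (\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)", text, re.M)
    fields["displayed"] = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
    m = re.search(r"^Up (\d+) hours (\d+) minutes (\d+) seconds Since (.+)$", text, re.M)
    hours, minutes, seconds = (int(x) for x in m.groups()[:3])
    fields["uptime"] = timedelta(hours=hours, minutes=minutes, seconds=seconds)
    fields["since"] = datetime.strptime(m.group(4).strip(), "%d %b %Y %H:%M:%S")
    m = re.search(r"^([\d.]+) seconds since 1/1/1970", text, re.M)
    fields["epoch"] = datetime.fromtimestamp(int(float(m.group(1))), tz=timezone.utc)
    fields["ntp_enabled"] = "Network Time Protocol is Enabled" in text
    return fields


def uptime_consistent(fields):
    """True when epoch counter minus uptime lands on the 'Since' boot time.
    A mismatch means the clock was stepped after boot or the counter drifted."""
    boot = fields["epoch"] - fields["uptime"]
    return boot.replace(tzinfo=None) == fields["since"]


def set_clock_command(when_utc, utc_offset_hours):
    """Build 'set clock mm/dd/yyyy hh:mm:ss' for the device's local time, given
    the true UTC time and the offset the device should be using (-4 for the
    four-hour offset mentioned in the post)."""
    local = when_utc + timedelta(hours=utc_offset_hours)
    return f"set clock {local:%m/%d/%Y %H:%M:%S}"


if __name__ == "__main__":
    f = parse_get_clock(SAMPLE_GET_CLOCK)
    print("displayed:", f["displayed"], "ntp:", f["ntp_enabled"])
    print("boot time agrees with uptime:", uptime_consistent(f))
    # Command to set the device to the current time at UTC-4.
    print(set_clock_command(datetime.now(timezone.utc), -4))
```

For the sample above the boot-time check passes, so the device's clock has simply never been set rather than having been stepped since boot; enabling NTP, as the next post on this page describes, is the durable fix rather than a one-off set clock.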
Tue, Apr 19, 2016 10:14 pm
Troubleshooting RDP through a NetScreen Firewall
I needed to determine why a Remote Desktop Protocol (RDP) connection could not be established through a NetScreen firewall to a Microsoft Windows system on the trusted side of the firewall, so I logged into the firewall and set a filter to capture traffic on port 3389, the port used for RDP connections. I then turned "snooping" on by issuing the snoop command, which led me to realize that I was trying to connect to the wrong IP address.

I was using the rdesktop program on an Ubuntu Linux system to establish the connection to the Microsoft Windows system. After I realized my error regarding the destination IP address, I was able to establish the RDP connection, but then received a "Connect a smart card" message when I got to the login screen and clicked on the relevant account. I was able to log into the system, however, if I used the -p option with the rdesktop command to supply the password for an account on the Microsoft Windows system.

[/security/firewalls/netscreen]
Sun, Jul 19, 2015 9:57 pm
Configuring a Custom Service from the CLI on a NetScreen Firewall
If you need to configure a custom service from the command line interface (CLI) you obtain by a Secure Shell (SSH) connection to a Juniper NetScreen Firewall running ScreenOS, you can use the set service command. E.g., to create a custom service for an SSH server listening on a non-standard port for SSH, you could use something like the following, if the server is listening on port 2005:

    set service "Auburn SSH" protocol tcp src-port 1024-65535 dst-port 2005-2005

The text in quotation marks immediately after set service is just a descriptive name you can give to the service to make the purpose of the custom service more immediately identifiable.

If you have not yet created an address book entry for the system running the custom service, you can use the set address command to create it.

[/security/firewalls/netscreen]
Mon, Jul 06, 2015 10:53 pm
Juniper NetScreen SNMP Information
Juniper NetScreen Firewalls running the ScreenOS operating system, including older models, such as a NetScreen-5GT firewall, can be configured for Simple Network Management Protocol (SNMP) support to monitor bandwidth utilization, etc. SNMP information can be viewed or configured through the web-based interface or via the command line interface (CLI) using the get snmp, set snmp and unset snmp commands.

[/security/firewalls/netscreen]
Sun, Jun 28, 2015 9:08 pm
Viewing Policies and Configuring a Policy for FTP
You can check the current policies in a Juniper NetScreen firewall running the ScreenOS operating system, such as a NetScreen-5GT firewall, with get policy all, but you can also display just those policies affecting transmissions from one particular zone to another zone by adding from from_zone to to_zone to the end of the command. E.g., get policy from untrust to trust would show only those policies that apply to traffic from the untrust zone to the trust zone.

To view only those policies that apply to a particular service, such as FTP, I could use get policy from untrust to trust | include FTP.

    ns5gt-> get policy from untrust to trust | include FTP
    24 Untrust  Trust  ACME VPN  VIP(untrust)  FTP  Permit  enabled  ---X-X
    25 Untrust  Trust  ACI       VIP(untrust)  FTP  Permit  enabled  ---X-X
    ns5gt->

Steps are listed here that can be used to create a policy that will allow FTP connectivity from external systems to an internal FTP server behind the firewall.

[/security/firewalls/netscreen]
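"| include FTP" matches the string anywhere on the line, so an address-book entry or policy name containing "FTP" would also be listed. The script below is an added example, not code from the post or from Juniper: it parses policy rows in the column order shown in the listing above (the sample is constructed from the two FTP rows plus extra rows so there is something to filter out; the header row is my reconstruction, since the post's listing omits it) and filters on the Service column only. It also pulls out enabled Permit policies whose source is Any, which are the rows a reviewer of inbound untrust-to-trust access would want to see first. Multi-word source names such as "ACME VPN" are handled by anchoring on the fixed trailing columns; a multi-word destination name would be split wrongly, a limitation noted in the code.

```python
import re

# Constructed "get policy" listing modelled on the post's two FTP rows. The
# header line is a reconstruction (the post's output does not show it) and the
# rows 26-28 are invented so that filtering has rows to exclude.
SAMPLE_POLICIES = """\
ns5gt-> get policy from untrust to trust
ID From     To     Src-address  Dst-address   Service  Action State    ASTLCB
24 Untrust  Trust  ACME VPN     VIP(untrust)  FTP      Permit enabled  ---X-X
25 Untrust  Trust  ACI          VIP(untrust)  FTP      Permit enabled  ---X-X
26 Untrust  Trust  Any          VIP(untrust)  HTTP     Permit enabled  ---X-X
27 Untrust  Trust  Any          Any           ANY      Deny   enabled  -----X
28 Untrust  Trust  Any          VIP(untrust)  TELNET   Permit disabled ---X-X
ns5gt->
"""

# Source address is matched lazily so names with spaces ("ACME VPN") work; the
# destination, service, action, state and flag columns are single tokens.
# Limitation: a destination name containing spaces would have its leading
# words absorbed into the source column.
POLICY_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<from>\S+)\s+(?P<to>\S+)\s+(?P<src>.+?)\s+"
    r"(?P<dst>\S+)\s+(?P<service>\S+)\s+"
    r"(?P<action>Permit|Deny|Reject|Tunnel)\s+"
    r"(?P<state>enabled|disabled)\s+(?P<flags>\S+)\s*$"
)


def parse_policies(text):
    """Return one dict per policy row; prompt and header lines are skipped."""
    policies = []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["id"] = int(p["id"])
            policies.append(p)
    return policies


def policies_for_service(policies, service):
    """Like '| include FTP', but only the Service column is compared, so a
    policy whose address name happens to contain 'FTP' is not a false hit."""
    return [p for p in policies if p["service"].upper() == service.upper()]


def permissive_inbound(policies):
    """Enabled Permit policies with source Any: the broadest grants, and the
    ones to review first when auditing what the untrust zone may reach."""
    return [p for p in policies
            if p["action"] == "Permit" and p["state"] == "enabled" and p["src"] == "Any"]


if __name__ == "__main__":
    pol = parse_policies(SAMPLE_POLICIES)
    for p in policies_for_service(pol, "ftp"):
        print(p["id"], p["src"], "->", p["dst"], p["service"])
    print("permit-from-Any:", [p["id"] for p in permissive_inbound(pol)])
```

Capture the output of "get policy from untrust to trust" to a file from your SSH client and feed it to parse_policies; the same functions work for any zone pair as long as the columns are in the order shown.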
Wed, May 13, 2015 9:07 pm
Monitoring Interface Bandwidth Utilization on a NetScreen Firewall
While checking on a performance problem at a site using a NetScreen 5GT firewall, I found that when I accessed the Interface Bandwidth report from the web-based management interface, the report was showing zero Kbps for the utilized bandwidth on all interfaces, which was obviously wrong, since data was flowing through the firewall. I found that I needed to enable traffic shaping mode on the firewall to get that report to actually show the bandwidth being used for the interfaces on the firewall.

Traffic shaping is a mechanism to give certain types of data flows precedence over others, with lower priority traffic being buffered. In this case I didn't actually "shape" the traffic, but just enabled traffic shaping mode so that I could see the current bandwidth being used on interfaces.

[/security/firewalls/netscreen]
Tue, May 12, 2015 11:22 pm
Checking and setting NTP information on a NetScreen firewall
While checking the configuration of a Juniper Networks NetScreen-5GT firewall, I noticed that the time was incorrect and that it was not set up to query a Network Time Protocol (NTP) server to ensure its time was accurate. From the web management interface, you can check and set the NTP information for a Juniper NetScreen firewall, such as the NetScreen-5GT firewall, by clicking on Date/Time beneath the Configuration option on the menu.

The NTP configuration can also be viewed and set from a command line interface accessible by SSH using the get ntp and set ntp commands. Up to three NTP servers can be configured, and the time interval for NTP queries can be specified.

[/security/firewalls/netscreen]
Sun, Jan 11, 2015 4:33 pm
Using a Juniper Networks NetScreen Firewall as a DHCP Server
A Juniper Networks NetScreen firewall running the ScreenOS operating system can also serve as a DHCP server. The firewall can be configured through a GUI by accessing the firewall from a browser, but it also has a command line interface, which is accessible via an SSH connection. The DHCP configuration provided by the server upon DHCP client requests can be configured via the command line interface, where you can set the DNS servers, gateway address, netmask, etc., or enable and disable the DHCP server functionality in the firewall.

[/security/firewalls/netscreen]