MoonPoint Support Logo


Shop Amazon Warehouse Deals - Deep Discounts on Open-box and Used ProductsAmazon Warehouse Deals

Advanced Search
Sun Mon Tue Wed Thu Fri Sat
23 24 25 26 27 28 29
Jul Aug Sep
Oct Nov Dec

Wed, Aug 10, 2016 10:38 pm

DHCP Reserved Address from NetScreen Firewall

A Juniper Networks NetScreen firewall/router can be configured to function as a DHCP server; for the method to do so from a command line interface (CLI), which you can obtain by a Secure Shell (SSH) connection to the device, see Using a Juniper Networks NetScreen Firewall as a DHCP Server. The system can assign addresses dynamically from a pool of addresses you select or you can have it assign a reserved, i.e., fixed, address based on the media access control (MAC) address of the system requesting a DHCP-assigned IP address.

You can determine what addresses have already been assigned to systems via DHCP using a command in the form get interface <interface> dhcp server ip allocate where interface is a particular interface, e.g., trust, untrust, etc.

ns5xp-> get interface trust dhcp server ip allocate
       IP         	State	     MAC     	Lease Time   	COMMIT	*000d560e185e	3236 minutes   	COMMIT	*4c72b99cb82a	3925 minutes

If I wished to assign the IP address to the system above with MAC address 4c72b99cb82a, I could use the command below:

set interface trust dhcp server ip mac 4c72b99cb82a

[ More Info ]

[/security/firewalls/netscreen] permanent link

Fri, Jul 22, 2016 5:56 pm

Troubleshooting POP3S connections through a NetScreen firewall

A user reported that she was unable to receive email using her Outlook email client. When I checked her system, I found that Outlook 2016 was reporting the following error message:

Task ' - Receiving' reported error (0x80042108): 'Outlook cannot connect to your incoming (POP3) email server. If you continue to receive this message, contact your server administrator or Internet service provider (ISP).'

I verified that I could connect to the email server on the SMTP port, port 25, and the POP3 port, port 110, from external systems and she told me that her husband's system was able to check his email successfully. Since I knew his system was establishing a POP3 connection to the mail server to check email, but her system was establishing an encrypted POP3S connection on port 995, I checked the Linux email server to verify that it was listening for connections on port 995, since there had been a power outage at its location recently that I thought might have caused it to reboot. It was listening on that port.

$ netstat -a | grep -i pop3s
tcp        0      0 *               LISTEN     
tcp6       0      0 [::]:pop3s              [::]:*                  LISTEN

So I thought the problem was likely at a NetScreen firewall between the user and the server. I logged into the firewall via Secure Shell (SSH). I verified that there were no filters currently set for the firewall and then set a filter for destination port 995 with the command set ffilter dst-port 995. I then cleared the debug buffer with clear db and started debugging on the router/firewall with debug flow basic - see NetScreen Debugging Commands for an explanation of the debugging commands. I could see that TCP packets were reaching the firewall, but the firewall was reporting "packet dropped: for self but not interested".

[ More Info ]

[/security/firewalls/netscreen] permanent link

Thu, Jul 07, 2016 9:46 pm

Correcting the time and date on a NetScreen router/firewall via a CLI

If you wish to check or update the date and time on a Juniper NetScreen router/firewall from a command line interface, you can establish a Secure Shell (SSH) connection to the device, provided you have already configured it to permit SSH access. You can then use the get clock command to view the current date and time on the Netscreen device.
ns5gt-> get clock
Date 06/24/1997 07:43:02, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 917 hours 27 minutes 27 seconds Since 17 May 1997 02:15:35
867138182.710668 seconds since 1/1/1970 0:0:0 GMT
GMT time zone area -5:00
GMT time zone offset 4:00

In the above output, I can see that the date and time are not set correctly. I can see that the time offset from Greenwich Mean Time (GMT) is four hours, which is currently correct for this device, though. You can see the current GMT time as well as the times for many major cities throughout the world at The World Clock - Worldwide.

The set clock command can be used to set the date.

ns5gt-> set clock ?
mm/dd/yyyy           month/day/year
dst-off              disable daylight saving time
ntp                  enable network time protocol
timezone             GMT Time zone area

You can specify the month, date, and year in the form mm/dd/yyyy . The time should be specified after the date in the form hh:mm or hh:mm:ss.

[ More Info ]

[/security/firewalls/netscreen] permanent link

Tue, Apr 19, 2016 10:14 pm

Troubleshooting RDP through a NetScreen Firewall

I needed to determine why a Remote Desktop Protocol (RDP) connection could not be established through a NetScreen firewall to a Microsoft Windows system on the trusted side of the firewall , so I logged into the firewall and set a filter to capture traffic on port 3389, the port used for RDP connections. I then turned "snooping" on by issuing the snoop command, which led me to realize that I was trying to connect to the wrong IP address.

I was using the rdesktop program on a Ubuntu Linux system to establish the connection to the Microsoft Windows system. After I realized my error regarding the destination IP address, I was able to establish the RDP connection, but then received a "Connect a smart card" message when I got to the login screen and clicked on the relevant account. I was able to log into the system, however, if I used the -p option with the rdesktop command to supply the password for an account on the Microsoft Windows system.

[ More Info ]

[/security/firewalls/netscreen] permanent link

Sun, Jul 19, 2015 9:57 pm

Configuring a Custom Service from the CLI on a NetScreen Firewall

If you need to configure a custom service from the command line interface (CLI) you obtain by a Secure Shell (SSH) connection to a Juniper NetScreen Firewall running ScreenOS, you can use the set service command. E.g., to create a custom service for an SSH server listening on a non-standard port for SSH, you could use something like the following, if the server is listening on port 2005:

set service "Auburn SSH" protocol tcp src-port 1024-65535 dst-port 2005-2005

The text in quotation marks immediately after set service is just a descriptive name you can give to the service to make the purpose of the custom service more immediately identifiable.

If you have not yet created an address book entry for the system running the custom service, you can use the set address command to create it.

[ More Info ]

[/security/firewalls/netscreen] permanent link

Mon, Jul 06, 2015 10:53 pm

Juniper NetScreen SNMP Information

Juniper NetScreen Firewalls running the ScreenOS operating system, including older models, such as a Netscreen-5GT firewall, can be configured for Simple Network Management Protocol (SNMP) support to monitor bandwidth utilization, etc. SNMP information can be viewed or configured through the web-based interface or via the command line interface (CLI) using get snmp, set snmp and unset snmp commands.

[ More Info ]

[/security/firewalls/netscreen] permanent link

Sun, Jun 28, 2015 9:08 pm

Viewing Policies and Configuring a Policy for FTP

You can check the current policies in a Juniper NetScreen firewall running the ScreenOS operating system, such as a Netscreen-5GT firewall, with get policy all, but you can also display just those policies affecting transmissions from one particular zone to another zone by adding a from from_zone to to_zone to the end of the command. E.g. get policy from untrust to trust would show only those policies that apply to traffic from the untrust zone to the trust zone.

To view only those policies that apply to a particular service, such as FTP, I could use get policy from untrust to trust | include FTP.

ns5gt-> get policy from untrust to trust | include FTP
    24 Untrust  Trust    ACME VPN     VIP(untrust) FTP                  Permit enabled ---X-X
    25 Untrust  Trust    ACI          VIP(untrust) FTP                  Permit enabled ---X-X

Steps are listed here that can be used to create a policy that will allow FTP connectivity from external systems to an internal FTP server behind the firewall.

[/security/firewalls/netscreen] permanent link

Wed, May 13, 2015 9:07 pm

Monitoring Interface Bandwidth Utilization on a NetScreen Firewall

While checking on a performance problem at a site using a NetScreen 5GT firewall, I found that when I accessed the Interface Bandwidth report from the web-based management interface that the report was showing zero Kbps for the utilized bandwidth on all interfaces, which was obviously wrong, since data was flowing through the firewall. I found that I needed to enable traffic shaping mode on the firewall to get that report to actually show the bandwidth being used for the interfaces on the firewall.

Traffic shaping is a mechanism to give certain types of data flows precedence over others with lower priority traffic being buffered. In this case I didn't actually "shape" the traffic, but just enabled traffic shaping mode so that I could see the current bandwidth being used on interfaces.

[ More Info ]

[/security/firewalls/netscreen] permanent link

Tue, May 12, 2015 11:22 pm

Checking and setting NTP information on a NetScreen firewall

While checking the configuration of a Juniper Networks netscreen-5gt firewall, I noticed that the time was incorrect and that it was not set up to query a Network Time Protocol (NTP) server to ensure its time was accurate. To check or set the NTP configuration on a Juniper Networks NetScreen firewall, From the web management interface, you can check and set the Network Time Protocol (NTP) information for a Juniper NetScreen firewall, such as the NetScreen-5GT firewall, by clicking on Date/Time beneath the Configuration option on the menu.

The NTP configuration can also be viewed and set from a command line interface accessible by SSH using get ntp and set ntp commands. Up to three NTP servers can be configured. The time interval for NTP queries can be specified.

[ More Info ]

[/security/firewalls/netscreen] permanent link

Sun, Jan 11, 2015 4:33 pm

Using a Juniper Networks NetScreen Firewall as a DHCP Server

A Juniper Networks NetScreen firewall running the ScreenOS operating system can also serve as a DHCP server. The firewall can be configured through a GUI by accessing the firewall from a browser, but also has a command line interface, which is accessible via a SSH connection. The DHCP configuration provided by the server upon DHCP client requests can be configured via the command line interface where you can set the DNS servers, gateway address, netmask, etc. or enable and disable the DHCP server functionality in the firewall.

[ More Info ]

[/security/firewalls/netscreen] permanent link

Valid HTML 4.01 Transitional

Privacy Policy   Contact

Blosxom logo