You can check the current policies in a Juniper NetScreen firewall running the ScreenOS operating system, such as a NetScreen-5GT firewall, with get policy all. If you want to view just the policies that affect transmissions between two particular zones, you can use get policy from from_zone to to_zone, e.g. get policy from untrust to trust for those policies that apply to traffic from the untrust zone to the trust zone. If you only want to find policies between two zones that apply to a particular service, you can add the pipe character, |, after the command and put include pattern after it. E.g., suppose I wanted to check on policies for web traffic. I could use the following command:
ns5gt-> get policy from untrust to trust | i "HTTP"
13 Untrust Trust Any VIP(untrust) HTTP Permit enabled ---XXX
17 Untrust Trust Any VIP(untrust) HTTPS Permit enabled ----XX
"Include" can be shortened to just "i". If you want to exclude policies matching a certain pattern, you can use exclude instead of include. It can be shortened to just e. E.g., if I wanted to see all policies from the untrust to the trust zone except for the HTTP and HTTPS ones, I could use get policy from untrust to trust | e HTTP. Note: the pattern applies not just to the service name, but also to the policy numbers. E.g., if I use include 3, I would see policies whose policy number includes the digit 3, as well as those whose service name does.
ns5gt-> get policy from untrust to trust | i 3
13 Untrust Trust Any VIP(untrust) HTTP Permit enabled ---XXX
15 Untrust Trust Any VIP(untrust) POP3 Permit enabled ---XXX
23 Untrust Trust Any VIP(untrust) POP3S Permit enabled ---XXX
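To make the difference between the whole-line filter and a service-only match concrete, here is an added Python example (not from the original post) that parses constructed get policy rows in the layout quoted above and reproduces the include/exclude behaviour beside a match restricted to the Service column. That include performs a plain substring match is an assumption; single-token names are also assumed.

```python
# Constructed sample modelled on the `get policy from untrust to trust` rows
# quoted in the post (columns: ID From To Src Dst Service Action State Flags).
SAMPLE_POLICY_OUTPUT = """\
13 Untrust Trust Any VIP(untrust) HTTP Permit enabled ---XXX
15 Untrust Trust Any VIP(untrust) POP3 Permit enabled ---XXX
17 Untrust Trust Any VIP(untrust) HTTPS Permit enabled ----XX
23 Untrust Trust Any VIP(untrust) POP3S Permit enabled ---XXX
"""
FIELDS = ("id", "from_zone", "to_zone", "src", "dst",
          "service", "action", "state", "flags")

def policy_rows(output):
    """Yield (raw_line, fields) for each policy row; prompts, headers and blank
    lines are skipped. Assumes single-token names: an address book entry with a
    space in it, such as "ACME VPN", would need extra handling."""
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == len(FIELDS) and parts[0].isdigit():
            yield line, dict(zip(FIELDS, parts))

def cli_include(output, pattern):
    """`| include pattern` as the post describes it: the pattern is tested against
    the whole row (plain substring match assumed), so `include 3` also returns
    IDs 13 and 23, not only the POP3 and POP3S policies."""
    return [int(r["id"]) for line, r in policy_rows(output) if pattern in line]

def cli_exclude(output, pattern):
    """`| exclude pattern`: drop every row containing the pattern, which is why
    `exclude HTTP` in the post removes the HTTPS policy as well."""
    return [int(r["id"]) for line, r in policy_rows(output) if pattern not in line]

def by_service(output, pattern):
    """Match the Service column only, which is usually what was actually wanted."""
    return [int(r["id"]) for _, r in policy_rows(output) if pattern in r["service"]]

def permits_from_any(output):
    """Audit helper: enabled Permit policies whose source is Any, i.e. reachable
    from every address in the from-zone and worth a second look."""
    return [int(r["id"]) for _, r in policy_rows(output)
            if r["action"] == "Permit" and r["state"] == "enabled" and r["src"] == "Any"]

if __name__ == "__main__":
    print("include 3   :", cli_include(SAMPLE_POLICY_OUTPUT, "3"))
    print("service 3   :", by_service(SAMPLE_POLICY_OUTPUT, "3"))
    print("exclude HTTP:", cli_exclude(SAMPLE_POLICY_OUTPUT, "HTTP"))
```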
A number of services, such as FTP, are predefined.
ns5gt-> get service ftp
Name: FTP  Category: remote  ID: 0  Flag: Pre-defined
Transport  Src port  Dst port  ICMPtype,code  Timeout(min)  Application
tcp        1/65535   21/21                    30            FTP
For FTP, there are also FTP-Get and FTP-Put services defined that allow further restrictions to be applied to FTP access. These allow unidirectional FTP transfers.
If I want to allow inbound FTP connectivity to a specific host, but only from specific IP addresses, I could use a set policy command like set policy from untrust to trust allowed_addresses VIP(untrust) FTP permit log, presuming that I want to allow any system with an IP address included in allowed_addresses to access the internal FTP server and that I want to log the traffic. But if I try specifying the allowed address range within the command, I will see a "following address(es) not defined" message. E.g., supposing I wanted to allow access from any system with an IP address from 172.16.224.0 to 172.16.224.255:
ns5gt-> set policy untrust to trust 172.16.224.0/24 VIP(untrust) FTP permit log
                   ^----------unknown keyword untrust
ns5gt-> set policy from untrust to trust 172.16.224.0/24 VIP(untrust) FTP permi### Zone Untrust->Trust : following address(es) not defined: (src 172.16.224.0/24),
Failed command - set policy from untrust to trust 172.16.224.0/24 VIP(untrust) FTP permit log
Instead, I need to add the allowed range of addresses to the address book. You can see the contents of the address book using get address. To add the range to the address book, I can use a set address zone name address command, where zone is the firewall zone where the address(es) would be located, name is whatever descriptive name I wish to give to the address book entry, and address can be in one of the forms shown below:
ns5gt-> set address untrust name ?
<string>          Domain Name
<a.b.c.d>/<num>   IP Address/Netmask
<a.b.c.d>         IP Address
E.g., supposing I want to name the address book entry "Acme VPN" and the allowed addresses will be from 172.16.224.0 to 172.16.224.255, I could use the following commands:
ns5gt-> set address untrust "ACME VPN" 172.16.224.0/24
ns5gt-> set policy from untrust to trust "Acme VPN" VIP(untrust) FTP permit log
policy id = 24
ns5gt->
You can also specify a domain name for an address book entry rather than an IP address or address range.
ns5gt-> set address untrust ACI aci.example.com
Domain name "aci.example.com" has been looked up successfully.
ns5gt-> set policy from untrust to trust ACI VIP(untrust) FTP permit log
policy id = 25
ns5gt->
If you wish to add a specific IP address, put a /32, which is a subnet mask specifying one IP address, at the end of the address as shown below.
ns5gt-> set address untrust "John Doe IP" 192.168.181.210/32
ns5gt-> set policy from untrust to trust "John Doe IP" VIP(untrust) FTP permit
policy id = 26
ns5gt->
When checking the address book, you can specify that you only want to view address book entries for a particular zone.
ns5gt-> get address untrust
Total 3 addresses and 0 groups in the address book.
Untrust Addresses:
Name         Address          Netmask          Flag  Comments
ACI          aci.example.com                   01
Any          0.0.0.0          0.0.0.0          02    All Addr
ACME VPN     172.16.224.0     255.255.255.0    01
John Doe IP  192.168.181.210  255.255.255.255  01
ns5gt->
I can see the details for the policy I created using the policy id, which in this case was 24 for the first FTP policy I created.
ns5gt-> get policy id 24
name:"none" (id 24), zone Untrust -> Global,action Permit, status "enabled"
src "ACME VPN", dst "VIP(untrust)", serv "FTP"
Policies on this vpn tunnel: 0
nat off, url filtering : disabled
vpn unknown vpn, policy flag 0000, session backup: on
traffic shapping off, scheduler n/a, serv flag 00
log yes, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/0
priority 7, diffserv marking Off
tadapter: state off, gbw/mbw 0/-1
No Authentication
No User, User Group or Group expression set
Since the firewall is performing Network Address Translation (NAT) and I am using "VIP(untrust)" to connect to a specific internal host running the FTP service, I also need to use the command below, which will route the incoming connections to the default FTP port, port 21, to the internal server's IP address, which is 192.168.0.4.
ns5gt-> set interface untrust vip untrust 21 "FTP" 192.168.0.4
ns5gt->
If I later wish to remove a policy, such as policy id 26 which was created above for an individual IP address, which I named "John Doe IP", and the address book entry as well, I could use commands such as the following ones:
ns5gt-> unset policy id 26
ns5gt-> unset address untrust "John Doe IP"
After making configuration changes to the firewall, you need to issue the save config command to keep the changes from disappearing the next time the firewall is rebooted.
If FTP connectivity doesn't work or if I want to look more closely at the FTP traffic, I can use the snoop command to troubleshoot the connection.
ns5gt-> snoop filter ip port 21
snoop filter added
ns5gt-> clear dbuf
ns5gt-> snoop
Start Snoop, type ESC or 'snoop off' to stop, continue? [y]/n y
ns5gt-> snoop off
Snoop off
ns5gt->
With the first command above, I've set a filter to look only for traffic to port 21, which is the default command/control port for FTP. There is also a data port, TCP port 20, but for the moment I only want to check connectivity to the command port. Since the data will go to the debug buffer, I next clear that buffer to eliminate any prior data. Then the snoop command initiates snooping of the FTP traffic. The system will prompt you to confirm that you wish to start snooping. The captured information isn't immediately displayed; I need to attempt an FTP connection from a remote client and then, after doing so, issue a snoop off command and a get dbuf command.
If you want to see what filter is currently in effect, you can use the snoop info command.
ns5gt-> snoop info
Snoop: ON
Filters Defined: 1, Active Filters 1
Detail: OFF, Detail Display length: 96
Snoop filter based on:
id 1(on): IP port 21 dir(B)
I can view a summary of the debug buffer where the snoop command is storing data with get dbuf info.
ns5gt-> get dbuf info
count: 5301, last index: 5301, cur index: 0, size: 32768
start: 0, pause: 0
ns5gt->
I can see that there were 5301 packets transmitted involving port 21. To see details, I can use the get dbuf stream command.
ns5gt-> get dbuf stream
4062421.0: 2(i):001bfc2f66fd->0010db7d2862/0800 192.168.0.4->10.105.19.135/6, tlen=71
              vhl=45, tos=00, id=36439, frag=4000, ttl=64
              tcp:ports 21->7324, seq=4063640459, ack=3383.0.407, flag=5018
4062421.0: 1(o):0010db7d2861->503955558937/0800 192.168.0.10->10.105.19.135/6, tlen=71
              vhl=45, tos=00, id=36439, frag=4000, ttl=63
              tcp:ports 21->7324, seq=4063640467, ack=3383.0.407, flag=5018
4062421.0: 2(i):001bfc2f66fd->0010db7d2862/0800 192.168.0.4->10.105.19.135/6, tlen=70
              vhl=45, tos=00, id=36440, frag=4000, ttl=64
              tcp:ports 21->7324, seq=4063640490, ack=3383.0.415, flag=5018
4062421.0: 1(o):0010db7d2861->503955558937/0800 192.168.0.10->10.105.19.135/6, tlen=70
              vhl=45, tos=00, id=36440, frag=4000, ttl=63
              tcp:ports 21->7324, seq=4063640498, ack=3383.0.415, flag=5018
4062421.0: 2(i):001bfc2f66fd->0010db7d2862/0800 192.168.0.4->10.105.19.135/6, tlen=90
--- more ---
From the above output, I can see that a system with the IP address of 10.105.19.135 was engaged in FTP communications with the server.
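Reading a long get dbuf stream listing by eye gets tedious, so as an added example (not part of the original post) the following Python parses constructed records in the three-line layout shown above, lists which remote hosts exchanged packets with port 21, and pairs the inbound and outbound copy of each packet by IP id to show how the source address changed between them. The record layout and field names come from the quoted output; that the paired records are the same packet before and after translation is my reading of it.

```python
import re
from collections import Counter
# Constructed sample in the layout of the `get dbuf stream` output quoted in the
# post: two FTP control packets, each logged once inbound and once outbound.
SAMPLE_DBUF_STREAM = """\
4062421.0: 2(i):001bfc2f66fd->0010db7d2862/0800 192.168.0.4->10.105.19.135/6, tlen=71
              vhl=45, tos=00, id=36439, frag=4000, ttl=64
              tcp:ports 21->7324, seq=4063640459, ack=33830407, flag=5018
4062421.0: 1(o):0010db7d2861->503955558937/0800 192.168.0.10->10.105.19.135/6, tlen=71
              vhl=45, tos=00, id=36439, frag=4000, ttl=63
              tcp:ports 21->7324, seq=4063640467, ack=33830407, flag=5018
4062421.0: 2(i):001bfc2f66fd->0010db7d2862/0800 192.168.0.4->10.105.19.135/6, tlen=70
              vhl=45, tos=00, id=36440, frag=4000, ttl=64
              tcp:ports 21->7324, seq=4063640490, ack=33830415, flag=5018
4062421.0: 1(o):0010db7d2861->503955558937/0800 192.168.0.10->10.105.19.135/6, tlen=70
              vhl=45, tos=00, id=36440, frag=4000, ttl=63
              tcp:ports 21->7324, seq=4063640498, ack=33830415, flag=5018
"""
# Record header: timestamp, interface, direction (i/o), MACs, IPs, protocol.
HEADER = re.compile(r"^\S+: (?P<iface>\d+)\((?P<dir>[io])\):\S+ "
                    r"(?P<src>[\d.]+)->(?P<dst>[\d.]+)/(?P<proto>\d+)")
IPHDR = re.compile(r"\bid=(?P<ip_id>\d+),.*\bttl=(?P<ttl>\d+)")
TCP = re.compile(r"tcp:ports (?P<sport>\d+)->(?P<dport>\d+)")
def parse_dbuf_stream(text):
    """Group each three-line record into one dict; numeric fields become int."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append(m.groupdict())
        elif records:  # continuation line belongs to the last header seen
            for m in filter(None, (rx.search(line) for rx in (IPHDR, TCP))):
                records[-1].update({k: int(v) for k, v in m.groupdict().items()})
    return records

def ftp_peers(records, ftp_port=21):
    """Remote addresses exchanging packets with the control port -> packet count."""
    peers = Counter()
    for r in records:
        if ftp_port in (r.get("sport"), r.get("dport")):
            peers[r["dst"] if r.get("sport") == ftp_port else r["src"]] += 1
    return dict(peers)

def source_rewrites(records):
    """Pair the inbound and outbound copy of each IP id and return the source
    address before and after the firewall (192.168.0.4 -> 192.168.0.10 here)."""
    seen = {}
    for r in records:
        seen.setdefault(r["ip_id"], {})[r["dir"]] = r["src"]
    return {i: (d["i"], d["o"]) for i, d in seen.items() if "i" in d and "o" in d}
```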
The debug buffer is circular, so new data will overwrite existing data if it fills. The buffer size can be increased from the default value of 32 KB with set dbuf size <size>. The command get db info shows the size of the buffer in bytes. If you need to capture a lot of data, you can set the debug buffer to the maximum size of 4096 KB (4 MB) using set db size 4096, which is 4194304 bytes, as can be seen in the last get db info command below. You can set the buffer size back to the default value of 32 KB with set dbuf size 32 or unset db size.
ns5gt-> get db info
count: 5301, last index: 5301, cur index: 0, size: 32768
start: 0, pause: 0
ns5gt-> set db size 4096
ns5gt-> get db info
count: 0, last index: 0, cur index: 0, size: 4194304
start: 0, pause: 0
Created: Sunday June 28, 2015