Channel: All ScreenOS Firewalls (NOT SRX) posts

Re: Basic configuration for juniper SSG140


The Ucopia device is connected to two APs and will act as the DHCP server that manages the users and routes the traffic to the firewall on F0/0 (10.145.214.13/29); the firewall will then route all the traffic to F0/2 (192.168.1.2/24), which is connected to the ISP router 192.168.1.1/24.

That's all.


Re: Basic configuration for juniper SSG140


Hello,

 

You can put fe0/0 in the trust zone and fe0/2 in the untrust zone.

Have a security policy from the trust zone to the untrust zone allowing the desired internet access.

If NAT is configured on the ISP router, your work is reduced even further; otherwise, create a source NAT on the SSG140.

 

Regards,

 

Rushi

Re: Basic configuration for juniper SSG140


For the connection, I have connected as you suggested, but the routing is the issue. I can ping the IP that is connected to fe0/0 and the one that is connected to fe0/2.

It's the first time I'm configuring a firewall, so I'm not aware of the routing configuration on it.

cannot connect to webui using any browser

I have an SSG 520 running ScreenOS 6.2. I used to be able to connect to it via the WebUI, but now, no matter which browser I use, I cannot connect. For Firefox, I get "Error code: SSL_ERROR_NO_CYPHER_OVERLAP". With Chrome, I get "x.x.x.x uses an unsupported protocol. ERR_SSL_VERSION_OR_CIPHER_MISMATCH".

 

Internet Explorer doesn't work either. I found an article that had me run the following command:

delete pki object-id system

 

After this I rebooted, and the self-signed cert was regenerated by the firewall. But it has not resolved the issue. How do I fix this so I can use a web browser? I'm not sure when it stopped working; I don't manage the firewall very often, but I really want to get this resolved.

 

I did a debug ssl and see this output when I try to connect via a browser:

 

get db str
ssl server new socket. queue count(0)
SSL master_socket(1)
SSL accept_socket(102)
ssl_state: sslStateCertVerified
SSL Connection Init
SSL set server mode
SSL_accept:before/accept initialization
SSL TLSv1_server_method called.
ssl3_accept start(SSLv3 read client hello A)
ssl3_accept loop(SSLv3 read client hello A)
ssl3_choose_cipher: have
SSL: cipher DES-CBC3-SHA
ssl3_choose_cipher: prefer
SSL: cipher RC4-MD5
SSL: cipher RC2-CBC-MD5
SSL: cipher IDEA-CBC-MD5
SSL: cipher RC4-MD5
ssl3_get_client_hello() failed, no shared cipher
SSL3 alert write:fatal:handshake failure
ssl3_accept end(SSLv3 read client hello C)
SSL_accept:error in SSLv3 read client hello C
SSL_accept:error in SSLv3 read client hello C
handshake failed, Function(138), Reason(193)
        NO SHARED CIPHER!!!
sslConnectionInit() refused connection
ssl state sslStateFailedssl close socket(102)
ssl closing accept socket(102)
    free ssl sock(102)
ConnectionsActive: --

 

And here is the self-signed cert:

 

get pki x509 cert system (values modified)
                CN=0156052006000053,CN=system generated,CN=self-signed,
                Expire on 12-27-2026 12:30, Issued By:
                CN=0156052006000053,CN=system generated,CN=self-signed,
Serial Number: <3f68ebaa59d6546226d6c5224c9aa506>
finger print (md5) <3245d535 0e4756fb 1f66ab82 38f7cc7d>
finger print (sha) <ea755328 1bb8da2d 76ca1715 fa2e8136 cb74df72>
subject name hash: <d5011b59 a915363e c1683eb8 4a6aa04b 1701931a>

Re: cannot connect to webui using any browser

Hello,

 

I think the cause of the problem is here:

 

SSL: cipher RC4-MD5
SSL: cipher RC2-CBC-MD5
SSL: cipher IDEA-CBC-MD5
SSL: cipher RC4-MD5
ssl3_get_client_hello() failed, no shared cipher

 

Firefox or Chrome will not allow connections with weak ciphers.

 

To resolve this, can you try to generate a self-signed certificate with 3DES/SHA1 and a 2048-bit key length and use it for SSL?

 

Regards,

 

Rushi

Re: cannot connect to webui using any browser

The only other option is to use very old browsers. I end up using an old version of IE to manage these devices.

In 6.3 you are able to change the cipher to 3DES/SHA1 and allow the connections. Not sure if this cipher is in 6.2 or not.

 

set ssl encrypt 3des sha-1

Re: cannot connect to webui using any browser

Changing it to "3des sha-1" did the trick. Thanks guys, appreciate it.
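As an added example (not part of the thread, and not Juniper code), the Python below does the two things a practitioner would want at this point: it parses a ScreenOS debug ssl trace like the one quoted above, lists the suites printed under "have" and "prefer", reports whether the two lists share anything, and marks each suite by whether current browsers still negotiate it; and, optionally, probe() runs one live TLS handshake against the WebUI with a single named suite through Python's ssl module, which is the quickest way to confirm what the device accepts after set ssl encrypt 3des sha-1. SAMPLE_TRACE is a condensed copy of the trace in the post; the host in the commented-out probe call is a placeholder. One caveat the thread does not spell out: RC4, RC2, IDEA and MD5-MAC suites are refused outright by Firefox and Chrome, and DES-CBC3-SHA (3DES over TLS 1.0) has since been disabled by default in both as well, so the cipher change buys time rather than fixing the device. Restricting WebUI access to a management network and using SSH or the console for routine work is the durable answer.

```python
"""Explain a ScreenOS WebUI handshake failure from a 'debug ssl' trace and,
optionally, probe the WebUI with one TLS suite.
Added example; not from the thread or from Juniper. SAMPLE_TRACE is condensed
from the trace quoted in the post (constructed sample input)."""
import re
import socket
import ssl

SAMPLE_TRACE = """\
SSL_accept:before/accept initialization
SSL TLSv1_server_method called.
ssl3_accept start(SSLv3 read client hello A)
ssl3_choose_cipher: have
SSL: cipher DES-CBC3-SHA
ssl3_choose_cipher: prefer
SSL: cipher RC4-MD5
SSL: cipher RC2-CBC-MD5
SSL: cipher IDEA-CBC-MD5
SSL: cipher RC4-MD5
ssl3_get_client_hello() failed, no shared cipher
SSL3 alert write:fatal:handshake failure
handshake failed, Function(138), Reason(193)
        NO SHARED CIPHER!!!
"""

# Primitives that current Firefox/Chrome refuse in any suite.
BROWSER_REJECTED = ("RC4", "RC2", "IDEA", "MD5", "DES-CBC-", "EXP", "NULL", "ADH")
# 3DES: still accepted by browsers when the thread was written, disabled by default since.
LEGACY_3DES = "DES-CBC3"

SECTION_RE = re.compile(r"ssl3_choose_cipher:\s*(have|prefer)")
CIPHER_RE = re.compile(r"SSL: cipher\s+(\S+)")


def parse_choose_cipher(trace):
    """Return the suite names ScreenOS printed under 'have' and 'prefer'."""
    lists, current = {"have": [], "prefer": []}, None
    for line in trace.splitlines():
        m = SECTION_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = CIPHER_RE.search(line)
        if m and current:
            lists[current].append(m.group(1))
    return lists


def classify(cipher):
    """'rejected' (browsers never negotiate it), 'legacy-3des', or 'ok'."""
    up = cipher.upper()
    if any(tag in up for tag in BROWSER_REJECTED):
        return "rejected"
    if LEGACY_3DES in up:
        return "legacy-3des"
    return "ok"


def diagnose(trace):
    """Both suite lists, their intersection, the failure flag and a per-suite verdict."""
    lists = parse_choose_cipher(trace)
    offered = lists["have"] + lists["prefer"]
    return {
        "have": lists["have"],
        "prefer": lists["prefer"],
        "shared": [c for c in lists["have"] if c in lists["prefer"]],
        "handshake_failed": "no shared cipher" in trace.lower(),
        "verdict": {c: classify(c) for c in dict.fromkeys(offered)},
    }


def probe(host, port=443, cipher="DES-CBC3-SHA", timeout=5):
    """One handshake with a single suite against a live WebUI (network only).
    Certificate checks are disabled on purpose: the device serves a self-signed
    cert and the only question here is which suites it accepts. @SECLEVEL=0 is
    needed because modern OpenSSL refuses 3DES and TLS 1.0 at its default level."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    try:
        ctx.set_ciphers(f"{cipher}:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", tls.cipher()[0], tls.version())
    except (ssl.SSLError, OSError) as exc:
        return ("error", cipher, str(exc))


if __name__ == "__main__":
    report = diagnose(SAMPLE_TRACE)
    for name in ("have", "prefer", "shared"):
        print(f"{name}: {report[name]}")
    print("handshake failed:", report["handshake_failed"])
    for suite, verdict in report["verdict"].items():
        print(f"  {suite}: {verdict}")
    # Live check after 'set ssl encrypt 3des sha-1' (placeholder address):
    # print(probe("192.0.2.1", cipher="DES-CBC3-SHA"))
```

Run it against a saved get db str dump to see the two lists side by side; an empty "shared" list with handshake_failed set is exactly the no-shared-cipher failure in the post. Run probe() with cipher="DES-CBC3-SHA" from a host with network access to the firewall to confirm the 3DES suite is now offered.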

can't fetch reports for netscreen firewall


Hi,

 

Suddenly, the CPU/memory/session/temperature data for the NetScreen firewall has stopped being recorded in the MPBN report.

The server IP is reachable.

Community strings and versions are the same on the firewall and the server.

Can you help me with how to check whether the MIBs are responding on NetScreen, as we have a command on SRX like show snmp mib walk <oid>?

What is the command on NetScreen to check if the MIBs are responding?

Also, please share the OIDs for temperature/CPU/memory/session for the NetScreen firewall.

 

Thanks in advance.

 

BR//

Swati

 


Re: How I can make BGP configuration on SSG-140


Where do I need to add the below information, which the ISP has sent me:

 

1) Vlan 1111 - International Traffic
Communication network: 145.148.140.120/29
International Router1, ASN57344, 145.148.140.121/29 <> 145.148.140.126, DoT, ASN4578
International Router2, ASN57344, 145.148.140.122/29 <> 145.148.140.126, DoT, ASN4578



2) Vlan 1122 - UK Peering
Communication network: 145.148.140.128/29
UK Peering Router1, ASN57344, 185.148.140.129/29 <> 185.148.140.134/29, DoT, ASN4577
UK Peering Router2, ASN57344, 185.148.140.130/29 <> 185.148.140.134/29, DoT, ASN4577
Prefix 6300

3) BGP Network: 72.142.56.0/24

 

 

Re: can't fetch reports for netscreen firewall


There is not an equivalent command on ScreenOS. You would need to do a MIB walk from an external address. I would recommend running a debug snmp all to see what is happening. Also, have you recently upgraded the ScreenOS version? Each mainline version (6.0, 6.1, 6.2, 6.3, etc.) has its own MIBs.

SSG-350 Sessions Table and New SRX


Hello, and thank you in advance for any advice. Our current setup is a /30 WAN and a /25 LAN handoff from the ISP. Our device is the SSG-350, and we have configured the /30 for external and the /25 mapped (MIP) to some private IP addresses. Our issues started when our traffic increased over the holiday season and the session table filled up a couple of times last month.

We purchased a pair of SRX1500s which will run alongside this setup, with a new upstream from a different provider. With the old SSG still in place, is it possible to forward one of its /25 IPs into this new SRX without the SSG tracking the session, so in effect just behaving like a plain router?

Re: SSG-350 Sessions Table and New SRX


There is not a way to turn off the stateful aspect of the firewall.

Re: SSG-350 Sessions Table and New SRX


Just as I thought, and as it should be. Thanks so much.

Re: How I can make BGP configuration on SSG-140


Example for one peer. Assign the 145.148.140.121 address to ethernet0/2.

Add BGP to the VR and set the neighbor:

set vrouter untrust-vr protocol bgp 57344
set vrouter untrust-vr protocol bgp enable
set vrouter untrust-vr protocol bgp neighbor 145.148.140.126 remote-as 4578 local-ip 145.148.140.121/32 outgoing-interface ethernet0/2
set vrouter untrust-vr protocol bgp neighbor 145.148.140.126 enable
set interface ethernet0/2 protocol bgp

Add an export policy for route advertisement as desired. This assumes you create a static route for this subnet and forward it on your device; if it is a direct route, use the direct-route redistribute line instead.

set vrouter untrust-vr
set access-list 1 permit ip 72.142.56.0/24 1
set route-map name "route-map" permit 1
set match ip 1
exit
exit

static route (the route and the redistribution belong in the same vrouter as the BGP instance, untrust-vr here):
set vrouter untrust-vr route 72.142.56.0/24 interface ethernet0/x gateway x.x.x.x
set vrouter untrust-vr protocol bgp redistribute route-map "route-map" protocol static

direct route:
set vrouter untrust-vr protocol bgp redistribute route-map "route-map" protocol direct

Documentation

Chapter 35 on BGP

http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/630_ce_all.pdf

 

 

Re: can't fetch reports for netscreen firewall


Hi,

 

No upgrade has been done.

How do I check whether the MIB file is present on the node or not?

 

BR//

Swati


Re: can't fetch reports for netscreen firewall


- The MIB files are firmware specific and will be the same for all the ScreenOS devices.
- You can download the MIB files at the link https://www.juniper.net/techpubs/software/screenos/mibs.html.

 

Monitoring Juniper Firewalls with SNMP.

 

+ Please find the below-mentioned KB articles, which give information about the OIDs.

# Memory Utilization:
https://kb.juniper.net/InfoCenter/index?page=content&id=KB25768

# CPU utilization :
http://kb.juniper.net/InfoCenter/index?page=content&id=KB25797

# Table of all the OIDs on the FW; this also includes the OIDs for NSRP:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB20992

 

Example:
To monitor memory allocated, memory left, and memory fragmentation on the firewall, the following OIDs can be used from the server end:
.1.3.6.1.4.1.3224.16.2.1.0 memory allocated
.1.3.6.1.4.1.3224.16.2.2.0 memory left
.1.3.6.1.4.1.3224.16.2.3.0 memory fragment

 

Actual output of memory information from the device:
ns5400(M)-> get mem
Memory: allocated 1392974016, left 372823824, frag 27, fail 0
The output from the SNMP walk:
OID: .1.3.6.1.4.1.3224.16.2.1.0
Value: 1392974016

OID: .1.3.6.1.4.1.3224.16.2.2.0
Value: 372823824

OID: .1.3.6.1.4.1.3224.16.2.3.0
Value: 27

 

SSG5 ScreenOS update failed (unit continuously reboots)


I have an SSG-5-SH that was running ScreenOS firmware version 6.1.0r2.0. Everything else was working, but I wasn't able to see the menu on the left side of the screen using the WebUI, so I thought I would try to update the firmware.

 

I updated the certificate key with a new imagekey.cer downloaded from the Juniper website. Then I updated the boot loader to V132. So far so good. I updated the firmware to version 6.3.0r23, downloaded from the Juniper website. When it boots it gets to "System change state to active(1)" and then it crashes, dumps and reboots (over and over).

 

I tried various revisions of 6.3.0 and even 6.2.0r19, which is available for download on the website.

 

Does anyone know where I can download the old version 6.1.0r2.0 to roll back to the version that was working?

 

Or other suggestions?

 

 

Thanks. 

Re: SSG5 ScreenOS update failed (unit continuously reboots)


If you have an account with JTAC you can request versions of ScreenOS that are no longer posted. But with the update of the key you probably won't be able to boot the old versions now either.

 

Do you get the loader prompt?  If so, you can try the TFTP install process to try to recover that way.

 

https://kb.juniper.net/InfoCenter/index?page=content&id=KB5519

Re: can't fetch reports for netscreen firewall


Thanks for sharing the MIB file.

Can you confirm how to check if the MIB file is present on the node?

Is there any command to check this?

Re: can't fetch reports for netscreen firewall


Also, please share the MIBs for session and temperature.

 

Thanks in advance
