Re: Upgrade from 6.2 to 6.3 latest firmware
You can upgrade directly, but be sure to verify that you have the new ScreenOS signing key on your device BEFORE the upgrade. If you have the old key and attempt the upgrade the device can fail to...
Re: SSG140 Site to Site VPN with ASA Multiple Subnets
After adding a line to my settings, the original VPN link between 192.168.70.0 and 192.168.50.0 breaks. set vpn "Site_B" proxy-id local-ip 192.168.70.0/24 remote-ip 10.10.0.0/16 "ANY" looks like my device...
Restrict SNMP V3 requests from certain devices - CVE-2008-0960
Hi, I am trying to mitigate CVE-2008-0960 as it says that the ScreenOS software is vulnerable. They suggest to restrict SNMP v3 requests to the SSG firewall to only be allowed from certain devices but I...
Re: SSG140 Site to Site VPN with ASA Multiple Subnets
Sounds like you need to upgrade to ScreenOS version 6.3. Prior versions only supported one proxy-id pair. With ScreenOS 6.3 you can have multiple pairs at the same time. Be sure to verify that...
Re: Restrict SNMP V3 requests from certain devices - CVE-2008-0960
You will add the host access restrictions on the community name level. Then utilize that community for your SNMPv3 setup. These are found in Configuration > Report Settings > SNMP. The process is...
Re: Restrict SNMP V3 requests from certain devices - CVE-2008-0960
Thanks, I'll take a look. I presume this is the only way to mitigate the CVE, as the latest code still seems vulnerable?
Re: SSG140 Site to Site VPN with ASA Multiple Subnets
Thanks! This is what I thought. Is there an impact on my existing configuration after applying the new firmware?
Re: Restrict SNMP V3 requests from certain devices - CVE-2008-0960
I've had a look at the guide but can't see how to filter SNMP v3 requests. SNMP v3 doesn't use community strings so not sure where to set the filter. Any advice appreciated. Thanks, Richard
Re: Restrict SNMP V3 requests from certain devices - CVE-2008-0960
Yes, I believe you are correct that this CVE is not patched in ScreenOS current releases. SNMPv3 uses VACM to define the access allowed on the device. In ScreenOS you map the desired community with...
Re: SSG140 Site to Site VPN with ASA Multiple Subnets
Assuming you have a current configuration in 6.0 - 6.2, there are no issues at all in the upgrade. I have done many of these over the years and the configurations are compatible.
Re: Restrict SNMP V3 requests from certain devices - CVE-2008-0960
Thanks, I've had a look but can't see how the link between the community name in snmp v1 links to the snmp v 3 VACM. I have the following config, can you advise what I have wrong? I am trying to...
Re: ScreenOS to JUNOS-Enhanced Services VPN configuration
Hi, How many remote identities could you add per tunnel interface? Is there any best practice? Kind regards, Diana Balasa
Creating a New Interface Port - SSG140
First off, please forgive my lack of knowledge as we used to have a Network Admin that handled all this however he has since left the company and hasn't been replaced yet... so sadly it falls on me. As...
Re: Creating a New Interface Port - SSG140
Just to further on this I have been digging around a lot and "playing" in the firewall trying to fix it myself (still no luck sadly) and did verify that there is a Destination Route for: 0.0.0.0/24...
Technical information required: multiple interfaces on SSG550M
Hello Community, This is my first message here and I hope somebody can share thoughts. We are trying to run an Algosec scan of our SSG firewall from a remote site on a different network. The issue is...
Re: Creating a New Interface Port - SSG140
Default route should be 0.0.0.0/0. Also, in your policy, do you have NAT src set? Automatic NAT will only happen between trust to untrust. As this is a custom zone, you need to specify NAT src in...
Re: Technical information required: multiple interfaces on SSG550M
Looks like you are trying to do asymmetric routing. This causes issues with stateful devices (firewalls). I would recommend configuring the path to go either directly back to the SSG from the LAN, or,...
Re: Creating a New Interface Port - SSG140
Thank you for the quick reply rseibert, I will answer what I can to the best of my ability: Firstly, I typed incorrectly, the route is in fact set as 0.0.0.0/0 --> External ISP (attached a...
Re: Creating a New Interface Port - SSG140
Yes, you would need to set the Source Translate under the advanced settings for the policy. This will translate the traffic from 192.168.55.0 to the IP of eth0/9. 192.168.x.x are private networks and...