1. Home
  2. Networking Firewalls
  3. NetScreen 5GT Transparent Mode

NetScreen 5GT Transparent Mode

Some advice please for a NetScreen novice ...

I have a client who has a single device on a public IP address in a hosting centre. The ISP has assigned a range of eight static IPs but we only need one for the device (I can use others for management etc. if required)

I have been asked to install a NetScreen firewall merely to block everything except traffic from a small but known range of IP addresses / ports.

The problem that I have is that when I try to configure the NetScreen using the "setup wizard" it all looks great UNTIL the NetScreen reboots and then I can't find a way to get into it to manage it and complete the setup!

I would like to be able to manage the firewall remotely as I can manage the device using certain ports.

My ISP has assigned IPs (these are fictional for obvious reasons):

24.48.96.32 - 24.48.96.39 (eight addresses).

The client's device is set to: 24.48.96.32.

I set my UNTRUSTED IP to 24.48.96.32 => correct?

What do I set the rest of the box to and how can I manage it once it has rebooted?

How do I set it to only pass (untrusted > trusted) traffic from particular addresses / ports?

All advice would be greatly appreciated as I am new to these boxes!

TIA!

-- Dave

Reply to
MHL
Loading thread data ...

First, you're going to love Netscreens once you get the hang, really impressive firewall capabilities.

You don't say what box (NS5GT, NS208, etc) or what ScreenOS you have but Juniper-Netscreen doc is some of the best ...

formatting link
Search on 'transparent' and you'll see all ways to config via GUI or CI.

Doesn't sound like you need to use transparent mode though - consider setting this up layer 3 and put the interfaces into route mode. You can setup VIPs or MIPs (NATs) to access boxes at the data center. Transparent mode introduces all the layer 2 caveats (spanning tree, passing insecure protocols like Cisco's CDP).

alan

Reply to
Alan Strassberg

Hi Alan,

Thanks for your reply. It is a NS5GT running 5.0.0r11.1. I have already become very confused by some of the documentation (particularly the CLI syntax) because when I enter some of the commands in the "User Guide" they have the wrong syntax.

I have also found that the NS5GT behaves differently to the documentation when I try to perform a factory reset!

That being said, I think that I have managed to configure it sort of correctly! I am now able to manage it without using NAT'ed addresses and I have set up some simple policies (all I need is ONE IP address open on all ports and one domain and two other specific IP addresses open on a specific port only).

My next step is to take it to site and see if it works .....

I know that these are great devices but they are not as simple to configure as (say) a NetGear router is!

Thanks again, Dave

Reply to
Dave

If you can recall what doesn't work I'd be interested.

Press button for 3 sec, wait 5 sec, press again - is the doc different?

Can't say for Netear but I've replaced 28 Checkpoint firewalls around the world and for enterprise class Netscreen is clearly the leader. That said, there is a learning curve.

Other resources ...

formatting link
formatting link
alan

Reply to
Alan Strassberg

I'll try to find the sections and let you know what they are - they are all in the Vol 3. Admin guide.

The User Guide (page 11) says to press the button and the status light blinks amber and the power light will flash green - not on my box! After the status flashes amber it then goes back to flashing green but the power light is solid green all the time. I sort of worked it out but the manual is definitely different!

Thanks for these other sources, I will learn about these devices. I hate checkpoint! Every time you upgrade you find that they have changed the UI! Mind you, I used to run them on Nokia IPSO boxes which were very reliable! I am a bit concerned about the long-term durability of the NS5GT power supply but only time will tell!

Thanks again for your help!

-- Dave

Reply to
Dave

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.