Two Netscreen Questions

According to the documentation, the Netscreen 5GT can filter ActiveX, .exe files, Javascript, etc., out of incoming HTTP connections. It doesn't mention if this setting is global or if it can be set for certain IP addresses or ranges. I'd like to enable this on my network, but only for a single problematic user who always seems to be plagued by viruses and malware. Can I enable this kind of filtering for a single internal IP address only?

Second question... The 5GT only supports a single VIP. I have a VIP set up to redirect several ports to machines on my DMZ zone (in the 172.16.0.0 subnet). I'd like to temporarily change the redirection for one port to a machine on my Trust zone (in the 192.168.0.0 subnet) for testing purposes. Can a single VIP redirect some ports to one zone and another port to a different zone?
Reply to
VistaCruiser1977

I do this with different HTTP rules, one for the general users and one for special users. If you have the problem user setup with a fixed IP in the network (or a reservation), or if you have AD support, you can limit the user via HTTP rule 1 while allowing the others to use HTTP rule 2.

I have not set this up in NS units, but it works that way with WG firewalls.

Reply to
Leythos

Where is it set? IIRC, it's a global setting that you enable or disable in the DI setup, which you can then apply or not apply to a policy. But I don't think you can apply or not apply it selectively from the rest of the DI configs to different policies. I could be wrong though, I haven't played with the DI on those units in a long time.

Yes, VIPs are actually global. It will work. Just set up the VIP like you think it should be, with the correct destination address, and when you make the policy, make it to the right zone, and you'll be fine.

BTW, I think you can do more than one VIP on a GT, just not if you're using PPPoE. At least, I've done it on XPs and XTs enough times, and generally the GTs work about the same.

-Russ.

Reply to
Somebody.

According to the documentation, these are two examples of CLI commands to enable HTTP content filtering:

set zone untrust screen component-block jar
set zone untrust screen component-block exe

So it looks like this filtering applies to an entire zone and can't be applied to single IP addresses or ranges of addresses.

If anyone has any further info on this, I'd appreciate hearing it.

Reply to
VistaCruiser1977

I can confirm it is for an entire zone. You might be able to get what you want by using deep inspection, if you have a license for that...

For the second question: yes, you can have a VIP redirect to different zones. Just make sure you define your policy using the right zone. Are you sure you can't add a second VIP? You need a separate IP address for that, though.

Reply to
<s>
