Are you looking for my non-technical blog?

This is now my technical-only blog, my non-technical blog is here.

26 September 2005

Basic NetScreen Firewall Configuration

Juniper NetScreen firewalls are one of the most popular firewalls when it comes to High End firewalls. They are installed in the major ISPs and Large Data Centers worldwide. So here is a basic intro to configuring a NetScreen firewall.

You first need a console and the default username and password are "netscreen"/"netscreen". Then you have to determine if you are going to install it in Layer-II mode or LayerIII. We are going to consider the Layer-II (Transparent) mode configuration.

First, put all the interfaces in Layer-II zones (V1-Trust, V1-Untrust, V1-DMZ)
set interface [interface-name] zone [zone-name]
Eg. set interface e1 zone V1-Trust
Then configure an IP address to VLAN1 interface (The management interface in case of Transparent mode operation)
set interface vlan1 ip [ip-address]/[subnet-mask]
Eg. set interface vlan1 ip 10.0.0.1/24
Now after adding the interfaces to different zones, there must be policies in order to allow traffic to cross the different zones ... policies is how you are going to decide who is allowed to communicate with who and with whcih TCP/UDP services
set police from [source-zone] to [destination-zone] [src-ip] [dst-ip] [service] {permit|deny} [log]
Eg. set policy from V1-Trust to V1-Untrust 10.0.0.10 10.0.0.2 FTP permit
Network Configuration
PC1: 10.0.0.10/24 (V1-Trust)
PC2: 10.0.0.2/24 (V1-Untrust)
VLAN1: 10.0.0.1/24

[PC1]------------[Firewall]------------[PC2]

Notes:
  1. In Transparent mode the firewall acts as a bridge in the way the traffic is forwarded, so it is normal for the hosts connected to the different interfaces to have IP addresses from the same subnet.
  2. The default behavior of the firewall is to block traffic between different zones, so you have to create policies in order to path traffic. However this default can be changed.
Tags: , , , ,