How to restrict intra-zone traffic?



  • Hi,

    I’ve got 3 networks set up on the trust zone on my Netscreen 5GT firewall. I have a primary one set up as 192.168.2.0/24 and I’ve set up the other ones as secondary IPs of 192.168.1.0/24 and 192.168.0.0/24 respectively on the trust interface.

    My problem is that if I send a ping from the .2.0 network to the .1.0 network, it DOES go through, but I DON’T want it to. I’ve tried turning on “Block intra-zone traffic” on the trust zone but that doesn’t help, I can still ping 192.168.1.1 from the 192.168.2.20 IP for example.

    How can I block this from happening? I’ve tried adding a policy saying FROM .2.0/24 to .1.0/24 ALL DENY but even that doesn’t seem to work.

    Hope you guys can help.

    My original post on this is below, if you need more background to the setup:
    http://www.juniperforum.com/index.php/topic,4316.msg16902.html#msg16902

    Thanks.



  • Thanks for the reply, mindwise. I haven’t managed to test this out yet, but will do soon.



  • Hi KJaleel,

    Just activating the intra-zone block should do the trick.

    If you can still ping that can mean 1 of 3 things:

    • You have an ‘intra zone’ policy allowing the traffic through.
    • You have a ‘global’ policy allowing the traffic through.
    • You have “unset policy default” -> set the default policy of the device to “permit” (get policy shows “default permit” at the bottom; correct with “set policy default”).

    Easiest way to see which policy allows the traffic:

    Start a continuous ping (ping -t ipaddress).

    On the NetScreen telnet (console): get session

    The output shows the policy id; a ‘get policy id x’ will get you the policy that’s allowing your ping.

    Cheers,

    m
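The lookup described in the answer above, as an added example that is not part of the original thread: a small parser that reads saved `get session` output and reports which policy id carried traffic between two different trust-zone networks. The session layout shown is an assumption and the sample is constructed; the function and variable names are hypothetical.

```python
import ipaddress
import re

# The three trust-zone networks named in the question.
TRUST_NETS = [ipaddress.ip_network(n) for n in
              ("192.168.2.0/24", "192.168.1.0/24", "192.168.0.0/24")]

# Constructed sample; the layout of "get session" output is an assumption.
SAMPLE = """\
id 48/s**,vsys 0,flag 00000040/0000/0001,policy 3,time 6, dip 0 module 0
 if 2(nspflag 800801):192.168.2.20/1024->192.168.1.1/512,1,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 2(nspflag 800800):192.168.2.20/1024<-192.168.1.1/512,1,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 1
id 51/s**,vsys 0,flag 00000040/0000/0001,policy 1,time 180, dip 0 module 0
 if 2(nspflag 800801):192.168.2.20/3311->203.0.113.10/80,6,000000000000,sess token 4,vlan 0,tun 0,vsd 0,route 1
 if 0(nspflag 800800):192.168.2.20/3311<-203.0.113.10/80,6,000000000000,sess token 3,vlan 0,tun 0,vsd 0,route 2
"""

HEADER = re.compile(r"^id\s+\d+/.*?\bpolicy\s+(\d+)")
FLOW = re.compile(r":(\d+(?:\.\d+){3})/\d+->(\d+(?:\.\d+){3})/\d+")


def net_of(ip, nets):
    """Return the trust network containing ip, or None if it is outside all of them."""
    addr = ipaddress.ip_address(ip)
    return next((n for n in nets if addr in n), None)


def cross_subnet_sessions(text, nets=TRUST_NETS):
    """List (policy_id, src, dst) for sessions crossing between two trust networks."""
    hits, policy = [], None
    for line in text.splitlines():
        header = HEADER.match(line)
        if header:
            policy = int(header.group(1))
            continue
        flow = FLOW.search(line)  # matches only the forward ("->") direction line
        if flow and policy is not None:
            src, dst = flow.group(1), flow.group(2)
            src_net, dst_net = net_of(src, nets), net_of(dst, nets)
            if src_net is not None and dst_net is not None and src_net != dst_net:
                hits.append((policy, src, dst))
            policy = None  # one forward flow per session header
    return hits


if __name__ == "__main__":
    for policy_id, src, dst in cross_subnet_sessions(SAMPLE):
        print(f"{src} -> {dst} permitted by policy {policy_id}: run 'get policy id {policy_id}'")
```
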


 
