Juniper Networks 16PORT SRX 240 4PIM SLOT 512MB 1GB FL W PS (SRX240B) Firewall Logo

Anonymous Posted on Nov 08, 2013

Same-security-traffic permit intra-interface - Juniper Networks 16PORT SRX 240 4PIM SLOT 512MB 1GB FL W PS (SRX240B) Firewall

Related Questions:


How to Configure the Traffic Statistics Function on S2700&S3700&S5700?

Assume that the statistics on ping packets from 10.1.1.0/24 need to be collected on the interface Ethernet0/0/1 or GigabitEthernet0/0/1. The configuration is as follows:
# Configure the ACL rule.
[HUAWEI] acl number 3333
[HUAWEI-acl-adv-3333] rule 5 permit icmp source 10.1.1.0 0.0.0.255
[HUAWEI-acl-adv-3333] quit
# Configure the traffic classifier.
[HUAWEI] traffic classifier test
[HUAWEI-classifier-test] if-match acl 3333
[HUAWEI-classifier-test] quit
# Configure the traffic behavior.
[HUAWEI] traffic behavior test
[HUAWEI-behavior-test] statistic enable
[HUAWEI-behavior-test] quit
# Configure the traffic policy.
[HUAWEI] traffic policy test
[HUAWEI-trafficpolicy-test] classifier test behavior test
[HUAWEI-trafficpolicy-test] quit
# Apply the traffic policy:
  • Apply the traffic policy test on the S2700 or S3700:
    [HUAWEI] interface ethernet0/0/1
    [HUAWEI-Ethernet0/0/1] traffic-policy test inbound
  • Apply the traffic policy test on the S5700:
    [HUAWEI] interface gigabitethernet0/0/1
    [HUAWEI-GigabitEthernet0/0/1] traffic-policy test inbound

After the configuration, run the display traffic policy statistics interface interface-type interface-number command to view the traffic statistics. To re-collect traffic statistics, run the reset traffic policy statistics interface interface-type interface-number command to clear existing traffic statistics first.
NOTE:
  • The S2700 or S3700 can collect statistics only on incoming packets.
  • The S5700 can collect statistics on incoming and outgoing packets, but cannot collect statistics on packets sent from its own CPU.

After a Traffic Policy Is Applied Globally on an S3700, the Rate Limit Is Invalid When a Traffic Policy Is Applied to Interface?

If more than 128 ACL rules are configured, a traffic policy must be applied to the interface, VLAN, and globally in sequence. To update ACL rules, delete all traffic policies from the interface, VLAN, and system, and reconfigure traffic policies on the interface, in the VLAN, and globally in sequence.

1. I have a ASA 5505 and I want to block downloading of several file extensions like .exe, .msi etc on several machines but not all of them. I am running DHCP from the ASA 2. On the machines where...

HI,

You shall do the same with MPF. Create a regex filter to identify the types of files you would like to block,

e.g.

regex archive-type1 ".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]"
regex archive-type2 ".*\.([Tt][Aa][Rr].([Gg][Zz]|[Bb][Zz]2)|7[Zz]) HTTP/1.[01]"
regex doc-type1 ".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|([Pp]){2}[Tt]) HTTP/1.[01]"
regex doc-type2 ".*\.([Pp][Dd][Ff]|[Oo][Dd][Tt]) HTTP/1.[01]"
regex exe-type1 ".*\.([Ee][Xx][Ee]|[Vv][Bb][Ss]|[Vv][Bb][Aa]) HTTP/1.[01]"

Create regexes for Content-Type application/*:

regex application-header "application/*"
regex content-type "Content-Type"

Classify the regexes that match the extension types:

class-map type regex match-any ext-types
 match regex doc-type1
 match regex doc-type2
 match regex archive-type2
 match regex archive-type1
 match regex exe-type1

Capture the HTTP response that contains the Content-Type and application/* header:

class-map type inspect http match-all http-header-response
 match response header regex content-type regex application-header

Capture the HTTP request packet that matches the class ext-types:

class-map type inspect http match-all http-request
 match request uri regex class ext-types

HTTP is the interesting traffic:

access-list http-traffic extended permit tcp any any eq www
access-list http-traffic extended permit tcp any any eq 8080
class-map http-traffic-class
 match access-list http-traffic

Create a policy to prevent download attempts via HTTP request:

policy-map type inspect http block-http-download
 parameters
  protocol-violation action drop-connection log
 class http-header-response
  drop-connection log
 class http-request
  reset log

Apply the policy on the interesting traffic:

policy-map inside-http
 class http-traffic-class
  inspect http block-http-download

Apply the policy onto the interface to take effect:

service-policy inside-http interface inside
Hope this would help.
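Before committing regexes like the ones in the answer above, it helps to confirm what they actually match. The following is an added example (not from the original answer or from Cisco) that runs the five URI patterns and the two response-header patterns, unchanged, over constructed request and header lines using Python's re module; the sample lines are constructed here, not captured traffic.

```python
import re

# The five URI regexes from the answer, copied as-is: the character classes,
# alternation and {2} used in the ASA regex dialect are also valid Python re.
# Note the unescaped '.' in "HTTP/1.[01]" matches any character, as written.
URI_REGEXES = {
    "archive-type1": r".*\.([Zz][Ii][Pp]|[Tt][Aa][Rr]|[Tt][Gg][Zz]) HTTP/1.[01]",
    "archive-type2": r".*\.([Tt][Aa][Rr].([Gg][Zz]|[Bb][Zz]2)|7[Zz]) HTTP/1.[01]",
    "doc-type1": r".*\.([Dd][Oo][Cc]|[Xx][Ll][Ss]|([Pp]){2}[Tt]) HTTP/1.[01]",
    "doc-type2": r".*\.([Pp][Dd][Ff]|[Oo][Dd][Tt]) HTTP/1.[01]",
    "exe-type1": r".*\.([Ee][Xx][Ee]|[Vv][Bb][Ss]|[Vv][Bb][Aa]) HTTP/1.[01]",
}
COMPILED = {name: re.compile(pat) for name, pat in URI_REGEXES.items()}

# Response-side regexes from the answer; http-header-response is match-all,
# so both must hit the same header for the drop-connection action.
CONTENT_TYPE_RE = re.compile(r"Content-Type")
APPLICATION_RE = re.compile(r"application/*")


def matching_uri_classes(request_line: str) -> list:
    """Names of the ext-types regexes that match one HTTP request line."""
    return [name for name, rx in COMPILED.items() if rx.search(request_line)]


def request_would_be_reset(request_line: str) -> bool:
    """class-map ext-types is match-any: a single hit triggers 'reset log'."""
    return bool(matching_uri_classes(request_line))


def response_would_be_dropped(header_line: str) -> bool:
    """Both Content-Type and application/* must match (match-all semantics)."""
    return bool(CONTENT_TYPE_RE.search(header_line)
                and APPLICATION_RE.search(header_line))


# Constructed sample request lines exercising the patterns' edges.
SAMPLE_REQUESTS = [
    "GET /downloads/setup.EXE HTTP/1.1",   # exe-type1 (case-insensitive classes)
    "GET /reports/q3.tar.gz HTTP/1.0",     # archive-type2 only: '.tar' is not followed by ' HTTP'
    "GET /slides/deck.pptx HTTP/1.1",      # no hit: 'x' sits between 'ppt' and ' HTTP'
    "GET /files/setup.exe?id=7 HTTP/1.1",  # no hit: extension must sit right before ' HTTP/1.x'
    "GET /index.html HTTP/1.1",            # no hit
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line!r:42} -> {matching_uri_classes(line)}")
    for hdr in ("Content-Type: application/octet-stream", "Content-Type: text/html"):
        print(f"{hdr!r:42} -> drop={response_would_be_dropped(hdr)}")
```

The last two sample requests show where extension-only matching stops: anything between the extension and the HTTP version token, such as a query string, leaves the request unmatched, which is why the answer pairs it with the Content-Type check on the response.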

I have configured Cisco ASA Firewall and I have given ICMP Inspect also But I cant able to ping the PC Kept in the DMZ from the Outside interface

HI,


  • Please check the security level for the DMZ and outside interface. If the DMZ has the higher security level, please do the NAT configuration.
  • If they have the same security level, please issue the command "same-security-traffic permit inter-interface" in global config mode.


Do you have an example config of an ACL that will permit all traffic inbound / outbound but exclude telnet inbound / outbound?

all acl's have an "invisible" deny all statement at the end, so you construct your acl with the denied items first and then a "permit all" at the end.
I'm not familiar with the Motorola syntax, but a Cisco one would be as follows:
access-list 100 deny tcp any any eq 23
access-list 100 permit ip any any
the list is then applied to the interface.

Pix 515 E allow few websites only.

Do the nslookup for the three websites and write an access list to permit the traffic only to the said website ip addresses

Eg.

1. go to dos prompt

2. type "nslookup"

3. type "www.rediff.com"

Note : You will get the ip address of the websites

4. Create an object group for these websites

5. Add ip addresses of the websites

6. create an access-control list element to permit the traffic from your circle office to this object group for port tcp 80 and 443

You are done

Problems with dmz-outside (webpage). pix

Remove this line:

static (DMZ,INSIDE) 10.10.0.0 10.10.0.0 netmask 255.255.255.0

You don't need a translation going from a lower security level to a higher one. You will also need a nat line for the dmz so that PCs on the dmz will be translated outbound. The only connection that will work on the dmz is the webserver when it's sending traffic outbound with a source port of 80. Something like:

nat (DMZ) 101 10.10.0.0 255.255.255.0

Other than that, it looks like it should be working. You've got permission, a route, and a translation. Maybe "clear local-host 10.10.0.2" to get rid of any bad xlates and try again. Check debug level syslogs, run packet captures, "clear asp drop" then "show asp drop" after an attempt?


Cisco asa5505 problem

You seem to have the last resort (0.0.0.0) set to VLAN1, which is set as an inside interface.
Is VLAN1 connected to the outside router or internet backbone?
If not, change the last resort to the outside Ethernet port.