Juniper Netscreen Firewall 5GT-ADSL running ScreenOS 5.2.0r1-adsl or 5.2.0r2-adsl might be susceptible to policy mismatch under specific configurations.

  [JSA10354]

Product Affected:
NS5GT-ADSL running ScreenOS 5.2.0r1-adsl or 5.2.0r2-adsl
ScreenOS has support for virtual IP (aka VIP). A VIP maps traffic received at one IP address to another address based on the destination port number in the TCP or UDP segment header.

ScreenOS also supports Interface DIP (aka dynamic IP) for incoming VoIP calls.

When a Juniper Netscreen 5GT-ADSL is configured with both an interface DIP (to relay incoming voice over IP calls) and a VIP (to forward specific ports to particular internal servers), traffic explicitly blocked to the VIP might still be permitted by a rule allowing packets to the DIP if that rule is placed before the VIP deny rule.

Customers have a number of choices to address the issue:

Option 1: Configuration workaround

By placing an explicit deny rule to the VIP before a permit rule involving the DIP, packets get dropped prior to matching the DIP rule. The following example shows a working configuration snippet.

 -> set policy from "Untrust" to "Trust"  "Permitted SMTP Servers" "VIP(untrust)" "SMTP" permit log
 -> set policy from "Untrust" to "Trust"  "Any" "VIP(untrust)" "SMTP" deny log
 -> set policy from "Untrust" to "Trust"  "Any" "DIP(untrust)" "SIP" permit
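
The following is an added example, not Juniper's code or part of the advisory: a small lint that parses ScreenOS `set policy` lines and flags the ordering described above, a permit whose destination is a DIP address placed ahead of a deny whose destination is a VIP address on the same zone pair. It assumes the first-match policy evaluation the workaround relies on and flags on zone pair only, regardless of the interface named in the DIP/VIP object; the sample policies are constructed from the snippet in this advisory.

```python
# Added example, not Juniper's code: lint a ScreenOS policy list for a permit
# to a DIP destination placed before a deny to a VIP destination on the same
# zone pair, since a first-match evaluation lets the earlier permit shadow the deny.
import shlex
from dataclasses import dataclass

@dataclass
class Policy:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    service: str
    action: str

def parse_policy(line: str) -> Policy:
    """Parse `set policy from Z1 to Z2 SRC DST SVC ACTION [log]`; a leading
    "->" CLI prompt, as in the advisory's snippet, is stripped first."""
    tok = shlex.split(line.strip().lstrip("-> "))
    if len(tok) < 10 or tok[:3] != ["set", "policy", "from"] or tok[4] != "to":
        raise ValueError(f"not a set policy line: {line!r}")
    return Policy(tok[3], tok[5], tok[6], tok[7], tok[8], tok[9])

def misordered_dip_permits(policies: list[Policy]) -> list[tuple[Policy, Policy]]:
    """Return (dip_permit, vip_deny) pairs where the permit precedes the deny."""
    findings = []
    for i, p in enumerate(policies):
        if p.action != "permit" or not p.dst.startswith("DIP("):
            continue
        for q in policies[i + 1:]:
            same_pair = (q.from_zone, q.to_zone) == (p.from_zone, p.to_zone)
            if same_pair and q.action == "deny" and q.dst.startswith("VIP("):
                findings.append((p, q))
    return findings

def audit(lines: list[str]) -> int:
    """Number of shadowing (DIP permit, VIP deny) pairs in a config snippet."""
    return len(misordered_dip_permits([parse_policy(l) for l in lines]))

# Constructed from the advisory's snippet: the recommended order.
GOOD_CONFIG = [
    '-> set policy from "Untrust" to "Trust" "Permitted SMTP Servers" "VIP(untrust)" "SMTP" permit log',
    '-> set policy from "Untrust" to "Trust" "Any" "VIP(untrust)" "SMTP" deny log',
    '-> set policy from "Untrust" to "Trust" "Any" "DIP(untrust)" "SIP" permit',
]
# Same rules with the DIP permit moved to the top: the order the advisory
# says can let traffic explicitly denied to the VIP through.
BAD_CONFIG = [GOOD_CONFIG[2], GOOD_CONFIG[0], GOOD_CONFIG[1]]
```

Running `audit()` over an exported policy list returns 0 for the recommended order and a positive count for each DIP permit that shadows a later VIP deny.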

Option 2: Upgrade ScreenOS software

A CSP that fixes the issue has been made available to customers.

In addition, ScreenOS 5.2.0r3 and later will include the same fix.

Risk Assessment:
This issue affects NS5GT-ADSL and involves ScreenOS versions 5.2.0r1 and 5.2.0r2 only.