
Juniper Netscreen Firewall 5GT-ADSL running ScreenOS 5.2.0r1-adsl or 5.2.0r2-adsl might be susceptible to policy mismatch under specific configurations.



Article ID: JSA10354 SECURITY_ADVISORIES Last Updated: 09 May 2013 Version: 2.0
Product Affected:
NS5GT-ADSL running ScreenOS 5.2.0r1-adsl or 5.2.0r2-adsl
ScreenOS has support for virtual IP (aka VIP). A VIP maps traffic received at one IP address to another address based on the destination port number in the TCP or UDP segment header.

ScreenOS also supports Interface DIP (aka dynamic IP) for incoming VoIP calls.

When a Juniper Netscreen 5GT-ADSL is configured with both an interface DIP (to relay incoming voice over IP calls) and a VIP (to forward specific ports to particular internal servers), traffic explicitly denied to the VIP might still be permitted by a rule allowing packets to the DIP, if that permit rule is placed before the VIP deny rule.

Customers have a number of choices to address the issue:

Option 1: Configuration workaround

By placing an explicit deny rule to the VIP before a permit rule involving the DIP, packets are dropped before they can match the DIP rule. The following example shows a working configuration snippet.

set policy from "Untrust" to "Trust" "Permitted SMTP Servers" "VIP(untrust)" "SMTP" permit log
set policy from "Untrust" to "Trust" "Any" "VIP(untrust)" "SMTP" deny log
set policy from "Untrust" to "Trust" "Any" "DIP(untrust)" "SIP" permit
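The ordering check behind this workaround, as an added example that is not part of the advisory or any Juniper tool: a small Python audit that parses `set policy` lines in configuration order and flags any permit to a DIP destination that precedes a deny to a VIP destination for the same zone pair. The regular expression covers only the policy syntax shown above, the `DIP(`/`VIP(` prefix test is an assumption about how the address objects are named, and both sample configurations are constructed from the three rules in the snippet.

```python
import re
from collections import namedtuple

# Matches the 'set policy' syntax used in the advisory's configuration snippet.
POLICY_RE = re.compile(
    r'set policy from "(?P<src_zone>[^"]+)" to "(?P<dst_zone>[^"]+)"\s+'
    r'"(?P<src>[^"]+)"\s+"(?P<dst>[^"]+)"\s+"(?P<svc>[^"]+)"\s+'
    r'(?P<action>permit|deny)(?P<log>\s+log)?\s*$')

Policy = namedtuple("Policy", "src_zone dst_zone src dst svc action log")

def parse_policies(config):
    """Policies in configuration order (ScreenOS uses first match); other lines ignored."""
    policies = []
    for line in config.splitlines():
        m = POLICY_RE.search(line.strip())
        if m:
            g = m.groupdict()
            policies.append(Policy(g["src_zone"], g["dst_zone"], g["src"], g["dst"],
                                   g["svc"], g["action"], g["log"] is not None))
    return policies

def dip_permit_before_vip_deny(policies):
    """(dip_index, vip_index) pairs where a permit to a DIP(...) destination precedes
    a deny to a VIP(...) destination for the same zone pair (the risky ordering)."""
    findings = []
    for i, p in enumerate(policies):
        if p.action != "permit" or not p.dst.startswith("DIP("):
            continue
        for j in range(i + 1, len(policies)):
            q = policies[j]
            if (q.action == "deny" and q.dst.startswith("VIP(")
                    and (q.src_zone, q.dst_zone) == (p.src_zone, p.dst_zone)):
                findings.append((i, j))
    return findings

# Constructed sample: the advisory's three rules with the DIP permit placed first.
VULNERABLE_ORDER = """
set policy from "Untrust" to "Trust" "Any" "DIP(untrust)" "SIP" permit
set policy from "Untrust" to "Trust" "Permitted SMTP Servers" "VIP(untrust)" "SMTP" permit log
set policy from "Untrust" to "Trust" "Any" "VIP(untrust)" "SMTP" deny log
"""
# The advisory's workaround order: the explicit VIP deny precedes the DIP permit.
WORKAROUND_ORDER = """
set policy from "Untrust" to "Trust" "Permitted SMTP Servers" "VIP(untrust)" "SMTP" permit log
set policy from "Untrust" to "Trust" "Any" "VIP(untrust)" "SMTP" deny log
set policy from "Untrust" to "Trust" "Any" "DIP(untrust)" "SIP" permit
"""
```

Running `dip_permit_before_vip_deny(parse_policies(cfg))` on a dumped configuration returns an empty list when the workaround ordering is in place.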
Option 2: Upgrade ScreenOS software

A CSP has been made available to customers that fixes the issue.

In addition, ScreenOS 5.2.0r3 and above will integrate the same fix.

Severity Assessment:
This issue affects NS5GT-ADSL and involves ScreenOS versions 5.2.0r1 and 5.2.0r2 only.

