ScreenOS FTP-command service in DENY rule

  [JSA10363]


Legacy Advisory Id:
PSN-2006-04-019
Product Affected:
All ScreenOS based platforms
Problem:

Background:

ScreenOS includes predefined services for FTP-Get and FTP-Put. These services allow unidirectional FTP transfers; which direction is allowed depends on both the service and the rule action:
  • If FTP-Get is selected with a PERMIT action, ScreenOS allows requests to retrieve files from the FTP server but does not allow files to be sent.

  • If FTP-Put is selected with a PERMIT action, ScreenOS allows requests to send files to the FTP server but does not allow files to be retrieved.

  • If FTP-Get is selected with a DENY action, ScreenOS allows requests to send files to the FTP server but does not allow files to be retrieved (the same effect as FTP-Put with PERMIT).

  • If FTP-Put is selected with a DENY action, ScreenOS allows requests to retrieve files from the FTP server but does not allow files to be sent (the same effect as FTP-Get with PERMIT).

ScreenOS also lets users aggregate services into "service groups", which can then be referenced in rule policies in place of individually selected services. Including FTP-Get and/or FTP-Put in such a service group may result in an unintended change of the rule's action.

Problem description:

When a DENY rule references a custom service group that includes either FTP-Get or FTP-Put, the rule's action automatically changes to PERMIT. The changed action can be verified from the CLI. However, due to a coding error, the change is not reflected in the Web interface, which still shows the rule with its original DENY action.
Solution:

Workaround 1:

Custom service groups referenced by DENY rules should not include the FTP-Put or FTP-Get services. When either of these services is required, create a separate rule that references the predefined FTP-command service directly rather than through a custom service group.
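
The following Python script is an added example, not part of this PSN and not Juniper tooling. It audits saved "get config" output for the condition described above: custom service groups that contain FTP-Get or FTP-Put (a violation of Workaround 1) and DENY policies that reference such a group (the rules whose action silently changes to PERMIT). The configuration lines embedded in it are constructed for illustration, and the line patterns it matches (SAMPLE_CONFIG, GROUP_ADD_RE, POLICY_RE and the function names are this example's own) assume the usual "set group service" and "set policy" syntax; adjust them if your ScreenOS release formats these lines differently.

```python
"""Audit ScreenOS 'get config' output for DENY policies that reference a
custom service group containing FTP-Get or FTP-Put (the JSA10363 condition).

Added example, not Juniper code. SAMPLE_CONFIG is constructed; the regexes
assume the usual 'set group service' and 'set policy' line shapes and may
need adjustment for a given ScreenOS release.
"""
import re
from collections import defaultdict

# Predefined FTP-command services named in the advisory (compared case-insensitively).
FTP_COMMAND_SERVICES = {"FTP-GET", "FTP-PUT"}

# Constructed sample of exported configuration lines (not from a real device).
SAMPLE_CONFIG = """\
set group service "web-and-ftp"
set group service "web-and-ftp" add "HTTP"
set group service "web-and-ftp" add "FTP-Get"
set group service "web-only"
set group service "web-only" add "HTTP"
set group service "web-only" add "HTTPS"
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "web-only" deny
set policy id 2 from "Trust" to "Untrust"  "Any" "Any" "web-and-ftp" deny
set policy id 3 from "Trust" to "Untrust"  "Any" "Any" "web-and-ftp" permit log
set policy id 4 from "Untrust" to "DMZ"  "Any" "Any" "FTP-Put" deny
"""

GROUP_ADD_RE = re.compile(r'^set group service "([^"]+)" add "([^"]+)"')
POLICY_RE = re.compile(
    r'^set policy id (\d+)(?: name "[^"]*")? from "([^"]+)" to "([^"]+)"'
    r'\s+"([^"]+)"\s+"([^"]+)"\s+"([^"]+)"\s+(\w+)'
)


def parse_service_groups(config_text):
    """Map each custom service group name to the set of its member service names."""
    groups = defaultdict(set)
    for line in config_text.splitlines():
        m = GROUP_ADD_RE.match(line.strip())
        if m:
            groups[m.group(1)].add(m.group(2))
    return dict(groups)


def parse_policies(config_text):
    """Extract id, zones, addresses, service and action from single-line policies."""
    policies = []
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            pid, src_zone, dst_zone, src, dst, service, action = m.groups()
            policies.append({
                "id": int(pid), "from": src_zone, "to": dst_zone,
                "src": src, "dst": dst, "service": service,
                "action": action.lower(),
            })
    return policies


def groups_with_ftp_commands(groups):
    """Return {group: [FTP-command members]} for groups that violate Workaround 1."""
    result = {}
    for name, members in groups.items():
        ftp_members = sorted(s for s in members if s.upper() in FTP_COMMAND_SERVICES)
        if ftp_members:
            result[name] = ftp_members
    return result


def find_affected_policies(config_text):
    """Return (policy id, group, FTP-command members) for each DENY policy whose
    service is a custom group containing FTP-Get/FTP-Put. A DENY policy that
    names FTP-Get/FTP-Put directly (policy 4 above) is not flagged, since the
    advisory describes the action change only for service groups."""
    risky = groups_with_ftp_commands(parse_service_groups(config_text))
    return [
        (p["id"], p["service"], risky[p["service"]])
        for p in parse_policies(config_text)
        if p["action"] == "deny" and p["service"] in risky
    ]


if __name__ == "__main__":
    for pid, group, members in find_affected_policies(SAMPLE_CONFIG):
        # The Web interface may still show DENY; confirm the real action on the
        # CLI (e.g. 'get policy id <n>') before trusting the rulebase.
        print(f"policy {pid}: DENY via group '{group}' containing {members}; "
              f"verify the actual action on the CLI")
```

Run it against a file saved from "get config" instead of SAMPLE_CONFIG; every policy it reports should be checked on the CLI, where the advisory says the changed action is visible, and then rebuilt per Workaround 1. Policies that reference FTP-Get or FTP-Put directly are deliberately left alone, because the advisory only describes the action change for custom service groups.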

Workaround 2:

To make the Web interface show the changed action of a rule that references a custom service group including either of the FTP-command services, disable and then re-enable the rule (using the checkbox in the Enabled column).

Additional information:

While Juniper Networks considers both workarounds viable and safe alternatives, this behavior is not optimal. Investigation of more elegant solutions continues, and a fix will be included in future releases of ScreenOS.

The Support Knowledge Base contains an article with additional information regarding this situation. The entry can be accessed via the URL listed in the appropriate section of this PSN.

Disclaimer:
Juniper Networks is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. Juniper Networks expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. Juniper Networks may change this notice at any time.
Related Links:
Severity Level:
Low
Severity Assessment:
A viable workaround exists that fixes the rulebase