[ScreenOS] How to check for and enable/disable/block a service for device management (Ping, Telnet, SSH, WebUI, SSL, HTTP, or HTTPS)

Article ID: KB11369 KB Last Updated: 17 Mar 2020 Version: 8.0
Summary:

This article describes how to check, enable, and disable (block) a service used for managing NetScreen devices.

Symptoms:

Users behind a firewall are unable to manage the device over services such as Ping, Telnet, SSH, WebUI, SSL, HTTP, or HTTPS because the service is not enabled. How do you check which services are enabled, and how do you enable them?

Solution:

To check whether the services you are attempting to use are enabled on the interface, run the command 'get interface <int name>'.

For example, let's say you want to manage the firewall with Telnet and WebUI via the VSI interface eth0/0.

Enter the command "get interface eth0/0" to see the services enabled:

SSG520(M)-> get int e0/0         
Interface ethernet0/0(VSI):
  description ethernet0/0
  number 0, if_info 0, if_index 0, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone Trust, vr trust-vr, vsd 0
  dhcp client disabled
  PPPoE disabled
  admin mtu 0, operating mtu 1500, default mtu 1500
  ip 172.19.51.182/23   mac 0010.dbff.2000
  manage ip 172.19.51.136, mac 0017.cb46.5f00
  route-deny disable
  pmtu-v4 disabled
  ping disabled, telnet disabled, SSH disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled

  DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
  OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace disabled
  PIM: not configured  IGMP not configured
  NHRP disabled
  bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
  DHCP-Relay disabled at interface level
  DHCP-server disabled
Number of SW session: 128063, hw sess err cnt 0
SSG520(M)->

Then execute the following commands to enable Telnet and HTTP on eth0/0.

SSG520(M)-> set int eth0/0 manage telnet
SSG520(M)-> set int eth0/0 manage web
SSG520(M)->
SSG520(M)-> get int eth0/0
Interface ethernet0/0(VSI):
  description ethernet0/0
  number 0, if_info 0, if_index 0, mode nat
  link up, phy-link up/full-duplex
  vsys Root, zone Trust, vr trust-vr, vsd 0
  dhcp client disabled
  PPPoE disabled
  admin mtu 0, operating mtu 1500, default mtu 1500
  ip 172.19.51.182/23   mac 0010.dbff.2000
  manage ip 172.19.51.136, mac 0017.cb46.5f00
  route-deny disable
  pmtu-v4 disabled
  ping disabled, telnet enabled, SSH disabled, SNMP disabled
  web enabled, ident-reset disabled, SSL disabled
  DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
  OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace disabled
  PIM: not configured  IGMP not configured
  NHRP disabled
  bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
  DHCP-Relay disabled at interface level
  DHCP-server disabled
Number of SW session: 128063, hw sess err cnt 0
SSG520(M)->

Similarly, you can enable SSH, SSL, or any other required management service on the interface.

Note: To enable all the services on an interface in one go, execute the following command:

set interface <interface-name> manage

To disable a service, unset it with the command 'unset int <int name> manage <service>'. The following commands will block Telnet, web, and ping to the eth0/0 interface:

  • SSG520(M)-> unset int eth0/0 manage telnet
  • SSG520(M)-> unset int eth0/0 manage web
  • SSG520(M)-> unset int eth0/0 manage ping

Note: To disable all the services on an interface in one go, you can issue the following command:

unset interface <interface-name> manage
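
The check-then-disable procedure above, scripted as an added example (not from the article or from Juniper): it parses saved 'get interface' output, reads the management-service state, and builds the article's 'unset int <name> manage <service>' commands for services a policy disallows. The policy (Telnet and web treated as cleartext services to turn off), the function names, and the trimmed sample text are assumptions of this example.

```python
import re

# Constructed sample: lines taken from the article's second "get int eth0/0"
# listing (after Telnet and web were enabled), trimmed to keep it short.
SAMPLE = """\
Interface ethernet0/0(VSI):
  vsys Root, zone Trust, vr trust-vr, vsd 0
  dhcp client disabled
  ping disabled, telnet enabled, SSH disabled, SNMP disabled
  web enabled, ident-reset disabled, SSL disabled
  DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
  DHCP-Relay disabled at interface level
"""

# Only these labels are management services; other "disabled" fields
# (dhcp client, webauth, DHCP-Relay, ...) must not be picked up.
SERVICE_RE = re.compile(
    r"(?<![\w-])(ping|telnet|ssh|snmp|web|ident-reset|ssl)\s+(enabled|disabled)\b",
    re.IGNORECASE)
IFACE_RE = re.compile(r"^Interface\s+([^\s(:]+)", re.MULTILINE)

# Assumption of this example (not stated in the article): Telnet and
# web (HTTP) are treated as cleartext services to be switched off.
CLEARTEXT = ("telnet", "web")

def parse_manage_services(output):
    """Return (interface_name, {service: enabled?}) from 'get interface' text."""
    iface = IFACE_RE.search(output)
    states = {m.group(1).lower(): m.group(2).lower() == "enabled"
              for m in SERVICE_RE.finditer(output)}
    if iface is None or not states:
        # A truncated capture must not be reported as "nothing enabled".
        raise ValueError("no interface header or management status found")
    return iface.group(1), states

def remediation(output, disallowed=CLEARTEXT):
    """Build the article's 'unset int <name> manage <service>' commands."""
    name, states = parse_manage_services(output)
    return [f"unset int {name} manage {svc}"
            for svc in disallowed if states.get(svc)]

if __name__ == "__main__":
    print(parse_manage_services(SAMPLE))
    print("\n".join(remediation(SAMPLE)))
```

Run against the article's first listing (everything disabled), remediation() returns an empty list; a capture with no status lines raises an error instead of passing silently.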

 

Modification History:

2020-03-17: Minor changes made; content and all links are valid

2017-11-29: Article reviewed for accuracy. No changes made. Article is correct and complete.