[ScreenOS] Configuring your NetScreen or SSG device for use with an FTP Server

Article ID: KB4218
KB Last Updated: 27 Dec 2017
Version: 7.0

Summary:
Configuring your NetScreen or SSG device for use with an FTP server. The example uses a VIP.

Solution:

When configuring the Juniper firewall for use with an FTP server, you can use a Virtual IP (VIP) or a Mapped IP (MIP) if the server has an internal, private IP address. For more information on VIPs and MIPs, refer to KB4751 - When to Use a Virtual IP and When to Use a Mapped IP.

The Trust and Untrust zones must also already be bound to an interface. For more information on how to bind an interface to a zone, refer to KB4762 - Binding an Interface to a Zone.

Note: For this example, we are configuring a VIP address for an FTP server. This article is based on the NetScreen-5GT/5XT/5XP devices using Trust and Untrust as interfaces. NetScreen-25/50/204/208 and SSG-5/20/140/320/350/520/550 devices often use Ethernet interfaces.

To configure your Juniper firewall for use with an FTP server using a VIP, perform the following steps:

Step one: Open the WebUI. For more information on accessing the WebUI, refer to KB4060 - Accessing Your NetScreen, SSG, or ISG Firewall Using the WebUI.

Step two: From the ScreenOS options menu, click Network, and then click Interfaces.

Step three: From the untrust interface, click Edit.

Step four: Click VIP.

Step five: From Virtual IP Address, enter the IP address of the FTP server.

Note: For this example, we have entered 210.1.1.10.

Step six: Click Add.

Step seven: Click New VIP Service.

Step eight: From the Virtual IP drop-down menu, select the Virtual IP address. From Virtual Port, enter the port number. From the Map to Service drop-down menu, select the service. From Map to IP, enter the internal IP address of the FTP server.

Note: For this example, we used a Virtual IP of 210.1.1.10, a Virtual Port of 21, a Map to Service of FTP (21), and a Map to IP of 192.168.1.10. Also, in this example the FTP server will have the following IP settings:
  • IP address 192.168.1.10
  • Subnet mask 255.255.255.0
  • Default gateway 192.168.1.1

Step nine: Click OK.

Note: The Virtual IP listens on the Virtual Port. If the Virtual Port is 21 and the policy uses service ANY, all traffic going through port 21 will be passed.

Step ten: From the ScreenOS options menu, click Policies.

Step eleven: In the From drop-down menu, click to select Untrust. From the To drop-down menu, click to select Trust.

Step twelve: Click New.

Step thirteen: In Source Address, click to select Address Book. From the Address Book drop-down menu, click to select Any.

Step fourteen: From Destination Address, click to select Address Book. From the Address Book drop-down menu, click to select Global:VIP(210.1.1.10).

Note: In later releases (ScreenOS 5.3.0 and above), the address book entry appears as "VIP(210.1.1.10)".

Step fifteen: From the Service drop-down menu, click to select FTP. From the Action drop-down menu, click to select Permit.

Step sixteen: Click OK.

Note: The FTP service is now configured.

The CLI commands for the above implementation are as follows:

set interface untrust ip 210.1.1.1/24
set interface untrust vip 210.1.1.10 21 "FTP" 192.168.1.10
set policy id 0 from "Untrust" to "Trust" "Any" "Global:VIP(210.1.1.10)" "FTP" permit

For newer ScreenOS versions:

set policy id 0 from "Untrust" to "Trust" "Any-IPv4" "VIP(210.1.1.10)" "FTP" permit
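
An added example (not part of the Juniper article or of ScreenOS): a small Python audit that reads saved configuration lines in the syntax shown above and flags permit policies to a VIP whose service is ANY, the case the note under step nine describes. The sample configuration is constructed; policy id 1 and the function names are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample: the first three lines are the article's commands;
# policy id 1 is a made-up variant that uses service "ANY".
SAMPLE_CONFIG = '''
set interface untrust ip 210.1.1.1/24
set interface untrust vip 210.1.1.10 21 "FTP" 192.168.1.10
set policy id 0 from "Untrust" to "Trust" "Any" "Global:VIP(210.1.1.10)" "FTP" permit
set policy id 1 from "Untrust" to "Trust" "Any" "VIP(210.1.1.10)" "ANY" permit
'''

# Matches both address book forms: Global:VIP(x) and, on newer releases, VIP(x).
VIP_DST = re.compile(r'^(?:Global:)?VIP\((?P<ip>[^)]+)\)$')


def parse_config(text):
    """Return (vips, policies) parsed from the 'set' lines shown in the article."""
    vips, policies = [], []
    for raw in text.splitlines():
        tok = shlex.split(raw)  # strips the quotes around zone/address/service names
        if len(tok) == 8 and tok[:2] == ['set', 'interface'] and tok[3] == 'vip':
            vips.append({'vip': tok[4], 'port': int(tok[5]),
                         'service': tok[6], 'map_to': tok[7]})
        elif len(tok) == 12 and tok[:3] == ['set', 'policy', 'id']:
            policies.append({'id': int(tok[3]), 'src_zone': tok[5], 'dst_zone': tok[7],
                             'src': tok[8], 'dst': tok[9],
                             'service': tok[10], 'action': tok[11]})
    return vips, policies


def audit(text):
    """List each permit policy that targets a VIP, with the virtual ports it opens."""
    vips, policies = parse_config(text)
    findings = []
    for p in policies:
        m = VIP_DST.match(p['dst'])
        if not m or p['action'] != 'permit':
            continue
        findings.append({
            'policy_id': p['id'], 'vip': m['ip'], 'service': p['service'],
            'ports': sorted(v['port'] for v in vips if v['vip'] == m['ip']),
            # Service ANY passes everything sent to the virtual port (article's note).
            'too_broad': p['service'].upper() == 'ANY',
        })
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_CONFIG):
        print(f)
```

Policies reported with too_broad set should be narrowed to the specific service mapped on the VIP, as the article's policy does with FTP.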

Modification History:
2017-12-23: Article reviewed for accuracy. Minor grammatical changes made. Article is correct and complete.