- Run the command 'get interface vlan1' to check whether the desired application service (e.g., Telnet, SSH, SNMP) is enabled on the VLAN1 interface:
ns-> get int vlan1
Interface vlan1:
description vlan1
number 15, if_info 15120, if_index 0, VLAN tag 1, mode nat
link up, phy-link up/full-duplex
vsys Root, zone VLAN, vr trust-vr
*ip 1.1.1.2/24 mac 0005.857f.130f
*manage ip 1.1.1.2, mac 0005.857f.130f
pmtu-v4 disabled
ping enabled, telnet enabled, SSH enabled, SNMP enabled
web enabled, ident-reset disabled, SSL enabled
DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
NHRP disabled
unknown mac address resolve method: FLOOD
vlan trunk: Off
bypass others IPSEC: Off
bypass non IP: multicast
In backup mode, only traffic from V1-Trust can manage the box
Number of SW session: 128063, hw sess err cnt 0
If the desired application service is disabled, enable the service with the command 'set interface vlan1 manage <service>'.
- Run the command 'get interface <int>' to check whether the desired application service (e.g., Telnet, SSH, SNMP) is enabled on the incoming physical interface of the firewall. The service must be enabled on both the VLAN1 interface (step 1) and the incoming physical interface.
ns-> get int eth3/1
Interface ethernet3/1:
description ethernet3/1
number 9, if_info 9072, if_index 0, mode xparent, port vlan 1
link up, phy-link up/full-duplex
vsys Root, zone V1-Untrust, vr trust-vr
*ip 0.0.0.0/0 mac 0005.857f.1309
pmtu-v4 disabled
ping disabled, telnet disabled, SSH enabled, SNMP disabled
web disabled, ident-reset disabled, SSL disabled
webauth disabled
NHRP disabled
bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Number of SW session: 128063, hw sess err cnt 0
If the desired application service is disabled, enable the service with the command 'set interface <int> manage <service>'.
Note: If you enabled services on the interface in the V1-Untrust zone, you may want to specify the permitted IPs that manage your firewall. This is done with the 'set admin manager-ip' command. Be aware that once set, only hosts from those networks can manage the firewall. For more information on 'Permitted IP Addresses', refer to KB3905 - [ScreenOS] How to restrict management access to specific IP addresses (manager-IP or Permitted IP addresses).
- View the routing table with 'get route', or run the command 'get route ip <client ip>', to confirm that a route exists to the client that is trying to manage the firewall. If your client is on a different network, a route is needed. If a route does not exist, use the 'set route' command to add a static route.
- If you still cannot manage the firewall, run the 'get interface vlan1' command. Make sure the manage IP address of the VLAN1 interface is not set to 0.0.0.0 and that you are using the manage IP address of the VLAN1 interface to manage the firewall. For more information on configuring a manage IP address, refer to KB4059 - [ScreenOS] Configuring a Manage IP Address on Juniper firewall.
If the firewalls are configured using NSRP, the manage IP address of the VLAN1 interface should be different for each firewall.
Also, if you are trying to manage the backup firewall, refer to KB6264 - Managing the Backup device in an NSRP in Transparent mode.
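To make the two-interface check above mechanical, here is an added Python example (not from the article or from Juniper) that parses saved 'get interface' output, using constructed sample input trimmed from the listings in this article, and reports which 'set interface ... manage' commands are still missing for a service and whether vlan1 has a real manage IP. The interface name 'ethernet3/1' and the sample text are assumptions taken from the listings above.

```python
"""Check ScreenOS 'get interface' output for management-service flags in
transparent mode: a service must be enabled on vlan1 and on the ingress
physical interface, and vlan1 must carry a real manage IP."""
import re

# Management services reported on the 'get interface' service lines.
SERVICES = ("ping", "telnet", "SSH", "SNMP", "web", "SSL")

# Constructed sample output, trimmed from the listings in this article.
VLAN1_OUTPUT = """Interface vlan1:
  number 15, if_info 15120, if_index 0, VLAN tag 1, mode nat
  *ip 1.1.1.2/24 mac 0005.857f.130f
  *manage ip 1.1.1.2, mac 0005.857f.130f
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
"""
ETH_OUTPUT = """Interface ethernet3/1:
  number 9, if_info 9072, if_index 0, mode xparent, port vlan 1
  *ip 0.0.0.0/0 mac 0005.857f.1309
  ping disabled, telnet disabled, SSH enabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
"""

def parse_services(output):
    """Map each management service found in the output to True/False."""
    state = {}
    for name, val in re.findall(r"\b([A-Za-z-]+) (enabled|disabled)\b", output):
        if name in SERVICES:
            state[name] = (val == "enabled")
    return state

def manage_ip(output):
    """Return the manage IP, or None if it is absent or still 0.0.0.0."""
    m = re.search(r"\*manage ip ([\d.]+)", output)
    return None if not m or m.group(1) == "0.0.0.0" else m.group(1)

def missing_commands(service, vlan1_out, phys_out, phys_name):
    """Commands still needed so `service` is reachable via phys_name."""
    cmds = []
    if not parse_services(vlan1_out).get(service, False):
        cmds.append(f"set interface vlan1 manage {service.lower()}")
    if not parse_services(phys_out).get(service, False):
        cmds.append(f"set interface {phys_name} manage {service.lower()}")
    return cmds

if __name__ == "__main__":
    print("vlan1 manage IP:", manage_ip(VLAN1_OUTPUT))
    for svc in SERVICES:
        print(svc, missing_commands(svc, VLAN1_OUTPUT, ETH_OUTPUT, "ethernet3/1"))
```

With the sample output, SSH needs nothing further, while Telnet is enabled on vlan1 but still disabled on ethernet3/1, which is exactly the one-sided configuration step 2 warns about.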