Category Archives: ScreenOS

Routing traffic to a virtual system (vsys) in ScreenOS

I would like to add a quick note on how to forward some traffic received on one interface to a vsys configured on a NetScreen device. From time to time I need to do this, and I always have to search for it again. This may not be the right way of doing it and may not be suitable for production environments, but it worked in my testing. In the example, the network in the destination vsys is 10.1.1.0/24.

1) In the example below, I am forwarding traffic received on the eth1/1 interface, which is in the untrust zone and trust-vr. This is important, as we should use a shared untrust zone and trust-vr for forwarding.

Root device interface output


Simple NSRP configuration

A quick NSRP configuration for reference purposes:

VSD: Virtual Security Device, it is a container for VSIs.
VSI: Virtual Security Interface.

NSRP differs slightly from VRRP when it comes to floating IPs. In VRRP, nodes have their own IPs and acquire the master IP during failover. In NSRP, however, there is only one interface IP, which floats between the nodes.

manage-ip: It is node specific and doesn't float like the VSI address.
HA links: Only a single link is actually needed, but there are advantages to having dual HA links.

Active/Passive NSRP Configuration

First of all, connect both firewalls via their eth0/8-eth0/8 and eth0/9-eth0/9 interfaces.

1) Configure HA zones on both firewalls:

2) Activate NSRP, assign a name to the cluster and set a VSD (Virtual Security Device) group.

As advised by the output, we reset FW2.


ScreenOS fetching defaults

Although I am not that familiar with ScreenOS, this hidden command I have found is worth mentioning. It is a handy command that fetches system defaults such as the maximum number of addresses.
host-> get sys-cfg
acl rule mem size number: 16384
ADSL Sub-if limit number: 0
alarm glog number: 128
def apppry scheduler queues number: 1
arp-size number: 1024
AntiSpam Black/White List Size number: 500
AntiSpam SBL Request Queue Size number: 1000
Asic based forwarding supported number: 0
b_list number: 1024
max bgp ext change number: 50
max bgp int change number: 50
bgp max receive packet buffer size number: 8192
bgp minimum netbufs expected before Tx number: 1
max bgp purge rib max number: 50
max routes redistributed into bgp at a time. if there are more they are handled in next iteration number: 55
bgp Tx queue high water mark number: 40000
bgp Tx queue low water mark number: 20000
max bgp fdb change update number: 50
5xt combined mode number: 0
config glog number: 32
default period of timeout in cryptlib number: 200
default h323 call num number: 32
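As an added example (not part of the original post), a small Python parser for this "get sys-cfg" output: it turns the "<name> number: <value>" lines into a dictionary and compares them with an expected baseline, which is handy when auditing platform limits across several devices or checking that a box still reports the defaults you documented. The sample text and baseline values are constructed from the output above.

```python
import re

# Constructed sample: a few lines of the "get sys-cfg" output shown above,
# including the prompt line and a key that contains a dot and slashes.
SAMPLE_OUTPUT = """host-> get sys-cfg
acl rule mem size number: 16384
arp-size number: 1024
AntiSpam Black/White List Size number: 500
max routes redistributed into bgp at a time. if there are more they are handled in next iteration number: 55
bgp Tx queue high water mark number: 40000
default h323 call num number: 32
"""

# Each value line ends with " number: <integer>"; the key is everything before it.
LINE_RE = re.compile(r"^(?P<key>.+?) number: (?P<value>-?\d+)\s*$")


def parse_sys_cfg(text):
    """Parse 'get sys-cfg' output into {key: int}.

    The prompt line and any line not matching the pattern are skipped,
    so the function tolerates banners or pager noise around the output.
    """
    limits = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            limits[match.group("key")] = int(match.group("value"))
    return limits


def check_limits(limits, expected):
    """Compare parsed limits with an expected baseline.

    Returns {key: (actual, expected)} for every baseline key that is
    missing from the device output or reports a different value.
    """
    drift = {}
    for key, want in expected.items():
        got = limits.get(key)
        if got != want:
            drift[key] = (got, want)
    return drift


if __name__ == "__main__":
    parsed = parse_sys_cfg(SAMPLE_OUTPUT)
    baseline = {"arp-size": 1024, "acl rule mem size": 8192}  # constructed baseline
    for key, (got, want) in check_limits(parsed, baseline).items():
        print(f"{key}: device reports {got}, baseline expects {want}")
```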