Personal website of Dave Hope » Netscreen

Automatic backup of Netscreen configuration

Dave — Tue, 19 Jan 2010 13:39:07 +0000

I spent some time earlier automating the backups of our appliance configuration to a restricted network share and thought I’d share a simple batch script to backup the configuration from multiple Juniper Netscreen (ScreenOS) firewalls.

@echo off
REM ================================================================
REM CONFIGURATION INFO
REM ================================================================
set USERNAME=backupAccount
set PASSWORD=superSecretPassword
set CFGFILE=BackupList.txt
set DESTDIR=C:\Backups\

REM ================================================================
REM STOP CHANGING HERE OR YOU'LL BREAK SOMETHING
REM ================================================================
SET TIMESTAMP=%date:~-4,4%.%date:~-7,2%.%date:~-10,2%
for /F "tokens=1,2 delims=," %%A in (%CFGFILE%) do (
	IF NOT EXIST "%DESTDIR%%TIMESTAMP%" mkdir "%DESTDIR%%TIMESTAMP%"
	pscp -q -scp -pw %PASSWORD% %USERNAME%@%%B:ns_sys_config "%DESTDIR%%TIMESTAMP%\%%A.cfg"
)

The above will read the details of the firewalls from a CSV file (BackupList.txt) in hostname,ip address format. PSCP is then used to SCP the configuration from the firewall to the location specified in DESTDIR.

You’ll need to make sure SSH + SCP is enabled on your firewalls and that pscp is in the same directory as the script. You can find the latest version of Putty and PSCP here.

Juniper SSG140 PPTP Routing

Dave — Wed, 30 Jul 2008 07:05:00 +0000

At work I’ve just replaced a custom Linux box I’ve been running as our firewall and proxy with a Juniper Netscreen SSG140. I had a few problems forwarding PPTP traffic so thought I’d document the problems I came across and the solutions.

PPTP Forwarding

Firstly, I was having problems even forwarding the PPTP traffic. I’d initially setup a VIP on the external interface forwarding a custom PPTP service :

IP (47) src port: 2048-2048, dst port: 2048-2048
TCP src port: 0-65535, dst port: 1723-1723

I’d then setup a Policy to allow the relevant traffic through. Alas, no such luck. Ditching the VIP and having a fixed IP for VPN traffic seemed to work. To put it simply, use MIP rather than VIP.

Routing PPTP traffic for site to site links

The second problem was a little weird. At the moment we use MS-RAS for site to site links, I’d created a route on the Netscreen which was working, but connections would drop after a very short period of time (say 20 seconds). The routing was as follows (outbound shown in green, reutn shown in red).

Thankfully the solution wasn’t too messy. Since the Netscreen was missing the return traffic it was dropping the connections. The solution is to log into the Netscreen via telnet and issue the following command:

unset flow tcp-syn-check

As if by magic, everything now works.