ScreenOS Cookbook by Sunil Wadhwa, Joe Kelly, Ken Draper, David Delcourt, Vik Davar, Stefan Brunner
19.4. Redirect Traffic to Mitigate Threats

Problem

You want to force user traffic from the Trust zone through the Intrusion Detection System (IDS) in the DMZ zone before it reaches the Internet, so that hosts in the Trust zone cannot download malware uninspected. You also want to use multiple virtual routers (VRs) so that the Trust zone's routing table is kept separate from the routing table that faces external, untrusted networks.

Solution

Redirect the traffic using multiple VRs: the Trust zone lives in trust-vr, while the DMZ and Untrust zones live in untrust-vr, so Trust traffic must leave its own VR and pass the DMZ policy path before it can reach the Untrust network.

First, configure zones in the different VRs, assign interfaces to the zones, and assign IP addresses to the interfaces:

	set zone "Trust" vrouter "trust-vr"
	set zone "Untrust" vrouter "untrust-vr"
	set zone "DMZ" vrouter "untrust-vr"
	set interface "ethernet0/0" zone "Trust"
	set interface "ethernet0/1" zone "DMZ"
	set interface "ethernet0/2" zone "Untrust"
	set interface ethernet0/0 ip 172.16.1.1/24
	set interface ethernet0/1 ip 2.2.2.1/30
	set interface ethernet0/2 ip 4.4.4.1/30

Next, configure firewall policies that permit traffic from the Trust zone to the DMZ zone (toward the IDS) and from the DMZ zone to the Untrust zone (after inspection). The Trust subnet is defined a second time as an address object in the DMZ zone because ScreenOS address book entries belong to a zone, and the inspected traffic re-enters the firewall on the DMZ interface with its original Trust source addresses. The IDP device itself also has to be configured; that is beyond the scope of this recipe, so consult the documentation that came with your IDP device:

	set address "Trust" "Trust_network" 172.16.1.0 255.255.255.0
	set address "DMZ" "Filtered_trust_network" 172.16.1.0 255.255.255.0
	set policy id 1 from "Trust" to "DMZ" "Trust_network" "Any" "ANY" permit
	set policy id 1
	set policy id 2 from "DMZ" to "Untrust" "Filtered_trust_network" "Any" "ANY" permit
	...
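A practical check after building a configuration like this is to confirm that it actually has the two properties the recipe relies on: the Trust and Untrust zones are bound to different virtual routers, and no permit policy lets Trust reach Untrust directly, bypassing the DMZ inspection path. The following audit script is an added example written for this page, not code from the ScreenOS Cookbook or from Juniper; the function names and the sample configuration are constructed here, and the sample deliberately includes an extra policy (id 3) that would open a bypass so that the check has something to find.

```python
"""Audit a ScreenOS configuration fragment for the properties this recipe
depends on. Added example for this page (not from the ScreenOS Cookbook).
Parses 'set zone', 'set interface ... zone' and 'set policy ... from ... to'
lines and reports VR-isolation and inspection-bypass problems."""
import shlex

# Constructed sample: the recipe's lines plus a deliberately bad policy (id 3)
# that would let Trust hosts reach Untrust without crossing the DMZ.
SAMPLE_CONFIG = """
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "untrust-vr"
set zone "DMZ" vrouter "untrust-vr"
set interface "ethernet0/0" zone "Trust"
set interface "ethernet0/1" zone "DMZ"
set interface "ethernet0/2" zone "Untrust"
set interface ethernet0/0 ip 172.16.1.1/24
set interface ethernet0/1 ip 2.2.2.1/30
set interface ethernet0/2 ip 4.4.4.1/30
set address "Trust" "Trust_network" 172.16.1.0 255.255.255.0
set address "DMZ" "Filtered_trust_network" 172.16.1.0 255.255.255.0
set policy id 1 from "Trust" to "DMZ" "Trust_network" "Any" "ANY" permit
set policy id 1
set policy id 2 from "DMZ" to "Untrust" "Filtered_trust_network" "Any" "ANY" permit
set policy id 3 from "Trust" to "Untrust" "Trust_network" "Any" "ANY" permit
"""


def parse_config(text):
    """Return (zone->vrouter, interface->zone, [policy dicts]) from CLI text.

    shlex handles the quoted names; lines that are not 'set' commands (such
    as the '...' elision marker or blank lines) are ignored.
    """
    zone_vr, iface_zone, policies = {}, {}, []
    for raw in text.splitlines():
        tok = shlex.split(raw.strip())
        if len(tok) < 2 or tok[0] != "set":
            continue
        if tok[1] == "zone" and len(tok) >= 5 and tok[3] == "vrouter":
            zone_vr[tok[2]] = tok[4]
        elif tok[1] == "interface" and len(tok) >= 5 and tok[3] == "zone":
            iface_zone[tok[2]] = tok[4]
        elif tok[1] == "policy" and "from" in tok and "to" in tok:
            # 'set policy id N' alone (policy context entry) has no from/to
            # and is skipped by the condition above.
            policies.append({
                "id": int(tok[tok.index("id") + 1]) if "id" in tok else None,
                "from": tok[tok.index("from") + 1],
                "to": tok[tok.index("to") + 1],
                "action": tok[-1],
            })
    return zone_vr, iface_zone, policies


def vr_isolation_findings(zone_vr, iface_zone):
    """Findings about the VR split: Trust and Untrust must be in different
    vrouters, and every interface's zone must itself be bound to a vrouter."""
    findings = []
    trust_vr, untrust_vr = zone_vr.get("Trust"), zone_vr.get("Untrust")
    if trust_vr is None or untrust_vr is None:
        findings.append("Trust or Untrust zone is not bound to a vrouter")
    elif trust_vr == untrust_vr:
        findings.append(f"Trust and Untrust share vrouter {trust_vr}")
    for iface, zone in sorted(iface_zone.items()):
        if zone not in zone_vr:
            findings.append(f"{iface} is in zone {zone}, which has no vrouter")
    return findings


def bypass_policy_ids(policies):
    """IDs of permit policies that send Trust traffic straight to Untrust,
    skipping the DMZ inspection hop."""
    return [p["id"] for p in policies
            if p["from"] == "Trust" and p["to"] == "Untrust"
            and p["action"] == "permit"]


def inspection_path_present(policies, inspect_zone="DMZ"):
    """True when both legs of the redirect exist: Trust->DMZ and DMZ->Untrust."""
    legs = {(p["from"], p["to"]) for p in policies if p["action"] == "permit"}
    return ("Trust", inspect_zone) in legs and (inspect_zone, "Untrust") in legs


def audit(text):
    """Run all checks and return a summary dict."""
    zone_vr, iface_zone, policies = parse_config(text)
    return {
        "vr_findings": vr_isolation_findings(zone_vr, iface_zone),
        "bypass_policies": bypass_policy_ids(policies),
        "inspection_path": inspection_path_present(policies),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the sample, the script reports no VR findings, confirms that both legs of the inspection path exist, and flags policy 3 as a bypass. Feed it the output of `get config` from a real device to check a production configuration the same way; extend `parse_config` if the policies use additional keywords such as `name`, since the parser only needs to locate the `from` and `to` tokens.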