I still like the Juniper ScreenOS firewalls such as the SSG 5 or the SSG 140. They are End of Everything (EoE) and no longer in use at customers, but they still do their job for basic networking (static and dynamic routing such as OSPF and BGP, IPv6, NAT), basic firewalling (access policies), and IPsec VPN. Hence I am using a couple of SSGs in my lab when playing with routing protocols and so on.
After a factory reset these firewalls come with some default settings, such as zones bound to a few interfaces and default IP addresses. Therefore I put the following commands together to clean up the default config so that only IP addresses and default routes remain, which is a good starting point for lab configurations. Let's go:
[I simply call it “blitzdingsen” in German, which is “flashy-thing” in English if I googled it correctly. ;)]
I am primarily using SSG 140 firewalls (1x 19″, 1 RU). They have two 1 Gbps interfaces (eth0/8 and eth0/9). I almost always use the lowest of the two as "untrust", hence eth0/8. After a factory reset (see here, at the bottom, for the different ways to do it) I use a console cable to change the following settings:
- unset the IPv4 address at eth0/0
- unset all zone bindings
- set eth0/8 to zone “Untrust” with IP addresses (IPv6 and legacy IP)
- enable ping/SSH/HTTPS on eth0/8 (management on the untrust interface is fine in an isolated lab, but do not copy this into a production setup)
- default routes for both Internet protocols
- “save” the config to survive a reboot
Furthermore, note that IPv6 is not enabled by default. You must enable it manually once per device with the following two commands. The second one, reset, reboots the firewall, which is required for the environment variable to take effect:
```
set envar ipv6=yes
reset
```
Now here is the template for the SSG 140. You only need to adjust the HOSTNAME and the IP addresses. Note that the template enables SSHv2 and HTTPS management on the untrust interface and uses the dated 3DES/SHA-1 setting for the HTTPS GUI, which is acceptable for a lab on an end-of-life platform but nothing to build on in production:
```
unset interface ethernet0/0 ip
unset interface ethernet0/0 zone
unset interface ethernet0/1 zone
unset interface ethernet0/2 zone
set interface "ethernet0/8" zone "Untrust"
set interface ethernet0/8 ip 192.168.1.10/24
set interface ethernet0/8 route
set interface "ethernet0/8" ipv6 mode "router"
set interface "ethernet0/8" ipv6 ip 2001:db8::cafe/64
set interface "ethernet0/8" ipv6 enable
set interface ethernet0/8 ip manageable
set interface ethernet0/8 manage ping
set interface ethernet0/8 manage ssh
set interface ethernet0/8 manage ssl
set hostname HOSTNAME
set clock timezone 1
set admin auth web timeout 300
set ssh version v2
set ssh enable
set ssl encrypt 3des sha-1
set vrouter "trust-vr"
set route 0.0.0.0/0 interface ethernet0/8 gateway 192.168.1.1 permanent
set route ::/0 interface ethernet0/8 gateway 2001:db8::1 permanent
exit
save
```
For the SSG 5 the template is the following. Here I am using eth0/0 as untrust; it is already bound to the Untrust zone after a factory reset, so no zone binding is needed, but the default bgroup0 (eth0/2 to eth0/6) and wireless0/0 bindings have to be removed first:
```
unset interface bgroup0 port eth0/2
unset interface bgroup0 port eth0/3
unset interface bgroup0 port eth0/4
unset interface bgroup0 port eth0/5
unset interface bgroup0 port eth0/6
unset interface bgroup0 ip
unset interface bgroup0 zone
unset interface wireless0/0 ip
unset interface wireless0/0 zone
unset interface ethernet0/1 zone
set interface ethernet0/0 ip 192.168.1.10/24
set interface ethernet0/0 route
set interface "ethernet0/0" ipv6 mode "router"
set interface "ethernet0/0" ipv6 ip 2001:db8::cafe/64
set interface "ethernet0/0" ipv6 enable
set interface ethernet0/0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ssl
set hostname HOSTNAME
set clock timezone 1
set admin auth web timeout 300
set ssh version v2
set ssh enable
set ssl encrypt 3des sha-1
set vrouter "trust-vr"
set route 0.0.0.0/0 interface ethernet0/0 gateway 192.168.1.1 permanent
set route ::/0 interface ethernet0/0 gateway 2001:db8::1 permanent
exit
save
```
Ciao.
Featured image: “untitled-4972.jpg” by Eric Schneider is licensed under CC BY-SA 2.0.
Lots of nostalgia reading this post. I rarely work on SSGs these days but, like you, still have a couple in my home lab. Configuring them is like putting on your favourite comfy slippers :-)
No SSG20 Password – Please help
I still have a few ssg20 with no login details.
I have tried every factory reset method but still unable to log in although the Os boots normally and gets to the login prompt.
I think all of them have been disabled (reset pinhole, serial number etc)
Trying safe booting into the Loader also failed: instead of going to the loader prompt, it is trying to configure the loader as follows:
Boot File Name [n]:
Self IP Address [192.168.11.21]:
TFTP IP Address [192.168.11.116]:
Any other way I can reset them to factory default to log in/gain access.
Many thanks