Juniper ScreenOS Initial Cleanup Config

I still like the Juniper ScreenOS firewalls such as the SSG 5 or the SSG 140. However, they are End of Everything (EoE) and not used at the customers anymore. But they still do their job in basic networking (static/dynamic routing such as OSPF & BGP, IPv6, NAT), basic firewalling (access policies), and IPsec VPN. Hence I am using a couple of SSGs in my lab when playing with routing protocols and so on.

After a factory reset of those firewalls there are some default settings such as zones at a few interfaces and default IP addresses. Therefore I put the following commands together in order to cleanup the default config to have only IP addresses and default routes which is a good starting point for lab configurations. Let’s go:

Two Juniper SSG 140 firewalls in my lab. Only the last two ports operate at 1 Gpbs.
[I simply call it “blitzdingsen” in German, which is “flashy-thing” in English if I googled it correctly. ;)]

I am using primarily SSG 140 firewalls (1x 19″ RU). They have two 1 Gbps interfaces (eth0/8 and eth0/9). I am almost always using the lowest interface as “untrust”, hence eth0/8. After a factory reset (see here at the bottom for different ways how to do it) I am using a console cable to change the following settings:

  • unset the IPv4 address at eth0/0
  • unset all zone bindings
  • set eth0/8 to zone “Untrust” with IP addresses (IPv6 and legacy IP)
  • enable ping/SSH/HTTPS on eth0/8
  • default routes for both Internet protocols
  • “save” the config to survive a reboot

Furthermore note that IPv6 is not enabled by default. You must enable it manually once per device with the following two commands:

Now here is the template for the SSG 140. You must only adjust the HOSTNAME and the IP addresses:

For an SSG 5 the template is the following. Here I am using eth0/0 as untrust:


Featured image: “untitled-4972.jpg” by Eric Schneider is licensed under CC BY-SA 2.0.

2 thoughts on “Juniper ScreenOS Initial Cleanup Config

  1. Lots of nostalgia reading this post. I rarely work on SSG’s these days but like you still have a couple in my home lab. Configuring them is like putting on your favourite comfy slippers :-)

  2. No SSG20 Password – Please help

    I still have a few ssg20 with no login details.
    I have tried every factory reset method but still unable to log in although the Os boots normally and gets to the login prompt.
    I think all of them have been disabled (reset pinhole, serial number etc)
    Trying safe booting into the Loader also failed: instead of going to the loader prompt, it is trying to configure the loader as follows:

    Boot File Name [n]:
    Self IP Address []:
    TFTP IP Address []:

    Any other way I can reset them to factory default to log in/gain access.

    Many thanks

Leave a Reply

Your email address will not be published. Required fields are marked *