NetScreen CLI Reference Guide (Pre-Release Version)
Version 3.1.0
Copyright Notice
Copyright © 1998-2001 NetScreen Technologies, Inc. NetScreen Technologies, Inc., the NetScreen logo, NetScreen-5XP, NetScreen-10, NetScreen-100, NetScreen-500, NetScreen-1000, NetScreen-Global Manager, NetScreen-Global PRO, NetScreen-Remote, GigaScreen ASIC, and NetScreen ScreenOS are trademarks and NetScreen is a registered trademark of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies.
NetScreen Technologies, Inc.
350 Oakmead Parkway, Suite 500
Sunnyvale, CA 94085 U.S.A.
www.netscreen.com
FCC Statement
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a light commercial installation. This equipment generates, uses and can radiate radio frequency energy, and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Consult the dealer or an experienced radio/TV technician for help.
• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user’s warranty and authority to operate this device.
Licenses, Copyrights, and Trademarks
NetScreen, the NetScreen logo, NetScreen-Global Manager, NetScreen-Global Pro, NetScreen-Remote, NetScreen-5, NetScreen-10, NetScreen-100, and NetScreen-1000 are registered trademarks or trademarks of NetScreen Technologies, Inc.
Adobe, Acrobat, and Acrobat Exchange are trademarks of Adobe Systems Inc. Macintosh is a registered trademark of Apple Computer, Inc., registered in the United States and other countries. Netscape Communicator is a registered trademark of Netscape in the United States and/or other countries. Netscape and Netscape Communicator are registered trademarks of Netscape Communications Corporation and may be registered outside the U.S. SecurID is a registered trademark of Security Dynamics Technologies, Inc. SSH and Secure Shell are trademarks or registered trademarks of SSH Communications Security, Inc. All rights reserved. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries. SunNet Manager is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries. UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd. Websense is a registered trademark of Websense, Inc. and Websense’s product names are either trademarks, trade names, service marks or registered trademarks of Websense. WebTrends is a registered trademark of WebTrends. Microsoft, Windows and Windows NT, and NetMeeting, are trademarks or registered trademarks of Microsoft Corporation in the U.S.A. and/or other countries. Hyperterminal is a registered trademark of Hilgraeve Corporation. All other product names mentioned in this manual are trademarks or registered trademarks of their respective manufacturers.
THE SPECIFICATIONS REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS, ELECTRONIC OR MECHANICAL, FOR ANY PURPOSE, WITHOUT RECEIVING WRITTEN PERMISSION FROM NETSCREEN TECHNOLOGIES INC.
PRODUCT LICENSE AGREEMENT
PLEASE READ THIS LICENSE AGREEMENT (“AGREEMENT”) CAREFULLY BEFORE USING THIS PRODUCT. BY INSTALLING AND OPERATING, YOU INDICATE YOUR ACCEPTANCE OF THE TERMS OF THIS LEGAL AND BINDING AGREEMENT AND ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT START THE INSTALLATION PROCESS.
1. License Grant. This is a license, not a sales agreement, between you, the end user, and NetScreen Technologies, Inc. (“NetScreen”). The term “Software” includes all NetScreen and third party Software provided to you with the NetScreen product, and includes any accompanying documentation, any updates and enhancements of the Software provided to you by NetScreen, at its option. NetScreen grants to you a non-transferable (except as provided in section 3 (“Transfer”) below), non-exclusive license to use the Software in accordance with the terms set forth in this License Agreement. The Software is “in use” on the product when it is loaded into temporary memory (i.e. RAM).
2. Limitation on Use. You may not attempt, and if you are a corporation, you will use best efforts to prevent your employees and contractors from attempting, to (a) modify, translate, reverse engineer, decompile, disassemble, create derivative works based on, sublicense, or distribute the Software or the accompanying documentation; (b) rent or lease any rights in the Software or accompanying documentation in any form to any person; or (c) remove any proprietary notice, labels, or marks on the Software, documentation, and containers.
3. Transfer. You may transfer (not rent or lease) the Software to the end user on a permanent basis, provided that: (i) the end user receives a copy of this Agreement and agrees in writing to be bound by its terms and conditions, and (ii) you at all times comply with all applicable United States export control laws and regulations.
4. Proprietary Rights. All rights and title and interest in and to, and all intellectual property rights, including copyrights, to the software, and documentation, remain with NetScreen. You acknowledge that no title to the intellectual property in the Software is transferred to you and you will not acquire any rights to the Software except for the license as specifically set forth herein.
5. Term and Termination. The term of the license is for the duration of NetScreen's copyright in the Software. NetScreen may terminate this Agreement immediately without notice if you breach or fail to comply with any of the terms and conditions of this Agreement. You agree that, upon such termination, you will either destroy all copies of the documentation or return all materials to NetScreen. The provisions of this Agreement, other than the license granted in Section 1 (“License Grant”) shall survive termination.
6. Limited Warranty. For a period of ninety (90) days after delivery to Customer, NetScreen will repair or replace any defective software product shipped to Customer, provided it is returned to NetScreen at Customer’s expense within that period. NetScreen warrants to Customer that such product will substantially conform with NetScreen’s published specifications for that product if properly used in accordance with the procedures described in documentation supplied by NetScreen. NetScreen’s exclusive obligation with respect to non-conforming product shall be, at NetScreen’s option, to replace the product or use commercially reasonable efforts to provide Customer with a correction of the defect, or to refund to customer the purchase price paid for the unit. Defects in the product will be reported to NetScreen in a form and with supporting information reasonably requested by NetScreen to enable it to verify, diagnose, and correct the defect. For returned product, the customer shall notify NetScreen of any nonconforming product during the warranty period, obtain a return authorization for the nonconforming product from NetScreen, and return the nonconforming product to NetScreen’s factory of origin with a statement describing the nonconformance. NOTWITHSTANDING ANYTHING HEREIN TO THE CONTRARY, THE FOREGOING IS CUSTOMER’S SOLE AND EXCLUSIVE REMEDY FOR BREACH OF WARRANTY BY NETSCREEN WITH RESPECT TO THE PRODUCT.
The warranties set forth above shall not apply to any Product or Hardware which has been modified, repaired or altered, except by NetScreen, or which has not been maintained in accordance with any handling or operating instructions supplied by NetScreen, or which has been subjected to unusual physical or electrical stress, misuse, abuse, negligence or accidents. THE FOREGOING WARRANTIES ARE THE SOLE AND EXCLUSIVE WARRANTIES EXPRESS OR IMPLIED GIVEN BY NETSCREEN IN CONNECTION WITH THE PRODUCT AND HARDWARE, AND NETSCREEN DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. NETSCREEN DOES NOT PROMISE THAT THE PRODUCT IS ERROR-FREE OR WILL OPERATE WITHOUT INTERRUPTION.
7. Limitation of Liability. IN NO EVENT SHALL NETSCREEN OR ITS LICENSORS BE LIABLE UNDER ANY THEORY FOR ANY INDIRECT, INCIDENTAL, COLLATERAL, EXEMPLARY, CONSEQUENTIAL OR SPECIAL DAMAGES OR LOSSES SUFFERED BY YOU OR ANY THIRD PARTY, INCLUDING WITHOUT LIMITATION LOSS OF USE, PROFITS, GOODWILL, SAVINGS, LOSS OF DATA, DATA FILES OR PROGRAMS THAT MAY HAVE BEEN STORED BY ANY USER OF THE SOFTWARE. IN NO EVENT WILL NETSCREEN’S OR ITS LICENSORS’ AGGREGATE LIABILITY CLAIM BY YOU, OR ANYONE CLAIMING THROUGH OR ON BEHALF OF YOU, EXCEED THE ACTUAL AMOUNT PAID BY YOU TO NETSCREEN FOR SOFTWARE. Some jurisdictions do not allow the exclusions and limitations of incidental, consequential or special damages, so the above exclusions and limitations may not apply to you.
8. Export Law Assurance. You understand that the Software is subject to export control laws and regulations. YOU MAY NOT DOWNLOAD OR OTHERWISE EXPORT OR RE-EXPORT THE SOFTWARE OR ANY UNDERLYING INFORMATION OR TECHNOLOGY EXCEPT IN FULL COMPLIANCE WITH ALL UNITED STATES AND OTHER APPLICABLE LAWS AND REGULATIONS.
9. U.S. Government Restricted Rights. If this Product is being acquired by the U.S. Government, the Product and related documentation is commercial computer Product and documentation developed exclusively at private expense, and (a) if acquired by or on behalf of a civilian agency, shall be subject to the terms of this computer Software license, and (b) if acquired by or on behalf of units of the Department of Defense (“DoD”) shall be subject to terms of this commercial computer Software license Supplement and its successors.
10. Tax Liability. You agree to be responsible for the payment of any sales or use taxes imposed at any time whatsoever on this transaction.
11. General. If any provisions of this Agreement are held invalid, the remainder shall continue in full force and effect. The laws of the State of California, excluding the application of its conflicts of law rules, shall govern this License Agreement. This Agreement will not be governed by the United Nations Convention on the Contracts for the International Sale of Goods. This Agreement is the entire agreement between the parties as to the subject matter hereof and supersedes any other Technologies, advertisements, or understandings with respect to the Software and documentation. This Agreement may not be modified or altered, except by written amendment, which expressly refers to this Agreement and which is duly executed by both parties.
You acknowledge that you have read this Agreement, understand it, and agree to be bound by its terms and conditions.
Preface
The NetScreen CLI Reference Guide describes the commands used to configure and manage a NetScreen device from a console interface. This manual is an ongoing publication, published with each NetScreen OS release.
This document is for system and network administrators who have experience configuring a NetScreen device using the Web interface. Using the command line interface requires familiarity with command syntax, arguments, and variables.
The NetScreen Command Line Reference Guide is organized into the following chapters:
“Getting Started” includes an introduction and instructions on how to connect a PC to the NetScreen device. It also explains the command syntax format used in this Manual.
“Set Commands” describes the commands used to configure the NetScreen device.
“Get Commands” describes the commands used to display system configuration parameters and data.
“Clear Commands” describes the commands used to remove or clear the data collected in various tables, buffers, and memory.
“Miscellaneous Commands” includes descriptions for commands that do not belong in any other category.
Please refer to the following guides for information about your NetScreen products.
NetScreen Concepts & Examples ScreenOS Reference Guide
    A guide to the ScreenOS™ used to manage NetScreen devices. This guide presents the concepts behind NetScreen product features, and provides examples illustrating those concepts in practice.
NetScreen CLI Reference Guide
    A compendium of all the command line interface (CLI) commands. Each command description presents the command’s syntax, explains its arguments, and provides examples.
What’s New In ScreenOS 3.10
    A manual with descriptions of all new CLI commands, and commands that have changed since the last version. It also lists (without describing) the commands that are unchanged or removed since the last version.
NetScreen-Remote Administrator’s Guide
    A manual for installing and using the NetScreen-Remote™ software. NetScreen-Remote allows a remote user to connect to a NetScreen device via a virtual private network (VPN) tunnel.
NetScreen Message Reference Guide
    This manual documents the log messages that appear in ScreenOS 3.0.0. Each log message entry includes the message text, its meaning, and any recommended action to take upon receiving the message.
ScreenOS Release Notes
    A set of notes containing an overview of new features, lists of addressed issues and known issues, and suggested bug fixes and work-arounds.
NetScreen-Global PRO Report Manager Installer & User’s Guide
    A guide to installing and configuring all components of Report Manager, including the Data Collectors, Master Controllers, and Consoles.
NetScreen-Global PRO Report Manager Console User’s Guide
    A guide to using the Report Manager Console to govern the components in the NetScreen-Global PRO suite and generate realtime and historic reports.
NetScreen-Global PRO Historical Reports Guide
    This guide explains the out-of-the-box integration between NetScreen-Global PRO and Crystal Decisions™ Crystal Reports™. This allows you to create historical reports.
NetScreen-Global PRO Integration Module for Netcool
    A guide for installing, configuring and using the NetScreen-Global PRO Integration Module for Micromuse Netcool.
NetScreen-Global Manager User’s Guide
    A manual for NetScreen-Global Manager™ software. This is a tool for services and enterprise providers to control security for multi-site networks from a single location. This management application offers concurrent centralized configuration and policy administration for all NetScreen security systems and appliances.
NetScreen-Global PRO Policy Manager Installer & User’s Guide
    This document contains the complete procedures for installing the NetScreen-Global PRO Netra Server, and includes a tutorial intended to familiarize the user with the Policy Manager software.
NetScreen-Global PRO Express Realtime Monitor Installer & User’s Guide
    A guide to installing, configuring, and using the Express Realtime Monitor and the Netra Server for Realtime Reports.
Getting Started
This chapter provides information on how to connect a personal computer (PC) to the NetScreen device so that you can configure the device using the Command Line Interface (CLI). You enter commands at the CLI through a console application such as Telnet or HyperTerminal.
Note: The examples in this guide display output generated from an IBM-compatible PC running the Windows operating system.
Before You Begin
Gain access to the NetScreen device you wish to configure, and obtain these items before you start setup:
• a PC to connect to the NetScreen device
• an RS-232 male-to-female serial cable
• a copy of Microsoft’s HyperTerminal software, available on the PC
To communicate with the NetScreen device using a console, use a 9600 baud rate, 8 data bits, no parity, 1 stop bit, and no flow control.
Note: If you are using a different operating system, you need a VT100 terminal emulator on that system. The terminal emulator allows you to configure the NetScreen device using a console from any operating system, including Windows™, UNIX™, LINUX™, or Macintosh™. If you are configuring the NetScreen device from a remote location, use Telnet to access the console. Telnet sends the whole session, including the administrator password, across the network in cleartext; where your device supports the Secure Command Shell (see the scs option of the set admin command), use it for remote access instead.
Connecting the PC to the NetScreen Device
It is not necessary to power off either the PC or the NetScreen device, or to close any running applications on the PC, before connecting it to the NetScreen device.
To connect the NetScreen device to the PC:
1. Connect the female end of the RS-232 cable to the serial port on the PC.
2. Connect the male end of the RS-232 cable to the serial port on the NetScreen device. This port is labeled “Diagnostics.”
Conventions
The following conventions apply to all NetScreen commands:
• To remove a single character, press BACKSPACE or CTRL+H.
• To remove an entire line, press CTRL+U.
• To traverse up to 16 lines forward in the command history buffer, press CTRL+F or the DOWN ARROW key.
• To traverse up to 16 lines backward in the command history buffer, press CTRL+B or the UP ARROW key.
• To see the next available keyword or input and a brief description of its usage, type a question mark ( ? ).
• IP addresses are represented by <ip_addr>.
• A subnet mask is represented by <mask>.
• The console times out and the connection is closed if no keyboard activity is detected for 10 minutes.
Note: To use the arrow keys for navigating among commands in a Telnet session on Windows 95, 98, NT, or 2000: On the Terminal menu, click Preferences…, select the VT100 Arrows check box, and click the OK button.
Note: Items you enter into the system are shown in bold text.
Command Syntax Format
Each CLI command description in this manual reveals some aspect of command syntax. This syntax may include options, switches, parameters, and other features. To illustrate syntax rules, some command descriptions use dependency delimiters.
Dependency Delimiters
Each syntax description shows the dependencies between command features by using special characters.
• The { and } symbols denote a mandatory feature. Features enclosed by these symbols are essential for execution of the command.
• The [ and ] symbols denote an optional feature. Features enclosed by these symbols are not essential for execution of the command, although omitting such features might adversely affect the outcome.
• The | symbol denotes an “or” relationship between two features. When this symbol appears between two features on the same line, you can use either feature (but not both). When this symbol appears at the end of a line, you can use the feature on that line, or the one below it.
Embedded Dependencies
Many CLI commands have embedded dependencies, which make features optional in some contexts, and mandatory in others. The two hypothetical features shown below demonstrate this principle.
[ feature_1 { feature_2 } ]
In this example, the delimiters [ and ] surround the entire clause. Consequently, you can omit both feature_1 and feature_2, and still execute the command successfully. However, because the delimiters { and } surround feature_2, you must include feature_2 if you include feature_1. Otherwise, you cannot successfully execute the command.
The following example shows some of the set interface command’s feature dependencies.
set interface vlan1 broadcast { flood | arp [ trace-route ] }
The { and } brackets indicate that specifying either flood or arp is mandatory. By contrast, the [ and ] brackets indicate that the arp option’s trace-route switch is not mandatory. Thus, the command might take any of the following forms:
ns-> set interface vlan1 broadcast flood
ns-> set interface vlan1 broadcast arp
ns-> set interface vlan1 broadcast arp trace-route
Sample Syntax Description Format
This manual displays command syntax using a hierarchical, structured presentation format. This format reveals the command’s syntax, feature dependencies, and basic structure.
The example below shows the syntax description for the set interface command.
set interface
  { ethernet<n> | ethernet<n1>/<n2> | ethernet<n1>/<n2>.<n3>
      { bandwidth <number> |
        dip <number> [ <ip_addr> [ <ip_addr> [ fix-port ] ] ] |
        ident-reset |
        ip <ip_addr>/<mask> { tag <id_num> } |
        manage-ip <ip_addr> |
        mip <ip_addr> { host <ip_addr> [ netmask <mask> ] [ vrouter <name_str> ] } |
        nat |
        route |
        secondary |
        vip <ip_addr>
          [ <port_num> | + [ <name_str> <ip_addr> [ manual ] ] ] |
        zone <name_str>
      } |
    ethernet<n> | ethernet<n1>/<n2> | ethernet<n1>/<n2>.<n3> |
      { ip <ip_addr>/<mask> |
        manage-ip <ip_addr> |
        phy { auto | full | half } { 10mb | 100mb }
      } |
    mgt | vlan1
      { broadcast { flood | arp [ trace-route ] } |
        bypass-non-ip |
        bypass-others-ipsec |
        vlan { trunk }
      }
  }
The following command gives subinterface ethernet3/1.2 IP address 172.168.40.3/24, and assigns to it VLAN tag 3:
ns-> set interface ethernet3/1.2 ip 172.168.40.3/24 tag 3
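As an added example (not part of this guide and not NetScreen software), the following Python script implements the dependency-delimiter notation described above as a checker: it parses a syntax description into a small grammar and decides whether a typed command is one of the forms the description permits, rejecting exactly the cases the text rules out (trace-route without arp, a mandatory group omitted, an IP address without its mask). The placeholder validators (what counts as an <ip_addr>, <mask>, <number> or <dom_name>) and the collapsing of the ethernet<n> interface names into a single <name_str> placeholder are the example's own assumptions; the guide defines no value formats.

```python
"""Checker for the bracket notation this guide uses to describe CLI syntax.

Added example, not NetScreen code.  A syntax description such as
    set interface vlan1 broadcast { flood | arp [ trace-route ] }
is parsed into a grammar; a typed command is accepted only if it is one of
the forms the description allows.  { } groups are mandatory, [ ] groups are
optional, | separates alternatives, <name> is a value the operator supplies.
"""
import ipaddress
import re

# Delimiters, placeholders (optionally paired as <a>/<b>), and bare keywords.
_TOKEN = re.compile(r"[{}\[\]|]|<[^>]+>(?:/<[^>]+>)?|[^\s{}\[\]|]+")


def _is_ipv4(text):
    try:
        ipaddress.IPv4Address(text)
    except ValueError:
        return False
    return True


def _is_ip_with_mask(text):
    """Accept the <ip_addr>/<mask> form, e.g. 172.168.40.3/24."""
    addr, sep, bits = text.partition("/")
    return sep == "/" and _is_ipv4(addr) and bits.isdigit() and int(bits) <= 32


# Assumption: the guide defines no value formats, so these validators are the
# example's own; a placeholder not listed here accepts any single token.
_PLACEHOLDER_OK = {
    "ip_addr": _is_ipv4,
    "mask": _is_ipv4,
    "ip_addr/mask": _is_ip_with_mask,
    "dom_name": lambda s: not _is_ipv4(s),
    "number": str.isdigit,
    "port_num": str.isdigit,
    "id_num": str.isdigit,
}


def parse_syntax(description):
    """Build a grammar tree from a syntax description (may span lines)."""
    toks = _TOKEN.findall(description)
    pos = 0

    def alternatives(closer):
        nonlocal pos
        branches = [sequence()]
        while pos < len(toks) and toks[pos] == "|":
            pos += 1
            branches.append(sequence())
        if closer is None:
            if pos != len(toks):
                raise ValueError("unbalanced %r in description" % toks[pos])
        elif pos < len(toks) and toks[pos] == closer:
            pos += 1
        else:
            raise ValueError("missing %r in description" % closer)
        return ("alt", branches)

    def sequence():
        nonlocal pos
        items = []
        while pos < len(toks) and toks[pos] not in ("|", "}", "]"):
            tok = toks[pos]
            pos += 1
            if tok == "{":
                items.append(("req", alternatives("}")))
            elif tok == "[":
                items.append(("opt", alternatives("]")))
            elif tok.startswith("<"):
                items.append(("param", tok.replace("<", "").replace(">", "")))
            else:
                items.append(("word", tok))
        return ("seq", items)

    return alternatives(None)


def _match(node, argv, i):
    """Return every argv index reachable after matching node from index i."""
    kind, body = node
    if kind == "word":
        return {i + 1} if i < len(argv) and argv[i] == body else set()
    if kind == "param":
        ok = _PLACEHOLDER_OK.get(body, lambda s: True)
        return {i + 1} if i < len(argv) and ok(argv[i]) else set()
    if kind == "seq":
        reach = {i}
        for item in body:
            reach = set().union(*(_match(item, argv, j) for j in reach))
        return reach
    if kind == "alt":
        return set().union(*(_match(branch, argv, i) for branch in body))
    if kind == "req":
        return _match(body, argv, i)
    return {i} | _match(body, argv, i)  # "opt": the group may be skipped


def accepts(description, command):
    """True if command is one of the forms the description allows."""
    argv = command.split()
    return len(argv) in _match(parse_syntax(description), argv, 0)


# Descriptions taken from this guide; in the last one the ethernet<n> forms
# are collapsed to a <name_str> placeholder (an assumption of this example).
BROADCAST = "set interface vlan1 broadcast { flood | arp [ trace-route ] }"
ADDRESS = """set address <zone> <name_str>
    { <dom_name> | <ip_addr> { <mask> } } [ <string> ]"""
INTERFACE_IP = "set interface <name_str> ip <ip_addr>/<mask> [ tag <id_num> ]"

if __name__ == "__main__":
    for cmd in ("set interface vlan1 broadcast flood",
                "set interface vlan1 broadcast arp trace-route",
                "set interface vlan1 broadcast trace-route"):
        print("%-48s %s" % (cmd, "ok" if accepts(BROADCAST, cmd) else "unknown keyword"))
```

The matcher returns the set of all token positions reachable rather than a single one, so an ambiguous description (a placeholder that could also be read as a keyword) is handled without backtracking; a command is valid when the whole line is consumed by at least one reading.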
Availability of Commands, Switches, and Parameters
As you execute CLI commands using the syntax descriptions in this manual, you may find that certain commands and command features are unavailable for your NetScreen device model.
A good example is the set vsys command, which is available on a NetScreen-500 device, but not on a NetScreen-5xp device. Similarly, some command options are unavailable on certain models, as with the df-bit option of the set vpn command. This option is available on the NetScreen-500, but not on the NetScreen-5xp.
Because NetScreen devices treat unavailable features as improper syntax, attempting to use such a feature usually generates the unknown keyword error message. When this message appears, confirm the feature’s availability using the ? switch. For example, the following commands list available options for the set vpn command:
ns-> set vpn ?
ns-> set vpn vpn_name ?
ns-> set vpn gateway gate_name ?
Set Commands
Use the set commands to enter system configuration parameters.
Note: As you execute CLI commands using the syntax descriptions in this chapter, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the set vsys command, which is available on a NetScreen-500 device, but not on a NetScreen-5xp device. Similarly, some command options are unavailable on certain models, as with the df-bit option of the set vpn command. This option is available on a NetScreen-500, but not on a NetScreen-5xp.
set address
Description: Use the set address command to define an entry in the address book of a security zone. You use address book entries to identify addressable entities in policy definitions.
Syntax
set address <zone> <name_str>
    { <dom_name> | <ip_addr> { <mask> } } [ <string> ]
unset address <zone> <name_str>
Arguments
<zone>  The name of the security zone. The default security zones to which you can bind an address book include Trust, Untrust, Global, DMZ, V1-Trust, V1-Untrust, and V1-DMZ. You can also assign address book entries to user-defined zones. For more information on zones, see Security Zones in USGA Features.
<name_str>  The name of the address book entry.
<dom_name>  The host domain name.
<ip_addr>  The host IP address.
<mask>  The host subnet mask.
<string>  A character string containing a comment line.
Defaults
Most zones have the following system-defined Address Book entries:
• Any – any host connected through an interface bound to the zone
• Dial-Up VPN – any dialup hosts connected through an interface bound to the zone
Examples
To define an entry named “webserver” in the address book of the DMZ zone, with an IP address 172.16.50.9 and a netmask 255.255.255.254:
ns-> set address dmz webserver 172.16.50.9 255.255.255.254
To define an entry named “odie” in the address book of the Trust zone, with an IP address 172.16.10.1 and a netmask 255.255.255.255, with a comment of “Mary_Desktop”:
ns-> set address trust odie 172.16.10.1 255.255.255.255 Mary_Desktop
To delete an entry named “my-partner” from the address book of the Untrust zone:
ns-> unset address untrust my-partner
See Also
See the set policy and get address commands.
set admin
Description: Use the set admin command to configure the administrative parameters for the NetScreen device.
Syntax
set admin
  { auth
      { radius-port <port_num> |
        secret <shar_secr> |
        server-name { <name_str> | <ip_addr> } |
        timeout <number> |
        type { local | radius }
      } |
    device-reset |
    format { dos | unix } |
    hw-reset |
    mail
      { alert |
        mail-addr1 <ip_addr> |
        mail-addr2 <ip_addr> |
        server-name { <ip_addr> | <name_str> } |
        traffic-log
      } |
    manager-ip <ip_addr> [ <mask> ] |
    name <name_str> |
    password <pswd_str> |
    port <port_num> |
    scs { password { disable | enable { username <name_str> } } | port <port_num> } |
    sys-ip <ip_addr> |
    telnet port <port_num> |
    user <name_str> { password <pswd_str> } [ privilege { all | read-only } ]
  }
unset admin
  { auth
      { radius-port | secret | server-name | timeout | type } |
    device-reset |
    format |
    hw-reset |
    mail
      { alert | mail-addr1 | mail-addr2 | server-name | traffic-log } |
    manager-ip { <ip_addr> | all } |
    name |
    password |
    port |
    scs port |
    sys-ip |
    telnet port |
    user <name_str>
  }
Arguments
auth radius-port <port_num>  Server port for a RADIUS server. The possible range of port numbers is from 1024 to 65535.
secret <shar_secr>  Shared secret for a RADIUS server.
server-name <name_str>  The IP address or the server name (DNS configured and enabled) of the RADIUS server.
timeout <number>  Specifies the length of idle time (in minutes) before the NetScreen device automatically closes the administrative session. The value can be up to 999 minutes. A <number> value of 0 indicates that an inactive administrative session never times out.
type { local | radius }  local: Checks the admin name in the internal database only. radius: Checks for the admin name in the internal database. If the admin name is not found, checks in the RADIUS server.
device-reset  Enables device reset for asset recovery.
format { dos | unix }  Applies to all NetScreen devices. This switch determines the format used to generate a configuration file. On some NetScreen device models, you can download this file to a TFTP server or PCMCIA card using the CLI, and to a local directory using the WebUI.
hw-reset  Executes a hardware reset for asset recovery. (Not available on all NetScreen device models.)
mail  Enables email for sending alerts and traffic logs.
alert  Collects system alarms from the device for sending to an email address.
traffic-log  Collects a log of network traffic handled by the NetScreen device. The traffic log can contain a maximum of 4,096 entries. The NetScreen device sends a copy of the log file to each specified email address (see the mail-addr1 and mail-addr2 switches below). This happens when the log is full, or every 24 hours, depending upon which occurs first.
mail-addr1 <ip_addr>  Sets the first email address for sending alert and traffic logs.
mail-addr2 <ip_addr>  Sets a second email address for sending alert and traffic logs.
server-name { <ip_addr> | <name_str> }  The IP address or name of the Simple Mail Transfer Protocol (SMTP) server that receives email notification of system alarms and traffic logs.
������!//%��"
:���
ote host or subnet. The default IP m any workstation. All NetScreen bnets at once.and, specify one or all of the six
n device. The maximum length of except ?. The name is
imum length of the password is 31 ial command character “?”.
hanges when using the web. Use default port number—80. setting the device (see the reset
SCS) utility. SCS allows you to onnection or a dial-in modem, ls.
through which the SCS
tablishes the SCS session. The word authentication. The in user name.
�������������� ������������
manager-ip <ip_addr> | <mask> Restricts management to an IP address for a remaddress is 0.0.0.0, which allows management frodevices allow you to specify up to six hosts or suWhen using the unset admin manager-ip commpossible management IP addresses.
name <name_str> The login name of the root user for the NetScreethe name is 31 characters, including all symbols case-sensitive.
password <pswd_str> Specifies the password of the root user. The maxcharacters, including all symbols except the spec
port <port_num> Sets the port number for detecting configuration cany number between 1024 and 32767, or use theChanging the admin port number might require recommand).
scs Provides access to the Secure Command Shell (administer NetScreen devices from an Ethernet cthus providing CLI access over unsecure channe
port <port_num> Specifies the logical SSH portcommunication occurs.
password Sets the password for the user that esenable | disable switch enables or disables passusername <name_str> option specifies the adm
������!//%��"
8���
en device. If the NetScreen ddress must be in the same u plan to access the system IP
ion.
- administrators and e maximum length of the user ept ?. The user name is
istrator. This administrator can odify the root user or other r cannot change his or her own
administrator. This administrator xit, get, and ping commands.
�������������� ������������
.� %� �"
The default admin name and password are netscreen.
The default manager-ip is 0.0.0.0, and the default subnet mask is 255.255.255.255.
The default sys-ip is 192.168.1.1 (it is 209.125.148.254 before firmware 1.61).
The default privilege for a super-administrator is read only.
The default admin port is 80.
The default mail alert setting is off.
51%/4 �"
To change the root administrator user name to “paul”:
sys-ip <ip_addr> The system IP address for managing the NetScredevice is in NAT or Route mode, the system IP asubnet as the physical interface through which yoaddress.
telnet port <port_num> Provides CLI access through a TELNET connect
user <name_str> The login name of non-root administrators (supersub-administrators) for the NetScreen device. Thname is 31 characters, including all symbols exccase-sensitive.
privilege { all | read-only } Defines the administrative privilege level:
- all sets the level of privilege to super-adminexecute all commands except those that msuper-administrators. A super-administratoname.
- read-only sets the level of privilege to sub-can only execute the enter, trace-route, e
������!//%��"
����
ive issues:
tion:
�������������� ������������
ns-> set admin name paul
To change the root administrator login password to “build4you”:
ns-> set admin password build4you
To assign a level-2 administrator named joe with the password “angel”:
ns-> set admin user joe password angel privilege all
To generate the configuration file in UNIX format:
ns-> set admin format unix
To change the port number for the Web administrative interface to 8000:
ns-> set admin port 8000
To enable email notification for system alarms:
ns-> set admin mail alert
To enable email notification of traffic logging:
ns-> set admin mail traffic-log
To configure [email protected] as the email address to receive updates on administrat
ns-> set admin mail mail-addr1 [email protected]
To specify 172.16.34.100 as the email server to receive administrative email notifica
ns-> set admin mail server-ip 172.16.34.100
To set the administrator password back to netscreen:
ns-> unset admin password
To disable email notification of system alarms:
ns-> unset admin mail alert
����� "!
See the get admin and reset commands.
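The set admin arguments and defaults above are the settings an auditor checks first on a NetScreen device: the factory default root name and password (both netscreen), a manager-ip of 0.0.0.0 that allows management from any workstation, an auth timeout of 0 that never expires an idle administrative session, and mail alert left at its default of off. The following Python script is an added example, not code from this manual or from NetScreen: it collects the set admin lines of a saved configuration and reports those conditions. Both configuration texts are constructed for the example, and the sample assumes the password value appears in the set admin password line as it was typed, which is a simplification made for the example.

```python
from typing import Dict, List

# Constructed sample configuration (not from the manual): every line is a
# documented "set admin" form, but the values are made up for this example.
SAMPLE_CONFIG = """\
set admin name netscreen
set admin password netscreen
set admin manager-ip 0.0.0.0 255.255.255.255
set admin auth timeout 0
set admin auth type local
set admin port 80
set admin mail traffic-log
"""

# The same settings with each finding corrected (also constructed).
HARDENED_CONFIG = """\
set admin name fwadmin
set admin password Example-Pass-31chars-max
set admin manager-ip 10.0.50.0 255.255.255.0
set admin auth timeout 10
set admin auth type radius
set admin mail alert
"""

FACTORY_DEFAULT = "netscreen"  # default admin name and password (Defaults section)


def parse_admin_settings(config_text: str) -> Dict[str, List[List[str]]]:
    """Collect the argument lists of every 'set admin <keyword> ...' line, keyed by keyword.

    A keyword may repeat (manager-ip accepts up to six entries), so each key
    maps to a list of argument lists, one per line.
    """
    settings: Dict[str, List[List[str]]] = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "set" or parts[1] != "admin":
            continue
        settings.setdefault(parts[2], []).append(parts[3:])
    return settings


def audit_admin_settings(config_text: str) -> List[str]:
    """Return one finding per default or weak admin setting in the configuration."""
    s = parse_admin_settings(config_text)
    findings: List[str] = []

    if any(a[:1] == [FACTORY_DEFAULT] for a in s.get("name", [])):
        findings.append("root admin name is the factory default 'netscreen'")
    if any(a[:1] == [FACTORY_DEFAULT] for a in s.get("password", [])):
        findings.append("root admin password is the factory default 'netscreen'")

    # manager-ip 0.0.0.0 is the default and permits management from any host
    if any(a[:1] == ["0.0.0.0"] for a in s.get("manager-ip", [])):
        findings.append("manager-ip 0.0.0.0 allows management from any workstation")

    # auth timeout 0 means an idle administrative session never times out
    for a in s.get("auth", []):
        if a[:2] == ["timeout", "0"]:
            findings.append("auth timeout 0: idle admin sessions never time out")

    # mail alert is off by default; without it system alarms are not emailed
    if not any(a[:1] == ["alert"] for a in s.get("mail", [])):
        findings.append("mail alert not enabled: system alarms are not emailed")

    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_admin_settings(cfg) or ["no findings"])
```

Run against the sample configuration the script reports five findings; against the hardened configuration it reports none. The checks are deliberately limited to conditions the reference states outright (the defaults and the meaning of timeout 0 and manager-ip 0.0.0.0), so the script does not judge port numbers or the choice of authentication type.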
set alarm
Description: Use the set alarm command to set alarm parameters.
Syntax: set alarm threshold { CPU <number> | memory <number> }
unset alarm threshold { CPU | memory }
Arguments:
threshold CPU <number> Percentage of CPU used (1 to 100%).
  memory <num> Percentage of threshold memory used (1 to 100%).
Defaults:
Default thresholds are 95% for memory and 90% for CPU utilization.
Examples:
To set the CPU utilization threshold to 90%:
ns-> set alarm threshold CPU 90
See Also:
See the get alarm and clear alarm commands.
set alias
Description: Use the set alias command to create an alias for a CLI command.
Syntax: set alias <name_str> <string>
unset alias <name_str>
Arguments:
<name_str> The name of the CLI command alias.
<string> The CLI command to which you assign the alias.
Defaults:
None
Examples:
The following commands assign an alias to the command get interface ethernet1/1, then execute the command using the alias.
ns-> set alias int_1 "get interface ethernet1/1"
ns-> int_1
See Also:
See the get alias command.
set arp (Address Resolution Protocol)
Description: Use the set arp command to create an entry for an interface in the ARP table.
Syntax: set arp { <ip_addr> <mac_addr> <interface> | age <number> | always-on-dest | no-cache }
unset arp { <ip_addr> | age | always-on-dest | no-cache }
Arguments:
<ip_addr> Specifies the IP address for the interface in the ARP table entry.
<mac_addr> Specifies the MAC address for the interface in the ARP table entry.
<interface> The name of the ARP interface in the ARP table entry. For more information on interfaces, refer to Interfaces in USGA Features.
age <number> Sets the age-out value (in seconds) for ARP entries.
always-on-dest Directs the NetScreen device to send an ARP request and obtain a MAC address for any incoming packet whose header contains a MAC address not yet listed in the device’s MAC address table. This option may be required when packets originate from server load-balancing (SLB) switches or from devices using the Hot Standby Router Protocol/Virtual Router Redundancy Protocol (HSRP/VRRP).
no-cache Turns off the cache capability.
Defaults:
The always-on-dest setting is disabled by default.
Examples:
To create an entry in the ARP table for physical interface ethernet4/2 with IP address 10.1.1.1 and MAC address 00104587bd22:
ns-> set arp 10.1.1.1 00104587bd22 ethernet4/2
To delete an ARP entry for an interface ethernet3/1 with IP address 172.16.9.23 and MAC address 00201034a98c:
ns-> unset arp 172.16.9.23 ethernet3/1
See Also:
See the clear arp and get arp commands.
Note:
To display the current always-on-dest setting, use the get arp command.
set audible-alarm
Description: Use the set audible-alarm command to activate the audible alarm feature.
Syntax: set audible-alarm { all | fan-failed | module-failed | power-failed | temperature }
unset audible-alarm { all | fan-failed | module-failed | power-failed | temperature }
Arguments:
all Enables the audible alarm in the event of a fan failure, an interface module failure, a power supply failure, or a temperature increase above an admin-defined threshold.
fan-failed Enables the audible alarm in the event of a fan failure.
module-failed Enables the audible alarm in the event of an interface module failure.
power-failed Enables the audible alarm in the event of a power supply failure.
temperature Enables the audible alarm if the temperature rises above an admin-defined threshold.
Defaults:
The audible alarm is inactive by default.
Examples:
To enable the audible alarm to sound in the event that one or more of the fans in the fan assembly fails:
ns-> set audible-alarm fan-failed
See Also:
See the set temperature-threshold, get temperature, get audible-alarm, and clear audible-alarm commands.
set auth
Description: Use the set auth command to specify a method for user authentication. The four available methods are:
• a built-in database
• a RADIUS server
• SecurID
• Lightweight Directory Access Protocol (LDAP)
When the NetScreen device is using SecurID to authenticate users and is not communicating properly with the ACE server, see the clear node_secret command to clear the current SecurID shared secret so that you can reset.
Syntax: set auth
{ ldap server-name { <ip_addr> | <name_str> } { <port_num> { <name_str> { <name_str> } } } |
radius-port <port_num> |
secret <shar_secr> |
securid { auth-port <port_num> | duress <number> | encr <number> | master { <ip_addr> | <name_str> } | retries <number> | slave { <ip_addr> | <name_str> } | timeout <number> } |
server-name <serv_name> |
timeout <number> |
type { 0 | 1 | 2 | 3 } }
unset auth { radius-port | secret | server-name | securid | ldap | timeout | type }
Arguments:
ldap server-name Defines the RADIUS server for user authentication.
  <ip_addr> Specifies the IP address of the RADIUS server.
  <name_str> The LDAP distinguished name (the directory path where users are listed in the LDAP server).
  <port_num> The listening port number of the LDAP server.
  <name_str> The LDAP common name identifier (the user name in the LDAP server directory).
radius-port <port_num> Specifies the RADIUS server port number. Valid range is 1024 to 65535.
secret <shar_secr> Defines the password shared between the NetScreen device and the RADIUS server. It is used to authenticate all transactions between the two devices.
securid auth-port <port_num> Specifies the port number to use for communications with the SecurID server.
  duress <number> Specifies if the SecurID server is licensed to use duress mode. For <number>, a 0 defines False, and 1 defines True.
  encr <number> Specifies the encryption algorithm for SecurID network traffic. A value of 0 specifies SDI, and 1 specifies DES. The default type DES is recommended.
  master <ip_addr> | <name_str> Specifies either the IP address or the name for the primary SecurID server.
  retries <number> Specifies the number of retries allowed for attempting authentication with the SecurID server.
  slave <ip_addr> | <name_str> Specifies either the IP address or the name for the secondary SecurID server.
  timeout <number> Specifies the length of time (in seconds) that the NetScreen device waits between authentication retry attempts.
server-name <serv_name> Specifies the RADIUS server’s IP address or server name.
timeout <number> Specifies the length of idle time in minutes before terminating authentication status. Valid range is from 0-255 minutes.
type { 0 | 1 | 2 | 3 } Specifies the type of authentication to use. Specify 0 for the built-in NetScreen database, 1 for a RADIUS server, 2 for SecurID, and 3 for an LDAP server.
Defaults:
The NetScreen built-in user database is used by default.
The SecurID authentication port is 5500 with DES encryption type. The number of client retries is 3 and timeout is 3 seconds.
The user authentication idle timeout is 10 minutes.
Examples:
To define the RADIUS shared secret to “mysecret”:
ns-> set auth secret mysecret
To specify the SecurID server’s IP address as 172.16.22.1 with authentication port 500, and using the Data Encryption Standard (DES) algorithm:
ns-> set auth securid master 172.16.22.1
ns-> set auth securid auth-port 500
ns-> set auth securid encr 1
To use the built-in user database of the NetScreen device for user authentication:
ns-> set auth type 0
Note:
When the NetScreen device is using SecurID to authenticate users and is not communicating properly with the ACE server, execute the clear node_secret command to ensure it is set correctly for both machines.
See Also:
See the clear auth, get auth, and clear node_secret commands.
set clock
Description: Use the set clock command to set the system time on the NetScreen device.
Syntax: set clock { <date> | dst-off | ntp | timezone <number> }
unset clock { dst-off | ntp | zone }
Arguments:
<date> Specifies the month, day, year, and 24-hour time. Specify the hour and minutes in the following format: (<mm/dd/yyyy hh:mm>).
dst-off Turns off the automatic time adjustment for daylight saving time.
ntp Configures the device for Network Time Protocol (NTP), which synchronizes computer clocks in the Internet.
zone <number> Sets the current time zone offset compared to the GMT standard time. Set the number between -12 and 12.
Defaults:
The NetScreen device automatically adjusts its system clock for daylight saving time.
Examples:
To define the system time as November 3, 2001 at 1:30PM:
ns-> set clock 11/03/2001 13:30
To turn off daylight saving time:
ns-> set clock dst-off
See Also:
See the get clock, set ntp, get ntp, and exec ntp commands.
set console
Description: Use the set console command to define the console parameters.
When the debug mode is enabled on the NetScreen device, all debugging messages are displayed in the console. If this generates too much information at once, use the dbuf parameter to store the messages in a buffer so that you can later retrieve them with the get dbuf command.
Enable console access with the unset disable command through a Telnet connection.
Syntax: set console { dbuf | disable | page <number> | timeout <number> }
unset console { dbuf | disable | page | timeout }
Arguments:
dbuf Stores the console messages in a buffer for later retrieval.
disable Disables access to the console. Two confirmations are required to disable access to the console. Saves the current NetScreen configuration and closes the current login session.
page <number> An integer value specifying how many lines appear on each page.
timeout <number> Determines how much time (in minutes) the device waits before logging out the administrator from the console session when the administrator stops making keyboard entries. A value of 0 means the console never times out.
Defaults:
Access to the console is enabled by default.
The console displays 22 lines per page by default.
The default login timeout is set to 10 minutes.
The NetScreen device sends console messages to the buffer by default.
Examples:
To redirect all debugging messages to the buffer:
ns-> set console dbuf
To disable console access:
ns-> set console disable
To define 20 lines per page displayed on the console:
ns-> set console page 20
To define the console timeout value to 40 minutes:
ns-> set console timeout 40
See Also:
See the get console, clear dbuf, and get dbuf commands.
Note:
When debug mode is enabled, the NetScreen device displays all debugging messages in the console. If this generates too much information at once, use the dbuf option to store the messages in a buffer so that you can retrieve them later with the get dbuf command.
Enable console access with the unset disable command through a Telnet connection.
set dbuf
Description: Use the set dbuf command to adjust the system buffer size dynamically.
Syntax: set dbuf size <num>
unset dbuf size
Arguments:
size <num> Indicates the size of the system buffer in kilobytes.
Defaults:
The default buffer sizes for the various NetScreen devices are:
NetScreen-1000   1024 kilobytes
NetScreen-500    1024 kilobytes
NetScreen-100p   1024 kilobytes
NetScreen-100    512 kilobytes
NetScreen-10     128 kilobytes
NetScreen-5      32 kilobytes
The range of values for the buffer size is from 32 to 4096 kilobytes.
Examples:
To change the buffer size to the maximum size allowed:
ns-> set dbuf size 4096
See Also:
See also the get memory command.
set dialup-group
Description: Use the set dialup-group command to create a group of remote users.
Different platforms can have different numbers of users in a dialup group.
An access policy for a dialup group applies to all the members in the group. Consequently, all the group members must be the same kind—either IKE/L2TP users, or Manual Key users.
Syntax: set dialup-group <name_str> [ { + | - } <name_str> ]
unset dialup-group <name_str>
Arguments:
<name_str> Assigns a name to the dialup group.
{ + <name_str> } Adds a remote VPN user to the group, where <name_str> is the name of the user.
{ - <name_str> } Deletes a remote VPN user from the group, where <name_str> is the name of the user.
Defaults:
None.
Examples:
To define a dialup user group called “telecommuters”:
ns-> set dialup-group telecommuters
To add a remote VPN user named “john-home” to the telecommuters group:
ns-> set dialup-group telecommuters + john_home
To delete a remote VPN user named “amy-home” from the telecommuters group:
ns-> set dialup-group telecommuters - amy_home
To delete the telecommuters group:
ns-> unset dialup-group telecommuters
See Also:
See the get dialup-group command.
Note:
A dialup-group may contain a maximum of 100 remote dialup users.
An Access Policy for a dialup-group applies to all the members in the group. Consequently, all the group members must be the same kind—either IKE dynamic peers (Auto Key), or VPN dialup users (Manual Key).
set dip
Description: Use the set dip command to set up a Dynamic IP (DIP) pool configuration.
Syntax: set dip { <ip_addr>-<ip_addr> | <ip_addr> <mask> }
unset dip <id_num>
Arguments:
<ip_addr>-<ip_addr> A range of addresses to include in the DIP.
<ip_addr> <mask> A range of addresses expressed with a subnet mask.
Defaults:
None.
Examples:
To create a DIP encompassing an IP range from 172.16.10.10 to 172.16.10.100:
ns-> set dip 172.16.10.10-172.16.10.100
See Also:
See the get dip, set vip, and set interface commands.
set dns
Description: Use the set dns command to configure Domain Name Services.
Syntax: set dns { forward | host { dns1 <ip_addr> | dns2 <ip_addr> | schedule <string> } }
unset dns { forward | host { dns1 | dns2 | schedule } }
Arguments:
forward Sets up forward DNS requests.
host dns1 <ip_addr> Specifies the primary DNS host.
  dns2 <ip_addr> Specifies the secondary DNS host.
  schedule <string> Specifies the time of day to refresh DNS entries. The format of this parameter is hh:dd.
Examples:
To set up a host as the primary DNS server at 172.16.10.101:
ns-> set dns host dns1 172.16.10.101
To schedule a refresh time at 23:59 each day:
ns-> set dns host schedule 23:59
See Also:
See the get dns, clear dns, and exec dns commands.
set domain
Description: Use the set domain command to set the domain name of the NetScreen device.
Syntax: set domain <name_str>
unset domain
Arguments:
<name_str> Defines the domain name of the NetScreen device.
Defaults:
None.
Examples:
To set the domain of the NetScreen device to netscreen:
ns-> set domain netscreen
See Also:
See the get domain and the unset domain commands.
set envar
Description: Use the set envar command to define the location of the environment variables files.
Syntax: set envar <loc_str>
unset envar <loc_str>
Arguments:
<loc_str> The location of the environment variables files.
Defaults:
On the NetScreen-1000, the default slot is slot 1.
Examples:
To define the location of the system configuration as file2.cfg in slot2:
ns-> set envar slot2:file2.cfg
See Also:
See the get envar command.
set ffilter
Description: Use the set ffilter command to create filters for the debug flow output. These filters restrict the display to traffic related to one or a combination of the following:
• a specific source IP address
• destination IP address
• source port
• destination port
• IP protocol
Syntax: set ffilter [ src-ip <ip_addr> ] [ dst-ip <ip_addr> ] [ ip-proto <ptcl_num> ] [ src-port <port_num> ] [ dst-port <port_num> ]
unset ffilter [ <id_num> ]
Arguments:
src-ip <ip_addr> Defines the source IP address.
dst-ip <ip_addr> Defines the destination IP address.
ip-proto <ptcl_num> Defines the assigned IP protocol number, where <ptcl_num> is a value between 0 and 255.
src-port <port_num> Defines the port number for the source IP address. Port numbers range from 0 to 65535.
dst-port <port_num> Defines the port number for the destination IP address. Port numbers range from 0 to 65535.
Defaults:
None.
Examples:
To create a filter for all traffic from a host with IP address 172.16.10.1:
ns-> set ffilter src-ip 172.16.10.1
To create a filter for all SMTP traffic destined to a host with IP address 192.168.3.2:
ns-> set ffilter dst-ip 192.168.3.2 dst-port 25
To set a filter for all packets between the source IP address 172.16.10.88 and destination IP 192.168.9.77:
ns-> set ffilter src-ip 172.16.10.88 dst-ip 192.168.9.77
To set a filter for all packets with the IP protocol number 17, for the User Datagram Protocol (UDP):
ns-> set ffilter ip-proto 17
To erase all filter settings:
ns-> unset ffilter
See Also:
See the get ffilter command.
Note:
When necessary, you can add more arguments to an existing debug filter. For example, if you have already set a filter for packets between a source IP and a destination IP, you can later specify port numbers for the packets.
Adding a new argument to an existing filter actually modifies an existing argument. For example, if you configure a filter to trap IP packets having IP protocol 51, and you then set a trap for IP packets having IP protocol 200, the NetScreen device replaces the 51 trap with the 200 trap. To prevent this, create new filters.
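The Note above describes two behaviours of ffilter that are easy to get wrong while troubleshooting: fields added to an existing filter are ANDed with the ones already there, and repeating a field replaces its earlier value instead of adding a second one, so a second protocol needs a second filter. The following Python model is an added example, not code from this manual or from ScreenOS; it implements exactly those rules over constructed packet summaries so the effect of each command can be checked offline. The FilterTable class, its OR-ing of several filters, and the make_packet helper are assumptions made for the example; the manual only states that unset ffilter takes an optional filter id.

```python
import ipaddress
from typing import Dict, List, Optional, Union

Value = Union[ipaddress.IPv4Address, int]

# The five match fields of "set ffilter" and the numeric range each accepts
# (IP fields take an address instead of a range).
FIELD_RANGES = {
    "src-ip": None,
    "dst-ip": None,
    "ip-proto": (0, 255),       # assigned IP protocol number
    "src-port": (0, 65535),
    "dst-port": (0, 65535),
}


class FlowFilter:
    """One debug flow filter: every configured field must match (fields are ANDed)."""

    def __init__(self) -> None:
        self.fields: Dict[str, Value] = {}

    def set(self, *args: str) -> "FlowFilter":
        """Apply 'set ffilter <key> <value> ...' to this filter.

        A key that is already present is replaced, which models the Note:
        a second ip-proto replaces the first rather than adding to it.
        """
        if len(args) % 2:
            raise ValueError("arguments come in key/value pairs")
        for key, raw in zip(args[::2], args[1::2]):
            if key not in FIELD_RANGES:
                raise ValueError(f"unknown ffilter argument {key!r}")
            rng = FIELD_RANGES[key]
            if rng is None:
                value: Value = ipaddress.IPv4Address(raw)
            else:
                value = int(raw)
                if not rng[0] <= value <= rng[1]:
                    raise ValueError(f"{key} {value} outside {rng[0]}-{rng[1]}")
            self.fields[key] = value
        return self

    def matches(self, packet: Dict[str, Value]) -> bool:
        """True when the packet agrees with every configured field."""
        return all(packet.get(k) == v for k, v in self.fields.items())


class FilterTable:
    """Assumed model of the device's filter list; 'unset ffilter [<id_num>]' removes one or all."""

    def __init__(self) -> None:
        self.filters: List[FlowFilter] = []

    def add(self, *args: str) -> int:
        """Create a new filter (the Note's advice for a second protocol); returns its id."""
        self.filters.append(FlowFilter().set(*args))
        return len(self.filters) - 1

    def unset(self, id_num: Optional[int] = None) -> None:
        if id_num is None:
            self.filters.clear()     # "unset ffilter" erases all filter settings
        else:
            del self.filters[id_num]

    def shown(self, packet: Dict[str, Value]) -> bool:
        """A packet appears in the debug output when any filter matches it (assumption)."""
        return any(f.matches(packet) for f in self.filters)


def make_packet(src: str, dst: str, proto: int, sport: int, dport: int) -> Dict[str, Value]:
    """Constructed packet header summary using the same field names as the filter."""
    return {
        "src-ip": ipaddress.IPv4Address(src),
        "dst-ip": ipaddress.IPv4Address(dst),
        "ip-proto": proto,
        "src-port": sport,
        "dst-port": dport,
    }


if __name__ == "__main__":
    f = FlowFilter().set("ip-proto", "51").set("ip-proto", "200")
    print("after two ip-proto settings:", f.fields)          # only 200 remains
    g = FlowFilter().set("src-ip", "172.16.10.88", "dst-ip", "192.168.9.77")
    g.set("src-port", "1025", "dst-port", "25")              # ports ANDed with the pair
    print("four fields:", sorted(g.fields))
```

The model reproduces the Note's pitfall directly: setting ip-proto 200 on a filter that already holds ip-proto 51 leaves a single field, whereas adding the second protocol through FilterTable.add keeps both filters and shows packets of either protocol.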
set fips-mode
Description: Use the set fips-mode command to put a NetScreen device in FIPS mode. In FIPS mode, certain security features are disabled. For information on these features, refer to the Cryptographic Module Security Policy manual.
Syntax: set fips-mode { enable }
unset fips-mode { enable }
Defaults:
The default mode is non-FIPS mode.
Examples:
To put a NetScreen device in FIPS mode:
ns-> set fips-mode enable
To take a NetScreen device out of FIPS mode:
ns-> unset fips-mode enable
set firewall
Description: Use the set firewall command to enable logging of dropped packets.
Note: NetScreen devices perform most firewall services at the interface level. Consequently, you configure individual interfaces to perform firewall services. For more information, refer to the set interface command.
Syntax: set firewall { log-self { ike | snmp } }
unset firewall { log-self { ike | snmp } }
Arguments:
log-self Enables logging of dropped packets and pings received by the NetScreen device. The ike switch enables logging of IKE packets, and the snmp switch enables logging of SNMP packets.
Defaults:
The following are the default firewall settings:
• log-self off
• ike on
• snmp off
Examples:
To enable logging of dropped IKE packets:
ns-> set firewall log-self ike
To enable logging of dropped SNMP packets:
ns-> set firewall log-self snmp
See Also:
See the get firewall, set interface, and get interface commands.
set flow
Description: Use the set flow command, when the NetScreen device is in Transparent mode, to adjust the initial session timeout value and avoid packet fragmentation.
Syntax: set flow { allow-dns-reply | check-session | initial-timeout <number> | mac-flooding | max-frag-pkt-size <number> | no-tcp-seq-check | path-mtu | tcp-mss | tcp-syn-check }
unset flow { allow-dns-reply | check-session | initial-timeout | mac-flooding | max-frag-pkt-size | no-tcp-seq-check | path-mtu | tcp-mss | tcp-syn-check }
Arguments:
allow-dns-reply Allows DNS reply packets without a matched request.
check-session Creates a lookup session on the management slot to avoid duplication.
initial-timeout <number> Defines the length of time in minutes that the NetScreen device keeps an initial session in the session table before dropping it, or until the device receives a FIN or RST packet. The range of time is from 1 to 6 minutes.
mac-flooding Enables the NetScreen device to pass a packet across the firewall even if its destination MAC address is not in the MAC learning table.
max-frag-pkt-size <number> The maximum allowable size for a packet fragment.
no-tcp-seq-check Skips the sequence number check in stateful inspection.
path-mtu Enables path-MTU (maximum transmission unit) discovery. If the NetScreen device receives a packet that must be fragmented, it sends an ICMP packet suggesting a smaller packet size.
tcp-mss Enables the TCP-MSS (TCP-Maximum Segment Size) option. The NetScreen device modifies the MSS value in the TCP packet to avoid fragmentation caused by the IPSec operation.
tcp-syn-check Checks the TCP SYN bit before creating a session.
Defaults:
The default initial timeout value is 1 minute.
The MAC-flooding feature is enabled by default.
Examples:
To change the length of time that an initial session remains in the session table to 2 minutes:
ns-> set flow initial-timeout 2
To enable the TCP-MSS feature:
ns-> set flow tcp-mss
Note:
This command can be configured in any mode, but is active only in Transparent mode.
set ftp
Description: Use the set ftp command to allow FTP services for non-port-20 traffic to negotiate any data port number.
In the unset condition, a NetScreen device does not recognize certain FTP services that negotiate a data port other than port 20. When this feature is enabled, it allows FTP servers to negotiate dynamically any data port that the FTP server proposes. The session is still metered by the stateful inspection monitor.
Syntax: set ftp { data-port any }
unset ftp { data-port any }
Arguments:
data-port any Specifies any FTP data port except port 20.
Defaults:
The default condition is unset.
Examples:
To enable a NetScreen device to negotiate the data port number for a Quick FTP service:
ns-> set ftp data-port any
Note:
In the unset condition, a NetScreen device does not recognize certain FTP services that negotiate a data port other than port 20. When this feature is enabled, it allows FTP servers to negotiate dynamically any data port that the FTP server proposes. The stateful inspection monitor still monitors the session.
set group
Description: Use the set group command to group several addresses or several services under a single name. This allows you to reference a group of addresses or services by name in an access policy.
Syntax: set group
{ address <zone> { <name_str> [ add ] [ <string> ] } |
service <name_str> [ add <name_str> [ comment <string> ] ] }
unset group
{ address { trust | untrust | <name_str> | v1-trust | v1-untrust | v1-dmz | global | dmz | untrust-tun | null | self | ha | mgt } <name_str> [ remove <name_str> | clear ] |
service <name_str> [ remove <name_str> | clear ] }
Arguments:
address Specifies the zone to which the address group is bound. The default security zones include Trust, Untrust, Global, DMZ, V1-Trust, V1-Untrust, and v1-DMZ. You can also specify user-defined zones. For more information on zones, see Security Zones in USGA Features.
  add <name_str> Adds the address named <name_str> to the address group.
  comment <string> Adds a comment <string> to the entry.
  remove <name_str> Removes the address named <name_str> from the address group. If you do not specify an address group member, the unset group address command deletes the entire address group.
service <name_str> Defines the group as a service group, and defines its name.
  add <name_str> Adds the service named <name_str> to the service group.
  remove <name_str> Removes the service named <name_str> from the service group. If you do not specify a service group member, the unset group service command deletes that entire service group.
clear Removes all the members of an address or service group.
Defaults:
None.
Examples:
To create an empty address group for the trusted interface and name it headquarters:
ns-> set group address trust headquarters
To create an empty service group and name it web-browsing:
ns-> set group service web-browsing
To create an address group named engineering for the trusted interface and add the address hw-eng to the group:
ns-> set group address trust engineering add hw-eng
To remove the address for admin-pc from the engineering address group:
ns-> unset group address trust engineering remove admin-pc
To create a service group named inside-sales and add the service AOL to the group:
ns-> set group service inside-sales add AOL
To remove the service PC-Anywhere from the service group named inside-sales:
ns-> unset group service inside-sales remove PC-Anywhere
To remove the trusted address group named engineering:
ns-> unset group address trust engineering
To remove the service group named inside-sales:
ns-> unset group service inside-sales
See Also:
See the set address, set service, and get group commands.
Note:
You cannot include addresses for trusted, untrusted and dmz interfaces within the same group.
Each address group and service group you create must have a unique name. For example, you cannot create a trusted group and an untrusted group each named outside-sales. Similarly, you cannot use the same address group name as a service group name.
You cannot add the following addresses to a group:
• inside any
• outside any
• dialup vpn
• dmz any
You cannot add the ANY server to a group.
While an access policy references a group, you cannot remove the group, although you can modify it.
You can add only one member to a group at a time.
The maximum number of groups that you can create and the maximum number of members for each group varies with the NetScreen device model.
NetScreen Device   Number of Address Groups   Number of Members per Group
NetScreen-5        16                         16
NetScreen-5xp      16                         16
NetScreen-10       32                         32
NetScreen-100      64                         64
NetScreen-204      64                         128
NetScreen-208      64                         128
NetScreen-500      128                        128
NetScreen-5000     16000                      1024
See Also:
See the get group command.
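The Note and the table above together define the rules a set group / unset group sequence must respect: group names are unique across zones and across address and service groups, the four predefined addresses and the ANY entry cannot be members, one member is added per command, an unset without a member deletes the whole group unless an access policy references it, and each model caps the number of address groups and of members per group. The following Python class is an added example, not code from this manual or from ScreenOS; it models those rules so a planned group configuration can be validated before it is typed in. The limits are taken from the table; treating the address-group limit as a per-device total and the referenced set as the hook for access-policy references are assumptions made for the example.

```python
from typing import Dict, Optional, Set, Tuple

# Per-model limits from the table above: (address groups, members per group).
GROUP_LIMITS: Dict[str, Tuple[int, int]] = {
    "NetScreen-5": (16, 16),
    "NetScreen-5xp": (16, 16),
    "NetScreen-10": (32, 32),
    "NetScreen-100": (64, 64),
    "NetScreen-204": (64, 128),
    "NetScreen-208": (64, 128),
    "NetScreen-500": (128, 128),
    "NetScreen-5000": (16000, 1024),
}

# Predefined entries the Note says cannot be added to a group.
RESERVED_ADDRESSES = {"inside any", "outside any", "dialup vpn", "dmz any"}
RESERVED_SERVICES = {"ANY"}


class GroupTable:
    """Models the address-group and service-group rules of set group / unset group."""

    def __init__(self, model: str) -> None:
        self.max_groups, self.max_members = GROUP_LIMITS[model]
        self.address: Dict[Tuple[str, str], Set[str]] = {}   # (zone, name) -> members
        self.service: Dict[str, Set[str]] = {}                # name -> members
        # Names an access policy currently references (assumed hook for the example).
        self.referenced: Set[str] = set()

    def _require_unique(self, name: str) -> None:
        # Names are unique across zones and across address/service groups.
        if name in self.service or any(n == name for _, n in self.address):
            raise ValueError(f"group name {name!r} is already in use")

    def _add_member(self, members: Set[str], member: str, reserved: Set[str]) -> None:
        if member in reserved:
            raise ValueError(f"{member!r} cannot be added to a group")
        if len(members) >= self.max_members:
            raise ValueError("member limit reached for this model")
        members.add(member)

    def set_address(self, zone: str, name: str, add: Optional[str] = None) -> None:
        """'set group address <zone> <name> [add <member>]' (one member per command)."""
        key = (zone, name)
        if key not in self.address:
            self._require_unique(name)
            if len(self.address) >= self.max_groups:
                raise ValueError("address group limit reached for this model")
            self.address[key] = set()
        if add is not None:
            self._add_member(self.address[key], add, RESERVED_ADDRESSES)

    def set_service(self, name: str, add: Optional[str] = None) -> None:
        """'set group service <name> [add <member>]'."""
        if name not in self.service:
            self._require_unique(name)
            self.service[name] = set()
        if add is not None:
            self._add_member(self.service[name], add, RESERVED_SERVICES)

    def _unset(self, table, key, name: str, remove: Optional[str], clear: bool) -> None:
        members = table[key]
        if clear:
            members.clear()                # 'clear' empties the group but keeps it
        elif remove is not None:
            members.discard(remove)        # 'remove <member>' drops one member
        else:
            # No member given: the whole group goes, unless a policy still uses it.
            if name in self.referenced:
                raise ValueError(f"group {name!r} is referenced by an access policy")
            del table[key]

    def unset_address(self, zone: str, name: str, remove: Optional[str] = None,
                      clear: bool = False) -> None:
        self._unset(self.address, (zone, name), name, remove, clear)

    def unset_service(self, name: str, remove: Optional[str] = None,
                      clear: bool = False) -> None:
        self._unset(self.service, name, name, remove, clear)


if __name__ == "__main__":
    t = GroupTable("NetScreen-10")
    t.set_address("trust", "engineering", add="hw-eng")   # as in the Examples above
    t.set_service("inside-sales", add="AOL")
    print(t.address, t.service)
```

Walking the Examples section through the model in order reproduces each command's effect, and the two failure cases the Note warns about (a second group named engineering in the untrust zone, and adding inside any) raise before anything is changed.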
������!//%��"
�8���
����+ ) for a NetScreen device.
�������������� ������������
Description: Use the set ha command to enable and configure High Availability (HA
�0��%1set ha
{arp <number> |auth password <pswd> |encrypt { password <pswd> }fast-mode |group <id_num> |interface <name_str> |link-hold-time <number> |monitor <name_str>priority <number> |second-path [ <name_str> ] |session off |track
{ip
[<ip_addr>
[interval <number> |method { arp | ping } |threshold <number> |weight <number>]
] |threshold <number>}
}
unset ha
  { arp <number> | auth | encrypt | fast-mode | group | interface | link-hold-time |
    monitor [ dmz | trust | untrust ] | priority | second-path | session off }

Arguments
arp    Sets the number of ARP requests that a newly elected master unit sends out, notifying other network devices of its presence. The default is 2.
auth password    Specifies that the NetScreen device performs HA communications authentication using the specified password. Valid passwords contain from 1 to 16 characters.
encrypt password    Specifies that the NetScreen device encrypts HA communications using the specified password. Valid passwords contain from 1 to 16 characters.
fast-mode    When a redundant group has only two members (a master and a backup) you can quicken the failover procedure by using the fast-mode option. This option essentially eliminates the election process. Because there is only one possible candidate to become the master, there is no need to determine which unit to promote.
group    Defines an identification number for the redundant group, where <number> can be between 0 and 255. If you specify 0, high availability (HA) is disabled.
interface <name_str>    The name of the interface. For more information on interfaces, refer to Interfaces in USGA Features.
link-hold-time    Sets the link down time on the backup unit.
monitor <name_str>    Sets the monitor interface. The interfaces you can specify for monitoring are as follows.
- ethernet<n>
- ethernet<n1>.<n2>
- ethernet<n1>/<n2>
- ethernet<n1>/<n2>.<n3>
- mgt
For more information on interfaces, refer to Interfaces in USGA Features.
priority    Assigns a number to define:
- which unit is the master unit when two NetScreen devices in a redundant group power up simultaneously
- which backup unit becomes the next master during a failover
- the unit with the number closest to 1 becomes the master unit
second-path <name_str>    Specifies a backup unit interface for HA communication, should the primary link fail. The interfaces you can set up for backup are as follows.
- ethernet<n>
- ethernet<n1>.<n2>
- ethernet<n1>/<n2>
- ethernet<n1>/<n2>.<n3>
- mgt
- ha | ha1 | ha2
For more information on interfaces, refer to Interfaces in USGA Features.
session off    Stops the master HA from propagating a session's services to the other members of the redundant group.
track ip <ip_addr>    Enables path tracking, which is a means for checking the network connection between a NetScreen interface and that of another device. The IP address <ip_addr> indicates the IP address of the other network device to be checked.
interval <number>    Defines the frequency for checking an IP address. You can set the interval between 1 and 200 seconds.
method { arp | ping }    Determines the method to perform path tracking.
threshold <number>    Specifies the number of consecutive unanswered requests required to constitute a failed attempt at reaching a remote network device.
weight <number>    Assigns an importance to the tracked remote address. A value of 16 denotes the most important, and 1 the least. For example, if a NetScreen device fails to get 3 consecutive responses from an IP address with a weight of 16, the number of failed attempts is 48.
track threshold <number>    Sets the number of failed attempts required to initiate a failover. The range is between 1 and 255.

Defaults
The default group ID number is 0, which means that HA is disabled.
The default priority number is 100.
The default method for path tracking is pinging.
The default interval for path tracking is 1 second.
The default number of unanswered requests considered as a failed attempt is 3.
The default weight is 1.
The default track threshold required to initiate a failover is 255.

Examples
To define the HA group ID as 3:
ns-> set ha group 3
To disable high availability:
ns-> unset ha group
or
ns-> set ha group 0
To enable path tracking to IP address 172.16.66.170 every 5 seconds:
ns-> set ha track ip 172.16.66.170 interval 5

Notes
The color of the Status LED indicates whether a NetScreen device is operating as a master or a backup unit. Green indicates the device is running in master mode, and yellow indicates the backup mode.
The key <hex_key> and the password <pswd> option are both available when the device is in FIPS mode. The key <hex_key> option is unavailable when the NetScreen device is not in FIPS mode.

See Also
See the get ha and exec ha commands.
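The path-tracking arithmetic described in the Arguments table (per-address threshold, weight, and the group-wide track threshold) as an added example; this is not code from the NetScreen guide, and the class names, the probe results and the reading that a target's score is consecutive misses times its weight are assumptions drawn from the page's 3 × 16 = 48 example.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

TRACK_THRESHOLD_DEFAULT = 255   # page default for "track threshold" (failover trigger)
PROBE_THRESHOLD_DEFAULT = 3     # page default for the per-address "threshold"
WEIGHT_DEFAULT = 1              # page default for "weight"


@dataclass
class TrackedIp:
    """One 'set ha track ip <ip_addr>' entry (hypothetical class, not ScreenOS code)."""
    ip: str
    weight: int = WEIGHT_DEFAULT
    threshold: int = PROBE_THRESHOLD_DEFAULT
    interval: int = 1               # seconds between probes, page default 1
    misses: int = 0                 # consecutive unanswered probes so far

    def __post_init__(self) -> None:
        if not 1 <= self.weight <= 16:
            raise ValueError("weight must be between 1 (least) and 16 (most important)")
        if not 1 <= self.interval <= 200:
            raise ValueError("interval must be between 1 and 200 seconds")

    def cli(self) -> List[str]:
        """The set ha track commands that would create this entry, one option each."""
        base = f"set ha track ip {self.ip}"
        return [f"{base} interval {self.interval}",
                f"{base} threshold {self.threshold}",
                f"{base} weight {self.weight}"]

    def observe(self, answered: bool) -> None:
        """Feed one probe result; a reply resets the consecutive-miss counter."""
        self.misses = 0 if answered else self.misses + 1

    def failed_attempts(self) -> int:
        """Weighted failure score: nothing until `threshold` consecutive misses,
        then misses x weight (page example: 3 misses x weight 16 = 48)."""
        if self.misses < self.threshold:
            return 0
        return self.misses * self.weight


class PathTracker:
    """Aggregates tracked addresses and applies the group-wide track threshold."""

    def __init__(self, targets: Iterable[TrackedIp],
                 track_threshold: int = TRACK_THRESHOLD_DEFAULT) -> None:
        if not 1 <= track_threshold <= 255:
            raise ValueError("track threshold must be between 1 and 255")
        self.targets: Dict[str, TrackedIp] = {t.ip: t for t in targets}
        self.track_threshold = track_threshold

    def feed(self, probes: Iterable[Tuple[str, bool]]) -> None:
        for ip, answered in probes:
            self.targets[ip].observe(answered)

    def failed_attempts(self) -> int:
        return sum(t.failed_attempts() for t in self.targets.values())

    def should_failover(self) -> bool:
        return self.failed_attempts() >= self.track_threshold


def run_sample() -> Tuple[int, int, bool]:
    """Constructed scenario: an upstream router (weight 16) and a DNS host (weight 4)."""
    router = TrackedIp("172.16.66.170", weight=16, interval=5)
    dns = TrackedIp("172.16.66.53", weight=4, threshold=2)
    tracker = PathTracker([router, dns])            # track threshold 255 (default)
    tracker.feed([(router.ip, False)] * 3)          # 3 consecutive misses -> 48
    after_three = tracker.failed_attempts()
    tracker.feed([(router.ip, False)] * 13 + [(dns.ip, False)] * 2)
    # router: 16 x 16 = 256, dns: 2 x 4 = 8 -> 264 >= 255, so the unit fails over
    return after_three, tracker.failed_attempts(), tracker.should_failover()


if __name__ == "__main__":
    print(run_sample())
```

With the default track threshold of 255, a single weight-16 address that stays unanswered for 16 consecutive probes is enough to trigger failover on its own.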
set hostname

Description: Use the set hostname command to define the name of the NetScreen device. This is the name that appears in the console.

Syntax
set hostname <name_str>
unset hostname

Arguments
<name_str>    Sets the name of the NetScreen device.

Defaults
For NetScreen-5xp, it is ns5xp.
For NetScreen-10, it is ns10.
For NetScreen-100, it is ns100.
For NetScreen-500, it is ns500.
For NetScreen-1000, it is ns1000.

Examples
To change the NetScreen device hostname to acme:
ns-> set hostname acme
To reset the NetScreen device hostname to the default value:
acme-> unset hostname

See Also
See the get hostname command.
set ike

Description: Use the set ike command to define the Phase 1 and Phase 2 proposals and the gateway for an AutoKey IKE (Internet Key Exchange) VPN tunnel, and to specify other IKE parameters.

Syntax

Phase 1 proposal
set ike p1-proposal <name_str>
  [ DSA-Sig | RSA-Sig | preshare [ group1 | group2 | group5 ] ]
  { esp { 3des | des | aes128 }
    { md5 | sha-1 }
    [ days <number> | hours <number> | minutes <number> | seconds <number> ] }

Phase 2 proposal
set ike p2-proposal <name_str>
  [ group1 | group2 | group5 | no-pfs ]
  { esp { 3des | des | aes128 | null } | ah }
  [ md5 | null | sha-1 ]
  [ days <number> | hours <number> | minutes <number> | seconds <number> ]
  [ kbyte <number> ]

Gateway
set ike gateway <name_str>
  { dialup <name_str> |
    dynamic <name_str> |
    heartbeat { hello <number> | threshold <number> } |
    ip <ip_addr> [ id <id_str> ] }
  [ aggressive | main ] [ local-id <id_str> ]
  [ preshare <key_str> ]
  { proposal <name_str> [ <name_str> ] [ <name_str> ] [ <name_str> ] } |
  { cert { my-cert <id_num> | peer-ca <id_num> | peer-cert-type { pkcs7 | x509-sig } } } |
  nat-traversal [ udp-checksum | keepalive-frequency <number> ] |
  disable-udp-checksum | enable-udp-checksum

Other IKE parameters
set ike
  { accept-all-proposal | heartbeat | policy-checking | single-ike-tunnel <name_str> |
    soft-lifetime-buffer <number> | respond-bad-spi <spi_num> | initiator-set-commit |
    responder-set-commit | id-mode { ip | subnet } }

set ike initial-contact [ all-peers | single-gateway <name_str> | single-user <name_str> ]

unset ike
  { accept-all-proposal | gateway | initial-contact |
    p1-proposal <name_str> | p2-proposal <name_str> | policy-checking | heartbeat |
    initiator-set-commit | respond-bad-spi | responder-set-commit | single-ike-tunnel <name_str> }

unset ike gateway <name> [ my-cert | peer-ca | peer-cert-type | nat-traversal [ udp-checksum ] ]

Arguments
p1-proposal <name_str>    Names the IKE Phase 1 proposal, which contains parameters for creating and exchanging session keys and establishing security associations. You can specify up to four Phase 1 proposals.
DSA-Sig | RSA-Sig | preshare    Specifies the method to authenticate the source of IKE messages. preshare refers to a Preshared key; that is, a key for encryption and decryption that both participants have before beginning tunnel negotiations. RSA-Sig and DSA-Sig refer to two kinds of digital signatures, which are certificates testifying that the certificate holder is who he or she claims to be. Preshared key is the default method.
esp    Specifies Encapsulating Security Payload, a protocol that provides both encryption and authentication.
des | 3des | aes128    Specifies the encryption algorithm used in the ESP protocol.
md5 | null | sha-1    Specifies the authentication (hashing) algorithm used in the ESP protocol. The default algorithm is SHA-1, the stronger of the two algorithms.
group1 | group2 | group5    Identifies the Diffie-Hellman group, a technique that allows two parties to negotiate encryption keys over an insecure medium, such as the Internet. Group2 is the default group.
days <number> | hours <number> | minutes <number> | seconds <number>    Defines the elapsed time between each attempt to renegotiate another security association. The minimum allowable lifetime is 180 seconds. The default lifetime is 28800 seconds.
p2-proposal <name_str>    Names the IKE Phase 2 proposal, which defines the parameters for creating and exchanging session keys and security associations for securing data to be sent through the IPSec tunnel. You can specify up to four Phase 2 proposals.
group1 | group2 | group5 | no-pfs    Defines how the NetScreen device generates the encryption key. Perfect Forward Secrecy (PFS) is a method for generating each new encryption key independently from the previous key. Selecting no-pfs turns this feature off, specifying that IKE generates the Phase 2 key from the key generated in the Phase 1 exchange. If you specify one of the Diffie-Hellman groups, IKE automatically uses PFS when generating the encryption key. The default is Group 2.
ah | esp    In a Phase 2 proposal, identifies the IPSec protocol: either Authentication Header (AH), which provides authentication, or Encapsulating Security Payload (ESP), which provides encryption (and/or authentication).
null    Specifies that either no encryption or no authentication applies. You cannot select null for both encryption and authentication.
kbytes <number>    Indicates the maximum allowable data flow in kilobytes before NetScreen renegotiates another security association. The default value is 0 (infinity).
gateway <name_str>    Specifies the name of the remote tunnel gateway.
heartbeat    Specifies the IKE heartbeat protocol parameters. hello <number> sets the IKE heartbeat protocol interval in seconds. threshold <number> sets the number of retries before the NetScreen device forces renegotiation of the Phase 1 and Phase 2 keys.
dialup <name_str>    Identifies an IKE dialup user or dialup group. To specify a user's attributes, use the set user command. To specify a dialup group's attributes, use the set dialup command.
dynamic <name_str>    Specifies that the remote gateway has a dynamically assigned IP address. <name_str> defines the IKE identity of the remote peer device.
ip <ip_addr>    Defines the static IP address of the remote gateway.
nat-traversal    Enables or disables IPsec NAT-Traversal, a feature that allows transmission of encrypted traffic through a NAT device. The NAT Traversal feature encapsulates ESP packets into UDP packets. This prevents the NAT device from altering ESP packet headers in transit, thus preventing authentication failure on the peer NetScreen device. udp-checksum enables the NAT-Traversal UDP checksum operation (used for UDP packet authentication). keepalive-frequency specifies how many seconds of inactivity the NetScreen device allows before disabling NAT Traversal.
id <id_str>    (Optional) Identifies the remote gateway. Identification can be in one of the following three forms:
- an IP address
- a fully qualified domain name (FQDN); for example, www.netscreen.com
- a RFC822 name; that is, an email name such as [email protected].
Include the peer ID only when you want to enforce identifying the peer gateway with the specified ID. The NetScreen device checks the peer's ID payload to see if it matches the specified ID.
aggressive | main    Defines the mode used for Phase 1 negotiations. Use Aggressive mode only when you need to initiate an IKE key exchange without ID protection, such as when one of the participants has a dynamically assigned IP address. Main mode is the recommended key-exchange method because it conceals the identities of the parties during the key exchange.
local-id <id_str>    Defines the IKE NetScreen identity of the local device. Use only when the local NetScreen device has a dynamically assigned IP address. (Note: If either of the participants has a dynamically assigned IP address, use Aggressive mode for Phase 1.)
preshare <key_str>    Defines the Preshared key used in the Phase 1 proposal. (If you use an RSA- or DSA-signature in the Phase 1 proposal, do not include this reference.)
proposal <name_str>    Specifies the name of a proposal. You can specify up to four Phase 1 proposals.
cert    Uses a digital certificate to authenticate the VPN initiator and recipient.
my-cert <name_str>    Specifies one certificate if the local NetScreen device has multiple certificates loaded.
peer-ca <name_str>    Specifies a preferred certificate authority (CA).
peer-cert-type { pkcs7 | x509 }    Specifies a preferred type of certificate: PKCS7 or X509.
accept-all-proposal    Accepts all incoming proposals. The default is to accept only those proposals matching predefined or user-defined proposals.
policy-checking    Checks if the access policies of the two VPN participants match before establishing a connection. Use policy checking when multiple tunnels are supported between two peer gateways. Otherwise, the IKE session fails. For backwards compatibility with ScreenOS 2.0 and earlier, you can disable policy checking when only one policy is configured between two peers.
single-ike-tunnel <name_str>    Specifies a single Phase 2 SA for all policies to the same remote peer. (Note: This feature has been implemented to ensure backward compatibility with ScreenOS 2.0.)
soft-lifetime-buffer <number>    Sets a time in seconds to initiate a rekeying operation before the current IPSec SA key lifetime expires.
respond-bad-spi <spi_num>    Responds to a specified number of packets with a bad security parameter index (SPI) value after a reboot.
initiator-set-commit    Requests the responder to confirm that the new IPSec SA is established. The initiator will not use the new SA until this confirmation is received. The default is unset.
responder-set-commit    Requests the initiator to confirm that the new IPSec SA is established before using it. The default is unset.
id-mode { ip | subnet }    Defines the IKE ID mode in the Phase 2 exchange as either a host (IP) address or a gateway (subnet). If you choose ip, no Phase 2 ID is sent. If you choose subnet, proxy Phase 2 IDs are sent. (Use IP when setting up a VPN tunnel between a NetScreen device and a CheckPoint 4.0 device. Otherwise, use the subnet option.)
initial-contact { all-peers | single-gateway <name_str> | single-user <user_name> }    By specifying all-peers, the NetScreen device deletes all SAs, and sends an initial contact notification to each IKE peer. If you do not specify anything, the NetScreen device sends an initial contact notification to all peers during the first IKE single-user session with that peer after a system reset. By specifying single-gateway <name_str> or single-user <string>, the NetScreen device deletes all SAs associated with the specified IKE gateway or IKE user, then sends an initial contact notification. The default is unset.

Defaults
Main mode is the default method for Phase 1 negotiations.
3DES and SHA-1 are the default algorithms for encryption and authentication.
The default time intervals before the NetScreen mechanism renegotiates another security association are 28,800 seconds in a Phase 1 proposal, and 3600 seconds in a Phase 2 proposal.
The default ID mode is subnet. (Changing the ID mode to IP is only necessary if the data traffic is between two security gateways, one of which is a CheckPoint 4.0 device.)
The default soft-lifetime-buffer size is 10 seconds.
By default, the single-ike-tunnel flag is not set.
By default, the commit bit is not set when initiating or responding to a Phase 2 proposal.

Examples
To define a Phase 1 proposal named pre-g1-3des-md5 with the following attributes:
• Preshared key and a group 1 Diffie-Hellman exchange
• Encapsulating Security Payload (ESP) protocol using the 3DES and MD5 algorithms
• Lifetime of 3 minutes:
ns-> set ike p1-proposal sf1 preshare group1 esp 3des md5 minutes 3
To define a Phase 2 proposal named g2-esp-3des-null with the following attributes:
• Group 2 Diffie-Hellman exchange
• ESP using 3DES without authentication
• Lifetime of 15 minutes:
ns-> set ike p2-proposal g2-esp-3des-null group2 esp 3des null minutes 15
To define a remote gateway named “san_fran” with the following attributes:
• Main mode
• Preshared Key with the value bi273T1L
• Reference to the Phase 1 proposal pre-g2-3des-md5
ns-> set ike gateway san_fran ip 172.16.10.11 preshare bi273T1L proposal pre-g2-3des-md5
For an example of the complete procedure for setting up a VPN tunnel, see the Notes section below.
To enable NAT traversal for a gateway named mktg:
ns-> set ike gateway mktg nat-traversal
To enable the UDP checksum setting:
ns-> set ike gateway mktg nat-traversal udp-checksum
To disable the UDP checksum setting:
ns-> unset ike gateway mktg nat-traversal udp-checksum
To set the Keepalive setting to 25 seconds:
ns-> set ike gateway mktg nat-traversal keepalive-frequency 25

See Also
See the clear ike, get ike, set policy, set user, set vpn, and get sa commands.

Notes
Setting up a VPN tunnel for a remote gateway with a static IP address requires up to five steps. To set up one end of a VPN tunnel gateway 1 (GW1) in the illustration for bidirectional traffic, follow the steps below.
1. Set the addresses for the trusted and untrusted parties at the two ends of the VPN tunnel:
ns-> set address trust host1 10.0.1.1 255.255.255.255
ns-> set address untrust host2 10.0.2.1 255.255.255.255
2. Define the IKE Phase 1 proposal and Phase 2 proposal. If you use the default proposals, you do not need to define Phase 1 and Phase 2 proposals.
3. Define the remote gateway:
ns-> set ike gateway gw2 ip 204.0.0.2 preshare netscreen proposal pre-g2-3des-md5
4. Define the VPN tunnel as AutoKey IKE:
ns-> set vpn vpn1 gateway gw2 proposal g2-esp-des-md5
5. Define an outgoing and an incoming access policy:
ns-> set policy outgoing host1 host2 any tunnel vpn vpn1
ns-> set policy incoming host2 host1 any tunnel vpn vpn1
The procedure for setting up a VPN tunnel for a dialup user with IKE constitutes up to five steps.
1. Define the trusted address that the user will access. (See the set address command.)
2. Define the user as an IKE user. See the set user command on page 2-122.
3. Define the IKE Phase 1 proposal, Phase 2 proposal, and remote gateway. (Note: If you use the default proposals, you do not need to define a Phase 1 or Phase 2 proposal.)
4. Define the VPN tunnel as AutoKey IKE. See the set vpn command on page 2-131.
5. Define an incoming access policy, with Dial-Up VPN as the source address and the VPN tunnel you configured in step 3 specified. See the set policy command on page 2-92.

See Also
See the get ike and clear ike-cookie commands.
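The five-step static-IP tunnel procedure in the Notes above, built as a command sequence that also checks the constraints the Arguments tables state (180 second minimum lifetime, at most four proposals per gateway, null not allowed for both ESP encryption and authentication, Aggressive mode only when a participant has a dynamic address); this is an added example, not code from the NetScreen guide, and the host names, addresses, proposal names and the placeholder preshared key are constructed.

```python
from typing import List

MIN_LIFETIME_S = 180                     # minimum allowable lifetime (page)
P1_DEFAULT_LIFETIME_S = 28800            # Phase 1 default (page)
P2_DEFAULT_LIFETIME_S = 3600             # Phase 2 default (page)
AUTH_METHODS = {"preshare", "RSA-Sig", "DSA-Sig"}
DH_GROUPS = {"group1", "group2", "group5"}
ENC_ALGS = {"des", "3des", "aes128"}
HASH_ALGS = {"md5", "sha-1"}


def p1_proposal(name: str, auth: str = "preshare", dh: str = "group2", enc: str = "3des",
                hash_alg: str = "sha-1", seconds: int = P1_DEFAULT_LIFETIME_S) -> str:
    """set ike p1-proposal: ESP with a real cipher and hash, lifetime >= 180 s."""
    if auth not in AUTH_METHODS or dh not in DH_GROUPS:
        raise ValueError("unknown Phase 1 authentication method or DH group")
    if enc not in ENC_ALGS or hash_alg not in HASH_ALGS:
        raise ValueError("Phase 1 needs an encryption and a hashing algorithm")
    if seconds < MIN_LIFETIME_S:
        raise ValueError("lifetime below the 180 second minimum")
    return f"set ike p1-proposal {name} {auth} {dh} esp {enc} {hash_alg} seconds {seconds}"


def p2_proposal(name: str, pfs: str = "group2", proto: str = "esp", enc: str = "3des",
                hash_alg: str = "sha-1", seconds: int = P2_DEFAULT_LIFETIME_S,
                kbytes: int = 0) -> str:
    """set ike p2-proposal: AH or ESP; null allowed for one of encryption/authentication."""
    if pfs not in DH_GROUPS | {"no-pfs"}:
        raise ValueError("pfs must be a DH group or no-pfs")
    if hash_alg not in HASH_ALGS | {"null"}:
        raise ValueError("unknown hashing algorithm")
    if proto == "ah":
        if hash_alg == "null":
            raise ValueError("AH provides authentication, so a hash is required")
        proto_part = "ah"
    elif proto == "esp":
        if enc not in ENC_ALGS | {"null"}:
            raise ValueError("unknown ESP encryption algorithm")
        if enc == "null" and hash_alg == "null":
            raise ValueError("null cannot be selected for both encryption and authentication")
        proto_part = f"esp {enc}"
    else:
        raise ValueError("protocol must be ah or esp")
    if seconds < MIN_LIFETIME_S:
        raise ValueError("lifetime below the 180 second minimum")
    cmd = f"set ike p2-proposal {name} {pfs} {proto_part} {hash_alg} seconds {seconds}"
    return cmd + (f" kbyte {kbytes}" if kbytes else "")   # kbyte 0 means infinity, so omit


def gateway(name: str, peer: str, preshare: str, proposals: List[str],
            dynamic_peer: bool = False, aggressive: bool = False) -> str:
    """set ike gateway with a preshared key and one to four Phase 1 proposals.
    Aggressive mode is refused unless the peer is dynamic, following the page's advice."""
    if not 1 <= len(proposals) <= 4:
        raise ValueError("a gateway references between one and four Phase 1 proposals")
    if aggressive and not dynamic_peer:
        raise ValueError("use Aggressive mode only when a participant has a dynamic IP address")
    peer_part = f"dynamic {peer}" if dynamic_peer else f"ip {peer}"
    mode_part = " aggressive" if aggressive else ""          # main mode is the default
    return (f"set ike gateway {name} {peer_part}{mode_part} "
            f"preshare {preshare} proposal {' '.join(proposals)}")


def static_ip_tunnel_commands() -> List[str]:
    """Steps 1-5 of the Notes procedure with constructed hosts, addresses and key."""
    psk = "EXAMPLE-PSK-REPLACE-ME"          # placeholder value, never a real key
    return [
        "set address trust host1 10.0.1.1 255.255.255.255",
        "set address untrust host2 10.0.2.1 255.255.255.255",
        p1_proposal("pre-g2-3des-md5", hash_alg="md5"),
        p2_proposal("g2-esp-des-md5", enc="des", hash_alg="md5"),
        gateway("gw2", "204.0.0.2", psk, ["pre-g2-3des-md5"]),
        "set vpn vpn1 gateway gw2 proposal g2-esp-des-md5",
        "set policy outgoing host1 host2 any tunnel vpn vpn1",
        "set policy incoming host2 host1 any tunnel vpn vpn1",
    ]


if __name__ == "__main__":
    print("\n".join(static_ip_tunnel_commands()))
```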
set interface

Description: Use the set interface command to define the interface settings for network, virtual private network (VPN), High Availability (HA), and administrative traffic.

Syntax
set interface
  { ethernet<n> | ethernet<n1>/<n2> | ethernet<n1>/<n2>.<n3> }
  { bandwidth <number> |
    dip <number> [ <ip_addr> [ <ip_addr> [ fix-port ] ] ] |
    ident-reset |
    ip <ip_addr>/<mask> { tag <id_num> } |
    manage-ip <ip_addr> |
    mip <ip_addr> { host <ip_addr> [ netmask <mask> ] [ vrouter <name_str> ] } |
    nat | route |
    secondary |
    vip <ip_addr> [ <port_num> | + [ <name_str> <ip_addr> [ manual ] ] ] |
    zone <name_str> }

set interface
  { ethernet<n> | ethernet<n1>/<n2> | ethernet<n1>/<n2>.<n3> | mgt | vlan1 }
  { ip <ip_addr>/<mask> | manage-ip <ip_addr> | phy { auto | full | half } { 10mb | 100mb } }

set interface vlan1
  { broadcast { flood | arp [ trace-route ] } | bypass-non-ip | bypass-others-ipsec | vlan { trunk } }

DHCP
set interface { ethernet<n> | ethernet<n1>/<n2> | ethernet<n1>/<n2>.<n3> | v1-trust }
  dhcp
    { relay { server-name { <name_str> | <ip_addr> } | service | vpn } |
      server
        { ip <ip_addr> { mac <mac_addr> | to <ip_addr> } |
          option
            { dns1 | dns2 | dns3 | gateway | news } <ip_addr> |
            { nis1 | nis2 | pop3 | smtp } <ip_addr> |
            domainname <name_str> | lease <number> | netmask <mask> | nistag <name_str> |
            wins1 <ip_addr> |
            wins2 <ip_addr> } |
          service }
    }

Management and screen options
set interface { ethernet<n> | ethernet<n1>/<n2> | v1-trust | v1-untrust | v1-dmz }
  { ident-reset |
    manage { ping | scs | snmp | ssl | telnet | web } |
    screen
      { component-block | fin-no-ack | icmp-flood { threshold <number> } | icmp-fragment |
        icmp-large | ip-bad-option | ip-filter-src | ip-loose-src-route | ip-record-route |
        ip-security-opt | ip-spoofing | ip-stream-opt | ip-strict-src-route |
        ip-sweep { threshold <number> } | ip-timestamp-opt | land |
        limit-session [ source-ip-based <number> ] |
        mal-url { code-red | mal-url <name_str> <id_str> <number> } |
        ping-death | port-scan { threshold <number> } | syn-fin |
        syn-flood [ alarm-threshold <number> attack-threshold <number> queue-size <number>
                    source-threshold <number> timeout <number> ] |
        syn-frag | tcp-no-flag | tear-drop | udp-flood { threshold <number> } |
        unknown-protocol | winnuke }
  }

HA interfaces
set interface { ha | ha1 | ha2 }
  { phy { 10mb | 100mb } }

Tunnel interfaces
set interface tunnel/<n>
  { zone <name_str> | ip <ip_addr>/<mask> }
Arguments
interface    The name of the interface. For more information on interfaces, refer to Interfaces in USGA Features.
tunnel/<number>    The interface for a VPN tunnel. The <number> parameter identifies the tunnel interface.
bandwidth <number>    The guaranteed maximum bandwidth in kilobits per second for all traffic traversing the specified interface.
dip <id_num> <ip_addr> [ <ip_addr> ]    Sets a Dynamic IP (DIP) pool. The NetScreen device uses the pool to dynamically allocate source addresses when it applies Network Address Translation (NAT) to packets traversing the specified interface. The ID number <id_num> identifies the DIP pool. The IP address <ip_addr> represents the start of the IP address range. (Note: A single IP address can comprise an entire DIP pool.) The second IP address <ip_addr> represents the end of the IP address range. Be sure to exclude the following IP addresses from a DIP pool:
- the interface and gateway IP addresses
- any Virtual IP and Mapped IP addresses
ident-reset    Enables the NetScreen device to send a TCP Reset announcement in response to an IDENT request to port 113.
manage-ip <ip_addr>    Defines the Manage IP address for the specified physical interface. The Manage IP address can be used to access the NetScreen device for management purposes on a per-interface basis.
ip <ip_addr>/<mask> [ tag <id_num> ]    The IP address <ip_addr> and netmask <mask> for the specified interface or subinterface. The [ tag <id_num> ] switch assigns the interface to VLAN tag <id_num>.
mip <ip_addr> host <ip_addr> [ netmask <mask> ]    Defines a Mapped IP (MIP) address so that traffic sent to the MIP <ip_addr> is directed to the host with the IP address <ip_addr>. The netmask can specify a single one-to-one mapping or a mapping of one IP address range to another. (Note: Be careful to exclude the interface and gateway IP addresses, and any Virtual IP addresses in the subnet from the MIP address range.)
nat | route    Specifies whether to perform Network Address Translation (NAT) on outbound traffic from the trusted LAN or to route the outbound traffic without performing NAT.
secondary-ip ( route-deny )    Prevents the NetScreen device from automatically routing traffic from a host on one secondary IP address to a host on another secondary IP address.
vip <ip_addr>    Defines a Virtual IP (VIP) address (<ip_addr>) for the interface so you can map routable IP addresses to internal servers and access their services. The <port_num> parameter specifies the port number. The <name_str> and <ip_addr> parameters specify the service name and the IP address of the server providing the service, respectively. The manual switch turns off server auto detection. Using the + operator adds another service to the VIP.
zone <name_str>    Specifies the zone to which the new interface binds. For more information on zones, see Security Zones in USGA Features.
phy { auto | full | half }    auto | full | half defines the physical connection mode on the specified interface. The NetScreen unit automatically decides whether to operate at full or half duplex (as required by the network device connected to the NetScreen unit).
vlan1 broadcast    Controls how the NetScreen device determines reachability of other devices while the device is in transparent (L2) mode.
• The flood switch instructs the NetScreen device to flood frames received from an unknown host out all other interfaces that are in transparent mode. In the process, the device might attempt to copy frames out of ports that cannot access the destination address, thus consuming network bandwidth.
• The arp switch instructs the NetScreen device to generate an Address Resolution Protocol (ARP) broadcast. If the ARP broadcast finds the unknown destination IP address, the NetScreen device loads its ARP table with the appropriate MAC address and interface. The device uses this entry to reach the destination device directly, and only sends frames through the correct port, thus saving bandwidth. The process of generating the initial ARP can cause delay, but only for the first frame.
bypass-non-ip    Allows non-IP traffic, such as IPX, to pass through a NetScreen device in Transparent mode. (ARP is a special case for non-IP traffic. It is always passed, even when the feature is disabled.)
bypass-others-ipsec    Openly passes all IPSec traffic through a NetScreen device in Transparent mode. The NetScreen device does not act as a VPN tunnel gateway but passes the IPSec packets onward to other gateways.
vlan { trunk }    Determines whether the NetScreen device accepts or drops Layer-2 frames. The device makes this decision only when the following conditions apply:
- The NetScreen device is in transparent mode.
- The device receives VLAN tagged frames on an interface.
The device then performs one of two actions.
- Drop the frames because they have tags.
- Ignore the tags and forward the frames according to MAC addresses.
The vlan { trunk } switch determines which action the device performs. For example, the command set vlan1 vlan trunk instructs the NetScreen device to ignore the tags and forward the frames. This action closely follows that of a Layer-2 switch “trunk port.”
relay    Configures the NetScreen interface such that the NetScreen device can serve as a DHCP relay agent.
server-name <name_str> | <ip_addr>    Defines the domain name or IP address of the DHCP server from which the NetScreen device receives the IP addresses and TCP/IP settings that it relays to hosts on the trusted LAN.
service    Enables the NetScreen device to act as a DHCP relay agent through the interface.
vpn    Allows the DHCP communications to pass through a VPN tunnel. You must first set up a VPN tunnel between the NetScreen device and the DHCP server.
server    Makes the NetScreen interface a DHCP server.
ip <ip_addr> mac <mac_addr>    (In Reserved mode) The DHCP server assigns a designated IP address (<ip_addr>) to a machine specified by its MAC address (<mac_addr>).
ip <ip_addr> to <ip_addr>    (In Dynamic mode) Defines a range of IP addresses to use when the DHCP server is filling client requests. Enter the starting IP address and the ending IP address. The IP pool can include up to 64 entries, and can support up to 255 IP addresses.
service    Enables DHCP operation.
option    Specifies the DHCP server options for which you can define settings.
• dns1 <ip_addr> | dns2 <ip_addr> | dns3 <ip_addr> Defines the IP addresses of the primary, secondary, and tertiary Domain Name Service (DNS) servers.
• gateway <ip_addr> Defines the IP address of the default trusted gateway used by the clients.
• news <ip_addr> Specifies the IP address of a news server for receiving and storing postings for news groups.
• nis1 <ip_addr> | nis2 <ip_addr> Defines the IP addresses of the primary and secondary NetInfo® servers, which provide the distribution of administrative data within a LAN.
• pop3 <ip_addr> Specifies the IP address of a Post Office Protocol version 3 (POP3) mail server.
• smtp <ip_addr> Defines the IP address of a Simple Mail Transfer Protocol (SMTP) mail server.
• domainname <name_str> Defines the registered domain name of the network.
• lease <number> Defines the length of time in minutes for which an IP address supplied by the DHCP server is leased. For an unlimited lease, enter 0.
• netmask <ip_addr> Defines the netmask of the default gateway on the trusted side.
• nistag <string> Defines the identifying tag used by the Apple® NetInfo database.
• wins1 <ip_addr> | wins2 <ip_addr> Specifies the IP address of the primary and secondary Windows Internet Naming Service (WINS) servers.
service    Enables the NetScreen device to act as a DHCP relay agent through the interface.
manage    Enables or disables monitoring and management capability through the interface.
• ping Enables (or disables) pinging through the interface.
• scs Enables (or disables) SCS management through the interface.
• snmp Enables (or disables) SNMP management through the interface.
• ssl Enables (or disables) SSL management through the interface.
• telnet Enables (or disables) telnet management through the interface.
• web Enables (or disables) web management through the interface.
screen    Enables or disables firewall services through the interface.
• component-block Attackers can hide malicious Java or ActiveX components in Web pages, and these components can install a Trojan Horse on the victim host. A Trojan Horse contains applets that allow an outside party to access the victim host directly. Attackers can hide these components in compressed files, such as .zip, .gzip, and .tar, as well as in executable (.exe) files. Enabling the component-block feature blocks all embedded Java and ActiveX applets from Web pages.
• fin-no-ack Detects an illegal combination of flags, and rejects packets that have them.
• icmp-flood [threshold <number>] Detects Internet Control Message Protocol (ICMP) floods. An ICMP flood occurs when an attacker broadcasts ICMP echo requests in order to flood the system with data. This causes the system to slow down, time out, and then disconnect. The threshold defines the number of ICMP packets per second allowed to ping the same destination address before the NetScreen device rejects further ICMP packets. The range is 1 to 1,000,000.
• icmp-fragment Detects any ICMP frame with the More Fragments flag set, or with an offset indicated in the offset field.
• icmp-large Detects any ICMP frame with an IP length greater than 1024.
• ip-bad-option Discards all received frames where the list of IP Options is malformed or incomplete.
• ip-filter-src Blocks all packets with the Source Route Option enabled. The Source Route Option can allow a hacker to use a false IP address to access a network, and have the traffic returned to their real IP address. The administrator can block all IP Source Routed frames, only those with Strict Source Routing, or only those with Loose Source Routing.
• ip-loose-src-route Detects packet IPs with the loose source route option enabled.
• ip-record-route Discards all frames with the Record Route option enabled. With the Record Route option enabled, attackers might access information concerning the path between the attacker and the target device, thus gaining information about the protected network.
• ip-security-opt Discards all received frames with IP Security options set. These option settings conform to RFCs 1038 and 1108, which define various protection levels for frames, and the configuration of internetworking devices for forwarding frames throughout an internetwork.
• ip-spoofing Prevents spoofing attacks. Spoofing attacks occur when unauthorized agents attempt to bypass firewall security by imitating valid client IP addresses. Using the ip-spoofing option invalidates such false source IP address connections. Only NetScreen devices running in NAT or Route mode can use this option.
• ip-stream-opt Discards all frames with the IP SATNET Stream identifier set.
• ip-strict-src-route Detects frames with the strict source route option enabled.
• ip-sweep threshold <number> Detects and prevents an IP Sweep attack. An IP Sweep attack occurs when an attacker sends ICMP echo requests (pings) to multiple destination addresses. If a target host replies, it reveals the target's IP address to the attacker. Set the IP Sweep threshold to between 1 and 1,000,000 microseconds. Each time ICMP echo requests occur with greater frequency than this limit, the NetScreen device drops further echo requests from the remote source address.
• ip-timestamp-opt Discards all frames with the timestamp option set.
• land  Prevents Land attacks by combining the SYN flood defense mechanism with IP spoofing protection. Land attacks occur when an attacker sends spoofed IP packets with headers containing the target's IP address for both the source and destination IP addresses. The attacker sends these packets with the SYN flag set to any available port. This induces the target to create empty sessions with itself, filling its session table and overwhelming its resources.
• limit-session [ source-ip-based <number> ]  Lets you define the maximum number of sessions the NetScreen device can establish per second by a single source IP address.
• mal-URL [ <name_str> | code-red ]  Sets up a filter that scans HTTP packets for suspect URLs. The NetScreen device drops packets that contain such URLs. The code-red switch enables blocking of the Code Red worm. The <name_str> option works as follows.
  - <name_str>  A user-defined identification name.
  - <id_str>  Specifies the starting pattern to search for in the HTTP packet. Typically, this starting pattern begins with the HTTP command GET, followed by at least one space, plus the beginning of a URL. (The NetScreen device treats multiple spaces between the command "GET" and the character "/" at the start of the URL as a single space.)
  - <number>  Specifies a minimum length for the URL before the CR-LF.
• ping-of-death  Detects and rejects oversized and irregular ICMP packet sizes. Although the TCP/IP specification requires a specific packet size, many ping implementations allow larger packet sizes. This can trigger a range of adverse system reactions including crashing, freezing, and rebooting.
• port-scan threshold <number>  Prevents port scan attacks. A port scan attack occurs when an attacker sends packets with different port numbers to scan available services. The attack succeeds if a port responds. To prevent this attack, the NetScreen device internally logs the number of different ports scanned from a single remote source. For example, if a remote host scans 10 ports in 0.05 seconds (the default threshold setting), the NetScreen device flags this as a port scan attack, and rejects further packets from the remote source. The port-scan threshold <number> value determines the threshold setting, which can be from 1000 to 1,000,000 microseconds (the same unit as the ip-sweep threshold; 0.05 seconds is 50,000 microseconds).
• syn-fin  Detects an illegal combination of flags that attackers can use to consume sessions on the target device, thus resulting in a denial of service.
• syn-flood  Prevents SYN flood attacks. Such attacks occur when the connecting host continuously sends TCP SYN requests without completing the handshake by acknowledging the corresponding SYN-ACK responses.
  - [ alarm-threshold <number> ] defines the number of proxied, half-complete connections per second at which the NetScreen device makes entries in the event alarm log.
  - [ attack-threshold <number> ] defines the number of SYN packets per second required to trigger the SYN proxying mechanism.
  - [ queue-size <number> ] defines the number of proxied connection requests held in the proxied connection queue before the system starts rejecting new connection requests.
  - [ source-threshold <number> ] defines the number of SYN packets received (per second) from a single source IP address, before the NetScreen device executes the SYN proxying mechanism.
  - [ timeout <number> ] defines the maximum length of time before a half-completed connection is dropped from the queue. You can set it between 1 and 50 seconds.
• syn-frag  Detects a SYN fragment attack, and drops any packet fragments used for the attack. A SYN fragment attack floods the target host with SYN packet fragments. The host caches these fragments, waiting for the remaining packets to arrive so it can reassemble them. By flooding a server or host with connections that cannot be completed, the host's memory buffer eventually fills. No further connections are possible, and damage to the host's operating system can occur.
• tcp-no-flag  Drops an illegal packet with a missing or malformed flags field.
• tear-drop  Blocks the Teardrop attack. Teardrop attacks occur when fragmented IP packets overlap and cause the host attempting to reassemble the packets to crash. The tear-drop option directs the NetScreen device to drop any packets that have such a discrepancy.
• udp-flood threshold <number>  UDP flooding occurs when UDP packets are sent with the purpose of slowing down the system to the point that it can no longer process valid connection requests. The threshold is the number of packets allowed per second to the same destination IP address/port pair. When this number is exceeded, the NetScreen device generates an alarm and drops subsequent packets. The valid range is from 1 to 1,000,000.
• unknown-protocol  Discards all received IP frames with protocol numbers greater than 100. Such protocol numbers are undefined or reserved.
• winnuke  Detects attacks on Windows NetBIOS communications, modifies the packet as necessary, and passes it on. (Each WinNuke attack triggers an attack log entry in the event alarm log.)
fix-port  Keeps the original source port number in the packet header. Port Address Translation (PAT) is not applied.
gateway <ip_addr>  The IP address for the default gateway to which the NetScreen device forwards packets that are destined for networks beyond the immediate subnet of the specified interface.
ip <ip_addr>/<mask> [ secondary ]  The IP address <ip_addr> and netmask <mask> for the specified interface or subinterface.

Example:
To set up the Layer 2 interface v1-dmz to perform land attack detection:
ns-> set interface v1-dmz screen land
To bind interface ethernet4/1 to the Trust zone and enable Web management for the interface:
ns-> set interface ethernet4/1 zone trust
ns-> set interface ethernet4/1 manage web
To bind interface ethernet4/2 to the Untrust zone and enable ping for the interface:
ns-> set interface ethernet4/2 zone untrust
ns-> set interface ethernet4/2 manage ping
To enable the ability to reset ident requests through the ethernet3/2 interface:
ns-> set interface ethernet3/2 ident-reset
To create a subinterface for physical interface ethernet3/1 and bind it to the Untrust zone:
ns-> set interface ethernet3/1.2 zone untrust
To assign IP address 172.168.40.3/24 to subinterface ethernet3/1.2 and assign it VLAN tag 3:
ns-> set interface ethernet3/1.2 ip 172.168.40.3/24 tag 3
To create a tunnel interface named tunnel/2 with IP address 172.10.10.5/24:
ns-> set interface tunnel/2 zone untrust
ns-> set interface tunnel/2 ip 172.10.10.5/24
To enable the DHCP server service on interface ethernet3/2:
ns-> set interface ethernet3/2 dhcp server service
To unset the tunnel interface named tunnel/1:
ns-> unset interface tunnel/1

See Also:
See the get interface, set vsys, set dhcp, exec dhcp, set pppoe, and exec pppoe commands.

Notes:
The manage-ip option supersedes the sys-ip option and applies on a per-interface basis. When set, the IP address is for managing the device.
If both the per-interface manage-ip and the global sys-ip are set to 0.0.0.0, the interface IP is used to manage the device.
Note: The manage-ip takes precedence over sys-ip. If the sys-ip is 0.0.0.0, the administrator can use the interface IP address to manage the device, with the exception of those interfaces set with manage-ip.
set intervlan-traffic

Description: Use the set intervlan-traffic deny command to disable inter-VLAN traffic through a NetScreen device.
It is possible to configure a virtual system (VSYS) with two trusted interfaces, such that traffic can enter the VSYS through one interface and exit through the other without undergoing any security services such as authentication or encryption. This is known as inter-VLAN traffic.
When inter-VLAN traffic poses a security risk, you can disable it using the set intervlan-traffic deny command. To enable inter-VLAN traffic, use the unset intervlan-traffic command.

Syntax:
set intervlan-traffic { deny }
unset intervlan-traffic [ deny ]

Arguments:
set intervlan-traffic deny  Disables inter-VLAN traffic.
unset intervlan-traffic deny  Re-enables inter-VLAN traffic.

Example:
To disable inter-VLAN traffic:
ns-> set intervlan-traffic deny
To enable inter-VLAN traffic:
ns-> unset intervlan-traffic deny

See Also:
See the set vsys and set interface commands.
set ip

Description: Use the set ip command to set IP parameters for communication with the TFTP server.

Syntax:
set ip tftp { retry <number> | timeout <number> }
unset ip tftp

Arguments:
retry <number>  The number of times to retry a TFTP communication before the NetScreen device ends the attempt and generates an error message.
timeout <number>  Determines how long the NetScreen device waits before terminating an inactive TFTP connection.

Defaults:
The number of retries is 10.
The default timeout period is 2 seconds.

Example:
To set the number of retries to 7:
ns-> set ip tftp retry 7
To set the timeout period to 15 seconds:
ns-> set ip tftp timeout 15

See Also:
See the get ip tftp command.
Note: TFTP carries no authentication or encryption, so configuration and image transfers should only be made to a server on a protected management network.
set ippool

Description: Use the set ippool command to associate the name of an IP pool with a range of IP addresses. IP pools are used when assigning addresses to dialup users via the Layer 2 Tunneling Protocol (L2TP).

Syntax:
set ippool <string> <ip_addr> <ip_addr>
unset ippool <string>

Arguments:
<string>  Defines the name of the IP pool.
<ip_addr>  Sets the starting IP address in the IP pool.
<ip_addr>  Sets the ending IP address in the IP pool.

Defaults:
None.

Example:
To configure the IP pool named "office" with the IP addresses 172.16.10.100 through 172.16.10.200:
ns-> set ippool office 172.16.10.100 172.16.10.200

See Also:
See the get ippool command.
set l2tp

Description: Use the set l2tp command to configure L2TP tunnels and default L2TP settings.
This command is available for the root administrator, not a virtual system administrator.

Syntax:
set l2tp
  { <string> { [ id <id_num> ] user <name_str> }
      [ peer-ip <ip_addr> [ host <string> ] [ outgoing-interface <name_str> ] ]
      [ secret <string> ] [ keepalive <number> ] |
    default
      { auth { local | radius } | dns1 <ip_addr> | dns2 <ip_addr> | ippool <string> |
        ppp-auth { any | chap [ pap ] | pap } | radius-port <port_num> | radius-secret <string> |
        server-name <string> | wins1 <ip_addr> | wins2 <ip_addr> } }
unset l2tp
  { <string> |
    default
      { dns1 | dns2 | ippool | ppp-auth { any | chap [ pap ] | pap } | radius-port |
        radius-secret | server-name | wins1 | wins2 } }

Arguments:
<string>  The L2TP tunnel name.
id <id_num>  The ID number for the L2TP tunnel.
user <name_str>  The name of the L2TP user.
peer-ip <ip_addr>  Specifies the IP address of the L2TP access concentrator (LAC), if it has a static IP address.
host <string>  Specifies the name of the computer acting as the LAC.
outgoing-interface <name_str>  Specifies the outgoing interface for the L2TP tunnels.
secret <string>  Defines a shared secret used for authentication between the L2TP network server (LNS), which the NetScreen device is acting as, and the LAC.
keepalive <number>  Defines how many seconds of inactivity the NetScreen device (LNS) waits before sending a hello message to the dialup client (LAC).
default  Defines the default L2TP settings.
auth { local | radius }  Specifies the type of user authentication database: the NetScreen internal database (local) or a remote RADIUS server database (radius).
dns1 <ip_addr>  The IP address of the primary DNS server.
dns2 <ip_addr>  The IP address of the secondary DNS server.
ippool <string>  The name of the L2TP IP pool, from which IP addresses are drawn to be assigned to L2TP users.
ppp-auth { any | chap | pap }  Specifies the authentication type in response to a dialup user's request to make a Point-to-Point Protocol (PPP) link.
  - chap specifies Challenge Handshake Authentication Protocol (CHAP), a challenge-response exchange in which the password itself is never sent across the link.
  - pap specifies Password Authentication Protocol (PAP), which sends the login name and password without encryption.
  - any instructs the NetScreen device to negotiate CHAP and then, if that attempt fails, PAP. Because the fallback sends credentials in the clear, use chap where every client supports it.
radius-port <port_num>  Defines the port number of the RADIUS server. The number can be between 1024 and 65,535.
radius-secret <string>  The shared secret used by the NetScreen device and the RADIUS server.
server-name <string>  The IP address or domain name of the RADIUS server.
wins1 <ip_addr>  The IP address of the primary WINS server.
wins2 <ip_addr>  The IP address of the secondary WINS server.

Defaults:
The default L2TP UDP port number is 1701.
By default, no L2TP secret is used to authenticate the LAC-LNS pair.
The default interval for sending a keepalive message is 60 seconds.
PPP-auth type is any.

Example:
To create an L2TP tunnel named west_coast for a dialup user named jking:
ns-> set l2tp west_coast user jking
To create an L2TP tunnel named east_coast with a keepalive value of 120 seconds for a dialup user named dd:
ns-> set l2tp east_coast user dd keepalive 120
To create a set of default L2TP settings, using an IP pool named chiba, the local database, CHAP for L2TP authentication, primary and secondary DNS servers at 192.168.2.1 and 192.168.4.71, and primary and secondary WINS servers at 10.20.1.16 and 10.20.5.101:
ns-> set l2tp default ippool chiba
ns-> set l2tp default auth local
ns-> set l2tp default ppp-auth chap
ns-> set l2tp default dns1 192.168.2.1
ns-> set l2tp default dns2 192.168.4.71
ns-> set l2tp default wins1 10.20.1.16
ns-> set l2tp default wins2 10.20.5.101

See Also:
See the get l2tp, clear l2tp, and set ippool commands.
set lcd

Description: Use the set lcd command to activate the LCD on the front panel of a NetScreen device.

Syntax:
set lcd { display | key-in }
unset lcd { display | key-in }

Arguments:
display  Turns the LCD off or on and locks the control keys.
key-in  Locks and unlocks the control keys, but does not affect the LCD display.

Example:
To turn off the LCD and lock the control keys:
ns-> unset lcd display
To leave the LCD on but lock the control keys:
ns-> set lcd key-in
To turn on the LCD but leave the control keys locked:
ns-> set lcd display
To turn on the LCD and unlock the control keys:
ns-> unset lcd key-in

See Also:
See the get lcd command.
set log

Description: Use the set log command to generate log messages and specify their destinations.

Syntax:
set log { module <name_str> { level <string> { destination <string> } } }
unset log { module <name_str> { level <string> { destination <string> } } }

Arguments:
module <name_str>  Specifies the name of the ScreenOS module that generates the log message.
level <string>  The minimum urgency level of the generated log messages. Starting with the most urgent, these levels are as follows.
• emergency
• alert
• critical
• error
• warning
• notification
• information
• debugging
destination <string>  The destination of the generated log messages. The permissible destinations are as follows.
• console
• internal
• snmp
• syslog
• webtrends
• onesecure
• pcmcia

Example:
To generate log messages from module system, and to generate only messages at level alert or more urgent:
ns-> set log module system level alert destination email

See Also:
See the unset log command.
set mac

Description: Use the set mac command to configure a static Media Access Control (MAC) address for a NetScreen interface.

Syntax:
set mac <mac_addr> <interface>
unset mac <mac_addr>

Arguments:
<mac_addr>  Specifies the MAC address.
<interface>  Specifies the name of the interface, as with ethernet1.

Defaults:
None.

Example:
To set the MAC address on a NetScreen device to 111144446666 for the ethernet1 interface:
ns-> set mac 111144446666 ethernet1

See Also:
See the get mac-learn, clear mac-learn, get mac-count, and clear mac-count commands.
set mip

Description: Use the set mip command to define and modify Mapped IP address (MIP) configurations.

Syntax:
set mip <ip_addr1> host <ip_addr2> [ netmask <mask> ]
unset mip <ip_addr> [ netmask <mask> ]

Arguments:
<ip_addr1>  The MIP address.
host  The IP address <ip_addr2> of the host (or subnet) to receive the mapped traffic.
netmask  Defines the subnet mask of the mapped IP address.

Defaults:
The default subnet mask is 255.255.255.255.

Example:
To define a one-to-one Mapped IP configuration for a server with the IP address 172.16.10.92 to the valid external IP address 192.168.192.1:
ns-> set mip 172.16.10.92 host 192.168.192.1
To define a one-to-one Mapped IP configuration for a machine with IP address 172.16.10.92 to a specific host with an IP address 192.168.175.1:
ns-> set mip 172.16.10.92 host 192.168.175.1 netmask 255.255.255.255
To define a subnet-to-subnet Mapped IP configuration for a subnet with IP addresses starting from 192.168.15.1 to an actual subnet with IP addresses starting from 10.1.1.1 using a netmask of 255.255.255.248:
ns-> set mip 192.168.15.1 host 10.1.1.1 netmask 255.255.255.248

Notes:
Use the unset mip command to delete a Mapped IP configuration.
Mapping is allowed for a one-to-one or subnet-to-subnet relationship. When a subnet-to-subnet Mapped IP configuration is defined, the subnet mask is applied to both the Mapped IP subnet and the actual IP subnet.
Note: For the Trust and Tunnel interfaces, the MIP must be on the same subnet as its associated interface IP address. For the Untrust interface, the MIP may be located on a different subnet than its associated interface IP address.
When creating a new MIP, check for overlapping with other MIPs or DIPs. Be sure to check Virtual IPs (VIPs) as well.

See Also:
See the set interface and get mip commands.
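The notes above state three rules without showing them at work: a subnet-to-subnet MIP applies one mask to both sides, a Trust or Tunnel MIP must sit inside its interface subnet, and new MIPs must not overlap existing ones. The Python below, added here as an example and not ScreenOS code or anything from this reference, models the mappings from the examples with the standard ipaddress module and runs those checks. The interface addresses and zone names passed to the checks are constructed.

```python
"""Mapped IP (MIP) translation, placement and overlap checks (added example)."""
import ipaddress


class Mip:
    def __init__(self, mip, host, netmask="255.255.255.255"):
        # The same mask applies to both the MIP subnet and the real subnet.
        self.mip_net = ipaddress.ip_network("%s/%s" % (mip, netmask), strict=False)
        self.host_net = ipaddress.ip_network("%s/%s" % (host, netmask), strict=False)

    @staticmethod
    def _map(addr, src_net, dst_net):
        a = ipaddress.ip_address(addr)
        if a not in src_net:
            return None
        offset = int(a) - int(src_net.network_address)   # host bits within the subnet
        return str(dst_net.network_address + offset)

    def to_host(self, dst):
        """Inbound: destination MIP address -> real host address, or None if unmapped."""
        return self._map(dst, self.mip_net, self.host_net)

    def to_mip(self, src):
        """Outbound: real host source address -> MIP address, or None if unmapped."""
        return self._map(src, self.host_net, self.mip_net)


def overlaps(a, b):
    """True if two MIP definitions collide on either the mapped or the real side."""
    return a.mip_net.overlaps(b.mip_net) or a.host_net.overlaps(b.host_net)


def placement_ok(mip, interface_cidr, zone):
    """Trust/Tunnel: the MIP must lie in the interface subnet; Untrust may differ."""
    iface = ipaddress.ip_network(interface_cidr, strict=False)
    if zone.lower() in ("trust", "tunnel"):
        return mip.mip_net.subnet_of(iface)
    return True


if __name__ == "__main__":
    subnet_mip = Mip("192.168.15.1", "10.1.1.1", "255.255.255.248")
    one_to_one = Mip("172.16.10.92", "192.168.192.1")
    print(subnet_mip.to_host("192.168.15.5"), subnet_mip.to_mip("10.1.1.3"))
    print(overlaps(subnet_mip, Mip("192.168.15.6", "10.2.2.6")))
    print(placement_ok(subnet_mip, "192.168.15.254/24", "trust"))
```

Note that 192.168.15.1 with a /29 mask is really the 192.168.15.0/29 block, so the mapped range starts at .0, not .1; the network address arithmetic above makes that explicit, and the overlap check is what catches a second MIP such as 192.168.15.6 landing inside an existing subnet-to-subnet mapping.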
set natt

Description: Use the set natt command to set the NAT-T keepalive frequency.

Syntax:
set natt frequency <number>
unset natt frequency

Arguments:
<number>  The keepalive frequency expressed in 10-second intervals.

Example:
To set the NAT-T keepalive frequency to one minute (six 10-second intervals):
ns-> set natt frequency 6

See Also:
See the unset natt command.
Note: The keepalive interval must be shorter than the UDP binding timeout of the NAT device in the path; otherwise the translated ports expire between packets and the tunnel stalls.
set ntp

Description: Use the set ntp command to configure the NetScreen device for Simple Network Time Protocol (SNTP).
To enable the SNTP feature, use the set clock command.

Syntax:
set ntp { interval <number> | server <ip_addr> | zone <number1> <number2> }
unset ntp { server | interval | zone }

Arguments:
interval <number>  Defines in minutes how often the NetScreen device updates its clock time by synchronizing with the NTP server. The range for the synchronization interval is from 1 to 300 minutes.
server <ip_addr>  Defines the NTP server with which the NetScreen device synchronizes time. Replace <ip_addr> with the IP address of the NTP server.
zone <number1> <number2>  Defines the Time Zone, expressed as an integer <number1> between -12 and 12 inclusive. A value of zero denotes GMT (Greenwich Mean Time). <number2> expresses minutes.

Defaults:
This is a list of system defaults:
• The NTP service is off by default.
• The IP address for the NTP server is set to 0.0.0.0.
• The frequency (time interval) for synchronizing clock time is every 10 minutes.
• The Time Zone is set to 0, which translates to GMT (Greenwich Mean Time).

Example:
To enable NTP:
ns-> set clock ntp
To define the NTP server with IP address 172.10.10.6 with which to synchronize clock time:
ns-> set ntp server 172.10.10.6
To configure the NetScreen device to synchronize its clock time every 20 minutes:
ns-> set ntp interval 20
To disable the NTP feature:
ns-> unset clock ntp
To disable the NTP server and set its default IP address back to 0.0.0.0:
ns-> unset ntp server
To set the default synchronization interval back to 10 minutes:
ns-> unset ntp interval

See Also:
See the set clock, get ntp and exec ntp commands.

Notes:
NetScreen's implementation is based upon Simple Network Time Protocol (SNTP) and is therefore a subset of NTP. It is used to synchronize computer clocks in the Internet. In its simplified version, SNTP is adequate for devices that do not require a high level of synchronization and accuracy.
Note: The SNTP exchange configured here is not authenticated, so point the device at a trusted server on a protected network; the device clock drives certificate validity checks (see set pki) and log timestamps.
set pki

Description: Use the set pki command to designate the certificate authority server's IP and e-mail addresses, to retrieve local certificate requests, and to create new RSA key pairs for public key encryption.

Syntax:
set pki
  { convert-cert |
    authority { <id_num> | default }
      { cert-status
          { crl { refresh { daily | default | monthly | weekly } | url <url_str> } |
            ocsp { refresh <number> | url <url_str>
                   [ id-type { certhash | certid | issuer-serial | name | pkcert } ]
                   [ l-sign-request ] [ no-nonce ] [ no-response-type ] [ not-verify-resp-cert ] } |
            revocation-check { none | all | crl | ocsp } } |
        scep
          { authentication { failed | passed } | ca-cgi <string> | ca-id <name_str> |
            challenge <pswd_str> | current | mode { auto | manual } | polling-int <number> |
            ra-cgi <string> | renew-start <number> } } |
    ldap { server-name { <name_str> | <ip_addr> } | crl-url <url_str> } |
    x509
      { default
          { cert-path { full | partial } | crl-refresh { daily | default | monthly | weekly } |
            send-to <string> } |
        dn
          { country-name <name_str> | email <string> | ip <ip_addr> | local-name <name_str> |
            name <name_str> | org-name <name_str> | org-unit-name <name_str> | phone <string> |
            state-name <name_str> } |
        raw-cn { enable } } }
unset pki
  { authority <id_num>
      { cert-status
          { crl { refresh { daily | default | monthly | weekly } | url <name_str> } |
            ocsp { refresh <number> | url <url_str>
                   [ id-type { certhash | certid | issuer-serial | name | pkcert } ]
                   [ l-sign-request ] [ no-nonce ] [ no-response-type ] [ not-verify-resp-cert ] } |
            revocation-check { all | crl | ocsp } } |
        scep
          { authentication | ca-cgi | ca-id | challenge | current | mode | polling-int |
            ra-cgi | renew-start } } |
    ldap { crl-url | server-name } |
    x509 { default | dn | raw-cn } }

Arguments:
convert-cert  Converts an old VSYS certificate to the new style.
authority <id_num>  Defines how the NetScreen device uses the CA's authorization services.
cert-status  Defines how the NetScreen device verifies certificate status. The revocation-check option directs the NetScreen device to check certificates to see if they are currently revoked; none performs no revocation check at all.
crl  Uses the Certificate Revocation List (CRL) to determine the certificate's revocation status. The all option of revocation-check directs the NetScreen device to use both the CRL and OCSP.
The refresh setting determines how often the NetScreen device checks for revocation.
The url <url_str> setting specifies the URL for accessing the Certificate Revocation List.
ocsp  Uses Online Certificate Status Protocol (OCSP) to determine the certificate's revocation status.
The refresh setting determines how often the NetScreen device uses OCSP to check for revocation.
The url <url_str> setting specifies the URL for accessing the OCSP responder.
id-type  The id-type is the type of certificate ID used to identify the certificate. The certhash type specifies the hash value of the certificate. The certid type specifies the certificate identification value, which includes the hash algorithm, the hash of the issuer distinguished name (DN), the hash of the issuer's public key, and the certificate's serial number. The issuer-serial type specifies the CA issuer name and serial number. The name type specifies the general name of the certificate. The pkcert type specifies the entire certificate.
l-sign-request  Specifies that the NetScreen device signs the request for revocation verification.
no-nonce  Prevents the NetScreen device from sending a nonce value with the request. (Without a nonce the device cannot distinguish a fresh response from a replayed older one.)
no-response-type  Prevents the NetScreen device from specifying an acceptable response type.
not-verify-resp-cert  Prevents the NetScreen device from verifying the responder's certificate. (An unverified responder can assert any revocation status; use this only where the responder is reached over a trusted path.)
scep  Sets Simple Certificate Enrollment Protocol (SCEP) parameters.
  - authentication sets the result of the CA authentication, failed or passed.
  - ca-cgi <url_str> specifies the path to the CA's SCEP server.
  - ca-id <string> specifies the identity of the CA's SCEP server.
  - challenge <pswd_str> specifies the Challenge password.
  - current directs the NetScreen device to use the current SCEP setting as default.
  - mode { auto | manual } specifies the authentication mode for the CA's SCEP server.
  - polling-int <number> determines the retrieval polling interval (in minutes).
  - ra-cgi <url_str> specifies the CGI path to the RA's SCEP server.
  - renew-start <number> specifies the number of days before starting the renewal process.
ldap  Specifies settings for the LDAP server.
server-name { <name_str> | <ip_addr> }  Defines the domain name or IP address of the default Lightweight Directory Access Protocol (LDAP) server for the certificate authority (CA) that validates the X.509 certificate.
crl-url <url_str>  Sets the default LDAP URL for the CA certificate revocation list (CRL) to be used for X.509 CRL retrieval purposes.
x509  Specifies settings for the X.509 certificate.
default  Specifies a type of digital certificate with the default X.509 certificate settings.
The cert-path option configures the path to the X.509 CRL. The full | partial option determines if the NetScreen device uses the full path to the X.509 CRL or only a part of the path.
crl-refresh  Sets the refresh frequency of the X.509 CRL. The default option uses the validation date decided by each CRL.
send-to <string>  Assigns the destination e-mail address where the PKCS10 certificate request file is sent.
dn  Specifies a distinguished name to uniquely identify the user for whom the certificate is being requested.
country-name <name_str>  Sets the country name as the X.509 certificate subject name of the NetScreen device.
email <string>  Sets the contact e-mail address of the NetScreen device administrator as the X.509 certificate subject name of the NetScreen device.
ip <ip_addr>  Sets the IP address of the NetScreen device as its X.509 certificate subject name.
local-name <string>  Sets the name of the locality as the X.509 certificate subject name of the NetScreen device.
name <string>  Sets the name of the NetScreen device as its X.509 certificate subject name. This name uniquely identifies NetScreen X.509 certificates with the same RSA key, but issued by different Certificate Authorities.
org-name <string>  Sets the organization name as the X.509 certificate subject name of the NetScreen device.
org-unit-name <string>  Sets the organization unit name as the X.509 certificate subject name of the NetScreen device.
phone <string>  Sets the contact phone number of the NetScreen device administrator as the X.509 certificate subject name of the NetScreen device.
state-name <string>  Sets the state name as the X.509 certificate subject name of the NetScreen device.
raw-cn { enable }  Enables the raw common name (CN). You specify the certificate's raw CN with the command set pki x509 dn name <name_str>, where <name_str> is a string of characters comprising the CN.

Defaults:
The RSA key length is set to 1024 bits.

Example:
To identify 162.128.20.12 as the CA server's IP address:
ns-> set pki ldap server-name 162.128.20.12
To specify the destination e-mail address where the NetScreen device sends the PKCS10 certificate request:
ns-> set pki x509 default send-to [email protected]
To refresh the certificate revocation list on a daily basis:
ns-> set pki x509 default crl-refresh daily
To define a distinguished name for Ed Jones, who works in marketing at NetScreen Technologies in Santa Clara, California:
ns-> set pki x509 dn country-name "US"
ns-> set pki x509 dn state-name CA
ns-> set pki x509 dn local-name "santa clara"
ns-> set pki x509 dn org-name "netscreen technologies"
ns-> set pki x509 dn org-unit-name marketing
ns-> set pki x509 dn name "ed jones"

You use the set pki, get pki, and exec pki commands to request an X.509 CA certificate from a certificate authority. The following commands provide a typical example:
1. Specify a certificate authority CA CGI path.
set pki auth -1 scep ca-cgi "http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe"
2. Specify a registration authority RA CGI path.
set pki auth -1 scep ra-cgi "http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe"
Note: You must specify an RA CGI path even if the RA does not exist. If the RA does not exist, use the value specified for the CA CGI.
3. Generate an RSA key pair, specifying a key length of 1024 bits.
exec pki rsa new 1024
4. Initiate the SCEP operation to request a local certificate.
exec pki x509 scep -1
5. If this is the first attempt to apply for a certificate from this certificate authority, a prompt appears presenting a fingerprint value for the CA certificate. (Otherwise, go on to Step 6.)
You need to contact the certificate authority to confirm that this is the correct CA certificate. Compare the fingerprint over a channel independent of the SCEP connection; accepting an unverified fingerprint enrolls the device under whatever CA answered.
Execute the following command to get the device's authentication mode.
get pki auth default scep
If the authentication mode is auto, go on to Step 6. Otherwise, execute:
set pki auth default scep auth passed
6. When the confirmation prompt appears, contact your certificate authority administrator to approve the local certificate request.
7. (Optional) Display a list of pending certificates. This allows you to see and record the index number identifying the certificate.
get pki x509 list pending-cert
8. (Optional) Obtain the local certificate from the CA (using the index number obtained in Step 7) to identify the certificate.
exec pki x509 scep 1
If you do not execute Steps 7 and 8, the NetScreen device will still retrieve the certificate automatically from the CA. However, there will be a time delay of at least 15 minutes. This delay period depends upon how you configured the device. The configuration command for this feature is:
set pki auth -1 scep polling-int <number>
where <number> is time in minutes. The minimum is 15.
Note: The Common Gateway Interface (CGI) is a standard way for a web server to pass a user request to an application program, and to receive data back. CGI programs are invoked over the web's Hypertext Transfer Protocol (HTTP).

See Also:
See the get pki and exec pki commands.
set policy
Description: Use the set policy command to define access policies to control network and VPN traffic.
Syntax:
set policy
  { id <id_num> [ disable ] |
    [ id <id_num> ] [ before <pol_num> ] [ name <name_str> ]
    { from <zone1> to <zone2> <addr_str1> <addr_str2> <name_str> }
    [ nat [ dip-id <id_num> [ fix-port ] ] ]
    { tunnel
        { l2tp <name_str> | vpn-dialup <name_str> | vpn <name_str> | vpn-tunnel <name_str> [ id <id_num> ] [ l2tp <name_str> ] }
      [ auth ] |
      deny |
      permit [ auth ] }
    [ schedule <name_str> ] [ log [ alert ] ] [ count [ alarm <number> <number> ] ]
    [ traffic { gbw <number> { priority <number> } { mbw [ <number> dscp { disable | enable } ] } } ] |
    move <number> { before <id_num> | after <id_num> } |
    default-permit-all }
unset policy { [ id ] <id_number> [ disable ] | default-permit-all }
Arguments:
id <id_num>  Specifies an access policy ID number.
disable  Disables the policy.
before <pol_num>  Specifies the position of the access policy in the access control list (ACL) before another policy.
name <name_str>  Names the access policy.
from <zone1> to <zone2> <addr_str1> <addr_str2> <name_str>  Specifies two zones between which the policies apply. <zone1> is the name of the source security zone. <zone2> is the name of the destination security zone. <addr_str1> is the name of the source address. <addr_str2> is the destination address. <name_str> is the name of the service. For more information on zones, see Security Zones in USGA Features.
nat  Enables or disables Network Address Translation policies.
dip-id <id_num>  Specifies the ID number of the Dynamic IP (DIP) pool. This number can be between 4 and 255.
fix-port  Keeps the original source port number in the packet header; that is, Port Address Translation (PAT) is not applied.
tunnel  Encapsulates and encrypts outgoing IP packets, and decapsulates and decrypts incoming IP packets.
l2tp <id_num>  Specifies a Layer 2 Tunneling Protocol (L2TP) tunnel.
vpn-dialup <name_str>  For an incoming dialup VPN tunnel connection, specify vpn-dialup and the name of the dialup user or dialup group.
vpn [ l2tp <name_str> ]  For an IPSec VPN tunnel, specify vpn and the name of the VPN tunnel. For IPSec-over-L2TP, specify both vpn (and the name of the VPN tunnel) and l2tp (and the name of the L2TP tunnel).
vpn-tunnel  Specifies an active tunnel.
permit | deny  permit allows the specified service to pass from the source address across the firewall to the destination address. deny blocks the service at the firewall.
auth  Requires the user to provide a login name and password to authenticate his or her identity before access to cross the firewall is granted.
schedule <name_str>  Applies the access policy only at times defined in the specified schedule.
log [ alert ]  Maintains a log of all connections to which the access policy applies. alert enables the Syslog alert feature.
count  Maintains a count in bytes of all network traffic to which the access policy is applied.
alarm <number> <number>  Enables the alarm feature so that you can view alarms. You must enter the number of bytes per second (<number>) and the number of bytes per minute (<number>) required to trigger an alarm.
traffic gbw <number>  Defines the guaranteed bandwidth (GBW) in kilobits per second. The NetScreen device passes traffic below this threshold with the highest priority, without performing traffic shaping.
priority <number>  Specifies one of the eight traffic priority levels. When traffic falls between the guaranteed and maximum bandwidth settings, the NetScreen device passes traffic with higher priority first. Lower priority traffic is passed only if there is no higher priority traffic.
mbw <number>  Defines the maximum bandwidth (mbw) in kilobits per second. Traffic beyond this limit is throttled and dropped.
dscp { enable | disable }  Enables or disables a mapping of the NetScreen priority levels to the Differentiated Services Codepoint (DSCP) marking system.
move <id_num> { before | after } <id_num>  Repositions an access policy with one ID number before or after another policy with another ID number in the access control list (ACL).
default-permit-all  Allows access without checking the access control list (ACL) for a matching policy.
disable  Disables the policy without removing it from the configuration.
Examples:
To define an incoming access policy for an IPSec-over-L2TP tunnel (where the VPN tunnel name is “home2office” and the L2TP tunnel name is “home-office”) for a dialup VPN group named “home_office”:
ns-> set policy from untrust to trust dialup_vpn our_side any tunnel vpn home2office l2tp home_office
To create an outgoing access policy from the Sales department on the trusted network using NAT and the DIP pool with ID #7:
ns-> set policy from trust to untrust sales out_there any nat dip-id 7 permit
To define the DIP with a fixed port on the trusted interface:
ns-> set policy outgoing 10.1.1.9 10.150.42.41 any nat dip-id 7 fix-port
The following example configures a NetScreen device to allow traffic between a private telephony endpoint host with an H.323 gatekeeper through a NetScreen device to telephony endpoint hosts on the public side.
Interfaces:
1. set interface ethernet1 zone trust
2. set interface ethernet1 ip 10.10.1.1/24
3. set interface ethernet1 nat
4. set interface ethernet3 zone untrust
5. set interface ethernet3 ip 210.10.1.1/24
Addresses:
6. set address trust IP_Phone1 10.10.1.2/32
7. set address trust gatekeeper 10.10.1.10/32
8. set address untrust IP_Phone2 200.20.1.2/32
Mapped IP Addresses:
9. set interface ethernet3 mip 210.10.1.2 host 10.10.1.2
10. set interface ethernet3 mip 210.10.1.10 host 10.10.1.10
Routes:
11. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr
12. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 201.22.3.2
Policies:
13. set policy from trust to untrust IP_Phone1 IP_Phone2 h.323 permit
14. set policy from trust to untrust gatekeeper IP_Phone2 h.323 permit
15. set policy from untrust to trust IP_Phone2 mip(210.10.1.2) h.323 permit
16. set policy from untrust to trust IP_Phone2 mip(210.10.1.10) h.323 permit
17. save
See Also:
See the get policy, set address, set vpn, set l2tp, set user, set schedule, and set traffic-shaping commands.
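The access control list is evaluated top down and the first enabled policy that matches decides, which is why the before, move and default-permit-all options matter so much. The following Python model is an added example, not code from the guide or from NetScreen: it keeps an ordered policy list, resolves address-book names the way the device does, and shows a lookup result flipping as a broad deny is moved ahead of a narrower permit, disabled again, and finally as default-permit-all lets unmatched traffic through. The zone names, address-book entries and service names are constructed sample values.

```python
"""Added example (not from the NetScreen guide or its code): a minimal model of an
ordered access-policy list with first-match semantics, to show how `before`,
`move` and `default-permit-all` change the outcome of a lookup.  Zone names,
address-book entries and service names below are constructed sample values."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address book: name -> network (the device resolves names this way)
ADDRESS_BOOK = {
    "any": ip_network("0.0.0.0/0"),
    "sales": ip_network("10.1.1.0/24"),
    "out_there": ip_network("0.0.0.0/0"),
}


@dataclass
class Policy:
    pid: int                # id <id_num>
    src_zone: str           # from <zone1>
    dst_zone: str           # to <zone2>
    src_addr: str           # <addr_str1>, a name in ADDRESS_BOOK
    dst_addr: str           # <addr_str2>
    service: str            # <name_str>; "any" matches every service
    action: str             # "permit" or "deny"
    disabled: bool = False  # set policy id <n> disable

    def matches(self, src_zone, dst_zone, src_ip, dst_ip, service):
        if self.disabled:
            return False
        if (self.src_zone, self.dst_zone) != (src_zone, dst_zone):
            return False
        if src_ip not in ADDRESS_BOOK[self.src_addr]:
            return False
        if dst_ip not in ADDRESS_BOOK[self.dst_addr]:
            return False
        return self.service in ("any", service)


class AccessControlList:
    """Ordered policy list; the first enabled match decides."""

    def __init__(self):
        self.policies = []
        self.default_permit_all = False  # set policy default-permit-all

    def _index(self, pid):
        for i, p in enumerate(self.policies):
            if p.pid == pid:
                return i
        raise KeyError(f"no policy with id {pid}")

    def add(self, policy, before=None):
        """set policy [before <pol_num>] ...: append, or insert ahead of pol_num."""
        if any(p.pid == policy.pid for p in self.policies):
            raise ValueError(f"duplicate policy id {policy.pid}")
        if before is None:
            self.policies.append(policy)
        else:
            self.policies.insert(self._index(before), policy)

    def move(self, pid, position, other):
        """set policy move <pid> { before | after } <other>"""
        if position not in ("before", "after"):
            raise ValueError(position)
        policy = self.policies.pop(self._index(pid))
        idx = self._index(other)
        self.policies.insert(idx if position == "before" else idx + 1, policy)

    def lookup(self, src_zone, dst_zone, src_ip, dst_ip, service):
        """Return (action, matching policy id); id is None when nothing matched."""
        src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
        for p in self.policies:
            if p.matches(src_zone, dst_zone, src_ip, dst_ip, service):
                return p.action, p.pid
        return ("permit" if self.default_permit_all else "deny"), None


def demo():
    """Walk through the ordering effects and return the four lookup results."""
    acl = AccessControlList()
    acl.add(Policy(1, "trust", "untrust", "sales", "out_there", "http", "permit"))
    acl.add(Policy(2, "trust", "untrust", "any", "any", "any", "deny"))
    first = acl.lookup("trust", "untrust", "10.1.1.9", "198.51.100.7", "http")
    acl.move(2, "before", 1)          # the broad deny now shadows the permit
    second = acl.lookup("trust", "untrust", "10.1.1.9", "198.51.100.7", "http")
    acl.policies[0].disabled = True   # set policy id 2 disable: permit matches again
    third = acl.lookup("trust", "untrust", "10.1.1.9", "198.51.100.7", "http")
    acl.default_permit_all = True     # unmatched traffic is now allowed through
    fourth = acl.lookup("untrust", "trust", "198.51.100.7", "10.1.1.9", "telnet")
    return first, second, third, fourth


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The last lookup is the one to watch in a review of a real configuration: with default-permit-all set, a flow that no policy covers is permitted rather than denied, so the option should be treated as a bypass of the whole list rather than a convenience.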
set pppoe
Description: Use the set pppoe command to configure PPPoE.
Syntax:
set pppoe
  { ac <name_str> |
    authentication { CHAP | PAP | any } |
    auto-connect <number> |
    idle-interval <number> |
    interface [ <name_str> ] |
    ppp { lcp-echo-retries <number> | lcp-echo-timeout <number> } |
    service <name_str> |
    static-ip |
    username <name_str> { password <string> } }
unset pppoe
  { ac |
    authentication { CHAP | PAP } |
    idle-interval |
    interface [ <name_str> ] |
    service |
    static-ip |
    username }
Arguments:
ac <name_str>  Allows the interface to connect only to the specified AC.
authentication { CHAP | PAP | any }  Sets the authentication methods to CHAP, PAP, or both. The default authentication is any (both CHAP and PAP). To set authentication to CHAP only, first execute unset pppoe authentication PAP.
auto-connect <number>  Specifies the number of seconds that elapse before automatic re-initiation of a previously-closed connection occurs. Valid range is 0-10000. (0 to disable.)
idle-interval <number>  Sets the idle timeout, which is time elapsed (in minutes) before the NetScreen device terminates a tunnel due to inactivity. Specifying 0 turns off the idle timeout and the device never terminates the tunnel.
interface <name_str>  Specifies the interface for PPPoE encapsulation.
ppp  Specifies
• lcp-echo-retries  the number of unacked Lcp Echo requests before connection is terminated. Valid range is 1-30.
• lcp-echo-timeout  the time that elapses between transmission of two Lcp Echo requests. Valid range is 1-1000 seconds.
service <name_str>  Allows the interface to connect only to the specified service.
static-ip  Specifies that your connection uses the IP addresses assigned by the AC.
username <name_str>  Sets the user name and password.
Defaults:
The command is disabled by default. The default authentication method is any. The default idle timeout is 30 minutes.
Examples:
To set the username to “Phred”, and Phred’s password to “!@%)&&”:
ns-> set pppoe username Phred password !@%)&&
See Also:
See get pppoe, clear pppoe, and exec pppoe commands.
set scheduler
Description: Use the set scheduler command to create or modify a schedule. Schedules are used to enforce access policies at certain times.
Syntax:
set scheduler <name_str>
  [ once { start <date> <time> stop <date> <time> } [ comment <string> ] |
    recurrent { monday | tuesday | wednesday | thursday | friday | saturday | sunday }
      { start <time> stop <time> } [ start <time> stop <time> ] [ comment <string> ] ]
unset scheduler <name_str>
Arguments:
<name_str>  Defines a name for the schedule.
once  Apply the schedule once, starting on the day, month, year, hour, and minute defined, and stopping on the month, day, year, hour, and minute defined.
start  Defines when to start the schedule.
stop  Defines when to stop the schedule.
<date>  Defines the day, month, and year in USA format (mm/dd/yyyy).
<time>  Defines the hour and minutes in the 24-hour clock format (hh:mm).
recurrent  Directs the NetScreen device to repeat the schedule according to the defined day of the week, hour, and minutes.
monday  Repeat every Monday.
tuesday  Repeat every Tuesday.
wednesday  Repeat every Wednesday.
thursday  Repeat every Thursday.
friday  Repeat every Friday.
saturday  Repeat every Saturday.
sunday  Repeat every Sunday.
Defaults:
None.
Examples:
To create a schedule definition named “mytime” which starts on 1/10/1999 at 11:00 AM and ends on 2/12/1999 at 7:00 PM:
ns-> set scheduler mytime once start 1/10/1999 11:00 stop 2/12/1999 19:00
To create a schedule definition named “weekend” which starts at 8:00 AM and ends at 5:00 PM and repeats every Saturday and Sunday:
ns-> set scheduler weekend recurrent saturday start 8:00 stop 17:00
ns-> set scheduler weekend recurrent sunday start 8:00 stop 17:00
See Also:
See the get scheduler command.
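A schedule bound to a policy only has the intended effect if the once and recurrent windows are read the way the device reads them (mm/dd/yyyy dates, 24-hour hh:mm times, at most two start/stop pairs per weekday). The following Python parser and activity check is an added example, not code from the guide or from NetScreen: it applies constructed copies of the two set scheduler examples above and answers whether a schedule covers a given moment, rejecting malformed weekdays, reversed windows and out-of-range times.

```python
"""Added example (not from the NetScreen guide or its code): a parser for
`set scheduler` lines plus an `is_active` check that tells whether a schedule
(and therefore a policy bound to it) applies at a given moment.  Dates are read
in the guide's mm/dd/yyyy form and times in 24-hour hh:mm; the lines in
SAMPLE_LINES are constructed copies of the guide's examples."""
from datetime import datetime

WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday",
            "friday", "saturday", "sunday"]   # index matches datetime.weekday()


def _minutes(text):
    """'hh:mm' -> minutes since midnight, rejecting out-of-range values."""
    hours, minutes = text.split(":")
    hours, minutes = int(hours), int(minutes)
    if not (0 <= hours <= 23 and 0 <= minutes <= 59):
        raise ValueError(f"bad time {text!r}")
    return hours * 60 + minutes


def _stamp(date_text, time_text):
    """'mm/dd/yyyy' + 'hh:mm' -> datetime."""
    return datetime.strptime(f"{date_text} {time_text}", "%m/%d/%Y %H:%M")


def parse_scheduler(line, schedules):
    """Apply one 'set scheduler <name> once|recurrent ...' line to `schedules`."""
    tok = line.split()
    if tok[:2] != ["set", "scheduler"] or len(tok) < 4:
        raise ValueError(f"not a set scheduler line: {line!r}")
    name, kind = tok[2], tok[3]
    sched = schedules.setdefault(name, {"once": None, "recurrent": {}})
    if kind == "once":
        # once start <date> <time> stop <date> <time> [comment <string>]
        if len(tok) < 10 or tok[4] != "start" or tok[7] != "stop":
            raise ValueError(f"bad once clause: {line!r}")
        start, stop = _stamp(tok[5], tok[6]), _stamp(tok[8], tok[9])
        if stop <= start:
            raise ValueError("stop must be after start")
        sched["once"] = (start, stop)
    elif kind == "recurrent":
        # recurrent <day> start <time> stop <time> [start <time> stop <time>]
        day = tok[4] if len(tok) > 4 else ""
        if day not in WEEKDAYS:
            raise ValueError(f"bad weekday {day!r}")
        windows, i = [], 5
        while i < len(tok) and tok[i] == "start":
            if i + 3 >= len(tok) or tok[i + 2] != "stop":
                raise ValueError(f"bad start/stop pair: {line!r}")
            begin, end = _minutes(tok[i + 1]), _minutes(tok[i + 3])
            if end <= begin:
                raise ValueError("stop must be after start")
            windows.append((begin, end))
            i += 4
        if not 1 <= len(windows) <= 2:
            raise ValueError("a recurrent day takes one or two start/stop pairs")
        sched["recurrent"][day] = windows
    else:
        raise ValueError(f"unknown schedule kind {kind!r}")
    return sched


def is_active(schedules, name, when):
    """True if schedule `name` covers `when` (start inclusive, stop exclusive)."""
    sched = schedules[name]
    if sched["once"] is not None:
        start, stop = sched["once"]
        if start <= when < stop:
            return True
    minute = when.hour * 60 + when.minute
    for begin, end in sched["recurrent"].get(WEEKDAYS[when.weekday()], []):
        if begin <= minute < end:
            return True
    return False


def active_at(schedules, name, iso_text):
    """Convenience wrapper taking an ISO 'YYYY-MM-DD HH:MM' string."""
    return is_active(schedules, name, datetime.strptime(iso_text, "%Y-%m-%d %H:%M"))


# Constructed copies of the guide's two examples, fed through the parser.
SAMPLE_LINES = [
    "set scheduler mytime once start 1/10/1999 11:00 stop 2/12/1999 19:00",
    "set scheduler weekend recurrent saturday start 8:00 stop 17:00",
    "set scheduler weekend recurrent sunday start 8:00 stop 17:00",
]


def load_samples():
    schedules = {}
    for line in SAMPLE_LINES:
        parse_scheduler(line, schedules)
    return schedules


if __name__ == "__main__":
    table = load_samples()
    print(active_at(table, "weekend", "1999-01-16 12:00"))  # Saturday noon
    print(active_at(table, "weekend", "1999-01-18 12:00"))  # Monday noon
```

The stop time is treated as exclusive, so a window ending at 17:00 is already closed at 17:00 exactly; if the device you audit treats it inclusively, adjust the two comparisons in is_active rather than the parser.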
set scs
Description: Use the set scs command to enable a secure command shell (SCS) to display information or configure a NetScreen device from a remote system.
Syntax:
set scs
  { enable |
    key-gen-time <number> |
    pka-rsa
      { tftp { file-name <filename> | username <name_str> file-name <filename> } { ip-addr <ip_addr> } |
        [ username <name_str> ] key <number> <number> <number> } }
unset scs
  { enable |
    hash <name_str> <name_str> |
    key-gen-time |
    pka-rsa { all | username <name_str> { all | index <id_num> } } }
Arguments:
enable  Enables the Secure Command Shell (SCS) shell.
key-gen-time <number>  Specifies the SCS key regenerating time (in minutes).
pka-rsa  Public Key Authentication (PKA) using RSA.
tftp  Loads and binds the PKA key using TFTP.
key <number> <number> <number>  Binds a PKA key to the current user. The <number> values represent the key length, the exponent, and the modulus, respectively. Read-only users cannot execute this option.
username <name_str>  Specifies the name of the user to bind the PKA key.
file-name <filename>  Specifies the file containing the key to bind to the user.
unset scs pka-rsa  Unsets Public Key Authentication (PKA) using RSA.
all  Deletes all keys bound to all users in the active root/VSYS. Admin users and read-only users cannot execute this option.
username <name_str>  Unbinds and deletes all keys bound to the specified user, but only if <name_str> is the name of the current admin user. Read-only users cannot execute this option.
The index option unbinds and deletes the key identified by <id_num>. This option allows the root admin user to unbind a key for any user (identified by user <name_str>). Read-only users cannot execute this option.
Defaults:
This feature is disabled by default.
The default key generation time is 60 minutes.
Examples:
To enable Secure Command Shell (SCS) on a NetScreen device:
ns-> set scs enable
To set the key regeneration time to 15 minutes:
ns-> set scs key-gen-time 15
To bind a hypothetical key to a user named “chris”:
ns-> set scs pka-rsa username chris key 512 65537 687527248844895807161558279681375742271564397062612879336559999265828980111611537652715311887359071551679956054093391935033213724077837089019119296718115
See Also:
See the get scs and exec scs commands.
set service
Description: Use the set service command to create custom services for use in Access Policies.
Syntax:
set service <name_str>
  [ + { <number> | tcp | udp { src <number>-<number> { dst <number>-<number> } } } |
    protocol { <number> | tcp | udp } [ src-port <number>-<number> ] [ dst-port <number>-<number> ] [ timeout { <number> | never } ] [ group { email | info | remote | security | other } ] |
    group { email | info | remote | security | other } { <number> | tcp | udp { src <number>-<number> { dst <number>-<number> } } } |
    timeout { <number> | never } |
    clear ]
unset service <name_str>
Arguments:
<string>  Defines a name for the service.
+  Appends a service entry to the custom services list.
group { email | info | other | remote | security }  Assigns the service entry to one of the following groups, or categories:
- email: Services used for sending and receiving e-mail; for example, IMAP and POP 3.
- info: Services used for seeking and retrieving information; for example, HTTP and DNS.
- remote: Services used for remote access; for example, FTP or RLOGIN.
- security: Services used for security-related traffic such as encryption, decryption, and authentication; for example, HTTPS and PPTP.
- other: Services used for traffic other than that covered by the other four groups; for example, SNMP for network management.
protocol  Defines the service by IP protocol.
<ptcl_num>  Defines a protocol number for the specified service.
tcp  Defines a TCP-based service.
udp  Defines a UDP-based service.
src <number> <number>  Defines a range of source port numbers valid for the service. For example, 100 to 250.
dst <number> <number>  Defines a range of destination port numbers that receive the service request. For example, 300 to 400.
clear  Clears all service entries.
timeout { <number> | never }  Defines the session timeout value for the service in minutes or as “never.”
unset service <name_str>  Removes the specified service from the custom services list.
Defaults:
The default timeout for TCP connections is 30 minutes.
The default timeout for UDP connections is 1 minute.
Examples:
To clear all service entries named “test”:
ns-> set service test clear
To set a service named “ipsec” that uses protocol 50:
ns-> set service ipsec protocol 50
To set a service named “test1” that uses destination tcp port 1001:
ns-> set service test1 protocol tcp src-port 0-65535 dst-port 1001-1001
To set a service named “test2” that is categorized as a service for remote access and that uses tcp with a port number 10115:
ns-> set service test2 group remote tcp src 0-65535 dst 10115-10115
ns-> set service test2 + udp src 0-65535 dst 10115-10115
To set a service named “telnet” with a timeout value of 10 minutes:
ns-> set service telnet timeout 10
To unset a service named “test”:
ns-> unset service test
See Also:
See the get service command.
Notes:
The maximum timeout value for TCP connections is 40 minutes.
The maximum timeout value for UDP connections is 40 minutes.
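A custom service is only as precise as the port ranges and timeouts it carries, and a mistyped range silently widens what a permit policy lets through. The following Python parser is an added example, not code from the guide or from NetScreen: it applies constructed copies of the set service examples above to an in-memory table, enforces the port, protocol-number and timeout limits stated in this section (ports 0-65535, protocol numbers 0-255, timeouts of 1-40 minutes or never), and answers whether a given packet falls under a service. The matches and effective_timeout helpers and the record layout are this example's own.

```python
"""Added example (not from the NetScreen guide or its code): applies
`set service` lines to an in-memory custom-services table, validating port
ranges, protocol numbers and timeouts against the limits this section states,
and answers whether a packet falls under a service.  SAMPLE_LINES are
constructed copies of the guide's own examples."""
import re

GROUPS = {"email", "info", "remote", "security", "other"}
DEFAULT_TIMEOUT = {"tcp": 30, "udp": 1}   # minutes, from Defaults above
MAX_TIMEOUT = 40                          # minutes, from Notes above
FULL_RANGE = (0, 65535)                   # ports assumed when no range is given


def parse_port_range(text):
    """'lo-hi' -> (lo, hi); both ends must be valid ports and lo <= hi."""
    m = re.fullmatch(r"(\d{1,5})-(\d{1,5})", text)
    if not m:
        raise ValueError(f"bad port range {text!r}")
    lo, hi = int(m.group(1)), int(m.group(2))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {text!r}")
    return lo, hi


def _protocol(token):
    """'tcp' | 'udp' | IP protocol number (0-255) -> normalised value."""
    if token in ("tcp", "udp"):
        return token
    if token.isdigit() and int(token) <= 255:
        return int(token)
    raise ValueError(f"bad protocol {token!r}")


def _arg(tokens, i):
    """Token at position i, or a ValueError if the line ends early."""
    if i >= len(tokens):
        raise ValueError("missing argument")
    return tokens[i]


def parse_set_service(line, table):
    """Apply one 'set service <name> ...' line to `table` (name -> record)."""
    tok = line.split()
    if tok[:2] != ["set", "service"] or len(tok) < 3:
        raise ValueError(f"not a set service line: {line!r}")
    svc = table.setdefault(tok[2], {"entries": [], "timeout": None, "group": None})
    rest, i = tok[3:], 0
    while i < len(rest):
        word = rest[i]
        if word == "clear":                       # drop every entry
            svc["entries"].clear()
            i += 1
        elif word == "timeout":                   # <number> minutes or never
            value = _arg(rest, i + 1)
            if value != "never":
                value = int(value)
                if not 1 <= value <= MAX_TIMEOUT:
                    raise ValueError(f"timeout must be 1-{MAX_TIMEOUT} minutes or never")
            svc["timeout"] = value
            i += 2
        elif word == "group":                     # one of the five categories
            value = _arg(rest, i + 1)
            if value not in GROUPS:
                raise ValueError(f"unknown group {value!r}")
            svc["group"] = value
            i += 2
        else:
            # entry: [protocol|+] <proto> [src|src-port lo-hi] [dst|dst-port lo-hi]
            if word in ("protocol", "+"):
                i += 1
            entry = {"protocol": _protocol(_arg(rest, i)), "src": FULL_RANGE, "dst": FULL_RANGE}
            i += 1
            while i < len(rest) and rest[i] in ("src", "src-port", "dst", "dst-port"):
                if entry["protocol"] not in ("tcp", "udp"):
                    raise ValueError("port ranges apply only to tcp or udp")
                key = "src" if rest[i].startswith("src") else "dst"
                entry[key] = parse_port_range(_arg(rest, i + 1))
                i += 2
            svc["entries"].append(entry)
    return svc


def matches(table, name, protocol, dst_port, src_port=None):
    """True if a packet with this protocol and ports falls under service `name`."""
    for e in table[name]["entries"]:
        if e["protocol"] != protocol:
            continue
        if protocol in ("tcp", "udp"):
            if not e["dst"][0] <= dst_port <= e["dst"][1]:
                continue
            if src_port is not None and not e["src"][0] <= src_port <= e["src"][1]:
                continue
        return True
    return False


def effective_timeout(table, name):
    """Configured timeout, else the protocol default of the first entry (None if none)."""
    svc = table[name]
    if svc["timeout"] is not None:
        return svc["timeout"]
    return DEFAULT_TIMEOUT.get(svc["entries"][0]["protocol"]) if svc["entries"] else None


SAMPLE_LINES = [   # constructed copies of the examples in this section
    "set service ipsec protocol 50",
    "set service test1 protocol tcp src-port 0-65535 dst-port 1001-1001",
    "set service test2 group remote tcp src 0-65535 dst 10115-10115",
    "set service test2 + udp src 0-65535 dst 10115-10115",
    "set service telnet timeout 10",
]


def load_samples():
    table = {}
    for line in SAMPLE_LINES:
        parse_set_service(line, table)
    return table
```

The parser deliberately refuses a port range on a numeric protocol such as 50 (ESP has no ports) and a timeout above the 40-minute maximum from the Notes, which are the two mistakes most likely to pass unnoticed in a hand-typed configuration.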
set snmp
Description: Use the set snmp command to configure the NetScreen device for Simple Network Management Protocol (SNMP) to gather statistical information from the NetScreen device and receive notification when events of interest occur.
Syntax:
set snmp
  { auth-trap { enable } |
    community <name_str> { read-only | read-write } [ trap-off | trap-on [ traffic ] ] |
    contact <name_str> |
    host <name_str> <ip_addr> |
    location <string> |
    name <name_str> |
    port { listen [ <port_num> ] | trap [ <port_num> ] } |
    vpn }
unset snmp
  { auth-trap { enable } |
    community <name_str> |
    contact |
    host <name_str> <ip_addr> |
    location |
    name |
    port { listen [ <port_num> ] | trap [ <port_num> ] } |
    vpn }
Arguments:
auth-trap enable  Enables Simple Network Management Protocol (SNMP) authentication traps.
community  Defines the name for the SNMP community. It supports a maximum of 3 communities in all products.
read-only  Defines the permission for the community as “read-only.”
read-write  Defines the permission for the community as “read-write.”
trap-on  Enables SNMP traps for the community.
traffic  Includes traffic alarms as SNMP traps.
trap-off  Disables SNMP traps for the community.
contact  Defines the system contact.
host  Defines the IP address of the SNMP host.
host ip  Sets the host’s IP address.
location  Defines the physical location of the system.
name  Defines the name of the system.
port { listen | trap }  Specifies the SNMP listen and trap port.
vpn  SNMP VPN encryption.
Examples:
To configure a community named “public” that allows hosts to read Management Information Base II (MIB II) data, as defined in RFC-1213, and to receive traps:
ns-> set snmp community public read-only trap-on
To configure an SNMP host with IP address 10.20.25.30 for the community named “public”:
ns-> set snmp host public 10.20.25.30
To configure an SNMP host with IP address 10.40.40.15 for a community named “netscreen” with read and write permission, and allow traps to be sent to all hosts in this community:
ns-> set snmp community netscreen read-write trap-on
ns-> set snmp host netscreen 10.40.40.15
See Also:
See the get snmp command.
Notes:
To browse the MIB II data and receive traps, an SNMP manager application (such as HP OpenView™) is required. Many shareware and freeware SNMP manager applications are available from the Internet.
Note: The community must exist before a host may be added to it.
set ssl
Description: Use the set ssl command to configure a Secure Sockets Layer connection.
Syntax:
set ssl
  { cert <number> |
    enable |
    encrypt { 3des { sha-1 } | des { sha-1 } | rc4 { md5 } | rc4-40 { md5 } } |
    port <port_num> }
unset ssl { cert | enable | encrypt | port }
Arguments:
cert <number>  Specifies that the named certificate is required.
enable  Turns on SSL.
encrypt  Enables encryption over the SSL connection.
3des  Sets the 3DES security level.
des  Sets the DES security level.
rc4 md5  Sets the RC4 MD5 security level.
rc4-40 md5  Sets the RC4-40 MD5 security level.
port  Specifies the SSL port number.
Defaults:
The default SSL port is 443.
Examples:
To change the SSL port to 11533:
ns-> set ssl port 11533
To specify triple-DES encryption with SHA-1 authentication hashing:
ns-> set ssl encrypt 3des sha-1
See Also:
See the get ssl command.
set syslog
Description: Use the set syslog command to configure the NetScreen device to send traffic and event messages to the Syslog host.
Syntax:
set syslog
  { VPN |
    config { <name_str> | <ip_addr> }
      { AUTH/SEC | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
      { AUTH/SEC | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 } |
    enable |
    port <port_num> |
    traffic }
unset syslog { <string> | VPN | config | enable | hostname | port | traffic }
Arguments:
VPN  Allows the NetScreen device to send Syslog traffic through a VPN tunnel to the Syslog server. By default, the NetScreen device sends syslog traffic through the Untrusted interface. Executing the VPN option directs the device to send syslog traffic through the Trusted interface. The device uses a security policy to secure this traffic. If the policy specifies encryption, the device encrypts the traffic according to the policy’s VPN configuration before transmission. Executing the unset syslog VPN command resets the device to the default behavior.
config  Defines the configuration settings for the Syslog utility.
<name_str> | <ip_addr>  Defines the name or the IP address of the Syslog host device.
AUTH/SEC | local0…7  Defines the security facility level and the regular facility level. The security facility classifies and sends messages to the Syslog host for security-related actions such as attacks. The regular facility classifies and sends messages for events unrelated to security, such as user logins and logouts, and system status reports.
enable  Enables the NetScreen device to send messages to the Syslog host.
traffic  Enables the NetScreen device to send traffic logs to the Syslog host.
port  Defines the port number on the Syslog host that receives the User Datagram Protocol (UDP) packets from the NetScreen device.
Defaults:
This feature is disabled by default. The default Syslog port number is 514, and the default WebTrends port number is 514.
Examples:
To set the Syslog host configuration with the ability to report all logs:
ns-> set syslog config 172.16.20.249 AUTH/SEC local0 debug
To turn on the Syslog feature:
ns-> set syslog enable
To change the Syslog port number to 911:
ns-> set syslog port 911
See Also:
See the get syslog command.
Note: The Syslog host must be enabled before you can enable Syslog.
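On the collector side, the two facilities chosen with set syslog config are what let security-related messages be separated from ordinary event traffic. The following Python block is an added example, not code from the guide or from NetScreen: it builds the <PRI> header a sender puts in front of a message, decodes it back into facility and severity, and sorts received lines into the security-facility and regular-facility queues. local0 through local7 are RFC 3164 facilities 16 through 23; mapping the guide's AUTH/SEC token to facility 4 (security/authorization) is an assumption made here, not something this section states, and the sample lines are constructed.

```python
"""Added example (not from the NetScreen guide or its code): syslog PRI handling
for the two facilities this section configures.  `pri()` builds the <PRI>
value, `decode()` splits it back into facility and severity, and `route()`
sorts received lines into security-facility and regular-facility queues.
local0-local7 are RFC 3164 facilities 16-23; mapping AUTH/SEC to facility 4 is
an assumption made here, and SAMPLE_LINES are constructed."""
import re

FACILITY_CODES = {"AUTH/SEC": 4}                  # assumption, see docstring
FACILITY_CODES.update({f"local{n}": 16 + n for n in range(8)})
FACILITY_NAMES = {code: name for name, code in FACILITY_CODES.items()}
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def pri(facility, severity):
    """RFC 3164: PRI = facility * 8 + severity."""
    return FACILITY_CODES[facility] * 8 + SEVERITIES.index(severity)


def decode(line):
    """'<PRI>rest' -> (facility name or number, severity name, rest); None if no PRI."""
    m = _PRI_RE.match(line)
    if not m:
        return None
    value = int(m.group(1))
    if value > 191:              # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(value, 8)
    return FACILITY_NAMES.get(facility, facility), SEVERITIES[severity], m.group(2)


def route(lines, security_facility="AUTH/SEC", regular_facility="local0"):
    """Sort lines by the facilities configured with `set syslog config`."""
    queues = {"security": [], "regular": [], "other": [], "malformed": []}
    for line in lines:
        parsed = decode(line)
        if parsed is None:
            queues["malformed"].append(line)
            continue
        facility, severity, text = parsed
        record = (severity, text)
        if facility == security_facility:
            queues["security"].append(record)
        elif facility == regular_facility:
            queues["regular"].append(record)
        else:
            queues["other"].append(record)
    return queues


# Constructed sample lines, as a collector might receive them on UDP port 514.
SAMPLE_LINES = [
    f"<{pri('AUTH/SEC', 'warning')}>ns5xp: admin login attempt failed from 10.1.1.9",
    f"<{pri('local0', 'info')}>ns5xp: system status report: up 3 days",
    f"<{pri('local0', 'notice')}>ns5xp: admin logout",
    "<158>ns5xp: traffic log: src 10.1.1.9 dst 198.51.100.7 service http",  # local3.info
    "ns5xp: line without a PRI header",
]

if __name__ == "__main__":
    for queue, records in route(SAMPLE_LINES).items():
        print(queue, records)
```

Lines with no PRI or an out-of-range PRI go to a malformed queue instead of being dropped, so that a sender misconfiguration (or a forged message) remains visible to whoever reviews the collector.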
set temperature-threshold
Description: Use the set temperature-threshold command to set the normal and severe temperature thresholds for triggering temperature alarms.
Syntax:
set temperature-threshold
  { alarm { celsius <number> | fahrenheit <number> } |
    severe { celsius <number> | fahrenheit <number> } }
unset temperature-threshold
  { alarm { celsius <number> | fahrenheit <number> } |
    severe { celsius <number> | fahrenheit <number> } }
Arguments:
severe { celsius <number> | fahrenheit <number> }  Defines the temperature required to trigger a severe alarm, which increases the frequency of audible alarms and entries to the alarm event log.
Examples:
To set the normal temperature alarm threshold at 150° Fahrenheit:
ns-> set temperature-threshold alarm fahrenheit 150
To set the severe temperature alarm threshold at 70° Celsius:
ns-> set temperature-threshold severe celsius 70
See Also:
See the get temperature command.
set timer
Description: Use the set timer command to configure the NetScreen device to automatically execute a management or diagnosis functionality at a specified time.
All timer settings remain in the configuration script even after the specified time has expired.
Syntax:
set timer <date_str> <time_str> action reset
unset timer <id_num>
Arguments:
<date_str>  Specifies the date when the NetScreen device executes the defined action. Date is in <mm/dd/yyyy> format.
<time_str>  Specifies the time when the NetScreen device executes the defined action. Time is in <hh:mm> format.
action  Defines the event that the command triggers at the given date and time.
reset  Resets the timer.
<number>  Identifies the specific action by its ID number in the list of timer settings generated by the set timer command.
Defaults:
None.
Examples:
To configure NetScreen to reset at a given time and date:
ns-> set timer 1/31/2000 19:00 action reset
See Also:
See the get timer command.
set traffic-shaping
Description: Use the set traffic-shaping command to determine the settings for the system with the traffic-shaping function.
Syntax:
set traffic-shaping
  { ip_precedence <number> <number> <number> <number> <number> <number> <number> <number> |
    mode { auto | off | on } }
unset traffic-shaping mode { ip_precedence | mode }
Arguments:
ip_precedence  Specifies the Priorities 0 through 7 for IP precedence (TOS) mapping. Each setting should be a single-digit value.
mode { auto | off | on }  Defines the mode settings for the system with the traffic-shaping function. If you select auto, the system automatically determines the mode settings. If there is at least one policy in the system with traffic-shaping turned on, the system automatically sets the mode to on. If there is no such policy, the auto mode default setting is off.
Defaults:
By default, the traffic shaping function is set up to automatic mode.
Examples:
To turn on the traffic shaping function:
ns-> set traffic-shaping mode on
See Also:
See the get traffic-shaping command.
set url
Description: Use the set url command to enable URL filtering. URL filtering is provided by a Websense server.
Syntax:
set url
  { config { disable | enable } |
    fail-mode { block | permit } |
    message <string> |
    msg-type <number> |
    no-block <name_str> <name_str> |
    server { <name_str> | <ip_addr> } { <port_num> <number> } }
unset url { config | fail-mode | message | msg-type | server }
Arguments:
config { enable | disable }  Enables or disables URL filtering by the Websense server.
fail-mode { block | permit }  If connection to the Websense server is lost, this either blocks or permits all HTTP requests.
message <string>  Defines a custom message, fewer than 220 characters in length, to send to the client who is blocked from reaching a URL.
msg-type <number>  A 0 uses the message sent by the Websense server. A 1 uses the user-defined message from the NetScreen device.
no-block <name_str1> <name_str2>  Disables blocking from one interface (<name_str1>) to another interface (<name_str2>).
server <name_str> | <ip_addr>  Defines communication with a Websense server with a domain name (www.abc.com) or IP address <ip_addr>, using port number <port_number> with a timeout value <number> in seconds. The timeout value specifies how long the NetScreen device waits for a response from the Websense server before it either blocks or permits traffic to the URL.
Defaults:
The default port number for a Websense server is 15868. The default failmode behavior is to block all HTTP requests. The Websense server is the default source of a message which indicates that user access to a URL is blocked.
Examples:
To disable blocking from interface ethernet3/1 to interface ethernet4/2:
ns-> set url no-block ethernet3/1 ethernet4/2
To enable the URL blocking feature:
ns-> set url config enable
To define the URL blocking message to “This site is blocked”:
ns-> set url message “This site is blocked”
To use the message from the NetScreen device:
ns-> set url msg-type 1
To specify communication with a Websense server with the IP address 172.16.150.6 at port 15868 and a timeout value of 10 seconds:
ns-> set url server 172.16.150.6 15868 10
See Also:
See the get url and get url-filter commands.
������!//%��"
+�����
����(���ntication database. There are
�������������� ������������
Description: Use the set user command to create entries in the internal user authethe four basic categories of users:
• Dialup users (for using Manual Key VPNs)
• Authentication users (for using network connections)
• IKE users (for using AutoKey IKE VPNs)
• Authentication/IKE users
�0��%1set user <name_str>
{dialup <spi_num> <spi_num>
{ah { md5 | sha-1 }
{ key <key_hex> | password <pswd_str> } |esp
{3des | des | aes128
{ key <key_hex> | password <pswd_str> } |null
[ auth{ md5 | sha-1
{key <key_hex> |password <pswd_str>}
}]
}outgoing-interface <interface>} |
disable |enable |
������!//%��"
+�3���
al and remote security parameter a particular encrypted tunnel from imal value between 1000 and s as the remote SPI number at the
�������������� ������������
ike-id{ip <ip_addr> |fqdn <name_str> |u-fqdn <name_str> |asn1-dn
{[ container <name_str> ]
{ wildcard <name_str> }[ share-limit <number> ] |
password <pswd-str> |remote-settings
{dns1 <ip_addr> |dns2 <ip_addr> |ipaddr <ip_addr> |ippool <name_str> |wins1 <ip_addr> |wins2 <ip_addr>} |
type{ [ auth ] [ ike ] [ l2tp ] }
}
unset user <string> [ type { auth [ ike ] } ]
��)�/���"
user <name_str> Defines the user’s name.
dialup <spi_num> <spi-num> For Manual Key VPN method only. Defines locindex (SPI) numbers that uniquely distinguish any others. This parameter must be a hexidec2fffffff. The local SPI number at one end serveother end and vice-versa.
������!//%��"
+�����
ines the use of the Encapsulating
(3DES) algorithm.
AES), 128-bit encryption.
3DES algorithm. This value must
xidecimal key. The NetScreen based upon the password string
DES algorithm.
rotocol.
hoices are MD5 or SHA-1. (Note: -1.)
(AH) protocol. Choices are MD5 o not support SHA-1.)
rsion 5 (MD5) algorithm for
e MD5 algorithm.
ithm (SHA-1) algorithm for
e SHA-1 algorithm.
lowing: authentication, IKE, L2TP, ntication/IKE/L2TP, or IKE/L2TP.
tabase. By default, the user is
�������������� ������������
esp For VPN dialup users and dynamic peers. DefSecurity Payload (ESP) protocol.
3des Specifies the Triple Data Encryption Standard
aes128 Specifies the Advanced Encryption Standard (
key <key_hex> Defines the 192-bit hexidecimal key used in thebe between 1000 and 2fffffff.
password <pswd_str> Defines a password for the generation of a hedevice creates a hexidecimal key for the user that the user provides.
des Specifies the DES encryption algorithm.
key <key_hex> Defines the 64-bit hexidecimal key used in the
null Defines “no encryption method” for the ESP p
auth Defines the use of an authentication method. CSome NetScreen devices do not support SHA
ah Defines the use of the Authentication Header and SHA-1. (Note: Some NetScreen devices d
md5 Sets the device to use the Message Digest veauthentication.
key <key_hex> Defines the 16-byte hexidecimal key used in th
sha-1 Sets the device to use the Secure Hash Algorauthentication.
key <key_hex> Defines the 20-byte hexidecimal key used in th
type { [ auth ] [ ike ] [ l2tp ] } Sets the user type, which can be one of the folauthentication/IKE, authentication/L2TP, authe
disable | enable Disables or enables the user in the internal daenabled.
ike-id { <ip_addr> | <name_str> }   Adds and defines an AutoKey IKE dialup user.
• ip <ip_addr>   The IP address of the dialup user.
• fqdn <name_str>   The Fully Qualified Domain Name, the complete string, such as www.netscreen.com.
• u-fqdn <name_str>   Specifies the dialup user identity, usually equivalent to an email address, such as [email protected].
• asn1-dn { wildcard <name_str> }   Specifies the user certificate distinguished name fields and field values that define user identity. Example: “o=ACME,ou=Marketing”. This user identity automatically allows tunnel communication with any user having a certificate containing these field values. The NetScreen device does not check any fields not defined here. The number of users that can establish tunnels concurrently using this identity is set by the share-limit <number> parameter. If the VPN gateway uses preshared keys, the share limit is limited to 1, so only a single user can log in with that identity.
password <pswd_str>   The password used for user authentication. For authentication/L2TP users, the same password is for both network and L2TP authentication.
outgoing-interface <interface>   The name of the ARP interface in the ARP table entry. The interfaces you can use for the ARP interface are as follows.
- ethernet<n>
- ethernet<n1>/<n2>
- ethernet<n1>.<n2>
- ethernet<n1>/<n2>.<n3>
- v1-trust
- v1-untrust
- v1-dmz
For more information on interfaces, refer to Interfaces in USGA Features.
remote settings   Defines user-specific remote L2TP settings that supersede the default L2TP settings.
dns1 <ip_addr>   The IP address of the primary DNS server assigned to an L2TP user.
dns2 <ip_addr>   The IP address of the secondary DNS server assigned to an L2TP user.
idaddr <ip_addr>   Assigns a specific IP address to an L2TP user.
ippool <name_str>   Specifies the L2TP IP pool with the name <name_str>.
wins1 <ip_addr>   The IP address of the primary WINS server assigned to an L2TP user.
wins2 <ip_addr>   The IP address of the secondary WINS server assigned to an L2TP user.
Defaults:
Users are enabled by default.
Examples:
To create an authentication user in the NetScreen internal database for user guest with the password JnPc3g12:
ns-> set user guest password JnPc3g12
To change the user guest to an authentication/L2TP user:
ns-> set user guest type auth l2tp
To create a dialup user named maryj using DES encryption based on the password ipsecmaryj, and with a local-spi defined as 3456 and remote-spi defined as 7890:
ns-> set user maryj dialup 3456 7890 esp des password ipsecmaryj
To create an IKE user named branchsf with the IKE-ID number 2.2.2.2:
ns-> set user branchsf ike-id 2.2.2.2
To delete the user named jane:
ns-> unset user jane
To create a new user definition named “marketing” that recognizes up to 10 hosts possessing certificates containing “ACME” in the O field, and “Marketing” in the OU field:
ns-> set user “marketing” ike-id asn1-dn wildcard “o=ACME,ou=Marketing” share-limit 10
This command uses Group IKE ID, which allows multiple hosts to use a single user definition.
See Also:
See the get user, set ike, set l2tp, set ippool, and set vpn commands.
set vpn
Description: Use the set vpn command to create a Virtual Private Network (VPN) tunnel.
NetScreen devices support two key methods for VPNs, AutoKey IKE and Manual Key. AutoKey IKE (Internet Key Exchange) is a standard protocol that automatically regenerates encryption keys at user-defined intervals. By contrast, Manual Key VPNs use predefined keys that are unchanged until the participants change them explicitly.
Attempting to use the SHA-1 parameter with a NetScreen device that does not support it generates the error message This device doesn’t support SHA-1 Authentication.
Entering the set vpn <name_str> trust gateway command generates the error message AutoKey VPN is not supported on trust interface.
Syntax:
set vpn <name_str>
  [ trust ]
  { monitor |
    gateway { <name_str> | <ip_addr> }
      { [ replay | no-replay ]
        [ transport | tunnel ] [ idletime <number> ]
        [ proposal [ <name_str> [ <name_str> [ <name_str> [ <name_str> ] ] ] ] ]
      } |
    manual <32_bit_hex> <32_bit_hex>
      { gateway { <ip_addr> }
        { [ nat-traversal
            [ keepalive-frequency <number> ] [ udp-checksum ]
            [ ip-gateway-public <ip_addr> ] { port-gateway-public <number> }
          ]
          [ outgoing-interface <interface> ]
          { ah { md5 | sha-1 } { key <16_byte_hex> | password <pswd-str> } |
            esp { 3des { key <192-bit_hex> | password <pswd_str> } |
                  des { key <64-bit_hex> | password <pswd_str> } |
                  aes128 { key <128-bit_hex> | password <pswd_str> } |
                  null }
              [ auth md5 | sha-1 { key <16_byte_hex> | password <pswd-str> } ]
          }
        }
      } |
    proxy-id <name_str> { local-ip <ip_addr>/<mask> } { remote-ip <ip_addr>/<mask> } { <name_str> } |
    df-bit { clear | copy | set } |
    bind { interface <interface> | zone <name_str> }
  }
unset vpn <vpn_name> [ monitor ]
Arguments:
vpn <name_str>   Defines a name for the VPN.
trust   Specifies the Trusted interface.
gateway <name_str>   Specifies the name of the remote security gateway. (This can be a NetScreen unit or any other IPSec-compatible device.)
replay | no-replay   Enables or disables replay protection. The default setting is no-replay.
transport | tunnel   Defines the IPSec mode. In tunnel mode, the active IP packet is encapsulated. In transport mode, no encapsulation occurs. Tunnel mode is appropriate when both end points in an exchange lie beyond gateway devices. Transport mode is appropriate when either end point is a gateway.
idletime <number>   The length of time in minutes that a connection can remain inactive before the NetScreen device terminates it.
proposal <name_str>   Defines up to four Phase 2 proposals. A Phase 2 proposal determines how a NetScreen device sends VPN session traffic.
manual <32_bit_hex> <32_bit_hex>   Specifies a Manual Key VPN. When the NetScreen device is in Manual mode, you can encrypt and authenticate by HEX key or password. <32_bit_hex> and <32_bit_hex> are 32-bit local and remote security parameters index (SPI) numbers. Each SPI number uniquely distinguishes a particular tunnel from any other active tunnel. Each must be a hexadecimal value between 3000 and 2fffffff. The local SPI corresponds to the remote SPI at the other end of the tunnel, and vice-versa.
gateway <ip_addr>   Defines the Untrusted IP address of the remote security gateway. This can be a NetScreen unit or any other IPSec-compatible device.
ah   Specifies the Authentication Header (AH) protocol to authenticate IP packet content. Hashing algorithm choices are MD5 and SHA-1.
local-interface   Specifies the local interface of the NetScreen device.
md5   Specifies the Message Digest 5 (MD5) algorithm for authentication.
key <16_byte_hex>   Defines a 16-byte hexadecimal key, which the NetScreen device uses to produce a 128-bit message digest (or hash) from the message.
sha-1   Specifies the Secure Hash Algorithm (version) 1 (SHA-1) algorithm for authentication.
esp   Specifies the use of the Encapsulating Security Payload (ESP) protocol, which the NetScreen device uses to encrypt and authenticate IP packets. Encryption algorithm choices are DES, 3DES and Null (for “no encryption”).
3des   Specifies the Triple Data Encryption Standard (3DES) encryption algorithm.
key <192_bit_hex>   Defines a 192-bit hexadecimal key for 3DES encryption.
des   Specifies the Data Encryption Standard (DES) encryption algorithm.
key <64-bit hex>   Defines a 64-bit hexadecimal key for DES encryption.
aes128   Specifies the Advanced Encryption Standard (AES), 128-bit encryption.
key <128-bit hex>   Defines a 128-bit hexadecimal key for AES encryption.
null   When used with ESP, specifies “no encryption method.” When used with auth, specifies “no authentication method.”
password <pswd_str>   Specifies a password that the NetScreen device uses to generate an encryption or authentication key automatically.
nat-traversal   Configures the VPN to work with NAT.
• ip-gateway-public <ip_addr>   Specifies the peer gateway’s public IP address.
• keepalive-frequency <number>   Specifies the keepalive frequency.
• port-gateway-public <number>   Specifies the peer gateway’s public IKE port number.
• udp-checksum   Enables the NAT-Traversal UDP checksum.
outgoing-interface <interface>   The name of the outgoing interface. The interfaces you can use for the outgoing interface are as follows.
- ethernet<n>
- ethernet<n1>.<n2>
- ethernet<n1>/<n2>
- ethernet<n1>/<n2>.<n3>
- v1-trust
- v1-untrust
- v1-dmz
For more information on interfaces, refer to Interfaces in USGA Features.
proxy-id   Specifies the combination of local and remote addresses used by the VPN tunnel, and specifies the service provided.
• local-ip <ip_addr>/<mask>   The IP address and subnet mask of the local subnet.
• remote-ip <ip_addr>/<mask>   The IP address of the remote subnet.
• <name_str>   The name of the service, such as FTP, TELNET, DNS or HTTP.
auth   Specifies the use of an authentication (hashing) method. The available choices are MD5 or SHA-1. (Some NetScreen devices do not support SHA-1. See below for more information.)
monitor   Monitors the specified VPN, sending SNMP MIB3 data and traps to an SNMP community.
df-bit   Determines how the NetScreen device handles the Don’t Fragment (DF) bit in the outer header.
• clear   Clears (disables) the DF bit from the outer header.
• copy   Copies the DF bit to the outer header.
• set   Sets (enables) the DF bit in the outer header.
bind   Performs VPN binding.
- interface <interface>   Specifies the tunnel interface to use for VPN binding.
- zone <name_str>   Specifies the security zone to use for VPN binding.
Defaults:
The key lifetime is set to 3600 seconds.
The ESP authentication algorithm is NONE when not specified otherwise.
Examples:
To create a manual VPN named “judy” with the following features:
• local and remote SPIs defined as 00001111 and 00002222
• the remote gateway IP address set at 172.16.33.2
• ESP with DES and MD5 using keys generated from the password “judyvpn”
ns-> set vpn judy manual 00001111 00002222 gateway 172.16.33.2 esp des password judyvpn auth md5 password judyvpn
To specify a vpn proxy configuration named prx_main:
ns-> set vpn x proxy-id local-ip 172.16.1.1/24 remote-ip 192.168.2.2/24 prx_main
To create an AutoKey IKE VPN named “tuval” with the following features:
• remote gateway “funaf” (previously specified using the set ike gateway command)
• replay protection enabled
• a Phase 2 proposal consisting of a Diffie-Hellman Group 2 exchange
• ESP with Triple DES and SHA-1
ns-> set vpn tuval gateway funaf.com replay proposal g2-esp-3des-sha
See Also:
See the get vpn, set vpnmonitor, and set ike commands. The set ike command section contains the complete steps for setting up a VPN tunnel.
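As an added example (not NetScreen code), the following Python checks a `set vpn <name> manual ...` line against the constraints the argument table above states: SPIs are 32-bit hex values between 3000 and 2fffffff, and each HEX key has a fixed size (3DES 192-bit, DES 64-bit, AES128 128-bit, MD5 16-byte, SHA-1 20-byte). The sample commands, the message wording, and the assumption that nat-traversal and outgoing-interface options may sit between the gateway and the protocol keyword are this example's own.

```python
import re
import shlex

# SPI bounds given in the set vpn argument table (hexadecimal).
SPI_MIN, SPI_MAX = 0x3000, 0x2FFFFFFF

# Hex digits required for each HEX key, from the key sizes the page lists:
# 3DES 192-bit, DES 64-bit, AES128 128-bit, MD5 16-byte, SHA-1 20-byte.
KEY_HEX_DIGITS = {"3des": 48, "des": 16, "aes128": 32, "md5": 32, "sha-1": 40}

HEX_RE = re.compile(r"[0-9a-fA-F]+")


def check_spi(spi):
    """Return problems for one SPI token (32-bit hex, 3000..2fffffff)."""
    if not re.fullmatch(r"[0-9a-fA-F]{1,8}", spi):
        return ["SPI %r is not a 32-bit hex value" % spi]
    if not SPI_MIN <= int(spi, 16) <= SPI_MAX:
        return ["SPI %r outside 3000..2fffffff" % spi]
    return []


def check_keyed(tokens, i, alg):
    """Validate 'key <hex>' or 'password <str>' at tokens[i] for algorithm alg.

    Returns (problems, index of the next unread token).
    """
    if i >= len(tokens) or tokens[i] not in ("key", "password"):
        return ["%s: expected key or password" % alg], i
    if i + 1 >= len(tokens):
        return ["%s: missing value after %s" % (alg, tokens[i])], i + 1
    kind, val = tokens[i], tokens[i + 1]
    if kind == "key":
        want = KEY_HEX_DIGITS[alg]
        if not HEX_RE.fullmatch(val):
            return ["%s: key is not hexadecimal" % alg], i + 2
        if len(val) != want:
            return ["%s: key has %d hex digits, expected %d" % (alg, len(val), want)], i + 2
    return [], i + 2


def lint_manual_vpn(cmd):
    """Return a list of problems found in a 'set vpn <name> manual ...' line."""
    tokens = shlex.split(cmd)
    if len(tokens) < 8 or tokens[:2] != ["set", "vpn"] or tokens[3] != "manual":
        return ["not a 'set vpn <name> manual <spi> <spi> gateway ...' command"]
    problems = check_spi(tokens[4]) + check_spi(tokens[5])
    if tokens[6] != "gateway":
        return problems + ["expected 'gateway <ip_addr>' after the two SPIs"]
    # Assumption: nat-traversal / outgoing-interface options may precede the
    # protocol keyword, so skip ahead to 'ah' or 'esp'.
    i = next((k for k, t in enumerate(tokens) if t in ("ah", "esp")), None)
    if i is None:
        return problems + ["expected 'ah' or 'esp' after the gateway"]
    proto = tokens[i]
    alg = tokens[i + 1] if i + 1 < len(tokens) else ""
    if proto == "ah":
        if alg not in ("md5", "sha-1"):
            return problems + ["ah: hashing algorithm must be md5 or sha-1"]
        more, i = check_keyed(tokens, i + 2, alg)
        return problems + more
    if alg not in ("3des", "des", "aes128", "null"):
        return problems + ["esp: encryption must be 3des, des, aes128 or null"]
    i += 2
    if alg != "null":
        more, i = check_keyed(tokens, i, alg)
        problems += more
    if i < len(tokens) and tokens[i] == "auth":
        halg = tokens[i + 1] if i + 1 < len(tokens) else ""
        if halg not in ("md5", "sha-1"):
            return problems + ["auth: hashing algorithm must be md5 or sha-1"]
        more, i = check_keyed(tokens, i + 2, halg)
        problems += more
    return problems


# Constructed sample commands (not from the page).
GOOD_CMD = ("set vpn lab manual 00003456 00007890 gateway 10.0.0.2 "
            "esp 3des key " + "0123456789abcdef" * 3 + " auth sha-1 key " + "00" * 20)
BAD_CMD = ("set vpn lab manual 00001111 0000222g gateway 10.0.0.2 "
           "esp des key 0123456789abcdef auth md5 password secret")

if __name__ == "__main__":
    for cmd in (GOOD_CMD, BAD_CMD):
        print(cmd)
        print("  " + ("; ".join(lint_manual_vpn(cmd)) or "ok"))
```

Applied to the judy example above, the checker flags both SPIs, because 00001111 and 00002222 fall below the 3000 lower bound that the argument table states.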
set vpnmonitor
Description: Use the set vpnmonitor command to set the monitor frequency.
Syntax:
set vpnmonitor frequency { <number> }
unset vpnmonitor frequency
Arguments:
frequency <number>   Specifies the monitor frequency interval. The interval length in seconds is <number> multiplied by 10.
Defaults:
None.
Examples:
To set a vpnmonitor with a frequency of 30 seconds:
ns-> set vpnmonitor frequency 3
See Also:
See the get vpnmonitor, get vpn, and set ike commands.
set vrouter
Description: Use the set vrouter command to configure a virtual router.
Syntax:
set vrouter <name_str>
  [ access-list <number> { deny | permit } { ip <ip_addr>/<mask> } |
    auto-route-export |
    import-from | export-to { vrouter <name_str> } { ip <ip_addr>/<mask> } |
    id <number> |
    max-routes <number> |
    route <ip_addr>/<mask> { [ interface <interface> ] gateway <ip_addr> [ metric <number> ] | vrouter <name_str> } |
    router-id <number> | <ip_addr> ]
unset config
Arguments:
access-list <number>   Adds IP addresses to the virtual router, and specifies which addresses the NetScreen device routes (permit) and does not route (deny). The <ip_addr>/<mask> value identifies the IP address to place in the virtual router.
auto-route-export   Exports public interface routes to the untrust-vr virtual router.
import-from | export-to   Imports routes from another virtual router (import-from) or exports routes to another virtual router (export-to). The vrouter <name_str> parameter identifies the other virtual router by name. The <ip_addr>/<mask> value identifies the IP address route to import or export.
id <number>   Creates a new virtual router with ID number <number>.
max-routes <number>   Specifies the maximum number of routing entries allowed in the vrouter.
route <ip_addr>/<mask>   Configures a route in the virtual routing table.
router-id <number> | <ip_addr>   Specifies the virtual router ID for ospf/bgp.
Examples:
To create a new virtual router named Out_Route, with ID number 1035:
ns-> set vrouter Out_Route id 1035
To import a route with IP address 192.168.2.3/24 to vrouter Out_Route from virtual router untrust-vr:
ns-> set vrouter Out_Route import-from vrouter untrust-vr ip 192.168.2.3/24
See Also:
See the get vrouter command.
set vsys
Description: Use the set vsys command to create virtual systems from the root level of a NetScreen device.
Syntax:
set vsys <name_str>
unset vsys <name_str>
Arguments:
<name_str>   Defines the name of a virtual system and automatically places the root level admin within the virtual system. Subsequent commands configure the newly created virtual system.
Defaults:
The default condition is no virtual systems configured.
Examples:
To create a virtual system named organization3 and switch the console to the new virtual system:
ns-> set vsys organization3
See Also:
See the get vsys, set interface and enter vsys commands.
Notes:
The NetScreen-500 and -1000 provide multi-tenant services through virtual systems, each a unique security domain with its own settings and management.
When you execute the set vsys command, the command prompt changes to indicate that you are now operating within a virtual system.
To access an existing virtual system, execute the enter vsys command. Use the unset vsys command to remove a specific virtual system and all its settings.
Note: The number of virtual systems depends on the quantity obtained via the virtual system software_key feature.
The virtual system user software_key only allows you to configure up to 25 virtual systems.
set webtrends
Description: Use the set webtrends command to configure WebTrends.
Syntax:
set webtrends { vpn | enable | host-name <name_str> | port <port_num> }
unset webtrends { vpn | enable | host-name <name_str> | port <port_num> }
Arguments:
vpn   Enables WebTrends VPN encryption.
enable   Enables WebTrends.
host-name <name_str>   Specifies the WebTrends host name.
port <port_num>   Specifies the WebTrends host port.
This feature is supported on all NetScreen devices.
Defaults:
None.
Examples:
To set the WebTrends VPN encryption:
ns-> set webtrends vpn
To enable WebTrends:
ns-> set webtrends enable
See Also:
See the set vsys-traffic command.
set zone
Description: Use the set zone command to create or configure a security zone.
Syntax:
set zone
  { id <id_num> | <name_str> { block | vrouter <name_str> } |
    name <zone> { L2 <id_num> | tunnel <name_str> }
  }
unset zone <interface> [ name <name_str> ]
Arguments:
id <id_num>   The identification number of the zone.
<name_str>   The name of the zone. For more information on zones and zone names, see Security Zones in USGA Features.
block   Imposes intra-zone blocking.
vrouter <name_str>   Binds the zone to a virtual router.
name <zone>   Creates a new zone with name <zone>.
• L2 <id_num>   Specifies that the zone is Layer-2. Use Layer-2 zones when you need to run the NetScreen device in Transparent Mode.
• tunnel <name_str>   Specifies that the zone is a VPN tunnel zone.
Examples:
To create a new Layer-2 zone named Marketing, with VLAN ID number 3:
ns-> set zone name Marketing L2 3
To impose inter-zone blocking on the Trust zone:
ns-> set zone trust block
To create a tunnel zone named Engineering:
ns-> set zone name Engineering tunnel Tunn_Zone
See Also:
See the get zone and set config commands.
get commands
Use the get commands to display system configuration parameters and data on the console.
If you wish to redirect the output of a get command to a TFTP server as a text file, enter a greater-than sign ( > ) for every get command.
get address > tftp <ip_addr> <filename>
Example: ns-> get address > tftp 172.16.3.4 addr.txt
• As you execute CLI commands using the syntax descriptions in this chapter, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the get vsys command, which is available on a NetScreen-500 device, but not on a NetScreen-208 device. Similarly, some command options are unavailable on certain models. For example, the ha1 and ha2 switches under the get counter flow interface command are available on the NetScreen-500 but not on the NetScreen-208.
get address
Description: Use the get address command to display the address book entries assigned to security zones.
Syntax:
get address <zone> [ group <name_str> ]
  [ > tftp <ip_addr> <filename> ]
Arguments:
zone   The address book’s security zone. For more information on zones, see Security Zones in USGA Features.
group <name_str>   Specifies an address group within the address book.
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples:
To display only Address Book entries for the Trusted interface:
ns-> get address trust
To display a specific address group named “sales” on the Trusted interface:
ns-> get address trust group sales
To direct Address Book entries for the Untrusted interface to a file named genr.otp on the TFTP server:
ns-> get address untrust > tftp 172.16.10.10 genr.otp
See Also:
See the set address command.
Notes:
The display for each Address Book entry shows the name, IP address, netmask, flag, and comments for the entry.
get admin
Description: Use the get admin command to display the system administration parameters.
The display for each address book entry shows the name, IP address, and netmask, or domain name, flag, and comments for the entry.
Syntax:
get admin
  [ auth [ settings ] | current-user | manager-ip | user [ cache | login ] | scs { all } ]
  [ > tftp <ip_addr> <filename> ]
Arguments:
auth [ settings ]   Displays authentication settings for administrators. (Compare this command with the get auth command, which displays the authentication settings for users.) For admin authentication, you can use the internal database or a RADIUS server. For user authentication, you can use the internal database, a RADIUS server or an LDAP server.
current-user   Lists only the name of the current user; that is, the one entering the command.
manager-ip   Displays the IP address and netmask of the management workstation.
user   Lists the names of the administrators for the device:
• cache   Lists all remote admin users.
• login   Lists current users of all login sessions.
scs { all }   Lists all admin users, and indicates which users are SCS password authentication (PWA) enabled.
> tftp <ip_addr> <filename>   Directs generated output to a file (<filename>) on the TFTP server (<ip_addr>).
Examples:
To show all the administrative parameters for the NetScreen device:
ns-> get admin
To show the names of the administrators:
ns-> get admin user
See Also:
See the set admin command.
Notes:
The get admin command displays the following system administration and configuration parameters:
• The system IP address and port number for Web management
• The e-mail alert status
• The e-mail server IP address or server name
• The remote e-mail address or addresses for the recipients of e-mail alerts
• The remote e-mail address or addresses for the recipients of e-mail alert notification
• The configuration format (DOS or UNIX)
get alarm
Description: Use the get alarm command to display alarm entries.
Syntax:
get alarm
  { event
      [ type <number> [ -<number> ] |
        module { system | all-modules } |
        [ level { emergency | alert | critical | error | warning | notification | information | debugging | all-levels } [ type ] ]
      ]
      [ start-time <string> ] [ end-time <string> ]
      [ include <string> ] [ exclude <string> ] |
    traffic
      [ policy { <pol_num> [ -<pol_num> ] } ] [ service <name_str> ]
      [ src-address <ip_addr> ] [ dst-address <ip_addr> ]
      [ detail
        [ start-time <string> ] [ end-time <string> ]
        [ minute | second
          [ threshold <number> [ -<number> ] ]
          [ rate <number> [ -<number> ] ]
        ] |
        threshold
      ]
  }
  [ > tftp <ip_addr> <filename> ]
Arguments:
event   Specifies event alarm entries.
level   Specifies the security level of alarms to display. The all-levels option displays all security levels.
module   Specifies alarms to display according to the ScreenOS module that generated them.
type <number> [ -<number> ]   Message type. Enter a specific type, or a range of types.
begin <string>   Displays event alarm entries that follow a specified alarm event.
end-time <string>   Displays event alarm entries or traffic alarm entries that occurred at and before the time specified. The format for <string> is mm/dd[/yy]-hh:mm:ss. You can omit the year (the current year is the default), or express the year using the last two digits or all four digits. The hour, minute, and second are optional. The delimiter between the date and the time can be a space, a dash, or an underscore: 12/31/2001-23:59:00 or 12/31/2001_23:59:00
exclude <string>   Displays event alarm entries that exclude the detail specified.
include <string>   Displays event alarm entries that include the detail specified.
start-time <string>   Displays event alarm entries or traffic alarm entries that occurred at the specified time or after. The format for <string> is mm/dd[/yy]-hh:mm:ss. You can omit the year (the current year is the default), or express the year using the last two digits or all four digits. The hour, minute, and second are optional. The delimiter between the date and the time can be a space, a dash, or an underscore: 12/31/2001-23:59:00 or 12/31/2001_23:59:00
traffic   Specifies traffic alarm entries.
policy { <pol_num> | <pol_num> - <pol_num> }   Displays traffic alarm entries for an Access Policy specified by its ID number or for several Access Policies specified by a range of ID numbers. The ID number can be any value between 0 and the total number of established Access Policies. To define a range, enter the starting and ending ID numbers as follows: <pol_num> - <pol_num>
service <name_str>   Displays traffic alarm entries for a specified Service, such as TCP, ICMP, or FTP. (To display all services, make the <name_str> value Any.) The name does not have to be complete; for example, both TC and CP are recognized as TCP. Although you cannot specify a Service group, note that because TP is recognized as FTP, HTTP, and TFTP, entering TP displays traffic alarm entries for all three of these Services.
src-address <ip_addr>   Displays traffic alarm entries originating from a specified IP address or from a specified direction, such as Inside_Any or Outside_Any.
dst-address <ip_addr>   Displays traffic alarm entries destined for a specified IP address or for a specified direction, such as inside_any or outside_any.
detail   Displays detailed information for each Access Policy, including all traffic alarm entries that occurred under the policy. If you omit this option, the output contains only general information and the time of the most recent alarm for each policy.
second | minute   Displays traffic alarm entries for Access Policies with threshold settings at bytes/second or bytes/minute.
threshold { <number> | <number>-<number> }   Displays traffic alarm entries for Access Policies with threshold settings at a specified value or within a specified range.
rate { <number> | <number>-<number> }   Displays traffic alarm entries for Access Policies with a flow rate at a specified value or within a specified range.
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Defaults:
If you execute get alarm without options or parameters, the command displays all alarm entries and Access Policy information. The get alarm event command displays all event alarm entries, and the get alarm traffic command displays all traffic alarm entries.
Examples:
To display all alarm entries:
ns-> get alarm
To show event alarm entries:
ns-> get alarm event
To show all traffic alarm entries:
ns-> get alarm traffic
To show traffic alarm entries for an Access Policy with ID number 4:
ns-> get alarm traffic policy 4
To show all event alarm entries from 1:30 P.M. on February 28, 2000:
ns-> get alarm event start-time 02/28/2000-13:30
To show all event alarm entries from 1:30 P.M. to 1:39:59 P.M. on February 28, 2000:
ns-> get alarm event start-time 02/28/00_13:30 end-time 02/28_13:39:59
To show all event alarm entries from 1:30 P.M. to 1:39:59 P.M. on February 28, 2000 except for Access Policy changes:
ns-> get alarm event start-time 02/28/00_13:30 end-time 02/28_13:39:59 exclude “policy change”
To show all event alarm entries on traffic originating from the Trusted side:
ns-> get alarm event include trust exclude untrust
Note: Because strings are not considered whole words, include trust shows all events for the Trusted as well as Untrusted interfaces. To restrict the display to events from the Trusted side, add the exclude untrust string.
To show traffic alarm entries for HTTP service:
ns-> get alarm traffic service http
To show traffic alarm entries for all traffic originating from the Untrusted side:
ns-> get alarm traffic src outside_any
To show traffic alarm entries for all incoming traffic destined for the server with IP address 172.16.1.24:
ns-> get alarm traffic src outside_any dst 172.16.1.24
To show emergency-level alarms:
ns-> get alarm event level emergency
To show detailed information on all traffic alarm entries:
ns-> get alarm traffic detail
To show detailed information on traffic alarm entries for all Access Policies with alarm thresholds set within the range of 1000 to 20,000 bytes/second:
ns-> get alarm traffic detail second threshold 1000-20000
To show detailed information on all traffic alarm entries with the following characteristics:
• outgoing traffic
• using TCP
• operating under Access Policies
• within the ID range of 3 to 7
• on May 27, 2000 from 4:00 P.M. to 4:59:59 P.M.
ns-> get alarm traffic policy 3-7 service TCP src inside_any detail start-time 05/27/00_16:00 end-time 05/27_16:59:59
See Also:
See the clear alarm command.
Notes:
The console displays the maximum number of alarms that the NetScreen device can maintain and the current number of entries in the table.
When you execute get alarm from within a Virtual System or from within the main system on the NetScreen-1000, the command displays only entries from that system. Alarm entries from other Virtual Systems do not appear.
get alias
Description: Use the get alias command to list aliases representing CLI commands.
Syntax:
get alias
Arguments:
None.
Defaults:
None.
Examples:
The following command lists all alias assignments.
ns-> get alias
See Also:
See the set alias command.
get arp
Description: Use the get arp command to display the entries in the Address Resolution Protocol (ARP) table.
The get arp command displays the following information for each entry:
• The IP address of the system sending network traffic through the NetScreen device
• The system’s MAC address
• The name of the interface connected to the system
• The age of the entry in seconds
The ARP table contains a maximum of 256 entries.
Syntax:
get arp
  [ > tftp <ip_addr> <filename> ]
Arguments:
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples:
To display all the entries in the arp table:
ns-> get arp
See Also:
See the set arp and clear arp commands.
get audible-alarm
Description: Use the get audible-alarm command to view the audible alarm settings on a NetScreen device.
Syntax:
get audible-alarm
  [ > tftp <ip_addr> <filename> ]
Arguments:
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples:
To view the audible alarm settings:
ns-> get audible-alarm
See Also:
See the set audible-alarm and clear audible-alarm commands.
get auth
Description: Use the get auth command to display the user authentication configuration settings.
Syntax:
get auth
  [ history | queue | settings | table ]
  [ > tftp <ip_addr> <filename> ]
Arguments:
history   Displays the authentication history.
queue   Applies only if using a RADIUS server or SecurID server to authenticate users. Displays a list of authentication requests waiting to be processed.
settings   Displays settings according to the current authentication method. When the NetScreen internal database is in use, get auth settings displays the timeout value for the authenticated entry.
table   Displays a table of IP addresses from which the authentication requests originate, and how much time each entry has before automatic deletion. Also displays whether the authentication attempt is successful or not.
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples:
To display the authentication queue:
ns-> get auth queue
To display the authentication settings:
ns-> get auth settings
To display the authentication table:
ns-> get auth table
See Also:
See the set auth and clear auth commands.
Notes:
When a user authentication attempt is successful, the NetScreen device creates an entry in the NetScreen authentication table, and assigns the entry a timeout value. When the timeout limit expires, the device deletes the entry, and any newly initiated traffic requires new authentication.
NetScreen supports a maximum of 4096 entries in this table. When the table is full, the NetScreen device rejects any new authentication attempts until a current entry expires.
When the RADIUS server is in use, get auth settings displays the timeout value for the authenticated entry, the IP address for the RADIUS server, and the shared secret. When the SecurID server is in use, get auth settings displays the following values:
• The authentication port number
• The SecurID Master server name, and the SecurID Slave server name, if used
• Whether duress is used
• The type of encryption
• The maximum number of retries
• The communication timeout value
• The authenticated entry timeout value
When the LDAP server is in use, get auth settings displays the authenticated entry timeout value, the IP address of the LDAP server, and its listening port. The command also displays the distinguished name and common name identifier.
get clock
Description: Use the get clock command to display the system time on the NetScreen device.
Syntax:
get clock
  [ > tftp <ip_addr> <filename> ]
Arguments:
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples:
To display the system time for the NetScreen device:
ns-> get clock
See Also:
See the set clock command.
Notes:
The display includes the current date in calendar format and the number of seconds since 1/1/1970 GMT. The display also includes the NetScreen device’s uptime since the last power-up.
get config
Description: Use the get config command to display the current or saved configuration settings for a NetScreen device.
Syntax:
get config [ saved ]
  [ > tftp <ip_addr> <filename> ]
Arguments:
saved   Displays the configuration file saved in flash memory.
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples:
To display the current runtime configuration on the console:
ns-> get config
To display the configuration that has been saved in the flash memory:
ns-> get config saved
To write the current configuration to a file named new_cnfg on a TFTP server at 172.16.54.9:
ns-> get config > tftp 172.16.54.9 new_cnfg
See Also:
See the save command.
������!//%��"
�����
get console

Description: Use the get console command to display the console parameters.

Syntax: get console [ > tftp <ip_addr> <filename> ]

Arguments:
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example:
To display all the console parameters:
ns-> get console

See Also: See the set console command.

Notes:
The get console command displays this console configuration information:
• The timeout value
• The number of lines to display per screen
• Where the debug messages are displayed
• The number of active connections to the NetScreen device through the console or Telnet, and the duration of these connections
• For a Telnet connection, the IP address for the client machine.
get counter

Description: Use the get counter command to display system and traffic information on the NetScreen interfaces.

Syntax: get counter
    { flow | statistics | screen [ interface <name_str> ] |
      policy <pol_num> { day | hour | minute | month | second } }
    [ > tftp <ip_addr> <filename> ]

Arguments:
flow   Specifies counters for packets inspected at the flow level. A flow-level inspection examines various aspects of a packet to gauge its nature and intent.
statistics   Displays the counter statistics.
screen   Displays screen counter statistics.
interface <name_str>   The name of the interface. Specifies counters for packets inspected at the interface level. An interface-level inspection checks for packet errors and monitors the quantity of packets in light of established threshold settings. For more information on interfaces, refer to Interfaces in USGA Features.
policy <pol_num>   Identifies a particular access policy, allowing the administrator to monitor the amount of traffic it permits.
day | hour | minute | month | second   Specifies the period of time for monitoring traffic permitted by a particular access policy.
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example:
To list the counters for the Trusted interface:
ns-> get counter flow interface trust

Notes:
This command is used only for technical support.
This system information is displayed for flow-level counters:
• tiny frag – the number of tiny fragmented packets received
• tear drop – the number of oversize Internet Control Message Protocol (ICMP) packets received
• src route – the number of packets dropped because of the filter source route option
• pingdeath – the number of suspected ping-of-death attack packets received
• addr spf – the number of suspected address spoofing attack packets received
• land att – the number of suspected land attack packets received
• no route – the number of unroutable packets received
• no conn – the number of packets dropped because of unavailable Network Address Translation (NAT) connections
• poli deny – the number of packets denied by a defined access policy
• auth fail – the number of times user authentication failed
• no dip – the number of packets dropped because of unavailable Dynamic IP (DIP) addresses
• no map – the number of packets dropped because there was no map to the trusted side
• url block – the number of HTTP requests that were blocked
• tcp proxy – the number of packets dropped from using a tcp proxy such as syn flood protection or user authentication
• no gate – the number of packets dropped because no gate was available
• no parent – the number of packets dropped because the parent connection could not be found
• no g-gate – the number of packets dropped because the Network Address Translation (NAT) connection was unavailable for the gate
• nvec err – the number of packets dropped because of NAT vector error
• trmn drp – the number of packets dropped by traffic management
• trmng que – the number of packets waiting in the queue
• big bkstr – an excessively large number of Address Resolution Protocol (ARP) packets attempting to uncover the Media Access Control (MAC) address for an IP address
• enc fai – the number of failed Point to Point Tunneling Protocol (PPTP) packets
• lpbk deny – the number of packets dropped because the packets can't be looped back
• no sa – the number of packets dropped because no Security Associations (SA) was defined
• no sapoli – the number of packets dropped because no access policy was associated with an SA
• sa inact – the number of packets dropped because of an inactive SA
• sapoli dn – the number of packets denied by an SA policy
• illegal – the number of packets dropped because they are illegal packets
The get counter command displays the following traffic information for interface-level counters:
• in pak – the number of packets received
• in vpn – the number of IPSec packets received
• out pak – the number of packets sent
• out bpak – the number of packets held in back store while searching for an unknown MAC address
• in crc – the number of incoming packets with a cyclic redundancy check (CRC) error
• in alg – the number of incoming packets with an alignment error in the bit stream
• in nobuf – the number of unreceivable packets because of unavailable buffers
• in short – the number of incoming packets with an in-short error
• in err – the number of incoming packets with at least one error
• in coll – the number of incoming collision packets
• out unr – the number of transmitted underrun packets
• early fr – counters used in an ethernet driver buffer descriptor management
• late fr – counters used in an ethernet driver buffer descriptor management
• in icmp – the number of Internet Control Message Protocol (ICMP) packets received
• in self – the number of packets addressed to the NetScreen Management IP address
• in unk – the number of UNKNOWN packets received
• connection – the number of sessions established since the last boot
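The flow-level counters above are the ones an administrator would watch for suspected attack traffic. The following added example (not NetScreen code) compares two counter snapshots and reports which of the page's attack-related counters increased; the "name: value" snapshot layout it parses is a constructed assumption, not the device's actual output format.

```python
"""Report rising attack-related flow counters between two snapshots.

Added example, not NetScreen code. Counter names and meanings come from the
get counter flow description; the snapshot text layout ("name: value" pairs)
is an assumption made for this example.
"""
import re

# Flow-level counters the page describes as suspected attacks or filter drops.
ATTACK_COUNTERS = {
    "tiny frag": "tiny fragmented packets received",
    "tear drop": "oversize ICMP packets received",
    "src route": "packets dropped by the source route filter",
    "pingdeath": "suspected ping-of-death packets received",
    "addr spf": "suspected address spoofing packets received",
    "land att": "suspected land attack packets received",
}

# Constructed sample snapshots (not real device output).
SNAPSHOT_T0 = """
tiny frag: 0   tear drop: 0   src route: 2   pingdeath: 0
addr spf: 10   land att: 0    no route: 5    poli deny: 120
"""
SNAPSHOT_T1 = """
tiny frag: 0   tear drop: 3   src route: 2   pingdeath: 40
addr spf: 10   land att: 1    no route: 5    poli deny: 131
"""

# A counter name (letters, spaces, dashes) followed by ':' and an integer.
_PAIR_RE = re.compile(r"([a-z][a-z\- ]*?)\s*:\s*(\d+)")


def parse_counters(text):
    """Return {counter name: value} parsed from the assumed 'name: value' layout."""
    return {name.strip(): int(value) for name, value in _PAIR_RE.findall(text)}


def rising_attack_counters(before, after, counters=ATTACK_COUNTERS):
    """Return [(name, increase, meaning)] for attack counters that grew between snapshots.

    A counter missing from a snapshot is treated as zero, so a newly appearing
    counter is still reported.
    """
    old, new = parse_counters(before), parse_counters(after)
    hits = []
    for name, meaning in counters.items():
        increase = new.get(name, 0) - old.get(name, 0)
        if increase > 0:
            hits.append((name, increase, meaning))
    return hits


if __name__ == "__main__":
    for name, increase, meaning in rising_attack_counters(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"{name:10s} +{increase:<6d} {meaning}")
```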
get dialup-group

Description: Use the get dialup-group command to display the dialup group configuration parameters.

Syntax: get dialup-group { all | id <id_num> } [ > tftp <ip_addr> <filename> ]

Arguments:
all   Displays the dialup group ID, name, and the total number of members for all the configured dialup groups.
id <id_num>   Displays detailed information for a specific dialup group with ID <id_num>. The information includes the names of the group members and their SPI values for the manual key dialup user, or the ID and ID-type for the IKE dialup user.
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples:
To display all the dialup-group configurations:
ns-> get dialup-group all
To display the configuration settings for the dialup-group with ID number 4:
ns-> get dialup-group id 4

See Also: See the set dialup-group command.
get dip

Description: Use the get dip command to display the following dynamic IP (DIP) settings for a NetScreen device:
• the DIP pool ID number
• the range of IP addresses in the DIP pool
• the interface to which the pool is associated
• whether the pool supports Port Address Translation (PAT) or fixed port numbers.

Syntax: get dip [ all ] [ > tftp <ip_addr> <filename> ]

Arguments:
all   Displays all DIPs for every virtual system (VSYS).
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples:
To display all DIP configurations:
ns-> get dip
To display all DIP configurations and direct the output to a file on the TFTP server:
ns-> get dip > tftp 172.16.10.10 outp.txt

See Also: See the set interface command, which is the command to use to configure a DIP pool for a particular interface.
get dns

Description: Use the get dns command to verify the Domain Name Service (DNS) settings on the NetScreen device.

Syntax: get dns { forward | host { cache | report | settings } | name <name_str> } [ > tftp <ip_addr> <filename> ]

Arguments:
forward   Shows the DNS forwarding information.
host cache   Displays the DNS cache table.
host report   Displays the DNS lookup table.
host settings   Displays the DNS settings.
name <name_str>   Specifies the domain name.
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example:
To get the DNS host report information on a NetScreen device:
ns-> get dns host report

See Also: See the set dns command.
get domain

Description: Use the get domain command to view the domain name of the NetScreen device.

Syntax: get domain [ > tftp <ip_addr> <filename> ]

Arguments:
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example:
To get the domain name of the NetScreen device:
ns-> get domain

See Also: See the set domain command.
get envar

Description: Use the get envar command to display the environment variable settings.

Syntax: get envar [ > tftp <ip_addr> <filename> ]

Arguments:
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example:
To display the environment variable settings you specified with the set envar command:
ns-> get envar

See Also: See the set envar command.
get file

Description: Use the get file command to display information for files stored in the flash memory.

Syntax: get file [ <filename> | info ] [ > tftp <ip_addr> <filename> ]

Arguments:
<filename>   Defines the file name stored in the flash card memory.
info   Displays the base sector and address.
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples:
To display the configuration files stored in flash memory:
ns-> get file
To display information for the file named corpnet from the flash card memory:
ns-> get file corpnet

See Also: See the clear file and save commands.
get firewall

Description: Use the get firewall command to display firewall protection settings and to note which features are enabled.

Syntax: get firewall [ > tftp <ip_addr> <filename> ]

Arguments:
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example:
To display the firewall protection settings:
ns-> get firewall

See Also: See the set firewall command.

Notes:
The output from the get firewall command lists elements configured with the set firewall command, showing if each is enabled. On means the feature is enabled. Off means the feature is disabled.
get gate

Description: Use the get gate command to check if any gates are available on the NetScreen device, or if all are in use.

Syntax: get gate [ > tftp <ip_addr> <filename> ]

Arguments:
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Defaults:
The default numbers of gates on NetScreen devices are:
NetScreen-5xp    256
NetScreen-5      256
NetScreen-10     256
NetScreen-100    1024
NetScreen-500    1024
NetScreen-1000   4096

Example:
To display the number of gates on the NetScreen device:
ns-> get gate

Notes:
Gates are holes in the firewall for FTP and similar applications. The NetScreen device creates the gate first. When the real data traffic occurs, the device converts the gate to an actual session.
If the system reports alloc failed, all gates are currently in use.
get global

Description: Use the get global command to display the NetScreen-Global Manager settings.

Syntax: get global [ > tftp <ip_addr> <filename> ]

Arguments:
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example:
To display the NetScreen-Global Manager configuration and reporting settings:
ns-> get global

See Also: See the set global command.

Notes:
The get global command displays:
• Whether the NetScreen-Global Manager feature is enabled or not
• The IP address or the server name of the NetScreen-Global Manager station
• The NetScreen-Global Manager server configuration port and the server reporting port
• The local listening port for the NetScreen device
• Whether the VPN encryption feature is enabled or not
• The type of reports that the NetScreen-Global Manager station requests
get global-pro

Description: Use the get global-pro command to display the NetScreen-Global PRO settings.

Syntax: get global-pro { config | proto-dist { table { bytes | packets } | user-service } } [ > tftp <ip_addr> <filename> ]

Arguments:
config   Displays the NetScreen-Global PRO configuration settings.
proto-dist table   Displays the NetScreen-Global PRO protocol distribution settings in bytes or in packets.
proto-dist user-service   Displays the NetScreen-Global PRO protocol distribution settings for user-defined services.
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example:
To display the NetScreen-Global PRO settings:
ns-> get global-pro

See Also: See the set global-pro command.
get glog

Description: Use the get glog command to display the contents of the global log file.

Syntax: get glog [ > tftp <ip_addr> <filename> ]

Arguments:
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example:
To display all log entries in the global log file:
ns-> get glog

See Also: See the set glog command.

Notes:
Log entries of all categories go to the global log file initially. The display shows the total number of entries in the file and the category to which each entry belongs.
get group

Description: Use the get group command to display the address groups and service groups configured on the NetScreen device.

Syntax: get group { address { <zone> <name_str> } | service [ <name_str> ] } [ > tftp <ip_addr> <filename> ]

Arguments:
address   Assigns the group to the address book of a security zone.
<zone>   The name of the address book's security zone. For more information on zones, see Security Zones in USGA Features.
<name_str>   Specifies the name of the address group.
service   Defines the group as a service group, and specifies its name. If you do not include a service group name, the command displays all service groups.
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples:
To display a trusted address group named engineering:
ns-> get group address trust engineering
To display a service group named inside-sales:
ns-> get group service inside-sales
To display all untrusted address groups:
ns-> get group address untrust
To display all service groups:
ns-> get group service

See Also: See the set group, set address, get address, set service, and get service commands.
get ha

Description: Use the get ha command to display the status and configuration settings for high availability (HA).

Syntax: get ha [ counter | detail | track ip ] [ > tftp <ip_addr> <filename> ]

Arguments:
counter   Displays the number of sent, received, and dropped HA packets.
detail   Displays general high availability information.
track ip   Displays the path tracking status and settings.
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example:
To display the high availability group information:
ns-> get ha

See Also: See the set ha and exec ha commands.

Notes:
The get ha command displays:
• The software version
• The redundant group to which the NetScreen device belongs
• Whether the NetScreen device is designated as master or slave
• The MAC addresses for all devices in the group
• Whether encryption and authentication are enabled or not
• The arp count
• The monitor port(s)
• The ha mode
• The session synchronization
• The slave linkup
get hostname

Description: Use the get hostname command to display the hostname of the NetScreen device.

Syntax: get hostname [ > tftp <ip_addr> <filename> ]

Arguments:
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example:
To display the name of the NetScreen device:
ns-> get hostname

See Also: See the set hostname command.
get ike

Description: Use the get ike command to display various settings for Internet Key Exchange (IKE).

Syntax: get ike
    { accept-all-proposal | ca-and-type | cert | conn-entry | cookies |
      gateway [ <ip_addr> | <name_str> ] | heartbeat | id-mode |
      initial-contact [ all-peers | single-gateway [ <name_str> ] | single-user <name_str> ] |
      initiator-set-commit | p1-proposal <name_str> | p2-proposal <name_str> |
      policy-checking | respond-bad-spi | responder-set-commit |
      single-ike-tunnel <name_str> | soft-lifetime-buffer }
    [ > tftp <ip_addr> <filename> ]

Arguments:
accept-all-proposal   Shows if the NetScreen device accepts all incoming proposals, or only specified preconfigured ones.
ca-and-type   Displays the types of certificates supported by the NetScreen device.
cert   Displays all local certificates loaded in the NetScreen device.
conn-entry   Displays the current IKE connections.
cookies   Displays all IKE cookies.
gateway [ <string> ]   Shows the following details for all remote gateways:
    • gateway ID number
    • gateway name
    • gateway IP address, if it uses Main or Aggressive mode
    • the preshared key (if used)
    • all Phase 1 proposals
    Specifying a gateway name displays more details.
heartbeat   Displays IKE heartbeat information, including the hello interval and the number of heartbeat retries before expiration.
id-mode   Shows if the IKE ID mode uses a host (IP) or a gateway (subnet).
initial-contact   Displays if the NetScreen device sends an initial contact notification to its IKE peers when it reboots.
initiator-set-commit   Notes if the commit bit is set when initiating a Phase 2 proposal.
p1-proposal [ <string> ]   Shows the following details of all the Phase 1 proposals or just for the proposal specified:
    • Proposal ID number
    • Proposal name
    • Authentication method – preshared key, RSA signature, or DSA signature
    • Diffie-Hellman Group – 1, 2, or 5
    • ESP encryption algorithm – DES or 3DES
    • ESP authentication algorithm – MD5 or SHA-1
    • Key lifetime
p2-proposal [ <string> ]   Shows the following details of all the Phase 2 proposals or just for the proposal specified:
    • Proposal ID number
    • Proposal name
    • Diffie-Hellman Group – 1, 2, or 5; 0 indicates no Perfect Forward Secrecy (PFS), and so there is no Diffie-Hellman exchange
    • IPSec protocol – Authentication Header (AH) or Encapsulating Security Payload (ESP)
    • Encryption algorithm – DES or 3DES
    • Authentication algorithm – MD5 or SHA-1
    • Key lifetime (in seconds)
    • Key lifesize (in kilobytes)
policy-checking   Shows if the access policies for both VPN participants must match before a VPN connection is established.
respond-bad-spi   Displays the number of times the NetScreen device responds to a remote peer with a bad security parameter index (SPI).
responder-set-commit   Shows if the commit bit is set when the NetScreen device responds to a Phase 2 proposal.
single-ike-tunnel   Notes if the single-ike-tunnel flag is enabled for VPN connections with the specified remote gateway.
soft-lifetime-buffer   Displays the soft-lifetime buffer size (in seconds).
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples:
To display all the details of the Phase 1 proposal "sf1":
ns-> get ike p1-proposal sf1
To display all the currently running IKE connections:
ns-> get ike conn-entry
To display all IKE cookies:
ns-> get ike cookies

See Also: See the set ike and clear ike commands.
get interface

Description: Use the get interface command to display the physical and logical interface settings for the NetScreen device.

Syntax: get interface <name_str>
    [ dhcp { relay | server { ip { allocate | idle } | option } } |
      screen [ all | attack | counter | info ] |
      secondary ]
    [ > tftp <ip_addr> <filename> ]

Arguments:
<name_str>   The name of the interface. For more information on interfaces, refer to Interfaces in USGA Features.
dhcp   Lists DHCP information for the specified interface.
  - relay   Displays information on the DHCP relay agent.
  - server   Displays information on the DHCP server. The ip allocate suboption displays the IP addresses allocated by the DHCP server. The ip idle suboption displays information on the DHCP idle IP, including IP address, state, MAC address, and lease time. The option switch displays all DHCP options.
screen   Lists screen information for the specified interface.
  - all   Lists all screen information.
  - attack   Displays the screen attack type counters.
  - counter   Displays all screen counters.
  - info   Displays the screen information type counters.
secondary   Displays the secondary IP for the specified interface.
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples:
To display general information for all physical and logical interfaces at the level (root or virtual system) in which you issue the command:
ns-> get interface
To display detailed information for the trusted interface:
ns-> get interface trust
To display information on secondary interfaces for the DMZ interface:
ns-> get interface dmz secondary
To display information on the DHCP server for interface ethernet2/1:
ns-> get interface ethernet2/1 dhcp server

See Also: See the set interface command.
get intervlan

Description: Use the get intervlan command to show if intervlan traffic is currently enabled or denied.

Syntax: get intervlan [ > tftp <ip_addr> <filename> ]

Arguments:
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example:
To display the current intervlan enable/disable status and send the output to a file on the TFTP server:
ns-> get intervlan > tftp 172.16.10.10 outp.txt

See Also: See the set intervlan-traffic command.
get ip tftp

Description: Use the get ip tftp command to display IP parameters for communication with the TFTP server. These parameters include:
• The number of times to retry a TFTP communication before the NetScreen device ends the attempt and generates an error message.
• The length of time before the NetScreen device terminates an inactive TFTP connection.

Syntax: get ip { tftp } [ > tftp <ip_addr> <filename> ]

Arguments:
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Defaults:
The default number of retries is 10.
The default timeout period is 2 seconds.

Example:
To display IP parameters for TFTP server communication:
ns-> get ip tftp

See Also: See the set ip tftp command.
get ippool

Description: Use the get ippool command to display information about all of the IP pools that can be used for assigning addresses via the Layer 2 Tunneling Protocol (L2TP).

Syntax: get ippool [ <name_str> ] [ > tftp <ip_addr> <filename> ]

Arguments:
<name_str>   Returns information about the specified IP pool, showing its ID number, its name, and its starting and ending IP addresses.
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example:
To display the values for all the IP pools:
ns-> get ippool
ID   IP Pool   Start IP    End IP
1    pool 1    10.1.1.1    10.1.1.10
2    pool 2    10.1.1.11   10.1.1.20

See Also: See the set ippool command.
get l2tp

Description: Use the get l2tp command to view the L2TP status and settings.

Syntax: get l2tp { { <string> | all } [ active ] | default } [ > tftp <ip_addr> <filename> ]

Arguments:
<string>   Displays the ID number, tunnel name, user, peer IP address, peer host name, L2TP tunnel shared secret, and keepalive value for the specified L2TP tunnel. active displays the current state of the specified L2TP tunnel.
all   Displays the ID number, tunnel name, user, peer IP address, peer host name, L2TP tunnel shared secret, and keepalive value for every L2TP tunnel. active displays the current state of all the L2TP tunnels.
default   Displays all the default L2TP settings.
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples:
To display the current state of an L2TP tunnel named "home2work":
ns-> get l2tp home2work active
To display the L2TP default settings:
ns-> get l2tp default

See Also: See the set l2tp, clear l2tp, and get ippool commands.
get lance

Description: Use the get lance { info } command to get internal debug information for the 10/100 MAC chips on a NetScreen device.

Syntax: get lance { info } [ > tftp <ip_addr> <filename> ]

Arguments:
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example:
To view 10/100 MAC chip-specific debug information:
ns-> get lance info

Notes:
You can also see the initial part of the get lance info output by using the get interface command.
get lcd

Description: Use the get lcd command to view the status of the LCD and the control keys on a NetScreen device.

Syntax: get lcd [ > tftp <ip_addr> <filename> ]

Arguments:
> tftp <ip_addr> <filename>   Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example:
To view the status of the LCD and control keys:
ns-> get lcd

See Also: See the set lcd command.
3����
�����%�
�������������� ������������
Description: Use the get log command to display all the entries in the log table.
�0��%1get log
{device-reset |event
[type <number> [ -<number> ] |module { system | all-modules } |
[ level{emergency |alert |critical |error |warning |notification |information |debugging |all-levels}
][ start-time <string> ]
[ end-time <string> ][ include <string> ]
[ exclude <string> ]] |
self | traffic [ policy <pol_num> | <pol_num>-<pol_num> ][ start-time <string> ] [ end-time <string> ]
[ min-duration <string> ] [ max-duration <string> ][ service <name_str> ]
[ src-ip <ip_addr> [ -<ip_addr> ] [ src-netmask <mask> ]
������!//%��"
�����
]
. The all-levels option display all
reenOS module that generated
types.
the time specified— the year, in which case the ite the year with either just the last ond can be omitted. Separate the
erscore:
ore the time specified.
ecified.
pecified.
ent.
�������������� ������������
[ src-port <port_num> ]]
[ dst-ip <ip_addr> [ -<ip_addr> [ dst-netmask <mask> ]
][ no-rule-displayed ] |
system [ reversely | saved ] |setting [ module { system | all } ]}
[ > tftp <ip_addr> <filename> ]
��)�/���"
event Specifies event log entries.
level Specifies the security level of log entries to displaysecurity levels.
module Specifies log entries to display according to the Scthem.
type <number> [ -<number> ] Message type. Enter a specific type, or a range of
start time <string> Displays event log entries that occurred at or after day/month/year hour:minute:second. You can omitcurrent year is assumed, and you can choose to wrtwo digits or with all four. The hour, minute, and secdate from the time with a space, a dash, or an und12/31/2001-23:59:0012/31/2001_23:59:00
end-time <string> Displays event log entries that occurred at and bef
include <string> Displays event log entries that include the detail sp
exclude <string> Displays event log entries that exclude the detail s
begin <string> Displays event log entries that follow a specified ev
traffic Specifies traffic log entries.
������!//%��"
�+���
cified by its ID number or for numbers. The ID number can be lished Access Policies. To define
using this syntax:
was longer than or equal to the
was shorter than or equal to the
uch as TCP, ICMP, FTP, or Any. ple, both TC and CP are Service group, note that because ng TP displays log entries for all
address or range of source IP P address to display traffic entries cified source IP address.ot be specified simultaneously.
ber or range of source port
n IP address or range of net mask for a destination IP nge and destination subnet mask
cess Policy information.
e TFTP server <ip_addr>.
ing> value specifies the name of
�������������� ������������
policy { <pol_num> | <pol_num> - <pol_num> }
Displays traffic log entries for an Access Policy speseveral Access Policies specified by a range of ID any value between 0 and the total number of estaba range, enter the starting and ending ID numbers<pol_num> - <pol_num>
min-duration <string> Displays traffic log entries for traffic whose durationminimum duration specified.
max-duration <string> Displays traffic log entries for traffic whose durationmaximum duration specified.
service <name_str> Displays traffic log entries for a specified Service, sThe name does not have to be complete; for examrecognized as TCP. Although you cannot specify aTP is recognized as FTP, HTTP, and TFTP, enterithree Services.
src-ip { <ip_addr> [ <ip_addr> - <ip_addr> ] }
Displays traffic log entries for a specified source IPaddresses. Include the subnet mask for a source Ifor all IP addresses in the same subnet as the speA source IP range and a source subnet mask cann
src-port { <port_num> | <port_num> - <port_num> }
Displays traffic log entries for a specified port numnumbers.
dst-ip { <ip_addr> [ <ip_addr> - <ip_addr> ] }
Displays traffic log entries for a specified destinatiodestination IP addresses. You can specify the subaddress, but you cannot specify a destination IP rasimultaneously.
no-rule-displayed Displays traffic log entries, but does not display Ac
system Displays current system log information.
system saved Displays saved system log information.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on th
setting Displays log setting information. The module <strthe module for which the log settings apply.
Defaults
If no arguments are entered, the get log command displays all log entries.
Examples
To display all entries in the log table:
ns-> get log
To display the entries in the traffic log table for an Access Policy with ID 3:
ns-> get log traffic policy 3
To display event log entries from 3:00 P.M. on March 4, 2001:
ns-> get log event start-time 03/04/01_15:00
To display event log entries from 3:00 P.M. on March 4, 2001 to 2:59:59 P.M. on March 6:
ns-> get log event start-time 03/04/01_15:00 end-time 03/06_14:59:59
To display traffic log entries for traffic for a period between 5 minutes and 1 hour:
ns-> get log traffic min-duration 00:05:00 max-duration 01:00:00
To display traffic log entries for the range of destination IP addresses 172.16.20.5–172.16.20.200:
ns-> get log traffic dst-ip 172.16.20.5-172.16.20.200
To display traffic log entries from the source port 8081:
ns-> get log traffic src-port 8081
To display traffic log entries without displaying Access Policy information:
ns-> get log traffic no-rule-displayed
See Also
See the clear log command.
get mac-learn
Description: Use the get mac-learn command to display the entries in the MAC learning table.
Syntax
get mac-learn [ trust | untrust ]
Arguments
trust Specifies the trust interface.
untrust Specifies the untrust interface.
Defaults
None.
Examples
To display all entries in the MAC learning table:
ns-> get mac-learn
To display the MAC learning table entries on the Trusted interface only:
ns-> get mac-learn trust
See Also
See the clear mac-learn, get mac-count, and clear mac-count commands.
Note: This command is available only when the NetScreen-10 device is running in Transparent mode.
get master
Description: Use the get master command to display the master device’s configuration information. You can use this command only on a slave device.
Syntax
get master { config }
[ > tftp <ip_addr> <filename> ]
Arguments
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Defaults
None.
Examples
To display information about the master device configuration:
ns-> get master config
See Also
See the get system command.
get memory
Description: Use the get memory command to display the memory allocation status.
Syntax
get memory
[<id_num> |all |error |free |mempool |used]
[ > tftp <ip_addr> <filename> ]
Arguments
<id_num> Displays the task ID number.
all Displays memory fragments.
error Displays erroneous memory fragments.
free Displays free memory.
mempool Displays pooled memory.
used Displays used memory.
minsize <number> Show all memory fragments that are larger than <number>.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display the memory usage status:
ns-> get memory
To display all erroneous memory fragments:
ns-> get memory error
Notes
The get memory command displays information about the amount of memory allocated, the amount remaining, and the number of fragments.
get mip
Description: Use the get mip command to display the Mapped IP (MIP) configurations.
The get mip command displays the IP address, the host IP address, and the subnet mask address for the Mapped IP.
Syntax
get mip [ all ]
[ > tftp <ip_addr> <filename> ]
Arguments
all Shows all Mapped IPs for all virtual systems.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display all MIP configurations and direct the output to a file on the TFTP server:
ns-> get mip all > tftp 172.16.10.10 outp.txt
See Also
See also the set mip command.
get natt_ka
Description: Use the get natt_ka command to list the NATT keepalive parameters, such as the current VPN monitor frequency.
Syntax
get natt_ka
Arguments
None.
Defaults
None.
Examples
The following command lists the current VPN monitor frequency.
ns-> get natt_ka
See Also
See the get vpn command.
get nsp-tunnel
Description: Use the get nsp-tunnel command to get the flow tunnel information.
Syntax
get nsp-tunnel [ info <number> ]
[ > tftp <ip_addr> <filename> ]
Arguments
info <number> Specifies the flow tunnel information with the info value <number>. The value must start with 0x, as with 0x2.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display the flow tunnel information:
ns-> get nsp-tunnel info 0x3
See Also
See the set nsp-tunnel command.
get ntp
Description: Use the get ntp command to display the settings for the Network Time Protocol (NTP).
Syntax
get ntp
[ > tftp <ip_addr> <filename> ]
Arguments
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display the settings for NTP on the NetScreen device:
ns-> get ntp
See Also
See the set ntp and exec ntp commands.
get os
Description: Use the get os command to display mail and task information for the device operating system.
Syntax
get os { mail | task <name_str> }[ > tftp <ip_addr> <filename> ]
Arguments
mail Displays the mail information.
task <name_str> Displays the task information.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display the operating system information:
ns-> get os
See Also
See the set os command.
get performance
Description: Use the get performance cpu command to retrieve CPU utilization information on the NetScreen device.
Syntax
get performance { cpu }
[ detail ][ > tftp <ip_addr> <filename> ]
Arguments
detail Displays cpu performance detail.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display the CPU utilization for the NetScreen device and send the output to a file on the TFTP server:
ns-> get performance cpu > tftp 170.16.10.10 outp.txt
See Also
See the get system command.
get pki
Description: Use the get pki command to show the CA (certificate authority) server’s IP address and e-mail address, the certificate administrator’s e-mail address, and the RSA key length.
Syntax
get pki
{authority <id_num>
{cert-status |scep} |
ldap |x509
{cert-path |crl-refresh |dn |list
{ca-cert |cert |local-cert} |
ns-cert |pkcs10 |raw-cn}
}[ > tftp <ip_addr> <filename> ]
Arguments
authority <id_num> Shows authority references for the Certificate Authority (CA). The cert-status option displays information on the X.509 CA certificate. The scep option displays information on the SCEP server.
ldap Shows the default certificate authority server’s address and the default LDAP URL for the certificate revocation list (CRL) retrieval.
x509 Specifies an International Telecommunications Union (ITU-T) X.509/PKCS digital certificate for these types:
cert-path Displays the default X.509 certificate path validation level.
crl-refresh Displays the X.509 CRL refresh frequency rate.
dn Displays the distinguished name on the NetScreen X.509 digital certificate.
list Displays the X.509 object list loaded in the NetScreen device.
ca-cert Displays the certificate authority (CA) X.509 certificates currently loaded in the NetScreen device.
cert Displays the X.509 certificates currently loaded in the NetScreen device.
local-cert Displays the local (non-CA) X.509 certificates currently loaded in the NetScreen device.
ns-cert Displays the NetScreen device’s X.509 certificate.
pkcs10 Shows the destination of the PKCS10 file and generates the file in that location. (PKCS is the Public Key Cryptography Standard.)
raw-cn Shows if the raw-certificate name feature is enabled or disabled. The raw-cn is the CN value you specify with the command set pki x509 dn name <name_str>, where <name_str> is a string of characters comprising the CN.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display the URL and the IP address or name of the default certificate authority’s LDAP server:
ns-> get pki ldap
To display a list of certificate authority (CA) certificates loaded in the NetScreen device:
ns-> get pki x509 list ca-cert
See Also
See the set pki command.
get policy
Description: Use the get policy command to display access policy configuration information.
Syntax
get policy
[id <id_num> |from <name_str> to <name_str>]
[ > tftp <ip_addr> <filename> ]
Arguments
id <id_num> Displays detailed information for the access policy with the ID number <id_num>.
from <name_str> to <name_str> Displays a summary of access policies between two specified security zones (<name_str> and <name_str>).
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display all access policy configurations:
ns-> get policy
To display all incoming access policy configurations:
ns-> get policy from trust to untrust
To display detailed information for an access policy with ID number 5:
ns-> get policy id 5
See Also
See the set policy command.
get pppoe
Description: Use the get pppoe command to configure PPPoE.
Syntax
get pppoe [ configuration | statistics ]
Arguments
configuration Specifies the configuration options.
statistics Specifies the statistics information.
Defaults
None.
Examples
To get the PPPoE configuration:
ns-> get pppoe configuration
To get the PPPoE statistics:
ns-> get pppoe statistics
See Also
See the set pppoe, clear pppoe, and exec pppoe commands.
get route
Description: Use the get route command to display entries in the static route table.
Syntax
get route
[id <id_num> |ip <ip_addr>]
[ > tftp <ip_addr> <filename> ]
Arguments
ip <ip_addr> Displays a specific static route for the target IP address <ip_addr>.
id <id_num> Displays a specific static route for the ID number <id_num>.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Defaults
The get route command displays all entries in the static route table unless a particular target IP address is specified.
Examples
To display all the entries in the static route table:
ns-> get route
To display the static route information to a machine with the IP address 172.16.60.1:
ns-> get route ip 172.16.60.1
To display the static route information for a route with ID number 477:
ns-> get route id 477
See Also
See the set route command.
Notes
The get route command displays:
• The IP address, netmask, interface, gateway, metric, and flag
• The Flag value is 8000 for a well-known route generated from the interface gateway IP address and interface
• The Flag value is 0000 if the entry uses the gateway from the interface listed of a specified IP address
When you specify an IP address in the get route command, the output appears in this format:
ns-> <ip-addr> => <interface>/<gateway>, <metric>
Use the get route command to find out if the NetScreen device is routing a packet with a particular IP address to the correct interface.
get sa
Description: Use the get sa command to display the IPSec security associations (SA) only when you define VPN policies for a manual VPN.
Syntax
get sa
[id <id_num> |[ active | inactive ] [ stat ]]
[ > tftp <ip_addr> <filename> ]
Arguments
id <number> Displays a specific IPSec Security Association (SA) entry with the ID number.
active | inactive Displays only active or inactive SAs.
stat Shows the SA statistics for the device. Displays these statistics for all incoming / outgoing SA pairs:
- Fragment: The total number of fragmented incoming and outgoing packets.
- Auth-fail: The total number of packets for which authentication has failed.
- Other: The total number of miscellaneous internal error conditions other than those listed in the auth-fail category.
- Total Bytes: The amount of active incoming and outgoing traffic
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display all the IPSec SA entries:
ns-> get sa
To display a specific IPSec SA entry with ID number 5:
ns-> get sa id 5
See Also
See the set vpn, set ike, and clear sa-statistics commands.
get scheduler
Description: Use the get scheduler command to display the schedules configured for the NetScreen device.
Syntax
get scheduler
[name <name_str> |once |recurrent]
[ > tftp <ip_addr> <filename> ]
Arguments
name Displays the schedule of the specified device.
once Displays all one-time schedules.
recurrent Displays all recurrent schedules.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display all the schedule definitions:
ns-> get scheduler all
To display a specific schedule definition with ID number 0:
ns-> get scheduler id 0
See Also
See the set scheduler command.
get scs
Description: Use the get scs command to display the SCS keys used to establish a secure command shell to a NetScreen device from a remote system.
Syntax
get scs
[ host-key ] |[ pka-rsa ]
[all |username <name_str> [ index <number> ]
[ > tftp <ip_addr> <filename> ]]
Arguments
scs Displays these items:
- If SCS is enabled or not
- SCS status
- Key regeneration time
- Current number of SCS connections
- Details of current connections
host-key Shows the SCS host key (RSA public key) for the active root/VSYS, including the fingerprint of the host key.
pka-rsa Shows current user-specific information on Public Key Authentication (PKA) using RSA.
all Shows all PKA public keys bound to all users. You must be the root user to execute this option; admin users and read-only users cannot execute this command.
username Shows all PKA public keys bound to a specified user <name_str>. Admin users and read-only users can execute this option only if <name_str> identifies the current admin user or read-only user. The index <number> parameter allows the admin user and read-only user to view the details of a key bound to the user name. It also allows the root user to view the details of a key bound to the specified user.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display all users and keys for the secure command shell feature on a NetScreen device:
ns-> get scs pka-rsa all
To display PKA public keys for a user named “chris”:
ns-> get scs pka-rsa username chris
See Also
See the set scs command.
get service
Description: Use the get service command to display the entries in the service list.
Syntax
get service
[<name_str> |group <name_str> |pre-defined |user]
[ > tftp <ip_addr> <filename> ]
Arguments
<name_str> The name of a specific service.
group Displays all service groups.
pre-defined Displays all the pre-defined services.
user Displays all user-defined services.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Defaults
Using the get service command without any arguments displays all pre-defined, user-defined, and service group information in the service book.
Examples
To display all entries in the service book:
ns-> get service
To display all user-defined entries in the service book:
ns-> get service user
To display a specific service named “ftp”:
ns-> get service ftp
See Also
See the set service command.
get session
Description: Use the get session command to display the entries in the session table.
Syntax
get session
[id <id_num> |fragment |[ tunnel ]
[ src-ip <ip_addr> [ netmask <mask> ] ][ dst-ip <ip_addr> [ netmask <mask> ] ]
[ src-mac <mac_addr> ] [ dst-mac <mac_addr> ][ protocol <ptcl_num> [ <ptcl_num> ] ]
[ src-port <port_num> [ <port_num> ] ][ dst-port <port_num> [ <port_num> ] ]
][ > tftp <ip_addr> <filename> ]
Arguments
id <id_num> Directs the NetScreen device to clear a specific session with Session Identification number <id_num>.
fragment Displays fragment sessions.
tunnel Displays VPN tunnel sessions.
src-ip <ip_addr> Directs the NetScreen device to clear all sessions initiated by packets containing source IP address <ip_addr>. For example, <ip_addr> could be the source IP address in the first TCP SYN packet.
dst-ip <ip_addr> Directs the NetScreen device to clear all sessions initiated by packets containing destination IP address <ip_addr>.
src-mac <mac_addr> Directs the NetScreen device to clear all sessions initiated by packets containing source MAC address <mac_addr>.
dst-mac <mac_addr> Directs the NetScreen device to clear all sessions initiated by packets containing destination MAC address <mac_addr>.
protocol <ptcl_num> [ <ptcl_num> ] Directs the NetScreen device to clear all sessions that use protocol <ptcl_num>. You can also specify any protocol within a range (<ptcl_num> <ptcl_num>).
src-port <port_num> [ <port_num> ] Directs the NetScreen device to clear all sessions initiated by packets that contain the layer 4 source port <port_num> in the layer 4 protocol header. You can also specify any layer 4 destination port within a range (<port_num> <port_num>).
dst-port <port_num> [ <port_num> ] Directs the NetScreen device to clear all sessions initiated by packets that contain the layer 4 destination port <port_num> in the layer 4 protocol header. You can also specify any layer 4 destination port within a range (<port_num> <port_num>).
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Defaults
If no arguments are specified, the get session command displays information for all entries in the session table by default.
Examples
To display all the entries in the session table:
ns-> get session
To display all the entries in the session table for a specific source IP address:
ns-> get session src-ip 172.16.10.92
To display all the entries in the session table for port 80:
ns-> get session dst-port 80
To display all the entries in the session table for protocol 5 and for source ports 2 through 5:
ns-> get session protocol 5 src-port 2 5
To display the session table entry for the session with ID 5116:
ns-> get session id 5116
See Also
See the clear session command.
Notes
The get session command displays:
• The Network Address Translation (NAT) mode
• The sessions in the normal session table
• The sessions in the external session table
• The packets coming into the session’s trusted IP address
• The packets going out of the untrusted IP address
• The currently active normal and external sessions
• The session’s ID number in the session table.
• The pseudo port, flag, and PID for the session
• The load-balancing server index
• The vector ID (VID)
• The session timeout specification
• The Gateway IP address
• The session’s security association
get snmp
Description: Use the get snmp command to display the NetScreen device settings for Simple Network Management Protocol (SNMP).
Syntax
get snmp
{auth-trap |community <name_str> |settings |vpn}
[ > tftp <ip_addr> <filename> ]
Arguments
auth-trap Displays the status of SNMP authentication traps.
community <name_str> Displays the permissions assigned to the named SNMP community.
settings Displays the name of the contact person, and the name and physical location of the NetScreen device.
vpn Displays SNMP VPN encryption status (Enabled or Disabled).
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display the settings for an SNMP community named “public”:
ns-> get snmp community public
To display the settings for all the communities:
ns-> get snmp all
To display the name of the contact person and the name and physical location of the NetScreen device:
ns-> get snmp settings
See Also
See the set snmp command.
get socket
Description: Use the get socket command to display socket information on a NetScreen device.
Syntax
get socket [ id <id_num> ]
[ > tftp <ip_addr> <filename> ]
Arguments
id Displays the socket ID value.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Platforms
All NetScreen device models support this feature.
Examples
To display socket information:
ns-> get socket
To display the information concerning socket 3001:
ns-> get socket id 3001
See Also
See the set socket command.
get software-key
Description: Use the get software-key command to display the software-key information on the NetScreen device.
Syntax
get software-key
[ > tftp <ip_addr> <filename> ]
Arguments
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display the software key on a NetScreen device:
ns-> get software-key
See Also
See the set software-key command.
Notes
The get software-key command displays this information:
• VSYS key
• NSRP key
• Maximum number of virtual systems allowed
• Whether NSRP is enabled
get ssl
Description: Use the get ssl command to display the Secure Socket Layers (SSL) on a NetScreen device.
Syntax
get ssl [ cert-list ]
[ > tftp <ip_addr> <filename> ]
Arguments
cert-list Displays currently available certificates.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display the SSL information on a NetScreen device:
ns-> get ssl
To display the SSL certificate list:
ns-> get ssl cert-list
See Also
See the set ssl command.
get syslog
Description: Use the get syslog command to display the syslog configuration.
Syntax
get syslog
[VPN |config |enable |port |traffic]
[ > tftp <ip_addr> <filename> ]
Arguments
vpn Shows if syslog encryption is enabled for a particular virtual private network.
config Shows whether the syslog mechanism is configured or not.
enable Shows whether syslog is enabled or not.
port Displays the port used to communicate with the syslog server.
traffic Indicates whether the traffic log is sent to syslog.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display all syslog configuration information:
ns-> get syslog
To display whether the syslog mechanism has been configured or not:
ns-> get syslog config
To display whether the syslog mechanism is enabled or not:
ns-> get syslog enable
To display the port used to communicate with the syslog server:
ns-> get syslog port
To display if sending the traffic log through syslog is enabled or not:
ns-> get syslog traffic
To display if communication with the WebTrends server is enabled or not:
ns-> get syslog webtrends
See Also
See the set syslog command.
get system
Description: Use the get system command to display general system information.
Syntax
get system
[ > tftp <ip_addr> <filename> ]
Arguments
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display the general system information:
ns-> get system
See Also
See the set admin and set interface commands.
get tech-support
Description: Use the get tech-support command to display system information for troubleshooting the NetScreen device.
Syntax
get tech-support
[ > tftp <ip_addr> <filename> ]
Arguments
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display information for troubleshooting purposes:
ns-> get tech-support
See Also
See the get system command.
get temperature
Description: Use the get temperature command to view the current system temperature, and the normal and severe temperature thresholds for triggering temperature alarms.
Syntax
get temperature
[ > tftp <ip_addr> <filename> ]
Arguments
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Defaults
The default temperature thresholds in Fahrenheit and Celsius are as follows:
• Normal alarm temperature threshold: 113° Fahrenheit, 50° Celsius
• Severe alarm temperature threshold: 122° Fahrenheit, 60° Celsius
Examples
To view the temperature settings:
ns-> get temperature
Notes
The output is displayed as shown below:
Current system temperature is 113’F, 45’C.
The normal alarm temperature is 122’F, 50’C.
The severe alarm temperature is 140’F, 60’C.
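As an added example that is not part of the guide, the following Python parses the three-sentence output shown above (for instance, when it has been written to a TFTP file by a monitoring job), cross-checks each Fahrenheit reading against its Celsius reading, classifies the current reading against the normal and severe thresholds, and flags thresholds that differ from the documented Celsius defaults. The sample output, the function names, and the assumption that an alarm fires once a reading reaches its threshold are mine.

```python
"""Parse and evaluate NetScreen "get temperature" output (added example)."""
import re
from dataclasses import dataclass

# Constructed sample in the format shown in the Notes above; the device may
# run the three sentences together, so no line breaks are assumed.
SAMPLE_OUTPUT = (
    "Current system temperature is 113'F, 45'C."
    "The normal alarm temperature is 122'F, 50'C."
    "The severe alarm temperature is 140'F, 60'C."
)

# Documented default thresholds (Celsius) from the Defaults section above.
DEFAULT_NORMAL_C = 50
DEFAULT_SEVERE_C = 60

# Accept either the ASCII apostrophe or the typographic one seen in the manual.
_READING_RE = re.compile(
    r"(?P<label>Current system temperature|The normal alarm temperature|"
    r"The severe alarm temperature) is (?P<f>-?\d+)['\u2019]F, "
    r"(?P<c>-?\d+)['\u2019]C\."
)
_LABELS = {
    "Current system temperature": "current_c",
    "The normal alarm temperature": "normal_c",
    "The severe alarm temperature": "severe_c",
}


@dataclass
class TemperatureReport:
    current_c: int
    normal_c: int
    severe_c: int

    def alarm_level(self) -> str:
        # Assumption: an alarm fires when the reading reaches its threshold.
        if self.current_c >= self.severe_c:
            return "severe"
        if self.current_c >= self.normal_c:
            return "normal"
        return "ok"

    def threshold_warnings(self) -> list:
        """Flag thresholds that differ from the documented defaults or
        are ordered inconsistently (a sign of unexpected reconfiguration)."""
        warnings = []
        if self.normal_c != DEFAULT_NORMAL_C:
            warnings.append(
                f"normal threshold {self.normal_c}C != default {DEFAULT_NORMAL_C}C")
        if self.severe_c != DEFAULT_SEVERE_C:
            warnings.append(
                f"severe threshold {self.severe_c}C != default {DEFAULT_SEVERE_C}C")
        if self.normal_c >= self.severe_c:
            warnings.append("normal threshold is not below severe threshold")
        return warnings


def f_to_c(fahrenheit: int) -> int:
    return round((fahrenheit - 32) * 5 / 9)


def parse_temperature(output: str) -> TemperatureReport:
    """Extract the three Celsius readings, rejecting output whose Fahrenheit
    and Celsius values disagree (allowing one degree of rounding slack) or
    that lacks any of the three sentences."""
    found = {}
    for m in _READING_RE.finditer(output):
        fahrenheit, celsius = int(m["f"]), int(m["c"])
        if abs(f_to_c(fahrenheit) - celsius) > 1:
            raise ValueError(
                f"{m['label']}: {fahrenheit}F and {celsius}C disagree")
        found[_LABELS[m["label"]]] = celsius
    missing = set(_LABELS.values()) - set(found)
    if missing:
        raise ValueError(f"output missing readings: {sorted(missing)}")
    return TemperatureReport(**found)


if __name__ == "__main__":
    report = parse_temperature(SAMPLE_OUTPUT)
    print(report, report.alarm_level(), report.threshold_warnings())
```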
get timer
Description: Use the get timer command to display the current timer settings.
Syntax
get timer
[ > tftp <ip_addr> <filename> ]
Arguments
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display the timer settings:
ns-> get timer
See Also
See the set timer command.
get traffic-shaping
Description: Use the get traffic-shaping command to display traffic management information for device interfaces. If no interface name is specified, the information for all interfaces is displayed.
Syntax
get traffic-shaping
{interface [ <name_str> ] |ip_precedence |mode}
Arguments
interface Displays the traffic shaping info for an interface.
<name_str> Defines the name of the interface.
ip_precedence Displays the priority to IP precedence (TOS) mapping.
mode Displays the traffic shaping mode.
Examples
To display traffic management information for all interfaces:
ns-> get traffic-shaping interface
See Also
See the get interface command.
get url-filter
Description: Use the get url-filter command to display the URL blocking configuration settings.
Syntax
get url-filter
[ > tftp <ip_addr> <filename> ]
Arguments
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display information about the URL blocking settings:
ns-> get url-filter
See Also
See the set url command.
Notes
NetScreen monitors the status of the Websense server once a minute. When the Websense server does not respond, this is reported in the WebUI. Also, an entry is added to the Event Alarm log in the status line of the CLI, and all URL requests are blocked.
All sessions waiting to be acknowledged by the Websense server are listed in the order the request is received. The waiting queue can have a maximum of 256 requests.
get user
Description: Use the get user command to display the user authentication database.
Syntax
get user { <name_str> | all | id <id_num> }
[ > tftp <ip_addr> <filename> ]
Arguments
<name_str> Displays this information with the name <name_str>:
- User ID number
- User name
- Status (enabled or disabled)
- Type: manual, auth, ike, l2tp, auth/ike, auth/l2tp, auth/ike/l2tp, ike/l2tp
- IKE ID types – email address, IP address, or domain name
- IKE identities
- Manual Key settings
- Remote L2TP settings
all Displays this information for all the entries in the internal user database:
- User ID number
- User name
- Status (enabled or disabled)
- User type
- IKE ID types – email address, IP address, or domain name
- IKE identities
- Manual Key settings
id <id_num> Displays the same information as does the get user <name_str> option.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display a particular user named “roger”:
ns-> get user roger
To display all the users in the NetScreen internal database:
ns-> get user all
To display a particular user with user ID “10”:
ns-> get user id 10
See Also
See the set user command.
get vip
Description: Use the get vip command to display the Virtual IP (VIP) configuration settings.
Syntax
get vip
[server |session]
[ > tftp <ip_addr> <filename> ]
Arguments
server Displays the load balance status of servers receiving traffic to VIPs.
session Displays the load balance session table, which shows balanced distribution of currently active VIP sessions.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Defaults
If no server or session is specified, the get vip command displays all configured VIPs by default.
Examples
To display all the configured VIPs:
ns-> get vip
See Also
See the set vip command.
get vpn
Description: Use the get vpn command to display Virtual Private Network (VPN) configurations.
Syntax
get vpn
[<name_str> [ detail ] |auto |manual |proxy-id]
[ > tftp <ip_addr> <filename> ]
Arguments
<name_str> Displays the following information for a specific AutoKey IKE VPN with the name <name_str>:
- VPN name and VPN gateway name
- IPSec mode—tunnel or transport
- Replay protection (enabled or disabled)
- Phase 2 proposals
- VPN monitoring (enabled or disabled)
- The number of access policies using the VPN
- The number of security associations (SAs) using the VPN
- The idle timeout value after which the VPN is closed
- A 16-bit VPN flag that provides internal information about the VPN. For debugging purposes only.
Displays the following information for a specific Manual Key VPN with the name <string>:
- Local and remote security parameter index (SPI) numbers
- The number of security associations (SAs) using the VPN
- An 8-bit flag indicating internal information for debugging purposes
- The IPSec protocol used in the VPN—either Encapsulating Security Payload (ESP) or Authentication Header (AH)
- The encryption and/or authentication algorithms employed, any passwords used to generate encryption and/or authentication keys, and the keys themselves
- VPN monitoring (enabled or disabled)
detail Provides a detailed profile of the VPN, including the encryption and authentication keys, its current state of activity, and the ID numbers of the incoming and outgoing access policies that reference the VPN.
manual Displays all Manual Key VPNs.
auto Displays all AutoKey IKE VPNs.
proxy-id Displays proxy-id configurations. A proxy-id configuration consists of local and remote addresses used by a VPN tunnel, and specifies the services provided.
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display all VPN definitions:
ns-> get vpn
To display a VPN named “branch”:
ns-> get vpn branch
To display all AutoKey IKE VPNs:
ns-> get vpn auto
To display all Manual Key VPNs:
ns-> get vpn manual
To display all proxy-id configurations:
ns-> get vpn proxy-id
See Also
See the set vpn command.
get vpnmonitor
Description: Use the get vpnmonitor command to display VPN Monitor parameters.
Syntax
get vpnmonitor
[ > tftp <ip_addr> <filename> ]
Arguments
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.
Examples
To display the firewall protection settings:
ns-> get vpnmonitor
See Also
See the set vpnmonitor command.
get vrouter
Description: Use the set vrouter command to configure a virtual router.
Syntax
get vrouter
[<name_str>
[interface |route
{id <id_num> |ip <ip_addr>} |
rule |zone]
]
unset config
Arguments
<name_str> The name of the virtual router.
interface Displays the interface entries in the virtual router.
route Displays the contents of the routing table. The id <id_num> parameter displays the route identified by an ID number. The <ip_addr> parameter displays the route identified by an IP address.
rule Displays the import and export rules.
zone Displays the zones bound to the virtual router.
Examples
To display the interface entries in a virtual router named Marketing:
ns-> get vrouter Marketing interface
To display the route with ID of 1 in the untrust-vr virtual router:
ns-> get vrouter untrust-vr route id 1
See Also
See the set vrouter command.
get vsys

Description: Use the get vsys command to display a specific virtual system or all the virtual systems on a NetScreen device.

Syntax: get vsys [ <name_str> ] [ > tftp <ip_addr> <filename> ]

Arguments:
<name_str>    Displays the configuration settings for a virtual system with the name <name_str>.
> tftp <ip_addr> <filename>    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples:
To display all virtual systems on the NetScreen-1000 device:
ns-> get vsys
To display the sub-interface (SIF) identifying number, the name of the VLAN associated with the SIF, and the IP address and netmask for a virtual system named “organization3”:
ns-> get vsys organization3

See Also: See the set interface, set vsys, enter vsys, and exit commands.
get webtrends

Description: Use the get webtrends command to display the WebTrends server settings.

Syntax: get webtrends [ > tftp <ip_addr> <filename> ]

Arguments:
> tftp <ip_addr> <filename>    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples:
To display the WebTrends server settings:
ns-> get webtrends

See Also: See the set webtrends command.
get zone

Description: Use the get zone command to display information about security zones.

Syntax: get zone [ id <id_num> | <name_str> | all ]

Arguments:
id <id_num>    The identification number of the zone.
<name_str>    The name of the zone. For more information on zones, see Security Zones in USGA Features.
all    Displays information on all zones.

Examples:
To create a new Layer-2 zone named Marketing, with VLAN ID number 3:
ns-> set zone name Marketing L2 3
To impose inter-zone blocking on the Trust zone:
ns-> set zone trust block
To create a tunnel zone named Engineering:
ns-> set zone name Engineering tunnel Tunn_Zone

See Also: See the get config command.
clear Commands

Use the clear commands to remove data stored in log tables, remove information stored in memory, and remove information stored on the flash card.

Note: As you execute CLI commands using the syntax descriptions in this chapter, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the clear pppoe command, which is available on a NetScreen-208 device, but not on a NetScreen-500 device.
clear admin

Description: Use the clear admin command to remove remote administrator information.

Syntax: clear admin { user { cache | login } }

Arguments:
cache    Remote admin users
login    Current users of all the login sessions

Examples:
To clear the profiles for all remote administrators:
ns-> clear admin user cache

See Also: See the get admin command.
clear alarm

Description: Use the clear alarm command to clear the entries in the alarm table.

Syntax:
clear alarm
  { event [ end-time <string> ] |
    traffic [ policy { <id_num> [ -<id_num> ] } ] [ end-time <string> ]
  }

Arguments:
event    Specifies entries in the event alarm table.
traffic    Specifies entries in the traffic alarm table.
end-time <string>    Clears alarm entries that occurred at and before the time specified. The format for <string> is: mm/dd[/yy-hh:mm:ss. You can omit the year (the current year is the default), or express the year using the last two digits or all four. The hour, minute, and second are optional. The delimiter between the date and the time can be a dash or an underscore: 12/31/2001-23:59:00 or 12/31/2001_23:59:00
policy    Clears entries from the traffic alarm table for an Access Policy specified by its ID number or for several Access Policies specified by a range of ID numbers. The ID number can be any value between 0 and the total number of established Access Policies. To define a range, enter the starting and ending ID numbers as follows: <id_num>-<id_num>

Defaults:
If you specify no arguments, the clear alarm command removes all entries from both the event alarm table and the traffic alarm table.

Examples:
To clear all entries in the event alarm table:
ns-> clear alarm event
To clear all entries in the traffic alarm table:
ns-> clear alarm traffic
To clear alarm entries for an Access Policy with ID number 4 from the traffic alarm table:
ns-> clear alarm traffic policy 4
To clear alarm entries for Access Policies within the ID range of 5 to 8 from the traffic alarm table:
ns-> clear alarm traffic policy 5-8
To clear alarm entries at or before July 15, 2000 11:00 A.M. from the traffic alarm table:
ns-> clear alarm traffic end-time 07/15/00-11:00

See Also: See the get alarm command.
clear arp

Description: Use the clear arp command to clear entries in the Address Resolution Protocol (ARP) table.

Syntax: clear arp

Arguments: None.

Examples:
To clear the entries in the ARP table:
ns-> clear arp

See Also: See the get arp command.
clear audible-alarm

Description: Use the clear audible-alarm command to turn off an alarm sounding on a NetScreen device.

Syntax: clear audible-alarm

Arguments: None.

Examples:
To turn off an audible alarm:
ns-> clear audible-alarm

See Also: See the set audible-alarm and get audible-alarm commands.
clear auth

Description: Use the clear auth command to clear the authentication queue, which stores the ongoing authentication process.

Syntax: clear auth [ history ]

Arguments:
history    Clears the authentication history, which stores the authenticated events and timeout values.

Examples:
To clear all entries in the authentication table:
ns-> clear auth
To clear user authentication history:
ns-> clear auth history

See Also: See the get auth and set auth commands.
clear counter

Description: Use the clear counter command to clear interface and flow counters.

Syntax: clear counter { all | ha | screen [ interface <interface> ] }

Arguments:
ha    Specifies counters for packets transmitted across a high-availability (HA) link between two NetScreen devices. An HA-level inspection keeps count of the number of packets and packet errors.
screen    Clears the screen counters. The interface <interface> parameter specifies the name of a particular interface. For more information on interfaces, refer to Interfaces in USGA Features.

Examples:
To clear the ha counter:
ns-> clear counter ha

See Also: See the get counter command.
clear crypto

Description: Use the clear crypto command to delete the crypto file (image signing key) as FIPS requires when you want to reset the whole NetScreen device.

Syntax: clear crypto { auth-key | file }

Arguments:
auth-key    Deletes the image authentication key.
file    Deletes all crypto files.

Examples:
To clear the crypto authentication key:
ns-> clear crypto auth-key
To clear the crypto file:
ns-> clear crypto file

See Also: See the ping crypto and trace-route crypto commands.
clear dbuf

Description: Use the clear dbuf command to clear the contents of the debug buffer.

Syntax: clear dbuf

Arguments: None.

Examples:
To clear the contents of the debug buffer:
ns-> clear dbuf

See Also: See the get dbuf and set console commands.
clear dhcp

Description: Use the clear dhcp command to release the IP address the NetScreen device is using for its untrusted interface. The device obtains this IP address from the DHCP server. You can also use clear dhcp to return a specific IP address to the Dynamic Host Configuration Protocol (DHCP) pool of IP addresses, or to return all IP addresses to the pool.

Syntax: clear dhcp { client | server { <interface> } }

Arguments:
client    Clears the DHCP client IP address obtained by the NetScreen device untrusted interface.
server <interface>    Clears the IP in the DHCP server IP address pool. For more information on interfaces, refer to Interfaces in USGA Features.

Examples:
To release the IP address that the NetScreen device obtained from the DHCP server:
ns-> clear dhcp client
To return the IP address for interface ethernet1 to the DHCP server pool:
ns-> clear dhcp server ethernet1
To return the IP address for interface ethernet3/1 to the DHCP server pool:
ns-> clear dhcp server ethernet3/1

See Also: See the set dhcp, unset dhcp, get dhcp, and exec dhcp client commands.
clear dns

Description: Use the clear dns command to clear the DNS cache table.

Syntax: clear dns

Arguments: None.

Examples:
To clear the DNS cache table:
ns-> clear dns

See Also: See the set dns, unset dns, get dns, and exec dns commands.
clear file

Description: Use the clear file command to delete a specific file from the flash card memory.

Syntax: clear file <dev_name>:<filename>

Arguments:
<dev_name>:<filename>    Deletes the file with the name <filename> from the flash card memory.

Examples:
To delete a file named myconfig in the flash memory on the memory board:
ns-> clear file flash:myconfig

See Also: See the get file command.
clear ike-cookie

Description: Use the clear ike-cookie command to clear the entries in the Internet Key Exchange (IKE) cookie table.

Syntax: clear ike-cookie { <ip_addr> | all }

Arguments:
<ip_addr>    Clears the entries for IP address <ip_addr> in the IKE cookie table.
all    Clears all entries in the IKE cookie table.

Examples:
To clear all entries in the IKE cookie table:
ns-> clear ike-cookie all
To clear entries for IP address 100.2.30.1 in the IKE cookie table:
ns-> clear ike-cookie 100.2.30.1

See Also: See the set ike, unset ike, and get ike commands.
clear l2tp

Description: Use the clear l2tp command to remove all of the active L2TP tunnels or a specific L2TP tunnel whose peer is at a specified IP address.

Syntax: clear l2tp { all | ip <ip_addr> }

Arguments:
all    Clears all active L2TP tunnels.
ip <ip_addr>    Specifies the peer IP address.

Examples:
To clear all active L2TP tunnels:
ns-> clear l2tp all
To clear the L2TP tunnel whose peer is at IP 1.1.1.1:
ns-> clear L2TP ip 1.1.1.1

See Also: See the set l2tp, unset l2tp, and get l2tp commands.
clear led

Description: When either an event alarm or a firewall attack occurs, the LED glows red to signal that alarm or attack. Use the clear led command to return an ALARM or FW (firewall) LED to green after an event alarm or a firewall attack occurs.

Syntax: clear led { alarm | firewall }

Arguments:
alarm    Specifies the ALARM LED.
firewall    Specifies the firewall (FW) LED.

Examples:
To return the FW LED to green after a firewall attack occurs:
ns-> clear led firewall
To change the ALARM LED to green after an event alarm occurs:
ns-> clear led alarm
clear log

Description: Use the clear log command to clear the entries in the log table.

Syntax:
clear log
  { event [ end-time <string> ] |
    self [ end-time <string> ] |
    system [ saved ] |
    traffic [ policy { <id_num>-<id_num> | <id_num> } ] [ end-time <string> ]
  }

Arguments:
event    Clears event entries from the log.
self    Clears self-log entries from the log.
traffic    Clears traffic entries from the log.
end-time <string>    Clears log entries that occurred at and before the time specified. The format for <string> is: mm/dd[/yy-hh:mm:ss. You can omit the year (the current year is the default), or express the year using the last two digits or all four. The hour, minute, and second are optional. The delimiter between the date and the time can be a dash or an underscore: 12/31/2001-23:59:00 or 12/31/2001_23:59:00
policy <id_num>-<id_num> | <id_num>    Clears the traffic entries in the log table for the access policy with ID number <id_num>-<id_num> or <id_num>, or for access policies within the range of specified ID numbers.

Examples:
To clear entries in the event log:
ns-> clear log event
To clear all entries in the traffic log:
ns-> clear log traffic
To clear all entries for an access policy with ID number 4 in the traffic log:
ns-> clear log traffic policy 4
To clear event log entries that occurred at or before 5:00 P.M. April 10, 2000:
ns-> clear log event end-time 04/10/00-17:00
To clear traffic log entries that occurred at or before 3:15 P.M. on June 3, 2001 for access policies ranging from ID 5–10:
ns-> clear log traffic policy 5-10 end-time 06/03/01_15:15

See Also: See the get log command.
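The end-time <string> and policy range rules above (the same rules the clear alarm command uses) as an added worked example, not code from the NetScreen guide: a Python parser that reads the format as mm/dd[/yy][-hh:mm[:ss]] with a dash or underscore delimiter (an assumption drawn from the printed examples, since the bracket in the printed format is unbalanced), then applies a policy range and an inclusive cutoff to a constructed sample traffic log.

```python
"""Parser for the ScreenOS 'end-time <string>' and 'policy <id_num>-<id_num>'
arguments of clear log / clear alarm. Added example; not code from the
NetScreen guide. Assumptions (not stated by the guide): the format is read
as mm/dd[/yy][-hh:mm[:ss]] or mm/dd[/yy][_hh:mm[:ss]], a two-digit year
means 20yy, and omitted time fields are zero."""
import re
from datetime import datetime

END_TIME_RE = re.compile(
    r"^(?P<month>\d{1,2})/(?P<day>\d{1,2})"          # mm/dd
    r"(?:/(?P<year>\d{4}|\d{2}))?"                    # optional /yy or /yyyy
    r"(?:[-_](?P<hour>\d{1,2}):(?P<minute>\d{1,2})"   # optional -hh:mm or _hh:mm
    r"(?::(?P<second>\d{1,2}))?)?$"                   # optional :ss
)


def parse_end_time(text, current_year=None):
    """Return the inclusive cutoff as a datetime; raise ValueError if malformed."""
    m = END_TIME_RE.match(text.strip())
    if m is None:
        raise ValueError("bad end-time %r: expected mm/dd[/yy][-hh:mm[:ss]]" % text)
    year = m.group("year")
    if year is None:
        year = current_year if current_year is not None else datetime.now().year
    elif len(year) == 2:
        year = 2000 + int(year)        # assumption: yy is read as 20yy
    else:
        year = int(year)
    # datetime() rejects out-of-range fields (month 13, hour 24, Feb 30 ...)
    return datetime(year, int(m.group("month")), int(m.group("day")),
                    int(m.group("hour") or 0), int(m.group("minute") or 0),
                    int(m.group("second") or 0))


def parse_policy_range(text):
    """'4' -> {4}; '5-10' -> {5, ..., 10}. Raise ValueError otherwise."""
    m = re.match(r"^(\d+)(?:-(\d+))?$", text.strip())
    if m is None:
        raise ValueError("bad policy range %r" % text)
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) is not None else start
    if end < start:
        raise ValueError("policy range end %d precedes start %d" % (end, start))
    return set(range(start, end + 1))


# Constructed sample traffic-log entries (not real device output).
SAMPLE_TRAFFIC_LOG = [
    {"id": 1, "policy": 5,  "time": datetime(2001, 6, 3, 14, 59, 0)},
    {"id": 2, "policy": 7,  "time": datetime(2001, 6, 3, 15, 15, 0)},
    {"id": 3, "policy": 9,  "time": datetime(2001, 6, 3, 15, 16, 0)},
    {"id": 4, "policy": 12, "time": datetime(2001, 6, 2, 9, 0, 0)},
]


def remaining_after_clear(entries, policy_text=None, end_time_text=None,
                          current_year=None):
    """Ids of entries that survive 'clear log traffic [policy P] [end-time T]'.

    An entry is removed when it matches every filter given; with no filters
    the whole table is cleared."""
    policies = parse_policy_range(policy_text) if policy_text else None
    cutoff = parse_end_time(end_time_text, current_year) if end_time_text else None
    kept = []
    for e in entries:
        policy_hit = policies is None or e["policy"] in policies
        time_hit = cutoff is None or e["time"] <= cutoff   # "at and before"
        if not (policy_hit and time_hit):
            kept.append(e["id"])
    return kept


if __name__ == "__main__":
    # The guide's own example: policy 5-10 end-time 06/03/01_15:15
    print(remaining_after_clear(SAMPLE_TRAFFIC_LOG, "5-10", "06/03/01_15:15"))
```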
clear mac-learn

Description: Use the clear mac-learn command to clear the entries in the Media Access Control (MAC) learning table. This command functions only when the NetScreen device is in Transparent mode.

Syntax: clear mac-learn [ stats ]

Arguments:
stats    Clears the MAC learning table statistics.

Examples:
To clear the statistics in the MAC learning table:
ns-> clear mac-learn stats

See Also: See the get mac-learn, get mac-count, and clear mac-count commands.
clear node_secret

Description: Use the clear node_secret command when the NetScreen device is using SecurID to authenticate users and is not communicating properly with the ACE Server. If the system IP or interface IP address changes, it is necessary to clear and reset the node secret on both the NetScreen device and the ACE server.

Syntax: clear node_secret [ ipaddr <ip_addr> ]

Arguments:
ipaddr <ip_addr>    Specifies the outgoing IP address for communication with the SecurID server.

Defaults: None.

Examples:
To clear and prompt the NetScreen device to request the node secret from the ACE server:
ns-> clear node_secret

Notes:
If you remove, move, or reconfigure a NetScreen device, it might stop communicating with the ACE Server. If this happens, the ACE Server log displays a message saying that the node secret is invalid. Use the clear node_secret command to resynchronize communication between the two.

The node secret bit tells the ACE server to negotiate an encryption secret as soon as possible. When the first successful authentication occurs, the ACE server negotiates an encryption secret. The NetScreen device stores the node secret in nonvolatile memory.

Caution: Because the node secret does not reside in the configuration, the unset all command does not clear it. Reset the node secret whenever you change the NetScreen IP address or if the ACE server administrator deletes and recreates the client.
clear pppoe

Description: Use the clear pppoe command to reset PPPoE statistical registers.

Syntax: clear pppoe

Arguments: None.

Examples:
To reset the statistics for the PPPoE connection:
ns-> clear pppoe

See Also: See the set pppoe, unset pppoe, get pppoe, and exec pppoe commands.
clear sa

Description: Use the clear sa command to clear the IKE value for the specified Security Association (SA).

Syntax: clear sa { <number> }

Arguments:
<number>    Specifies the SA index number.

Examples:
To clear the IKE value for SA 2:
ns-> clear sa 2

See Also: See the clear sa-statistics and the get sa commands.
clear sa-stat

Description: Use the clear sa-stat command to clear all statistical information (such as number of fragmentations and total bytes through the tunnel) in a Security Association (SA) for an AutoKey IKE VPN tunnel.

Syntax: clear sa-stat [ id <id_num> ]

Arguments:
id <id_num>    Clears statistics in a particular Security Association.

Examples:
To clear the SA statistics for SA 2:
ns-> clear sa-stat id 2
To clear the SA statistics for all security associations:
ns-> clear sa-stat

See Also: See the clear sa and the get sa commands.
clear session

Description: Use the clear session command to clear entries in the NetScreen device’s session table.

Syntax:
clear session
  [ all |
    id <id_num> |
    [ src-ip <ip_addr> [ netmask <mask> ] ] [ dst-ip <ip_addr> [ netmask <mask> ] ]
    [ src-mac <mac_addr> ] [ dst-mac <mac_addr> ]
    [ protocol <ptcl_num> [ <ptcl_num> ] ] [ src-port <port_num> [ <port_num> ] ]
    [ dst-port <port_num> [ <port_num> ] ] [ vsd-id <id_num> ]
  ]

Arguments:
all    Directs the NetScreen device to clear all sessions.
id <id_num>    Directs the NetScreen device to clear a specific session with Session Identification number <id_num>.
src-ip <ip_addr>    Directs the NetScreen device to clear all sessions initiated by packets containing source IP address <ip_addr>. For example, <ip_addr> could be the source IP address in the first TCP SYN packet.
dst-ip <ip_addr>    Directs the NetScreen device to clear all sessions initiated by packets containing destination IP address <ip_addr>.
src-mac <mac_addr>    Directs the NetScreen device to clear all sessions initiated by packets containing source MAC address <mac_addr>.
dst-mac <mac_addr>    Directs the NetScreen device to clear all sessions initiated by packets containing destination MAC address <mac_addr>.
protocol <ptcl_num> [ <ptcl_num> ]    Directs the NetScreen device to clear all sessions that use protocol <ptcl_num>. You can also specify any protocol within a range (<ptcl_num> <ptcl_num>).
src-port <port_num> [ <port_num> ]    Directs the NetScreen device to clear all sessions initiated by packets that contain the layer 4 source port <port_num> in the layer 4 protocol header. You can also specify any layer 4 destination port within a range (<port_num> <port_num>).
dst-port <port_num> [ <port_num> ]    Directs the NetScreen device to clear all sessions initiated by packets that contain the layer 4 destination port <port_num> in the layer 4 protocol header. You can also specify any layer 4 destination port within a range (<port_num> <port_num>).
vsd-id <id_num>    Directs the NetScreen device to clear all sessions that belong to the VSD group <id_num>.

Examples:
To clear all entries in the session table:
ns-> clear session
To clear all sessions belonging to VSD group 2001, and initiated from the host at IP address 172.16.10.12:
ns-> clear session src-ip 172.16.10.12 vsd-id 2001

See Also: See the get session command.
clear url

Description: Use the clear url command to disable URL blocking for an interface pair.

Syntax: clear url { no-block { <interface> { <interface> } } }

Arguments:
no-block <interface> <interface>    Disables URL blocking for the interface pair <interface> <interface>.

Examples:
To remove URL blocking for the interfaces ethernet1 and ethernet2:
ns-> clear url no-block ethernet1 ethernet2

See Also: See the get file command.
Miscellaneous Commands

This chapter contains miscellaneous commands that do not fit into the other categories.

Note: As you execute CLI commands using the syntax descriptions in this manual, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the exec pppoe command, which is available on a NetScreen-208 device, but not on a NetScreen-500 device.
exec dhcp

Description: Use the exec dhcp command to renew the lease for an IP address from a DHCP server.

Syntax: exec dhcp { client { renew } | server { sync } }

Arguments:
client    Executes the DHCP client.
server    Executes the DHCP server.
renew    Renews the DHCP client lease.
sync    Syncs the DHCP server IP allocation (for HA).

Examples:
To renew a lease for an IP address from the DHCP server immediately:
ns-> exec dhcp client renew

See Also: See the set dhcp, get dhcp, and clear dhcp commands.

Notes:
The exec dhcp command can be useful if the DHCP server fails. When this happens, the system administrator can request a new lease for the NetScreen device immediately after the DHCP server reboots. The NetScreen device may or may not be assigned the same IP address it used on the previous lease.
exec dns

Description: Use the exec dns command to refresh all DNS entries.

Syntax: exec dns { refresh }

Arguments:
refresh    Refreshes all DNS entries.

Examples:
To refresh all DNS entries:
ns-> exec dns refresh

See Also: See the set dns, unset dns, get dns, and clear dns commands.
exec ha

Description: Use the exec ha command to copy files from a master unit to a backup unit. Execute this command in the master unit.

Syntax: exec ha { file-sync [ <filename> ] }

Arguments:
file-sync <filename>    Specifies the name of a particular file to copy from the master unit to a backup unit. Executing this command without specifying a file name copies all the files.

Examples:
To copy all files from the master unit to a backup unit:
ns-> exec ha file-sync
To copy the environment variable records from the master unit to a backup unit:
ns-> exec ha file-sync envar.rec
The command cannot take effect until you reboot the backup unit.
ns-> reboot
ns-> configuration modified, save? [y]/n n
ns-> system reset, are you sure? y/[n] y

See Also: See the set ha, unset ha, and get ha commands.
exec ntp

Description: Use the exec ntp command to immediately update the NetScreen device clock using Network Time Protocol (NTP).

Syntax: exec ntp { update }

Arguments:
update    Updates the time setting on a NetScreen device to synchronize it with the time setting on an NTP server.

Examples:
To update the NetScreen device time by synchronizing it with the NTP server:
ns-> exec ntp update

See Also: See the set ntp, unset ntp, and get ntp commands.
exec ping

Description: Use the exec ping command to check the network connection to another system.

Syntax:
exec ping [ <ip_addr> | <name_str> ]
  [ count <number> [ size <number> [ time-out <number> ] ] ] [ from <interface> ]

Arguments:
<ip_addr> | <name_str>    Pings the host with the IP address <ip_addr> or name <name_str>.
count <number>    The ping count.
size <number>    The packet size for each ping.
time-out <number>    The ping timeout in seconds.
from <interface>    The source interface for an extended ping. For more information on interfaces, refer to Interfaces in USGA Features.

Examples:
To ping a host with IP address 172.16.11.2:
ns-> exec ping 172.16.11.2
To ping a host with IP address 192.168.11.2 and have the results sent to 10.1.1.3:
ns-> exec ping 192.168.11.2 from mip 10.1.1.3
To ping a host with IP address 172.16.11.2 from interface ethernet2:
ns-> exec ping 172.16.11.2 from ethernet2

Notes:
An extended ping (using the from option) allows the user to ping a host on the Untrusted network from any of the MIPs or from the Trusted interface IP address.
exec pki

Description: Use the exec pki commands to manage RSA key pair generation and X.509 certificate requests and removals for public-key infrastructure (PKI).

Syntax:
exec pki
  { convert-cert |
    dsa new-key <key_num> |
    rsa new-key <key_num> |
    x509
      { delete <number> |
        pkcs10 |
        tftp <ip_addr> { cert-name <name_str> | crl-name <name_str> } |
        scep <number> }
  }

Arguments:
convert-cert    Moves the local certificate to the VSYS environment.
dsa new-key    Generates a new DSA public/private key pair with a specified bit length. Key length is 512, 786, 1024, or 2048.
rsa new-key    Generates a new RSA public/private key pair with a specified bit length. Key length is 512, 786, 1024, or 2048.
x509    delete: Deletes a specified X.509 certificate from a NetScreen device.
    pkcs10: Generates a PKCS10 file for an X.509 certificate request for the NetScreen device.
    tftp: Uploads the specified certificate or CRL file for the specified TFTP server. The TFTP server is identified by its IP address <ip_addr>.
    scep: Initiates a Simple Certificate Enrollment Protocol (SCEP) operation to retrieve certificates from a certificate authority server.
cert-name <string>    Specifies the name of the certificate.
crl-name <string>    Specifies the name of the revocation list.

Examples:
To create a new RSA key pair with a length of 1024 bits:
ns-> exec pki rsa new-key 1024
To remove an X.509 certificate with the ID number 3 from the NetScreen device:
ns-> exec pki x509 delete 3
To obtain an x509 CA certificate from a certificate authority to sign your local certificates:
ns-> set pki auth -1 scep ca-cgi “http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe”
ns-> set pki auth -1 scep ra-cgi “http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe”
ns-> exec pki rsa new 1024
ns-> exec pki x509 scep -1
ns-> get pki x509 list pending-cert
ns-> exec pki x509 scep 1
These commands perform the following operations:
1. Specify CA and RA CGI paths to a certificate authority (CA) server.
2. Execute RSA private/public key configuration, specifying a key length of 1024 bits.
3. Initiate the SCEP operation to retrieve certificates.
4. Display a list of pending certificates, allowing you to see and record the index number identifying the certificate.
5. Obtain a CA certificate from the CA server (using the index number obtained in Step 4) to identify the certificate.

See Also: See also the set pki, unset pki, and get pki commands.
exec pppoe

Description: Use the exec pppoe command to set up or take down a PPPoE connection.

Syntax: exec pppoe { connect | disconnect }

Arguments:
connect    Starts a PPPoE connection.
disconnect    Takes down a PPPoE connection.

Examples:
To set up a PPPoE connection:
ns-> exec pppoe connect

See Also: See the set pppoe, unset pppoe, get pppoe, and clear pppoe commands.
exec save

Description: Use the exec save command to save the NetScreen device configuration settings either to the flash card memory or to a Trivial File Transfer Protocol (TFTP) server connected to the trusted interface on the NetScreen device.

Syntax:
exec save
  [ config
      [ [ from { flash | slot1 <name_str> | tftp <ip_addr> <name_str> } ]
        [ append | to { flash | slot1 <name_str> | tftp <ip_addr> <name_str> } ] |
        all-virtual-system |
        ha-master ] |
    software from { flash | slot1 <name_str> | tftp <ip_addr> <name_str> }
      to { flash | slot1 <name_str> | tftp <ip_addr> <name_str> } |
    image-key { tftp <ip_addr> <filename> }
  ]

Arguments:
config    Saves configurations according to argument:
    all-virtual-system: Saves all virtual system configurations.
    from: Saves from the specified source.
        flash: Saves from flash, and if selected, appends to the current configuration.
        slot1: Saves from the pccard in slot 1.
        tftp: Saves the configuration settings from a TFTP server with the IP address <ip_addr>. Appends the configuration information to the current configuration file on the NetScreen device.
    ha-master: Saves master configuration. At the slave unit console, use this command to pass the configuration settings from the Master unit to the slave unit. Reset the slave unit after the configuration settings are passed.
    to: Saves to the following destination type:
        flash: Saves to flash, and if selected, appends to the current configuration.
        slot1: Saves to pccard in slot1.
        tftp: Saves the configuration settings to a TFTP server with the IP address <ip_addr>.
software    Saves software.
    from: Saves the software from the source:
        flash: Downloads system image from flash.
        slot1: Downloads system image from slot 1.
        tftp: Downloads system image from the TFTP server with the IP address <ip_addr> to the NetScreen device.
image-key { tftp <ip_addr> <filename> }    Loads image key from TFTP server, and specifically from the TFTP <ip_addr>, file name <filename> if specified.

Examples:
To save the current configuration settings to the flash memory:
ns-> exec save
To save the current configuration settings to a file named “my_config” on a TFTP server with IP address 192.16.11.9:
ns-> exec save config to tftp 192.16.11.9 my_config
To download a configuration file named “my_config” from a TFTP server with the IP address 172.16.30.10 and overwrite the current saved configuration settings on the NetScreen device:
ns-> exec save config from tftp 172.16.30.10 my_config
To download the software file ns5.165 from a TFTP server with the IP address 172.16.20.10 to flash:
ns-> exec save software from tftp 172.16.20.10 ns5.165 to flash
To copy a configuration file named cnfg5 from the PCMCIA card in slot 1 to a file named ns_cnfg5 in a TFTP server at 172.16.156.9:
ns-> exec save config from slot1 cnfg5 to tftp 172.16.156.9 ns_cnfg
To load an authentication key on a FIPS-compliant NetScreen device from a file named nskey.cer on a TFTP server at 10.10.1.2:
ns-> exec save image-key tftp 10.10.1.2 nskey.cer

See Also: See the get config command.
exec scs

Description: Use the exec scs command to load a key from a file on a TFTP server and bind the key to a user.

Syntax:
exec scs
  { tftp { pka-rsa } [ username <name_str> ]
    { file-name <filename> ip-addr <ip_addr> } }

Arguments:
tftp { pka-rsa }    Specifies a TFTP server from which to load and bind a pka-rsa key from a file.
username <name_str>    Loads and binds the key to a specific user.
file-name <filename> and ip-addr <ip_addr>    Loads and binds the key to the current user, specifies the IP address (<ip_addr>) of the TFTP server, and specifies the file name (<filename>) of the file containing the key.

Examples:
To load and bind a key contained in a file named “key_file” to a user named “chris” from a server at IP address 172.16.10.11:
ns-> exec scs tftp pka-rsa username chris file-name key_file ip-addr 172.16.10.11

See Also: See the set scs and get scs commands.
exec software-key

Description: Use the exec software-key command to upgrade device features and their options.

Syntax: exec software-key { vpn <key_str> | vsys <key_str> | zone <key_str> }

Arguments:
vpn <key_str>    Specifies the key for VPN capability upgrade.
vsys <key_str>    Specifies the key for VSYS capability upgrade.
zone <key_str>    Specifies the key for zone capability upgrade.

Examples:
To upgrade zone capability:
ns-> exec software-key zone 2d2b340097de5000
To upgrade the VPN feature:
ns-> exec software-key vpn 3d2c340187de5401

See Also: See the get software-key command.
exec trace-route

Description: Use the trace-route command to obtain the host name.

Syntax:
exec trace-route { <name_str> | <ip_addr> }
  [ hop <number> [ time-out <number> ] ]

Arguments:
<name_str> | <ip_addr>    Specifies the name or IP address of the host to trace.
hop <number>    Specifies the number of gateway devices to traverse before abandoning the trace-route attempt.
time-out <number>    Specifies the length of time, in seconds, before the NetScreen device abandons that trace-route attempt.

Examples:
To execute the trace-route command from the NetScreen device to a host named “myhost”:
ns-> trace-route myhost
To execute the trace-route through up to 3 hops to a host named “ourhost”:
ns-> trace-route ourhost hop 3
To execute the trace-route through up to 5 hops to a host named “thishost,” with a time-out interval of 10 seconds:
ns-> trace-route thishost hop 3 time-out 10

See Also: See the ping and exec trace-route commands.
exit

Description: Use the exit command to exit from the console and command-line interface.

Syntax: exit

Arguments: None.

Examples:
To log off the console:
ns-> exit

Notes:
After issuing the exit command at the console, you must log back in to the console to configure a NetScreen device.
After issuing the exit command as root, you remain logged in to the console.
ping

Description: Use the ping command to check the network connection to another system.

Syntax: ping [ <ip_addr> | <name_str> ]
[ count <number> [ size <number> [ time-out <number> ] ] ] [ from <interface> ]

Arguments:
<ip_addr> | <name_str> Pings the host with the IP address <ip_addr> or name <name_str>.
count <number> The ping count.
size <number> The packet size for each ping.
time-out <number> The ping timeout in seconds.
from <interface> The source interface for an extended ping. For more information on interfaces, refer to Interfaces in USGA Features.

Examples:
To ping a host with IP address 172.16.11.2:
ns-> ping 172.16.11.2
To ping a host with IP address 192.168.11.2 and have the results sent to 10.1.1.3:
ns-> ping 192.168.11.2 from mip 10.1.1.3
To ping a host with IP address 172.16.11.2 from interface ethernet2:
ns-> ping 172.16.11.2 from ethernet2

Notes:
An extended ping (using the from option) allows the user to ping a host on the Untrusted network from any of the MIPs or from the Trusted interface IP address.
reset

Description: Use the reset command to reboot the NetScreen device.

Syntax: reset
[ no-prompt | save-config { no | yes } [ no-prompt ] ]

Arguments:
no-prompt Indicates no confirmation.
save-config { no | yes } Saves the configuration:
  no: Does not save the configuration.
  yes: Saves the configuration.
  no-prompt: Does not display a confirmation.

Examples:
To reboot a NetScreen device:
ns-> reset
save

Description: Use the save command to save the NetScreen device configuration settings either to the flash card interface on the NetScreen device or to flash memory, or to a Trivial File Transfer Protocol (TFTP) server connected to the trusted interface of the device.

Syntax: save
[ config
  [ [ from { flash | slot1 <name_str> | tftp <ip_addr> <name_str> } ]
    [ append | to { flash | slot1 <name_str> | tftp <ip_addr> <name_str> } ]
  | all-virtual-system | ha-master ] |
  software from { flash | slot1 <name_str> | tftp <ip_addr> <name_str> }
    to { flash | slot1 <name_str> | tftp <ip_addr> <name_str> } |
  image-key { tftp <ip_addr> <filename> } ]

Arguments:
config Saves configurations according to argument:
  all-virtual-system: Saves all virtual system configurations.
  from: Saves from the specified source.
    flash: Saves from flash, and if selected, appends to the current configuration.
    slot1: Saves from the PC card in slot 1.
    tftp: Saves the configuration settings from a TFTP server with the IP address <ip_addr>. Appends the configuration information to the current configuration file on the NetScreen device.
  ha-master: Saves the master configuration. At the slave unit console, use this command to pass the configuration settings from the Master unit to the slave unit. Reset the slave unit after the configuration settings are passed.
  to: Saves to the following destination type:
    flash: Saves to flash, and if selected, appends to the current configuration.
    slot1: Saves to the PC card in slot 1.
    tftp: Saves the configuration settings to a TFTP server with the IP address <ip_addr>.
image-key Loads the image key from a TFTP server, specifically from the TFTP <ip_addr> if specified.
software Saves software.
  from: Saves the software from the source:
    flash: Downloads the system image from flash.
    slot1: Downloads the system image from slot 1.
    tftp: Downloads the system image from the TFTP server with the IP address <ip_addr> to the NetScreen device.
  image { tftp <ip_addr> <filename> } Loads the image key from the TFTP server, specifically from the TFTP <ip_addr>, file name <filename> if specified.

Examples:
To save the current configuration settings to the flash memory:
ns-> save
To save the current configuration settings to a file named “my_config” on a TFTP server with IP address 192.16.11.9:
ns-> save config to tftp 192.16.11.9 my_config
To download a configuration file named “my_config” from a TFTP server with the IP address 172.16.30.10 and overwrite the current saved configuration settings on the NetScreen device:
ns-> save config from tftp 172.16.30.10 my_config
To download a configuration file named “my_config” from a TFTP server with the IP address 172.16.30.10 and append the current configuration settings on the NetScreen device:
ns-> save config from tftp 172.16.30.10 my_config append
To download the software file ns5.165 from a TFTP server with the IP address 172.16.20.10 to flash:
ns-> save software from tftp 172.16.20.10 ns5.165 to flash
To copy a configuration file named cnfg5 from the PCMCIA card in slot 1 to a file named ns_cnfg5 in a TFTP server at 172.16.156.9:
ns-> save config from slot1 cnfg5 to tftp 172.16.156.9 ns_cnfg
To load an authentication key on a FIPS-compliant NetScreen device from a file named nskey.cer on a TFTP server at 10.10.1.2:
ns-> save image-key tftp 10.10.1.2 nskey.cer

See the get config command.
trace-route

Description: Use the trace-route command to obtain the host name.

Syntax: trace-route <name_str>
[ hop { <number> [ time-out <number> ] } ]

Arguments:
<name_str> The host name.
hop <number> The number of trace route hops to
time-out <number> Specifies the amount of time to elapse before abandoning the route trace.

Examples:
ns-> trace-route
Appendix A

If the admin password is lost, you can use the following procedure to reset the NetScreen device to its default settings. The configurations will be lost, but access to the device will be restored. To perform this operation, you need to make a console connection, which is described in detail in the NetScreen CLI Reference Guide and the installer’s guides.

By default the device recovery feature is enabled. You can disable it by entering the unset admin device-reset command. Also, if the NetScreen-100 is in FIPS mode, the recovery feature is automatically disabled.

1. At the login prompt, type the serial number of the device.
2. At the password prompt, type the serial number again.
The following message appears:
!!! Lost Password Reset !!! You have initiated a command to reset the device to factory defaults, clearing all current configuration, keys and settings. Would you like to continue? y/[n]
3. Press the y key.
The following message appears:
!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen; password: netscreen. Would you like to continue? y/[n]
4. Press the y key to reset the device.
You can now log in using netscreen as the default username and password.
Appendix B

This appendix contains information on features of the NetScreen Universal Security Gateway Architecture (USGA). These features include the following.
• Security zones
• Interfaces
Security Zones

NetScreen devices use zones to host physical and logical interfaces, tunnels, and special-purpose items. These zones are as follows.

Layer-2 security zones Use Layer-2 security zones when the NetScreen device operates in Transparent mode.
• v1-trust specifies the V1-Trust zone, which hosts physical interfaces that communicate with trusted network space.
• v1-untrust specifies the V1-Untrust zone, which hosts physical interfaces that communicate with untrusted network space.
• v1-dmz specifies the DMZ zone, which hosts the DMZ physical interface.
• name <name_str> specifies a user-defined Layer-2 security zone. (You create such zones using the set zone name <name_str> L2 command.)

Layer-3 security zones Use Layer-3 security zones when the NetScreen device operates in NAT mode or Router mode.
• trust specifies the Trust zone, which hosts physical interfaces (and logical sub-interfaces) that communicate with trusted network space.
• untrust specifies the Untrust zone, which hosts physical interfaces (and logical sub-interfaces) that communicate with untrusted network space.
• global specifies the Global zone, which serves as a storage area for mapped IP (MIP) and virtual IP (VIP) addresses. Because traffic going to these addresses is mapped to other addresses, the Global zone does not require an interface.
• dmz specifies the DMZ zone, which hosts the DMZ physical interface.
• name <name_str> specifies a user-defined Layer-3 security zone. (You create such zones using the set zone name <name_str> command.)

Tunnel zones Use tunnel zones to set up VPN tunnels with other NetScreen security devices.
• untrust-tun specifies the Untrust-Tun zone, which hosts VPN tunnels.
• name <name_str> specifies a user-defined tunnel zone. (You create such zones using the set zone name <name_str> tunnel command.)
Function zones Use function zones as described below.
• null specifies the Null zone, which serves as temporary storage for any interfaces that are not currently bound to another zone.
• self specifies the Self zone, which hosts the interface for remote management connections. For example, when you connect to the NetScreen device via HTTP, SCS, or Telnet, you connect to the Self zone.
• ha specifies the HA zone, which hosts the high-availability interfaces, HA1 and HA2.
• mgt specifies the MGT zone, which hosts the out-of-band management interface, MGT.
Interfaces

Most security zones exchange traffic with other zones (or with other devices) through physical interfaces or logical sub-interfaces. The interfaces are as follows.

Ethernet interfaces
- ethernet<n> specifies a physical ethernet interface, denoted by an interface port <n> and no slots.
- ethernet<n1>.<n2> specifies a logical interface, denoted by an interface port (<n1>) with no slots. The .<n2> parameter identifies the logical interface.
- ethernet<n1>/<n2> specifies a physical ethernet interface, denoted by an interface slot (<n1>) and a port (<n2>).
- ethernet<n1>/<n2>.<n3> specifies a logical interface, denoted by an interface slot (<n1>) and a port (<n2>). The .<n3> parameter identifies the logical interface.

Layer-2 interfaces
- vlan1 specifies the interface used for VPNs while the NetScreen device is in Transparent mode.
- v1-trust specifies a Layer-2 interface bound to the Trust zone. Use this interface when the device is in Transparent mode.
- v1-untrust specifies a Layer-2 interface bound to the Untrust zone. Use this interface when the device is in Transparent mode.
- v1-dmz specifies a Layer-2 interface bound to the DMZ zone. Use this interface when the device is in Transparent mode.

Tunnel interfaces
- tunnel.<n> specifies a tunnel interface. Use this interface for VPN traffic.

Function interfaces
- mgt specifies an interface bound to the MGT zone.
- ha | ha1 | ha2 the name of the dedicated HA port.
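As an added example (not code from the guide), a small Python parser for the interface name forms listed above, classifying each name as physical or logical and recording its slot, port and sub-interface numbers; the zone names attached to the Layer-2 and function interfaces follow the Security Zones section, and the sample names are constructed.

```python
"""Parser for the NetScreen interface names listed in this appendix.

Added example, not code from the guide. The name grammar (ethernet<n>,
ethernet<n1>.<n2>, ethernet<n1>/<n2>, ethernet<n1>/<n2>.<n3>, vlan1, v1-*,
tunnel.<n>, mgt, ha/ha1/ha2) is taken from the appendix; the fixed zone
names follow the Security Zones section. The sample list is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# ethernet<n1>[/<n2>][.<n3>]: the "/" slot part is optional, ".<n>" marks a sub-interface
_ETHERNET = re.compile(r"^ethernet(\d+)(?:/(\d+))?(?:\.(\d+))?$")
_TUNNEL = re.compile(r"^tunnel\.(\d+)$")

# Interfaces whose zone binding the appendix fixes (zone names as in Security Zones).
_LAYER2 = {"v1-trust": "V1-Trust", "v1-untrust": "V1-Untrust", "v1-dmz": "DMZ"}
_FUNCTION = {"mgt": "MGT", "ha": "HA", "ha1": "HA", "ha2": "HA"}


@dataclass(frozen=True)
class Interface:
    name: str
    kind: str                   # "ethernet", "layer2", "tunnel" or "function"
    logical: bool               # True for ".<n>" sub-interfaces and tunnel.<n>
    slot: Optional[int] = None
    port: Optional[int] = None
    sub: Optional[int] = None   # sub-interface number, or tunnel number for tunnel.<n>
    zone: Optional[str] = None  # fixed binding; None when the zone is set by configuration


def parse_interface(name: str) -> Interface:
    """Classify one interface name; raise ValueError for names outside the grammar."""
    m = _ETHERNET.match(name)
    if m:
        first, second, sub = m.groups()
        # With a "/" the first number is the slot and the second the port;
        # without it the single number is the port and there is no slot.
        slot = int(first) if second is not None else None
        port = int(second) if second is not None else int(first)
        return Interface(name, "ethernet", sub is not None, slot, port,
                         int(sub) if sub is not None else None)
    m = _TUNNEL.match(name)
    if m:
        return Interface(name, "tunnel", True, sub=int(m.group(1)))
    if name == "vlan1":
        return Interface(name, "layer2", False)
    if name in _LAYER2:
        return Interface(name, "layer2", False, zone=_LAYER2[name])
    if name in _FUNCTION:
        return Interface(name, "function", False, zone=_FUNCTION[name])
    raise ValueError(f"not a NetScreen interface name: {name!r}")


def group_by_kind(names: List[str]) -> Dict[str, List[Interface]]:
    """Parse every name and bucket the results by kind, keeping input order."""
    groups: Dict[str, List[Interface]] = {}
    for n in names:
        iface = parse_interface(n)
        groups.setdefault(iface.kind, []).append(iface)
    return groups


# Constructed sample names, one of each form described in the appendix.
SAMPLE_NAMES = ["ethernet1", "ethernet3.2", "ethernet2/1", "ethernet2/1.10",
                "vlan1", "v1-untrust", "tunnel.1", "mgt", "ha1"]

if __name__ == "__main__":
    for kind, ifaces in group_by_kind(SAMPLE_NAMES).items():
        print(kind, [i.name for i in ifaces])
```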
Index

A
access policies
defining 109
displaying 76
ACE Server 21
ACE Server log 21
Address Book entries, default 2, 81, 85
address book
adding entries 2, 81
address book entry 4
domain name 4
flag 4
IP address 4
name 4
netmask 4
Address Resolution Protocol (ARP) 13, 23
addresses
entering 2, 81
grouping 44, 40
admin authentication 4
administration parameters 4
aggressive mode 46
alarms, clearing 3
alarms, displaying 6
all 86
append 26
ARP (Address Resolution Protocol) table 13
ARP table, clearing 5
authentication table 15
authentication, users 16
B
back store 23
bit stream 23
buffer, clearing 10
CA (certificate authority) 73
CGI path 107
cAH 106
CheckPoint 62
clear 5, 8
Address Resolution Protocol (ARP) table 5
flow counters 8
interface counters 8
clear commands
active-user 2
alarm 3
arp 5
audible-alarm 6
auth 7
counter 8, 9, 16
dbuf 10
dhcp client ip 11, 13
file 14, 28
ike cookie 15
led 17
log 18
mac-learn 20
session 26
clearing alarms 3
CLI 103
get firewall 33, 34, 37, 69, 71, 93, 94, 95, 110, 114
get global 36
get glog 39
get group 40
get ha 42
get hostname 44
get ike 45
get interface 49
get ippool 54
get l2tp 55
get lance info 57
get lcd 58
get log 59
get mac-learn 63
get mip 67, 73
get ntp 70
get policy 76
get route 79
get sa 81
get scheduler 83
get service 86
get session 88
get snmp 91
get ssh 84
get syslog 96
get system 98
get tech-support 99
get temperature 100
get timer 101
get traffic-shaping interface 102
get url 103
get user 104
get vip 106
get vpn 107
get vsys 113
ping 7, 21
reset 23
save 13, 24
set address 2, 11, 81, 12, 68
set admin 4
set arp 12
set audible-alarm 14
set auth 16
set clock 20
set console 22
set dbuf 25
set dialup-group 27
set domain 32
set envar 33
set ffilter 34
set firewall 36, 37
set flow 39
set ftp data-port any 42
set group 44
set ha 48
set hostname 53
set ike 55
set interface 66
set ippool 85
set l2tp 86
set lcd 90
set mip 94, 99
set ntp 97
set policy 109
set proto-dist 114, 78
set scheduler 117
set service 123
set snmp 127
set ssh 120
set syn-threshold 130
set syslog 132
set temperature-threshold 135
D
DHCP client 2
DHCP client lease 2
DHCP server 2
DHCP server IP allocation 2
DHCP server reboot 3
dialup group
configuration parameters 25
defining 27
display 2
displaying
access policies 76
alarms 6
console configuration 20
dynamic IP settings 27
entries in the log table 59
entries in the MAC table 63
files in flash card memory 32
firewall settings 33, 34, 37, 69, 71, 93, 94, 95, 110, 114
general system information 98
high availability settings 42
IKE information 45
interface settings 49
mapped IPs 67, 73
NetScreen-Global Manager settings 36
schedules 83
security associations 81
service entries 86
syslog configuration 96
system time 18
the global log file 39
the hostname of the NetScreen device 44
the sessions table 88
the static route table 79
the user authentication table 15
traffic information 21
URL blocking 103
user database 104
VIP settings 106
VPN information 107
DNS cache 13
DNS entries 4, 17
refresh 4
Dynamic Host Configuration Protocol (DHCP) 11
dynamic IP 27
Dynamic IP (DIP) 22
E
encryption secret 22
entries in the alarm table 3
environment variable 31
Event Alarm log 103
event entries 18
exec dhcp client renew command 2, 4, 17, 18
exec ha file-sync command 5
exec ntp command 6
exec pki command 9
exit command 20
Extended ping 8, 22
F
filter source route 22
filtering traffic 34
firewall protection 33
firewall settings, displaying 33, 34, 37, 69, 71, 93, 94, 95, 110, 114
flash card
clearing files 14, 28
memory 32
flash card memory 14, 13, 24
flash memory 19
ike 45
interface 49
ippool 54
l2tp 55
lance info 57
lcd 58
log 59
mac-learn 63
mip 67, 73
ntp 70
policy 76
route 79
sa 81
scheduler 83
service 86
session 88
snmp 91
ssh 84
syslog 96
system 98
tech-support 99
temperature 100
timer 101
traffic-shaping interface 102
url 103
user 104
vip 106
vpn 107
vsys 113
global log file, displaying 39
Group
user dialup 149
grouping
addresses 44, 40
remote users 27
services 44, 40
H
high availability
defining a group 48
displaying 42
hostname 53
I
id-mode 62
IKE (Internet Key Exchange) 55
IKE cookie table 15
IKE cookie table, clearing 15
IKE ID 104
IKE information, displaying 45
inactive SA 23
in-short error 24
Interface
Web User 103
interface counter 8
interface settings, displaying 49
interface-level counters 23
interface-level counters, traffic information 23
internal database 4
Internet Control Message Protocol (ICMP) 22
Internet Key Exchange (IKE) 45, 15
IP address 90
IP pools 54
IPSec security associations (SA) 81
load balance session table 106
log table, displaying 59
logical interface 50
logs, clearing 18
O
overwrite 15, 26
P
packet errors 21
packets 22
Address Resolution Protocol (ARP) 23
address spoofing attack 22
collision 24
Control Message Protocol (ICMP) 22
denied 22
dropped 22
fragmented 22
illegal 23
incoming 23
Internet Control Message Protocol (ICMP) 24
IPSec 23
land attack 22
Network Address Translation (NAT) 22
ping-of-death attack 22
Point to Point Tunneling Protocol (PPTP) 23
received 23
transmitted underrun 24
UNKNOWN 24
unreceivable 24
unroutable 22
parent connection 23
PCMCIA card 15, 26
physical interface 50
ping command 7, 21
Point to Point Tunneling Protocol (PPTP) 23
pool of IP addresses 11
PPPoE connection 12
set up 12
take down 12
PPPoE statistical registers 23
preshared key 46
Protocol
ESP 106
pseudo port 90
R
RADIUS server 4
reboot NetScreen device 23
reset 23
remote gateway 46
remove 2
data stored in log tables 1
information stored in memory 1
information stored on the flash card 1
remote administrator profile 2
renewing the lease 2
reset command 23
resetting a device 23
RSA key length 73
S
SA policy 23
save command 13, 24
saving a configuration file 13, 24
schedule
creating or modifying 117
displaying 83
secure shell 120, 84
SecurID, resetting communication 21
Security Association (SA) 24
Security Associations (SA) 23
security associations, displaying 81
self-log entries 18
Server 4
ha 48
hostname 53
ike 55
interface 66
ippool 85
l2tp 86
lcd 90
mip 94, 99
ntp 97
policy 109
proto-dist 114, 78
scheduler 117
service 123
snmp 127
ssh 120
syn-threshold 130
syslog 132
temperature-threshold 135
timer 137
traffic-shaping mode 139
url 141
user 144
vpn 83, 150, 53
vsys 160
setting system time 20
Simple Network Management Protocol (SNMP) 91
Slave unit console 14, 25
SNMP 91
displaying configuration 91
enabling 127
SNTP 97
source route 22
static route table 79
static route table, displaying 79
subnet 46
subnet mask 67
syn flood protection 23
synchronizing 6
Syslog 132
syslog configuration 96
syslog configuration, displaying 96
syslog mechanism 96
system administration configuration parameters 5
addresses for the recipients of e-mail alerts 5
configuration format 5
domain name 5
e-mail alert status 5
e-mail server IP address 5
port number for Web management 5
remote e-mail address 5
system IP address 5
system time
displaying 18
setting 20
T
TCP proxy 23
tftp server 1
timer settings 101
traffic entries 18
traffic information 21
traffic information, displaying 21
traffic management information 102
traffic, filtering 34
traffic-shaping interface 102
Transparent mode 63, 20
Trivial File Transfer Protocol (TFTP) 13, 24
troubleshooting 99
trusted interface 50
V
vector ID
VID 90
VIP 106