Netscreen CLI Commands


Upload: majharul-haque

Post on 28-Nov-2014


Page 1: Netscreen CLI Commands

get address/get group address (GUI: Home > Objects > Addresses >)

Output Analysis:

The command get address <zone> displays the address book entries and address groups for all the zones.

The command get group address <zone> displays the group name and the number of address book entries in each group. In the case below, group name “Allowed IPs” has 11 address book entries and is user-defined.

Configuration:

set address "<Zone>" "<Address Name>" <IP Address> <Mask>

set group address "<Zone>" "<Group Name>"

set group address "<Zone>" "<Group Name>" add "<Address Name>"

Eg:


set address "Tunnels" "207.152.233.151/32" 207.152.233.151 255.255.255.255

set address "Tunnels" "207.152.233.199/32" 207.152.233.199 255.255.255.255

set address "Tunnels" "207.152.233.22/32" 207.152.233.22 255.255.255.255

set group address "Tunnels" "Allowed IPs"

set group address "Tunnels" "Allowed IPs" add "207.152.233.151/32"

set group address "Tunnels" "Allowed IPs" add "207.152.233.199/32"

set group address "Tunnels" "Allowed IPs" add "207.152.233.22/32"
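As an added example (not from the original document), the following Python generates the address-book and group commands shown above from a list of CIDRs: it computes the dotted-decimal mask, applies this page's "<ip>/<prefix>" naming convention, drops duplicates, and emits the lines in the order the device needs them (objects, then the group, then the memberships). The zone and group names are parameters.

```python
"""Generate ScreenOS address-book and address-group commands from CIDR strings.

Added example, not from the original document. The address name "<ip>/<prefix>"
and the dotted-decimal mask follow the "Allowed IPs" example on this page.
"""
import ipaddress


def address_book_commands(zone, group, cidrs):
    """Return the `set` commands that create each address object and place it
    in the named group, in the order ScreenOS requires: the address objects
    first, then the (empty) group, then one `add` line per member."""
    objects = []
    members = []
    seen = set()
    for cidr in cidrs:
        # strict=False also accepts a host address written with a prefix,
        # e.g. 10.0.0.5/24, and a bare address is treated as a /32.
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version != 4:
            raise ValueError(f"only IPv4 address objects are handled here: {cidr}")
        name = f"{net.network_address}/{net.prefixlen}"
        if name in seen:
            # re-creating an existing object would fail on the device
            continue
        seen.add(name)
        objects.append(
            f'set address "{zone}" "{name}" {net.network_address} {net.netmask}'
        )
        members.append(f'set group address "{zone}" "{group}" add "{name}"')
    return objects + [f'set group address "{zone}" "{group}"'] + members


if __name__ == "__main__":
    # Reproduces the Tunnels / "Allowed IPs" example from this page.
    for line in address_book_commands(
        "Tunnels", "Allowed IPs",
        ["207.152.233.151/32", "207.152.233.199/32", "207.152.233.22/32"],
    ):
        print(line)
```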

get admin (GUI: Home > Configuration > Admin >)

Terminologies:

Management Port: Ports through which the device can be accessed by the admin.

Manager IP: You can administer a NetScreen device from one or multiple addresses of a subnet. By default, any host on the trust interface can administer a NetScreen device. To restrict this ability to specific workstations, you must configure permitted IP addresses. Note: in addition to the manager IP, a policy must be added if you want to allow a user from the WAN to access the device.

Output Analysis:

The command get admin displays administrative parameters for the security device.

These parameters determine the following:

Characteristics for each administrator, such as password and privilege level

How the device performs administrator authentication

Methods administrators can use to access the device

An IP address or address range from which one or more administrators can connect to the device

Which port the device uses to detect administrative traffic

Whether the device automatically sends generated alerts and traffic alarms via email

Whether the device is enabled for reset

Configuration:

To configure username and password

set admin name "<username>"

set admin password "<password>"

set admin user "<username>" password "<password>" privilege "all"

set admin user "<username>" password "<password>" privilege "read-only"

Eg:

set admin name "fiberlink"


set admin password "nN5MGarJIRIBcFWHcs/MjbHtXdLPjn"

set admin user "fccadmin" password "nECGA3r7N2bAcl/EIsiEn2DtdyHsgn" privilege "all"

set admin user "readonly" password "nLm8Azr4DYvCc3QB5s6GCaAtJ+JYhn" privilege "read-only"

To configure manager IP

set admin manager-ip <IP> <mask>

Eg:

set admin manager-ip 208.246.148.0 255.255.255.0

get arp

Terminologies:

VSYS: A virtual system (vsys) or virtual firewall is a logical firewall that is contained in a single physical firewall. Firewalls that support virtual systems enable you to create as many virtual firewalls as you are licensed for; in the case of the 5GT, none (check get license-key).

Output Analysis:

The command get arp lists all current ARP entries for every existing virtual system (vsys).


get clock (GUI: Home > Configuration > Date/Time)

Output Analysis:

The command get clock displays the Device Uptime and the System time:

Up time: indicates the elapsed time (in number of days, hours, minutes, and seconds) since the NetScreen device was first powered on

System time: indicates the set time on the NetScreen device including the date, time (hh:mm:ss) and the GMT time zone (hh:ss)


Configuration:

set clock ntp

set clock timezone -5 (Note: -5 from GMT)

get memory (GUI: Home)

Output Analysis:

The command get memory displays the allocated memory, unused memory and frags.

get config (GUI: Home > Configuration > Update > Config File)

Output Analysis:

The command get config displays the entire configuration on the NetScreen device.

A configuration file contains all the information that administrators configured on the NetScreen device such as system parameters, access policies, VPN configurations, user-defined addresses and services, and user database settings


get counter statistics (GUI: Home > Reports > Counters >)

Output Analysis:

The command get counter <statistics/flow> displays the Interface Statistics report and the Interface Flow Counters.

The Interface Statistics report displays hardware counters to help monitor the NetScreen device. The hardware counters provide information on hardware performance.

The Interface Flow Counters report helps monitor interfaces on the NetScreen device. The report provides information for monitoring the number of packets inspected at the flow level.


get dns host settings (GUI: Home > Network > DNS >)

Terminologies:

Domain Name Servers: A Domain Name Server (DNS) keeps a table of the IP addresses associated with domain names. Using DNS makes it possible to reference locations by domain name instead of using the routable IP address.

Output Analysis:

The command get dns host settings displays the Primary and Secondary DNS server IP addresses and specifies a daily time (in 24-hour format) or an interval of time at which the NetScreen device resolves DNS settings.


Configuration:

set dns host dns1 <Primary DNS IP Address>

set dns host dns2 <Secondary DNS IP Address>

Eg:

set dns host dns1 209.53.200.2

set dns host dns2 209.53.200.3

get dhcp server option (GUI: Home > Network > DNS >)

Terminologies:

DHCP: Dynamic Host Configuration Protocol (DHCP) was designed to reduce the demands on network administrators by automatically assigning the TCP/IP settings for the hosts on a network. Instead of requiring administrators to assign, configure, track, and change (when necessary) all the TCP/IP settings for every machine on a network, DHCP does it all automatically. Furthermore, DHCP ensures that duplicate addresses are not used, reassigns unused addresses, and automatically assigns IP addresses appropriate for the subnet on which a host is connected.

Lease: An IP address supplied by the DHCP server is either Unlimited or leased for a limited period of time. If the lease is limited, you must specify the limitation in days, hours, and minutes.

IP Range (Address Pool): An address pool is a defined range of IP addresses within the same subnet from which a device can draw DHCP address assignments. You can group up to 255 IP addresses in up to 64 address pools.


Output Analysis:

The command get dhcp server ip displays the lease time, address pool, domain name, DNS server IPs, etc.

Configuration:

To configure and enable DHCP in server mode on an interface

set interface trust dhcp server service

service - Enables the security device to act as a DHCP server agent through the interface.

set interface trust dhcp server enable

enable - Causes the DHCP server to always be on. The DHCP server on the security device always starts when the device is powered on.

To define DHCP gateway

set interface <interface> dhcp server option gateway <IP address>

set interface <interface> dhcp server option netmask <Mask>

Eg:

set interface trust dhcp server option gateway 216.163.226.129

set interface trust dhcp server option netmask 255.255.255.192

To define DNS servers

set interface <interface> dhcp server option dns1 <Primary DNS IP address>


set interface <interface> dhcp server option dns2 <Secondary DNS IP address>

Eg:

set interface trust dhcp server option dns1 207.152.236.2

set interface trust dhcp server option dns2 207.152.233.199

To define a DHCP pool

set interface <interface> dhcp server ip <First IP in range> to <Last IP in range>

Eg:

set interface trust dhcp server ip 216.163.226.143 to 216.163.226.190

get dhcp server ip (GUI: Home > Network > DNS >)

Terminologies:

DHCP Client: Some devices can act as DHCP clients, receiving a dynamically assigned IP address for any physical interface in any zone.

DHCP Server: Some devices can also act as DHCP servers, allocating dynamic IP addresses to hosts (acting as DHCP clients) on any physical or VLAN interface in any zone.

Lease Time: Indicates the time limit for which the IP address (IP address pool or reserved IP address) is leased to the client.

Output Analysis:

The command get dhcp server ip displays the IP’s that are allocated/unallocated from the address pool defined.


Note: The above configuration is only for a DHCP server. To check whether DHCP is enabled on a device, or the interface on which it is enabled, issue the get dhcp command.

get event (GUI: Home > Reports > System Log > Event)

Output Analysis:

NetScreen provides an Event Log for monitoring system events on the NetScreen device.

The command get event displays system events and helps gather information about hardware or software problems. The Event Log categorizes system events by severity level.

The event log displays the following information for each event:

Date/Time: Indicates the date and time of the system event.

Level: Indicates the severity level of the system event.

Description: Describes the system events or changes and, if applicable, the source of the events.

Command Extension:

get event type <message type>

A few useful message types in our environment:

40 - VPN up

41 - VPN down

90 - Recovery to primary untrust interface/Failover to secondary untrust


62 - Track IP success/Failure

get failover (GUI: Home > Network > Untrust Failover)

Terminologies:

Track-IP: Layer 3 path monitoring, or IP tracking, sends ICMP requests on a specified interface to monitor up to four IP addresses at user-determined intervals and then checks to see if the targets respond.

IP Address: Identifies the tracked IP address.

Interval (sec): Indicates the interval of time between ping requests.

Threshold: Indicates the number of consecutive failures to elicit a ping response from a specific IP address required for it to be considered a failed attempt.

Interface: Identifies the interface from which the ping request is sent.

Weight: Indicates the weight of the IP address.

Method: Indicates that the device uses ping requests to poll the remote device.

Output Analysis:

When there are both primary and backup interfaces bound to the Untrust zone, you can switch traffic from the primary interface to the backup interface, and from the backup to the primary. By default, there is a 30-second interval before the switchover occurs.

You can also configure the NetScreen device to automatically switch to the backup interface if ScreenOS detects a failure on the primary interface connection. When the connection through the primary interface is restored, ScreenOS automatically switches traffic from the backup interface to the primary.

Configuration:

set failover auto

set failover holddown <in secs> (Default 30 sec)


set interface untrust monitor track-ip ip

set interface untrust monitor track-ip ip <IP address> interval <in secs>

set interface untrust monitor track-ip ip <IP address> threshold <value>

set interface untrust monitor track-ip ip <IP address> weight <value>

Eg:

set failover auto

set failover holddown 3

set interface ethernet3 monitor track-ip ip

set interface ethernet3 monitor track-ip ip 12.14.170.77 interval 4

set interface ethernet3 monitor track-ip ip 12.14.170.77 threshold 5

set interface ethernet3 monitor track-ip ip 12.14.170.77 weight 12
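To show how the interval, threshold and weight settings above interact, here is an added Python simulation (not from the original document) of the track-ip bookkeeping. The per-IP rule follows this page's terminology (an IP is failed after `threshold` consecutive unanswered pings, and one reply resets the count); the interface-level rule, that the interface fails when the summed weight of failed IPs reaches `iface_threshold` (default 1), and the `seconds_to_failover` estimate are assumptions of the example, as is the second tracked address 192.0.2.1 used in testing.

```python
"""Simulate the track-ip monitoring and Untrust failover decision.

Added example, not from the original document. Per-IP behaviour follows the
terminology on this page: a tracked IP counts as failed once `threshold`
consecutive pings go unanswered, and a single reply resets the count. The
interface-level rule (failed when the summed weight of failed IPs reaches
`iface_threshold`) and the time-to-failover estimate are assumptions here.
"""


class TrackedIP:
    def __init__(self, ip, interval=1, threshold=3, weight=1):
        self.ip = ip
        self.interval = interval        # seconds between ping requests
        self.threshold = threshold      # consecutive misses before "failed"
        self.weight = weight
        self.consecutive_failures = 0

    @property
    def failed(self):
        return self.consecutive_failures >= self.threshold

    def record(self, replied):
        """Record one ping result; a reply clears the consecutive-miss count."""
        self.consecutive_failures = 0 if replied else self.consecutive_failures + 1


class InterfaceMonitor:
    def __init__(self, name, iface_threshold=1):
        self.name = name
        self.iface_threshold = iface_threshold   # assumption: summed-weight trigger
        self.targets = {}

    def track(self, ip, **settings):
        self.targets[ip] = TrackedIP(ip, **settings)

    def failed_weight(self):
        return sum(t.weight for t in self.targets.values() if t.failed)

    def is_failed(self):
        return self.failed_weight() >= self.iface_threshold

    def run(self, polls):
        """Feed a sequence of {ip: replied} poll results in order; return True
        if the interface counts as failed afterwards (failover would trigger)."""
        for poll in polls:
            for ip, replied in poll.items():
                self.targets[ip].record(replied)
        return self.is_failed()


def seconds_to_failover(threshold, interval, holddown):
    """Rough worst-case delay from the first missed ping to the switchover:
    the misses needed to declare failure plus the failover holddown (assumption)."""
    return threshold * interval + holddown


def page_example():
    """The ethernet3 monitor from this page's Eg block (threshold 5, weight 12)."""
    mon = InterfaceMonitor("ethernet3")
    mon.track("12.14.170.77", interval=4, threshold=5, weight=12)
    return mon
```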

get file

Output Analysis:

The command get file displays a list of files in flash memory.

get ike cookies (GUI: Home > VPNs > AutoKey Advanced > Gateway)

Terminologies:

DH Group: Indicates the Diffie-Hellman group used: Group 1, Group 2, or Group 5.

Encrypt/Auth: Indicates the encryption algorithm (3DES-CBC, DES-CBC, or AES-CBC) and the hash algorithm (MD5 or SHA-1) used.

Life Time: Indicates the life of the key, as determined by the amount of time in Sec (seconds), Min (minutes), Hours, or Days.

Rekey: A rekey is used to keep a security association (SA) active even when there is no VPN traffic other than the ICMP echo requests (pings) sent by the VPN monitoring module. When the key lifetime for a Phase 1 or Phase 2 SA is about to expire, the rekey option renews the key, resets the key lifetime, and keeps the SA active.

VPN Monitor: The NetScreen device activates its SNMP VPN monitoring objects, which note data on such aspects of the VPN tunnel as the number of active VPN sessions, the time a session began, the SA elements for each session, and session status parameters.

Output Analysis:

The command get ike cookies displays the local and remote gateways, the gateway name and the Phase 1 proposals, and is used to verify whether Phase 1 of the VPN is active.

Configuration:

set ike gateway "<Gateway Name>" address <IP address> aggressive local-id "<Local ID>" outgoing-interface "<Interface Name>" preshare "<KEY>" proposal "<Proposal>"

Eg:

set ike gateway "gwWescoCore" address 12.29.179.250 aggressive local-id "can2665" outgoing-interface "untrust" preshare "yA6V+VHwNw6ghBsebnCj9iWIoqn4QZ+mzA==" proposal "pre-g2-3des-sha"

get sa (GUI: Home > VPNs > Monitor Status)


Output Analysis:

The command get sa displays the following information:

HEX ID

Remote Gateway

UDP Port

Phase 2 Proposal

SPI (Security Parameter Index)

Lifetime in secs

Life Size in kb

Status (A/U, A/-, I/-, I/I)

PID

Vsys

get interface (GUI: Home > Network > Interfaces)

Output Analysis:

The command get interface displays a list of the all interfaces on the NetScreen device.

These include physical, VLAN1, tunnel, redundant and virtual security (VSI) interfaces and, for NetScreen devices that support them, aggregate and sub-interfaces. Because there is a physical interface for each port on your NetScreen device, physical interfaces are always listed regardless of whether or not you configure them. By default, ScreenOS creates the VLAN1 interface.

The interface list provides the following information on each interface:

Name: Identifies the name of the interface.

IP/Netmask: Identifies the IP address and netmask address of the interface.

Zone: Identifies the zone to which the interface is bound.

MAC: Identifies the MAC address of the interface.

Link: Identifies whether the interface is active, inactive, up or down.


Configuration:

set interface untrust ip <IP address>

set interface untrust <route/NAT>

set interface untrust manage <Enable ping/Web UI/Telnet/SSH/SNMP/SSL for the interface>

Eg:

set interface untrust ip 208.181.126.184/24

set interface untrust route

set interface untrust manage ping
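The admin and interface settings above are the ones a reviewer checks first in a saved configuration. The following Python is an added example (not from the original document) that reads `get config` output and reports the three exposures this page's defaults imply: no `set admin manager-ip` (any host on the trust side can administer the device), cleartext management services (telnet, web) enabled on the untrust interface, and more than one administrator with privilege "all". The sample configuration, the hash placeholders and the address 203.0.113.10 are constructed for the example.

```python
"""Audit a saved ScreenOS configuration (the text of `get config`) for the
management-exposure settings covered on this page.

Added example, not part of the original document. The sample configuration
below is constructed; "<hash>" stands in for the device's password hashes.
"""
import shlex

CLEARTEXT_MGMT = {"telnet", "web"}   # management services without encryption

SAMPLE_CONFIG = """\
set admin name "fiberlink"
set admin user "fccadmin" password "<hash>" privilege "all"
set admin user "ops2" password "<hash>" privilege "all"
set admin user "readonly" password "<hash>" privilege "read-only"
set interface untrust ip 203.0.113.10/24
set interface untrust route
set interface untrust manage ping
set interface untrust manage telnet
set interface trust manage web
"""


def parse_config(text):
    """Extract manager-ip entries, admin privilege levels and per-interface
    management services from the `set` lines of a ScreenOS config."""
    facts = {"manager_ips": [], "admins": {}, "manage": {}}
    for line in text.splitlines():
        try:
            tok = shlex.split(line.strip())   # honours the quoted names
        except ValueError:
            continue                          # malformed quoting: skip the line
        if len(tok) < 3 or tok[0] != "set":
            continue
        if tok[1] == "admin" and tok[2] == "manager-ip" and len(tok) >= 5:
            facts["manager_ips"].append(" ".join(tok[3:5]))   # "<IP> <mask>"
        elif tok[1] == "admin" and tok[2] == "user" and "privilege" in tok:
            facts["admins"][tok[3]] = tok[tok.index("privilege") + 1]
        elif tok[1] == "interface" and len(tok) >= 5 and tok[3] == "manage":
            facts["manage"].setdefault(tok[2], set()).add(tok[4])
    return facts


def audit(text, untrust_interfaces=("untrust",)):
    """Return a list of finding strings; an empty list means nothing flagged."""
    f = parse_config(text)
    findings = []
    if not f["manager_ips"]:
        findings.append("no manager-ip restriction: any host on the trust "
                        "interface can administer the device")
    full = sorted(u for u, p in f["admins"].items() if p == "all")
    if len(full) > 1:
        findings.append(f"{len(full)} administrators with privilege all: "
                        + ", ".join(full))
    for ifname in untrust_interfaces:
        exposed = f["manage"].get(ifname, set()) & CLEARTEXT_MGMT
        for svc in sorted(exposed):
            findings.append(f"cleartext management service {svc} enabled on {ifname}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```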

get log traffic (GUI: Home > Reports > Policies > Traffic Log)

Output Analysis:

The command get log traffic displays the following information:

Date/Time: Indicates the date and time of the start of the session for the packet.

Source Address/Port: Indicates the source IP address and port number for the packet.

Destination Address/Port: Indicates the destination IP address and port number for the packet.

Translated Source Address/Port: Indicates the corresponding NetScreen-translated source IP address and port number for the packet.

Translated Destination Address/Port: Indicates the corresponding NetScreen-translated destination IP address and port number for the packet.

Service: Indicates the service associated with the packet.

Duration: Indicates the time in seconds between the start and end of the session for the packet.

Bytes Sent: The number of bytes transmitted from the source to the destination.

Bytes Received: The number of bytes transmitted from the destination to the source.

get license-key (GUI: Home > Configuration > Update > ScreenOS/Keys)

Output Analysis:

The command get license-key displays the license key information such as:

Sessions

Capacity

NSRP

VPN tunnels

Vsys

Vrouters

Zones

VLANs

Drp

Deep Inspection

Deep Inspection Database Expired

AV

Update server url


get modem (GUI: Home > Network > Interfaces > Edit > Modem)

Output Analysis:

The command get modem displays the ISP Information and the Modem Information.

Modem Name: Name to identify the modem.

Init String: Initialization string for the modem.

Retry Number: The number of times that the device retries the dial-up connection if the line is busy or there is no response.

Retry Interval: The interval, in seconds, between dial-up retries.

Inactivity Timeout: The amount of time, in minutes, that the modem can be idle before the device disconnects the modem.

Interface Speed: The baud rate for the dial-up connection.

On some NetScreen devices, a dial backup interface can be configured for the Untrust zone. You can connect an external modem to the RS-232 serial port to give the NetScreen device a dial-up backup interface to the Untrust zone. The serial interface is used if there is a failure on the connection through the primary Ethernet interface to the Untrust zone.

The NetScreen device can be configured to automatically dial to an ISP account when failover to the serial interface occurs. Up to four modem settings can be configured.


Configuration:

set modem settings "<Modem Name>" active

set modem settings "<Modem Name>" init "<Initialization string for the modem>"

set modem isp "<Primary ISP name>" priority 1

set modem isp "<Primary ISP name>" primary-number "<Primary number to be dialed>" alternative-number "<Secondary number to be dialed>"

set modem isp "<Primary ISP name>" account login "<username>" password "<password>"

set modem isp "<Secondary ISP name>" priority 2

set modem isp "<Secondary ISP name>" account login " " password "<password>"

set modem speed <Speed in BPS>

set modem retry <Number of attempts>

set modem interval <In seconds>

set modem idle-time <In minutes>

Eg:

set modem settings "USR" active

set modem settings "USR" init "AT&F1E1Q0V1S7=60S19=0M1&M4&K1&H1&R1&I0B0X4"

set modem isp "PrimaryISP" priority 1

set modem isp "PrimaryISP" primary-number "5674002" alternative-number "5440024"

set modem isp "PrimaryISP" account login "[email protected]" password "7FIz+Q7fNdcPTCsEfNCV5623tXnmezyKFw=="


set modem isp "SecondaryISP" priority 2

set modem isp "SecondaryISP" account login " " password "cUhJhRDpNypCo/sEjQCLbuJL00noHCoJxQ=="

set modem speed 115200

set modem retry 2

set modem interval 10

set modem idle-time 0

get policy (GUI: Home > Policies)

Output Analysis:

The command get policy displays the information on policies for specific source-destination zones.

The following information is shown for each policy:

ID: Indicates the number assigned to the policy to identify it.

Source: Indicates the name of the source address in the policy.

Destination: Indicates the name of the destination address in the policy.

Service: Indicates the service associated with the policy.

Action: Indicates the action selected for this policy against traffic that matches the policy criteria such as Permit, Deny and Tunnel.


get pppoe (GUI: Home > Network > PPPoE)

Terminologies:

PPPoE: Point-to-Point Protocol over Ethernet (PPPoE) merges PPP, which is usually used for dialup connections, with the Ethernet protocol, which can connect multiple users at a site to the same customer premises equipment. This allows many users to share the same physical connection, while access control, billing, and type of service are handled on a per-user basis.

Output Analysis:

The command get pppoe displays the following information:

PPPoE Instance: Name of the instance.

Bound to Interface: Interface to which you want to bind the PPPoE instance.

PPPoE Username: User name for the PPPoE connection.

PPPoE Password: Password for the PPPoE connection.

Access Concentrator (AC): Specifies the AC to be used for the PPPoE connection.

Service: Specifies the service for the PPPoE connection.

PPP lcp Echo Retries: Specifies the number of unacknowledged LCP Echo requests that occur before the connection is terminated. Specify a value between 1-30.

PPP lcp Echo Timeout: Specifies the number of seconds between LCP echo request transmissions. Specify a value between 1-1000.

Auto-Connect: Specifies the number of seconds before a previously closed connection is automatically reinitiated. Specify a value between 0-10000. A value of 0 disables this function.

Idle Disconnect: Specifies the number of minutes that the connection is idle before the NetScreen device terminates the connection. A value of 0 disables this function and the connection is never terminated.

Static IP: Specifies that the connection uses the IP address assigned to the device's interface.


Automatic Update of DHCP Servers DNS Parameters: When you initiate a PPPoE connection, your ISP automatically provides the IP addresses for the Untrust zone interface and the IP addresses for the Domain Name Service (DNS) servers. Enable this option if you want the NetScreen device to overwrite the local settings with the DNS settings it receives via PPPoE.

Configuration:

set pppoe name "<PPPoE instance>"

set pppoe name "<PPPoE instance>" username "<username>" password "<password>"

set pppoe name "<PPPoE instance>" idle <time, in minutes>

set pppoe name "<PPPoE instance>" interface <Interface to be bound to>

Eg:

set pppoe name "untrust"


set pppoe name "untrust" username "[email protected]" password "0wefxQURNMXLHas7bgC1hwT/UpnMeqseAQ=="

set pppoe name "untrust" idle 0

set pppoe name "untrust" interface untrust

get route (GUI: Home > Network > Routing >)

Output Analysis:

The command get route displays the routing table for all configured virtual routers.

The routes are organized in the table by the virtual router to which each route belongs. A route with an asterisk (*) designation is the best route for the specified subnet. The route table provides a read-only summary of all routes and displays information in the following columns:

IP/Netmask: The IP address and netmask of the target address to which the route entry leads.

Gateway: Either the IP address of the next hop router or the name of the next hop virtual router to which the NetScreen device forwards traffic destined for the target address.

Interface: The interface (physical or tunnel) through which the NetScreen device must send traffic to reach the target address.

Protocol: The manner in which the route entry is added to the table:

* Indicates the best route for the specified subnet.

S indicates a static route entry, made manually by an administrator.

A indicates an auto-exported route entry, made when a virtual router automatically acquires a route from another virtual router (such as when a route appears in VR-1 because you have defined a security zone interface in Route mode in VR-2, which has route exporting enabled).

C indicates an entry originated by an external router that sent a router advertisement that has an interface with a defined IP address.

I indicates a route entry that the current virtual routing instance imported from a router running a different protocol.

eB indicates a route entry originated by an Exterior Border Gateway Protocol (EBGP) router.

iB indicates a route entry originated by an Interior Border Gateway Protocol (IBGP) router.

O indicates a route entry originated by an Open Shortest Path First (OSPF) router.

E1 indicates a route entry originated by an OSPF router running type 1 metrics.

E2 indicates a route entry originated by an OSPF router running type 2 metrics.

R indicates a route entry originated by a Routing Information Protocol (RIP) router.


Metric: A predefined parameter that defines the priority of the route. All route table entries that are automatically created or acquired when you define an interface (in NAT or Route mode) receive a value of 0, and any user-defined routes are valued at 1.

Vsys: In devices that support virtual systems, the virtual system name appears in the corresponding cell in this column for each route specific to that virtual system. If a route belongs to the root system or is shared by one or more virtual systems and the root system, the corresponding cell in this column for that route remains blank.

get system

Output Analysis:

The command get system provides useful and important information, most of which cannot be found in the GUI, such as:

Serial number of the device

ScreenOS version

Hardware platform, including hardware version, MAC address and type

Chronological and timekeeping information, such as device uptime, current date and time, etc.

The number of times the device has been hard reset and the last time the device was reset

Current operational mode (transparent, NAT, or route)

Configuration port and user IP

Interface settings