netscreen cli reference guide - juniper networks
NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of NetScreen Technologies, Inc. NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-1000, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies. Information in this document is subject to change without notice.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from NetScreen Technologies, Inc.
NetScreen Technologies, Inc.
350 Oakmead Parkway
Sunnyvale, CA 94085 U.S.A.
www.netscreen.com
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen’s installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Consult the dealer or an experienced radio/TV technician for help.
• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.
Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.
Preface
The NetScreen CLI Reference Guide describes the commands used to configure and manage a NetScreen device from a console interface. This manual is an ongoing publication, published with each NetScreen OS release.
This document is for system and network administrators who have experience configuring a NetScreen device using the Web interface. Using the command line interface requires familiarity with command syntax, arguments, and variables.
The NetScreen Command Line Reference Guide consists of four volumes. All volumes contain the following items:
• A Table of Contents. The Table of Contents in each volume lists the contents of all volumes.
• A title page, which displays the range of commands described, the volume Part Number, and the Rev number.
• Commands, an alphabetized compendium of CLI command descriptions, presented in alphabetical order.
• USGA Features, an appendix that lists and briefly describes zones and interfaces, which are important components of NetScreen’s Universal Security Gateway Architecture (USGA).
• An alphabetized Index. The Index in each volume contains index listings for all volumes.
The volumes in this manual are as follows:
Volume 1 describes CLI commands address through clock. It also contains this preface, plus Getting Started, an introductory chapter providing instructions on how to connect a PC to the NetScreen device. It also explains the command syntax format used throughout this Manual.
Volume 2 describes CLI commands config through intervlan-traffic.
Volume 3 describes CLI commands ip through policy.
Volume 4 describes CLI commands pppoe through zone.
To obtain technical documentation for any NetScreen product, visit www.netscreen.com/support/manuals.html. To access the latest NetScreen documentation, see the Current Manuals section. To access archived documentation from previous releases, see the Archived Manuals section.
To obtain the latest technical information on a NetScreen product release, see the release notes document for that release. To obtain release notes, visit www.netscreen.com/support and select Software Download. Select the product and version, then click Go. (To perform this download, you must be a registered user.)
If you find any errors or omissions in the following content, please contact us at the e-mail address below:
This version of the NetScreen Message Log Reference Guide marks the first attempt to document all of the ScreenOS messages. As it stands, this effort continues to be an ongoing project. If you find any errors or omissions in the following content, please contact us at the e-mail address below:
�.���
e NetScreen device so that you ands at the CLI through a
PC running the Windows
���������������� ���������!�
# ������ (
This chapter provides information on how to connect a personal computer (PC) to thcan configure the device using the Command Line Interface (CLI). You enter commconsole application such as Telnet. or Hypterterminal.
Note: The examples in this guide display output generated from an IBM-compatibleoperating system.
�������*���"���! /� ����0��/�*��
.���
before you start setup:
8 bits, no parity, 1 stop-bit, and
running applications on the PC
en device. This port is labeled
al emulator on that system. The ole from any operating system, g the NetScreen device from a
���������������� ���������!�
&�����)��&�# �
Gain access to the NetScreen device you wish to configure, and obtain these items
• a PC to connect to the NetScreen device
• an RS-232 male-to-female serial cable
• a copy of Microsoft’s Hyperterminal software, available on the PC
To communicate with the NetScreen device using a console, use a 9600 Baud rate, no flow control.
������� �#��������������* �������%�It is not necessary power off the either PC or the NetScreen device, or to close any before connecting it to the NetScreen device.
To connect the NetScreen device to the PC:
1. Connect the female end of the RS-232 cable to the serial port on the PC.
2. Connect the male end of the RS-232 cable to the serial port on the NetScre“console.”
Note: If you are using a different operating system, you need a VT100 terminterminal emulator allows you to configure the NetScreen device using a consincluding Windows™, UNIX™, LINUX™, or Macintosh™. If you are configurinremote location, use Telnet to access the console.
�������*���"���! �����������
.����
L+F or the DOWN ARROW
TRL+B or the UP ARROW key.
e, type a question mark ( ? ).
detected for 10 minutes.
e of command execution. ay include names,
es.
For example, the set arp
sion on Windows 95, 98, NT, or check box, and click the OK
���������������� ���������!�
���*��� ���
The following conventions apply to all NetScreen commands.
����2�3����-���$������• To remove a single character, press BACKSPACE or CTRL+H.
• To remove an entire line, press CTRL+U.
• To traverse up to 16 lines forward in the command history buffer, press CTRkey.
• To traverse up to 16 lines backward in the command history buffer, press C
• To see the next available keyword or input and a brief description of its usag
• The console times out and the connection is closed if no keyboard activity is
�����"��"�%��Most NetScreen CLI commands have changeable parameters that affect the outcomNetScreen documention represents these parameters as variables. Such variables midentification numbers, IP addresses, subnet masks, numbers, dates, and other valu
�"��"�%�����"����
The variable notation used in this manual consists of italicized parameter identifiers.command uses four identifiers, as shown here:
Note: To use the arrow keys for navigating among commands in a Telnet ses2000: On the Terminal menu, click Preferences…, select the VT100 Arrowsbutton.
Note: Items you enter are into the system are in bold text.
�������*���"���! �����������
.�����
et2 is a physical interface.
���������������� ���������!�
set arp { ip_addr mac_addr interface age number | always-on-dest | no-cache }
where
• ip_addr represents an IP address.
• mac_addr represents a MAC address.
• interface represents a physical or logical interface.
• number represents a numerical value.
Thus, the command might take the following form:
ns-> set arp 172.16.10.11 00e02c000080 ethernet2
where 172.16.10.11 is an IP address, 00e02c000080 is a MAC address, and ethern
The following list shows the CLI variable names used in NetScreen documents.
comm_name The community name of a host or other device.
date_str A date value.
dev_name A device name, as with flash card memory.
dom_name A domain name, such as “acme” in www.acme.com.
dst_addr A destination address, as with a policy definition that defines a source and destination IP address.
filename The name of a file.
fqdn Fully-qualified domain name, such as www.acme.com.
grp_name The name of a group, such as an address group or service group.
interface A physical or logical interface.
id_num An identification number.
ip_addr An IPv4 address.
ipv6_addr An IPv6 address.
key_str A key, such as a session key, a private key, or a public key.
key_hex A key expressed as a hexadecimal number.
loc_str A location of a file or other resource.
mac_addr A MAC address.
mbr_name The name of a member in a group, such as an address group or a service group.
mask A subnet mask, such as 255.255.255.224 or /24.
name_str The name of an item, such as an address book entry.
number A numeric value, usually an integer, such as a threshold or a maximum.
pol_num A policy number.
port_num A number identifying a logical port.
pref_len A number identifying the prefix length for an IPv6 address.
pswd_str A password.
ptcl_num A number uniquely identifying a protocol, such as TCP, IP, or UDP.
serv_name The name of a server.
shar_secret A shared secret value.
spi_num A Security Parameters Index (SPI) number.
src_addr A source address, as with a policy definition that defines a source and destination IP address.
string A character string, such as a comment.
svc_name The name of a service, such as HTTP or MAIL.
time_str A time value.
tunn_str The name of a tunnel, such as an L2TP tunnel.
url_str A URL, such as www.acme.com.
usr_str A user, usually an external entity such as a dialup user.
vrouter A local virtual router, such as trust-vr or untrust-vr.
zone The name of a security zone.
Some commands contain multiple variables of the same type. The names of such variables may be numbered to identify each individually. For example, the set dip command contains two id_num variables, each numbered for easy identification:
set dip group id_num1 [ member id_num2 ]
Each CLI command description in this manual reveals some aspect of command syntax. This syntax may include options, switches, parameters, and other features. To illustrate syntax rules, some command descriptions use dependency delimiters. Such delimiters indicate which command features are mandatory, and in which contexts.
Dependency Delimiters
Each syntax description shows the dependencies between command features by using special characters.
• The { and } symbols denote a mandatory feature. Features enclosed by these symbols are essential for execution of the command.
• The [ and ] symbols denote an optional feature. Features enclosed by these symbols are not essential for execution of the command, although omitting such features might adversely affect the outcome.
• The | symbol denotes an “or” relationship between two features. When this symbol appears between two features on the same line, you can use either feature (but not both). When this symbol appears at the end of a line, you can use the feature on that line, or the one below it.
Nested Dependencies
Many CLI commands have nested dependencies, which make features optional in some contexts, and mandatory in others. The three hypothetical features shown below demonstrate this principle.
[ feature_1 { feature_2 | feature_3 } ]
The delimiters [ and ] surround the entire clause. Consequently, you can omit feature_1, feature_2, and feature_3, and still execute the command successfully. However, because the { and } delimiters surround feature_2 and feature_3, you must include either feature_2 or feature_3 if you include feature_1. Otherwise, you cannot successfully execute the command.
The following example shows some of the feature dependencies of the set interface command.
set interface vlan1 broadcast { flood | arp [ trace-route ] }
The { and } brackets indicate that specifying either flood or arp is mandatory. By contrast, the [ and ] brackets indicate that the trace-route option for arp is not mandatory. Thus, the command might take any of the following forms:
ns-> set interface vlan1 broadcast flood
ns-> set interface vlan1 broadcast arp
ns-> set interface vlan1 broadcast arp trace-route
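The following Python script is an added example, not part of the guide: it expands a syntax description written with the { }, [ ] and | delimiters into every concrete command form it permits, and checks a typed command against those forms, treating the variable identifiers listed earlier as placeholders. The placeholder set and the matches() check are this example's own assumptions, not a NetScreen tool.

```python
"""Expand NetScreen CLI syntax descriptions into the concrete forms they permit.

{ } encloses a mandatory choice, [ ] an optional one, and | separates
alternatives, as the dependency-delimiter conventions above describe.
"""
import re
from typing import List, Optional, Tuple

# Variable identifiers from the guide's variable list (assumed complete for
# this example).  A numbered variant such as id_num1 is treated as its base.
VARIABLE_NAMES = {
    "comm_name", "date_str", "dev_name", "dom_name", "dst_addr", "filename", "fqdn",
    "grp_name", "interface", "id_num", "ip_addr", "ipv6_addr", "key_str", "key_hex",
    "loc_str", "mac_addr", "mbr_name", "mask", "name_str", "number", "pol_num",
    "port_num", "pref_len", "pswd_str", "ptcl_num", "serv_name", "shar_secret",
    "spi_num", "src_addr", "string", "svc_name", "time_str", "tunn_str", "url_str",
    "usr_str", "vrouter", "zone",
}

Form = List[str]  # one concrete command form, as a list of tokens


def tokenize(syntax: str) -> List[str]:
    """Split a syntax line into words and the delimiters { } [ ] |."""
    return re.findall(r"[{}\[\]|]|[^\s{}\[\]|]+", syntax)


def _parse_alternatives(tokens: List[str], pos: int,
                        closer: Optional[str]) -> Tuple[List[Form], int]:
    """Parse 'seq | seq | ...' up to `closer` (or end of input); return all forms."""
    forms: List[Form] = []
    while True:
        seq_forms, pos = _parse_sequence(tokens, pos)
        forms.extend(seq_forms)
        if pos < len(tokens) and tokens[pos] == "|":
            pos += 1
        else:
            break
    if closer is None:
        if pos != len(tokens):
            raise ValueError(f"unexpected {tokens[pos]!r} at token {pos}")
    elif pos < len(tokens) and tokens[pos] == closer:
        pos += 1
    else:
        raise ValueError(f"missing {closer!r} at token {pos}")
    return forms, pos


def _parse_sequence(tokens: List[str], pos: int) -> Tuple[List[Form], int]:
    """Parse items until '|', '}' or ']'; return the cross product of their choices."""
    forms: List[Form] = [[]]
    while pos < len(tokens) and tokens[pos] not in ("|", "}", "]"):
        tok = tokens[pos]
        if tok == "{":
            # Mandatory clause: exactly one alternative must be used.
            choices, pos = _parse_alternatives(tokens, pos + 1, "}")
        elif tok == "[":
            # Optional clause: the empty choice omits the whole clause.
            choices, pos = _parse_alternatives(tokens, pos + 1, "]")
            choices = [[]] + choices
        else:
            choices, pos = [[tok]], pos + 1
        forms = [prefix + choice for prefix in forms for choice in choices]
    return forms, pos


def expand(syntax: str) -> List[str]:
    """Return every command form a syntax description allows, in notation order."""
    forms, _ = _parse_alternatives(tokenize(syntax), 0, None)
    return [" ".join(form) for form in forms]


def _is_variable(token: str) -> bool:
    return token.rstrip("0123456789") in VARIABLE_NAMES


def matches(command: str, syntax: str) -> bool:
    """True if a typed command fits one expansion of `syntax`.

    Only the structure is checked: a variable placeholder accepts any token,
    so value validation (is this really an IP address?) is left to the device.
    """
    words = command.split()
    if words and words[0] == "ns->":  # tolerate a pasted prompt
        words = words[1:]
    for form in expand(syntax):
        pattern = form.split()
        if len(pattern) == len(words) and all(
            p == w or _is_variable(p) for p, w in zip(pattern, words)
        ):
            return True
    return False


if __name__ == "__main__":
    for line in expand("set interface vlan1 broadcast { flood | arp [ trace-route ] }"):
        print("ns->", line)
```

Running the script prints the three forms listed above; an empty string in expand()'s result means the whole clause may be omitted, as with the hypothetical [ feature_1 { feature_2 | feature_3 } ] example.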
Availability of Commands and Features
As you execute CLI commands using the syntax descriptions in this manual, you may find that certain commands and command features are unavailable for your NetScreen device model.
Because NetScreen devices treat unavailable command features as improper syntax, attempting to use such a feature usually generates the unknown keyword error message. When this message appears, confirm the feature’s availability using the ? switch. For example, the following commands list available options for the set vpn command:
ns-> set vpn ?
ns-> set vpn vpn_name ?
ns-> set vpn gateway gate_name ?
Redirecting and Filtering Console Output
Most configurable ScreenOS features have settings that you can display on your console using a get command. Each get command has switches that allow you to redirect the command output to a TFTP server, or filter output to include or exclude lines containing certain character strings.
Redirecting
To direct the output of a get command to a text file on a TFTP server, use the greater-than ( > ) switch. The general format for such redirection is as follows:
get keyword > tftp ip_addr filename
For example, to direct the output of the get address command to a text file named addr.txt on a TFTP server at IP address 172.16.3.4:
get address > tftp 172.16.3.4 addr.txt
Filtering
To include or exclude output lines generated by a get command, use the piping symbol ( | ) switch. The general format for such filtering is:
get keyword | include string
get keyword | exclude string
For example, to filter the output of the get interface command, displaying only lines that contain “eth”:
get interface | include “eth”
To filter the output of the get interface command, displaying any line that contains “Null”:
get interface | include “Null”
This volume lists and describes NetScreen Command Line Interface (CLI) commands address through clock.
Note: As you execute CLI commands using the syntax descriptions in this chapter, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the vsys command, which is available on a NetScreen-500 device, but not on a NetScreen-5xp device. Similarly, some command options are unavailable on certain models, as with the df-bit option of the vpn command. This option is available on a NetScreen-500, but not on a NetScreen-5xp.
address
Description: Use the address commands to define entries in the address book of a security zone. You use address book entries to identify addressable entities in policy definitions.
Syntax
get
get address zone [ group name_str | name name_str ]
set
set address zone name_str { dom_name | ip_addr mask } [ string ]
unset
unset address zone name_str
Keywords and Variables
zone The name of the security zone. The default security zones to which you can bind an address book include Trust, Untrust, Global, DMZ, V1-Trust, V1-Untrust, and V1-DMZ. You can also assign address book entries to user-defined zones. For more information on zones, see “Security Zone Names” on page A-II.
dom_name The host domain name.
ip_addr The host IP address.
mask The host subnet mask.
string A character string containing a comment line.
Examples: The following command:
• defines an entry named “webserver” in the address book of the DMZ zone
• assigns the entry IP address 172.16.50.9 and netmask 255.255.255.254
set address dmz webserver 172.16.50.9 255.255.255.255
The following command:
• defines an entry (odie) in the address book of the Trust zone
• assigns the entry IP address 172.16.10.1 and netmask 255.255.255.255
• assigns the entry a comment string “Mary_Desktop”
set address trust odie 172.16.10.1 255.255.255.255 Mary_Desktop
The following command deletes an entry (odie) from the address book of the Trust zone:
unset address trust my-partner
group
get address zone group name_str
group The name of a group of address book entries. You can use an address group in a security policy definition to specify multiple addresses.
Example: The following command displays information for an address group named Sales_Group:
get address trust group Sales_Group
name
get address zone name name_str
name name_str The name of an individual address book entry. You can use an address group in a security policy definition to specify a single address.
Example: The following command displays a
Description: Use the admin commands to configure or display administrative parameters for the NetScreen device.
Syntax
clear
clear [ cluster ] admin user { cache | login }
get
get admin [ auth [ banner | settings ] | current-user | manager-ip | scs all | user [ cache | login ] ]
set
set admin { auth
    { banner { console | telnet } login string | server name_str | timeout number } |
  device-reset |
  format { dos | unix } | hw-reset | mail
    { alert | mail-addr1 ip_addr | mail-addr2 ip_addr | server-name { ip_addr | name_str } | traffic-log } |
  manager-ip ip_addr [ mask ] | name name_str | password pswd_str | port port_num | privilege { get-external | read-write } | scs
    { password { disable | enable } username name_str | port port_num } |
  telnet port port_num | user name_str password pswd_str [ privilege { all | read-only } ] }
unset
unset admin { auth
    { banner { console | telnet } login | server | timeout } |
  device-reset | format | hw-reset | mail
    { alert | mail-addr1 | mail-addr2 | server-name | traffic-log } |
  manager-ip { ip_addr | all } | name | password | port | scs [ port ] | telnet port | user name_str }
Keywords and Variables
alert
set admin mail alert
auth
get admin auth [ banner | settings ]
set admin auth { banner { console | telnet } login string | server name_str | timeout number }
unset admin auth { banner { console | telnet } login | server | timeout }
Example: The following command creates a login banner "Telnet Login Here" for new Telnet sessions (for managing the NetScreen device):
set admin auth banner telnet login "Telnet Login Here"
alert Collects system alarms from the device for sending to an email address.
auth Configures admin authentication settings for the NetScreen device.
banner
get admin auth banner
set admin auth banner { console | telnet } login string
unset admin auth banner { console | telnet } login
Example: The following command creates a console login banner "Hyperterminal Management Console":
set admin auth banner console login "Hyperterminal Management Console"
cache
clear [ cluster ] admin user cache
get admin user cache
cluster
clear cluster admin user { cache | login }
Example: The following command clears remote administrative users from the cache and propagates this change to the other devices in an NSRP cluster:
clear cluster admin user cache
banner Specifies the banner (string) displayed during login through the console port (console) or a Telnet session (telnet).
cache Clears or displays the memory cache containing all current remote administrative users.
cluster Propagates the clear operation to all other devices in an NSRP cluster.
current-user
get admin current-user
device-reset
set admin device-reset
unset admin device-reset
format
set admin format { dos | unix }
unset admin format
Example: The following command generates the configuration file in UNIX format:
set admin format unix
hw-reset
set admin hw-reset
unset admin hw-reset
current-user Displays the user for the current administrative session.
device-reset Enables device reset for asset recovery.
format Determines the format (dos or unix) used when the NetScreen device generates the configuration file. On some NetScreen device models, you can download this file to a TFTP server or PCMCIA card using the CLI, or to a local directory using the WebUI.
hw-reset Enables hardware reset for asset recovery.
login
clear [ cluster ] admin user login
get admin user login
mail
set admin mail { ... }
unset admin mail { ... }
mail-addr1
set admin mail mail-addr1 ip_addr
Example: The following command configures the email address [email protected] to receive updates concerning administrative issues:
set admin mail mail-addr1 [email protected]
login Clears or displays all current administrative users.
mail Enables email for sending alerts and traffic logs.
mail-addr1 ip_addr Sets the first email address for sending alert and traffic logs.
mail-addr2
set admin mail mail-addr2 ip_addr
Example: The following command configures the secondary email address pat@acme.com to receive updates concerning administrative issues:
set admin mail mail-addr2 pat@acme.com
manager-ip
get admin manager-ip
set admin manager-ip ip_addr [ mask ]
unset admin manager-ip { ip_addr | all }
Example: The following command restricts management to a single host with IP address 172.16.10.100:
set admin manager-ip 172.16.10.100 255.255.255.255
name
set admin name name_str
unset admin name
Example: The following command changes the root administrator user name to "paul":
set admin name paul
password
set admin password pswd_str
unset admin password
Example: The following command changes the root administrator login password to "build4you":
set admin password build4you
port
set admin port port_num
unset admin port
Example: The following command changes the port number for the Web administrative interface to 8000:
set admin port 8000
mail-addr2 Sets the secondary email address for sending alert and traffic logs.
manager-ip Restricts management to a host or a subnet. The default IP address is 0.0.0.0, which allows management from any workstation. All NetScreen devices allow you to specify up to six hosts or subnets at once.
name The login name (name_str) of the root user for the NetScreen device. The maximum length of the name is 31 characters, including all symbols except ?. The name is case-sensitive.
password Specifies the password (pswd_str) of the root user. The maximum length of the password is 31 characters, including all symbols except the special command character "?".
port Sets the port number (port_num) for detecting configuration changes when using the web. Use any number between 1024 and 32767, or use the default port number (80). Changing the admin port number might require resetting the device (see the reset command).
privilege
set admin privilege { get-external | read-write }
scs
get admin scs all
set admin scs { password { disable | enable } username name_str | port port_num }
unset admin scs [ port ]
Example: The following command enables the password for a user named "rsmith":
set admin scs password enable username rsmith
privilege Defines the administrative privilege level:
• get-external Instructs the NetScreen device to obtain the admin user privileges externally from the RADIUS server.
• read-write Gives the RADIUS administrator read-write privileges, and ignores the privilege returned from the RADIUS server.
scs Provides access to the Secure Command Shell (SCS) utility. SCS allows you to administer NetScreen devices from an Ethernet connection or a dial-in modem, thus providing secure CLI access over unsecured channels.
• password Sets the password for the user that establishes the SCS session. The enable | disable switch enables or disables password authentication. username name_str specifies the admin user name.
• port port_num Specifies the logical SSH port through which the SCS communication occurs.
server
set admin auth server name_str
unset admin auth server
Example: The following command specifies an authentication server named "Marketing_Admin_AuthS":
set admin auth server Marketing_Admin_AuthS
server-name
set admin mail server-name ip_addr
Example: The following command specifies an SMTP server at IP address 172.16.10.10:
set admin mail server-name 172.16.10.10
settings
get admin auth settings
telnet port
set admin telnet port port_num
unset admin telnet port
timeout
set admin auth timeout number
unset admin auth timeout
Example: The following command sets an authentication timeout interval of one hour:
set admin auth timeout 60
traffic-log
set admin mail traffic-log
unset admin mail traffic-log
server The name of the authentication server used for authenticating admin users.
server-name The IP address or name of the Simple Mail Transfer Protocol (SMTP) server. This server receives email notification of system alarms and traffic logs.
settings Displays admin authentication settings, including the current timeout setting and the admin user type (local or remote).
telnet port Provides CLI access through a Telnet connection. The acceptable range of port_num is 1024 - 32767.
timeout Specifies the length of idle time (in minutes) before the NetScreen device automatically closes the web administrative session. The value can be up to 999 minutes. A value of 0 specifies no timeout. (Telnet admin sessions time out after the console timeout interval expires. You set this interval using the set console timeout command.)
traffic-log Generates a log of network traffic handled by the NetScreen device. The traffic log can contain a maximum of 4,096 entries. The NetScreen device sends a copy of the log file to each specified email address (see mail-addr1 and mail-addr2). This happens when the log is full, or every 24 hours, depending upon which occurs first.
user
get admin user [ cache | login ]
set admin user name_str password pswd_str [ privilege { all | read-only } ]
unset admin user name_str
Example: The following command creates a non-root administrator named "rsmith", with password "swordfish":
set admin user rsmith password swordfish privilege all
Defaults
The default admin name and password are netscreen.
The default manager-ip is 0.0.0.0, and the default subnet mask is 255.255.255.255.
The default privilege for a super-administrator is read-only.
The default admin port is 80.
The default mail alert setting is off.
The default for device reset is on.
user Creates or displays a non-root administrator (super-administrator or sub-administrator). The maximum user name length is 31 characters, including all symbols except ?. The user name is case-sensitive. The privilege switch determines the privilege level of the user (all or read-only).
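The defaults above are exactly what an attacker tries first: root login netscreen, management reachable from any address because manager-ip is 0.0.0.0, the web interface on port 80, and no idle timeout if someone set it to 0. The following Python is an added example, not part of this reference and not ScreenOS code: it audits constructed set admin lines against those documented defaults and limits (at most six manager-ip entries, a non-default port must be 1024-32767) and reports what a hardening review would flag.

```python
"""Audit 'set admin' configuration lines against the defaults listed above.

Added example; not from the NetScreen reference and not ScreenOS code. The
config text is constructed. The checks restate what the reference says:
manager-ip defaults to 0.0.0.0 (management from any workstation) and at most
six hosts or subnets can be set; the default root admin name is netscreen;
auth timeout 0 means no idle timeout; the web admin port defaults to 80 and
any other value must be 1024-32767; sub-admins can be given privilege all.
"""
import shlex

ADMIN_CONFIG = """\
set admin name netscreen
set admin auth timeout 0
set admin user rsmith password swordfish privilege all
set admin user auditor password letmein privilege read-only
set admin scs password enable username rsmith
set admin mail server-name 172.16.10.10
"""

HARDENED_CONFIG = """\
set admin name paul
set admin manager-ip 172.16.10.100 255.255.255.255
set admin auth timeout 10
set admin port 8000
set admin user auditor password letmein privilege read-only
"""


def audit_admin_config(config_text):
    """Return a list of (severity, message) findings; an empty list is clean."""
    manager_ips, full_priv_users = [], []
    admin_name, web_port, auth_timeout = "netscreen", 80, None  # reference defaults
    for raw in config_text.splitlines():
        t = shlex.split(raw)
        if t[:2] != ["set", "admin"] or len(t) < 4:
            continue
        kw = t[2]
        if kw == "manager-ip":
            manager_ips.append(t[3])
        elif kw == "name":
            admin_name = t[3]
        elif kw == "auth" and t[3] == "timeout" and len(t) > 4:
            auth_timeout = int(t[4])
        elif kw == "port":
            web_port = int(t[3])
        elif kw == "user" and "privilege" in t:
            i = t.index("privilege")
            if i + 1 < len(t) and t[i + 1] == "all":
                full_priv_users.append(t[3])

    findings = []
    if not manager_ips or "0.0.0.0" in manager_ips:
        findings.append(("high", "manager-ip is 0.0.0.0 (default): management allowed "
                                 "from any host; restrict it with set admin manager-ip ip_addr mask"))
    elif len(manager_ips) > 6:
        findings.append(("error", f"{len(manager_ips)} manager-ip entries; "
                                  "the device accepts at most six hosts or subnets"))
    if admin_name == "netscreen":
        findings.append(("high", "root admin name is the default 'netscreen'; change it with set admin name"))
    if auth_timeout == 0:
        findings.append(("medium", "set admin auth timeout 0: web admin sessions never time out"))
    if web_port == 80:
        findings.append(("low", "web admin port is the default 80"))
    elif not 1024 <= web_port <= 32767:
        findings.append(("error", f"web admin port {web_port} is outside 1024-32767"))
    for user in full_priv_users:
        findings.append(("info", f"sub-admin '{user}' has privilege all; confirm it is needed"))
    return findings
```

The audit reads configuration text only, so it can be run over a saved get config export without touching the device; the constructed hardened configuration produces no findings, while the constructed default-heavy one produces one finding per default left in place.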
Description: Use the alarm commands to set alarm parameters.
Syntax
clear
clear [ cluster ] alarm traffic [ policy pol_num1 [ -pol_num2 ] ] [ end-time string ]
get
get alarm { threshold | traffic
  [ policy pol_num1 [ -pol_num2 ] ] [ service name_str ]
  [ src-address ip_addr ] [ dst-address ip_addr ] [ detail
  [ start-time string ] [ end-time string ] [ minute | second
  [ threshold number [ -number ] ] [ rate number [ -number ] ] ] ] }
set
set alarm threshold { cpu number | memory number | session { count number | percent number } }
unset
unset alarm threshold { cpu | memory | session }
Keywords and Variables
cluster
clear cluster alarm traffic [ ... ]
Example: The following command clears the alarm table entries for policy 4 and propagates the change to the other devices in an NSRP cluster:
clear cluster alarm traffic policy 4
detail
get alarm traffic [ ... ] detail [ ... ]
Example: The following command displays detailed traffic alarm entries that occurred on or after January 1, 2003:
get alarm traffic detail start-time 01/01/2003
cluster Propagates the clear operation to all other devices in an NSRP cluster.
detail Displays detailed information for each Access Policy, including all traffic alarm entries that occurred under the policy. If you omit this option, the output contains only general information and the time of the most recent alarm for each policy.
end-time | start-time
clear [ cluster ] alarm traffic policy [ ... ] end-time string
get alarm traffic [ ... ] end-time string
get alarm traffic [ ... ] start-time string
Example: The following command performs a detailed display of traffic alarm entries at (or after) 11:59pm, December 31, 2003 and at or before 12:00am, December 31, 2004:
get alarm traffic detail start-time 12/31/2003-23:59:00 end-time 12/31/2004-24:00:00
policy
clear [ cluster ] alarm traffic policy pol_num1 [ -pol_num2 ] [ ... ]
get alarm traffic policy pol_num
Example: The following command clears the entries for policy 2 in the alarm table:
clear alarm traffic policy 2
start-time | end-time The start-time option displays traffic alarm entries that occurred at or after the time specified. The end-time option displays traffic alarm entries that occurred at or before the time specified. The format for string is mm/dd[/yy][-hh:mm[:ss]]. You can omit the year (the current year is the default), or express the year using the last two digits or all four digits. The hour, minute, and second are optional. The delimiter between the date and the time can be a dash or an underscore:
12/31/2002-23:59:00
12/31/2002_23:59:00
policy Displays traffic alarm entries for an Access Policy specified by its ID number or for several access policies specified by a range of ID numbers. The ID number can be any value between 0 and the total number of established access policies. To define a range, enter the starting and ending ID numbers as follows: pol_num1-pol_num2
second | minute
get alarm traffic [ ... ] detail [ minute | second ] [ ... ]
Example: The following command displays traffic alarm entries for policies with threshold settings at bytes per second:
get alarm traffic detail second
service
get alarm traffic [ ... ] service name_str [ ... ]
Example: The following command displays traffic alarm entries for the HTTP service:
get alarm traffic service http
second | minute Displays traffic alarm entries for access policies with threshold settings at bytes per second or bytes per minute.
• The rate number [ -number ] option displays traffic alarm entries for access policies with a flow rate at a specified value or within a specified range.
• The threshold number [ -number ] option displays traffic alarm entries for access policies with a threshold at a specified value or within a specified range.
service Displays traffic alarm entries for a specified service (name_str), such as TCP, ICMP, or FTP. (To display all services, make the name_str value Any.) The name does not have to be complete; for example, both TC and CP are recognized as TCP. Although you cannot specify a Service group, note that because TP is recognized as FTP, HTTP, and TFTP, entering TP displays traffic alarm entries for all three of these Services.
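The start-time/end-time string format, the policy range and the substring service matching described above are the parts most often mis-scripted when alarm output is post-processed off the device (a service filter of "TP" is a wider net than it looks). The following Python is an added example, not ScreenOS code and not from this reference: it implements those documented filter semantics over constructed alarm entries. Two points the reference leaves open are assumptions here and are marked in the code: a two-digit year is read as 20yy, and the 24:00:00 used in the example above is treated as the following midnight.

```python
"""Filter traffic-alarm entries with the 'get alarm traffic' option semantics.

Added example; not ScreenOS code and not from the reference. The alarm
entries are constructed. Documented semantics implemented here: start-time
keeps entries at or after the time, end-time keeps entries at or before it;
the time string is mm/dd[/yy][-hh:mm[:ss]] with '-' or '_' between date and
time and a 2- or 4-digit year (default year when omitted); policy is a
single ID or a range pol_num1-pol_num2; service matches every service name
that contains the text (TP hits FTP, HTTP and TFTP) and Any matches all.
Assumptions: a 2-digit year means 20yy, and 24:00:00 means the next midnight.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

_TIME_RE = re.compile(
    r"^(?P<mm>\d{1,2})/(?P<dd>\d{1,2})(?:/(?P<yy>\d{2}|\d{4}))?"
    r"(?:[-_](?P<hh>\d{1,2}):(?P<mi>\d{2})(?::(?P<ss>\d{2}))?)?$"
)


def parse_alarm_time(text, default_year=2003):
    """Parse the mm/dd[/yy][-hh:mm[:ss]] form into a datetime."""
    m = _TIME_RE.match(text)
    if not m:
        raise ValueError(f"bad alarm time string: {text!r}")
    yy = m["yy"]
    # Assumption: two-digit years belong to the 2000s.
    year = default_year if yy is None else int(yy) + (2000 if len(yy) == 2 else 0)
    hh, mi, ss = int(m["hh"] or 0), int(m["mi"] or 0), int(m["ss"] or 0)
    if hh == 24 and mi == 0 and ss == 0:
        # Assumption: "24:00:00" (as in the reference's example) is the next midnight.
        return datetime(year, int(m["mm"]), int(m["dd"])) + timedelta(days=1)
    return datetime(year, int(m["mm"]), int(m["dd"]), hh, mi, ss)


def parse_policy_range(text):
    """'4' -> (4, 4); '2-4' -> (2, 4)."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi) if hi else int(lo)
    if lo > hi:
        raise ValueError(f"bad policy range: {text!r}")
    return lo, hi


@dataclass
class AlarmEntry:
    policy: int
    service: str
    src: str
    dst: str
    time: datetime


SAMPLE_ALARMS = [  # constructed entries, not device output
    AlarmEntry(2, "HTTP", "172.16.9.9", "172.16.10.10", datetime(2003, 12, 31, 23, 59, 0)),
    AlarmEntry(2, "FTP", "172.16.9.9", "172.16.10.10", datetime(2004, 1, 1, 0, 0, 0)),
    AlarmEntry(4, "TFTP", "10.1.1.5", "172.16.10.10", datetime(2004, 6, 15, 12, 0, 0)),
    AlarmEntry(5, "TCP", "10.1.1.6", "172.16.10.11", datetime(2005, 1, 1, 0, 0, 1)),
    AlarmEntry(7, "ICMP", "10.1.1.7", "172.16.10.12", datetime(2003, 1, 1, 0, 0, 0)),
]


def filter_alarms(entries, policy=None, service=None, src=None, dst=None,
                  start_time=None, end_time=None, default_year=2003):
    """Apply the get alarm traffic options; an option left unset does not filter."""
    lo, hi = parse_policy_range(policy) if policy else (None, None)
    start = parse_alarm_time(start_time, default_year) if start_time else None
    end = parse_alarm_time(end_time, default_year) if end_time else None
    needle = None if service is None or service.lower() == "any" else service.lower()
    out = []
    for e in entries:
        if policy and not lo <= e.policy <= hi:
            continue
        if needle and needle not in e.service.lower():   # partial names match
            continue
        if src and e.src != src:
            continue
        if dst and e.dst != dst:
            continue
        if start and e.time < start:                      # start-time: at or after
            continue
        if end and e.time > end:                          # end-time: at or before
            continue
        out.append(e)
    return out
```

With the constructed entries, the reference's own window of 12/31/2003-23:59:00 to 12/31/2004-24:00:00 keeps the entry that sits exactly on the start time and drops the one a second past the end, and a service filter of TP returns the HTTP, FTP and TFTP entries together.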
src-address | dst-address
get alarm traffic [ ... ] src-address ip_addr [ ... ]
get alarm traffic [ ... ] dst-address ip_addr [ ... ]
Example: The following command displays traffic alarm entries originating from IP address 172.16.9.9 and destined for IP address 172.16.10.10:
get alarm traffic src-address 172.16.9.9 dst-address 172.16.10.10
threshold
get alarm threshold
get alarm traffic [ ... ] threshold number [ -number ]
set alarm threshold { ... }
unset alarm threshold { cpu | memory | session }
Example: The following command sets the session limit threshold to 75,000 sessions:
set alarm threshold session count 75000
src-address Displays traffic alarm entries originating from a specified IP address (ip_addr) or from a specified direction, such as inside_any or outside_any.
dst-address Displays traffic alarm entries destined for a specified IP address (ip_addr) or for a specified direction, such as inside_any or outside_any.
threshold Displays traffic alarm entries for access policies with threshold settings at a specified value or within a specified range.
• cpu number sets the cpu threshold.
• memory number sets the memory threshold.
• session sets the session threshold. The count number option specifies how many sessions can exist before the device generates an alarm. The percent number option specifies what percentage of the session limit is allowable before the device generates an alarm.
traffic
clear [ cluster ] alarm traffic [ ... ]
get alarm traffic [ ... ]
Example: The following command performs a detailed display of traffic alarm entries originating from IP address 172.16.9.9 and destined for IP address 172.16.10.10:
get alarm traffic src-address 172.16.9.9 dst-address 172.16.10.10 detail
traffic Specifies traffic alarm entries.
Description: Use the alias commands to create, remove, or list named aliases representing CLI commands. After creating an alias, you can use the alias name to execute the represented command.
Syntax
get
get alias
set
set alias name_str string
unset
unset alias name_str
Keywords and Variables
Variable Parameters
Example: The following commands create an alias representing the get interface ethernet1/1 command, then execute the command using the alias:
set alias int_1 "get interface ethernet1/1"
int_1
name_str The name of the CLI command alias.
string The CLI command to which you assign the alias.
Description: Use the unset all command to return all configuration settings to the factory default values.
Syntax
unset
unset all
Keywords and Variables
None.
Example: In the following example, you return the device to its factory default settings and reset the device.
1. Execute the unset all command.
unset all
The following prompt appears: "Erase all system config, are you sure y / [n]?"
2. Press the Y key. This action returns the system configuration to the factory default settings.
3. Execute the reset command.
reset
The following prompt appears: "Configuration modified, save? [y] / n"
4. Press the N key. This action generates the following prompt: "System reset, are you sure? y / [n] n"
5. Press the Y key. This action reboots the system. The device now has its original factory default settings.
Description: Use the arp commands to create, remove, or list interface entries in the Address Resolution Protocol (ARP) table.
Syntax
clear
clear [ cluster ] arp
get
get arp
set
set arp { ip_addr mac_addr interface | age number | always-on-dest }
unset
unset arp { ip_addr [ interface ] | age | always-on-dest }
Keywords and Variables
Variable Parameters
set arp ip_addr mac_addr interface
Example: The following command creates an entry in the ARP table for physical interface ethernet4 with IP address 10.1.1.1 and MAC address 00104587bd22:
set arp 10.1.1.1 00104587bd22 ethernet4
age
set arp age number
always-on-dest
set arp always-on-dest
ip_addr The IP address for the interface in the ARP table entry.
mac_addr The MAC address for the interface in the ARP table entry.
interface The name of the ARP interface in the ARP table entry. For more information on interfaces, see "Interface Names" on page A-IV.
age Sets the age-out value (in seconds) for ARP entries.
always-on-dest Directs the NetScreen device to send an ARP request for any incoming packet with a header containing a MAC address not yet listed in the device's MAC address table. This may be necessary when packets originate from server load-balancing (SLB) switches or from devices using the Hot Standby Router Protocol/Virtual Router Redundancy Protocol (HSRP/VRRP).
cluster
clear [ cluster ] arp
cluster Propagates the clear operation to all other devices in an NSRP cluster.
Description: Use the auth commands to specify a user authentication method. The four available methods are:
• a built-in database
• a RADIUS server
• SecurID
• Lightweight Directory Access Protocol (LDAP)
Syntax
clear
clear [ cluster ] auth [ history | queue | table [ id id_num | ip ip_addr ] ]
Note: If the NetScreen device uses SecurID to authenticate users, and communication problems occur with the ACE server, clear the current SecurID shared secret from the device (and the server) by executing the clear node_secret command.
get
get auth [ banner | history [ id id_num | ip ip_addr ] | queue | settings | table [ id id_num | ip ip_addr ] ]
set
set auth { banner { ftp | http | telnet }
    { fail string | login string | success string } |
  default auth server name_str }
unset
unset auth { banner { ftp | http | telnet }
    { fail | login | success } |
  default auth server }
Keywords and Variables
banner
get auth banner
set auth banner { ftp | http | telnet } { fail string | login string | success string }
unset auth banner { ftp | http | telnet } { fail | login | success }
Example: The following command defines a banner for a failed FTP login attempt:
set auth banner ftp fail "FTP login attempt failed"
cluster
clear [ cluster ] auth [ ... ]
banner Defines or displays firewall banners. The NetScreen device uses these banners to report success or failure of login requests.
• ftp Reports on the success or failure of FTP login requests.
• http Reports on the success or failure of HTTP login requests.
• telnet Reports on the success or failure of Telnet login requests.
- fail string Specifies a message string to display when a login attempt fails.
- login string Specifies a message string to display when a login attempt occurs.
- success string Specifies a message string to display when a login attempt is successful.
cluster Propagates the clear operation to all other devices in an NSRP cluster.
default auth server
set auth default auth server name_str
unset auth default auth server
Example: The following command identifies the default authentication server (Auth_Server):
set auth default auth server Auth_Server
history
clear [ cluster ] auth history
get auth history [ id id_num | ip ip_addr ]
queue
clear [ cluster ] auth queue
get auth queue
settings
get auth settings
default auth server Specifies a default firewall authentication server (name_str). The NetScreen device uses this server when a security policy does not explicitly identify a particular authentication server.
history Clears or displays the history of users authenticated through the NetScreen device.
queue Clears or displays the internal user authentication queue.
settings Displays default user authentication server settings. (This option yields the same display as the get auth command.)
table
clear [ cluster ] auth table [ id id_num | ip ip_addr ]
get auth table [ id id_num | ip ip_addr ]
Examples: The following command clears entry 7 from the user authentication table:
clear auth table id 7
The following command displays authentication details from a table entry with source IP 172.16.10.10:
get auth table ip 172.16.10.10
table Clears entries from the user authentication table (thus forcing reauthentication), or displays such entries. Entries in the user authentication table can represent:
• Users currently authenticated
• Users currently undergoing authentication
• Users denied authentication
Without parameters (described below), the table option clears or displays all table entries.
• id id_num Clears or displays a particular entry by ID (id_num).
• ip ip_addr Clears or displays all entries with a common source IP address (ip_addr).
Description: Use the auth-server commands to configure the NetScreen device for user authentication with a specified authentication server. Access policies, VPN tunnel specifications, and XAUTH configurations use these server specifications to gain access to the appropriate resources.
Syntax
get
get auth-server { string | all | id id_num }
set
set auth-server name_str { account-type { [ admin ] | [ auth ] [ l2tp ] [ xauth ] } | backup1 name_str | backup2 name_str | id id_num | ldap
    { cn name_str | dn name_str | port port_num | server-name name_str } |
  radius-port port_num | secret shar_secret | securid
    { auth-port port_num | duress number | encr id_num | retries number | timeout number } |
  server-name name_str | timeout number | type { ldap | radius | securid } }
unset
unset auth-server { string
  [ account-type
    { admin | [ auth ] [ ike ] [ l2tp ] [ xauth ] } |
  backup1 | backup2 | radius-port | timeout | type ] |
  id id_num }
Keywords and Variables
Variable Parameters
set auth-server name_str [ ... ]
Example: The following command creates a server object name (radius1) and specifies type RADIUS:
set auth-server radius1 type radius
all
get auth-server all
account-type
set auth-server name_str account-type { [ admin ] | [ auth ] [ l2tp ] [ xauth ] }
name_str The object name of the authentication server.
all Specifies all configured authentication servers.
account-type Specifies the kinds of users authenticated by the server (name_str).
• admin specifies admin users.
• auth specifies firewall users.
• l2tp specifies Layer 2 Tunneling Protocol (L2TP) users.
• xauth specifies XAUTH users.
backup1 | backup2
set auth-server name_str { backup1 name_str | backup2 name_str }
unset auth-server name_str { backup1 | backup2 }
Example: The following commands configure an auth server with a primary backup server (Reserve_1) and a secondary backup server (Reserve_2):
set auth-server Our_Server backup1 Reserve_1
set auth-server Our_Server backup2 Reserve_2
id
get auth-server id id_num
set auth-server name_str id id_num
unset auth-server id id_num
Example: The following command assigns an identification number (200) to the authentication server (Our_Server):
set auth-server Our_Server id 200
backup1 The IP address or name of the primary backup server.
backup2 The IP address or name of the secondary backup server.
id The identification number (id_num) of the authentication server.
ldap
set auth-server name_str ldap { cn name_str | dn name_str | port port_num | server-name name_str }
Example: For an example of this option, see "Defining an LDAP Server Object" on page 43.
radius-port
set auth-server name_str radius-port port_num
unset auth-server name_str radius-port
Example: For an example of this option, see "Defining a RADIUS Server Object" on page 42.
ldap Configures the NetScreen device to use an LDAP server for authentication.
• cn name_str The Common Name identifier for the LDAP server.
• dn name_str The Distinguished Name identifier for the LDAP server.
• port port_num Specifies the port number to use for communication with the LDAP server.
• server-name name_str The DNS name or IP of the LDAP server.
radius-port Specifies the logical port (port_num) for communication with the RADIUS server.
secret
set auth-server name_str secret shar_secret
Example: For an example of this option, see "Defining a RADIUS Server Object" on page 42.
securid
set auth-server name_str securid { auth-port port_num | duress number | encr id_num | retries number | timeout number }
Example: For an example of this option, see "Defining a SecurID Server Object" on page 42.
secret Specifies the RADIUS shared secret (shar_secret).
securid Configures the NetScreen device to use a SecurID server for authentication.
• auth-port port_num Specifies the port number to use for communications with the SecurID server.
• duress { 0 | 1 } Specifies if the SecurID server is licensed to use duress mode. A value of 0 means False, and 1 means True. When duress mode is active, the user can enter a special duress PIN number. The NetScreen device allows the transaction, but sends a signal to the SecurID server, indicating that someone is forcing the user to log in against his or her will.
• encr { 0 | 1 } Specifies the encryption algorithm for SecurID network traffic. A value of 0 specifies SDI, and 1 specifies DES. The default type DES is recommended.
• retries number Specifies the number of retries between requests for authentication.
• timeout number Specifies the length of time (in seconds) that the NetScreen device waits between authentication retry attempts.
server-name
set auth-server name_str server-name { ip_addr | name_str }
timeout
set auth-server name_str timeout number
unset auth-server name_str timeout
Example: For an example of this option, see "Defining a SecurID Server Object" on page 42.
type
set auth-server name_str type { ldap | radius | securid }
Example: For an example of this option, see "Defining a RADIUS Server Object" on page 42.
server-name The IP address or name of the authentication server.
timeout Specifies how many minutes (number) elapse after termination of the user's last session before the user needs to reauthenticate.
type Specifies the type of authentication server (ldap, radius or securid). The unset command sets type to radius.
Defining a RADIUS Server Object
The following commands define an auth-server object for a RADIUS server:
set auth-server radius1 type radius
set auth-server radius1 account-type auth l2tp xauth
set auth-server radius1 server-name 10.20.1.100
set auth-server radius1 backup1 10.20.1.110
set auth-server radius1 backup2 10.20.1.120
set auth-server radius1 radius-port 4500
set auth-server radius1 timeout 30
set auth-server radius1 secret A56htYY97kl
save
If you are using vendor-specific attributes, load the netscreen.dct file on the RADIUS server after executing these commands.
Defining a SecurID Server Object
The following commands define an auth-server object for a SecurID server:
set auth-server securid1 type securid
set auth-server securid1 server-name 10.20.2.100
set auth-server securid1 backup1 10.20.2.110
set auth-server securid1 timeout 60
set auth-server securid1 account-type admin
set auth-server securid1 securid retries 3
set auth-server securid1 securid timeout 10
set auth-server securid1 securid auth-port 15000
set auth-server securid1 securid encr 1
set auth-server securid1 securid duress 0
save
Defining an LDAP Server Object
The following commands define an auth-server object for an LDAP server:
set auth-server ldap1 type ldap
set auth-server ldap1 account-type auth
set auth-server ldap1 server-name 10.20.3.100
set auth-server ldap1 backup1 10.20.3.110
set auth-server ldap1 backup2 10.20.3.120
set auth-server ldap1 timeout 40
set auth-server ldap1 ldap port 15000
set auth-server ldap1 ldap cn cn
set auth-server ldap1 ldap dn c=us;o=netscreen;ou=marketing
save
The following command lists all auth-server settings:
get auth-server all
Description: Use the bgp context to configure a BGP virtual router in a NetScreen device.
Initiating the bgp context
Initiating the bgp context requires two steps:
1. Enter the vrouter context by executing the set vrouter command:
set vrouter vrouter
where vrouter is the name of the virtual router. (For all examples that follow, assume that vrouter is the trust-vr virtual router.)
2. Enter the bgp context by executing the set protocol bgp command.
ns(trust-vr)-> set protocol bgp
Commands
The following commands are executable in the bgp context.
advertise-default-route Use the advertise-default-route commands to advertise the NetScreen device as the default route for all peer devices. Command options: set, unset
aggregate Use aggregate commands to create, display, or delete aggregates. Aggregation is a technique for summarizing a range of routing addresses into a single route entry, expressed as an IP address and a subnet mask. Aggregates can reduce the size of the routing table, while maintaining its level of connectivity. In addition, aggregates can reduce the number of advertised addresses, thus reducing overhead. Command options: get, set, unset
always-compare-med  Use the always-compare-med commands to enable, disable, or display the current always-compare-med setting. When you enable this setting, the NetScreen device compares paths from different autonomous systems (ASs) using the Multi-Exit Discriminator (MED). The MED determines the most suitable route to the neighbor device. Command options: get, set, unset
as-path-access-list  Use as-path-access-list commands to create, remove, or display a regular expression in an AS-Path access list. An AS-path access list serves as a packet filtering mechanism. The NetScreen device can consult such a list and permit or deny BGP packets based on the regular expressions contained in the list. The system can have up to 99 AS-path access lists. Command options: get, set, unset
community-list  Use community-list commands to enter a router in a community list, to remove a router from the list, or to display the list. A community consists of routes containing the same community attribute. This attribute is an identifier that classifies the routes according to some useful criterion. All routes with the same community attribute are said to be members of the same community. Routers can use the community attribute when they need to treat two or more advertised routes in the same way. Command options: get, set, unset
confederation  Use the confederation commands to create a confederation, to remove a confederation, or to display confederation information. Confederation is a technique for dividing an AS into smaller sub-ASs and grouping them. Using confederations reduces the number of connections inside an AS, simplifying the routing matrices created by meshes. Command options: get, set, unset
enable  Use the enable commands to enable or disable BGP. Command options: get, set, unset
flap-damping  Use the flap-damping commands to enable or disable the flap-damping setting. Enabling this setting blocks the advertisement of a route until the route becomes stable. Flap damping allows the NetScreen device to prevent routing instability at an AS border router, adjacent to the region where instability occurs. Command options: get, set, unset
hold-time  Use the hold-time commands to specify or display the maximum amount of time (in seconds) that can elapse between keepalive messages received from the BGP neighbor. Command options: get, set, unset
keepalive  Use the keepalive commands to specify the amount of time (in seconds) that elapses between keepalive packet transmissions. These transmissions ensure that the TCP connection between the local BGP router and a neighbor router is up. Command options: get, set, unset
local-pref  Use this command to configure a LOCAL_PREF value on a BGP router. The LOCAL_PREF attribute is the metric most often used in practice to express preferences for one set of paths over another for IBGP. Command options: get, set, unset
med  Use the med commands to specify or display the local Multi-Exit Discriminator (MED) ID number. The MED determines the most suitable entry or exit point when there are multiple exit/entry points to the same neighbor autonomous system (AS). Command options: get, set, unset
neighbor  Use the neighbor commands to set or display general configuration parameters for the local BGP virtual router. The device uses these parameters while establishing a BGP connection to another autonomous system (AS). Command options: clear, exec, get, set, unset
network  Use the network commands to create, display, or delete network and subnet entries. The BGP virtual router advertises these entries to peer devices, without first requiring redistribution into BGP (as with static routing table entries). Command options: get, set, unset
redistribute  Use the redistribute commands to import routes advertised by external routers that use protocols other than BGP, or to display the current redistribution settings. Command options: get, set, unset
reflector  Use the reflector commands to allow the local BGP virtual router to serve as a route reflector. A route reflector is a router that passes Interior BGP (IBGP) learned routes to specified IBGP neighbors (clients), thus eliminating the need for each router in a full mesh to talk to every other router. The clients use the route reflector to readvertise routes to the entire autonomous system (AS). Command options: get, set, unset
reject-default-route  Use the reject-default-route commands to enable, disable, or display the reject-default-route setting. Enabling this setting makes the NetScreen device ignore default route advertisements from the BGP peer router. Command options: get, set, unset
synchronization  Use the synchronization command to enable synchronization with Interior Gateway Protocol (IGP). Command options: set, unset
aggregate

Description: Use aggregate commands to create, display, or delete aggregates.
Aggregation is a technique for summarizing a range of routing addresses into a single route entry. Each aggregate is an address range expressed as an IP address and a subnet mask value. Aggregates can reduce the size of a router’s routing table, while maintaining its level of connectivity. In addition, aggregation can reduce the number of advertised addresses, thus reducing overhead.
Before you can execute an aggregate command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
get
get aggregate
set
set aggregate [ ip ip_addr/mask ] [ as-set ] [ summary-only ]
unset
unset aggregate [ ip ip_addr/mask ]
Keywords and Variables
ip
set aggregate ip ip_addr/mask
Example: The following command creates an aggregate router entry in the trust-vr local router:
set aggregate ip 192.168.10.0/24
as-set
set aggregate [ ... ] as-set [ ... ]
Example: The following command configures the aggregate for AS-SET:
set aggregate ip 192.168.10.0/24 as-set
summary-only
set aggregate [ ... ] summary-only
Example: The following command configures the aggregate to filter out specific routes:
set aggregate ip 192.168.10.0/24 summary-only
ip            Specifies the IP address (ip_addr) and subnet mask (mask) that comprise the new aggregate.
as-set        Specifies that the aggregate uses AS-SET instead of AS-SEQUENCE.
summary-only  Filters out more specific routes from updates.
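Added example, not from the guide: the following Python models what the three aggregate keywords do to the routes a BGP speaker advertises, using the 192.168.10.0/24 aggregate from the examples above over a constructed routing table. It assumes the standard BGP semantics: an aggregate is generated only while at least one more-specific contributing route exists, summary-only suppresses those contributors, and as-set carries the unordered set of contributing ASs where a plain aggregate carries an empty path.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Route:
    prefix: str            # e.g. "192.168.10.0/25"
    as_path: List[int]     # AS_SEQUENCE as learned, nearest AS first


@dataclass
class Aggregate:
    prefix: str                 # set aggregate ip ip_addr/mask
    as_set: bool = False        # set aggregate ip ... as-set
    summary_only: bool = False  # set aggregate ip ... summary-only


@dataclass
class Advertisement:
    prefix: str
    path_kind: str         # "AS-SEQUENCE", "AS-SET", or "ATOMIC" (empty path)
    as_path: List[int]


# Constructed sample routing table (IPv4 only; subnet_of needs one family).
SAMPLE_TABLE = [
    Route("192.168.10.0/25", [65001]),
    Route("192.168.10.128/25", [65002, 65010]),
    Route("10.1.0.0/16", [65003]),
]


def contributing_routes(agg: Aggregate, table: List[Route]) -> List[Route]:
    """Routes in the table that fall inside the aggregate's address range."""
    net = ipaddress.ip_network(agg.prefix, strict=True)
    return [r for r in table
            if ipaddress.ip_network(r.prefix, strict=True).subnet_of(net)]


def build_advertisements(agg: Aggregate, table: List[Route]) -> List[Advertisement]:
    """Return what the speaker advertises once the aggregate is configured."""
    contributors = contributing_routes(agg, table)
    advertised: List[Advertisement] = []
    for r in table:
        if agg.summary_only and r in contributors:
            continue  # summary-only: more specific routes are filtered from updates
        advertised.append(Advertisement(r.prefix, "AS-SEQUENCE", list(r.as_path)))
    if contributors:  # assumption: no aggregate is generated without a contributor
        if agg.as_set:
            # AS-SET is unordered; sorted here only to make the output deterministic
            ases = sorted({asn for r in contributors for asn in r.as_path})
            advertised.append(Advertisement(agg.prefix, "AS-SET", ases))
        else:
            advertised.append(Advertisement(agg.prefix, "ATOMIC", []))
    return advertised


def suppressed_prefixes(agg: Aggregate, table: List[Route]) -> List[str]:
    """Prefixes that summary-only keeps out of updates to peers."""
    if not agg.summary_only:
        return []
    return [r.prefix for r in contributing_routes(agg, table)]


if __name__ == "__main__":
    for agg in (Aggregate("192.168.10.0/24"),
                Aggregate("192.168.10.0/24", as_set=True),
                Aggregate("192.168.10.0/24", summary_only=True)):
        print(agg)
        for adv in build_advertisements(agg, SAMPLE_TABLE):
            print("   ", adv)
```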
always-compare-med

Description: Use the always-compare-med commands to enable, disable, or display the current always-compare-med setting. When you enable this setting, the NetScreen device compares paths from each autonomous system (AS) using the Multi-Exit Discriminator (MED). The MED determines the most suitable route to the neighbor device.
Before you can execute an always-compare-med command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
get
get always-compare-med
set
set always-compare-med
unset
unset always-compare-med

Keywords and Variables
None.
as-path-access-list

Description: Use as-path-access-list commands to create, remove, or display a regular expression in an AS-Path access list.
An AS-path access list serves as a packet filtering mechanism. The NetScreen device can consult such a list and permit or deny BGP packets based on the regular expressions contained in the list.
Before you can execute an as-path-access-list command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
get
get as-path-access-list
set
set as-path-access-list id_num { deny | permit } string
unset
unset as-path-access-list id_num { deny | permit } string
Keywords and Variables
Variable Parameters
set as-path-access-list id_num { deny | permit } string
unset as-path-access-list id_num { deny | permit } string
deny | permit
set as-path-access-list id_num { deny | permit } string
unset as-path-access-list id_num { deny | permit } string
Example: The following command places the regular expression “23” in an AS-Path access list with ID number 10:
ns(trust-vr/bgp)-> set as-path-access-list 10 permit 23
id_num         The identification number of the access list (range 1 - 99 inclusive).
string         The regular expression used for BGP packet filtering.
deny | permit  Denies or permits BGP packets containing the regular expression.
community-list

Description: Use community-list commands to enter a router in a community list, to remove a router from the list, or to display the list.
A community consists of routes containing the same community attribute. This attribute is an identifier that classifies the routes according to some useful criterion. All routes with the same community attribute are said to be members of the same community. Routers can use the community attribute when they need to treat two or more advertised routes in the same way.
Before you can execute a community-list command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
get
get community-list
set
set community-list id_num1 { deny | permit } [ id_num2 | as id_num3 id_num4 | no-advertise | no-export | no-export-subconfed ]
unset
unset community-list id_num1 { deny | permit } [ id_num2 | as id_num3 id_num4 | no-advertise | no-export | no-export-subconfed ]
Keywords and Variables
Variable Parameters
set community-list id_num1 { deny | permit } [ id_num2 | ... ]
unset community-list id_num1 { deny | permit } [ id_num2 | ... ]
Example: The following command denies BGP traffic for routers with entries in the community list (20).
ns(trust-vr/bgp)-> set community-list 20 deny
as
set community-list id_num1 { deny | permit } as id_num3 id_num4
unset community-list id_num1 { deny | permit } as id_num3 id_num4
Example: The following command creates a community list with an ID of 10, running on an AS with an ID number of 40:
ns(trust-vr/bgp)-> set community-list 10 permit as 40 10
deny | permit
set community-list id_num1 { deny | permit } [ ... ]
unset community-list id_num1 { deny | permit } [ ... ]
Example: The following command permits BGP traffic for routers with entries in the community list (30).
ns(trust-vr/bgp)-> set community-list 30 permit
id_num1        The Identification Number of the community list (range 1 - 99 inclusive).
id_num2        The ID number of the community value (between 0 and 63 inclusive).
as             The ID number of the AS (id_num3) and the ID number (id_num4) of the community value.
deny | permit  Denies or permits BGP traffic for routers with entries in the community list.
no-advertise
set community-list id_num1 { deny | permit } no-advertise
unset community-list id_num1 { deny | permit } no-advertise
Example: The following command permits BGP traffic for routers with entries in the community list (30), while preventing advertisement of the listed network destinations.
ns(trust-vr/bgp)-> set community-list 30 permit no-advertise
no-export
set community-list id_num1 { deny | permit } no-export
unset community-list id_num1 { deny | permit } no-export
no-export-subconfed
set community-list id_num1 { deny | permit } no-export-subconfed
unset community-list id_num1 { deny | permit } no-export-subconfed
no-advertise         Specifies that the NetScreen device does not advertise the listed network destinations to any peer devices.
no-export            Specifies that the NetScreen device does not advertise the listed network destinations to EBGP peers, except sub-autonomous systems within the confederation.
no-export-subconfed  Specifies that the NetScreen device does not advertise the listed network destinations to any peer devices grouped in a confederation.
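Added example (not the guide's code) covering both the as-path-access-list and the community-list commands above: it parses the example commands from those two sections into ordered permit/deny lists and evaluates a constructed route against them. It assumes first-match evaluation with a route matching no entry denied, that the regular expression is applied to the AS path written as space-separated AS numbers, and that communities are written as AS:value or as the well-known names.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

PROMPT = "ns(trust-vr/bgp)-> "


@dataclass
class ListEntry:
    action: str            # "permit" or "deny"
    match: Optional[str]   # regex (as-path list) or community (community list); None = any route


@dataclass
class Route:
    prefix: str
    as_path: List[int]
    communities: Set[str] = field(default_factory=set)   # "40:10", "no-export", ...


AS_PATH_RE = re.compile(r"^set as-path-access-list (\d+) (deny|permit) (\S+)$")
COMMUNITY_RE = re.compile(r"^set community-list (\d+) (deny|permit)(?: (.*))?$")

# Constructed sample: the example commands from the two sections above.
SAMPLE_COMMANDS = [
    "ns(trust-vr/bgp)-> set as-path-access-list 10 permit 23",
    "ns(trust-vr/bgp)-> set community-list 20 deny",
    "ns(trust-vr/bgp)-> set community-list 10 permit as 40 10",
    "ns(trust-vr/bgp)-> set community-list 30 permit",
    "ns(trust-vr/bgp)-> set community-list 30 permit no-advertise",
]


def _strip_prompt(line: str) -> str:
    line = line.strip()
    return line[len(PROMPT):] if line.startswith(PROMPT) else line


def parse_lists(lines: List[str]) -> Tuple[Dict[int, List[ListEntry]], Dict[int, List[ListEntry]]]:
    """Return ({id: entries}, {id: entries}) for AS-path lists and community lists."""
    as_path_lists: Dict[int, List[ListEntry]] = {}
    community_lists: Dict[int, List[ListEntry]] = {}
    for raw in lines:
        line = _strip_prompt(raw)
        m = AS_PATH_RE.match(line)
        if m:
            as_path_lists.setdefault(int(m.group(1)), []).append(ListEntry(m.group(2), m.group(3)))
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            arg = m.group(3)
            if arg is None:
                match = None                   # bare deny/permit: applies to every route
            elif arg.startswith("as "):
                _, asn, value = arg.split()    # "as id_num3 id_num4" -> "id_num3:id_num4"
                match = f"{asn}:{value}"
            else:
                match = arg                    # id_num2 or a well-known community name
            community_lists.setdefault(int(m.group(1)), []).append(ListEntry(m.group(2), match))
    return as_path_lists, community_lists


def as_path_permitted(entries: List[ListEntry], route: Route) -> bool:
    """First matching entry decides; a route matching no entry is denied (assumption).

    The pattern is an unanchored regular expression over the textual AS path,
    so "23" also matches an AS path containing 230; anchor patterns in practice.
    """
    text = " ".join(str(asn) for asn in route.as_path)
    for e in entries:
        if e.match is not None and re.search(e.match, text):
            return e.action == "permit"
    return False


def community_permitted(entries: List[ListEntry], route: Route) -> bool:
    """First entry whose community the route carries (or a bare entry) decides."""
    for e in entries:
        if e.match is None or e.match in route.communities:
            return e.action == "permit"
    return False


if __name__ == "__main__":
    as_path_lists, community_lists = parse_lists(SAMPLE_COMMANDS)
    r = Route("10.9.0.0/16", [10, 23, 40], {"40:10"})    # constructed route
    print("as-path list 10:", as_path_permitted(as_path_lists[10], r))
    for list_id in sorted(community_lists):
        print(f"community list {list_id}:", community_permitted(community_lists[list_id], r))
```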
confederation

Description: Use the confederation commands to create a confederation, to remove a confederation, or to display confederation information.
Confederation is a technique for dividing an AS into smaller sub-ASs and grouping them. Using confederations reduces the number of connections inside an AS, simplifying the routing matrices created by meshes.
Before you can execute a confederation command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
get
get confederation
set
set confederation { id id_num1 | peer id_num2 | rfc3065 }
unset
unset confederation { id | peer id_num2 | rfc3065 }
Keywords and Variables
id
set confederation id id_num1
unset confederation id
Example: The following command creates a confederation with an ID of 10:
ns(trust-vr/bgp)-> set confederation id 10
peer
set confederation peer id_num2
unset confederation peer id_num2
Example: The following command adds an AS (45040) to the confederation:
ns(trust-vr/bgp)-> set confederation peer 45040
rfc3065
set confederation rfc3065
unset confederation rfc3065
id            The Identification Number (id_num1) of the confederation.
peer id_num2  The Identification Number of a new peer autonomous system (AS) entry.
rfc3065       Specifies configuration in compliance with RFC 3065. The default is compliance with RFC 1965.
advertise-default-route

Description: Use the advertise-default-route commands to send the NetScreen device as the default route for all peer devices.
Before you can execute an advertise-default-route command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
set
set advertise-default-route
unset
unset advertise-default-route

Keywords and Variables
None.
enable

Description: Use the enable commands to enable or disable BGP.
Before you can execute an enable command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
set
set enable
unset
unset enable

Keywords and Variables
None.
flap-damping

Description: Use the flap-damping commands to enable or disable the flap-damping setting.
Enabling this setting blocks the advertisement of a route until the route becomes stable. Flap damping allows the NetScreen device to contain routing instability at an AS border router, adjacent to the region where instability occurs.
Before you can execute a flap-damping command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
set
set flap-damping
unset
unset flap-damping

Keywords and Variables
None.
hold-time

Description: Use the hold-time commands to specify or display the maximum amount of time (in seconds) that can elapse between keepalive messages received from the BGP neighbor.
Before you can execute a hold-time command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
get
get hold-time
set
set hold-time number
unset
unset hold-time
Keywords and Variables
Variable Parameters
set hold-time number
Example: The following command sets the hold-time value to 60 seconds:
ns(trust-vr/bgp)-> set hold-time 60
number  The maximum length of time (in seconds) between messages.
reject-default-route

Description: Use the reject-default-route commands to enable, disable, or display the reject-default-route setting. Enabling this setting makes the NetScreen device ignore default route advertisements from the BGP peer router.
Before you can execute a reject-default-route command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
get
get reject-default-route
set
set reject-default-route
unset
unset reject-default-route

Keywords and Variables
None.
keepalive

Description: Use the keepalive commands to specify the amount of time (in seconds) that elapses between keepalive packet transmissions. These transmissions ensure that the TCP connection between the local BGP router and a neighbor router is up.
Before you can execute a keepalive command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
get
get keepalive
set
set keepalive number
unset
unset keepalive
Keywords and Variables
Variable Parameters
set keepalive number
Example: The following command sets the keepalive value to 30 seconds:
ns(trust-vr/bgp)-> set keepalive 30
number  The maximum length of time (in seconds) between keepalive messages.
local-pref

Description: Use the local-pref commands to configure the LOCAL_PREF attribute for the BGP virtual router.
The LOCAL_PREF attribute is the metric most often used in practice to express preferences for one set of paths over another for IBGP. The higher the value, the greater the preference.
Before you can execute a local-pref command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
get
get local-pref
set
set local-pref number
unset
unset local-pref
Keywords and Variables
Variable Parameters
set local-pref number
Example: The following command gives the virtual router trust-vr a preference number of 10:
ns(trust-vr/bgp)-> set local-pref 10
number  The preference level for the virtual router.
med

Description: Use the med commands to specify or display the local Multi-Exit Discriminator (MED). The MED determines the most suitable entry or exit point when there are multiple exit or entry points to the same neighbor autonomous system (AS).
Before you can execute a med command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
get
get med
set
set med id_num
unset
unset med
Keywords and Variables
Variable Parameters
set med id_num
Example: The following command specifies MED 1004 for the virtual router trust-vr:
ns(trust-vr/bgp)-> set med 1004
id_num  The identification number of the MED.
neighbor

Description: Use the neighbor commands to set or display general configuration parameters for the local BGP virtual router. The NetScreen device uses these parameters while establishing a BGP connection to another autonomous system (AS).
Before you can execute a neighbor command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
clear
clear neighbor { flap-route ip_addr [ add ] | stats }
exec
exec neighbor ip_addr { connect | disconnect | tcp-connect }
get
get neighbor { ip_addr | peer-group name_str }
set
set neighbor { ip_addr
  { default-route | enable | ignore-default-route | med id_num } |
  ip_addr | peer-group name_str [ ebgp-multihop number | hold-time number | keepalive number | md5-authentication string | nhself-enable | reflector-client | remote-as number [ local-ip ip_addr ] | route-map name_str { in | out } | send-community | weight number ]
  }
unset
unset neighbor { ip_addr
  { default-route | enable | ignore-default-route | med } |
  ip_addr | peer-group name_str [ ebgp-multihop | hold-time | keepalive | md5-authentication string | nhself-enable | reflector-client | remote-as number [ local-ip ip_addr ] | route-map name_str { in | out } | send-community | weight ]
  }
Keywords and Variables
Variable Parameters
get neighbor ip_addr
set neighbor ip_addr { ... }
unset neighbor ip_addr { ... }
Example: The following command displays information about a neighbor device at IP address 192.168.100.101:
ns(trust-vr/bgp)-> get neighbor 192.168.100.101
connect
exec neighbor ip_addr connect
Example: The following command establishes a BGP connection to a neighbor device at IP address 192.168.100.101:
ns(trust-vr/bgp)-> exec neighbor 192.168.100.101 connect
default-route
set neighbor ip_addr default-route
unset neighbor ip_addr default-route
Example: The following command directs the virtual router to send the default route to a neighbor device at IP address 192.168.100.101:
ns(trust-vr/bgp)-> set neighbor 192.168.100.101 default-route
disconnect
exec neighbor ip_addr disconnect
ebgp-multihop
set neighbor { ip_addr | peer-group name_str } ebgp-multihop number
unset neighbor { ip_addr | peer-group name_str } ebgp-multihop
Example: The following command directs the virtual router to allow three intervening route nodes between the virtual router and a neighbor device at IP address 192.168.100.101:
ns(trust-vr/bgp)-> set neighbor 192.168.100.101 ebgp-multihop 3
enable
set neighbor ip_addr enable
unset neighbor ip_addr enable
ip_addr        The IP address of the neighboring peer device.
connect        Establishes a BGP connection to the neighbor (ip_addr).
default-route  Configures the local BGP virtual router to send the default route to the BGP neighbor (ip_addr).
disconnect     Terminates the BGP connection to the neighbor (ip_addr).
ebgp-multihop  The number of intervening routing nodes (number) allowed between the local BGP virtual router and the BGP neighbor (ip_addr). A setting of zero disables the multihop feature.
enable         Enables or disables BGP for a neighbor device (ip_addr).
flap-route
clear neighbor flap-route ip_addr [ add ]
Example: The following command clears the neighbor’s damped route (172.16.2.2) from history and places it in the routing table:
ns(trust-vr/bgp)-> clear neighbor 192.168.10.10 flap-route 172.16.2.2 add
hold-time
set neighbor { ip_addr | peer-group name_str } hold-time number
unset neighbor { ip_addr | peer-group name_str } hold-time
Example: The following command specifies a hold-time value of 60:
ns(trust-vr/bgp)-> set neighbor 192.168.10.10 hold-time 60
ignore-default-route
set neighbor ip_addr ignore-default-route
unset neighbor ip_addr ignore-default-route
Example: The following command directs the virtual router to ignore any default route sent by the neighbor device at IP address 192.168.100.101:
ns(trust-vr/bgp)-> set neighbor 192.168.100.101 ignore-default-route
flap-route            Enables or disables the Route Flap Dampening feature on the local BGP router. The Route Flap Dampening feature stabilizes improperly shifting values in the route table. The add switch adds the damped route (ip_addr) to the routing table.
hold-time             Specifies the number of seconds (number) that the current BGP speaker waits to receive a message from its neighbor.
ignore-default-route  Configures the local BGP virtual router to ignore any default route sent by the neighbor.
keepalive
set neighbor { ip_addr | peer-group name_str } keepalive number
unset neighbor { ip_addr | peer-group name_str } keepalive
Example: The following command specifies a keepalive value of 90 seconds:
ns(trust-vr/bgp)-> set neighbor 192.168.100.101 keepalive 90
md5-authentication
set neighbor { ip_addr | peer-group name_str } md5-authentication string
unset neighbor { ip_addr | peer-group name_str } md5-authentication string
Example: The following command specifies an MD5 authentication string (5784ldk094):
ns(trust-vr/bgp)-> set neighbor 192.168.100.101 md5-authentication 5784ldk094
med
set neighbor ip_addr med id_num
unset neighbor ip_addr med
Example: The following command specifies the Multi-Exit Discriminator (MED) 20099 for a neighbor with IP address 192.168.10.10:
ns(trust-vr/bgp)-> set neighbor 192.168.10.10 med 20099
keepalive           Specifies the maximum amount of time (in seconds) that can elapse between keepalive packet transmissions before the local BGP virtual router terminates the connection to the neighbor.
md5-authentication  Specifies the BGP peer MD5 authentication string.
med                 Specifies the ID number (id_num) of the local Multi-Exit Discriminator (MED).
nhself-enable
set neighbor { ip_addr | peer-group name_str } nhself-enable
unset neighbor { ip_addr | peer-group name_str } nhself-enable
Example: The following command makes the local BGP virtual routing instance (trust-vr) the next hop value:
ns(trust-vr/bgp)-> set neighbor 172.16.10.10 nhself-enable
peer-group
set neighbor ip_addr peer-group name_str [ ... ]
unset neighbor ip_addr peer-group name_str [ ... ]
Example: The following command assigns a 90-second keepalive value to the peer group Acme_Peers:
ns(trust-vr/bgp)-> set neighbor peer-group Acme_Peers keepalive 90
reflector-client
set neighbor { ip_addr | peer-group name_str } reflector-client
unset neighbor { ip_addr | peer-group name_str } reflector-client
Example: The following command specifies that the neighbors in the peer group Acme_Peers are reflector clients:
ns(trust-vr/bgp)-> set neighbor peer-group Acme_Peers reflector-client
nhself-enable     Specifies that the next hop value is the local BGP virtual routing instance.
peer-group        The name of a group of BGP neighbors. Each BGP neighbor in a peer group shares the same update policies. This allows you to set up policies that apply to all the BGP peers instead of creating a separate policy for each peer.
reflector-client  Specifies if the neighbor is a reflector client in the route reflector cluster.
remote-as
set neighbor { ip_addr | peer-group name_str } remote-as number [ local-ip ip_addr ]
unset neighbor { ip_addr | peer-group name_str } remote-as number [ local-ip ip_addr ]
Example: The following command identifies AS 30 as the remote AS:
ns(trust-vr/bgp)-> set neighbor 172.16.10.10 remote-as 30
route-map
set neighbor { ip_addr | peer-group name_str } route-map name_str { in | out }
unset neighbor { ip_addr | peer-group name_str } route-map name_str { in | out }
Example: The following command specifies that the routes in route map Mkt_Map apply to incoming traffic from the neighbor at IP address 172.16.10.10:
ns(trust-vr/bgp)-> set neighbor 172.16.10.10 route-map Mkt_Map in
remote-as  Identifies the remote AS (number) to be the neighbor of the current BGP speaker. local-ip ip_addr specifies the local IP address for EBGP multi-hop peer.
route-map  Specifies the route map to use for the BGP neighbor. The in | out switches determine if the route map applies to incoming traffic or outgoing traffic.
send-community
set neighbor { ip_addr | peer-group name_str } send-community
unset neighbor { ip_addr | peer-group name_str } send-community
Example: The following command directs the virtual router to transmit community attributes to the neighbor at IP address 172.16.10.10:
ns(trust-vr/bgp)-> set neighbor 172.16.10.10 send-community
stats
clear neighbor ip_addr stats
Example: The following command clears statistics for the neighbor at IP address 172.16.10.10:
ns(trust-vr/bgp)-> clear neighbor 172.16.10.10 stats
tcp-connect
exec neighbor ip_addr tcp-connect
Example: The following command tests the TCP connection to the neighbor at IP address 172.16.10.10:
ns(trust-vr/bgp)-> exec neighbor 172.16.10.10 tcp-connect
weight
set neighbor { ip_addr | peer-group name_str } weight number
unset neighbor { ip_addr | peer-group name_str } weight
Example: The following command assigns a weight of 2 to the path to the neighbor at IP address 172.16.10.10:
ns(trust-vr/bgp)-> set neighbor 172.16.10.10 weight 2
send-community  Directs the BGP virtual routing instance to transmit community attributes to the neighbor.
stats           Clears the statistics describing the neighbor.
tcp-connect     Tests the TCP connection to the neighbor (ip_addr).
weight          The priority (number) of the path between the local BGP virtual routing instance and the neighbor. The higher the value, the greater that path’s priority.
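Added example, not from the guide: the following Python parses set neighbor commands in the form shown in this section, resolves the settings a neighbor inherits from its peer group, and reports the points a reviewer of a BGP configuration would raise: an EBGP peer without md5-authentication or without an inbound route-map, ebgp-multihop without a local-ip on remote-as, and a hold-time shorter than three times the keepalive (RFC 4271 suggests keepalive at one third of the hold time). The local AS number, the peer group's remote-as and the group membership line are constructed; the remaining commands are the examples above.

```python
import re
from typing import Any, Dict, List

PROMPT = "ns(trust-vr/bgp)-> "
NEIGHBOR_RE = re.compile(r"^set neighbor (?:(peer-group) )?(\S+) (\S+)(?: (.*))?$")
LOCAL_AS = 65000   # constructed: the AS of the local virtual router

# Constructed sample: the example commands from this section plus the lines
# needed (group remote-as, group membership) to form three complete neighbors.
SAMPLE_COMMANDS = [
    "ns(trust-vr/bgp)-> set neighbor peer-group Acme_Peers remote-as 65000",
    "ns(trust-vr/bgp)-> set neighbor peer-group Acme_Peers keepalive 90",
    "ns(trust-vr/bgp)-> set neighbor peer-group Acme_Peers reflector-client",
    "ns(trust-vr/bgp)-> set neighbor 192.168.10.10 peer-group Acme_Peers",
    "ns(trust-vr/bgp)-> set neighbor 172.16.10.10 remote-as 30",
    "ns(trust-vr/bgp)-> set neighbor 172.16.10.10 route-map Mkt_Map in",
    "ns(trust-vr/bgp)-> set neighbor 172.16.10.10 send-community",
    "ns(trust-vr/bgp)-> set neighbor 172.16.10.10 weight 2",
    "ns(trust-vr/bgp)-> set neighbor 192.168.100.101 remote-as 40",
    "ns(trust-vr/bgp)-> set neighbor 192.168.100.101 md5-authentication 5784ldk094",
    "ns(trust-vr/bgp)-> set neighbor 192.168.100.101 ebgp-multihop 3",
    "ns(trust-vr/bgp)-> set neighbor 192.168.100.101 keepalive 90",
    "ns(trust-vr/bgp)-> set neighbor 192.168.100.101 hold-time 60",
]


def parse_neighbors(lines: List[str]) -> Dict[str, Dict[str, Any]]:
    """Build {neighbor-or-group: {option: value}} from set neighbor lines."""
    cfg: Dict[str, Dict[str, Any]] = {}
    for raw in lines:
        line = raw.strip()
        if line.startswith(PROMPT):
            line = line[len(PROMPT):]
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        is_group, target, option, value = m.groups()
        entry = cfg.setdefault(target, {"is-group": is_group is not None})
        if option == "route-map":                 # route-map name_str { in | out }
            name, direction = value.split()
            entry[f"route-map {direction}"] = name
        elif option == "remote-as":               # remote-as number [ local-ip ip_addr ]
            parts = value.split()
            entry["remote-as"] = int(parts[0])
            if len(parts) == 3 and parts[1] == "local-ip":
                entry["local-ip"] = parts[2]
        else:                                     # flag keywords are stored as True
            entry[option] = value if value is not None else True
    return cfg


def effective_settings(cfg: Dict[str, Dict[str, Any]], target: str) -> Dict[str, Any]:
    """A neighbor inherits its peer group's settings; its own lines override them."""
    own = cfg[target]
    eff: Dict[str, Any] = {}
    group = own.get("peer-group")
    if isinstance(group, str) and group in cfg:
        eff.update(cfg[group])
    eff.update(own)
    return eff


def lint_neighbors(cfg: Dict[str, Dict[str, Any]], local_as: int) -> List[str]:
    """Review findings for every neighbor (peer groups are checked through their members)."""
    findings: List[str] = []
    for target, own in cfg.items():
        if own["is-group"]:
            continue
        eff = effective_settings(cfg, target)
        remote = eff.get("remote-as")
        if remote is None:
            findings.append(f"{target}: no remote-as, the session cannot be established")
            continue
        if remote != local_as:                    # EBGP session
            if "md5-authentication" not in eff:
                findings.append(f"{target}: EBGP peer without md5-authentication")
            if "route-map in" not in eff:
                findings.append(f"{target}: EBGP peer without an inbound route-map, all received routes accepted")
            if eff.get("ebgp-multihop", "0") != "0" and "local-ip" not in eff:
                findings.append(f"{target}: ebgp-multihop set but remote-as has no local-ip")
        hold, keep = int(eff.get("hold-time", 0)), int(eff.get("keepalive", 0))
        if hold and keep and hold < 3 * keep:
            findings.append(f"{target}: hold-time {hold} is below three times keepalive {keep}")
    return findings


if __name__ == "__main__":
    for finding in lint_neighbors(parse_neighbors(SAMPLE_COMMANDS), LOCAL_AS):
        print(finding)
```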
network

Description: Use the network commands to create, display, or delete network and subnet entries. The BGP virtual router advertises these entries to peer devices, without first requiring redistribution into BGP (as with static routing table entries).
Before you can execute a network command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
get
get network
set
set network ip_addr/mask [ no-check ]
unset
unset network ip_addr/mask
Keywords and Variables
Variable Parameters
set network ip_addr/mask [ ... ]
unset network ip_addr/mask
Example: The following command creates a network entry (172.16.100.10/16) for the virtual router trust-vr:
ns(trust-vr/bgp)-> set network 172.16.100.10/16
no-check
set network ip_addr/mask no-check
Example: The following command directs the device not to check for reachability for the network entry 172.16.100.10:
ns(trust-vr/bgp)-> set network 172.16.100.10/16 no-check
ip_addr/mask  The IP address and subnet mask of the network.
no-check      Directs the device to not check for network reachability.
redistribute

Description: Use the redistribute commands to import routes advertised by external routers that use protocols other than BGP, or to display the current redistribute settings.
Before you can execute a redistribute command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax
get
get redistribute
set
set redistribute route-map name_str protocol { connected | ospf | redistributed | static }
unset
unset redistribute route-map name_str protocol { connected | ospf | redistributed | static }
Keywords and Variables
connected
set redistribute route-map name_str protocol connected
unset redistribute route-map name_str protocol connected
Example: The following command creates a redistribute rule for all routes advertised by routers using the connected protocol, and filtered according to the Corp_Office route map:
ns(trust-vr/bgp)-> set redistribute route-map Corp_Office protocol connected
route-map
set redistribute route-map name_str protocol [ ... ]
unset redistribute route-map name_str protocol [ ... ]
ospf
set redistribute route-map name_str protocol ospf
unset redistribute route-map name_str protocol ospf
Example: The following command creates a redistribute rule for all routes advertised by routers using OSPF, and filtered according to the Corp_Office route map:
ns(trust-vr/bgp)-> set redistribute route-map Corp_Office protocol ospf
connected Specifies that the external router that sent the advertisement has an interface with a defined IP address.
route-map The name (name_str) of the route map.
ospf Specifies that the external router generated the advertisement using the OSPF protocol.
protocol
set redistribute route-map name_str protocol [ ... ]
unset redistribute route-map name_str protocol [ ... ]
redistributed
set redistribute route-map name_str protocol redistributed
unset redistribute route-map name_str protocol redistributed
static
set redistribute route-map name_str protocol static
unset redistribute route-map name_str protocol static
protocol The protocol to convert into BGP (connected, ospf, redistributed, or static).
redistributed Makes the BGP virtual router export pre-existing learned routes back to OSPF and pass them on to other routers.
static Specifies that the external router did not generate the advertised routes dynamically.
reflector
Description: Use the reflector commands to allow the local BGP virtual router to serve as a route reflector.
A route reflector is a router that passes Interior BGP (IBGP) learned routes to specified IBGP neighbors (clients), thus eliminating the need for each router in a full mesh to talk to every other router. The clients use the route reflector to readvertise routes to the entire autonomous system (AS).
Before you can execute a reflector command, you must initiate the bgp context. (See “Context Initiation” on page 44.)
Syntax
get
get reflector
set
set reflector [ cluster-id id_num ]
unset
unset reflector [ cluster-id id_num ]
Keywords and Variables
cluster-id
set reflector cluster-id id_num
unset reflector cluster-id id_num
Example: The following commands allow the local BGP virtual router to serve as a route reflector, and set the cluster ID to 20:
ns(trust-vr/bgp)-> set reflector
ns(trust-vr/bgp)-> set reflector cluster-id 20
cluster-id The ID number (id_num) of the cluster. A cluster consists of multiple routers, with a single router designated as the route reflector, and the others as clients. Routers outside of the cluster treat the entire cluster as a single entity, instead of interfacing with each individual router in full mesh. This arrangement greatly reduces overhead.
synchronization
Description: Use the synchronization command to enable synchronization with Interior Gateway Protocol (IGP).
Before you can execute a synchronization command, you must initiate the bgp context. (See “Context Initiation” on page 44.)
Syntax
set
set synchronization
unset
unset synchronization
Keywords and Variables
None.
clock
Description: Use the clock commands to set the system time on the NetScreen device.
Syntax
get
get clock
set
set clock { date_str [ time_str ] | dst-off | ntp | timezone number }
unset
unset clock { dst-off | ntp | timezone }
Note: By default, the NetScreen device automatically adjusts its system clock for daylight saving time.
Keywords and Variables
date_str [ time_str ]
set clock date_str [ time_str ]
Example: The following command sets the clock to December 15, 2002, 12:00pm:
set clock 12/15/2002 12:00
dst-off
set clock dst-off
unset clock dst-off
ntp
set clock ntp
unset clock ntp
date [ time ] Specifies the month, day, year, and 24-hour time. Specify the hour and minutes in the following format: (mm/dd/yyyy hh:mm).
dst-off Turns off the automatic time adjustment for daylight saving time.
ntp Configures the device for Network Time Protocol (NTP), which synchronizes computer clocks in the Internet.
timezone
set clock timezone number
unset clock timezone number
timezone Sets the current time zone value. This value indicates the time difference between GMT standard time and the current local time (when DST is OFF). When DST is ON and the clock is already set forward one hour, decrease the time difference by one hour and set the minutes accurately. Set the number between -12 and 12.
This volume lists and describes NetScreen Command Line Interface (CLI) commands config through intervlan-traffic.
Note: As you execute CLI commands using the syntax descriptions in this chapter, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the vsys command, which is available on a NetScreen-500 device, but not on a NetScreen-5xp device. Similarly, some command options are unavailable on certain models, as with the df-bit option of the vpn command. This option is available on a NetScreen-500, but not on a NetScreen-5xp.
�4��� �*5��$��*$�4������%"����" ��5
config
Description: Use the config commands to display the current or saved configuration settings for a NetScreen device.
Syntax
get
get config [ all | saved ]
Keywords and Variables
all
get config all
saved
get config saved
all Displays all configuration information.
saved Displays the configuration file saved in flash memory.
console
Description: Use the console commands to define or list the CLI console parameters.
When the debug mode is enabled, the NetScreen device displays all debugging messages in the console. If this generates too much information at once, use the dbuf parameter to store the messages in a buffer so that you can later retrieve them with the get dbuf command.
Enable console access with the unset console disable command through a Telnet connection.
Syntax
get
get console
set
set console { dbuf | disable | page number | timeout number }
unset
unset console { dbuf | disable | page | timeout }
Keywords and Variables
dbuf
set console dbuf
unset console dbuf
disable
set console disable
unset console disable
page
set console page number
unset console page
Example: To define 20 lines per page displayed on the console:
set console page 20
dbuf Stores the console messages in a buffer for later retrieval.
disable Disables access to the console. Two confirmations are required to disable access to the console. Saves the current NetScreen configuration and closes the current login session.
page An integer value specifying how many lines appear on each page.
timeout
set console timeout number
unset console timeout
Example: To define the console timeout value to 40 minutes:
set console timeout 40
Defaults
Access to the console is enabled by default.
The console displays 22 lines per page by default.
The default login timeout is set to 10 minutes.
The NetScreen device sends console messages to the buffer by default.
timeout Determines how much time (in minutes) the device waits before logging out the administrator from the console session when the administrator stops making keyboard entries. A value of 0 means the console never times out.
counter
Description: Use the counter commands to clear interface and flow counters.
Syntax
clear
clear [ cluster ] counter { all | ha | screen [ interface interface ] }
get
get counter { flow | statistics [ interface interface ] | screen { interface interface | zone zone } | policy pol_num { day | hour | minute | month | second } }
Keywords and Variables
cluster
clear [ cluster ] counter [ ... ]
Example: To clear the contents of all counters and propagate the operation to all devices in the cluster:
clear cluster counter all
flow
get counter flow [ ... ]
ha
clear [ cluster ] counter ha
interface
clear [ cluster ] counter screen interface interface
cluster Propagates the clear operation to all other devices in a NSRP cluster.
flow Specifies counters for packets inspected at the flow level. A flow-level inspection examines various aspects of a packet to gauge its nature and intent.
ha Specifies counters for packets transmitted across a high-availability (HA) link between two NetScreen devices. An HA-level inspection keeps count of the number of packets and packet errors.
interface The name of the interface. Specifies counters for packets inspected at the interface level. The inspection checks for packet errors and monitors the quantity of packets according to established threshold settings. For more information on interfaces, see “Interface Names” on page A-IV.
policy
get counter policy pol_num { day | hour | minute | month | second }
screen
clear [ cluster ] counter screen [ ... ]
get counter screen
statistics
get counter statistics [ ... ]
zone
get counter screen zone zone
policy Identifies a particular access policy (pol_num). This allows you to monitor the amount of traffic that the policy permits.
day | hour | minute | month | second Specifies the period of time for monitoring traffic permitted by a particular access policy.
screen Clears the screen counters. The interface interface parameter specifies the name of a particular interface. For more information on interfaces, see “Interface Names” on page A-IV.
statistics Displays the counter statistics.
zone Identifies the zone, and specifies counters for packets inspected at the zone level. The inspection checks for packet errors and monitors the quantity of packets according to established threshold settings. For more information on interfaces, see “Interface Names” on page A-IV.
dbuf
Description: Use the dbuf commands to dynamically adjust the system buffer size, or to display buffer information.
Syntax
clear
clear [ cluster ] dbuf
get
get dbuf { info [ all ] | mem [ number ] [ all ] | stream [ number ] [ all ] }
set
set dbuf size number
unset
unset dbuf size
Keywords and Variables
cluster
clear [ cluster ] dbuf
info
get dbuf info [ all ]
mem
get dbuf mem [ number ] [ all ]
size
set dbuf size number
unset dbuf size
Example: The following command changes the buffer size to the maximum size allowed:
set dbuf size 4096
cluster Propagates the clear operation to all other devices in a NSRP cluster.
info Displays the dbuf buffer information. all specifies all slots.
mem Displays dbuf buffer memory content. number specifies the percentage offset. all specifies all slots.
size Indicates the size of the system buffer in kilobytes.
stream
get dbuf stream [ number ] [ all ]
stream Displays the dbuf buffer stream information. number specifies the percentage offset. all specifies all slots.
Defaults
The range of values for the buffer size is from 32 to 4096 kilobytes.
The default buffer sizes for the various NetScreen devices are:
NetScreen-5000 Series 1024 kilobytes
NetScreen-1000 1024 kilobytes
NetScreen-500 1024 kilobytes
NetScreen-200 Series 524 kilobytes
NetScreen-100p 1024 kilobytes
NetScreen-100 512 kilobytes
NetScreen-25/50 128 kilobytes
NetScreen-10 128 kilobytes
NetScreen-5 32 kilobytes
dialup-group
Description: Use the dialup-group commands to create a group of remote users, or to display information on configured dialup groups.
An access policy for a dialup group applies to all the members in the group. Consequently, all the group members must be either IKE/L2TP users, or Manual Key users.
Syntax
get
get dialup-group [ id_num | all ]
set
set dialup-group name_str [ { + | - } name_str ]
unset
unset dialup-group name_str
Note: Different NetScreen device models can have different numbers of users in a dialup group.
Keywords and Variables
name_str [ { + | - } name_str ]
Examples: The following command defines a dialup user group called “telecommuters”:
set dialup-group telecommuters
The following command adds a remote VPN user named “john_home” to the telecommuters group:
set dialup-group telecommuters + john_home
The following command deletes a remote VPN user named “amy_home” from the telecommuters group:
set dialup-group telecommuters - amy_home
The following command deletes the telecommuters group:
unset dialup-group telecommuters
Notes
An Access Policy for a dialup-group applies to all the members in the group. Consequently, all the group members must be the same kind, either IKE dynamic peers (Auto Key), or VPN dialup users (Manual Key).
name_str Assigns a name to the dialup group.
{ + name_str } Adds a remote VPN user to the group, where name_str is the name of the user.
{ - name_str } Deletes a remote VPN user from the group, where name_str is the name of the user.
dip
Description: Use the dip commands to set up a Dynamic IP (DIP) group, or to display DIP user group information.
Syntax
get
get dip [ all ]
set
set dip { group { id_num1 [ member id_num2 ] } | sticky }
unset
unset dip { group { id_num1 [ member id_num2 ] } | sticky }
Keywords and Variables
group
set dip group id_num1 [ member id_num2 ]
unset dip group id_num1 [ member id_num2 ]
Example: The following commands:
• create a new regular DIP address range for interface ethernet3 with an ID of 5
• create a new DIP group with ID number 100
• add the new DIP member (5) to the group
set interface ethernet3 dip 5 192.168.10.10 192.168.10.20
set dip group 100
set dip group 100 member 5
sticky
set dip sticky
unset dip sticky
group Creates a DIP group or adds a member to a group. id_num1 is the identification number you assign to the new DIP group. member id_num2 specifies the identification number of a DIP set.
sticky Specifies that the NetScreen device assigns the same IP address to a host for multiple concurrent sessions.
dns
Description: Use dns commands to configure Domain Name Services (DNS) or to display DNS configuration information.
Syntax
clear
clear [ cluster ] dns
exec
exec dns refresh
get
get dns { host { cache | report | settings } | name dom_name }
set
set dns host { dns1 ip_addr | dns2 ip_addr | schedule time }
unset
unset dns host { dns1 | dns2 | schedule }
Keywords and Variables
cluster
clear [ cluster ] dns
host
get dns host { ... }
set dns host { ... }
unset dns host { ... }
Examples: The following command sets up a host as the primary DNS server at 172.16.10.101:
set dns host dns1 172.16.10.101
The following command schedules a refresh time at 23:59 each day:
set dns host schedule 23:59
cluster Propagates the clear operation to all other devices in a NSRP cluster.
host • cache Displays the DNS cache table.
• dns1 ip_addr Specifies the primary DNS host.
• dns2 ip_addr Specifies the backup DNS host.
• report Displays the DNS lookup table.
• schedule time Specifies the time of day to refresh DNS entries. The format of this parameter is hh:mm.
• settings Displays DNS settings, including IP addresses, refresh setting, and the number of UDP sessions.
name
get dns name dom_name
refresh
exec dns refresh
name The domain name of the host. Using this option directs the NetScreen device to look up an IP address for the given domain name.
refresh Refreshes all DNS entries. Using the option directs the NetScreen device to perform a manual DNS lookup.
domain
Description: Use the domain commands to set or display the domain name of the NetScreen device.
Syntax
get
get domain
set
set domain name_str
unset
unset domain
Keywords and Variables
name_str
Example: The following command sets the domain of the NetScreen device to acme:
set domain acme
name_str Defines the domain name of the NetScreen device.
envar
Description: Use the envar commands to define the location of the environment variables files.
Syntax
get
get envar [ resource ]
set
set envar string
unset
unset envar string
Keywords and Variables
string
set envar string
unset envar string
Example: The following command defines the location of the system configuration as file2.cfg in slot2:
set envar config=slot2:file2.cfg
resource
get envar resource
string The location of the environment variables files.
resource Displays the following information:
• (max-session) Maximum number of sessions
• (max-sa) Maximum number of security associations (SAs)
• (max-l2tp-tunnel) Maximum number of L2TP tunnels
event
Description: Use the event commands to display or clear event messages.
Syntax
clear
clear [ cluster ] event [ end-time time_str ]
get
get event [ module name_str ]
[ level { alert | critical | debug | emergency | error | information | notification | warning } ]
[ type id_num1 [ -id_num2 ] ]
[ start-time time_str ] [ end-time time_str ]
[ include string ] [ exclude string ]
Keywords and Variables
cluster
clear cluster event [ ... ]
include | exclude
get event module name_str { ... } [ include string ] [ exclude string ] [ ... ]
level
get event module name_str level { ... }
cluster Propagates the clear operation to all other devices in a NSRP cluster.
include | exclude Directs the NetScreen device to include or exclude events containing a specified string of characters (string).
level Specifies the priority level of the event message. The priority levels are as follows:
• emergency (Level 0) The system is unusable.
• alert (Level 1) Immediate action is necessary.
• critical (Level 2) The event affects functionality.
• error (Level 3) Error condition exists.
• warning (Level 4) The event might affect functionality.
• notification (Level 5) The event is a normal occurrence.
• information (Level 6) The event generates general information about normal operation.
• debug (Level 7) The event generates detailed information for troubleshooting purposes.
module
get event module name_str [ ... ]
end-time | start-time
clear [ cluster ] event end-time time_str
get event module name_str { ... } [ start-time time_str ] [ end-time time_str ] [ ... ]
Example: The following command clears all events generated before May 1, 2002 at 11:30am:
clear event end-time 05/01/02-11:30:00
type
get event module name_str level { ... } type id_num1 [ -id_num2 ] [ ... ]
module Specifies the name of the system module that generated the event.
end-time time_str | start-time time_str Specifies the lower and upper ends of a range of dates and times for an event. The format for time_str is:
mm/dd/yy-hh:mm:ss
You can omit the year (the current year is the default), or express the year using the last two digits or all four digits. The hour, minute, and second are optional. The delimiter between the date and the time can be a dash or an underscore:
12/31/2001-23:59:00
12/31/2001_23:59:00
type Specifies a priority level or a range of priority levels.
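The get event options above (module, level, type range, start-time and end-time in the time_str format, include and exclude) modelled in Python, as an added example for this page rather than ScreenOS code: parse_time_str accepts every time_str variant the end-time/start-time entry describes, and get_event applies the options to a constructed sample log (the record layout, the sample entries and the assumed device year 2002 are constructed for the example).

```python
"""Model of the `get event` filtering described on this page.
Added example, not ScreenOS code: the record layout and SAMPLE_EVENTS
are constructed for illustration."""
import re
from datetime import datetime

# Priority levels, as listed under `level` (emergency = 0 ... debug = 7).
LEVELS = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notification": 5, "information": 6, "debug": 7,
}

# time_str: mm/dd[/yy|/yyyy][-hh[:mm[:ss]]]; the separator may be - or _.
_TIME_RE = re.compile(
    r"^(?P<mon>\d{1,2})/(?P<day>\d{1,2})(?:/(?P<year>\d{4}|\d{2}))?"
    r"(?:[-_](?P<hour>\d{1,2})(?::(?P<min>\d{1,2}))?(?::(?P<sec>\d{1,2}))?)?$"
)


def parse_time_str(text, current_year=2002):
    """Parse a time_str in the page's format into a datetime.
    An omitted year defaults to current_year (standing in for the device
    clock; 2002 is assumed to match the page's example), a two-digit year
    is read as 20yy, and omitted hour/minute/second default to zero."""
    m = _TIME_RE.match(text.strip())
    if m is None:
        raise ValueError(f"malformed time_str: {text!r}")
    year = m.group("year")
    if year is None:
        year = current_year
    elif len(year) == 2:
        year = 2000 + int(year)
    else:
        year = int(year)
    return datetime(year, int(m.group("mon")), int(m.group("day")),
                    int(m.group("hour") or 0), int(m.group("min") or 0),
                    int(m.group("sec") or 0))


def get_event(events, module=None, level=None, type_range=None,
              start_time=None, end_time=None, include=None, exclude=None):
    """Return the events that satisfy every option supplied.
    type_range is an inclusive (id_num1, id_num2) pair, standing for
    `type id_num1 [ -id_num2 ]`; start_time/end_time are time_str values."""
    if level is not None and level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    lo = parse_time_str(start_time) if start_time else None
    hi = parse_time_str(end_time) if end_time else None
    selected = []
    for ev in events:
        if module is not None and ev["module"] != module:
            continue
        if level is not None and ev["level"] != level:
            continue
        if type_range is not None and not type_range[0] <= ev["type"] <= type_range[1]:
            continue
        if lo is not None and ev["time"] < lo:
            continue
        if hi is not None and ev["time"] > hi:
            continue
        if include is not None and include not in ev["text"]:
            continue
        if exclude is not None and exclude in ev["text"]:
            continue
        selected.append(ev)
    return selected


# Constructed sample log, not real device output.
SAMPLE_EVENTS = [
    {"time": datetime(2002, 4, 30, 23, 59, 0), "module": "system",
     "level": "notification", "type": 500,
     "text": "Admin user logged in via console"},
    {"time": datetime(2002, 5, 1, 11, 29, 59), "module": "system",
     "level": "warning", "type": 515,
     "text": "Login attempt for admin failed from 172.16.10.5"},
    {"time": datetime(2002, 5, 1, 11, 30, 1), "module": "system",
     "level": "critical", "type": 200,
     "text": "NSRP cluster state changed"},
    {"time": datetime(2002, 5, 2, 8, 0, 0), "module": "vpn",
     "level": "information", "type": 700,
     "text": "IKE phase 2 SA established"},
]

if __name__ == "__main__":
    # Same range as the page's example: events before May 1, 2002 at 11:30am.
    for ev in get_event(SAMPLE_EVENTS, end_time="05/01/02-11:30:00"):
        print(ev["time"], ev["level"], ev["text"])
```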
exit
Description: Use the exit command to exit from the console and command-line interface.
Syntax
exit
Keywords and Variables
None.
Notes
After issuing the exit command at the console, you must log back in to the console to configure a NetScreen device.
After issuing the exit command as root, you remain logged in to the console.
ffilter
Description: Use the ffilter commands to create or display filters for the display of debug flow output. These filters use the following criteria:
• source IP address
• destination IP address
• source port
• destination port
• IP protocol
Syntax
get
get ffilter
set
set ffilter [ dst-ip ip_addr ] [ dst-port port_num ] [ ip-proto ptcl_num ] [ src-ip ip_addr ] [ src-port port_num ]
unset
unset ffilter [ id_num ]
Keywords and Variables
ip-proto
set ffilter [ ... ] ip-proto ptcl_num [ ... ]
Example: The following command sets a filter for all packets with the IP protocol number 17, for the User Datagram Protocol (UDP):
set ffilter ip-proto 17
src-ip | dst-ip
set ffilter src-ip ip_addr [ ... ]
set ffilter dst-ip ip_addr [ ... ]
Examples: The following command sets a filter for all packets between the source IP address 172.16.10.88 and destination IP 192.168.9.77:
set ffilter src-ip 172.16.10.88 dst-ip 192.168.9.77
The following command creates a filter for all traffic from a host with IP address 172.16.10.1:
set ffilter src-ip 172.16.10.1
ip-proto ptcl_num Defines the assigned IP protocol number, where ptcl_num is a value between 0 and 255.
src-ip ip_addr Defines the source IP address.
dst-ip ip_addr Defines the destination IP address.
src-port | dst-port
set ffilter [ ... ] src-port port_num
set ffilter [ ... ] dst-port port_num
Example: The following command creates a filter for all SMTP traffic designated to a host with IP address 192.168.3.2:
set ffilter dst-ip 192.168.3.2 dst-port 25
Notes
When necessary, you can add more arguments to an existing debug filter. For example, if you have already set a filter for packets between a source IP and a destination IP, you can later specify port numbers for the packets.
Adding a new argument to an existing filter actually modifies an existing argument. For example, if you configure a filter to trap IP packets having IP protocol 51, and you then set a trap for IP packets having IP protocol 200, the NetScreen device replaces the 51 trap with the 200 trap. To prevent this, create new filters.
src-port port_num Defines the port number for the source IP address. Port numbers range from 0 to 65535.
dst-port port_num Defines the port number for the destination IP address. Port numbers range from 0 to 65535.
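The merge behaviour in the Notes (a new argument set on an existing filter replaces the value already there, so protocol 200 displaces protocol 51, while a separate filter keeps both traps) together with the argument ranges from the keyword table, modelled in Python as an added example rather than ScreenOS code; that a packet is selected when it matches any one configured filter is an assumption of this model, not something the page states.

```python
"""Model of the ffilter behaviour described on this page: each debug flow
filter is a conjunction of src-ip, dst-ip, src-port, dst-port and ip-proto
arguments, and setting an argument on an existing filter replaces the
value already there (the page's protocol 51 -> 200 example).
Added example, not ScreenOS code. Assumed, not stated on the page:
a packet is selected when it matches any one configured filter."""

CRITERIA = ("src-ip", "dst-ip", "src-port", "dst-port", "ip-proto")


def _check(name, value):
    """Enforce the ranges given in the keyword table."""
    if name not in CRITERIA:
        raise ValueError(f"unknown ffilter argument: {name}")
    if name.endswith("-port") and not 0 <= value <= 65535:
        raise ValueError("port numbers range from 0 to 65535")
    if name == "ip-proto" and not 0 <= value <= 255:
        raise ValueError("ip-proto is a value between 0 and 255")


class FlowFilters:
    """Holds the filters a `get ffilter` would list, keyed by id_num."""

    def __init__(self):
        self.filters = {}      # id_num -> {argument: value}
        self._next_id = 0

    def set_ffilter(self, filter_id=None, **args):
        """`set ffilter <args>`. Python keyword names use underscores
        (src_ip) and are mapped to the CLI spelling (src-ip).
        With filter_id None a new filter is created; otherwise the
        arguments are merged into the existing filter, and an argument
        already present is replaced rather than added alongside."""
        new = {}
        for key, value in args.items():
            name = key.replace("_", "-")
            _check(name, value)
            new[name] = value
        if filter_id is None:
            filter_id = self._next_id
            self._next_id += 1
            self.filters[filter_id] = new
        else:
            self.filters[filter_id].update(new)
        return filter_id

    def unset_ffilter(self, filter_id):
        """`unset ffilter id_num`."""
        del self.filters[filter_id]

    def selects(self, packet):
        """True if the packet satisfies every argument of some filter.
        packet is a dict keyed by the CLI argument names."""
        return any(all(packet.get(k) == v for k, v in f.items())
                   for f in self.filters.values())


def merge_example():
    """Walk through the Notes: a filter on protocol 51, then protocol 200
    set on the same filter, then a separate filter so both are trapped."""
    ff = FlowFilters()
    fid = ff.set_ffilter(ip_proto=51)
    ff.set_ffilter(fid, ip_proto=200)        # replaces 51, does not add to it
    only_200 = ff.filters[fid] == {"ip-proto": 200}
    ff.set_ffilter(ip_proto=51)              # a new filter keeps both traps
    both = ff.selects({"ip-proto": 51}) and ff.selects({"ip-proto": 200})
    return only_200, both


if __name__ == "__main__":
    print(merge_example())   # (True, True)
```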
file
Description: Use the file commands to clear or display information for files stored in the flash memory.
Syntax
clear
clear [ cluster ] file dev_name:filename
get
get file [ filename | info ]
Keywords and Variables
dev_name:filename | filename
clear [ ... ] file dev_name:filename
get file filename
Examples: The following command deletes a file named myconfig in the flash memory on the memory board:
clear file flash:myconfig
The following command displays information for the file named corpnet from the flash card memory:
get file corpnet
cluster
clear cluster file dev_name:filename
info
get file info
dev_name:filename Deletes the file with the name filename from the flash card memory.
filename Defines the file name stored in the flash card memory.
cluster Propagates the clear operation to all other devices in a NSRP cluster.
info Displays the base sector and address.
fips-mode
Description: Use the fips-mode commands to enable or disable FIPS mode in a NetScreen device.
In FIPS mode, certain security features are disabled. For information on these features, refer to the NetScreen FIPS 140-2 Security Policy manual.
Syntax
set
set fips-mode enable
unset
unset fips-mode enable
Keywords and Variables
None.
firewall
Description: Use the firewall commands to enable or disable logging of dropped packets.
Syntax
set
set firewall log-self { ike | snmp }
unset
unset firewall log-self { ike | snmp }
Keywords and Variables
log-self
set firewall log-self { ike | snmp }
unset firewall log-self { ike | snmp }
Defaults
The firewall features have the following default settings:
• log-self off
• ike on
• snmp off
Note: NetScreen devices perform most firewall services at the security zone level. Consequently, you configure individual zones to perform firewall services. For more information, see the zone commands.
log-self Directs the NetScreen device to log all dropped packets and pings. The ike switch enables logging of dropped IKE packets, and the snmp switch enables logging of dropped SNMP packets.
flow
Description: Use the flow commands to adjust the initial session timeout value and avoid packet fragmentation, or to display the session timeout values.
Syntax
get
get flow [ perf | tcpmss ]
set
set flow { allow-dns-reply | gre-in-tcp-mss | gre-out-tcp-mss | initial-timeout number | mac-flooding | max-frag-pkt-size number | nonsticky-vip-session | no-tcp-seq-check | path-mtu | tcp-mss | tcp-syn-check | tcp-syn-check-in-tunnel }
unset
unset flow { allow-dns-reply | gre-in-tcp-mss | gre-out-tcp-mss | initial-timeout | mac-flooding | max-frag-pkt-size | nonsticky-vip-session | no-tcp-seq-check | path-mtu | tcp-mss | tcp-syn-check | tcp-syn-check-in-tunnel }
Keywords and Variables
allow-dns-reply
set flow allow-dns-reply
unset flow allow-dns-reply
gre-in-tcp-mss
set flow gre-in-tcp-mss
unset flow gre-in-tcp-mss
gre-out-tcp-mss
set flow gre-out-tcp-mss
unset flow gre-out-tcp-mss
allow-dns-reply Allows a DNS reply packet without a matched request.
gre-in-tcp-mss Specifies the inbound GRE TCP MSS option (64-1420).
gre-out-tcp-mss Specifies the outbound GRE TCP MSS option (64-1420).
initial-timeout
set flow initial-timeout number
unset flow initial-timeout
Example: The following command changes the length of time that an initial session remains in the session table to 2 minutes:
set flow initial-timeout 2
mac-flooding
set flow mac-flooding
unset flow mac-flooding
initial-timeout Defines the length of time in minutes (number) that the NetScreen device keeps an initial session in the session table before dropping it, or until the device receives a FIN or RST packet. The range of time is from 1 to 6 minutes.
mac-flooding Enables the NetScreen device to pass a packet across the firewall even if its destination MAC address is not in the MAC learning table.
max-frag-pkt-size
set flow max-frag-pkt-size number
unset flow max-frag-pkt-size
Example: The following command sets the maximum size of a packet generated by the NetScreen device to 1024 bytes:
set flow max-frag-pkt-size 1024
nonsticky-vip-session
set flow nonsticky-vip-session
unset flow nonsticky-vip-session
no-tcp-seq-check
set flow no-tcp-seq-check
unset flow no-tcp-seq-check
max-frag-pkt-size The maximum allowable size for a packet fragment generated by the NetScreen device. You can set the number value between 1024 and 1500 inclusive. For example, if a received packet is 1540 bytes and max-frag-pkt-size is 1460 bytes, the device generates two fragment packets. The first is 1460 bytes and the second is 80 bytes. If you reset max-frag-pkt-size to 1024, the first fragment packet is 1024 bytes and the second is 516 bytes.
nonsticky-vip-session Allows unused VIP sessions to expire immediately.
no-tcp-seq-check Skips the sequence number check in stateful inspection.
path-mtu
set flow path-mtu
unset flow path-mtu
perf
get flow perf
tcp-mss
get flow tcpmss
set flow tcp-mss
unset flow tcp-mss
tcp-syn-check
set flow tcp-syn-check
unset flow tcp-syn-check
path-mtu Enables path-MTU (maximum transmission unit) discovery. If the NetScreen device receives a packet that must be fragmented, it sends an ICMP packet suggesting a smaller packet size.
perf Displays the perf information.
tcp-mss Enables the TCP-MSS (TCP-Maximum Segment Size) option. The NetScreen device modifies the MSS value in the TCP packet to avoid fragmentation caused by the IPSec operation.
tcp-syn-check Checks the TCP SYN bit before creating a session.
tcp-syn-check-in-tunnel
set flow tcp-syn-check-in-tunnel
unset flow tcp-syn-check-in-tunnel
Defaults
The default initial timeout value is 1 minute.
The MAC-flooding feature is enabled by default.
tcp-syn-check-in-tunnel Checks the TCP SYN bit before creating a session for tunneled packets.
ftp
Description: Use the ftp commands to allow FTP services for non-port-20 traffic to negotiate any data port number.
When the ftp data-port setting is disabled, the NetScreen device does not recognize certain FTP services that negotiate a data port other than port 20. When the ftp data-port setting is enabled, it allows FTP servers to dynamically negotiate any data port that the FTP server proposes. The stateful inspection monitor continues to meter the session.
Syntax
set
set ftp data-port any
unset
unset ftp data-port any
Keywords and Variables
data-port any
set ftp data-port any
unset ftp data-port any
data-port any Specifies any FTP data port except port 20.
gate
Description: Use the gate command to check the number of gates on the NetScreen device, how many are in use, and how many are still available. Gates are logical access points in the firewall for FTP and similar applications. The NetScreen device creates the gate, then converts the gate to a session when data traffic occurs.
Syntax
get
get gate
Keywords and Variables
None.
Defaults
The default numbers of gates on NetScreen devices are:
NetScreen-5000 Series 4096
NetScreen-1000 4096
NetScreen-500 1024
NetScreen-200 Series 1024
NetScreen-100 1024
NetScreen-25/50 256
NetScreen-10 256
NetScreen-5xp 256
global-pro
Description: Use the global-pro commands to set or display the NetScreen-Global PRO configuration.
Syntax
get
get global-pro { config | policy-manager | proto-dist { table { bytes | packets } | user-service } }
set
set global-pro { config
    { primary { ip_addr | name_str } | secondary { ip_addr | name_str } | timeout number }
  | enable
  | policy-manager
    { nacn | primary | secondary
      { ca-idx number | cert-subject string | host { ip_addr | name_str } | outgoing-interface interface | password pswd_str | policy-domain dom_name | port port_num }
    }
  | report
    { alarm-attack enable | alarm-other enable | alarm-traffic enable | attack-stat enable | ethernet-stat enable | flow-stat enable | log-config enable | log-info enable | log-self enable | log-traffic enable | policy-stat enable | proto-dist
      { enable | user-service name_str { ah | esp | gre | icmp | ospf | tcp | udp port_num1-port_num2 } }
    }
  | vpn }
Note: When the set global setting is enabled, the NetScreen device creates a log entry in the protocol table for every packet that passes through the device. Because this affects performance, it is advisable to disable the setting, except when protocol distribution information is required.
�����
unset global-pro { config { primary | secondary | timeout } | enable | policy-manager
{ nacn | primary | secondary
{ ca-idx | cert-subject | host | outgoing-interface | password | policy-domain | port }
} | report
{ alarm-attack enable | alarm-other enable | alarm-traffic enable | attack-stat enable |
�4��� �*5��$��*$�4������%"����" ��5
������
���������������� ���������!�ethernet-stat enable | flow-stat enable | log-config enable | log-info enable | log-self enable | log-traffic enable | policy-stat enable | proto-dist
{ enable | user-service name_str }
} | vpn }
Keywords and Variables
ca-idx
set global-pro policy-manager primary ca-idx number
set global-pro policy-manager secondary ca-idx number
unset global-pro policy-manager primary ca-idx
unset global-pro policy-manager secondary ca-idx
Example: The following command specifies CA certificate 2001:
set global-pro policy-manager primary ca-idx 2001
cert-subject
set global-pro policy-manager primary cert-subject string
set global-pro policy-manager secondary cert-subject string
unset global-pro policy-manager primary cert-subject
unset global-pro policy-manager secondary cert-subject
Example: For an example of this option, see “NACN Example” on page 145.
ca-idx Selects by index number the CA certificate allowed for authentication. You can obtain this index number by executing get ssl ca-list. (Optional)
cert-subject Specifies the acceptable full subject name (string) of the certificate used for authentication. (Optional)
config
get global-pro config
set global-pro config { primary { ip_addr | name_str } | secondary { ip_addr | name_str } | timeout number }
unset global-pro config { primary | secondary | timeout }
Example: The following command specifies that the primary management station IP address is 172.16.1.2:
set global-pro config primary 172.16.1.2
enable
set global-pro enable
unset global-pro enable
config Identifies the primary and secondary Global PRO servers, and sets the timeout value.
• primary ip_addr | name_str Specifies the IP address or name of the primary server.
• secondary ip_addr | name_str Specifies the IP address or name of the secondary server.
• timeout number Specifies the timeout value (in seconds) on the Global PRO agent. (Specifying 0 sets the timeout value to the default value, 30 seconds.)
enable Enables the NetScreen device for Global PRO reporting.
host
set global-pro policy-manager primary host { name_str | ip_addr }
set global-pro policy-manager secondary host { name_str | ip_addr }
unset global-pro policy-manager primary host
unset global-pro policy-manager secondary host
Example: To specify that the primary host IP address is 172.16.1.2:
set global-pro policy-manager primary host 172.16.1.2
nacn
set global-pro policy-manager nacn
unset global-pro policy-manager nacn
Example: For an example of this option, see “NACN Example” on page 145.
outgoing-interface
set global-pro policy-manager primary outgoing-interface interface
set global-pro policy-manager secondary outgoing-interface interface
unset global-pro policy-manager primary outgoing-interface
unset global-pro policy-manager secondary outgoing-interface
host Specifies the hostname or IP address of the server running the Global-PRO Policy Manager application.
nacn Enables NetScreen Address Change Notification (NACN). When NACN is active, the NetScreen device notifies the Global-PRO server each time the IP address of the managed interface changes (statically, or dynamically due to DHCP or PPPoE).
outgoing-interface Specifies the monitored interface through which the NetScreen device sends out registration packets.
password
set global-pro policy-manager primary password pswd_str
set global-pro policy-manager secondary password pswd_str
unset global-pro policy-manager primary password
unset global-pro policy-manager secondary password
policy-manager
get global-pro policy-manager
set global-pro policy-manager { ... }
unset global-pro policy-manager { ... }
Example: For examples of this option, see “NACN Example” on page 145.
policy-domain
set global-pro policy-manager primary policy-domain dom_name
set global-pro policy-manager secondary policy-domain dom_name
unset global-pro policy-manager primary policy-domain
unset global-pro policy-manager secondary policy-domain
Example: For an example of this option, see “NACN Example” on page 145.
password Specifies the registered Global-PRO Policy Manager password (pswd_str).
policy-manager Configures the NetScreen device to register its address with the Global PRO Policy Manager.
policy-domain Specifies the policy domain (dom_name) registered with the Global-PRO arbitrator. (Optional)
port
set global-pro policy-manager primary port port_num
set global-pro policy-manager secondary port port_num
unset global-pro policy-manager primary port
unset global-pro policy-manager secondary port
primary | secondary
set global-pro config primary { ... }
set global-pro config secondary { ... }
set global-pro policy-manager primary { ... }
set global-pro policy-manager secondary { ... }
unset global-pro config primary
unset global-pro config secondary
Example: For examples of this option, see “NACN Example” on page 145.
report
set global-pro report { ... }
unset global-pro report { ... }
port Specifies the port number (port_num) through which the NetScreen device talks to the Global-PRO Policy Manager. The default port number is 11122.
primary | secondary Identifies the primary and secondary Global PRO Report Manager servers, or identifies the Global PRO Policy Manager server and sets parameters for the Arbitrator process.
report Enables the specified report.
• alarm-attack reports all alarm attacks.
• alarm-other reports all other types of alarms (non-attack alarms).
• alarm-traffic reports all traffic alarms.
• attack-stat reports all attack statistics.
• ethernet-stat reports ethernet statistics.
• flow-stat reports flow statistics.
• log-config produces the configuration logs.
• log-info produces information logs.
• log-self produces self-logs.
• log-traffic produces traffic logs.
• policy-stats reports policy statistics.
• proto-dist reports the distribution of different protocol types. The user-service option displays the NetScreen-Global PRO protocol distribution settings for user-defined services (ah | esp | gre | icmp | ospf | tcp | udp).
table
get global-pro proto-dist table { bytes | packets }
vpn
set global-pro vpn
unset global-pro vpn
table Displays the NetScreen-Global PRO protocol distribution settings in bytes or in packets.
vpn Allows the NetScreen device to source its report packets from the Trusted interface.
NACN Example
The following commands enable NetScreen Address Change Notification (NACN) protocol, and configure the NetScreen device for interaction with the primary and secondary Global PRO servers. (In this example, assume the get ssl ca-list displays a Certificate Authority with index number 2.)
exec pki x509 install-factory-certs "phonehome1CA1"
get ssl ca-list
set global-pro policy-manager primary ca-idx 2
set global-pro policy-manager primary cert-subject “CN=Marketing,OU=Marketing,O=Ajax,L=Chicago,ST=IL,C=US,Email
set global-pro policy-manager primary outgoing-interface ethernet3
set global-pro policy-manager primary host 172.16.12.12
set global-pro policy-manager primary password swordfish
set global-pro policy-manager primary policy-domain “mmci”
set global-pro policy-manager secondary ca-idx 2
set global-pro policy-manager secondary cert-subject “CN=Marketing,OU=Marketing,O=Ajax,L=Chicago,ST=IL,C=US,Email
set global-pro policy-manager secondary outgoing-interface ethernet3
set global-pro policy-manager secondary host 172.16.12.100
set global-pro policy-manager secondary password trout
set global-pro policy-manager secondary policy-domain “mmci”
set interface ethernet3 manage scs
set global-pro policy-manager nacn
Note: The last command in this example executes successfully only if the monitored interfaces have Telnet, SCS, or SSH enabled.
glog
Description: Use the glog commands to display the contents of the global log file.
Syntax
get
get glog
Keywords and Variables
None.
Note: Log entries of all categories go to the global log file initially. The display shows the total number of entries in the file and the category to which each entry belongs.
group
Description: Use the group commands to group several addresses or several services under a single name. This allows you to reference a group of addresses or services by name in an access policy.
Syntax
get
get group { address zone [ grp_name ] | service [ grp_name ] }
set
set group { address zone grp_name [ add name_str ] [ comment string ] | service grp_name [ add name_str [ comment string ] ] }
unset
unset group { address zone grp_name [ remove mbr_name | clear ] | service grp_name [ remove mbr_name | clear ] }
Keywords and Variables
add
set group address zone grp_name [ add mbr_name ] [ comment string ]
set group service grp_name [ add mbr_name [ comment string ] ]
Examples: The following command creates an address group named engineering for the Trust zone and adds the address hw-eng to the group:
set group address trust engineering add hw-eng
The following command creates a service group named inside-sales and adds the service AOL to the group:
set group service inside-sales add AOL
address
get group address zone [ ... ]
set group address zone grp_name [ ... ]
unset group address zone grp_name [ ... ]
Example: The following command creates an empty address group (named headquarters) for the Trust zone:
set group address trust headquarters
add mbr_name Adds an address or service named mbr_name.
address Performs the operation on an address group. The zone value specifies the zone to which the address group is bound. This zone is either a default security zone or a user-defined zone. For more information on zones, see “Security Zone Names” on page A-II.
clear
unset group address zone grp_name clear
unset group service grp_name clear
Example: The following command removes all members from an address group (engineering) bound to the Trust zone:
unset group address trust engineering clear
comment
set group address zone grp_name [ ... ] [ comment string ]
set group service grp_name [ ... ] [ comment string ]
Example: The following command creates an address group named engineering for the Trust zone and adds the address hw-eng to the group:
set group address trust engineering add hw-eng comment “Engineering Group”
remove
unset group address zone grp_name remove name_str
unset group service grp_name remove name_str
clear Removes all the members of an address or service group.
comment Adds a comment string to the service group or address group entry.
remove Removes the address (or service) named name_str. If you do not specify an address (or service) group member, the unset group { address | service } command deletes the entire address group or service group.
Example: The following command removes the address admin-pc from the engineering address group:
unset group address trust engineering remove admin-pc
service
get group service grp_name
set group service grp_name [ ... ]
unset group service grp_name [ ... ]
Example: The following command creates an empty service group and names it web_browsing:
set group service web_browsing
Notes
Each address group and service group you create must have a unique name. You cannot use the same address group name as a service group name.
You cannot add the following addresses to a group:
• inside any
• outside any
• dialup vpn
• dmz any
You cannot add the ANY service to a group.
While an access policy references a group, you cannot remove the group, although you can modify it.
You can add only one member to a group at a time from the console.
service grp_name Performs the operation on a service group.
group-expression
Description: Use the group-expression commands to set up or display group expressions for use in security policies. A group expression allows or excludes users or user groups, or group expressions according to NOT, AND, or OR operators. Such expressions are only usable for external users and user groups.
Syntax
get
get group-expression { name_str | all | id number }
set
set group-expression name_str { not name_str | name_str { and | or } name_str | id number }
unset
unset group-expression { name_str | id number }
Keywords and Variables
name_str
get group-expression name_str
set group-expression name_str
unset group-expression name_str
all
get group-expression all
and | or
set group-expression name_str name_str and name_str
set group-expression name_str name_str or name_str
Example: The following commands create the external user groups Sales_Group and Marketing_Group, place them in an OR relationship as the group expression SalesM, and then place Office_1 and SalesM in an AND relationship as the group expression SM_Group:
set user-group Sales_Group location external
set user-group Marketing_Group location external
set group-expression SalesM Sales_Group or Marketing_Group
set group-expression SM_Group Office_1 and SalesM
name_str The name of the group expression.
all Specifies all group expressions.
and | or Specifies AND or OR relationship between users, user groups, or group expressions.
id
get group-expression id number
set group-expression name_str id number
unset group-expression id number
not
set group-expression name_str not name_str
Example: The following command creates a NOT group expression that does not allow the Office_1 user:
set group-expression Total_Users not Office_1
id number Specifies an identification number for the group expression.
not Specifies negation.
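The following is an added example, not ScreenOS code: a small Python model of how the NOT, AND and OR group expressions described above decide whether a user is allowed, built from the SalesM, SM_Group and Total_Users definitions in this section. It assumes a user's membership is known as a set of external user-group names and that an expression's operands are user groups or group expressions already defined; the GroupExpressionTable class and its method names are this example's own.

```python
"""Model of ScreenOS group-expression evaluation (added example, not ScreenOS code).

Assumed: a user's membership is a set of external user-group names, and an
expression's operands are user groups or previously defined group expressions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass(frozen=True)
class GroupExpression:
    name: str
    op: str                       # "not", "and" or "or"
    left: str                     # user group or group-expression name
    right: Optional[str] = None   # second operand, only for "and" / "or"


class GroupExpressionTable:
    """Mirrors 'set user-group ... location external' and 'set group-expression' entries."""

    def __init__(self) -> None:
        self.user_groups: Set[str] = set()
        self.expressions: Dict[str, GroupExpression] = {}

    def set_user_group(self, name: str) -> None:
        self.user_groups.add(name)

    def set_expression(self, name: str, op: str, left: str,
                       right: Optional[str] = None) -> None:
        if op not in ("not", "and", "or"):
            raise ValueError(f"unknown operator {op!r}")
        if (op == "not") != (right is None):
            raise ValueError("not takes one operand; and/or take two")
        for operand in (left, right):
            if operand is None:
                continue
            if operand == name:
                raise ValueError(f"{name!r} cannot reference itself")
            if operand not in self.user_groups and operand not in self.expressions:
                raise ValueError(f"unknown user group or group expression {operand!r}")
        self.expressions[name] = GroupExpression(name, op, left, right)

    def allows(self, expr_name: str, membership: FrozenSet[str]) -> bool:
        """True if a user who belongs to the groups in `membership` is allowed."""
        return self._evaluate(self.expressions[expr_name], membership, set())

    def _operand(self, operand: str, membership: FrozenSet[str],
                 active: Set[str]) -> bool:
        # An operand is either a nested expression or a plain user group.
        if operand in self.expressions:
            return self._evaluate(self.expressions[operand], membership, active)
        return operand in membership

    def _evaluate(self, expr: GroupExpression, membership: FrozenSet[str],
                  active: Set[str]) -> bool:
        # Redefining an expression could create a cycle; refuse rather than recurse forever.
        if expr.name in active:
            raise ValueError(f"cyclic group expression {expr.name!r}")
        active.add(expr.name)
        try:
            if expr.op == "not":
                return not self._operand(expr.left, membership, active)
            left = self._operand(expr.left, membership, active)
            right = self._operand(expr.right, membership, active)
            return (left and right) if expr.op == "and" else (left or right)
        finally:
            active.discard(expr.name)


def build_page_example() -> GroupExpressionTable:
    """The expressions from the examples above: SalesM, SM_Group and Total_Users."""
    table = GroupExpressionTable()
    for group in ("Sales_Group", "Marketing_Group", "Office_1"):
        table.set_user_group(group)
    table.set_expression("SalesM", "or", "Sales_Group", "Marketing_Group")
    table.set_expression("SM_Group", "and", "Office_1", "SalesM")
    table.set_expression("Total_Users", "not", "Office_1")
    return table


if __name__ == "__main__":
    t = build_page_example()
    # Constructed users: alice is in Marketing and Office_1, bob only in Sales.
    for user, groups in {"alice": {"Marketing_Group", "Office_1"},
                         "bob": {"Sales_Group"}}.items():
        print(user, {e: t.allows(e, frozenset(groups)) for e in t.expressions})
```

Running the model shows why SM_Group only admits a user who is in Office_1 and in at least one of the two sales-side groups, while Total_Users admits everyone except Office_1 members; the same test matrix is a quick way to confirm that an expression defined on the device matches the policy intent before it is referenced from a policy.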
hostname
Description: Use the hostname commands to define the NetScreen device name that appears in the console command prompt.
Syntax
get
get hostname
set
set hostname string
unset
unset hostname
Keywords and Variables
string
Example: The following command changes the NetScreen device hostname to acme:
set hostname acme
string Sets the name of the NetScreen device.
ike
Description: Use the ike commands to define the Phase 1 and Phase 2 proposals and the gateway for an AutoKey IKE (Internet Key Exchange) VPN tunnel, and to specify other IKE parameters.
Syntax
exec
exec ike preshare-gen name_str usr_str
get
get ike { accept-all-proposal | ca-and-type | cert | conn-entry | cookies | gateway [ name_str ] | heartbeat | id-mode | initial-contact [ all-peers | single-gateway [ name_str ] ] | initiator-set-commit | member-sa-hold-time | p1-max-dialgrp-sessions | p1-proposal name_str | p1-sec-level | p2-proposal name_str | p2-sec-level | policy-checking | respond-bad-spi | responder-set-commit | soft-lifetime-buffer }
set
Phase 1 Proposal
set ike p1-proposal name_str [ dsa-sig | rsa-sig | preshare ] [ group1 | group2 | group5 ] { esp { 3des | des | aes128 | aes192 | aes256 } { md5 | sha-1 } [ days number | hours number | minutes number | seconds number ] }
Phase 2 Proposal
set ike p2-proposal name_str [ group1 | group2 | group5 | no-pfs ] { esp { 3des | des | aes128 | aes192 | aes256 | null } | ah } [ md5 | null | sha-1 ] [ days number | hours number | minutes number | seconds number ] [ kbyte number ]
Gateway Tunnel
set ike gateway name_str { dialup { usr_str | grp_name } | ip ip_addr | dynamic { asn1-dn { [ container string ] | [ wildcard string ] } | fqdn string | ip-addr string | u-fqdn string } } [ aggressive | main ] [ local-id id_str ] [ outgoing-interface interface ] [ preshare key_str | seed-preshare key_str ] { sec-level { basic | compatible | standard } | proposal name_str1 [ name_str2 ] [ name_str3 ] [ name_str4 ] }
Gateway Heartbeat
set ike gateway name_str heartbeat { hello number | threshold number | reconnect number }
Gateway Cert
set ike gateway name_str cert { my-cert id_num | peer-ca [ id_num | all ] | peer-cert-type { pkcs7 | x509-sig } }
Gateway NAT-Traversal
set ike gateway name_str nat-traversal [ udp-checksum | keepalive-frequency number ]
Gateway XAuth
set ike gateway name_str xauth [ server name_str [ [ chap ] [ query-config ] user name_str | user-group name_str ] ]
Other IKE Switches
set ike { accept-all-proposal | heartbeat { hello number | reconnect number | threshold number } | id-mode { ip | subnet } | initial-contact [ all-peers | single-gateway name_str ] | initiator-set-commit | member-sa-hold-time number | p1-max-dialgrp-sessions { count number | percentage number } | policy-checking | respond-bad-spi spi_num | responder-set-commit | single-ike-tunnel name_str | soft-lifetime-buffer number }
unset
unset ike { accept-all-proposal | gateway name_str [ heartbeat { hello | reconnect | threshold } | my-cert | nat-traversal [ udp-checksum ] | peer-ca | peer-cert-type | xauth ] | heartbeat { hello | reconnect | threshold } | initial-contact | initiator-set-commit | member-hold-sa | p1-max-dialgrp-sessions | p1-proposal name_str | p2-proposal name_str | policy-checking | respond-bad-spi | responder-set-commit | single-ike-tunnel name_str }
Keywords and Variables
accept-all-proposal
get ike accept-all-proposal
set ike accept-all-proposal
unset ike accept-all-proposal
aggressive | main
set ike gateway name_str { ... } aggressive [ ... ]
set ike gateway name_str { ... } main [ ... ]
ca-and-type
get ike ca-and-type
accept-all-proposal Directs the NetScreen device to accept all incoming proposals. By default, the device accepts only those proposals matching predefined or user-defined proposals.
aggressive | main Defines the mode used for Phase 1 negotiations. Use Aggressive mode only when you need to initiate an IKE key exchange without ID protection, as when a peer unit has a dynamically assigned IP address. Main mode is the recommended key-exchange method because it conceals the identities of the parties during the key exchange.
ca-and-type Displays the supported certificate authorities (CAs) and certificate types.
cert
get ike cert
set ike gateway name_str cert my-cert id_num
set ike gateway name_str cert peer-ca [ id_num | all ]
set ike gateway name_str cert peer-cert-type { pkcs7 | x509-sig }
conn-entry
get ike conn-entry
cookies
get ike cookies
cert Uses a digital certificate to authenticate the VPN initiator and recipient.
gateway name_str cert Specifies which certificates to use.
• my-cert name_str Specifies a particular certificate when the local NetScreen device has multiple loaded certificates.
• peer-ca name_str Specifies a preferred certificate authority (CA).
• peer-cert-type { pkcs7 | x509 } Specifies a preferred type of certificate (PKCS7 or X509).
conn-entry Displays the Connection Entry Table.
cookies Displays the cookie table, and the total number of dead and active cookies.
dialup
set ike gateway name_str dialup { usr_str | grp_name } [ ... ]
dynamic
set ike gateway name_str dynamic { ... } [ ... ]
gateway
get ike gateway
set ike gateway name_str { ... } [ ... ]
unset ike gateway { ... }
Example: For an example of this option, see “Setting Up a VPN Tunnel” on page 178.
dialup Identifies an IKE dialup user (usr_str) or dialup group (grp_name). To specify a user’s attributes, use the set user command. (To specify dialup group attributes, use the set dialup command.)
dynamic Specifies the dynamic IP identifier for the remote gateway interface.
• asn1-dn { container | wildcard } string The ASN1 domain name. The container switch treats string as a container. The wildcard switch treats string as a wild card.
• fqdn The fully-qualified domain name (such as www.acme.com).
• ip_addr string The IP address of the remote gateway interface.
• u-fqdn string The user fully-qualified domain name.
gateway Configures or displays settings for a remote tunnel gateway.
heartbeat
get ike heartbeat
set ike gateway name_str heartbeat { hello number | threshold number | reconnect number }
unset ike gateway heartbeat { hello | reconnect | threshold }
id-mode
get ike id-mode
set ike id-mode ip
set ike id-mode subnet
heartbeat Specifies the IKE heartbeat protocol parameters.
• hello number Sets the IKE heartbeat protocol interval (in seconds).
• reconnect number Sets the quiet interval (in seconds) that elapses before the NetScreen device reconnects a failed tunnel.
• threshold number Sets the number of retries before the NetScreen device forces renegotiation of the Phase 1 and Phase 2 keys.
id-mode Defines the IKE ID mode in the Phase 2 exchange as either a host (IP) address or a gateway (subnet). If you use the ip switch, the device sends no Phase 2 ID. If you choose the subnet switch, the device sends proxy Phase 2 IDs. (Use the ip switch when setting up a VPN tunnel between a NetScreen device and a CheckPoint 4.0 device. Otherwise, use the subnet switch.)
initial-contact
get ike initial-contact
set ike initial-contact [ all-peers | single-gateway name_str ]
unset ike initial-contact
initiator-set-commit
get ike initiator-set-commit
set ike initiator-set-commit
unset ike initiator-set-commit
initial-contact Determines how the NetScreen device performs initial contact with an IKE peer.
• Specifying all-peers instructs the NetScreen device to delete all SAs, then send an initial contact notification to each IKE peer.
• Specifying single-gateway name_str instructs the NetScreen device to delete all SAs associated with the specified IKE gateway, then send an initial contact notification.
If you specify none of the above options, the NetScreen device sends an initial contact notification to all peers during the first IKE single-user session after a system reset.
initiator-set-commit Sends the responder a request to confirm establishment of the new IPSec SA. The initiator does not use the new SA until it receives this confirmation.
ip
set ike gateway name_str ip ip_addr
Example: For an example of this option, see “Setting Up a VPN Tunnel” on page 178.
local-id
set ike gateway name_str { ... } local-id id_str
member-sa-hold-time
get ike member-sa-hold-time
set ike member-sa-hold-time number
unset ike member-hold-sa
ip Specifies the static IP address of the remote gateway interface.
local-id Defines the IKE NetScreen identity of the local device. Use this option only when the local NetScreen device has a dynamically assigned IP address (Note: If either peer has a dynamically assigned IP address, use Aggressive mode for Phase 1).
member-sa-hold-time The length of time (in minutes) the NetScreen device keeps an unused SA allocated for a dialup user.
nat-traversal
set ike gateway name_str nat-traversal [ udp-checksum | keepalive-frequency number ]
unset ike gateway name_str nat-traversal [ ... ]
Examples: The following command enables NAT traversal for a gateway named mktg:
set ike gateway mktg nat-traversal
The following command sets the Keepalive setting to 25 seconds:
set ike gateway mktg nat-traversal keepalive-frequency 25
outgoing-interface
set ike gateway name_str { ... } outgoing-interface interface [ ... ]
nat-traversal Enables or disables IPsec NAT Traversal, a feature that allows transmission of encrypted traffic through a NetScreen device configured for NAT. The NAT Traversal feature encapsulates ESP packets into UDP packets. This prevents the NAT device from altering ESP packet headers in transit, thus preventing authentication failure on the peer NetScreen device.
• udp-checksum enables the NAT-Traversal UDP checksum operation (used for UDP packet authentication).
• keepalive-frequency specifies how many seconds of inactivity the NetScreen device allows before disabling NAT Traversal.
outgoing-interface Defines the outgoing interface.
p1-max-dialgrp-sessions
get ike p1-max-dialgrp-sessions
set ike p1-max-dialgrp-sessions count number
set ike p1-max-dialgrp-sessions percentage number
unset ike p1-max-dialgrp-sessions
p1-proposal
get ike p1-proposal name_str
set ike p1-proposal name_str [ ... ] { ... }
unset ike p1-proposal name_str
p1-max-dialgrp-sessions Displays the allowed concurrent Phase 1 negotiations for dialup groups.
p1-proposal Names the IKE Phase 1 proposal, which contains parameters for creating and exchanging session keys and establishing security associations. You can specify up to four Phase 1 proposals.
• dsa-sig | rsa-sig | preshare Specifies the method to authenticate the source of IKE messages. preshare refers to a preshared key, which is a key for encryption and decryption that both participants have before beginning tunnel negotiations. rsa-sig and dsa-sig refer to two kinds of digital signatures, which are certificates that confirm the identity of the certificate holder. (The default method is preshare.)
• group1 | group2 | group5 Identifies the Diffie-Hellman group, a technique that allows two parties to negotiate encryption keys over an insecure medium, such as the Internet. Group2 is the default group.
• esp Specifies Encapsulating Security Payload protocol, which provides encryption and authentication.
• des | 3des | aes128 | aes192 | aes256 Specifies the encryption algorithm.
• md5 | sha-1 Specifies the authentication (hashing) algorithm used in ESP protocol. The default algorithm is SHA-1, the stronger of the two algorithms.
• The following parameters define the elapsed time between each attempt to renegotiate a security association. The minimum allowable lifetime is 180 seconds. The default lifetime is 28800 seconds.
- days number
- hours number
- minutes number
- seconds number
• kbytes number Indicates the maximum allowable data flow (in kilobytes) before NetScreen renegotiates another security association. The default value is 0 (infinity).
Example: To define a Phase 1 proposal named pre-gl-3des-md5 with the following attributes:
• Preshared key and a group 1 Diffie-Hellman exchange
• Encapsulating Security Payload (ESP) protocol using the 3DES and MD5 algorithms
• Lifetime of 3 minutes:
set ike p1-proposal sf1 preshare group1 esp 3des md5 minutes 3
p1-sec-level
get ike p1-sec-level
p2-sec-level
get ike p2-sec-level
p1-sec-level Displays the predefined IKE Phase 1 proposals in descending order of security level.
p2-sec-level Displays the predefined IKE Phase 2 proposals in descending order of security level.
p2-proposal
get ike p2-proposal name_str
set ike p2-proposal name_str [ ... ] { ... }
unset ike p2-proposal name_str
p2-proposal Names the IKE Phase 2 proposal. This proposal defines parameters for creating and exchanging a session key to establish a security association (SA). You can specify up to four Phase 2 proposals.
• group1 | group2 | group5 | no-pfs Defines how the NetScreen device generates the encryption key. Perfect Forward Secrecy (PFS) is a method for generating each new encryption key independently from the previous key. Selecting no-pfs turns this feature off, so IKE generates the Phase 2 key from the key generated in the Phase 1 exchange. If you specify one of the Diffie-Hellman groups, IKE automatically uses PFS when generating the encryption key. The default is Group 2.
• ah | esp In a Phase 2 proposal, identifies the IPSec protocol.
- esp { des | 3des | aes128 | aes192 | aes256 } Specifies Encapsulating Security Payload (ESP) protocol, which provides both encryption and authentication. Specifies the encryption algorithm used in ESP protocol.
- ah Specifies Authentication Header (AH) protocol, which provides authentication only.
• md5 | null | sha-1 Specifies the authentication (hashing) algorithm used in ESP protocol. The default algorithm is SHA-1, the stronger of the two algorithms. The null switch specifies no authentication.
• The following parameters define the elapsed time between each attempt to renegotiate a security association. The minimum allowable lifetime is 180 seconds. The default lifetime is 28800 seconds.
- days number
- hours number
- minutes number
- seconds number
• kbytes number Indicates the maximum allowable data flow in kilobytes before NetScreen renegotiates another security association. The default value is 0 (infinity).
Example: To define a Phase 2 proposal named g2-esp-3des-null with the following attributes:
• Group 2 Diffie-Hellman exchange
• ESP using 3DES without authentication
• Lifetime of 15 minutes:
set ike p2-proposal g2-esp-3des-null group2 esp 3des null minutes 15
policy-checking
get ike policy-checking
set ike policy-checking
unset ike policy-checking
preshare
set ike p1-proposal name_str preshare [ ... ]
set ike gateway name_str { ... } [ ... ] preshare key_str
Example: For an example of this option, see “Setting Up a VPN Tunnel” on page 178.
policy-checking Checks to see if the access policies of the two peers match before establishing a connection. Use policy checking when configuration on the peer gateways support multiple tunnels. Otherwise, the IKE session fails. You can disable policy checking when only one policy is configured between two peers.
preshare Specifies a preshared key, which is a key for encryption and decryption that both participants have before beginning tunnel negotiations.
preshare Specifies the Preshared key (key_str) used in the Phase 1 proposal. (If you use an RSA- or DSA-signature in the Phase 1 proposal, do not use this option).
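The following is an added example, not ScreenOS code: a Python audit that parses set ike p1-proposal and set ike p2-proposal lines in the syntax documented above and reports settings a reviewer would question. The 180-second minimum lifetime and the defaults (preshare, group2, SHA-1, 28800 seconds) come from this section; the decision to flag DES, MD5, Diffie-Hellman group 1, no-pfs and null authentication is the auditor's own policy, not a rule the page states. The sample configuration lines are constructed from the two example proposals on this page plus one deliberately weak line; the function and constant names are this example's own.

```python
"""Audit of ScreenOS IKE proposal lines (added example, not ScreenOS code).

Parses 'set ike p1-proposal' / 'set ike p2-proposal' lines and flags lifetimes
below the documented 180-second minimum plus algorithm choices the auditor
considers weak (an assumption of this example, not a rule on the page).
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

AUTH_METHODS = {"preshare", "rsa-sig", "dsa-sig"}
DH_GROUPS = {"group1", "group2", "group5", "no-pfs"}
ENCRYPTION = {"des", "3des", "aes128", "aes192", "aes256", "null"}
HASHES = {"md5", "sha-1", "null"}
LIFETIME_UNITS = {"days": 86400, "hours": 3600, "minutes": 60, "seconds": 1}
MIN_LIFETIME = 180          # minimum allowable lifetime, per the page
DEFAULT_LIFETIME = 28800    # default lifetime, per the page


@dataclass
class Proposal:
    phase: int
    name: str
    auth_method: Optional[str] = None   # Phase 1 only; page default is preshare
    dh_group: str = "group2"            # page default
    protocol: Optional[str] = None      # "esp" or "ah"
    encryption: Optional[str] = None
    hash_alg: str = "sha-1"             # page default
    lifetime_seconds: int = DEFAULT_LIFETIME
    kbytes: int = 0


def parse_proposal(line: str) -> Proposal:
    tokens = shlex.split(line)
    if len(tokens) < 4 or tokens[:2] != ["set", "ike"] \
            or tokens[2] not in ("p1-proposal", "p2-proposal"):
        raise ValueError(f"not an IKE proposal line: {line!r}")
    p = Proposal(phase=1 if tokens[2] == "p1-proposal" else 2, name=tokens[3])
    if p.phase == 1:
        p.auth_method = "preshare"
    i = 4
    while i < len(tokens):
        tok = tokens[i]
        if p.phase == 1 and tok in AUTH_METHODS:
            p.auth_method = tok
        elif tok in DH_GROUPS:
            p.dh_group = tok
        elif tok in ("esp", "ah"):
            p.protocol = tok
        elif tok in ENCRYPTION and p.protocol == "esp" and p.encryption is None:
            p.encryption = tok      # 'null' directly after esp is the cipher, not the hash
        elif tok in HASHES:
            p.hash_alg = tok
        elif tok in LIFETIME_UNITS:
            p.lifetime_seconds = int(tokens[i + 1]) * LIFETIME_UNITS[tok]
            i += 1
        elif tok in ("kbyte", "kbytes"):
            p.kbytes = int(tokens[i + 1])
            i += 1
        else:
            raise ValueError(f"unexpected token {tok!r} in {line!r}")
        i += 1
    return p


def audit(p: Proposal) -> List[str]:
    findings = []
    if p.lifetime_seconds < MIN_LIFETIME:
        findings.append(f"lifetime {p.lifetime_seconds}s below the {MIN_LIFETIME}s minimum")
    if p.encryption == "des":
        findings.append("single DES encryption")
    if p.hash_alg == "md5":
        findings.append("MD5 authentication")
    if p.dh_group == "group1":
        findings.append("Diffie-Hellman group 1")
    if p.phase == 2 and p.dh_group == "no-pfs":
        findings.append("no PFS: Phase 2 key derived from the Phase 1 key")
    if p.protocol == "esp" and p.hash_alg == "null":
        findings.append("ESP without authentication")
    return findings


# Constructed sample: the page's two example proposals plus one deliberately weak line.
SAMPLE_CONFIG = [
    "set ike p1-proposal sf1 preshare group1 esp 3des md5 minutes 3",
    "set ike p2-proposal g2-esp-3des-null group2 esp 3des null minutes 15",
    "set ike p1-proposal weak-p1 preshare group2 esp des sha-1 seconds 60",
]


def audit_config(lines: List[str]) -> Dict[str, List[str]]:
    """Map each proposal name to its findings (an empty list means nothing flagged)."""
    return {p.name: audit(p) for p in (parse_proposal(line) for line in lines)}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, findings or "ok")
```

Note that the page's own Phase 1 example uses exactly the 180-second floor (minutes 3), so it passes the lifetime check but is still reported for MD5 and group 1, and the Phase 2 example is reported because null authentication leaves ESP with confidentiality but no integrity protection.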
preshare-gen
exec ike preshare-gen name_str usr_str
Example: The following commands create a single group IKE ID user and assign the user to a dialup user group. Then they create VPNs and policies that allow dialup users with matching partial IKE ID values to establish secure communication through the NetScreen device.
• the name of the group IKE ID user is User1, with partial IKE identity of acme.com.
• the number of dialup users that can share this user’s IKE identity is 10.
• the dialup user group is Office_1.
• the seed value for creating the preshared key is jk930k.
• the Phase 1 IKE gateway defined for the server side is Corp_GW.
• the Phase 2 VPN defined for the server side is Corp_VPN.
• the Phase 1 IKE gateway defined for the client side is Office_GW.
• the Phase 2 VPN defined for the client side is Office_VPN.
• the individual user’s full IKE identity is [email protected].
• the trusted server that dialup users access from the outside is a Web server with IP address 192.168.110.200.
preshare-gen Generates an individual preshared key for a remote dialup user associated with a Group IKE ID user. The NetScreen device generates each preshared key from a seed value. After displaying the preshared key, you can use it to set up a configuration for the remote user. (Remove any spaces.)
• name_str is the IKE gateway name. To create such a gateway, use the set ike gateway name_str command.
• usr_str is the full IKE ID of an individual user, which belongs to a Group IKE ID user. To create such a user, use the set user name_str ike-id command. The Group IKE ID user must be associated with a dialup user group to support a group of users.
�4��� �*5��$��*$�4������%"����" ��5
�9:���
Server side:
set user User1 ike-id u-fqdn acme.com share-limit 10
set dialup-group Office_1 + User1
set ike gateway Corp_GW dialup Office_1 aggressive seed-preshare jk930k proposal pre-g2-3des-md5
set vpn Corp_VPN gateway Corp_GW tunnel proposal g2-esp-3des-md5
set address trust http_server 192.168.110.200 255.255.255.255
set policy incoming “dial-up vpn” http_server any tunnel vpn Corp_VPN
Generate the individual user’s preshared key on the server side:
exec ike preshare-gen Corp_GW [email protected]
Note: For this example, assume that this command generates c5d7f7c1806567bc57d3d30d7bf9b93baa2adcc6.
Client side, using the generated key:
set ike gateway Office_GW ip 172.16.10.10 aggressive local-id [email protected] preshare c5d7f7c1806567bc57d3d30d7bf9b93baa2adcc6 proposal pre-g2-3des-md5
set vpn Office_VPN gateway Office_GW tunnel proposal g2-esp-3des-md5
set address untrust http_server 192.168.110.200
set policy outgoing “inside any” http_server any tunnel vpn Office_VPN

proposal
set ike gateway name_str { ... } [ ... ] proposal name_str1 [ name_str2 ] [ name_str3 ] [ name_str4 ]
Example: For an example of this option, see “Setting Up a VPN Tunnel” on page 2-178.
proposal Specifies the name (name_str) of a proposal. You can specify up to four Phase 1 proposals.
respond-bad-spi
get ike respond-bad-spi
set ike respond-bad-spi spi_num
unset ike respond-bad-spi

responder-set-commit
get ike responder-set-commit
set ike responder-set-commit
unset ike responder-set-commit

seed-preshare
set ike gateway name_str { ... } [ ... ] seed-preshare key_str
Example: The following commands:
• bind interface ethernet1 to the Trust zone and bind interface ethernet3 to the Untrust zone
• create a dialup user named User2 and place it in a user group named office_2
• set up a gateway configuration for office_2, with a preshared key seed value of jk930k
• create a security policy for all dialup users with the partial IKE identity specified for User2.
respond-bad-spi Responds to packets with bad security parameter index (SPI) values.
responder-set-commit Sends the initiator a request to confirm establishment of the new IPSec SA. The responder does not use the new SA until it receives this confirmation.
seed-preshare Specifies a seed value (key_str) for a user group with Preshared Key configurations. Such a configuration performs IKE authentication for multiple dialup users, each with an individual preshared key, without having a separate configuration for each user. Instead, use the seed to generate the preshared key with the exec ike preshare-gen command.
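The seed-preshare and preshare-gen mechanism above lets one gateway configuration serve many dialup users, each with an individual key derived from the seed and the user’s full IKE ID. The following is an added example, not ScreenOS code and not the device’s actual derivation (the guide does not publish it): HMAC-SHA1 keyed with the seed is a stand-in chosen here, so a real device prints a different string. What the model shows holds for any such scheme: whoever holds the seed can derive every user’s key, and rotating the seed invalidates all of them at once. The group-membership rule (a full IKE ID belongs to a u-fqdn group when the part after “@” equals the group’s partial ID) and the share-limit handling are this example’s reading of the configuration shown above, and the user names are constructed.

```python
"""Model of seed-based per-user preshared keys for a group IKE ID user.

Added example, not ScreenOS code. derive_user_key is a hypothetical
stand-in for the derivation behind "exec ike preshare-gen".
"""
import hashlib
import hmac
from typing import Dict, Iterable, Set


def derive_user_key(seed: str, full_ike_id: str) -> str:
    """Hypothetical derivation: HMAC-SHA1(seed, IKE ID) -> 40 hex chars."""
    return hmac.new(seed.encode(), full_ike_id.encode(), hashlib.sha1).hexdigest()


def normalize_displayed_key(text: str) -> str:
    """The guide says to remove any spaces from the displayed key before reuse."""
    return "".join(text.split())


def in_group(full_ike_id: str, partial_ike_id: str) -> bool:
    """Assumed rule: u-fqdn partial ID acme.com covers user@acme.com."""
    if "@" not in full_ike_id:
        return False
    return full_ike_id.rsplit("@", 1)[1].lower() == partial_ike_id.lower()


class GroupIkeUser:
    """Mirrors: set user NAME ike-id u-fqdn PARTIAL share-limit N."""

    def __init__(self, partial_ike_id: str, share_limit: int):
        self.partial_ike_id = partial_ike_id
        self.share_limit = share_limit
        self.active: Set[str] = set()  # IKE IDs currently sharing the identity

    def admit(self, full_ike_id: str) -> bool:
        """Accept a dialup peer if it matches the partial ID and the limit allows."""
        if not in_group(full_ike_id, self.partial_ike_id):
            return False
        if full_ike_id in self.active:
            return True
        if len(self.active) >= self.share_limit:
            return False
        self.active.add(full_ike_id)
        return True


def keys_for(seed: str, ike_ids: Iterable[str]) -> Dict[str, str]:
    """Per-user keys the server side would hand out for a given seed."""
    return {uid: derive_user_key(seed, uid) for uid in ike_ids}


def client_gateway_command(gw: str, peer_ip: str, ike_id: str, key: str, p1: str) -> str:
    """Client-side line in the form used above (Office_GW example)."""
    return (f"set ike gateway {gw} ip {peer_ip} aggressive local-id {ike_id} "
            f"preshare {key} proposal {p1}")


if __name__ == "__main__":
    users = ["jane@acme.com", "raj@acme.com"]  # constructed user IDs
    old = keys_for("jk930k", users)
    new = keys_for("rotated-seed", users)       # rotating the seed changes every key
    for uid in users:
        print(client_gateway_command("Office_GW", "172.16.10.10", uid, old[uid], "pre-g2-3des-md5"))
        assert old[uid] != new[uid]
```

Because every user’s key is a function of the seed, the seed deserves the same protection as a master key: it belongs only on the gateway, and changing it is the way to revoke all derived keys at once.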
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 210.1.1.1/24
set address trust web1 10.1.1.5/32
set user User2 ike-id u-fqdn netscreen.com share-limit 10
set user-group office_2 user User2
set ike gateway Corp_GW dialup office_2 aggressive seed-preshare jk930k sec-level compatible
set vpn Corp_VPN gateway Corp_GW sec-level compatible
set policy top from untrust to trust “Dial-Up VPN” web1 http tunnel vpn Corp_VPN
save

sec-level
set ike gateway name_str { ... } [ ... ] sec-level { basic | compatible | standard }
Example: The following command specifies the pre-defined security proposal compatible:
set vpn Corp_VPN gateway Corp_GW sec-level compatible

single-ike-tunnel
set ike single-ike-tunnel name_str
unset ike single-ike-tunnel name_str
sec-level Specifies which pre-defined security proposal to use for IKE. The basic proposal provides basic-level security settings. The compatible proposal provides the most widely-used settings. The standard proposal provides settings recommended by NetScreen.
single-ike-tunnel Specifies a single Phase 2 SA for all policies to a particular remote peer gateway.
Example: The following command specifies a single Phase 2 SA for all policies to the peer gateway gw1:
set ike single-ike-tunnel gw1

soft-lifetime-buffer
get ike soft-lifetime-buffer
set ike soft-lifetime-buffer number

xauth
set ike gateway name_str { ... } [ ... ] xauth [ ... ]
unset ike gateway xauth
soft-lifetime-buffer Sets a time interval (in seconds) before the current IPSec SA key lifetime expires. When this interval is reached, the device initiates the rekeying operation.
xauth Enables XAUTH authentication. The server name_str parameter specifies the object name of the external server that performs the XAUTH authentication.
• chap Instructs the device to use Challenge Handshake Authentication Protocol (CHAP).
• query-config Instructs the device to query the client configuration from the server.
• user name_str Enables XAUTH authentication for an individual user.
• user-group name_str Enables XAUTH authentication for the users in an XAUTH user group.

Defaults
Main mode is the default method for Phase 1 negotiations.
3DES and SHA-1 are the default algorithms for encryption and authentication.
The default time intervals before the NetScreen mechanism renegotiates another security association are 28,800 seconds in a Phase 1 proposal, and 3600 seconds in a Phase 2 proposal.
The default ID mode is subnet. (Changing the ID mode to IP is only necessary if the data traffic is between two security gateways, one of which is a CheckPoint 4.0 device.)
The default soft-lifetime-buffer size is 10 seconds.
By default, the single-ike-tunnel flag is not set.
By default, the commit bit is not set when initiating or responding to a Phase 2 proposal.

Setting Up a VPN Tunnel
Creating a VPN tunnel for a remote gateway with a static IP address requires up to five steps. To set up one end of a VPN tunnel, gateway 1 (GW1) in the illustration, for bidirectional traffic, follow the steps below.
1. Set the addresses for the trusted and untrusted parties at the two ends of the VPN tunnel:
set address trust host1 10.0.1.1 255.255.255.255
set address untrust host2 10.0.2.1 255.255.255.255
2. Define the IKE Phase 1 proposal and Phase 2 proposal. If you use the default proposals, you do not need to define Phase 1 and Phase 2 proposals.
3. Define the remote gateway:
set ike gateway gw2 ip 204.0.0.2 preshare netscreen proposal pre-g2-3des-md5
4. Define the VPN tunnel as AutoKey IKE:
set vpn vpn1 gateway gw2 proposal g2-esp-des-md5
5. Define outgoing and incoming access policies:
set policy outgoing host1 host2 any tunnel vpn vpn1
set policy incoming host2 host1 any tunnel vpn vpn1
The procedure for setting up a VPN tunnel for a dialup user with IKE constitutes up to five steps.
1. Define the trusted address that the user will access. (See the set address command.)
2. Define the user as an IKE user. See the set user command on page 2-122.
3. Define the IKE Phase 1 proposal, Phase 2 proposal, and remote gateway. (Note: If you use the default proposals, you do not need to define a Phase 1 or Phase 2 proposal.)
4. Define the VPN tunnel as AutoKey IKE. See the set vpn command on page 2-131.
5. Define an incoming access policy, with Dial-Up VPN as the source address and the VPN tunnel you configured in step 4 specified.
ike-cookie
Description: Use the ike-cookie command to remove IKE-related cookies from the NetScreen device.
Syntax
clear
clear [ cluster ] ike-cookie { all | ip_addr }
Keywords and Variables
ip_addr
clear cluster ike-cookie ip_addr
clear ike-cookie ip_addr
Example: The following command removes all cookies based on the IP address 172.16.10.10:
clear ike-cookie 172.16.10.10
all
clear cluster ike-cookie all
clear ike-cookie all
ip_addr Directs the NetScreen device to remove cookies based on an IP address (ip_addr).
all Directs the NetScreen device to remove all cookies.
cluster
clear cluster ike-cookie all
clear cluster ike-cookie ip_addr
cluster Propagates the clear operation to all other devices in an NSRP cluster.
interface
Description: Use the interface commands to define or display interface settings for a NetScreen device. Interfaces are physical or logical connections that handle network, virtual private network (VPN), High Availability (HA), and administrative traffic.
Syntax
get
get interface interface [ dhcp { relay | server { ip { allocate | idle } | option } } | protocol ospf | screen | secondary [ ip_addr ] ]
set (Layer 3 Interface)
set interface interface { bandwidth number | [ ext ip ip_addr mask ] dip number [ ip_addr [ ip_addr [ fix-port ] ] ] | gateway ip_addr [ no-default-interface ] | group | ip ip_addr/mask { tag id_num } | manage { global-pro | ident-reset | ping | scs | snmp | ssl | telnet | web } | manage-ip ip_addr | mip ip_addr { host ip_addr [ netmask mask ] [ vrouter name_str ] } | nat | phy { auto | full | half } { 10mb | 100mb } | route | secondary route-deny | tag id_num zone zone | vip ip_addr [ + ] port_num [ name_str ip_addr [ manual ] ] | webauth | webauth-ip ip_addr | zone zone }
set (Layer 2 Interface)
set interface interface { broadcast { flood | arp [ trace-route ] } | bypass-non-ip |  bypass-others-ipsec | gateway ip_addr [ no-default-interface ] | ip ip_addr/mask { tag id_num } | manage { global-pro | ident-reset | ping | scs | snmp | ssl | telnet | web } | manage-ip ip_addr | nsrp manage zone zone | vlan trunk | webauth | webauth-ip ip_addr }
set (DHCP Relay and Server)
set interface interface dhcp { relay { server-name { name_str | ip_addr } | service | vpn } | server { ip ip_addr { mac mac_addr | to ip_addr } | option { { dns1 | dns2 | dns3 | gateway | news | nis1 | nis2 | pop3 | smtp } ip_addr | domainname name_str | lease number | netmask mask | nistag name_str | wins1 ip_addr | wins2 ip_addr } | service } }
set (DHCP Client)
set interface interface dhcp-client { enable | settings { autoconfig | lease number | server ip_addr | update-dhcpserver | vendor id_str } }
set (High Availability)
set interface { ha | ha1 | ha2 } { bandwidth number | phy { 10mb | 100mb } | webauth | webauth-ip ip_addr }
set (OSPF)
set interface interface protocol ospf { area { ip_addr | number } | authentication { md5 key_str [ key-id id_num ] | password pswd_str } | cost number | dead-interval number | disable | hello-interval number | neighbor-list number1 [ number2 [ number3 [ number4 ] ] ] | priority number | retransmit-interval number | transit-delay number }
set (Tunnel)
set interface tunnel.number { zone name_str | ip ip_addr/mask | protocol { bgp | ospf } }
Note: Use the ip option only after adding the tunnel to a specific zone.
unset
unset interface interface { bandwidth | broadcast [ arp [ trace-route ] ] | bypass-non-ip | bypass-others-ipsec | [ ext ip ip_addr mask ] dip number | group | ip [ ip_addr ] | manage { global-pro | ident-reset | ping | scs | snmp | ssl | telnet | web } | manage-ip | mip ip_addr1 host ip_addr2 [ netmask mask ] | phy { auto | full | half } { 10mb | 100mb } | protocol ospf { area | authentication | cost | dead-interval | disable | hello-interval | neighbor-list | priority | retransmit-interval | transit-delay } | secondary route-deny | vlan trunk | webauth | webauth-ip | zone }
unset (DHCP Relay and Server)
unset interface interface dhcp { relay { server-name { name_str | ip_addr } | service | vpn } | server { ip ip_addr | option { dns1 | dns2 | dns3 | gateway | news | nis1 | nis2 | pop3 | smtp } | service } }
Keywords and Variables
interface
get interface interface [ ... ]
set interface interface { ... } [ ... ]
unset interface interface { ... } [ ... ]
Example: The following command specifies the IP address of a remote gateway peer (172.16.10.10) for the ethernet4 interface:
set interface ethernet4 gateway 172.16.10.10

bandwidth
set interface interface bandwidth number
unset interface interface bandwidth
Example: The following command specifies bandwidth of 10,000 kilobits per second for interface ethernet4:
set interface ethernet4 bandwidth 10000
interface The name of the interface. For more information on interface names, see “Interface Names” on page A-IV.
bandwidth The guaranteed maximum bandwidth in kilobits per second for all traffic traversing the specified interface.
broadcast
set interface interface broadcast { flood | arp [ trace-route ] }
unset interface interface broadcast [ arp [ trace-route ] ]
Example: The following command instructs the NetScreen device to generate an Address Resolution Protocol (ARP) broadcast:
set interface ethernet4 broadcast arp

bypass-non-ip
set interface interface bypass-non-ip
unset interface interface bypass-non-ip
broadcast (vlan1 interface only.) Controls how the NetScreen device determines reachability of other devices while the device is in transparent (L2) mode.
• flood Instructs the NetScreen device to flood frames received from an unknown host out to all interfaces that are in transparent mode. In the process, the device might attempt to copy frames out of ports that cannot access the destination address, thus consuming network bandwidth.
• arp [ trace-route ] Instructs the NetScreen device to generate an Address Resolution Protocol (ARP) broadcast. If the broadcast finds the unknown destination IP address, the device loads its ARP table with the appropriate MAC address and interface. The device uses this entry to reach the destination device directly, and only sends frames through the correct port, thus saving bandwidth. Generating the initial ARP can cause delay, but only for the first frame.
bypass-non-ip (vlan1 interface only.) Allows non-IP traffic, such as IPX, to pass through a NetScreen device running in Transparent mode. (ARP is a special case for non-IP traffic. It is always passed, even when this feature is disabled.)
bypass-others-ipsec
set interface interface bypass-others-ipsec
unset interface interface bypass-others-ipsec

dhcp (relay)
get interface interface dhcp relay
set interface interface dhcp relay { server-name { name_str | ip_addr } | service | vpn }
unset interface interface dhcp relay { server-name { name_str | ip_addr } | service | vpn }
A DHCP relay cannot coexist with the DHCP server on the same interface (it can coexist with the DHCP client).
Example: The following command configures interface ethernet4 to use an external DHCP server at IP address 172.16.10.10:
set interface ethernet4 dhcp relay server-name 172.16.10.10
bypass-others-ipsec (vlan1 interface only.) Openly passes all IPSec traffic through a NetScreen device in Transparent mode. The NetScreen device does not act as a VPN tunnel gateway but passes the IPSec packets onward to other gateways.
relay Configures the NetScreen interface such that the NetScreen device can serve as a DHCP relay agent.
• server-name { name_str | ip_addr } Defines the domain name or IP address of the external DHCP server from which the NetScreen device receives the IP addresses and TCP/IP settings that it relays to hosts on the trusted LAN.
• service Enables the NetScreen device to act as a DHCP relay agent through the interface.
• vpn Allows the DHCP communications to pass through a VPN tunnel. You must first set up a VPN tunnel between the NetScreen device and the external DHCP server.
dhcp (server)
set interface interface dhcp server { ... }
unset interface interface dhcp server { ... }
server Makes the NetScreen interface work as a DHCP server.
• ip ip_addr to ip_addr (In Dynamic mode) Defines a range of IP addresses to use when the DHCP server is filling client requests. Enter the starting IP address and the ending IP address. The IP pool can support up to 255 IP addresses. The IP address must be in the same subnet as the interface IP or the DHCP gateway.
• option Specifies the DHCP server options for which you can define settings.
- dns1 ip_addr | dns2 ip_addr | dns3 ip_addr Defines the IP addresses of the primary, secondary, and tertiary Domain Name Service (DNS) servers.
- gateway ip_addr Defines the IP address of the default trusted gateway to be used by the clients. The IP address must be in the same subnet as the interface IP or the DHCP gateway.
- news ip_addr Specifies the IP address of a news server to be used for receiving and storing postings for news groups.
- nis1 ip_addr | nis2 ip_addr Defines the IP addresses of the primary and secondary NetInfo® servers, which provide the distribution of administrative data within a LAN.
- pop3 ip_addr Specifies the IP address of a Post Office Protocol version 3 (POP3) mail server.
- smtp ip_addr Defines the IP address of a Simple Mail Transfer Protocol (SMTP) mail server.
- domainname name_str Defines the registered domain name of the network.
- lease number Defines the length of time in minutes for which an IP address supplied by the DHCP server is leased. For an unlimited lease, enter 0.
- netmask mask Defines the netmask of the default gateway on the trusted side. The IP address must be in the same subnet as the interface IP or the DHCP gateway.
- nistag string Defines the identifying tag used by the Apple® NetInfo database.
- wins1 ip_addr | wins2 ip_addr Specifies the IP addresses of the primary and secondary Windows Internet Naming Service (WINS) servers.
• service Enables the NetScreen device to act as a DHCP server agent through the interface.
A DHCP server cannot coexist with the DHCP relay on the same interface (it can coexist with the DHCP client).
Example: The following command configures the NetScreen device to act as a DHCP server agent through interface ethernet4:
set interface ethernet4 dhcp server service

dhcp-client
set interface interface dhcp-client { enable | settings { autoconfig | lease number | server ip_addr | update-dhcpserver | vendor id_str } }
dhcp-client Configures an interface (bound to the Untrust zone) for DHCP client services.
• enable Enables DHCP client services for the interface.
• settings Configures DHCP parameters for the interface.
- autoconfig Enables automatic configuration after device power-up.
- lease number Sets the default lease time.
- server ip_addr Specifies the IP address of the DHCP server.
- update-dhcpserver Enables automatic update of the NetScreen DHCP server parameters.
- vendor id_str Specifies the DHCP vendor by ID.
Example: The following command configures interface ethernet3 to perform automatic DHCP configuration after device power-up:
set interface ethernet3 dhcp-client settings autoconfig

ext ip
set interface interface ext ip ip_addr mask dip number [ ip_addr [ ip_addr [ fix-port ] ] ]
unset interface interface ext ip ip_addr mask dip number
ext ip The ext ip ip_addr option configures a DIP in a different subnet from the interface’s subnet. For example, an interface could have IP address 192.168.10.1/24, and the extended DIP could be 172.16.3.1/24.
• dip id_num ip_addr [ ip_addr ] Sets a Dynamic IP (DIP) pool. The NetScreen device uses the pool to dynamically allocate source addresses when it applies Network Address Translation (NAT) to packets traversing the specified interface. The ID number id_num identifies the DIP pool. The IP address ip_addr represents the start of the IP address range. (A single IP address can comprise an entire DIP pool.) The second IP address ip_addr represents the end of the IP address range.
Be sure to exclude the following IP addresses from a DIP pool:
- the WebUI management IP address
- the interface and gateway IP addresses
- any Virtual IP (VIP) and Mapped IP (MIP) addresses
• fix-port Keeps the original source port number in the packet header. Does not apply Port Address Translation (PAT).
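Both the DHCP server range above (at most 255 addresses, within the interface’s subnet or the DHCP gateway’s) and the DIP pool exclusion list just given are easy to get wrong by hand and produce confusing NAT or lease failures when they overlap something else on the interface. The following is an added example, not ScreenOS code: a checker for those two rules that a practitioner can run over planned ranges before typing them in. Treating the range as inclusive of both endpoints, and flagging a DHCP pool that contains the interface’s own address, are this example’s choices; all addresses are constructed.

```python
"""Validate DHCP server and DIP pool ranges against the rules on this page.

Added example, not ScreenOS code. Addresses are constructed.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

DHCP_POOL_MAX = 255   # maximum pool size stated for "dhcp server ip ... to ..."


def pool_range(start: str, end: str) -> Tuple[int, int]:
    """Inclusive IPv4 range as (first, last) integers; rejects a reversed range."""
    first, last = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if last < first:
        raise ValueError(f"range end {end} precedes start {start}")
    return first, last


def check_dhcp_pool(interface_cidr: str, start: str, end: str,
                    dhcp_gateway_cidr: Optional[str] = None) -> List[str]:
    """Findings for 'set interface X dhcp server ip START to END'."""
    findings = []
    first, last = pool_range(start, end)
    size = last - first + 1
    if size > DHCP_POOL_MAX:
        findings.append(f"DHCP pool holds {size} addresses; the maximum is {DHCP_POOL_MAX}")
    iface = ipaddress.ip_interface(interface_cidr)
    allowed = [iface.network]                       # interface subnet ...
    if dhcp_gateway_cidr:
        allowed.append(ipaddress.ip_interface(dhcp_gateway_cidr).network)  # ... or DHCP gateway subnet
    for edge in (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)):
        if not any(edge in net for net in allowed):
            findings.append(f"{edge} is outside the interface subnet {iface.network}"
                            + (" and the DHCP gateway subnet" if dhcp_gateway_cidr else ""))
    if first <= int(iface.ip) <= last:              # this example's extra check
        findings.append(f"DHCP pool contains the interface address {iface.ip}")
    return findings


def check_dip_pool(start: str, end: str, reserved: Dict[str, str]) -> List[str]:
    """Findings for 'dip ID START END' against the addresses the guide says to exclude."""
    first, last = pool_range(start, end)
    findings = []
    for label, addr in reserved.items():
        if first <= int(ipaddress.IPv4Address(addr)) <= last:
            findings.append(f"DIP pool {start}-{end} includes the {label} address {addr}")
    return findings


if __name__ == "__main__":
    # Interface ethernet3 at 10.1.1.1/24 (constructed) with a DHCP pool inside it.
    print(check_dhcp_pool("10.1.1.1/24", "10.1.1.10", "10.1.1.200"))    # []
    print(check_dhcp_pool("10.1.1.1/24", "10.1.1.0", "10.1.2.255"))     # too large, leaves subnet, contains interface IP
    reserved = {"interface": "10.1.1.1", "gateway": "10.1.1.254", "WebUI manage-ip": "10.1.1.2",
                "MIP": "10.1.1.50", "VIP": "10.1.1.60"}
    print(check_dip_pool("10.1.1.100", "10.1.1.120", reserved))         # []
    print(check_dip_pool("10.1.1.40", "10.1.1.70", reserved))           # MIP and VIP inside the pool
```

The reserved dictionary is the exclusion list from the dip description above, keyed by what each address is so the finding says which object collides.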
Example: The following command creates an address (192.168.100.110) in a DIP pool (ID 10) for interface ethernet3 (IP address 172.16.10.10):
set interface ethernet3 ext ip 172.16.10.10/24 dip 10 192.168.100.110

gateway
set interface interface gateway ip_addr [ no-default-route ]
unset interface interface gateway
Example: The following command specifies the IP address of a remote gateway peer (172.16.10.10) for the ethernet4 interface:
set interface ethernet4 gateway 172.16.10.10

ident-reset
set interface interface ident-reset

ip
set interface interface ip ip_addr/mask [ secondary ]
unset interface interface ip ip_addr
gateway The IP address for the default gateway to which the NetScreen device forwards packets that are destined for networks beyond the immediate subnet of the specified interface. The no-default-route switch specifies that there is no default route for this gateway.
ident-reset Directs the NetScreen device to send a TCP Reset announcement, in response to an IDENT request, to port 113.
ip The IP address ip_addr and netmask mask for the specified interface or subinterface. The secondary switch specifies that the IP address is a secondary address.
Example: The following commands create logical interface ethernet3/1.2, bind it to the Trust zone, and assign it IP address 172.168.40.3/24:
set interface ethernet3/1.2 zone trust
set interface ethernet3/1.2 ip 172.168.40.3/24

manage
set interface interface manage { global-pro | ident-reset | ping | scs | snmp | ssl | telnet | web }
unset interface interface manage { global-pro | ident-reset | ping | scs | snmp | ssl | telnet | web }
Example: The following command enables management of SCS through interface ethernet3:
set interface ethernet3 manage scs
manage Enables or disables monitoring and management capability through the interface.
• global-pro Enables (or disables) Global PRO management on the interface.
• ident-reset Directs the NetScreen device to send a TCP Reset announcement, in response to an IDENT request, to port 113.
• ping Enables (or disables) pinging through the interface.
• scs Enables (or disables) SCS (Secure Command Shell) management through the interface.
• snmp Enables (or disables) SNMP management through the interface.
• ssl Enables (or disables) SSL management through the interface.
• telnet Enables (or disables) telnet management through the interface.
• web Enables (or disables) web management through the interface.
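Each manage option above is enabled per interface, so exposure depends on which zone the interface is bound to: telnet and web (HTTP) send administrator credentials in the clear, while scs and ssl do not. The following is an added example, not ScreenOS code: it reads “set interface” lines from a saved configuration (a constructed sample is embedded) and reports cleartext management services enabled on Untrust-zone interfaces, a manage-ip outside the interface’s subnet (which the manage-ip description below requires), and OSPF interfaces authenticating with the cleartext password form instead of md5. Only the command forms shown on this page are parsed.

```python
"""Audit ScreenOS 'set interface' lines for management-plane exposure.

Added example, not ScreenOS code. SAMPLE_CONFIG is constructed.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

CLEARTEXT_MGMT = {"telnet", "web"}
PATTERN = re.compile(r"^set interface (\S+) (.+)$")

SAMPLE_CONFIG = """
set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet1 manage-ip 10.1.1.2
set interface ethernet1 manage scs
set interface ethernet1 manage web
set interface ethernet3 zone untrust
set interface ethernet3 ip 210.1.1.1/24
set interface ethernet3 manage-ip 10.9.9.9
set interface ethernet3 manage telnet
set interface ethernet3 manage web
set interface ethernet3 manage ssl
set interface ethernet3 protocol ospf authentication password s3cret
set interface ethernet4 zone untrust
set interface ethernet4 ip 198.51.100.1/24
set interface ethernet4 manage scs
set interface ethernet4 protocol ospf authentication md5 k3y key-id 1
"""


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Collect zone, ip, manage-ip, manage services and OSPF auth method per interface."""
    ifaces: Dict[str, dict] = defaultdict(
        lambda: {"zone": None, "ip": None, "manage_ip": None, "manage": set(), "ospf_auth": None})
    for line in config.strip().splitlines():
        m = PATTERN.match(line.strip())
        if not m:
            continue
        name, rest = m.group(1), m.group(2).split()
        entry = ifaces[name]
        if rest[0] == "zone" and len(rest) > 1:
            entry["zone"] = rest[1].lower()
        elif rest[0] == "ip" and len(rest) > 1:
            entry["ip"] = rest[1]
        elif rest[0] == "manage-ip" and len(rest) > 1:
            entry["manage_ip"] = rest[1]
        elif rest[0] == "manage" and len(rest) > 1:
            entry["manage"].add(rest[1])
        elif rest[:3] == ["protocol", "ospf", "authentication"] and len(rest) > 3:
            entry["ospf_auth"] = rest[3]          # "md5" or "password"
    return dict(ifaces)


def audit(config: str) -> List[str]:
    """Findings in interface-name order."""
    findings = []
    for name, e in sorted(parse_interfaces(config).items()):
        if e["zone"] == "untrust":
            for svc in sorted(e["manage"] & CLEARTEXT_MGMT):
                findings.append(f"{name}: cleartext management service '{svc}' enabled on an Untrust interface")
        if e["ip"] and e["manage_ip"]:
            net = ipaddress.ip_interface(e["ip"]).network
            if ipaddress.ip_address(e["manage_ip"]) not in net:
                findings.append(f"{name}: manage-ip {e['manage_ip']} is not in the interface subnet {net}")
        if e["ospf_auth"] == "password":
            findings.append(f"{name}: OSPF uses cleartext password authentication; use md5")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

The sample deliberately leaves web enabled on the Trust interface ethernet1 and reports nothing for it; whether cleartext management is acceptable on the inside network is a policy decision, and the audit only enforces the clear-cut case of the Untrust zone.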
manage-ip
set interface interface manage-ip ip_addr
unset interface interface manage-ip
Example: The following commands bind interface ethernet4/1 to the Trust zone, then set the Manage IP address to 172.16.10.10:
set interface ethernet4/1 zone trust
set interface ethernet4/1 manage-ip 172.16.10.10

mip
set interface interface mip ip_addr { host ip_addr [ netmask mask ] [ vrouter name_str ] }
unset interface interface mip ip_addr1 host ip_addr2 [ netmask mask ]
Example: The following command defines a MIP address (172.16.10.10) for interface ethernet3 and directs traffic sent to the MIP to a host at IP address 192.168.40.10:
set interface ethernet3 mip 172.16.10.10 host 192.168.40.10
manage-ip Defines the Manage IP address for the specified physical interface. External applications such as Telnet or WebUI can use this address to configure and monitor the NetScreen device. (This address must be in the same subnet as the interface IP address.)
mip Defines a Mapped IP (MIP) address. The NetScreen device directs traffic sent to the MIP (ip_addr1) to the host with the IP address ip_addr2. The netmask value specifies a single one-to-one mapping or a mapping of one IP address range to another. (Note: Be careful to exclude the interface and gateway IP addresses, and any Virtual IP addresses in the subnet from the MIP address range.)
nat
set interface interface nat

phy
set interface interface phy { auto | full | half } { 10mb | 100mb }
unset interface interface phy { auto | full | half } { 10mb | 100mb }

protocol
get interface interface protocol ospf
set interface interface protocol bgp
set interface interface protocol ospf { area { ip_addr | number } | authentication { md5 key_str [ key-id id_num ] | password pswd_str } | cost number | dead-interval number | disable | hello-interval number | neighbor-list number1 [ number2 [ number3 [ number4 ] ] ] | priority number | retransmit-interval number | transit-delay number }
unset interface interface protocol bgp
unset interface interface protocol ospf { area | authentication | cost | dead-interval | disable | hello-interval | neighbor-list | priority | retransmit-interval | transit-delay }

route
set interface interface route

screen
get interface interface screen

secondary
get interface interface secondary [ ip_addr ]
set interface interface secondary route-deny
nat Directs the device to perform Network Address Translation (NAT) on outbound traffic from the trusted LAN. This option is only available when the device is in Route Mode, in which the interfaces have assigned IP addresses.
phy auto | full | half defines the physical connection mode on the specified interface. The NetScreen unit automatically decides whether to operate at full or half duplex (as required by the network device connected to the NetScreen unit).
protocol ospf Sets, unsets or displays the current routing protocol settings for the interface.
• area { ip_addr | number } Assigns the interface to the specified OSPF area. OSPF areas divide the internetwork into smaller, more manageable constituent pieces. This technique reduces the amount of information that each router must store and maintain about all the other routers.
• authentication { md5 key_str [ key-id id_num ] | password pswd_str } Specifies the authentication method, including MD5 key string, the key identification number, and password.
• cost number Specifies the desirability of the path associated with the interface. The lower the value of this metric, the more desirable the interface path.
• dead-interval number Specifies the maximum amount of time that the NetScreen device waits, after it stops receiving packets from the neighbor, before classifying the neighbor as offline.
• disable Disables OSPF on the interface, thus preventing transmission or receipt of OSPF packets through the interface.
• hello-interval number Specifies the amount of time in seconds that elapses between instances of the interface sending Hello packets to the network announcing the presence of the interface.
• neighbor-list number1 [ number2 [ number3 [ number4 ] ] ] Specifies the number of access lists (up to four), from which the local virtual router accepts valid neighbors to form adjacencies. The access list must be in the virtual router to which the interface is bound.
• priority number Specifies the router election priority.
• retransmit-interval number Specifies the amount of time (in seconds) that elapses before the interface resends a packet to a neighbor that did not acknowledge a previous transmission attempt for the same packet.
• transit-delay number Specifies the amount of time (in seconds) that elapses before the NetScreen device advertises a packet received on the interface.
route Directs the device to run in Route Mode, in which the interfaces have assigned IP addresses.
screen Displays the current firewall (screen) counters.
unset interface interface secondary route-deny

tag
set interface interface.n tag id_num zone zone
Example: The following command creates a subinterface for physical interface ethernet3/1, assigns it VLAN tag 300, and binds it to the Untrust zone:
set interface ethernet3/1.2 tag 300 zone untrust

tunnel
set interface tunnel.n { zone name_str | ip ip_addr/mask | protocol { bgp | ospf } }
Example: The following commands create a tunnel interface named tunnel.2 with IP address 172.10.10.5/24:
set interface tunnel.2 zone untrust
set interface tunnel.2 ip 172.10.10.5/24
ip_addr Identifies a secondary IP address to display.
secondary route-deny Prevents the NetScreen device from automatically routing traffic from a host on one secondary IP address to a host on another secondary IP address.
tag Specifies a VLAN tag (id_num) for a virtual (logical) subinterface. The interface name is interface.n, where n is an ID number that identifies the subinterface. For information on interface names, see “Interface Names” on page A-IV.
tunnel.n Specifies a tunnel interface. The n parameter is an ID number that identifies the tunnel interface.
g the MAIL service (ID 25):
10
an map routable IP addresses to s the port number, which specifies ify the service name and the IP l switch turns off server auto
epts or drops Layer-2 frames. The
es.
performs. For example, the ice to ignore the tags and forward
port.”
���������������� ���������!�
!��
set interface interface vip ip_addr [ + ] port_num [ name_str ip_addr [ manual ] ]
Example: The following command creates a VIP for interface ethernet3, specifyin
set interface ethernet3 vip 172.16.14.15 25 MAIL 192.168.10.
!��������)
set interface vlan1 vlan trunk
unset interface vlan1 vlan trunk
vip Defines a Virtual IP (VIP) address (ip_addr) for the interface so you cinternal servers and access their services. The port_num parameter iwhich service to access. The name_str and ip_addr parameters specaddress of the server providing the service, respectively. The manuadetection. Using the + operator adds another service to the VIP.
vlan trunk (vlan1 interface only.) Determines whether the NetScreen device accdevice makes this decision only when the following conditions apply:
• The NetScreen device is in transparent mode.
• The device receives VLAN tagged frames on an interface.
The device then performs one of two actions.
• Drop the frames because they have tags.
• Ignore the tags and forward the frames according to MAC address
The vlan trunk interface switch determines which action the device command set interface vlan1 vlan trunk instructs the NetScreen devthe frames. This action closely follows that of a Layer-2 switch “trunk
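The two outcomes described for vlan trunk (drop tagged frames, or ignore the tag and forward by MAC address) can be modelled with a small frame parser. The following is an added example, not code from the guide or from ScreenOS: it parses an Ethernet header, detects an 802.1Q tag, and applies the transparent-mode decision for both settings of the switch. The frames, MAC addresses and the learned MAC table are constructed sample data.

```python
# Added example (not from the NetScreen guide): a minimal Ethernet frame parser
# that applies the transparent-mode "vlan trunk" decision described above.
# Frames, MAC addresses and the learned MAC table are constructed test data.
import struct

ETHERTYPE_8021Q = 0x8100  # TPID that marks an 802.1Q VLAN tag


def parse_frame(frame: bytes) -> dict:
    """Return destination, source, VLAN id (or None) and the payload EtherType."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id = tci & 0x0FFF        # low 12 bits of the TCI carry the VLAN ID
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan_id,
            "ethertype": ethertype, "payload": frame[offset:]}


def forwarding_decision(frame: bytes, mac_table: dict, trunk: bool) -> str:
    """Model the transparent-mode handling of one frame.

    trunk=False models the default (tagged frames are dropped); trunk=True
    models 'set interface vlan1 vlan trunk' (tag ignored, forward by MAC).
    """
    info = parse_frame(frame)
    if info["vlan"] is not None and not trunk:
        return "drop: tagged frame and vlan trunk is off"
    out_if = mac_table.get(info["dst"])
    if out_if is None:
        return "flood: destination MAC not learned"
    return f"forward via {out_if}"


def build_frame(dst: bytes, src: bytes, vlan=None, ethertype=0x0800,
                payload=b"\x00" * 46) -> bytes:
    """Construct a test frame, optionally with an 802.1Q tag (PCP 0, DEI 0)."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample data: host B has been learned behind ethernet2.
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
MAC_TABLE = {MAC_B.hex(":"): "ethernet2"}
TAGGED = build_frame(MAC_B, MAC_A, vlan=100)
UNTAGGED = build_frame(MAC_B, MAC_A)

if __name__ == "__main__":
    for name, f in (("tagged", TAGGED), ("untagged", UNTAGGED)):
        print(name, "trunk off ->", forwarding_decision(f, MAC_TABLE, trunk=False))
        print(name, "trunk on  ->", forwarding_decision(f, MAC_TABLE, trunk=True))
```

Note that with the trunk switch on, the VLAN id plays no part in the decision at all, which is exactly the behaviour the text describes: the device forwards by MAC address as a Layer-2 trunk port would, so tagged and untagged frames are treated alike.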
webauth
set interface interface webauth
webauth-ip
set interface interface webauth-ip ip_addr
zone
set interface interface zone zone
unset interface interface zone
Example: To bind interface ethernet2/2 to the Trust zone:
set interface ethernet2/2 zone trust
webauth Enables WebAuth user authentication.
webauth-ip Specifies the WebAuth server IP address for user authentication. Before sending service requests (such as MAIL) through the interface, the user must first browse to the WebAuth address with a web browser. The NetScreen device presents a login screen, prompting for user name and password. After successfully entering the user name and password, the user can send service requests through the interface. To protect an interface with the WebAuth feature, you must create a security policy with the set policy command, specifying the webauth switch. To specify the WebAuth server, use the set webauth command.
zone Binds the interface to a security zone.
intervlan-traffic
Description: Use the intervlan-traffic commands to disable inter-VLAN traffic through a NetScreen device.
It is possible to configure a virtual system (VSYS) with two trusted interfaces, such that traffic can enter the VSYS through one interface and exit through the other without undergoing any security services such as authentication or encryption. This is known as inter-VLAN traffic.
When inter-VLAN traffic poses a security risk, you can disable it using the set intervlan-traffic deny command. To enable inter-VLAN traffic, use the unset intervlan-traffic command.
Syntax
get
get intervlan
set
set intervlan-traffic deny
unset
unset intervlan-traffic [ deny ]
Keywords and Variables
deny
set intervlan-traffic deny
unset intervlan-traffic deny
deny Disables inter-VLAN traffic.
This volume lists and describes NetScreen Command Line Interface (CLI) commands ip through policy.
Note: As you execute CLI commands using the syntax descriptions in this chapter, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the vsys command, which is available on a NetScreen-500 device, but not on a NetScreen-5xp device. Similarly, some command options are unavailable on certain models, as with the df-bit option of the vpn command. This option is available on a NetScreen-500, but not on a NetScreen-5xp.
ip
Description: Use the ip commands to set or display IP parameters for communication with the TFTP server.
Syntax
get
get ip tftp
set
set ip tftp { retry number | timeout number }
Keywords and Variables
retry
set ip tftp retry number
Example: The following command sets the number of retries to 7:
set ip tftp retry 7
retry The number of times to retry a TFTP communication before the NetScreen device ends the attempt and generates an error message.
timeout
set ip tftp timeout number
Example: The following command sets the timeout period to 15 seconds:
set ip tftp timeout 15
timeout Determines how long (in seconds) the NetScreen device waits before terminating an inactive TFTP connection.
ip-classification
Description: Use the ip-classification command to display the current IP classification.
Syntax
get
get ip-classification [ zone zone ]
Keywords and Variables
zone
get ip-classification zone zone
Example: To display the current IP classification for the ethernet1 zone:
get ip-classification zone untrust
zone The name of the security zone.
ippool
Definition: Use the ippool commands to associate the name of an IP pool with a range of IP addresses. IP pools are used when assigning addresses to dialup users using Layer 2 Tunneling Protocol (L2TP).
Syntax
get
get ippool name_str
set
set ippool string ip_addr1 ip_addr2
unset
unset ippool string
Keywords and Variables
Variable Parameters
get ippool name_str
set ippool string ip_addr1 ip_addr2
unset ippool string
string Defines the name of the IP pool.
ip_addr1 Sets the starting IP address in the IP pool.
ip_addr2 Sets the ending IP address in the IP pool.
Example: To configure the IP pool named “office” with the IP addresses 172.16.10.100 through 172.16.10.200:
set ippool office 172.16.10.100 172.16.10.200
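As an added example (not code from the guide or from ScreenOS), the following Python models the checks an administrator would want behind a pool such as the "office" pool above, and the way an L2TP server draws addresses from it for dialup users: the endpoints must be the same IP version and in ascending order, each user keeps one lease, and an exhausted pool yields no address. The class, user names and addresses are constructed for the demonstration.

```python
# Added example (not from the NetScreen guide): validate an IP pool like
# 'set ippool office 172.16.10.100 172.16.10.200' and hand out leases from it
# the way an L2TP Network Server would for dialup users. Constructed demo code.
import ipaddress


class IPPool:
    def __init__(self, name: str, first: str, last: str):
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo.version != hi.version:
            raise ValueError("pool endpoints must be the same IP version")
        if lo > hi:
            raise ValueError("starting address must not be above ending address")
        self.name, self.lo, self.hi = name, lo, hi
        self.leases = {}   # user name -> assigned address

    @property
    def size(self) -> int:
        """Number of addresses in the inclusive range."""
        return int(self.hi) - int(self.lo) + 1

    def contains(self, addr: str) -> bool:
        return self.lo <= ipaddress.ip_address(addr) <= self.hi

    def assign(self, user: str):
        """Return the user's existing lease, else the lowest free address,
        else None when the pool is exhausted."""
        if user in self.leases:
            return self.leases[user]
        in_use = set(self.leases.values())
        for n in range(int(self.lo), int(self.hi) + 1):
            candidate = ipaddress.ip_address(n)
            if candidate not in in_use:
                self.leases[user] = candidate
                return candidate
        return None

    def release(self, user: str) -> None:
        """Return the user's address to the pool (no-op for unknown users)."""
        self.leases.pop(user, None)


def demo():
    """Walk the pool from the guide's example through a few leases."""
    pool = IPPool("office", "172.16.10.100", "172.16.10.200")
    first = pool.assign("jking")       # constructed user name
    again = pool.assign("jking")       # same user keeps the same address
    second = pool.assign("bob")
    pool.release("jking")
    reused = pool.assign("carol")      # the freed address is handed out again
    return pool, first, again, second, reused
```

The exhaustion case matters operationally: a pool sized below the expected number of concurrent dialup users silently stops admitting sessions, so the pool size (101 addresses in the example) should be checked against the expected load.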
l2tp
Description: Use the l2tp commands to configure or remove L2TP (Layer 2 Tunneling Protocol) tunnels and L2TP settings. L2TP is an extension to PPP (Point-to-Point Protocol) that allows ISPs to operate VPNs.
Syntax
clear
clear [ cluster ] l2tp { all | ip ip_addr }
get
get l2tp { all [ active ] | tunn_str [ active ] | default }
set (default)
set l2tp default { auth server name_str [ query-config ] | ippool string | dns1 ip_addr | dns2 ip_addr | wins1 ip_addr | wins2 ip_addr | ppp-auth { any | chap | pap } | radius-port port_num }
set (tunn_str)
set l2tp tunn_str [ [ id id_num ]
[ peer-ip ip_addr ] [ host name_str ]
[ outgoing-interface interface ] [ secret string ]
[ keepalive number ] | remote-setting
{ [ ippool string ] [ dns1 ip_addr ]
[ dns2 ip_addr ] [ wins1 ip_addr ]
[ wins2 ip_addr ] }
auth server name_str [ query-config ] [ user usr_name | user-group grp_name ]
]
unset
unset l2tp { default { dns1 | dns2 | ippool | radius-port | wins1 | wins2 } | tunn_str
{ auth | host | keepalive | outgoing-interface interface { keepalive | secret } |
peer-ip | remote-setting [ ippool ] [ dns1 ] [ dns2 ] [ wins1 ] [ wins2 ] | secret }
Keywords and Variables
Variable Parameters
get l2tp tunn_str
get l2tp tunn_str [ ... ]
set l2tp tunn_str [ ... ]
unset l2tp tunn_str { ... }
Example: The following command identifies the RADIUS authentication server (Rad_Serv) for an L2TP tunnel (Mkt_Tun).
set l2tp Mkt_Tun auth server Rad_Serv
active
get l2tp all active
get l2tp tunn_str active
Example: The following command displays the current active/inactive status of the L2TP connection for a tunnel (home2work):
get l2tp home2work active
tunn_str The name or IP address of the L2TP tunnel.
active Displays the currently active L2TP connections for tunnels.
all
clear cluster l2tp all
clear l2tp all
get l2tp all
auth server
set l2tp tunn_str auth server name_str [ ... ]
set l2tp default auth server name_str [ ... ]
unset l2tp tunn_str auth
Example: The following command directs the device to query the RADIUS authentication server (Rad_Serv) for IP, DNS, and WINS information:
set l2tp Mkt_Tun auth server Rad_Serv query-config
cluster
clear cluster l2tp { ... }
all Displays or clears the ID number, tunnel name, user, peer IP address, peer host name, L2TP tunnel shared secret, and keepalive value for every L2TP tunnel (all) or a specified L2TP tunnel (string).
auth server Specifies the object name (name_str) of the authentication server containing the authentication database. Displays server information, and configures users or user groups.
• query-config Directs the NetScreen device to query the authentication server for IP, DNS, and WINS information.
• user usr_name Assigns a user (usr_name) to the L2TP tunnel.
• user-group grp_name Assigns a user group (grp_name) to the L2TP tunnel.
cluster Propagates the clear operation to all other devices in a NSRP cluster.
default
get l2tp default
set l2tp default { ... }
unset l2tp tunn_str [ ... ]
unset l2tp default { ... }
default Defines or displays the default L2TP settings.
• auth server name_str The object name of the authentication server.
• dns1 ip_addr The IP address of the primary DNS server.
• dns2 ip_addr The IP address of the secondary DNS server.
• ippool string The name of the L2TP IP pool, from which IP addresses are drawn to be assigned to L2TP users.
• ppp-auth { any [ chap | pap ] } Specifies the authentication type in response to a dialup user’s request to make a Point-to-Point Protocol (PPP) link. (The any switch instructs the NetScreen device to negotiate CHAP and then, if that attempt fails, PAP.)
- chap specifies Challenge Handshake Authentication Protocol (CHAP), which encrypts the user’s login name and password during transmission.
- pap specifies Password Authentication Protocol (PAP), which does not use encryption.
• radius-port port_num Defines the port number of the default L2TP server. The number can be between 1024 and 65,535.
• wins1 ip_addr The IP address of the primary WINS server.
• wins2 ip_addr The IP address of the secondary WINS server.
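The difference between the chap and pap options above is easiest to see on the wire. The following is an added example, not code from the guide or from ScreenOS: it runs a CHAP exchange in the shape RFC 1994 gives it (the server issues a random challenge and a one-byte identifier; the client answers with MD5 over identifier, secret and challenge, so the secret itself is never transmitted; the server compares against its own computation) and a PAP exchange beside it for contrast. Strictly, CHAP hashes rather than encrypts the credential, and the replay check shows why the fresh challenge and identifier matter. The ChapServer class, user database, user name and secret are all constructed for the demonstration.

```python
# Added example (not from the NetScreen guide): CHAP (RFC 1994, MD5) versus
# PAP as seen by an observer of the link. All names and secrets are constructed.
import hashlib
import hmac
import os


def chap_response(ident: int, secret: str, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(Identifier || secret || Challenge value)."""
    return hashlib.md5(bytes([ident]) + secret.encode() + challenge).digest()


class ChapServer:
    """The LNS side of CHAP: issues a fresh challenge, verifies the response."""

    def __init__(self, user_db: dict):
        self.user_db = user_db          # user name -> shared secret (constructed)
        self.ident = 0
        self.challenge_value = b""

    def challenge(self):
        self.ident = (self.ident + 1) & 0xFF     # one-byte CHAP identifier
        self.challenge_value = os.urandom(16)    # unpredictable, per exchange
        return self.ident, self.challenge_value

    def verify(self, user: str, ident: int, response: bytes) -> bool:
        secret = self.user_db.get(user)
        if secret is None or ident != self.ident:   # unknown user or stale ident
            return False
        expected = chap_response(ident, secret, self.challenge_value)
        return hmac.compare_digest(expected, response)


def chap_exchange(server: ChapServer, user: str, client_secret: str):
    """One CHAP round trip. Returns (accepted, bytes visible on the link)."""
    ident, chal = server.challenge()
    resp = chap_response(ident, client_secret, chal)
    on_the_wire = chal + resp + user.encode()
    return server.verify(user, ident, resp), on_the_wire


def pap_exchange(user_db: dict, user: str, password: str):
    """PAP: the client sends the user name and the password itself."""
    on_the_wire = user.encode() + b"\x00" + password.encode()
    return user_db.get(user) == password, on_the_wire


USER_DB = {"jking": "s3cret-pw"}   # constructed user and secret for the demo

if __name__ == "__main__":
    srv = ChapServer(USER_DB)
    ok, wire = chap_exchange(srv, "jking", "s3cret-pw")
    print("CHAP accepted:", ok, "| secret visible on wire:", b"s3cret-pw" in wire)
    ok, wire = pap_exchange(USER_DB, "jking", "s3cret-pw")
    print("PAP accepted: ", ok, "| secret visible on wire:", b"s3cret-pw" in wire)
```

The same property is what makes the guide's any setting (negotiate CHAP first, fall back to PAP) worth a second look on untrusted links: a peer that only offers PAP will be accepted, and its password then crosses the link in clear.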
Example: The following commands create a set of default L2TP settings.
• IP pool (chiba).
• Use of the local database.
• CHAP for L2TP authentication.
• Primary and secondary DNS servers at 192.168.2.1 and 192.168.4.71 respectively.
• Primary and secondary WINS servers at 10.20.1.16 and 10.20.5.101 respectively.
set l2tp default ippool chiba
set l2tp default auth local
set l2tp default ppp-auth chap
set l2tp default dns1 192.168.2.1
set l2tp default dns2 192.168.4.71
set l2tp default wins1 10.20.1.16
set l2tp default wins2 10.20.5.101
host
set l2tp tunn_str [ ... ] host name_str [ ... ]
unset l2tp tunn_str host
Example: The following command specifies the host name (lac_host) for the device acting as the LAC:
set l2tp Mkt_Tun host lac_host
id
set l2tp tunn_str id id_num [ ... ]
host Specifies the host name (name_str) of the device acting as the L2TP Access Concentrator (LAC).
id id_num The ID number for the L2TP tunnel.
Example: The following command assigns ID number 15 to an L2TP tunnel (Eng_Tun):
set l2tp Eng_Tun id 15
keepalive
set l2tp tunn_str [ ... ] keepalive number
Example: The following command specifies a keepalive value of 120 for an L2TP tunnel (west_coast):
set l2tp west_coast keepalive 120
outgoing-interface
set l2tp tunn_str [ ... ] outgoing-interface interface
Example: The following command specifies interface ethernet4 as the outgoing interface for L2TP tunnel (east_coast):
set l2tp east_coast outgoing-interface ethernet4
peer-ip
set l2tp tunn_str [ ... ] peer-ip ip_addr [ ... ]
Example: The following command specifies the IP address of the LAC (172.16.100.19):
set l2tp east_coast peer-ip 172.16.100.19
keepalive Defines how many seconds of inactivity the NetScreen device (LNS) waits before sending a hello message to the dialup client (LAC).
outgoing-interface Specifies the outgoing interface for the L2TP tunnel.
peer-ip Specifies the IP address of the L2TP access concentrator (LAC), if it has a static IP address.
secret
set l2tp tunn_str [ ... ] secret string [ ... ]
Example: The following command specifies a shared secret (94j9387):
set l2tp east_coast secret 94j9387
user
set l2tp tunn_str auth server name_str [ ... ] user usr_name
Example: The following command assigns an L2TP user (jking) to an L2TP tunnel (west_coast):
set l2tp west_coast auth server Our_Auth user jking
Defaults
The default L2TP UDP port number is 1701.
By default, the NetScreen device uses no L2TP tunnel secret to authenticate the LAC-LNS pair. This is not a problem, because the device performs IKE authentication when it uses L2TP over IPSec.
The default interval for sending a keepalive message is 60 seconds.
PPP-auth type is any.
secret Defines a shared secret used for authentication between the NetScreen device (which acts as the L2TP Network Server, or LNS) and the L2TP access concentrator (LAC).
user Assigns an L2TP user to the L2TP tunnel. (Not specifying name_str enables any L2TP user.)
lance info
Description: Use the lance info command to get internal debug information for the 10/100 MAC chips on a NetScreen device.
Syntax
get
get lance info
Keywords and Variables
None.
Notes
You can also see the initial part of the get lance info output by using the get interface command.
led
Description: When either an event alarm or a firewall attack occurs, the LED glows red to signal that alarm. Use the clear led command to return an ALARM or FW (firewall) LED to green after an event alarm or a firewall attack occurs.
Syntax
clear
clear [ cluster ] led { alarm | firewall }
Keywords and Variables
alarm
clear [ cluster ] led alarm
cluster
clear cluster led alarm
clear cluster led firewall
alarm Specifies the ALARM LED.
cluster Propagates the clear operation to all other devices in a NSRP cluster.
firewall
clear [ cluster ] led firewall
firewall Specifies the firewall (FW) LED.
lcd
Description: Use the lcd commands to activate or inactivate the LCD on the front panel of a NetScreen device, or to display the current lcd setting.
Syntax
get
get lcd
set
set lcd { display | key-in }
unset
unset lcd { display | key-in }
Keywords and Variables
display
set lcd display
unset lcd display
display Turns the LCD off or on and locks the control keys.
key-in
set lcd key-in
unset lcd key-in
key-in Locks and unlocks the control keys, but does not affect the LCD display.
license-key
Description: Use the license-key command to upgrade or display the current software license.
Syntax
exec
exec license-key { nsrp key_str | vrouter key_str | vsys key_str | zone key_str }
get
get license-key
Keywords and Variables
nsrp
exec license-key nsrp key_str
nsrp Specifies a NetScreen Redundancy Protocol (NSRP) license key (key_str).
vrouter
exec license-key vrouter key_str
vsys
exec license-key vsys key_str
zone
exec license-key zone key_str
vrouter Specifies a virtual router license key (key_str).
vsys Specifies a virtual system (VSYS) license key (key_str).
zone Specifies a security zone license key (key_str).
log
Description: Use the log commands to generate log messages, specify their destinations, and display log status.
Syntax
clear
clear [ cluster ] log { self [ end-time string ] | system [ saved ] | traffic [ policy id_num [ -id_num ] [ end-time string ] ] }
get
get log { asset-recovery | self | traffic [ policy pol_num [ -pol_num ] ]
[ start-time string ] [ end-time string ] [ min-duration string ] [ max-duration string ]
[ service name_str ] [ src-ip ip_addr [ -ip_addr ] [ src-netmask mask ] [ src-port port_num ]
[ dst-ip ip_addr [ -ip_addr ] [ dst-netmask mask ] ] [ no-rule-displayed ] |
setting [ module { system | all } ] }
set
set log { audit-loss-mitigation | module name_str level string destination string }
unset
unset log { audit-loss-mitigation | module name_str level string destination string }
Keywords and Variables
audit-loss-mitigation
set log audit-loss-mitigation
unset log audit-loss-mitigation
cluster
clear cluster log { ... }
destination
set log module name_str level string destination string
unset log module name_str level string destination string
Example: The following command instructs the NetScreen device to direct all system module messages at the alert level (or higher) to the console port.
set log module system level alert destination console
audit-loss-mitigation Stops generation of auditable events when the number of such events exceeds the capacity of the NetScreen device. Enabling this feature reduces the loss of event logs due to log overloads. On some NetScreen devices, you must connect the syslog server to the management interface on the Management Module. This ensures that the syslog server is available if the audit trail fills up and network traffic stops.
cluster Propagates the clear operation to all other devices in a NSRP cluster.
destination Specifies the destination of the generated log messages. The permissible destinations are console, internal, email, snmp, syslog, webtrends, onesecure, and pcmcia.
level
set log module name_str level string destination string
unset log module name_str level string destination string
Example: The following command instructs the NetScreen device to direct all system module messages at the critical level (or higher) to the email server:
set log module system level critical destination email
min-duration/max-duration
get log event { ... } [ ... ] min-duration string [ ... ]
get log event { ... } [ ... ] max-duration string [ ... ]
Example: The following command displays traffic log entries for traffic that lasted 5 minutes to 1 hour:
get log traffic min-duration 00:05:00 max-duration 01:00:00
module
get log event module { ... } [ ... ]
set log module name_str { ... }
level Specifies the minimum urgency level of the generated log messages. Starting with the most urgent, these levels are emergency, alert, critical, error, warning, notification, information, and debugging. For the get log command, the all-levels option displays all security levels.
min-duration Displays traffic log entries for traffic whose duration was longer than or equal to the minimum duration specified.
max-duration Displays traffic log entries for traffic whose duration was shorter than or equal to the maximum duration specified.
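The "level (or higher)" wording in the set log module examples means that a rule's level is a threshold: every message of that urgency or any more urgent one reaches the rule's destination. The following added example (not code from the guide or from ScreenOS) parses a few such rules and routes constructed events through them, using the eight level names in the order the level keyword gives; the rules and events are constructed, and the parse_rule and route functions are this example's own.

```python
# Added example (not from the NetScreen guide): model how
# 'set log module <module> level <level> destination <dest>' rules act as
# per-destination thresholds. Rules, module names and events are constructed.
LEVELS = ["emergency", "alert", "critical", "error", "warning",
          "notification", "information", "debugging"]   # most to least urgent
RANK = {name: i for i, name in enumerate(LEVELS)}       # lower rank = more urgent


def parse_rule(cmd: str) -> dict:
    """Parse one 'set log module NAME level LEVEL destination DEST' command."""
    tok = cmd.split()
    if (len(tok) != 8 or tok[:3] != ["set", "log", "module"]
            or tok[4] != "level" or tok[6] != "destination"):
        raise ValueError(f"unrecognised rule: {cmd!r}")
    if tok[5] not in RANK:
        raise ValueError(f"unknown level {tok[5]!r}")
    return {"module": tok[3], "level": tok[5], "destination": tok[7]}


def route(event: dict, rules: list) -> set:
    """Destinations an event reaches: each rule for the event's module whose
    threshold the event meets ("at the level or higher")."""
    dests = set()
    for r in rules:
        if r["module"] == event["module"] and RANK[event["level"]] <= RANK[r["level"]]:
            dests.add(r["destination"])
    return dests


RULES = [parse_rule(c) for c in (
    "set log module system level alert destination console",
    "set log module system level critical destination email",
    "set log module system level information destination syslog",
)]

EVENTS = [   # constructed sample events, one per interesting level
    {"module": "system", "level": "emergency", "msg": "constructed event"},
    {"module": "system", "level": "critical", "msg": "constructed event"},
    {"module": "system", "level": "warning", "msg": "constructed event"},
    {"module": "system", "level": "debugging", "msg": "constructed event"},
]


def summary(events=EVENTS, rules=RULES) -> list:
    """(level, sorted destinations) for each event, for inspection and tests."""
    return [(e["level"], sorted(route(e, rules))) for e in events]


if __name__ == "__main__":
    for level, dests in summary():
        print(f"{level:12s} -> {', '.join(dests) or '(nowhere)'}")
```

A useful consequence for monitoring: a destination configured only at critical never sees warning-level messages, so an external collector that should receive everything needs its own rule at the least urgent level, as the syslog rule above does.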
unset log module name_str { ... }
Example: The following command instructs the NetScreen device to direct all system module messages at the critical level (or higher) to the webtrends server:
set log module system level critical destination webtrends
no-rule-displayed
get log { ... } [ ... ] no-rule-displayed
Example: The following command displays traffic log entries without displaying access policy information:
get log traffic no-rule-displayed
policy
clear [ cluster ] log traffic policy pol_num [ ... ]
Example: The following command displays traffic log table entries for any access policy with ID 3 to 9 (inclusive):
get log traffic policy 3-9
module Specifies the name of the ScreenOS module that generates the log message.
no-rule-displayed Displays traffic log entries, but does not display access policy information.
policy Displays traffic log entries for an access policy (specified by its ID number) or for several access policies (specified by a range of ID numbers). The ID number can be any value between 0 and the total number of established access policies. To define a range, enter the starting and ending ID numbers using this syntax: pol_num - pol_num
self
clear [ cluster ] log self [ ... ]
get log self [ ... ]
Example: The following command displays traffic log table entries for any access policy with a source IP address of 172.16.10.1 and a destination address of 172.16.10.100:
get log self src-ip 172.16.10.1 dst-ip 172.16.10.100
service
get log { ... } [ ... ] service name_str [ ... ]
Example: The following command displays traffic log table entries for TCP:
get log self service tcp
setting
get log setting [ ... ]
Example: The following command displays traffic log settings for the system module:
get log setting module system
self Clears or displays self-log entries from the log.
service Displays traffic log entries for a specified Service, such as TCP, ICMP, FTP, or Any. The name does not have to be complete; for example, both TC and CP are recognized as TCP. Although you cannot specify a Service group, note that because TP is recognized as FTP, HTTP, and TFTP, entering TP displays log entries for all three Services.
setting Displays log setting information. The module string value specifies the name of the module for which the log settings apply.
src-ip/dst-ip
get log { ... } [ ... ] src-ip ip_addr [ -ip_addr ] [ ... ]
get log { ... } [ ... ] dst-ip ip_addr [ -ip_addr ] [ ... ]
Example: The following command displays traffic log entries for the range of destination IP addresses 172.16.20.5–172.16.20.200:
get log traffic dst-ip 172.16.20.5-172.16.20.200
src-port
get log { ... } [ ... ] src-port port_num [ ... ]
Example: The following command displays traffic log entries from the source port 8081:
get log traffic src-port 8081
src-ip Displays traffic log entries for a specified source IP address or range of source IP addresses. Include the subnet mask for a source IP address to display traffic entries for all IP addresses in the same subnet as the specified source IP address. You cannot specify a source IP range and a source subnet mask simultaneously.
dst-ip Displays traffic log entries for a specified destination IP address or range of destination IP addresses. You can specify the subnet mask for a destination IP address, but you cannot specify a destination IP range and destination subnet mask simultaneously.
src-port Displays traffic log entries for a specified port number or range of source port numbers.
start-time/end-time
get log { ... } start-time string [ ... ]
get log { ... } end-time string [ ... ]
Example: The following command displays event log entries from 3:00 P.M. on March 4, 2001 to 2:59:59 P.M. on March 6:
get log event start-time 03/04/01_15:00 end-time 03/06_14:59:59
system
clear [ cluster ] log system [ ... ]
get log system [ reversely | saved ]
Example: The following command generates log messages from module system, generating only messages that are critical or greater:
set log module system level critical destination console
start-time Displays event log entries that occurred at or after the time specified. The format is day/month/year hour:minute:second. If you omit the year, the device assumes the current year. You can write the year with the last two digits, or with all four digits. The hour, minute, and second are optional. Separate the date from the time with a dash or an underscore.
12/31/2001-23:59:00
12/31/2001_23:59:00
end-time Displays event log entries that occurred at and before the time specified.
system Displays current system log information. The saved switch displays saved system log information. The reversely switch displays information in reverse order.
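The get log filters described in this section (service, src-ip/dst-ip ranges, src-port, min-duration/max-duration, start-time/end-time) combine conjunctively, and two of them have behaviour worth checking against sample data: the service name is matched as a substring (so TP hits FTP, HTTP and TFTP at once), and the time string has optional year and time fields. The following added example (not code from the guide or from ScreenOS) implements these filters over constructed log entries. One assumption is labelled in the code: the guide's worked example reads 03/04/01 as March 4, 2001, so the parser takes the first date field as the month, and a two-digit year is taken as 20yy; the get_log function and the entries are this example's own.

```python
# Added example (not from the NetScreen guide): a model of the 'get log' filters
# run over constructed traffic-log entries. Date-field order (month/day/year,
# following the guide's worked example) and the 20yy expansion are assumptions.
import ipaddress
import re
from datetime import datetime, timedelta

CURRENT_YEAR = 2001   # constructed: year assumed when the time string omits it

# date[/year], optionally '-' or '_' and hour[:minute[:second]]
TIME_RE = re.compile(
    r"^(\d{1,2})/(\d{1,2})(?:/(\d{2}|\d{4}))?"
    r"(?:[-_](\d{1,2})(?::(\d{1,2})(?::(\d{1,2}))?)?)?$")


def parse_log_time(s: str, current_year: int = CURRENT_YEAR) -> datetime:
    """Parse a start-time/end-time string such as 03/04/01_15:00 or 03/06_14:59:59."""
    m = TIME_RE.match(s)
    if not m:
        raise ValueError(f"bad time string {s!r}")
    month, day, year, hh, mm, ss = m.groups()      # month first: assumption
    year = current_year if year is None else int(year)
    if year < 100:                                 # two-digit year -> 20yy: assumption
        year += 2000
    return datetime(year, int(month), int(day), int(hh or 0), int(mm or 0), int(ss or 0))


def parse_duration(s: str) -> timedelta:
    """'hh:mm:ss' as used by min-duration/max-duration."""
    h, m, sec = (int(x) for x in s.split(":"))
    return timedelta(hours=h, minutes=m, seconds=sec)


def ip_in(addr: str, spec: str) -> bool:
    """spec is a single address or an inclusive 'low-high' range."""
    lo, _, hi = spec.partition("-")
    lo = ipaddress.ip_address(lo)
    hi = ipaddress.ip_address(hi) if hi else lo
    return lo <= ipaddress.ip_address(addr) <= hi


def service_matches(name: str, query: str) -> bool:
    """Substring match: TC and CP hit TCP; TP hits FTP, HTTP and TFTP."""
    return query.lower() in name.lower()


def get_log(entries, service=None, src_ip=None, dst_ip=None, src_port=None,
            min_duration=None, max_duration=None, start_time=None, end_time=None):
    """Apply every supplied filter and return the ids of the matching entries."""
    lo_t = parse_log_time(start_time) if start_time else None
    hi_t = parse_log_time(end_time) if end_time else None
    lo_d = parse_duration(min_duration) if min_duration else None
    hi_d = parse_duration(max_duration) if max_duration else None
    hits = []
    for e in entries:
        if service and not service_matches(e["service"], service):
            continue
        if src_ip and not ip_in(e["src"], src_ip):
            continue
        if dst_ip and not ip_in(e["dst"], dst_ip):
            continue
        if src_port is not None and e["sport"] != src_port:
            continue
        if lo_d is not None and e["duration"] < lo_d:      # min-duration: at least
            continue
        if hi_d is not None and e["duration"] > hi_d:      # max-duration: at most
            continue
        if lo_t is not None and e["time"] < lo_t:          # start-time: at or after
            continue
        if hi_t is not None and e["time"] > hi_t:          # end-time: at or before
            continue
        hits.append(e["id"])
    return hits


# Constructed sample traffic-log entries (not real device output).
ENTRIES = [
    {"id": 1, "time": datetime(2001, 3, 4, 15, 30), "service": "HTTP",
     "src": "172.16.10.1", "dst": "172.16.20.50", "sport": 8081, "duration": timedelta(minutes=20)},
    {"id": 2, "time": datetime(2001, 3, 5, 9, 0), "service": "FTP",
     "src": "172.16.10.1", "dst": "172.16.20.250", "sport": 40001, "duration": timedelta(minutes=2)},
    {"id": 3, "time": datetime(2001, 3, 6, 16, 0), "service": "TCP",
     "src": "10.1.1.9", "dst": "172.16.20.100", "sport": 8081, "duration": timedelta(hours=2)},
    {"id": 4, "time": datetime(2001, 3, 4, 12, 0), "service": "ICMP",
     "src": "172.16.10.1", "dst": "172.16.10.100", "sport": 0, "duration": timedelta(seconds=1)},
]

if __name__ == "__main__":
    print("service TP   ->", get_log(ENTRIES, service="TP"))
    print("dst range    ->", get_log(ENTRIES, dst_ip="172.16.20.5-172.16.20.200"))
    print("time window  ->", get_log(ENTRIES, start_time="03/04/01_15:00", end_time="03/06_14:59:59"))
```

The substring behaviour is the one to remember when building a query: service TP above returns both the HTTP and the FTP entry, so a filter meant for one service should be spelled out in full.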
traffic
clear [ cluster ] log traffic [ ... ]
get log traffic [ ... ]
Example: The following command displays traffic log entries from the source port 8081:
get log traffic src-port 8081
traffic Specifies traffic log entries.
mac
Description: Use the mac commands to configure a static Media Access Control (MAC) address for a NetScreen interface, or to display the current configuration.
Syntax
set
set mac mac_addr interface
unset
unset mac mac_addr
Keywords and Variables
Variable Parameters
Example: The following command sets the MAC address on a NetScreen device to 111144446666 for the ethernet7 interface:
set mac 111144446666 ethernet7
mac_addr Specifies the MAC address.
interface Specifies the name of the interface, as with ethernet1.
mac-learn
Description: Use the clear mac-learn command to clear the entries in the Media Access Control (MAC) learning table. This command functions only when the NetScreen device is in Transparent mode.
Syntax
clear
clear [ cluster ] mac-learn [ stats ]
get
get mac-learn [ interface ]
Keywords and Variables
Variable Parameters
get mac-learn interface
cluster
clear cluster mac-learn [ ... ]
interface Identifies the interface.
cluster Propagates the clear operation to all other devices in a NSRP cluster.
stats
clear [ cluster ] mac-learn stats
stats Clears the MAC learning table statistics.
memory
Description: Use the memory commands to set or display the memory allocation conditions.
Syntax
get
get memory [ id_num | all | cache | error | free | module id_num | used ]
Keywords and Variables
Variable Parameters
get memory id_num
all
get memory all
cache
get memory cache
id_num The task ID number.
all Displays memory fragments.
cache Displays malloc cache.
error
get memory error
free
get memory free
mempool
get memory mempool
module
get memory module id_num
used
get memory used
error Displays erroneous memory fragments.
free Displays free memory.
mempool Displays pooled memory.
module Displays a single memory module (id_num).
used Displays used memory.
�4�85��$��*$�48�%��35
6:����
��( 7� �� ret from the NetScreen device.
interface that communicates with
���������������� ���������!�
Description: Use the node_secret command to clear the stored SecurID node sec
�3��".
�����
clear node_secret [ ipaddr ip_addr ]
2�3;��!��"�!��"��"�%��
������
ipaddr Clears the node secret associated with the outgoing IP address of thethe SecurID server (ip_addr).
nrtp
Description: Use the nrtp command to clear all NRTP (NetScreen Reliable Transfer Protocol) packet queues.
NRTP is for multicasting NSRP control messages to multiple receivers. When NetScreen devices are in a redundancy cluster (interconnected through the High Availability ports), NRTP ensures that the master NetScreen device always forwards configuration and policy messages to the backup devices.
Syntax
clear
clear [ cluster ] nrtp queues
Keywords and Variables
cluster
clear cluster nrtp queues
queues
clear [ cluster ] nrtp queues
cluster Propagates the clear operation to all other devices in a NSRP cluster.
queues Clears the NRTP packet queues.
nsp-tunnel
Description: Use the get nsp-tunnel command to get the flow tunnel information.
Syntax
get
get nsp-tunnel [ info number ]
Keywords and Variables
info
get nsp-tunnel info number
Example: The following command displays the flow tunnel information:
get nsp-tunnel info 0x3
info Specifies the flow tunnel information with the info value number. (The value must start with 0x, as with 0x2.)
nsrp
Description: Use the nsrp commands to assign a NetScreen security device to a failover cluster, and to create and configure a Virtual Security Device (VSD) group for the cluster.
The purpose of a VSD group is to allow failover between two or more NetScreen security devices within a defined cluster. Each VSD group represents a group of devices in a cluster, elects a master device from the cluster, and provides a virtual security interface (VSI) that external devices use to reference the devices in the cluster.
A group may contain every device in the cluster. For example, if you give three devices the same cluster id, you can create a VSD group containing all three devices. A device can be in more than one VSD group at a time. For example, a device can be a master in one VSD group, while serving as a backup in another.
The basic steps needed to set up failover VSD groups are as follows.
1. Set up a cluster of devices using the set nsrp cluster command. This command assigns an identical cluster id to each device.
2. Set up a VSD group for the cluster using the set nsrp vsd-group command.
3. Set up a virtual security interface (VSI) for the VSD group using the set interface command.
Syntax
clear
clear [ cluster ] nsrp counter [ packet-fwd | protocol | rto ]
exec
exec nsrp { sync
{ file [ name filename ] from peer | rto { arp | auth-table | dns | l2tp | session | vpn | all } from peer | global-config [ check-sum | save ] } |
vsd-group grp_num mode { backup | ineligible | init | pb }
}
get
get nsrp [ cluster | counter [ protocol | rto ]| group | link | packet-fwd | rto-mirror | track-ip [ ip ip_addr ] | vsd-group [ id id_num | all ] ]
set
set nsrp { arp number | auth password pswd_str | cluster [ id number | name name_str ] | encrypt password pswd_str | interface interface | link-hold-time number | link-up-on-backup | monitor interface interface | rto-mirror
{ hb-interval number | hb-threshold number | id id_num { direction { in | out } } | session off | sync }
secondary-path interface | track-ip
[ ip
[ ip_addr [ interface interface | interval number | method { arp | ping } | threshold number | weight number ] ]
threshold number ]
vsd-group { id id_num
[ mode ineligible | preempt [ hold-down number ] | priority number ] |
hb-interval number | hb-threshold number | init-hold number }
}
unset
unset nsrp { arp number | auth | cluster id | encrypt | link-hold-time | link-up-on-backup | monitor interface interface | rto-mirror
{ hb-interval number | hb-threshold number | id id_num { direction { in | out } } | session off | sync }
secondary-path | track-ip
{ ip [ ip_addr ]
[ interface | interval number | method { arp | ping } | threshold number | weight number ]
} vsd-group
[ all | id number [ mode | preempt | priority ] hb-interval number | hb-threshold number | init-hold number ]
Keywords and Variables
arp
set nsrp arp number
unset nsrp arp number
Example: The following command instructs the NetScreen device to send out seven ARP requests:
set nsrp arp 7
auth
set nsrp auth password pswd_str
unset nsrp auth
Example: The following command sets the NSRP authentication password to “swordfish”:
set nsrp auth password swordfish
arp Sets the number of ARP requests that a newly elected master unit sends out, notifying other network devices of its presence. The default is 4.
auth Instructs the NetScreen device to authenticate NSRP communications using the specified password. Valid passwords contain from 1 to 15 characters.
cluster
get nsrp cluster
set nsrp cluster id number
Example: The following command assigns the NetScreen device to cluster 2:
set nsrp cluster id 2
cluster (clear)
clear cluster nsrp counter [ ... ]
counter
clear [ cluster ] nsrp counter [ ... ]
get nsrp counter [ protocol | rto ]
Example: The following command displays all NSRP counter values:
get nsrp counter
cluster id Assigns the NetScreen device to a cluster, expressed as an integer (from 1 to 127, inclusive) to identify the cluster.
cluster Propagates the clear operation to all other devices in a NSRP cluster.
counter Clears or displays the NSRP counter values.
• packet-fwd Clears or displays packet-forwarding counters only.
• protocol Clears or displays NSRP protocol counters only.
• rto Clears or displays RTO message counters only.
encrypt password
set nsrp encrypt password pswd_str
unset nsrp encrypt
Example: The following command sets the NSRP encryption password to “manta”:
set nsrp encrypt password manta
group
get nsrp group
interface
set nsrp interface interface
Example: The following command specifies that the NSRP interface is ethernet4:
set nsrp interface ethernet4
link
get nsrp link
encrypt password Specifies that NSRP communications be encrypted using the specified password. Valid passwords contain from 1 to 15 characters.
group Displays information on the VSD group.
interface The name of the interface to serve as the high-availability port. For information on interfaces, see “Interface Names” on page A-IV.
link Displays HA link information.
�4�85��$��*$�48�%��35
6�6���
link-hold-time

set nsrp link-hold-time number
unset nsrp link-hold-time

link-up-on-backup

set nsrp link-up-on-backup
unset nsrp link-up-on-backup

monitor interface

set nsrp monitor interface interface
unset nsrp monitor interface interface

Example: The following command specifies that the NSRP monitor interface is ethernet4:

set nsrp monitor interface ethernet4

link-hold-time: The delay time (in seconds) before the NetScreen device brings up the link with the peer device.

link-up-on-backup: Specifies that the link is always up on the backup device.

monitor interface: Specifies the NSRP monitor interface.
rto-mirror

get nsrp rto-mirror
set nsrp rto-mirror { ... }
unset nsrp rto-mirror { ... }

Example: The following command specifies that the RTO mirror group (10) direction is inbound:

set nsrp rto-mirror id 10 direction in

secondary-path

set nsrp secondary-path interface
unset nsrp secondary-path

Example: The following command specifies that the secondary NSRP link interface is ethernet5:

set nsrp secondary-path ethernet5

sync

exec nsrp sync { ... }

Example: The following command instructs the NetScreen device to synchronize all runtime objects:

exec nsrp sync rto all

rto-mirror: Creates an optional RTO mirror between two devices in a VSD group to back up run-time objects (RTOs). In most cases, using this option is not necessary. Normally, RTO objects synchronize after execution of the set nsrp rto sync command. A NetScreen device can belong to only one RTO mirror group at a time.
• id id_num Identifies the VSD group using its identification number id_num, an integer value between 1 and 127 inclusive. The direction setting determines whether the RTO mirror group direction is inbound or outbound.
• hb-interval number Specifies the heartbeat interval in seconds.
• hb-threshold number Specifies the heartbeat-lost threshold. The minimum threshold value is 16 heartbeats.
• session off Disables the RTO session.
• sync Enables RTO object synchronization.

secondary-path: Specifies a secondary NSRP link interface.

sync: Specifies the name of a particular configuration, file, or RTO to copy from one unit to the other.
• file Specifies synchronization of the files in flash memory.
  - name filename specifies a particular file in flash memory. (Executing the file option without specifying a file name copies all the files.)
  - from peer specifies all files from the peer device.
• global-config Specifies synchronization of the current device configurations. The check-sum switch compares the check-sum after synchronization. The save switch saves the synchronization configuration to flash memory.
• rto Specifies synchronization of the current runtime objects (RTOs) in the RTO mirror.
  - all Specifies all possible realtime objects.
  - arp Specifies the Address Resolution Protocol (ARP) information.
  - dns Specifies the Domain Name Service (DNS) information.
  - session Specifies the session information.
  - vpn Specifies all Virtual Private Network (VPN) information.
track-ip

get nsrp track-ip [ ip ip_addr ]
set nsrp track-ip [ ... ]
unset nsrp track-ip [ ... ]

Example: The following command enables path tracking through interface ethernet4 to a device at IP address 172.16.10.10:

set nsrp track-ip ip 172.16.10.10 interface ethernet4

track-ip: Enables path tracking, which is a means for checking the network connection between a NetScreen interface and that of another device. The IP address ip_addr identifies the other network device to check. Executing unset nsrp track-ip resets the track options to their default values.
ip ip_addr
• interface interface Specifies the interface through which the NetScreen device performs the path tracking. By default, the device automatically chooses the interface for IP tracking.
• interval number Specifies the interval in seconds between path tracking attempts. Required value is between 1 and 200. The default is 1.
• method { arp | ping } Specifies the method used for path tracking. The default is ping.
• threshold number Defines the number of failed tracking attempts that can occur before the NetScreen device is said to have failed. The default is 3.
• weight number Defines the path weight. Required value is between 1 and 255. The default weight is 1.

threshold number: Defines the number of failed tracking attempts that can occur before the NetScreen device is said to have failed. The default is 3.
vsd-group

get nsrp vsd-group [ id id_num | all ]
set nsrp vsd-group [ ... ]
unset nsrp vsd-group [ ... ]

vsd-group: Configures a VSD group for a cluster.

id id_num: Creates a VSD group, identified by id_num (from 1 to 8, inclusive), that contains all members belonging to a single cluster of devices. Once created, a VSD group elects a master unit from the cluster it contains. Other devices reference the device cluster in the VSD group through the group’s virtual security identification (VSI).
• mode ineligible Determines the running mode of the security device. The ineligible switch specifies that the local device is not intended for failover, even after system reboot. (This may be necessary for administrative reasons.) Executing unset nsrp vsd-group id number mode ineligible specifies that the device is eligible again.
• preempt [ hold-down number ] Determines if the master unit keeps its master status until the unit itself relinquishes that status. To prevent rapid failovers, the master device waits for the specified hold-down interval, expressed as a number between 0 to 600 seconds inclusive. The default is 3.
• priority number The priority level of the device, expressed as an integer from 1 to 254, inclusive. The priority level determines the failover order for the device. The failover order determines which unit is the master unit when two NetScreen devices in a redundant group power up simultaneously, and which backup unit becomes the next master during a failover. (The unit with the number closest to 1 becomes the master unit.)

init-hold: The number of heartbeats that occur before the system exits the initial state (init mode). This value can be an integer from 5 to 255. The default is 5.

hb-interval number: Specifies the heartbeat interval, expressed in milliseconds. This value can be an integer from 200 to 1000. The default is 200.
Examples: The following command disables the local device for failover:

set nsrp vsd-group id 2 mode ineligible

The following command specifies that ten heartbeats must occur before the device exits the initial state:

set nsrp vsd-group init-hold 10

vsd-group (exec)

exec nsrp vsd-group grp_num mode { ... }

Example: The following command instructs the NetScreen device to take over when the master unit fails:

exec nsrp vsd-group 2 mode pb

The default value of preempt [ hold-down number ] is zero.
The default value of vsd-group id id_num priority number is 100.

hb-threshold number: Specifies the heartbeat-lost threshold, the number of lost heartbeats allowed before failure. This value can be an integer from 3 to 255. The default is 3.

vsd-group grp_num mode: Specifies a VSD group and the NetScreen device’s new mode.
• In backup mode, the device takes over work for the master device when the master device fails.
• In ineligible mode, the device is unavailable as a backup for the master device.
• In init mode, the device is in the transient state that occurs when it joins the VSD group. (At the end of this initial hold up time, the device transitions to another state, such as master, backup, or primary backup.)
• In pb (primary backup) mode, the unit is the first to take over when the master unit fails.
The default value of vsd-group id id_num hb-interval number is 1000 (signifying 1,000 milliseconds, or one second).

The following commands:
• set up an NSRP cluster consisting of two NetScreen devices
• create two VSD groups for the cluster
• make a VSI for the VSD group
• enable RTO object synchronization, including session synchronization

Device A

set interface redundant2 zone trust
set interface ethernet2/1 group redundant2
set interface ethernet2/2 group redundant2
set interface redundant2 manage-ip 10.1.1.3

set nsrp cluster id 1
set nsrp vsd-group id 0 preempt hold-down 10
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 priority 1
set nsrp vsd-group id 1
set nsrp monitor interface redundant2
set nsrp rto-mirror sync
save

Device B

set interface redundant2 zone trust
set interface ethernet2/1 group redundant2
set interface ethernet2/2 group redundant2
set interface redundant2 manage-ip 10.1.1.4

set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 1 priority 1
set nsrp vsd-group id 1 preempt hold-down 10
set nsrp vsd-group id 1 preempt
set nsrp monitor interface redundant2
set nsrp arp 4
set arp always-on-dest

set interface redundant1 zone untrust
set interface ethernet1/1 group redundant1
set interface ethernet1/2 group redundant1

set interface redundant1 ip 210.1.1.1/24
set interface redundant2 ip 10.1.1.1/24
set interface redundant1:1 ip 210.1.1.2/24
set interface redundant2:1 ip 10.1.1.2/24
set vrouter untrust-vr route 0.0.0.0/0 interface redundant1 gateway 210.1.1.250
set vrouter untrust-vr route 0.0.0.0/0 interface redundant1:1 gateway 210.1.1.250
save
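As an added example (not from this guide and not NetScreen code), the following Python script applies the value ranges documented in the nsrp keyword descriptions above to saved ScreenOS configuration text, and flags cluster members whose NSRP traffic has no auth or encrypt password. The range table, the cluster-id comparison and the three sample configurations (the two devices of the example above plus one deliberately faulty variant) are constructed here from the guide's text, not taken from any NetScreen API.

```python
"""Audit ScreenOS 'set nsrp ...' lines against the ranges this guide documents."""

# (keyword, option) -> (min, max), as documented for set nsrp: cluster id 1-127,
# vsd-group priority 1-254, hb-interval 200-1000 ms, hb-threshold 3-255,
# init-hold 5-255, preempt hold-down 0-600 s, track-ip interval 1-200, weight 1-255.
RANGES = {
    ("cluster", "id"): (1, 127),
    ("vsd-group", "priority"): (1, 254),
    ("vsd-group", "hb-interval"): (200, 1000),
    ("vsd-group", "hb-threshold"): (3, 255),
    ("vsd-group", "init-hold"): (5, 255),
    ("vsd-group", "hold-down"): (0, 600),
    ("track-ip", "interval"): (1, 200),
    ("track-ip", "weight"): (1, 255),
}
PASSWORD_LEN = (1, 15)  # set nsrp auth / encrypt password pswd_str: 1 to 15 characters


def nsrp_commands(config_text):
    """Token lists (everything after 'set nsrp') for each 'set nsrp ...' line."""
    cmds = []
    for raw in config_text.splitlines():
        toks = raw.split()
        if toks[:2] == ["set", "nsrp"] and len(toks) > 2:
            cmds.append(toks[2:])
    return cmds


def cluster_id(config_text):
    """Cluster id from 'set nsrp cluster id N', or None when the device is not clustered."""
    for toks in nsrp_commands(config_text):
        if toks[:2] == ["cluster", "id"] and len(toks) > 2 and toks[2].isdigit():
            return int(toks[2])
    return None


def audit_device(name, config_text):
    """Findings for one device: missing cluster/auth/encrypt lines and out-of-range values."""
    findings = []
    cmds = nsrp_commands(config_text)
    present = {toks[0] for toks in cmds}
    if "cluster" not in present:
        findings.append(f"{name}: no 'set nsrp cluster id' line, device is not in a cluster")
    # Without these two lines the peer's NSRP messages are neither authenticated nor encrypted.
    if "auth" not in present:
        findings.append(f"{name}: NSRP authentication password not set")
    if "encrypt" not in present:
        findings.append(f"{name}: NSRP encryption password not set")
    for toks in cmds:
        kw = toks[0]
        if kw in ("auth", "encrypt") and len(toks) >= 3 and toks[1] == "password":
            lo, hi = PASSWORD_LEN
            if not lo <= len(toks[2]) <= hi:
                findings.append(f"{name}: {kw} password must be {lo}-{hi} characters")
            continue
        # Walk the "option value" pairs and compare each numeric value with its range.
        for i in range(1, len(toks) - 1):
            rng = RANGES.get((kw, toks[i]))
            if rng and toks[i + 1].isdigit():
                val = int(toks[i + 1])
                if not rng[0] <= val <= rng[1]:
                    findings.append(f"{name}: {kw} {toks[i]} {val} outside {rng[0]}-{rng[1]}")
    return findings


def audit_cluster(devices):
    """Audit each device, then require every member to name the same cluster id."""
    findings = []
    for name, text in devices.items():
        findings.extend(audit_device(name, text))
    ids = {name: cluster_id(text) for name, text in devices.items()}
    if len(set(ids.values())) > 1:
        listing = ", ".join(f"{n}={i}" for n, i in ids.items())
        findings.append("cluster ids differ across devices: " + listing)
    return findings


# Constructed sample input: the two devices of the configuration example above.
DEVICE_A = """\
set interface redundant2 manage-ip 10.1.1.3
set nsrp cluster id 1
set nsrp vsd-group id 0 preempt hold-down 10
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 priority 1
set nsrp vsd-group id 1
set nsrp monitor interface redundant2
set nsrp rto-mirror sync
"""
DEVICE_B = """\
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 1 priority 1
set nsrp vsd-group id 1 preempt hold-down 10
set nsrp vsd-group id 1 preempt
set nsrp monitor interface redundant2
set nsrp arp 4
"""
# Constructed faulty variant: other cluster id, 16-character password, heartbeat interval below 200 ms.
DEVICE_C = """\
set nsrp cluster id 2
set nsrp auth password abcdefghijklmnop
set nsrp encrypt password manta
set nsrp vsd-group id 1 hb-interval 100
"""

if __name__ == "__main__":
    for finding in audit_cluster({"A": DEVICE_A, "B": DEVICE_B, "C": DEVICE_C}):
        print(finding)
```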
ntp

Description: Use the ntp commands to configure the NetScreen device for Simple Network Time Protocol (SNTP).

To enable the SNTP feature, use the set clock ntp command.

Syntax

exec ntp update
get ntp
set ntp { interval number | server ip_addr | timezone number1 number2 }
unset ntp { server | interval | timezone }

Note: NetScreen’s implementation is based upon Simple Network Time Protocol (SNTP) and is therefore a subset of NTP. It is used to synchronize computer clocks in the Internet. In its simplified version, SNTP is adequate for devices that do not require a high level of synchronization and accuracy.
Keywords and Variables

interval

set ntp interval number
unset ntp interval

Example: The following command configures the NetScreen device to synchronize its clock time every 20 minutes:

set ntp interval 20

server

set ntp server ip_addr
unset ntp server

Example: The following command defines the NTP server with IP address of 172.10.10.6 with which to synchronize clock time:

set ntp server 172.10.10.6

interval: Defines in minutes how often the NetScreen device updates its clock time by synchronizing with the NTP server. The range for the synchronization interval is from 1 to 1440 minutes.

server: The IP address of the NTP server with which the NetScreen device synchronizes time.
timezone

set ntp timezone number1 number2
unset ntp timezone

Example: The following command sets the Time Zone to Greenwich Mean Time:

set ntp timezone 0

update

exec ntp update

timezone: Defines the Time Zone, expressed as an integer number1 between -12 and 12 inclusive. A value of zero denotes GMT (Greenwich Mean Time). number2 expresses minutes.

update: Updates the time setting on a NetScreen device to synchronize it with the time setting on an NTP server.
os

Description: Use the os commands to display mail and task information for the device operating system.

Syntax

get os { mail | task name_str }

Keywords and Variables

mail

get os mail

task

get os task name_str

mail: Displays the mail information.

task: Displays information on a specified task (name_str).
ospf

Description: Use the ospf context to begin configuring OSPF routing protocol for a NetScreen virtual router.

Context Initiation

Initiating the ospf context can take up to four steps:
1. Enter the vrouter context by executing the set vrouter command.
set vrouter vrouter
For example:
set vrouter trust-vr
2. Set the router ID for this virtual routing instance.
set route-id { id_num | ip_addr }
For example:
ns(trust-vr)-> set route-id 172.16.10.10
3. Enter the ospf context by executing the set protocol ospf command.
ns(trust-vr)-> set protocol ospf
4. Enable OSPF protocol (it is disabled by default).
ns(trust-vr/ospf)-> set enable
The following commands are executable in the ospf context.

advertise-def-route: Use the advertise-def-route commands to advertise or display the default route of the current virtual routing instance (0.0.0.0/0) in all areas. Every router has a default route entry, which matches every destination. (Any entry with a more specific prefix overrides the default route entry.) Command options: get, set, unset

area: Use the area commands to configure an area for an OSPF virtual routing instance. An OSPF area is a region that contains a collection of routers or virtual routing instances. Command options: get, set, unset

auto-vlink: Use the auto-vlink commands to direct the local virtual router to automatically create virtual links. Using automatic virtual links replaces the more time-consuming process of creating each virtual link manually. A virtual link is a conveyance that enables two unconnected segments that cannot reach a backbone router to connect with each other. Command options: get, set, unset

config: Use the config command to display all commands executed to configure the OSPF local virtual routing instance. Command options: get

database: Use the database command to display details about the current OSPF link state database. Command options: get

enable: Use the enable commands to enable or disable OSPF from the current routing instance. Command options: get, set, unset

hello-threshold: Use the hello-threshold commands to set or display the hello threshold. When a neighbor device exceeds this threshold by flooding the virtual router with hello packets, the virtual router drops the extra packets. A Hello packet is a broadcast message that announces the presence of a routing instance on the network. Command options: get, set, unset
interface: Use this command to display all OSPF interfaces on the virtual router. Command options: get

lsa-threshold: Use the lsa-threshold commands to set or display the Link State Advertisement (LSA) threshold. When a neighbor device exceeds this threshold by flooding the virtual router with LSA packets, the virtual router drops the extra packets. Link State Advertisements (LSAs) enable OSPF routers to make device, network, and routing information available for the link state database. Command options: get, set, unset

neighbor: Use the neighbor command to display details about neighbor devices. Command options: get

redistribute: Use the redistribute commands to import routes from a different protocol than the one used by the current virtual routing instance. The types of routing protocols from which to import routes include:
• manually-created routes (static)
• routes from BGP (bgp)
• routes that have at least one interface with an IP address assigned to it (connected)
• routes that have already been imported (imported).
Command options: get, set, unset

reject-default-route: Use the reject-default-route commands to reject or restore the default route learned from OSPF (0.0.0.0/0) in the current routing instance. Every router has a default route entry in its routing table. This default route matches every destination. (Any entry with a more specific prefix overrides the default route entry.) Command options: get, set, unset

rfc-1583: Use the rfc-1583 commands to use routing table calculation methods consistent with standards specified in the Request For Comments 1583 document. Command options: get, set, unset

routes-redistribute: Use the routes-redistribute command to display details about routes imported from a protocol other than OSPF. Command options: get
rules-redistribute: Use the rules-redistribute command to display conditions set for routes imported from a protocol other than OSPF. Command options: get

statistics: Use the statistics command to display information about Hello packets, link state packets, database descriptions, Shortest Path First (SPF) packets, packets dropped, errors, and other traffic statistics related to the current OSPF virtual routing instance. Command options: get

stub: Use the stub command to display details about a stub area created in the current OSPF virtual routing instance. Command options: get

summary-import: Use the summary-import commands to summarize a route redistribution. After importing a series of routes to the current OSPF routing instance from a router running a different protocol, you can bundle the routes into one generalized (or summarized) address that uses the same network stem of the prefix address. By summarizing multiple addresses, you allow the OSPF routing instance to treat a series of routes as one route, thus simplifying the process. Command options: get, set, unset

vlink: Use the vlink commands to create a virtual link for the current routing instance. A virtual link is a conveyance that allows two segments to connect when the backbone router bridging them cannot reach either segment. Command options: get, set, unset

vneighbor: Use the vneighbor command to display information about a virtual routing instance neighbor. Command options: get
advertise-def-route

Description: Use the advertise-def-route commands to advertise or display the default route of the current virtual routing instance (0.0.0.0/0) in all areas.

Every router has a default route entry, which matches every destination. (Any entry with a more specific prefix overrides the default route entry.)

Before you can execute the advertise-def-route commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get advertise-def-route
set advertise-def-route [ always ] metric number metric-type { 1 | 2 }
unset advertise-def-route
Keywords and Variables

always

set advertise-def-route always { ... }
unset advertise-def-route

metric

set advertise-def-route [ always ] metric number metric-type { 1 | 2 }
unset advertise-def-route

metric-type

set advertise-def-route [ always ] metric number metric-type { 1 | 2 }
unset advertise-def-route

always: Directs the routing instance to advertise the default route under all conditions, even if there is no default route in the routing table.

metric: Specifies the metric (cost), which indicates the overhead associated with the default route.

metric-type: Specifies the external route type to determine path preference.
• 1 Directs the routing instance to use a Type 1 route to evaluate the default route. A type 1 route is a comparable route, with a lower cost than a type 2 route.
• 2 Directs the routing instance to use a Type 2 route to evaluate the default route. A type 2 route is a non-comparable route, with a higher cost than a type 1 route.
area

Description: Use the area commands to configure an area for an OSPF virtual routing instance.

An OSPF area is a region that contains a collection of routers or virtual routing instances.

Before you can execute the area commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get area
set area { id_num | ip_addr } { stub | nssa }
unset area number
Keywords and Variables

set area id_num
set area ip_addr

Example: The following command creates an OSPF area:

ns(trust-vr/ospf)-> set area 10

nssa

set area { id_num | ip_addr } nssa

stub

set area { id_num | ip_addr } stub

id_num: The OSPF area ID that identifies the area.

ip_addr: The IP address that identifies the area.

nssa: Specifies that the area is a “not so stubby area.”

stub: Specifies the area is a stub area.
auto-vlink

Description: Use the auto-vlink commands to automatically create or display details about virtual links.

Using automatic virtual links replaces the more time-consuming process of creating each virtual link manually. A virtual link is a conveyance that enables two unconnected segments that cannot reach a backbone router to connect with each other.

Before you can execute the auto-vlink commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get auto-vlink
set auto-vlink
unset auto-vlink

Keywords and Variables

None.
config

Description: Use the config command to display all commands executed to configure the OSPF local virtual routing instance.

Before you can execute the config command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get config

Keywords and Variables

None.
database

Description: Use the database command to display details about the current OSPF database.

Before you can execute the database command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get database [ detail ] [ area [ number | ip_addr ] ]
    [ asbr-summary | external | network | nssa-external | router | summary
    [ adv-router ip_addr | self-originate ]
    [ link-state-id ip_addr ] ]
Keywords and Variables

adv-router

get database [ ... ] adv-router ip_addr [ ... ]

Example: The following command displays the LSAs from a router with router ID 172.16.10.10:

get database adv-router 172.16.10.10

area

get database [ ... ] area [ number | ip_addr ] [ ... ]

Example: The following command displays the LSAs from an area (4):

get database area 4

detail

get database detail [ ... ]

Example: The following command generates a detailed display of LSAs from an area (4):

get database detail area 4

adv-router: Displays the Link State Advertisements (LSAs) from the specified advertising router (ip_addr).

area: Displays the LSAs in the current area.

detail: Displays detailed information.
external

get database [ ... ] external [ ... ]

Example: The following command displays external LSAs:

get database external

link-state-id

get database { ... } link-state-id ip_addr

Example: The following command generates a detailed display of external LSAs with link-state ID 172.16.1.1:

get database detail external link-state-id 172.16.1.1

network

get database [ ... ] network [ ... ]

Example: The following command displays network LSAs:

get database network

external: Displays external LSAs.

link-state-id: Displays the LSA with a specified link-state ID (ip_addr).

network: Displays the network LSAs.
nssa-external

get database [ ... ] nssa-external [ ... ]

Example: The following command displays external LSAs for not-so-stubby areas:

get database nssa-external

router

get database [ ... ] router [ ... ]

Example: The following command displays router LSAs:

get database router

self-originate

get database [ ... ] self-originate [ ... ]

Example: The following command displays self-originated LSAs:

get database self-originate

nssa-external: Displays the not-so-stubby areas (NSSAs) external LSAs.

router: Displays router LSAs.

self-originate: Displays self-originated LSAs.
summary

get database [ ... ] summary [ ... ]

Example: The following command displays summary LSAs:

get database summary

summary: Displays summary LSAs.
enable

Description: Use the enable commands to enable or disable OSPF from the current routing instance.

Before you can execute the set enable command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

set enable
unset enable

Keywords and Variables

None.
hello-threshold

Description: Use the hello-threshold commands to set or display the hello threshold. When a neighbor device exceeds this threshold by flooding the virtual router with hello packets, the virtual router drops the extra packets.

A Hello packet is a broadcast message that announces the presence of a routing instance on the network.

Before you can execute the hello-threshold commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get hello-threshold
set hello-threshold number
unset hello-threshold
Keywords and Variables

set hello-threshold number

Example: The following command sets the maximum number of packets to allow in the hello interval to 1000:

ns(trust-vr/ospf)-> set hello-threshold 1000

number: The maximum number of hello packets the virtual router accepts from a neighbor in the hello interval.
interface

Description: Use this command to display all OSPF interfaces on the virtual router.

Before you can execute the interface command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get interface

Keywords and Variables

None.
lsa-threshold

Description: Use the lsa-threshold commands to set or display the Link State Advertisement (LSA) threshold. When a neighbor device exceeds this threshold by flooding the virtual router with LSA packets, the virtual router drops the extra packets.

Link State Advertisements (LSAs) enable OSPF routers to make device, network, and routing information available for the link state database.

Before you can execute the lsa-threshold commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get lsa-threshold
set lsa-threshold number1 number2
unset lsa-threshold number1 number2
Keywords and Variables

set lsa-threshold number1 number2
unset lsa-threshold number1 number2

Example: The following command creates an OSPF LSA threshold:

set lsa-threshold 10 30

number1: The LSA time interval (in seconds).

number2: The maximum number of LSAs that the virtual router accepts within the time interval expressed by number1.
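An added example, not from this guide: a per-neighbor filter in Python that models the behaviour the hello-threshold and lsa-threshold descriptions give (accept at most a fixed number of packets from one neighbor per interval, drop the extra packets), run over constructed LSA arrival times with the page's own `set lsa-threshold 10 30` values. The guide does not say whether the device counts over a sliding or a fixed window, so the sliding window here is an assumption.

```python
from collections import defaultdict, deque


def threshold_filter(arrivals, interval, limit):
    """Accept at most `limit` packets per neighbor in any `interval`-second window.

    arrivals: (timestamp_seconds, neighbor_router_id) pairs in arrival order.
    Returns (accepted, dropped): dicts mapping neighbor -> packet count.
    The sliding window is an assumption; the guide only states the limit per interval.
    """
    window = defaultdict(deque)   # neighbor -> timestamps of accepted packets still in window
    accepted = defaultdict(int)
    dropped = defaultdict(int)
    for ts, nbr in arrivals:
        recent = window[nbr]
        while recent and ts - recent[0] >= interval:   # expire packets older than one interval
            recent.popleft()
        if len(recent) < limit:
            recent.append(ts)
            accepted[nbr] += 1
        else:
            dropped[nbr] += 1   # the "extra packets" the guide says the virtual router drops
    return dict(accepted), dict(dropped)


# Constructed traffic: one neighbor floods 50 LSAs in two seconds while another
# sends one LSA per second; both are filtered with the page's 'set lsa-threshold 10 30'.
FLOOD = [(i * 0.04, "10.1.1.2") for i in range(50)]
STEADY = [(float(i), "10.1.1.3") for i in range(5)]


def lsa_example():
    """Apply number1=10 seconds, number2=30 LSAs to the constructed traffic."""
    return threshold_filter(sorted(FLOOD + STEADY), interval=10, limit=30)


if __name__ == "__main__":
    acc, drop = lsa_example()
    print("accepted:", acc)   # the flooder keeps 30 LSAs, the steady neighbor all 5
    print("dropped:", drop)   # the 20 excess LSAs from 10.1.1.2
```

The same function with the hello interval as `interval` and the hello-threshold value as `limit` models the hello-packet case.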
neighbor

Description: Use the neighbor command to display details about neighbor devices.

Before you can execute the neighbor command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get neighbor

Keywords and Variables

None.
redistribute

Description: Use the redistribute commands to import known routes from a router running a different protocol than the current virtual routing instance.

The types of routers from which to import routes include:
• routers with manually created routes (static)
• routers running BGP (bgp)
• routers that have at least one interface with an IP address assigned to it (connected)
• routers with routes that have already been imported (imported)

Before you can execute the redistribute commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get routes-redistribute
get rules-redistribute
set redistribute route-map string protocol { bgp | connected | imported | static }
unset redistribute route-map name_str protocol { bgp | connected | imported | static }
Keywords and Variables

protocol

set redistribute route-map string protocol { ... }

Example: The following command redistributes a route that originated on a router that has at least one interface with an IP address assigned to it:

ns(trust-vr/ospf)-> set redistribute route-map map1 protocol connected

route-map

set redistribute route-map string protocol { ... }

Example: The following command redistributes a route that originated from a BGP routing domain into the current OSPF routing domain:

ns(trust-vr/ospf)-> set redistribute route-map map1 protocol bgp

protocol: Specifies routing protocol. The route map can use the protocol type to determine whether to forward or deny an incoming packet.
• bgp specifies that the route map performs an action only on BGP routes in the subnetwork.
• connected specifies that the route map performs an action only on routes sent from a router that has at least one interface with an IP address assigned to it.
• imported specifies that the route map performs an action only on imported routes in the subnetwork.
• static specifies that the route map performs an action only on static routes in the subnetwork.

route-map: Identifies the route map that indicates the path for which the route should be imported.
reject-default-route

Description: Use the reject-default-route commands to reject or restore the default route learned from OSPF (0.0.0.0/0).

Every router has a default route entry in its routing table. This default route matches every destination. (Any entry with a more specific prefix overrides the default route entry.)

Before you can execute the reject-default-route commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get reject-default-route
set reject-default-route
unset reject-default-route

Keywords and Variables

None.
rfc-1583

Description: Use the rfc-1583 commands to use routing table calculation methods consistent with standards specified in the Request For Comments 1583 document.

Before you can execute the rfc-1583 commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get rfc-1583
set rfc-1583
unset rfc-1583

Keywords and Variables

None.
routes-redistribute

Description: Use the routes-redistribute command to display details about routes imported from a protocol other than OSPF.

Before you can execute the routes-redistribute command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get routes-redistribute

Keywords and Variables

None.
�-� �/� (����1- es imported from a protocol
f context. (See “Context
���������������� ���������!�
Description: Use the rules-redistribute command to display conditions set for routother than OSPF.
Before you can execute the rules-redistribute command, you must initiate the ospInitiation” on page 265.)
�3��".
���
get rules-redistribute
2�3;��!��"�!��"��"�%��
None.
statistics
Description: Use the statistics command to display information about the following objects associated with an OSPF virtual routing instance:
• Hello Packets
• Link State Requests
• Link State Acknowledgments
• Link State Updates
• Database Descriptions
• Areas Created
• Shortest Path First Runs
• Packets Dropped
• Errors Received
• Bad Link State Requests
Before you can execute the statistics command, you must initiate the ospf context. (See “Context Initiation” on page 265.)
Syntax
get statistics
Keywords and Variables
None.
stub
Description: Use the stub command to display details about a stub area created for the current OSPF virtual routing instance.
Before you can execute the stub command, you must initiate the ospf context. (See “Context Initiation” on page 265.)
Syntax
get stub [ ip_addr ]
Keywords and Variables
ip_addr
get stub ip_addr
Example: The following command displays details about a stub area created on the current OSPF virtual routing instance:
ns(trust-vr/ospf)-> get stub 192.168.20.20
ip_addr Identifies the stub area.
summary-import
Description: Use the summary-import commands to summarize a route redistribution.
After importing a series of routes to the current OSPF routing instance from a router running a different protocol, you can bundle the routes into one generalized (or summarized) address that uses the same network stem of the prefix address. By summarizing multiple addresses, you allow the OSPF routing instance to treat a series of routes as one route, thus simplifying the process.
Before you can execute the summary-import commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)
Syntax
get summary-import
set summary-import ip ip_addr/mask [ tag { ip_addr | id_num } ]
unset summary-import ip ip_addr/mask
Keywords and Variables
ip
set summary-import ip ip_addr/mask [ ... ]
unset summary-import ip ip_addr/mask
tag
set summary-import ip ip_addr/mask tag { ip_addr | id_num }
Example: The following command summarizes a set of imported routes under one route (20):
ns(trust-vr/ospf)-> set summary-import ip 2.1.1.0/24 tag 20
ip The summarized prefix, consisting of an address (ip_addr) and network mask (mask) encompassing all the imported routes.
tag A value that acts as an identifier for the summarized prefix. The virtual router uses this identifier when advertising a new external LSA.
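The summarization decision above, as an added Python model that is not part of the NetScreen guide: it computes the smallest set of prefixes that exactly covers a set of imported routes, checks an operator-chosen ip_addr/mask against them, and reports both routes the summary misses and the address space it would advertise beyond what was actually imported. The route lists are constructed sample input, and the command string is built from the syntax shown above (a hypothetical helper, not device output).

```python
from ipaddress import IPv4Network, collapse_addresses
from typing import Dict, Iterable, List


def minimal_summaries(routes: Iterable[str]) -> List[str]:
    """Smallest set of prefixes that covers exactly the given routes and nothing else."""
    nets = [IPv4Network(r, strict=True) for r in routes]
    return [str(n) for n in collapse_addresses(nets)]


def check_summary(summary: str, routes: Iterable[str]) -> Dict[str, object]:
    """Compare an operator-chosen summary (ip_addr/mask) with the imported routes.

    covers_all       - every imported route lies inside the summary
    uncovered        - imported routes the summary does not reach (should be empty)
    advertised_extra - addresses the summary announces that no imported route
                       actually covers; non-zero means the external LSA attracts
                       traffic for space the importing router cannot deliver
    """
    s = IPv4Network(summary, strict=True)
    nets = [IPv4Network(r, strict=True) for r in routes]
    inside = [n for n in nets if n.subnet_of(s)]
    uncovered = [str(n) for n in nets if not n.subnet_of(s)]
    # Collapse first so overlapping imported routes are not counted twice.
    covered = sum(n.num_addresses for n in collapse_addresses(inside))
    return {
        "covers_all": not uncovered,
        "uncovered": uncovered,
        "advertised_extra": s.num_addresses - covered,
    }


def summary_import_command(summary: str, routes: Iterable[str], tag: int) -> str:
    """Build the CLI line (shape taken from the syntax above) only when the
    summary really covers every imported route; a hypothetical helper."""
    result = check_summary(summary, routes)
    if not result["covers_all"]:
        raise ValueError(f"summary {summary} misses {result['uncovered']}")
    # Caller decides whether a non-zero advertised_extra is acceptable first.
    return f"set summary-import ip {summary} tag {tag}"


if __name__ == "__main__":
    # Constructed sample: routes imported from another protocol into trust-vr/ospf.
    imported = ["2.1.1.0/26", "2.1.1.64/26", "2.1.1.128/25"]
    print(minimal_summaries(imported))                   # ['2.1.1.0/24']
    print(check_summary("2.1.1.0/24", imported))         # covers all, no extra space
    print(summary_import_command("2.1.1.0/24", imported, 20))
    print(check_summary("2.1.0.0/22", imported))         # 768 addresses over-advertised
```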
vlink
Description: Use the vlink commands to create a virtual link for the current routing instance.
A virtual link is a conveyance that allows two segments to connect when the backbone router bridging them cannot reach either segment.
Before you can execute the vlink command, you must initiate the ospf context. (See “Context Initiation” on page 265.)
Syntax
get vlink
set vlink area-id { id_num1 | ip_addr1 } router-id { id_num2 | ip_addr2 }
unset vlink area-id { id_num1 | ip_addr1 } router-id { id_num2 | ip_addr2 }
Keywords and Variables
area-id
set vlink area-id { id_num1 | ip_addr1 } { ... }
unset vlink area-id { id_num1 | ip_addr1 } { ... }
Example: The following command creates a virtual link using an area of 0.0.0.1 for router with an ID of 10:
ns(trust-vr/ospf)-> set vlink area-id 0.0.0.1 router-id 10
router-id
set vlink area-id { id_num1 | ip_addr1 } router-id { id_num2 | ip_addr2 }
unset vlink area-id { id_num1 | ip_addr1 } router-id { id_num2 | ip_addr2 }
id_num1 The ID number of the area through which the virtual link is connected.
ip_addr1 The IP address of the area through which the virtual link is connected.
area-id Specifies the ID or IP address of the area to which the virtual link is connected.
router Specifies the ID or IP address of the router that comprises the other end of the virtual link.
Example: The following command creates a virtual link using an area of 0.0.0.1 for router with an ID of 10.10.10.20:
ns(trust-vr/ospf)-> set vlink area-id 0.0.0.1 router-id 10.10.10.20
vneighbor
Description: Use the vneighbor command to display information about a neighbor on the virtual link.
Before you can execute the vneighbor command, you must initiate the ospf context. (See “Context Initiation” on page 265.)
Syntax
get vneighbor
Keywords and Variables
None.
performance
Description: Use the performance command to retrieve CPU utilization information on the NetScreen device.
Syntax
get performance cpu [ detail ]
Keywords and Variables
detail
get performance cpu detail
detail Displays cpu performance detail.
ping
Description: Use the ping command to check the network connection to another system.
Syntax
ping [ ip_addr | name_str ]
[ count number [ size number [ time-out number ] ] ] [ from interface ]
Keywords and Variables
ip_addr | name_str
ping [ ip_addr | name_str ] [ ... ]
Example: The following command pings a host with IP address 172.16.11.2:
ping 172.16.11.2
count
ping [ ip_addr | name_str ] count number [ ... ]
Example: The following command pings a device at 10.100.2.171 with a ping count of 3:
ping 10.100.2.171 count 3
from
ping [ ip_addr | name_str ] [ ... ] from interface
Examples: The following command pings a device at 10.100.2.11 with a ping count of 4 from the ethernet1 interface:
ping 10.100.2.11 count 4 from ethernet1
The following command pings a host with IP address 192.168.11.2 and sends the results to IP address 10.1.1.3:
ping 192.168.11.2 from mip 10.1.1.3
size
ping [ ip_addr | name_str ] count number size number [ ... ]
time-out
ping [ ip_addr | name_str ] count number size number time-out number
Example: The following command pings a device at 10.100.2.11 with:
• a ping count of 4
• packet size 1000
• ping timeout of three seconds:
ping 10.100.2.11 count 4 size 1000 time-out 3
Note: An extended ping (using the from option) pings a host on the Untrusted network from any existing MIP, or from the Trusted interface IP address. The syntax for specifying a MIP is mip ip_addr (see example in from keyword description).
ip_addr | name_str Pings the host at IP address (ip_addr) or with name (name_str).
count The ping count (number).
from The source interface (interface) for an extended ping. For more information on interfaces, see “Interface Names” on page A-IV.
size The packet size (number) for each ping.
time-out The ping timeout in seconds (number).
pki
Definition: Use the pki commands to manage public-key infrastructure (PKI). These commands perform the following tasks:
• Manage PKI object.
• Create new RSA key pairs.
• Acquire certificate or CRL.
• Configure PKI-related operation, such as verification of certificate revocation.
• Designate the certificate authority server information.
Syntax
exec pki { convert-cert | dsa new-key key_num | rsa new-key key_num | x509
    { delete number | install-factory-certs name_str | pkcs10 | scep { id_num | new } | tftp ip_addr { cert-name name_str | crl-name name_str } }
    }
get pki { authority { id_num | default }
    { cert-path | cert-status | scep } |
    ldap | src-interface | x509
    { cert-path | crl-refresh | dn | list
    { cert-fqdn | ca-cert | cert | crl | key-pair | local-cert | pending-cert } |
    pkcs10 | raw-cn | send-to }
    }
set (authority)
set pki authority { id_num | default } { cert-path { full | partial } | cert-status
    { crl
    { refresh { daily | default | monthly | weekly } | server-name { ip_addr | dom_name } | url url_str }
    ocsp { refresh number | url url_str
    [ id-type { certhash | certid | issuer-serial | name | pkcert } ]
    [ l-sign-request ] [ no-nonce ] [ no-response-type ]
    [ not-verify-resp-cert ] ]
    } | revocation-check { best-effort | none | all | crl | ocsp } |
    scep { authentication { failed | passed } | ca-cgi string | ca-id name_str | challenge pswd_str | current |
    mode { auto | manual } | polling-int number | ra-cgi string | renew-start number }
    }
set (ldap)
set pki ldap { server-name { name_str | ip_addr } | crl-url url_str }
set (x509)
set pki x509 { cert-fqdn string | default
    { cert-path { full | partial } | crl-refresh { daily | default | monthly | weekly } | send-to string } |
    dn { country-name name_str | email string | ip ip_addr | local-name name_str | name name_str |
    org-name name_str | org-unit-name name_str | phone string | state-name name_str } |
    friendly-name string | raw-cn enable }
    }
unset pki { authority { id_num | default }
    { cert-path | cert-status
    { crl { refresh | server-name | url } | revocation-check } |
    scep { ca-cgi | ca-id | challenge | current | mode | polling-int | ra-cgi | renew-start }
    } | ldap
    { crl-url | server-name } |
    x509 { cert-fqdn | default { cert-path | crl-refresh | send-to } | dn
    { country-name | email | ip | local-name | name | org-name | org-unit-name | phone | state-name }
    friendly-name id_num | raw-cn }
    }
Keywords and Variables
authentication
set pki authority { ... } scep authentication { failed | passed } [ id_num ]
unset pki authority { ... } scep authentication
Example: The following command sets the result of a CA certificate authentication to passed:
set pki authority default scep authentication passed
authority
get pki authority { id_num | default } { ... }
set pki authority { id_num | default } { ... }
unset pki authority { id_num | default } { ... }
Example: The following command instructs the NetScreen device to check for certificate revocation on a daily basis:
set pki authority default cert-status crl refresh daily
authentication Sets the result of the CA certificate authentication, failed or passed. The id_num value identifies a defined key pair.
authority Defines how the NetScreen device uses the CA’s authorization services. The id_num parameter is the identification number of the CA certificate. The default switch specifies the default authority configuration.
cert-path
get pki authority { id_num | default } cert-path
set pki authority { id_num | default } cert-path { full | partial }
unset pki authority { id_num | default } cert-path
Example: The following command defines the certificate path validation level as full:
set pki authority default cert-path full
cert-status
get pki authority { id_num | default } cert-status
set pki authority { id_num | default } cert-status { ... }
authority Defines the X509 certificate path validation level. When the device verifies a certificate, it builds a certificate chain from certificates received from the peer and the certificate stored locally. Certificates loaded locally are considered "trusted".
• full Directs the NetScreen device to validate the certificate chain to the root. (The last certificate in the certificate chain must be a root CA certificate.)
• partial Specifies partial path validation. (The last certificate in the certificate chain may be a non-root CA certificate.)
In either case, the last certificate in the chain must come from local storage. You can set this certificate path validation level for a CA or a VSYS.
unset pki authority { id_num | default } cert-status { ... }
cert-status Defines how the NetScreen device verifies certificate status.
• crl Configures Certificate Revocation List (CRL) parameters.
- refresh Determines how often (daily, monthly, or weekly) the NetScreen device uses OCSP to check for revocation. The default option uses the validation date decided by the CRL.
- server-name { ip_addr | dom_name } Specifies the LDAP server.
- url url_str Specifies the URL for accessing the CRL.
• ocsp Configures Online Certificate Status Protocol (OCSP) parameters.
- refresh number Determines the interval (in seconds) between revocation checks. (Not currently available.)
- url url_str Specifies the URL for accessing the OCSP responder. The id-type specifies the type of certificate ID.
- certhash Specifies that the ID is a hash of the certificate. (Not currently available.)
- certid ID number of the certificate (defined in RFC 2560).
- issuer-serial Specifies that the ID is the certificate issuer name and serial number. (Not currently available.)
- name Specifies that the ID is a general name. (Not currently available.)
- pkcert Specifies that the ID is the name of the certificate. (Not currently available.)
- not-verify-resp-cert Disables verification of the responder certificate.
Example: The following command directs the NetScreen device to use the CRL to check certificate status:
set pki authority default cert-status revocation-check crl
convert-cert
exec pki convert-cert
current
set pki authority { ... } scep current
unset pki authority { ... } scep current
Example: The following command uses the current SCEP setting as the default:
set pki authority default scep current
• revocation-check Specifies how the NetScreen device checks certificates to see if they are currently revoked.
- best-effort Specifies that the device can use a certificate for which there is no revocation information. This option is useful when CRL retrieval is not practical. For example, in some environments the CRL server is only accessible through a tunnel; however, the CRL information is necessary to build the tunnel originally. When you use the best-effort setting, it is advisable to check the event log periodically. The device should accept a certificate without revocation information only when no revocation information is available. Repeatedly failing to get revocation information for a certificate usually indicates improper configuration.
- crl Specifies that the device uses CRL to check certificate status.
- none Specifies that the device does not perform a check of certificate status.
- ocsp Specifies that the device uses OCSP to check certificate status.
convert-cert Converts VSYS certificate (for versions prior to ScreenOS 3.0) to use the internal VSYS identifier in ScreenOS 3.0 and above.
current Directs the NetScreen device to use the current SCEP setting as default.
dsa new-key
exec pki dsa new-key key_num
ldap
get pki ldap
set pki ldap { ... }
unset pki ldap { ... }
Example: The following command assigns 162.128.20.12 as the CA server’s IP address:
set pki ldap server-name 162.128.20.12
raw-cn enable
set pki x509 raw-cn enable
dsa new-key Generates a new DSA public/private key pair with a specified bit length. Key length is 512, 786, 1024, or 2048.
ldap Specifies settings for the LDAP server, when the CA certificate for the server is not in the NetScreen device.
• crl-url url_str Sets the default LDAP URL for retrieving the certificate revocation list (CRL).
• server-name { name_str | ip_addr } Defines the full-qualified domain name or IP address of the default LDAP server for the certificate authority (CA).
raw-cn enable Enables the raw subject name. This subject name can contain only one common name (CN).
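As an added example that is not ScreenOS code, the following Python models what the revocation-check settings described above mean for accepting a peer certificate, and keeps the count a best-effort deployment should watch: how often a given certificate has been accepted with no revocation information, which the guide says usually points to improper configuration. Status values, subject names and the alert threshold are constructed; the `all` setting is not described on this page and is not modeled, and treating `crl`/`ocsp` as rejecting when their source has no data is an assumption.

```python
from collections import Counter
from typing import Dict, List

# Constructed status values for what a CRL lookup or OCSP query came back with.
GOOD, REVOKED, UNAVAILABLE = "good", "revoked", "unavailable"


def revocation_verdict(mode: str, crl: str, ocsp: str) -> Dict[str, bool]:
    """Decide whether a certificate is accepted under one revocation-check mode.

    Modeled after the keyword descriptions above. Assumption: the strict modes
    (crl, ocsp) reject when their source has no information, since only
    best-effort is documented as usable without revocation information.
    """
    if mode == "none":
        return {"accept": True, "checked": False, "no_info": False}
    if mode == "crl":
        return {"accept": crl == GOOD, "checked": True, "no_info": crl == UNAVAILABLE}
    if mode == "ocsp":
        return {"accept": ocsp == GOOD, "checked": True, "no_info": ocsp == UNAVAILABLE}
    if mode == "best-effort":
        statuses = (crl, ocsp)
        if REVOKED in statuses:
            return {"accept": False, "checked": True, "no_info": False}
        if GOOD in statuses:
            return {"accept": True, "checked": True, "no_info": False}
        # Accepted only because nothing was available: the case worth logging.
        return {"accept": True, "checked": True, "no_info": True}
    raise ValueError(f"unsupported revocation-check mode: {mode}")


class BestEffortMonitor:
    """Counts per-subject acceptances that happened without revocation data.

    Stands in for the periodic event-log review the best-effort description
    recommends; the threshold is a constructed operational choice.
    """

    def __init__(self, threshold: int = 3) -> None:
        self.threshold = threshold
        self.no_info_hits: Counter = Counter()

    def record(self, subject: str, verdict: Dict[str, bool]) -> None:
        if verdict["accept"] and verdict["no_info"]:
            self.no_info_hits[subject] += 1

    def suspicious(self) -> List[str]:
        """Subjects repeatedly accepted without revocation information."""
        return sorted(s for s, n in self.no_info_hits.items() if n >= self.threshold)


if __name__ == "__main__":
    # Constructed sequence of tunnel peers validated under best-effort.
    monitor = BestEffortMonitor(threshold=2)
    for subject, crl, ocsp in [("CN=peer-a", UNAVAILABLE, UNAVAILABLE),
                               ("CN=peer-a", UNAVAILABLE, UNAVAILABLE),
                               ("CN=peer-b", GOOD, UNAVAILABLE)]:
        monitor.record(subject, revocation_verdict("best-effort", crl, ocsp))
    print(monitor.suspicious())   # ['CN=peer-a']: never had revocation data
```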
rsa new-key
exec pki rsa new-key key_num
scep
exec pki x509 scep { id_num | new }
get pki authority { id_num | default } scep
set pki authority { id_num | default } scep { ... }
unset pki authority { id_num | default } scep { ... }
Example: The following command sets the SCEP Challenge password to “swordfish”:
set pki authority default scep challenge swordfish
rsa new-key Generates a new RSA public/private key pair with a specified bit length (number). Key length is 512, 786, 1024, or 2048.
scep Defines Simple Certificate Enrollment Protocol (SCEP) parameters.
• authentication { passed | failed } [ id_num ] sets the result of the CA authentication, failed or passed. The id_num value identifies a defined key pair.
• ca-cgi url_str specifies the path to the CA's SCEP server.
• ca-id string specifies the identity of the CA's SCEP server.
• challenge pswd_str specifies the Challenge password.
• current directs the NetScreen device to use the current SCEP setting as default.
• mode { auto | manual } specifies the authentication mode for CA's SCEP server.
• polling-int number Determines the retrieval polling interval (in minutes).
• ra-cgi url_str specifies the CGI path to the RA's SCEP server.
send-to
get pki x509 send-to
set pki x509 default send-to string
unset pki x509 default send-to
x509
exec pki x509 { ... }
get pki x509 { ... }
set pki x509 { ... }
unset pki x509 { ... }
send-to Specifies or displays the email destination (string) of the x509 certificate request file.
x509 Specifies settings for the x509 certificate.
• cert-fqdn string Configures the Fully-Qualified Domain Name (FQDN). PKI uses this value in the certificate subject alt name extension.
• default Specifies default settings.
- cert-path Configures the path to the X.509 CRL. The full | partial option determines if the NetScreen device uses the full path to the X.509 CRL or only a part of the path.
- crl-refresh Sets or displays the refreshment frequency (daily, monthly, or weekly) of the X.509 CRL. The default option uses the period embedded in each CRL.
- send-to string Assigns the e-mail address to which the NetScreen device sends the PKCS10 certificate request file.
• dn Specifies or displays the name that uniquely identifies a requesting certificate.
- country-name name_str Sets the country name.
- email string Sets the e-mail address.
- ip ip_addr Sets the IP address.
- local-name string Sets the locality.
- name string Sets the name in a common name field.
- org-name string Sets the organization name.
- org-unit-name string Sets the organization unit name.
- phone string Sets a contact phone number as the X.509 certificate subject name of the NetScreen device.
- state-name string Sets the state name as the X.509 certificate subject name.
• friendly-name name_str id_num A friendly name (name_str) for the certificate (id_num).
• install-factory-certs key_num Loads a specified factory pre-defined certificate.
• list Displays the X.509 object list.
- ca-cert Displays all CA certificates.
- cert Displays all X.509 certificates.
- cert-req Displays all certificates in the request state.
- crl Displays all Certificate Revocation Lists (CRLs).
- local-cert Displays all local certificates.
- pending-cert Displays all pending certificates.
• pkcs10 Generates or displays a PKCS10 file for an X.509 certificate request for the NetScreen device.
• raw-cn enable Enables the raw common name (CN) or displays its current status.
• scep { number | new } Initiates Simple Certificate Enrollment Protocol (SCEP) operation to retrieve certificates from a certificate authority server. The id_num parameter is the identification number of the pending certificate or the requesting certificate. The new switch directs the NetScreen device to execute SCEP using a new CA reference.
• tftp ip_addr Uploads the specified certificate (cert-name name_str) or CRL file (crl-name name_str) for the specified TFTP server at IP address ip_addr.
Examples: The following command specifies the destination e-mail address where the NetScreen device sends the PKCS10 certificate request:
set pki x509 default send-to [email protected]
The following command refreshes the certificate revocation list on a daily basis:
set pki x509 default crl-refresh daily
The following command defines a distinguished name for Ed Jones, who works in marketing at NetScreen Technologies in Santa Clara, California:
set pki x509 dn country-name “US”
set pki x509 dn state-name CA
set pki x509 dn local-name “santa clara”
set pki x509 dn org-name “netscreen technologies”
set pki x509 dn org-unit-name marketing
set pki x509 dn name “ed jones”
Defaults
The RSA key length is set to 1024 bits.
You use the set pki, get pki, and exec pki commands to request an x509 CA certificate from a certificate authority. The following commands provide a typical example:
1. Specify a certificate authority CA CGI path.
set pki auth -1 scep ca-cgi “http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe”
Note: The Common Gateway Interface (CGI) is a standard way for a web server to pass a user request to an application program, and to receive data back. CGI is part of the web’s Hypertext Transfer Protocol (HTTP).
2. Specify a registration authority RA CGI path.
set pki auth -1 scep ra-cgi “http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe”
Note: You must specify an RA CGI path even if the RA does not exist. If the RA does not exist, use the value specified for the CA CGI.
3. Generate an RSA key pair, specifying a key length of 1024 bits.
exec pki rsa new 1024
4. Initiate the SCEP operation to request a local certificate.
exec pki x509 scep -1
5. If this is the first attempt to apply for a certificate from this certificate authority, a prompt appears presenting a fingerprint value for the CA certificate. (Otherwise, go on to Step 6.)
get pki auth default scep
set pki auth default scep auth passed
6. When the confirmation prompt appears, contact your certificate authority administrator to approve the local certificate request.
7. (Optional) Display a list of pending certificates. This allows you to see and record the index number identifying the certificate.
get pki x509 list pending-cert
8. (Optional) Obtain the local certificate from the CA (using the index number obtained in Step 7) to identify the certificate.
exec pki x509 scep 1
set pki auth -1 scep polling-int number
policy
Description: Use the policy commands to define access policies to control network and VPN traffic.
Syntax
get policy [ global ] [ all | from zone1 to zone2 | id pol_num ]
set policy [ global ] { move pol_num1 { before pol_num2 | after pol_num3 } | [ id pol_num1 ] [ top | before pol_num2 ] [ name name_str ]
    [ from zone1 to zone2 ] src_addr dst_addr svc_name | {
    permit | tunnel { l2tp name_str | vpn-dialup name_str | vpn-group id_num } |
    tunnel vpn name_str [ l2tp name_str | pair-policy pol_num ]
    [ auth [ server name_str ] [ group-expression string | user name_str | user-group name_str ] ]
    | deny | nat [ dip-id id_num ] [ fix-port ] }
    [ schedule name_str ] [ log [ alert ] ]
    [ count [ alarm id_num1 id_num2 ] [ no-session-backup ]
    [ traffic { gbw number } { priority number }
    { mbw [ number ] dscp { disable | enable }
    } ]
    }
set policy default-permit-all
set policy [ global ] id pol_num disable
unset policy { [ id pol_num ] [ disable ] | default-permit-all }
Keywords and Variables
all
get policy all
auth
set policy { ... } auth [ ... ]
Example: The following command:
• defines a VPN tunnel policy from the Trust zone to the Untrust zone
• uses any source or destination IP address
• permits any kind of service
• requires user authentication
• uses an authentication server named WC_Server
set policy from trust to untrust any any any tunnel vpn Office auth server WC_Server
all Displays information about all security policies.
auth Requires the user to provide a login name and password to authenticate his or her identity before accessing the device and crossing the firewall.
• server name_str Identifies the authentication server (name_str).
• group-expression string Identifies users according to an expression (string).
• user name_str Identifies a user (name_str).
• user-group name_str Identifies a user group (name_str).
before
set policy before pol_num1 { ... }
Example: The following command creates a new policy and positions it before the second policy:
set policy before 2 from trust to untrust any any any permit
count
set policy { ... } [ count [ alarm { id_num1 id_num2 } ] ] { ... }
Example: The following command:
• defines a VPN tunnel policy from the Trust zone to the Untrust zone
• uses any source or destination IP address
• permits any kind of service
• maintains a count of all network traffic
set policy from trust to untrust any any any permit count
default-permit-all
set policy default-permit-all
before Specifies the position of the access policy before another policy (pol_num) in the access control list (ACL).
count Maintains a count in bytes of all network traffic to which the access policy is applied. The alarm id_num1 id_num2 parameter enables the alarm feature so that you can view alarms. You must enter the number of bytes per second (id_num1) and the number of bytes per minute (id_num2) required to trigger an alarm.
default-permit-all Allows access without checking the access control list (ACL) for a matching policy.
disable
set policy [ global ] id pol_num disable
from zone1 to zone2 src_addr dst_addr svc_name
set policy { ... } from zone1 to zone2 src_addr dst_addr svc_name { ... } [ ... ]
Example: The following command:
• defines a VPN tunnel policy from the Trust zone to the Untrust zone
• uses any source or destination IP address
• permits the HTTP service
set policy from trust to untrust any any HTTP permit
disable Disables the policy without removing it from the configuration.
from zone1 to zone2 src_addr dst_addr svc_name Specifies two zones between which the policies apply.
• zone1 is the name of the source security zone.
• zone2 is the name of the destination security zone.
• src_addr is the name of the source address. Specifying any allows all source IP addresses.
• dst_addr is the name of the destination address. Specifying any allows all destination IP addresses.
• svc_name is the name of the service. Specifying any identifies all available services.
For more information on zones, see “Security Zone Names” on page A-II.
global
set policy global before { ... }
set policy global id pol_num disable
set policy global move pol_num1 { before pol_num2 | after pol_num3 }
set policy global name name_str { ... }
set policy global top
id
get policy [ global ] id pol_num
set policy [ global ] id pol_num1 { ... }
unset policy id pol_num [ disable ]
Example: The following command:
• defines a VPN tunnel policy from the Trust zone to the Untrust zone
• assigns to the policy an ID value of 30
• uses any source or destination IP address
• permits the MAIL service
set policy id 30 from trust to untrust any any MAIL permit
global Creates or displays policies that use the Global zone. The Global zone address book keeps all the VIPs of all interfaces, regardless of the zone to which the interface belongs. You can use these VIP addresses as destination addresses in access policies between any two security zones.
id pol_num Specifies an access policy ID number. (The disable switch disables the policy.)
l2tp
set policy [ global ] { ... } tunnel l2tp name_str { ... }
set policy [ global ] { ... } tunnel vpn name_str l2tp name_str
Example: The following command:
• defines an incoming access policy for an L2TP tunnel
• configures the policy for a VPN tunnel named “home2office”
• configures the policy for an L2TP tunnel named “home-office”
• configures the policy for a dialup VPN group named “home_office”
set policy from untrust to trust dialup_vpn our_side any tunnel vpn home2office l2tp home_office
log
set policy [ global ] { ... } log [ alert ] { ... }
Example: The following command:
• defines a VPN tunnel policy from the Trust zone to the Untrust zone
• uses any source or destination IP address
• permits the HTTP service
• directs the NetScreen device to maintain a log
• enables the Syslog alert feature
set policy from trust to untrust any any HTTP permit log alert
l2tp Specifies a Layer 2 Tunneling Protocol (L2TP) tunnel.
log [ alert ] Maintains a log of all connections to which the access policy applies. The alert switch enables the Syslog alert feature.
move
set policy [ global ] move pol_num1 { before pol_num2 | after pol_num3 }
Example: The following command positions a global policy with ID number 4 before the policy with ID number 2:
set policy global move 4 before 2
name
set policy [ global ] [ ... ] name name_str { ... }
Example: The following command creates a new policy named S_Office:
set policy name S_Office from trust to untrust sales extern any permit
nat
set policy [ global ] { ... } nat [ dip-id id_num ] [ fix-port ] { ... }
Examples: The following command creates a policy (S_Office) that allows NAT and specifies DIP group 8:
set policy name S_Office from trust to untrust sales extern any nat dip-id 8 permit
The following command defines the DIP with a fixed port on the trusted interface (assume that DIP IP 8 is fix-port):
set policy from trust to untrust 10.1.1.9 10.150.42.41 any nat dip-id 8 fix-port permit
no-session-backup
set policy [ global ] { ... } no-session-backup { ... }
permit | deny
set policy [ global ] { ... } permit | deny [ ... ]
Example: The following command:
• defines a policy from the Trust zone to the Untrust zone
• uses any source or destination IP address
• permits any kind of service
set policy from trust to untrust any any any permit
move Repositions a policy (pol_num1) before another policy (pol_num2) or after a policy (pol_num3) in the access control list (ACL). When one policy comes before another policy in the ACL, it has higher precedence.
name name_str Identifies the access policy by name. (Assigning a name to an access policy is optional.)
nat Enables or disables Network Address Translation (NAT).
• fix-port Keeps the original source port number in the packet header. Disables Port Address Translation (PAT).
• dip-id id_num Specifies the ID number of the Dynamic IP (DIP) pool. This number can be between 4 and 255.
no-session-backup Disables session backup.
permit | deny
• permit allows the specified service to pass from the source address across the firewall to the destination address.
• deny blocks the service at the firewall.
�4�85��$��*$�48�%��35
������
Mkt_Sched
t
ule.
y at the top of the ACL has the
���������������� ���������!�
��������
set policy [ global ] { ... } schedule name_str [ ... ]
Example: The following command:
• defines a policy from the Trust zone to the Untrust zone
• uses any source or destination IP address
• permits any kind of service
• applies the policy to an existing schedule named Mkt_Sched
set policy from trust to untrust any any any permit schedule
���
set policy [ global ] [ ... ] top
Example: The following command:
• defines a policy from the Trust zone to the Untrust zone
• assigns to the policy an ID value of 30
• places the policy at the top of the ACL
• uses any source or destination IP address
• permits any kind of service
set policy id 30 top from trust to untrust any any any permi
schedule Applies the access policy only at times defined in the specified sched
top Places the policy at the top of the access control list (ACL). The polichighest precedence.
set policy [ global ] [ ... ] traffic gbw number priority number mbw [ number ] dscp { disable | enable }
Example: The following command:
• defines a VPN tunnel policy from the Trust zone to the Untrust zone
• uses any source or destination IP address
• permits the HTTP service
• guarantees bandwidth of 3,000 kilobits per second
• assigns a priority value of 2
• sets the maximum bandwidth to 10,000 kilobits per second
• enables DSCP
set policy from trust to untrust any any HTTP permit traffic gbw 3000 priority 2 mbw 10000 dscp enable
traffic gbw Defines the guaranteed bandwidth (GBW) in kilobits per second. The NetScreen device passes traffic below this threshold with the highest priority, without performing traffic shaping.
• priority number Specifies one of the eight traffic priority levels. When traffic falls between the guaranteed and maximum bandwidth settings, the NetScreen device passes traffic with higher priority first. Lower priority traffic is passed only if there is no higher priority traffic.
• mbw number Defines the maximum bandwidth (MBW) in kilobits per second. Traffic beyond this limit is throttled and dropped.
• dscp { enable | disable } Enables or disables a mapping of the NetScreen priority levels to the Differentiated Services Codepoint (DSCP) marking system.
set policy [ global ] { ... } tunnel { l2tp name_str | vpn-dialup name_str | vpn-group id_num }
set policy [ global ] { ... } tunnel vpn name_str [ l2tp name_str | pair-policy pol_num ]
Example: The following command:
• encrypts traffic exchanged with the corporate headquarters (denoted by address book entry Headquarters)
• uses a VPN named To_HQ:
set policy from trust to untrust any Headquarters any tunnel vpn To_HQ
The following example configures a NetScreen device to allow traffic between a private telephony endpoint host with an H.323 gatekeeper through a NetScreen device to telephony endpoint hosts on the public side.
tunnel Encrypts outgoing IP packets, and decrypts incoming IP packets.
• vpn [ l2tp name_str | pair-policy id_num ] Identifies a VPN tunnel. For an IPSec VPN tunnel, specify vpn and the name of the VPN tunnel. For L2TP, specify vpn (with the name of the VPN tunnel) and l2tp (with the name of the L2TP tunnel).
• vpn-dialup name_str Identifies a VPN tunnel. For an incoming dialup VPN tunnel connection, specify vpn-dialup and the name of the dialup user or dialup group.
• vpn-group id_num Identifies a VPN group (id_num). A VPN group consists of multiple VPNs, which you can specify in a single policy.
• vpn-tunnel Identifies an active tunnel.
1. set interface ethernet1 zone trust
2. set interface ethernet1 ip 10.10.1.1/24
3. set interface ethernet1 nat
4. set interface ethernet3 zone untrust
5. set interface ethernet3 ip 210.10.1.1/24
Addresses
6. set address trust IP_Phone1 10.10.1.2/32
7. set address trust gatekeeper 10.10.1.10/32
8. set address untrust IP_Phone2 200.20.1.2/32
Mapped IP Addresses
9. set interface ethernet3 mip 210.10.1.2 host 10.10.1.2
10. set interface ethernet3 mip 210.10.1.10 host 10.10.1.10
Routes
11. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr
12. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 201.22.3.2
Policies
13. set policy from trust to untrust IP_Phone1 IP_Phone2 h.323 permit
14. set policy from trust to untrust gatekeeper IP_Phone2 h.323 permit
15. set policy from untrust to trust IP_Phone2 mip(210.10.1.2) h.323 permit
16. set policy from untrust to trust IP_Phone2 mip(210.10.1.10) h.323 permit
17. save
This volume lists and describes NetScreen Command Line Interface (CLI) commands pppoe through zone.
Note: As you execute CLI commands using the syntax descriptions in this chapter, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the vsys command, which is available on a NetScreen-500 device, but not on a NetScreen-5xp device. Similarly, some command options are unavailable on certain models, as with the df-bit option of the vpn command. This option is available on a NetScreen-500, but not on a NetScreen-5xp.
pppoe
Description: Use the pppoe commands to configure PPPoE, or to display current PPPoE configuration parameters.
Syntax
clear [ cluster ] pppoe
exec pppoe { connect | disconnect }
get pppoe [ configuration | statistics ]
set pppoe { ac name_str | authentication { CHAP | PAP | any } | auto-connect number | idle-interval number | interface [ name_str ] | ppp { lcp-echo-retries number | lcp-echo-timeout number } | service name_str | static-ip | username name_str password pswd_str }
unset pppoe { ac | authentication { CHAP | PAP } | auto-connect | idle-interval | interface | ppp { lcp-echo-retries | lcp-echo-timeout } | service | static-ip | username }
Keywords and Variables
set pppoe ac name_str
unset pppoe ac
set pppoe authentication { CHAP | PAP | any }
unset pppoe authentication { CHAP | PAP }
set pppoe auto-connect number
unset pppoe auto-connect
clear cluster pppoe
ac Allows the interface to connect only to the specified AC (name_str).
authentication Sets the authentication methods to CHAP, PAP, or any. (The any option gives preference to CHAP.) The default of authentication is any (both CHAP and PAP). To set authentication to CHAP only, first execute unset pppoe authentication PAP.
auto-connect Specifies the number of seconds that elapse before automatic re-initiation of a previously-closed connection occurs. Valid range is 0-10000. (0 to disable.)
cluster Propagates the clear operation to all other devices in a NSRP cluster.
get pppoe configuration
exec pppoe connect
set pppoe idle-interval number
unset pppoe idle-interval
set pppoe interface [ name_str ]
unset pppoe interface
configuration Specifies the configuration options.
connect Starts a PPPoE connection.
disconnect Takes down a PPPoE connection.
idle-interval Sets the idle timeout, which is the time elapsed (in minutes) before the NetScreen device terminates a tunnel due to inactivity. Specifying 0 turns off the idle timeout and the device never terminates the tunnel.
interface Specifies the interface for PPPoE encapsulation.
set pppoe ppp { ... }
unset pppoe ppp { ... }
set pppoe service name_str
unset pppoe service
set pppoe static-ip
unset pppoe static-ip
get pppoe statistics
ppp Specifies the following PPP parameters:
• lcp-echo-retries the number of unacknowledged Lcp Echo requests before the connection is terminated. Valid range is 1-30.
• lcp-echo-timeout the time that elapses between transmission of two Lcp Echo requests. Valid range is 1-1000 seconds.
service Allows only the specified service (name_str).
static-ip Specifies that your connection uses the IP address assigned to your device’s interface.
statistics Specifies the statistics information.
set pppoe username name_str password pswd_str
Example: The following command sets the username to “Phred”, and Phred’s password to “!@%)&&”:
set pppoe username Phred password !@%)&&
username Sets the user name and password.
Defaults
The command is disabled by default. The default authentication method is any. The default idle timeout is 30 minutes. The default auto-connect is disabled. The default lcp-echo-timeout value is 180 seconds. The default retries is 10.
proxy-id
Description: Use the proxy-id commands to set the proxy-id parameter.
By default, the NetScreen device responds to policy or routing changes by generating IKE ID values in accordance with policies, routes, and existing NAT configurations (such as MIP and DIP). After execution of the set proxy-id manual-update command, the NetScreen device only updates the IKE ID values according to the policies.
Executing the unset proxy-id command instructs the NetScreen device to update the proxy-id in accordance with any new route change. This is useful when it is necessary to use a route to determine a tunnel interface.
Syntax
exec proxy-id update
get proxy-id
set proxy-id manual-update
unset proxy-id manual-update
Keywords and Variables
exec proxy-id update
set proxy-id manual-update
unset proxy-id manual-update
update Instructs the NetScreen device to update the VPN proxy ID.
manual-update Instructs the NetScreen device to only update the VPN proxy ID explicitly, in response to the exec proxy-id update command.
Defaults
By default, the NetScreen device updates the proxy-ID setting explicitly.
reset
Description: Use the reset command to reboot the NetScreen device.
Syntax
reset [ no-prompt | save-config { no | yes } [ no-prompt ] ]
reset no-prompt
reset save-config { no | yes } [ no-prompt ]
no-prompt Indicates no confirmation.
save-config • no Directs the NetScreen device to not save the current configuration before resetting.
• yes Directs the NetScreen device to save the current configuration before resetting.
• no-prompt Does not display a confirmation prompt.
route
Description: Use the route commands to display entries in the static route table.
The get route command displays:
• The IP address, netmask, interface, gateway, protocol, preference, metric, and owner VSYS
• The protocol value can be any of the following:
– C (Connected)
– S (Static)
– A (Auto Exported)
– I (Imported; that is, route imported from another virtual router)
– iB (internal BGP)
– eB (external BGP)
– O (OSPF)
– E1 (OSPF external type 1)
– E2 (OSPF external type 2)
Use the get route command to find out if the NetScreen device is routing a packet with a particular IP address to the correct interface.
Syntax
get route [ id id_num | ip ip_addr | summary ]
Keywords and Variables
get route id id_num
Example: The following command displays the route information for a route with ID number 477:
get route id 477
get route ip ip_addr
Example: The following command displays the route information to a machine with the IP address 172.16.60.1:
get route ip 172.16.60.1
get route summary
id Displays a specific route for the ID number id_num.
ip Displays a specific route for the target IP address ip_addr.
summary Displays summary information, including number of routes, for each protocol.
Defaults
The get route command displays all entries in the route table unless a particular target IP address is specified.
sa
Description: Use the sa commands to clear the IKE value for the specified Security Association (SA).
Syntax
clear [ cluster ] sa id_num
get sa [ id id_num | [ active | inactive ] stat ]
Keywords and Variables
clear [ cluster ] sa id_num
clear cluster sa id_num
get sa id id_num
get sa [ ... ] stat
id_num Specifies the SA ID number.
cluster Propagates the clear operation to all other devices in a NSRP cluster.
id Displays a specific IPSec Security Association (SA) entry with the ID number.
stat Shows the SA statistics for the device. Displays these statistics for all incoming or outgoing SA pairs:
• Fragment: The total number of fragmented incoming and outgoing packets.
• Auth-fail: The total number of packets for which authentication has failed.
• Other: The total number of miscellaneous internal error conditions other than those listed in the auth-fail category.
• Total Bytes: The amount of active incoming and outgoing traffic
sa-filter
Description: Use the sa-filter commands to create or display filters for the display of IKE gateway debug output. The filters limit the output of a debug trace according to gateway IP addresses.
Syntax
set sa-filter ip_addr
unset sa-filter ip_addr
Keywords and Variables
Example: The following command sets a filter that allows display of gateway debug information where the gateway IP address is 172.16.10.10:
set sa-filter 172.16.10.10
ip_addr The gateway IP address
sa-statistics
Description: Use the sa-statistics command to clear all statistical information (such as number of fragmentations and total bytes through the tunnel) in a Security Association (SA) for an AutoKey IKE VPN tunnel.
Syntax
clear [ cluster ] sa-statistics [ id id_num ]
Keywords and Variables
clear cluster sa-statistics id id_num
clear [ cluster ] sa-statistics id id_num
Example: The following command clears the SA statistics for SA 2:
clear sa-statistics id 2
cluster Propagates the clear operation to all other devices in a NSRP cluster.
id id_num Clears statistics in a particular Security Association.
save
Description: Use the save commands to save the NetScreen device configuration settings either to the flash card memory or to a Trivial File Transfer Protocol (TFTP) server.
Syntax
save
save config [ all-virtual-system | from | to
{ flash | slot1 filename | tftp ip_addr filename }
{ [ [ merge ] from interface ] to
{ flash [ from interface ] | slot1 filename | tftp ip_addr filename [ from interface ] }
} ]
save image-key tftp ip_addr filename from interface
save software from { flash | slot1 filename | tftp ip_addr filename } to { flash | slot1 filename | tftp ip_addr filename } [ from interface ]
Keywords and Variables
save config all-virtual-system
save config from flash to { ... } [ from interface ]
save software from flash to { ... } [ from interface ]
Example: The following command saves the current configuration from flash memory to a file (output.txt) on a TFTP server (172.16.10.10):
save config from flash to tftp 172.16.10.10 output.txt
save config from { ... } to { ... }
save software from { ... } to { ... }
Example: The following command saves the current configuration from flash memory to a file (output.txt) on a TFTP server (IP address 172.16.10.10):
save config from flash to tftp 172.16.10.10 output.txt
all-virtual-system Saves all virtual system configurations.
flash Saves from (or to) flash memory. The from interface option specifies the source interface.
from Saves from the specified source.
to Saves to the specified destination.
save config from { ... } merge [ from interface ]
Example: The following command merges the current configuration with the configuration in a file (input.txt) on a TFTP server (IP address 172.16.10.10):
save config from tftp 172.16.10.10 input.txt merge
save config from slot1 to { ... }
save software from slot1 to { ... }
Example: The following command saves the current configuration from a file (input.txt) in the slot1 memory card to flash memory:
save config from slot1 input.txt to flash
save config from tftp filename to { ... }
save image-key tftp ip_addr filename from interface
save software from tftp filename to { ... }
Example: The following command loads an authentication key on a FIPS-compliant NetScreen device from a file named nskey.cer on a TFTP server at 10.10.1.2:
save image-key tftp 10.10.1.2 nskey.cer
merge Merges the saved configuration with the current configuration. The from interface option specifies the source interface.
slot1 Saves from (or to) a file in the memory card slot.
tftp Saves from (or to) a file on a TFTP server.
scheduler
Description: Use the scheduler commands to create or modify a schedule, or to display schedule configuration. NetScreen devices use schedules to enforce access policies at specified times or intervals.
Syntax
get scheduler [ name name_str | once | recurrent ]
set scheduler name_str [ once start date_str time_str stop date_str time_str [ comment string ] | recurrent { monday | tuesday | wednesday | thursday | friday | saturday | sunday } start time_str stop time_str [ start time_str stop time_str ] [ comment string ] ]
unset scheduler name_str
Keywords and Variables
get scheduler name name_str
get scheduler once
set scheduler name_str once start date_str time_str stop date_str time_str [ ... ]
get scheduler recurrent
set scheduler name_str recurrent { ... } [ ... ]
name name_str Defines a name for the schedule.
once Applies the schedule once, starting on the day, month, year, hour, and minute defined, and stopping on the month, day, year, hour, and minute defined.
recurrent Directs the NetScreen device to repeat the schedule according to the defined day of the week, hour, and minutes.
• monday Repeats every Monday.
• tuesday Repeats every Tuesday.
• wednesday Repeats every Wednesday.
• thursday Repeats every Thursday.
• friday Repeats every Friday.
• saturday Repeats every Saturday.
set scheduler name_str once start date_str time_str stop date_str time_str [ ... ]
set scheduler name_str recurrent { ... } start time_str stop time_str [ ... ]
Examples: The following command creates a schedule definition named “mytime” which starts on 1/10/2003 at 11:00 AM and ends on 2/12/2003 at 7:00 PM:
set scheduler mytime once start 1/10/2003 11:00 stop 2/12/2003 19:00
The following commands create a schedule definition named “weekend” which starts at 8:00 AM and ends at 5:00 PM and repeats every Saturday and Sunday:
set scheduler weekend recurrent saturday start 8:00 stop 17:00
set scheduler weekend recurrent sunday start 8:00 stop 17:00
• sunday Repeats every Sunday.
- start Defines when to start the schedule.
- stop Defines when to stop the schedule.
- comment Defines a descriptive character string.
start | stop Defines the day, month, and year (date_str) in USA format (mm/dd/yyyy).
Defines the hour and minutes (time_str) in the 24-hour clock format (hh:mm).
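The following Python model, added here as an illustration and not part of the NetScreen guide or ScreenOS itself, parses the set scheduler commands shown above (once and recurrent forms, mm/dd/yyyy and 24-hour hh:mm) and answers whether a policy bound to a schedule applies at a given moment. The WEEKDAYS table and the class and function names are this example's own; the schedule semantics follow the keyword descriptions above.

```python
from datetime import datetime

WEEKDAYS = ("monday", "tuesday", "wednesday", "thursday",
            "friday", "saturday", "sunday")


def parse_datetime(date_str, time_str):
    """date_str is mm/dd/yyyy (USA format), time_str is hh:mm (24-hour clock)."""
    return datetime.strptime(f"{date_str} {time_str}", "%m/%d/%Y %H:%M")


def parse_minutes(time_str):
    """Convert an hh:mm string to minutes since midnight, rejecting bad values."""
    hours, minutes = (int(part) for part in time_str.split(":"))
    if not (0 <= hours < 24 and 0 <= minutes < 60):
        raise ValueError(f"invalid time_str {time_str!r}")
    return hours * 60 + minutes


class Schedule:
    """A named schedule: a one-shot window or per-weekday recurring windows."""

    def __init__(self, name):
        self.name = name
        self.once = None        # (start, stop) datetimes for a 'once' schedule
        self.recurrent = {}     # weekday -> [(start_min, stop_min), ...]
        self.comment = ""

    def is_active(self, at):
        """True if a policy bound to this schedule applies at datetime `at`."""
        if self.once is not None:
            start, stop = self.once
            return start <= at < stop
        windows = self.recurrent.get(WEEKDAYS[at.weekday()], [])
        now = at.hour * 60 + at.minute
        return any(start <= now < stop for start, stop in windows)


def apply_scheduler_command(schedules, command):
    """Apply one 'set scheduler ...' line to a dict of schedules keyed by name."""
    tokens = command.split()
    if tokens[:2] != ["set", "scheduler"] or len(tokens) < 5:
        raise ValueError(f"not a set scheduler command: {command!r}")
    name, mode, rest = tokens[2], tokens[3], tokens[4:]
    sched = schedules.setdefault(name, Schedule(name))
    if "comment" in rest:            # trailing 'comment string' is free text
        idx = rest.index("comment")
        sched.comment, rest = " ".join(rest[idx + 1:]), rest[:idx]
    if mode == "once":
        if len(rest) != 6 or rest[0] != "start" or rest[3] != "stop":
            raise ValueError(f"malformed once schedule: {command!r}")
        start = parse_datetime(rest[1], rest[2])
        stop = parse_datetime(rest[4], rest[5])
        if stop <= start:
            raise ValueError("stop must be later than start")
        sched.once = (start, stop)
    elif mode == "recurrent":
        day, pairs = rest[0], rest[1:]
        if day not in WEEKDAYS:
            raise ValueError(f"unknown weekday {day!r}")
        # One or two 'start hh:mm stop hh:mm' windows are allowed per weekday.
        if len(pairs) not in (4, 8) or pairs[0::2] != ["start", "stop"] * (len(pairs) // 4):
            raise ValueError(f"malformed recurrent schedule: {command!r}")
        for i in range(0, len(pairs), 4):
            start, stop = parse_minutes(pairs[i + 1]), parse_minutes(pairs[i + 3])
            if stop <= start:
                raise ValueError("stop must be later than start")
            sched.recurrent.setdefault(day, []).append((start, stop))
    else:
        raise ValueError(f"unknown schedule mode {mode!r}")
    return sched


# Constructed input: the two schedules from the examples above.
SAMPLE_COMMANDS = [
    "set scheduler mytime once start 1/10/2003 11:00 stop 2/12/2003 19:00",
    "set scheduler weekend recurrent saturday start 8:00 stop 17:00",
    "set scheduler weekend recurrent sunday start 8:00 stop 17:00",
]


def build_schedules(commands=SAMPLE_COMMANDS):
    """Build the schedule table from a list of set scheduler lines."""
    schedules = {}
    for command in commands:
        apply_scheduler_command(schedules, command)
    return schedules


def is_active_at(schedules, name, year, month, day, hour, minute):
    """Convenience wrapper: does schedule `name` apply at the given moment?"""
    return schedules[name].is_active(datetime(year, month, day, hour, minute))


if __name__ == "__main__":
    scheds = build_schedules()
    print(is_active_at(scheds, "mytime", 2003, 1, 20, 12, 0))   # True
    print(is_active_at(scheds, "weekend", 2003, 2, 15, 9, 0))   # True (a Saturday)
    print(is_active_at(scheds, "weekend", 2003, 2, 17, 9, 0))   # False (a Monday)
```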
scs
Description: Use the scs commands to configure the Secure Command Shell (SCS) server task.
The SCS server task is a SSH-compatible server application that resides on the NetScreen device. When you enable the SCS server task, SSH client applications can manage the device through a secure connection. (The look and feel of a SSH client session is identical to a Telnet session.)
Syntax
exec scs tftp pka-rsa [ username name_str ] file-name filename ip-addr ip_addr [ from interface ]
get scs [ host-key | pka-rsa [ all | [ username name_str ] [ index number ] ] ]
set scs { enable | key-gen-time number | pka-rsa [ username name_str ] key number1 number2 number3 }
unset scs { enable | key-gen-time | pka-rsa { all | username name_str { all | index id_num } } }
Keywords and Variables
set scs enable
unset scs enable
get scs host-key
set scs key-gen-time number
unset scs key-gen-time
get scs pka-rsa [ ... ]
set scs pka-rsa [ ... ]
enable Enables the Secure Command Shell (SCS) task.
host-key Shows the SCS host key (RSA public key) for the active root/VSYS, including the fingerprint of the host key.
key-gen-time Specifies the SCS server key regenerating time (in minutes).
unset scs pka-rsa { ... }
Example: The following command binds a hypothetical key to a user named “chris”:
set scs pka-rsa username chris key 512 655376875272488448958033213724615582796813757422715643970626128793365599992658289089019119296718115311887359071551679071956054093391935 80111611537652715077837
The following command:
• loads a key contained in a file named “key_file”
• takes the file from a server at IP address 172.16.10.11
• binds the key to a user named “chris”
exec scs tftp pka-rsa username chris file-name key_file ip-addr 172.16.10.11
pka-rsa Public Key Authentication (PKA) using RSA.
• all Shows all PKA public keys bound to all users. You must be the root user to execute this option; admin users and read-only users cannot execute this command.
• index number Allows the admin user and read-only user to view the details of a key bound to the active admin. It also allows the root user to view the details of a key bound to the specified user.
• key number1 number2 number3 Binds a PKA key to the current user. The number1, number2, and number3 values represent the key length, the exponent, and the modulus, respectively. Read-only users cannot execute this option.
• username name_str Specifies the name of the user to bind the PKA key. For the get command, username displays all PKA public keys bound to a specified user name_str. Admin users and read-only users can execute this option only if name_str identifies the current admin user or read-only user.
• file-name filename Specifies the file containing the key to bind to the user.
The unset scs pka-rsa command features are as follows:
unset scs pka-rsa Unsets Public Key Authentication (PKA) using RSA.
• all Deletes all keys bound to all users in the active root/VSYS. Admin users and read-only users cannot execute this option.
• username name_str Unbinds and deletes all keys bound to the specified user, but only if name_str is the name of the current admin user. Read-only users cannot execute this option.
• index id_num Unbinds and deletes the key identified by id_num. This option allows the root admin user to unbind a key for any user (identified by user name_str). Read-only users cannot execute this option.
Defaults
This feature is disabled by default.
The default key generation time is 60 minutes.
service
Description: Use the service commands to create custom services for use in Access Policies, or to display the current entries in the service list.
Syntax
get service [ name_str group [ name_str ] | pre-defined | user ]
set service name_str [ + { ptcl_num | tcp | udp } src number-number dst number-number | protocol { ptcl_num | tcp | udp } [ src-port number-number ] [ dst-port number-number ] [ timeout { number | never } ] [ group [ email | info | remote | security | other ] ] | group { email | info | remote | security | other } { ptcl_num | tcp | udp src number-number dst number-number } | timeout { number | never } | clear ]
unset service [ name_str ] [ timeout ]
Keywords and Variables
get service name_str
set service name_str [ ... ]
unset service name_str
set service name_str + { ... }
set service name_str clear
Example: The following command clears all service entries named “test”:
set service test clear
name_str Defines a name for the service.
+ Appends a service entry to the custom services list.
clear Clears all service entries.
set service name_str group { ... }
Example: The following commands:
• create a service entry named test2
• categorize the service for remote access
• specify that the service is TCP, with a port number 10115
set service test2 group remote tcp src 0-65535 dst 10115-10115
set service test2 + udp src 0-65535 dst 10115-10115
get service pre-defined
group Assigns the service entry to one of the following groups, or categories:
• email Services used for sending and receiving e-mail; for example, IMAP and POP 3.
• info Services used for seeking and retrieving information; for example, HTTP and DNS.
• remote Services used for remote access; for example, FTP or RLOGIN.
• security Services used for security-related traffic such as encryption, decryption, and authentication; for example, HTTPS and PPTP.
• other Services used for traffic other than that covered by the other four groups; for example, SNMP for network management.
pre-defined Displays all the pre-defined services.
set service name_str protocol { ... } [ ... ]
Example: The following command sets a service named “ipsec” that uses protocol 50:
set service ipsec protocol 50
set service name_str + { ... } src number-number dst number-number
set service name_str protocol { ... } [ src-port number-number ] [ dst-port number-number ]
Example: The following command sets a service named “test1” that uses destination tcp port 1001:
set service test1 protocol tcp src-port 0-65535 dst-port 1001-1001
protocol Defines the service by IP protocol.
• ptcl_num specifies the protocol by protocol number.
• tcp specifies a TCP-based service.
• udp specifies a UDP-based service.
dst Defines a range of destination port numbers that receive the service request. For example, 300 to 400.
src Defines a range of source port numbers valid for the service. For example, 100 to 250.
src-port Defines a range of source port numbers valid for the service and protocol.
dst-port Defines a range of destination port numbers valid for the service and protocol.
set service name_str timeout { number | never }
unset service name_str timeout
Example: The following command sets a service named “telnet” with a timeout value of 10 minutes:
set service telnet timeout 10
get service user
timeout Defines the session timeout value for the service in minutes, or as “never.”
user Displays all user-defined services.
Defaults
The default timeout for TCP connections is 30 minutes.
The default timeout for UDP connections is 1 minute.
Using the get service command without any arguments displays all pre-defined, user-defined, and service group information in the service book.
Note: The maximum timeout value for TCP connections and UDP connections is 2160 minutes.
session
Description: Use the session commands to clear or display entries in the NetScreen device’s session table.
The kind of session information listed by the get session command depends upon the device model. For example, on any NetScreen device with a management module in slot 1, the get session command lists currently active sessions on that module. Such sessions include management, log, and other administrative traffic. On any NetScreen device with one or more Secure Port Modules (SPMs), the get session command lists sessions that are active on the ASIC for each module. If a session crosses two ASICs, it counts as two sessions, one for each ASIC.
Syntax
clear [ cluster ] session [ all | id id_num | [ src-ip ip_addr [ netmask mask ] ] [ dst-ip ip_addr [ netmask mask ] ] [ src-mac mac_addr ] [ dst-mac mac_addr ] [ protocol ptcl_num [ ptcl_num ] ] [ src-port port_num [ port_num ] ] [ dst-port port_num [ port_num ] ] [ vsd-id id_num ] [ hardware { 0 | 1 } ] ]
get session [ id id_num | fragment | [ tunnel ] [ src-ip ip_addr [ netmask mask ] ] [ dst-ip ip_addr [ netmask mask ] ] [ src-mac mac_addr ] [ dst-mac mac_addr ] [ protocol ptcl_num [ ptcl_num ] ] [ src-port port_num [ port_num ] ] [ dst-port port_num [ port_num ] ] ]
Keywords and Variables
clear [ cluster ] session all
clear cluster session [ ... ]
get session [ ... ] hardware { 0 | 1 }
Example: The following command clears all sessions belonging to ASIC chip 1, and belonging to VSD group 2001, from the host at IP address 172.16.20.12:
get session src-ip 172.16.10.12 vsd-id 2001 hardware 1
all Specifies all sessions.
cluster Propagates the clear operation to all other devices in a NSRP cluster.
hardware Includes only hardware-related session information in the display.
• 0 Displays ASIC 0 sessions.
• 1 Displays ASIC 1 sessions.
This option is for NetScreen-5000 Series devices only.
clear [ cluster ] session id id_num
get session id id_num
Example: The following command displays the session table entry for the session with ID 5116:
get session id 5116
clear [ cluster ] session [ src-ip ip_addr [ netmask mask ] ] [ dst-ip ip_addr [ netmask mask ] ] [ ... ]
get session [ ... ] [ src-ip ip_addr [ netmask mask ] ] [ dst-ip ip_addr [ netmask mask ] ] [ ... ]
Example: The following command displays all the entries in the session table for a specific source IP address:
get session src-ip 172.16.10.92
clear [ cluster ] session [ ... ] [ dst-ip ip_addr [ netmask mask ] ] [ src-mac mac_addr ] [ dst-mac mac_addr ]
id id_num Identifies a specific session with Session Identification number id_num.
src-ip ip_addr Identifies all sessions initiated by packets containing source IP address ip_addr. For example, ip_addr could be the source IP address in the first TCP SYN packet.
dst-ip ip_addr Identifies all sessions initiated by packets containing destination IP address ip_addr.
get session [ ... ] [ src-ip ip_addr [ netmask mask ] ] [ dst-ip ip_addr [ netmask mask ] ]
clear [ cluster ] session [ ... ] protocol ptcl_num [ ptcl_num ] [ ... ]
get session [ ... ] protocol ptcl_num [ ptcl_num ] [ ... ]
clear [ cluster ] session [ ... ] [ src-port port_num [ port_num ] ] [ dst-port port_num [ port_num ] ] [ ... ]
get session [ ... ] [ src-port port_num [ port_num ] ] [ dst-port port_num [ port_num ] ]
Example: The following command displays all the entries in the session table for protocol 5 and for source ports 2 through 5:
get session protocol 5 src-port 2 5
src-mac Identifies all sessions initiated by packets containing source MAC address mac_addr.
dst-mac Identifies all sessions initiated by packets containing destination MAC address mac_addr.
protocol Identifies all sessions that use protocol ptcl_num. You can also specify any protocol within a range (ptcl_num ptcl_num).
src-port Identifies all sessions initiated by packets that contain the layer 4 source port port_num in the layer 4 protocol header. You can also specify any layer 4 source port within a range (port_num port_num).
dst-port Identifies all sessions initiated by packets that contain the layer 4 destination port port_num in the layer 4 protocol header. You can also specify any layer 4 destination port within a range (port_num port_num).
tunnel
get session tunnel [ ... ]
vsd-id
clear [ cluster ] session [ ... ] vsd-id id_num
get session [ ... ] vsd-id id_num
Example: The following command clears all sessions belonging to VSD group 2001, and initiated from the host at IP address 172.16.10.12:
clear session src-ip 172.16.10.12 vsd-id 2001
tunnel Directs the NetScreen device to display tunnel sessions.
vsd-id id_num Identifies all sessions that belong to the VSD group id_num.
snmp
Description: Use the snmp commands to configure the NetScreen device for Simple Network Management Protocol (SNMP), to gather statistical information from the NetScreen device, and receive notification when significant events occur.
Syntax
get
get snmp [ auth-trap | community name_str | settings | vpn ]
set
set snmp { auth-trap enable | community name_str
{ read-only | read-write } [ trap-off | trap-on [ traffic ] ] |
contact name_str | host comm_name ip_addr | location string | name name_str | port { listen [ port_num ] | trap [ port_num ] } | vpn }
unset
unset snmp { auth-trap enable | community name_str | contact | host comm_name ip_addr | location | name | port { listen [ port_num ] | trap [ port_num ] } | vpn }
Keywords and Variables
auth-trap enable
get snmp auth-trap
set snmp auth-trap enable
unset snmp auth-trap enable
community
get snmp community name_str
set snmp community name_str { ... }
unset snmp community name_str
Examples: The following command:
• configures a community named “public”
• allows hosts to read MIB data from the SNMP agent
• enables SNMP traps for the community
set snmp community public read-only trap-on
The following command configures an SNMP host with IP address 10.20.25.30 for the community named “public”:
set snmp host public 10.20.25.30
auth-trap enable Enables Simple Network Management Protocol (SNMP) authentication traps.
community Defines the name for the SNMP community. It supports maximum 3 communities in all products.
• read-only Defines the permission for the community as “read-only.”
• read-write Defines the permission for the community as “read-write.”
- trap-off Disables SNMP traps for the community.
- trap-on Enables SNMP traps for the community. The traffic switch includes traffic alarms as SNMP traps.
contact
set snmp contact name_str
unset snmp contact
host
set snmp host comm_name ip_addr
unset snmp host comm_name ip_addr
Example: The following commands:
• configure a community named “netscreen”
• specify read and write permission
• allow the NetScreen device to send traps to all hosts in the community
• assign the community to an SNMP host with IP address 10.40.40.15
set snmp community netscreen read-write trap-on
set snmp host netscreen 10.40.40.15
location
set snmp location string
unset snmp location
contact Defines the system contact.
host Defines the community name string and the IP address of the SNMP management host.
location Defines the physical location of the system.
name
set snmp name name_str
unset snmp name
port
set snmp port { ... }
unset snmp port { ... }
settings
get snmp settings
vpn
set snmp vpn
unset snmp vpn
name Defines the name of the system.
port Specifies the SNMP listen and trap port ( listen | trap ).
settings Displays the name of the contact person, and the name and physical location of the NetScreen device.
vpn Enables SNMP traffic through a VPN tunnel (if one exists) from the Trust zone to another zone.
socket
Description: Use the socket commands to display socket information on a NetScreen device.
Syntax
get
get socket [ id id_num ]
Keywords and Variables
id
get socket id id_num
Example: The following command displays the information concerning socket 3001:
get socket id 3001
id Displays the information for an identified socket (id_num).
ssl
Description: Use the ssl commands to configure a Secure Sockets Layer (SSL) connection, or to display the SSL configuration on a NetScreen device.
Syntax
get
get ssl [ ca-list | cert-list ]
set
set ssl { cert number | enable | encrypt
{ 3des | des } sha-1 | { rc4 | rc4-40 } md5
port port_num }
unset
unset ssl { cert | enable | encrypt | port }
Keywords and Variables
ca-list | cert-list
get ssl ca-list
get ssl cert-list
Example: The following command displays the SSL certificate list:
get ssl cert-list
cert
set ssl cert number
unset ssl cert
enable
set ssl enable
unset ssl enable
ca-list | cert-list Displays currently configured Certificate Authorities (ca-list) or currently available certificates (cert-list).
cert Specifies that the named certificate is required.
enable Turns on SSL.
encrypt
set ssl encrypt { 3des | des } sha-1 | { rc4 | rc4-40 } md5
unset ssl encrypt
Example: The following command specifies triple-DES encryption with SHA-1 authentication hashing:
set ssl encrypt 3des sha-1
port
set ssl port port_num
unset ssl port
Example: The following command changes the SSL port to 11533:
set ssl port 11533
Defaults
The default SSL port is 443.
encrypt Enables encryption over the SSL connection.
• 3des Sets the 3DES security level.
• des Sets the DES security level.
• rc4 md5 Sets the RC4 MD5 security level.
• rc4-40 md5 Sets the RC4-40 MD5 security level.
port Specifies the SSL port number.
sys-clock
Description: Use the sys-clock command to display information on the system clock.
Syntax
get
get sys_clock
Keywords and Variables
None.
syslog
Description: Use the syslog commands to configure the NetScreen device to send traffic and event messages to the Syslog host, or to display the current Syslog configuration.
Syntax
get
get syslog [ config | enable | port | traffic | VPN ]
set
set syslog { config { name_str | ip_addr }
{ AUTH/SEC | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
{ AUTH/SEC | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
enable | port port_num | traffic | VPN }
Note: The Syslog host must be enabled before you can enable Syslog.
unset
unset syslog { string | config | enable | hostname | port | traffic | VPN }
Keywords and Variables
config
get syslog config
set syslog config { name_str | ip_addr } { ... }
unset syslog config
set syslog config { name_str | ip_addr } { AUTH/SEC | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
{ AUTH/SEC | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
config Defines the configuration settings for the Syslog utility. The { name_str | ip_addr } parameters define the name or the IP address of the Syslog host device.
AUTH/SEC | local0…7
Defines the security facility level and the regular facility level. The security facility classifies and sends messages to the Syslog host for security-related actions such as attacks. The regular facility classifies and sends messages for events unrelated to security, such as user logins and logouts, and system status reports.
Example: The following command sets the Syslog host configuration to report all logs:
set syslog config 172.16.20.249 local0 local1
enable
get syslog enable
set syslog enable
unset syslog enable
traffic
get syslog traffic
set syslog traffic
unset syslog traffic
port
get syslog port
set syslog port port_num
unset syslog port
Example: The following command changes the Syslog port number to 911:
set syslog port 911
enable Enables the NetScreen device to send messages to the Syslog host.
traffic Enables the NetScreen device to send traffic logs to the Syslog host.
port Defines the port number on the Syslog host that receives the User Datagram Protocol (UDP) packets from the NetScreen device.
VPN
get syslog VPN
set syslog VPN
unset syslog VPN
Defaults
This feature is disabled by default. The default Syslog port number is 514, and the default WebTrends port number is 514.
VPN Allows the NetScreen device to send Syslog traffic through a VPN tunnel to the Syslog server. By default, the NetScreen device sends syslog traffic through the Untrusted interface. Executing the VPN option directs the device to send syslog traffic through the Trusted interface. The device uses a security policy to secure this traffic. If the policy specifies encryption, the device encrypts the traffic according to the policy’s VPN configuration before transmission. Executing the unset syslog VPN command resets the device to the default behavior.
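The two-facility split described above, seen from the collector side, as an added example that is not part of the guide: assuming the device was configured with set syslog config 172.16.20.249 local0 local1 (security facility local0, regular facility local1), this classifier decodes the <PRI> prefix of each UDP datagram and separates security-facility messages from regular ones, flagging any facility that matches neither. The RFC 3164 facility numbers, the mapping of AUTH/SEC to facility 4, and the sample datagrams are assumptions; the message bodies are constructed.

```python
"""Receiver-side classifier for NetScreen syslog datagrams.

Added example, not part of the CLI guide. Assumes the device was configured
with "set syslog config 172.16.20.249 local0 local1", i.e. the security
facility is local0 and the regular facility is local1, and that each datagram
starts with an RFC 3164 <PRI> prefix where PRI = facility * 8 + severity.
"""
import re
from collections import Counter
from dataclasses import dataclass

# RFC 3164 facility numbers for the facilities the syslog config accepts.
# Mapping AUTH/SEC to facility 4 (security/authorization) is an assumption.
FACILITY_CODES = {
    "AUTH/SEC": 4,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


@dataclass
class SyslogMessage:
    facility: int
    severity: int
    body: str


def parse_pri(datagram: str) -> SyslogMessage:
    """Split a datagram into facility, severity and body; reject a malformed PRI."""
    match = PRI_RE.match(datagram)
    if match is None:
        raise ValueError("datagram lacks a <PRI> prefix")
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal PRI
        raise ValueError(f"PRI {pri} out of range")
    return SyslogMessage(facility=pri >> 3, severity=pri & 7, body=match.group(2))


def classify(datagram: str, security_facility: str = "local0",
             regular_facility: str = "local1") -> tuple:
    """Label a datagram as 'security', 'regular' or 'unexpected'.

    'unexpected' means the facility matches neither configured value; on a
    collector dedicated to this device that usually points at a configuration
    drift on the device or at a different sender using the same address.
    """
    msg = parse_pri(datagram)
    if msg.facility == FACILITY_CODES[security_facility]:
        return "security", msg
    if msg.facility == FACILITY_CODES[regular_facility]:
        return "regular", msg
    return "unexpected", msg


def summarize(datagrams, **facilities) -> dict:
    """Count datagrams per class; a quick sanity check for a collector."""
    return dict(Counter(classify(d, **facilities)[0] for d in datagrams))


# Constructed sample datagrams (the bodies are illustrative, not real ScreenOS output).
SAMPLE_DATAGRAMS = [
    "<132>ns-fw: constructed security event: SYN flood threshold exceeded",  # local0, warning
    "<142>ns-fw: constructed regular event: admin login from console",      # local1, info
    "<142>ns-fw: constructed regular event: system uptime report",          # local1, info
    "<158>ns-fw: constructed stray event on local3",                        # local3, info
]

if __name__ == "__main__":
    for d in SAMPLE_DATAGRAMS:
        label, msg = classify(d)
        print(f"{label:<10} facility={msg.facility} "
              f"severity={SEVERITY_NAMES[msg.severity]} {msg.body}")
    print(summarize(SAMPLE_DATAGRAMS))
```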
system
Description: Use the system command to display general system information.
Syntax
get
get system
Keywords and Variables
None.
tech-support
Description: Use the tech-support command to display system information for troubleshooting the NetScreen device.
Syntax
get
get tech-support
Keywords and Variables
None.
timer
Description: Use the timer commands to display timer settings, or to configure the NetScreen device to automatically execute management or diagnosis at a specified time.
All timer settings remain in the configuration script even after the specified time has expired.
Syntax
get
get timer
set
set timer date_str time_str action reset
unset
unset timer id_num
Keywords and Variables
Variable Parameters
set timer date_str time_str action reset
unset timer id_num
action
set timer date_str time_str action reset
reset
set timer date_str time_str action reset
Example: The following command configures NetScreen to reset at a given time and date:
set timer 1/31/2000 19:00 action reset
date_str Specifies the date when the NetScreen device executes the defined action. Date is in mm/dd/yyyy format.
time_str Specifies the time when the NetScreen device executes the defined action. Time is in hh:mm format.
id_num Identifies the specific action by its ID number in the list of timer settings generated by the set timer command.
action Defines the event that the command triggers at the given date and time.
reset Resets the timer.
trace-route
Description: Use the trace-route command to display the route to a host.
Syntax
trace-route { ip_addr | name_str }
[ hop number [ time-out number ] ]
Keywords and Variables
Variable Parameters
trace-route ip_addr
trace-route name_str
hop
trace-route { ip_addr | name_str } hop number [ ... ]
Example: The following command:
• evaluates and displays up to four route trace hops
• sends the output to a host with IP address 172.16.10.10
trace-route 172.16.10.10 hop 4
ip_addr | name_str The IP address (ip_addr) or object name (name_str) of the host.
hop The maximum number of trace route hops (number) to evaluate and display.
time-out
trace-route { ip_addr | name_str } hop number time-out number
Example: The following command:
• evaluates and displays up to four route trace hops
• sends the output to a host with IP address 172.16.10.10
• specifies a timeout value of four seconds
trace-route 172.16.10.10 hop 4 time-out 4
time-out Specifies the amount of time in seconds (number) to elapse before abandoning the route trace.
traffic-shaping
Description: Use the traffic-shaping commands to determine the settings for the system with the traffic-shaping function, or to display information on traffic management device interfaces.
Syntax
get
get traffic-shaping { interface [ interface ] | ip_precedence | mode }
set
set traffic-shaping { ip_precedence number1 number2 number3 number4 number5 number6 number7 number8 | mode { auto | off | on } }
unset
unset traffic-shaping { ip_precedence | mode }
Keywords and Variables
interface
get traffic-shaping interface [ interface ]
ip_precedence
get traffic-shaping ip_precedence
set traffic-shaping ip_precedence number1 number2 number3 number4 number5 number6 number7 number8
unset traffic-shaping ip_precedence
mode
get traffic-shaping mode
set traffic-shaping mode { auto | off | on }
unset traffic-shaping mode
Defaults
By default, the traffic shaping function is set to automatic mode.
interface Displays the traffic shaping info for an interface.
ip_precedence Specifies the Priorities 0 through 7 for IP precedence (TOS) mapping. Each setting should be a single-digit value.
mode Defines the mode settings for the system with the traffic-shaping function. If you select auto, the system automatically determines the mode settings. If there is at least one policy in the system with traffic-shaping turned on, the system automatically sets the mode to on. If there is no such policy, the auto mode default setting is off.
url
Description: Use the url commands to enable or disable URL filtering, or to display URL filter settings.
Syntax
clear
clear [ cluster ] url no-block interface1 interface2
get
get url
set
set url { config { disable | enable } | fail-mode { block | permit } | message string | msg-type number | no-block interface1 interface2 | server { name_str | ip_addr } port_num number }
unset
unset url { config | fail-mode | message | msg-type | no-block | server }
Note: A Websense server provides the URL filtering.
Keywords and Variables
cluster
clear cluster url no-block interface1 interface2
config
set url config { disable | enable }
unset url config
fail-mode
set url fail-mode { block | permit }
unset url fail-mode
message
set url message string
unset url message
Example: The following command defines the URL blocking message to “This site is blocked”:
set url message “This site is blocked”
cluster Propagates the clear operation to all other devices in an NSRP cluster.
config Enables or disables URL filtering by the Websense server.
fail-mode If connection to the Websense server is lost, this either blocks or permits all HTTP requests.
message string Defines a custom message, fewer than 220 characters in length, to send to the client who is blocked from reaching a URL.
msg-type
set url msg-type number
unset url msg-type
Example: The following command enables the user-defined message:
set url msg-type 1
no-block
clear [ cluster ] url no-block interface1 interface2
set url no-block interface1 interface2
unset url no-block
Example: The following command disables blocking from interface ethernet3/1 to interface ethernet4/2:
set url no-block ethernet3/1 ethernet4/2
server
set url server { name_str | ip_addr } port_num number
msg-type A 0 uses the message sent by the Websense server. A 1 uses the user-defined message from the NetScreen device.
no-block Disables blocking from one interface (interface1) to another interface (interface2).
unset url server
Example: The following command:
• specifies communication with a Websense server with the IP address 172.16.150.6
• specifies port 15868
• sets a timeout value of 10 seconds
set url server 172.16.150.6 15868 10
Defaults
The default port number for a Websense server is 15868. The default fail-mode behavior is to block all HTTP requests.
server Defines communication with a Websense server with a domain name (www.abc.com) or IP address ip_addr, using port number port_num with a timeout value number in seconds. The timeout value specifies how long the NetScreen device waits for a response from the Websense server before it either blocks or permits traffic to the URL.
user
Description: Use the user commands to create, remove, or display entries in the internal user authentication database. The basic user categories are as follows:
• Dialup users (for using Manual Key VPNs)
• Authentication users (for using network connections)
• IKE users (for using AutoKey IKE VPNs)
• L2TP users (for using L2TP tunnels)
• XAUTH users
Syntax
get
get user { name_str | all | id id_num }
set
set user name_str { dialup spi_num spi_num
{ ah { md5 | sha-1 } { key key_hex | password pswd_str } | esp
{ 3des | des | aes128 | aes192 | aes256
{ key key_hex | password pswd_str } | null [ auth { md5 | sha-1 } { key key_hex | password pswd_str } ] }
outgoing-interface interface } |
disable | enable | ike-id
{ asn1-dn container string [ wildcard string ] [ share-limit number ] | fqdn name_str | ip ip_addr | u-fqdn name_str } |
password pswd_str | remote-settings
{ dns1 ip_addr | dns2 ip_addr | ipaddr ip_addr | ippool name_str | wins1 ip_addr | wins2 ip_addr } |
type { [ auth ] [ ike ] [ l2tp ] [ xauth ] } | uid id_num }
unset
unset user name_str [ remote-settings { dns1 | dns2 | ipaddr | ippool | wins1 | wins2 } | type [ auth ] [ ike ] [ l2tp ] [ xauth ] ]
Keywords and Variables
Variable Parameters
get user name_str
set user name_str { ... }
unset user name_str [ ... ]
Examples: The following command displays a user named “roger”:
get user roger
The following command deletes the user named jane:
unset user jane
all
get user all
user Defines the user’s name.
all Displays the following information for all the entries in the internal user database:
• User ID number
• User name
• Status (enabled or disabled)
• User type
• IKE ID types – email address, IP address, or domain name
• IKE identities
• Manual Key settings
dialup
set user name_str dialup spi_num spi_num { ... }
set user name_str dialup spi_num spi_num ah { md5 | sha-1 } { key key_hex | password pswd_str }
set user name_str dialup spi_num spi_num esp { 3des | des | aes128 | aes192 | aes256
{ key key_hex | password pswd_str } | null [ auth { md5 | sha-1 } { key key_hex | password pswd_str } ]
dialup Defines local and remote security parameter index (SPI) numbers that uniquely distinguish a particular encrypted tunnel from any others. This parameter must be a hexadecimal value between 1000 and 2fffffff. The local SPI number at one end serves as the remote SPI number at the other end and vice-versa. (For Manual Key VPN method only.)
ah Defines the use of the Authentication Header (AH) protocol. Choices are MD5 and SHA-1. (Note: Some NetScreen devices do not support SHA-1.)
esp Defines the use of the Encapsulating Security Payload (ESP) protocol. For VPN dialup users and dynamic peers.
• des Specifies Data Encryption Standard (DES), 56-bit encryption.
• 3des Specifies Triple Data Encryption Standard (3DES), 112-bit encryption.
• aes128 Specifies Advanced Encryption Standard (AES), 128-bit encryption.
• aes192 Specifies Advanced Encryption Standard (AES), 192-bit encryption.
• aes256 Specifies Advanced Encryption Standard (AES), 256-bit encryption.
• auth Defines the use of an authentication method. Choices are MD5 or SHA-1. (Note: Some NetScreen devices do not support SHA-1.)
- md5 Sets the device to use the Message Digest version 5 (MD5) algorithm for authentication.
- sha-1 Sets the device to use the Secure Hash Algorithm (SHA-1) algorithm for authentication.
Examples: The following command:
• sets up a dialup user named maryj
• specifies SPI parameters 3456 and 7890
• configures the user for DES ESP encryption
• assigns the user a password of “ipsecmaryj”
set user maryj dialup 3456 7890 esp des password ipsecmaryj
The following command:
• sets up a dialup user named smith_mkt
• specifies SPI parameters 3003 and 4004
• configures the user for Triple-DES ESP encryption
• assigns the user a password of “swordfish”
set user smith_mkt dialup 3003 4004 esp 3des password swordfish
disable | enable
set user name_str disable
set user name_str enable
id
get user id id_num
Example: The following command displays a particular user with user ID “10”:
get user id 10
disable | enable Disables or enables the user in the internal database. By default, the user is disabled. If you set a password for the user, the user becomes automatically enabled.
id Displays information on the user, identified by id_num. This option displays the same information as the get user name_str option.
ike-id
set user name_str ike-id { ... }
Examples: The following command creates an IKE user named branchsf with the IKE-ID number 2.2.2.2:
set user branchsf ike-id ip 2.2.2.2
The following command:
• creates a new user definition named “market”
• configures the user definition to recognize up to 10 hosts
• specifies that the hosts must possess certificates containing “ACME” in the O field, and “Marketing” in the OU field
set user “market” ike-id asn1-dn wildcard “o=ACME,ou=Marketing” share-limit 10
(This command uses Group IKE ID, which allows multiple hosts to use a single user definition. For more information on Group IKE ID, see the NetScreen Concepts and Examples Reference Guide.)
ike-id { ip_addr | name_str }
Adds and defines an AutoKey IKE dialup user.
• ip ip_addr The IP address of the dialup user.
• fqdn name_str The Fully Qualified Domain Name, the complete string, such as www.netscreen.com.
• u-fqdn name_str Specifies the dialup user identity, usually equivalent to an email address such as [email protected].
• asn1-dn Specifies the user certificate distinguished name fields, and field values that define user identity.
- container string Specifies a container identity. This identity allows multiple identity fields for each type (CN, OU, O, L, ST, C, and E). To match a local ASN1_DN identity, the peer IKE identity fields must match all identity fields specified in the container identity. The NetScreen device does not check any undefined container fields. Field sequence must be identical.
- wildcard string Specifies a wildcard identity. This identity allows only one identity field for each type (CN, OU, O, L, ST, C, and E). To match a local ASN1_DN identity configuration, the peer IKE identity must contain fields matching all non-empty identity fields specified in the wildcard identity. For example, the wildcard identity o=ACME,ou=Marketing allows tunnel communication with any user whose certificate contains these field values. The NetScreen device does not check any undefined wildcard fields. Field sequence is not important.
• share-limit number Specifies the number of users that can establish tunnels concurrently using this identity. When this number is larger than 1, the NetScreen device treats it as a Group IKE ID user. With Group IKE ID, multiple dialup users can establish tunnels using partial IKE identities.
key
set user name_str dialup spi_num spi_num { ... } key key_hex
null
set user name_str dialup spi_num spi_num esp null [ ... ]
password
set user name_str password pswd_str
key Defines a hexadecimal key value.
• The 192-bit hexadecimal key used in the 3DES algorithm. This value must be between 1000 and 2fffffff.
• The 64-bit hexadecimal key used in the DES algorithm.
• The 16-byte hexadecimal key used in the MD5 algorithm.
• The 20-byte hexadecimal key used in the SHA-1 algorithm.
null Specifies “no encryption method” for the ESP protocol.
password Defines a top-level password, used to authenticate the firewall, L2TP, IKE or XAUTH user.
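A pre-deployment check for the dialup syntax, SPI range and key sizes given above, as an added example that is not part of the guide: it parses a set user ... dialup command, verifies that both SPIs are hexadecimal values between 1000 and 2fffffff, and checks that any key key_hex has the length the guide states for its algorithm (DES 64-bit, 3DES 192-bit, AES 128/192/256-bit, MD5 16 bytes, SHA-1 20 bytes). The grammar it accepts is a simplified reading of the syntax lines above; the defective commands it is run against are constructed.

```python
"""Lint "set user <name> dialup <spi> <spi> ..." commands before they are pushed.

Added example, not part of the CLI guide. It checks the constraints the guide
states: SPIs are hexadecimal values between 1000 and 2fffffff, and a "key"
value must have the exact length of the algorithm's key (DES 64-bit, 3DES
192-bit, AES 128/192/256-bit, MD5 16 bytes, SHA-1 20 bytes). The grammar
accepted here is a simplified reading of the guide's syntax lines.
"""
import re

SPI_MIN, SPI_MAX = 0x1000, 0x2FFFFFFF

# Expected key length in hex digits (two digits per byte).
KEY_HEX_LEN = {
    "des": 16, "3des": 48, "aes128": 32, "aes192": 48, "aes256": 64,
    "md5": 32, "sha-1": 40,
}
CIPHERS = {"3des", "des", "aes128", "aes192", "aes256", "null"}
HASHES = {"md5", "sha-1"}
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def _check_spi(token: str, which: str, problems: list) -> None:
    if not HEX_RE.fullmatch(token):
        problems.append(f"{which} SPI {token!r} is not hexadecimal")
        return
    if not SPI_MIN <= int(token, 16) <= SPI_MAX:
        problems.append(f"{which} SPI {token} outside 1000..2fffffff")


def _take_keyspec(tokens: list, pos: int, algorithm: str, problems: list) -> int:
    """Consume 'key <hex>' or 'password <str>' at tokens[pos]; return the next position."""
    if pos >= len(tokens):
        problems.append(f"missing key or password after {algorithm}")
        return pos
    kind = tokens[pos]
    if kind == "password":
        if pos + 1 >= len(tokens):
            problems.append("password keyword without a value")
        return pos + 2
    if kind == "key":
        if pos + 1 >= len(tokens):
            problems.append("key keyword without a value")
            return pos + 1
        hexkey, want = tokens[pos + 1], KEY_HEX_LEN[algorithm]
        if not HEX_RE.fullmatch(hexkey):
            problems.append(f"key for {algorithm} is not hexadecimal")
        elif len(hexkey) != want:
            problems.append(f"key for {algorithm} has {len(hexkey)} hex digits, expected {want}")
        return pos + 2
    problems.append(f"expected key or password after {algorithm}, got {kind!r}")
    return pos


def lint_dialup_command(command: str) -> list:
    """Return a list of problems; an empty list means every check passed."""
    problems: list = []
    t = command.split()
    if len(t) < 6 or t[:2] != ["set", "user"] or t[3] != "dialup":
        return ["not a 'set user <name> dialup <spi> <spi> ...' command"]
    _check_spi(t[4], "local", problems)
    _check_spi(t[5], "remote", problems)
    pos = 6
    if pos >= len(t) or t[pos] not in ("ah", "esp"):
        problems.append("expected 'ah' or 'esp' after the SPI pair")
        return problems
    if t[pos] == "ah":
        if pos + 1 < len(t) and t[pos + 1] in HASHES:
            pos = _take_keyspec(t, pos + 2, t[pos + 1], problems)
        else:
            problems.append("ah requires md5 or sha-1")
            return problems
    else:  # esp: cipher, its key material unless null, then optional auth
        if pos + 1 < len(t) and t[pos + 1] in CIPHERS:
            cipher = t[pos + 1]
            pos += 2
            if cipher != "null":
                pos = _take_keyspec(t, pos, cipher, problems)
        else:
            problems.append("esp requires 3des, des, aes128, aes192, aes256 or null")
            return problems
        if pos < len(t) and t[pos] == "auth":
            if pos + 1 < len(t) and t[pos + 1] in HASHES:
                pos = _take_keyspec(t, pos + 2, t[pos + 1], problems)
            else:
                problems.append("auth requires md5 or sha-1")
    if pos < len(t):
        problems.append(f"unexpected trailing tokens: {' '.join(t[pos:])}")
    return problems


# The two commands from the guide's examples, plus constructed ones.
SAMPLE_COMMANDS = [
    "set user maryj dialup 3456 7890 esp des password ipsecmaryj",
    "set user smith_mkt dialup 3003 4004 esp 3des password swordfish",
    "set user bob dialup 0fff 4004 esp des key 0123456789abcd",          # constructed: SPI low, key short
    "set user ann dialup 2000 3000 esp null auth md5 key " + "ab" * 16,  # constructed: valid
]

if __name__ == "__main__":
    for cmd in SAMPLE_COMMANDS:
        print(cmd)
        for p in lint_dialup_command(cmd) or ["ok"]:
            print("   ", p)
```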
Example: The following command creates an authentication user in the NetScreen internal database for user guest with the password JnPc3g12:
set user guest password JnPc3g12
type
set user name_str type { [ auth ] [ ike ] [ l2tp ] [ xauth ] }
Example: The following command changes the user guest to an authentication/L2TP user:
set user guest type auth l2tp
type Sets the user type, in any of the following combinations, where A = authentication, I = IKE, L = L2TP, X = XAUTH: auth, ike, l2tp, xauth, auth ike l2tp xauth, auth ike, auth l2tp, auth xauth, ike l2tp, ike xauth, l2tp xauth, auth ike l2tp, auth l2tp xauth, or ike l2tp xauth.
user-group
Description: Use the user-group commands to create or delete a dialup user group, to configure it, or to add or remove a user from it.
Syntax
get
get user-group { name_str | all | external | id id_num | local }
set
set user-group name_str { id id_num | location { external | local } | type
{ manual | [ auth ] [ ike ] [ l2tp ] [ xauth ] } |
user name_str }
unset
unset user-group { name_str [ location | type | user name_str ] | id id_num }
Keywords and Variables
Variable Parameters
get user-group name_str
set user-group name_str { ... }
unset user-group name_str [ ... ]
Example: The following command displays the contents of a user group named Corp_Dial:
get user-group Corp_Dial
all
get user-group all
external
get user-group external
name_str Specifies the name of the user group.
all Displays all existing user groups.
external Displays all external user groups.
id
get user-group id id_num
set user-group name_str id id_num
unset user-group name_str [ ... ]
Example: The following command creates a user group named Corp_Dial, and assigns the group an ID of 10:
set user-group Corp_Dial id 10
local
get user-group local
location
set user-group name_str location { external | local }
unset user-group name_str location
id Identifies the user group with an identification number id_num.
name_str Specifies the name of the user group.
local Displays all local user groups.
location Specifies the location of the user group.
type
set user-group name_str type { ... }
user
set user-group name_str user name_str
unset user-group name_str user name_str
Examples: The following commands:
• create a new dialup user named guest
• create a dialup user group named Corp_Dial with ID 1010
• assign the new user to the user group:
set user guest password JnPc3g12
set user-group Corp_Dial location local
set user-group Corp_Dial user guest
The following command removes the user guest from the group:
unset user-group Corp_Dial user guest
type Specifies the type of user group.
• manual specifies manual users.
• auth specifies firewall users.
• ike specifies AutoKey IKE users.
• l2tp specifies L2TP users.
• xauth specifies XAUTH users.
user name_str Specifies an individual user.
vip
Description: Use the vip commands to display the Virtual IP (VIP) configuration settings.
Syntax
get
get vip [ ip_addr { port port_num | port-status } | server | session ]
set
set vip [ ip_addr1
{ port_num svc_name ip_addr2 [ manual ] | + svc_name ip_addr2 [ manual ] } |
multi-port ]
Keywords and Variables
Variable Parameters
get vip ip_addr { ... }
set vip ip_addr1 port_num svc_name ip_addr2 [ ... ]
set vip ip_addr1 + svc_name ip_addr2 [ ... ]
Example: The following command creates a VIP (10.10.1.1) for interface ethernet3 (172.16.20.200), for accessing the HTTP service (port 80):
set vip 10.10.1.1 80 HTTP 172.16.20.200
manual
set vip ip_addr1 port_num svc_name ip_addr2 manual
set vip ip_addr1 + svc_name ip_addr2 manual
multi-port
set vip multi-port
ip_addr | ip_addr1 Identifies the interface receiving traffic to VIPs.
port_num Identifies a logical port.
svc_name Identifies a service, such as HTTP or MAIL.
ip_addr2 Specifies the VIP address.
manual Enables server auto-detection.
multi-port Enables creation of multiple virtual ports.
server
get vip server
session
get vip session
Defaults
If no server or session is specified, the get vip command displays all configured VIPs by default.
server Displays the load balance status of servers receiving traffic to VIPs.
session Displays the load balance session table, which shows balanced distribution of currently active VIP sessions.
vpn
Description: Use the vpn commands to create or remove a Virtual Private Network (VPN) tunnel, or to display current VPN tunnel parameters.
NetScreen devices support two key methods for VPNs, AutoKey IKE and Manual Key. AutoKey IKE (Internet Key Exchange) is a standard protocol that automatically regenerates encryption keys at user-defined intervals. Manual Key VPNs use predefined keys that remain unchanged until the participants change them explicitly.
Syntax
get
get vpn [ name_str [ detail ] | auto | manual | proxy-id | sync-frequency ]
set
set vpn name_str gateway { name_str | ip_addr } [ replay | no-replay ]
[ transport | tunnel ] [ idletime number ]
{ proposal [ name_str1 [ name_str2 [ name_str3 [ name_str4 ] ] ] ] | sec-level { basic | compatible | standard } }
set vpn name_str manual spi_num1 spi_num2 gateway ip_addr [ nat-traversal
[ keepalive-frequency number ] [ udp-checksum ]
[ ip-gateway-public ip_addr ] { port-gateway-public number }
] [ outgoing-interface interface ]
{ ah { md5 | sha-1 }
{ key key_str | password pswd_str }
esp { aes128 | aes192 | aes256 | des | 3des
{ key key_str | password pswd_str } | null }
[ auth md5 | sha-1
{ key key_str | password pswd_str }
] }
set vpn name_str { bind { interface interface | zone name_str } | df-bit { clear | copy | set } | monitor [ source-interface interface ] | nat-traversal
[ keepalive-frequency number ] [ udp-checksum ]
[ ip-gateway-public ip_addr ] port-gateway-public number
] | proxy-id local-ip ip_addr/mask remote-ip ip_addr/mask svc_name }
unset
unset vpn vpn_name [ bind { interface | zone } | monitor | nat-traversal [ udp-checksum ] | proxy-id ]
�4888��5��$��*$�4+���5
:6����
... ] ah { ... }
ket content.
8-bit)
shing algorithm. (160-bit)
exidecimal key, which the from the message.s to generate an encryption or
���������������� ���������!�
2�3;��!��"�!��"��"�%��
���������'���������
get vpn name_str [ ... ]
Example: The following command displays a VPN named “branch”:
get vpn branch
��
set vpn name_str manual spi_num1 spi_num2 gateway ip_addr [
Example: The following command:
• creates a VPN tunnel named “Mkt_vpn”
• specifies a manual key
• specifies local and remote SPI values 2002 and 3003
• specifies gateway 172.16.10.10
• specifies AH protocol for IP packet authentication
name_str Defines a name for the VPN.
ah Specifies Authentication Header (AH) protocol to authenticate IP pac
• md5 Specifies the Message Digest 5 (MD5) hashing algorithm. (12
• sha-1Specifies the Secure Hash Algorithm (version) 1 (SHA-1) ha
The key key_str value defines a 16-byte (MD5) or 20-byte (SHA-1) hNetScreen device uses to produce a 96-bit message digest (or hash)password pswd_str Specifies a password the NetScreen device useauthentication key automatically.
�4888��5��$��*$�4+���5
:6:���
-1 password swordfish
}
unnel zone:
ding.
���������������� ���������!�
• specifies SHA-1 hashing
• assigns to the tunnel password “swordfish”
set vpn Mkt_vpn manual 2002 3003 gateway 172.16.10.10 ah sha
����
get vpn auto
Example: The following command displays all AutoKey IKE VPNs:
get vpn auto
����
set vpn name_str bind { interface interface | zone name_str
unset vpn vpn_name bind { interface | zone }
Example: The following command binds the VPN tunnel Mkt_vpn to the custom-t
set vpn Mkt_vpn bind zone untrust-tun
auto Displays all AutoKey IKE VPNs.
bind Binds VPN tunnel to a tunnel interface or a security zone.
• interface interface specifies the tunnel interface to use for VPN bin
• zone name_str specifies the security zone to use for VPN binding.

df-bit
set vpn name_str df-bit { clear | copy | set }
df-bit Determines how the NetScreen device handles the Don’t Fragment (DF) bit in the outer header.
• clear clears (disables) the DF bit from the outer header. This is the default value.
• copy copies the DF bit to the outer header.
• set sets (enables) the DF bit in the outer header.

esp
set vpn name_str manual spi_num1 spi_num2 gateway ip_addr esp { ... }
Example: The following command:
• creates a VPN tunnel named “Mkt_vpn”
• specifies a manual key
• specifies local and remote SPI values 2002 and 3003
• specifies gateway 172.16.10.10
• specifies ESP Triple-DES protocol for IP packet authentication
• assigns to the tunnel password “swordfish”
set vpn Mkt_vpn manual 2002 3003 gateway 172.16.10.10 esp 3des password swordfish
esp Specifies the use of the Encapsulating Security Payload (ESP) protocol, which the NetScreen device uses to encrypt and authenticate IP packets.
• aes128 Specifies Advanced Encryption Standard (AES). The key key_str value defines a 128-bit hexadecimal key.
• aes192 Specifies Advanced Encryption Standard (AES). The key key_str value defines a 192-bit hexadecimal key.
• aes256 Specifies Advanced Encryption Standard (AES). The key key_str value defines a 256-bit hexadecimal key.
• des Specifies Data Encryption Standard (DES). The key key_str value defines a 64-bit hexadecimal key (truncated to 56 bits).
• 3des Specifies Triple Data Encryption Standard (3DES). The key key_str value defines a 192-bit hexadecimal key (truncated to 168 bits).
• null Specifies no encryption. (When you specify this option, you must specify an authentication algorithm (MD5 or SHA-1) using the auth option.)
auth Specifies the use of an authentication (hashing) method. The available choices are MD5 or SHA-1. (Some NetScreen devices do not support SHA-1.) The key key_str value defines a 16-byte (MD5) or 20-byte (SHA-1) hexadecimal key, which the NetScreen device uses to produce a 96-bit message digest (or hash) from the message.
password pswd_str Specifies a password the NetScreen device uses to generate an encryption or authentication key automatically.

gateway
set vpn name_str gateway { name_str | ip_addr } [ ... ] { ... }
Examples: The following command:
• creates a manual VPN named “judy”
• specifies local and remote SPI values 3000 and 2FFFFFFF
• sets the remote gateway IP address 172.16.33.2
• specifies ESP with DES
• specifies MD5 hashing with password “judyvpn”
set vpn judy manual 3000 2FFFFFFF gateway 172.16.33.2 esp des password judyvpn auth md5 password judyvpn
The following command:
• creates an AutoKey IKE VPN named “tuval”
• specifies remote gateway “funaf”
• enables replay protection
• specifies a Phase 2 proposal consisting of a Diffie-Hellman Group 2 exchange
• specifies ESP with Triple DES and SHA-1 hashing
set vpn tuval gateway funaf.com replay proposal g2-esp-3des-sha
gateway Defines the Untrusted IP address (ip_addr) of the remote security gateway, or the name (name_str) of the remote security gateway. The gateway can be a NetScreen unit or any other IPSec-compatible device.
• idletime number The length of time in minutes that a connection can remain inactive before the NetScreen device terminates it.
• proposal name_str Defines up to four Phase 2 proposals. A Phase 2 proposal determines how a NetScreen device sends VPN session traffic.
• replay | no-replay Enables or disables replay protection. The default setting is no-replay.
• transport | tunnel Defines the IPSec mode. In tunnel mode, the active IP packet is encapsulated. In transport mode, no encapsulation occurs. Tunnel mode is appropriate when both end points in an exchange lie beyond gateway devices. Transport mode is appropriate when either end point is a gateway.

manual
get vpn name_str [ detail ] manual
set vpn name_str manual spi_num1 spi_num2 gateway ip_addr [ ... ]
manual Specifies a Manual Key VPN. When the NetScreen device is in Manual mode, you can encrypt and authenticate by HEX key or password.
spi_num1 and spi_num2 are 32-bit local and remote security parameters index (SPI) numbers. Each SPI number uniquely distinguishes a particular tunnel from any other active tunnel. Each must be a hexadecimal value between 3000 and 2fffffff. The local SPI corresponds to the remote SPI at the other end of the tunnel, and vice-versa.

monitor
set vpn name_str monitor [ ... ]
unset vpn name_str monitor
monitor Monitors the specified VPN sending SNMP MIB3 data and traps to an SNMP community. The source-interface interface option specifies the interface through which the NetScreen device sends monitor messages to a NetScreen-Remote client or a non-NetScreen peer device.

nat-traversal
set vpn name_str manual spi_num1 spi_num2 gateway ip_addr nat-traversal [ ... ] { ... }
set vpn name_str nat-traversal [ ... ]
unset vpn vpn_name nat-traversal [ ... ]
nat-traversal Configures the VPN to work with NAT.
• ip-gateway-public ip_addr Specifies the peer gateway’s public IP address.
• keepalive-frequency number Specifies the keepalive frequency.
• port-gateway-public number Specifies the peer gateway’s public IKE port number.
• udp-checksum Enables the NAT-Traversal UDP checksum.

outgoing-interface
set vpn name_str manual spi_num1 spi_num2 gateway ip_addr [ ... ] outgoing-interface interface { ... }
outgoing-interface The name of the outgoing interface. The interfaces you can use for the outgoing interface are as follows. For more information on interfaces, see “Interface Names” on page A-IV.

proxy-id
get vpn proxy-id
set vpn name_str proxy-id local-ip ip_addr/mask remote-ip ip_addr/mask svc_name
unset vpn vpn_name proxy-id
Example: The following command creates a VPN proxy configuration for a VPN (Sales) with the HTTP service:
set vpn Sales proxy-id local-ip 172.16.1.1/24 remote-ip 192.168.2.2/24 HTTP
proxy-id Specifies the combination of local and remote addresses used by the VPN tunnel, and specifies the service provided.
• local-ip ip_addr/mask The IP address and subnet mask of the local subnet.
• remote-ip ip_addr/mask The IP address of the remote subnet.
• svc_name The name of the service, such as FTP, TELNET, DNS or HTTP. (Specifying any enables all services.)

sec-level
set vpn name_str gateway { name_str | ip_addr } [ ... ] { ... } sec-level { basic | compatible | standard }
sec-level Specifies which pre-defined security proposal to use for IKE. The basic proposal provides basic-level security settings. The compatible proposal provides the most widely-used settings. The standard proposal provides settings recommended by NetScreen.

Defaults
The key lifetime is set to 3600 seconds.
The ESP authentication algorithm is NONE when not specified otherwise.
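To turn the manual-key syntax and keyword rules above into a check that can be run over a saved configuration, the following Python script is an added example, not code from the guide or from NetScreen. It assumes the `set vpn name_str manual ...` syntax exactly as documented here (SPI range, hex key lengths per algorithm, `esp null` needing `auth`); the sample commands in it are constructed, except the `judy` command, which is the guide's own example.

```python
"""Lint ScreenOS 'set vpn name_str manual ...' commands against the syntax above.

Added example; not code from the NetScreen CLI Reference Guide. It checks only what
the guide states: SPI values are hexadecimal between 3000 and 2fffffff, hex keys have
the documented length for their algorithm, and 'esp null' carries an auth algorithm.
It also reports ah, des and null as choices a reviewer should look at.
"""
import re

# Hex key length in bytes per algorithm, taken from the keyword descriptions above.
KEY_BYTES = {
    "md5": 16, "sha-1": 20,                    # ah / auth keys (16-byte and 20-byte)
    "aes128": 16, "aes192": 24, "aes256": 32,  # 128-, 192-, 256-bit keys
    "des": 8, "3des": 24,                      # 64-bit and 192-bit keys (parity included)
}
SPI_MIN, SPI_MAX = 0x3000, 0x2FFFFFFF
HEX_RE = re.compile(r"[0-9a-fA-F]+")


def _check_secret(tokens, i, alg, findings):
    """Consume '{ key key_str | password pswd_str }' at tokens[i]; return next index."""
    if i >= len(tokens) or tokens[i] not in ("key", "password"):
        findings.append(f"{alg}: expected 'key key_str' or 'password pswd_str'")
        return i
    value = tokens[i + 1] if i + 1 < len(tokens) else ""
    if tokens[i] == "key" and not (HEX_RE.fullmatch(value) and len(value) == 2 * KEY_BYTES[alg]):
        findings.append(f"{alg}: key must be {KEY_BYTES[alg]} hex bytes, got '{value}'")
    return i + 2


def lint_manual_vpn(cmd):
    """Return a list of findings for one command; an empty list means it passed."""
    tokens = cmd.split()
    findings = []
    if len(tokens) < 9 or tokens[:2] != ["set", "vpn"] or tokens[3] != "manual":
        return ["not a 'set vpn name_str manual ...' command"]
    # spi_num1 / spi_num2: hexadecimal, 3000..2fffffff
    for label, spi in (("local", tokens[4]), ("remote", tokens[5])):
        try:
            if not SPI_MIN <= int(spi, 16) <= SPI_MAX:
                findings.append(f"{label} SPI {spi} outside 3000..2fffffff")
        except ValueError:
            findings.append(f"{label} SPI '{spi}' is not hexadecimal")
    if tokens[6] != "gateway":
        findings.append("missing 'gateway ip_addr'")
    # optional nat-traversal / outgoing-interface tokens sit before ah or esp
    start = next((k for k in range(8, len(tokens)) if tokens[k] in ("ah", "esp")), None)
    if start is None:
        findings.append("missing 'ah' or 'esp'")
        return findings
    proto = tokens[start]
    alg = tokens[start + 1] if start + 1 < len(tokens) else ""
    if proto == "ah":
        if alg not in ("md5", "sha-1"):
            findings.append(f"ah: unknown algorithm '{alg}'")
        else:
            _check_secret(tokens, start + 2, alg, findings)
        findings.append("ah: packets are authenticated but not encrypted")
        return findings
    # esp: cipher followed by its secret, then an optional auth clause
    if alg == "null":
        i = start + 2
    elif alg in KEY_BYTES and alg not in ("md5", "sha-1"):
        i = _check_secret(tokens, start + 2, alg, findings)
    else:
        findings.append(f"esp: unknown algorithm '{alg}'")
        return findings
    if alg == "des":
        findings.append("esp des: 56-bit effective key, weak")
    has_auth = i < len(tokens) and tokens[i] == "auth"
    if alg == "null":
        if not has_auth:
            findings.append("esp null requires 'auth { md5 | sha-1 }'")
        findings.append("esp null: traffic is authenticated but not encrypted")
    if has_auth:
        halg = tokens[i + 1] if i + 1 < len(tokens) else ""
        if halg in ("md5", "sha-1"):
            _check_secret(tokens, i + 2, halg, findings)
        else:
            findings.append(f"auth: unknown algorithm '{halg}'")
    return findings


if __name__ == "__main__":
    # Constructed samples: the guide's 'judy' command plus two deliberately bad ones.
    for line in (
        "set vpn judy manual 3000 2FFFFFFF gateway 172.16.33.2 esp des password judyvpn auth md5 password judyvpn",
        "set vpn t1 manual 2fff 30000000 gateway 10.0.0.1 ah md5 key " + "00" * 16,
        "set vpn t2 manual 3000 3001 gateway 10.0.0.1 esp null",
    ):
        print(line, "->", lint_manual_vpn(line) or ["ok"])
```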
vpn-group

Description: Use the vpn-group commands to define or remove VPN groups, or to display VPN groups.

Syntax
get
get vpn-group [ id id_num ]
set
set vpn-group id id_num [ vpn name_str [ weight number ] ]
unset
unset vpn-group id id_num [ vpn name_str [ weight number ] ]

Keywords and Variables

id
get vpn-group id id_num
set vpn-group id id_num [ ... ]
unset vpn-group id id_num [ ... ]
Example: The following commands:
• create an IKE gateway named “san_fran”
• create a VPN named “bay_area”
• place the VPN in a VPN group with ID 1001
• assign the VPN a weight of 1
• use the VPN group in a policy named “SF_CA”
set ike gateway san_fran ip 172.16.10.11 preshare bi273T1L proposal pre-g2-3des-md5
set vpn bay_area gateway san_fran replay proposal g2-esp-3des-sha
set vpn-group id 1001 vpn bay_area weight 1
set policy name SF_CA from trust to untrust 192.168.1.1 172.16.10.1 HTTP tunnel vpn-group 1001
id Specifies an identification number for the VPN group.

vpn
set vpn-group id id_num vpn name_str [ ... ]
unset vpn-group id id_num vpn name_str
vpn Specifies the name of a VPN to place in the VPN group.

weight
set vpn-group id id_num vpn name_str weight number
unset vpn-group id id_num vpn name_str weight number
weight Specifies a weight (priority) for the VPN relative to other VPNs in the group. The higher the number, the higher the priority.
vpnmonitor

Description: Use the vpnmonitor commands to set the monitor frequency and threshold.

Syntax
get
get vpnmonitor
set
set vpnmonitor { interval number | threshold number }
unset
unset vpnmonitor { interval | threshold }

Keywords and Variables

interval
set vpnmonitor interval number
unset vpnmonitor interval
interval Specifies the monitor frequency interval. The interval length in seconds is number multiplied by 10.

threshold
set vpnmonitor threshold number
unset vpnmonitor threshold
threshold Specifies the monitor threshold, the number of times the device can send vpnmonitor requests without getting a response, before the device sets VPN Link-Status to down.
vrouter

Description: Use the vrouter commands to configure the NetScreen device to perform as a local virtual router.
Executing the set vrouter name_str command without specifying further options places the CLI in the routing context. For example, the following command places the CLI in the trust-vr routing context:
set vrouter trust-vr
Once you initiate the routing context, all subsequent command executions apply to the specified local virtual router (trust-vr in this example). You can then initiate the bgp or ospf protocol context.
• To enter the bgp context, execute the set protocol bgp command.
ns(trust-vr)-> set protocol bgp
• To enter the ospf context, execute the set protocol ospf command.
ns(trust-vr)-> set protocol ospf
In the bgp or ospf protocol context, all command executions apply to the specified protocol.

Syntax
exec
exec vrouter name_str protocol bgp neighbor ip_addr { connect | disconnect | tcp-connect }
get
get vrouter name_str [ access-list | config | default-vrouter | interface | preference | protocol { bgp | ospf } | route [ id id_num | ip ip_addr | summary ] |
    route-map [ name_str [ config | number [ config | match | set ] ] ] | router-id | rule | zone ]
set
set vrouter name_str [ access-list id_num [ { permit | deny } ip ip_addr/mask number ] |
    add-default-route | auto-route-export | default-vrouter |
    export-to | import-from vrouter name_str route-map name_str [ default-route ] protocol { bgp | connected | ospf | imported | static } |
    max-routes number |
    preference { auto-exported number | ebgp number | ibgp number | connected number | ospf number | ospf-e2 number | imported number | static number } |
    protocol { bgp | ospf } |
    route ip_addr/mask { [ interface interface ] [ gateway ip_addr [ metric number ] [ tag id_num ] ] | vrouter name_str } |
    route-map { name name_str { permit | deny } number | name_str number
        [ local-pref number |
          [ match ] { as-path id_num | community id_num | interface interface1 [ interface2 [ interface3 [ interface4 ] ] ] |
                      ip id_num1 [ id_num2 [ id_num3 [ id_num4 ] ] ] | metric number | next-hop id_num1 [ id_num2 [ id_num3 [ id_num4 ] ] ] |
                      route-type | tag { id_num1 | ip_addr1 } [ id_num2 | ip_addr2 [ id_num3 | ip_addr3 [ id_num4 | ip_addr4 ] ] ] } |
          metric-type { type-1 | type-2 } | weight number ] } |
    router-id { id_num | ip_addr } | sharable ]
unset
unset vrouter name_str [ access-list id_num ip ip_addr/mask number | add-default-route | auto-route-export |
    export-to | import-from vrouter name_str route-map name_str protocol { bgp | connected | ospf | imported | static } |
    max-routes | preference { auto-exported | ebgp | ibgp | connected | ospf | ospf-e2 | imported | static } |
    protocol { bgp | ospf } | route ip_addr/mask [ vrouter name_str | [ interface interface ] gateway ip_addr ] |
    route-map name name_str number [ local-pref | [ match ] { as-path | community | interface | ip | metric | next-hop | route-type | tag } | metric-type | weight ] |
    router-id | sharable ]
Note: For more information on the protocol { bgp | ospf } options, see the bgp and ospf command descriptions.
Keywords and Variables

Variable Parameters
set vrouter name_str
Example: The following commands:
• activate the trust-vr routing context
• activate the BGP context
• execute the context-dependent command get config
set vrouter trust-vr
ns(trust-vr)-> set protocol bgp
ns(trust-vr/bgp)-> get config

add-default-route
set add-default-route vrouter name_str
unset add-default-route
add-default-route Adds a default route with the next hop as another virtual router. (This command is available only in the default virtual router of the current VSYS.)

auto-route-export
set vrouter name_str auto-route-export
unset vrouter name_str auto-route-export
auto-route-export Directs the local virtual router to export public interface routes to the untrust-vr vrouter.

access-list
get vrouter name_str access-list
set vrouter name_str access-list id_num [ ... ] { ... }
unset vrouter name_str access-list id_num ip ip_addr/mask number
Example: The following commands:
• activate the trust-vr routing context
• create an access list with ID number 1
• add an access-list entry that permits updates from neighbors in the address range 192.168.12.1/32
• specify a sequence number of 200
set vrouter trust-vr
set access-list 1
set access-list 1 permit ip 192.168.12.1/32 200
access-list Creates or removes an access list, or entries in an access list. Each entry permits (or denies) routes, according to IP prefixes, to or from specified neighbors. To identify the protocol, use the sequence number id_num. To identify the neighbors, use the ip ip_addr/mask parameter.
• permit Directs the local virtual router to permit the route.
• deny Directs the NetScreen device to deny the route.

config
get vrouter name_str config
config Displays configuration information about the local virtual router.
::����
e_str { ... }
ame_str { ... }
s the default router, or configures
ter (source), or to export routes to
.
ed or exported routes.
.
ateway Protocol (BGP) routes.
nnected routes.
ortest Path First (OSPF) routes.
earned routes to a different
utes.
fault route.
���������������� ���������!�
�� ���� !������
set vrouter name_str default-vrouter
�*���� ���%������� ���
set vrouter name_str { export-to | import-from } vrouter nam
unset vrouter name_str { export-to | import-from } vrouter n
����� ���
get vrouter name_str interface
default-vrouter Displays the virtual systems (VSYSs) that use the local virtual router athe local virtual router to be the default vrouter for a VSYS.
export-to | import-from
Directs the local virtual router to import routes from another virtual rouanother virtual router (destination).
• vrouter name_str identifies the source or destination virtual router
• route-map name_str identifies the route map that filters the import
• protocol Specifies the protocol for the imported or exported routes
- bgp Directs the local virtual router to import or export Border G
- connected Directs the local virtual router to import or export co
- ospf Directs the local virtual router to import or export Open Sh
- imported Directs the local virtual router to export pre-existing lprotocol and pass them on to other routers.
- static Directs the local virtual router to import or export static ro
• default-route Directs the virtual router to export and import the de
interface Displays the interfaces listed in the local virtual router.
�4888��5��$��*$�4+���5
:::���
ublic interfaces) that the device
ocol (EBGP) routes.
ol (IBGP) routes.
F) routes.
es.
d to another protocol and passed
���������������� ���������!�
��* ������
set vrouter name_str max-routes number
unset vrouter name_str max-routes
��� ������
get vrouter name_str preference
set vrouter name_str preference
unset vrouter name_str preference
max-routes Specifies the maximum number of routing entries.
preference Specifies route preference level based upon protocol.
• auto-exported Specifies preference levels for routes (defined on pautomatically exports to the untrust-vr virtual router.
• ebgp Specifies preference level for External Border Gateway Prot
• ibgp Specifies preference level for Internal Border Gateway Protoc
• connected Specifies preference level for connected routes.
• ospf Specifies preference level for Open Shortest Path First (OSP
• ospf-e2 Specifies preference level for OSPF External-Type-2 rout
• imported Specifies preference level for pre-existing routes exporteon to other routers.
• static Specifies preference level for static routes.
�4888��5��$��*$�4+���5
::����
_str [ ... ] protocol
me_str protocol { ... }
t. (For information on these l.)
nd has the following options:
evice (ip_addr).
or device (ip_addr).
addr).
���������������� ���������!�
��������
exec vrouter name_str protocol { ... }
get vrouter name_str protocol { bgp | ospf }
set vrouter name_str protocol { bgp | ospf }
set vrouter name_str { ... } vrouter name_str route-map name{ ... }
unset vrouter name_str { ... } vrouter name_str route-map na
unset vrouter name_str protocol { bgp | ospf }
protocol Places the NetScreen device in the BGP context or the OSPF contexcontexts, see the bgp and ospf command descriptions in this manua
The exec vrouter name_str protocol bgp neighbor ip_addr comma
• connect Establishes a BGP connection to the specified neighbor d
• disconnect Terminates a BGP connection to the specified neighb
• tcp-connect Tests the TCP connection to the neighbor device (ip_
�4888��5��$��*$�4+���5
::7���
y ]
] [ route id_num ] ] |
ric value specifies the cost of the
���������������� ���������!�
�����
get vrouter name_str route [ id id_num | ip ip_addr | summar
set vrouter name_str route ip_addr/mask { [ interface interface ] [ gateway ip_addr [ metric numbervrouter name_str }
unset vrouter name_str route ip_addr/mask [ vrouter name_str | [ interface interface ] gateway ip_addr ]
Example: The following commands:
• activate the trust-vr routing context
• create a route in the local virtual router trust-vr with prefix 192.168.100.1/32
• specify the next-hop gateway 172.16.1.1
• specify a metric of 2
• specify a tag of 4
set vrouter trust-vr
set route 192.168.100.1/32 gateway 172.16.1.1 metric 2 tag 4
route Configures routes for the local virtual router.
• gateway ip_addr Specifies the gateway for the next hop. The metroute.
• interface interface Specifies the routed interface.
• vrouter name_str Specifies a virtual router as the next hop.
• route id_num identifies the route with a numeric value.
�4888��5��$��*$�4+���5
::9���
_str [ ... ] { ... }
me_str { ... }
p entry (name_str) and specifies mine if the entry allows
g route map entry (name_str
ter progagates this attribute to nce value is the preferred path.
nt as-path, community, . (Descriptions of these
al router receives BGP updates
nity is a group of network to multiple neighbors or peer te a policy that applies to that
s up to four interfaces.
ress that the local virtual router
er the cost, and the more rets the metric value depends on
���������������� ���������!�
����� ���
get vrouter name_str route-map [ ... ]
set vrouter name_str { ... } vrouter name_str route-map name
unset vrouter name_str { ... } vrouter name_str route-map na
route-map Configures a route map entry for the local virtual router.With the name switch, the route-map option creates a new route maits sequence number (number). The permit and deny switches deterredistribution of routes to another virtual router or another protocol.Without the name switch, the route-map option configures an existinnumber).
local-pref number Specifies the path preference. The local virtual rouother routers in AS routing updates. The path with the highest prefere(Each path has a default local preference value of 100.)[ match ] Directs the local virtual router to base matches on the curreinterface, ip, metric, next-hop, route-type, or tag parameter settingparameters follow.)
• as-path id_num Specifies an AS path through which the local virtufrom a remote peer.
• community id_num Specifies a community list (id_num). A commudestinations used by a NetScreen device to apply a routing policy groups. Once the router entry is in the community list, you can crearouter and all other devices in the list.
• config Displays configuration on the route map entry.
• interface interface1 [ interface2 [ interface3 [ interface4 ] ] ] Specie
• ip id_num1 [ id_num2 [ id_num3 [ id_num4 ] ] ] Specifies an IP addcan filter through an access list.
• metric number The cost of the route. The lower this value, the lowpreferable the route over others. How the local virtual router interpthe route-type setting (described below).
�4888��5��$��*$�4+���5
::����
xt hops that the local virtual router
ntry.
es.
es.
up to four values, which can be IP addresses
���������������� ���������!�
Example: The following commands:
• activate the trust-vr routing context
• create a route-map named Mkt_Route
• enable the route-map
• assign the route-map map a sequence number of 200
set vrouter trust-vr
set route-map name Mkt_Route permit 200
������ ��
get vrouter name_str router-id
set vrouter name_str router-id { id_num | ip_addr }
• next-hop id_num1 [ id_num2 [ id_num3 [ id_num4 ] ] ] Specifies necan filter, using up to four access lists.
• route-type Specifies which kind of route matches the route map e
- internal-ospf Matches only the OSPF internal routes.
- type1-external-ospf Matches only external OSPF Type-1 rout
- type2-external-ospf Matches only external OSPF Type-2 rout
• tag Specifies a tag that identifies the route. This value can containany combination of identification numbers (id_num1...id_num4) or (ip_addr1...ip_addr4).
• metric-type Specifies the kind of metric used by the route.
- type-1 Specifies OSPF Type-1 route.
- type-2 Specifies OSPF Type-2 route.
• weight number Sets the weight of the matched route for BGP.
�4888��5��$��*$�4+���5
::����
em (VSYS).
���������������� ���������!�
unset vrouter name_str router-id
����
get vrouter name_str rule
��������
set vrouter name_str sharable
unset vrouter name_str sharable
.���
get vrouter name_str zone
router-id Identifies the router identification for BGP and OSPF.
rule Displays import and export rules for the local virtual router.
sharable Makes the root-level local virtual router accessible from a virtual syst
zone Displays the zones accessible through the local virtual router.
vsys

Description: Use the vsys commands to create and configure virtual systems from the root level of a NetScreen device.
Virtual systems allow you to logically partition a single NetScreen security system to provide multi-tenant services. Each virtual system (vsys) is a unique security domain and can have its own administrators, called “virtual system administrators” or “vsys admins”. Such administrators can individualize their security domain by setting their own address books, virtual routers, user lists, custom services, VPNs, and policies. (Only a root-level administrator can set firewall security options, create virtual system administrators, and define interfaces and subinterfaces.)
When you execute the set vsys command, the command prompt changes to indicate that you are now operating within a virtual system. Use the unset vsys command to remove a specific virtual system and all its settings.

Syntax
get
get vsys name_str
set
set vsys name_str [ vrouter { name [ name_str [ id id_num ] ] [ vsd number ] | share [ name_str | vsd number ] | vsd number } | vsd number ]
unset
unset vsys name_str

Keywords and Variables

Variable Parameters
Example: The following command creates a virtual system named Acme and switches the console to the new virtual system:
set vsys Acme_Org
name_str Defines the name of a virtual system and automatically places the root level admin within the virtual system. Subsequent commands configure the newly created virtual system.

vrouter
Examples: The following command creates a virtual system named Acme_Org, creates a virtual router named Acme_Router with ID 1025, and switches the console to the new virtual system:
set vsys Acme_Org vrouter name Acme_Router id 1025
The following command creates a virtual system named Acme_Org, and specifies a default, root-level virtual router (trust-vr):
set vsys Acme_Org vrouter share trust-vr
vrouter Defines and configures the default virtual router for the vsys.
• name Specifies a name for the virtual router.
- id id_num Assigns an identification number to the virtual router.
- vsd id_num See “vsd” on page 452.
• share Specifies a shared root-level virtual router to use as a default router.
• vsd id_num See “vsd” on page 452.

vsd
Examples: The following command creates a virtual system named Acme_Org, creates a virtual router named Acme_Router, creates a VSD ID 5, and switches the console to the new virtual system:
set vsys Acme_Org vrouter vsd 5
vsd Assigns a Virtual Security Device (VSD) group number to the virtual router. A VSD group is a pair of physical NetScreen devices (a master and a backup) that collectively comprise a single VSD. A VSD provides failover capability, allowing the backup device to take over if the master device fails. For more information on VSD groups, see the NetScreen Concepts and Examples ScreenOS Reference Guide.
:�����
2 1�-�rform WebAuth authentication.
���������������� ���������!�
Description: Use the webauth commands to configure the NetScreen device to pe
�3��".
���
get webauth [ banner ]
���
set webauth { banner success string | server name_str }
�����
unset webauth { banner success | server }
�4888��5��$��*$�4+���5
:�:���
auth service successful”:
uth”:
ccess.
���������������� ���������!�
2�3;��!��"�!��"��"�%��
��������������
get webauth banner
set webauth banner success string
unset webauth banner success
Example: The following command changes the Webauth success banner to “Web
set webauth banner success “Webauth service successful”
���!��
set webauth server name_str
unset webauth banner server
Example: The following command specifies a Webauth server named “Our_Weba
set webauth server Our_Webauth
1� "%��
The default banner value is Webauth Success.
banner success Specifies the banner (string) displayed in response to Webauth su
server Specifies the Webauth server name (name_str).
�4888��5��$��*$�4+���5
:�����
2 1� �(�WebTrends.
���������������� ���������!�
Description: Use the webtrends commands to configure the NetScreen device for
�3��".
���
get webtrends
���
set webtrends { VPN | enable | host-name name_str | port port_num }
�����
unset webtrends { VPN | enable | host-name name_str | port port_num }
�4888��5��$��*$�4+���5
:�7���
���������������� ���������!�2�3;��!��"�!��"��"�%��
!��
set webtrends VPN
������
set webtrends enable
���� ����
set webtrends host-name name_str
����
set webtrends port port_num
vpn Enables WebTrends VPN encryption.
enable Enables WebTrends.
host-name Specifies the WebTrends host name.
port port_num Specifies the WebTrends host port.
xauth

Description: Use the xauth commands to configure the NetScreen device to perform XAUTH authentication.

Syntax
get
get xauth { active | default | lifetime }
set
set xauth { default { auth server name_str [ chap ] [ query-config ] | dns1 ip_addr | dns2 ip_addr | ippool name_str | wins1 ip_addr | wins2 ip_addr } | lifetime number }
unset
unset xauth { default { dns1 | dns2 | ippool | wins1 | wins2 } | lifetime }

Keywords and Variables

active
get xauth active
active Displays all currently active XAUTH login instances.

default
get xauth default
set xauth default { ... }
unset xauth default { ... }
Example: The following command sets up the NetScreen device to use an XAUTH server (Our_Auth):
set xauth default auth server Our_Auth
default Sets or displays default XAUTH settings.
• auth server Identifies the XAUTH server by object name (name_str).
- chap Directs the NetScreen to use Challenge Handshake Authentication Protocol (CHAP) while performing authentication with the XAUTH server.
- query-config Sets or displays query client settings (such as IP address) from the external authentication server.
• dns1 Identifies the DNS primary server by ip address (ip_addr).
• dns2 Identifies the DNS secondary server by ip address (ip_addr).
• ippool Identifies the IP pool (name_str).
• wins1 Identifies the WINS primary server by ip address (ip_addr).
• wins2 Identifies the WINS secondary server by ip address (ip_addr).

lifetime
get xauth lifetime
set xauth lifetime number
unset xauth lifetime
Example: The following command specifies a maximum XAUTH session length of 30 minutes:
set xauth lifetime 30
lifetime number Specifies the maximum length of time (in minutes) that the XAUTH server holds resources (such as IP address) on behalf of the client.
zone
Description: Use the zone commands to create, remove, configure, or display a security zone.
Syntax
get
get zone [ id id_num | all | zone [ screen { all | attack | counter | info } ] ]
set
set zone { name zone { L2 id_num | tunnel zone } | zone
{ block | screen
{ block-frag | component-block | fin-no-ack | icmp-flood [ threshold number ] | icmp-fragment | icmp-large | ip-bad-option | ip-filter-src | ip-loose-src-route | ip-record-route | ip-security-opt | ip-spoofing [ drop-no-rpf-route ] | ip-stream-opt | ip-strict-src-route | ip-sweep [ threshold number ] | ip-timestamp-opt | land | limit-session [ source-ip-based number ] | mal-url { name_str id_str number | code-red } | ping-death | port-scan [ threshold number ] | syn-ack-ack-proxy [ threshold number ] | syn-fin | syn-flood
[ alarm-threshold number | attack-threshold number | destination-threshold number | drop-unknown-mac | queue-size number | source-threshold number | timeout number ] |
syn-frag | tcp-no-flag | tear-drop | udp-flood [ threshold number ] | unknown-protocol | winnuke } |
tcp-rst | vrouter name_str }
}
unset
unset zone zone { block | screen
{ block-frag | component-block | fin-no-ack | icmp-flood [ threshold ] | icmp-fragment | icmp-large | ip-bad-option | ip-filter-src | ip-loose-src-route | ip-record-route | ip-security-opt | ip-spoofing [ drop-no-rpf-route ] | ip-stream-opt | ip-strict-src-route | ip-sweep [ threshold ] | ip-timestamp-opt | land | limit-session [ source-ip-based ] | mal-url { name_str | code-red } | ping-death | port-scan [ threshold ] | syn-ack-ack-proxy [ threshold ] | syn-fin | syn-flood
[ alarm-threshold | attack-threshold | destination-threshold | drop-unknown-mac | queue-size | source-threshold | timeout ] |
syn-frag | tcp-no-flag | tear-drop | udp-flood [ threshold ] | unknown-protocol | winnuke } |
tcp-rst }
Keywords and Variables
Variable Parameters
get zone zone [ ... ]
set zone zone { ... }
unset zone zone { ... }
all
get zone all [ ... ]
block
set zone zone block
unset zone zone block
zone The name of the zone. For more information on zones and zone names, see "Security Zone Names" on page A-II.
all Displays information on all existing zones.
block Imposes intra-zone traffic blocking.
name
set zone name zone { ... }
name Creates a new zone with name zone.
• L2 id_num specifies that the zone is Layer-2 (for running the device in Transparent Mode). The ID number (id_num) identifies the VLAN to which the zone is bound. The name you specify (zone) must begin with "L2-".
• tunnel zone specifies that the new zone is a VPN tunnel zone, and identifies the tunnel-out zone (zone).
Examples: The following command creates a new Layer-2 zone named L2-Sales, with VLAN ID number 1:
set zone name L2-Sales L2 1
The following command creates a tunnel zone named Engineering, and specifies untrust as the out zone:
set zone name Engineering tunnel untrust
screen
set zone zone screen { ... }
unset zone zone screen { ... }
screen Enables or disables firewall attack screening services for the zone.
• block-frag Enables IP packet fragment blocking.
• component-block Attackers can hide malicious Java or ActiveX components in Web pages, and these components can install a Trojan Horse on the victim host. A Trojan Horse contains applets that can allow an outside party to access the victim host directly. Attackers can hide these components in compressed files, such as .zip, .gzip, and .tar, as well as in executable (.exe) files. Enabling the component-block feature blocks all embedded Java and ActiveX applets from Web pages.
• fin-no-ack Detects an illegal combination of flags (FIN set without ACK), and rejects packets that have them.
• icmp-flood [ threshold number ] Detects Internet Control Message Protocol (ICMP) floods. An ICMP flood occurs when ICMP echo requests are broadcast with the purpose of flooding a system with so much data that it first slows down, and then times out and is disconnected. The threshold defines the number of ICMP packets per second allowed to ping the same destination address before the NetScreen device rejects further ICMP packets. The range is 1 to 1,000,000.
• icmp-fragment Detects any ICMP frame with the More Fragments flag set, or with a non-zero value in the fragment offset field.
• icmp-large Detects any ICMP frame with an IP length greater than 1024.
• ip-bad-option Discards all received frames where the list of IP Options is malformed or incomplete.
• ip-filter-src Blocks all packets with the Source Route Option enabled. The Source Route Option can allow an attacker to use a false IP address to access a network, and have the traffic returned to the attacker's real IP address. The administrator can block all IP Source Routed frames, only those with Strict Source Routing, or only those with Loose Source Routing.
• ip-loose-src-route Detects packets with the loose source route option enabled.
• ip-record-route Discards all frames with the Record Route option enabled. With the Record Route option enabled, attackers might access information concerning the path between the attacker and the target device, thus gaining information about the protected network.
• ip-security-opt Discards all received frames with IP Security options set. These option settings conform to RFCs 1038 and 1108, which define various protection levels for frames, and the configuration of internetworking devices for forwarding frames throughout an internetwork.
• ip-spoofing Prevents spoofing attacks. Spoofing attacks occur when unauthorized agents attempt to bypass firewall security by imitating valid client IP addresses. With the ip-spoofing option, the device checks each packet's source IP address against its routing table and drops packets whose source address does not belong on the interface that received them. Only NetScreen devices running in NAT or Route mode can use this option. The drop-no-rpf-route option instructs the NetScreen device to also drop any packet whose source IP address has no matching route in the routing table (no reverse path). The device also drops the packet if the source IP address is reserved (non-routable, as with 127.0.0.1).
• ip-stream-opt Discards all frames with the IP SATNET Stream identifier option set.
• ip-strict-src-route Detects frames with the strict source route option enabled.
• ip-sweep [ threshold number ] Detects and prevents an IP Sweep attack. An IP Sweep attack occurs when an attacker sends ICMP echo requests (pings) to multiple destination addresses. If a target host replies, it reveals the target's IP address to the attacker. Set the IP Sweep threshold to between 1 and 1,000,000 microseconds. Each time ICMP echo requests occur with greater frequency than this limit, the NetScreen device drops further echo requests from the remote source address.
• ip-timestamp-opt Discards all frames with the timestamp option set.
• land Prevents Land attacks by combining the SYN flood defense mechanism with IP spoofing protection. Land attacks occur when an attacker sends spoofed IP packets with headers containing the target's IP address for both the source and destination IP addresses. The attacker sends these packets with the SYN flag set to any available port. This induces the target to create empty sessions with itself, filling its session table and overwhelming its resources.
• limit-session [ source-ip-based number ] Lets you define the maximum number of sessions the NetScreen device can establish per second (number) for a single source IP address.
• mal-url { name_str id_str number | code-red } Sets up a filter that scans HTTP packets for suspect URLs. The NetScreen device drops packets that contain such URLs. The code-red switch enables blocking of the code-red-worm virus. Using the name_str option works as follows.
- name_str A user-defined identification name.
- id_str Specifies the starting pattern to search for in the HTTP packet. Typically, this starting pattern begins with the HTTP command GET, followed by at least one space, plus the beginning of a URL. (The NetScreen device treats multiple spaces between the command "GET" and the character "/" at the start of the URL as a single space.)
- number Specifies a minimum length for the URL before the CR-LF.
• ping-death Detects and rejects oversized and irregular ICMP packets. Although the TCP/IP specification requires a specific packet size, many ping implementations allow larger packet sizes. This can trigger a range of adverse system reactions including crashing, freezing, and rebooting.
• port-scan [ threshold number ] Prevents port scan attacks. A port scan attack occurs when an attacker sends packets with different port numbers to scan available services. The attack succeeds if a port responds. To prevent this attack, the NetScreen device internally logs the number of different ports scanned from a single remote source. For example, if a remote host scans 10 ports in 0.005 seconds (equivalent to 5000 microseconds, the default threshold setting), the NetScreen device flags this as a port scan attack, and rejects further packets from the remote source. The port-scan threshold number value determines the threshold setting, which can be from 1000 to 1,000,000 microseconds.
• syn-ack-ack-proxy [ threshold number ] Prevents the SYN-ACK-ACK proxy attack. Such an attack occurs when an attacker establishes multiple Telnet sessions without allowing each session to terminate. This consumes all open slots, generating a Denial of Service condition.
• syn-fin Detects an illegal combination of flags (SYN and FIN set together) that attackers can use to consume sessions on the target device, thus resulting in a denial of service.
• syn-flood Detects and prevents SYN flood attacks. Such attacks occur when the connecting host continuously sends TCP SYN requests without replying to the corresponding SYN-ACK responses.
- alarm-threshold number Defines the number of proxied, half-complete connections per second at which the NetScreen device makes entries in the event alarm log.
- attack-threshold number Defines the number of SYN packets per second required to trigger the SYN proxying mechanism.
- destination-threshold number Defines the number of SYN packets per second sent to a single destination IP address, without corresponding ACK responses, before the NetScreen device starts dropping further connection requests to that destination.
- drop-unknown-mac Drops packets when they contain unknown destination MAC addresses.
- queue-size number Defines the number of proxied connection requests held in the proxied connection queue before the system starts rejecting new connection requests.
- source-threshold number Defines the number of SYN packets received (per second) from a single source IP address before the NetScreen device executes the SYN proxying mechanism.
- timeout number Defines the maximum length of time before a half-completed connection is dropped from the queue. You can set it between 1 and 50 seconds.
• syn-frag Detects a SYN fragment attack, and drops any packet fragments used for the attack. A SYN fragment attack floods the target host with SYN packet fragments. The host caches these fragments, waiting for the remaining fragments to arrive so it can reassemble them. By flooding a server or host with connections that cannot be completed, the host's memory buffer eventually fills. No further connections are possible, and damage to the host's operating system can occur.
• tcp-no-flag Drops an illegal packet with a missing or malformed TCP flags field.
• tear-drop Blocks the Teardrop attack. Teardrop attacks occur when fragmented IP packets overlap and cause the host attempting to reassemble the packets to crash. The tear-drop option directs the NetScreen device to drop any packets that have such a discrepancy.
• udp-flood [ threshold number ] UDP flooding occurs when an attacker sends UDP packets to slow down the system to the point that it can no longer process valid connection requests. The threshold number parameter is the number of packets allowed per second to the same destination IP address/port pair. When the number of packets exceeds this value within any one-second period, the NetScreen device generates an alarm and drops subsequent packets for the remainder of that second. The valid range is from 1 to 1,000,000.
• unknown-protocol Discards all received IP frames with protocol numbers greater than 100. Such protocol numbers are undefined or reserved.
• winnuke Detects attacks on Windows NetBIOS communications, modifies the packet as necessary, and passes it on. (Each WinNuke attack triggers an attack log entry in the event alarm log.)
Examples: The following command enables the ip-spoofing firewall service for the trust zone:
set zone trust screen ip-spoofing
The following command enables the ip-spoofing firewall service for the untrust zone, and instructs the device to drop any packet whose source IP address has no route in the routing table, or that has a non-routable source IP address:
set zone untrust screen ip-spoofing drop-no-rpf-route
The following command sets up a filter that scans HTTP packets for the code-red-worm virus and drops such packets:
set zone untrust screen mal-url code-red
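The mal-url filter described above matches on a starting pattern (id_str), treats repeated spaces between GET and the leading "/" as one space, and applies a minimum URL length (number) before the CR-LF. The following Python is an added example, not code from this reference or from ScreenOS, that models those three rules over constructed HTTP payloads. The code-red entry is an illustrative signature built from the well-known Code Red request prefix (GET /default.ida? followed by a long filler), not the pattern the device ships with, which the page does not give; the 200-byte minimum and the decision to measure the request-target (the token after GET) as the URL are assumptions.

```python
"""Model of the ScreenOS 'screen mal-url' HTTP URL filter described in the
zone command reference: drop a packet whose request line starts with the
configured pattern (id_str) and whose URL is at least 'number' long before
the CR-LF.  Added example; not code from the reference or from ScreenOS."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class MalUrlFilter:
    """One entry: set zone <zone> screen mal-url <name_str> <id_str> <number>."""
    name: str       # name_str: user-defined identification name
    pattern: str    # id_str: starting pattern, e.g. 'GET /default.ida?'
    min_len: int    # number: minimum URL length before the CR-LF


# Constructed filter set. The code-red entry is an illustrative signature
# built from the Code Red worm's request prefix, not the device's built-in
# code-red pattern (the page does not give it); 200 is an assumed minimum.
FILTERS: Tuple[MalUrlFilter, ...] = (
    MalUrlFilter("code-red", "GET /default.ida?", 200),
    MalUrlFilter("long-cgi", "GET /cgi-bin/", 512),
)

_GET_SPACES = re.compile(r"^GET +/")


def request_line(payload: bytes) -> Optional[str]:
    """First line of the HTTP request, or None if no CR-LF terminates it.
    The page defines 'number' as the URL length before the CR-LF, so a
    request line with no CR-LF in the packet is not evaluated."""
    end = payload.find(b"\r\n")
    return None if end < 0 else payload[:end].decode("latin-1")


def normalize(line: str) -> str:
    """Treat multiple spaces between GET and the leading '/' as one space."""
    return _GET_SPACES.sub("GET /", line)


def url_of(line: str) -> str:
    """Request-target of a normalized GET line (assumption: the token after
    'GET ', up to the next space or the end of the line)."""
    if not line.startswith("GET "):
        return ""
    return line[4:].split(" ", 1)[0]


def screen_mal_url(payload: bytes,
                   filters: Iterable[MalUrlFilter] = FILTERS) -> Optional[str]:
    """Return the name of the filter that would drop this packet, else None."""
    line = request_line(payload)
    if line is None:
        return None
    line = normalize(line)
    url = url_of(line)
    for f in filters:
        if line.startswith(normalize(f.pattern)) and len(url) >= f.min_len:
            return f.name
    return None


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "benign": b"GET /index.html HTTP/1.0\r\nHost: www.example.test\r\n\r\n",
    "code_red": b"GET /default.ida?" + b"N" * 224 + b"%u9090=X HTTP/1.0\r\n\r\n",
    "code_red_spaces": b"GET     /default.ida?" + b"N" * 224 + b" HTTP/1.0\r\n",
    "too_short": b"GET /default.ida?NN HTTP/1.0\r\n",
    "not_get": b"POST /default.ida?" + b"N" * 300 + b" HTTP/1.0\r\n",
    "no_crlf": b"GET /default.ida?" + b"N" * 300,
    "long_cgi": b"GET /cgi-bin/" + b"A" * 600 + b" HTTP/1.1\r\n",
}


def run_samples() -> dict:
    """Verdict per sample: filter name that drops it, or None to pass."""
    return {name: screen_mal_url(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:16} -> {'drop (' + verdict + ')' if verdict else 'pass'}")
```

The samples cover the edge cases the keyword text implies: a request shorter than number passes even though the pattern matches, extra spaces after GET do not evade the pattern, a non-GET method never matches a GET pattern, and a request line with no CR-LF in the packet is not judged at all.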
tcp-rst
set zone zone tcp-rst
unset zone zone tcp-rst
vrouter
set zone zone vrouter name_str
tcp-rst Directs the NetScreen device to send back a TCP reset packet when it receives non-SYN packets that do not belong to an existing session.
vrouter Binds the zone to a virtual router (name_str).
Example: The following commands:
• create a new Layer-2 zone named L2-Marketing with VLAN ID number 1
• assign physical interface ethernet7 to the zone
• retrieve zone information:
set zone name L2-Marketing L2 1
set interface ethernet7 zone L2-Marketing
get zone L2-Marketing
Example: The following commands:
• create a new Layer-3 zone named Ext_Dept
• bind the zone to the Untrust virtual router
• enable ip-spoofing and tear-drop screening
• bind interface ethernet4 to the zone:
set zone name Ext_Dept
set zone Ext_Dept vrouter untrust
set zone Ext_Dept screen ip-spoofing
set zone Ext_Dept screen tear-drop
set interface ethernet4 zone Ext_Dept
get zone Ext_Dept
get interface ethernet4
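The zone examples above (Layer-2 and tunnel zone creation, vrouter binding, screen options, interface binding) are the lines an auditor reads back out of a saved configuration. The following Python is an added example, not code from this reference or from ScreenOS: it parses constructed set zone and set interface lines and checks them against rules stated on this page, namely that Layer-2 zone names must begin with "L2-", the documented ranges for the icmp-flood, ip-sweep, port-scan and udp-flood thresholds and the syn-flood timeout, and screens applied to zones that were never defined. The predefined zone list comes from Appendix A. The baseline requirement that the untrust zone, and any zone bound to the untrust virtual router, carry ip-spoofing and syn-flood is an editorial assumption, not a rule from the page.

```python
"""Audit ScreenOS 'set zone' / 'set interface ... zone' lines against rules
stated in the zone command reference.  Added example, not ScreenOS code."""
from collections import defaultdict
from typing import Dict, List

# Documented parameter ranges from the screen keyword table: packets per
# second for the floods, microseconds for ip-sweep and port-scan, seconds
# for the syn-flood timeout.
THRESHOLD_RANGES = {
    ("icmp-flood", "threshold"): (1, 1_000_000),
    ("ip-sweep", "threshold"): (1, 1_000_000),
    ("port-scan", "threshold"): (1_000, 1_000_000),
    ("udp-flood", "threshold"): (1, 1_000_000),
    ("syn-flood", "timeout"): (1, 50),
}

# Zones that exist by default (Appendix A), so no 'set zone name' is expected.
PREDEFINED_ZONES = {
    "trust", "untrust", "dmz", "global", "v1-trust", "v1-untrust", "v1-dmz",
    "untrust-tun", "null", "self", "ha", "mgt",
}

# Assumed baseline for zones facing untrusted space: an editorial choice,
# not a rule stated in the reference.
BASELINE_SCREENS = ("ip-spoofing", "syn-flood")

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """
set zone name L2-Marketing L2 1
set zone name Sales L2 2
set zone name Engineering tunnel untrust
set zone name Ext_Dept
set zone Ext_Dept vrouter untrust
set zone Ext_Dept screen ip-spoofing
set zone Ext_Dept screen tear-drop
set zone untrust screen ip-spoofing drop-no-rpf-route
set zone untrust screen syn-flood timeout 60
set zone untrust screen port-scan threshold 500
set zone untrust screen mal-url code-red
set zone trust screen icmp-flood threshold 1000
set zone Lab screen udp-flood threshold 1000
set interface ethernet4 zone Ext_Dept
set interface ethernet7 zone L2-Marketing
"""


def parse_config(text: str) -> Dict[str, dict]:
    """Collect zone definitions, screen options, vrouter bindings and interfaces."""
    cfg = {"zones": {}, "screens": defaultdict(dict),
           "vrouter": {}, "ifaces": defaultdict(list)}
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "set":
            continue
        if tok[1] == "zone" and tok[2] == "name":
            # 'set zone name Z L2 id' | 'set zone name Z tunnel out' | 'set zone name Z'
            cfg["zones"][tok[3]] = tok[4] if len(tok) > 4 else "L3"
        elif tok[1] == "zone" and tok[3] == "screen" and len(tok) >= 5:
            cfg["screens"][tok[2]].setdefault(tok[4], []).extend(tok[5:])
        elif tok[1] == "zone" and tok[3] == "vrouter" and len(tok) >= 5:
            cfg["vrouter"][tok[2]] = tok[4]
        elif tok[1] == "interface" and tok[3] == "zone" and len(tok) >= 5:
            cfg["ifaces"][tok[4]].append(tok[2])
    return cfg


def audit(cfg: Dict[str, dict]) -> List[str]:
    """Return one finding per rule violation, in configuration order."""
    findings: List[str] = []
    for zone, kind in cfg["zones"].items():
        if kind == "L2" and not zone.startswith("L2-"):
            findings.append(f"{zone}: Layer-2 zone name must begin with 'L2-'")
        if kind != "tunnel" and not cfg["ifaces"].get(zone):
            findings.append(f"{zone}: no interface bound to zone")
    known = PREDEFINED_ZONES | set(cfg["zones"])
    for zone, opts in cfg["screens"].items():
        if zone not in known:
            findings.append(f"{zone}: screen options set on an undefined zone")
        for opt, args in opts.items():
            for i in range(len(args) - 1):
                rng = THRESHOLD_RANGES.get((opt, args[i]))
                if rng and args[i + 1].isdigit():
                    lo, hi = rng
                    if not lo <= int(args[i + 1]) <= hi:
                        findings.append(f"{zone}: {opt} {args[i]} {args[i + 1]} "
                                        f"outside documented range {lo}..{hi}")
    # Assumed baseline: untrust itself plus zones bound to the untrust vrouter.
    exposed = ["untrust"] + [z for z, vr in cfg["vrouter"].items() if vr == "untrust"]
    for zone in exposed:
        missing = [s for s in BASELINE_SCREENS if s not in cfg["screens"].get(zone, {})]
        if missing:
            findings.append(f"{zone}: missing baseline screens: {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_config(SAMPLE_CONFIG)):
        print(line)
```

Feed it the output of get config from a device and it reports the Layer-2 naming violation, the two thresholds outside the documented ranges, the screen applied to an undefined zone, and the exposed zone lacking syn-flood; everything the reference itself does not constrain (for example, which screens a trust zone should carry) is deliberately left out.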
Appendix A
Universal Security Gateway Architecture (USGA) is a NetScreen proprietary architecture that allows you to create the number of zones your network environment requires, assign the number of interfaces each zone requires, and design each interface to your specifications. On NetScreen devices with multiple interfaces, you can create numerous security zones and configure access policies to regulate traffic between them. You can bind one or more interfaces to each zone and enable management and firewall attack screening options on a per-zone basis.
This appendix covers the following key components:
• Security Zone Names describes the security zones that exist by default, and briefly describes how to create user-defined security zones.
• Interface Names describes interfaces that exist by default, and briefly describes how to create user-defined, logical sub-interfaces.
Security Zone Names
NetScreen devices use zones to host physical and logical interfaces, tunnels, and special-purpose items. Although ScreenOS has a number of default predefined zones, you can create new zones and configure them to meet the requirements of your organization. The names of ScreenOS security zones are as follows.
Layer-2 security zones Use Layer-2 security zones when the NetScreen device operates in Transparent mode.
• v1-trust The V1-Trust zone, which hosts physical interfaces that communicate with trusted network space.
• v1-untrust The V1-Untrust zone, which hosts physical interfaces that communicate with untrusted network space.
• v1-dmz The V1-DMZ zone, which hosts the DMZ physical interface.
• name name_str A user-defined Layer-2 security zone. (You create such zones using the set zone name name_str L2 command.)
Layer-3 security zones Use Layer-3 security zones when the NetScreen device operates in NAT mode or Route mode.
• trust The Trust zone, which hosts physical interfaces (and logical sub-interfaces) that communicate with trusted network space.
• untrust The Untrust zone, which hosts physical interfaces (and logical sub-interfaces) that communicate with untrusted network space.
• global The Global zone, which serves as a storage area for mapped IP (MIP) and virtual IP (VIP) addresses. Because traffic going to these addresses is mapped to other addresses, the Global zone does not require an interface.
• dmz The DMZ zone, which hosts the DMZ physical interface.
• name name_str A user-defined Layer-3 security zone. (You create such zones using the set zone name name_str command.)
Tunnel zones Use tunnel zones to set up VPN tunnels with other NetScreen security devices.
• untrust-tun The Untrust-Tun zone, which hosts VPN tunnels.
• name name_str A user-defined tunnel zone. (You create such zones using the set zone name name_str tunnel command.)
Function zones Use function zones as described below.
• null The Null zone, which serves as temporary storage for any interfaces that are not currently bound to another zone.
• self The Self zone, which hosts the interface for remote management connections. For example, when you connect to the NetScreen device via HTTP, SCS, or Telnet, you connect to the Self zone.
• ha The HA zone, which hosts the high-availability interfaces, HA1 and HA2.
• mgt The MGT zone, which hosts the out-of-band management interface, MGT.
Interface Names
Most security zones exchange traffic with other zones (or with other devices) through physical interfaces or logical sub-interfaces. The interface names are as follows.
Aggregate interfaces
• aggregaten An aggregate interface, which is a grouping of two physical interfaces. An aggregate interface provides interface redundancy, allowing load sharing and failover.
Ethernet interfaces
• ethernetn A physical ethernet interface, denoted by an interface port n and no slots.
• ethernetn1/n2 A physical ethernet interface, denoted by an interface slot (n1) and a port (n2).
Function interfaces
• mgt An interface bound to the MGT zone.
• ha | ha1 | ha2 The name of the dedicated HA port.
Layer-2 interfaces
• vlan1 The interface used for VPNs and management traffic while the NetScreen device is in Transparent mode.
• v1-trust A Layer-2 interface bound to the V1-Trust zone. Use this interface when the device is in Transparent mode.
• v1-untrust A Layer-2 interface bound to the V1-Untrust zone. Use this interface when the device is in Transparent mode.
• v1-dmz A Layer-2 interface bound to the V1-DMZ zone. Use this interface when the device is in Transparent mode.
Redundant interfaces
• redundantn1 A redundant interface, which is a grouping of physical interfaces (each denoted by n1). Redundant interfaces perform interface failover.
• redundantn1.n2 A logical redundant sub-interface.
Sub-interfaces
• ethernetn1.n2 A logical sub-interface, denoted by an interface port (n1) with no slots. The .n2 parameter identifies the logical interface. You create logical interfaces using the set interface command.
• ethernetn1/n2.n3 A logical sub-interface, denoted by an interface slot (n1) and a port (n2). The .n3 parameter identifies the logical interface. You create logical interfaces using the set interface command.
Tunnel interfaces
• tunnel.n A tunnel interface, used for VPN traffic.
Appendix B
Most CLI commands are available across all NetScreen device platforms. However, some platforms do not support certain commands.
The following table lists the CLI commands, and shows which platforms do not support them.
Command            NS-5XP  NS-5XT  NS-25  NS-50  NS-100  NS-200  NS-500  NS-5000
address
admin
alarm
alias
arp
auth
auth-server
bgp                No  No
clock
config
console
counter
crypto
dbuf
dialup-group
dip
dns
domain
envar
event
exit
ffilter
file
fips-mode
firewall
flow
ftp
gate
global-pro
glog
group
group-expression
hostname
ike
ike-cookie
interface
intervlan-traffic  No  No  No  No  No  No
ip
ip-classification  No  No  No  No  No  No
ippool
l2tp
lance              No
led                No
lcd                No  No  No  No  No  No
license-key
log
mac
mac-learn
memory
node_secret
nrtp
nsrp               No  No  No
ntp
os
pci_clock
ospf               No  No
performance
ping
pki
policy
pppoe              No
proxy-id
reset
route
sa
sa-filter
sa-statistics
save
scheduler
scs
service
session
snmp
socket
ssl
sys-clock
syslog
system
tech-support
timer
trace-route
traffic-shaping    No
url
user
user-group
vip
vpn
vpn-group
vpnmonitor
vrouter
webauth
webtrends
xauth
zone