netscreen cli reference guide version 3.1

��

NetScreen CLI Reference Guide (Pre-Release Version)

��

Version 3.1.0

��

�

��

his product could void the user’s warranty

d Trademarks, NetScreen-Global Manager, en-Remote, NetScreen-5, nd NetScreen-1000 are registered

etScreen Technologies, Inc.

xchange are trademarks of Adobe egistered trademark of Apple the United State and other

icator is a registered trademark of nd/or other countries. Netscape

r are registered trademarks of orporation and may be ecurID is a registered mics Technologies, Inc. SSH and or registered trademarks of ity, Inc. All rights reserved. istered trademark of Sun ited States and other countries. ark or registered trademark of e United States and other ed trademark in the United xclusively licensed through nse is a registered trademark of ’s product names are either

rvice marks or registered bTrends is a registered rosoft, Windows and Windows NT,

ks or registered trademarks of S.A. and/or other countries. ademarks of Hilgraeve names mentioned in this manual ademarks of their respective

ING THE PRODUCTS IN THIS ANGE WITHOUT NOTICE. ALL

AND RECOMMENDATIONS IN THIS E ACCURATE BUT ARE NTY OF ANY KIND, EXPRESS OR ULL RESPONSIBILITY FOR THEIR

��

Copyright Notice

Copyright © 1998-2001 NetScreen Technologies, Inc. NetScreen Technologies, Inc., the NetScreen logo, NetScreen-5XP, NetScreen-10, NetScreen-100, NetScreen-500, NetScreen-1000, NetScreen-Global Manager, NetScreen-Global PRO, NetScreen-Remote, GigaScreen ASIC, and NetScreen ScreenOS are trademarks and NetScreen is a registered trademark of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies.

NetScreen Technologies, Inc. 350 Oakmead Parkway, Suite 500 Sunnyvale, CA 94085 U.S.A.www.netscreen.com

FCC Statement

This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a light commercial installation. This equipment generates, uses and can radiate radio frequency energy, and, if not installed and used in accordance with the instruction, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

•Reorient or relocate the receiving antenna.

•Increase the separation between the equipment and receiver.

•Consult the dealer or an experienced radio/TV technician for help.

•Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to tand authority to operate this device.

Licenses, Copyrights, anNetScreen, the NetScreen logoNetScreen-Global Pro, NetScreNetScreen-10, NetScreen-100, atrademarks or trademarks of N

Adobe, Acrobat, and Acrobat ESystems Inc. Macintosh is a rComputer, Inc., registered incountries. Netscape CommunNetscape in the United States aand Netscape CommunicatoNetscape Communications Cregistered outside the U.S. Strademark of Security DynaSecure Shell are trademarksSSH Communications SecurSolaris is a trademark or regMicrosystems, Inc. in the UnSunNet Manager is a trademSun Microsystems, Inc. in thcountries. UNIX is a registerStates and other countries, eX/Open Company, Ltd. WebseWebsense, Inc. and Websensetrademarks, trade names, setrademarks of Websense. Wetrademark of WebTrends. Micand NetMeeting, are trademarMicrosoft Corporation in the U.Hyperterminal is a registered trCorporation. All other product are trademarks or registered trmanufacturers.THE SPECIFICATIONS REGARDMANUAL ARE SUBJECT TO CHSTATEMENTS, INFORMATION, MANUAL ARE BELIEVED TO BPRESENTED WITHOUT WARRAIMPLIED. USERS MUST TAKE F

�

��

and title and interest in and to, and including copyrights, to the emain with NetScreen. You intellectual property in the nd you will not acquire any rights

icense as specifically set forth

rm of the license is for the duration Software. NetScreen may diately without notice if you breach terms and conditions of this n such termination, you will either entation or return all materials to is Agreement, other than the icense Grant”) shall survive

d of ninety (90) days after delivery air or replace any defective stomer, provided it is returned to se within that period. NetScreen product will substantially conform cifications for that product if

ith the procedures described in tScreen. NetScreen’s exclusive conforming product shall be, at the product or use commercially ustomer with a correction of the r the purchase price paid for the be reported to NetScreen in a form n reasonably requested by , diagnose, and correct the defect. mer shall notify NetScreen of any the warranty period, obtain a conforming product, from onforming product to NetScreen’s nt describing the nonconformance. HEREIN TO THE CONTRARY, THE

SOLE AND EXCLUSIVE REMEDY BY NETSCREEN WITH RESPECT

shall not apply to any Product or ified, repaired or altered, except by

��

APPLICATION OF ANY PRODUCTS. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS, ELECTRONIC OR MECHANICAL, FOR ANY PURPOSE, WITHOUT RECEIVING WRITTEN PERMISSION FROM NETSCREEN TECHNOLOGIES INC.

PRODUCT LICENSE AGREEMENTPLEASE READ THIS LICENSE AGREEMENT (“AGREEMENTS”) CAREFULLY BEFORE USING THIS PRODUCT. BY INSTALLING AND OPERATING, YOU INDICATE YOUR ACCEPTANCE OF THE TERMS OF THIS LEGAL AND BINDING AGREEMENT AND ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PART TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT START THE INSTALLATION PROCESS.1. License Grant. This is a license, not a sales agreement, between you, the end user, and NetScreen Technologies, Inc. (“NetScreen”). The term “Software” includes all NetScreen and third party Software provided to you with the NetScreen product, and includes any accompanying documentation, any updates and enhancements of the Software provided to you by NetScreen, at its option. NetScreen grants to you a non-transferable (except as provided in section 3 (“Transfer”) below), non-exclusive license to use the Software in accordance with the terms set forth in this License Agreement. The Software is “in use” on the product when it is loaded into temporary memory (i.e. RAM).2. Limitation on Use. You may not attempt and if you are a corporation, you will use best efforts to prevent your employees and contractors from attempting to, (a) modify, translate, reverse engineer, decompile, disassemble, create, derivative works based on, sublicense, or distribute the Software or the accompanying documentation; (b) rent or lease any rights in the Software or accompanying documentation in any form to any person; or (c) remove any proprietary notice, labels, or marks on the Software, documentation, and containers. 3. Transfer. You may transfer (not rent or lease) the Software to the end user on a permanent basis, provided that: (i) the end user receives a copy of this Agreement and agrees in writing to be bound by its terms and conditions, and (ii) you at all times comply with all applicable United States export control laws and regulations.

4. Proprietary Rights. All rightsall intellectual property rights, software, and documentation, racknowledge that no title to theSoftware is transferred to you ato the Software except for the lherein.5. Term and Termination. The teof NetScreen's copyright in theterminate this Agreement immeor fail to comply with any of theAgreement. You agree that, upodestroy all copies of the documNetScreen. The provisions of thlicense granted in Section 1 (“Ltermination.6. Limited Warranty. For a perioto Customer, NetScreen will repsoftware product shipped to CuNetScreen at Customer’s expenwarrants to Customer that suchwith NetScreen’s published speproperly used in accordance wdocumentation supplied by Neobligation with respect to non-NetScreen’s option, to replace reasonable efforts to provide Cdefect, or to refund to customeunit. Defects in the product willand with supporting informatioNetScreen to enable it to verifyFor returned product, the custononconforming product duringreturn authorization for the nonNetScreen, and return the noncfactory of origin with a statemeNOTWITHSTANDING ANYTHINGFOREGOING IS CUSTOMER’S FOR BREACH OF WARRANTY TO THE PRODUCT.The warranties set forth above Hardware which has been mod

�

��

ING INFORMATION OR L COMPLIANCE WITH ALL UNITED BLE LAWS AND REGULATIONS.Rights. If this Product is being nt, the Product and related omputer Product and

usively at private expense, and (a) if lian agency, shall be subject to the e, and (b) if acquired by or on nt of Defense (“DoD”) shall be rcial computer Software license .

e responsible for the payment of at any time whatsoever on this

f this Agreement are held invalid, full force and effect. The laws of g the application of its conflicts of nse Agreement. This Agreement

ited Nations Convention on the Sale of Goods. This Agreement is he parties as to the subject matter er Technologies, advertisements, t to the Software and t may not be modified or altered,

which expressly refers to this xecuted by both parties.

e read this Agreement, understand terms and conditions.

��

NetScreen, or which has not been maintained in accordance with any handling or operating instructions supplied by NetScreen, or which has been subjected to unusual physical or electrical stress, misuse, abuse, negligence or accidents.THE FOREGOING WARRANTIES ARE THE SOLE AND EXCLUSIVE WARRANTIES EXPRESS OR IMPLIED GIVEN BY NETSCREEN IN CONNECTION WITH THE PRODUCT AND HARDWARE, AND NETSCREEN DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. NETSCREEN DOES NOT PROMISE THAT THE PRODUCT IS ERROR-FREE OR WILL OPERATE WITHOUT INTERRUPTION.7. Limitation of Liability. IN NO EVENT SHALL NETSCREEN OR ITS LICENSORS BE LIABLE UNDER ANY THEORY FOR ANY INDIRECT, INCIDENTAL, COLLATERAL, EXEMPLARY, CONSEQUENTIAL OR SPECIAL DAMAGES OR LOSSES SUFFERED BY YOU OR ANY THIRD PARTY, INCLUDING WITHOUT LIMITATION LOSS OF USE, PROFITS, GOODWILL, SAVINGS, LOSS OF DATA, DATA FILES OR PROGRAMS THAT MAY HAVE BEEN STORED BY ANY USER OF THE SOFTWARE. IN NO EVENT WILL NETSCREEN’S OR ITS LICENSORS’ AGGREGATE LIABILITY CLAIM BY YOU, OR ANYONE CLAIMING THROUGH OR ON BEHALF OF YOU, EXCEED THE ACTUAL AMOUNT PAID BY YOU TO NETSCREEN FOR SOFTWARE. Some jurisdictions do not allow the exclusions and limitations of incidental, consequential or special damages, so the above exclusions and limitations may not apply to you.8. Export Law Assurance. You understand that the Software is subject to export control laws and regulations. YOU MAY NOT DOWNLOAD OR OTHERWISE EXPORT OR RE-EXPORT THE

SOFTWARE OR ANY UNDERLYTECHNOLOGY EXCEPT IN FULSTATES AND OTHER APPLICA9. U.S. Government Restricted acquired by the U.S. Governmedocumentation is commercial cdocumentation developed exclacquired by or on behalf of civiterms of this computer Softwarbehalf of units of the Departmesubject to terms of this commeSupplement and its successors10. Tax Liability. You agree to bany sales or use taxes imposedtransaction.11. General. If any provisions othe remainder shall continue inthe State of California, excludinlaw rules shall govern this Licewill not be governed by the UnContracts for the International the entire agreement between thereof and supersedes any othor understandings with respecdocumentation. This Agreemenexcept by written amendment, Agreement and which, is duly eYou acknowledge that you havit, and agree to be bound by its

��

!��" "�� 4��"��)�!�4��

$%��8$!"��%/��3��9��33�� %�� %��% ��8+�4�8��44!! �83 ��4�8� �� !)��+/%��/�4��%��4��:49��4! ��0�+��444!��++�"�$�� ++:"�"�+��"��+��"�/4�+�:"" �+��"0" !)�+��/4��%��$��"$! ��+�3��/��+�:��% ��"$%4��)�+�� +�+�"��+��4��+3��4�/!��!��+3:��!��+38�"0"�+��7��"�+��*!��+��

�%��""��%�/��% %�/��% �%"�+��%�4�+��%�� % %�/�+��%��$�+3

��

#$!��$!� ��%��$�"�&%��% '��

(�)%��*%��!��

�� %��!�"��

�+��)��%��+

,� !��-!��,�)��

!��)��$��.��!��$��

!��!�"��

��!//%��0��%1�2!�/%��3.�4��0�.� �/��"�35/��.�4��"�3��%� %�� 0�! ��!//%��"�%��2�%��"��%/4 ��0��%1��"��%��!��2!�/%��

��%� %�� 0�! ��!//%��"6��7��$�"6�%��%��%/��"�8

�+��!//%��"�+

"��%��""��"��%�/��"��% %�/�+�"��% �%"�++"��%�4�+�"��%�� % %�/�+�"��%��$�+�"�� !�9��"��!�"! ��"�� 3"��% �4�)�!�4��:"��4��"��"��"��!/%��"��%��"�� "�� 4"�/!��"�� 7% ��:"�� !7��

"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��"��

�+��!//%��"�+

)��)��)��)��)��)��)��

�!��"

,!!9��

�"�"�8��"��8��"�""�!��88�"�/4��+�"!�9��"! �7%��9�0��"0" !)��"0"��/��8��$�"�44!��/4��%��+��/��+�+��% ��"$%4��)�+�� +��"��+��4�+��4��+�:��4�/!��!��++��!��+++��"0"�++��7��"�++��*!��++3

��%�/��% %�/��%�4�3��%�� % %�/��%��$�:��!��8��04�!�� +��$�4�++��"�+�� +��9��!!9��+3�� 4�+�� +:�� !)�+8��/%�� %��!��;"��+

��

)�� !�9�+8)��!� �)�+�)��!�"! ��)��!��+)��% �4�)�!�4��3)��4��:)��"��8)��!/%��)��%��+)�� )�� 7% ��)��)%��)��) !�% ��)��) !�% �4�!��:)��) !)��)��)�!�4��)��$%��)��$!"��%/��)��9��3)�� %��)�� %��3�)��4�3�)��44!! �3�)�� 4�33)�� %��3:)�� 38)�� !)�3�)��/%�� %��)��/%"��)��/�/!�0��3)��/�4��:)��%��;9%��8)��"4�� )��4�:�)��!"�:+)��4�� !�/%��:�)��49��:�)��4! ��0�:�)��444!��:8)��!��:�)��"%�8+)��"�$�� 8�

)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��)��

�+�� %��!//%��"�+

� �%� �%� �%� �%� �%� �%� �%� �%� �%� �%� �%� �%� �%� �%� �%� �%� �%

��
��
� �%��444!�� %��"%�� %��"%�"�%��3� �%��"�""�!�� %�� 8

�+��&�"�� %��!�"�!//%��"�+

�1��$�4��1��"��1��$%�3�1��4��1��4��)�:�1��49��1��444!��+��1��"%��+��1��"�"�+:�1��"! �7%��9�0�+8�1��%��!��+��1��4��)��+��"��"%��%��!��8

��"��)��$��.��!2%��!�0�.� %� ��)"�+

<��2�%��"�+

��0�=!��"��

�� %��"��

��1�+

�!��"

,!!9��
��

��

d manage a NetScreen device NetScreen OS release.

uring a NetScreen device using nd syntax, arguments, and

pters:

o the NetScreen device. It also

rameters and data

cted in various tables, buffers,

g in any other category.

��

�� %��

The NetScreen CLI Reference Guide describes the commands used to configure anfrom a console interface. This manual is an ongoing publication, published with each

#>(��>(<.��5�.��>��&��<�'This document is for system and network administrators who have experience configthe Web interface. Using the command line interface requires familiarity with commavariables.

(��=��(�

The NetScreen Command Line Reference Guide is organized into the following cha

“Getting Started” includes an introduction and instructions on how to connect a PC texplains the command syntax format used in this Manual.

“Set Commands”describes the commands used to configure the NetScreen device.

“Get Commands” describes the commands used to display system configuration pa

“Clear Commands” describes the commands used to remove or clear the data colleand memory.

“Miscellaneous Commands” includes descriptions for commands that do not beloon

�5��55��<,��(��

Please refer to the following guides for information about your NetScreen products.

�� %��

��

the concepts behind NetScreen

escription presents the

nged since the last version. It he last version.

ote allows a remote user to

message entry includes the message.

known issues, and suggested

e Data Collectors, Master

creen-Global PRO suite and

nd Crystal Decisions™ Crystal

odule for Micromuse Netcool.

��

NetScreen Concepts & Examples ScreenOS Reference GuideA guide to the ScreenOS™ used to manage NetScreen devices. This guide presents product features, and provides examples illustrating those concepts in practice.

NetScreen CLI Reference GuideA compendium of all the command line interface (CLI) commands. Each command dcommand’s syntax, explains its arguments, and provides examples.

What’s New In ScreenOS 3.10A manual with descriptions of all new CLI commands, and commands that have chaalso lists (without describing) the commands that are unchanged or removed since t

NetScreen-Remote Administrator’s GuideA manual for installing and using the NetScreen-Remote™ software. NetScreen-Remconnect to a NetScreen device via a virtual private network (VPN) tunnel.

NetScreen Message Reference GuideThis manual documents the log messages that appear in ScreenOS 3.0.0. Each logmessage text, its meaning, and any recommended action to take upon receiving the

ScreenOS Release NotesA set of notes containing an overview of new features, lists of addressed issues andbug fixes and work-arounds.

NetScreen-Global PRO Report Manager Installer & User’s GuideA guide to installing and configuring all components of Report Manager, including thControllers, and Consoles.

NetScreen-Global PRO Report Manager Console User’s GuideA guide to using the Report Manager Console to govern the components in the NetSgenerate realtime and historic reports.

NetScreen-Global PRO Historical Reports GuideThis guide explains the out-of-the-box integration between NetScreen-Global PRO aReports™. This allows you to create historical reports.

NetScreen-Global PRO Integration Module for NetcoolA guide for installing, configuring and using the NetScreen-Global PRO Integration M

��

nterprise providers to control offers concurrent centralized nces.

l PRO Netra Server, and

etra Server for Realtime

��

NetScreen-Global Manager User’s GuideA manual for NetScreen-Global Manager™ software. This is a tool for services and esecurity for multi-site networks from a single location. This management application configuration and policy administration for all NetScreen security systems and applia

NetScreen-Global PRO Policy Manager Installer & User’s GuideThis document contains the complete procedures for installing the NetScreen-Globaincludes a tutorial intended to familiarize the user with the Policy Manager software.

NetScreen-Global PRO Express Realtime Monitor Installer & User’s GuideA guide to installing, configuring, and using the Express Realtime Monitor and the NReports.

�� %��

��
��

+

+��

�

e NetScreen device so that you ands at the CLI through a

PC running the Windows

��

��

This chapter provides information on how to connect a personal computer (PC) to thcan configure the device using the Command Line Interface (CLI). You enter commconsole application such as Telnet. or Hypterterminal.

Note: The examples in this guide display output generated from an IBM-compatibleoperating system.

+��)��%�� ,� !��-!��,�)��

��

before you start setup:

8 bits, no parity, 1 stop-bit, and

al emulator on that system. The ole from any operating system, g the NetScreen device from a

��

��Gain access to the NetScreen device you wish to configure, and obtain these items

• a PC to connect to the NetScreen device

• an RS-232 male-to-female serial cable

• a copy of Microsoft’s Hyperterminal software, available on the PC

To communicate with the NetScreen device using a console, use a 9600 Baud rate, no flow control.

Note: If you are using a different operating system, you need a VT100 terminterminal emulator allows you to configure the NetScreen device using a consincluding Windows™, UNIX™, LINUX™, or Macintosh™. If you are configurinremote location, use Telnet to access the console.

+��)��%�� !��)��$��.��!��$��

��

running applications on the PC

en device. This port is labeled

��

��It is not necessary power off the either PC or the NetScreen device, or to close any before connecting it to the NetScreen device.

To connect the NetScreen device to the PC:

1. Connect the female end of the RS-232 cable to the serial port on the PC.

2. Connect the male end of the RS-232 cable to the serial port on the NetScre“Diagnostics.”

+��)��%�� !��!�"

��

L+F or the DOWN ARROW

TRL+B or the UP ARROW key.

e, type a question mark ( ? ).

detected for 10 minutes.

sion on Windows 95, 98, NT, or check box, and click the OK

��

��The following conventions apply to all NetScreen commands:

• To remove a single character, press BACKSPACE or CTRL+H.

• To remove an entire line, press CTRL+U.

• To traverse up to 16 lines forward in the command history buffer, press CTRkey.

• To traverse up to 16 lines backward in the command history buffer, press C

• To see the next available keyword or input and a brief description of its usag

• IP addresses are represented by <ip_addr>.

• A subnet mask is represented by <mask>.

• The console times out and the connection is closed if no keyboard activity is

Note: To use the arrow keys for navigating among commands in a Telnet ses2000: On the Terminal menu, click Preferences…, select the VT100 Arrowsbutton.

Note: Items you enter are into the system are in bold text.

+��)��%�� !//%��0��%1�2!�/%�

3��

ntax. This syntax may include ommand descriptions use

ing special characters.

se symbols are essential for

symbols are not essential for affect the outcome.

ymbol appears between two is symbol appears at the end of

in some contexts, and rinciple.

can omit both feature_1 and iters { and } surround not successfully execute the

encies.

��

�� !��!"�� !�Each CLI command description in this manual reveals some aspect of command syoptions, switches, parameters, and other features. To illustrate syntax rules, some cdependency delimiters.

.�4��0�.� �/��"Each syntax description shows the dependencies between command features by us

• The { and } symbols denote a mandatory feature. Features enclosed by theexecution of the command.

• The [ and ] symbols denote an optional feature. Features enclosed by theseexecution of the command, although omitting such features might adversely

• The | symbol denotes an “or” relationship between two features. When this sfeatures on the same line, you can use either feature (but not both). When tha line, you can use the feature on that line, or the one below it.

5/��.�4��"Many CLI commands have embedded dependencies, which make features optionalmandatory in others. The two hypothetical features shown below demonstrate this p

[ feature_1 { feature_2 } ]

In this example, the delimiters [ and ] surround the entire clause. Consequently, youfeature_2, and still execute the command successfully. However, because the delimfeature_2, you must include feature_2 if you include feature_1. Otherwise, you cancommand.

The following example shows some of the set interface command’s feature depend

set interface vlan1 broadcast { flood | arp [ trace-route ] }

+��)��%�� !//%��0��%1�2!�/%�

��

trast, the [ and ] brackets nd might take any of the

y find that certain commands

g to use such a feature usually firm the feature’s availability e set vpn command:

format. This format reveals the

|

��

The { and } brackets indicate that specifyng either flood or arp is mandatory. By conindicate that the arp option’s trace-route switch is not mandatory. Thus, the commafollowing forms:

ns-> set interface vlan1 broadcast floodns-> set interface vlan1 broadcast arpns-> set interface vlan1 broadcast arp trace-route

��%� %�� 0�! ��!//%��"�%��2�%��"As you execute CLI commands using the syntax descriptions in this manual, you maand command features are unavailable for your NetScreen device model.

Because NetScreen devices treat unavailable features as improper syntax, attemptingenerates the unknown keyword error message. When this message appears, conusing the ? switch. For example, the following commands list available options for th

ns-> set vpn ?ns-> set vpn vpn_name ?ns-> set vpn gateway gate_name ?

�%/4 ��0��%1��"��%��!��2!�/%�This manual displays command syntax using a hierarchical, structured presentationcommand’s syntax, feature dependencies, and basic structure.

The example below shows the syntax description for the set interface command.

set interface{ethernet<n> | ethernet<n1>/<n2> | ethernet<n1>/<n2>.<n3>

{bandwidth <number> |dip <number> [ <ip_addr> [ <ip_addr> [ fix-port ] ] ] ident-reset |ip <ip_addr>/<mask> { tag <id_num> } |manage-ip <ip_addr> |

+��)��%�� !//%��0��%1�2!�/%�

:��

outer <name_str> ] } |

] ] |

mgt | vlan1

4, and assigns to it VLAN tag 3:

��

mip <ip_addr> { host <ip_addr> [ netmask <mask> ] [ vrnat |route |secondary |vip <ip_addr>

[ <port_num> | + [ <name_str> <ip_addr> [ manual ] zone <name_str>} |

ethernet<n> | ethernet<n1>/<n2> | ethernet<n1>/<n2>.<n3> |{ip <ip_addr>/<mask> |manage-ip <ip_addr> |phy { auto | full | half } { 10mb | 100mb }} |

vlan1{broadcast { flood | arp [ trace-route ] |bypass-non-ip |bypass-others-ipsec |vlan { trunk }}

}

The following command gives subinterface ethernet3/1.2 IP address 172.168.40.3/2

ns-> set interface ethernet3/1.2 ip 172.168.40.3/24 tag 3

+��)��%�� %� %�� 0�! ��!//%��"6��7��$�"6�%��%�%/��"

8��

y find that certain commands

evice, but not on a models, as with the df-bit not on the NetScreen-5xp.

g to use such a feature usually firm the feature’s availability e set vpn command:

��

!�!��!�� !��#��$��#�!��!�! ��As you execute CLI commands using the syntax descriptions in this manual, you maand command features are unavailable for your NetScreen device model.

A good example is the set vsys command, which is available on a NetScreen-500 dNetScreen-5xp device. Similarly, some command options are unavailable on certainoption of the set vpn command. This option is available on the NetScreen-500, but

Because NetScreen devices treat unavailable features as improper syntax, attemptingenerates the unknown keyword error message. When this message appears, conusing the ? switch. For example, the following commands list available options for th

ns-> set vpn ?ns-> set vpn vpn_name ?ns-> set vpn gateway gate_name ?

�

+��

you may find that certain l. A good example is the set en-5xp device. Similarly, some

set vpn command. This option

��

�

��%&& ��

Use the set commands to enter system configuration parameters.

Note: As you execute CLI commands using the syntax descriptions in this chapter,commands and command features are unavailable on your NetScreen device modevsys command, which is available on a NetScreen-500 device, but not on a NetScrecommand options are unavailable on certain models, as with the df-bit option of theis available on a NetScreen-500, but not on a NetScreen-5xp.

��!//%��"

��

�� of a security zone. You use

efault security zones to which you st, Untrust, Global, DMZ, ou can also assign address book

ecurity Zones in USGA

ent line.

��

Description: Use the set address command to define an entry in the address bookaddress book entries to identify addressable entities in policy definitions.

�0��%1set address <zone> <name_str>

{ <dom_name> | <ip_addr> { <mask> } }[ <string> ] |

}

unset address <zone>

��)�/��

.� %� �"

Most zones have the following system-defined Address Book entries:

<zone> The name of the security zone. The dcan bind an address book include TruV1-Trust, V1-Untrust, and V1-DMZ. Yentries to user-defined zones.For more information on zones, see SFeatures

<name_str> The name of the address book entry.

<dom_name> The host domain name.

<ip_addr> The host IP address.

<mask> The host subnet mask.

<string> A character string containing a comm

��!//%��"

��

e zone

IP address 172.16.50.9 and a

dress 172.16.10.1 and a

esktop

��

• Any – any host connected through an interface bound to the zone

• Dial-Up VPN – any dialup hosts connected through an interface bound to th

51%/4 �"

To define an entry named “webserver” in the address book of the DMZ zone, with annetmask 255.255.255.254:

ns -> set address dmz webserver 172.16.50.9 255.255.255.254

To define an entry named “odie” in the address book of the Trust zone, with an IP adnetmask 255.255.255.255, with a comment of “Mary_Desktop”:

ns-> set address trust odie 172.16.10.1 255.255.255.255 Mary_D

To delete an entry named “my-partner” from the address book of the Untrust zone:

ns-> unset address untrust my-partner

�� "!

See the set policy and get address command.

��!//%��"

��

�� &�rs for the NetScreen device.

} | port <port_num> } |

| read-only } ]

��

Description: Use the set admin command to configure the administrative paramete

�0��%1set admin

{auth

{radius-port <port_num> |secret <shar_secr> | server-name { <name_str> | <ip_addr> } |timeout <number> |type { local | radius} |

device-reset |format { dos | unix } |hw-reset |mail

{alert |mail-addr1 <ip_addr> |mail-addr2 <ip_addr> |server-name { <ip_addr> | <name_str> } |traffic-log} |

manager-ip <ip_addr> [ <mask> ] |name <name_str> |password <pswd_str> |port <port_num> |scs { password { disable | enable { username <name_str> } sys-ip <ip_addr> |telnet port <port_num> |user <name_str> { password <pswd_str> } [ privilege { all }

��!//%��"

3��

} |

fic-log } |

nge of port numbers is from 1024

red and enabled) of the RADIUS

re the NetScreen device he value can be up 999 minutes.

administrative session never

��

unset admin{auth

{ radius-port | secret | server-name | timeout | type device-reset |format |hw-reset |mail

{ alert | mail-addr1 | mail-addr2 | server-name | trafmanager-ip { <ip_addr> | all } |name |password |port |scs port |sys-ip |telnet port |user <name_str>}

��)�/��"

auth radius-port <port_num>Server port for a RADIUS server. The possible rato 65535.

secret <shar_secr>Shared secret for a RADIUS server.

server-name <name_str>The IP address or the server name (DNS configuserver.

timeout <number>Specifies the length of idle time (in minutes) befoautomatically closes the administrative session. TA <number> value of 0 indicates that an inactivetimes out.

��!//%��"

��

abase only.l database. If the admin name is

ermines the format used to device models, you can ard using the CLI, and to a local

ot available on all NetScreen

ng to an email address.

etScreen device. The traffic log tScreen device sends a copy of he mail-addr1 and mail-addr2 ll, or every 24 hours, depending

traffic logs.

d traffic logs.

fer Protocol (SMTP) server that traffic logs.

��

type { local | radius }local: Checks the admin name in the internal datradius: Checks for the admin name in the internanot found, checks in the RADIUS server.

device-reset Enables device reset for asset recovery.

format { dos | unix } Applies to all NetScreen devices. This switch detgenerate a configuration file. On some Netscreendownload this file to a TFTP server or PCMCIA cdirectory using WebUI.

hw-reset Executes a hardware reset for asset recovery. (Ndevice models.)

mail Enables email for sending alerts and traffic logs.

alertCollects system alarms from the device for sendi

traffic-logCollects a log of network traffic handled by the Ncan contain a maximum of 4,096 entries. The Nethe log file to each specified email address (see tswitches below). This happens when the log is fuupon which occurs first.

mail-addr1 <ip_addr>Sets the first email address for sending alert and

mail-addr2 <ip_addr>Sets a second email address for sending alert an

server-name { <ip_addr> | <name_str> }The IP address or name of the Simple Mail Transreceives email notification of system alarms and

��!//%��"

:��

ote host or subnet. The default IP m any workstation. All NetScreen bnets at once.and, specify one or all of the six

n device. The maximum length of except ?. The name is

imum length of the password is 31 ial command character “?”.

hanges when using the web. Use default port number—80. setting the device (see the reset

SCS) utility. SCS allows you to onnection or a dial-in modem, ls.

through which the SCS

tablishes the SCS session. The word authentication. The in user name.

��

manager-ip <ip_addr> | <mask> Restricts management to an IP address for a remaddress is 0.0.0.0, which allows management frodevices allow you to specify up to six hosts or suWhen using the unset admin manager-ip commpossible management IP addresses.

name <name_str> The login name of the root user for the NetScreethe name is 31 characters, including all symbols case-sensitive.

password <pswd_str> Specifies the password of the root user. The maxcharacters, including all symbols except the spec

port <port_num> Sets the port number for detecting configuration cany number between 1024 and 32767, or use theChanging the admin port number might require recommand).

scs Provides access to the Secure Command Shell (administer NetScreen devices from an Ethernet cthus providing CLI access over unsecure channe

port <port_num> Specifies the logical SSH portcommunication occurs.

password Sets the password for the user that esenable | disable switch enables or disables passusername <name_str> option specifies the adm

��!//%��"

8��

en device. If the NetScreen ddress must be in the same u plan to access the system IP

ion.

- administrators and e maximum length of the user ept ?. The user name is

istrator. This administrator can odify the root user or other r cannot change his or her own

administrator. This administrator xit, get, and ping commands.

��

.� %� �"

The default admin name and password are netscreen.

The default manager-ip is 0.0.0.0, and the default subnet mask is 255.255.255.255.

The default sys-ip is 192.168.1.1 (it is 209.125.148.254 before firmware 1.61).

The default privilege for a super-administrator is read only.

The default admin port is 80.

The default mail alert setting is off.

51%/4 �"

To change the root administrator user name to “paul”:

sys-ip <ip_addr> The system IP address for managing the NetScredevice is in NAT or Route mode, the system IP asubnet as the physical interface through which yoaddress.

telnet port <port_num> Provides CLI access through a TELNET connect

user <name_str> The login name of non-root administrators (supersub-administrators) for the NetScreen device. Thname is 31 characters, including all symbols exccase-sensitive.

privilege { all | read-only } Defines the administrative privilege level:

- all sets the level of privilege to super-adminexecute all commands except those that msuper-administrators. A super-administratoname.

- read-only sets the level of privilege to sub-can only execute the enter, trace-route, e

��!//%��"

��

ive issues:

tion:

��

ns-> set admin name paul

To change the root administrator login password to “build4you”:

ns-> set admin password build4you

To assign a level-2 administrator named joe with the password “angel”:

ns-> set admin user joe password angel privilege all

To generate the configuration file in UNIX format:

ns-> set admin format unix

To change the port number for the Web administrative interface to 8000:

ns-> set admin port 8000

To enable email notification for system alarms:

ns-> set admin mail alert

To enable email notification of traffic logging:

ns-> set admin mail traffic-log

To configure [email protected] as the email address to receive updates on administrat

ns-> set admin mail mail-addr1 [email protected]

To specify 172.16.34.100 as the email server to receive administrative email notifica

ns-> set admin mail server-ip 172.16.34.100

To set the administrator password back to netscreen:

ns-> unset admin password

To disable email notification of system alarms:

ns-> unset admin mail alert

�� "!

See the get admin and reset commands.

��!//%��"

+��

�� &

��

Description: Use the set alarm command to set alarm parameters.

�0��%1set alarm threshold { CPU <number> | memory <number> }

unset alarm threshold { CPU | memory }

��)�/��"

.� %� �"

Default thresholds are 95% for memory and 90% for CPU utilization.

51%/4 �"

To set the CPU utilization to 90%:

ns-> set alarm threshold CPU 90

�� "!

See the get alarm and clear alarm commands.

threshold CPU <number>Percentage of CPU used (1 to 100%).

memory <num>Percentage of threshold memory used (1 to 100%).

��!//%��"

++��

��

, then execute the command

��

Description: Use the set alias command to create and alias for a CLI command.

�0��%1set alias <name_str> <string>

unset alias <name_str>

��)�/��"

.� %� �"

None

51%/4 �"

The following commands assign an alias to the command get interface ethernet1/1using the alias.

ns-> set alias int_1 "get interface ethernet1/1"ns-> int_1

�� "!

See the get alias command.

<name_str> The name of the CLI command alias.

<string> The CLI command to which you assign the alias.

��!//%��"

+��

�� ' (Address Resolution Protocol)

ry.

information on interfaces, refer to

��

Description: Use the set arp command to create an entry for an interface in the ARPtable.

�0��%1set arp

{<ip_addr> <mac_addr> <interface>age <number> |always-on-dest |no-cache}

unset arp{<ip_addr> |age |always-on-dest |no-cache}

��)�/��"

<ip_addr> Specifies the IP address for the interface in the ARP table entry.

<mac_addr> Specifies the MAC address for the interface in the ARP table ent

<interface> The name of the ARP interface in the ARP table entry. For moreInterfaces in USGA Features.

age <number> Sets the age-out value (in seconds) for ARP entries.

��!//%��"

+��

s 10.1.1.1 and MAC address

MAC address 00201034a98c:

a MAC address for any incoming the device’s MAC address table. load-balancing (SLB) switches or er Redundancy Protocol

��

.� %� �"

The always-on-dest setting is disabled by default.

51%/4 �"

To create an entry in the ARP table for physical interface ethernet4/2 with IP addres00104587bd22:

ns-> set arp 10.1.1.1 00104587bd22 ethernet4/2

To delete an ARP entry for an interface ethernet3/1 with IP address 172.16.9.23 and

ns-> unset arp 172.16.9.23 ethernet3/1

�� "!

See the clear arp and get arp commands.

�!��"

To display the current always-on-dest setting, use the get arp command.

always-on-dest Directs the NetScreen device to send an ARP request and obtainpacket whose heading contains a MAC address not yet listed in This option may be required when packets originate from server from devices using the Hot Standby Router Protocol/Virtual Rout(HSRP/VRRP).

no-cache Turns off the cache capability.

��!//%��"

+��

�� (�)��* � �&ture.

rface module failure, a power fined threshold.

e failure.

ure.

admin-defined threshold.

��

�Description: Use the set audible-alarm command to activate the audible alarm fea

�0��%1set audible-alarm

{all |fan-failed |module-failed |power-failed |temperature}

unset audible-alarm{all |fan-failed |module-failed |power-failed |temperature}

��)�/��"

all Enables the audible alarm in the event of a fan failure, a intesupply failure, or a temperature increase above an admin-de

fan-failed Enables the audible alarm in the event of a fan failure.

module-failed Enables the audible alarm in the event of an interface modul

power-failed Enables the audible alarm in the event of a power supply fail

temperature Enables the audible alarm if the temperature rises above an

��!//%��"

+3��

fan assembly fails:

ar audible-alarm commands.

��

.� %� �"

The audible alarm is inactive by default.

51%/4 �"

To enable the audible alarm to sound in the event that one or more of the fans in the

ns-> set audible-alarm fan-failed

�� "!

See the set temperature-threshold, get temperature, get audible-alarm , and cle

��!//%��"

+��

�� (�+n. The four available methods

unicating properly with the ACE secret so that you can reset.

��

Description: Use the set auth command to specify a method for user authenticatioare:

• a built-in database

• a RADIUS server

• SecurID

• Lightweight Directory Access Protocol (LDAP)

When the NetScreen device is using SecurID to authenticate users and is not commserver, check the clear node_secret command to clear the current SecurID shared

�0��%1set auth

{ldap server-name { <ip_addr> | <name_str> }

{ <port_num> { <name_str> { <name_str> } } } |radius-port <port_num> |secret <shar_secr> |securid

{auth-port <port_num> |duress <number> |encr <number> |master { <ip_addr> | <name_str> } |retries <number> |slave { <ip_addr> | <name_str> } |timeout <number>} |

server-name <serv_name> |timeout <number> | type { 0 | 1 | 2 | 3 }}

��!//%��"

+:��

server.

ectory path where users are listed

server.

e user name in the LDAP server

ge is 1024 to 65535.

n device and the RADIUS server. e two devices.

o use for communications with the

IP address or the name for the

s licensed to use duress mode. e.

for SecurID network traffic. A efault type DES is recommended.

��

unset auth{radius-port |secret |server-name |securid |ldap |timeout |type}

��)�/��"

ldap server-name Defines the RADIUS server for user authentication.

<ip_addr> Specifies the IP address of the RADIUS

<name_str> The LDAP distinguished name (the dirin the LDAP server).

<port_num> The listening port number of the LDAP

<name_str> The LDAP common name identifier (thdirectory)

radius-port <port_num> Specifies the RADIUS server port number. Valid ran

secret <shar_secr> Defines the password shared between the NetScreeIt is used to authenticate all transactions between th

securid auth-port <port_num> Specifies the port number tSecurID server.

slave <ip_addr> | <name_str> Specifies either thesecondary SecurID server.

duress <number> Specifies if the SecurID server iFor <number>, a 0 defines False, and 1 defines Tru

encr <number> Specifies the encryption algorithmvalue of 0 specifies SDI, and 1 specifies DES. The d

��!//%��"

+8��

ient retries is 3 and timeout is 3

00, and using the Data

e IP address or the name for the

llowed for attempting

seconds) that the NetScreen

r name.

rminating authentication status.

0 for the built-in NetScreen d 3 for an LDAP server.

��

.� %� �"

The NetScreen built-in user database is used by default.

The SecurID authentication port is 5500 with DES encryption type. The number of clseconds.

The user authentication idle timeout is 10 minutes.

51%/4 �"

To define the RADIUS shared secret to “mysecret”:

ns-> set auth secret mysecret

To specify the SecurID server’s IP address as 172.16.22.1 with authentication port 5Encryption Standard (DES) algorithm:

ns-> set auth securid master 172.16.22.1ns-> set auth securid auth-port 500ns-> set auth securid encr 1

master <ip_addr> | <name_str> Specifies either thprimary SecurID server.

retries <number> Specifies the number of retries aauthentication with the SecurID server.

timeout <number> Specifies the length of time (in device waits between authentication retry attempts.

server-name <serv_name> Specifies the RADIUS server’s IP address or serve

timeout <number> Specifies the length of idle time in minutes before teValid range is from 0-255 minutes.

type { 0 | 1 | 2 | 3 } Specifies the type of authentication to use. Specify database, 1 for a RADIUS server, 2 for SecurID, an

��!//%��"

+��

unicating properly with the ACE h machines.

��

To use the built-in user database of the NetScreen device for user authentication:

ns-> set auth type 0

�!��"

When the NetScreen device is using SecurID to authenticate users and is not commserver, execute the clear node_secret command to ensure it is set correctly for bot

�� "!

See the clear auth, get auth, and clear node_secret commands.

��!//%��"

��

��,�%,- device.

.

ur and minutes in the following

ynchronizes computer clocks in

time.

��

Description: Use the set clock command to set the system time on the NetScreen

�0��%1set clock { <date> | dst-off | ntp | timezone <number> }

unset clock { dst-off | ntp | zone }

��)�/��"

.� %� �"

The NetScreen device automatically adjusts its system clock for daylight saving time

51%/4 �"

To define the system time as November 3, 2001 at 1:30PM:

ns-> set clock 11/03/2001 13:30

To turn off daylight saving time:

ns-> set clock dst-off

<date> Specifies the month, day, year, and 24-hour time. Specify the hoformat: (<mm/dd/yyyy hh:mm>).

dst-off Turns off the automatic time adjustment for daylight saving time.

ntp Configures the device for Network Time Protocol (NTP), which sthe Internet.

zone <number> Sets the current time zone offset compared to the GMT standardSet the number between -12 and 12.

��!//%��"

�+��
��
�� "!

See the get clock, set ntp, get ntp, and exec ntp commands.

��!//%��"

��

��,%��%��

are displayed in the console. If essages in a buffer so that you

on.

red to disable access to the es the current login session.

page.

��

Description: Use the set console command to define the console parameters.

When the debug mode is enabled on the NetScreen device, all debugging messagesthis generates too much information at once, use the dbuf parameter to store the mcan later retrieve them with the get dbuf command.

Enable console access with the unset disable command through a Telnet connecti

�0��%1set console

{dbuf |disable |page <number> |timeout <number>}

unset console{dbuf |disable |page |timeout}

��)�/��"

dbuf Stores the console messages in a buffer for later retrieval.

disable Disables access to the console. Two confirmations are requiconsole. Saves the current NetScreen configuration and clos

page <number> An integer value specifying how many lines appear on each

��!//%��"

��

ore logging out the administrator ng keyboard entries. A value of 0

��

.� %� �"

Access to the console is enabled by default.

The console displays 22 lines per page by default.

The default login timeout is set to 10 minutes.

The NetScreen device sends console messages to the buffer by default.

51%/4 �"

To redirect all debugging messages to the buffer:

ns-> set console dbuf

To disable console access:

ns-> set console disable

To define 20 lines per page displayed on the console:

ns-> set console page 20

To define the console timeout value to 40 minutes:

ns-> set console timeout 40

�� "!

See the get console, clear dbuf, and get dbuf commands.

timeout <number> Determines how much time (in minutes) the device waits beffrom the console session when the administrator stops makimeans the console never times out.

��!//%��"

��

es in the console. If this in a buffer so that you can

on.

��

�!��"

When debug mode is enabled, the NetScreen device displays all debugging messaggenerates too much information at once, use the dbuf option to store the messagesretrieve them later with the get dbuf command.

Enable console access with the unset disable command through a Telnet connecti

��!//%��"

�3��

��)(.lly.

��

Description: Use the set dbuf command to adjust the system buffer size dynamica

�0��%1set dbuf size <num>

unset dbuf size

��)�/��"

.� %� �"

The default buffer sizes for the various NetScreen devices are:

The range of value for the buffer size is from 32 to 4096 kilobytes.

51%/4 �"

To change the buffer size to the maximum size allowed:

size <num> Indicates the size of the system buffer in kilobytes

NetScreen-1000 1024 kilobytes


NetScreen-100p 1024 kilobytes




��!//%��"

��
��
ns-> set dbuf size 4096

�� "!

See also the get memory command.

��!//%��"

�:��

�� ('*��%('s.

uently, all the group members

name of the user.

the name of the user.

��

Description: Use the set dialup-group command to create a group of remote user

Different platforms can have different numbers of users in a dialup group.

An access policy for a dialup group applies to all the members in the group. Conseqmust be the same kind—either IKE/2TP users, or Manual Key users.

�0��%1set dialup-group <name_str> [ { + | - } <name_str> ]

unset dialup-group <name_str>

��)�/��"

.� %� �"

None.

51%/4 �"

To define a dialup user group called “telecommuters”:

ns-> set dialup-group telecommuters

To add a remote VPN user named “john-home” to the telecommuters group:

ns-> set dialup-group telecommuters + john_home

<name_str> Assigns a name to the dialup group.

{ + <name_str> } Adds a remote VPN user to the group, where <name_str> is the

{ - <name_str> } Deletes a remote VPN user from the group, where <name_str> is

��!//%��"

�8��

uently, all the group members (Manual Key).

��

To delete a remote VPN user named “amy-home” from the telecommuters group:

ns-> set dialup-group telecommuters - amy_home

To delete the telecommuters group:

ns-> unset dialup-group telecommuters

�� "!

See the get dialup-group command.

�!��"

A dialup-group may contain a maximum of 100 remote dialup users.

An Access Policy for a dialup-group applies to all the members in the group. Conseqmust be the same kind—either IKE dynamic peers (Auto Key), or VPN dialup users

��!//%��"

��

��'

��

Use the set dip command to set up a Dynamic IP (DIP) pool configuration.

�0��%1set dip

{<ip_addr>-<ip_addr> |<ip_addr> <mask>}

unset dip <id_num>

��)�/��"

.� %� �"

None.

51%/4 �"

To create DIP encompassing an IP range from 172.16.10.10 to 172.16.10.100:

ns-> set dip 172.16.10.10-172.16.10.100

�� "!

See the get dip, set vip, and set interface commands.

<ip_addr>-<ip_addr> A range of addresses to include in the DIP.

<ip_addr> <mask> A range of addresses expressed with subnet mask.

��!//%��"

��

��

rameter is hh:dd.

��

Description: Use the set dns command to configure Domain Name Services.

�0��%1set dns

{forward |host

{dns1 <ip_addr> |dns2 <ip_addr> |schedule <string>}

}

unset dns{forward |host { dns1 | dns2 | schedule }}

��)�/��"

forward Sets up forward DNS requests.

host dns1 <ip_addr>Specifies the DNS host.dns2 <ip_addr>Specifies the DNS host.schedule <string>Specifies the time of day to refresh DNS entries. The format of this pa

��!//%��"

�+��
��
51%/4 �"

To set up a host as the primary DNS server at 172.16.10.101:

ns-> set dns host dns1 172.16.10.101

To schedule a refresh time at 23:59 each day:

ns-> set dns host schedule 23:59

�� "!

See the get dns, clear dns, and exec dns commands.

��!//%��"

��

��%& �en device.

��

Description: Use the set domain command to set the domain name of the NetScre

�0��%1set domain <name_str>

unset domain

��)�/��"

.� %� �"

None.

51%/4 �

To set the domain of the NetScreen device to netscreen:

ns-> set domain netscreen

�� "!

See the get domain and the unset domain commands.

<string> Defines the domain name of the NetScreen device.

��!//%��"

��

��/ � variables files.

��

Description: Use the set envar command to define the location of the environment

�0��%1set envar <loc_str>

unset envar <loc_str>

��)�/��"

.� %� �"

On the NetScreen-1000, the default slot is slot 1.

51%/4 �"

To define the location of the system configuration as file2.cfg in slot2:

ns-> set envar slot2:file2.cfg

�� "!

See the get envar command.

<loc_str> The location of the environment variables files.

��!//%��"

��

��..�� These filters allow display only

um> is a value between 0 and

umbers range from 0 to 65535.

ort numbers range from 0 to

��

Description: Use the set ffilter command to create filters for the debug flow output.traffic related to one or a combination of the following:

• a specific source IP address

• destination IP address

• source port

• destination port

• IP protocol

�0��%1set ffilter

[ src-ip <ip_addr> ][ dst-ip <ip_addr> ]

[ ip-proto <ptcl_num> ][ src-port <port_num> ]

[ dst-port <port_num> ]

unset ffilter [ <id_num> ]

��)�/��"

src-ip <ip_addr> Defines the source IP address.

dst-ip <ip_addr> Defines the destination IP address.

ip-proto <ptcl_num> Defines the assigned IP protocol number, where <ptcl_n255.

src-port <port_num> Defines the port number for the source IP address. Port n

dst-port <port_num> Defines the port number for the destination IP address. P65535.

��!//%��"

�3��

.2:

ation IP 192.168.9.77:

rotocol (UDP):

ple, if you have already set a t numbers for the packets.

or example, if you configure a having IP protocol 200, the filters.

��

.� %� �"

None.

51%/4 �"

To create a filter for all traffic from a host with IP address 172.16.10.1:

ns-> set ffilter src-ip 172.16.10.1

To create a filter for all SMTP traffic designated to a host with IP address 192.168.3

ns-> set ffilter dst-ip 192.168.3.2 dst-port 25

To set a filter for all packets between the source IP address 172.16.10.88 and destin

ns-> set ffilter src-ip 172.16.10.88 dst-ip 192.168.9.77

To set a filter for all packets with the IP protocol number 17, for the User Datagram P

ns-> set ffilter ip-proto 17

To erase all filter settings:

ns-> unset ffilter

�� "!

See the get ffilter command.

�!��"

When necessary, you can add more arguments to an existing debug filter. For examfilter for packets between a source IP and a destination IP, you can later specify por

Adding a new argument to an existing filter actually modifies an existing argument. Ffilter to trap IP packets having IP protocol 51, and you then set a trap for IP packets NetScreen device replaces the 51 trap with the 200 trap. To prevent this, create new

��!//%��"

��

��.'�*&%��ode. In FIPS mode, certain

graphic Module Security Policy

��

Description: Use the set fips-mode command to put a NetScreen device in FIPS msecurity features are disabled. For information on these features, refer to the Cryptomanual.

�0��%1set fips-mode { enable }

unset fips-mode { enable }

.� %� �"

The default mode is non-FIPS mode.

51%/4 �"

To put a NetScreen device in FIPS mode:

ns-> set fips-mode enable

To take a NetScreen device out of FIPS mode:

ns-> unset fips-mode enable

��!//%��"

�:��

��.��0 ��

equently, you configure et interface command.

etScreen device. The ike switch gging of SNMP packets.

��

Description: Use the set firewall command to enable logging of dropped packets.

�0��%1set firewall

{ log-self { ike | snmp } }

unset firewall{ log-self { ike | snmp } }

��)�/��"

.� %� �"

The following firewall features are enabled by default:

• log-self off

• ike on

• snmp off

51%/4 �"

To enable logging of dropped IKE packets:

Note: NetScreen devices perform most firewall services at the interface level. Consindividual interfaces to perform firewall services. For more information, refer to the s

log-self Enables logging of dropped packets and pings received by the Nenables logging of IKE packets, and the snmp switch enables lo

��!//%��"

�8��
��
ns-> set firewall log-self ike

To enable logging of dropped SNMP packets:

ns-> set firewall log-self snmp

�� "!

See the get firewall, set interface, and get interface commands.

��!//%��"

��

��.�%0rent mode, to adjust the initial

��

Description: Use the set flow command, when the NetScreen device is in Transpasession timeout value and avoid packet fragmentation.

�0��%1set flow

{allow-dns-reply |check-session |initial-timeout <number> |mac-flooding |max-frag-pkt-size <number> |no-tcp-seq-check |path-mtu |tcp-mss |tcp-syn-check}

unset flow{allow-dns-reply |check-session |initial-timeout |mac-flooding |max-frag-pkt-size |no-tcp-seq-check |path-mtu |tcp-mss |tcp-syn-check}

��)�/��"

allow-dns-reply Allows DNS reply packet without a matched request.

��!//%��"

��

minutes:

duplication.

en device keeps an initial session ice receives a FIN or RST packet.

very. If the NetScreen device n ICMP packet suggesting a

the firewall even if its destination

n.

) option. The NetScreen device gmentation caused by the IPSec

��

.� %� �"

The default initial timeout value is 1 minute.

The MAC-flooding feature is enabled by default.

51%/4 �"

To change the length of time that an initial session remains in the session table to 2

ns-> set flow initial-timeout 2

To enable the TCP-MSS feature:

ns-> set flow tcp-mss

check-session Creates lookup session on management slot to avoid

initial-timeout <number> Defines the length of time in minutes that the NetScrein the session table before dropping it, or until the devThe range of time is from 1 to 6 minutes.

path-mtu Enables path-MTU (maximum transmission unit) discoreceives a packet that must be fragmented, it sends asmaller packet size.

mac-flooding Enables the NetScreen device to pass a packet acrossMAC address is not in the MAC learning table.

max-frag-pkt-size <number>

The maximum allowable size for a packet fragment.

no-tcp-seq-check Skips the sequence number check in stateful inspectio

tcp-mss Enables the TCP-MSS (TCP-Maximum Segment Sizemodifies the MSS value in the TCP packet to avoid fraoperation.

tcp-syn-check Checks the tcp syn bit before creating a session.

��!//%��"

�+��

e.

��

�!��"

This command can be configured in any mode, but is active only in Transparent mod

��!//%��"

��

��.�' to negotiate any data port

that negotiate a data port other cally any data port that the FTP

rvice:

��

Description: Use the set ftp command to allow FTP services for non-port-20 trafficnumber.

In the unset condition, a NetScreen device does not recognize certain FTP servicesthan port 20. When this feature is enabled, it allows FTP servers to negotiate dynamiserver proposes. The session is still metered by the stateful inspection monitor.

�0��%1set ftp { data-port any }

unset ftp { data-port any }

��)�/��"

.� %� �"

The default condition is unset.

51%/4 �

To enable a NetScreen device to negotiate the data port number for a Quick FTP se

ns-> set ftp data-port any

data-port any Specifies any FTP data port except port 20.

��!//%��"

��

that negotiate a data port other cally any data port that the FTP

��

�!��"

In the unset condition, a NetScreen device does not recognize certain FTP servicesthan port 20. When this feature is enabled, it allows FTP servers to negotiate dynamiserver proposes. The stateful inspection monitor still monitors the session.

��!//%��"

��

��%('rvices under a single name. policy.

v1-dmz |

p is bound. The default security -Trust, V1-Untrust, and v1-DMZ.

Zones in USGA Features.

address group.

��

Description: Use the set group command to group several addresses or several seThis allows you to reference a group of addresses or services by name in an access

�0��%1set group

{address <zone>

{ <name_str> [ add ] [ <string> ] } |service <name_str>

[ add <name_str> [ comment <string> ] ] |

unset group{address

{trust | untrust | <name_str> | v1-trust | v1-untrust |global | dmz | untrust-tun | null | self | ha | mgt}

<name_str>[ remove <name_str> | clear ] |

service <name_str> [ remove <name_str> | clear ]}

��)�/��"

address Specifies the zone to which the address grouzones include Trust, Untrust, Global, DMZ, V1You can also specify user-defined zones.For more information on zones, see Security

add <name_str> Adds the address named <name_str> to the

comment <string> Adds a comment <string> to the entry.

��!//%��"

�3��

rs:

e address hw-eng to the group:

p:

fines its name.

ervice group.

m the address group. If you do set group address command

rvice group.

m the service group. If you do not roup service command deletes

��

.� %� �"

None.

51%/4 �"

To create an empty address group for the trusted interface and name it headquarte

ns-> set group address trust headquarters

To create an empty service group and name it web-browsing;

ns-> set group service web-browsing

To create an address group named engineering for the trusted interface and add th

ns-> set group address trust engineering add hw-eng

To remove the address for admin-pc from the engineering address group:

ns-> unset group address trust engineering remove admin-pc

To create a service group named inside-sales and add the service AOL to the grou

ns-> set group service inside-sales add AOL

To remove the service PC-Anywhere from the service group named inside-sales:

service <name_str> Defines the group as a service group, and de

add <name_str> Adds the service named <name_str> to the s

remove <name_str> Removes the address named <name_str> fronot specify an address group member, the undeletes the entire address group.

clear Removes all the members of an address or se

remove <name_str> Removes the service named <name_str> frospecify a service group member, the unset gthat entire service group.

��!//%��"

��

ame group.

ample, you cannot create a not use the same address

you can modify it.

��

ns-> unset group service inside-sales remove PC-Anywhere

To remove the trusted address group named engineering:

ns-> unset group address trust engineering

To remove the service group named inside-sales:

ns-> unset group service inside-sales

�� "!

See the set address, set service, and get group commands.

�!��"

You cannot include addresses for trusted, untrusted and dmz interfaces within the s

Each address group and service group you create must have a unique name. For extrusted group and an untrusted group each named outside-sales. Similarly, you cangroup name as a service group name.

You cannot add the following addresses to a group:

• inside any

• outside any

• dialup vpn

• dmz any

You cannot add the ANY server to a group:

While an access policy references a group, you cannot remove the group, although

You can add only one member to a group at a time.

��!//%��"

�:��

embers for each group varies

p

��

The maximum number of groups that you can create and the maximum number of mwith the NetScreen device model.

�� "!

See the get group command.

NetScreen Device Number of Address Groups Number of Members per Grou

NetScreen-5 16 16

NetScreen-5xp 16 16

NetScreen-10 32 32

NetScreen-100 64 64

NetScreen-204 64 128



NetScreen-5000 16000 1024

��!//%��"

�8��

��+ ) for a NetScreen device.

��

Description: Use the set ha command to enable and configure High Availability (HA

�0��%1set ha

{arp <number> |auth password <pswd> |encrypt { password <pswd> }fast-mode |group <id_num> |interface <name_str> |link-hold-time <number> |monitor <name_str>priority <number> |second-path [ <name_str> ] |session off |track

{ip

[<ip_addr>

[interval <number> |method { arp | ping } |threshold <number> |weight <number>]

] |threshold <number>}

}

��!//%��"

��

aster unit sends out, notifying

nications authentication using the 6 characters.

unications using the specified ers.

er and a backup) you can quicken his option essentially eliminates candidate to become the master,

, where <number> can be ) is disabled.

faces, refer to Interfaces in

��

unset ha{arp <number> |auth |encrypt |fast-mode |group |interface |link-hold-time |monitor

[ dmz | trust | untrust ] |priority |second-path |session off}

��)�/��"

arp Sets the number of ARP requests that a newly elected mother network devices of its presence. The default is 2.

auth password Specifies that the NetScreen device performs HA commuspecified password. Valid passwords contain from 1 to 1

encrypt password Specifies that the NetScreen device encrypts HA commpassword. Valid passwords contain from 1 to 16 charact

fast-mode When a redundant group has only two members (a mastthe failover procedure by using the fast-mode option. Tthe election process. Because there is only one possiblethere is no need to determine which unit to promote.

group Defines an identification number for the redundant groupbetween 0 and 255. If you specify 0, high availability (HA

interface <name_str> The name of the interface. For more information on interUSGA Features.

link-hold-time Sets the link down time on the backup unit.

��!//%��"

3��

fy for monitoring are as follows.

n USGA Features.

devices in a redundant group

g a failover

master unit

should the primary link fail. The

n USGA Features.

ces to the other members of the

e network connection between a ddress <ip_addr> indicates the

an IP address. You can set the

��

monitor <name_str> Sets the monitor interface. The interfaces you can speci

- ethernet<n>

- ethernet<n1>.<n2>

- ethernet<n1>/<n2>

- ethernet<n1>/<n2>.<n3>

- mgt

For more information on interfaces, refer to Interfaces i

priority Assigns a number to define:

- which unit is the master unit when two NetScreen power up simultaneously

- which backup unit becomes the next master durin

- the unit with the number closest to 1 becomes the

second-path <name_str> Specifies a backup unit interface for HA communication,interfaces you can set up for backup are as follows.

- ethernet<n>

- ethernet<n1>.<n2>

- ethernet<n1>/<n2>


- mgt

- ha | ha1 | ha2

For more information on interfaces, refer to Interfaces i

session off Stops the master HA from propagating a session’s serviredundant group.

track ip <ip_addr> Enables path tracking, which is a means for checking thNetScreen interface and that of another device. The IP athe other network device to be checked.

interval <number> Defines the frequency for checking interval between 1 and 200 seconds.

��!//%��"

3+��

path tracking.

ive unanswered requests required rk device.

remote address. A value of 16 , if a NetScreen device fails to get ht of 16, the number of failed

failover. The range is between 1

��

.� %� �"

The default group ID number is 0, which means that HA is disabled.

The default priority number is 100.

The default method for path tracking is pinging.

The default interval for path tracking is 1 second.

The default number of unanswered requests considered as a failed attempt is 3.

The default weight is 1.

The default track threshold required to initiate a failover is 255.

51%/4 �"�

To define the HA group ID as 3:

ns-> set ha group 3

To disable high availability:

ns-> unset ha group

or

method { arp | ping } Determines the method to perform

threshold <number> Specifies the number of consecutto constitute a failed attempt at reaching a remote netwo

weight <number> Assigns an importance to the trackeddenotes the most important, and 1 the least. For example3 consecutive responses from an IP address with a weigattempts is 48.

track threshold <number>

Sets the number of failed attempts required to initiate a and 255.

��!//%��"

3��

master or a backup unit. Green de.

device is in FIPS mode. The e.

��

ns-> set ha group 0

To enable path tracking to IP address 172.16.66.170 every 5 seconds:

ns-> set ha track ip 172.16.66.170 interval 5

�!��"

The color of the Status LED indicates whether a NetScreen device is operating as a indicates the device is running in master mode, and yellow indicates the backup mo

The key <hex_key> and the password <pswd> option are both available when thekey <hex_key> option is unavailable when the NetScreen device is not in FIPS mod

�� "!

See the get ha and exec ha commands.

��!//%��"

3��

��+%�� &� device. This is the name that

��

Description: Use the set hostname command to define the name of the NetScreenappears in the console.

�0��%1set hostname <name_str>

unset hostname

��)�/��"

.� %� �"

For NetScreen-5xp, it is ns5xp.

For NetScreen-10, it is ns10.




51%/4 �"

To change the a NetScreen device hostname to acme:

ns-> set hostname acme

To reset the NetScreen device hostname to the default value:

acme-> unset hostname

<name_str> Sets the name of the NetScreen device.

��!//%��"

3��
��
�� "!

See the get hostname command.

��!//%��"

33��

��-�nd the gateway for an AutoKey

��

Definition: Use the set ike command to define the Phase 1 and Phase 2 proposals aIKE (Internet Key Exchange) VPN tunnel, and to specify other IKE parameters.

�0��%1

��

set ike p1-proposal <name_str>[ DSA-Sig | RSA-Sig | preshare

[ group1 | group2 | group5 ]]

{ esp{ 3des | des | aes128

{ md5 | sha-1[days <number> |hours <number> |minutes <number> |seconds <number>]

}}

}

��

set ike p2-proposal <name_str>[ group1 | group2 | group5 | no-pfs ]

{esp { 3des | des | aes128 | null } |ah}

[ md5 | null | sha-1

��!//%��"

3��
��
[days <number> |hours <number> |minutes <number> |seconds <number> ]]

[ kbyte <number> ]]

}

��

set ike gateway <name_str>{dialup <name_str> |dynamic <name_str> |heartbeat

{hello <number> |threshold <number>} |

ip <ip_addr> [ id <id_str> ]}

[ aggressive | main ][ local-id <id_str> ]

[ preshare <key_str> ]{ proposal <name_str>

[ <name_str> ][ <name_str> ]

[ <name_str> ]} |

{cert

{my-cert <id_num> |peer-ca <id_num> |peer-cert-type

{

��!//%��"

3:��
��
pkcs7 |x509-sig}

} |nat-traversal

[udp-checksum |keepalive-frequency <number>] |

disable-udp-checksum | enable-udp-checksum}

��

set ike{accept-all-proposal |heartbeat |policy-checking |single-ike-tunnel <name_str> |soft-lifetime-buffer <number> |respond-bad-spi <spi_num> |initiator-set-commit |responder-set-commit |id-mode

{ ip | subnet }}

set ike initial-contact[all-peers |single-gateway <name_str> |single-user <name_str>]

unset ike{accept-all-proposal |gateway |initial-contact |

��!//%��"

38��

ains parameters for creating and urity associations. You can

ce of IKE messages. preshare cryption and decryption that both otiations.igital signatures which are is who he or she claims to be.

rotocol that provides both

P protocol.

��

p1-proposal <name_str> |p2-proposal <name_str> |accept-all-proposal |policy-checking |heartbeat |initial-contact |initiator-set-commit |respond-bad-spi |responder-set-commit |single-ike-tunnel <name_str>}

unset ike gateway <name>[my-cert |peer-ca |peer-cert-type |nat-traversal [ udp-checksum ]]

��)�/��"

p1-proposal <name_str> Names the IKE Phase 1 proposal, which contexchanging session keys and establishing secspecify up to four Phase 1 proposals.

DSA-Sig | RSA-Sig | preshare Specifies the method to authenticate the sourrefers to a Preshared key; that is, a key for enparticipants have before beginning tunnel negRSA-Sig and DSA-Sig refer to two kinds of dcertificates testifying that the certificate holderPreshared key is the default method.

esp Specifies Encapsulating Security Payload, a pencryption and authentication.

des | 3des | aes128 Specifies the encryption algorithm used in ES

��!//%��"

3��

m used in ESP protocol. The two algorithms.

e that allows two parties to edium; such as, the Internet.

pt to renegotiate another security 180 seconds. The default lifetime

es the parameters for creating ociation for securing data to be fy up to four Phase 2 proposals.

the encryption key.r generating each new encryption cting no-pfs turns this feature off, from the key generated in the

, IKE automatically uses PFS ult is Group 2.

otocol—either Authentication r Encapsulating Security Payload entication).

ntication applies. You cannot tion.

kilobytes before NetScreen default value is 0 (infinity).

ay.

��

md5 | null | sha-1 Specifies the authentication (hashing) algorithdefault algorithm is SHA-1, the stronger of the

group1 | group2 | group5 Identifies the Diffie-Hellman group, a techniqunegotiate encryption keys over an insecure mGroup2 is the default group.

days <number>hours <number>minutes <number>seconds <number>

Defines the elapsed time between each attemassociation. The minimum allowable lifetime isis 28800 seconds.

p2-proposal <name_str> Names the IKE Phase 2 proposal, which definand exchanging session key and security asssent through the IPSec tunnel. You can speci

group1 | group2 | group5 | no-pfs Defines how the NetScreen device generatesPerfect Forward Secrecy (PFS) is a method fokey independently from the previous key. Selespecifying that IKE generates the Phase 2 keyPhase 1 exchange.If you specify one of the Diffie-Hellman groupswhen generating the encryption key. The defa

ah | esp In a Phase 2 proposal, identifies the IPSec prHeader (AH), which provides authentication, o(ESP), which provides encryption (and/or auth

null Specifies that either no encryption or no autheselect null for both encryption and authentica

kbytes <number> Indicates the maximum allowable data flow inrenegotiates another security association. The

gateway <name_str> Specifies the name of the remote tunnel gatew

��!//%��"

��

l parameters.col interval in seconds.ies before the NetScreen device e 2 keys.

o specify a user’s attributes, use oup’s attributes, use the set

mically assigned IP address. mote peer device.

teway.

ature that allows transmission of AT Traversal feature This prevents the NAT device us preventing authentication

DP checksum operation (used for

onds of inactivity the NetScreen .

tification can be in one of the

or example, www.netscreen.com

such as [email protected].

force identifying the peer gateway ecks the peer’s ID payload to see

��

heartbeat Specifies the IKE heartbeat protocohello <number> Sets the IKE heartbeat protothreshold <number> Sets the number of retrforces renegotiation of the Phase 1 and Phas

dialup <name_str> Identifies an IKE dialup user or dialup group. Tthe set user command. To specify a dialup grdialup command.

dynamic <name_str> Specifies that the remote gateway has a dyna<name_str> defines the IKE identity of the re

ip <ip_addr> Defines the static IP address of the remote ga

nat-traversal Enables or disables IPsec NAT-Traversal, a feencrypted traffic through a NAT device. The Nencapsulates ESP packets into UDP packets.from altering ESP packet headers in transit, thfailure on the peer NetScreen device.udp-checksum enables the NAT-Traversal UUDP packet authentication).keepalive-frequency specifies how many secdevice allows before disabling NAT Traversal

id <id_str> (Optional) Identifies the remote gateway. Idenfollowing three forms:

- an IP address

- a fully qualified domain name (FQDN); f

- a RFC822 name; that is, an email name

Include the peer ID only when you want to enwith the specified ID. The NetScreen device chif it matches the specified ID.

��!//%��"

�+��

ns. Use Aggressive mode only e without ID protection such as assigned IP address. Main mode cause it conceals the identities of

l device. Use only when the local IP address (Note: If either of the dress, use Aggressive mode for

1 proposal. (If you use an RSA- or t include this reference).

cify up to four Phase 1 proposals.

PN initiator and receipient.

device has multiple certificates

.

S7 or X509.

to accept only those proposals s.

participants match before

supported between two peer

.0 and earlier, you can disable ured between two peers.

o the same remote peer. (Note: backward compatibility with

peration before the current IPSec

��

aggressive | main Defines the mode used for Phase 1 negotiatiowhen you need to initiate an IKE key exchangwhen one of the participants has a dynamicallyis the recommended key-exchange method bethe parties during the key exchange.

local-id <id_str> Defines the IKE NetScreen identity of the locaNetScreen device has a dynamically assignedparticipants has a dynamically assigned IP adPhase 1).

preshare <key_str> Defines the Preshared key used in the Phase DSA-signature in the Phase 1 proposal, do no

proposal <name_str> Specifies the name of a proposal. You can spe

cert Uses a digital certificate to authenticate the V

my-cert <name_str> Specifies one certificate if the local NetScreenloaded.

peer-ca <name_str> Specifies a preferred certificate authority (CA)

peer-cert-type { pkcs7 | x509 } Specifies a preferred type of certificate—PKC

accept-all-proposal Accepts all incoming proposals. The default ismatching predefined or user-defined proposal

policy-checking Checks if the access policies of the two VPN establishing a connection.Use policy checking when multiple tunnels aregateways. Otherwise, the IKE session fails.For backwards compatibility with ScreenOS 2policy checking when only one policy is config

single-ike-tunnel <name_str> Specifies a single Phase 2 SA for all policies tThis feature has been implemented to ensureScreenOS 2.0.)

soft-lifetime-buffer <number> Sets a time in seconds to initiate a rekeying oSA key lifetime expires.

��!//%��"

��

curity association are 28,800

data traffic is between two

ith a bad security parameter index

w IPSec SA is established. The rmation is received. The default is

IPSec SA is established before

ange as either a host (IP) address hase 2 ID is sent. If you choose when setting up a VPN tunnel nt 4.0 device. Otherwise, use the

deletes all SAs, and sends an ou do not specify anything, the

fication to all peers during the first system reset.r single-user <string>, the with the specified IKE gateway or tion.

��

.� %� �"

Main mode is the default method for Phase 1 negotiations.

3DES and SHA-1 are the default algorithms for encryption and authentication.

The default time intervals before the NetScreen mechanism renegotiates another seseconds in a Phase 1 proposal, and 3600 seconds in a Phase 2 proposal.

The default ID mode is subnet. (Changing the ID mode to IP is only necessary if thesecurity gateways, one of which is a CheckPoint 4.0 device.)

The default soft-lifetime-buffer size is 10 seconds.

respond-bad-spi <spi_num> Responds to a specified number of packets w(SPI) value after a reboot.

initiator-set-commit Requests the responder to confirm that the neinitiator will not use the new SA until this confiunset.

responder-set-commit Requests the initiator to confirm that the new using it. The default is unset.

id-mode { ike ip | subnet } Defines the IKE ID mode in the Phase 2 exchor a gateway (subnet). If you choose ip, no Psubnet , proxy Phase 2 IDs are sent. (Use IP between a NetScreen device and a CheckPoisubnet option.)

initial-contact { all-peers | single-gateway <name_str> | single-user <user_name> }

By specifying all-peers, the NetScreen deviceinitial contact notification to each IKE peer. If yNetScreen device sends an initial contact notiIKE single-user session with that peer after a By specifying single-gateway <name_str> oNetScreen device deletes all SAs associated IKE user, then sends an initial contact notificaThe default is unset.

��!//%��"

��

sal.

gorithms

tes 3

minutes 15

L proposal

s section below.

��

By default, the single-ike-tunnel flag is not set.

By default, the commit bit is not set when initiating or responding to a Phase 2 propo

51%/4 �"

To define a Phase 1 proposal named pre-gl-3des-md5 with the following attributes:

• Preshared key and a group 1 Diffie-Hellman exchange

• Encapsulating Security Payload (ESP) protocol using the 3DES and MD5 al

• Lifetime of 3 minutes:

ns-> set ike p1-proposal sf1 preshare group1 esp 3des md5 minu

To define a Phase 2 proposal named g2-esp-3des-null with the following attributes:

• Group 2 Diffie-Hellman exchange

• ESP using 3DES without authentication

• Lifetime of 15 minutes:

ns-> set ike p2-proposal g2-esp-3des-null group2 esp 3des null

To define a remote gateway named “san_fran” with the following attributes:

• Main mode

• Preshared Key with the value bi273T1L

• Reference to the Phase 1 proposal pre-g2-3des-md5

ns-> set ike gateway san_fran ip 172.16.10.11 preshare bi273T1pre-g2-3des-md5

For an example of the complete procedure for setting up a VPN tunnel, see the Note

To enable NAT traversal for a gateway named mktg:

ns-> set ike gateway mktg nat-traversal

To enable the UDP checksum setting:

ns-> set ike gateway mktg nat-traversal udp-checksum

��!//%��"

��

five steps. To set up one end of eps below.

e VPN tunnel:

lt proposals, you do not need to

��

To disable the UDP checksum setting:

ns-> unset ike gateway mktg nat-traversal udp-checksum

To set the Keepalive setting to 25 seconds:

ns-> set ike gateway mktg nat-traversal keepalive-frequency 25

�� "!

See the clear ike, get ike, set policy, set user, set vpn, and get sa commands.

�!��"

Setting up a VPN tunnel for a remote gateway with a static IP address requires up to a VPN tunnel gateway 1 (GW1) in the illustration for bidirectional traffic, follow the st

1. Set the addresses for the trusted and untrusted parties at the two ends of th

ns-> set address trust host1 10.0.1.1 255.255.255.255ns-> set address untrust host2 10.0.2.1 255.255.255.255

2. Define the IKE Phase 1 proposal and Phase 2 proposal. If you use the defaudefine Phase 1 and Phase 2 proposals.

3. Define the remote gateway:

��!//%��"

�3��

proposal

o five steps.

ommand.)

Note: If you use the default

2-131.

and the VPN tunnel you

��

ns-> set ike gateway gw2 ip 204.0.0.2 preshare netscreenpre-g2-3des-md5

4. Define the VPN tunnel as AutoKey IKE:

ns-> set vpn vpn1 gateway gw2 proposal g2-esp-des-md5

5. Define an outgoing incoming access policy:

ns-> set policy outgoing host1 host2 any tunnel vpn vpn1ns-> set policy incoming host2 host1 any tunnel vpn vpn1

The procedure for setting up a VPN tunnel for a dialup user with IKE constitutes up t

1. Define the trusted address that the user will access. (See the set address c

2. Define the user as an IKE user. See the set user command on page 2-122.

3. Define the IKE Phase 1 proposal, Phase 2 proposal, and remote gateway. (proposals, you do not need to define a Phase 1 or Phase 2 proposal.)

4. Define the VPN tunnel as AutoKey IKE. See the set vpn command on page

5. Define an incoming access policy, with Dial-Up VPN as the source addressconfigured in step 3 specified. See the set policy command on page 2-92.

�� "!

See the get ike and clear ike-cookie commands.

��!//%��"

��

��. ,�twork, virtual private network

|

outer <name_str> ] } |

] ] |

mgt | vlan1

��

Description: Use the set interface command to define the interface settings for ne(VPN), High Availability (HA), and administrative traffic.

�0��%1set interface

{ethernet<n> | ethernet<n1>/<n2> | ethernet<n1>/<n2>.<n3>

{bandwidth <number> |dip <number> [ <ip_addr> [ <ip_addr> [ fix-port ] ] ] ident-reset |ip <ip_addr>/<mask> { tag <id_num> } |manage-ip <ip_addr> |mip <ip_addr> { host <ip_addr> [ netmask <mask> ] [ vrnat |route |secondary |vip <ip_addr>

[ <port_num> | + [ <name_str> <ip_addr> [ manual ] zone <name_str>} |

ethernet<n> | ethernet<n1>/<n2> | ethernet<n1>/<n2>.<n3> |{ip <ip_addr>/<mask> |manage-ip <ip_addr> |phy { auto | full | half } { 10mb | 100mb }} |

vlan1{broadcast < flood | arp [ trace-route ] |bypass-non-ip |

��!//%��"

�:��

3> | v1-trust

��

bypass-others-ipsec |vlan { trunk }}

}

��

set interface{ethernet<n> | ethernet<n1>/<n2> | ethernet<n1>/<n2>.<n

dhcp{relay

{server-name { <name_str> | <ip_addr> }service |vpn}

server{ip <ip_addr>

{mac <mac_addr> |to <ip_addr>} |

option{dns1 | dns2 | dns3 | gateway | news |

{ <ip_addr> } |nis1 | nis2 | pop3 | smtp |

{ <ip_addr> } |domainname <name_str> |lease <number> |netmask <mask> |nistag <name_str> |wins1 <ip_addr> |

��!//%��"

�8��

t | v1-dmz

> <number> }

��

wins2 <ip_addr>}

service}

}{

��

set interface{ethernet<n> | ethernet<n1>/<n2> | v1-trust | v1-untrus}

{ident-reset |manage { ping | scs | snmp | ssl | telnet | web } |screen

{component-block |fin-no-ack |icmp-flood { threshold <number> } |icmp-fragment |icmp-large |ip-bad-option |ip-filter-src |ip-loose-src-route |ip-record-route |ip-security-opt |ip-spoofing |ip-stream-opt |ip-strict-src-route |ip-sweep { threshold <number> } |ip-timestamp-opt |land |limit-session [ source-ip-based <number> ] |mal-url { code-red | mal-url <name_str> <id_strping-death |port-scan { threshold <number> } |

��!//%��"

��
��
syn-fin |syn-flood

[alarm-threshold <number>attack-threshold <number>queue-size <number>source-threshold <number>timeout <number>] |

syn-frag |tcp-no-flag |tear-drop |udp-flood { threshold <number> } |unknown-protocol |winnuke}

}}

�� !��"��

set interface{ ha | ha1 | ha2 }

{ phy { 10mb | 100mb } }

#$��

set interfacetunnel/<n>

{zone <name_str> |ip <ip_addr>/<mask>}

��!//%��"

:��

rfaces, refer to Interfaces in

ter identifies the tunnel interface.

ond for all traffic traversing the

ses the pool to dynamically ress Translation (NAT) to packets um> identifies the DIP pool. The ress range. (Note: A single IP IP address <ip_addr> represents

IP pool:

nouncement in response to an

al interface. The Manage IP r management purposes on a

e specified interface or interface to VLAN tag <id_num>.

o the MIP <ip_addr> is directed to an specify a single one-to-one

her. (Note: Be careful to exclude l IP addresses in the subnet from

ion (NAT) on outbound traffic from performing NAT.

��

��)�/��"�

interface The name of the interface. For more information on inteUSGA Features.

tunnel/<number> The interface for a VPN tunnel. The <number> parame

bandwidth <number> The guaranteed maximum bandwidth in kilobits per secspecified interface.

dip <id_num> <ip_addr> [ <ip_addr> ]

Sets a Dynamic IP (DIP) pool. The NetScreen device uallocate source addresses when it applies Network Addtraversing the specified interface. The ID number <id_nIP address <ip_addr> represents the start of the IP addaddress can comprise an entire DIP pool.) The second the end of the IP address range.Be sure to exclude the following IP addresses from a D

- the interface and gateway IP addresses

- any Virtual IP and Mapped IP addresses

ident-reset Enables the NetScreen device to send a TCP Reset anIDENT request to port 113.

manage-ip <ip_addr> Defines the Manage IP address for the specified physicaddress can be used to access the NetScreen device foper-interface basis.

ip <ip_addr>/<mask> [ tag <id_num> ]

The IP address <ip_addr> and netmask <mask> for thsubinterface. The [ tag <id_num> ] switch assigns the

mip <ip_addr> host <ip_addr> [ netmask <mask> ]

Defines a Mapped IP (MIP) address so that traffic sent tthe host with the IP address <ip_addr>. The netmask cmapping or a mapping of one IP address range to anotthe interface and gateway IP addresses, and any Virtuathe MIP address range.)

nat | route Specifies whether to perform Network Address Translatthe trusted LAN or to route the outbound traffic without

��!//%��"

:+��

ng traffic from a host on one P address.

nterface so you can map routable es. The <port_num> parameter

ddr> parameters specify the g the service, respectively. The e + operator adds another service

r more information on zones, see

on the specified interface. The e at full or half duplex (as required

bility of other devices while the

ood frames received from an parent mode. In the process, the cannot access the destination

erate an Address Resolution the unknown destination IP ith the appropriate MAC address destination device directly, and ng bandwidth. The process of for the first frame.

tScreen device in Transparent ys passed, even if when feature is

vice in Transparent mode. The y but passes the IPSec packets

��

secondary-ip( route-deny )

Prevents the NetScreen device from automatically routisecondary IP address to a host on another secondary I

vip <ip_addr> Defines a Virtual IP (VIP) address (<ip_addr>) for the iIP addresses to internal servers and access their servicspecifies the port number. The <name_str> and <ip_aservice name and the IP address of the server providinmanual switch turns off server auto detection. Using thto the VIP.

zone <name_str> Specifies the zone to which the new interface binds. FoSecurity Zones in USGA Features.

phy { auto | full | half } auto | full | half defines the physical connection mode NetScreen unit automatically decides whether to operatby the network device connected to NetScreen unit).

vlan1 broadcast Controls how the NetScreen device determines reachadevice is in transparent (L2) mode.

• The flood switch instructs the NetScreen device to flunknown host out all other interfaces that are in transdevice might attempt to copy frames out of ports thataddress, thus consuming network bandwidth.

• The arp switch instructs the NetScreen device to genProtocol (ARP) broadcast. If the ARP broadcast findsaddress, the NetScreen device loads its ARP table wand interface. The device uses this entry to reach theonly sends frames through the correct port, thus savigenerating the initial ARP can cause delay, but only

bypass-non-ip Allows non-IP traffic, such as IPX, to pass through a Nemode. (ARP is a special case for non-IP traffic. It is alwadisabled.)

bypass-others-ipsec Openly passes all IPSec traffic through a NetScreen deNetScreen device does not act as a VPN tunnel gatewaonward to other gateways.

��!//%��"

:��

rops Layer-2 frames. The device apply:

nterface.

to MAC addresses.

evice performs. For example, the device to ignore the tags and

Layer-2 switch “trunk port.”

reen device can serve as a DHCP

ain name or IP address of the s the IP addresses and TCP/IP

HCP relay agent through the

a VPN tunnel. You must first set e DHCP server.

he DHCP server assigns a ied by its MAC address

a range of IP addresses to use e starting IP address and the

rt up to 255 IP addresses.

��

vlan { trunk } Determines whether the NetScreen device accepts or dmakes this decision only when the following conditions

- The NetScreen device is in transparent mode.

- The device receives VLAN tagged frames on an i

The device then performs one of two actions.

- Drop the frames because they have tags.

- Ignore the tags and forward the frames according

The vlan { trunk } switch determines which action the dcommand set vlan1 vlan trunk instructs the NetScreenforward the frames. This action closely follows that of a

relay Configures the NetScreen interface such that the NetScrelay agent.

server-name <name_str> | <ip_addr> Defines the domDHCP server from which the NetScreen device receivesettings that it relays to hosts on the trusted LAN.

service Enables the the NetScreen device to act as a Dinterface.

vpn Allows the DHCP communications to pass throughup a VPN tunnel between the NetScreen device and th

server Makes the NetScreen interface a DHCP server.

ip <ip_addr> mac <mac_addr> (In Reserved mode) Tdesignated IP address (<ip_addr>) to a machine specif(<mac_addr>).

ip <ip_addr> to <ip_addr> (In Dynamic mode) Defineswhen the DHCP server is filling client requests. Enter thending IP address.The IP pool can include up to 64 entries, and can suppo

service Enables DHCP operation.

��!//%��"

:��

efine settings.

> Defines the IP addresses of the ce (DNS) servers.

fault trusted gateway used by the

server for receiving and storing

resses of the primary and ution of administrative data within

ffice Protocol version 3 (POP3)

Mail Transfer Protocol (SMTP)

main name of the network.

s for which an IP address supplied , enter 0.

ult gateway on the trusted side.

he Apple® NetInfo database.

address of the primary and ) servers.

lay agent through the interface.

��

optionSpecifies the DHCP server options for which you can d

• dns1 <ip_addr> | dns2 <ip_addr> | dns3 <ip_addrprimary, secondary, and tertiary Domain Name Servi

• gateway <ip_addr> Defines the IP address of the declients.

• news <ip_addr> Specifies the IP address of a newspostings for news groups.

• nis1 <ip_addr> | nis2 <ip_addr> Defines the IP addsecondary NetInfo® servers, which provide the distriba LAN.

• pop3 <ip_addr> Specifies the IP address of a Post Omail server.

• smtp <ip_addr> Defines the IP address of a Simplemail server.

• domainname <name_str> Defines the registered do

• lease <number> Defines the length of time in minuteby the DHCP server is leased. For an unlimited lease

• netmask <ip_addr> Defines the netmask of the defa

• nistag <string> Defines the identifying tag used by t

• wins1 <ip_addr> | wins2 <ip_addr> Specifies the IPsecondary Windows Internet Naming Service (WINS

service Enables the the NetScreen device to act as a DHCP re

��!//%��"

:��

ility through the interface.

ace.

the interface.

ugh the interface.

the interface.

ugh the interface.

the interface

ce.

a or ActiveX components in Web rse on the victim host. A Trojan

access the victim host directly. files, such as .zip, .gzip, and .tar, ponent-block feature blocks all

s.

d rejects packets that have them.

Control Message Protocol (ICMP) casts ICMP echo requests in

ystem to slow down, time out, and f ICMP packets per second the NetScreen device rejects

re Fragments flag set, or with an

h greater the 1024.

e list of IP Options is malformed or

��

manage Enables or disables monitoring and management capab

• ping Enables (or disables) pinging through the interf

• scs Enables (or disables) SCS management through

• snmp Enables (or disables) SNMP management thro

• ssl Enables (or disables) SSL management through

• telnet Enables (or disables) telnet management thro

• web Enables (or disables) web management through

screen Enables or disables firewall services through the interfa

• component-block Attackers can hide malicious Javpages, and these components can install a Trojan HoHorse contains applets that allow an outside party toAttackers can hide these components in compressedas well as in executable (.exe) files. Enabling the comembedded Java and ActiveX applets from Web page

• fin-no-ack Detects an illegal combination of flags, an

• icmp-flood [threshold <number>] Detects Internet floods. An ICMP flood occurs when an attacker broadorder to flood the system with data. This causes the sthen disconnect. The threshold defines the number oallowed to ping the same destination address beforefurther ICMP packets. The range is 1 to 1,000,000.

• icmp-fragment Detects any ICMP frame with the Mooffset indicated in the offset field.

• icmp-large Detects any ICMP frame with an IP lengt

• ip-bad-option Discards all received frames where thincomplete.

��!//%��"

:3��

Option enabled. The Source dress to access a network, and administrator can block all IP Routing , or only those with Loose

source route option enabled.

Route option enabled. With the s information concerning the path ing information about the

Security options set. These option ne various protection levels for ces for forwarding frames

cks occur when unauthorized valid client IP addresses. Using

IP address connections. Only n use this option.

Stream identifier set.

rce route option enabled.

ts an IP Sweep attack. An IP echo requests (pings) to multiple als the target’s IP address to the d 1,000,000 microseconds. Each

cy than this limit, the NetScreen ource address.

tamp option set.

��

• ip-filter-src Blocks all packets with the Source RouteRoute Option can allow a hacker to use a false IP adhave the traffic returned to their real IP address. TheSource Routed frames, only those with Strict Source Source Routing.

• ip-loose-src-route Detects packet IPs with the loose

• ip-record-route Discards all frames with the RecordRecord Route option enabled, attackers might accesbetween the attacker and the target device, thus gainprotected network.

• ip-security-opt Discards all received frames with IP settings conform to RFCs 1038 and 1108, which defiframes, and the configuration of internetworking devithroughout an internetwork.

• ip-spoofing Prevents spoofing attacks. Spoofing attaagents attempt to bypass firewall security by imitatingthe ip-spoofing option invalidates such false sourceNetScreen devices running in NAT or Route mode ca

• ip-stream-opt Discards all frames with the IP SATNET

• ip-strict-src-route Detects frames with the strict sou

• ip-sweep threshold <number> Detects and prevenSweep attack occurs when an attacker sends ICMP destination addresses. If a target host replies, it reveattacker. Set the IP Sweep threshold to between 1 antime ICMP echo requests occur with greater frequendevice drops further echo requests from the remote s

• ip-timestamp-opt Discards all frames with the times

��!//%��"

:��

ood defense mechanism with IP cker sends spoofed IP packets th the source and destination IP

e SYN flag set to any available s with itself, filling its session table

ou define the maximum number of ond by a single source IP address.

hat scans HTTP packets for that contain such URLs. The -red-worm virus. Using the

or in the HTTP packet. Typically, nd GET, followed by at least one en device treats multiple spaces

/” at the start of the URL as a

L before the CR-LF.

gular ICMP packet sizes. packet size, many ping rigger a range of adverse system .

attacks. A port scan attack occurs mbers to scan available services. is attack, the NetScreen device

from a single remote source. For nds (the default threshold setting), , and rejects further packets from er> value determines the

00 milliseconds.

��

• land Prevents Land attacks by combining the SYN flspoofing protection. Land attacks occur when an attawith headers containing the target’s IP address for boaddresses. The attacker sends these packets with thport. This induces the target to create empty sessionand overwhelming its resources.

• limit-session [ source-ip-based <number> ] Lets ysessions the NetScreen device can establish per sec

• mal-URL [ <name_str> | code-red] Sets up a filter tsuspect URLs. The NetScreen device drops packetscode-red-worm switch enables blocking of the code<name_str> option works as follows.

- <name_str> A user-defined identification name.

- <id_str> Specifies the starting pattern to search fthis starting pattern begins with the HTTP commaspace, plus the beginning of a URL. (The NetScrebetween the command “GET” and the character “single space.)

- <number> Specifies a minimum length for the UR

• ping-of-death Detects and rejects oversized and irreAlthough the TCP/IP specification requires a specificimplementations allow larger packet sizes. This can treactions including crashing, freezing, and rebooting

• port-scan threshold <number> Prevents port scan when an attacker sends packets with different port nuThe attack succeeds if a port responds. To prevent thinternally logs the number of different ports scanned example, if a remote host scans 10 ports in 0.05 secothe NetScreen device flags this as a port scan attackthe remote source. The port-scan threshold <numbthreshold setting, which can be from 1000 to 1,000,0

��!//%��"

::��

ers can use to consume sessions ice.

occur when the connecting host ing to the corresponding ACK

er of proxied, half-complete evice makes enteries in the event

ber of SYN packets per second

oxied connection requests held in starts rejecting new connection

ber of SYN packets received (per e NetScreen device executes the

th of time before a half-completed et it between 1 and 50 seconds.

ny packet fragments used for the with SYN packet fragments. The ng packets to arrive so it can onnections that cannot be No further connections are can occur.

alformed flags field.

cks occur when fragmented IP ssemble the packets to crash. The any packets that have such a

��

• syn-fin Detects an illegal combination of flags attackon the target device, thus resulting in a denial of serv

• SYN flood Prevents SYN flood attacks. Such attackscontinuously sends TCP SYN requests without replyresponses. Detects SYN Flood attacks.

- [ alarm-threshold <number> ] defines the numbconnections per second at which the NetScreen dalarm log.

- [ attack_threshold <number> ] defines the numrequired to trigger the SYN proxying mechanism.

- [queue-size <number>] defines the number of prthe proxied connection queue before the system requests.

- [ source-threshold <number>] defines the numsecond) from a single source IP address, before thSYN proxing mechanism.

- [ timeout <number> ] defines the maximum lengconnection is dropped from the queue. You can s

• syn-frag Detects a SYN fragment attack, and drops aattack. A SYN fragment attack floods the target host host caches these fragments, waiting for the remainireassemble them. By flooding a server or host with ccompleted, the host’s memory buffer eventually fills. possible, and damage to the host’s operating system

• tcp-no-flag Drops an illegal packet with missing or m

• tear-drop Blocks the Teardrop attack. Teardrop attapackets overlap and cause the host attempting to reatear-drop option directs the NetScreen device to dropdiscrepancy.

��!//%��"

:8��

interface :

s when UDP packets are sent with that it can no longer process valid per second to the same exceeded, the NetScreen device he valid range is from 1 to

ith protocol numbers greater than ed.

unications, modifies the packet as triggers an attack log entry in the

der. The Port Address Translation

tScreen device forwards packets bnet of the specified interface.

the specified interface or

��

51%/4 �"

To set up the Level-2 interface to perform land attack detection:

ns-> set interface v1-dmz screen land

To bind interface ethernet4/1 to the Trust zone and enable Web management for the

ns-> set interface ethernet4/1 zone trustns-> set interface ethernet4/1 manage web

To bind the ethernet4/2 to the untrusted interface and enable ping for the interface:

ns-> set interface ethernet4/1 zone untrustns-> set interface ethernet4/1 manage ping

To enable the ability to reset ident requests through the ethernet3/2 interface:

• udp-flood threshold <number> UDP flooding occurthe purpose of slowing down the system to the point connection requests. The number of packets alloweddestination IP address/port pair. When this number isgenerates an alarm and drops subsequent packets. T1,000,000.

• unknown-protocol Discards all received IP frames w100. Such protocol numbers are undefined or reserv

• winnuke Detects attacks on Windows NetBios commnecessary, and passes it on. (Each WinNuke attack event alarm log.)

fix-port Keeps the original source port number in the packet hea(PAT) is not applied.

gateway <ip_addr> The IP address for the default gateway to which the Nethat are destined for networks beyond the immediate su

ip <ip_addr>/<mask> [ secondary ]

The IP address <ip_addr> and netmask <ip_addr> forsubinterface.

��!//%��"

:��

zone:

AN tag 3:

erver:

e commands.

asis. When set, the IP address

rface IP is used to manage the

inistrator can use the interface manage-ip.

��

ns-> set interface ethernet4/1 ident-reset

To create a subinterface for physical interface ethernet3/1 and bind it to the Untrust

ns-> set interface ethernet3/1.2 zone untrust

To assign IP address 172.168.40.3/24 to subinterface ethernet3/1.2 and assign it VL

ns-> set interface ethernet3/1.2 ip 172.168.40.3/24 tag 3

To create a tunnel interface named tunnel/2 with IP address 172.10.10.5/24:

ns-> set interface tunnel/2 zone untrustns-> set interface tunnel/2 ip 172.10.10.5/24

To configure interface ethernet3/2 to receive its address dynamically from a DHCP s

ns-> set interface ethernet3/2 dhcp server service

To unset the tunnel interface named tunnel/1:

ns-> unset interface tunnel/1

�� "!

See the get interface, set vsys, set dhcp, exec dhcp, set pppoe, and exec pppo

�!��"

The manage-ip option supersedes the sys-ip option and applies on a per interface bis for managing the device.

If both the per-interface manage-ip and the global sys-ip are set to 0.0.0.0, the intedevice.

Note: The manage-ip takes precedence over sys-ip. If the sys-ip is 0.0.0.0, the admIP address to manage the device, with the exception of those interfaces and set with

��!//%��"

8��
��

��!//%��"

8+��

��/� �*�� ..,ffic through a NetScreen

hat traffic can enter the VSYS vices such as authentication or

lan-traffic deny command. To

��

��Description: Use the set intervlan-traffic deny command to disable inter-VLAN tradevice.

It is possible to configure a virtual system (VSYS) with two trusted interfaces, such tthrough one interface and exit through the other without undergoing any security serencryption. This is known as inter-VLAN traffic.

When inter-VLAN traffic poses a security risk, you can disable it using the set intervenable inter-VLAN traffic, use the unset intervlan-traffic command.

�0��%1set intervlan-traffic { deny }

unset intervlan-traffic [ deny ]

��)�/��"

51%/4 �"

To disable inter-VLAN traffic:

ns-> set intervlan-traffic deny

To enable inter-VLAN traffic:

ns-> unset intervlan-traffic deny

set intervlan-traffic deny Disables inter-VLAN traffic.

unset intervlan-traffic deny Disables inter-VLAN traffic.

��!//%��"

8��
��
�� "!

See the set vsys and set interface commands.

��!//%��"

8��

��' the TFTP server.

e NetScreen device ends the

erminating an inactive TFTP

��

Description: Use the set ip command to set IP parameters for communication with

�0��%1set ip { tftp }

{retry <number> |timeout <number>}

unset ip tftp

��)�/��"

.� %� �"

The number of retries is 10.

The default timeout period is 2 seconds.

51%/4 �"

To set the number of retries to 7:

ns-> set ip tftp retry 7

To set the timeout period to 15 seconds:

retry <number> The number of times to retry a TFTP communcation before thattempt and generates an error message.

timeout <number> Determines how the long the NetScreen device waits before tconnection.

��!//%��"

8��
��
ns-> set ip tftp timeout 15

�� "!

See the get ip tftp command.

��!//%��"

83��

��''%%�range of IP addresses. IP pools col (L2TP).

h 172.16.10.200:

��

Definition: Use the set ippool command to associate the name of an IP pool with a are used when assigning addresses to dialup users via the Layer 2 Tunneling Proto

�0��%1set ippool { <string> <ip_addr> <ip_addr> }

unset ippool <string>

��)�/��"

.� %� �"

None.

51%/4 �"

To configure the IP pool named “office” with the IP addresses 172.16.10.100 throug

ns-> set ippool office 172.16.10.100 172.16.10.200

�� "!

See the get ippool command.

<string> Defines the name of the IP pool.

<ip_addr> Sets the starting IP address in the IP pool.

<ip_addr> Sets the ending IP address in the IP pool.

��!//%��"

8��

��1�'P settings.

tor.

��

Description: Use the set l2tp command to configure L2TP tunnels and default L2T

This command is available for the root administrator, not a virtual system administra

�0��%1set l2tp

{<string> { [ id <id_num> ] user <name_str> }

[ peer-ip <ip_addr>[ host <string> ]

[ outgoing-interface ]]

[ secret <string> ][ keepalive <number> ] |

default{auth { local | radius } |dns1 <ip_addr> |dns2 <ip_addr> |ippool <string> |ppp-auth

{ any | chap [ pap ] | pap } |radius-port <port_num> |radius-secret <string> |server-name <string> |wins1 <ip_addr> |wins2 <ip_addr>}

}unset l2tp

{<string>default

{

��!//%��"

8:��

entrator (LAC), if it has a static IP

LAC.

els.

etween the L2TP network server nd the LAC.

creen device (LNS) waits before ).

e—the NetScreen internal base.

��

dns1 |dns2 |ippool |ppp-auth

{ any | chap [ pap ] | pap } |radius-portradius-secret |server-name |wins1 |wins2}

}

��)�/��"

l2tp <string> The L2TP tunnel name.

id <id_num> The ID number for the L2TP tunnel.

user <string> The name of the L2TP user.

peer-ip <ip_addr> Specifies the IP address of the L2TP access concaddress.

host <string> Specifies the name of the computer acting as the

outgoing-interface <name_str> Specifies the outgoing interface for the L2TP tunn

secret <string> Defines a shared secret used for authentication b(LNS), which the NetScreen device is asting as, a

keepalive <number> Defines how many seconds of inactivity, the NetSsending a hello message to the dialup client (LAC

default Defines the default L2TP settings.

auth { local | radius } Specifies the type of user authentication databasdatabase (local) or a remote RADIUS server data

dns1 <ip_addr> The IP address of the primary DNS server.

dns2 <ip_addr> The IP address of the secondary DNS server.

��!//%��"

88��

resses are drawn to be assigned

dialup user’s request to make a

ntication Protocol (CHAP), which rd during transmission.

tocol (PAP), which does not use

tiate CHAP and then, if that

he number can be between 1024

and the RADIUS server.

erver.

��

.� %� �"

The default L2TP UDP port number is 1701.

By default, no L2TP secret is used to authenticate the LAC-LNS pair.

The default interval for sending a keepalive message is 60 seconds.

PPP-auth type is any.

51%/4 �"

To create an L2TP tunnel named west_coast for a dialup user named jking:

ns-> set l2tp west_coast user jking

ippool <string> The name of the L2TP IP pool, from which IP addto L2TP users.

ppp-auth { any | chap | pap } Specifies the authentication type in response to aPoint-to-Point Protocol (PPP) link.

- chap specifies Challenge Handshake Autheencrypts the user’s login name and passwo

- pap specifies Password Authentication Proencryption.

- any instructs the NetScreen device to negoattempt fails, PAP.

radius-port <port_num> Defines the port number of the RADIUS server. Tand 65,535.

radius-secret <string> The shared secret used by the NetScreen device

default server-name <string> The IP address or domain name of the RADIUS s

default wins1 <ip_addr> The IP address of the primary WINS server.

default wins2 <ip_addr> The IP address of the secondary WINS server.

��!//%��"

8��

s for a dialup user named dd:

abase, CHAP for L2TP 1, and primary and secondary

��

To create an L2TP tunnel named east_coast with a keep alive value of 120 second

ns-> set l2tp west_coast user dd keepalive 120

To create a set of default L2TP settings, using an IP pool named chiba, the local datauthentication, primary and secondary DNS servers at 192.168.2.1 and 192.168.4.7WINS servers at 10.20.1.16 and 10.20.5.101:

ns-> set l2tp default ippool chibans-> set l2tp default auth localns-> set l2tp default ppp-auth chapns-> set l2tp default dns1 192.168.2.1ns-> set l2tp default dns2 192.168.4.71ns-> set l2tp default wins1 10.20.1.16ns-> set l2tp default wins2 10.20.5.101

�� "!

See the get l2tp, clear l2tp, and set ippool commands.

��!//%��"

��

��,�etScreen device.

.

��

Description: Use the set lcd command to activate the LCD on the front panel of a N

�0��%1set lcd { display | key-in }

unset lcd { display | key-in }

��)�/��"

51%/4 �"

To turn off the LCD and lock the control keys:

ns-> unset lcd display

To leave the LCD on but lock the control keys:

ns-> set lcd key-in

To turn on the LCD but leave the control keys locked:

ns-> set lcd display

To turn on the LCD and unlock the control keys:

ns-> unset lcd key

�� "!

See the get lcd command.

display Turns the LCD off or on and locks the control keys.

key Locks and unlocks the control keys, but does not affect the LCD display

��!//%��"

�+��

��%� destinations.

ring> } } }

string> } } }

rates the log message.

ges. Starting with the most urgent,

��

Description: Use the set log command to generate log messages and specify their

�0��%1set log { module <name_str> { level <string> { destination <st

unset log { module <name_str> { level <string> { destination <

��)�/��"

module <name_str> Specifies the name of the ScreenOS module that gene

level <string> The minimum urgency level of the generated log messathese levels are as follows.

• emergency

• alert

• critical

• error

• warning

• notification

• information

• debugging

��!//%��"

��

essages that are critical or

rmissable destinations are as

��

51%/4 �"

To generate log messages generated from module system, and to generate only mgreater:

ns-> set log module system level alert destination email

�� "!

See the unset log command.

destination <string> The destination of the generated log messages. The pefollows.

• console

• internal

• email

• snmp

• syslog

• webtrends

• onesecure

• pcmcia

��!//%��"

��

��& ,(MAC) address for a NetScreen

1 interface:

mmands.

��

Description: Use the set mac command to configure a static Media Access Control interface.

�0��%1set mac <mac_addr> <interface>

unset mac <mac_addr>

��)�/��"

.� %� �"

None.

51%/4 �"

To set the MAC address on an NetScreen device to 111144446666 for the ethernet

ns-> set mac 111144446666 ethernet1

�� "!

See the get mac-learn, clear mac-learn, get mac-count, and clear mac-count co

<mac_addr> Specifies the MAC address.

<interface> Specifies the name of the interface, as with ethernet1.

��!//%��"

��

��&'IP) configurations.

.16.10.92 to the valid external

16.10.92 to a specific host with

55.255

tarting from 192.168.15.1 to an 55.248:

ped traffic.

��

Definition: Use the set mip command to define and modify Mapped IP address (M

�0��%1set mip <ip_addr1> host <ip_addr2> [ netmask <mask> ]

unset mip <ip_addr> [ netmask <mask> ]

��)�/��"

.� %� �"

The default subnet mask is 255.255.255.255.

51%/4 �"

To define a one-to-one Mapped IP configuration for a server with the IP address 172IP address 192.168.192.1:

ns-> set mip 172.16.10.92 host 192.168.192.1

To define a one-to-one Mapped IP configuration for a machine with IP address 172.an IP address 192.168.175.1:

ns-> set mip 172.16.10.92 host 192.168.175.1 netmask 255.255.2

To define a subnet-to-subnet Mapped IP configuration for a subnet with IP address sactual subnet with IP addresses starting from 10.1.1.1 using a netmask of 255.255.2

<ip_addr1> The MIP address.

host The IP address <ip_addr2> of the host (or subnet) to receive the map

netmask Defines the subnet mask of the mapped IP address.

��!//%��"

�3��

8

t-to-subnet Mapped IP nd the actual IP subnet.

its associated interface IP n its associated interface IP

check Virtual IPs (VIPs) as

��

ns-> set mip 192.168.15.1 host 10.1.1.1 netmask 255.255.255.24

�!��"

Use the unset mip command to delete a Mapped IP configuration.

Mapping is allowed for a one-to-one or subnet-to-subnet relationship. When a subneconfiguration is defined, the subnet mask is applied to both the Mapped IP subnet a

�� "!

See the set interface and get mip commands.

Note: For the Trust and Tunnel interfaces, the MIP must be on the same subnet as address. For the Untrust interface, the MIP may be located on a different subnet thaaddress.

When creating a new MIP, check for overlapping with other MIPs or DIPs. Be sure towell.

��!//%��"

��

��

��

Description: Use the set natt command to set the NAT-T keepalive frequency.

�0��%1set natt frequency <number>

unset natt frequency

��)�/��"

51%/4 �"

To set the NAT-T keepalive frequency to one hour:

ns-> set natt frequency 6

�� "!

See the unset natt command.

<number> The keepalive frequency expressed in 10-second intervals.

��!//%��"

�:��

��'le Network Time Protocol

updates its clock time by e synchronization interval is from

evice synchronizes time. Replace

umber1> between -12 and 12 h Mean Time). <number2>

��

Description: Use the set ntp command to configure the NetScreen device for Simp(SNTP).

To enable the SNTP feature, use the set clock command.

�0��%1set ntp

{interval <number> |server <ip_addr> |zone <number1> <number2>}

unset ntp { server | interval | zone }

��)�/��"

.� %� �"

This is a list of system defaults:

• The NTP service is off by default.

interval <number> Defines in minutes how often the NetScreen devicesynchronizing with the NTP server. The range for th1 to 300 minutes.

server <ip_addr> Defines the NTP server with which the NetScreen d<ip_addr> with the IP address of the NTP server.

zone <number1> <number2> Defines the Time Zone, expressed as an integer <ninclusive. A value of zero denotes GMT (Greenwicexpresses minutes.

��!//%��"

�8��

s.

).

clock time:

nd is therefore a subset of NTP. TP is adequate for devices that

��

• The IP address for the NTP server is set to 0.0.0.0.

• The frequency (time interval) for synchronizing clock time is every 10 minute

• The Time Zone is set to 0, which translates to GMT (Greenwich Mean Time

51%/4 �"

To enable NTP:

ns-> set clock ntp

To define the NTP server with IP address of 172.10.10.6 with which to synchronize

ns-> set ntp server 172.10.10.6

To configure the NetScreen device to synchronize its clock time every 20 minutes:

ns-> set ntp interval 20

To disable the NTP feature:

ns-> unset clock ntp

To disable the NTP server and set its default IP address back to 0.0.0.0:

ns-> unset ntp server

To set the default synchronization interval back to 10 minutes:

ns-> unset ntp interval

�� "!

See the set clock, get ntp and exec ntp commands.

�!��"

NetScreen’s implementation is based upon Simple Network Time Protocol (SNTP) aIt is used to synchronize computer clocks in the Internet. In its simplified version, SNdo not require a high level of synchronization and accuracy.

��!//%��"

��

��'-IP and e-mail addresses, to cryption.

��

Definition: Use the set pki command to designate the certificate authority server’s retrieve local certificate requests, and to create new RSA key pairs for public key en

�0��%1set pki

{convert-cert |authority { <id_num> | default }

{cert-status

{crl

{refresh

{daily |default |monthly |weekly} |

url <url_str>}

ocsp{refresh <number> |url <url_str>

[id-type

{certhash |certid |issuer-serial |name |pkcert

��!//%��"

+��
��
}[ l-sign-request ] [ no-nonce ]

[ no-response-type ][ not-verify-resp-cert ]

]} |

revocation-check{noneall |crl |ocsp}

} |scep

{authentication { failed | passed } |ca-cgi <string> |ca-id <name_str> |challenge <pswd_str> |current |mode { auto | manual } |polling-int <number> |ra-cgi <string> |renew-start <number>}

} |ldap

{server-name { <name_str> | <ip_addr> } |crl-url <url_str>} |

x509{default

{cert-path { full | partial } |crl-refresh

{

��!//%��"

+�+��
��
daily |default |monthly |weekly} |

send-to <string>} |

dn{country-name <name_str> |email <string> |ip <ip_addr> |local-name <name_str> |name <name_str> |org-name <name_str> |org-unit-name <name_str> |phone <string> |state-name <name_str>} |

raw-cn { enable }}

}

unset pki{authority <id_num>

{cert-status

{crl

{refresh

{daily |default |monthly |weekly |}

��!//%��"

+��
��
url <name_str>}

ocsp{refresh <number> |url <url_str>

[id-type

{certhash |certid |issuer-serial |name |pkcert}

[ l-sign-request ] [ no-nonce ][ no-response-type ]

[ not-verify-resp-cert ]]

}revocation-check

{all |crl |ocsp}

} |scep

{authentication |ca-cgi |ca-id |challenge |current |mode |polling-int |ra-cgi |renew-start}

��!//%��"

+��

n services.

he revocation-check option y are currently revoked.

ertificate’s revokation status.n device to use both the CRL and

ice checks for revocation.

Certificate Revocation List.

the certificate’s revokation status.

ice uses OCSP to check for

OCSP responder.

��

} |ldap

{crl-url |server-name} |

x509{default |dn |raw-cn}

}

��)�/��"

convert-cert Converts old VSYS certificate to new style.

authority <id_num> Defines how the NetScreen device uses the CA’s authorizatio

cert-status Defines how the NetScreen device verifies certificate status. Tdirects the NetScreen device to check certificates to see if the

crl Uses the Certificate Revocation List (CRL) to determine the cThe both option of the revocation-check directs the NetScreethe OCSP.

The refresh setting determines how often the NetScreen dev

The url <url_str> setting specifies the URL for accessing the

ocsp Uses Online Certificate Status Protocol (OSCP) to determine

The refresh setting determines how often the NetScreen devrevocation.

The url <url_str> setting specifies the URL for accessing the

��!//%��"

+��

rtificate. The certhash type specifies the certificate sh of the issuer distinguished cate’s serial number. The mber. The name type specifies the entire certificate.

request for revocation verification.

ce value with the request.

ifying an acceptable response

ifying the responder’s certificate.

rs.

failed or passed.

rver.

erver.

rd.

SCEP setting as default.

de for CA’s SCEP server.

nterval (in minutes).

P server.

fore starting the renewal process.

n name or IP address of the for the certificate authority (CA)

cate revocation list (CRL) to be

��

id-type The id-type is the type of certificate ID used to identify the cespecifies the hashing value for the certificate. The certid typeidentification value, which includes the hash algorithm, the haname (DN), the hash of the issuer’s public key, and the certifiissuer-serial type specifies the CA issuer name and serial nuthe general name of the certificate. The pkcert type specifies

l-sign-request Specifies that the NetScreen device signs the

no-nonce Prevents the NetScreen device from sending a non

no-response-type Prevents the NetScreen device from spectype.

not-verify-resp-cert Prevents the NetScreen device from ver

scep Sets Simple Certificate Enrollment Protocol (SCEP) paramete

- authentication sets the result of the CA authentication,

- ca-cgi <url-str> specifies the path to the CA’s SCEP se

- ca-id <string> specifies the identity of the CA’s SCEP s

- challenge <pswd_str> specifies the Challenge passwo

- current directs the NetScreen device to use the current

- mode { auto | manual } specifies the authentication mo

- polling-int <number> Determines the retrieval polling i

- ra-cgi <url_str> specifies the CGI path to the RA’s SCE

- renew-start <number> specifies the number of days be

ldap Specifies settings for the LDAP server.

server-name { <name_str> | <ip_addr> } Defines the domaidefault Lightweight Directory Access Protocol (LDAP) server that validates the X.509 certificate.

crl-url <url-str> Sets the default LDAP URL for the CA certifiused for X.509 CRL retrieval purposes.

��!//%��"

+�3��

.509 certificate settings.

he full | partial option determines r only a part of the path.

. The default option uses the

re the PKCS10 certificate request

r whom the certificate is being

09 certificate subject name of the

een device administrator as the

its X.509 certificate subject name.

09 certificate subject name of the

X.509 certificate subject name. th the same RSA key, but issued

certificate subject name of the

he X.509 certificate subject name

reen device administrator as the

icate subject name of the

��

x509 Specifies settings for the x509 certificate.

default Specifies a type of digital certificate with the default X

The cert-path option configures the path to the X.509 CRL. Tif the NetScreen device uses the full path to the X.509 CRL o

crl-refresh Sets the refreshment frequency of the X.509 CRLvalidation date decided by each CRL.

send-to <string> Assigns the destination e-mail address whefile is sent.

dn Specifies a distinguished name to uniquely identify the user forequested.

country-name <name_str> Sets the country name as the X.5NetScreen device.

email <string> Sets the contact e-mail address of the NetScrX.509 certificate subject name of the NetScreen device.

ip <ip_addr> Sets the IP address of the NetScreen device as

local-name <string> Sets the name of the locality as the X.5NetScreen device.

name <string> Sets the name of the NetScreen device as itsThis name uniquely identifies NetScreen X.509 certificates wiby different Certificate Authorities.

org-name <string> Sets the organization name as the X.509NetScreen device.

org-unit-name <string> Sets the organization unit name as tof the NetScreen device.

phone <string> Sets the contact phone number of the NetScX.509 certificate subject name of the NetScreen device.

state-name <string> Sets the state name as the X.509 certifNetScreen device.

��!//%��"

+��

CS10 certificate request:

Technologies in Santa Clara,

cate from a certificate authority.

i x509 dn name <name_str>, N.

��

.� %� �"

The RSA key length is set to 1024 bits.

51%/4 �"

To identify 162.128.20.12 as the CA server’s IP address:

ns-> set pki ldap server-name 162.128.20.12

To specify the destination e-mail address where the NetScreen device sends the PK

ns-> set pki x509 default send-to [email protected]

To refresh the certificate revocation list on a daily basis:

ns-> set pki x509 default crl-refresh daily

To define a distinguished name for Ed Jones, who works in marketing at NetScreenCalifornia:

ns-> set pki x509 dn country-name “US”ns-> set pki x509 dn state-name CAns-> set pki x509 dn local-name “santa clara”ns-> set pki x509 dn org-name “netscreen technologies”ns-> set pki x509 dn org-unit-name marketingns-> set pki x509 dn name “ed jones”

You use the set pki, get pki, and exec pki commands to request an x509 CA certifiThe following commands provide a typical example:

raw-cn { enable } Enables the raw common name (CN).You specify the certificate’s raw-cn with the command set pkwhere <name_str> is a string of characters comprising the C

��!//%��"

+�:��

isign.com

isign.com

A does not exist, use the value

y, a prompt appears presenting

t CA certificate.

ministrator to approve the local

cord the index number

rver to pass a user request to ypertext Transfer Protocol

��

1. Specify a certificate authority CA CGI path.

set pki auth -1 scep ca-cgi “http://pilotonsiteipsec.ver/cgi-bin/pkiclient.exe”

2. Specify a registration authority RA CGI path

set pki auth -1 scep ra-cgi “http://pilotonsiteipsec.ver/cgi-bin/pkiclient.exe”

Note: You must specify an RA CGI path even if the RA does not exist. If the Rspecified for the CA CGI.

3. Generate an RSA key pair, specifying a key length of 1024 bits.

exec pki rsa new 1024

4. Initiate the SCEP operation to request a local certificate.

exec pki x509 scep -1

5. If this is the first attempt to apply for a certificate from this certificate authorita fingerprint value for the CA certificate. (Otherwise, go on to Step 6.)

You need to contact the certificate authority to confirm that this is the correc

Execute the following command to get the device’s authentication mode.

get pki auth default scep

If the authentication mode is auto, go on to Step 6. Otherwise, execute:

set pki auth default scep auth passed

6. When the confirmation prompt appears, contact your certificate authority adcertificate request.

7. (Optional) Display a list of pending certificates. This allows you to see and reidentifying the certificate.

Note: The Common Gateway Interface (CGI) is a standard way for a web sean application program, and to receive data back. CGI is part of the web’s H(HTTP).

��!//%��"

+�8��

btained in Step 7) to identify the

e certificate automatically from period depends upon how you

��

get pki x509 list pending-cert

8. (Optional) Obtain the local certificate from the CA (using the index number ocertificate.

exec pki x509 scep 1

If you do not execute Steps 7 and 8, the NetScreen device will still retrieve ththe CA. However, there will be a time delay of at least 15 minutes. This delayconfigured the device. The configuration command for this feature is:

set pki auth -1 scep polling-int <number>

where <number> is time in minutes. The minimum is 15.

�� "!

See the get pki and exec pki commands.

��!//%��"

+��

��'%�,2ork and VPN traffic.

name_str> }]

}

]e | enable }

��

Description: Use the set policy command to define access policies to control netw

�0��%1set policy

{id <id_num> [ disable ] |[ id <id_num> ] [ before <pol_num> ]

[ name <name_str> ]{ from <zone1> to <zone2> <addr_str1> <addr_str2> <

[ nat [ dip-id <id_num> [ fix-port ] ] }

{tunnel

{l2tp <name_str> |vpn-dialup <name_str> |vpn <name_str> | vpn-tunnel <name_str>

[ id <id_num> ] [ l2tp <name_str> ]} [ auth ] |

deny | permit [ auth ]}

[ schedule <name_str> ][ log [ alert ]

[ count[ alarm <number> <number> ]

]]

[ traffic { gbw <number>{ priority <number> }

{ mbw [ <number> dscp { disabl

}] |

move <number>

��!//%��"

++��

s control list (ACL) before another

.

n USGA Features.

cies.

This number can be between 4

��

{before <id_num> |after <id_num>} |

default-permit-all |}

unset policy{[ id ] <id_number> [ disable ] |default-permit-all}

��)�/��"

id <id_num> Specifies an access policy ID number.

disable Disables the policy.

before <pol_num> Specifies the position of the access policy in the accespolicy.

name <name_str> Names the access policy.

from <zone1> to <zone2> <addr_str1> <addr_str2> <name_str>

Specifies two zones between which the policies apply<zone1> is the name of the source security zone.<zone2> is the name of the destination security zone.<addr_str1> is the name of the source address.<addr_str2> is the destination address.<name_str> is the name of the service.For more information on zones, see Security Zones i

nat Enables or disables Network Address Translation poli

dip-id <id_num> Specifies the ID number of the Dynamic IP (DIP) pool.and 255.

��!//%��"

+++��

eader; that is, Port Address

ecapsulates and decrypts

y vpn-dialup and the name of the

f the VPN tunnel. For the VPN tunnel) and l2tp (and the

ource address across the firewall

rd to authenticate his or her

pecified schedule.

policy applies. alert enables the

h the access policy is applied.

. You must enter the number of per minute (<number>) required

er second. The NetScreen device rity, without performing traffic

affic falls between the guaranteed ice passes traffic with higher is no higher priority traffic.

��

fix-port Keeps the original source port number in the packet hTranslation (PAT) is not applied.

tunnel Encapsulates and encrypts outgoing IP packets, and dincoming IP packets.

l2tp <id_num> Specifies a Layer 2 Tunneling Protocol (L2TP) tunnel.

vpn-dialup <name_str> For an incoming dialup VPN tunnel connection, specifdialup user or dialup group.

vpn [ l2tp <name_str> ] For an IPSec VPN tunnel, specify vpn and the name oIPSec-over-L2TP, specify both vpn (and the name of name of the L2TP tunnel).

vpn-tunnel Specifies an active tunnel.

permit | deny permit allows the specified service to pass from the sto the destination address.deny blocks the service at the firewall.

auth Requires the user to provide a login name and passwoidentity before access to cross the firewall is granted.

schedule <name_str> Applies the access policy only at times defined in the s

log [ alert ] Maintains a log of all connections to which the accessSyslog alert feature.

count Maintains a count in bytes of all network traffic to whic

alarm <number> <number>

Enables the alarm feature so that you can view alarmsbytes per second (<number>) and the number of bytesto trigger an alarm.

traffic gbw <number> Defines the guaranteed bandwidth (GBW) in kilobits ppasses traffic below this threshold with the highest prioshaping.

priority <number> Specifies one of the eight traffic priority levels. When trand maximum bandwidth settings, the NetScreen devpriority first. Lower priority traffic is passed only if there

��!//%��"

++��

tunnel name is “home2office” ffice”:

tunnel vpn home2office

rk using NAT and the DIP pool

dip-id 7 permit

7 fix

te telephony endpoint host with e public side.

second. Traffic beyond this limit is

ity levels to the Differentiated

re or after another policy with

(ACL) for a matching policy.

uration.

��

51%/4 �"

To define an incoming access policy for an IPSec-over-L2TP tunnel (where the VPNand the L2TP tunnel name is “home-office”) for a dialup VPN group named “home_o

ns-> set policy from untrust to trust dialup_vpn our_side any l2tp home_office

To create an outgoing access policy from the Sales department on the trusted netwowith ID #7:

ns-> set policy from trust to untrust sales out_there any nat

To define the DIP with a fixed port on the trusted interface:

ns-> set policy outgoing 10.1.1.9 10.150.42.41 any nat dip-id

The following example configures a NetScreen device to allow traffic between a privaan H.323 gatekeeper through a NetScreen device to telephony endpoint hosts on th

�� %��"�?��0�=!��"

1. set interface ethernet1 zone trust

2. set interface ethernet1 ip 10.10.1.1/24

3. set interface ethernet1 nat

4. set interface ethernet3 zone untrust

mbw <number> Defines the maximum bandwidth (mbw) in kilobits per throttled and dropped.

dscp { enable | disable } Enables or disables a mapping of the NetScreen priorServices Codepoint (DSCP) marking system.

move <id_num> { before | after } <id_num>

Repositions an access policy with one ID number befoanother ID number in the access control list (ACL).

default-permit-all Allows access without checking the access control list

disable Disables the policy without removing it from the config

��!//%��"

++��

0

t traffic-shaping commands.

��

5. set interface ethernet3 ip 210.10.1.1/24

��""�"

6. set address trust IP_Phone1 10.10.1.2/32

7. set address trust gatekeeper 10.10.1.10/32

8. set address untrust IP_Phone2 200.20.1.2/32

&%44��""�"

9. set interface ethernet3 mip 210.10.1.2 host 10.10.1.2

10. set interface ethernet3 mip 210.10.1.10 host 10.10.1.10

�!��"

11. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr

12. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 201.22.3.2

�! ��"

13. set policy from trust to untrust IP_Phone1 IP_Phone2 h.323 permit

14. set policy from trust to untrust gatekeeper IP_Phone2 h.323 permit

15. set policy from untrust to trust IP_Phone2 mip(210.10.1.2) h.323 permit

16. set policy from untrust to trust IP_Phone2 mip (210.10.1.10) h.323 permit

17. save

�� "!

See the get policy, set address, set vpn, set l2tp, set user, set schedule, and se

��!//%��"

++��

��'''%�

ified AC.

��

Description: Use the set pppoe command to configure PPPoE.

�0��%1set pppoe

{ac <name_str> |authentication { CHAP | PAP | any } |auto-connect <number> |idle-interval <number> |interface [ <name_str> ] |ppp

{lcp-echo-retries <number> |lcp-echo-timeout <number>} |

service <name_str> |static-ip |username <name_str> { password <string> } |}

unset pppoe{ac |authentication { CHAP | PAP } |idle-interval |interface [ <name_str> ] |service|static-ip |username |}

��)�/��"

ac <name_str> Allows the interface to connect only to the spec

��!//%��"

++3��

default idle timeout is 30

, or both. The default of o set authentication to CHAP only, .

efore automatic re-initiation of a ge is 0-10000. (0 to disable.)

minutes) before the NetScreen ecifying 0 turns off the idle timeout

n.

p Echo requests before connection

een transmission of two Lcp Echo

ified service.

resses assigned by the AC.

��

.� %� �"

The command is disabled by default. The default authentication method is any. The minutes.

51%/4 �"

To set the username to “Phred”, and Phred’s password to “!@%)&&”:

ns-> set pppoe username Phred password !@%)&&

authentication { CHAP | PAP | any } Sets the authentication methods to CHAP, PAPauthentication is any (both CHAP and PAP). Tfirst execute unset pppoe authenticaton PAP

auto-connect <number> Specifies the number of seconds that elapse bpreviously-closed connection occurs. Valid ran

idle-interval <number> Sets the idle timeout, which is time elapsed (indevice terminates a tunnel due to inactivity. Spand the device never terminates the tunnel.

interface <name_str> Specifies the interface for PPPoE encapsulatio

ppp Specifies

• lcp-echo-retries the number of unacked Lcis terminated. Valid range is 1-30.

• lcp-echo-timeout the time that elapses betwrequests. Valid range is 1-1000 seconds.

service <name_str> Allows the interface to connect only to the spec

static-ip Specifies that your connection uses the IP add

username <name_str> Sets the user name and password.

��!//%��"

++��
��
�� "!

See get pppoe, clear pppoe, and exec pppoe commands.

��!//%��"

++:��

��,+��(��edules are used to enforce

d minute defined, and stopping on

��

Description: Use the set scheduler command to create or modify a schedule. Schaccess policies at certain times.

�0��%1set scheduler <name_str>

[once

{ start <date> <time> stop <date> <time> }[ comment <string> ] |

recurrent{monday |tuesday |wednesday |thursday |friday |saturday |sunday}

{ start <time> stop <time> }[ start <time> stop <time> ]

[ comment <string> ]]

unset scheduler <name_str>

��)�/��"

<name_str> Defines a name for the schedule.

once Apply the schedule once, starting on the day, month, year, hour, anthe month, day, year, hour, and minute defined.

start Defines when to start the schedule.

��!//%��"

++8��

AM and ends on 2/12/1999 at

/1999 19:00

at 5:00 PM and repeats every

17:00:00

he defined day of the week, hour,

��

.� %� �"

None.

51%/4 �"

To create a schedule definition named “mytime” which starts on 1/10/1999 at 11:00 7:00 PM:

ns-> set scheduler mytime once start 1/10/1999 11:00 stop 2/12

To create a schedule definition named “weekend” which starts at 8:00 AM and endsSaturday and Sunday:

ns-> set scheduler weekend recurrent saturday start 8:00 stop ns-> set scheduler weekend recurrent sunday start 8:00 stop 17

stop Defines when to stop the schedule.

<date> Defines the day, month, and year in USA format (mm/dd/yyyy).

<time> Defines the hour and minutes in the 24-hour clock format (hh:mm).

recurrent Directs the NetScreen device to repeat the schedule according to tand minutes.

monday Repeat every Monday.

tuesday Repeat every Tuesday.

wednesday Repeat every Wednesday.

thursday Repeat every Thursday.

friday Repeat every Friday.

saturday Repeat every Saturday.

sunday Repeat every Sunday.

��!//%��"

++��
��
�� "!

See the get scheduler command.

��!//%��"

+��

��,�o display information or

��

Description: Use the set scs command to enable a secure command shell (SCS) tconfigure a NetScreen device from a remote system.

�0��%1set scs

{enable |key-gen-time <number> |pka-rsa

{tftp

{file name |username <name_str> file-name <filename>}

{ ip-addr <ip_addr> }[ username <name_str> ] key <number> <number> <number>} |

}unset scs

{enable |hash <name_str> <name_str> |key-gen-time |pka-rsa

{all |username <name_str>

{all |index <id_num>} |

}}

��!//%��"

+�+��

ey to the current user. The ent, and the modulus,

ion.r to bind the PKA key. file-name d to the user.

t/VSYS. Admin users and

bound to the specified user, but ser. Read-only users cannot execute

d by <id_num>. This option (identified by user <name_str>).

��

��)�/��"

.� %� �"

This feature is disabled by default.

The default key generation time is 60 minutes.

51%/4 �"

To enable Secure Command Shell (SCS) on a NetScreen device:

ns-> set scs enable

enable Enables the Secure Command Shell (SCS) shell.

key-gen-time <number> Specifies the SCS key regenerating time (in minutes).

pka-rsa Public Key Authenticaion (PKA) using RSA.

tftp Loads and binds the PKA key using TFTP.key <number> <number> <number> Binds a PKA k<number> values represent the key length, the exponrespectively. Read-only users cannot execute this optusername <name_str> Specifies the name of the use<filename> Specifies the file containing the key to bin

unset scs pka-rsa Unsets Public Key Authenticaion (PKA) using RSA.

all Deletes all keys bound to all users in the active rooread-only users cannot execute this option.

username <name_str> Unbinds and deletes all keys only if <name_str> is the name of the current admin uthis option.

The index option unbinds and deletes the key identifieallows the root admin user to unbind a key for any userRead-only users cannot execute this option.

��!//%��"

+��

956054093391935033213724077837089019119296718115

��

To set the key regeneration time to 15 minutes:

ns-> set scs key-gen-time 15

To bind a hypothetical key to a user named “chris”:

ns-> set scs pka-rsa username chris key 512 65537687527248844895807161558279681375742271564397062612879336559999265828980111611537652715311887359071551679

�� "!

See the get scs and exec scs commands.

��!//%��"

+��

��/,�cess Policies.

��

Description: Use the set service command to create custom services for use in Ac

�0��%1set service <name_str>

[+

{ <number> | tcp | udp{ src <number>-<number>

{ dst <number>-<number> }}

}protocol { <number> | tcp | udp }

[ src-port <number>-<number> ][ dst-port <number>-<number> ]

[ timeout { <number> | never } ][ group

[email |info |remote |security |other]

] |group

{email |info |remote |security |other}

{ <number> | tcp | udp{ src <number>-<number>

��!//%��"

+��

ices list.

wing groups, or categories:

receiving e-mail; for example,

etrieving information; for example,

cess; for example, FTP or R

elated traffic such as encryption, ample, HTTPS and PPTP.

han that covered by the other four rk management.

service.

lid for the service. For example,

��

{ dst <number>-<number> }}

}timeout { <number> | never }clear]

unset service <name_str>

��)�/��"

<string> Defines a name for the service.

+ Appends a service entry to the custom serv

group { email | info | other | remote | security }

Assigns the service entry to one of the follo

- email: Services used for sending andIMAP and POP 3.

- info: Services used for seeking and rHTTP and DNS.

- remote: Services used for remote acLOGIN.

- security: Services used for security-rdecryption, and authentication; for ex

- other: Services used for traffic other tgroups; for example, SNMP for netwo

protocol Defines the service by IP protocol.

<ptcl_num> Defines a protocol number for the specified

tcp Defines a TCP-based service.

udp Defines a UDP-based service.

src <number> <number> Defines a range of source port numbers va100 to 250.

��!//%��"

+�3��

1001-1001

d that uses tcp with a port

10115

s that receive the service request.

rvice in minutes or as “never.”

tom services list.

��

.� %� �"The default timeout for TCP connections is 30 minutes.

The default timeout for UDP connections is 1 minute.

51%/4 �"

To clear all service entries named “test”:

ns-> set service test clear

To set a service named “ipsec” that uses protocol 50:

ns-> set service ipsec protocol 50

To set a service named “test1” that uses destination tcp port 1001:

ns-> set service test1 protocol tcp src-port 0-65535 dst-port

To set a service named “test2” that is categorized as a service for remote access annumber 10115:

ns-> set service test2 group remote tcp src 0-65535 dst 10115-

ns-> set service test2 + udp src 0-65535 dst 10115-10115

To set a service named “telnet” with a timeout value of 10 minutes:

ns-> set service telnet timeout 10

To unset a service named “test”:

dst <number> <number> Defines a range of destination port numberFor example. 300 to 400.

clear Clears all service entries.

timeout {<number> | never} Defines the session timeout value for the se

unset service <name_str> Removes the specified service from the cus

��!//%��"

+��
��
ns-> unset service test

�� "!

See the get service command.

�!��"

The maximum timeout value for TCP connections is 40 minutes.

The maximum timeout value for UDP connections is 40 minutes.

��!//%��"

+�:��

��&'mple Network Management eive notification when events of

��

Description: Use the set snmp command to configure the NetScreen device for SiProtocol (SNMP) to gather statistical information from the NetScreen device and recinterest occur.

�0��%1set snmp

{auth-trap { enable } |community <name_str>

{ read-only | read-write }[trap-off |trap-on [ traffic ]] |

contact <name_str> |host <name_str> <ip_addr> |location <string> |name <name_str> |port

{listen [ <port_num> ] |trap [ <port_num> ]} |

vpn}

unset snmp{auth-trap { enable } |community <name_str> |contact |host <name_str> <ip_addr> |location |name |

��!//%��"

+�8��

ormation Base II (MIB II) data,

ntication traps.

um 3 communities in all products.

��

port{listen [ <port_num> ] |trap [ <port_num> ]} |

vpn}

��)�/��"

51%/4 �"

To configure a community named “public” that allows hosts to read Management Infas defined in RFC-1213, and to receive traps:

auth-trap enable Enables Simple Network Management Protocol (SNMP) authe

community Defines the name for the SNMP community. It supports maxim

read-only Defines the permission for the community as “read-only.”

read-write Defines the permission for the community as “read-write.”

trap-on Enables SNMP traps for the community.

traffic Includes traffic alarms as SNMP traps.

trap-off Disables SNMP traps for the community.

contact Defines the system contact.

host Defines the IP address of the SNMP host.

host ip Sets the host’s IP address.

location Defines the physical location of the system.

name Defines the name of the system.

port { listen | trap } Specifies the SNMP listen and trap port.

vpn SNMP VPN encryption

��!//%��"

+��

public”:

etscreen” with read and write

s HP OpenView™) is required. nternet.

��

ns-> set snmp community public read-only trap-on

To configure an SNMP host with IP address 10.20.25.30 for the community named “

ns-> set snmp host public 10.20.25.30

To configure an SNMP host with IP address 10.40.40.15 for a community named “npermission, and allow traps to be sent to all hosts in this community:

ns-> set snmp community netscreen read-write trap-onns-> set snmp host netscreen 10.40.40.15

�� "!

See the get snmp command.

�!��"

To browse the MIB II data and receive traps, an SNMP manager applications (such aMany shareware and freeware SNMP manager applications are available from the I

Note: The community must exist before a host may be added to it.

��!//%��"

+��

��ction.

��

Description: Use the set ssl command to configure a Secure Sockets Layer conne

�0��%1set ssl

{cert <number> |enable |encrypt

{3des { sha-1 } |des { sha-1} |rc4 { md5 } |rc4-40 { md5 }}

port <port_num>}

unset ssl { cert | enable | encrypt | port }

��)�/��"

cert <number> Specifies that the named certificate is required.

enable Turns on SSL.

encrypt Enables encryption over the SSL connection.

3des Set the 3DES security level.

des Sets the DES security level.

rc4 md5 Sets the RC4 MD3 security level.

rc4-40 md5 Sets the RC4-40 MD3 security level.

port Specifies the SSL port number.

��!//%��"

+�+��
��
.� %� �"

The default SSL port is 443.

51%/4 �"

To change the SSL port to 11533:

ns-> set ssl port 11533

To specify triple-DES encryption with SHA-1 authentication hashing:

ns-> set ssl encrypt 3des sha-1

�� "!

See the get ssl command.

��!//%��"

+��

��2��%�nd traffic and event messages

��

Description: Use the set syslog command to configure the NetScreen device to seto the Syslog host.

�0��%1set syslog

{VPN |config { <name_str> | <ip_addr> }

{AUTH/SEC |local0 |local1 |local2 |local3 |local4 |local5 |local6 |local7}

{AUTH/SEC |local0 |local1 |local2 |local3 |local4 |local5 |local6 |local7}

enable |port <port_num> |traffic}

��!//%��"

+��

gh a VPN tunnel to the Syslog

ough the Untrusted interface. log traffic through the Trusted is traffic. If the policy specifies e policy’s VPN configuration

evice to the default behavior.

evice.

vel. The security facility classifies ted actions such as attacks. The unrelated to security, such as

Syslog host.

Syslog host.

s the User Datagram Protocol

��

unset syslog{<string> |VPN |config |enable |hostname |port |traffic}

��)�/��"

VPN Allows the NetScreen device to send Syslog traffic throuserver.By default, the NetScreen device sends syslog traffic thrExecuting the VPN option directs the device to send sysinterface. The device uses a security policy to secure thencryption, the device encrypts the traffic according to thbefore transmission.Executing the unset syslog VPN command resets the d

config Defines the configuration settings for the Syslog utility.

<name_str> | <ip_addr> Defines the name or the IP address of the Syslog host d

AUTH/SEC | local0…7 Defines the security facility level and the regular facility leand sends messages to the Syslog host for security-relaregular facility classifies and sends messages for eventsuser logins and logouts, and system status reports.

enable Enables the NetScreen device to send messages to the

traffic Enables the NetScreen device to send traffic logs to the

port Defines the port number on the Syslog host that receive(UDP) packets from the NetScreen device.

��!//%��"

+��

efault WebTrends port number

��

.� %� �"

This feature is disabled by default. The default Syslog port number is 514, and the dis 514.

51%/4 �"

To set the Syslog host configuration with the ability to report all logs:

ns-> set syslog config 172.16.20.249 AUTH/SEC local0 debug

To turn on the Syslog feature:

ns-> set syslog enable

To change the Syslog port number to 911:

ns-> set syslog port 911

�� "!

See the get syslog command.

Note: The Syslog host must be enabled before you can enable Syslog.

��!//%��"

+�3��

� �(��*�+��+%��evere temperature thresholds

larm, which increases the vent log.

��

��&'�Description: Use the set temperature-threshold command to set the normal and sfor triggering temperature alarms.

�0��%1set temperature-threshold

{alarm { celsius <number> | fahrenheit <number> } |severe { celsius <number> | fahrenheit <number> }}

unset temperature-threshold{alarm { celsius <number> | fahrenheit <number> } |severe { celsius <number> | fahrenheit <number> }}

��)�/��"

51%/4 �"

To set the normal temperature alarm threshold at 150° Fahrenheit:

ns-> set temperature-threshold alarm fahrenheit 150

To set the severe temperature alarm threshold at 70° Celsius:

ns-> set temperature-threshold severe celsius 70

severe { celsius <number> | fahrenheit <number> }

Defines the temperature required to trigger a severe afrequency of audible alarms and entries to the alarm e

��!//%��"

+��
��
�� "!

See the get temperature command.

��!//%��"

+�:��

��&��matically execute a

expired.

action. Date is in <mm/dd/yyyy>

ction. Time is in <hh:mm> format.

me.

gs generated by the set timer

��

Description: Use the set timer command to configure the NetScreen device to automanagement or diagnosis functionality at a specified time.

All timer settings remain in the configuration script even after the specified time has

�0��%1set timer <date_str> <time_str> action reset

unset timer <id_num>

��)�/��"

.� %� �"

None.

51%/4 �"

To configure NetScreen to reset at a given time and date:

ns-> set timer 1/31/2000 19:00 action reset

<date_str> Specifies the date when the NetScreen device executes the defined format.

<time_str> Specifies the time when the NetScreen device executes the defined a

action Defines the event that the command triggers at the given date and ti

reset Resets the timer.

<number> Identifies the specific action by its ID number in the list of timer settincommand.

��!//%��"

+�8��
��
�� "!

See the get timer command.

��!//%��"

+��

�� ..,*�+ '�� system with the traffic-shaping

S) mapping. Each setting should

aping function. If you select auto, there is at least one policy in the ically sets the mode to on. If there

��

��Description: Use the set traffic-shaping command to determine the settings for thefunction.

�0��%1set traffic-shaping

{ip_precedence <number> <number> <number>

<number> <number> <number> <number> <number> |mode { auto | off | on }}

unset traffic-shaping mode { ip_precedence | mode }

��)�/��"

.� %� �"

By default, the traffic shaping function is set up to automatic mode.

51%/4 �"

To turn on the traffic shaping function:

ns-> set traffic-shaping mode on

ip_precedence Specifies the Priorities 0 through 7 for IP precedence (TObe a single-digit value.

mode { auto | off | on } Defines the mode settings for the system with the traffic-shthe system automatically determines the mode settings. Ifsystem with traffic-shaping turned on, the system automatis no such policy, the auto mode default setting is off.

��!//%��"

+��
��
�� "!

See the get traffic-shaping command.

��!//%��"

+�+��

��(��ided by a Websense server.

��

Description: Use the set url command to enable URL filtering. URL filtering is prov

�0��%1set url

{config

{disable |enable} |

fail-mode{block |permit} |

message <string> |msg-type <number> |no-block <name_str> <name_str> |server { <name_str> | <ip_addr> }

{ <port_num> <number> }}

unset url{config |fail-mode |message |msg-type |server}

��!//%��"

+��

vior is to block all HTTP that user access to a URL is

bsense server.

, this either blocks or permits all

characters in length, to send to L.

e server. A 1 uses the evice.

e_str1>) to another interface

rver with a domain name using port number ber> in seconds. The timeout ice waits for a response from the ermits traffic to the URL.

��

��)�/��"

.� %� �"

The default port number for a Websense server is 15868. The default failmode beharequests. The Websense server is the default source of a message which indicates blocked.

51%/4 �"

To disable blocking from interface ethernet3/1 to interface ethernet4/2:

ns-> set url no-block ethernet3/1 ethernet4/2

To enable the URL blocking feature:

ns-> set url config enable

config { enable | disable } Enables or disables URL filtering by the We

fail-mode { block | permit } If connection to the Websense server is lostHTTP requests.

message <string> Defines a custom message, fewer than 220the client who is blocked from reaching a UR

msg-type <number> A 0 uses the message sent by the Websensuser-defined message from the NetScreen d

no-block <name_str1> <name_str2> Disables blocking from one interface (<nam(<name_str2>).

server <name_str> | <ip_addr> Defines communication with a Websense se(www.abc.com) or IP address <ip_addr>, <port_number> with a timeout value <numvalue specifies how long the NetScreen devWebsense server before it either blocks or p

��!//%��"

+��

6 at port 15868 and a timeout

��

To define the URL blocking message to “This site is blocked”:

ns-> set url message “This site is blocked”

To use the message from the NetScreen device:

ns-> set url msg-type 1

To specify communication with a Websense server with the IP address 172.16.150.value of 10 seconds:

ns-> set url server 172.16.150.6 15868 10

�� "!

See the get url and get url-filter commands.

��!//%��"

+��

��(��ntication database. There are

��

Description: Use the set user command to create entries in the internal user authethe four basic categories of users:

• Dialup users (for using Manual Key VPNs)

• Authentication users (for using network connections)

• IKE users (for using AutoKey IKE VPNs)

• Authentication/IKE users

�0��%1set user <name_str>

{dialup <spi_num> <spi_num>

{ah { md5 | sha-1 }

{ key <key_hex> | password <pswd_str> } |esp

{3des | des | aes128

{ key <key_hex> | password <pswd_str> } |null

[ auth{ md5 | sha-1

{key <key_hex> |password <pswd_str>}

}]

}outgoing-interface <interface>} |

disable |enable |

��!//%��"

+�3��

al and remote security parameter a particular encrypted tunnel from imal value between 1000 and s as the remote SPI number at the

��

ike-id{ip <ip_addr> |fqdn <name_str> |u-fqdn <name_str> |asn1-dn

{[ container <name_str> ]

{ wildcard <name_str> }[ share-limit <number> ] |

password <pswd-str> |remote-settings

{dns1 <ip_addr> |dns2 <ip_addr> |ipaddr <ip_addr> |ippool <name_str> |wins1 <ip_addr> |wins2 <ip_addr>} |

type{ [ auth ] [ ike ] [ l2tp ] }

}

unset user <string> [ type { auth [ ike ] } ]

��)�/��"

user <name_str> Defines the user’s name.

dialup <spi_num> <spi-num> For Manual Key VPN method only. Defines locindex (SPI) numbers that uniquely distinguish any others. This parameter must be a hexidec2fffffff. The local SPI number at one end serveother end and vice-versa.

��!//%��"

+��

ines the use of the Encapsulating

(3DES) algorithm.

AES), 128-bit encryption.

3DES algorithm. This value must

xidecimal key. The NetScreen based upon the password string

DES algorithm.

rotocol.

hoices are MD5 or SHA-1. (Note: -1.)

(AH) protocol. Choices are MD5 o not support SHA-1.)

rsion 5 (MD5) algorithm for

e MD5 algorithm.

ithm (SHA-1) algorithm for

e SHA-1 algorithm.

lowing: authentication, IKE, L2TP, ntication/IKE/L2TP, or IKE/L2TP.

tabase. By default, the user is

��

esp For VPN dialup users and dynamic peers. DefSecurity Payload (ESP) protocol.

3des Specifies the Triple Data Encryption Standard

aes128 Specifies the Advanced Encryption Standard (

key <key_hex> Defines the 192-bit hexidecimal key used in thebe between 1000 and 2fffffff.

password <pswd_str> Defines a password for the generation of a hedevice creates a hexidecimal key for the user that the user provides.

des Specifies the DES encryption algorithm.

key <key_hex> Defines the 64-bit hexidecimal key used in the

null Defines “no encryption method” for the ESP p

auth Defines the use of an authentication method. CSome NetScreen devices do not support SHA

ah Defines the use of the Authentication Header and SHA-1. (Note: Some NetScreen devices d

md5 Sets the device to use the Message Digest veauthentication.

key <key_hex> Defines the 16-byte hexidecimal key used in th

sha-1 Sets the device to use the Secure Hash Algorauthentication.

key <key_hex> Defines the 20-byte hexidecimal key used in th

type { [ auth ] [ ike ] [ l2tp ] } Sets the user type, which can be one of the folauthentication/IKE, authentication/L2TP, authe

disable | enable Disables or enables the user in the internal daenabled.

��!//%��"

+�:��

.

ser.

in Name, the complete string,

r identity, usually equivalent to an

s the user certificate distinguished r identity.

ommunication with any user s. The NetScreen device does not

concurrently using this identity is f the VPN gateway uses so only a single user can log in

r authentication/L2TP users, the authentication.

le entry. The interfaces you can

terfaces in USGA Features.

��

ike-id { <ip_addr> | <name_str> } Adds and defines an AutoKey IKE dialup user

• ip <ip_addr> The IP address of the dialup u

• fqdn <name_str> The Fully Qualified Domasuch as www.netscreen.com.

• u-fqdn <name_str> Specifies the dialup useemail address, such as [email protected].

• asn1-dn { wildcard <name_str> } Specifiename fields and field values that define use

Example: “o=ACME,ou=Marketing”This user identity automatically allows tunnel chaving a certificate containing these field valuecheck any fields not defined here.The number of users that can establish tunnelsset by the share-limit <number> parameter. Ipreshared keys, the share limit is limited to 1, with that identity.

password <pswd_str> The password used for user authentication. Fosame password is for both network and L2TP

outgoing-interface <interface> The name of the ARP interface in the ARP tabuse for the ARP interface are as follows.

- ethernet<n>

- ethernet<n1>/<n2>

- ethernet<n1>.<n2>


- v1-trust

- v1-untrust

- v1-dmz

For more information on interfaces, refer to In

��!//%��"

+�8��

with the password JnPc3g12:

ipsecmaryj, and with a

yj

at supersede the default L2TP

igned to an L2TP user.

ssigned to an L2TP user.

.

me_str>.

signed to an L2TP user.

assigned to an L2TP user.

��

.� %� �"

Users are enabled by default.

51%/4 �"

To create an authentication user in the NetScreen internal database for user guest

ns-> set user guest password JnPc3g12

To change the user guest to an authentication/L2TP user:

ns-> set user guest type auth l2tp

To create a dialup user named maryj using DES encryption based on the passwordlocal-spi defined as 3456 and remote-spi defined as 7890:

ns-> set user maryj dialup 3456 7890 esp des password ipsecmar

To create an IKE user named branchsf with the IKE-ID number 2.2.2.2:

ns-> set user branchsf ike-id 2.2.2.2

To delete the user named jane:

ns-> unset user jane

remote settings Defines user-specific remote L2TP settings thsettings.

dns1 <ip_addr> The IP address of the primary DNS server ass

dns2 <ip_addr> The IP address of the secondary DNS server a

idaddr <ip_addr> Assigns a specific IP address to an L2TP user

ippool <name_str> Specifies the L2TP IP pool with the name <na

wins1 <ip_addr> The IP address of the primary WINS server as

wins2 <ip_addr> The IP address of the secondary WINS server

��!//%��"

+��

ssessing certificates containing

arketing” share-limit

definition.

��

To create a new user definition named “marketing” that recognizes up to 10 hosts po“ACME” in the O field, and “Marketing” in the OU field:

ns-> set user “marketing” ike-id asn1-dn wildcard “o=ACME,ou=M10

This command uses Group IKE ID, which allows multiple hosts to use a single user

�� "!

See the get user, set ike, set l2tp, set ippool, and set vpn commands.

��!//%��"

+3��

��/'�unnel.

y. AutoKey IKE (Internet Key user-defined intervals. By ipants change them explicitly.

ort it generates the error

ssage AutoKey VPN is not

��

Description: Use the set vpn command to create a Virtual Private Network (VPN) t

NetScreen devices support two key methods for VPNs, AutoKey IKE and Manual KeExchange) is a standard protocol that automatically regenerates encryption keys at contrast, Manual Key VPNs use predefined keys that are unchanged until the partic

Attempting to use the SHA-1 parameter with a NetScreen device that does not suppmessage This device doesn’t support SHA-1 Authentication.

Entering the set vpn <name_str> trust gateway command generates the error mesupported on trust interface.

�0��%1set vpn <name_str>

[ trust ]{monitor |gateway { <name_str> | <ip_addr> }

{[ replay | no-replay ]

[ transport | tunnel ][ idletime <number> ]

[ proposal[ <name_str>

[ <name_str>[ <name_str>

[ <name_str> ]]

]]

]} |

manual <32_bit_hex> <32_bit_hex>{ gateway { <ip_addr> }

��!//%��"

+3+��
��
{[ nat-traversal

[ keepalive-frequency <number> ][ udp-checksum ]

[ ip-gateway-public <ip_addr> ]{ port-gateway-public <number> }

][ outgoing-interface <interface> ]

{ah { md5 | sha-1 } |

{key <16_byte_hex> |password <pswd-str>}

esp {3des

{key <192-bit_hex> |password <pswd_str>}

des{key <64-bit_hex> |password <pswd_str>}

aes128{key <128-bit_hex> |password <pswd_str>

null[ auth

md5 | sha-1{key <16_byte_hex> |password <pswd-str>}

]{

��!//%��"

+3��

ay. (This can be a NetScreen unit

lt setting is no-replay.

tive IP packet is encapsulated. In l mode is appropriate when both

y devices. Transport mode is

an remain inactive before the

��

}}

proxy-id <name_str>{ local-ip <ip_addr>/<mask> }

{ remote-ip <ip_addr>/<mask> }{ <name_str> } |

df-bit{clear |copy |set} |

bind{interface <interface> |zone <name_str>}

}

unset vpn <vpn_name> [ monitor ]

��)�/��"

vpn <name_str> Defines a name for the VPN.

trust Specifies the Trusted interface.

gateway <name_str> Specifies the name of the remote security gatewor any other IPSec-compatible device).

replay | no-replay Enables or disables replay protection. The defau

transport | tunnel Defines the IPSec mode. In tunnel mode, the actransport mode, no encapsulation occurs. Tunneof end points in an exchange lie beyond gatewaappropriate when either end point is a gateway.

idletime<number> The length of time in minutes that a connection cNetScreen device terminates it.

��!//%��"

+3��

2 proposal determines how a

en device is in Manual mode, you sword.l and remote specurity ber uniquely distinguishes a ch must be a hexidecimal value

the other end of the tunnel, and

security gateway. This can be a evice.

authenticate IP packet content.

vice.

for authentication.

tScreen device uses to produce a age.

(SHA-1) algorithm for

ayload (ESP) protocol, which the ate IP packets. Encryption no encryption”).

DES) encryption algorithm.

ryption.

ncryption algorithm.

tion.

ES), 128-bit encryption.

��

proposal <name_str> Defines up to four Phase 2 proposals. A Phase NetScreen device sends VPN session traffic.

manual <32_bit_hex> <32_bit_hex>

Specifies a Manual Key VPN. When the NetScrecan encrypt and authenticate by HEX key or pas<32_bit_hex> and <32_bit_hex> are 32-bit locaparameters index (SPI) numbers. Each SPI numparticular tunnel from any other active tunnel. Eabetween 3000 and 2fffffff.The local SPI corresponds to the remote SPI at vice-versa.

gateway <ip_addr> Defines the Untrusted IP address of the remote NetScreen unit or any other IPSec-compatible d

ah Specifies Authentication Header (AH) protocol toHashing algorithm choices are MD5 and SHA-1.

local-interface Specifies the local interface of the NetScreen de

md5 Specifies the Message Digest 5 (MD5) algorithm

key <16_byte_hex> Defines a 16-byte hexidecimal key, which the Ne128-bit message digest (or hash) from the mess

sha-1 Specifies the Secure Hash Algorithm (version) 1authentication.

esp Specifies the use of the Encapsulating Security PNetScreen device uses to encrypt and authenticalgorithm choices are DES, 3DES and Null (for “

3des Specifies the Triple Data Encryption Standard (3

key <192_bit_hex> Defines a 192-bit hexadecimal key for 3DES enc

des Specifies the Data Encryption Standard (DES) e

key <64-bit hex> Defines a 64-bit hexidecimal key for DES encryp

aes128 Specifies the Advanced Encryption Standard (A

��!//%��"

+3��

ption.

ethod.” When used with auth,

uses to generate an encryption or

eer gateway’s public IP address.

e keepalive frequency.

e peer gateway’s public IKE port

DP checksum.

es you can use for the outgoing

rfaces in USGA Features.

��

key <128-bit hex> Defines a 128-bit hexidecimal key for DES encry

null When used with ESP, specifies “no encryption mspecifies “no authentication method.”

password <pswd_str> Specifies a password that the NetScreen deviceauthentication key automatically.

nat-traversal Configures the VPN to work with NAT.

• ip-gateway-public <ip_addr> Specifies the p

• keepalive-frequency <number> Specifies th

• port-gateway-public <number> Specifies thnumber.

• udp-checksum Enables the NAT-Traversal U

outgoing-interface <interface> The name of the outgoing interface. The interfacinterface are as follows.

- ethernet<n>

- ethernet<n1>.<n2>

- ethernet<n1>/<n2>


- v1-trust

- v1-untrust

- v1-dmz

For more information on interfaces, refer to Inte

��!//%��"

+33��

dresses used by the VPN tunnel,

nd subnet mask of the local

s of the remote subnet.

s FTP, TELNET, DNS or HTTP.

ethod. The available choices are t support SHA-1. See below for

3 data and traps to an SNMP

the Don’t Fragment (DF) bit in the

eader.

er.

interface to use for VPN binding.

one to use for VPN binding.

��

.� %� �"

The key lifetime is set to 3600 seconds.

The ESP authentication algorithm is NONE when not specified otherwise.

proxy-id Specifies the combination of local and remote adand specifies the service provided.

• local-ip <ip_addr>/<mask> The IP address asubnet.

• remote-ip <ip_addr>/<mask> The IP addres

• <name_str> The name of the service, such a

auth Specifies the use of an authentication (hashing) mMD5 or SHA-1. (Some NetScreen devices do nomore information.)

monitor Monitors the specified VPN sending SNMP MIBcommunity.

df-bit Determines how the NetScreen device handles outer header.

• clear clears (disables) DF bit from the outer h

• copy copies the DF bit to the outer header.

• set sets (enables) the DF bit in the outer head

bind Performs VPN binding.

- interface <interface> specifies the tunnel

- zone <name_str> specifies the security z

��!//%��"

+3��

esp des password

68.2.2/24 prx_main

mand)

es-sha

ection contains the complete

��

51%/4 �"

To create a manual VPN named “judy” with the following features:

• local and remote SPIs defined as 00001111 and 00002222

• the remote gateway IP address set at 172.16.33.2

• ESP with DES and MD5 using keys generated from the password “judyvpn”

ns-> set vpn judy manual 00001111 00002222 gateway 172.16.33.2judyvpn auth md5 password judyvpn

To specify a vpn proxy configuration named prx_main:

ns-> set vpn x proxy-id local-ip 172.16.1.1/24 remote-ip 192.1

To create an AutoKey IKE VPN named “tuval” with the following features:

• remote gateway “funaf” (previously specified using the set ike gateway com

• replay protection enabled

• a Phase 2 proposal consisting of a Diffie-Hellman Group 2 exchange

• ESP with Triple DES and SHA-1

ns-> set vpn tuval gateway funaf.com replay proposal g2-esp-3d

�� "!

See the get vpn, set vpnmonitor, and set ike commands. The set ike command ssteps for setting up a VPN tunnel.

��!//%��"

+3:��

��/'�&%��%�

gth in seconds is <number>

��

Description: Use the set vpnmonitor command to set the monitor frequency.

�0��%1set vpnmonitor frequency { <number> }

unset vpnmonitor frequency

��)�/��"

.� %� �"

None.

51%/4 �"

To set a vpnmonitor with a frequency of 30 seconds:

ns-> set vpnmonitor frequency 3

�� "!

See the get vpnmonitor, get vpn, and set ike commands.

frequency <number> Specifies the monitor frequency interval. The interval lenmultiplied by 10.

��!//%��"

+38��

��/�%(��

ifies which addresses the t (deny). The <ip_addr>/<mask> al router.

rtual router.

��

Description: Use the set vrouter command to configure a virtual router.

�0��%1set vrouter <name_str>

[access-list <number>

{ deny | permit }{ ip <ip_addr>/<mask> } |

auto-route-export |import-from | export-to

{ vrouter <name_str> }{ ip <ip_addr>/<mask> } |

id <number> |max-routes <number> |route <ip_addr>/<mask>

{[ interface <interface> ]

gateway <ip_addr> [ metric <number> ] |vrouter <name_str>} |

router-id <number> | <ip_addr> ]

unset config

��)�/��"

access-list <number> Adds IP addresses to the virtual router, and specNetScreen device routs (permit) and does not rouvalue identifies the IP address to place in the virtu

auto-route-export Exports public interface routes to the untrust-vr vi

��!//%��"

+3��

router untrust-vr.

92.168.2.3/24

t-from) or exports routes to ame_str> parameter identifies mask> value identifies the IP

ber>.

allowed in the vrouter.

��

51%/4 �"

To create a new virtual router named Out_Route, with ID number 1035:

ns-> set vrouter Out_Route id 1035

To import a route with IP address 192.168.2.3/24 to vrouter Out_Route from virtual

ns-> set vrouter Out_Route import-from vrouter untrust-vr ip 1

�� "!

See the get vrouter command.

import-from | export-to Imports routes from another virtual router (imporanother virtual router (export-to). The vrouter <nthe other virtual router by name. The <ip_addr>/<address route to import or export.

id <number> Creates a new virtual router with ID number <num

max-routes <number> Specifies the maximum number of routing entries

route <ip_addr>/<mask> Configures a route in the virtual routing table.

router-id <number> | <ip_addr> Specifies the virtual router ID for ospf/bgp.

��!//%��"

+��

��/�2�el of a NetScreen device.

virtual system:

each a unique security domain

root level admin within the virtual al system.

��

Description: Use the set vsys command to create virtual systems from the root lev

�0��%1set vsys <name_str>

unset vsys <name_str>

��)�/��"

.� %� �"

The default condition is no virtual systems configured.

51%/4 �"

To create a virtual system named organization3 and switch the console to the new

ns-> set vsys organization3

�� "!

See the get vsys, set interface and enter vsys commands.

�!��"

The NetScreen-500 and -1000 provide multi-tenant services through virtual systems,with its own settings and management.

<name_str> Defines the name of a virtual system and automatically places thesystem. Subsequent commands configure the newly created virtu

��!//%��"

+�+��

te that you are now operating

et vsys command to remove a

l system software_key feature.

stems.

��

When you execute the set vsys command, the command prompt changes to indicawithin a virtual system.

To access an existing virtual system, execute the enter vsys command.Use the unsspecific virtual system and all its settings.

Note: The number of virtual systems depends on the quantity obtained via the virtua

The virtual system user software_key only allows you to configure up to 25 virtual sy

��!//%��"

+��

��0�)��

��

Description: Use the set webtrends command to configure WebTrends.

�0��%1set webtrends

{VPNenablehost-name <name_str>port <port_num>}

unset webtrends{VPNenablehost-name <name_str>port <port_num>}

��)�/��"

��%� %�� 0

This feature is supported on all NetScreen devices.

vpn Enables WebTrends VPN encryption.

enable Enables WebTrends.

host-name <name_str> Specifies the WebTrends host name.

port <port_num> Specifies the WebTrends host port.

��!//%��"

+��
��
.� %� �"

None.

51%/4 �"

To set the WebTrends VPN encryption:

ns-> set webtrends vpn

To enable WebTrends:

ns-> set webtrends enable

�� "!

See the set vsys-traffic command.

��!//%��"

+��

��3%��

d zone names, see Security

ayer-2 zones when you need to

nnel zone.

��

Description: Use the set zone command to create or configure a security zone.

�0��%1set zone

{id <id_num> | <name_str>

{ block | vrouter <name_str> } |name <zone>

{L2 <id_num> |tunnel <name_str>}

}

unset zone <interface>[ name <name_str> ]

��)�/��"

id <id_num> The identification number of the zone.

<name_str> The name of the zone. For more information on zones anZones in USGA Features.

block Imposes intra-zone blocking.

vrouter <name_str> Binds the zone to a virtual router.

name <zone> Creates a new zone with name <zone>.

• L2 <id_num> specifies that the zone is Layer-2. Use Lrun the NetScreen device in Transparent Mode.

• tunnel <name_str> specifies that the zone is a VPN tu

��!//%��"

+�3��
��
51%/4 �"

To create a new Layer-2 zone named Marketing, with VLAN ID number 3:

ns-> set zone name Marketing L2 3

To impose inter-zone blocking on the Trust zone:

ns-> set zone trust block

To create a tunnel zone named Engineering:

ns-> set zone name Engineering tunnel Tunn_Zone

�� "!

See the get zone and set config commands.

��!//%��"

+��
��

�

+��

�

console.

nter a greater-than sign ( > ) for

d that certain commands and the get vsys command, which is command options are unavailable terface command are available on

��

��%&& ��

Use the get commands to display system configuration parameters and data on the

If you wish to redirect the output of a get command to a TFTP server as a text file, eevery get command.

get address > tftp <ip_addr> <filename>

�4 &'��ns-> get address > tftp 172.16.3.4 addr.txt

• As you execute CLI commands using the syntax descriptions in this chapter, you may fincommand features are unavailable on your NetScreen device model. A good example is available on a NetScreen-500 device, but not on a NetScreen-208 device. Similarly, someon certain models. For example, the ha1 and ha2 switches under the get counter flow inthe NetScreen-500 but not on the NetScreen-208.

��!//%��"

��

�� signed to security zones.

n the TFTP server:

more information on zones, see

ss group within the address book.

ame> on the TFTP server

��

Description: Use the get address command to display the address book entries as

�0��%1get address <zone> [ group <name_str> ]

[ > tftp <ip_addr> <filename> ]

��)�/��"

51%/4 �"

To display only Address Book entries for the Trusted interface:

ns-> get address trust

To display a specific address group named “sales” on the Trusted interface:

ns-> get address trust group sales

To direct Address Book entries for the Untrusted interface to a file named genr.otp o

ns-> get address untrust > tftp 172.16.10.10 genr.otp

�� "!

See the set address command.

zone The address book’s security zone. ForSecurity Zones in USGA Features.

group <name_str> specifies an addre

> tftp <ip_addr> <filename> Directs generated output to a file <filen<ip_addr>.

��!//%��"

��

g, and comments for the entry.

��

�!��"

The display for each Address Book entry shows the name, IP address, netmask, fla

��!//%��"

��

�� &�ameters.

, or domain name, flag, and

. (Compare this lays the authentication

can use the internal ation, you can use the erver.

one entering the

gement workstation.

��

Description: Use the get admin command to display the system administration par

The display for each address book entry shows the name, IP address, and netmaskcomments for the entry.

�0��%1get admin

[auth [ settings ] |current-user |manager-ip |user

[cache |login] |

scs { all }]


��)�/��"

auth [ settings ] Displays authentication settings for administratorscommand with the get auth command, which dispsettings for users.) For admin authentication, youdatabase or a RADIUS server. For user authenticinternal database, a RADIUS server or an LDAP s

current-user Lists only the name of the current user; that is, thecommand.

manager-ip Displays the IP address and netmask of the mana

��!//%��"

3��

ation parameters:

tification

e:

re SCS password

the TFTP server

��

51%/4 �"

To show all the administrative parameters for the NetScreen device:

ns-> get admin

To show the names of the administrators:

ns-> get admin user

�� "!

See the set admin command.

�!��"

The get admin command displays the following system administration and configur

• The system IP address and port number for Web management

• The e-mail alert status

• The e-mail server IP address or server name

• The remote e-mail address or addresses for the recipients of e-mail alerts

• The remote e-mail address or addresses for the recipients of e-mail alert no

• The configuration format—DOS or UNIX

user Lists the names of the administrators for the deviccache: Lists all remote admin users.login: Lists current users of all login sessions.

scs { all } Lists all admin users, and indicates which users aauthentication (PWA) enabled.

> tftp <ip_addr> <filename> Directs generated output to a file (<filename>) on(<ip_addr>).

��!//%��"

��

�� &

ing> ]ng> ] |

r> ]

ing> ]

] ]

��

Description: Use the get alarm command to display alarm entries.

�0��%1�get alarm

{event

[type <number> [ -<number> ] |module { system | all-modules } |

[ level{emergency |alert |critical |error |warning |notification |information |debugging |all-levels}

[ type ]]

][ start-time <string> ] [ end-time <str

[ include <string> ] [ exclude <stritraffic

[ policy { <pol_num> [ -<pol_num> ] } ][ service <name_str> ]

[ src-address <ip_addr> ] [ dst-address <ip_add[ detail

[ start-time <string> ] [ end-time <str[ minute | second

[ threshold <number> [ -<number>

��!//%��"

:��

] ]

display. The all-levels option

the ScreenOS module that

a range of types.

a specified alarm event.

arm entries that occurred at and r <string> is:

is the default), or express the year The hour, minute, and second are and the time can be a space, a

e the detail specified.

e the detail specified.

��

[ rate <number> [ -<number> ]

] |threshold}


��)�/��"

event Specifies event alarm entries.

level Specifies the security level of alarms to display all security levels.

module Specifies alarms to display according togenerated them.

type <number> [ -<number> ] Message type. Enter a specific type, or

begin <string> Displays event alarm entries that follow

end-time <string> Displays event alarm entries or traffic albefore the time specified. The format fomm/dd[/yy-hh:mm:ss.You can omit the year (the current year using the last two digits or all four digits.optional. The delimiter between the datedash, or an underscore:12/31/2001-23:59:0012/31/2001_23:59:00

exclude <string> Displays event alarm entries that exclud

include <string> Displays event alarm entries that includ

��!//%��"

8��

arm entries that occurred at the tring> is:

is the default), or express the year The hour, minute, and second are and the time can be a space, a

ss Policy specified by its ID ecified by a range of ID numbers.

en 0 and the total number of range, enter the starting and

fied Service, such as TCP, ICMP, e <name_str> value Any.) The example, both TC and CP are t specify a Service group, note

HTTP, and TFTP, entering TP of these Services.

from a specified IP address or e_Any or Outside_Any.

r a specified IP address or for a or outside_any.

ccess Policy, including all traffic licy. If you omit this option, the and the time of the most recent

��

start-time <string> Displays event alarm entries or traffic alspecified time or after. The format for <smm/dd[/yy-hh:mm:ss.You can omit the year (the current year using the last two digits or all four digits.optional. The delimiter between the datedash, or an underscore:12/31/2001-23:59:0012/31/2001_23:59:00

traffic Specifies traffic alarm entries.

policy { <pol_num> | <pol_num> | <pol_num> }

Displays traffic alarm entries for an Accenumber or for several Access Policies spThe ID number can be any value betweestablished Access Policies. To define aending ID numbers as follows: <pol_num> - <pol_num>

service <name_str> Displays traffic alarm entries for a specior FTP. (To display all services, make thname does not have to be complete; forrecognized as TCP. Although you cannothat because TP is recognized as FTP, displays traffic alarm entries for all three

src-address <ip_addr> Displays traffic alarm entries originatingfrom a specified direction, such as Insid

dst-address <ip_addr> Displays traffic alarm entries destined fospecified direction, such as inside_any

detail Displays detailed information for each Aalarm entries that occurred under the pooutput contains only general informationalarm for each policy.

��!//%��"

��

larm entries and Access Policy get alarm traffic command

0:

Policies with threshold settings at

Policies with threshold settings at nge.

Policies with a flow rate at a ge.

ame> on the TFTP server

��

.� %� �"

If you execute get alarm without options or parameters, the command displays all ainformation. The get alarm event command displays all event alarm entries, and thedisplays all traffic alarm entries.

51%/4 �"

To display all alarm entries:

ns-> get alarm

To show event alarm entries:

ns-> get alarm event

To show all traffic alarm entries:

ns-> get alarm traffic

To show traffic alarm entries for an Access Policy with ID number 4:

ns-> get alarm traffic policy 4

To show all event alarm entries from 1:30 P.M. on February 28, 2000:

ns-> get alarm event start-time 02/28/2000-13:30

To show all event alarm entries from 1:30 P.M. to 1:39:59 P.M. on February 28, 200

second | minute Displays traffic alarm entries for Accessbytes/second or bytes/minute.

threshold { <number> | <number>-<number> }

Displays traffic alarm entries for Accessa specified value or within a specified ra

rate { <number> | <number>-<number> } Displays traffic alarm entries for Accessspecified value or within a specified ran

> tftp <ip_addr> <filename> Directs generated output to a file <filen<ip_addr>.

��!//%��"

+��

13:39:59

0 except for Access Policy

13:39:59 exclude

dress 172.16.1.24:

m thresholds set within the

tics:

nts for the Trusted as well as exclude untrust string.

��

ns-> get alarm event start-time 02/28/00_13:30 end-time 02/28_

To show all event alarm entries from 1:30 P.M. to 1:39:59 P.M. on February 28, 200changes:

ns-> get alarm event start-time 02/28/00_13:30 end-time 02/28_“policy change”

To show all event alarm entries on traffic originating from the Trusted side:

ns-> get alarm event include trust exclude untrust

To show traffic alarm entries for HTTP service:

ns-> get alarm traffic service http

To show traffic alarm entries for all traffic originating from the Untrusted side:

ns-> get alarm traffic src outside_any

To show traffic alarm entries for all incoming traffic destined for the server with IP ad

ns-> get alarm traffic src outside_any dst 172.16.1.24

To show emergency-level alarms:

ns-> get alarm event level emergency

To show detailed information on all traffic alarm entries:

ns-> get alarm traffic detail

To show detailed information on traffic alarm entries for all Access Policies with alarrange of 1000 to 20,000 bytes/second:

ns-> get alarm traffic detail second threshold 1000-20000

To show detailed information on all traffic alarm entries with the following characteris

• outgoing traffic

Note: Because strings are not considered whole words, include trust shows all eveUntrusted interfaces. To restrict the display to events from the Trusted side, add the

��!//%��"

++��

etail start-time

maintain and the current

ystem on the NetScreen-1000, l Systems do not appear.

��

• using TCP

• operating under Access Policies

• within the ID range of 3 to 7

• on May 27, 2000 from 4:00 P.M. to 4:59:59 P.M

ns-> get alarm traffic policy 3-7 service TCP src inside_any d05/27/00_16:00 end-time 05/27_16:59:59

�� "!

See the clear alarm command.

�!��"

The console displays the maximum number of alarms that the NetScreen device cannumber of entries in the table.

When you executie get alarm from within a Virtual System or from within the main sthe command displays only entries from that system. Alarm entries from other Virtua

��!//%��"

+��

�� s.

��

Description: Use the get alias command to list aliases representing CLI command

�0��%1get alias

��)�/��"

None.

.� %� �"

None

51%/4 �"

The following command lists all alias assignments.

ns-> get alias

�� "!

See the set alias command.

��!//%��"

+��

�� 'tion Protocol (ARP) table.

device

the TFTP server <ip_addr>.

��

Description: Use the get arp command to display the entries in the Address Resolu

The get arp command displays the following information for each entry:

• The IP address of the system sending network traffic through the NetScreen

• The system’s MAC address

• The name of the interface connected to the system

• The age of the entry in seconds

The ARP table contains a maximum of 256 entries.

�0��%1get arp


��)�/��"

51%/4 �"

To display all the entries in the arp table:

ns-> get arp

�� "!

See the set arp and clear arp commands.

> tftp <ip_addr> <filename> Directs generated output to a file <filename> on

��!//%��"

+��

�� (�)��* � �&s on a NetScreen device.

TFTP server <ip_addr>.

��

�Description: Use the get audible-alarm command to view the audible alarm setting

�0��%1get audible-alarm


��)�/��"

51%/4 �"

To view the audible alarm settings:

ns-> get audible-alarm

�� "!

See the set audible-alarm and clear audible-alarm commands.

> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the

��!//%��"

+3��

�� (�+ation settings.

erver to authenticate users. be processed.

ation method.et auth settings displays the

thentication requests originate, ic deletion. Also displays whether

e TFTP server <ip_addr>.

��

Description: Use the get auth command to display the user authentication configur

�0��%1get auth

[history |queue |settings |table]


��)�/��"

51%/4 �"

To display the authentication queue:

ns-> get auth queue

history Displays the authentication history.

queue Applies only if using a RADIUS server or SecurID sDisplays a list of authentication requests waiting to

settings Displays settings according to the current authenticWhen the NetScreen internal database is in use, gtimeout value for the authenticated entry.

table Displays a table of IP addresses from which the auand how much time each entry has before automatauthentication attempt is successful or not.

> tftp <ip_addr> <filename> Directs generated output to a file <filename> on th

��!//%��"

+��

entry in the NetScreen xpires, the device deletes the

the NetScreen device rejects

the authenticated entry, the IP in use, get auth settings

ed

��

To display the authentication settings:

ns-> get auth settings

To display the authentication table:

ns-> get auth table

�� "!

See the set auth and clear auth commands.

�!��"

When a user authentication attempt is successful, the NetScreen device creates an authentication table, and assigns the entry a timeout value. When the timeout limit eentry, and any newly initiated traffic requires new authentication.

NetScreen supports a maximum of 4096 entries in this table. When the table is full, any new authentication attempts until a current entry expires.

When the RADIUS server is in use, get auth settings displays the timeout value foraddress for the RADIUS server, and the shared secret. When the SecurID server is displays the following values:

• The authentication port number

• The SecurID Master server name, and the SecurID Slave server name, if us

• Whether duress is used

• The type of encryption

• The maximum number of retries

• The communication timeout value

• The authenticated entry timeout value

��!//%��"

+:��

imeout value, the IP address of d name and common name

��

When the LDAP server is in use, get auth settings displays the authenticated entry tthe LDAP server, and its listening port. The command also displays the distinguisheidentifier.

��!//%��"

+8��

��,�%,-een device.

since 1/1/1970 GMT. The


��

Description: Use the get clock command to display the system time on the NetScr

�0��%1get clock


��)�/��"

51%/4 �

To display the system time for the NetScreen device:

ns-> get clock

�� "!

See the set clock command.

�!��"

The display includes the current date in calendar format and the number of secondsdisplay also includes the NetScreen device’s uptime since the last power-up.


��!//%��"

+��

��,%�.�tion settings for a NetScreen

9:

ory.


��

Description: Use the get config command to display the current or saved configuradevice.

�0��%1get config [ saved ]


��)�/��"

51%/4 �"

To display the current runtime configuration on the console:

ns-> get config

To display the configuration that has been saved in the flash memory:

ns-> get config saved

To download a configuration file named new_cnfg from a TFTP server at 172.16.54.

ns-> get config > tftp 172.16.54.9 new_cnfg

�� "!

See the save command.

saved Displays the configuration file saved in flash mem


��!//%��"

��

��,%��%��

ole or Telnet, and the duration


��

Description: Use the get console command to display the console parameters.

�0��%1get console


��)�/��"

51%/4 �"

To display all the console parameters:

ns-> get console

�� "!�

See the set console command.

�!��"

The get console command displays this console configuration information:

• The timeout value

• The number of lines to display per screen

• Where the debug messages are displayed

• The number of active connections to the NetScreen device through the consof these connections

• For a Telnet connection, the IP address for the client machine.


��!//%��"

�+��

��,%(��n on the NetScreen interfaces.

the flow level. A flow-level acket to gauge its nature and

rs for packets inspected at the checks for packet errors and stablished threshold settings. Interfaces in USGA Features.

��

Description: Use the get counter command to display system and traffic informatio

�0��%1get counter

{flow | statistics | screen

[ interface <name_str> ] |policy <pol_num>

{day |hour |minute |month |second}

}[ > tftp <ip_addr> <filename> ]

��)�/��"

flow Specifies counters for packets inspected atinspection examines various aspects of a pintent.

statistics Displays the counter statistics.

screen Displays screen counter statistics.

interface <name_str> The name of the interface. Specifies counteinterface level. An interface-level inspectionmonitors the quantity of packets in light of eFor more information on interfaces, refer to

��!//%��"

��

P) packets received

te option

ed

Address Translation (NAT)

(DIP) addresses

trusted side

g the administrator to monitor the

raffic permitted by a particular

> on the TFTP server <ip_addr>.

��

51%/4 �

To list the counters for the Truster interface:

ns-> get counter flow interface trust

�!��"

This command is used only for technical support.

This system information is displayed for flow-level counters:

• tiny frag – the number of tiny fragmented packets received

• tear drop – the number of oversize Internet Control Message Protocol (ICM

• src route – the number of packets dropped because of the filter source rou

• pingdeath – the number of suspected ping-of-death attack packets received

• addr spf – the number of suspected address spoofing attack packets receiv

• land att – the number of suspected land attack packets received

• no route – the number of unroutable packets received

• no conn – the number of packets dropped because of unavailable Networkconnections

• poli deny – the number of packets denied by a defined access policy

• auth fail – the number of times user authentication failed

• no dip – the number of packets dropped because of unavailable Dynamic IP

• no map – the number of packets dropped because there was no map to the

policy <pol_num> Identifies a particular access policy, allowinamount of traffic it permits.

day | hour| minute | month | second Specifies the period of time for monitoring taccess policy.

> tftp <ip_addr> <filename> Directs generated output to a file <filename

��!//%��"

��

syn flood protection or user

could not be found

Translation (NAT) connection

RP) packets attempting to

kets

ooped back

SA) was defined

associated with an SA

el counters:

unknown MAC address

RC) error

ream

��

• url block – the number of HTTP requests that were blocked

• tcp proxy – the number of packets dropped from using a tcp proxy such asauthentication

• no gate – the number of packets dropped because no gate was available

• no parent – the number of packets dropped because the parent connection

• no g-gate – the number of packets dropped because the Network Address was unavailable for the gate

• nvec err – the number of packets dropped because of NAT vector error

• trmn drp – the number of packets dropped by traffic management

• trmng que – the number of packets waiting in the queue

• big bkstr – an excessively large number of Address Resolution Protocol (Auncover the Media Access Control (MAC) address for an IP address

• enc fai – the number of failed Point to Point Tunneling Protocol (PPTP) pac

• lpbk deny – the number of packets dropped because the packets can’t be l

• no sa – the number of packets dropped because no Security Associations (

• no sapoli – the number of packets dropped because no access policy was

• sa inact – the number of packets dropped because of an inactive SA

• sapoli dn – the number of packets denied by an SA policy

• illegal – the number of packets dropped because they are illegal packets

The get counter command displays the following traffic information for interface-lev

• in pak – the number of packets received

• in vpn – the number of IPSec packets received

• out pak – the number of packets sent

• out bpak – the number of packets held in back store while searching for an

• in crc – the number of incoming packets with a cyclic redundancy check (C

• in alg – the number of incoming packets with an alignment error in the bit st

��!//%��"

��

ers

received

P address

��

• in nobuf – the number of unreceivable packets because of unavailable buff

• in short – the number of incoming packets with an in-short error

• in err – the number of incoming packets with at least one error

• in coll – the number of incoming collision packets

• out unr – the number of transmitted underrun packets

• early fr – counters used in an ethernet driver buffer descriptor management

• late fr – counters used in an ethernet driver buffer descriptor management

• in icmp – the number of Internet Control Message Protocol (ICMP) packets

• in self – the number of packets addressed to the NetScreen Management I

• in unk – the number of UNKNOWN packets received

• connection – the number of sessions established since the last boot

��!//%��"

�3��

�� ('*��%('uration parameters.

mber of members for all the

up with ID <id_num>. The rs and their SPI ID-type for the the IKE dialup user.


��

�Description: Use the get dialup-group command to display the dialup group config

�0��%1get dialup-group

{all |id <id_num>}


��)�/��"

51%/4 �"

To display all the dialup-group configurations:

ns-> get dialup-group all

To display the configuration settings for the dialup-group with ID number 4:

ns-> get dialup-group id 4

all Displays the dialup group ID, name, and the total nuconfigured dialup groups.

id <id_num> Displays detailed information for a specific dialup groinformation includes the names of the group membevalues for the manual key dialup user, or the ID and


��!//%��"

��
��
�� "!

See the set dialup-group command.

��!//%��"

�:��

��'ttings for a NetScreen device:

bers.

ool for a particular interface.


��

Description: Use the get dip command to display the following dynamic IP (DIP) se

• the DIP pool ID number

• the range of IP addresses in the DIP pool

• the interface to which the pool is associated

• whether the pool supports Port Address Translation (PAT) or fixed port num

�0��%1get dip [ all ]


��)�/��"

51%/4 �"

To display all DIP configurations:

ns-> get dip

To display all DIP configurations and direct the output to a file on the TFTP server:

ns-> get dip > tftp 172.16.10.10 outp.txt

�� "!

See the set interface command, which is the command to use to configure a DIP p

all Displays all DIPs for every virtual system (VSYS).


��!//%��"

�8��

�� settings on the NetScreen


��

Description: Use the get dns command to verify the Domain Name Service (DNS)device.

�0��%1get dns

{forward |host

{cache |report |settings} |

name <name_str>}


��)�/��"

forward Shows the DNS forwarding information.

host cacheDisplays the DNS cache table.

reportDisplays the DNS lookup table.

settingsDisplays the DNS settings.

name <string> Specifies the domain name.


��!//%��"

��
��
51%/4 �

To get the DNS host report information on a NetScreen device:

ns-> get dns host report

�� "!

See the set dns command.

��!//%��"

��

��%& �reen device.


��

Description: Use the get domain command to view the domain name of the NetSc

�0��%1get domain


��)�/��"

51%/4 �

To get the domain name of the NetScreen device:

ns-> get domain

�� "!

See the set domain command.


��!//%��"

�+��

��/ �gs.

and:


��

Description: Use the get envar command to display the environment variable settin

�0��%1get envar


��)�/��"

51%/4 �

To display the environment variable settings you specified with the set envar comm

ns-> get envar

�� "!

See the set envar command.


��!//%��"

��

��.��flash memory.

ry.


��

Description: Use the get file command to display information for files stored in the

�0��%1get file [ <filename> | info ]


��)�/��"

51%/4 �"

To display the configuration files stored in flash memory:

ns-> get file

To display information for the file named corpnet from the flash card memory:

ns-> get file corpnet

�� "!

See the clear file and save commands.

<filename> Defines the file name stored in the flash card memo

info Displays the base sector and address.


��!//%��"

��

��.��0 ��nd to note which features are

wall command, showing if each


��

Description: Use the get firewall command to display firewall protection settings aenabled.

�0��%1get firewall


��)�/��"

51%/4 �"

To display the firewall protection settings:

ns-> get firewall

�� "!

See the set firewall command.

�!��"

The output from the get firewall command lists elements configured with the set fireis enabled. On means the feature is enabled. Off means the feature is disabled.


��!//%��"

��

�� etScreen device, or if all are in


��

Description: Use the get gate command to check if any gates are available on the Nuse.

�0��%1get gate


��)�/��"

.� %� �"

The default number of gates on NetScreen devices are:

51%/4 �"

To display the number of gates on the NetScreen device:

ns-> get gate


NetScreen-5xp 256

NetScreen-5 256

NetScreen-10 256

NetScreen-100 1024

NetScreen-500 1024

NetScreen-1000 4096

��!//%��"

�3��

e creates the gate first. When

��

�!��"

Gates are holes in the firewall for FTP and similar applications. The NetScreen devicthe real data traffic occurs, the device converts the gate to an actual session.

If the system reports alloc failed, all gates are currently in use.

��!//%��"

��

��%) �er settings.

n

orting port


��

Description: Use the get global command to display the NetScreen-Global Manag

�0��%1get global


��)�/��"

51%/4 �

To display the NetScreen-Global Manager configuration and reporting settings:

ns-> get global

�!��"

The get global command displays:

• Whether the NetScreen-Global Manager feature is enabled or not

• The IP address or the server name of the NetScreen-Global Manager statio

• The NetScreen-Global Manager server configuration port and the server rep

• The local listening port for the NetScreen device

• Whether the VPN encryption feature is enabled or not

• The type of reports that the NetScreen-Global Manager station requests

�� "!

See the set global command.


��!//%��"

�:��

��%) �*'�%O settings.

ttings.

ution settings in bytes or in

ution settings for user-defined


��

Description: Use the get global-pro command to display the NetScreen-Global PR

�0��%1get global-pro

{config |proto-dist

{table

{bytes |packets} |

user-service}


��)�/��"

51%/4 �"


config Display the NetScreen-Global PRO configuration se

proto-dist table Displays the NetScreen-Global PRO protocol distribpackets.

proto-dist user-service Displays the NetScreen-Global PRO protocol distribservices.


��!//%��"

�8��
��
ns-> get global-pro

�� "!

See the set global-pro command.

��!//%��"

��

��%�e.

tal number of entries in the file


��

Description: Use the get glog command to display the contents of the global log fil

�0��%1get glog


��)�/��"

51%/4 �"

To display all log entries in the global log file:

ns-> get glog

�!��"

Log entries of all categories go to the global log file initially. The display shows the toand the category to which each entry belongs.

�� "!

See the set glog command.


��!//%��"

��

��%('e groups configured on the

k of a security zone.

rity zone. For more information on Features.

address group.

and specifies its name. If you do command displays all service

name> on the TFTP server

��

Description: Use the get group command to display the address groups and servicNetScreen device.

�0��%1get group

{address { <zone> <name_str> }service [ <name_str> ]}


��)�/��"

51%/4 �"

To display a trusted address group named engineering:

ns-> get group address trust engineering

To display a service group named inside-sales:

address Assigns the group to the address boo

<zone> The name of the address book’s secuzones, see Security Zones in USGA

<name_str> specifies the name of the

service Defines the group as a service group,not include a service group name, thegroups.

> tftp <ip_addr> <filename> Directs generated output to a file <file<ip_addr>.

��!//%��"

�+��

ands.

��

ns-> get group service inside-sales

To display all untrusted address groups:

ns-> get group address untrust

To display all service groups:

ns-> get group service

�� "!

See the set group, set address, get address, set service, and get service comm

��!//%��"

��

��+ gs for high availability (HA).

HA packets.


��

Description: Use the get ha command to display the status and configuration settin

�0��%1get ha [ counter | detail | track ip ]


��)�/��"

51%/4 �"

To display the high availability group information:

ns-> get ha

�!��"

The get ha command displays:

• The software version

• The redundant group to which the NetScreen device belongs

• Whether the NetScreen device is designated as master or slave

• The MAC addresses for all devices in the group

• Whether encryption and authentication are enabled or not

counter Displays the number of sent, received, and dropped

detail Displays general high availability information.

track ip Displays the path tracking status and settings.


��!//%��"

��
��
• The arp count

• The monitor port(s)

• The ha mode

• The session synchronization

• The slave linkup

�� "!

See the set ha and exec ha commands.

��!//%��"

��

��+%�� &�creen device.


��

Description: Use the get hostname command to display the hostname of the NetS

�0��%1get hostname


��)�/��"

51%/4 �"

To display the name of the NetScreen device:

ns-> get hostname

�� "!

See the set hostname command.


��!//%��"

�3��

��-�xchange (IKE).

��

Description: Use the get ike command to display various settings for Internet Key E

�0��%1get ike

{accept-all-proposal |ca-and-type |cert |conn-entry |cookies |gateway [ <ip_addr> | <name_str> ] |heartbeat |id-mode |initial-contact

[all-peers |single-gateway [ <name_str> ] |single-user <name_str>] |

initiator-set-commit |p1-proposal <name_str> |p2-proposal <name_str> |policy-checking |respond-bad-spi |responder-set-commit |single-ike-tunnel <name_str> |soft-lifetime-buffer}


��!//%��"

��

proposals, or only specified

tScreen device.

device.

de

lo interval and the number of

ay (subnet).

tact notification to its IKE peers

2 proposal.

��

��)�/��"

accept-all-proposal Shows if the NetScreen device accepts all incoming preconfigured ones.

ca-and-type Displays the types of certificates supported by the Ne

cert Displays all local certificates loaded in the NetScreen

conn-entry Displays the current IKE connections.

cookies Displays all IKE cookies.

gateway [ <string> ] Shows the following details for all remote gateways:gateway ID numbergateway namegateway IP address, if it uses Main or Aggressive mothe preshared key (if used)all Phase 1 proposalsSpecifying a gateway name displays more details.

heartbeat Displays IKE heartbeat information, including the helheartbeat retries before expiration.

id-mode Shows if the IKE ID mode uses a host (IP) or a gatew

initial-contact Displays if the NetScreen device sends an initial conwhen it reboots.

initiator-set-commit Notes if the commit bit is set when initiating a Phase

��!//%��"

�:��

als or just for the proposal specified:

als or just for the proposal specified:

iffie-Hellman exchangepsulating Security Payload (ESP)

ts must match before a VPN

esponds to a remote peer with a

evice responds to a Phase 2

connections with the specified


��

p1-proposal [ <string> ] Shows the following details of all the Phase 1 proposProposal ID numberProposal nameAuthentication method – preshared key, RSA signature, or DSA signatureDiffie-Hellman Group – 1, 2, or 5ESP encryption algorithm – DES or 3DESESP authentication algorithm – MD5 or SHA-1Key lifetime

p2-proposal [ <string> ] Shows the following details of all the Phase 1 proposProposal ID numberProposal nameDiffie-Hellman Group – 1, 2, or 5; 0 indicates noPerfect Forward Secrecy (PFS), and so there is no DIPSec protocol – Authentication Header (AH) or EncaEncryption algorithm – DES or 3DESAuthentication algorithm – MD5 or SHA-1Key lifetime (in seconds)Key lifesize (in kilobytes)

policy-checking Shows if the access policies for both VPN participanconnection is established.

respond-bad-spi Displays the number of times the NetScreen device rbad security parameter index (SPI).

responder-set-commit Shows if the commit bit is set when the NetScreen dproposal.

single-ike-tunnel Notes if the single-ike-tunnel flag is enabled for VPNremote gateway.

soft-lifetime-buffer Displays the soft-lifetime buffer size (in seconds).


��!//%��"

�8��
��
51%/4 �"

To display all the details of the Phase 1 proposal “sf1”:

ns-> get ike p1-proposal sf1

To display all the currently running IKE connections:

ns-> get ike conn-entry

To display all IKE cookies:

ns-> get ike cookies

�� "!

See the set ike and clear ike commands.

��!//%��"

��

��. ,�erface settings for the

interfaces, refer to Interfaces in

��

Description: Use the get interface command to display the physical and logical intNetScreen device.

�0��%1get interface <name_str>

[dhcp

{relay |server

{ip { allocate | idle } |option}

}screen

[all |attack |counter |info |]

secondary] |


��)�/��"

<interface> The name of the interface. For more information on USGA Features.

��!//%��"

3��

or virtual system) in which you

agent.

er. The ip allocate suboption CP server. The ip idle suboption ding IP address, state, MAC

splays all DHCP options.

rs.

ters.

.


��

51%/4 �"

To display general information for all physical and logical interfaces at the level (rootissue the command:

ns-> get interface

To display detailed information for the trusted interface:

ns-> get interface trust

To display information on secondary interfaces for the DMZ interface:

ns-> get interface dmz secondary

To display information on the DHCP server for interface ethernet2/1:

ns-> get interface ethernet2/1 dhcp server

dhcp Lists DHCP information for the specified interface.

- relay Displays information on the DHCP relay

- server Displays information on the DHCP servdisplays the IP addresses allocated by the DHdisplays information on the DHCP idle IP, incluaddress, and lease time. The option switch di

screen Lists screen information for the specified interface.

- all Lists all screen information.

- attack Displays the screen attack type counte

- counter Displays all screen counters.

- info Displays the screen information type coun

secondary Displays the secondary IP for the specified interface


��!//%��"

3+��
��
�� "!

See the set interface command.

��!//%��"

3��

��/� � enabled or denied.

the TFTP server:


��

Description: Use the get intervlan command to show if intervlan traffic is currently

�0��%1get intervlan


��)�/��"

51%/4 �

To display the current intervlan enable/disable status and send the output to a file on

ns-> get intervlan > tftp 172.16.10.10 outp.txt

�� "!

See the set intervlan-traffic command.


��!//%��"

3��

��'on with the TFTP server. These

evice ends the attempt and

connection.


��

Description: Use the get ip tftp command to display IP parameters for communicatiparameters include:

• The number of times to retry a TFTP communcation before the NetScreen dgenerates an error message.

• The length of time before the NetScreen device terminates an inactive TFTP

�0��%1get ip { tftp }


��)�/��"

.� %� �"

The default number of retries is 10.

The default timeout period is 2 seconds.

51%/4 �

To display IP parameters for TFTP server communication:

ns-> get ip tftp

�� "!

See the set ip tftp command.


��!//%��"

3��

��''%%� pools that can be used for

wing its ID number, its name, and


��

Description: Use the get ippool command to display information about all of the IPassigning addresses via the Layer 2 Tunneling Protocol (L2TP).

�0��%1get ippool [ <name_str> ]


��)�/��"

51%/4 �"

To display the values for all the IP pools:

ns-> get ippool

�� "!

See the set ippool command.

<name_str> Returns information about the specified IP pool, shoits starting and ending IP addresses.


ID IP Pool Start IP End IP

1 pool 1 10.1.1.1 10.1.1.10

2 pool 2 10.1.1.11 10.1.1.20

��!//%��"

33��

��1�'

address, peer host name, L2TP ecified L2TP tunnel.P tunnel.

address, peer host name, L2TP L2TP tunnel.els.


��

Description: Use the get l2tp command to view the L2TP status and settings.

�0��%1get l2tp

{<string> | all

[ active ] |default}


��)�/��"

51%/4 �"

To display the current state of an L2TP tunnel named “home2work”:

ns-> get l2tp home2work active

To display the L2TP default settings:

ns-> get l2tp default

<string> Displays the ID number, tunnel name, user, peer IPtunnel shared secret, and keepalive value for the spactive displays the current state of the specified L2T

all Displays the ID number, tunnel name, user, peer IPtunnel shared secret, and keepalive value for every active displays the current state of all the L2TP tunn

default Displays all the default L2TP settings.


��!//%��"

3��
��
�� "!

See the set l2tp, clear l2tp, and get ippool commands.

��!//%��"

3:��

�� ,� for the 10/100 MAC chips on a

ce command.


��

Description: Use the get lance { info } command to get internal debug informationNetScreen device.

�0��%1get lance { info }


��)�/��"

51%/4 �"

To view 10/100 MAC chip-specific debug information:

ns-> get lance info

�!��"

You can also see the initial part of the get lance info output by using the get interfa


��!//%��"

38��

��,�ol keys on a NetScreen device.


��

Description: Use the get lcd command to view the status of the LCD and the contr

�0��%1get lcd


��)�/��"

51%/4 �"

To view the status of the LCD and control keys:

ns-> get lcd

�� "!

See the set lcd command.


��!//%��"

3��

��%�

��

Description: Use the get log command to display all the entries in the log table.

�0��%1get log

{device-reset |event

[type <number> [ -<number> ] |module { system | all-modules } |

[ level{emergency |alert |critical |error |warning |notification |information |debugging |all-levels}

][ start-time <string> ]

[ end-time <string> ][ include <string> ]

[ exclude <string> ]] |

self | traffic [ policy <pol_num> | <pol_num>-<pol_num> ][ start-time <string> ] [ end-time <string> ]

[ min-duration <string> ] [ max-duration <string> ][ service <name_str> ]

[ src-ip <ip_addr> [ -<ip_addr> ] [ src-netmask <mask> ]

��!//%��"

��

]

. The all-levels option display all

reenOS module that generated

types.

the time specified— the year, in which case the ite the year with either just the last ond can be omitted. Separate the

erscore:

ore the time specified.

ecified.

pecified.

ent.

��

[ src-port <port_num> ]]

[ dst-ip <ip_addr> [ -<ip_addr> [ dst-netmask <mask> ]

][ no-rule-displayed ] |

system [ reversely | saved ] |setting [ module { system | all } ]}


��)�/��"

event Specifies event log entries.

level Specifies the security level of log entries to displaysecurity levels.

module Specifies log entries to display according to the Scthem.

type <number> [ -<number> ] Message type. Enter a specific type, or a range of

start time <string> Displays event log entries that occurred at or after day/month/year hour:minute:second. You can omitcurrent year is assumed, and you can choose to wrtwo digits or with all four. The hour, minute, and secdate from the time with a space, a dash, or an und12/31/2001-23:59:0012/31/2001_23:59:00

end-time <string> Displays event log entries that occurred at and bef

include <string> Displays event log entries that include the detail sp

exclude <string> Displays event log entries that exclude the detail s

begin <string> Displays event log entries that follow a specified ev

traffic Specifies traffic log entries.

��!//%��"

�+��

cified by its ID number or for numbers. The ID number can be lished Access Policies. To define

using this syntax:

was longer than or equal to the

was shorter than or equal to the

uch as TCP, ICMP, FTP, or Any. ple, both TC and CP are Service group, note that because ng TP displays log entries for all

address or range of source IP P address to display traffic entries cified source IP address.ot be specified simultaneously.

ber or range of source port

n IP address or range of net mask for a destination IP nge and destination subnet mask

cess Policy information.


ing> value specifies the name of

��

policy { <pol_num> | <pol_num> - <pol_num> }

Displays traffic log entries for an Access Policy speseveral Access Policies specified by a range of ID any value between 0 and the total number of estaba range, enter the starting and ending ID numbers<pol_num> - <pol_num>

min-duration <string> Displays traffic log entries for traffic whose durationminimum duration specified.

max-duration <string> Displays traffic log entries for traffic whose durationmaximum duration specified.

service <name_str> Displays traffic log entries for a specified Service, sThe name does not have to be complete; for examrecognized as TCP. Although you cannot specify aTP is recognized as FTP, HTTP, and TFTP, enterithree Services.

src-ip { <ip_addr> [ <ip_addr> - <ip_addr> ] }

Displays traffic log entries for a specified source IPaddresses. Include the subnet mask for a source Ifor all IP addresses in the same subnet as the speA source IP range and a source subnet mask cann

src-port { <port_num> | <port_num> - <port_num> }

Displays traffic log entries for a specified port numnumbers.

dst-ip { <ip_addr> [ <ip_addr> - <ip_addr> ] }

Displays traffic log entries for a specified destinatiodestination IP addresses. You can specify the subaddress, but you cannot specify a destination IP rasimultaneously.

no-rule-displayed Displays traffic log entries, but does not display Ac

system Displays current system log information.

system saved Displays saved system log information.


setting Displays log setting information. The module <strthe module for which the log settings apply.

��!//%��"

��

rch 6:

:59:59

00

72.16.20.200:

��

.� %� �"

If no arguments are entered, the get log command displays all log entries.

51%/4 �"

To display all entries in the log table:

ns-> get log

To display the entries in the traffic log table for an Access Policy with ID 3:

ns-> get log traffic policy 3

To display event log entries from 3:00 P.M. on March 4, 2001:

ns-> get log event start-time 03/04/01_15:00

To display event log entries from 3:00 P.M. on March 4, 2001 to 2:59:59 P.M. on Ma

ns-> get log event start-time 03/04/01_15:00 end-time 03/06_14

To display traffic log entries for traffic for a period between 5 minutes and 1 hour:

ns-> get log traffic min-duration 00:05:00 max-duration 01:00:

To display traffic log entries for the range of destination IP addresses 172.16.20.5–1

ns-> get log traffic dst-ip 172.16.20.5-172.16.20.200

To display traffic log entries from the source port 8081:

ns-> get log traffic src-port 8081

To display traffic log entries without displaying Access Policy information:

ns-> get log traffic no-rule-displayed

�� "!

See the clear log command.

��!//%��"

��

��& ,*�� rning table.

ransparent mode.

��

Description: Use the get mac-learn command to display the entries in the MAC lea

�0��%1get mac-learn [ trust | untrust ]

��)�/��"

51%/4 �"

To display all entries in the MAC learning table:

ns-> get mac-learn

To display the MAC learning table entries on the Trusted interface only:

ns-> get mac-learn trust

.� %� �"

None.

�� "!

See the clear mac-learn, get mac-count, and clear mac-count commands.

trust Specifies the trust interface.

untrust Specifies the untrust interface.

Note: This command is available only when the NetScreen-10 device is running in T

��!//%��"

��

��& ��on. You can use this command


��

Use the get master command to display the master device’s configuration informationly on a slave device.

�0��%1get master { config }


��)�/��"

.� %� �"

None.

51%/4 �"

To display information about the master device configuration:

ns-> get master config

�� "!

See the get system command.


��!//%��"

�3��

��&�&%�2s.

umber>.


��

Description: Use the get memory command to display the memory allocation statu

�0��%1get memory

[<id_num> |all |error |free |mempool |used]


��)�/��"

51%/4 �"

To display the memory usage status:

<id_num> Displays the task ID number.

all Displays memory fragments.

error Displays erroneous memory fragments.

free Displays free memory.

mempool Displays pooled memory.

used Displays used memory.

minsize <number> Show all memory fragments that are larger than <n


��!//%��"

��

ted, the amount remaining, and

��

ns-> get memory

To display all erroneous memory fragments:

ns-> get memory error

�!��"

The get memory command displays information about the amount of memory allocathe number of fragments.

��!//%��"

�:��

��&'ons.

t mask address for the Mapped


��

Description: Use the get mip command to display the Mapped IP (MIP) configurati

The get mip command displays the IP address, the host IP address, and the subneIP.

�0��%1get mip [ all ]


��)�/��"

51%/4 �

To display all MIP configurations and direct the output to a file on the TFTP server:

ns-> get mip all > tftp 172.16.10.10 outp.txt

�� "!

See also the set mip command.

all Shows all Mapped IPs for all virtual systems.


��!//%��"

�8��

�� 5- such as the current VPN

��

Description: Use the get natt_ka command to list the NATT keepalive parameters,monitory frequency.

�0��%1get natt_ka

��)�/��"

None.

.� %� �"

None

51%/4 �"

The following command lists the current VPN monitor frequency.

ns-> get natt_ka

�� "!

See the get vpn command.

��!//%��"

��

��'*�(��

lue <number>. The value must


��

Description: Use the get nsp-tunnel command to get the flow tunnel information.

�0��%1get nsp-tunnel [ info <number> ]


��)�/��"

51%/4 �"

To display the flow tunnel information:

ns-> get nsp-tunnel info 0x3

�� "!

See the set nsp-tunnel command.

info <number> Specifies the flow tunnel information with the info vastart with 0x, as with 0x2.


��!//%��"

:��

��' Protocol (NTP).


��

Description: Use the get ntp command to display the settings for the Network Time

�0��%1get ntp


��)�/��"

51%/4 �"

To display the settings for NTP on the NetScreen device:

ns-> get ntp

�� "!

See the set ntp and exec ntp commands.


��!//%��"

:+��

��%�evice operating system.


��

Description: Use the get os command to display mail and task information for the d

Syntax

get os { mail | task <name_str> }[ > tftp <ip_addr> <filename> ]

��)�/��"

51%/4 �"

To display the operating system information:

ns-> get os

�� "!

See the set os command.

mail Displays the mail information.

task <name_str> Displays the task information.


��!//%��"

:��

��'��.%�& �,�formation on the NetScreen

on the TFTP server:


��

�Description: Use the get performance cpu command to retrieve CPU utitlization indevice.

�0��%1get performance { cpu }

[ detail ][ > tftp <ip_addr> <filename> ]

��)�/��"

51%/4 �"

To display the CPU utilization for the NetScreen device and send the output to a file

ns-> get performance cpu > tftp 170.16.10.10 outp.txt

�� "!


detail Displays cpu performance detail.


��!//%��"

:��

��'-’s IP address and e-mail

��

Description: Use the get pki command to show the CA (certificate authority) serveraddress, the certificate administrator’s e-mail address, and the RSA key length.

�0��%1get pki

{authority <id_num>

{cert-status |scep} |

ldap |x509

{cert-path |crl-refresh |dn |list

{ca-cert |cert |local-cert} |

ns-cert |pkcs10 |raw-cn}


��!//%��"

:��

ty (CA). The cert-status option scep option displays information

ss and the default LDAP URL for

n (ITU-T) X.509/PKCS digital

validation level.

cy rate.

en X.509 digital certificate.

creen device.

certificates currently loaded in the

in the NetScreen device.

.

icate.

d generates the file in that ndard.)

enabled or disabled.mand set pki x509 dn name comprising the CN.


��

��)�/��"

authority <id_num> Shows authority references for the Certificat Authoridisplays information on the x509 CA certificate. the on the SCEP server.

ldap Shows the default certificate authority server’s addrethe certificate revocation list (CRL) retrieval.

x509 Specifies an International Telecommunications Uniocertificate for these types:

cert-path Displays the default X509 certificate path

crl-refresh Displays the X.509 CRL refresh frequen

dn Displays the distinguished name on the NetScre

list Displays the X.509 object list loaded in the NetS

ca-cert Displays the certificate authority (CA) X.509 NetScreen device.

cert Displays the X.509 certificates currently loaded

local-cert Displays the local (non-CA) X.509 certificates currently loaded in the NetScreen device

ns-cert Displays the NetScreen device’s X509 certif

pkcs10 Shows the destination of the PKCS10 file anlocation. (PKCS is the Public Key Cryptography Sta

raw-cn Shows if the raw-certificate name feature is The raw-cn is the CN value you specify with the com<name_str>, where <name_str> is a string of characters


��!//%��"

:3��

LDAP server:

ice:

��

51%/4 �"

To display the URL and the IP address or name of the default certificate authority’s

ns-> get pki ldap

To display a list of certificate authority (CA) certificates loaded in the NetScreen dev

ns-> get pki x509 list ca-cert

�� "!

See the set pki command.

��!//%��"

:��

��'%�,2formation.

cy with the ID number <id_num>.

two specified security zones


��

Description: Use the get policy command to display access policy configuration in

�0��%1get policy

[id <id_num> |from <name_str> to <name_str>]


��)�/��"

51%/4 �"

To display all access policy configurations:

ns-> get policy

To display all incoming access policy configurations:

ns-> get policy from trust to untrust

To display detailed information for an access policy with ID number 5:

ns-> get policy id 5

id <id_num> Displays detailed information for the access poli

from <name_str> to <name_str> Displays a summary of access policies between(<name_str> and <name_str>).


��!//%��"

::��
��
�� "!

See the set policy command.

��!//%��"

:8��

��'''%�

��

Description: Use the get pppoe command to configure PPPoE.

�0��%1get pppoe [ configuration | statistics ]

��)�/��"

.� %� �"

None.

51%/4 �"

To get the PPPoE configuration:

ns-> get pppoe configuration

To get the PPPoE statistics:

ns-> get pppoe statistics

�� "!

See the set pppoe, clear pppoe, and exec pppoe commands.

configuration Specifies the configuration options.

statistics Specifies the statistics information.

��!//%��"

:��

��%(��.

ar target IP address is specified.

:

ress <ip_addr>.

d_num>.


��

Description: Use the get route command to display entries in the static route table

�0��%1get route

[id <id_num> |ip <ip_addr>]


��)�/��"

.� %� �"

The get route command displays all entries in the static route table unless a particul

51%/4 �"

To display all the entries in the static route table:

ns-> get route

To display the static route information to a machine with the IP address 172.16.60.1

ns-> get route ip 172.16.60.1

To display the static route information for a route with ID number 477:

ip <ip_addr> Displays a specific static route for the target IP add

id <id_num> Displays a specific static route for the ID number <i


��!//%��"

8��

IP address and interface

of a specified IP address

is format:

ith a particular IP address to the

��

ns-> get route id 477

�� "!

See the set route command.

�!��"

The get route command displays:

• The IP address, netmask, interface, gateway, metric, and flag

• The Flag value is 8000 for a well-known route generated from the interface gateway

• The Flag value is 0000 if the entry uses the gateway from the interface listed

When you specify an IP address in the get route command, the output appears in th

ns-> <ip-addr> => <interface>/<gateway>, <metric>

Use the get route command to find out if the NetScreen device is routing a packet wcorrect interface.

��!//%��"

8+��

�� A) only when you define VPN

entry with the ID number.

g and outgoing packets.thentication has failed.rror conditions other than those

tgoing traffic


��

Description: Use the get sa command to display the IPSec security associations (Spolicies for a manual VPN.

�0��%1get sa

[id <id_num> |[ active | inactive ] [ stat ]]


��)�/��"

51%/4 �"

To display all the IPSec SA entries:

id <number> Displays a specific IPSec Security Association (SA)

active | inactive Displays only active or inactive SAs.

stat Shows the SA statistics for the device.Displays these statistics for all incoming / outgoing SA pairs:Fragment: The total number of fragmented incominAuth-fail: The total number of packets for which auOther: The total number of miscellaneous internal elisted in the auth-fail category.Total Bytes: The amount of active incoming and ou


��!//%��"

8��
��
ns-> get sa

To display a specific IPSec SA entry with ID number 5:

ns-> get sa id 5

�� "!

See the set vpn, set ike, and clear sa-statistics commands.

��!//%��"

8��

��,+��(�� for the NetScreen device.


��

Description: Use the get scheduler command to display the schedules configured

�0��%1get scheduler

[name <name_str> |once |recurrent]


��)�/��"

51%/4 �"

To display all the schedule definitions:

ns-> get scheduler all

To display a specific schedule definition with ID number 0:

ns-> get scheduler id 0

�� "!

See the set scheduler command.

name Displays the schedule of the specified device.

once Displays all one-time schedules.

recurrent Displays all recurrent schedules.


��!//%��"

8��

��,�a secure command shell to a

tive root/VSYS, including the

ey Authenticaion (PKA) using

u must be the root user to execute execute this command.

��

Description: Use the get scs command to display the SCS keys used to establish NetScreen device from a remote system.

�0��%1get scs

[ host-key ] |[ pka-rsa ]

[all |username <name_str> [ index <number> ]

[ > tftp <ip_addr> <filename> ]]

��)�/��"

scs Displays these items:If SCS is enabled or notSCS statusKey regeneration timeCurrent number of SCS connectionsDetails of current connections

host-key Shows the SCS host key (RSA public key) for the acfingerprint of the host key.

pka-rsa Shows current user-specific information on Public KRSA.

all Shows all PKA public keys bound to all users. Yothis option; admin users and read-only users cannot

��!//%��"

83��

device:

ecified user <name_str>. Admin nly if <name_str> identifies the

ser and read-only user to view the s the root user to view the details


��

51%/4 �"

To display all users and keys for the secure command shell feature on a NetScreen

ns-> get scs pka-rsa all

To display PKA public keys for a user named “chris”:

ns-> get scs pka-rsa username chris

�� "!

See the set scs command.

username Shows all PKA public keys bound to a spusers and read-only users can execute this option ocurrent admin user or read-only user. The index <number> parameter allows the admin udetails of a key bound to the user name. It also allowof a key bound to the specified user.


��!//%��"

8��

��/,�.

er-defined, and service group


��

Description: Use the get service command to display the entries in the service list

�0��%1get service

[<name_str>group <name_str> |pre-defined |user]


��)�/��"

.� %� �"

Using the get service command without any arguments displays all pre-defined, usinformation in the service book.

51%/4 �"

To display all entries in the service book:

<name_str> The name of a specific service.

group Displays all service groups.

pre-defined Displays all the pre-defined services.

user Displays all user-defined services.


��!//%��"

8:��
��
ns-> get service

To display all user-defined entries in the service book:

ns-> get service user

To display a specific service named “ftp:”

ns-> get service ftp

�� "!

See the set service command.

��!//%��"

88��

��%�ble.

um> ] ]

> ]

cific session with Session

sions intitated by packets r example, <ip_addr> could be

packet.

sions intitated by packets >.

sions intitated by packets r>.

��

Description: Use the get session command to display the entries in the session ta

�0��%1get session

[id <id_num> |fragment |[ tunnel ]

[ src-ip <ip_addr> [ netmask <mask> ] ][ dst-ip <ip_addr> [ netmask <mask> ] ]

[ src-mac <mac_addr> ] [ dst-mac <mac_addr> ][ protocol <ptcl_num> [ <ptcl_num> ] ]

[ src-port <port_num> [ <port_num> ] ][ dst-port <port_num> [ <port_n

][ > tftp <ip_addr> <filename

��)�/��"

id <id_num> Directs the NetScreen device to clear a speIdentification number <id_num>.

fragment Displays fragment sessions.

tunnel Displays VPN tunnel sessions.

src-ip <ip_addr> Directs the NetScreen device to clear all sescontaining source IP address <ip_addr>. Fothe source IP address in the first TCP SYN

dst-ip <ip_addr> Directs the NetScreen device to clear all sescontaining destination IP address <ip_addr

src-mac <mac_addr> Directs the NetScreen device to clear all sescontaining source MAC address <mac_add

��!//%��"

8��

l entries in the session table by

rough 5:

sions intitated by packets addr>.

sions that use protocol

ange (<ptcl_num> <ptcl_num>).

sions intitated by packets that in the layer 4 protocol header. port within a range (<port_num>

sions intitated by packets that um> in the layer 4 protocol

port within a range (<port_num>

��

.� %� �"

If no arguments are specified, the get session command displays information for aldefault.

51%/4 �"

To display all the entries in the session table:

ns-> get session

To display all the entries in the session table for a specific source IP address:

ns-> get session src-ip 172.16.10.92

To display all the entries in the session table for port 80:

ns-> get session dst-port 80

To display all the entries in the session table for protocol 5 and for source ports 2 th

dst-mac <mac_addr> Directs the NetScreen device to clear all sescontaining destination MAC address <mac_

protocol <ptcl_num> [ <ptcl_num> ] Directs the NetScreen device to clear all ses<ptcl_num>.You can also specify any protocol within a r

src-port <port_num> [ <port_num> ] Directs the NetScreen device to clear all sescontain the layer 4 source port <port_num>You can also specify any layer 4 destination<port_num>).

dst-port <port_num> [ <port_num> ] Directs the NetScreen device to clear all sescontain the layer 4 destination port <port_nheader.You can also specify any layer 4 destination<port_num>).

��!//%��"

��
��
ns-> get session protocol 5 src-port 2 5

To display the session table entry for the session with ID 5116:

ns-> get session id 5116

�� "!

See the clear session command.

�!��"

The get session command displays:

• The Network Address Translation (NAT) mode

• The sessions in the normal session table

• The sessions in the external session table

• The packets coming into the session’s trusted IP address

• The packets going out of the untrusted IP address

• The currently active normal and external sessions

• The session’s ID number in the session table.

• The pseudo port, flag, and PID for the session

• The load-balancing server index

• The vector ID (VID)

• The session timeout specification

• The Gateway IP address

• The session’s security association

��!//%��"

�+��

��&' for Simple Network

MP community.

ame and physical location of the

Disabled).


��

Description: Use the get snmp command to display the NetScreen device settingsManagement Protocol (SNMP).

�0��%1get snmp

{auth-trap |community <name_str> |settings |vpn}


��)�/��"

51%/4 �"

To display the settings for an SNMP community named “public:”

ns-> get snmp community public

To display the settings for all the communities:

ns-> get snmp all

auth-trap Displays the status of SNMP authentication traps.

community <name_str> Displays the permissions assigned to the named SN

settings Displays the name of the contact person, and the nNetScreen device.

vpn Displays SNMP VPN encryption status (Enabled or


��!//%��"

��

NetScreen device:

��

To display the name of the contact person and the name and physical location of the

ns-> get snmp settings

�� "!

See the set snmp command.

��!//%��"

��

��%,-��creen device.


��

Description: Use the get socket command to display socket information on a NetS

�0��%1get socket [ id <id_num> ]


��)�/��"

��%� %�� 0

All NetScreen device models support this feature.

51%/4 �"

To display socket information:

ns-> get socket

To display the information concerning socket 3001:

ns-> get socket id 3001

�� "!

See the set socket command.

id Displays the socket ID value.


��!//%��"

��

��%.�0 ��*-�2ation on the NetScreen device.


��

Description: Use the get software-key command to display the software-key inform

�0��%1get software-key


��)�/��"

51%/4 �"

To display the software key on a Netscreen device:

ns-> get software-key

�� "!

See the set software-key command.

�!��

The get software-key command displays this information:

• VSYS key

• NSRP key

• Maximum number of virtual systems allowed

• Whether NSRP is enabled


��!//%��"

�3��

��on a NetScreen device.


��

Description: Use the get ssl command to display the Secure Socket Layers (SSL)

�0��%1get ssl [ cert-list ]


��)�/��"

51%/4 �"

To display the SSL information on a NetScreen device:

ns-> get ssl

To display the SSL certicate list:

ns-> get ssl cert-list

�� "!

See the set ssl command.

cert-list Displays currently available certificates.


��!//%��"

��

��2��%�

r virtual private network.

or not.

log server.


��

Description: Use the get syslog command to display the syslog configuration.

�0��%1get syslog

[VPN |config enable |port |traffic]


��)�/��"

51%/4 �"

To display all syslog configuration information:

ns-> get syslog

To display whether the syslog mechanism has been configured or not:

vpn Shows if syslog encryption is enabled for a particula

config Shows whether the syslog mechanism is configured

enable Shows whether syslog is enabled or not.

port Displays the port used to communicate with the sys

traffic Indicates whether the traffic log is sent to syslog.


��!//%��"

�:��
��
ns-> get syslog config

To display whether the syslog mechanism is enabled or not:

ns-> get syslog enable

To display the port used to communicated with the syslog server:

ns-> get syslog port

To display if sending the traffic log through syslog is enabled or not:

ns-> get syslog traffic

To display if communication with the Webtrends server is enabled or not:

ns-> get syslog webtrends

�� "!

See the set syslog command.

��!//%��"

�8��

��2��&


��

Description: Use the get system command to display general system information.

�0��%1get system


��)�/��"

51%/4 �"

To display the general system information:

ns-> get system

�� "!

See the set admin and set interface commands.


��!//%��"

��

��,+*�(''%�� troubleshooting the NetScreen


��

Description: Use the get tech-support command to display system information fordevice.

�0��%1get tech-support


��)�/��"

51%/4 �"

To display information for troubleshooting purposes:

ns-> get tech-support

�� "!



��!//%��"

+��

��&'�� (��rature, and the normal and


��

Description: Use the get temperature command to view the current system tempesevere temperature thresholds for triggering temperature alarms.

�0��%1get temperature


��)�/��"

.� %� �"

The default temperature thresholds in Fahrenheit and Celsius are as follows:

• Normal alarm temperature threshold: 113° Fahrenheit, 50° Celsius

• Severe alarm temperature threshold: 122° Fahrenheit, 60° Celsius

51%/4 �"

To view the temperature settings:

ns-> get temperature

�!��

The output is displayed as shown below:

Current system temperature is 113’F, 45’C.The normal alarm temperature is 122’F, 50’C.The severe alarm temperature is 140’F, 60’C.


��!//%��"

+�+��

��&��


��

Description: Use the get timer command to display the current timer settings.

�0��%1get timer


��)�/��"

51%/4 �"

To display the timer settings:

ns-> get timer

�� "!

See the set timer command.


��!//%��"

+��

�� ..,*�+ '��nformation device interfaces. If

��

��Description: Use the get traffic-shaping command to display traffic management ino interface name is specified, the information for all interfaces is displayed.

�0��%1get traffic-shaping

{interface [ <name_str> ] |ip_precedence |mode}

��)�/��"

51%/4 �"

To display traffic management information for all interfaces:

ns-> get traffic-shaping interface

�� "!

See the get interface command.

<name_str> Defines the name of the interface.

interface Displays the traffic shaping info for an interface.

ip_precedence Displays the priority to IP precedence (TOS) mapping.

mode Displays the traffic shaping mode.

��!//%��"

+��

��(��*.��ion settings.

ebsense server does not g in the status line of the CLI,

er the request is received. The


��

Description: Use the get url-filter command to display the URL blocking configurat

�0��%1get url-filter


��)�/��"

51%/4 �"

To display information about the URL blocking settings:

ns-> get url-filter

�� "!

See the set url command.

�!��"

NetScreen monitors the status of the Websense server once a minute. When the Wrespond, this is reported in the WebUI. Also, an entry is added to the Event Alarm loand all URL requests are blocked.

All sessions waiting to be acknowledged by the Websense server are listed in the ordwaiting queue can have a maximum of 256 requests.


��!//%��"

+��

��(��e.

>:

domain name

ternal user database:

domain name

��

Description: Use the get user command to display the user authentication databas

�0��%1get user { <name_str> | all | id <id_num> }


��)�/��"

<name_str> Displays this information with the name <name_str

- User ID number

- User name

- Status (enabled or disabled)

- Type: manual, auth, ike 12tp, auth/ike, auth/12tp, auth/ike/12tp, ike/12tp

- IKE ID types – email address, IP address, or

- IKE identities

- Manual Key settings

- Remote L2TP settings

all Displays a this information for all the entries in the in

- User ID number

- User name

- Status (enabled or disabled)

- User type

- IKE ID types – email address, IP address, or

- IKE identities

- Manual Key settings

��!//%��"

+�3��

r <name_str> option.


��

51%/4 �"

To display a particular user named “roger”:

ns-> get user roger

To display all the users in the NetScreen internal database:

ns-> get user all

To display a particular user with user ID “10”:

ns-> get user id 10

�� "!

See the set user command.

id <id_num> Displays the same information as does the get use


��!//%��"

+��

��/'settings.

Ps by default.

traffic to VIPs.

s balanced distribution of currently


��

Description: Use the get vip command to display the Virtual IP (VIP) configuration

�0��%1get vip

[server |session]


��)�/��"

.� %� �"

If no server or session is specified, the get vip command displays all configured VI

51%/4 �"

To display all the configured VIPs:

ns-> get vip

�� "!

See the set vip command.

server Displays the load balance status of servers receiving

session Displays the load balance session table, which showactive VIP sessions.


��!//%��"

+�:��

��/'�nfigurations.

Key IKE VPN with the name

ng the VPN

losed

ation about the VPN. For

��

Description: Use the get vpn command to display Virtual Private Network (VPN) co

�0��%1get vpn

[<name_str> [ detail ] |auto |manual |proxy-id]


��)�/��"

<name_str> Displays the following information for a specific Auto<name_str>:

- VPN name and VPN gateway name

- IPSec mode—tunnel or transport

- Replay protection (enabled or disabled)

- Phase 2 proposals

- VPN monitoring (enabled or disabled)

- The number of access policies using the VPN

- The number of security associations (SAs) usi

- The idle timeout value after which the VPN is c

- A 16-bit VPN flag that provides internal informdebugging purposes only.

��!//%��"

+�8��

ual Key VPN with the name

PI) numbers

ng the VPN

debugging purposes

ncapsulating Security Payload

s employed, any passwords used eys, and the keys themselves

encryption and authentication of the incoming and outgoing

ation consists of local and remote services provided.


��

51%/4 �"

To display all VPN definitions:

ns-> get vpn

To display a VPN named “branch”:

ns-> get vpn branch

To display all AutoKey IKE VPNs:

ns-> get vpn auto

Displays the following information for a specific Man<string>:

- Local and remote security parameter index (S

- The number of security associations (SAs) usi

- An 8-bit flag indicating internal information for

- The IPSec protocol used in the VPN—either E(ESP) or Authentication Header (AH)

- The encryption and/or authentication algorithmto generate encryption and/or authentication k

- VPN monitoring (enabled or disabled)

detail Provides a detailed profile of the VPN, including the keys, its current state of activity, and the ID numbersaccess policies that reference the VPN.

manual Displays all Manual Key VPNs.

auto Displays all AutoKey IKE VPNs.

proxy-id Displays proxy-id configurations. A proxy-id configuraddresses used by a VPN tunnel, and specifies the


��!//%��"

+��
��
To display all Manual Key VPNs:

ns-> get vpn manual

To display all proxy-id configurations:

ns-> get vpn proxy-id

�� "!

See the set vpn command.

��!//%��"

++��

��/'�&%��%�s.


��

Description: Use the get vpnmonitor command to display VPN Monitor parameter

�0��%1get vpnmonitor


��)�/��"

51%/4 �"


ns-> get vpnmonitor

�� "!

See the set vpnmonitor command.


��!//%��"

+++��

��/�%(��

<id_num> parameter displays the parameter displays the route

��

Description: Use the set vrouter command to configure a virtual router.

�0��%1get vrouter

[<name_str>

[interface |route

{id <id_num> |ip <ip_addr>} |

rule |zone]

]

unset config

��)�/��"

<name_str> The name of the virtual router.

interface Displays the interface entries in the virtual router.

route Displays the contents of the routing table. The id route identified by an ID number. The <ip_addr> identified by an IP address.

rule Displays the import and export rules.

zone Displays the zones bound to the virtual router.

��!//%��"

++��
��
51%/4 �"

To display the interface entries in a virtual router named Marketing:

ns-> get vrouter Marketing interface

To display the route with ID of 1 in the untrust-vr virtual router:

ns-> get vrouter untrust-vr route id 1

�� "!

See the set vrouter command.

��!//%��"

++��

��/�2�he virtual systems on a

ted with the SIF, and the IP

m with the name <name_str>.


��

Description: Use the get vsys command to display a specific virtual system or all tNetScreen device.

�0��%1get vsys [ <name_str> ]


��)�/��"

51%/4 �"

To display all virtual systems on the NetScreen-1000 device:

ns-> get vsys

To display the sub-interface (SIF) identifying number, the name of the VLAN associaaddress and netmask for a virtual system named “organization3”:

ns-> get vsys organization3

�� "!

See the set interface, set vsys, enter vsys, and exit commands.

<name_str> Displays the configuration settings for a virtual syste


��!//%��"

++��

��0�)��ttings.


��

Description: Use the get webtrends command to display the WebTrends server se

�0��%1get webtrends


��)�/��"

51%/4 �"

To display the WeTrends server settings:

ns-> get webtrends

�� "!

See the set webtrends command.


��!//%��"

++3��

��3%��s.

e Security Zones in USGA

��

Description: Use the get zone command to display information about security zone

�0��%1get zone [ id <id_num> | <name_str> | all ]

��)�/��"

51%/4 �"

To create a new Layer-2 zone named Marketing, with VLAN ID number 3:

ns-> set zone name Marketing L2 3

To impose inter-zone blocking on the Trust zone:

ns-> set zone trust block

To create a tunnel zone named Engineering:

ns-> set zone name Engineering tunnel Tunn_Zone

�� "!

See the get config command.

id <id_num> The identification number of the zone.

<name_str> The name of the zone. For more information on zones, seFeatures.

all Displays information on all zones.

��!//%��"

++��
��

�

+��

�

ored in memory, and remove

you may find that certain l. A good example is the clear reen-500 device.

��

�� %&& ��

Use the clear commands to remove data stored in log tables, remove information stinformation stored on the flash card.

Note: As you execute CLI commands using the syntax descriptions in this chapter,commands and command features are unavailable on your NetScreen device modepppoe command, which is available on a NetScreen-208 device, but not on a NetSc

�� %��!//%��"

��

,�� &�ation.

��

Description: Use the clear admin command to remove remote administrator inform

�0��%1clear admin { user { cache | login } }

��)�/��"

51%/4 �"

To clear the profiles for all remote administrators:

ns-> clear admin user cache

�� "!

See the get admin command.

cache Remote admin users

login Current users of all the login sessions

�� %��!//%��"

��

,�� &

cified. The format for <string> is:

ress the year with using the last nal. The delimiter between the

y specified by its ID number or for The ID number can be any value ies. To define a range, enter the um>

��

Description: Use the clear alarm command to clear the entries in the alarm table.

�0��%1clear alarm

{event [ end-time <string> ] |traffic

[ policy { <id_num> [ -<id_num> ] } ][ end-time <string> ]

}

��)�/��"

event Specifies entries in the event alarm table.

traffic Specifies entries in the traffic alarm table.

end-time <string> Clears alarm entries that occurred at and before the time spemm/dd[/yy-hh:mm:ss.You can omit the year (the current year is the default), or exptwo digits or all four. The hour, minute, and second are optiodate and the time can be a dash or an underscore:12/31/2001-23:59:0012/31/2001_23:59:00

policy Clears entries from the traffic alarm table for an Access Policseveral Access Policies specified by a range of ID numbers.between 0 and the total number of established Access Policstarting and ending ID numbers as follows: <id_num>-<id_n

�� %��!//%��"

��

h the event alarm table and the

ble:

c alarm table:

ble:

��

.� %� �"

If you specify no arguments, the clear alarm command removes all entries from bottraffic alarm table.

51%/4 �"

To clear all entries in the event alarm table:

ns-> clear alarm event

To clear all entries in the traffic alarm table:

ns-> clear alarm traffic

To clear alarm entries for an Access Policy with ID number 4 from the traffic alarm ta

ns-> clear alarm traffic policy 4

To clear alarm entries for Access Policies within the ID range of 5 to 8 from the traffi

ns-> clear alarm traffic policy 5-8

To clear alarm entries at or before July 15, 2000 11:00 A.M. from the traffic alarm ta

ns-> clear alarm traffic end-time 07/15/00-11:00

�� "!

See the get alarm command.

�� %��!//%��"

3��

,�� ' Protocol (ARP) table.

��

Description: Use the clear arp command to clear entries in the Address Resolution

�0��%1clear arp

��)�/��"

None.

51%/4 �"

To clear the entries in the ARP table:

ns-> clear arp

�� "!

See the get arp command.

�� %��!//%��"

��

�� (�)��* � �&on a NetScreen device.

��

,�� Description: Use the clear audible-alarm command to turn off an alarm sounding

�0��%1clear audible-alarm

��)�/��"

None.

51%/4 �"

To turn off an audible alarm:

ns-> clear audible-alarm

�� "!

See the set audible-alarm and get audible-alarm commands.

�� %��!//%��"

:��

,�� (�+ stores the ongoing

nts and timeout values.

��

Description: Use the clear auth command to clear the authentication queue whichauthentication process.

�0��%1clear auth [ history ]

��)�/��"

51%/4 �"

To clear all entries in the authentication table:

ns-> clear auth

To clear user authentication history:

ns-> clear auth history

�� "!

See the get auth and set auth commands.

history Clears the authentication history which stores the authenticated eve

�� %��!//%��"

8��

,�� ,%(��

vailability (HA) link between two the number of packets and packet

rameter specifies the name of a er to Interfaces in USGA

��

Description: Use the clear counter command to clear interface and flow counters.

�0��%1clear counter

{all |hascreen [ interface <interface> ]}

��)�/��"

51%/4 �"

To clear the ha counter:

ns-> clear counter ha

�� "!

See the get counter command.

ha Specifies counters for packets transmitted across a high-aNetScreen devices. An HA-level inspection keeps count of errors.

screen Clears the screen counters. The interface <interface> paparticular interface. For more information on interfaces, refFeatures.

�� %��!//%��"

��

,�� ,�2'�% key) as FIPS requires when

��

Description: Use the clear crypto command to delete the crypto file (image signingyou want to reset the whole NetScreen device.

�0��%1clear crypto { auth-key | file }

��)�/��"

51%/4 �"

To clear the crypto authentication key:

ns-> clear crypto auth-key

To clear the crypto file:

ns-> clear crypto file

�� "!

See the ping crypto and trace-route crypto commands.

auth-key Deletes the image authentication key.

file Deletes all crypto files.

�� %��!//%��"

+��

,�� )(.r.

��

Description: Use the clear dbuf command to clear the contents of the debug buffe

�0��%1clear dbuf

��)�/��"

None.

51%/4 �"

To clear the contents of the debug buffer:

ns-> clear dbuf

�� "!

See the get dbuf and set console commands.

�� %��!//%��"

++��

,�� +,'n device is using for its can also use clear dhcp to l of IP addresses, or to return all

r:

device untrusted interface.

information on interfaces, refer to

��

Description: Use the clear dhcp command to release the IP address the NetScreeuntrusted interface. The device obtains this IP address from the DHCP server. You return a specific IP address to the Dynamic Host Configuration Protocol (DHCP) pooIP addresses to the pool.

�0��%1clear dhcp

{client |server { <interface> }}

��)�/��"

51%/4 �"

To release the IP address that the NetScreen device obtained from the DHCP serve

ns-> clear dhcp client

To return the IP address for interface ethernet1 to the DHCP server pool:

ns-> clear dhcp server ethernet1

To return the IP address for interface ethernet3/1 to the DHCP server pool:

ns-> clear dhcp server ethernet3/1

client Clears the DHCP client IP which obtained by the NetScreen

server <interface> Clears the IP in the DHCP server IP address pool. For more Interfaces in USGA Features.

�� %��!//%��"

+��
��
�� "!

See the set dhcp, unset dhcp, get dhcp, and exec dhcp client commands.

�� %��!//%��"

+��

,��

��

Description: Use the clear dns command to clear the DNS cache table.

�0��%1clear dns

��)�/��"

None.

51%/4 �"

To clear the dns cache table:

ns-> clear dns

�� "!

See the set dns, unset dns, get dns, and exec dns commands.

�� %��!//%��"

+��

,�� .�� memory.

h card memory.

��

Description: Use the clear file command to delete a specific file from the flash card

�0��%1clear file <dev_name>:<filename>

��)�/��"

51%/4 �"

To delete a file named myconfig in the flash memory on the memory board:

ns-> clear file flash:myconfig

�� "!

See the get file command.

<dev_name>:<filename> Deletes the file with the name <filename> from the flas

�� %��!//%��"

+3��

,�� -�*,%%-� Key Exchange (IKE) cookie

��

Description: Use the clear ike-cookie command to clear the entries in the Internettable.

�0��%1

clear ike-cookie { <ip_addr> | all }

��)�/��"

51%/4 �"

To clear all entries in the IKE cookie table:

ns-> clear ike-cookie all

To clear entries for IP address 100.2.30.1 in the IKE cookies table:

ns-> clear ike-cookie 100.2.30.1

�� "!

See the set ike, unset ike, and get ike commands.

<ip_addr> Clear the entries for IP address <ip_addr> in the IKE cookie table.

all Clears all entries in the IKE cookie table.

�� %��!//%��"

+��

,�� 1�'r a specific L2TP tunnel whose

��

Description: Use the clear l2tp command to remove all of the active L2TP tunnels opeer is at specified IP addresses.

�0��%1clear l2tp { all | ip <ip_addr> }

��)�/��"

51%/4 �"

To clear all active L2TP tunnels:

ns-> clear l2tp all

To clear the l2tp tunnel whose peer is at IP 1.1.1.1:

ns-> clear L2TP ip 1.1.1.1

�� "!

See the set l2tp, unset l2tp, get l2tp, and unset l2tp commands.

all Clears all active L2TP tunnels.

ip <ip_addr> Specifies the peer IP address.

�� %��!//%��"

+:��

,�� red to signal that alarm attack. an event alarm or a firewall

��

Description: When either an event alarm or a firewall attack occurs, the LED glowsUse the clear led command to return an ALARM or FW (firewall) LED to green afterattack occurs.

�0��%1clear led { alarm | firewall }

��)�/��"

51%/4 �"

To return the FW LED to green after a firewall attack occurs:

ns-> clear led firewall

To change the ALARM LED to green after an event alarm occurs:

ns-> clear led alarm

alarm Specifies the ALARM LED.

firewall Specifies the firewall (FW) LED.

�� %��!//%��"

+8��

,�� %�

efore the time specified. The

is the default), or express the year he hour, minute, and second are

and the time can be a dash or an

��

Description: Use the clear log command to clear the entries in the log table.

�0��%1clear log

{event [ end-time <string> ] |self [ end-time <string> ] |system [ saved ] |traffic

[ policy { <id_num>-<id_num> | <id_num> } ][ end-time <string> ]

}

��)�/��"

event Clears event entries from the log.

self Clears self-log entries from the log.

traffic Clears traffic entries from the log.

end-time <string> Clears log entries that occurred at and bformat for <string> is:mm/dd[/yy-hh:mm:ss.You can omit the year (the current year with using the last two digits or all four. Toptional. The delimiter between the dateunderscore:12/31/2001-23:59:0012/31/2001_23:59:00

�� %��!//%��"

+��

ccess policies ranging from ID

for the access policy with ID

the range of specified ID numbers.

��

51%/4 �"

To clear entries in the event log:

ns-> clear log event

To clear all entries in the traffic log:

ns-> clear log traffic

To clear all entries for an access policy with ID number 4 in the traffic log:

ns-> clear log traffic policy 4

To clear event log entries that occurred at or before 5:00 P.M. April 10, 2000:

ns-> clear log event end-time 04/10/00-17:00

To clear traffic log entries that occurred at or before 3:15 P.M. on June 3, 2001 for a5–10:

ns-> clear log traffic policy 5-10 end-time 06/03/01_15:15

�� "!

See the get log command.

policy <id_num>-<id_num> | <id_num> Clears the traffic entries in the log table number <id_num> - <id_num> or <id_num>, or for access policies within

�� %��!//%��"

��

,�� & ,*�� ccess Control (MAC) learning ode.

��

Description: Use the clear mac-learn command to clear the entries in the Media Atable. This command functions only when the NetScreen device is in Transparent m

�0��%1clear mac-learn [ stats ]

��)�/��"

51%/4 �"

To clear the statistics in the MAC learning table:

ns-> clear mac-learn stats

�� "!

See the get mac-learn, get mac-count, and clear mac-count commands.

stats Clears the MAC learning table statistics.

�� %��!//%��"

�+��

� ��%��5��,��sing SecurID to authenticate

erface IP address changes, it is ACE server.

server:

g with the ACE Server. If this lid. Use the clear node_secret

e SecurID server.

��

,�Description: Use the clear node_secret command when the NetScreen device is uusers and is not communicating properly with the ACE Server. If the system IP or intnecessary to clear and reset the node secret on both the NetScreen device and the

�0��%1clear node_secret

[ ipaddr <ip_addr> ]

��)�/��"

.� %� �"

None.

51%/4 �"

To clear and prompt the NetScreen device to request the node secret from the ACE

ns-> clear node_secret

�!��"

If you remove, move, or reconfigure a NetScreen device, it might stop communicatinhappens, the ACE Server log displays a message saying that the node secret is invacommand to resynchronize communication between the two.

ipaddr <ip_addr> Specifies the outgoing IP address for communication with th

�� %��!//%��"

��

s possible. When the first he NetScreen device stores the

, the unset all command does not

IP address or if the ACE server

��

The node secret bit tells the ACE server to negotiate an encryption secret as soon asuccessful authentication occurs, the ACE server negotiates an encryption secret. Tnode secret in nonvolatile memory.

Caution

Because the node secret does not reside in the configurationclear it.Reset the node secret whenever you change the NetScreen administrator deletes and recreates the client.

�� %��!//%��"

��

,�� '''%�

��

Description: Use the clear pppoe command to reset PPPoE statistical registers.

�0��%1clear pppoe

��)�/��"�

None.

51%/4 �"

To reset the statistics for the PPPoE connection:

ns-> clear pppoe

�� "!

See set pppoe, unset pppoe, get pppoe, and exec pppoe commands.

�� %��!//%��"

��

,�� curity Association (SA).

��

Description: Use the clear sa command to clear the IKE value for the specified Se

�0��%1clear sa { <number> }

��)�/��"

51%/4 �"

To clear the IKE value for SA 2:

ns-> clear sa 2

�� "!

See the clear sa-statistics and the get sa commands.

<number> Specifies the SA index number.

�� %��!//%��"

�3��

,�� *�� h as number of fragmentations VPN tunnel.

��

Description: Use the clear sa-stat command to clear all statistical information (sucand total bytes through the tunnel) in a Security Association (SA) for an AutoKey IKE

�0��%1clear sa-stat [ id <id_num> ]

��)�/��"

51%/4 �"

To clear the SA statistics for SA 2:

ns-> clear sa-stat id 2

To clear the SA statistics for all security associations:

ns-> clear sa-stat

�� "!

See the clear sa and the get sa commands.

id <id_num> Clears statistics in a particular Security Association.

�� %��!//%��"

��

,�� %�ice’s session table.

ssions.

cific session with Session

ssions intitated by packets or example, <ip_addr> could be packet.

ssions intitated by packets >.

ssions intitated by packets r>.

ssions intitated by packets addr>.

��

Description: Use the clear session command to clear entries in the NetScreen dev

�0��%1clear session

[all |id <id_num> |[ src-ip <ip_addr> [ netmask <mask> ] ]

[ dst-ip <ip_addr> [ netmask <mask> ] ][ src-mac <mac_addr> ] [ dst-mac <mac_addr> ]

[ protocol <ptcl_num> [ <ptcl_num> ] ][ src-port <port_num> [ <port_num> ] ]

[ dst-port <port_num> [ <port_num> ] ][ vsd-id <id_num> ]

]

��)�/��"

all Directs the NetScreen device to clear all se

id <id_num> Directs the NetScreen device to clear a speIdentification number <id_num>.

src-ip <ip_addr> Directs the NetScreen device to clear all secontaining source IP address <ip_addr>. Fthe source IP address in the first TCP SYN

dst-ip <ip_addr> Directs the NetScreen device to clear all secontaining destination IP address <ip_addr

src-mac <mac_addr> Directs the NetScreen device to clear all secontaining source MAC address <mac_add

dst-mac <mac_addr> Directs the NetScreen device to clear all secontaining destination MAC address <mac_

�� %��!//%��"

�:��

address 172.16.10.12:

ssions that use protocol

ange (<ptcl_num> <ptcl_num>).

ssions intitated by packets that in the layer 4 protocol header. port within a range (<port_num>

ssions intitated by packets that um> in the layer 4 protocol

port within a range (<port_num>

ssions that belong the VSD group

��

51%/4 �"

To clear all entries in the session table:

ns-> clear session

To clear all sessions belonging to VSD group 2001, and initiated from the host at IP

ns-> clear session src-ip 172.16.10.12 vsd-id 2001

�� "!

See the get session command.

protocol <ptcl_num> [ <ptcl_num> ] Directs the NetScreen device to clear all se<ptcl_num>.You can also specify any protocol within a r

src-port <port_num> [ <port_num> ] Directs the NetScreen device to clear all secontain the layer 4 source port <port_num>You can also specify any layer 4 destination<port_num>).

dst-port <port_num> [ <port_num> ] Directs the NetScreen device to clear all secontain the layer 4 destination port <port_nheader.You can also specify any layer 4 destination<port_num>).

vsd-id <id_num> Directs the NetScreen device to clear all se<id_num>.

�� %��!//%��"

�8��

,�� (��air.

erface> <interface>.

��

Description: Use the clear url command to disable URL blocking for an interface p

�0��%1clear url { no-block { <interface> { <interface> } } }

��)�/��"

51%/4 �"

To remove URL blocking for the interfaces ethernet1 and ethernet2:

ns-> clear url no-block ethernet1 ethernet2

�� "!

See the get file command.

no-block <interface> <interface> Disables URL blocking for the inteface pair <int

3

+��

�

ies.

you may find that certain l. A good example is the exec reen-500 device.

��

�,�� %(��%&& ��

This chapter contains miscellaneous commands that do not fit into the other categor

Note: As you execute CLI commands using the syntax descriptions in this manual,commands and command features are unavailable on your NetScreen device modepppoe command, which is available on a NetScreen-208 device, but not on a NetSc

3�&�"�� %��!�"�!//%��"

��

�4�,��+,'m a DHCP server.

��

Description: Use the exec dhcp command to renew the lease for an IP address fro

�0��%1exec dhcp

{client { renew } |server { sync }}

��)�/��"

51%/4 �"

To renew a lease for an IP address from the DHCP server immediately:

ns-> exec dhcp client renew

�� "!

See the set dhcp, get dhcp, and clear dhcp commands.

client Executes the DHCP client.

server Executes the DHCP server.

renew Renews the DHCP client lease.

sync Syncs the DHCP server IP allocation (for HA).

3�&�"�� %��!�"�!//%��"

��

s, the system administrator can boots. The NetScreen device

��

�!��"

The exec dhcp command can be useful if the DHCP server fails. When this happenrequest a new lease for the NetScreen device immediately after the DHCP server remay or may not be assigned the same IP address it used on the previous lease.

3�&�"�� %��!�"�!//%��"

��

�4�,��

��

Description: Use the exec dns command to refresh all DNS entries.

�0��%1exec dns { refresh }

��)�/��"

51%/4 �"

To refresh all DNS entries:

ns-> exec dns refresh

�� "!

See the set dns, unset dns, get dns, and clear dns commands.

refresh Refreshes all DNS entries.

3�&�"�� %��!�"�!//%��"

3��

�4�,�+ unit. Execute this command in

er unit to a backup unit. Executing files.

��

Description: Use the exec ha command to copy files from a master unit to a backupthe master unit.

�0��%1exec ha { file-sync [ <filename> ] }

��)�/��"

51%/4 �"

To copy all files from the master unit to a backup unit:

ns-> exec ha file-sync

To copy the environment variable records from the master unit to a backup unit:

ns-> exec ha file-sync envar.rec

The command cannot take effect until you reboot the backup unit.

ns-> rebootns-> configuration modified, save? [y]/n nns-> system reset, are you sure? y/[n] y

�� "!

See the set ha, unset ha, and get ha commands.

file-sync <filename> Specifies the name of a particular file to copy from the mastthis command without specifying a file name copies all the

3�&�"�� %��!�"�!//%��"

��

�4�,��'ice clock using Network Time

the time setting on an NTP server.

��

Description: Use the exec ntp command to immediately update the NetScreen devProtocol (NTP).

�0��%1exec ntp { update }

��)�/��"

51%/4 �"

To update the NetScreen device time by synchronizing it with the NTP server:

ns-> exec ntp update

�� "!

See the set ntp, unset ntp, and get ntp commands.

update Updates the time setting on a NetScreen device to synchronize it with

3�&�"�� %��!�"�!//%��"

:��

�4�,�'��her system.

<name_str>.

formation on interfaces, refer to

��

Description: Use the exec ping command to check the network connection to anot

�0��%1exec ping [ <ip_addr> | <name_str> ]

[ count <number> [ size <number> [ time-out <number> ] ] ][ from <interface> ]

��)�/��"

51%/4 �"

To ping a host with IP address 172.16.11.2:

ns-> exec ping 172.16.11.2

To ping a host with IP address 192.168.11.2 and have the results sent to 10.1.1.3:

ns-> exec ping 192.168.11.2 from mip 10.1.1.3

To ping a host with IP address 172.16.11.2 from interface ethernet2:

ns-> exec ping 172.16.11.2 from ethernet2

<ip_addr> | <name_str> Pings the host with the IP address <ip_addr> or name

count <number> The ping count.

size <number> The packet size for each ping.

time-out <number> The ping timeout in seconds.

from <interface> The source interface for an extended ping. For more inInterfaces in USGA Features.

3�&�"�� %��!�"�!//%��"

8��

usted network from any of the

��

�!��"

An extended ping (using the from option) allows the user to ping a host on the UntrMIPs or from the Trusted interface IP address.

3�&�"�� %��!�"�!//%��"

��

�4�,�'- X.509 certificate requests and

d bit length. Key length is 512,

d bit length. Key length is 512,

en device.

quest for the NetScreen device.

��

Description: Use the exec pki commands to manage RSA key pair generation andremovals for public-key infrastructure (PKI).

�0��%1exec pki

{convert-cert |dsa new-key <key_num> |rsa new-key <key_num> |x509

{delete <number> |pkcs10 |tftp <ip_addr>

{cert-name <name_str> |crl-name <name_str>} |

scep <number>}

}

��)�/��"

convert-cert Moves the local certificate to the VSYS environment.

dsa new-key Generates a new DSA public/private key pair with a specifie786, 1024, or 2048.

rsa new-key Generates a new RSA public/private key pair with a specifie786, 1024, or 2048.

x509 delete: Deletes a specified X.509 certificate from a NetScre

pkcs10: Generates a PKCS10 file for an X.509 certificate re

3�&�"�� %��!�"�!//%��"

+��

ates:

sign.com

sign.com

bits.

x number identifying the

cified TFTP server. The TFTP

) operation to retrieve certificates

��

51%/4 �"

To create a new RSA key pair with a length of 1024 bits:

ns-> exec pki rsa new-key 1024

To remove an X.509 certificate with the ID number 3 from the NetScreen device:

ns-> exec pki x509 delete 3

To obtain an x509 CA certificate from a certificate authority to sign your local certific

ns-> set pki auth -1 scep ca-cgi “http://pilotonsiteipsec.veri/cgi-bin/pkiclient.exe”ns-> set pki auth -1 scep ra-cgi “http://pilotonsiteipsec.veri/cgi-bin/pkiclient.exe”ns-> exec pki rsa new 1024ns-> exec pki x509 scep -1ns-> get pki x509 list pending-certns-> exec pki x509 scep 1

These commands perform the following operations:

1. Specify CA and RA CGI paths to a certificate authority (CA) server.

2. Execute RSA private/pulic key configuration, specifying a key length of 1024

3. Initiate the SCEP operation to retrieve certificates.

4. Display a list of pending certificates, allowing you to see and record the indecertificate.

tftp: Uploads the specified certificate or CRL file for the speserver is identified by its IP address <ip_hddr>.

scep: Initiates Simple Certificate Enrollment Protocol (SCEPfrom a certificate authority server.

cert-name <string> Specifies the name of the certificate.

crl-name <string> Specifies the name of the revocation list.

3�&�"�� %��!�"�!//%��"

++��

d in Step 4) to identify the

��

5. Obtain a CA certificate from the CA server (using the index number obtainecertificate.

�� "!

See also the set pki, unset pki, and get pki commands.

3�&�"�� %��!�"�!//%��"

+��

�4�,�'''%�ection.

��

Description: Use the exec pppoe command to set up or take down a PPPoE conn

�0��%1exec pppoe { connect | disconnect }

��)�/��"

51%/4 �"

To setup a PPPoE connection:

ns-> exec pppoe connect

�� "!

See set pppoe, unset pppoe, get pppoe, and clear pppoe commands.

connect Starts PPPoE connection.

disconnect Takes down a PPPoE connection.

3�&�"�� %��!�"�!//%��"

+��

�4�,�� /�tion settings either to the flash sted interface on the NetScreen

��

Description: Use the exec save command to save the NetScreen device configuracard memory or to a Trivial File Transfer Protocol (TFTP) server connected to the trudevice.

�0��%1exec save

[config

[[ from

{flash |slot1 <name_str> |tftp <ip_addr> <name_str>}

][append |to {

flash |slot1 <name_str> |tftp <ip_addr> <name_str>}

] |all-virtual-system |ha-master] |

softwarefrom


3�&�"�� %��!�"�!//%��"

+��

onfigurations.

nds to the current configuration.

TFTP server with the IP address ation to the current configuration

e slave unit console, use this rom the Master unit to the slave on settings are passed.

s to the current configuration.

TP server with the IP address

cifically from the TFTP <ip_addr>

��

to{flash |slot1 <name_str> |tftp <ip_addr> <name_str>} |

image-key { tftp <ip_addr> <filename> }]

��)�/��"

config Saves configurations according to argument:all-virtual-system: Saves all virtual system cfrom: Saves from the specified source.flash: Saves from flash, and if selected, appeslot1: Saves from the pccard in slot 1.tftp: Saves the configuration settings from a <ip_addr>. Appends the configuration informfile on the NetScreen device.ha-master: Saves master configuration. At thcommand to pass the configuration settings funit. Reset the slave unit after the configuratito: Saves to following destination type:flash: Saves to flash, and if selected, appendslot1: Saves to pccard in slot1.tftp: Saves the configuration settings to a TF<ip_addr>.

image-key Loads image key from TFTP server, and speif specified.

software Saves software.

3�&�"�� %��!�"�!//%��"

+3��

rver with IP address

address 172.16.30.10 and

6.20.10 to flash:

h

ed ns_cnfg5 in a TFTP server

_cnfg

ed nskey.cer on a TFTP server

server with the IP address

ifically from the TFTP <ip_addr>,

��

51%/4 �"

To save the current configuration settings to the flash memory:

ns-> exec save

To save the current configuration settings to a file named “my_config” on a TFTP se192.16.11.9:

ns-> exec save config to tftp 192.16.11.9 my_config

To download a configuration file named “my_config” from a TFTP server with the IPoverwrite the current saved configuration settings on the NetScreen device:

ns-> exec save config from tftp 172.16.30.10 my_config

To download the software file ns5.165 from a TFTP server with the IP address 172.1

ns-> exec save software from tftp 172.16.20.10 ns5.165 to flas

To copy a configuration file named cnfg5 from the PCMCIA card in slot 1 to a file namat 172.16.156.9:

ns-> exec save config from slot1 cnfg5 to tftp 172.16.156.9 ns

To load an authentication key on a FIPS-compliant NetScreen device from a file namat 10.10.1.2:

ns-> exec save image-key tftp 10.10.1.2 nskey.cer

from Saves the software from the source:flash: Downloads system image from flashslot1: Downloads system image from slot 1tftp: Downloads system image from the TFTP<ip_addr> to the NetScreen device.

image { tftp <ip_addr> <filename> } Loads image key from TFTP server, and specfile name <filename> if specified.

3�&�"�� %��!�"�!//%��"

+��
��
�� "!


3�&�"�� %��!�"�!//%��"

+:��

�4�,��,�r and bind the key to a user.

rom a server at IP address

p-addr 172.16.10.11

sa key from a file.

ic user.

inds the key to the current user, d specifies the file name

��

Description: Use the exec scs command to load a key from a file on a TFTP serve

�0��%1exec scs

{ tftp {pka-rsa }[ username <name_str> ]

{ file-name <filename> ip-addr <ip_addr> }

��)�/��"

51%/4 �"

To load and bind a key contained in a file named “key_file” to a user named “chris” f172.16.10.11:

ns-> exec scs tftp pka-rsa username chris file-name key_file i

�� "!

See the set scs and get scs commands.

tftp { pka-rsa } Specifies a TFTP server from which to load and bind a pka-r

username <name_str> Loads and binds the key to a specif

file-name <filename> and ip-addr <ip_addr> Loads and bspecifies the IP address (<ip_addr>) of the TFTP server, an(<filename>) of the file containing the key.

3�&�"�� %��!�"�!//%��"

+8��

4�,��%.�0 ��*-�2 their options.

��

�Description: Use the exec software-key command to upgrade device features and

�0��%1exec software-key

{vpn <key_str> |vsys <key_str> |zone <key_str> }

��)�/��"

51%/4 �"

To upgrade zone capability:

ns-> exec software-key zone 2d2b340097de5000

To upgrade the VPN feature:

ns-> exec software-key vpn 3d2c340187de5401

�� "!

See the get software-key command.

vpn <key_str> Specifies the key for VPN capability upgrade.

vsys <key_str> Specifies the VSYS capability upgrade.

zone <key_str> Specifies key for zone capability upgrade.

3�&�"�� %��!�"�!//%��"

+��

�4�,�� ,�*�%(��

yhost”:

me-out interval of 10 seconds:

efore abandoning the trace-route

tScreen device abandons tha

��

Description: Use the trace-route command to obtain the host name.

�0��%1exec trace-route { <name_str> | <ip_addr> }

[ hop <number> [ time-out <number> ] ]

��)�/��"

51%/4 �"

To execute the trace-route command from the NetScreen device to a host named “m

ns-> trace-route myhost

To execute the trace-route through up to 3 hops to a host named “ourhost”:

ns-> trace-route ourhost hop 3

To execute the trace-route through up to 5 hops to a host named “thishost,” with a ti

ns-> trace-route thishost hop 3 time-out 10

�� "!

See the ping and exec trace-route commands.

<name_str> | <ip_addr> Specifies the name or IP address of the host to trace.

hop <number> Specifies the number of gateway devices to traverse battempt.

time-out <number> Specifies the length of time, in seconds, before the Netrace-route attempt.

3�&�"�� %��!�"�!//%��"

��

�4�rface.

o configure a NetScreen device.

��

Description: Use the exit command to exit from the console and command-line inte

�0��%1exit

��)�/��"None.

51%/4 �"

To log off the console:

ns-> exit

�!��"

After issuing the exit command at the console, you must log back in to the console t

After issuing the exit command as root, you remain logged in to the console.

3�&�"�� %��!�"�!//%��"

�+��

'��stem.

<name_str>.

formation on interfaces, refer to

��

Description: Use the ping command to check the network connection to another sy

�0��%1ping [ <ip_addr> | <name_str> ]

[ count <number> [ size <number> [ time-out <number> ] ] ][ from <interface> ]

��)�/��"

51%/4 �"

To ping a host with IP address 172.16.11.2:

ns-> ping 172.16.11.2

To ping a host with IP address 192.168.11.2 and have the results sent to 10.1.1.3:

ns-> ping 192.168.11.2 from mip 10.1.1.3

To ping a host with IP address 172.16.11.2 from interface ethernet2:

ns-> ping 172.16.11.2 from ethernet2

<ip_addr> | <name_str> Pings the host with the IP address <ip_addr> or name

count <number> The ping count.

size <number> The packet size for each ping.

time-out <number> The ping timeout in seconds.

from <interface> The source interface for an extended ping. For more inInterfaces in USGA Features.

3�&�"�� %��!�"�!//%��"

��

usted network from any of the

��

�!��"

An extended ping (using the from option) allows the user to ping a host on the UntrMIPs or from the Trusted interface IP address.

3�&�"�� %��!�"�!//%��"

��

��

��

Description: Use the reset command to reboot the NetScreen device.

�0��%1reset

[no-prompt |save-config

{ no | yes }[ no-prompt ]

]

��)�/��"

51%/4 �"

To reboot a NetScreen device:

ns-> reset

no-prompt Indicates no confirmation.

save-config { no | yes } Saves the configurations:no: Does not save configurationyes: Saves the configurationsno-prompt: Does not display a confirmation.

3�&�"�� %��!�"�!//%��"

��

� /�ettings either to the flash card interface on the NetScreen

��

Description: Use the save command to save the NetScreen device configuration smemory or to a Trivial File Transfer Protocol (TFTP) server connected to the trusteddevice.

�0��%1save

[config

[[ from


][append |to {

flash |slot1 <name_str> |tftp <ip_addr> <name_str>}

] |all-virtual-system |ha-master] |

softwarefrom


3�&�"�� %��!�"�!//%��"

�3��

onfigurations.

nds to the current configuration.

TFTP server with the IP address ation to the current configuration

e slave unit console, use this rom the Master unit to the slave on settings are passed.

s to the current configuration.

TP server with the IP address

cifically from the TFTP <ip_addr>

��

to{flash |slot1 <name_str> |tftp <ip_addr> <name_str>} |

image-key { tftp <ip_addr> <filename> }]

��)�/��"

config Saves configurations according to argument:all-virtual-system: Saves all virtual system cfrom: Saves from the specified source.flash: Saves from flash, and if selected, appeslot1: Saves from the pccard in slot 1.tftp: Saves the configuration settings from a <ip_addr>. Appends the configuration informfile on the NetScreen device.ha-master: Saves master configuration. At thcommand to pass the configuration settings funit. Reset the slave unit after the configuratito: Saves to following destination type:flash: Saves to flash, and if selected, appendslot1: Saves to pccard in slot1.tftp: Saves the configuration settings to a TF<ip_addr>.

image-key Loads image key from TFTP server, and speif specified.

software Saves software.

3�&�"�� %��!�"�!//%��"

��

rver with IP address



6.20.10 to flash:

ed ns_cnfg5 in a TFTP server

server with the IP address

ifically from the TFTP <ip_addr>,

��

51%/4 �"

To save the current configuration settings to the flash memory:

ns-> save

To save the current configuration settings to a file named “my_config” on a TFTP se192.16.11.9:

ns-> save config to tftp 192.16.11.9 my_config

To download a configuration file named “my_config” from a TFTP server with the IPoverwrite the current saved configuration settings on the NetScreen device:

ns-> save config from tftp 172.16.30.10 my_config

To download a configuration file named “my_config” from a TFTP server with the IPappend the current configuration settings on the NetScreen device:

ns-> save config from tftp 172.16.30.10 my_config append

To download the software file ns5.165 from a TFTP server with the IP address 172.1

ns-> save software from tftp 172.16.20.10 ns5.165 to flash

To copy a configuration file named cnfg5 from the PCMCIA card in slot 1 to a file namat 172.16.156.9:

ns-> save config from slot1 cnfg5 to tftp 172.16.156.9 ns_cnfg

from Saves the software from the source:flash: Downloads system image from flashslot1: Downloads system image from slot 1tftp: Downloads system image from the TFTP<ip_addr> to the NetScreen device.

image { tftp <ip_addr> <filename> } Loads image key from TFTP server, and specfile name <filename> if specified.

3�&�"�� %��!�"�!//%��"

�:��

ed nskey.cer on a TFTP server

��

To load an authentication key on a FIPS-compliant NetScreen device from a file namat 10.10.1.2:

ns-> save image-key tftp 10.10.1.2 nskey.cer

�� "!


3�&�"�� %��!�"�!//%��"

�8��

�� ,�*�%(��

the route trace.

��

Description: Use the trace-route command to obtain the host name.

�0��%1trace-route <name_str>

[ hop { <number> [ time-out <number> ] } ]

��)�/��"

51%/4 �"ns-> trace-route

<name_str> The host name.

hop <number> The number of trace route hops to

time-out <number> Specifies the amount of time to elapse before abandoning

�

+��

creen device to its default perform this operation, you LI Reference Guide and the

unset admin device-reset atically disabled.

to factory defaults, clearing all

of the device will be erased. In has been reset. This is your last ory default configuration, which uld you like to continue? y/[n]

rd.

��

$SSHQGL[�$

��+��/,��%� ,�%�2��. (��

If the admin password is lost, you can use the following procedure to reset the NetSsettings. The configurations will be lost, but access to the device will be restored. Toneed to make a console connection, which is described in detail in the NetScreen Cinstaller’s guides.

By default the device recovery feature is enabled. You can disable it by entering thecommand. Also, if the NetScreen-100 is in FIPS mode, the recovery feature is autom

1. At the login prompt, type the serial number of the device.2. At the password prompt, type the serial number again.

The following message appears:

!!! Lost Password Reset !!! You have initiated a command to reset the devicecurrent configuration, keys and settings. Would you like to continue? y/[n]

3. Press the y key.

The following message appears:

!! Reconfirm Lost Password Reset !! If you continue, the entire configurationaddition, a permanent counter will be incremented to signify that this device chance to cancel this command. If you proceed, the device will return to factis: System IP: 192.168.1.1; username: netscreen; password: netscreen. Wo

4. Press the y key to rest the device.

You can now login in using netscreen as the default username and passwo

�44��1��"��)��$��.��!�2%��!�0�.� %� ��)"

��
��

,

+��

Gateway Architecture (USGA).

��

$SSHQGL[�%

��!�� (��This appendix contains information on features of the NetScreen Universal SecurityThese features include the following.

• Security zones

• Interfaces

�44��1�,�<��2�%��" ��0�=!��"

��

pecial-purpose items. These

operates in Transparent mode.

sical interfaces that communicate

ts physical interfaces that

Z physical interface.

security zone. (You create such mand.)

operates in NAT mode or Router

nterfaces (and logical rk space.

ical interfaces (and logical ork space.

storage area for mapped IP (MIP) to these addresses is mapped to interface.

hysical interface.

security zone. (You create such nd.)

creen security devices.

osts VPN tunnels.

ne. (You create such zones using

��

��6��NetScreen devices use zones to host physical and logical interfaces, tunnels, and szones are as follows.

Layer-2 security zones Use Layer-2 security zones when the NetScreen device

• v1-trust specifies the V1-Trust zone, which hosts phywith trusted network space.

• v1-untrust specifies the V1-Untrust zone, which hoscommunicate with untrusted network space.

• v1-dmz specifies the DMZ zone, which hosts the DM

• name <name_str> specifies a user-defined Layer-2 zones using the set zone name <name_str> L2 com

Layer-3 security zones Use Layer-3 security zones when the NetScreen devicemode.

• trust specifies the Trust zone, which hosts physical isub-interfaces) that communicate with trusted netwo

• untrust specifies the Untrust zone, which hosts physsub-interfaces) that communicate with untrusted netw

• global specifies the Global zone, which serves as a and virtual IP (VIP) addresses. Because traffic goingother addresses, the Global zone does not require an

• dmz specifies the DMZ zone, which hosts the DMZ p

• name <name_str> specifies a user-defined Layer-2 zones using the set zone name <name_str> comma

Tunnel zones Use tunnel zones to set up VPN tunnels with other NetS

• untrust-tun specifies the Untrust-Tun zone, which h

• name <name_str> specifies a user-defined tunnel zothe set zone name <name_str> tunnel command.)

�44��1�,�<��2�%��" ��0�=!��"

��

ary storage for any interfaces that

for remote management etScreen device via HTTP, SCS,

ability interfaces, HA1 and HA2.

band management interface,

��

Function zones Use function zones as described below.

• null specifies the Null zone, which serves as temporare not currently bound to another zone.

• self specifies the Self zone, which hosts the interfaceconnections. For example, when you connect to the Nor Telnet, you connect to the Self zone.

• ha specifies the HA zone, which hosts the high-avail

• mgt specifies the MGT zone, which hosts the out-of-MGT.

�44��1�,�<��2�%��" �� %��"

��

h physical interfaces or logical

ce, denoted by an interface port

denoted by an interface port ies the logical interface.

interface, denoted by an interface

face, denoted by an interface slot entifies the logical interface.

ile the NetScreen device is in

e Trust zone. Use this interface

the Untrust zone. Use this .

DMZ zone. Use this interface

interface for VPN traffic.

e.

.

��

��!��Most security zones exchange traffic with other zones (or with other devices) througsub-interfaces. The interfaces are as follows.

Ethernet interfaces - ethernet<n> specifies a physical ethernet interfa<n> and no slots.

- ethernet<n1>.<n2> specifies a logical interface, (<n1>) with no slots. The .<n2> parameter identif

- ethernet<n1>/<n2> specifies a physical ethernetslot (<n1>) and a port (<n2>).

- ethernet<n1>/<n2>.<n3> specifies a logical inter(<n1>) and a port (<n2>). The .<n3> parameter id

Layer-2 interfaces - vlan1 specifies the interface used in for VPNs whtransparent mode.

- v1-trust specifies a Layer-2 interface bound to thwhen the device is in Transparent mode.

- v1-untrust specifies a Layer-2 interface bound tointerface when the device is in Transparent mode

- v1-dmz specifies a Layer-2 interface bound to thewhen the device is in Transparent mode.

Tunnel interfaces - tunnel.<n> specifies a tunnel interface. Use this

Function interfaces - mgt specifies an interface bound to the MGT zon

- ha | ha1 | ha2 the name of the dedicated HA port

+��

r active-user 2

r alarm 3

r arp 5

r audible-alarm 6

r auth 7

r counter 8, 9, 16

r dbuf 10

r dhcp client ip 11, 13

r file 14, 28

r ike cookie 15

r led 17

r log 18

r mac-learn 20

r node_secret 21

r session 26

entions 4

dhcp client renew 2, 4, 17, 18

ha file-sync 5

ntp 6

pki 9

20

larm 6

rp 13

udible-alarm 14

uth 15

lock 18

onfig 19

onsole 20

ounter 21

ialup-group 25

ip 27

ile 32

��

��1�access policies

defining 109

displaying 76

ACE Server 21

ACE Server log 21

Address Bookentries, default 2, 81, 85

address bookadding entries 2, 81

address book entry 4

domain name 4

flag 4

IP address 4

name 4

netmask 4

Address Resolution Protocol (ARP) 13, 23

addressesentering 2, 81

grouping 44, 40

admin authentication 4

administration parameters 4

aggressive mode 46

alarms, clearing 3

alarms, displaying 6

all 86

append 26

ARP (Address Resolution Protocol) table 13

ARP table, clearing 5

authentication table 15

authentication, users 16

,back store 23

bit stream 23

buffer, clearing 10

CA (certificate authority) 73

CGI path 107

cAH 106

CheckPoint 62

clear 5, 8

Address Resolution Protocol (ARP) table 5

flow counters 8

interface counters 8

clear commandsactive-user 2

alarm 3

arp 5

audible-alarm 6

auth 7

counter 8, 9, 16

dbuf 10

dhcp client ip 11, 13

file 14, 28

ike cookie 15

led 17

log 18

mac-learn 20

session 26

clearing alarms 3

CLI 103

command

cleacleacleacleacleacleacleacleacleacleacleacleacleacleacleaconvexecexecexecexecexitget aget aget aget aget cget cget cget cget dget dget f

��1

,!!9��

imer 137

raffic-shaping mode 139

rl 141

ser 144

pn 83, 150, 53

sys 160

ication requirements, console 2

ation settings, saving 19

laying configuration 20

ng 20

ack 20

meters, defining 22

nd command-line interface 20

20

ommunication requirements 2

arameters 20

ons 4

ble 15

environment variable records 5

files 5

8

ffer 10

ddress Book entries 2, 81, 85

edule 117

rvice 123

ss policies 109

ole parameters 22

s for authentication 144

t IP address, clearing 11, 13

t, renewing an IP address 2, 4, 17, 18

�

get firewall 33, 34, 37, 69, 71, 93, 94, 95, 110, 114

get global 36

get glog 39

get group 40

get ha 42

get hostname 44

get ike 45

get interface 49

get ippool 54

get l2tp 55

get lance info 57

get lcd 58

get log 59

get mac-learn 63

get mip 67, 73

get ntp 70

get policy 76

get route 79

get sa 81

get scheduler 83

get service 86

get session 88

get snmp 91

get ssh 84

get syslog 96

get system 98

get tech-support 99

get temperature 100

get timer 101

get traffic-shaping interface 102

get url 103

get user 104

get vip 106

get vpn 107

get vsys 113

ping 7, 21

reset 23

save 13, 24

set address 2, 11, 81, 12, 68

set admin 4

set arp 12

set audible-alarm 14

set auth 16

set clock 20

set console 22

set dbuf 25

set dialup-group 27

set domain 32

set envar 33

set ffilter 34

set firewall 36, 37

set flow 39

set ftp data-port any 42

set group 44

set ha 48

set hostname 53

set ike 55

set interface 66

set ippool 85

set l2tp 86

set lcd 90

set mip 94, 99

set ntp 97

set policy 109

set proto-dist 114, 78

set scheduler 117

set service 123

set snmp 127

set ssh 120

set syn-threshold 130

set syslog 132

set temperature-threshold 135

set tset tset uset uset vset v

communconfigurconsole

dispexitilog bpara

console aexit

console cconsole pconventicookie tacopying copying counter

.debug budefault Adefining

a scha Seacceconsuser

DHCPclienclien

��

ters 8

l 21

l counters 22

l counters, system information 22

IP address 90

nformation, displaying 98

n command 4

lay system administration parameters 4

command 6

lay alarm entries 6

mands 1

lay data on the console 1

lay system configuration parameters 1

rect the output of a Get command 1

andsm 6

13

ble-alarm 14

15

18

ig 19

ole 20

ter 21

p-group 25

27

32

all 33, 34, 37, 69, 71, 93, 94, 95, 110, 114

al 36

39

p 40

2

name 44

��

DHCP client 2

DHCP client lease 2

DHCP server 2

DHCP server IP allocation 2

DHCP server reboot 3

dialup groupconfiguration parameters 25

defining 27

display 2

displayingaccess policies 76

alarms 6

console configuration 20

dynamic IP settings 27

entries in the log table 59

entries in the MAC table 63

files in flash card memory 32

firewall settings 33, 34, 37, 69, 71, 93, 94, 95,

110, 114

general system information 98

high availability settings 42

IKE information 45

interface settings 49

mapped IPs 67, 73

NetScreen-Global Manager settings 36

schedules 83

security associations 81

service entries 86

syslog configuration 96

system time 18

the global log file 39

the hostname of the NetScreen device 44

the sessions table 88

the static route table 79

the user authentication table 15

traffic information 21

URL blocking 103

user database 104

VIP settings 106

VPN information 107

DNS cache 13

DNS entries 4, 17

refresh 4

Dynamic Host Configuration Protocol (DHCP) 11

dynamic IP 27

Dynamic IP (DIP) 22

5encryption secret 22

entries in the alarm table 3

environment variable 31

Event Alarm log 103

event entries 18

exec dhcp client renew command 2, 4, 17, 18

exec ha file-sync command 5

exec ntp command 6

exec pki command 9

exit command 20

Extended ping 8, 22

2filter source route 22

filtering traffic 34

firewall protection 33

firewall settings, displaying 33, 34, 37, 69, 71, 93,

94, 95, 110, 114

flash cardclearing files 14, 28

memory 32

flash card memory 14, 13, 24

flash memory 19

flow counflow leveflow-leveflow-leve

�Gatewaygeneral iget 2, 4

get admidisp

get alarmdisp

Get comdispdispredi

get commalararpaudiauthclockconfconscoundialudipfilefirewglobgloggrouha 4

host

��1

,!!9��

dress 13

rning table 20

lering 20

laying 63

de 46

VPN 81

IP (MIP) 67

IPsting 94

laying 67, 73

nit 14, 25

ccess Control (MAC) 23, 20

allocation status 65

usage status 65

22

neous commands 1

tor error 23

n devicelaying hostname 44

ng the hostname 53

n-Global Manager 36

laying settings 36

Address Translation (NAT) 22

connection check 7, 21

7, 21

Time Protocol (NTP) 70, 6

traffic 13

ret 21

ile memory 22

�

ike 45

interface 49

ippool 54

l2tp 55

lance info 57

lcd 58

log 59

mac-learn 63

mip 67, 73

ntp 70

policy 76

route 79

sa 81

scheduler 83

service 86

session 88

snmp 91

ssh 84

syslog 96

system 98

tech-support 99

temperature 100

timer 101

traffic-shaping interface 102

url 103

user 104

vip 106

vpn 107

vsys 113

global log file, displaying 39

Groupuser dialup 149

groupingaddresses 44, 40

remote users 27

services 44, 40

>high availability

defining a group 48

displaying 42

hostname 53

�id-mode 62

IKE (Internet Key Exchange) 55

IKE cookie table 15

IKE cookie table, clearing 15

IKE ID 104

IKE information, displaying 45

inactive SA 23

in-short error 24

InterfaceWeb User 103

interface counter 8

interface settings, displaying 49

interface-level counters 23

interface-level counters, traffic information 23

internal database 4

Internet Control Message Protocol (ICMP) 22

Internet Key Exchange (IKE) 45, 15

IP address 90

IP pools 54

IPSec security associations (SA) 81

load balance session table 106

log table, displaying 59

logical interface 50

logs, clearing 18

&MAC adMAC leaMAC tab

cleadisp

main momanual Mapped mapped

creadisp

Master uMedia Amemory memory MIPs 8,

miscella

�NAT vecNetScree

dispsetti

NetScreedisp

Networknetwork

pingNetworknetworknode secnonvolatNTP 6

3��

P 4

IUS 4

nfiguration port 36

porting port 36

6

ps 86

defined 86

ific 86

-defined 86

ntries, displaying 86

ting custom 123

ping 44, 40

ablering 26

laying 88

able, entries 88

andsess 2, 11, 81, 12, 68

in 4

12

ble-alarm 14

16

20

ole 22

25

p-group 27

ain 32

r 33

r 34

all 36, 37

39

ata-port any 42

p 44

��

(overwrite 15, 26

�packet errors 21

packets 22

Address Resolution Protocol (ARP) 23

address spoofing attack 22

collision 24

Control Message Protocol (ICMP) 22

denied 22

dropped 22

fragmented 22

illegal 23

incoming 23

Internet Control Message Protocol (ICMP) 24

IPSec 23

land attack 22

Network Address Translation (NAT) 22

ping-of-death attack 22

Point to Point Tunneling Protocol (PPTP) 23

received 23

transmitted underrun 24

UNKNOWN 24

unreceivable 24

unroutable 22

parent connection 23

PCMCIA card 15, 26

physical interface 50

ping command 7, 21

Point to Point Tunneling Protocol (PPTP) 23

pool of IP addresses 11

PPPoE connection 12

set up 12

take down 12

PPPoE statistical registers 23

preshared key 46

ProtocolESP 106

pseudo port 90

�RADIUS server 4

reboot NetScreen device 23

reset 23

remote gateway 46

remove 2

data stored in log tables 1

information stored in memory 1

information stored on the flash card 1

remote administrator profile 2

renewing the lease 2

reset command 23

resetting a device 23

RSA key length 73

�SA policy 23

save command 13, 24

saving a configuration file 13, 24

schedulecreating or modifying 117

displaying 83

secure shell 120, 84

SecurID, resetting communication 21

Security Association (SA) 24

Security Associations (SA) 23

security associations, displaying 81

self-log entries 18

Server 4

serverLDARAD

server coserver reservice 8

groupre-specuser

service eServices

creagrou

Session tcleadisp

session tset comm

addradmarpaudiauthclockconsdbufdialudomenvaffiltefirewflowftp dgrou

��1

,!!9��

d interface 11

NetScreen device clock 6

ckinglaying 103

ling 141

cking configuration 103

cking setting 103

henticationring 7

ting entries 16

laying table 15

hentication configuration settings 15

abase, displaying 104

eating 144

90

ings, displaying 106

P (VIP) 106

rivate Network (VPN) 107

ystemting 160

laying 113

ng 20

rtual Private Network) 83, 150, 53

ryption 36

rmation, displaying 107

icies 81

ds 141

ds server 97

�

ha 48

hostname 53

ike 55

interface 66

ippool 85

l2tp 86

lcd 90

mip 94, 99

ntp 97

policy 109

proto-dist 114, 78

scheduler 117

service 123

snmp 127

ssh 120

syn-threshold 130

syslog 132

temperature-threshold 135

timer 137

traffic-shaping mode 139

url 141

user 144

vpn 83, 150, 53

vsys 160

setting system time 20

Simple Network Management Protocol (SNMP) 91

Slave unit console 14, 25

SNMP 91

displaying configuration 91

enabling 127

SNTP 97

source route 22

static route table 79

static route table, displaying 79

subnet 46

subnet mask 67

syn flood protection 23

synchronizing 6

Syslog 132

syslog configuration 96

syslog configuration, displaying 96

syslog mechanism 96

system administration configuration parameters 5

addresses for the recipients of e-mail alerts 5

configuration format 5

domain name 5

e-mail alert status 5

e-mail server IP address 5

port number for Web management 5

remote e-mail address 5

system IP address 5

system timedisplaying 18

setting 20

�TCP proxy 23

tftp server 1

timer settings 101

traffic entries 18

traffic information 21

traffic information, displaying 21

traffic management information 102

traffic, filtering 34

traffic-shaping interface 102

Transparent mode 63, 20

Trivial File Transfer Protocol (TFTP) 13, 24

troubleshooting 99

trusted interface 50

<untrusteupdatingURL blo

dispenab

URL bloURL blouser aut

cleacreadisp

user autuser datusers, cr

@vector IDVID 90

VIP 106

VIP settVirtual IVirtual Pvirtual s

creadispexiti

VPN (ViVPN encVPN infoVPN pol

#WebTrenWebTren

netscreen cli reference guide version 3.1

Documents