ScreenOS Cheat Sheet


COMMAND INPUT

The colors designate the actual ScreenOS command in blue, while the user input (policy name, numeric value, etc) is red. 

Basic Operation

get hostname - Displays the hostname of the device 

set hostname atlanta-firewall - Sets the hostname to atlanta-firewall 

get domain - Displays the domain name of the device 

set domain skullbox.net - Sets the domain name to skullbox.net 

get chassis - Displays chassis information such as temperature, fan status, and slot information 

get system - Displays hardware and software information 

get config - Displays the complete running configuration 

get zone - Displays all zones present on the device 

set zone name warehouse - Creates a new zone named warehouse 

unset zone warehouse - Removes zone warehouse 

get interface - Displays all physical and sub-interfaces 

get interface | include tun - Displays all interfaces whose names include tun (tunnel interfaces) 

get interface ethernet0/2 mip - Displays MIP information on specified interface 

get arp - Displays the ARP table: the number of entries and the MAC addresses and IP addresses learned by the device 

get ssh - Displays active management SSH sessions 

get counter statistics - Displays statistics for all interfaces 

get counter statistics interface ethernet0/2 - Displays statistics for ONLY specific interface 

get performance cpu - Displays CPU utilization over the last 1, 5, and 15 minutes 

get performance session - Displays session utilization over the last 1, 5, and 15 minutes 

get dns host settings - Displays DNS servers and assigned interfaces 

get dhcp - Displays DHCP information and assigned interfaces 

get admin - Displays management information such as access ports and filtered IP addresses 

get event - See Troubleshooting Section 

get session - See Troubleshooting Section 

get address untrust - Displays addresses in the untrust zone 

get ike gateway - Displays all gateways configured for VPN 

get vrouter trust-vr - Displays all vrouter information and routes associated with trust-vr 

get sa - Displays information about IKE (VPN) Gateways 

get ntp - Displays network time protocol information 

get service - Displays all services (protocol/port definitions), both predefined and custom 

set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389 - Creates a service named RDP with source ports 0-65535 and a destination port of 3389 

Security

set admin manager-ip 10.15.15.0 255.255.255.0 - Sets administrator access from 10.15.15.0/24 

Policies
set policy from Cisco2821 to DMZ902 192.168.105.0/24 Any HTTP permit log - Creates a policy from zone Cisco2821 to zone DMZ902 that allows 192.168.105.0/24 (in Cisco2821) to reach any IP range in DMZ902 over port 80 (HTTP) and logs all matching traffic. This assumes 192.168.105.0/24 is already in the address book. 

set policy from Cisco2821 to DMZ902 192.168.105.0/24 Any ANY nat src permit log - Creates a policy from zone Cisco2821 to zone DMZ902 that allows 192.168.105.0/24 (in Cisco2821) to reach any IP range in DMZ902 over any port and logs all matching traffic. This assumes 192.168.105.0/24 is already in the address book; this policy also performs source NAT. 

set policy from Untrust to warehouse Any MIP(216.93.242.16) DNS permit - Creates a policy allowing any IP in the Untrust (Internet) zone to reach the MIP 216.93.242.16, permitting ONLY DNS traffic 

set policy from Untrust to warehouse Any MIP(216.93.242.16) ANY deny log - Creates a policy matching any IP in the Untrust (Internet) zone to the MIP 216.93.242.16 that specifically DENIES ALL traffic and logs it 

set policy from Guest to Untrust 192.168.109.0/24 Any HTTP nat src dip-id 5 permit - Creates a policy from zone Guest with IP range 192.168.109.0/24 to any IP in Untrust (Internet) allowing port 80 (HTTP), performing source NAT using DIP ID 5 

set policy from Untrust to warehouse ras.skullbox.net VIP(ethernet0/2) RDP permit log - Creates a policy from zone Untrust (Internet) with hostname ras.skullbox.net to zone warehouse using the VIP on Ethernet0/2, allowing RDP traffic and logging it 

set policy id 43 disable - Keeps policy id 43 in the configuration, but disables it 

set policy id 13 - Modifies policy ID 13 
set src-address fin_servers - Adds group fin_servers from address book 
set src-address fin_users - Adds group fin_users from address book 
set src-address fin_network - Adds group fin_network from address book 
set src-address sales_department - Adds group sales_department from address book 

set policy id 43 - Modifies policy ID 43 
set service DNS - Adds service DNS to policy 
set service FTP - Adds service FTP to policy 
set service HTTPS - Adds service HTTPS to policy 
set service ICMP-ANY - Adds service ICMP-ANY to policy 

set zone Untrust screen tear-drop - Sets a screen on the Untrust zone for Teardrop attacks 
set zone Untrust screen syn-flood - Sets a screen on the Untrust zone for SYN flood attacks 
set zone Untrust screen ping-death - Sets a screen on the Untrust zone for ping of death attacks 
set zone Untrust screen land - Sets a screen on the Untrust zone for LAND attacks 
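As an added example (not part of the original cheat sheet), the following Python script parses the one-line set policy form shown above and reviews it the way a firewall auditor would: it flags permits without log, permits for service ANY, and zone pairs that have permits but no logged catch-all deny like the one used for the MIP above (ScreenOS drops unmatched inter-zone traffic by default, but only a deny-log policy makes those drops visible in get event). The sample policy lines are constructed from the commands on this page.

```python
import re

# Sample policy lines, constructed here from the commands on this page (not a captured config).
SAMPLE_POLICIES = """
set policy from Cisco2821 to DMZ902 192.168.105.0/24 Any HTTP permit log
set policy from Cisco2821 to DMZ902 192.168.105.0/24 Any ANY nat src permit log
set policy from Untrust to warehouse Any MIP(216.93.242.16) DNS permit
set policy from Untrust to warehouse Any MIP(216.93.242.16) ANY deny log
set policy from Guest to Untrust 192.168.109.0/24 Any HTTP nat src dip-id 5 permit
"""

# One-line policy grammar as used on this page:
# set policy from <src-zone> to <dst-zone> <src> <dst> <service> [nat src [dip-id N]] <permit|deny> [log]
POLICY_RE = re.compile(
    r"^set policy from (?P<src_zone>\S+) to (?P<dst_zone>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<service>\S+)"
    r"(?P<nat> nat src(?: dip-id \d+)?)? (?P<action>permit|deny)(?P<log> log)?$"
)

def parse_policies(text):
    """Parse one-line 'set policy' commands into dicts; other lines (e.g. 'set policy id N' edits) are skipped."""
    policies = []
    for line in text.strip().splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            p = m.groupdict()
            p["nat"], p["log"] = bool(p["nat"]), bool(p["log"])
            policies.append(p)
    return policies

def audit(policies):
    """Report unlogged permits, permits for service ANY, and zone pairs with permits but no logged deny."""
    findings, permit_pairs, deny_pairs = [], set(), set()
    for p in policies:
        pair = (p["src_zone"], p["dst_zone"])
        if p["action"] == "permit":
            permit_pairs.add(pair)
            if not p["log"]:
                findings.append(f"unlogged permit {pair[0]}->{pair[1]} {p['service']}")
            if p["service"].upper() == "ANY":
                findings.append(f"any-service permit {pair[0]}->{pair[1]} from {p['src']}")
        elif p["log"]:
            deny_pairs.add(pair)
    for pair in sorted(permit_pairs - deny_pairs):
        findings.append(f"no logged deny for {pair[0]}->{pair[1]}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_policies(SAMPLE_POLICIES)):
        print(finding)
```

Feed it the output of get config filtered with | include "set policy from" to review a live device; multi-line policy edits (set policy id N ... ) are not covered by the one-line grammar.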

Network Configuration

set interface ethernet0/2 phy full 1000mb - Sets Ethernet0/2 to full-duplex and 1Gbps (not auto-negotiate) 

set interface ethernet0/0 ip 216.93.242.12/26 - Sets IP information on Ethernet0/0 

set interface ethernet3/0.1 tag 205 zone warehouse - Creates a sub-interface from Ethernet3/0 using 802.1Q VLAN tag 205 and puts the new interface into the warehouse zone 

set interface ethernet0/3 route - Sets interface Ethernet0/3 to route mode 

set interface ethernet0/5 nat - Sets interface Ethernet0/5 to NAT mode 

set bgroup 3 0 - Enables bridge group number zero on PIM slot 3. A maximum of 8 bgroups can be configured 

Bgroup Configuration
set interface bgroup3/0 port ethernet3/1 - Adds physical interface Ethernet3/1 to bgroup3/0 
set interface bgroup3/0 port ethernet3/2 - Adds physical interface Ethernet3/2 to bgroup3/0 
set interface bgroup3/0 zone warehouse - Assigns bgroup3/0 to the warehouse zone 

set interface ethernet0/5 phy link-down - Physically disables the port (forces link down) 
unset interface ethernet0/5 phy link-down - Physically re-enables the port 

set interface tunnel.5 zone Untrust - Creates tunnel interface with ID 5 assigned to zone Untrust 
set interface tunnel.5 ip unnumbered interface ethernet0/2 - Sets tunnel.5 as an unnumbered interface that uses the IP address of Ethernet0/2 

set interface ethernet3/10 ip manageable - Enables management on the IP address assigned to Ethernet3/10 

set interface ethernet3/10 manage ping - Enables ping on Ethernet3/10 
set interface ethernet3/10 manage ssh - Enables ssh on Ethernet3/10 
set interface ethernet3/10 manage snmp - Enables snmp on Ethernet3/10 
set interface ethernet3/10 manage web - Enables web on Ethernet3/10 
set interface ethernet3/10 manage telnet - Enables telnet on Ethernet3/10 

DHCP Configuration
set interface ethernet3/3 dhcp server service - Enables DHCP server on Ethernet3/3 
set interface ethernet3/3 dhcp server option lease 1440 - Sets DHCP lease time (in minutes) 
set interface ethernet3/3 dhcp server option gateway 192.168.101.1 - Sets gateway provided by DHCP 
set interface ethernet3/3 dhcp server option netmask 255.255.255.0 - Sets subnet mask provided by DHCP 
set interface ethernet3/3 dhcp server option domainname skullbox.lan - Sets domain suffix provided by DHCP 
set interface ethernet3/3 dhcp server option dns1 8.8.8.8 - Sets the primary DNS server provided by DHCP 
set interface ethernet3/3 dhcp server option dns2 4.4.4.2 - Sets the secondary DNS server provided by DHCP 
set interface ethernet3/3 dhcp server ip 192.168.115.200 to 192.168.115.200 - Sets range of IP addresses for DHCP lease 

set interface ethernet0/2 dip 4 216.93.242.13 216.93.242.13 - Sets interface Ethernet0/2 with a DIP pool (ID 4) covering the range 216.93.242.13 to 216.93.242.13 

set interface ethernet0/2 mip 216.93.242.14 host 192.168.152.15 netmask 255.255.255.255 vr "trust-vr" - Sets Ethernet0/2 to use 216.93.242.14 as a mapped IP to 192.168.152.15/32 using virtual router trust-vr 

set interface ethernet0/2 vip interface-ip 3389 RDP 192.168.131.15 - Creates a VIP on the interface IP of Ethernet0/2 that forwards inbound port 3389 (service RDP) to 192.168.131.15 

Routing
set route 10.145.12.0/24 interface bgroup3/0 gateway 10.145.12.254 description "extranet" - Sets a route for traffic destined for 10.145.12.0/24 to use interface bgroup3/0 with a gateway of 10.145.12.254 and the description extranet 

set route 192.168.99.0/24 interface tunnel.5 description "dr-vpn" - Sets a route for traffic destined for 192.168.99.0/24 to use interface tunnel.5 with the description dr-vpn 

SNMP Configuration
set snmp community "xoop" Read-Write Trap-on traffic version v1 - Specifies a read-write community called xoop 
set snmp host "xoop" 10.16.0.92/32 src-interface bgroup3/0 trap v1 - Sets the source interface and destination host for SNMP (version 1) requests and traps 
set snmp location "rack 34" - Specifies SNMP location information 
set snmp contact "Erik Rodriguez" - Specifies SNMP contact information 
set snmp name "corp-firewall" - Specifies SNMP device information 
set snmp port listen 161 - Specifies SNMP listen port (default is UDP 161) 
set snmp port trap 162 - Specifies SNMP trap port (default is UDP 162) 

Syslog Configuration
set syslog config 192.168.105.76 - Sets the syslog destination IP 
set syslog config 192.168.105.76 facilities local0 local1 - Sets the syslog facilities 
set syslog src-interface ethernet3/2 - Sets the interface used to reach the syslog server 
set syslog enable - Enables sending of log messages to the configured syslog server 

NTP Configuration
set ntp server 216.93.242.12 - Enables NTP with 216.93.242.12 as time source 
set ntp server src-interface ethernet3/0 - Uses interface Ethernet3/0 to reach NTP update source 
set clock ntp - Enables system clock to sync with NTP 
exec ntp update - Forces a sync of the clock with the NTP server 

Troubleshooting

trace-route 216.93.242.12 from ethernet3/0 - Performs a traceroute from a specific interface 

ping 216.93.242.12 count 100 from ethernet3/11 - Performs ping to 216.93.242.12 with 100 ICMP echos from interface Ethernet3/11 

Sessions
get session src-ip 192.168.1.35 - Displays session information for source device 192.168.1.35 

get session dst-ip 216.93.242.12 - Displays session information for destination device 216.93.242.12 

get session src-port 3636 - Displays session information for source port 3636 

get session dst-port 3389 - Displays session information for destination port 3389 

clear session - Immediately clears all software sessions 

Events
get event policy-id 35 - Displays any events logged regarding policy ID 35 

get event level alert - Displays any logged events deemed Alerts (requiring immediate action) 

get event start-date 2011-05-03 - Displays events starting from May 3rd 2011 

get event start-time 21:26:42 - Displays events starting from 9:26:42 PM 

get event include SPI - Displays events which include SPI (IKE activity) 

Comments

4 Responses to "ScreenOS Cheat Sheet"

50b6ca5e-3025-11e2-90ad-000bcdcb471e said... November 16, 2012 at 11:39 AM

Thanks for stealing my cheat sheet. http://www.skullbox.net/

aalia lyon said... April 29, 2014 at 3:03 AM

It's an awesome blog. If you have any firewall problem, click here; it helps you to solve your problem.
windows firewall error 1068 windows 7
Thanks
Aalia lyon

John Smith said... December 4, 2014 at 11:15 AM

set policy from Untrust to warehouse Any MIP(216.93.242.16) DNS permit

By default the policy above will also permit traffic initiated in the reverse direction (from warehouse to Untrust) since a MIP is a static NAT.

Love the page

Anushka Sharma said... August 21, 2015 at 4:55 AM

Nice post… simple and useful :). Please visit my site! Thanks
Technical Support Engineering Services in Delhi,
