
Useful Netscreen Commands for Troubleshooting

Here are some useful Netscreen (ScreenOS) commands for troubleshooting. Commands are typed in lower case; the description follows the colon.


get config : shows the running configuration

save : saves the running configuration to flash (changes made with set/unset are lost on reboot until you save)

get system : shows system information, including software version, serial number and the device mode (route, NAT or transparent)

get session info : shows session-table usage; sustained utilisation above about 85% of the session limit means the firewall is near capacity and latency or dropped new sessions can be expected

get interface : shows interfaces, their zones and IP addresses

get address trust/untrust : shows the address objects defined in the given zone

get arp : shows the firewall's ARP table

get route : shows the routing table

get service : shows predefined and custom services

get group address : shows address groups

get group service : shows service groups

get policy in/out : shows the applied incoming/outgoing firewall policies; get policy id <n> shows one policy in full

get log traffic : shows the traffic log; can be filtered by source/destination IP and port

unset : removes a configuration statement (the mirror of the set command that created it)

get user all : shows locally defined users, including VPN users

get log event : shows the event log, where VPN/IKE negotiations are recorded

get mip : shows mapped IPs (one-to-one NAT)

get vip : shows virtual IPs (port-forwarding rules)

get route ip x.x.x.x : shows the route the firewall would use to reach a specific IP

set policy id xx : enters the context of an existing policy, where set src-address / set dst-address / set service add further objects to it (finish with exit) instead of creating a group for them
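The commands above are most useful in a fixed order. The following is an added troubleshooting session, not part of the original post: it walks a single "host 10.1.1.5 cannot reach 192.168.15.15" complaint from routing, to policy, to session, to log, and finally to a filtered per-packet flow trace. It assumes ScreenOS 5.x syntax and the addresses used elsewhere on this page; ScreenOS has no comment syntax, so the lines starting with ## are annotations to strip before pasting, and the exact filter keywords for get session and get log traffic vary a little between releases (use TAB or ? to confirm them on your box).

```screenos
## 1. Does the firewall even have a route, and out of which interface?
get route ip 192.168.15.15

## 2. Is there a permit for this flow, and does it sit above the deny?
##    Policies are matched top-down, first match wins.
get policy from trust to untrust

## 3. Is a session being built for the host? No session = dropped before
##    session creation (policy deny, no route, or wrong zone).
get session src-ip 10.1.1.5

## 4. What did the logged policies record for this conversation?
get log traffic src-ip 10.1.1.5 dst-ip 192.168.15.15

## 5. Per-packet flow trace. The ffilter keeps the debug buffer limited to
##    this conversation so the box is not flooded while debugging.
set ffilter src-ip 10.1.1.5 dst-ip 192.168.15.15
clear dbuf
debug flow basic
##    ... reproduce the connection attempt from 10.1.1.5 now ...
undebug all
get dbuf stream

## 6. Always remove the filter and stop debugging when done; a forgotten
##    debug costs CPU on a production firewall.
unset ffilter
undebug all
```

The flow trace in step 5 prints, for each packet, the ingress zone, the route lookup, the policy that matched (or the reason for the drop) and any NAT applied, which is the quickest way to see whether a packet is being denied by policy or simply routed out the wrong interface.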

Basic Netscreen Commands

Basic NETSCREEN Firewall Commands
If you are new to managing the Netscreen Firewall, then these commands will help you in managing the Netscreen Firewall from the Command Line Interface.

Note: always use TAB (or ?) when you are not sure of a command's syntax on a Netscreen firewall. Pressing TAB on your keyboard lists the valid next options, and you can choose from them. TAB is your best friend.

Step 1: define networks & network groups
***********************************************

set address trust int-10.1.1.0_24 10.1.1.0/24

set address untrust ext-192.168.15.15 192.168.15.15/32

set group address untrust Remote

set group address untrust Remote add ext-192.168.15.15

Note: address objects and address groups belong to a zone, so an object defined in untrust cannot be used as a source in a policy from trust.

Step 2: define services & service groups
**********************************************

set service tcp_445 protocol tcp src-port 0-65535 dst-port 445-445 timeout 120
set service tcp_3390 protocol tcp src-port 0-65535 dst-port 3390-3390 timeout 120

Note: restricting src-port to 1024-65535 silently drops connections from clients that happen to use a low source port; 0-65535 is the safer default unless you are deliberately matching on source port. The service name should match the destination port it carries (tcp_3390 for port 3390) so policies stay readable.

set group service outsrvgroup1

set group service outsrvgroup1 add http

set group service outsrvgroup1 add https

Step 3: Define policies
*************************

set policy from trust to untrust int-10.1.1.0_24 any outsrvgroup1 permit log count

Note: policies are applied from zone to zone and evaluated top-down; the first match wins, and anything that matches no policy is dropped by the implicit deny at the end. The group Remote defined in step 1 can be used in place of any to narrow the destination.

Step 4: define NAT
**********************

NAPT is on by default: an interface in NAT mode (the factory setting for the trust interface on small Netscreens) translates the source of trust-to-untrust traffic to the untrust interface IP. An interface in route mode does no translation unless a policy or a MIP/VIP/DIP says so; check the mode with get interface.

Step 5: define one to one NAT (MIP)
*****************************************

set interface untrust mip 192.168.1.15 host 10.1.1.15 netmask 255.255.255.255

set group service insrvgroup1

set group service insrvgroup1 add http

set group service insrvgroup1 add https

set policy from untrust to trust any MIP(192.168.1.15) insrvgroup1 permit log count

set policy move 59 before 4

(A new policy is appended at the bottom of its zone pair, so move it above the default deny policy; here 59 is the new policy's id and 4 the deny policy's id. Read the real ids from get policy from untrust to trust.)

Step 6: define port forwarding (VIP)
*****************************************

set interface untrust vip 192.168.1.55 443 https 10.1.1.55

set policy from untrust to trust any VIP::1 https permit log count

Note: newer ScreenOS releases reference the VIP in a policy as VIP(192.168.1.55) rather than VIP::1; get config shows the form your release uses. The VIP address must be the untrust interface IP or sit in its subnet.

Step 7: define routes
************************

set route 10.1.1.0/24 gateway 192.168.1.254

Note: a network directly connected to an interface (such as 10.1.1.0/24 on trust above) needs no static route. The route most installations actually need is a default route out the untrust interface, set route 0.0.0.0/0 interface untrust gateway <next-hop>. Finish with save, or the configuration is lost at the next reboot.
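Steps 1 to 7 are one procedure, so here they are as a single session, an added example rather than the original post's text. It uses the object names from the steps above, assumes the trust/untrust interface names of a small Netscreen (NS-5GT/25 class) and ScreenOS 5.x syntax, assigns explicit policy ids (10, 11, 12) so the later move and edit commands are unambiguous, and assumes an existing deny policy with id 4 as on the page. Lines starting with ## are annotations, not commands, because ScreenOS has no comment syntax; strip them before pasting.

```screenos
## Step 1: address objects and an address group (both zone-scoped)
set address trust int-10.1.1.0_24 10.1.1.0/24
set address untrust ext-192.168.15.15 192.168.15.15/32
set group address untrust Remote
set group address untrust Remote add ext-192.168.15.15

## Step 2: custom services (full source-port range) and a service group
set service tcp_445 protocol tcp src-port 0-65535 dst-port 445-445 timeout 120
set service tcp_3390 protocol tcp src-port 0-65535 dst-port 3390-3390 timeout 120
set group service outsrvgroup1
set group service outsrvgroup1 add http
set group service outsrvgroup1 add https

## Step 3: outbound policy; Remote narrows the destination instead of any
set policy id 10 from trust to untrust int-10.1.1.0_24 Remote outsrvgroup1 permit log count

## Step 4: nothing to do, the trust interface is in NAT mode so outbound
##         traffic is already translated to the untrust interface IP

## Step 5: one-to-one NAT (MIP) on the untrust interface plus its inbound policy
set interface untrust mip 192.168.1.15 host 10.1.1.15 netmask 255.255.255.255
set group service insrvgroup1
set group service insrvgroup1 add http
set group service insrvgroup1 add https
set policy id 11 from untrust to trust any MIP(192.168.1.15) insrvgroup1 permit log count

## Step 6: port forward (VIP) on the untrust interface plus its inbound policy
##         (VIP(ip) form; older releases show VIP::1 in get config)
set interface untrust vip 192.168.1.55 443 https 10.1.1.55
set policy id 12 from untrust to trust any VIP(192.168.1.55) https permit log count

## Step 7: default route; 10.1.1.0/24 is directly connected and needs no route
set route 0.0.0.0/0 interface untrust gateway 192.168.1.254

## Later change: add the SMB service to policy 10 without building a new group
set policy id 10
set service tcp_445
exit

## Keep the explicit permits above the default deny (id 4), then verify and save
set policy move 11 before 4
set policy move 12 before 4
get policy from trust to untrust
get policy from untrust to trust
get mip
get vip
get route ip 192.168.15.15
save
```

The two inbound policies deliberately permit only the services the MIP and VIP are meant to expose; the MIP itself answers for every port, so an overly broad service (any) in policy 11 would expose all of 10.1.1.15 to the untrust zone.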
