Tuesday, December 06, 2016
Audience: Network Administrators
Last Updated: 6/6/2011 1:45:41 PM
**All times are EST**





ScreenOS Cheat Sheet

By Erik Rodriguez

Tags: Juniper SSG configuration, Juniper firewall configuration, Netscreen 5GT config, Juniper configuration, ScreenOS config

This is a cheat sheet of commonly used commands for Juniper ScreenOS used on Netscreen and SSG firewalls. See also Cisco IOS Cheat Sheet.



COMMAND INPUT

On the original page, the color coding shows the actual ScreenOS command in blue and the user-supplied input (policy name, numeric value, etc.) in red.

Basic Operation

get hostname - Displays the hostname of the device

set hostname atlanta-firewall - Sets the hostname to atlanta-firewall

get domain - Displays the domain name of the device

set domain skullbox.net - Sets the domain name to skullbox.net

get chassis - Displays chassis information such as temperature, fan status, and slot information

get system - Displays hardware and software information

get config - Displays the complete running configuration

get zone - Displays all zones present in device

set zone name warehouse - Create new zone named warehouse

unset zone warehouse - Removes zone warehouse

get interface - Displays all physical and sub-interfaces

get interface | include tun - Displays all interfaces whose name starts with tun (tunnel interfaces)

get interface ethernet0/2 mip - Displays MIP information on specified interface

get arp - Displays the ARP table (MAC addresses and IP addresses learned by the device) and the number of entries

get ssh - display active management SSH sessions




get counter statistics - Displays statistics for all interfaces

get counter statistics interface ethernet0/2 - Displays statistics for ONLY specific interface

get performance cpu - Displays CPU utilization over the last 1, 5, and 15 minutes

get performance session - Displays session utilization over the last 1, 5, and 15 minutes

get dns host settings - Displays DNS servers and assigned interfaces

get dhcp - Displays DHCP information and assigned interfaces

get admin - Displays management information such as access ports and filtered IP addresses

get event - See Troubleshooting Section

get session - See Troubleshooting Section

get address untrust - Displays addresses in the untrust zone

get ike gateway - Displays all gateways configured for VPN

get vrouter trust-vr - Displays all vrouter information and routes associated with trust-vr

get sa - Displays the security associations (SAs) of the IKE (VPN) gateways

get ntp - Displays network time protocol information

get service - Displays protocols both native and custom

set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389 - Creates a service named RDP with source ports from 0-65535 and a destination port of 3389.

Security

set admin manager-ip 10.15.15.0 255.255.255.0 - Restricts administrator access to the 10.15.15.0/24 subnet

Policies
set policy from Cisco2821 to DMZ902 192.168.105.0/24 Any HTTP permit log - Sets policy from zone Cisco2821 to DMZ902 allowing 192.168.105.0/24 (from Cisco2821) and allows communication to any IP range in zone DMZ902 over port 80 (HTTP) and logs all traffic. This assumes 192.168.105.0/24 is contained in the address list.

set policy from Cisco2821 to DMZ902 192.168.105.0/24 Any ANY nat src permit log - Sets policy from zone Cisco2821 to DMZ902 allowing 192.168.105.0/24 (from Cisco2821) and allows communication to any IP range in zone DMZ902 over any port and logs all traffic. This assumes 192.168.105.0/24 is contained in the address list and this policy also performs NAT.

set policy from Untrust to warehouse Any MIP(216.93.242.16) DNS permit - Sets policy allowing any IP from Untrust (Internet) zone to MIP with IP 216.93.242.16 allowing ONLY DNS traffic

set policy from Untrust to warehouse Any MIP(216.93.242.16) ANY deny log - Sets policy allowing any IP from Untrust (Internet) zone to MIP with IP 216.93.242.16 specifically DENYING ALL traffic and logging it

set policy from Guest to Untrust 192.168.109.0/24 Any HTTP nat src dip-id 5 permit - Sets policy from zone Guest with IP 192.168.109.0/24 to Untrust (Internet) with any IP allowing port 80 (HTTP) performing NAT and using DIP with ID five

set policy from Untrust to warehouse ras.skullbox.net VIP(ethernet0/2) RDP permit log - Sets policy from zone Untrust (Internet) with hostname ras.skullbox.net to zone warehouse using the specified VIP on Ethernet0/2 allowing RDP traffic and logging it

set policy id 43 disable - Keeps policy id 43 in the configuration, but disables it

set policy id 13 - Modifies policy ID 13
set src-address fin_servers - Adds group fin_servers from address book
set src-address fin_users - Adds group fin_users from address book
set src-address fin_network - Adds group fin_network from address book
set src-address sales_department - Adds group sales_department from address book

set policy id 43 - Modifies policy ID 43
set service DNS - Adds service DNS to policy
set service FTP - Adds service FTP to policy
set service HTTPS - Adds service HTTPS to policy
set service ICMP-ANY - Adds service ICMP-ANY to policy

set zone Untrust screen tear-drop - Enables a screen on zone Untrust for teardrop attacks
set zone Untrust screen syn-flood - Enables a screen on zone Untrust for SYN flood attacks
set zone Untrust screen ping-death - Enables a screen on zone Untrust for ping of death attacks
set zone Untrust screen land - Enables a screen on zone Untrust for land attacks

Network Configuration

set interface ethernet0/2 phy full 1000mb - Sets Ethernet0/2 to full-duplex and 1Gbps (not auto-negotiate)



set interface ethernet0/0 ip 216.93.242.12/26 - Sets IP information on Ethernet0/0

set interface ethernet3/0.1 tag 205 zone warehouse - Creates a sub-interface from Ethernet3/0 using 802.1Q VLAN tag 205 and puts the new interface into the warehouse zone

set interface ethernet0/3 route - Sets interface Ethernet0/3 to route mode

set interface ethernet0/5 nat - Sets interface Ethernet0/5 to NAT mode

set brgroup 3 0 - Enables group number zero on PIM slot 3. A maximum of 8 bgroups can be configured

Bgroup Configuration
set interface bgroup3/0 port ethernet3/1 - Adds physical interface Ethernet3/1 to bgroup3/0
set interface bgroup3/0 port ethernet3/2 - Adds physical interface Ethernet3/2 to bgroup3/0
set interface bgroup3/0 zone warehouse - Assigns bgroup3/0 to the warehouse zone

set interface ethernet0/5 phy link-down - Physically disables ports
unset interface ethernet0/5 phy link-down - Physically enables ports

set interface tunnel.5 zone Untrust - Creates tunnel interface with ID 5 assigned to zone Untrust
set interface tunnel.5 ip unnumbered interface ethernet0/2 - Sets tunnel.5 as an unnumbered interface with Ethernet0/2 as a gateway

set interface ethernet3/10 ip manageable - Enables management on the IP address assigned to Ethernet3/10

set interface ethernet3/10 manage ping - Enables ping on Ethernet3/10
set interface ethernet3/10 manage ssh - Enables ssh on Ethernet3/10
set interface ethernet3/10 manage snmp - Enables snmp on Ethernet3/10
set interface ethernet3/10 manage web - Enables web on Ethernet3/10
set interface ethernet3/10 manage telnet - Enables telnet on Ethernet3/10

DHCP Configuration
set interface ethernet3/3 dhcp server service - Enables DHCP server on Ethernet3/3
set interface ethernet3/3 dhcp server option lease 1440 - Sets DHCP lease time (in minutes)
set interface ethernet3/3 dhcp server option gateway 192.168.101.1 - Sets gateway provided by DHCP
set interface ethernet3/3 dhcp server option netmask 255.255.255.0 - Sets subnet mask provided by DHCP
set interface ethernet3/3 dhcp server option domainname skullbox.lan - Sets domain suffix provided by DHCP
set interface ethernet3/3 dhcp server option dns1 8.8.8.8 - Sets the primary DNS server provided by DHCP
set interface ethernet3/3 dhcp server option dns2 4.4.4.2 - Sets the secondary DNS server provided by DHCP
set interface ethernet3/3 dhcp server ip 192.168.115.200 to 192.168.115.200 - Sets range of IP addresses for DHCP lease

set interface ethernet0/2 dip 4 216.93.242.13 216.93.242.13 - Sets interface Ethernet0/2 with a DIP address (ID four) with a range of 216.93.242.13 to 216.93.242.13

set interface ethernet0/2 mip 216.93.242.14 host 192.168.152.15 netmask 255.255.255.255 vr "trust-vr" - Sets Ethernet0/2 to use 216.93.242.14 as a mapped IP to 192.168.152.15/32 using virtual router trust-vr

set interface ethernet0/2 vip interface-ip 3389 RDP 192.168.131.15 - Creates a VIP on the interface IP of Ethernet0/2 that forwards port 3389 (service RDP) to 192.168.131.15

Routing
set route 10.145.12.0/24 interface bgroup3/0 gateway 10.145.12.254 description "extranet" - Sets routing destined for 10.145.12.0/24 to use interface bgroup3/0 with a gateway of 10.145.12.254 and a description called extranet

set route 192.168.99.0/24 interface tunnel.5 description "dr-vpn" - Sets routing destined for 192.168.99.0/24 to use interface tunnel.5 with a description called dr-vpn

SNMP Configuration
set snmp community "xoop" Read-Write Trap-on traffic version v1 - Specifies a read-write community called xoop
set snmp host "xoop" 10.16.0.92/32 src-interface bgroup3/0 trap v1 - sets the source interface and destination for SNMP (version one) requests
set snmp location "rack 34" - Specifies SNMP location information
set snmp contact "Erik Rodriguez" - Specifies SNMP contact information
set snmp name "corp-firewall" - Specifies SNMP device information
set snmp port listen 161 - Specifies SNMP listen port (default is UDP 161)
set snmp port trap 162 - Specifies SNMP trap port (default is UDP 162)

Syslog Configuration
set syslog config 192.168.105.76 - Sets the syslog destination IP
set syslog config 192.168.105.76 facilities local0 local1 - Sets the syslog facilities
set syslog src-interface ethernet3/2 - Sets the interface used to reach the syslog server
set syslog enable - Enables sending of log messages to the configured syslog server

NTP Configuration
set ntp server 216.93.242.12 - Enables NTP with 216.93.242.12 as time source
set ntp server src-interface ethernet3/0 - Uses interface Ethernet3/0 to reach NTP update source
set clock ntp - Enables system clock to sync with NTP
exec ntp update - Forces sync of the clock with the NTP server
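As an added example (not code from the original page or from Juniper), the following Python script audits a constructed ScreenOS `get config` dump against the policy, management-interface and SNMP commands listed above: it flags permit policies from Untrust with service ANY, permits without `log`, cleartext management services (telnet, web), and SNMP v1/v2c or Read-Write communities. It assumes the `set policy from ... permit|deny [log]` form shown in this sheet; the sample lines and names are constructed for illustration.

```python
import re
from typing import List

# Constructed sample of "get config" output (not from the original page);
# zone names, addresses and the community string are invented for illustration.
SAMPLE_CONFIG = """
set interface ethernet3/10 manage ssh
set interface ethernet3/10 manage telnet
set interface ethernet3/10 manage web
set snmp community "xoop" Read-Write Trap-on traffic version v1
set policy from Untrust to warehouse Any MIP(216.93.242.16) DNS permit
set policy from Untrust to warehouse Any MIP(216.93.242.16) ANY deny log
set policy from Cisco2821 to DMZ902 192.168.105.0/24 Any ANY nat src permit log
set policy from Untrust to Trust Any Any ANY permit
"""

# Matches: set policy [id N] from SRCZONE to DSTZONE SRC DST SERVICE [nat src [dip-id N]] permit|deny [log]
POLICY_RE = re.compile(
    r'^set policy (?:id \d+ )?from (\S+) to (\S+) (\S+) (\S+) (\S+)'
    r'(?: nat src(?: dip-id \d+)?)? (permit|deny)( log)?$')
MGMT_RE = re.compile(r'^set interface (\S+) manage (\w+)$')
SNMP_RE = re.compile(r'^set snmp community "([^"]+)" (Read-Write|Read-Only) .*version (v\d+c?)$')
CLEARTEXT_MGMT = {"telnet", "web"}  # credentials cross the wire unencrypted


def audit_screenos(config: str) -> List[str]:
    """Return one finding string per weak configuration line (empty list = nothing flagged)."""
    findings = []
    for line in config.strip().splitlines():
        line = line.strip()
        m = POLICY_RE.match(line)
        if m:
            src_zone, _dst_zone, _src, _dst, svc, action, log = m.groups()
            if action == "permit" and src_zone == "Untrust" and svc.upper() == "ANY":
                findings.append(f"permit ANY service from Untrust: {line}")
            if action == "permit" and not log:
                findings.append(f"permit without log: {line}")
            continue
        m = MGMT_RE.match(line)
        if m and m.group(2) in CLEARTEXT_MGMT:
            findings.append(f"cleartext management ({m.group(2)}) on {m.group(1)}")
            continue
        m = SNMP_RE.match(line)
        if m and (m.group(2) == "Read-Write" or m.group(3) in ("v1", "v2c")):
            findings.append(f"SNMP {m.group(3)} {m.group(2)} community {m.group(1)!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_screenos(SAMPLE_CONFIG):
        print("FINDING:", finding)
```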

Troubleshooting

trace-route 216.93.242.12 from ethernet3/0 - Performs a traceroute from a specific interface

ping 216.93.242.12 count 100 from ethernet3/11 - Performs ping to 216.93.242.12 with 100 ICMP echos from interface Ethernet3/11

Sessions
get session src-ip 192.168.1.35 - Displays session information for source device 192.168.1.35

get session dst-ip 216.93.242.12 - Displays session information for destination device 216.93.242.12

get session src-port 3636 - Displays session information for source port 3636

get session dst-port 3389 - Displays session information for destination port 3389

clear session - Immediately clears all software sessions

Events
get event policy-id 35 - Displays any events logged regarding policy ID 35

get event level alert - Displays any logged events deemed Alerts (requiring immediate action)

get event start-date 2011-05-03 - Displays events starting from May 3, 2011

get event start-time 21:26:42 - Displays events starting from 9:26:42 PM

get event include SPI - Displays events which include SPI (IKE activity)

Copyright © 2002-2016 Skullbox.Net All Rights Reserved.
A division of Orlando Tech Works, LLC
By using this site you agree to its Terms and Conditions.
Contact Erik Rodriguez