NetScreen CLI Reference Guide - Juniper Networks



NetScreen, NetScreen Technologies, GigaScreen, and the NetScreen logo are registered trademarks of NetScreen Technologies, Inc. NetScreen-5XP, NetScreen-5XT, NetScreen-25, NetScreen-50, NetScreen-100, NetScreen-204, NetScreen-208, NetScreen-500, NetScreen-1000, NetScreen-5200, NetScreen-5400, NetScreen-Global PRO, NetScreen-Global PRO Express, NetScreen-Remote Security Client, NetScreen-Remote VPN Client, NetScreen-IDP 100, NetScreen-IDP 500, GigaScreen ASIC, GigaScreen-II ASIC, and NetScreen ScreenOS are trademarks of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies. Information in this document is subject to change without notice.

No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without receiving written permission from

NetScreen Technologies, Inc. 350 Oakmead Parkway Sunnyvale, CA 94085 U.S.A. www.netscreen.com

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. The equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

The following information is for FCC compliance of Class B devices: The equipment described in this manual generates and may radiate radio-frequency energy. If it is not installed in accordance with NetScreen's installation instructions, it may cause interference with radio and television reception. This equipment has been tested and found to comply with the limits for a Class B digital device in accordance with the specifications in part 15 of the FCC rules. These specifications are designed to provide reasonable protection against such interference in a residential installation. However, there is no guarantee that interference will not occur in a particular installation.

If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

• Reorient or relocate the receiving antenna.

• Increase the separation between the equipment and receiver.

• Consult the dealer or an experienced radio/TV technician for help.

• Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR NETSCREEN REPRESENTATIVE FOR A COPY.

The NetScreen CLI Reference Guide describes the commands used to configure and manage a NetScreen device from a console interface. This manual is an ongoing publication, published with each NetScreen OS release.

This document is for system and network administrators who have experience configuring a NetScreen device using the Web interface. Using the command line interface requires familiarity with command syntax, arguments, and variables.

The NetScreen Command Line Reference Guide consists of four volumes. All volumes contain the following items:

• A Table of Contents. The Table of Contents in each volume lists the contents of all volumes.

• A title page, which displays the range of commands described, the volume Part Number, and the Rev number.

• Commands, an alphabetized compendium of CLI command descriptions, presented in alphabetical order.

• USGA Features, an appendix that lists and briefly describes zones and interfaces, which are important components of NetScreen's Universal Security Gateway Architecture (USGA).

• An alphabetized Index. The Index in each volume contains index listings for all volumes.

The volumes in this manual are as follows:

Volume 1 describes CLI commands address through clock. It also contains this preface, plus Getting Started, an introductory chapter providing instructions on how to connect a PC to the NetScreen device. It also explains the command syntax format used throughout this Manual.

Volume 2 describes CLI commands config through intervlan-traffic.

Volume 3 describes CLI commands ip through policy.

Volume 3 describes CLI commands pppoe through zone.

To obtain technical documentation for any NetScreen product, visit www.netscreen.com/support/manuals.html. To access the latest NetScreen documentation, see the Current Manuals section. To access archived documentation from previous releases, see the Archived Manuals section.

To obtain the latest technical information on a NetScreen product release, see the release notes document for that release. To obtain release notes, visit www.netscreen.com/support and select Software Download. Select the product and version, then click Go. (To perform this download, you must be a registered user.)

If you find any errors or omissions in the following content, please contact us at the e-mail address below:

[email protected]

This version of the NetScreen Message Log Reference Guide marks the first attempt to document all of the ScreenOS messages. As it stands, this effort continues to be an ongoing project. If you find any errors or omissions in the following content, please contact us at the e-mail address below:

[email protected]

Getting Started

This chapter provides information on how to connect a personal computer (PC) to the NetScreen device so that you can configure the device using the Command Line Interface (CLI). You enter commands at the CLI through a console application such as Telnet or HyperTerminal.

Note: The examples in this guide display output generated from an IBM-compatible PC running the Windows operating system.

Gain access to the NetScreen device you wish to configure, and obtain these items before you start setup:

• a PC to connect to the NetScreen device

• an RS-232 male-to-female serial cable

• a copy of Microsoft's Hyperterminal software, available on the PC

To communicate with the NetScreen device using a console, use a 9600 Baud rate, 8 bits, no parity, 1 stop-bit, and no flow control.

It is not necessary to power off either the PC or the NetScreen device, or to close any running applications on the PC before connecting it to the NetScreen device.

To connect the NetScreen device to the PC:

1. Connect the female end of the RS-232 cable to the serial port on the PC.

2. Connect the male end of the RS-232 cable to the serial port on the NetScreen device. This port is labeled "console."

Note: If you are using a different operating system, you need a VT100 terminal emulator on that system. The terminal emulator allows you to configure the NetScreen device using a console from any operating system, including Windows™, UNIX™, LINUX™, or Macintosh™. If you are configuring the NetScreen device from a remote location, use Telnet to access the console.

Conventions

The following conventions apply to all NetScreen commands.

• To remove a single character, press BACKSPACE or CTRL+H.

• To remove an entire line, press CTRL+U.

• To traverse up to 16 lines forward in the command history buffer, press CTRL+F or the DOWN ARROW key.

• To traverse up to 16 lines backward in the command history buffer, press CTRL+B or the UP ARROW key.

• To see the next available keyword or input and a brief description of its usage, type a question mark ( ? ).

• The console times out and the connection is closed if no keyboard activity is detected for 10 minutes.

Note: To use the arrow keys for navigating among commands in a Telnet session on Windows 95, 98, NT, or 2000: On the Terminal menu, click Preferences…, select the VT100 Arrows check box, and click the OK button.

Most NetScreen CLI commands have changeable parameters that affect the outcome of command execution. NetScreen documentation represents these parameters as variables. Such variables may include names, identification numbers, IP addresses, subnet masks, numbers, dates, and other values.

Variable Notation

The variable notation used in this manual consists of italicized parameter identifiers. For example, the set arp command uses four identifiers, as shown here:

set arp { ip_addr mac_addr interface age number | always-on-dest | no-cache }

where

• ip_addr represents an IP address.

• mac_addr represents a MAC address.

• interface represents a physical or logical interface.

• number represents a numerical value.

Thus, the command might take the following form:

ns-> set arp 172.16.10.11 00e02c000080 ethernet2

where 172.16.10.11 is an IP address, 00e02c000080 is a MAC address, and ethernet2 is a physical interface.

Note: Items you enter into the system are in bold text.

The following list shows the CLI variable names used in NetScreen documents.

comm_name The community name of a host or other device.

date_str A date value.

dev_name A device name, as with flash card memory.

dom_name A domain name, such as "acme" in www.acme.com.

dst_addr A destination address, as with a policy definition that defines a source and destination IP address.

filename The name of a file.

fqdn Fully-qualified domain name, such as www.acme.com.

grp_name The name of a group, such as an address group or service group.

interface A physical or logical interface.

id_num An identification number.

ip_addr An IPv4 address.

ipv6_addr An IPv6 address.

key_str A key, such as a session key, a private key, or a public key.

key_hex A key expressed as a hexadecimal number.

loc_str A location of a file or other resource.

mac_addr A MAC address.

mbr_name The name of a member in a group, such as an address group or a service group.

mask A subnet mask, such as 255.255.255.224 or /24.

name_str The name of an item, such as an address book entry.

number A numeric value, usually an integer, such as a threshold or a maximum.

pol_num A policy number.

port_num A number identifying a logical port.

pref_len A number identifying the prefix length for an IPv6 address.

pswd_str A password.

ptcl_num A number uniquely identifying a protocol, such as TCP, IP, or UDP.

serv_name The name of a server.

shar_secret A shared secret value.

spi_num A Security Parameters Index (SPI) number.

src_addr A source address, as with a policy definition that defines a source and destination IP address.

string A character string, such as a comment.

svc_name The name of a service, such as HTTP or MAIL.

time_str A time value.

tunn_str The name of a tunnel, such as an L2TP tunnel.

url_str A URL, such as www.acme.com.

usr_str A user, usually an external entity such as a dialup user.

vrouter A local virtual router, such as trust-vr or untrust-vr.

zone The name of a security zone.

Some commands contain multiple variables of the same type. The names of such variables may be numbered to identify each individually. For example, the set dip command contains two id_num variables, each numbered for easy identification:

set dip group id_num1 [ member id_num2 ]

Each CLI command description in this manual reveals some aspect of command syntax. This syntax may include options, switches, parameters, and other features. To illustrate syntax rules, some command descriptions use dependency delimiters. Such delimiters indicate which command features are mandatory, and in which contexts.

Dependency Delimiters

Each syntax description shows the dependencies between command features by using special characters.

• The { and } symbols denote a mandatory feature. Features enclosed by these symbols are essential for execution of the command.

• The [ and ] symbols denote an optional feature. Features enclosed by these symbols are not essential for execution of the command, although omitting such features might adversely affect the outcome.

• The | symbol denotes an "or" relationship between two features. When this symbol appears between two features on the same line, you can use either feature (but not both). When this symbol appears at the end of a line, you can use the feature on that line, or the one below it.

Nested Dependencies

Many CLI commands have nested dependencies, which make features optional in some contexts, and mandatory in others. The three hypothetical features shown below demonstrate this principle.

[ feature_1 { feature_2 | feature_3 } ]

The delimiters [ and ] surround the entire clause. Consequently, you can omit feature_1, feature_2, and feature_3, and still execute the command successfully. However, because the { and } delimiters surround feature_2 and feature_3, you must include either feature_2 or feature_3 if you include feature_1. Otherwise, you cannot successfully execute the command.

The following example shows some of the feature dependencies of the set interface command:

set interface vlan1 broadcast { flood | arp [ trace-route ] }

The { and } brackets indicate that specifying either flood or arp is mandatory. By contrast, the [ and ] brackets indicate that the trace-route option for arp is not mandatory. Thus, the command might take any of the following forms:

ns-> set interface vlan1 broadcast flood

ns-> set interface vlan1 broadcast arp

ns-> set interface vlan1 broadcast arp trace-route
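As an added illustration that is not part of the guide, the following Python matcher implements the delimiter rules above ({ } mandatory, [ ] optional, | alternatives, nesting) and checks whether a command line fits a syntax description; it is exercised on the set interface example, on the hypothetical feature_1/feature_2/feature_3 clause, and on the set address syntax from this volume. The VARIABLES set, the function names and the treatment of listed variable names as "any single word" are this example's own assumptions.

```python
"""Checker for the guide's dependency-delimiter notation (added example).

  { a | b }  mandatory: exactly one of the alternatives must appear
  [ a | b ]  optional: at most one of the alternatives may appear
  a b        sequence: both must appear, in this order
  |          separates alternatives inside a delimiter pair

Tokens listed in VARIABLES stand for a value and match any single word;
every other token is a literal keyword.
"""
import re

# Variable names taken from the guide's list (assumed subset). "interface" is
# left out on purpose: in "set interface ..." the same word is a keyword, and
# plain text does not keep the italics the guide uses to tell them apart.
VARIABLES = {"zone", "name_str", "dom_name", "ip_addr", "mask", "string",
             "mac_addr", "number", "id_num1", "id_num2"}


def tokenize(syntax):
    """Split a syntax description into delimiters and words."""
    return re.findall(r"[{}\[\]|]|[^\s{}\[\]|]+", syntax)


def parse(tokens):
    """Build a tree of ('seq', [...]), ('alt', [...]), ('req', node),
    ('opt', node) and ('tok', word) nodes from the token list."""
    pos = 0

    def sequence(closer):
        nonlocal pos
        alternatives, items = [], []
        while pos < len(tokens) and tokens[pos] != closer:
            tok = tokens[pos]
            pos += 1
            if tok == "|":
                alternatives.append(("seq", items))
                items = []
            elif tok in "{[":
                inner = sequence("}" if tok == "{" else "]")
                if pos >= len(tokens):
                    raise ValueError("unclosed " + tok)
                pos += 1  # consume the matching closing delimiter
                items.append(("req" if tok == "{" else "opt", inner))
            elif tok in "}]":
                raise ValueError("unexpected " + tok)
            else:
                items.append(("tok", tok))
        alternatives.append(("seq", items))
        if len(alternatives) == 1:
            return alternatives[0]
        return ("alt", alternatives)

    return sequence(None)


def match(node, words, pos):
    """Return every word index reachable after matching node at pos.
    An empty set means the node cannot be matched here (backtracking
    is implicit: all reachable positions are carried along)."""
    kind, value = node
    if kind == "tok":
        if pos < len(words) and (value in VARIABLES or words[pos] == value):
            return {pos + 1}
        return set()
    if kind == "seq":
        reached = {pos}
        for child in value:
            reached = {q for p in reached for q in match(child, words, p)}
        return reached
    if kind == "alt":
        return set().union(*(match(a, words, pos) for a in value))
    if kind == "req":
        return match(value, words, pos)
    return {pos} | match(value, words, pos)  # "opt": may also be skipped


def accepts(syntax, command):
    """True if the whole command line fits the syntax description."""
    words = command.split()
    return len(words) in match(parse(tokenize(syntax)), words, 0)


if __name__ == "__main__":
    BROADCAST = "set interface vlan1 broadcast { flood | arp [ trace-route ] }"
    for line in ("set interface vlan1 broadcast flood",
                 "set interface vlan1 broadcast arp trace-route",
                 "set interface vlan1 broadcast",
                 "set interface vlan1 broadcast flood trace-route"):
        verdict = "ok" if accepts(BROADCAST, line) else "rejected"
        print(f"{line!r}: {verdict}")
```

Because a variable matches any word, a line such as "set address dmz webserver 172.16.50.9 foo" is accepted under either reading (ip_addr mask, or dom_name string); the device itself, not this matcher, validates the values.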

As you execute CLI commands using the syntax descriptions in this manual, you may find that certain commands and command features are unavailable for your NetScreen device model.

Because NetScreen devices treat unavailable command features as improper syntax, attempting to use such a feature usually generates the unknown keyword error message. When this message appears, confirm the feature's availability using the ? switch. For example, the following commands list available options for the set vpn command:

ns-> set vpn ?

ns-> set vpn vpn_name ?

ns-> set vpn gateway gate_name ?

Redirecting and Filtering Console Output

Most configurable ScreenOS features have settings that you can display on your console using a get command. Each get command has switches that allow you to redirect the command output to a TFTP server, or filter output to include or exclude lines containing certain character strings.

Redirecting

To direct the output of a get command to a text file on a TFTP server, use the greater-than ( > ) switch. The general format for such redirection is as follows:

get keyword > tftp ip_addr filename

For example, to direct the output of the get address command to a text file named addr.txt on a TFTP server at IP address 172.16.3.4:

get address > tftp 172.16.3.4 addr.txt

Filtering

To include or exclude output lines generated by a get command, use the piping symbol ( | ) switch. The general format for such filtering is:

get keyword | include string

get keyword | exclude string

For example, to filter the output of the get interface command, displaying only lines that contain “eth”:

get interface | include “eth”

To filter the output of the get interface command, displaying any line that contains “Null”:

get interface | include “Null”

This volume lists and describes NetScreen Command Line Interface (CLI) commands address through clock.

Note: As you execute CLI commands using the syntax descriptions in this chapter, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the vsys command, which is available on a NetScreen-500 device, but not on a NetScreen-5xp device. Similarly, some command options are unavailable on certain models, as with the df-bit option of the vpn command. This option is available on a NetScreen-500, but not on a NetScreen-5xp.

address

Description: Use the address commands to define entries in the address book of a security zone. You use address book entries to identify addressable entities in policy definitions.

Syntax:

get address zone [ group name_str | name name_str ]

set address zone name_str { dom_name | ip_addr mask } [ string ]

unset address zone name_str

Keywords and Variables

Variable Parameters

Examples: The following command:

• defines an entry named “webserver” in the address book of the DMZ zone

• assigns the entry IP address 172.16.50.9 and netmask 255.255.255.254

set address dmz webserver 172.16.50.9 255.255.255.255

The following command:

• defines an entry (odie) in the address book of the Trust zone

• assigns the entry IP address 172.16.10.1 and netmask 255.255.255.255

• assigns the entry a comment string “Mary_Desktop”

set address trust odie 172.16.10.1 255.255.255.255 Mary_Desktop

The following command deletes an entry (odie) from the address book of the Trust zone:

unset address trust my-partner

zone The name of the security zone. The default security zones to which you can bind an address book include Trust, Untrust, Global, DMZ, V1-Trust, V1-Untrust, and V1-DMZ. You can also assign address book entries to user-defined zones. For more information on zones, see “Security Zone Names” on page A-II.

dom_name The host domain name.

ip_addr The host IP address.

mask The host subnet mask.

string A character string containing a comment line.

group

get address zone group name_str

Example: The following command displays information for an address group named Sales_Group:

get address trust group Sales_Group

name

get address zone name name_str

Example: The following command displays a

group The name of a group of address book entries. You can use an address group in a security policy definition to specify multiple addresses.

name name_str The name of an individual address book entry. You can use an address group in a security policy definition to specify a single address.

admin

Description: Use the admin commands to configure or display administrative parameters for the NetScreen device.

Syntax

clear

clear [ cluster ] admin user { cache | login }

get

get admin [ auth [ banner | settings ] | current-user | manager-ip | scs all | user [ cache | login ] ]

set

set admin { auth
    { banner { console | telnet } login string | server name_str | timeout number } |
    device-reset |
    format { dos | unix } | hw-reset | mail
    { alert | mail-addr1 ip_addr | mail-addr2 ip_addr | server-name { ip_addr | name_str } | traffic-log } |
    manager-ip ip_addr [ mask ] | name name_str | password pswd_str | port port_num | privilege { get-external | read-write } | scs
    { password { disable | enable } username name_str | port port_num } |
    telnet port port_num | user name_str password pswd_str [ privilege { all | read-only } ] }

unset

unset admin { auth
    { banner { console | telnet } login | server | timeout } |
    device-reset | format | hw-reset | mail
    { alert | mail-addr1 | mail-addr2 | server-name | traffic-log } |
    manager-ip { ip_addr | all } | name | password | port | scs [ port ] | telnet port | user name_str }

Keywords and Variables

alert

set admin mail alert

auth

get admin auth [ banner | settings ]

set admin auth { banner { console | telnet } login string | server name_str | timeout number }

unset admin auth { banner { console | telnet } login | server | timeout }

Example: The following command creates a login banner “Telnet Login Here” for new Telnet sessions (for managing the NetScreen device):

set admin auth banner telnet login “Telnet Login Here”

alert Collects system alarms from the device for sending to an email address.

auth Configures admin authentication settings for the NetScreen device.

banner

get admin auth banner

set admin auth banner { console | telnet } login string

unset admin auth banner { console | telnet } login

Example: The following command creates a console login banner "Hyperterminal Management Console":

set admin auth banner console login "Hyperterminal Management Console"

cache

clear [ cluster ] admin user cache

get admin user cache

cluster

clear cluster admin user { cache | login }

Example: The following command clears remote administrative users from the cache and propagates this change to other devices in a NSRP cluster:

clear cluster admin user cache

banner Specifies the banner (string) displayed during login through the console port (console) or a Telnet session (telnet).

cache Clears or displays the memory cache containing all current remote administrative users.

cluster Propagates the clear operation to all other devices in a NSRP cluster.

current-user

get admin current-user

device-reset

set admin device-reset

unset admin device-reset

format

set admin format { dos | unix }

unset admin format

Example: The following command generates the configuration file in UNIX format:

set admin format unix

hw-reset

set admin hw-reset

unset admin hw-reset

current-user Displays the user for the current administrative session.

device-reset Enables device reset for asset recovery.

format Determines the format (dos or unix) used when the NetScreen device generates the configuration file. On some NetScreen device models, you can download this file to a TFTP server or PCMCIA card using the CLI, or to a local directory using the WebUI.

hw-reset Enables hardware reset for asset recovery.

login

clear [ cluster ] admin user login

get admin user login

mail

set admin mail { ... }

unset admin mail { ... }

Example: The following command configures the email address [email protected] to receive updates concerning administrative issues:

set admin mail mail-addr1 [email protected]

mail-addr1

set admin mail mail-addr1 ip_addr

Example: The following command configures the email address [email protected] to receive updates concerning administrative issues:

set admin mail mail-addr1 [email protected]

login Clears or displays all current administrative users.

mail Enables email for sending alerts and traffic logs.

mail-addr1 ip_addr Sets the first email address for sending alert and traffic logs.

mail-addr2

set admin mail mail-addr2 ip_addr

Example: The following command configures the secondary email address pat@acme.com to receive updates concerning administrative issues:

set admin mail mail-addr2 pat@acme.com

manager-ip

get admin manager-ip

set admin manager-ip ip_addr [ mask ]

unset admin manager-ip { ip_addr | all }

Example: The following command restricts management to a single host with IP address 172.16.10.100:

set admin manager-ip 172.16.10.100 255.255.255.255

name

set admin name name_str

unset admin name

Example: The following command changes the root administrator user name to “paul”:

set admin name paul

mail-addr2 Sets the secondary email address for sending alert and traffic logs.

manager-ip Restricts management to a host or a subnet. The default IP address is 0.0.0.0, which allows management from any workstation. All NetScreen devices allow you to specify up to six hosts or subnets at once.

name The login name (name_str) of the root user for the NetScreen device. The maximum length of the name is 31 characters, including all symbols except ?. The name is case-sensitive.

password

set admin password pswd_str

unset admin password

Example: The following command changes the root administrator login password to “build4you”:

set admin password build4you

port

set admin port port_num

unset admin port

Example: The following command changes the port number for the Web administrative interface to 8000:

set admin port 8000

password Specifies the password (pswd_str) of the root user. The maximum length of the password is 31 characters, including all symbols except the special command character “?”.

port Sets the port number (port_num) for detecting configuration changes when using the web. Use any number between 1024 and 32767, or use the default port number (80). Changing the admin port number might require resetting the device (see the reset command).

privilege

set admin privilege { get-external | read-write }

scs

get admin scs all

set admin scs { password { disable | enable } username name_str | port port_num }

unset admin scs [ port ]

Example: The following command enables the password for a user named “rsmith”:

set admin scs password enable username rsmith

privilege Defines the administrative privilege level:

• get-external Instructs the NetScreen device to obtain the admin user privileges externally from the RADIUS server.

• read-write Gives the RADIUS administrator read-write privileges, and ignores the privilege returned from the RADIUS server.

scs Provides access to the Secure Command Shell (SCS) utility. SCS allows you to administer NetScreen devices from an Ethernet connection or a dial-in modem, thus providing secure CLI access over unsecured channels.

• password Sets the password for the user that establishes the SCS session. The enable | disable switch enables or disables password authentication. username name_str specifies the admin user name.

• port port_num Specifies the logical SSH port through which the SCS communication occurs.

server

set admin auth server name_str

unset admin auth server

Example: The following command specifies an authentication server named “Marketing_Admin_AuthS”:

set admin auth server Marketing_Admin_AuthS

server-name

set admin mail server-name ip_addr

Example: The following command specifies an SMTP server at IP address 172.16.10.10:

set admin mail server-name 172.16.10.10

settings

get admin auth settings

telnet

set admin telnet port port_num

server The name of the authentication server used for authenticating admin users.

server-name The IP address or name of the Simple Mail Transfer Protocol (SMTP) server. This server receives email notification of system alarms and traffic logs.

settings Displays admin authentication settings, including the current timeout setting and the admin user type (local or remote).

unset admin telnet port

timeout

set admin auth timeout number

unset admin auth timeout

Example: The following command sets an authentication timeout interval of one hour:

set admin auth timeout 60

traffic-log

set admin mail traffic-log

unset admin mail traffic-log

telnet port Provides CLI access through a Telnet connection. The acceptable range of port_num is 1024 - 32767.

timeout Specifies the length of idle time (in minutes) before the NetScreen device automatically closes the web administrative session. The value can be up to 999 minutes. A value of 0 specifies no timeout. (Telnet admin sessions time out after the console timeout interval expires. You set this interval using the set console timeout command.)

traffic-log Generates a log of network traffic handled by the NetScreen device. The traffic log can contain a maximum of 4,096 entries. The NetScreen device sends a copy of the log file to each specified email address (see mail-addr1 and mail-addr2). This happens when the log is full, or every 24 hours, depending upon which occurs first.

user

get admin user [ cache | login ]

set admin user name_str password pswd_str [ privilege { all | read-only } ]

unset admin user name_str

Example: The following command creates a non-root administrator named “rsmith”, with password “swordfish”:

set admin user rsmith password swordfish privilege all

Defaults

The default admin name and password are netscreen.

The default manager-ip is 0.0.0.0, and the default subnet mask is 255.255.255.255.

The default privilege for a super-administrator is read-only.

The default admin port is 80.

The default mail alert setting is off.

The default for device reset is on.

user Creates or displays a non-root administrator (super-administrator or sub-administrator). The maximum user name length is 31 characters, including all symbols except ?. The user name is case-sensitive. The privilege switch determines the privilege level of the user (all or read-only).
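The Defaults above are what a reviewer checks first in a saved configuration. The following Python script is an added example, not code from this guide: it parses the set admin lines of a constructed configuration dump and flags settings left at the weak defaults this section describes (default root name, unrestricted manager-ip, web administration on port 80, auth timeout 0, mail alert off), and lists non-root administrators created with the all privilege. The configuration text and every value in it are made up.

```python
"""Audit the 'set admin' statements in a saved ScreenOS configuration against the
Defaults listed in this section: root admin name 'netscreen', manager-ip 0.0.0.0
(management from any workstation), web admin port 80, mail alert off, and an
auth timeout of 0 (no timeout). Added example; not code from the NetScreen guide."""
import shlex

# Constructed configuration dumps; every value is made up for this example.
SAMPLE_CONFIG = """\
set admin name netscreen
set admin port 80
set admin auth timeout 0
set admin user rsmith password swordfish privilege all
set admin user audit1 password readme1 privilege read-only
set admin auth banner telnet login "Telnet Login Here"
set admin mail server-name 172.16.10.10
"""

HARDENED_CONFIG = """\
set admin name paul
set admin manager-ip 172.16.10.100 255.255.255.255
set admin port 8000
set admin auth timeout 60
set admin mail server-name 172.16.10.10
set admin mail alert
set admin user audit1 password readme1 privilege read-only
"""

# Keywords that may appear on several 'set admin' lines of one configuration.
REPEATABLE = ("manager-ip", "user", "mail", "auth")


def parse_admin_config(text):
    """Collect 'set admin <keyword> args...' lines into a dict keyed by keyword.

    Repeatable keywords accumulate a list of argument lists; any other keyword
    keeps the argument tokens of its last occurrence."""
    cfg = {key: [] for key in REPEATABLE}
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if len(tokens) < 3 or tokens[:2] != ["set", "admin"]:
            continue
        keyword, args = tokens[2], tokens[3:]
        if keyword in REPEATABLE:
            cfg[keyword].append(args)
        else:
            cfg[keyword] = args
    return cfg


def audit_admin_config(text):
    """Return (code, message) findings for admin settings left at a weak default."""
    cfg = parse_admin_config(text)
    findings = []

    # An absent 'set admin name' means the factory default root name is in use.
    if (cfg.get("name") or ["netscreen"])[0] == "netscreen":
        findings.append(("default-name", "root admin login name is the default 'netscreen'"))

    # Default manager-ip 0.0.0.0 lets any workstation reach the management interface.
    if not [m for m in cfg["manager-ip"] if m and m[0] != "0.0.0.0"]:
        findings.append(("manager-ip-any", "no manager-ip restriction; any host may manage the device"))

    if (cfg.get("port") or ["80"])[0] == "80":
        findings.append(("default-port", "web administration listens on the default port 80"))

    # 'set admin auth timeout 0' means idle admin sessions never time out.
    if any(a[:2] == ["timeout", "0"] for a in cfg["auth"]):
        findings.append(("no-timeout", "admin auth timeout is 0 (idle sessions never expire)"))

    if not any(m[:1] == ["alert"] for m in cfg["mail"]):
        findings.append(("alert-off", "mail alert is off (default); system alarms are not emailed"))

    # Report every non-root administrator created with the 'all' (read-write) privilege.
    for user in cfg["user"]:
        if "privilege" in user and user[user.index("privilege") + 1:][:1] == ["all"]:
            findings.append(("rw-admin", f"non-root admin '{user[0]}' has read-write privilege"))
    return findings


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} ==")
        for code, message in audit_admin_config(text):
            print(f"{code:15} {message}")
```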

alarm

Description: Use the alarm commands to set alarm parameters.

Syntax

clear

clear [ cluster ] alarm traffic [ policy pol_num1 [ -pol_num2 ] ] [ end-time string ]

get

get alarm { threshold | traffic
    [ policy { pol_num1 [ -pol_num2 ] } ] [ service name_str ]
    [ src-address ip_addr ] [ dst-address ip_addr ] [ detail
    [ start-time string ] [ end-time string ] [ minute | second
    [ threshold number [ -number ] [ rate number [ -number ] ] ]
    ] ] }

set

set alarm threshold { cpu number | memory number | session { count number | percent number } }

unset

unset alarm threshold { CPU | memory | session }

Keywords and Variables

cluster

clear cluster alarm traffic [ ... ]

Example: The following command clears the alarm table entries for policy 4 and propagates the change to other devices in a NSRP cluster:

clear cluster alarm traffic policy 4

detail

get alarm traffic [ ... ] detail [ ... ]

Example: The following command displays event alarm entries or traffic alarm entries that occur on or after January 1, 2003:

get alarm traffic detail start-time 01/01/2003

cluster Propagates the clear operation to all other devices in a NSRP cluster.

detail Displays detailed information for each Access Policy, including all traffic alarm entries that occurred under the policy. If you omit this option, the output contains only general information and the time of the most recent alarm for each policy.

end-time, start-time

clear [ cluster ] alarm traffic policy [ ... ] end-time number

get alarm traffic [ ... ] end-time number

get alarm traffic [ ... ] start-time number

Example: The following command performs a detailed display of traffic alarm entries at (or after) 11:59pm, December 31, 2003 and at or before 12:00am, December 31, 2004:

get alarm traffic detail start-time 12/31/2003-23:59:00 end-time 12/31/2004-24:00:00

policy

clear [ cluster ] alarm traffic policy pol_num1 [ -pol_num2 ] [ ... ]

get alarm traffic policy pol_num

Example: The following command clears the entries for policy 2 in the alarm table:

clear alarm traffic policy 2

start-time, end-time The start-time option displays event alarm entries or traffic alarm entries that occurred at or before the time specified. The end-time option displays event alarm entries or traffic alarm entries that occurred at or after the time specified. The format for string is mm/dd[/yy-hh:mm:ss]. You can omit the year (the current year is the default), or express the year using the last two digits or all four digits. The hour, minute, and second are optional. The delimiter between the date and the time can be a dash or an underscore:

12/31/2002-23:59:00

12/31/2002_23:59:00

policy Displays traffic alarm entries for an Access Policy specified by its ID number or for several access policies specified by a range of ID numbers. The ID number can be any value between 0 and the total number of established access policies. To define a range, enter the starting and ending ID numbers as follows: pol_num1-pol_num2

second | minute

get alarm traffic [ ... ] detail

Example: The following command displays traffic alarm entries for policies with threshold settings at bytes per second:

get alarm traffic detail second

service

get alarm traffic [ ... ] service name_str [ ... ]

Example: The following command displays traffic alarm entries for the HTTP service:

get alarm traffic service http

second | minute Displays traffic alarm entries for access policies with threshold settings at bytes per second or bytes per minute.

• The rate number [ -number ] option displays traffic alarm entries for access policies with a flow rate at a specified value or within a specified range.

• The threshold number [ -number ] option displays traffic alarm entries for access policies with a threshold at a specified value or within a specified range.

service Displays traffic alarm entries for a specified service (name_str), such as TCP, ICMP, or FTP. (To display all services, make the name_str value Any.) The name does not have to be complete; for example, both TC and CP are recognized as TCP. Although you cannot specify a Service group, note that because TP is recognized as FTP, HTTP, and TFTP, entering TP displays traffic alarm entries for all three of these Services.

src-address, dst-address

get alarm traffic [ ... ] src-address ip_addr [ ... ]

get alarm traffic [ ... ] dst-address ip_addr [ ... ]

Example: The following command displays traffic alarm entries originating from IP address 172.16.9.9 and destined for IP address 172.16.10.10:

get alarm traffic src-address 172.16.9.9 dst-address 172.16.10.10

threshold

get alarm threshold

get alarm traffic [ ... ] threshold number [ -number ]

set alarm threshold { ... }

unset alarm threshold { CPU | memory | session }

Example: The following command sets the session limit threshold to 75,000 sessions:

set alarm threshold session count 75000

src-address Displays traffic alarm entries originating from a specified IP address (ip_addr) or from a specified direction, such as inside_any or outside_any.

dst-address Displays traffic alarm entries destined for a specified IP address (ip_addr) or for a specified direction, such as inside_any or outside_any.

threshold Displays traffic alarm entries for access policies with threshold settings at a specified value or within a specified range.

• cpu number sets the cpu threshold.

• memory number sets the memory threshold.

• session sets the session threshold. The count number option specifies how many sessions can exist before the device generates an alarm. The percent number option specifies what percentage of the session limit is allowable before the device generates an alarm.

traffic

clear [ cluster ] alarm traffic [ ... ]

get alarm traffic [ ... ]

Example: The following command performs a detailed display of traffic alarm entries originating from IP address 172.16.9.9 and destined for IP address 172.16.10.10:

get alarm traffic src-address 172.16.9.9 dst-address 172.16.10.10 detail

traffic Specifies traffic alarm entries.

alias

Description: Use the alias commands to create, remove, or list named aliases representing CLI commands. After creating an alias, you can use the alias name to execute the represented command.

Syntax

get

get alias

set

set alias name_str string

unset

unset alias name_str

Keywords and Variables

Variable Parameters

Example: The following commands create an alias representing the get interface ethernet1/1 command, then execute the command using the alias:

set alias int_1 "get interface ethernet1/1"

int_1

name_str The name of the CLI command alias.

string The CLI command to which you assign the alias.

all

Description: Use the unset all command to return all configuration settings to the factory default values.

Syntax

unset

unset all

Keywords and Variables

None.

Example: In the following example, you reset the device to its factory default settings and reset the device.

1. Execute the unset all command.

unset all

The following prompt appears: “Erase all system config, are you sure y / [n]?”

2. Press the Y key. This action returns the system configuration to the factory default settings.

3. Execute the reset command.

reset

The following prompt appears: “Configuration modified, save? [y] / n”

4. Press the N key. This action generates the following prompt: “System reset, are you sure? y / [n] n”

5. Press the Y key. This action reboots the system. The device now has its original factory default settings.

arp

Description: Use the arp commands to create, remove, or list interface entries in the Address Resolution Protocol (ARP) table.

Syntax

clear

clear [ cluster ] arp

get

get arp

set

set arp { ip_addr mac_addr interface | age number | always-on-dest }

unset

unset arp { ip_addr [ interface ] | age | always-on-dest }

Keywords and Variables

Variable Parameters

set arp ip_addr mac_addr interface

Example: The following command creates an entry in the ARP table for physical interface ethernet4 with IP address 10.1.1.1 and MAC address 00104587bd22:

set arp 10.1.1.1 00104587bd22 ethernet4

age

set arp age number

always-on-dest

set arp always-on-dest

ip_addr The IP address for the interface in the ARP table entry.

mac_addr The MAC address for the interface in the ARP table entry.

interface The name of the ARP interface in the ARP table entry. For more information on interfaces, see “Interface Names” on page A-IV.

age Sets the age-out value (in seconds) for ARP entries.

always-on-dest Directs the NetScreen device to send an ARP request for any incoming packet with a heading containing a MAC address not yet listed in the device’s MAC address table. This may be necessary when packets originate from server load-balancing (SLB) switches or from devices using the Hot Standby Router Protocol/Virtual Router Redundancy Protocol (HSRP/VRRP).

cluster

clear [ cluster ] arp

cluster Propagates the clear operation to all other devices in a NSRP cluster.

auth

Description: Use the auth commands to specify a user authentication method. The four available methods are:

• a built-in database

• a RADIUS server

• SecurID

• Lightweight Directory Access Protocol (LDAP)

Syntax

clear

clear [ cluster ] auth [ history | queue | table [ id id_num | ip ip_addr ] ]

Note: If the NetScreen device uses SecurID to authenticate users, and communication problems occur with the ACE server, clear the current SecurID shared secret from the device (and the server) by executing the clear node_secret command.

get

get auth [ banner | history [ id id_num | ip ip_addr ] | queue | settings | table [ id id_num | ip ip_addr ] ]

set

set auth { banner { ftp | http | telnet }
    { fail string | login string | success string } |
    default auth server name_str }

unset

unset auth { banner { ftp | http | telnet }
    { fail | login | success } |
    default auth server }

Keywords and Variables

banner

get auth banner

set auth banner { ftp | http | telnet }

unset auth banner { ftp | http | telnet }

Example: The following command defines a banner for a failed FTP login attempt:

set auth banner ftp fail "FTP login attempt failed"

cluster

clear [ cluster ] auth [ ... ]

banner Defines or displays firewall banners. The NetScreen device uses these banners to report success or failure of login requests.

• ftp Reports on the success or failure of FTP login requests.

• http Reports on the success or failure of HTTP login requests.

• telnet Reports on the success or failure of Telnet login requests.

- fail string Specifies a message string to display when a login attempt fails.

- login string Specifies a message string to display when a login attempt occurs.

- success string Specifies a message string to display when a login attempt is successful.

cluster Propagates the clear operation to all other devices in a NSRP cluster.

default

set auth default auth server name_str

unset auth default auth server

Example: The following command identifies the default authentication server (Auth_Server):

set auth default auth server Auth_Server

history

clear [ cluster ] auth history

get auth history [ id id_num | ip ip_addr ]

queue

clear [ cluster ] auth queue

get auth queue

settings

get auth settings

default auth server Specifies a default firewall authentication server (name_str). The NetScreen device uses this server when a security policy does not explicitly identify a particular authentication server.

history Clears or displays the history of users authenticated through the NetScreen device.

queue Clears or displays the internal user authentication queue.

settings Displays default user authentication server settings. (This option yields the same display as the get auth command.)

table

clear [ cluster ] auth table [ id id_num | ip ip_addr ]

get auth table [ id id_num | ip ip_addr ]

Examples: The following command clears entry 7 from the user authentication table:

clear auth table id 7

The following command displays authentication details from a table entry with source IP 172.16.10.10:

get auth table ip 172.16.10.10

table Clears entries from the user authentication table (thus forcing reauthentication), or displays such entries. Entries in the user authentication table can represent:

• Users currently authenticated

• Users currently undergoing authentication

• Users denied authentication

Without parameters (described below), the table option clears or displays all table entries.

• id id_num Clears or displays a particular entry by ID (id_num).

• ip ip_addr Clears or displays all entries with a common source IP address (ip_addr).

auth-server

Description: Use the auth-server commands to configure the NetScreen device for user authentication with a specified authentication server. Access policies, VPN tunnel specifications, and XAUTH configurations use these server specifications to gain access to the appropriate resources.

Syntax

get

get auth-server { string | all | id id_num }

set

set auth-server name_str { account-type { [ admin ] | [ auth ] [ l2tp ] [ xauth ] } |
    backup1 name_str | backup2 name_str | id id_num | ldap
    { cn name_str | dn name_str | port port_num | server-name name_str } |
    radius-port port_num | secret shar_secret | securid
    { auth-port port_num | duress number | encr id_num | retries number | timeout number } |
    server-name name_str | timeout number | type { ldap | radius | securid } }

unset

unset auth-server { string
    [ account-type
    { admin | [ auth ] [ ike ] [ l2tp ] [ xauth ] } |
    backup1 | backup2 | radius-port | timeout | type ] |
    id id_num }

Keywords and Variables

Variable Parameters

set auth-server name_str [ ... ]

Example: The following command creates a server object name (radius1) and specifies type RADIUS:

set auth-server radius1 type radius

all

get auth-server all

account-type

set auth-server name_str account-type { [ admin ] | [ auth ] [ l2tp ] [ xauth ] }

name_str The object name of the authentication server.

all Specifies all configured authentication servers.

account-type Specifies the kinds of users authenticated by the server (name_str).

• admin specifies admin users.

• auth specifies firewall users.

• l2tp specifies Layer 2 Tunneling Protocol (L2TP) users.

• xauth specifies XAUTH users.

backup1 | backup2

set auth-server name_str { backup1 name_str | backup2 name_str }

unset auth-server name_str { backup1 | backup2 }

Example: The following commands create an auth server, with a primary backup server (Reserve_1) and a secondary backup server (Reserve_2):

set auth-server Our_Server backup1 Reserve_1

set auth-server Our_Server backup2 Reserve_2

id

get auth-server id id_num

set auth-server name_str id id_num

unset auth-server id id_num

Example: The following command creates an identification number (200) for the authentication server (Our_Server):

set auth-server Our_Server id 200

backup1 The IP address or name of the primary backup server.

backup2 The IP address or name of the secondary backup server.

id The identification number (id_num) of the authentication server.

ldap

set auth-server name_str ldap { cn name_str | dn name_str | port port_num | server-name name_str }

Example: For an example of this option, see “Defining an LDAP Server Object” on page 43.

radius-port

set auth-server name_str radius-port port_num

unset auth-server name_str radius-port

Example: For an example of this option, see “Defining a RADIUS Server Object” on page 42.

ldap Configures the NetScreen device to use an LDAP server for authentication.

• cn name_str The Common Name identifier for the LDAP server.

• dn name_str The Distinguished Name identifier for the LDAP server.

• port port_num Specifies the port number to use for communication with the LDAP server.

• server-name name_str The DNS name or IP of the LDAP server.

radius-port Specifies the logical port (port_num) for communication with the RADIUS server.

secret

set auth-server name_str secret shar_secret

Example: For an example of this option, see “Defining a RADIUS Server Object” on page 42.

securid

set auth-server name_str securid { auth-port port_num | duress number | encr id_num | retries number | timeout number }

Example: For an example of this option, see “Defining a SecurID Server Object” on page 42.

secret Specifies the RADIUS shared secret (shar_secret).

securid Configures the NetScreen device to use a SecurID server for authentication.

• auth-port port_num Specifies the port number to use for communications with the SecurID server.

• duress { 0 | 1 } Specifies if the SecurID server is licensed to use duress mode. A value of 0 means False, and 1 means True. When duress mode is active, the user can enter a special duress PIN number. The NetScreen device allows the transaction, but sends a signal to the SecurID server, indicating that someone is forcing the user to login against his or her will.

• encr { 0 | 1 } Specifies the encryption algorithm for SecurID network traffic. A value of 0 specifies SDI, and 1 specifies DES. The default type DES is recommended.

• retries number Specifies the number of retries between requests for authentication.

• timeout number Specifies the length of time (in seconds) that the NetScreen device waits between authentication retry attempts.

server-name

set auth-server name_str server-name ip_addr | name_str

timeout

set auth-server name_str timeout number

unset auth-server name_str timeout

Example: For an example of this option, see “Defining a SecurID Server Object” on page 42.

type

set auth-server name_str type { ldap | radius | securid }

Example: For an example of this option, see “Defining a RADIUS Server Object” on page 42.

server-name The IP address or name of the authentication server.

timeout Specifies how many minutes (number) elapse after termination of the user’s last session before the user needs to reauthenticate.

type Specifies the type of authentication server (ldap, radius or securid). The unset command sets type to radius.

Defining a RADIUS Server Object

The following commands define an auth-server object for a RADIUS server:

set auth-server radius1 type radius

set auth-server radius1 account-type auth l2tp xauth

set auth-server radius1 server-name 10.20.1.100

set auth-server radius1 backup1 10.20.1.110

set auth-server radius1 backup2 10.20.1.120

set auth-server radius1 radius-port 4500

set auth-server radius1 timeout 30

set auth-server radius1 secret A56htYY97kl

save

If you are using vendor-specific attributes, load the netscreen.dct file on the RADIUS server after executing these commands.

Defining a SecurID Server Object

The following commands define an auth-server object for a SecurID server:

set auth-server securid1 type securid

set auth-server securid1 server-name 10.20.2.100

set auth-server securid1 backup1 10.20.2.110

set auth-server securid1 timeout 60

set auth-server securid1 account-type admin

set auth-server securid1 securid retries 3

set auth-server securid1 securid timeout 10

set auth-server securid1 securid auth-port 15000

set auth-server securid1 securid encr 1

set auth-server securid1 securid duress 0

save

Defining an LDAP Server Object

The following commands define an auth-server object for an LDAP server:

set auth-server ldap1 type ldap

set auth-server ldap1 account-type auth

set auth-server ldap1 server-name 10.20.3.100

set auth-server ldap1 backup1 10.20.3.110

set auth-server ldap1 backup2 10.20.3.120

set auth-server ldap1 timeout 40

set auth-server ldap1 ldap port 15000

set auth-server ldap1 ldap cn cn

set auth-server ldap1 ldap dn c=us;o=netscreen;ou=marketing

save

The following command lists all auth-server settings:

get auth-server all
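The auth-server keywords above interact: the securid and ldap sub-options only make sense on an object whose type matches, a radius object needs a shared secret, and unset type falls back to radius. The following Python script is an added example, not part of the NetScreen guide or of ScreenOS: it parses set auth-server lines in the syntax documented in this section, rebuilds one record per object, and reports inconsistencies of exactly those kinds. The sample configuration is constructed here (the guide's three examples, plus one deliberately inconsistent object named radius2); the check rules are this example's own reading of the keyword descriptions, not a ScreenOS validation feature.

```python
"""Consistency check for ScreenOS-style 'set auth-server' command lines.

Added example (not from the NetScreen guide). It parses the command lines,
rebuilds one record per auth-server object and reports configurations that
are inconsistent with the keyword descriptions in this chapter:
  - 'securid ...' or 'ldap ...' options on an object whose type differs
  - a radius object (explicit or defaulted) with no shared secret
  - an ldap object with no dn
  - any object without a server-name
"""
import shlex
from collections import defaultdict

# Constructed sample: the guide's three examples plus one inconsistent
# object (radius2: no type, so radius by default, but securid options,
# no secret and no server-name).
SAMPLE_CONFIG = """
set auth-server radius1 type radius
set auth-server radius1 account-type auth l2tp xauth
set auth-server radius1 server-name 10.20.1.100
set auth-server radius1 backup1 10.20.1.110
set auth-server radius1 radius-port 4500
set auth-server radius1 timeout 30
set auth-server radius1 secret A56htYY97kl
set auth-server securid1 type securid
set auth-server securid1 server-name 10.20.2.100
set auth-server securid1 account-type admin
set auth-server securid1 securid retries 3
set auth-server securid1 securid encr 1
set auth-server ldap1 type ldap
set auth-server ldap1 account-type auth
set auth-server ldap1 server-name 10.20.3.100
set auth-server ldap1 ldap cn cn
set auth-server ldap1 ldap dn c=us;o=netscreen;ou=marketing
set auth-server radius2 account-type auth
set auth-server radius2 securid encr 0
"""

# Keywords taking a single value, and the two keywords with sub-options.
SCALAR = {"type", "server-name", "backup1", "backup2", "radius-port",
          "timeout", "secret", "id"}
GROUPED = {"ldap", "securid"}


def parse_auth_servers(text):
    """Return {name: {keyword: value}} for every 'set auth-server' line.

    Sub-options are stored as 'securid.retries', 'ldap.dn', and so on;
    account-type keeps the list of user kinds. Other lines are skipped.
    """
    servers = defaultdict(dict)
    for line in text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["set", "auth-server"] or len(tok) < 4:
            continue
        name, key, args = tok[2], tok[3], tok[4:]
        rec = servers[name]
        if key == "account-type":
            rec["account-type"] = args
        elif key in SCALAR and len(args) == 1:
            rec[key] = args[0]
        elif key in GROUPED and len(args) == 2:
            rec[f"{key}.{args[0]}"] = args[1]
    return dict(servers)


def audit(servers):
    """Return a sorted list of (name, finding) pairs; empty means consistent."""
    findings = []
    for name, rec in sorted(servers.items()):
        # "The unset command sets type to radius": radius is the default type.
        stype = rec.get("type", "radius")
        for group in GROUPED:
            if any(k.startswith(group + ".") for k in rec) and stype != group:
                findings.append((name, f"{group} options set but type is {stype}"))
        if stype == "radius" and "secret" not in rec:
            findings.append((name, "radius server without shared secret"))
        if stype == "ldap" and "ldap.dn" not in rec:
            findings.append((name, "ldap server without dn"))
        # server-name may be given directly or as an ldap/securid sub-option.
        if "server-name" not in rec and f"{stype}.server-name" not in rec:
            findings.append((name, "no server-name configured"))
    return findings


if __name__ == "__main__":
    for name, msg in audit(parse_auth_servers(SAMPLE_CONFIG)):
        print(f"{name}: {msg}")
```

Run against the sample, only radius2 is reported (securid options on a radius-typed object, missing secret, missing server-name); the three objects taken from the guide pass.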

bgp

Description: Use the bgp context to configure a BGP virtual router in a NetScreen device.

Context Initiation

Initiating the bgp context requires two steps:

1. Enter the vrouter context by executing the set vrouter command:

set vrouter vrouter

where vrouter is the name of the virtual router. (For all examples that follow, assume that vrouter is the trust-vr virtual router.)

2. Enter the bgp context by executing the set protocol bgp command.

ns(trust-vr)-> set protocol bgp

Commands

The following commands are executable in the bgp context.

advertise-default-route Use the advertise-default-route commands to send the NetScreen device as the default route for all peer devices. Command options: set, unset

aggregate Use aggregate commands to create, display, or delete aggregates. Aggregation is a technique for summarizing a range of routing addresses into a single route entry, expressed as an IP address and a subnet mask. Aggregates can reduce the size of the routing table, while maintaining its level of connectivity. In addition, aggregates can reduce the number of advertised addresses, thus reducing overhead. Command options: get, set, unset

always-compare-med Use the always-compare-med commands to enable, disable, or display the current always-compare-med setting. When you enable this setting, the NetScreen device compares paths from different autonomous systems (ASs) using the Multi-Exit Discriminator (MED). The MED determines the most suitable route to the neighbor device. Command options: get, set, unset

as-path-access-list Use as-path-access-list commands to create, remove, or display a regular expression in an AS-Path access list. An AS-path access list serves as a packet filtering mechanism. The NetScreen device can consult such a list and permit or deny BGP packets based on the regular expressions contained in the list. The system can have up to 99 AS-path access lists. Command options: get, set, unset

community-list Use community-list commands to enter a router in a community list, to remove a router from the list, or to display the list. A community consists of routes containing the same community attribute. This attribute is an identifier that classifies the routes according to some useful criterion. All routes with the same community attribute are said to be members of the same community. Routers can use the community attribute when they need to treat two or more advertised routes in the same way. Command options: get, set, unset

confederation Use the confederation commands to create a confederation, to remove a confederation, or to display confederation information. Confederation is a technique for dividing an AS into smaller sub-ASs and grouping them. Using confederations reduces the number of connections inside an AS, simplifying the routing matrices created by meshes. Command options: get, set, unset

enable Use the enable commands to enable or disable BGP. Command options: get, set, unset

flap-damping Use the flap-damping commands to enable or disable the flap-damping setting. Enabling this setting blocks the advertisement of a route until the route becomes stable. Flap damping allows the NetScreen device to prevent routing instability at an AS border router, adjacent to the region where instability occurs. Command options: get, set, unset

hold-time Use the hold-time commands to specify or display the maximum amount of time (in seconds) that can elapse between keepalive messages received from the BGP neighbor. Command options: get, set, unset

keepalive Use the keepalive commands to specify the amount of time (in seconds) that elapses between keepalive packet transmissions. These transmissions ensure that the TCP connection between the local BGP router and a neighbor router is up. Command options: get, set, unset

local-pref Use this command to configure a LOCAL_PREF value on a BGP router. The LOCAL_PREF attribute is the metric most often used in practice to express preferences for one set of paths over another for IBGP. Command options: get, set, unset

med Use the med commands to specify or display the local Multi-Exit Discriminator (MED) ID number. The MED determines the most suitable entry or exit point when there are multiple exit/entry points to the same neighbor autonomous system (AS). Command options: get, set, unset

neighbor Use the neighbor commands to set or display general configuration parameters for the local BGP virtual router. The device uses these parameters while establishing a BGP connection to another autonomous system (AS). Command options: clear, exec, get, set, unset

network Use the network commands to create, display, or delete network and subnet entries. The BGP virtual router advertises these entries to peer devices, without first requiring redistribution into BGP (as with static routing table entries). Command options: get, set, unset

redistribute Use the redistribute commands to import routes advertised by external routers that use protocols other than BGP, or to display the current redistribution settings. Command options: get, set, unset

reflector Use the reflector commands to allow the local BGP virtual router to serve as a route reflector. A route reflector is a router that passes Interior BGP (IBGP) learned routes to specified IBGP neighbors (clients), thus eliminating the need for each router in a full mesh to talk to every other router. The clients use the route reflector to readvertise routes to the entire autonomous system (AS). Command options: get, set, unset

reject-default-route Use the reject-default-route commands to enable, disable, or display the reject-default-route setting. Enabling this setting makes the NetScreen device ignore default route advertisements from the BGP peer router. Command options: get, set, unset

synchronization Use the synchronization command to enable synchronization with Interior Gateway Protocol (IGP). Command options: set, unset

aggregate

Description: Use aggregate commands to create, display, or delete aggregates.

Aggregation is a technique for summarizing a range of routing addresses into a single route entry. Each aggregate is an address range expressed as an IP address and a subnet mask value. Aggregates can reduce the size of a router’s routing table, while maintaining its level of connectivity. In addition, aggregation can reduce the number of advertised addresses, thus reducing overhead.

Before you can execute an aggregate command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax

get

get aggregate

set

set aggregate [ ip ip_addr/mask ] [ as-set ] [ summary-only ]

unset

unset aggregate [ ip ip_addr/mask ]

Keywords and Variables

ip

set aggregate ip ip_addr/mask

Example: The following command creates an aggregate router entry in the trust-vr local router:

set aggregate ip 192.168.10.0/24

as-set

set aggregate [ ... ] as-set [ ... ]

Example: The following command configures the aggregate for AS-SET:

set aggregate ip 192.168.10.0/24 as-set

summary-only

set aggregate [ ... ] summary-only

Example: The following command configures the aggregate to filter out specific routes:

set aggregate ip 192.168.10.0/24 summary-only

ip Specifies the IP address (ip_addr) and subnet mask (mask) that comprise the new aggregate.

as-set Specifies that the aggregate uses AS-SET instead of AS-SEQUENCE.

summary-only Filters out more specific routes from updates.

always-compare-med

Description: Use the always-compare-med commands to enable, disable, or display the current always-compare-med setting. When you enable this setting, the NetScreen device compares paths from each autonomous system (AS) using the Multi-Exit Discriminator (MED). The MED determines the most suitable route to the neighbor device.

Before you can execute an always-compare-med command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax

get

get always-compare-med

set

set always-compare-med

unset

unset always-compare-med

Keywords and Variables

None.

as-path-access-list

Description: Use as-path-access-list commands to create, remove, or display a regular expression in an AS-Path access list.

An AS-path access list serves as a packet filtering mechanism. The NetScreen device can consult such a list and permit or deny BGP packets based on the regular expressions contained in the list.

Before you can execute an as-path-access-list command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax

get

get as-path-access-list

set

set as-path-access-list id_num { deny | permit } string

unset

unset as-path-access-list id_num { deny | permit } string

Keywords and Variables

Variable Parameters

set as-path-access-list id_num { deny | permit } string

unset as-path-access-list id_num { deny | permit } string

deny | permit

set as-path-access-list id_num { deny | permit } string

unset as-path-access-list id_num { deny | permit } string

Example: The following command places the regular expression “23” in an AS-Path access list with ID number 10:

ns(trust-vr/bgp)-> set as-path-access-list 10 permit 23

id_num The identification number of the access list (range 1 - 99 inclusive).

string The regular expression used for BGP packet filtering.

deny | permit Denies or permits BGP packets containing the regular expression.

community-list

Description: Use community-list commands to enter a router in a community list, to remove a router from the list, or to display the list.

A community consists of routes containing the same community attribute. This attribute is an identifier that classifies the routes according to some useful criterion. All routes with the same community attribute are said to be members of the same community. Routers can use the community attribute when they need to treat two or more advertised routes in the same way.

Before you can execute a community-list command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax

get

get community-list

set

set community-list id_num1 { deny | permit } [ id_num2 | as id_num3 id_num4 | no-advertise | no-export | no-export-subconfed ]

unset

unset community-list id_num1 { deny | permit } [ id_num2 | as id_num3 id_num4 | no-advertise | no-export | no-export-subconfed ]

Keywords and Variables

Variable Parameters

set community-list id_num1 { deny | permit } [ id_num2 | ... ]

unset community-list id_num1 { deny | permit } [ id_num2 | ... ]

Example: The following command denies BGP traffic for routers with entries in the community list (20).

ns(trust-vr/bgp)-> set community-list 20 deny

as

set community-list id_num1 { deny | permit } as id_num3 id_num4

unset community-list id_num1 { deny | permit } as id_num3 id_num4

Example: The following command creates a community list with an ID of 10, running on an AS with an ID number of 40:

ns(trust-vr/bgp)-> set community-list 10 permit as 40 10

deny | permit

set community-list id_num1 { deny | permit } [ ... ]

unset community-list id_num1 { deny | permit } [ ... ]

Example: The following command permits BGP traffic for routers with entries in the community list (30).

id_num1 The Identification Number of the community list (range 1 - 99 inclusive).

id_num2 The ID number of the community value (between 0 and 63 inclusive).

as The ID number of the AS (id_num3) and the ID number (id_num4) of the community value.

deny | permit Denies or permits BGP traffic for routers with entries in the community list.

ns(trust-vr/bgp)-> set community-list 30 permit

no-advertise

set community-list id_num1 { deny | permit } no-advertise

unset community-list id_num1 { deny | permit } no-advertise

Example: The following command permits BGP traffic for routers with entries in the community list (30), while preventing advertisement of the listed network destinations.

ns(trust-vr/bgp)-> set community-list 30 permit no-advertise

no-export

set community-list id_num1 { deny | permit } no-export

unset community-list id_num1 { deny | permit } no-export

no-export-subconfed

set community-list id_num1 { deny | permit } no-export-subconfed

unset community-list id_num1 { deny | permit } no-export-subconfed

no-advertise Specifies that the NetScreen device does not advertise the listed network destinations to any peer devices.

no-export Specifies that the NetScreen device does not advertise the listed network destinations to EBGP peers, except sub-autonomous systems within the confederation.

no-export-subconfed Specifies that the NetScreen device does not advertise the listed network destinations to any peer devices grouped in a confederation.
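Both the as-path-access-list and the community-list sections above describe ordered permit/deny filters: an entry matches either a regular expression against the AS path or a community value (given as an AS number and community value with the as keyword, or as one of the well-known no-advertise, no-export and no-export-subconfed communities). The following Python script is an added example, not code from the NetScreen guide or from ScreenOS, showing how such lists evaluate: the first matching entry decides and a route that matches nothing is denied. It assumes the common first-match semantics and the RFC 1997 encodings (AS number in the high 16 bits and value in the low 16 bits for as-style communities; 0xFFFFFF01, 0xFFFFFF02 and 0xFFFFFF03 for NO_EXPORT, NO_ADVERTISE and NO_EXPORT_SUBCONFED); the sample lists and routes are constructed here. It also shows why the guide's unanchored regular expression “23” deserves care: matched against an AS path rendered as text, it also matches AS 230.

```python
"""Ordered permit/deny evaluation for BGP AS-path access lists and community lists.

Added example, not from the NetScreen guide. An entry is (action, kind, arg):
kind 'as-path' carries a regular expression applied to the AS_PATH rendered
as space-separated AS numbers; kind 'community' carries a 32-bit community.
First match wins; a route matching no entry is denied.
"""
import re

# Well-known communities from RFC 1997; the guide's no-export, no-advertise
# and no-export-subconfed keywords refer to these values.
WELL_KNOWN = {
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "no-export-subconfed": 0xFFFFFF03,
}


def community(asn, value):
    """Encode the guide's 'as id_num3 id_num4' pair as a 32-bit ASN:value."""
    if not (0 <= asn <= 0xFFFF and 0 <= value <= 0xFFFF):
        raise ValueError("ASN and community value must each fit in 16 bits")
    return (asn << 16) | value


def as_path_matches(regex, as_path):
    """Apply an as-path-access-list regular expression to an AS path."""
    return re.search(regex, " ".join(str(a) for a in as_path)) is not None


def evaluate(entries, route):
    """Return 'permit' or 'deny' for route under an ordered entry list.

    route is {'as_path': [int, ...], 'communities': {int, ...}}.
    """
    for action, kind, arg in entries:
        if kind == "as-path" and as_path_matches(arg, route["as_path"]):
            return action
        if kind == "community" and arg in route["communities"]:
            return action
    return "deny"  # implicit deny when nothing matched


# Constructed lists mirroring the guide's examples:
#   set as-path-access-list 10 permit 23       -> AS_PATH_LIST_10 (unanchored)
#   set community-list 10 permit as 40 10      -> COMMUNITY_LIST_10
#   set community-list 30 permit no-advertise  -> COMMUNITY_LIST_30
AS_PATH_LIST_10 = [("permit", "as-path", "23")]
# Same intent, but anchored so that only AS 23 itself matches.
AS_PATH_LIST_10_ANCHORED = [("permit", "as-path", r"(^| )23( |$)")]
COMMUNITY_LIST_10 = [("permit", "community", community(40, 10))]
COMMUNITY_LIST_30 = [("permit", "community", WELL_KNOWN["no-advertise"])]

# Constructed sample routes.
ROUTES = {
    "via-23": {"as_path": [65001, 23, 65100], "communities": set()},
    "via-230": {"as_path": [65001, 230], "communities": {community(40, 10)}},
    "tagged": {"as_path": [65002], "communities": {WELL_KNOWN["no-advertise"]}},
}


def classify(entries):
    """Evaluate every sample route against one list; returns {name: decision}."""
    return {name: evaluate(entries, route) for name, route in ROUTES.items()}


if __name__ == "__main__":
    for label, lst in (("as-path-access-list 10 (as written)", AS_PATH_LIST_10),
                       ("as-path-access-list 10 (anchored)", AS_PATH_LIST_10_ANCHORED),
                       ("community-list 10", COMMUNITY_LIST_10),
                       ("community-list 30", COMMUNITY_LIST_30)):
        print(label, classify(lst))
```

With the guide's regular expression as written, both the route through AS 23 and the route through AS 230 are permitted; the anchored form permits only the first. The community lists permit only the route carrying the configured community, and a deny entry placed before a permit entry takes precedence because evaluation stops at the first match.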

confederation

Description: Use the confederation commands to create a confederation, to remove a confederation, or to display confederation information.

Confederation is a technique for dividing an AS into smaller sub-ASs and grouping them. Using confederations reduces the number of connections inside an AS, simplifying the routing matrices created by meshes.

Before you can execute a confederation command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax

get

get confederation

set

set confederation { id id_num1 | peer id_num2 | rfc3065 }

unset

unset confederation { id | peer id_num2 | rfc3065 }

Keywords and Variables

id

set confederation id id_num1

unset confederation id

Example: The following command creates a confederation with an ID of 10:

ns(trust-vr/bgp)-> set confederation id 10

peer

set confederation peer id_num2

unset confederation peer id_num2

Example: The following command adds an AS (45040) to the confederation:

ns(trust-vr/bgp)-> set confederation peer 45040

rfc3065

set confederation rfc3065

unset confederation rfc3065

id The Identification Number (id_num1) of the confederation.

peer id_num2 The Identification Number of a new peer autonomous system (AS) entry.

rfc3065 Specifies configuration in compliance with RFC 3065. The default is compliance with RFC 1965.

advertise-default-route

Description: Use the advertise-default-route commands to send the NetScreen device as the default route for all peer devices.

Before you can execute an advertise-default-route command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax

set

set advertise-default-route

unset

unset advertise-default-route

Keywords and Variables

None.

enable

Description: Use the enable commands to enable or disable BGP.

Before you can execute an enable command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax

set

set enable

unset

unset enable

Keywords and Variables

None.

flap-damping

Description: Use the flap-damping commands to enable or disable the flap-damping setting.

Enabling this setting blocks the advertisement of a route until the route becomes stable. Flap damping allows the NetScreen device to contain routing instability at an AS border router, adjacent to the region where instability occurs.

Before you can execute a flap-damping command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax

set

set flap-damping

unset

unset flap-damping

Keywords and Variables

None.

hold-time

Description: Use the hold-time commands to specify or display the maximum amount of time (in seconds) that can elapse between keepalive messages received from the BGP neighbor.

Before you can execute a hold-time command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax

get

get hold-time

set

set hold-time number

unset

unset hold-time

Keywords and Variables

Variable Parameter

set hold-time number

Example: The following command sets the hold-time value to 60 seconds:

ns(trust-vr/bgp)-> set hold-time 60

number The maximum length of time (in seconds) between messages.

reject-default-route

Description: Use the reject-default-route commands to enable, disable, or display the reject-default-route setting. Enabling this setting makes the NetScreen device ignore default route advertisements from the BGP peer router.

Before you can execute a reject-default-route command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax

get

get reject-default-route

set

set reject-default-route

unset

unset reject-default-route

Keywords and Variables

None.

keepalive

Description: Use the keepalive commands to specify the amount of time (in seconds) that elapses between keepalive packet transmissions. These transmissions ensure that the TCP connection between the local BGP router and a neighbor router is up.

Before you can execute a keepalive command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax

get

get keepalive

set

set keepalive number

unset

unset keepalive

Keywords and Variables

Variable Parameter

Example: The following command sets the keepalive value to 30 seconds:

ns(trust-vr/bgp)-> set keepalive 30

number The maximum length of time (in seconds) between keepalive messages.

local-pref

Description: Use the local-pref commands to configure the LOCAL_PREF attribute for the BGP virtual router.

The LOCAL_PREF attribute is the metric most often used in practice to express preferences for one set of paths over another for IBGP. The higher the value, the greater the preference.

Before you can execute a local-pref command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax

get

get local-pref

set

set local-pref number

unset

unset local-pref

Keywords and Variables

Variable Parameter

set local-pref number

Example: The following command gives the virtual router trust-vr a preference number of 10:

ns(trust-vr/bgp)-> set local-pref 10

number The preference level for the virtual router.

med

Description: Use the med commands to specify or display the local Multi-Exit Discriminator (MED). The MED determines the most suitable entry or exit point when there are multiple exit or entry points to the same neighbor autonomous system (AS).

Before you can execute a med command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax

get

get med

set

set med id_num

unset

unset med

Keywords and Variables

Variable Parameter

set med id_num

Example: The following command specifies MED 1004 for the virtual router trust-vr:

ns(trust-vr/bgp)-> set med 1004

id_num The identification number of the MED.

neighbor

Description: Use the neighbor commands to set or display general configuration parameters for the local BGP virtual router. The NetScreen device uses these parameters while establishing a BGP connection to another autonomous system (AS).

Before you can execute a neighbor command, you must initiate the bgp context. (See “Context Initiation” on page 44.)

Syntax

clear

clear neighbor { flap-route ip_addr [ add ] | stats }

exec

exec neighbor ip_addr { connect | disconnect | tcp-connect }

get

get neighbor { ip_addr | peer-group name_str }

set

set neighbor { ip_addr

{ default-route | enable | ignore-default-route | med id_num } |

ip_addr | peer-group name_str [ ebgp-multihop number | hold-time number | keepalive number | md5-authentication string | nhself-enable | reflector-client | remote-as number [ local-ip ip_addr ] | route-map name_str { in | out } | send-community | weight number ]

}

unset

unset neighbor { ip_addr

{ default-route | enable | ignore-default-route | med } |

ip_addr | peer-group name_str [ ebgp-multihop | hold-time | keepalive | md5-authentication string | nhself-enable | reflector-client | remote-as number [ local-ip ip_addr ] | route-map name_str { in | out } | send-community | weight ]

}

Keywords and Variables

Variable Parameter

get neighbor ip_addr

set neighbor ip_addr { ... }

unset neighbor ip_addr { ... }

Example: The following command displays information about a neighbor device at IP address 192.168.100.101:

ns(trust-vr/bgp)-> get neighbor 192.168.100.101

connect

exec neighbor ip_addr connect

Example: The following command establishes a BGP connection to a neighbor device at IP address 192.168.100.101:

ns(trust-vr/bgp)-> exec neighbor 192.168.100.101 connect

default-route

set neighbor ip_addr default-route

unset neighbor ip_addr default-route

Example: The following command directs the virtual router to send the default route to a neighbor device at IP address 192.168.100.101:

ip_addr The IP address of the neighboring peer device.

connect Establishes a BGP connection to the neighbor (ip_addr).

default-route Configures the local BGP virtual router to send the default route to the BGP neighbor (ip_addr).

ns(trust-vr/bgp)-> set neighbor 192.168.100.101 default-route

disconnect

exec neighbor ip_addr disconnect

ebgp-multihop

set neighbor { ip_addr | peer-group name_str } ebgp-multihop number

unset neighbor { ip_addr | peer-group name_str } ebgp-multihop

Example: The following command directs the virtual router to allow three intervening route nodes between the virtual router and a neighbor device at IP address 192.168.100.101:

ns(trust-vr/bgp)-> set neighbor 192.168.100.101 ebgp-multihop 3

enable

set neighbor ip_addr enable

unset neighbor ip_addr enable

disconnect Terminates the BGP connection to the neighbor (ip_addr).

ebgp-multihop The number of intervening routing nodes (number) allowed between the local BGP virtual router and the BGP neighbor (ip_addr). A setting of zero disables the multihop feature.

enable Enables or disables BGP for a neighbor device (ip_addr).

flap-route

clear neighbor flap-route ip_addr [ add ]

Example: The following command clears the neighbor’s damped route (172.16.2.2) from history and place it in the routing table:

ns(trust-vr/bgp)-> clear neighbor 192.168.10.10 flap-route 172.16.2.2 add

hold-time

set neighbor { ip_addr | peer-group name_str } hold-time number

unset neighbor { ip_addr | peer-group name_str } hold-time

Example: The following command specifies a hold-time value of 60:

ns(trust-vr/bgp)-> set neighbor 192.168.10.10 hold-time 60

ignore-default-route

set neighbor ip_addr ignore-default-route

unset neighbor ip_addr ignore-default-route

Example: The following command directs the virtual router to ignore any default route sent by the neighbor device at IP address 192.168.100.101:

flap-route Enables or disables the Route Flap Dampening feature on the local BGP router. The Route Flap Dampening feature stabilizes improperly shifting values in the route table. The add switch adds the damped route (ip_addr) to the routing table.

hold-time Specifies the number of seconds (number) that the current BGP speaker waits to receive a message from its neighbor.

ignore-default-route Configures the local BGP virtual router to ignore any default route sent by the neighbor.

ns(trust-vr/bgp)-> set neighbor 192.168.100.101 ignore-default-route

keepalive

set neighbor { ip_addr | peer-group name_str } keepalive number

unset neighbor { ip_addr | peer-group name_str } keepalive

Example: The following command specifies a keepalive value of 90 seconds:

ns(trust-vr/bgp)-> set neighbor 192.168.100.101 keepalive 90

md5-authentication

set neighbor { ip_addr | peer-group name_str } md5-authentication string

unset neighbor { ip_addr | peer-group name_str } md5-authentication string

Example: The following command specifies an MD5 authentication string (5784ldk094):

ns(trust-vr/bgp)-> set neighbor 192.168.100.101 md5-authentication 5784ldk094

med

set neighbor ip_addr med id_num

unset neighbor ip_addr med

Example: The following command specifies the Multi-Exit Discriminator (MED) 20099 for a neighbor with IP address 192.168.10.10:

keepalive Specifies the maximum amount of time (in seconds) that can elapse between keepalive packet transmissions before the local BGP virtual router terminates the connection to the neighbor.

md5-authentication Specifies the BGP peer MD5 authentication string.

med Specifies the ID number (id_num) of the local Multi-Exit Discriminator (MED).

Page 96: NetScreen CLI Reference Guide - Juniper Networks

�4"!!����5��$��*$�4�%��-5

9����

le

rust-vr) the next hop value:

er group Acme_Peers:

ive 90

ent

lient

Acme_Peers are reflector

nce.

r group shares the same update ers instead of creating a separate

er.

���������������� ���������!�

ns(trust-vr/bgp)-> set neighbor 192.168.10.10 med 20099

����� ������

set neighbor { ip_addr | peer-group name_str } nhself-enable

unset neighbor { ip_addr | peer-group name_str } nhself-enab

Example: The following command makes the local BGP virtual routing instance (t

ns(trust-vr/bgp)-> set neighbor 172.16.10.10 nhself-enable

���� �����

set neighbor ip_addr peer-group name_str [ ... ]

unset neighbor ip_addr peer-group name_str [ ... ]

Example: The following command assigns a 90-second keepalive value to the pe

ns(trust-vr/bgp)-> set neighbor peer-group Acme_Peers keepal

�� ������� ������

set neighbor { ip_addr | peer-group name_str } refelctor-cli

unset neighbor { ip_addr | peer-group name_str } reflector-c

Example: The following command specifies that the neighbors in the peer group clients:

nhself-enable Specifies that the next hop value is the local BGP virtual routing insta

peer-group The name of a group of BGP neighbors. Each BGP neighbor in a peepolicies. This allows you to set up policies that apply to all the BGP pepolicy for each peer.

reflector-client Specifies if the neighbor is a reflector client in the route reflector clust

Page 97: NetScreen CLI Reference Guide - Juniper Networks

�4"!!����5��$��*$�4�%��-5

9����

tor-client

e_str { in | out }

ame_str { in | out }

apply to incoming traffic from

ap in

GP speaker. local-ip ip_addr

itches determine if the route map

���������������� ���������!�

ns(trust-vr/bgp)-> set neighbor peer-group Acme_Peers reflec

������ ��

set neighbor { ip_addr | peer-group name_str } remote-as number [ local-ip ip_addr ]

unset neighbor { ip_addr | peer-group name_str } remote-as number [ local-ip ip_addr ]

Example: The following command identifies AS 30 as the remote AS:

ns(trust-vr/bgp)-> set neighbor 172.16.10.10 remote-as 30

����� ���

set neighbor { ip_addr | peer-group name_str } route-map nam

unset neighbor { ip_addr | peer-group name_str } route-map n

Example: The following command specifies that the routes in route map Mkt_Mapthe neighbor at IP address 172.16.10.10:

ns(trust-vr/bgp)-> set neighbor 172.16.10.10 route-map Mkt_M

remote-as Identifies the remote AS (number) to be the neighbor of the current Bspecifies the local IP address for EBGP multi-hop peer.

route-map Specifies the route map to use for the BGP neighbor. The in | out swapplies to incoming traffic or outgoing traffic.

Page 98: NetScreen CLI Reference Guide - Juniper Networks

�4"!!����5��$��*$�4�%��-5

�����

y

ity

attributes to the neighbor at IP

172.16.10.10:

address 172.16.10.10:

tes to the neighbor.

���������������� ���������!�

���� ��������&

set neighbor { ip_addr | peer-group name_str } send-communit

unset neighbor { ip_addr | peer-group name_str } send-commun

Example: The following command directs the virtual router to transmit communityaddress 172.16.10.10:

ns(trust-vr/bgp)-> set neighbor 172.16.10.10 send-community

�����

clear neighbor ip_addr stats

Example: The following command clears statistics for the neighbor at IP address

ns(trust-vr/bgp)-> clear neighbor 172.16.10.10 stats

��� �������

exec neighbor ip_addr tcp-connect

Example: The following command tests the TCP connection to the neighbor at IP

ns(trust-vr/bgp)-> exec neighbor 172.16.10.10 tcp-connect

"�����

set neighbor { ip_addr | peer-group name_str } weight number

send-community Directs the BGP virtual routing instance to transmit community attribu

stats Clears the statistics describing the neighbor.

tcp-connect Tests the TCP connection to the neighbor (ip_addr).

Page 99: NetScreen CLI Reference Guide - Juniper Networks

�4"!!����5��$��*$�4�%��-5

�����

or at IP address 172.16.10.10:

g instance and the neighbor. The

���������������� ���������!�

unset neighbor { ip_addr | peer-group name_str } weight

Example: The following command assigns a weight of 2 to the path to the neighb

ns(trust-vr/bgp)-> set neighbor 172.16.10.10 weight 2

weight The priority (number) of the path between the local BGP virtual routinhigher the value, the greater that path’s priority.
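The neighbor settings above are the ones a reviewer checks first on a BGP-speaking firewall: is md5-authentication set, are the timers sane, does a peer-group hide a setting the neighbor itself lacks, is a multihop peer authenticated. The following Python script is an added example, not code from the NetScreen guide or from Juniper: it audits those points across a saved configuration. It assumes that the saved configuration lists BGP neighbor settings as set neighbor lines inside a set vrouter / set protocol bgp context closed by exit (that layout, the sample configuration, and the eight-character minimum for the MD5 string are assumptions of this example, not facts from the guide).

```python
"""Audit the BGP neighbor settings in a saved ScreenOS configuration.

Added example, not part of the NetScreen guide. It assumes that the saved
configuration lists BGP neighbor settings as `set neighbor ...` lines inside
a `set vrouter <name>` / `set protocol bgp <as>` context, each closed by
`exit` (this layout is an assumption; adjust the parser if your export differs).
"""
import re

# Constructed sample configuration (not captured from a device). One neighbor
# is fully configured, one is an unauthenticated multihop peer with a bad
# timer ratio, one inherits its settings from a peer group, and one has a
# short MD5 string.
SAMPLE_CONFIG = """\
set vrouter "trust-vr"
set protocol bgp 65000
set enable
set neighbor 192.168.100.101 remote-as 30
set neighbor 192.168.100.101 md5-authentication "5784ldk094"
set neighbor 192.168.100.101 keepalive 30
set neighbor 192.168.100.101 hold-time 90
set neighbor 192.168.100.101 enable
set neighbor 172.16.10.10 remote-as 40
set neighbor 172.16.10.10 ebgp-multihop 3
set neighbor 172.16.10.10 keepalive 90
set neighbor 172.16.10.10 hold-time 60
set neighbor 172.16.10.10 enable
set neighbor peer-group Acme_Peers md5-authentication "groupsecret99"
set neighbor peer-group Acme_Peers keepalive 30
set neighbor peer-group Acme_Peers hold-time 90
set neighbor 10.9.9.9 remote-as 65000
set neighbor 10.9.9.9 peer-group Acme_Peers
set neighbor 10.8.8.8 remote-as 65000
set neighbor 10.8.8.8 md5-authentication "abc"
set neighbor 10.8.8.8 enable
exit
exit
"""

# `set neighbor [peer-group] <ip-or-group-name> <keyword> [value]`
NEIGHBOR_RE = re.compile(r'^set neighbor (peer-group )?(\S+) (\S+)(?: (.+))?$')


def parse_neighbors(config_text):
    """Return {vrouter: {neighbor_ip or 'peer-group:NAME': {keyword: value}}}."""
    vrouters = {}
    vrouter = None
    in_bgp = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith('set vrouter '):
            vrouter = line.split(None, 2)[2].strip('"')
            vrouters.setdefault(vrouter, {})
        elif line.startswith('set protocol bgp'):
            in_bgp = True
        elif line == 'exit':
            if in_bgp:          # first exit leaves the bgp context ...
                in_bgp = False
            else:               # ... the next one leaves the vrouter
                vrouter = None
        elif in_bgp and vrouter is not None:
            m = NEIGHBOR_RE.match(line)
            if m:
                is_group, name, keyword, value = m.groups()
                key = 'peer-group:' + name if is_group else name
                vrouters[vrouter].setdefault(key, {})[keyword] = (value or '').strip('"')
    return vrouters


def effective_settings(vr):
    """Merge peer-group settings into each member; neighbor-specific values win."""
    merged = {}
    for name, settings in vr.items():
        if name.startswith('peer-group:'):
            continue
        group = settings.get('peer-group')
        combined = dict(vr.get('peer-group:' + group, {})) if group else {}
        combined.update(settings)
        merged[name] = combined
    return merged


def audit(config_text, min_md5_len=8):
    """Return (vrouter, neighbor, code, message) findings for every neighbor."""
    findings = []
    for vr_name, vr in parse_neighbors(config_text).items():
        for ip, s in effective_settings(vr).items():
            def flag(code, msg):
                findings.append((vr_name, ip, code, msg))
            if 'remote-as' not in s:
                flag('NO_REMOTE_AS', 'no remote-as; the session cannot be established')
            if 'md5-authentication' not in s:
                flag('NO_MD5', 'no md5-authentication; only source address and AS number identify the peer')
            elif len(s['md5-authentication']) < min_md5_len:
                flag('WEAK_MD5', 'md5-authentication string shorter than %d characters' % min_md5_len)
            keep = int(s['keepalive']) if s.get('keepalive', '').isdigit() else 0
            hold = int(s['hold-time']) if s.get('hold-time', '').isdigit() else 0
            if keep and hold and hold < 3 * keep:
                flag('HOLD_TOO_SHORT', 'hold-time %d is below three times keepalive %d' % (hold, keep))
            if s.get('ebgp-multihop', '0').isdigit() and int(s.get('ebgp-multihop', '0')) > 0:
                flag('MULTIHOP', 'multihop peer is not directly connected; verify md5-authentication')
            if 'enable' not in s:
                flag('NOT_ENABLED', 'neighbor is configured but not enabled')
    return findings


if __name__ == '__main__':
    for vr_name, ip, code, msg in audit(SAMPLE_CONFIG):
        print('%s %-16s %-15s %s' % (vr_name, ip, code, msg))
```

Run it against the output of get config saved to a file and feed the text to audit(). The peer-group merge matters: a neighbor that shows no md5-authentication line of its own is still authenticated if its group carries one, and the script only reports the effective settings.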

network

Description: Use the network commands to create, display, or delete network and subnet entries. The BGP virtual router advertises these entries to peer devices, without first requiring redistribution into BGP (as with static routing table entries).

Before you can execute a network command, you must initiate the bgp context. (See "Context Initiation" on page 44.)

Syntax

get network

set network ip_addr/mask [ no-check ]

unset network ip_addr/mask

Keywords and Variables

ip_addr/mask

set network ip_addr/mask [ ... ]

unset network ip_addr/mask

Example: The following command creates a network entry (172.16.100.10/16) for the virtual router trust-vr:

ns(trust-vr/bgp)-> set network 172.16.100.10/16

no-check

set network ip_addr/mask no-check

Example: The following command directs the device not to check for reachability for the network entry 172.16.100.10/16:

ns(trust-vr/bgp)-> set network 172.16.100.10/16 no-check

ip_addr/mask The IP address and subnet mask of the network.

no-check Directs the device to not check for network reachability. With this switch the virtual router advertises the prefix even when it holds no route to it, so traffic attracted by the advertisement can be dropped; use it only for prefixes the device is known to carry.

redistribute

Description: Use the redistribute commands to import routes advertised by external routers that use protocols other than BGP, or to display the current redistribute settings.

Before you can execute a redistribute command, you must initiate the bgp context. (See "Context Initiation" on page 44.)

Syntax

get redistribute

set redistribute route-map name_str protocol { connected | ospf | redistributed | static }

unset redistribute route-map name_str protocol { connected | ospf | redistributed | static }

Keywords and Variables

connected

set redistribute route-map name_str protocol connected

unset redistribute route-map name_str protocol connected

Example: The following command creates a redistribute rule for all routes advertised by routers using the connected protocol, filtered according to the Corp_Office route map:

ns(trust-vr/bgp)-> set redistribute route-map Corp_Office protocol connected

route-map

set redistribute route-map name_str protocol [ ... ]

unset redistribute route-map name_str protocol [ ... ]

ospf

set redistribute route-map name_str protocol ospf

unset redistribute route-map name_str protocol ospf

Example: The following command creates a redistribute rule for all routes advertised by routers using OSPF, filtered according to the Corp_Office route map:

ns(trust-vr/bgp)-> set redistribute route-map Corp_Office protocol ospf

protocol

set redistribute route-map name_str protocol [ ... ]

unset redistribute route-map name_str protocol [ ... ]

redistributed

set redistribute route-map name_str protocol redistributed

unset redistribute route-map name_str protocol redistributed

static

set redistribute route-map name_str protocol static

unset redistribute route-map name_str protocol static

connected Specifies that the external router that sent the advertisement has an interface with a defined IP address.

route-map The name (name_str) of the route map. Redistribution always runs through a route map, so the map is where you restrict which prefixes the device exports into BGP.

ospf Specifies that the external router generated the advertisement using the OSPF protocol.

protocol The protocol to convert into BGP (connected, ospf, redistributed, or static).

redistributed Makes the BGP virtual router export pre-existing learned routes back to OSPF and pass them on to other routers.

static Specifies that the external router did not generate the advertised routes dynamically.

reflector

Description: Use the reflector commands to allow the local BGP virtual router to serve as a route reflector.

A route reflector is a router that passes Interior BGP (IBGP) learned routes to specified IBGP neighbors (clients), thus eliminating the need for each router in a full mesh to talk to every other router. The clients use the route reflector to readvertise routes to the entire autonomous system (AS).

Before you can execute a reflector command, you must initiate the bgp context. (See "Context Initiation" on page 44.)

Syntax

get reflector

set reflector [ cluster-id id_num ]

unset reflector [ cluster-id id_num ]

Keywords and Variables

cluster-id

set reflector cluster-id id_num

unset reflector cluster-id id_num

Example: The following commands allow the local BGP virtual router to serve as a route reflector, and set the cluster ID to 20:

ns(trust-vr/bgp)-> set reflector

ns(trust-vr/bgp)-> set reflector cluster-id 20

cluster-id The ID number (id_num) of the cluster. A cluster consists of multiple routers, with a single router designated as the route reflector, and the others as clients. Routers outside of the cluster treat the entire cluster as a single entity, instead of interfacing with each individual router in full mesh. This arrangement greatly reduces overhead.

synchronization

Description: Use the synchronization command to enable synchronization with the Interior Gateway Protocol (IGP).

Before you can execute a synchronization command, you must initiate the bgp context. (See "Context Initiation" on page 44.)

Syntax

set synchronization

unset synchronization

Keywords and Variables

None.

clock

Description: Use the clock commands to set the system time on the NetScreen device.

Syntax

get clock

set clock { date_str [ time_str ] | dst-off | ntp | timezone number }

unset clock { dst-off | ntp | timezone }

Note: By default, the NetScreen device automatically adjusts its system clock for daylight saving time.

Keywords and Variables

date_str [ time_str ]

set clock date_str [ time_str ]

Example: The following command sets the clock to December 15, 2002, 12:00pm:

set clock 12/15/2002 12:00

dst-off

set clock dst-off

unset clock dst-off

ntp

set clock ntp

unset clock ntp

timezone

set clock timezone number

unset clock timezone number

date [ time ] Specifies the month, day, year, and 24-hour time. Specify the hour and minutes in the following format: mm/dd/yyyy hh:mm.

dst-off Turns off the automatic time adjustment for daylight saving time.

ntp Configures the device for Network Time Protocol (NTP), which synchronizes computer clocks in the Internet. Event-log timestamps and every time-based check on the device depend on this clock; a device whose clock is wrong produces logs that cannot be correlated with other systems, so prefer ntp to a manually set time.

timezone Sets the current time zone value. This value indicates the time difference between GMT standard time and the current local time (when DST is OFF). When DST is ON and the clock is already set forward one hour, decrease the time difference by one hour and set the minutes accurately. Set the number between -12 and 12.

This volume lists and describes NetScreen Command Line Interface (CLI) commands config through intervlan-traffic.

Note: As you execute CLI commands using the syntax descriptions in this chapter, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the vsys command, which is available on a NetScreen-500 device, but not on a NetScreen-5xp device. Similarly, some command options are unavailable on certain models, as with the df-bit option of the vpn command. This option is available on a NetScreen-500, but not on a NetScreen-5xp.

config

Description: Use the config commands to display the current or saved configuration settings for a NetScreen device.

Syntax

get config [ all | saved ]

Keywords and Variables

all

get config all

saved

get config saved

all Displays all configuration information.

saved Displays the configuration file saved in flash memory. The running configuration and the saved file can differ; comparing get config with get config saved shows changes that were made but never saved, which is worth checking on any device you did not configure yourself.

console

Description: Use the console commands to define or list the CLI console parameters.

When the debug mode is enabled, the NetScreen device displays all debugging messages in the console. If this generates too much information at once, use the dbuf parameter to store the messages in a buffer so that you can later retrieve them with the get dbuf command.

Enable console access with the unset console disable command through a Telnet connection.

Syntax

get console

set console { dbuf | disable | page number | timeout number }

unset console { dbuf | disable | page | timeout }

Keywords and Variables

dbuf

set console dbuf

unset console dbuf

disable

set console disable

unset console disable

page

set console page number

unset console page

Example: To define 20 lines per page displayed on the console:

set console page 20

timeout

set console timeout number

unset console timeout

Example: To set the console timeout to 40 minutes:

set console timeout 40

Defaults

Access to the console is enabled by default.

The console displays 22 lines per page by default.

The default login timeout is set to 10 minutes.

The NetScreen device sends console messages to the buffer by default.

dbuf Stores the console messages in a buffer for later retrieval.

disable Disables access to the console. Two confirmations are required to disable access to the console. Saves the current NetScreen configuration and closes the current login session.

page An integer value specifying how many lines appear on each page.

timeout Determines how much time (in minutes) the device waits before logging out the administrator from the console session when the administrator stops making keyboard entries. A value of 0 means the console never times out, which leaves an unattended session open to anyone with physical access to the port; keep a finite timeout on any console that is not in a locked rack.

counter

Description: Use the counter commands to clear interface and flow counters.

Syntax

clear [ cluster ] counter { all | ha | screen [ interface interface ] }

get counter { flow | statistics [ interface interface ] | screen { interface interface | zone zone } | policy pol_num { day | hour | minute | month | second } }

Keywords and Variables

cluster

clear [ cluster ] counter [ ... ]

Example: To clear the contents of all counters and propagate the operation to all devices in the cluster:

clear cluster counter all

flow

get counter flow [ ... ]

ha

clear [ cluster ] counter ha

interface

clear [ cluster ] counter screen interface interface

policy

get counter policy pol_num { day | hour | minute | month | second }

screen

clear [ cluster ] counter screen [ ... ]

get counter screen

statistics

get counter statistics [ ... ]

zone

get counter screen zone zone

cluster Propagates the clear operation to all other devices in an NSRP cluster.

flow Specifies counters for packets inspected at the flow level. A flow-level inspection examines various aspects of a packet to gauge its nature and intent.

ha Specifies counters for packets transmitted across a high-availability (HA) link between two NetScreen devices. An HA-level inspection keeps count of the number of packets and packet errors.

interface The name of the interface. Specifies counters for packets inspected at the interface level. The inspection checks for packet errors and monitors the quantity of packets according to established threshold settings. For more information on interfaces, see "Interface Names" on page A-IV.

policy Identifies a particular access policy (pol_num). This allows you to monitor the amount of traffic that the policy permits.

day | hour | minute | month | second Specifies the period of time for monitoring traffic permitted by a particular access policy.

screen Clears the screen counters. The interface interface parameter specifies the name of a particular interface. For more information on interfaces, see "Interface Names" on page A-IV.

statistics Displays the counter statistics.

zone Identifies the zone, and specifies counters for packets inspected at the zone level. The inspection checks for packet errors and monitors the quantity of packets according to established threshold settings. For more information on interfaces, see "Interface Names" on page A-IV.

dbuf

Description: Use the dbuf commands to dynamically adjust the system buffer size, or to display buffer information.

Syntax

clear [ cluster ] dbuf

get dbuf { info [ all ] | mem [ number ] [ all ] | stream [ number ] [ all ] }

set dbuf size number

unset dbuf size

Keywords and Variables

cluster

clear [ cluster ] dbuf

info

get dbuf info [ all ]

mem

get dbuf mem [ number ] [ all ]

size

set dbuf size number

unset dbuf size

Example: The following command changes the buffer size to the maximum size allowed:

set dbuf size 4096

stream

get dbuf stream [ number ] [ all ]

Defaults

The range of values for the buffer size is from 32 to 4096 kilobytes.

The default buffer sizes for the various NetScreen devices are:

NetScreen-5000 Series 1024 kilobytes

NetScreen-1000 1024 kilobytes

NetScreen-500 1024 kilobytes

NetScreen-200 Series 524 kilobytes

NetScreen-100p 1024 kilobytes

NetScreen-100 512 kilobytes

NetScreen-25/50 128 kilobytes

NetScreen-10 128 kilobytes

NetScreen-5 32 kilobytes

cluster Propagates the clear operation to all other devices in an NSRP cluster.

info Displays the dbuf buffer information. all specifies all slots.

mem Displays dbuf buffer memory content. number specifies the percentage offset. all specifies all slots.

size Indicates the size of the system buffer in kilobytes.

stream Displays the dbuf buffer stream information. number specifies the percentage offset. all specifies all slots.

dialup-group

Description: Use the dialup-group commands to create a group of remote users, or to display information on configured dialup groups.

An access policy for a dialup group applies to all the members in the group. Consequently, all the group members must be either IKE/L2TP users, or Manual Key users.

Syntax

get dialup-group [ id_num | all ]

set dialup-group name_str [ { + | - } name_str ]

unset dialup-group name_str

Note: Different NetScreen device models can have different numbers of users in a dialup group.

Keywords and Variables

name_str [ { + | - } name_str ]

Examples: The following command defines a dialup user group called "telecommuters":

set dialup-group telecommuters

The following command adds a remote VPN user named "john_home" to the telecommuters group:

set dialup-group telecommuters + john_home

The following command deletes a remote VPN user named "amy_home" from the telecommuters group:

set dialup-group telecommuters - amy_home

The following command deletes the telecommuters group:

unset dialup-group telecommuters

Notes

An Access Policy for a dialup-group applies to all the members in the group. Consequently, all the group members must be the same kind, either IKE dynamic peers (Auto Key), or VPN dialup users (Manual Key).

name_str Assigns a name to the dialup group.

{ + name_str } Adds a remote VPN user to the group, where name_str is the name of the user.

{ - name_str } Deletes a remote VPN user from the group, where name_str is the name of the user.

dip

Description: Use the dip commands to set up a Dynamic IP (DIP) group, or to display DIP user group information.

Syntax

get dip [ all ]

set dip { group { id_num1 [ member id_num2 ] } | sticky }

unset dip { group { id_num1 [ member id_num2 ] } | sticky }

Keywords and Variables

group

set dip group id_num1 [ member id_num2 ]

unset dip group id_num1 [ member id_num2 ]

Example: The following commands:

• create a new regular DIP address range for interface ethernet3 with an ID of 5

• create a new DIP group with ID number 100

• add the new DIP set (5) as a member of the group

set interface ethernet3 dip 5 192.168.10.10 192.168.10.20

set dip group 100

set dip group 100 member 5

sticky

set dip sticky

unset dip sticky

group Creates a DIP group or adds a member to a group. id_num1 is the identification number you assign to the new DIP group. member id_num2 specifies the identification number of a DIP set.

sticky Specifies that the NetScreen device assigns the same IP address to a host for multiple concurrent sessions.

dns

Description: Use dns commands to configure Domain Name Services (DNS) or to display DNS configuration information.

Syntax

clear [ cluster ] dns

exec dns refresh

get dns { host { cache | report | settings } | name dom_name }

set dns host { dns1 ip_addr | dns2 ip_addr | schedule time }

unset dns host { dns1 | dns2 | schedule }

Keywords and Variables

cluster

clear [ cluster ] dns

host

get dns host { ... }

set dns host { ... }

unset dns host { ... }

Examples: The following command sets up a host as the primary DNS server at 172.16.10.101:

set dns host dns1 172.16.10.101

The following command schedules a refresh time at 23:59 each day:

set dns host schedule 23:59

name

get dns name dom_name

refresh

exec dns refresh

cluster Propagates the clear operation to all other devices in an NSRP cluster.

host

• cache Displays the DNS cache table.

• dns1 ip_addr Specifies the primary DNS host.

• dns2 ip_addr Specifies the backup DNS host.

• report Displays the DNS lookup table.

• schedule time Specifies the time of day to refresh DNS entries. The format of this parameter is hh:mm. Between refreshes the device works from its cache, so a record that changes (or is spoofed) after a lookup stays in effect until the next scheduled or manual refresh.

• settings Displays DNS settings, including IP addresses, refresh setting, and the number of UDP sessions.

name The domain name of the host. Using this option directs the NetScreen device to look up an IP address for the given domain name.

refresh Refreshes all DNS entries. Using this option directs the NetScreen device to perform a manual DNS lookup.

domain

Description: Use the domain commands to set or display the domain name of the NetScreen device.

Syntax

get domain

set domain name_str

unset domain

Keywords and Variables

name_str

Example: The following command sets the domain of the NetScreen device to acme:

set domain acme

name_str Defines the domain name of the NetScreen device.

envar

Description: Use the envar commands to define the location of the environment variables files.

Syntax

get envar [ resource ]

set envar string

unset envar string

Keywords and Variables

string

set envar string

unset envar string

Example: The following command defines the location of the system configuration as file2.cfg in slot2:

set envar config=slot2:file2.cfg

resource

get envar resource

string The location of the environment variables files.

resource Displays the following information:

• (max-session) Maximum number of sessions

• (max-sa) Maximum number of security associations (SAs)

• (max-l2tp-tunnel) Maximum number of L2TP tunnels

event

Description: Use the event commands to display or clear event messages.

Syntax

clear [ cluster ] event [ end-time time_str ]

get event [ module name_str ] [ level { alert | critical | debug | emergency | error | information | notification | warning } ] [ type id_num1 [ -id_num2 ] ] [ start-time time_str ] [ end-time time_str ] [ include string ] [ exclude string ]

Keywords and Variables

cluster

clear cluster event [ ... ]

include | exclude

get event module name_str { ... } [ include string ] [ exclude string ] [ ... ]

level

get event module name_str level { ... }

module

get event module name_str [ ... ]

start-time | end-time

clear [ cluster ] event end-time time_str

get event module name_str { ... } [ start-time time_str ] [ end-time time_str ] [ ... ]

Example: The following command clears all events generated before May 1, 2002 at 11:30am:

clear event end-time 05/01/02-11:30:00

type

get event module name_str level { ... } type id_num1 [ -id_num2 ] [ ... ]

cluster Propagates the clear operation to all other devices in an NSRP cluster. Clearing the event log is destructive and cannot be undone on the device; an intruder with administrative access can use it to remove traces of activity, so keep a copy of the log before clearing it and treat an unexplained gap in the log as a finding in its own right.

include | exclude Directs the NetScreen device to include or exclude events containing a specified string of characters (string).

level Specifies the priority level of the event message. The priority levels are as follows:

• emergency (Level 0) The system is unusable.

• alert (Level 1) Immediate action is necessary.

• critical (Level 2) The event affects functionality.

• error (Level 3) Error condition exists.

• warning (Level 4) The event might affect functionality.

• notification (Level 5) The event is a normal occurrence.

• information (Level 6) The event generates general information about normal operation.

• debug (Level 7) The event generates detailed information for troubleshooting purposes.

module Specifies the name of the system module that generated the event.

end-time time_str | start-time time_str Specifies the lower and upper ends of a range of dates and times for an event. The format for time_str is mm/dd/yy-hh:mm:ss. You can omit the year (the current year is the default), or express the year using the last two digits or all four digits. The hour, minute, and second are optional. The delimiter between the date and the time can be a dash or an underscore: 12/31/2001-23:59:00 or 12/31/2001_23:59:00.

type Specifies a priority level or a range of priority levels.
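The time_str grammar above (optional year in two or four digits, optional time fields, dash or underscore as the date/time delimiter) is easy to get wrong when scripting log collection or when reproducing what a clear event end-time command discarded. The following Python code is an added example, not code from the NetScreen guide or from Juniper: it implements a parser for that grammar and applies the same selection switches (start-time, end-time, level, a numeric type range over the priority levels, include, exclude) to constructed event records. The record layout in SAMPLE_EVENTS is invented for the demonstration and is not the device's real get event output; reading two-digit years as 20yy is an assumption consistent with the guide's 05/01/02 example; and end-time is treated as exclusive, following the guide's wording "events generated before".

```python
"""Parse the time_str format used by get event / clear event and apply the
same selection logic (time range, level, type range, include, exclude) to
constructed event records.

Added example, not part of the NetScreen guide. The record layout in
SAMPLE_EVENTS is an assumption, not the device's real output format.
"""
import re
from datetime import datetime

# mm/dd[/yy|yyyy][ -|_ hh[:mm[:ss]] ]
TIME_STR_RE = re.compile(
    r'^(?P<month>\d{1,2})/(?P<day>\d{1,2})'
    r'(?:/(?P<year>\d{4}|\d{2}))?'
    r'(?:[-_](?P<hour>\d{1,2})(?::(?P<minute>\d{1,2})(?::(?P<second>\d{1,2}))?)?)?$'
)

# Priority names in the order of their numeric levels (emergency = 0 ... debug = 7).
LEVELS = ['emergency', 'alert', 'critical', 'error',
          'warning', 'notification', 'information', 'debug']


def parse_time_str(text, default_year=None):
    """Return a datetime for a ScreenOS time_str; raise ValueError on bad input."""
    m = TIME_STR_RE.match(text.strip())
    if not m:
        raise ValueError('not a valid time_str: %r' % text)
    g = m.groupdict()
    if g['year'] is None:
        # the guide: omitted year means the current year
        year = default_year if default_year is not None else datetime.now().year
    elif len(g['year']) == 2:
        year = 2000 + int(g['year'])   # assumption: two-digit years are 20yy
    else:
        year = int(g['year'])
    return datetime(year, int(g['month']), int(g['day']),
                    int(g['hour'] or 0), int(g['minute'] or 0), int(g['second'] or 0))


# Constructed records: (time_str, level, module, message).
SAMPLE_EVENTS = [
    ('04/30/2002_23:58:10', 'notification', 'system', 'admin logged in from console'),
    ('05/01/2002-11:29:59', 'warning', 'system', 'console timeout set to 0'),
    ('05/01/2002-11:30:00', 'critical', 'bgp', 'BGP neighbor 172.16.10.10 went down'),
    ('05/01/2002-11:30:01', 'alert', 'system', 'event log cleared by admin'),
]


def select_events(events, start_time=None, end_time=None, level=None,
                  type_range=None, include=None, exclude=None, default_year=None):
    """Select records the way the get event switches do.

    start_time is inclusive; end_time is exclusive ("events generated before").
    type_range is an (id_num1, id_num2) pair of numeric priority levels, inclusive.
    """
    start = parse_time_str(start_time, default_year) if start_time else None
    end = parse_time_str(end_time, default_year) if end_time else None
    selected = []
    for rec in events:
        ts, lvl, _module, msg = rec
        when = parse_time_str(ts, default_year)
        if start is not None and when < start:
            continue
        if end is not None and when >= end:
            continue
        if level is not None and lvl != level:
            continue
        if type_range is not None and not (type_range[0] <= LEVELS.index(lvl) <= type_range[1]):
            continue
        if include is not None and include not in msg:
            continue
        if exclude is not None and exclude in msg:
            continue
        selected.append(rec)
    return selected


if __name__ == '__main__':
    # Everything that `clear event end-time 05/01/02-11:30:00` would discard.
    for rec in select_events(SAMPLE_EVENTS, end_time='05/01/02-11:30:00'):
        print('would be cleared:', rec)
    # Emergency through critical only (numeric levels 0 to 2).
    for rec in select_events(SAMPLE_EVENTS, type_range=(0, 2)):
        print('high priority:', rec)
```

Running the first loop before issuing the real clear command shows exactly which records are about to disappear, which is the check worth making on a device whose log has not been copied elsewhere.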

exit

Description: Use the exit command to exit from the console and command-line interface.

Syntax

exit

Keywords and Variables

None.

Notes

After issuing the exit command at the console, you must log back in to the console to configure a NetScreen device.

After issuing the exit command as root, you remain logged in to the console.

Page 136: NetScreen CLI Reference Guide - Juniper Networks

�4��� �*5��$��*$�4������%"����" ��5

������

���� �ebug flow output. These filters

���������������� ���������!�

Description: Use the ffilter commands to create or display filters for the display of duse the following criteria:

• a specific source IP address

• destination IP address

• source port

• destination port

• IP protocol

�3��".

���

get ffilter

���

set ffilter [ dst-ip ip_addr ]

[ dst-port port_num ] [ ip-proto ptcl_num ]

[ src-ip ip_addr ]

[ src-port port_num ]

�����

unset ffilter [ id_num ]

Keywords and Variables

ip-proto

set ffilter [ ... ] ip-proto ptcl_num [ ... ]

Example: The following command sets a filter for all packets with the IP protocol number 17, for the User Datagram Protocol (UDP):

set ffilter ip-proto 17

src-ip | dst-ip

set ffilter src-ip ip_addr [ ... ]

set ffilter dst-ip ip_addr [ ... ]

Examples: The following command sets a filter for all packets between the source IP address 172.16.10.88 and the destination IP address 192.168.9.77:

set ffilter src-ip 172.16.10.88 dst-ip 192.168.9.77

The following command creates a filter for all traffic from a host with IP address 172.16.10.1:

set ffilter src-ip 172.16.10.1

ip-proto ptcl_num Defines the assigned IP protocol number, where ptcl_num is a value between 0 and 255.

src-ip ip_addr Defines the source IP address.

dst-ip ip_addr Defines the destination IP address.

src-port | dst-port

set ffilter [ ... ] src-port port_num

set ffilter [ ... ] dst-port port_num

Example: The following command creates a filter for all SMTP traffic destined for a host with IP address 192.168.3.2:

set ffilter dst-ip 192.168.3.2 dst-port 25

Notes

When necessary, you can add more arguments to an existing debug filter. For example, if you have already set a filter for packets between a source IP and a destination IP, you can later specify port numbers for the packets.

Adding a new argument to an existing filter actually modifies an existing argument. For example, if you configure a filter to trap IP packets having IP protocol 51, and you then set a trap for IP packets having IP protocol 200, the NetScreen device replaces the 51 trap with the 200 trap. To prevent this, create new filters.

src-port port_num Defines the port number for the source IP address. Port numbers range from 0 to 65535.

dst-port port_num Defines the port number for the destination IP address. Port numbers range from 0 to 65535.
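A model of the ffilter table run over a few constructed packets, showing which packets a given set of filters would select and why the "protocol 51 replaced by protocol 200" situation in the Notes above loses the first trap. This is an added example, not ScreenOS code: the sample packets are invented, the class and function names are this example's own, and two points are modelling assumptions rather than statements from the guide, namely that debug flow output is unfiltered while the table is empty and that a packet is shown when any one entry matches.

```python
from ipaddress import ip_address


class DebugFlowFilters:
    """Model of the ffilter table (example code, not ScreenOS itself).

    Each entry ANDs the criteria given on one 'set ffilter' line.
    Assumptions: output is unfiltered while the table is empty, and a packet
    is shown when ANY entry matches, which is why the Notes say to create a
    new filter instead of extending an existing one.
    """
    KEYWORDS = ("src-ip", "dst-ip", "src-port", "dst-port", "ip-proto")

    def __init__(self):
        self.entries = []            # the list index doubles as id_num

    @classmethod
    def _parse_value(cls, keyword, value):
        if keyword not in cls.KEYWORDS:
            raise ValueError(f"unknown ffilter keyword {keyword!r}")
        if keyword.endswith("-ip"):
            return ip_address(value)             # raises on a malformed address
        number, limit = int(value), (255 if keyword == "ip-proto" else 65535)
        if not 0 <= number <= limit:
            raise ValueError(f"{keyword} must be between 0 and {limit}")
        return number

    def set_ffilter(self, args, id_num=None):
        """'set ffilter <args>': create a new entry, or (with id_num) add the
        criteria to an existing entry. A keyword already present in that entry
        is replaced, the behaviour the Notes above warn about."""
        tokens = args.split()
        if len(tokens) % 2:
            raise ValueError("ffilter criteria come in keyword/value pairs")
        criteria = {kw: self._parse_value(kw, val)
                    for kw, val in zip(tokens[::2], tokens[1::2])}
        if id_num is None:
            self.entries.append(criteria)
            return len(self.entries) - 1
        self.entries[id_num].update(criteria)
        return id_num

    def unset_ffilter(self, id_num=None):
        """'unset ffilter [id_num]': drop one entry or the whole table."""
        if id_num is None:
            self.entries.clear()
        else:
            del self.entries[id_num]

    def matches(self, packet):
        """packet: dict keyed like the CLI keywords, values already typed."""
        if not self.entries:
            return True
        return any(all(packet.get(k) == v for k, v in entry.items())
                   for entry in self.entries)


# Constructed sample packets, not captured traffic.
SAMPLE_PACKETS = [
    {"src-ip": ip_address("172.16.10.88"), "dst-ip": ip_address("192.168.9.77"),
     "ip-proto": 6, "src-port": 40001, "dst-port": 80},
    {"src-ip": ip_address("10.1.1.5"), "dst-ip": ip_address("192.168.3.2"),
     "ip-proto": 6, "src-port": 51000, "dst-port": 25},
    {"src-ip": ip_address("10.1.1.5"), "dst-ip": ip_address("10.2.2.2"),
     "ip-proto": 17, "src-port": 53, "dst-port": 53},
    {"src-ip": ip_address("10.3.3.3"), "dst-ip": ip_address("10.4.4.4"), "ip-proto": 51},
]


def shown_packets(filters, packets=SAMPLE_PACKETS):
    """Indices of the packets that debug flow would display under `filters`."""
    return [i for i, pkt in enumerate(packets) if filters.matches(pkt)]
```

Amending entry 0 from ip-proto 51 to ip-proto 200 leaves nothing matching the AH packet; adding a second entry with ip-proto 51 brings it back, which is the "create new filters" advice in practice.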

file

Description: Use the file commands to clear or display information for files stored in the flash memory.

Syntax

clear

clear [ cluster ] file dev_name:filename

get

get file [ filename | info ]

Keywords and Variables

dev_name:filename

clear [ ... ] file dev_name:filename

get file filename

Examples: The following command deletes a file named myconfig in the flash memory on the memory board:

clear file flash:myconfig

The following command displays information for the file named corpnet from the flash card memory:

get file corpnet

cluster

clear cluster file dev_name:filename

info

get file info

dev_name:filename Deletes the file with the name filename from the flash card memory.

filename Defines the file name stored in the flash card memory.

cluster Propagates the clear operation to all other devices in a NSRP cluster.

info Displays the base sector and address.

fips-mode

Description: Use the fips-mode commands to enable or disable FIPS mode in a NetScreen device.

In FIPS mode, certain security features are disabled. For information on these features, refer to the NetScreen FIPS 140-2 Security Policy manual.

Syntax

set

set fips-mode enable

unset

unset fips-mode enable

Keywords and Variables

None.

firewall

Description: Use the firewall commands to enable or disable logging of dropped packets.

Syntax

set

set firewall log-self { ike | snmp }

unset

unset firewall log-self { ike | snmp }

Keywords and Variables

log-self

set firewall log-self { ike | snmp }

unset firewall log-self { ike | snmp }

log-self Directs the NetScreen device to log all dropped packets and pings. The ike switch enables logging of dropped IKE packets, and the snmp switch enables logging of dropped SNMP packets.

Note: NetScreen devices perform most firewall services at the security zone level. Consequently, you configure individual zones to perform firewall services. For more information, see the zone commands.

Defaults

The firewall logging settings have the following defaults:

• log-self off

• ike on

• snmp off

flow

Description: Use the flow commands to adjust the initial session timeout value and to avoid packet fragmentation, or to display the session timeout values.

Syntax

get

get flow [ perf | tcpmss ]

set

set flow { allow-dns-reply | gre-in-tcp-mss | gre-out-tcp-mss | initial-timeout number | mac-flooding | max-frag-pkt-size number | nonsticky-vip-session | no-tcp-seq-check | path-mtu | tcp-mss | tcp-syn-check | tcp-syn-check-in-tunnel }

unset

unset flow { allow-dns-reply | gre-in-tcp-mss | gre-out-tcp-mss | initial-timeout | mac-flooding | max-frag-pkt-size | nonsticky-vip-session | no-tcp-seq-check | path-mtu | tcp-mss | tcp-syn-check | tcp-syn-check-in-tunnel }

Keywords and Variables

allow-dns-reply

set flow allow-dns-reply

unset flow allow-dns-reply

gre-in-tcp-mss

set flow gre-in-tcp-mss

unset flow gre-in-tcp-mss

gre-out-tcp-mss

set flow gre-out-tcp-mss

unset flow gre-out-tcp-mss

allow-dns-reply Allows a DNS reply packet without a matched request. Enable this only when an application needs it: it removes the stateful check that otherwise discards unsolicited, possibly spoofed, DNS responses.

gre-in-tcp-mss Specifies the inbound GRE TCP MSS option (64-1420).

gre-out-tcp-mss Specifies the outbound GRE TCP MSS option (64-1420).

initial-timeout

set flow initial-timeout number

unset flow initial-timeout

Example: The following command changes the length of time that an initial session remains in the session table to 2 minutes:

set flow initial-timeout 2

mac-flooding

set flow mac-flooding

unset flow mac-flooding

initial-timeout Defines the length of time in minutes (number) that the NetScreen device keeps an initial session in the session table before dropping it, or until the device receives a FIN or RST packet. The range of time is from 1 to 6 minutes.

mac-flooding Enables the NetScreen device to pass a packet across the firewall even if its destination MAC address is not in the MAC learning table.

max-frag-pkt-size

set flow max-frag-pkt-size number

unset flow max-frag-pkt-size

Example: The following command sets the maximum size of a packet generated by the NetScreen device to 1024 bytes:

set flow max-frag-pkt-size 1024

nonsticky-vip-session

set flow nonsticky-vip-session

unset flow nonsticky-vip-session

no-tcp-seq-check

set flow no-tcp-seq-check

unset flow no-tcp-seq-check

max-frag-pkt-size The maximum allowable size for a packet fragment generated by the NetScreen device. You can set the number value between 1024 and 1500 inclusive. For example, if a received packet is 1540 bytes and max-frag-pkt-size is 1460 bytes, the device generates two fragment packets. The first is 1460 bytes and the second is 80 bytes. If you reset max-frag-pkt-size to 1024, the first fragment packet is 1024 bytes and the second is 516 bytes.

nonsticky-vip-session Allows unused VIP sessions to expire immediately.

no-tcp-seq-check Skips the sequence number check in stateful inspection. Skipping the check lets out-of-window segments through, so use it only to work around a broken TCP implementation.

path-mtu

set flow path-mtu

unset flow path-mtu

perf

get flow perf

tcp-mss

get flow tcpmss

set flow tcpmss

unset flow tcpmss

tcp-syn-check

set flow tcp-syn-check

unset flow tcp-syn-check

path-mtu Enables path-MTU (maximum transmission unit) discovery. If the NetScreen device receives a packet that must be fragmented, it sends an ICMP packet suggesting a smaller packet size.

perf Displays the perf information.

tcp-mss Enables the TCP-MSS (TCP Maximum Segment Size) option. The NetScreen device modifies the MSS value in the TCP packet to avoid fragmentation caused by the IPSec operation.

tcp-syn-check Checks the TCP SYN bit before creating a session. With the check off, any TCP segment can create a session, which also lets non-SYN probe scans through the firewall.

tcp-syn-check-in-tunnel

set flow tcp-syn-check-in-tunnel

unset flow tcp-syn-check-in-tunnel

Defaults

The default initial timeout value is 1 minute.

The MAC-flooding feature is enabled by default.

tcp-syn-check-in-tunnel Checks the TCP SYN bit before creating a session for tunneled packets.
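What "modifies the MSS value in the TCP packet" (the tcp-mss keyword above) amounts to on the wire: the MSS option is rewritten in the SYN and the TCP checksum is recomputed, so the hosts send segments small enough that the IPSec encapsulation does not push the packet over the link MTU. The following is an added example, not ScreenOS code and not the device's actual implementation; the packet builder produces a constructed SYN for input, and the clamp value 1350 is an assumed tunnel-safe figure, not one the guide gives.

```python
import socket
import struct

TCP = 6


def _ones_complement_sum(data):
    """RFC 1071 checksum: complemented 16-bit one's-complement sum of data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _tcp_checksum(src, dst, segment):
    """TCP checksum over the IPv4 pseudo-header plus the whole segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP, len(segment))
    return _ones_complement_sum(pseudo + segment)


def _mss_offset(tcp):
    """Byte offset of the MSS value inside TCP header tcp, or None if absent."""
    data_offset = (tcp[12] >> 4) * 4
    i = 20
    while i < data_offset:
        kind = tcp[i]
        if kind == 0:                        # end of option list
            return None
        if kind == 1:                        # NOP padding
            i += 1
            continue
        if i + 1 >= data_offset:
            raise ValueError("truncated TCP option")
        length = tcp[i + 1]
        if length < 2 or i + length > data_offset:
            raise ValueError("malformed TCP option length")
        if kind == 2 and length == 4:        # MSS: kind 2, length 4, 16-bit value
            return i + 2
        i += length
    return None


def read_mss(packet):
    """MSS advertised by an IPv4/TCP packet, or None."""
    ihl = (packet[0] & 0x0F) * 4
    off = _mss_offset(packet[ihl:])
    return None if off is None else struct.unpack_from("!H", packet, ihl + off)[0]


def clamp_mss(packet, max_mss):
    """Return packet with its MSS option lowered to max_mss when it advertises
    more, recomputing the TCP checksum. Non-TCP packets, segments without the
    SYN flag and MSS values already at or below max_mss pass through unchanged."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != TCP:
        return packet
    ip, tcp = packet[:ihl], bytearray(packet[ihl:])
    if not tcp[13] & 0x02:                   # MSS is only negotiated on SYN
        return packet
    off = _mss_offset(tcp)
    if off is None or struct.unpack_from("!H", tcp, off)[0] <= max_mss:
        return packet
    struct.pack_into("!H", tcp, off, max_mss)
    tcp[16:18] = b"\x00\x00"                 # zero the checksum field before recomputing
    struct.pack_into("!H", tcp, 16, _tcp_checksum(ip[12:16], ip[16:20], bytes(tcp)))
    return ip + bytes(tcp)                   # IP header untouched: length is unchanged


def tcp_checksum_ok(packet):
    """A correct TCP checksum sums to zero when verified over the whole segment."""
    ihl = (packet[0] & 0x0F) * 4
    return _tcp_checksum(packet[12:16], packet[16:20], packet[ihl:]) == 0


def build_syn(src_ip, dst_ip, sport, dport, mss):
    """Constructed IPv4/TCP SYN carrying an MSS option (sample input only)."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01\x04\x02"  # MSS, NOP, NOP, SACK-permitted
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 0,
                                ((20 + len(options)) // 4) << 4, 0x02, 65535, 0, 0) + options)
    struct.pack_into("!H", tcp, 16, _tcp_checksum(src, dst, bytes(tcp)))
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, TCP, 0, src, dst))
    struct.pack_into("!H", ip, 10, _ones_complement_sum(bytes(ip)))
    return bytes(ip) + bytes(tcp)
```

The option walk stops at a malformed length rather than reading past the header, and an MSS that is already small is left alone, so the rewrite only ever lowers the value.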

ftp

Description: Use the ftp commands to allow FTP services for non-port-20 traffic to negotiate any data port number.

When the ftp data-port setting is disabled, the NetScreen device does not recognize certain FTP services that negotiate a data port other than port 20. When the ftp data-port setting is enabled, it allows FTP servers to dynamically negotiate any data port that the FTP server proposes. The stateful inspection monitor continues to meter the session.

Syntax

set

set ftp data-port any

unset

unset ftp data-port any

Keywords and Variables

data-port any

set ftp data-port any

unset ftp data-port any

data-port any Specifies any FTP data port except port 20.

gate

Description: Use the gate command to check the number of gates on the NetScreen device, how many are in use, and how many are still available. Gates are logical access points in the firewall for FTP and similar applications. The NetScreen device creates the gate, then converts the gate to a session when data traffic occurs.

Syntax

get

get gate

Keywords and Variables

None.

Defaults

The default numbers of gates on NetScreen devices are:

NetScreen-5000 Series 4096

NetScreen-1000 4096

NetScreen-500 1024

NetScreen-200 Series 1024

NetScreen-100 1024

NetScreen-25/50 256

NetScreen-10 256

NetScreen-5xp 256

global-pro

Description: Use the global-pro commands to set or display the NetScreen-Global PRO configuration.

Syntax

get

get global-pro { config | policy-manager | proto-dist { table { bytes | packets } | user-service } }

set

set global-pro { config
  { primary { ip_addr | name_str } | secondary { ip_addr | name_str } | timeout number }
  | enable | policy-manager
  { nacn | primary | secondary
    { ca-idx number | cert-subject string | host { ip_addr | name_str } | outgoing-interface interface | password pswd_str | policy-domain dom_name | port port_num }
  } | report
  { alarm-attack enable | alarm-other enable | alarm-traffic enable | attack-stat enable | ethernet-stat enable | flow-stat enable | log-config enable | log-info enable | log-self enable | log-traffic enable | policy-stat enable | proto-dist
    { enable | user-service name_str { ah | esp | gre | icmp | ospf | tcp | udp port_num1-port_num2 } }
  } | vpn }

Note: When the proto-dist report setting is enabled, the NetScreen device creates a log entry in the protocol table for every packet that passes through the device. Because this affects performance, it is advisable to disable the setting, except when protocol distribution information is required.

unset

unset global-pro { config { primary | secondary | timeout } | enable | policy-manager
  { nacn | primary | secondary
    { ca-idx | cert-subject | host | outgoing-interface | password | policy-domain | port }
  } | report
  { alarm-attack enable | alarm-other enable | alarm-traffic enable | attack-stat enable | ethernet-stat enable | flow-stat enable | log-config enable | log-info enable | log-self enable | log-traffic enable | policy-stat enable | proto-dist
    { enable | user-service name_str }
  } | vpn }

Keywords and Variables

ca-idx

set global-pro policy-manager primary ca-idx number

set global-pro policy-manager secondary ca-idx number

unset global-pro policy-manager primary ca-idx

unset global-pro policy-manager secondary ca-idx

Example: The following command specifies CA certificate 2001:

set global-pro policy-manager primary ca-idx 2001

cert-subject

set global-pro policy-manager primary cert-subject string

set global-pro policy-manager secondary cert-subject string

unset global-pro policy-manager primary cert-subject

unset global-pro policy-manager secondary cert-subject

Example: For an example of this option, see “NACN Example” at the end of this entry.

ca-idx Selects by index number the CA certificate allowed for authentication. You can obtain this index number by executing get ssl ca-list. (Optional)

cert-subject Specifies the acceptable full subject name (string) of the certificate used for authentication. (Optional)

config

get global-pro config

set global-pro config { primary { ip_addr | name_str } | secondary { ip_addr | name_str } | timeout number }

unset global-pro config { primary | secondary | timeout }

Example: The following command specifies that the primary management station IP address is 172.16.1.2:

set global-pro config primary 172.16.1.2

enable

set global-pro enable

unset global-pro enable

config Identifies the primary and secondary Global PRO servers, and sets the timeout value.

• primary ip_addr | name_str Specifies the IP address or name of the primary server.

• secondary ip_addr | name_str Specifies the IP address or name of the secondary server.

• timeout number Specifies the timeout value (in seconds) on the Global PRO agent. (Specifying 0 sets the timeout value to the default value, 30 seconds.)

enable Enables the NetScreen device for Global PRO reporting.

host

set global-pro policy-manager primary host { name_str | ip_addr }

set global-pro policy-manager secondary host { name_str | ip_addr }

unset global-pro policy-manager primary host

unset global-pro policy-manager secondary host

Example: To specify that the primary host IP address is 172.16.1.2:

set global-pro policy-manager primary host 172.16.1.2

nacn

set global-pro policy-manager nacn

unset global-pro policy-manager nacn

Example: For an example of this option, see “NACN Example” at the end of this entry.

outgoing-interface

set global-pro policy-manager primary outgoing-interface interface

set global-pro policy-manager secondary outgoing-interface interface

unset global-pro policy-manager primary outgoing-interface

unset global-pro policy-manager secondary outgoing-interface

host Specifies the hostname or IP address of the server running the Global-PRO Policy Manager application.

nacn Enables NetScreen Address Change Notification (NACN). When NACN is active, the NetScreen device notifies the Global-PRO server each time the IP address of the managed interface changes (statically, or dynamically due to DHCP or PPPoE).

outgoing-interface Specifies the monitored interface through which the NetScreen device sends out registration packets.

password

set global-pro policy-manager primary password pswd_str

set global-pro policy-manager secondary password pswd_str

unset global-pro policy-manager primary password

unset global-pro policy-manager secondary password

policy-manager

get global-pro policy-manager

set global-pro policy-manager { ... }

unset global-pro policy-manager { ... }

Example: For examples of this option, see “NACN Example” at the end of this entry.

policy-domain

set global-pro policy-manager primary policy-domain dom_name

set global-pro policy-manager secondary policy-domain dom_name

unset global-pro policy-manager primary policy-domain

unset global-pro policy-manager secondary policy-domain

Example: For an example of this option, see “NACN Example” at the end of this entry.

password Specifies the registered Global-PRO Policy Manager password (pswd_str).

policy-manager Configures the NetScreen device to register its address with the Global PRO Policy Manager.

policy-domain Specifies the policy domain (dom_name) registered with the Global-PRO arbitrator. (Optional)

port

set global-pro policy-manager primary port port_num

set global-pro policy-manager secondary port port_num

unset global-pro policy-manager primary port

unset global-pro policy-manager secondary port

primary | secondary

set global-pro config primary { ... }

set global-pro config secondary { ... }

set global-pro policy-manager primary { ... }

set global-pro policy-manager secondary { ... }

unset global-pro config primary

unset global-pro config secondary

Example: For examples of this option, see “NACN Example” at the end of this entry.

report

set global-pro report { ... }

unset global-pro report { ... }

table

get global-pro proto-dist table { bytes | packets }

vpn

set global-pro vpn

unset global-pro vpn

port Specifies the port number (port_num) through which the NetScreen device talks to the Global-PRO Policy Manager. The default port number is 11122.

primary | secondary Identifies the primary and secondary Global PRO Report Manager servers, or identifies the Global PRO Policy Manager server and sets parameters for the Arbitrator process.

report Enables the specified report.

• alarm-attack reports all attack alarms.

• alarm-other reports all other types of alarms (non-attack alarms).

• alarm-traffic reports all traffic alarms.

• attack-stat reports all attack statistics.

• ethernet-stat reports ethernet statistics.

• flow-stat reports flow statistics.

• log-config produces the configuration logs.

• log-info produces information logs.

• log-self produces self-logs.

• log-traffic produces traffic logs.

• policy-stat reports policy statistics.

• proto-dist reports the distribution of different protocol types. The user-service option displays the NetScreen-Global PRO protocol distribution settings for user-defined services (ah | esp | gre | icmp | ospf | tcp | udp).

table Displays the NetScreen-Global PRO protocol distribution settings in bytes or in packets.

vpn Allows the NetScreen device to source its report packets from the Trusted interface.

NACN Example

The following commands enable the NetScreen Address Change Notification (NACN) protocol, and configure the NetScreen device for interaction with the primary and secondary Global PRO servers. (In this example, assume the get ssl ca-list command displays a Certificate Authority with index number 2.)

exec pki x509 install-factory-certs "phonehome1CA1"

get ssl ca-list

set global-pro policy-manager primary ca-idx 2

set global-pro policy-manager primary cert-subject "CN=Marketing,OU=Marketing,O=Ajax,L=Chicago,ST=IL,C=US,Email=[email protected]"

set global-pro policy-manager primary outgoing-interface ethernet3

set global-pro policy-manager primary host 172.16.12.12

set global-pro policy-manager primary password swordfish

set global-pro policy-manager primary policy-domain "mmci"

set global-pro policy-manager secondary ca-idx 2

set global-pro policy-manager secondary cert-subject "CN=Marketing,OU=Marketing,O=Ajax,L=Chicago,ST=IL,C=US,Email=[email protected]"

set global-pro policy-manager secondary outgoing-interface ethernet3

set global-pro policy-manager secondary host 172.16.12.100

set global-pro policy-manager secondary password trout

set global-pro policy-manager secondary policy-domain "mmci"

set interface ethernet3 manage scs

set global-pro policy-manager nacn

Note: The last command in this example executes successfully only if the monitored interfaces have Telnet, SCS, or SSH enabled.

glog

Description: Use the glog commands to display the contents of the global log file.

Syntax

get

get glog

Keywords and Variables

None.

Note: Log entries of all categories go to the global log file initially. The display shows the total number of entries in the file and the category to which each entry belongs.

group

Description: Use the group commands to group several addresses or several services under a single name. This allows you to reference a group of addresses or services by name in an access policy.

Syntax

get

get group { address zone [ grp_name ] | service [ grp_name ] }

set

set group { address zone grp_name [ add mbr_name ] [ comment string ] | service grp_name [ add mbr_name [ comment string ] ] }

unset

unset group { address zone grp_name [ remove mbr_name | clear ] | service grp_name [ remove mbr_name | clear ] }

Keywords and Variables

add

set group address zone grp_name [ add mbr_name ] [ comment string ]

set group service grp_name [ add mbr_name [ comment string ] ]

Examples: The following command creates an address group named engineering for the Trust zone and adds the address hw-eng to the group:

set group address trust engineering add hw-eng

The following command creates a service group named inside-sales and adds the service AOL to the group:

set group service inside-sales add AOL

address

get group address zone [ ... ]

set group address zone grp_name [ ... ]

unset group address zone grp_name [ ... ]

Example: The following command creates an empty address group (named headquarters) for the Trust zone:

set group address trust headquarters

add mbr_name Adds an address or service named mbr_name.

address Performs the operation on an address group. The zone value specifies the zone to which the address group is bound. This zone is either a default security zone or a user-defined zone. For more information on zones, see “Security Zone Names” on page A-II.

clear

unset group address zone grp_name clear

unset group service grp_name clear

Example: The following command removes all members from an address group (engineering) bound to the Trust zone:

unset group address trust engineering clear

comment

set group address zone grp_name [ ... ] [ comment string ]

set group service grp_name [ ... ] [ comment string ]

Example: The following command creates an address group named engineering for the Trust zone and adds the address hw-eng to the group:

set group address trust engineering add hw-eng comment “Engineering Group”

remove

unset group address zone grp_name remove mbr_name

unset group service grp_name remove mbr_name

Example: The following command removes the address admin-pc from the engineering address group:

unset group address trust engineering remove admin-pc

service

get group service grp_name

set group service grp_name [ ... ]

unset group service grp_name [ ... ]

Example: The following command creates an empty service group and names it web_browsing:

set group service web_browsing

clear Removes all the members of an address or service group.

comment Adds a comment string to the service group or address group entry.

remove Removes the address (or service) named mbr_name. If you do not specify an address (or service) group member, the unset group { address | service } command deletes the entire address group or service group.

service grp_name Performs the operation on a service group.

Notes

Each address group and service group you create must have a unique name. You cannot use the same address group name as a service group name.

You cannot add the following addresses to a group:

• inside any

• outside any

• dialup vpn

• dmz any

You cannot add the ANY service to a group.

While an access policy references a group, you cannot remove the group, although you can modify it.

You can add only one member to a group at a time from the console.

group-expression

Description: Use the group-expression commands to set up or display group expressions for use in security policies. A group expression allows or excludes users, user groups, or other group expressions according to NOT, AND, or OR operators. Such expressions are only usable for external users and user groups.

Syntax

get

get group-expression { name_str | all | id number }

set

set group-expression name_str { not name_str | name_str { and | or } name_str | id number }

unset

unset group-expression { name_str | id number }

Keywords and Variables

name_str

get group-expression name_str

set group-expression name_str

unset group-expression name_str

all

get group-expression all

and | or

set group-expression name_str name_str and name_str

set group-expression name_str name_str or name_str

Example: The following commands define two external user groups, create a group expression SalesM that places Sales_Group and Marketing_Group in an OR relationship, and then create a group expression SM_Group that places Office_1 and SalesM in an AND relationship:

set user-group Sales_Group location external

set user-group Marketing_Group location external

set group-expression SalesM Sales_Group or Marketing_Group

set group-expression SM_Group Office_1 and SalesM

name_str The name of the group expression.

all Specifies all group expressions.

and | or Specifies an AND or OR relationship between users, user groups, or group expressions.

id

get group-expression id number

set group-expression name_str id number

unset group-expression id number

not

set group-expression name_str not name_str

Example: The following command creates a NOT group expression that does not allow the Office_1 user:

set group-expression Total_Users not Office_1

id number Specifies an identification number for the group expression.

not Specifies negation.
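How the nested expressions in the examples above resolve for a given user, shown by an added evaluator that is not ScreenOS code: an operand may be a user, an external user group, or another expression, so evaluation recurses, and a self-referencing expression is rejected rather than looping. The class and function names, and the two users and their group memberships, are this example's own constructions.

```python
class GroupExpressions:
    """Evaluator for group expressions of the CLI forms 'A and B', 'A or B'
    and 'not A' (example code, not ScreenOS itself)."""

    def __init__(self):
        self.expressions = {}        # name -> (operator, operand[, operand])

    def set_expression(self, name, definition):
        tokens = definition.split()
        if len(tokens) == 2 and tokens[0] == "not":
            self.expressions[name] = ("not", tokens[1])
        elif len(tokens) == 3 and tokens[1] in ("and", "or"):
            self.expressions[name] = (tokens[1], tokens[0], tokens[2])
        else:
            raise ValueError(f"not a valid group expression: {definition!r}")

    def unset_expression(self, name):
        del self.expressions[name]

    def matches(self, name, user, groups, _stack=()):
        """True if `user`, a member of the external `groups`, satisfies
        expression `name`. Rejects an expression that refers back to itself."""
        if name in _stack:
            raise ValueError(f"circular reference in group expression {name!r}")
        op, *operands = self.expressions[name]

        def holds(operand):
            if operand in self.expressions:          # nested expression
                return self.matches(operand, user, groups, _stack + (name,))
            return operand == user or operand in groups   # user or user group

        if op == "not":
            return not holds(operands[0])
        if op == "and":
            return holds(operands[0]) and holds(operands[1])
        return holds(operands[0]) or holds(operands[1])


def policy_example():
    """Builds the expressions from the examples above and evaluates them for
    two constructed users; returns {expression: {user: result}}."""
    ge = GroupExpressions()
    ge.set_expression("SalesM", "Sales_Group or Marketing_Group")
    ge.set_expression("SM_Group", "Office_1 and SalesM")
    ge.set_expression("Total_Users", "not Office_1")
    # Constructed memberships: Office_1 is a user in Sales_Group, alice is in Marketing_Group.
    users = {"Office_1": {"Sales_Group"}, "alice": {"Marketing_Group"}}
    return {name: {u: ge.matches(name, u, g) for u, g in users.items()}
            for name in ge.expressions}
```

SM_Group is true only for Office_1, because the AND requires that specific user as well as membership in one of the two sales groups, while Total_Users excludes exactly that user.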

hostname

Description: Use the hostname commands to define the NetScreen device name that appears in the console command prompt.

Syntax

get

get hostname

set

set hostname string

unset

unset hostname

Keywords and Variables

string

Example: The following command changes the NetScreen device hostname to acme:

set hostname acme

string Sets the name of the NetScreen device.

Page 174: NetScreen CLI Reference Guide - Juniper Networks

�4��� �*5��$��*$�4������%"����" ��5

��7���

�. d the gateway for an AutoKey

���������������� ���������!�

Definition: Use the ike commands to define the Phase 1 and Phase 2 proposals anIKE (Internet Key Exchange) VPN tunnel, and to specify other IKE parameters.

�3��".

�*��

exec ike preshare-gen name_str usr_str

���

get ike { accept-all-proposal | ca-and-type | cert | conn-entry | cookies | gateway [ name_str ] | heartbeat | id-mode | initial-contact

[ all-peers | single-gateway [ name_str ] ] |

initiator-set-commit | member-sa-hold-time | p1-max-dialgrp-sessions | p1-proposal name_str |

Page 175: NetScreen CLI Reference Guide - Juniper Networks

�4��� �*5��$��*$�4������%"����" ��5

��9���

���������������� ���������!�

p1-sec-level | p2-proposal name_str | p2-sec-level | policy-checking | respond-bad-spi | responder-set-commit | soft-lifetime-buffer }

���

�$"��������8��"%

set ike p1-proposal name_str [ dsa-sig | rsa-sig | preshare ]

[ group1 | group2 | group5 ] { esp

{ 3des | des | aes128 | aes192 | aes256 { md5 | sha-1

[ days number | hours number | minutes number | seconds number ]

} }

}

Page 176: NetScreen CLI Reference Guide - Juniper Networks

�4��� �*5��$��*$�4������%"����" ��5

������

ll } |

ng ] |

���������������� ���������!�

�$"���6����8��"%

set ike p2-proposal name_str [ group1 | group2 | group5 | no-pfs ]

{ esp { 3des | des | aes128 | aes196 | aes256 | nuah }

[ md5 | null | sha-1 [ days number | hours number | minutes number | seconds number ] ]

[ kbyte number ] ]

}

�"��;"3�&���%

set ike gateway name_str { dialup { usr_str | grp_name } ip ip_addr | dynamic

{ asn1-dn { [ container string ] | [ wildcard strifqdn string | ip-addr string | u-fqdn string }

} [ aggressive | main ] [ local-id id_str ]

Page 177: NetScreen CLI Reference Guide - Juniper Networks

�4��� �*5��$��*$�4������%"����" ��5

������

y_str ]

standard } |

name_str4 ]

���������������� ���������!�

[ outgoing-interface interface ] [ preshare key_str | seed-preshare ke

{ sec-level { basic | compatible | proposal name_str1

[ name_str2 ] [ name_str3 ] [}

�"��;"3�B�"����"�

set ike gateway name_str heartbeat { hello number | threshold number | reconnect number }

�"��;"3�����

set ike gateway name_str cert { my-cert id_num | peer-ca [ id_num | all ] | peer-cert-type { pkcs7 | x509-sig } }

�"��;"3��?&�&�"����"%

set ike gateway name_str nat-traversal [ udp-checksum | keepalive-frequency number ]

Gateway XAUTH

set ike gateway name_str xauth [ server name_str
[ [ chap ] [ query-config ] user name_str | user-group name_str ] ]

Other IKE Settings

set ike { accept-all-proposal | heartbeat { hello number | reconnect number | threshold number } | id-mode { ip | subnet } | initial-contact
[ all-peers | single-gateway name_str ] |
initiator-set-commit | member-sa-hold-time number | p1-max-dialgrp-sessions { count number | percentage number } | policy-checking | respond-bad-spi spi_num | responder-set-commit | single-ike-tunnel name_str | soft-lifetime-buffer number }

unset

unset ike { accept-all-proposal | gateway name_str

[ heartbeat { hello | reconnect | threshold } | my-cert | nat-traversal [ udp-checksum ] | peer-ca | peer-cert-type | xauth ] |

heartbeat { hello | reconnect | threshold } | initial-contact | initiator-set-commit | member-hold-sa | p1-max-dialgrp-sessions | p1-proposal name_str | p2-proposal name_str | policy-checking | respond-bad-spi | responder-set-commit | single-ike-tunnel name_str }

Keywords and Variables

accept-all-proposal

get ike accept-all-proposal
set ike accept-all-proposal
unset ike accept-all-proposal

accept-all-proposal Directs the NetScreen device to accept all incoming proposals. By default, the device accepts only those proposals matching predefined or user-defined proposals.

aggressive | main

set ike gateway name_str { ... } aggressive [ ... ]
set ike gateway name_str { ... } main [ ... ]

aggressive | main Defines the mode used for Phase 1 negotiations. Use Aggressive mode only when you need to initiate an IKE key exchange without ID protection, as when a peer unit has a dynamically assigned IP address. Main mode is the recommended key-exchange method because it conceals the identities of the parties during the key exchange.

ca-and-type

get ike ca-and-type

ca-and-type Displays the supported certificate authorities (CAs) and certificate types.

cert

get ike cert
set ike gateway name_str cert my-cert id_num
set ike gateway name_str cert peer-ca [ id_num | all ]
set ike gateway name_str cert peer-cert-type { pkcs7 | x509-sig }

cert Uses a digital certificate to authenticate the VPN initiator and recipient.

gateway name_str cert Specifies which certificates to use.
• my-cert name_str Specifies a particular certificate when the local NetScreen device has multiple loaded certificates.
• peer-ca name_str Specifies a preferred certificate authority (CA).
• peer-cert-type { pkcs7 | x509 } Specifies a preferred type of certificate (PKCS7 or X509).

conn-entry

get ike conn-entry

conn-entry Displays the Connection Entry Table.

cookies

get ike cookies

cookies Displays the cookie table, and the total number of dead and active cookies.

dialup

set ike gateway name_str dialup { usr_str | grp_name } [ ... ]

Example: For an example of this option, see “Setting Up a VPN Tunnel” on page 178.

dialup Identifies an IKE dialup user (usr_str) or dialup group (grp_name). To specify a user’s attributes, use the set user command. (To specify dialup group attributes, use the set dialup command.)

dynamic

set ike gateway name_str dynamic { ... } [ ... ]

dynamic Specifies the dynamic IP identifier for the remote gateway interface.
• asn1-dn { container | wildcard } string The ASN1 domain name. The container switch treats string as a container. The wildcard switch treats string as a wild card.
• fqdn The fully-qualified domain name (such as www.acme.com).
• ip_addr string The IP address of the remote gateway interface.
• u-fqdn string The user fully-qualified domain name.

gateway

get ike gateway
set ike gateway name_str { ... } [ ... ]
unset ike gateway { ... }

gateway Configures or displays settings for a remote tunnel gateway.

heartbeat

get ike heartbeat
set ike gateway name_str heartbeat { hello number | threshold number | reconnect number }
unset ike gateway heartbeat { hello | reconnect | threshold }

heartbeat Specifies the IKE heartbeat protocol parameters.
• hello number Sets the IKE heartbeat protocol interval (in seconds).
• reconnect number Sets the quiet interval (in seconds) that elapses before the NetScreen device reconnects a failed tunnel.
• threshold number Sets the number of retries before the NetScreen device forces renegotiation of the Phase 1 and Phase 2 keys.

id-mode

get ike id-mode
set ike id-mode ip
set ike id-mode subnet

id-mode Defines the IKE ID mode in the Phase 2 exchange as either a host (IP) address or a gateway (subnet). If you use the ip switch, the device sends no Phase 2 ID. If you choose the subnet switch, the device sends proxy Phase 2 IDs. (Use the ip switch when setting up a VPN tunnel between a NetScreen device and a CheckPoint 4.0 device. Otherwise, use the subnet switch.)

initial-contact

get ike initial-contact
set ike initial-contact [ all-peers | single-gateway name_str ]
unset ike initial-contact

initial-contact Determines how the NetScreen device performs initial contact with an IKE peer.
• Specifying all-peers instructs the NetScreen device to delete all SAs, then send an initial contact notification to each IKE peer.
• Specifying single-gateway name_str instructs the NetScreen device to delete all SAs associated with the specified IKE gateway, then send an initial contact notification.
If you specify none of the above options, the NetScreen device sends an initial contact notification to all peers during the first IKE single-user session after a system reset.

initiator-set-commit

get ike initiator-set-commit
set ike initiator-set-commit
unset ike initiator-set-commit

initiator-set-commit Sends the responder a request to confirm establishment of the new IPSec SA. The initiator does not use the new SA until it receives this confirmation.

ip

set ike gateway name_str ip ip_addr

Example: For an example of this option, see “Setting Up a VPN Tunnel” on page 178.

ip Specifies the static IP address of the remote gateway interface.

local-id

set ike gateway name_str { ... } local-id id_str

local-id Defines the IKE NetScreen identity of the local device. Use this option only when the local NetScreen device has a dynamically assigned IP address (Note: If either peer has a dynamically assigned IP address, use Aggressive mode for Phase 1).

member-sa-hold-time

get ike member-sa-hold-time
set ike member-sa-hold-time number
unset ike member-hold-sa

member-sa-hold-time The length of time (in minutes) the NetScreen device keeps an unused SA allocated for a dialup user.

nat-traversal

set ike gateway name_str nat-traversal [ udp-checksum | keepalive-frequency number ]
unset ike gateway name_str nat-traversal [ ... ]

Examples: The following command enables NAT traversal for a gateway named mktg:

set ike gateway mktg nat-traversal

The following command sets the Keepalive setting to 25 seconds:

set ike gateway mktg nat-traversal keepalive-frequency 25

nat-traversal Enables or disables IPsec NAT Traversal, a feature that allows transmission of encrypted traffic through a NetScreen device configured for NAT. The NAT Traversal feature encapsulates ESP packets into UDP packets. This prevents the NAT device from altering ESP packet headers in transit, thus preventing authentication failure on the peer NetScreen device.
• udp-checksum enables the NAT-Traversal UDP checksum operation (used for UDP packet authentication).
• keepalive-frequency specifies how many seconds of inactivity the NetScreen device allows before disabling NAT Traversal.

outgoing-interface

set ike gateway name_str { ... } outgoing-interface interface [ ... ]

outgoing-interface Defines the outgoing interface.

p1-max-dialgrp-sessions

get ike p1-max-dialgrp-sessions
set ike p1-max-dialgrp-sessions count number
set ike p1-max-dialgrp-sessions percentage number
unset ike p1-max-dialgrp-sessions

p1-max-dialgrp-sessions Displays the allowed concurrent Phase 1 negotiations for dialup groups.

p1-proposal

get ike p1-proposal name_str
set ike p1-proposal name_str [ ... ] { ... }
unset ike p1-proposal name_str

p1-proposal Names the IKE Phase 1 proposal, which contains parameters for creating and exchanging session keys and establishing security associations. You can specify up to four Phase 1 proposals.
• dsa-sig | rsa-sig | preshare Specifies the method to authenticate the source of IKE messages. preshare refers to a preshared key, which is a key for encryption and decryption that both participants have before beginning tunnel negotiations. rsa-sig and dsa-sig refer to two kinds of digital signatures, which are certificates that confirm the identity of the certificate holder. (The default method is preshare.)
• group1 | group2 | group5 Identifies the Diffie-Hellman group, a technique that allows two parties to negotiate encryption keys over an insecure medium, such as the Internet. Group2 is the default group.
• esp Specifies Encapsulating Security Payload protocol, which provides encryption and authentication.
• des | 3des | aes128 | aes192 | aes256 Specifies the encryption algorithm.
• md5 | sha-1 Specifies the authentication (hashing) algorithm used in ESP protocol. The default algorithm is SHA-1, the stronger of the two algorithms.

• The following parameters define the elapsed time between each attempt to renegotiate a security association. The minimum allowable lifetime is 180 seconds. The default lifetime is 28800 seconds.
- days number
- hours number
- minutes number
- seconds number
• kbytes number Indicates the maximum allowable data flow (in kilobytes) before NetScreen renegotiates another security association. The default value is 0 (infinity).

Example: To define a Phase 1 proposal named pre-gl-3des-md5 with the following attributes:
• Preshared key and a group 1 Diffie-Hellman exchange
• Encapsulating Security Payload (ESP) protocol using the 3DES and MD5 algorithms
• Lifetime of 3 minutes:

set ike p1-proposal sf1 preshare group1 esp 3des md5 minutes 3

p1-sec-level

get ike p1-sec-level

p1-sec-level Displays the predefined IKE Phase 1 proposals in descending order of security level.

p2-sec-level

get ike p2-sec-level

p2-sec-level Displays the predefined IKE Phase 2 proposals in descending order of security level.

p2-proposal

get ike p2-proposal name_str
set ike p2-proposal name_str [ ... ] { ... }
unset ike p2-proposal name_str

p2-proposal Names the IKE Phase 2 proposal. This proposal defines parameters for creating and exchanging a session key to establish a security association (SA). You can specify up to four Phase 2 proposals.
• group1 | group2 | group5 | no-pfs Defines how the NetScreen device generates the encryption key. Perfect Forward Secrecy (PFS) is a method for generating each new encryption key independently from the previous key. Selecting no-pfs turns this feature off, so IKE generates the Phase 2 key from the key generated in the Phase 1 exchange. If you specify one of the Diffie-Hellman groups, IKE automatically uses PFS when generating the encryption key. The default is Group 2.
• ah | esp In a Phase 2 proposal, identifies the IPSec protocol.
- esp { des | 3des | aes128 | aes192 | aes256 } Specifies Encapsulating Security Payload (ESP) protocol, which provides both encryption and authentication. Specifies the encryption algorithm used in ESP protocol.
- ah Specifies Authentication Header (AH) protocol, which provides authentication only.
• md5 | null | sha-1 Specifies the authentication (hashing) algorithm used in ESP protocol. The default algorithm is SHA-1, the stronger of the two algorithms. The null switch specifies no authentication.
• The following parameters define the elapsed time between each attempt to renegotiate a security association. The minimum allowable lifetime is 180 seconds. The default lifetime is 28800 seconds.
- days number
- hours number
- minutes number
- seconds number
• kbytes number Indicates the maximum allowable data flow in kilobytes before NetScreen renegotiates another security association. The default value is 0 (infinity).

Example: To define a Phase 2 proposal named g2-esp-3des-null with the following attributes:
• Group 2 Diffie-Hellman exchange
• ESP using 3DES without authentication
• Lifetime of 15 minutes:

set ike p2-proposal g2-esp-3des-null group2 esp 3des null minutes 15

policy-checking

get ike policy-checking
set ike policy-checking
unset ike policy-checking

policy-checking Checks to see if the access policies of the two peers match before establishing a connection. Use policy checking when the configuration on the peer gateways supports multiple tunnels. Otherwise, the IKE session fails. You can disable policy checking when only one policy is configured between two peers.

preshare

set ike p1-proposal name_str preshare [ ... ]
set ike gateway name_str { ... } [ ... ] preshare key_str

Example: For an example of this option, see “Setting Up a VPN Tunnel” on page 178.

preshare Specifies a preshared key, which is a key for encryption and decryption that both participants have before beginning tunnel negotiations.

preshare Specifies the Preshared key (key_str) used in the Phase 1 proposal. (If you use an RSA- or DSA-signature in the Phase 1 proposal, do not use this option).
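The p1-proposal and p2-proposal keyword tables above describe the proposal grammar one element at a time. The following is an added example written by the editor, not code from the NetScreen guide or from ScreenOS: a Python parser that turns "set ike p1-proposal" and "set ike p2-proposal" lines into a record (filling in the defaults the guide states: preshare, group2, SHA-1, 28800 s for Phase 1 and 3600 s for Phase 2) and an audit that flags the choices a reviewer would question: DES, MD5, null authentication, AH or null encryption, group1, no-pfs, and a lifetime below the 180-second minimum. The keywords and units are the guide's; which settings count as weak is the editor's assumption; the sample configuration is constructed.

```python
"""Parse and audit ScreenOS 'set ike p1-proposal' / 'set ike p2-proposal' lines.

Added example by the editor; not code from the NetScreen guide or ScreenOS.
Keywords, units and defaults follow the guide; the ratings in audit() are
the editor's assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

AUTH_METHODS = {"dsa-sig", "rsa-sig", "preshare"}      # Phase 1 only
DH_GROUPS = {"group1", "group2", "group5", "no-pfs"}    # no-pfs: Phase 2 only
ENC_ALGS = {"des", "3des", "aes128", "aes192", "aes256", "null"}
HASH_ALGS = {"md5", "sha-1", "null"}
LIFETIME_UNITS = {"days": 86400, "hours": 3600, "minutes": 60, "seconds": 1}
MIN_LIFETIME = 180                       # guide: minimum allowable lifetime
DEFAULT_LIFETIME = {1: 28800, 2: 3600}   # guide's Defaults section


@dataclass
class Proposal:
    phase: int
    name: str
    auth_method: str = "preshare"   # guide: default Phase 1 method
    dh_group: str = "group2"        # guide: group2 is the default
    protocol: str = "esp"
    encryption: Optional[str] = None
    hashing: str = "sha-1"          # guide: SHA-1 is the default
    lifetime_seconds: int = 0
    kbytes: int = 0                 # guide: 0 means infinity


def parse_proposal(line: str) -> Proposal:
    """Turn one 'set ike pN-proposal ...' command into a Proposal record."""
    toks = line.split()
    if len(toks) < 4 or toks[:2] != ["set", "ike"] or toks[2] not in ("p1-proposal", "p2-proposal"):
        raise ValueError("not a p1/p2-proposal command: " + line)
    phase = 1 if toks[2] == "p1-proposal" else 2
    p = Proposal(phase=phase, name=toks[3], lifetime_seconds=DEFAULT_LIFETIME[phase])
    i = 4
    while i < len(toks):
        t = toks[i]
        if phase == 1 and t in AUTH_METHODS:
            p.auth_method = t
        elif t in DH_GROUPS:
            if t == "no-pfs" and phase == 1:
                raise ValueError("no-pfs is only valid in a Phase 2 proposal")
            p.dh_group = t
        elif t == "esp":
            i += 1                       # the encryption algorithm follows esp
            if i >= len(toks) or toks[i] not in ENC_ALGS:
                raise ValueError("esp must be followed by an encryption algorithm")
            p.protocol, p.encryption = "esp", toks[i]
        elif t == "ah" and phase == 2:
            p.protocol, p.encryption = "ah", None
        elif t in HASH_ALGS:
            p.hashing = t
        elif t in LIFETIME_UNITS:
            i += 1
            p.lifetime_seconds = int(toks[i]) * LIFETIME_UNITS[t]
        elif t in ("kbyte", "kbytes"):   # the guide spells the keyword both ways
            i += 1
            p.kbytes = int(toks[i])
        else:
            raise ValueError("unknown keyword %r in %r" % (t, line))
        i += 1
    return p


def audit(p: Proposal) -> List[str]:
    """Findings a reviewer would raise on one proposal; empty means no concern."""
    findings = []
    if p.encryption == "des":
        findings.append("des: 56-bit key, prefer 3des or an aes variant")
    if p.protocol == "ah" or p.encryption == "null":
        findings.append("no encryption: traffic is authenticated but readable in transit")
    if p.hashing == "md5":
        findings.append("md5: the guide itself names sha-1 as the stronger hash")
    if p.hashing == "null":
        findings.append("null hash: the SA carries no integrity protection")
    if p.dh_group == "group1":
        findings.append("group1: 768-bit Diffie-Hellman modulus")
    if p.dh_group == "no-pfs":
        findings.append("no-pfs: Phase 2 keys derive from the Phase 1 key, no forward secrecy")
    if p.lifetime_seconds < MIN_LIFETIME:
        findings.append("lifetime %d s is below the 180 s minimum" % p.lifetime_seconds)
    return findings


def audit_config(text: str) -> Dict[str, List[str]]:
    """Map proposal name -> findings for every proposal line in a config dump."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("set ike p1-proposal", "set ike p2-proposal")):
            p = parse_proposal(line)
            report[p.name] = audit(p)
    return report


# Constructed sample: the guide's two example proposals plus one written here.
SAMPLE_CONFIG = """
set ike p1-proposal sf1 preshare group1 esp 3des md5 minutes 3
set ike p2-proposal g2-esp-3des-null group2 esp 3des null minutes 15
set ike p2-proposal g5-aes256-sha group5 esp aes256 sha-1 hours 1 kbyte 1000000
"""

if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or "ok")
```

Run against the guide's own two examples, sf1 is reported for group1 and MD5 and g2-esp-3des-null for its null hash, while the constructed group5/AES-256/SHA-1 proposal comes back clean; the parser also refuses no-pfs in a Phase 1 line, which the grammar above does not allow.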

preshare-gen

exec ike preshare-gen name_str usr_str

Example: The following commands create a single group IKE ID user and assign the user to a dialup user group. Then they create VPNs and policies that allow dialup users with matching partial IKE ID values to establish secure communication through the NetScreen device.
• the name of the group IKE ID user is User1, with partial IKE identity of acme.com.
• the number of dialup users that can share this user’s IKE identity is 10.
• the dialup user group is Office_1.
• the seed value for creating the preshared key is jk930k.
• the Phase 1 IKE gateway defined for the server side is Corp_GW.
• the Phase 2 VPN defined for the server side is Corp_VPN.
• the Phase 1 IKE gateway defined for the client side is Office_GW.
• the Phase 2 VPN defined for the client side is Office_VPN.
• the individual user’s full IKE identity is [email protected].
• the trusted server that dialup users access from the outside is a Web server with IP address 192.168.110.200.

set user User1 ike-id u-fqdn acme.com share-limit 10
set dialup-group Office_1 + User1
set ike gateway Corp_GW dialup Office_1 aggressive seed-preshare jk930k proposal pre-g2-3des-md5
set vpn Corp_VPN gateway Corp_GW tunnel proposal g2-esp-3des-md5
set address trust http_server 192.168.110.200 255.255.255.255
set policy incoming “dial-up vpn” http_server any tunnel vpn Corp_VPN

To generate the preshared key:

exec ike preshare-gen Corp_GW [email protected]

Note: For this example, assume that this command generates c5d7f7c1806567bc57d3d30d7bf9b93baa2adcc6.

On the client side:

set ike gateway Office_GW ip 172.16.10.10 aggressive local-id [email protected] preshare c5d7f7c1806567bc57d3d30d7bf9b93baa2adcc6 proposal pre-g2-3des-md5
set vpn Office_VPN gateway Office_GW tunnel proposal g2-esp-3des-md5
set address untrust http_server 192.168.110.200
set policy outgoing “inside any” http_server any tunnel vpn Office_VPN

preshare-gen Generates an individual preshared key for a remote dialup user associated with a Group IKE ID user. The NetScreen device generates each preshared key from a seed value. After displaying the preshared key, you can use it to set up a configuration for the remote user. (Remove any spaces.)
• name_str is the IKE gateway name. To create such a gateway, use the set ike gateway name_str command.
• usr_str is the full IKE ID of an individual user, which belongs to a Group IKE ID user. To create such a user, use the set user name_str ike-id command. The Group IKE ID user must be associated with a dialup user group to support a group of users.

proposal

set ike gateway name_str { ... } [ ... ] proposal name_str1 [ name_str2 ] [ name_str3 ] [ name_str4 ]

Example: For an example of this option, see “Setting Up a VPN Tunnel” on page 178.

proposal Specifies the name (name_str) of a proposal. You can specify up to four Phase 1 proposals.

respond-bad-spi

get ike respond-bad-spi
set ike respond-bad-spi spi_num
unset ike respond-bad-spi

respond-bad-spi Responds to packets with bad security parameter index (SPI) values.

responder-set-commit

get ike responder-set-commit
set ike responder-set-commit
unset ike responder-set-commit

responder-set-commit Sends the initiator a request to confirm establishment of the new IPSec SA. The responder does not use the new SA until it receives this confirmation.

seed-preshare

set ike gateway name_str { ... } [ ... ] seed-preshare key_str

seed-preshare Specifies a seed value (key_str) for a user group with Preshared Key configurations. Such a configuration performs IKE authentication for multiple dialup users, each with an individual preshared key, without having a separate configuration for each user. Instead, use the seed to generate the preshared key with the exec ike preshare-gen command.

Example: The following commands:
• bind interface ethernet1 to the Trust zone and bind interface ethernet3 to the Untrust zone
• create a dialup user named User2 and place it in a user group named office_2
• set up a gateway configuration for office_2, with a preshared key seed value of jk930k
• create a security policy for all dialup users with the partial IKE identity specified for User2.

set interface ethernet1 zone trust
set interface ethernet1 ip 10.1.1.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 210.1.1.1/24
set address trust web1 10.1.1.5/32
set user User2 ike-id u-fqdn netscreen.com share-limit 10
set user-group office_2 user User2
set ike gateway Corp_GW dialup office_2 aggressive seed-preshare jk930k sec-level compatible
set vpn Corp_VPN gateway Corp_GW sec-level compatible
set policy top from untrust to trust “Dial-Up VPN” web1 http tunnel vpn Corp_VPN
save

sec-level

set ike gateway name_str { ... } [ ... ] sec-level { ... }

Example: The following command specifies the pre-defined security proposal compatible:

set vpn Corp_VPN gateway Corp_GW sec-level compatible

sec-level Specifies which pre-defined security proposal to use for IKE. The basic proposal provides basic-level security settings. The compatible proposal provides the most widely-used settings. The standard proposal provides settings recommended by NetScreen.

single-ike-tunnel

set ike single-ike-tunnel name_str
unset ike single-ike-tunnel name_str

single-ike-tunnel Specifies a single Phase 2 SA for all policies to a particular remote peer gateway.

Example: The following command specifies a Phase 2 SA for all policies to the peer gateway gw1:

set ike single-ike-tunnel gw1

soft-lifetime-buffer

get ike soft-lifetime-buffer
set ike soft-lifetime-buffer number

soft-lifetime-buffer Sets a time interval (in seconds) before the current IPSec SA key lifetime expires. When this interval is reached, the device initiates the rekeying operation.

xauth

set ike gateway name_str { ... } [ ... ] xauth [ ... ]
unset ike gateway xauth

xauth Enables XAUTH authentication. The server name_str parameter specifies the object name of the external server that performs the XAUTH authentication.
• chap Instructs the device to use Challenge Handshake Authentication Protocol (CHAP).
• query-config Instructs the device to query the client configuration from the server.
• user name_str Enables XAUTH authentication for an individual user.
• user-group name_str Enables XAUTH authentication for the users in an XAUTH user group.

Defaults

Main mode is the default method for Phase 1 negotiations.

3DES and SHA-1 are the default algorithms for encryption and authentication.

The default time intervals before the NetScreen mechanism renegotiates another security association are 28,800 seconds in a Phase 1 proposal, and 3600 seconds in a Phase 2 proposal.

The default ID mode is subnet. (Changing the ID mode to IP is only necessary if the data traffic is between two security gateways, one of which is a CheckPoint 4.0 device.)

The default soft-lifetime-buffer size is 10 seconds.

By default, the single-ike-tunnel flag is not set.

By default, the commit bit is not set when initiating or responding to a Phase 2 proposal.

Setting Up a VPN Tunnel

Creating a VPN tunnel for a remote gateway with a static IP address requires up to five steps. To set up one end of a VPN tunnel gateway 1 (GW1) in the illustration for bidirectional traffic, follow the steps below.

1. Set the addresses for the trusted and untrusted parties at the two ends of the VPN tunnel:

set address trust host1 10.0.1.1 255.255.255.255
set address untrust host2 10.0.2.1 255.255.255.255

2. Define the IKE Phase 1 proposal and Phase 2 proposal. If you use the default proposals, you do not need to define Phase 1 and Phase 2 proposals.

3. Define the remote gateway:

set ike gateway gw2 ip 204.0.0.2 preshare netscreen proposal pre-g2-3des-md5

4. Define the VPN tunnel as AutoKey IKE:

set vpn vpn1 gateway gw2 proposal g2-esp-des-md5

5. Define outgoing and incoming access policies:

set policy outgoing host1 host2 any tunnel vpn vpn1
set policy incoming host2 host1 any tunnel vpn vpn1

The procedure for setting up a VPN tunnel for a dialup user with IKE constitutes up to five steps.

1. Define the trusted address that the user will access. (See the set address command.)

2. Define the user as an IKE user. See the set user command on page 2-122.

3. Define the IKE Phase 1 proposal, Phase 2 proposal, and remote gateway. (Note: If you use the default proposals, you do not need to define a Phase 1 or Phase 2 proposal.)

4. Define the VPN tunnel as AutoKey IKE. See the set vpn command on page 2-131.

5. Define an incoming access policy, with Dial-Up VPN as the source address and the VPN tunnel you configured in step 3 specified.
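The two procedures above build a dependency chain: address objects, then an IKE gateway, then a VPN bound to that gateway, then policies that reference the addresses and the VPN. What follows is an added example written by the editor, not code from the NetScreen guide or from ScreenOS: a Python check that walks a list of "set address", "set ike gateway", "set vpn" and "set policy" lines and reports a broken chain (a VPN naming an undefined gateway, a policy naming an undefined address or VPN, a static-peer VPN with a policy in only one direction) and, following the "aggressive | main" guidance in the keyword table, a gateway that uses aggressive mode toward a static peer address without a local-id. The two policy forms it understands are the ones on this page; the sample configurations are constructed from the page's own examples, and the broken variant is invented to show the findings.

```python
"""Dependency check for a ScreenOS AutoKey IKE tunnel configuration.

Added example by the editor; not code from the NetScreen guide or ScreenOS.
Sample configurations below are constructed for this example.
"""
import shlex
from typing import Dict, List, Set

# Policy source/destination names used on the page that are not address objects.
BUILTIN_ADDRESSES = {"any", "Dial-Up VPN", "dial-up vpn", "inside any"}


def tokenize(raw: str) -> List[str]:
    # the guide prints quoted names with curly quotes; normalise before shlex
    return shlex.split(raw.replace("\u201c", '"').replace("\u201d", '"'))


def check_vpn_config(lines: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the chain is complete."""
    addresses: Set[str] = set()
    gateways: Dict[str, Set[str]] = {}        # gateway name -> option keywords
    vpn_gateway: Dict[str, str] = {}          # vpn name -> gateway name
    policy_dirs: Dict[str, Set[str]] = {}     # vpn name -> policy directions
    problems = []
    for n, raw in enumerate(lines, 1):
        toks = tokenize(raw)
        if len(toks) < 3 or toks[0] != "set":
            continue
        kind = toks[1]
        if kind == "address" and len(toks) >= 4:
            addresses.add(toks[3])            # set address <zone> <name> <ip> ...
        elif kind == "ike" and toks[2] == "gateway" and len(toks) >= 4:
            name, opts = toks[3], set(toks[4:])
            gateways[name] = opts
            if not opts & {"ip", "dialup", "dynamic"}:
                problems.append("line %d: gateway %s names no peer (ip, dialup or dynamic)" % (n, name))
            # guide: aggressive mode is for a peer with a dynamic address; a static
            # peer ip with no local-id means neither side is dynamic
            if "aggressive" in opts and "ip" in opts and "local-id" not in opts:
                problems.append("line %d: gateway %s uses aggressive mode with a static peer; "
                                "main mode is recommended" % (n, name))
        elif kind == "vpn" and "gateway" in toks:
            name, gw = toks[2], toks[toks.index("gateway") + 1]
            vpn_gateway[name] = gw
            if gw not in gateways:
                problems.append("line %d: vpn %s refers to undefined gateway %s" % (n, name, gw))
        elif kind == "policy":
            if toks[2] in ("incoming", "outgoing") and len(toks) >= 5:
                direction, src, dst = toks[2], toks[3], toks[4]
            elif "to" in toks and len(toks) > toks.index("to") + 3:
                i = toks.index("to")      # set policy ... from <zone> to <zone> src dst svc
                direction, src, dst = toks[i - 1] + "->" + toks[i + 1], toks[i + 2], toks[i + 3]
            else:
                problems.append("line %d: unrecognised policy form" % n)
                continue
            for ref in (src, dst):
                if ref not in addresses and ref not in BUILTIN_ADDRESSES:
                    problems.append("line %d: policy refers to undefined address %s" % (n, ref))
            if "tunnel" in toks:
                t = toks.index("tunnel")
                if len(toks) > t + 2 and toks[t + 1] == "vpn":
                    vpn = toks[t + 2]
                    if vpn not in vpn_gateway:
                        problems.append("line %d: policy refers to undefined vpn %s" % (n, vpn))
                    policy_dirs.setdefault(vpn, set()).add(direction)
    # the static-peer procedure ends with both an outgoing and an incoming policy
    for vpn, dirs in policy_dirs.items():
        gw_opts = gateways.get(vpn_gateway.get(vpn, ""), set())
        if "ip" in gw_opts and not {"outgoing", "incoming"} <= dirs:
            problems.append("vpn %s to a static peer has policies only for %s"
                            % (vpn, ", ".join(sorted(dirs))))
    return problems


# Constructed samples: the page's static-peer steps, its dialup example, and a
# deliberately broken variant.
STATIC_PEER = [
    "set address trust host1 10.0.1.1 255.255.255.255",
    "set address untrust host2 10.0.2.1 255.255.255.255",
    "set ike gateway gw2 ip 204.0.0.2 preshare netscreen proposal pre-g2-3des-md5",
    "set vpn vpn1 gateway gw2 proposal g2-esp-des-md5",
    "set policy outgoing host1 host2 any tunnel vpn vpn1",
    "set policy incoming host2 host1 any tunnel vpn vpn1",
]
DIALUP = [
    "set address trust web1 10.1.1.5/32",
    "set user User2 ike-id u-fqdn netscreen.com share-limit 10",
    "set user-group office_2 user User2",
    "set ike gateway Corp_GW dialup office_2 aggressive seed-preshare jk930k sec-level compatible",
    "set vpn Corp_VPN gateway Corp_GW sec-level compatible",
    "set policy top from untrust to trust \u201cDial-Up VPN\u201d web1 http tunnel vpn Corp_VPN",
    "save",
]
BROKEN = [
    "set address trust host1 10.0.1.1 255.255.255.255",
    "set ike gateway gw2 ip 204.0.0.2 aggressive preshare netscreen",
    "set vpn vpn1 gateway gw2 proposal g2-esp-des-md5",
    "set policy outgoing host1 host2 any tunnel vpn vpn1",
]

if __name__ == "__main__":
    for label, cfg in (("static", STATIC_PEER), ("dialup", DIALUP), ("broken", BROKEN)):
        print(label, check_vpn_config(cfg) or "ok")
```

Both of the page's own configurations pass; the broken variant reports three problems: aggressive mode toward a static peer, a policy naming host2 before any "set address" defines it, and a static-peer VPN with only an outgoing policy. A missing "set vpn" would surface the same way, as an undefined vpn on the policy line.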

ike-cookie

Description: Use the ike-cookie command to remove IKE-related cookies from the NetScreen device.

Syntax

clear

clear [ cluster ] ike-cookie { all | ip_addr }

Keywords and Variables

ip_addr

clear cluster ike-cookie ip_addr
clear ike-cookie ip_addr

Example: The following command removes all cookies based on the IP address 172.16.10.10:

clear ike-cookie 172.168.10.10

ip_addr Directs the NetScreen device to remove cookies based on an IP address (ip_addr).

all

clear cluster ike-cookie all
clear ike-cookie all

all Directs the NetScreen device to remove all cookies.

cluster

clear cluster ike-cookie all
clear cluster ike-cookie ip_addr

cluster Propagates the clear operation to all other devices in a NSRP cluster.

interface

Description: Use the interface commands to define or display interface settings for a NetScreen device. Interfaces are physical or logical connections that handle network, virtual private network (VPN), High Availability (HA), and administrative traffic.

Syntax

get

get interface interface [ dhcp
{ relay | server { ip { allocate | idle } | option } } |
protocol ospf | screen | secondary [ ip_addr ] ]

set (Layer 3 interface)

set interface interface { bandwidth number | [ ext ip ip_addr mask ] dip number [ ip_addr [ ip_addr [ fix-port ] ] ] | gateway ip_addr [ no-default-interface ] | group | ip ip_addr/mask { tag id_num } | manage { global-pro | ident-reset | ping | scs | snmp | ssl | telnet | web } | manage-ip ip_addr | mip ip_addr { host ip_addr [ netmask mask ] [ vrouter name_str ] } | nat | phy { auto | full | half } { 10mb | 100mb } | route | secondary route-deny | tag id_num zone zone | vip ip_addr [ + ] port_num [ name_str ip_addr [ manual ] ] | webauth | webauth-ip ip_addr | zone zone }

set (Layer 2 interface)

set interface interface
{
broadcast { flood | arp [ trace-route ] } | bypass-non-ip | bypass-others-ipsec | gateway ip_addr [ no-default-interface ] | ip ip_addr/mask { tag id_num } | manage { global-pro | ident-reset | ping | scs | snmp | ssl | telnet | web } | manage-ip ip_addr | nsrp manage zone zone | vlan trunk | webauth | webauth-ip ip_addr }

set (DHCP)

set interface interface dhcp { relay { server-name { name_str | ip_addr } | service | vpn } | server
{ ip ip_addr { mac mac_addr | to ip_addr } | option
{ dns1 | dns2 | dns3 | gateway | news | nis1 | nis2 | pop3 | smtp } { ip_addr } |
domainname name_str | lease number | netmask mask | nistag name_str | wins1 ip_addr | wins2 ip_addr } |
service }
}

set (DHCP client)

set interface interface dhcp-client { enable | settings
{ autoconfig | lease number | server ip_addr | update-dhcpserver | vendor id_str }
}

set (High Availability)

set interface { ha | ha1 | ha2 } { bandwidth number | phy { 10mb | 100mb } | webauth | webauth-ip ip_addr }

set (OSPF)

set interface interface protocol ospf { area { ip_addr | number } | authentication
{ md5 key_str [ key-id id_num ] | password pswd_str } |
cost number | dead-interval number | disable | hello-interval number | neighbor-list number1 [ number2 [ number3 [ number4 ] ] ] |
priority number | retransmit-interval number | transit-delay number }

set (Tunnel)

set interface tunnel.number { zone name_str | ip ip_addr/mask (1) | protocol { bgp | ospf } }

1. Use the IP option only after adding the tunnel to a specific zone.

unset

unset interface interface { bandwidth | broadcast [ arp [ trace-route ] ] | bypass-non-ip | bypass-others-ipsec | [ ext ip ip_addr mask ] dip number | group | ip [ ip_addr ] | manage { global-pro | ident-reset | ping | scs | snmp | ssl | telnet | web } | manage-ip | mip ip_addr1 host ip_addr2 [ netmask mask ] | phy { auto | full | half } { 10mb | 100mb } | protocol ospf
{
area | authentication | cost | dead-interval | disable | hello-interval | neighbor-list | priority | retransmit-interval | transit-delay } |
secondary route-deny | vlan trunk | webauth | webauth-ip | zone }

unset (DHCP)

unset interface interface dhcp { relay { server-name { name_str | ip_addr } | service | vpn } | server
{ ip ip_addr | option
{ dns1 | dns2 | dns3 | gateway | news | nis1 | nis2 | pop3 | smtp } | service }
} |

Keywords and Variables

interface

get interface interface [ ... ]
set interface interface { ... } [ ... ]
unset interface interface { ... }

Example: The following command specifies the IP address of a remote gateway peer (172.16.10.10) for the ethernet4 interface:

set interface ethernet4 gateway 172.16.10.10

interface The name of the interface. For more information on interface names, see “Interface Names” on page A-IV.

bandwidth

set interface interface bandwidth number
unset interface interface bandwidth

Example: The following command specifies bandwidth of 10,000 kilobits per second for interface ethernet4:

set interface ethernet4 bandwidth 10000

bandwidth The guaranteed maximum bandwidth in kilobits per second for all traffic traversing the specified interface.

broadcast

set interface interface broadcast { flood | arp [ trace-route ] }
unset interface interface broadcast [ arp [ trace-route ] ]

Example: The following command instructs the NetScreen device to generate an Address Resolution Protocol (ARP) broadcast:

set interface ethernet4 broadcast arp

broadcast (vlan1 interface only.) Controls how the NetScreen device determines reachability of other devices while the device is in transparent (L2) mode.
• flood Instructs the NetScreen device to flood frames received from an unknown host out to all interfaces that are in transparent mode. In the process, the device might attempt to copy frames out of ports that cannot access the destination address, thus consuming network bandwidth.
• arp [ trace-route ] Instructs the NetScreen device to generate an Address Resolution Protocol (ARP) broadcast. If the broadcast finds the unknown destination IP address, the device loads its ARP table with the appropriate MAC address and interface. The device uses this entry to reach the destination device directly, and only sends frames through the correct port, thus saving bandwidth. Generating the initial ARP can cause delay, but only for the first frame.

bypass-non-ip

set interface interface bypass-non-ip
unset interface interface bypass-non-ip

bypass-non-ip (vlan1 interface only.) Allows non-IP traffic, such as IPX, to pass through a NetScreen device running in Transparent mode. (ARP is a special case for non-IP traffic. It is always passed, even when this feature is disabled.)

bypass-others-ipsec

set interface interface bypass-others-ipsec

unset interface interface bypass-others-ipsec

dhcp (relay)

get interface interface dhcp relay

set interface interface dhcp relay { server-name { name_str | ip_addr } | service | vpn }

unset interface interface dhcp relay { server-name { name_str | ip_addr } | service | vpn }

The relay does not coexist with the DHCP server (OK with the client).

Example: The following command configures interface ethernet4 to use an external DHCP server at IP address 172.16.10.10:

set interface ethernet4 dhcp relay server-name 172.16.10.10

bypass-others-ipsec (vlan1 interface only.) Openly passes all IPSec traffic through a NetScreen device in Transparent mode. The NetScreen device does not act as a VPN tunnel gateway but passes the IPSec packets onward to other gateways.

relay Configures the NetScreen interface such that the NetScreen device can serve as a DHCP relay agent.

• server-name { name_str | ip_addr } Defines the domain name or IP address of the external DHCP server from which the NetScreen device receives the IP addresses and TCP/IP settings that it relays to hosts on the trusted LAN.

• service Enables the NetScreen device to act as a DHCP server agent through the interface.

• vpn Allows the DHCP communications to pass through a VPN tunnel. You must first set up a VPN tunnel between the NetScreen device and the external DHCP server.

dhcp (server)

set interface interface dhcp server { ... }

unset interface interface dhcp server { ... }

server Makes the NetScreen interface work as a DHCP server.

• ip ip_addr to ip_addr (In Dynamic mode) Defines a range of IP addresses to use when the DHCP server is filling client requests. Enter the starting IP address and the ending IP address. The IP pool can support up to 255 IP addresses. The IP address must be in the same subnet as the interface IP or the DHCP gateway.

• option Specifies the DHCP server options for which you can define settings.

- dns1 ip_addr | dns2 ip_addr | dns3 ip_addr Defines the IP addresses of the primary, secondary, and tertiary Domain Name Service (DNS) servers.

- gateway ip_addr Defines the IP address of the default trusted gateway to be used by the clients. The IP address must be in the same subnet as the interface IP or the DHCP gateway.

- news ip_addr Specifies the IP address of a news server to be used for receiving and storing postings for news groups.

- nis1 ip_addr | nis2 ip_addr Defines the IP addresses of the primary and secondary NetInfo® servers, which provide the distribution of administrative data within a LAN.

- pop3 ip_addr Specifies the IP address of a Post Office Protocol version 3 (POP3) mail server.

- smtp ip_addr Defines the IP address of a Simple Mail Transfer Protocol (SMTP) mail server.

- domainname name_str Defines the registered domain name of the network.

- lease number Defines the length of time in minutes for which an IP address supplied by the DHCP server is leased. For an unlimited lease, enter 0.

- netmask ip_addr Defines the netmask of the default gateway on the trusted side. The IP address must be in the same subnet as the interface IP or the DHCP gateway.

- nistag string Defines the identifying tag used by the Apple® NetInfo database.

- wins1 ip_addr | wins2 ip_addr Specifies the IP addresses of the primary and secondary Windows Internet Naming Service (WINS) servers.

• service Enables the NetScreen device to act as a DHCP server agent through the interface.

The server does not coexist with the DHCP relay (OK with the client).

Example: The following command configures the NetScreen device to act as a DHCP server agent through the interface ethernet4:

set interface ethernet4 dhcp server service

dhcp (client)

set interface interface dhcp-client { enable | settings { autoconfig | lease number | server ip_addr | update-dhcpserver | vendor id_str } }

dhcp-client Configures an interface (bound to the Untrust zone) for DHCP client services.

• enable Enables DHCP client services for the interface.

• settings Configures DHCP parameters for the interface.

- autoconfig Enables automatic configuration after device power-up.

- lease number Sets the default lease time.

- server ip_addr Specifies the IP address of the DHCP server.

- update-dhcpserver Enables automatic update of the NetScreen DHCP server parameters.

- vendor id_str Specifies the DHCP vendor by ID.

Example: The following command configures interface ethernet3 to perform automatic DHCP configuration after device power-up:

set interface ethernet3 dhcp-client settings autoconfig

ext ip

set interface interface ext ip ip_addr mask dip number [ ip_addr [ ip_addr [ fix-port ] ] ]

unset interface interface ext ip ip_addr mask dip number

ext ip The ext ip ip_addr option configures a DIP in a different subnet from the interface’s subnet. For example, an interface could have IP address 192.168.10.1/24, and the extended DIP could be 172.16.3.1/24.

• dip id_num ip_addr [ ip_addr ] Sets a Dynamic IP (DIP) pool. The NetScreen device uses the pool to dynamically allocate source addresses when it applies Network Address Translation (NAT) to packets traversing the specified interface. The ID number id_num identifies the DIP pool. The IP address ip_addr represents the start of the IP address range. (A single IP address can comprise an entire DIP pool.) The second IP address ip_addr represents the end of the IP address range.

Be sure to exclude the following IP addresses from a DIP pool:

- the WebUI management IP address

- the interface and gateway IP addresses

- any Virtual IP (VIP) and Mapped IP (MIP) addresses

• fix-port Keeps the original source port number in the packet header. Does not apply Port Address Translation (PAT).
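As an added example (not code from the guide), the following Python script checks `ext ip ... dip` pool definitions against the exclusion list above: it collects the interface, ext ip, gateway, manage-ip, MIP and VIP addresses set elsewhere in the same configuration and reports any that fall inside a pool, plus a reversed range. The configuration it parses is constructed for the example.

```python
"""Audit ScreenOS DIP pool definitions against the addresses the guide says to
exclude from a pool: the manage IP, interface and gateway IPs, and any VIP/MIP.
Added example, not part of the NetScreen guide; it parses 'set interface' lines only."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample configuration (not from the guide). ethernet3's DIP pool
# overlaps its own extended interface IP and a MIP; ethernet5's range is reversed.
SAMPLE_CONFIG = """\
set interface ethernet3 ip 192.168.10.1/24
set interface ethernet3 gateway 192.168.10.254
set interface ethernet3 manage-ip 192.168.10.2
set interface ethernet3 ext ip 172.16.3.1/24 dip 10 172.16.3.1 172.16.3.20
set interface ethernet3 mip 172.16.3.15 host 10.1.1.15
set interface ethernet3 vip 172.16.3.40 25 MAIL 10.1.1.40
set interface ethernet4 ext ip 172.16.4.1/24 dip 11 172.16.4.50 172.16.4.60 fix-port
set interface ethernet4 mip 172.16.4.200 host 10.1.1.200
set interface ethernet5 ext ip 172.16.5.1/24 dip 12 172.16.5.30 172.16.5.20
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# 'set interface <if> ext ip <ip>/<mask> dip <id> [start [end [fix-port]]]'
EXT_DIP = re.compile(
    rf"^set interface (\S+) ext ip {IPV4}/\d+ dip (\d+)"
    rf"(?: {IPV4})?(?: {IPV4})?( fix-port)?$")

# Addresses that must stay out of any DIP pool, with the command that sets them.
RESERVED = [
    (re.compile(rf"^set interface (\S+) ip {IPV4}/\d+"), "interface IP"),
    (re.compile(rf"^set interface (\S+) ext ip {IPV4}/\d+"), "extended interface IP"),
    (re.compile(rf"^set interface (\S+) gateway {IPV4}"), "gateway IP"),
    (re.compile(rf"^set interface (\S+) manage-ip {IPV4}$"), "manage IP"),
    (re.compile(rf"^set interface (\S+) mip {IPV4} host"), "MIP"),
    (re.compile(rf"^set interface (\S+) vip {IPV4}"), "VIP"),
]


@dataclass
class DipPool:
    interface: str
    pool_id: int
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    fix_port: bool

    @property
    def size(self) -> int:
        return int(self.end) - int(self.start) + 1

    def contains(self, addr: ipaddress.IPv4Address) -> bool:
        return self.start <= addr <= self.end


def parse_config(config: str):
    """Return (pools, reserved): the DIP pools and a map address -> what it is."""
    pools, reserved = [], {}
    for line in config.splitlines():
        line = line.strip()
        for pattern, label in RESERVED:
            m = pattern.match(line)
            if m:
                reserved[ipaddress.IPv4Address(m.group(2))] = f"{label} of {m.group(1)}"
        m = EXT_DIP.match(line)
        if m and m.group(4):  # a pool given without any address allocates nothing
            iface, _ext, pool_id, start, end, fix = m.groups()
            # A single address is a complete pool, so end defaults to start.
            pools.append(DipPool(iface, int(pool_id), ipaddress.IPv4Address(start),
                                 ipaddress.IPv4Address(end or start), fix is not None))
    return pools, reserved


def check_dip_pools(config: str) -> list:
    """List every DIP pool problem as a human-readable finding."""
    pools, reserved = parse_config(config)
    findings = []
    for pool in pools:
        tag = f"{pool.interface} dip {pool.pool_id}"
        if pool.start > pool.end:
            findings.append(f"{tag}: start {pool.start} is after end {pool.end}")
            continue
        for addr in sorted(reserved):
            if pool.contains(addr):
                findings.append(f"{tag}: {addr} is the {reserved[addr]}")
    return findings


if __name__ == "__main__":
    for finding in check_dip_pools(SAMPLE_CONFIG):
        print(finding)
```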

Example: The following command creates an address (192.168.100.110) in a DIP pool (ID 10) for interface ethernet3 (IP address 172.16.10.10):

set interface ethernet3 ext ip 172.16.10.10/24 dip 10 192.168.100.110

gateway

set interface interface gateway ip_addr [ no-default-route ]

unset interface interface gateway

Example: The following command specifies the IP address of a remote gateway peer (172.16.10.10) for the ethernet4 interface:

set interface ethernet4 gateway 172.16.10.10

ident-reset

set interface interface ident-reset

ip

set interface interface ip ip_addr/mask [ secondary ]

unset interface interface ip ip_addr

gateway The IP address for the default gateway to which the NetScreen device forwards packets that are destined for networks beyond the immediate subnet of the specified interface. The no-default-route switch specifies that there is no default route for this gateway.

ident-reset Directs the NetScreen device to send a TCP Reset announcement, in response to an IDENT request, to port 113.

ip The IP address ip_addr and netmask mask for the specified interface or subinterface. The secondary switch specifies that the IP address is a secondary address.

Example: The following commands create logical interface ethernet3/1.2, bind it to the Trust zone, and assign it IP address 172.168.40.3/24:

set interface ethernet3/1.2 zone trust

set interface ethernet3/1.2 ip 172.168.40.3/24

manage

set interface interface manage { global-pro | ident-reset | ping | scs | snmp | ssl | telnet | web }

unset interface interface manage { global-pro | ident-reset | ping | scs | snmp | ssl | telnet | web }

Example: The following command enables management of SCS through interface ethernet3:

set interface ethernet3 manage scs

manage Enables or disables monitoring and management capability through the interface.

• global-pro Enables (or disables) Global PRO management on the interface.

• ident-reset Directs the NetScreen device to send a TCP Reset announcement, in response to an IDENT request, to port 113.

• ping Enables (or disables) pinging through the interface.

• scs Enables (or disables) SCS management through the interface.

• snmp Enables (or disables) SNMP management through the interface.

• ssl Enables (or disables) SSL management through the interface.

• telnet Enables (or disables) telnet management through the interface.

• web Enables (or disables) web management through the interface.
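As an added example (not code from the guide), this Python script replays `set`/`unset interface ... manage` commands together with the `zone` and `manage-ip` commands to report which management channels each interface exposes. telnet and web are flagged because they carry the administrator login in cleartext (scs, NetScreen's SSH, and ssl are the encrypted counterparts), and any management channel on an interface bound to the untrust zone is flagged; the configuration is constructed for the example.

```python
"""Report the management channels each ScreenOS interface exposes, built from the
'set interface ... manage', 'zone' and 'manage-ip' commands.
Added example, not part of the NetScreen guide."""
import re
from dataclasses import dataclass, field

# Constructed sample configuration (not from the guide).
SAMPLE_CONFIG = """\
set interface ethernet1 zone trust
set interface ethernet1 manage web
set interface ethernet1 manage telnet
set interface ethernet1 manage scs
set interface ethernet3 zone untrust
set interface ethernet3 manage ping
set interface ethernet3 manage web
set interface ethernet3 manage ssl
unset interface ethernet3 manage web
set interface ethernet4/1 zone trust
set interface ethernet4/1 manage-ip 172.16.10.10
set interface ethernet4/1 manage snmp
"""

# 'manage' options that open a management channel; ping and ident-reset do not.
MANAGEMENT = {"global-pro", "scs", "snmp", "ssl", "telnet", "web"}
# Channels that carry the administrator login in the clear (telnet, HTTP WebUI).
CLEARTEXT = {"telnet", "web"}

MANAGE_RE = re.compile(r"^(set|unset) interface (\S+) manage (\S+)$")
ZONE_RE = re.compile(r"^set interface (\S+) zone (\S+)$")
MANAGE_IP_RE = re.compile(r"^set interface (\S+) manage-ip (\S+)$")


@dataclass
class Interface:
    zone: str = ""
    manage_ip: str = ""
    services: set = field(default_factory=set)


def parse_interfaces(config: str) -> dict:
    """Replay the commands in order, so a later unset cancels an earlier set."""
    interfaces = {}
    for line in config.splitlines():
        line = line.strip()
        m = MANAGE_RE.match(line)
        if m:
            verb, name, option = m.groups()
            iface = interfaces.setdefault(name, Interface())
            if verb == "set":
                iface.services.add(option)
            else:
                iface.services.discard(option)
            continue
        m = ZONE_RE.match(line)
        if m:
            interfaces.setdefault(m.group(1), Interface()).zone = m.group(2)
            continue
        m = MANAGE_IP_RE.match(line)
        if m:
            interfaces.setdefault(m.group(1), Interface()).manage_ip = m.group(2)
    return interfaces


def audit_management(config: str) -> list:
    """Flag cleartext management anywhere and any management channel on untrust."""
    findings = []
    for name, iface in parse_interfaces(config).items():
        for svc in sorted(iface.services & MANAGEMENT):
            if svc in CLEARTEXT:
                findings.append(f"{name}: {svc} management carries logins in cleartext")
            if iface.zone == "untrust":
                findings.append(f"{name}: {svc} management reachable on untrust zone")
    return findings


if __name__ == "__main__":
    for finding in audit_management(SAMPLE_CONFIG):
        print(finding)
```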

manage-ip

set interface interface manage-ip ip_addr

unset interface interface manage-ip

Example: The following commands bind interface ethernet4/1 to the Trust zone, then set the Manage IP address to 172.16.10.10:

set interface ethernet4/1 zone trust

set interface ethernet4/1 manage-ip 172.16.10.10

mip

set interface interface mip ip_addr { host ip_addr [ netmask mask ] [ vrouter name_str ] }

unset interface interface mip ip_addr1 host ip_addr2 [ netmask mask ]

Example: The following command defines a MIP address (172.16.10.10) for interface ethernet3 and directs traffic sent to the MIP to a host at IP address 192.168.40.10:

set interface ethernet3 mip 172.16.10.10 host 192.168.40.10

manage-ip Defines the Manage IP address for the specified physical interface. External applications such as Telnet or WebUI can use this address to configure and monitor the NetScreen device. (This address must be in the same subnet as the interface IP address.)

mip Defines a Mapped IP (MIP) address. The NetScreen device directs traffic sent to the MIP (ip_addr1) to the host with the IP address ip_addr2. The netmask value specifies a single one-to-one mapping or a mapping of one IP address range to another. (Note: Be careful to exclude the interface and gateway IP addresses, and any Virtual IP addresses in the subnet from the MIP address range.)

nat

set interface interface nat

phy

set interface interface phy { auto | full | half } { 10mb | 100mb }

unset interface interface phy { auto | full | half } { 10mb | 100mb }

nat Directs the device to perform Network Address Translation (NAT) on outbound traffic from the trusted LAN. This option is only available when the device is in Route Mode, in which the interfaces have assigned IP addresses.

phy auto | full | half Defines the physical connection mode on the specified interface. The NetScreen unit automatically decides whether to operate at full or half duplex (as required by the network device connected to the NetScreen unit).

protocol

get interface interface protocol ospf

set interface interface protocol bgp

set interface interface protocol ospf { area { ip_addr | number } | authentication { md5 key_str [ key-id id_num ] | password pswd_str } | cost number | dead-interval number | disable | hello-interval number |

neighbor-list number1 [ number2 [ number3 [ number4 ] ] ] | priority number | retransmit-interval number | transit-delay number }

unset interface interface protocol bgp

unset interface interface protocol ospf { area | authentication | cost | dead-interval | disable | hello-interval | neighbor-list | priority | retransmit-interval | transit-delay }

protocol ospf Sets, unsets or displays the current routing protocol settings for the interface.

• area { ip_addr | number } Assigns the interface to the specified OSPF area. OSPF areas divide the internetwork into smaller, more manageable constituent pieces. This technique reduces the amount of information that each router must store and maintain about all the other routers.

• authentication { md5 key_str [ key-id id_num ] | password pswd_str } Specifies the authentication method, including MD5 key string, the key identification number, and password.

• cost number Specifies the desirability of the path associated with the interface. The lower the value of this metric, the more desirable the interface path.

• dead-interval number Specifies the maximum amount of time that the NetScreen device waits, after it stops receiving packets from the neighbor, before classifying the neighbor as offline.

• disable Disables OSPF on the interface, thus preventing transmission or receipt of OSPF packets through the interface.

• hello-interval number Specifies the amount of time in seconds that elapses between instances of the interface sending Hello packets to the network announcing the presence of the interface.

• neighbor-list number1 [ number2 [ number3 [ number4 ] ] ] Specifies the number of access lists (up to four), from which the local virtual router accepts valid neighbors to form adjacencies. The access list must be in the virtual router to which the interface is bound.

• priority number Specifies the router election priority.

• retransmit-interval number Specifies the amount of time (in seconds) that elapses before the interface resends a packet to a neighbor that did not acknowledge a previous transmission attempt for the same packet.

• transit-delay number Specifies the amount of time (in seconds) that elapses before the NetScreen device advertises a packet received on the interface.

route

set interface interface route

route Directs the device to run in Route Mode, in which the interfaces have assigned IP addresses.

screen

get interface interface screen

screen Displays the current firewall (screen) counters.

secondary

get interface interface secondary [ ip_addr ]

set interface interface secondary route-deny

unset interface interface secondary route-deny

ip_addr Identifies a secondary IP address to display.

secondary route-deny Prevents the NetScreen device from automatically routing traffic from a host on one secondary IP address to a host on another secondary IP address.

tag

set interface interface.n tag id_num zone zone

Example: The following command creates a subinterface for physical interface ethernet3/1, assigns it VLAN tag 300, and binds it to the Untrust zone:

set interface ethernet3/1.2 tag 300 zone untrust

tag Specifies a VLAN tag (id_num) for a virtual (logical) subinterface. The interface name is interface.n, where n is an ID number that identifies the subinterface. For information on interface names, see “Interface Names” on page A-IV.

tunnel

set interface tunnel.n { zone name_str | protocol { bgp | ospf } }

Example: The following commands create a tunnel interface named tunnel.2 with IP address 172.10.10.5/24:

set interface tunnel.2 zone untrust

set interface tunnel.2 ip 172.10.10.5/24

tunnel.n Specifies a tunnel interface. The n parameter is an ID number that identifies the tunnel interface.

vip

set interface interface vip ip_addr [ + ] port_num [ name_str ip_addr [ manual ] ]

Example: The following command creates a VIP for interface ethernet3, specifying the MAIL service (ID 25):

set interface ethernet3 vip 172.16.14.15 25 MAIL 192.168.10.10

vip Defines a Virtual IP (VIP) address (ip_addr) for the interface so you can map routable IP addresses to internal servers and access their services. The port_num parameter is the port number, which specifies which service to access. The name_str and ip_addr parameters specify the service name and the IP address of the server providing the service, respectively. The manual switch turns off server auto detection. Using the + operator adds another service to the VIP.

vlan trunk

set interface vlan1 vlan trunk

unset interface vlan1 vlan trunk

vlan trunk (vlan1 interface only.) Determines whether the NetScreen device accepts or drops Layer-2 frames. The device makes this decision only when the following conditions apply:

• The NetScreen device is in transparent mode.

• The device receives VLAN tagged frames on an interface.

The device then performs one of two actions.

• Drop the frames because they have tags.

• Ignore the tags and forward the frames according to MAC addresses.

The vlan trunk interface switch determines which action the device performs. For example, the command set interface vlan1 vlan trunk instructs the NetScreen device to ignore the tags and forward the frames. This action closely follows that of a Layer-2 switch “trunk port.”

webauth

set interface interface webauth

webauth Enables WebAuth user authentication.

webauth-ip

set interface interface webauth-ip ip_addr

webauth-ip Specifies the WebAuth server IP address for user authentication. Before sending service requests (such as MAIL) through the interface, the user must first browse to the WebAuth address with a web browser. The NetScreen device presents a login screen, prompting for user name and password. After successfully entering the user name and password, the user can send service requests through the interface. To protect an interface with the WebAuth feature, you must create a security policy with the set policy command, specifying the webauth switch. To specify the WebAuth server, use the set webauth command.

zone

set interface interface zone zone

unset interface interface zone

Example: To bind interface ethernet2/2 to the Trust zone:

set interface ethernet2/2 zone trust

zone Binds the interface to a security zone.

intervlan-traffic

Description: Use the intervlan-traffic commands to disable inter-VLAN traffic through a NetScreen device.

It is possible to configure a virtual system (VSYS) with two trusted interfaces, such that traffic can enter the VSYS through one interface and exit through the other without undergoing any security services such as authentication or encryption. This is known as inter-VLAN traffic.

When inter-VLAN traffic poses a security risk, you can disable it using the set intervlan-traffic deny command. To enable inter-VLAN traffic, use the unset intervlan-traffic command.

Syntax

get

get intervlan

set

set intervlan-traffic deny

unset

unset intervlan-traffic [ deny ]

Keywords and Variables

deny

set intervlan-traffic deny

unset intervlan-traffic deny

deny Disables inter-VLAN traffic.

This volume lists and describes NetScreen Command Line Interface (CLI) commands ip through policy.

Note: As you execute CLI commands using the syntax descriptions in this chapter, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the vsys command, which is available on a NetScreen-500 device, but not on a NetScreen-5xp device. Similarly, some command options are unavailable on certain models, as with the df-bit option of the vpn command. This option is available on a NetScreen-500, but not on a NetScreen-5xp.

ip

Description: Use the ip commands to set or display IP parameters for communication with the TFTP server.

Syntax

get

get ip tftp

set

set ip tftp { retry number | timeout number }

Keywords and Variables

retry

set ip tftp retry number

Example: The following command sets the number of retries to 7:

set ip tftp retry 7

retry The number of times to retry a TFTP communication before the NetScreen device ends the attempt and generates an error message.

timeout

set ip tftp timeout number

Example: The following command sets the timeout period to 15 seconds:

set ip tftp timeout 15

timeout Determines how long (in seconds) the NetScreen device waits before terminating an inactive TFTP connection.

ip-classification

Description: Use the ip-classification command to display the current IP classification.

Syntax

get

get ip-classification [ zone zone ]

Keywords and Variables

zone

get ip-classification zone zone

Example: To display the current IP classification for the ethernet1 zone:

get ip-classification zone untrust

zone The name of the security zone.

ippool

Description: Use the ippool commands to associate the name of an IP pool with a range of IP addresses. IP pools are used when assigning addresses to dialup users using Layer 2 Tunneling Protocol (L2TP).

Syntax

get

get ippool name_str

set

set ippool string ip_addr1 ip_addr2

unset

unset ippool string

Keywords and Variables

get ippool name_str

set ippool string ip_addr1 ip_addr2

unset ippool string

string Defines the name of the IP pool.

ip_addr1 Sets the starting IP address in the IP pool.

ip_addr2 Sets the ending IP address in the IP pool.

Example: To configure the IP pool named “office” with the IP addresses 172.16.10.100 through 172.16.10.200:

set ippool office 172.16.10.100 172.16.10.200

l2tp

Description: Use the l2tp commands to configure or remove L2TP (Layer 2 Tunneling Protocol) tunnels and L2TP settings. L2TP is an extension to PPP (Point-to-Point Protocol) that allows ISPs to operate VPNs.

Syntax

clear

clear [ cluster ] l2tp { all | ip ip_addr }

get

get l2tp { all [ active ] | tunn_str [ active ] | default }

set (default)

set l2tp default { auth server name_str [ query-config ] | ippool string | dns1 ip_addr | dns2 ip_addr | wins1 ip_addr | wins2 ip_addr | ppp-auth { any | chap | pap } | radius-port port_num }

set (tunnel)

set l2tp tunn_str [ [ id id_num ] [ peer-ip ip_addr ] [ host name_str ] [ outgoing-interface interface ] [ secret string ] [ keepalive number ] | remote-setting { [ ippool string ] [ dns1 ip_addr ] [ dns2 ip_addr ] [ wins1 ip_addr ] [ wins2 ip_addr ] } | auth server name_str [ query-config ] [ user usr_name | user-group grp_name ] ]

unset

unset l2tp { default { dns1 | dns2 | ippool | radius-port | wins1 | wins2 } | tunn_str { auth | host | keepalive | outgoing-interface interface { keepalive | secret } |

peer-ip | remote-setting [ ippool ] [ dns1 ] [ dns2 ] [ wins1 ] [ wins2 ] | secret } }

Keywords and Variables

tunn_str

get l2tp tunn_str [ ... ]

set l2tp tunn_str [ ... ]

unset l2tp tunn_str { ... }

Example: The following command identifies the RADIUS authentication server (Rad_Serv) for an L2TP tunnel (Mkt_Tun):

set l2tp Mkt_Tun auth server Rad_Serv

active

get l2tp all active

get l2tp tunn_str active

Example: The following command displays the current active/inactive status of the L2TP connection for a tunnel (home2work):

get l2tp home2work active

tunn_str The name or IP address of the L2TP tunnel.

active Displays the currently active L2TP connections for tunnels.

all

clear cluster l2tp all

clear l2tp all

get l2tp all

all Displays or clears the ID number, tunnel name, user, peer IP address, peer host name, L2TP tunnel shared secret, and keepalive value for every L2TP tunnel (all) or a specified L2TP tunnel (string).

auth server

set l2tp tunn_str auth server name_str [ ... ]

set l2tp default auth server name_str [ ... ]

unset l2tp tunn_str auth

Example: The following command directs the device to query the RADIUS authentication server (Rad_Serv) for IP, DNS, and WINS information:

set l2tp Mkt_Tun auth server Rad_Serv query-config

auth server Specifies the object name (name_str) of the authentication server containing the authentication database. Displays server information, and configures users or user groups.

• query-config Directs the NetScreen device to query the authentication server for IP, DNS, and WINS information.

• user usr_name Assigns a user (usr_name) to the L2TP tunnel.

• user-group grp_name Assigns a user group (grp_name) to the L2TP tunnel.

cluster

clear cluster l2tp { ... }

cluster Propagates the clear operation to all other devices in a NSRP cluster.

default

get l2tp default

set l2tp default { ... }

unset l2tp tunn_str [ ... ]

unset l2tp default { ... }

default Defines or displays the default L2TP settings.

• auth server name_str The object name of the authentication server.

• dns1 ip_addr The IP address of the primary DNS server.

• dns2 ip_addr The IP address of the secondary DNS server.

• ippool string The name of the L2TP IP pool, from which IP addresses are drawn to be assigned to L2TP users.

• ppp-auth { any | chap | pap } Specifies the authentication type in response to a dialup user’s request to make a Point-to-Point Protocol (PPP) link. (The any switch instructs the NetScreen device to negotiate CHAP and then, if that attempt fails, PAP.)

- chap specifies Challenge Handshake Authentication Protocol (CHAP), which encrypts the user’s login name and password during transmission.

- pap specifies Password Authentication Protocol (PAP), which does not use encryption.

• radius-port port_num Defines the port number of the default L2TP server. The number can be between 1024 and 65,535.

• wins1 ip_addr The IP address of the primary WINS server.

• wins2 ip_addr The IP address of the secondary WINS server.

Example: The following commands create a set of default L2TP settings:

• IP pool (chiba).

• Use of the local database.

• CHAP for L2TP authentication.

• Primary and secondary DNS servers at 192.168.2.1 and 192.168.4.71 respectively.

• Primary and secondary WINS servers at 10.20.1.16 and 10.20.5.101 respectively.

set l2tp default ippool chiba

set l2tp default auth local

set l2tp default ppp-auth chap

set l2tp default dns1 192.168.2.1

set l2tp default dns2 192.168.4.71

set l2tp default wins1 10.20.1.16

set l2tp default wins2 10.20.5.101

host

set l2tp tunn_str [ ... ] host name_str [ ... ]

unset l2tp tunn_str host

Example: The following command specifies the host name (lac_host) for the device acting as the LAC:

set l2tp Mkt_Tun host lac_host

host Specifies the host name (name_str) of the device acting as the L2TP Access Concentrator (LAC).

id

set l2tp tunn_str id id_num [ ... ]

id id_num The ID number for the L2TP tunnel.

Example: The following command assigns ID number 15 to an L2TP tunnel (Eng_Tun):

set l2tp Eng_Tun id 15

keepalive

set l2tp tunn_str [ ... ] keepalive number

Example: The following command specifies a keepalive value of 120 for an L2TP tunnel (west_coast):

set l2tp west_coast keepalive 120

keepalive Defines how many seconds of inactivity the NetScreen device (LNS) waits before sending a hello message to the dialup client (LAC).

outgoing-interface

set l2tp tunn_str [ ... ] outgoing-interface interface

Example: The following command specifies interface ethernet4 as the outgoing interface for L2TP tunnel (east_coast):

set l2tp east_coast outgoing-interface ethernet4

outgoing-interface Specifies the outgoing interface for the L2TP tunnel.

peer-ip

set l2tp tunn_str [ ... ] peer-ip ip_addr [ ... ]

Example: The following command specifies the IP address of the LAC (172.16.100.19):

set l2tp east_coast peer-ip 172.16.100.19

peer-ip Specifies the IP address of the L2TP access concentrator (LAC), if it has a static IP address.

secret

set l2tp tunn_str [ ... ] secret string [ ... ]

Example: The following command specifies a shared secret (94j9387):

set l2tp east_coast secret 94j9387

secret Defines a shared secret used for authentication between the NetScreen device (which acts as the L2TP Network Server, or LNS) and the L2TP access concentrator (LAC).

user

set l2tp tunn_str auth server name_str [ ... ] user usr_name

Example: The following command assigns an L2TP user (jking) to an L2TP tunnel (west_coast):

set l2tp west_coast auth server Our_Auth user jking

user Assigns an L2TP user to the L2TP tunnel. (Not specifying usr_name enables any L2TP user.)

Defaults

The default L2TP UDP port number is 1701.

By default, the NetScreen device uses no L2TP tunnel secret to authenticate the LAC-LNS pair. This is not a problem, because the device performs IKE authentication when it uses L2TP over IPSec.

The default interval for sending a keepalive message is 60 seconds.

PPP-auth type is any.
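As an added example (not code from the guide), this Python script applies the defaults listed above (UDP port 1701, no tunnel secret, keepalive 60 seconds, ppp-auth any) to every tunnel in a constructed configuration and reports where a PAP exchange or an unauthenticated LAC-LNS pair is possible; the secret values are placeholders.

```python
"""Resolve the effective settings of each L2TP tunnel in a ScreenOS configuration
by applying the guide's defaults, then report weak points. Added example, not
part of the NetScreen guide."""
from dataclasses import dataclass

# Constructed sample configuration (not from the guide); secrets are placeholders.
SAMPLE_CONFIG = """\
set l2tp default ippool chiba
set l2tp default auth server Rad_Serv query-config
set l2tp Mkt_Tun id 15 host lac_host
set l2tp Mkt_Tun secret PLACEHOLDER-SECRET
set l2tp Mkt_Tun keepalive 120
set l2tp west_coast peer-ip 172.16.100.19 outgoing-interface ethernet4
"""

# The same configuration with the two weaknesses corrected.
HARDENED_CONFIG = SAMPLE_CONFIG + """\
set l2tp default ppp-auth chap
set l2tp west_coast secret PLACEHOLDER-SECRET-2
"""

# Keywords whose value is the following token; other tokens ('auth server ...')
# are skipped one at a time.
KEYWORDS = {"id", "host", "secret", "keepalive", "peer-ip", "outgoing-interface",
            "ippool", "ppp-auth", "radius-port"}
DEFAULT_UDP_PORT = 1701   # stated in the guide's Defaults section
DEFAULT_KEEPALIVE = 60
DEFAULT_PPP_AUTH = "any"  # negotiate CHAP, then fall back to PAP


def parse_l2tp(config: str):
    """Return (defaults, tunnels): keyword/value pairs for 'set l2tp default'
    and for each named tunnel, with several keywords per line allowed."""
    defaults, tunnels = {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["set", "l2tp"] or len(tok) < 4:
            continue
        target = defaults if tok[2] == "default" else tunnels.setdefault(tok[2], {})
        i = 3
        while i < len(tok):
            if tok[i] in KEYWORDS and i + 1 < len(tok):
                target[tok[i]] = tok[i + 1]
                i += 2
            else:
                i += 1
    return defaults, tunnels


@dataclass
class Tunnel:
    name: str
    ppp_auth: str      # global setting; the per-tunnel syntax has no override
    has_secret: bool
    keepalive: int
    udp_port: int = DEFAULT_UDP_PORT


def effective_tunnels(config: str) -> list:
    """Merge each tunnel's own commands with the defaults."""
    defaults, tunnels = parse_l2tp(config)
    ppp_auth = defaults.get("ppp-auth", DEFAULT_PPP_AUTH)
    return [Tunnel(name, ppp_auth, "secret" in t,
                   int(t.get("keepalive", DEFAULT_KEEPALIVE)))
            for name, t in tunnels.items()]


def audit_l2tp(config: str) -> list:
    """Report PAP exposure and tunnels that rely on IPSec for peer authentication."""
    findings = []
    for tun in effective_tunnels(config):
        if tun.ppp_auth == "any":
            findings.append(f"{tun.name}: PAP fallback allowed after a failed CHAP attempt")
        elif tun.ppp_auth == "pap":
            findings.append(f"{tun.name}: PAP sends the login name and password unencrypted")
        if not tun.has_secret:
            findings.append(f"{tun.name}: no tunnel secret; LAC-LNS pair is "
                            "authenticated only when L2TP runs over IPSec")
    return findings


if __name__ == "__main__":
    for finding in audit_l2tp(SAMPLE_CONFIG):
        print(finding)
```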

lance info

Description: Use the lance info command to get internal debug information for the 10/100 MAC chips on a NetScreen device.

Syntax

get

get lance info

Keywords and Variables

None.

Notes

You can also see the initial part of the get lance info output by using the get interface command.

led

Description: When either an event alarm or a firewall attack occurs, the LED glows red to signal that alarm or attack. Use the clear led command to return an ALARM or FW (firewall) LED to green after an event alarm or a firewall attack occurs.

Syntax

clear

clear [ cluster ] led { alarm | firewall }

Keywords and Variables

alarm

clear [ cluster ] led alarm

cluster

clear cluster led alarm

clear cluster led firewall

alarm Specifies the ALARM LED.

cluster Propagates the clear operation to all other devices in a NSRP cluster.

Page 240: NetScreen CLI Reference Guide - Juniper Networks

�4�85��$��*$�48�%��35

666���

���������������� ���������!�

���"���

clear [ cluster ] led firewall

firewall Specifies the firewall (FW) LED.

lcd

Description: Use the lcd commands to activate or inactivate the LCD on the front panel of a NetScreen device, or to display the current lcd setting.

Syntax

get

get lcd

set

set lcd { display | key-in }

unset

unset lcd { display | key-in }

Keywords and Variables

display

set lcd display

unset lcd display

key-in

set lcd key-in

unset lcd key-in

display Turns the LCD off or on and locks the control keys.

key-in Locks and unlocks the control keys, but does not affect the LCD display.

license-key

Description: Use the license-key command to upgrade or display the current software license.

Syntax

exec

exec license-key { nsrp key_str | vrouter key_str | vsys key_str | zone key_str }

get

get license-key

Keywords and Variables

nsrp

exec license-key nsrp key_str

vrouter

exec license-key vrouter key_str

vsys

exec license-key vsys key_str

zone

exec license-key zone key_str

nsrp Specifies a NetScreen Redundancy Protocol (NSRP) license key (key_str).

vrouter Specifies a virtual router license key (key_str).

vsys Specifies a virtual system (VSYS) license key (key_str).

zone Specifies a security zone license key (key_str).

log

Description: Use the log commands to generate log messages, specify their destinations, and display log status.

Syntax

clear

clear [ cluster ] log { self [ end-time string ] | system [ saved ] | traffic [ policy id_num [ -id_num ] [ end-time string ] ] }

get

get log { asset-recovery | self | traffic [ policy pol_num [ -pol_num ] ]
[ start-time string ] [ end-time string ] [ min-duration string ] [ max-duration string ]
[ service name_str ] [ src-ip ip_addr [ -ip_addr ]
[ src-netmask mask ] [ src-port port_num ]
[ dst-ip ip_addr [ -ip_addr ] [ dst-netmask mask ] ] [ no-rule-displayed ] |
setting [ module { system | all } ] }

set

set log { audit-loss-mitigation | module name_str level string destination string }

unset

unset log { audit-loss-mitigation | module name_str level string destination string }

Keywords and Variables

audit-loss-mitigation

set log audit-loss-mitigation

unset log audit-loss-mitigation

cluster

clear cluster log { ... }

destination

set log module name_str level string destination string

unset log module name_str level string destination string

Example: The following command instructs the NetScreen device to direct all system module messages at the alert level (or higher) to the console port:

set log module system level alert destination console

audit-loss-mitigation Stops generation of auditable events when the number of such events exceeds the capacity of the NetScreen device. Enabling this feature reduces the loss of event logs due to log overloads. On some NetScreen devices, you must connect the syslog server to the management interface on the Management Module. This ensures that the syslog server is available if the audit trail fills up and network traffic stops.

cluster Propagates the clear operation to all other devices in an NSRP cluster.

destination Specifies the destination of the generated log messages. The permissible destinations are console, internal, email, snmp, syslog, webtrends, onesecure, and pcmcia.

level

set log module name_str level string destination string

unset log module name_str level string destination string

Example: The following command instructs the NetScreen device to direct all system module messages at the critical level (or higher) to the email server:

set log module system level critical destination email

min-duration | max-duration

get log event { ... } [ ... ] min-duration string [ ... ]

get log event { ... } [ ... ] max-duration string [ ... ]

Example: The following command displays traffic log entries for traffic that lasted 5 minutes to 1 hour:

get log traffic min-duration 00:05:00 max-duration 01:00:00

module

get log event module { ... } [ ... ]

set log module name_str { ... }

unset log module name_str { ... }

Example: The following command instructs the NetScreen device to direct all system module messages at the critical level (or higher) to the webtrends server:

set log module system level critical destination webtrends

no-rule-displayed

get log { ... } [ ... ] no-rule-displayed

Example: The following command displays traffic log entries without displaying access policy information:

get log traffic no-rule-displayed

policy

clear [ cluster ] log traffic policy pol_num [ ... ]

Example: The following command displays traffic log table entries for any access policy with ID 3 to 9 (inclusive):

get log traffic policy 3-9

level Specifies the minimum urgency level of the generated log messages. Starting with the most urgent, these levels are emergency, alert, critical, error, warning, notification, information, and debugging. For the get log command, the all-levels option displays all security levels.

min-duration Displays traffic log entries for traffic whose duration was longer than or equal to the minimum duration specified.

max-duration Displays traffic log entries for traffic whose duration was shorter than or equal to the maximum duration specified.

module Specifies the name of the ScreenOS module that generates the log message.

no-rule-displayed Displays traffic log entries, but does not display access policy information.

policy Displays traffic log entries for an access policy (specified by its ID number) or for several access policies (specified by a range of ID numbers). The ID number can be any value between 0 and the total number of established access policies. To define a range, enter the starting and ending ID numbers using this syntax: pol_num - pol_num

self

clear [ cluster ] log self [ ... ]

get log self [ ... ]

Example: The following command displays traffic log table entries for any access policy with a source IP address of 172.16.10.1 and a destination address of 172.16.10.100:

get log self src-ip 172.16.10.1 dst-ip 172.16.10.100

service

get log { ... } [ ... ] service name_str [ ... ]

Example: The following command displays traffic log table entries for TCP:

get log self service tcp

setting

get log setting [ ... ]

Example: The following command displays traffic log settings for the system module:

get log setting module system

self Clears or displays self-log entries from the log.

service Displays traffic log entries for a specified Service, such as TCP, ICMP, FTP, or Any. The name does not have to be complete; for example, both TC and CP are recognized as TCP. Although you cannot specify a Service group, note that because TP is recognized as FTP, HTTP, and TFTP, entering TP displays log entries for all three Services.

setting Displays log setting information. The module string value specifies the name of the module for which the log settings apply.

src-ip | dst-ip

get log { ... } [ ... ] src-ip ip_addr [ -ip_addr ] [ ... ]

get log { ... } [ ... ] dst-ip ip_addr [ -ip_addr ] [ ... ]

Example: The following command displays traffic log entries for the range of destination IP addresses 172.16.20.5–172.16.20.200:

get log traffic dst-ip 172.16.20.5-172.16.20.200

src-port

get log { ... } [ ... ] src-port port_num [ ... ]

Example: The following command displays traffic log entries from the source port 8081:

get log traffic src-port 8081

src-ip Displays traffic log entries for a specified source IP address or range of source IP addresses. Include the subnet mask for a source IP address to display traffic entries for all IP addresses in the same subnet as the specified source IP address. You cannot specify a source IP range and a source subnet mask simultaneously.

dst-ip Displays traffic log entries for a specified destination IP address or range of destination IP addresses. You can specify the subnet mask for a destination IP address, but you cannot specify a destination IP range and destination subnet mask simultaneously.

src-port Displays traffic log entries for a specified port number or range of source port numbers.

start-time | end-time

get log { ... } start-time string [ ... ]

get log { ... } end-time string [ ... ]

Example: The following command displays event log entries from 3:00 P.M. on March 4, 2001 to 2:59:59 P.M. on March 6:

get log event start-time 03/04/01_15:00 end-time 03/06_14:59

system

clear [ cluster ] log system [ ... ]

get log system [ reversely | saved ]

Example: The following command generates log messages from the system module, generating only messages that are critical or greater:

set log module system level critical destination console

start-time Displays event log entries that occurred at or after the time specified. The format is day/month/year hour:minute:second. If you omit the year, the device assumes the current year. You can write the year with the last two digits, or with all four digits. The hour, minute, and second are optional. Separate the date from the time with a dash or an underscore:

12/31/2001-23:59:00

12/31/2001_23:59:00

end-time Displays event log entries that occurred at and before the time specified.

system Displays current system log information. The saved switch displays saved system log information. The reversely switch displays information in reverse order.

traffic

clear [ cluster ] log traffic [ ... ]

get log traffic [ ... ]

Example: The following command displays traffic log entries from the source port 8081:

get log traffic src-port 8081

traffic Specifies traffic log entries.
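The get log traffic filter keywords above are easy to misread when triaging an exported log (a partial service name over-matches, a range cannot be combined with a netmask, the time string has optional parts), so here is an added Python model of those filter semantics as this page describes them. It is an added example, not ScreenOS code and not from the guide: the entry layout, SAMPLE_LOG and the function names are constructed. The time parser follows the page's own examples (03/04/01_15:00 for 3:00 P.M. on March 4, 2001), which put the month before the day, and reads a two-digit year as 20yy; both are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address


@dataclass(frozen=True)
class TrafficEntry:
    """One traffic log entry. Constructed layout: the device prints more columns."""
    policy: int
    service: str
    src_ip: str
    src_port: int
    dst_ip: str
    start: datetime
    duration_s: int


# Constructed sample entries, not output captured from a device.
SAMPLE_LOG = [
    TrafficEntry(3, "TCP", "172.16.10.1", 40000, "172.16.20.50", datetime(2001, 3, 4, 15, 30), 600),
    TrafficEntry(5, "FTP", "172.16.10.7", 8081, "172.16.20.100", datetime(2001, 3, 5, 9, 0), 4000),
    TrafficEntry(12, "HTTP", "10.1.1.9", 51000, "172.16.20.200", datetime(2001, 3, 6, 14, 30), 30),
    TrafficEntry(9, "ICMP", "172.16.10.1", 0, "172.16.20.5", datetime(2001, 3, 6, 16, 0), 5),
    TrafficEntry(7, "TFTP", "172.16.11.3", 8081, "172.16.21.7", datetime(2001, 3, 7, 10, 0), 120),
]


def parse_time(spec, current_year=2001):
    """Parse a start-time / end-time string as the guide's examples write it:
    month/day[/year] then hour[:minute[:second]], joined by '-' or '_'.
    A missing year means current_year; a two-digit year is read as 20yy (assumption)."""
    date_part, _, time_part = spec.replace("-", "_").partition("_")
    fields = [int(f) for f in date_part.split("/")]
    if len(fields) == 2:
        month, day, year = fields[0], fields[1], current_year
    elif len(fields) == 3:
        month, day, year = fields
        if year < 100:
            year += 2000
    else:
        raise ValueError("date must be month/day or month/day/year: " + spec)
    clock = [int(f) for f in time_part.split(":")] if time_part else []
    clock += [0] * (3 - len(clock))          # hour, minute and second are optional
    return datetime(year, month, day, *clock)


def parse_duration(spec):
    """min-duration / max-duration value hh:mm:ss -> seconds."""
    hours, minutes, seconds = (int(f) for f in spec.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_range(spec, convert):
    """'lo-hi' or a single value -> (lo, hi); used by policy, src-port, src-ip and dst-ip."""
    lo, _, hi = spec.partition("-")
    return convert(lo), convert(hi or lo)


def ip_matches(addr, spec, netmask=None):
    """src-ip / dst-ip: an address range, or one address widened by a netmask.
    The guide says a range and a netmask cannot be given together, so refuse that."""
    if netmask is not None:
        if "-" in spec:
            raise ValueError("an IP range and a netmask cannot be combined")
        mask = int(ip_address(netmask))
        return int(ip_address(addr)) & mask == int(ip_address(spec)) & mask
    lo, hi = parse_range(spec, ip_address)
    return lo <= ip_address(addr) <= hi


def filter_traffic(entries, policy=None, service=None, src_ip=None, src_netmask=None,
                   src_port=None, dst_ip=None, dst_netmask=None, start_time=None,
                   end_time=None, min_duration=None, max_duration=None):
    """Return the entries that satisfy every filter given, with get log traffic semantics."""
    pol = parse_range(policy, int) if policy is not None else None
    port = parse_range(str(src_port), int) if src_port is not None else None
    t0 = parse_time(start_time) if start_time is not None else None
    t1 = parse_time(end_time) if end_time is not None else None
    d0 = parse_duration(min_duration) if min_duration is not None else None
    d1 = parse_duration(max_duration) if max_duration is not None else None
    matched = []
    for e in entries:
        if pol and not pol[0] <= e.policy <= pol[1]:
            continue
        # Service names match on any substring: 'tp' covers FTP, HTTP and TFTP alike.
        if service is not None and service.upper() not in e.service.upper():
            continue
        if src_ip is not None and not ip_matches(e.src_ip, src_ip, src_netmask):
            continue
        if dst_ip is not None and not ip_matches(e.dst_ip, dst_ip, dst_netmask):
            continue
        if port and not port[0] <= e.src_port <= port[1]:
            continue
        if t0 is not None and e.start < t0:
            continue
        if t1 is not None and e.start > t1:
            continue
        if d0 is not None and e.duration_s < d0:
            continue
        if d1 is not None and e.duration_s > d1:
            continue
        matched.append(e)
    return matched
```

Running filter_traffic(SAMPLE_LOG, service="tp") returns the FTP, HTTP and TFTP entries, which is the over-match the service keyword warns about; an exact service name is the safer query when narrowing an investigation.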

mac

Description: Use the mac commands to configure a static Media Access Control (MAC) address for a NetScreen interface, or to display the current configuration.

Syntax

set

set mac mac_addr interface

unset

unset mac mac_addr

Keywords and Variables

mac_addr

Example: The following command sets the MAC address on a NetScreen device to 111144446666 for the ethernet7 interface:

set mac 111144446666 ethernet7

mac_addr Specifies the MAC address.

interface Specifies the name of the interface, as with ethernet1.

mac-learn

Description: Use the clear mac-learn command to clear the entries in the Media Access Control (MAC) learning table. This command functions only when the NetScreen device is in Transparent mode.

Syntax

clear

clear [ cluster ] mac-learn [ stats ]

get

get mac-learn [ interface ]

Keywords and Variables

interface

get mac-learn interface

cluster

clear cluster mac-learn [ ... ]

stats

clear [ cluster ] mac-learn stats

interface Identifies the interface.

cluster Propagates the clear operation to all other devices in an NSRP cluster.

stats Clears the MAC learning table statistics.

memory

Description: Use the memory commands to set or display the memory allocation conditions.

Syntax

get

get memory [ id_num | all | cache | error | free | module id_num | used ]

Keywords and Variables

id_num

get memory id_num

all

get memory all

cache

get memory cache

error

get memory error

free

get memory free

mempool

get memory mempool

module

get memory module id_num

used

get memory used

id_num The task ID number.

all Displays memory fragments.

cache Displays malloc cache.

error Displays erroneous memory fragments.

free Displays free memory.

mempool Displays pooled memory.

module Displays a single memory module (id_num).

used Displays used memory.

node_secret

Description: Use the node_secret command to clear the stored SecurID node secret from the NetScreen device.

Syntax

clear

clear node_secret [ ipaddr ip_addr ]

Keywords and Variables

ipaddr

ipaddr Clears the node secret associated with the outgoing IP address of the interface that communicates with the SecurID server (ip_addr).

nrtp

Description: Use the nrtp command to clear all NRTP (NetScreen Reliable Transfer Protocol) packet queues.

NRTP is for multicasting NSRP control messages to multiple receivers. When NetScreen devices are in a redundancy cluster (interconnected through the High Availability ports), NRTP ensures that the master NetScreen device always forwards configuration and policy messages to the backup devices.

Syntax

clear

clear [ cluster ] nrtp queues

Keywords and Variables

cluster

clear cluster nrtp queues

queues

clear [ cluster ] nrtp queues

cluster Propagates the clear operation to all other devices in an NSRP cluster.

queues Clears the NRTP packet queues.

nsp-tunnel

Description: Use the get nsp-tunnel command to get the flow tunnel information.

Syntax

get

get nsp-tunnel [ info number ]

Keywords and Variables

info

get nsp-tunnel info number

Example: The following command displays the flow tunnel information:

get nsp-tunnel info 0x3

info Specifies the flow tunnel information with the info value number. (The value must start with 0x, as with 0x2.)

nsrp

Description: Use the nsrp commands to assign a NetScreen security device to a failover cluster, and to create and configure a Virtual Security Device (VSD) group for the cluster.

The purpose of a VSD group is to allow failover between two or more NetScreen security devices within a defined cluster. Each VSD group represents a group of devices in a cluster, elects a master device from the cluster, and provides a virtual security interface (VSI) that external devices use to reference the devices in the cluster.

A group may contain every device in the cluster. For example, if you give three devices the same cluster id, you can create a VSD group containing all three devices. A device can be in more than one VSD group at a time. For example, a device can be a master in one VSD group, while serving as a backup in another.

The basic steps needed to set up failover VSD groups are as follows.

1. Set up a cluster of devices using the set nsrp cluster command. This command assigns an identical cluster id to each device.

2. Set up a VSD group for the cluster using the set nsrp vsd-group command.

3. Set up a virtual security interface (VSI) for the VSD group using the set interface command.

Syntax

clear

clear [ cluster ] nsrp counter [ packet-fwd | protocol | rto ]

exec

exec nsrp { sync
{ file [ name filename ] from peer | rto { arp | auth-table | dns | l2tp | session | vpn | all } from peer |
global-config [ check-sum | save ] } |
vsd-group grp_num mode { backup | ineligible | init | pb } }

get

get nsrp [ cluster | counter [ protocol | rto ] | group | link | packet-fwd | rto-mirror | track-ip [ ip ip_addr ] | vsd-group [ id id_num | all ] ]

set

set nsrp {
arp number | auth password pswd_str | cluster [ id number | name name_str ] | encrypt password pswd_str | interface interface | link-hold-time number | link-up-on-backup | monitor interface interface |
rto-mirror { hb-interval number | hb-threshold number | id id_num { direction { in | out } } | session off | sync } |
secondary-path interface |
track-ip [ ip [ ip_addr [ interface interface | interval number | method { arp | ping } | threshold number | weight number ] ] | threshold number ] |
vsd-group { id id_num [ mode ineligible | preempt [ hold-down number ] | priority number ] | hb-interval number | hb-threshold number | init-hold number }
}

unset

unset nsrp {
arp number | auth | cluster id | encrypt | link-hold-time | link-up-on-backup | monitor interface interface |
rto-mirror { hb-interval number | hb-threshold number | id id_num { direction { in | out } } | session off | sync } |
secondary-path |
track-ip { ip [ ip_addr ] [ interface | interval number | method { arp | ping } | threshold number | weight number ] } |
vsd-group [ all | id number [ mode | preempt | priority ] hb-interval number | hb-threshold number | init-hold number ]
}

Keywords and Variables

arp

set nsrp arp number

unset nsrp arp number

Example: The following command instructs the NetScreen device to send out seven ARP requests:

set nsrp arp 7

auth

set nsrp auth password pswd_str

unset nsrp auth

Example: The following command sets the NSRP authentication password to “swordfish”:

set nsrp auth password swordfish

arp Sets the number of ARP requests that a newly elected master unit sends out, notifying other network devices of its presence. The default is 4.

auth Instructs the NetScreen device to authenticate NSRP communications using the specified password. Valid passwords contain from 1 to 15 characters.

cluster

get nsrp cluster

set nsrp cluster id number

Example: The following command assigns the NetScreen device to cluster 2:

set nsrp cluster id 2

cluster (clear)

clear cluster nsrp counter [ ... ]

counter

clear [ cluster ] nsrp counter [ ... ]

get nsrp counter [ protocol | rto ]

Example: The following command displays all NSRP counter values:

get nsrp counter

cluster id Assigns the NetScreen device to a cluster, expressed as an integer (from 1 to 127, inclusive) to identify the cluster.

cluster Propagates the clear operation to all other devices in an NSRP cluster.

counter Clears or displays the NSRP counter values.

• packet-fwd Clears or displays packet-forwarding counters only.

• protocol Clears or displays NSRP protocol counters only.

• rto Clears or displays RTO message counters only.

encrypt password

set nsrp encrypt password pswd_str

unset nsrp encrypt

Example: The following command sets the NSRP encryption password to “manta”:

set nsrp encrypt password manta

group

get nsrp group

interface

set nsrp interface interface

Example: The following command specifies that the NSRP interface is ethernet4:

set nsrp interface ethernet4

link

get nsrp link

encrypt password Specifies that NSRP communications be encrypted using the specified password. Valid passwords contain from 1 to 15 characters.

group Displays information on the VSD group.

interface The name of the interface to serve as the high-availability port. For information on interfaces, see “Interface Names” on page A-IV.

link Displays HA link information.

link-hold-time

set nsrp link-hold-time number

unset nsrp link-hold-time

link-up-on-backup

set nsrp link-up-on-backup

unset nsrp link-up-on-backup

monitor interface

set nsrp monitor interface interface

unset nsrp monitor interface interface

Example: The following command specifies that the NSRP monitor interface is ethernet4:

set nsrp monitor interface ethernet4

link-hold-time The delay time (in seconds) before the NetScreen device brings up the link with the peer device.

link-up-on-backup Specifies that the link is always up on the backup device.

monitor interface Specifies the NSRP monitor interface.

rto-mirror

get nsrp rto-mirror

set nsrp rto-mirror { ... }

unset nsrp rto-mirror { ... }

Example: The following command specifies that the RTO mirror group (10) direction is inbound:

set nsrp rto-mirror id 10 direction in

secondary-path

set nsrp secondary-path interface

unset nsrp secondary-path

Example: The following command specifies that the secondary NSRP link interface is ethernet5:

set nsrp secondary-path ethernet5

sync

exec nsrp sync { ... }

Example: The following command instructs the NetScreen device to synchronize all runtime objects:

exec nsrp sync rto all

rto-mirror Creates an optional RTO mirror between two devices in a VSD group to back up run-time objects (RTOs). In most cases, using this option is not necessary. Normally, RTO objects synchronize after execution of the set nsrp rto sync command. A NetScreen device can belong to only one RTO mirror group at a time.

• id id_num Identifies the VSD group using its identification number id_num, an integer value between 1 and 127 inclusive. The direction setting determines whether the RTO mirror group direction is inbound or outbound.

• hb-interval number Specifies the heartbeat interval in seconds.

• hb-threshold number Specifies the heartbeat-lost threshold. The minimum threshold value is 16 heartbeats.

• session off Disables the RTO session.

• sync Enables RTO object synchronization.

secondary-path Specifies a secondary NSRP link interface.

sync Specifies the name of a particular configuration, file, or RTO to copy from one unit to the other.

• file Specifies synchronization of the files in flash memory.

- name filename specifies a particular file in flash memory. (Executing the file option without specifying a file name copies all the files.)

- from peer specifies all files from the peer device.

• global-config Specifies synchronization of the current device configurations. The check-sum switch compares the check-sum after synchronization. The save switch saves the synchronization configuration to flash memory.

• rto Specifies synchronization of the current runtime objects (RTOs) in the RTO mirror.

- all Specifies all possible realtime objects.

- arp Specifies the Address Resolution Protocol (ARP) information.

- dns Specifies the Domain Name Service (DNS) information.

- session Specifies the session information.

- vpn Specifies all Virtual Private Network (VPN) information.

track-ip

get nsrp track-ip [ ip ip_addr ]

set nsrp track-ip [ ... ]

unset nsrp track-ip [ ... ]

Example: The following command enables path tracking through interface ethernet4 to a device at IP address 172.16.10.10:

set nsrp track-ip ip 172.16.10.10 interface ethernet4

track-ip Enables path tracking, which is a means for checking the network connection between a NetScreen interface and that of another device. The IP address ip_addr identifies the other network device to check. Executing unset nsrp track ip resets the track options to their default values.

ip ip_addr

• interface interface Specifies the interface through which the NetScreen device performs the path tracking. By default, the device automatically chooses the interface for IP tracking.

• interval number Specifies the interval in seconds between path tracking attempts. Required value is between 1 and 200. The default is 1.

• method { arp | ping } Specifies the method used for path tracking. The default is ping.

• threshold number Defines the number of failed tracking attempts that can occur before the NetScreen device is said to have failed. The default is 3.

• weight number Defines the path weight. Required value is between 1 and 255. The default weight is 1.

threshold number Defines the number of failed tracking attempts that can occur before the NetScreen device is said to have failed. The default is 3.

vsd-group

get nsrp vsd-group [ id id_num | all ]

set nsrp vsd-group [ ... ]

unset nsrp vsd-group [ ... ]

vsd-group Configures a VSD group for a cluster.

id id_num Creates a VSD group, identified by id_num (from 1 to 8, inclusive), that contains all members belonging to a single cluster of devices. Once created, a VSD group elects a master unit from the cluster it contains. Other devices reference the device cluster in the VSD group through the group’s virtual security identification (VSI).

• mode ineligible Determines the running mode of the security device. The ineligible switch specifies that the local device is not intended for failover, even after system reboot. (This may be necessary for administrative reasons.) Executing unset nsrp vsd-group id number mode ineligible specifies that the device is eligible again.

• preempt [ hold-down number ] Determines if the master unit keeps its master status until the unit itself relinquishes that status. To prevent rapid failovers, the master device waits for the specified hold-down interval, expressed as a number between 0 and 600 seconds inclusive. The default is 3.

• priority number The priority level of the device, expressed as an integer from 1 to 254, inclusive. The priority level determines the failover order for the device. The failover order determines which unit is the master unit when two NetScreen devices in a redundant group power up simultaneously, and which backup unit becomes the next master during a failover. (The unit with the number closest to 1 becomes the master unit.)

init-hold The number of heartbeats that occur before the system exits the initial state (init mode). This value can be an integer from 5 to 255. The default is 5.

hb-interval number Specifies the heartbeat interval, expressed in milliseconds. This value can be an integer from 200 to 1000. The default is 200.

Page 275: NetScreen CLI Reference Guide - Juniper Networks

�4�85��$��*$�48�%��35

6�9���

e exits the initial state:

en the master unit fails:

allowed before failure. This value

when the master device fails.

aster device.

t joins the VSD group. (At the end uch as master, backup, or primary

the master unit fails.

���������������� ���������!�

Examples: The following command disables the local device for failover:

set nsrp vsd-group id 2 mode ineligible

The following command specifies that ten heartbeats must occur before the devic

set nsrp vsd-group init-hold 10

!�� ������0�*��1

exec nsrp vsd-group grp_num mode { ... }

Example: The following command instructs the NetScreen device to take over wh

exec nsrp vsd-group 2 mode pb

1� "%��

The default value of preempt [ holdown number ] is zero.

The default value of vsd-group id id_num priority number is 100.

hb-threshold numberSpecifies the heartbeat-lost threshold, the number of lost heartbeats can be an integer from 3 to 255. The default is 3.

vsd-group grp_num mode

Specifies a VSD group and the NetScreen device’s new mode.

• In backup mode, the device takes over work for the master device

• In ineligible mode, the device is unavailable as a backup for the m

• In init mode, the device is in the transient state that occurs when iof this initial hold up time, the device transitions to another state, sbackup.)

• In pb (primary backup) mode, the unit is the first to take over when

Page 276: NetScreen CLI Reference Guide - Juniper Networks

�4�85��$��*$�48�%��35

6�����

1,000 milliseconds, or one

���������������� ���������!�

The default value of vsd-group id id_num hb-interval number is 1000 (signifyingsecond).

���"���*�"��������%����

The following commands:

• set up an NSRP cluster consisting of two NetScreen devices

• create two VSD groups for the cluster

• make a VSI for the VSD group

• enable RTO object synchronization, including session synchronization

8����!����7

&����@������!�!"�������� "���"�!�'"�"*����

set interface redundant2 zone trust

set interface ethernet2/1 group redundant2

set interface ethernet2/2 group redundant2

set interface redundant2 manage-ip 10.1.1.3

�%�����"�!���1����8�

set nsrp cluster id 1

set nsrp vsd-group id 0 preempt hold-down 10

set nsrp vsd-group id 0 preempt

set nsrp vsd-group id 0 priority 1

set nsrp vsd-group id 1

set nsrp monitor interface redundant2

set nsrp rto-mirror sync

save

Page 277: NetScreen CLI Reference Guide - Juniper Networks

�4�85��$��*$�48�%��35

6�����

���������������� ���������!�

8����!����;

&����@������!�!"�������� "���"�!�'"�"*����

set interface redundant2 zone trust

set interface ethernet2/1 group redundant2

set interface ethernet2/2 group redundant2

set interface redundant2 manage-ip 10.1.1.4

�%�����"�!���1����8�

set nsrp cluster id 1

set nsrp rto-mirror sync

set nsrp vsd-group id 1 priority 1

set nsrp vsd-group id 1 preempt hold-down 10

set nsrp vsd-group id 1 preempt

set nsrp monitor interface redundant2

set nsrp arp 4

set arp always-on-dest

>������@������!�!"�������� "��

set interface redundant1 zone untrust

set interface ethernet1/1 group redundant1

set interface ethernet1/2 group redundant1

����"%�������3������ "���

set interface redundant1 ip 210.1.1.1/24

set interface redundant2 ip 10.1.1.1/24

set interface redundant1:1 ip 210.1.1.2/24

set interface redundant2:1 ip 10.1.1.2/24

Configure the default routes:

set vrouter untrust-vr route 0.0.0.0/0 interface redundant1 gateway 210.1.1.250

set vrouter untrust-vr route 0.0.0.0/0 interface redundant1:1 gateway 210.1.1.250

save
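As an added example (not from the guide), the following Python script audits the two device configurations above for the consistency properties an NSRP active/active pair depends on: the same cluster ID, RTO mirroring on both members, distinct manage IPs, the same VSD group membership, a distinct primary (lowest priority) per VSD group, and a preempt hold-down wherever preempt is enabled. The default VSD group priority of 100, the implicit VSD group 0, and the line-parsing rules are assumptions.

```python
"""Consistency audit for a two-member NSRP cluster (added example, not from the guide)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed ScreenOS defaults: a VSD group with no explicit priority gets 100, and
# VSD group 0 exists on every cluster member as soon as a cluster ID is set.
DEFAULT_VSD_PRIORITY = 100

# Constructed input: the NSRP-relevant lines of the two device configurations above.
DEVICE_A = """
set interface redundant2 manage-ip 10.1.1.3
set nsrp cluster id 1
set nsrp vsd-group id 0 preempt hold-down 10
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 priority 1
set nsrp vsd-group id 1
set nsrp monitor interface redundant2
set nsrp rto-mirror sync
"""

DEVICE_B = """
set interface redundant2 manage-ip 10.1.1.4
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 1 priority 1
set nsrp vsd-group id 1 preempt hold-down 10
set nsrp vsd-group id 1 preempt
set nsrp monitor interface redundant2
"""


@dataclass
class NsrpConfig:
    cluster_id: int | None = None
    rto_mirror_sync: bool = False
    manage_ips: set[str] = field(default_factory=set)
    monitored: set[str] = field(default_factory=set)
    priorities: dict[int, int] = field(default_factory=dict)  # vsd-group id -> priority
    preempt: set[int] = field(default_factory=set)
    hold_down: dict[int, int] = field(default_factory=dict)   # vsd-group id -> seconds


def parse_nsrp(config: str) -> NsrpConfig:
    """Extract the NSRP settings from ScreenOS 'set' lines (parsing rules are assumptions)."""
    c = NsrpConfig()
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"set nsrp cluster id (\d+)", line):
            c.cluster_id = int(m.group(1))
            c.priorities.setdefault(0, DEFAULT_VSD_PRIORITY)
        elif line == "set nsrp rto-mirror sync":
            c.rto_mirror_sync = True
        elif m := re.fullmatch(r"set interface \S+ manage-ip (\S+)", line):
            c.manage_ips.add(m.group(1))
        elif m := re.fullmatch(r"set nsrp monitor interface (\S+)", line):
            c.monitored.add(m.group(1))
        elif m := re.fullmatch(r"set nsrp vsd-group id (\d+)\s*(.*)", line):
            gid, rest = int(m.group(1)), m.group(2)
            c.priorities.setdefault(gid, DEFAULT_VSD_PRIORITY)
            if pm := re.fullmatch(r"priority (\d+)", rest):
                c.priorities[gid] = int(pm.group(1))
            elif hm := re.fullmatch(r"preempt hold-down (\d+)", rest):
                c.hold_down[gid] = int(hm.group(1))
            elif rest == "preempt":
                c.preempt.add(gid)
    return c


def audit_pair(a: NsrpConfig, b: NsrpConfig) -> list[str]:
    """Return findings for the pair; an empty list means the two members are consistent."""
    findings: list[str] = []
    if a.cluster_id is None or a.cluster_id != b.cluster_id:
        findings.append("cluster id missing or differs between members")
    if not (a.rto_mirror_sync and b.rto_mirror_sync):
        findings.append("rto-mirror sync not enabled on both members")
    if a.manage_ips & b.manage_ips:
        findings.append(f"manage-ip collision: {sorted(a.manage_ips & b.manage_ips)}")
    if a.monitored != b.monitored:
        findings.append("monitored interfaces differ between members")
    if set(a.priorities) != set(b.priorities):
        findings.append("vsd-group membership differs between members")
    for gid in sorted(set(a.priorities) & set(b.priorities)):
        if a.priorities[gid] == b.priorities[gid]:
            findings.append(f"vsd-group {gid}: equal priority, primary election is ambiguous")
    for name, cfg in (("A", a), ("B", b)):
        for gid in sorted(cfg.preempt - set(cfg.hold_down)):
            findings.append(f"device {name} vsd-group {gid}: preempt without hold-down")
    return findings
```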

ntp

Description: Use the ntp commands to configure the NetScreen device for Simple Network Time Protocol (SNTP).

To enable the SNTP feature, use the set clock ntp command.

Syntax

exec

exec ntp update

get

get ntp

set

set ntp { interval number | server ip_addr | timezone number1 number2 }

unset

unset ntp { server | interval | timezone }

Note: NetScreen’s implementation is based upon Simple Network Time Protocol (SNTP) and is therefore a subset of NTP. It is used to synchronize computer clocks in the Internet. In its simplified version, SNTP is adequate for devices that do not require a high level of synchronization and accuracy.

Keywords and Variables

interval

set ntp interval number

unset ntp interval

Example: The following command configures the NetScreen device to synchronize its clock time every 20 minutes:

set ntp interval 20

server

set ntp server ip_addr

unset ntp server

Example: The following command defines the NTP server with IP address of 172.10.10.6 with which to synchronize clock time:

set ntp server 172.10.10.6

interval Defines in minutes how often the NetScreen device updates its clock time by synchronizing with the NTP server. The range for the synchronization interval is from 1 to 1440 minutes.

server The IP address of the NTP server with which the NetScreen device synchronizes time.

timezone

set ntp timezone number1 number2

unset ntp timezone

Example: The following command sets the Time Zone to Greenwich Mean time:

set ntp timezone 0

update

exec ntp update

timezone Defines the Time Zone, expressed as an integer number1 between -12 and 12 inclusive. A value of zero denotes GMT (Greenwich Mean Time). number2 expresses minutes.

update Updates the time setting on a NetScreen device to synchronize it with the time setting on an NTP server.

os

Description: Use the os commands to display mail and task information for the device operating system.

Syntax

get

get os { mail | task name_str }

Keywords and Variables

mail

get os mail

task

get os task name_str

mail Displays the mail information.

task Displays information on a specified task (name_str).

ospf

Description: Use the ospf context to begin configuring OSPF routing protocol for a NetScreen virtual router.

Context Initiation

Initiating the ospf context can take up to four steps:

1. Enter the vrouter context by executing the set vrouter command.

set vrouter vrouter

For example:

set vrouter trust-vr

2. Set the router ID for this virtual routing instance.

set route-id { id_num | ip_addr }

For example:

ns(trust-vr)-> set route-id 172.16.10.10

3. Enter the ospf context by executing the set protocol ospf command.

ns(trust-vr)-> set protocol ospf

4. Enable OSPF protocol (it is disabled by default).

ns(trust-vr/ospf)-> set enable

Subcommands

The following commands are executable in the ospf context.

advertise-def-route Use the advertise-def-route commands to advertise or display the default route of the current virtual routing instance (0.0.0.0/0) in all areas. Every router has a default route entry, which matches every destination. (Any entry with a more specific prefix overrides the default route entry.) Command options: get, set, unset

area Use the area commands to configure an area for an OSPF virtual routing instance. An OSPF area is a region that contains a collection of routers or virtual routing instances. Command options: get, set, unset

auto-vlink Use the auto-vlink commands to direct the local virtual router to automatically create virtual links. Using automatic virtual links replaces the more time-consuming process of creating each virtual link manually. A virtual link is a conveyance that enables two unconnected segments that cannot reach a backbone router to connect with each other. Command options: get, set, unset

config Use the config command to display all commands executed to configure the OSPF local virtual routing instance. Command options: get

database Use the database command to display details about the current OSPF link state database. Command options: get

enable Use the enable commands to enable or disable OSPF from the current routing instance. Command options: get, set, unset

hello-threshold Use the hello-threshold commands to set or display the hello threshold. When a neighbor device exceeds this threshold by flooding the virtual router with hello packets, the virtual router drops the extra packets. A Hello packet is a broadcast message that announces the presence of a routing instance on the network. Command options: get, set, unset

interface Use this command to display all OSPF interfaces on the virtual router. Command options: get

lsa-threshold Use the lsa-threshold commands to set or display the Link State Advertisement (LSA) threshold. When a neighbor device exceeds this threshold by flooding the virtual router with LSA packets, the virtual router drops the extra packets. Link State Advertisements (LSAs) enable OSPF routers to make device, network, and routing information available for the link state database. Command options: get, set, unset

neighbor Use the neighbor command to display details about neighbor devices. Command options: get

redistribute Use the redistribute commands to import routes from a different protocol than the one used by the current virtual routing instance. The types of routing protocols from which to import routes include:

• manually-created routes (static)

• routes from BGP (bgp)

• routes that have at least one interface with an IP address assigned to it (connected)

• routes that have already been imported (imported).

Command options: get, set, unset

reject-default-route Use the reject-default-route commands to reject or restore the default route learned from OSPF (0.0.0.0/0) in the current routing instance. Every router has a default route entry in its routing table. This default route matches every destination. (Any entry with a more specific prefix overrides the default route entry.) Command options: get, set, unset

rfc-1583 Use the rfc-1583 commands to use routing table calculation methods consistent with standards specified in the Request For Comments 1583 document. Command options: get, set, unset

routes-redistribute Use the routes-redistribute command to display details about routes imported from a protocol other than OSPF. Command options: get

rules-redistribute Use the rules-redistribute command to display conditions set for routes imported from a protocol other than OSPF. Command options: get

statistics Use the statistics command to display information about Hello packets, link state packets, database descriptions, Shortest Path First (SPF) packets, packets dropped, errors, and other traffic statistics related to the current OSPF virtual routing instance. Command options: get

stub Use the stub command to display details about a stub area created in the current OSPF virtual routing instance. Command options: get

summary-import Use the summary-import commands to summarize a route redistribution. After importing a series of routes to the current OSPF routing instance from a router running a different protocol, you can bundle the routes into one generalized (or summarized) address that uses the same network stem of the prefix address. By summarizing multiple addresses, you allow the OSPF routing instance to treat a series of routes as one route, thus simplifying the process. Command options: get, set, unset

vlink Use the vlink commands to create a virtual link for the current routing instance. A virtual link is a conveyance that allows two segments to connect when the backbone router bridging them cannot reach either segment. Command options: get, set, unset

vneighbor Use the vneighbor command to display information about a virtual routing instance neighbor. Command options: get

advertise-def-route

Description: Use the advertise-def-route commands to advertise or display the default route of the current virtual routing instance (0.0.0.0/0) in all areas.

Every router has a default route entry, which matches every destination. (Any entry with a more specific prefix overrides the default route entry.)

Before you can execute the advertise-def-route commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get advertise-def-route

set

set advertise-def-route [ always ] metric number metric-type { 1 | 2 }

unset

unset advertise-def-route

Keywords and Variables

always

set advertise-def-route always { ... }

unset advertise-def-route

metric

set advertise-def-route [ always ] metric number metric-type { 1 | 2 }

unset advertise-def-route

metric-type

set advertise-def-route [ always ] metric number metric-type { 1 | 2 }

unset advertise-def-route

always Directs the routing instance to advertise the default route under all conditions, even if there is no default route in the routing table.

metric Specifies the metric (cost), which indicates the overhead associated with the default route.

metric-type Specifies the external route type to determine path preference.

• 1 Directs the routing instance to use a Type 1 route to evaluate the default route. A type 1 route is a comparable route, with a lower cost than a type 2 route.

• 2 Directs the routing instance to use a Type 2 route to evaluate the default route. A type 2 route is a non-comparable route, with a higher cost than a type 1 route.

area

Description: Use the area commands to configure an area for an OSPF virtual routing instance.

An OSPF area is a region that contains a collection of routers or virtual routing instances.

Before you can execute the area commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get area

set

set area { id_num | ip_addr } { stub | nssa }

unset

unset area number

Keywords and Variables

Variable Parameters

set area id_num

set area ip_addr

Example: The following command creates an OSPF area:

ns(trust-vr/ospf)-> set area 10

nssa

set area { id_num | ip_addr } nssa

stub

set area { id_num | ip_addr } stub

id_num The OSPF area ID that identifies the area.

ip_addr The IP address that identifies the area.

nssa Specifies that the area is a “not so stubby area.”

stub Specifies the area is a stub area.

auto-vlink

Description: Use the auto-vlink commands to automatically create or display details about virtual links.

Using automatic virtual links replaces the more time-consuming process of creating each virtual link manually. A virtual link is a conveyance that enables two unconnected segments that cannot reach a backbone router to connect with each other.

Before you can execute the auto-vlink commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get auto-vlink

set

set auto-vlink

unset

unset auto-vlink

Keywords and Variables

None.

config

Description: Use the config command to display all commands executed to configure the OSPF local virtual routing instance.

Before you can execute the config command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get config

Keywords and Variables

None.

database

Description: Use the database command to display details about the current OSPF database.

Before you can execute the database command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get database [ detail ] [ area [ number | ip_addr ] ]

[ asbr-summary | external | network | nssa-external | router | summary

[ adv-router ip_addr | self-originate ]

[ link-state-id ip_addr ] ]

Keywords and Variables

adv-router

get database [ ... ] adv-router ip_addr [ ... ]

Example: The following command displays the LSAs from a router with router ID 172.16.10.10:

get database adv-router 172.16.10.10

area

get database [ ... ] area [ number | ip_addr ] [ ... ]

Example: The following command displays the LSAs from an area (4):

get database area 4

detail

get database detail [ ... ]

Example: The following command generates a detailed display of LSAs from an area (4):

get database detail area 4

adv-router Displays the Link State Advertisements (LSAs) from the specified advertising router (ip_addr).

area Displays the LSAs in the current area.

detail Displays detailed information.

external

get database [ ... ] external [ ... ]

Example: The following command displays external LSAs:

get database external

link-state-id

get database [ ... ] link-state-id ip_addr

Example: The following command generates a detailed display of external LSAs with link-state ID 172.16.1.1:

get database detail external link-state-id 172.16.1.1

network

get database [ ... ] network [ ... ]

Example: The following command displays network LSAs:

get database network

external Displays external LSAs.

link-state-id Displays the LSA with a specified link-state ID (ip_addr).

network Displays the network LSAs.

nssa-external

get database [ ... ] nssa-external [ ... ]

Example: The following command displays external LSAs for not-so-stubby areas:

get database nssa-external

router

get database [ ... ] router [ ... ]

Example: The following command displays router LSAs:

get database router

self-originate

get database [ ... ] self-originate [ ... ]

Example: The following command displays self-originated LSAs:

get database self-originate

nssa-external Displays the not-so-stubby areas (NSSAs) external LSAs.

router Displays router LSAs.

self-originate Displays self-originated LSAs.

summary

get database [ ... ] summary [ ... ]

Example: The following command displays summary LSAs:

get database summary

summary Displays summary LSAs.

enable

Description: Use the enable commands to enable or disable OSPF from the current routing instance.

Before you can execute the set enable command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

set

set enable

unset

unset enable

Keywords and Variables

None.

hello-threshold

Description: Use the hello-threshold commands to set or display the hello threshold. When a neighbor device exceeds this threshold by flooding the virtual router with hello packets, the virtual router drops the extra packets.

A Hello packet is a broadcast message that announces the presence of a routing instance on the network.

Before you can execute the hello-threshold commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get hello-threshold

set

set hello-threshold number

unset

unset hello-threshold

Keywords and Variables

Variable Parameters

set hello-threshold number

Example: The following command sets the maximum number of packets to allow in the hello interval to 1000:

ns(trust-vr/ospf)-> set hello-threshold 1000

number The maximum number of hello packets the virtual router accepts from a neighbor in the hello interval.

interface

Description: Use this command to display all OSPF interfaces on the virtual router.

Before you can execute the interface command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get interface

Keywords and Variables

None.

lsa-threshold

Description: Use the lsa-threshold commands to set or display the Link State Advertisement (LSA) threshold. When a neighbor device exceeds this threshold by flooding the virtual router with LSA packets, the virtual router drops the extra packets.

Link State Advertisements (LSAs) enable OSPF routers to make device, network, and routing information available for the link state database.

Before you can execute the lsa-threshold commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get lsa-threshold

set

set lsa-threshold number1 number2

unset

unset lsa-threshold number1 number2

Keywords and Variables

Variable Parameters

set lsa-threshold number1 number2

unset lsa-threshold number1 number2

Example: The following command creates an OSPF LSA threshold:

set lsa-threshold 10 30

number1 The LSA time interval (in seconds).

number2 The maximum number of LSAs that the virtual router accepts within the time interval expressed by number1.
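As an added example (not from the guide), the following Python code models the per-neighbor limit that set lsa-threshold 10 30 expresses, and by the same logic the hello-threshold described earlier: at most number2 packets from one neighbor within any number1-second window, with the excess dropped and counted so that a flood shows up in the drop statistics rather than in the link state database. The sliding-window interpretation and the sample packet timings are assumptions.

```python
"""Per-neighbor LSA threshold modelled as a sliding window (added example, not from the guide)."""
from collections import defaultdict, deque


class LsaThreshold:
    """Accept at most `max_lsas` LSAs from one neighbor within any `interval` seconds.

    The two arguments follow 'set lsa-threshold number1 number2': number1 is the
    interval in seconds, number2 the LSA count. Whether the device uses a sliding
    or a fixed window is an assumption; a sliding window is the stricter reading.
    The same logic applies to hello-threshold with the hello interval as the window.
    """

    def __init__(self, interval: int, max_lsas: int):
        if interval <= 0 or max_lsas <= 0:
            raise ValueError("interval and max_lsas must be positive")
        self.interval = interval
        self.max_lsas = max_lsas
        self._accepted = defaultdict(deque)  # neighbor -> arrival times of accepted LSAs
        self.dropped = defaultdict(int)      # neighbor -> LSAs dropped over the threshold

    def accept(self, neighbor: str, now: float) -> bool:
        """Return True if an LSA from `neighbor` arriving at `now` is within the threshold."""
        window = self._accepted[neighbor]
        # Accepted LSAs older than the interval no longer count against the neighbor.
        while window and now - window[0] >= self.interval:
            window.popleft()
        if len(window) >= self.max_lsas:
            self.dropped[neighbor] += 1
            return False
        window.append(now)
        return True


def run_sample(threshold: LsaThreshold, packets) -> dict:
    """Feed (time, neighbor) pairs through the limiter; return accepted LSAs per neighbor."""
    accepted = defaultdict(int)
    for t, neighbor in packets:
        if threshold.accept(neighbor, t):
            accepted[neighbor] += 1
    return dict(accepted)


# Constructed traffic: a well-behaved neighbor sends one LSA per second for 60 s;
# a misbehaving neighbor sends 200 LSAs within the first 5 s and then goes quiet.
NORMAL = [(float(t), "10.0.0.2") for t in range(60)]
FLOOD = [(i * 0.025, "10.0.0.3") for i in range(200)]
SAMPLE = sorted(NORMAL + FLOOD)


def demo():
    """Apply the guide's example values (10 s, 30 LSAs) and return (accepted, dropped)."""
    th = LsaThreshold(interval=10, max_lsas=30)
    return run_sample(th, SAMPLE), dict(th.dropped)
```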

neighbor

Description: Use the neighbor command to display details about neighbor devices.

Before you can execute the neighbor command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get neighbor

Keywords and Variables

None.

redistribute

Description: Use the redistribute commands to import known routes from a router running a different protocol than the current virtual routing instance.

The types of routers from which to import routes include:

• routers with manually created routes (static)

• routers running BGP (bgp)

• routers that have at least one interface with an IP address assigned to it (connected)

• routers with routes that have already been imported (imported)

Before you can execute the redistribute commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get routes-redistribute

get rules-redistribute

set

set redistribute route-map string protocol { bgp | connected | imported | static }

unset

unset redistribute route-map name_str protocol { bgp | connected | imported | static }

Keywords and Variables

protocol

set redistribute route-map string protocol { ... }

Example: The following command redistributes a route that originated on a router that has at least one interface with an IP address assigned to it:

ns(trust-vr/ospf)-> set redistribute route-map map1 protocol connected

route-map

set redistribute route-map string protocol { ... }

Example: The following command redistributes a route that originated from a BGP routing domain into the current OSPF routing domain:

ns(trust-vr/ospf)-> set redistribute route-map map1 protocol bgp

protocol Specifies routing protocol. The route map can use the protocol type to determine whether to forward or deny an incoming packet.

• bgp specifies that the route map performs an action only on BGP routes in the subnetwork.

• connected specifies that the route map performs an action only on routes sent from a router that has at least one interface with an IP address assigned to it.

• imported specifies that the route map performs an action only on imported routes in the subnetwork.

• static specifies that the route map performs an action only on static routes in the subnetwork.

route-map Identifies the route map that indicates the path for which the route should be imported.

reject-default-route

Description: Use the reject-default-route commands to reject or restore the default route learned from OSPF (0.0.0.0/0).

Every router has a default route entry in its routing table. This default route matches every destination. (Any entry with a more specific prefix overrides the default route entry.)

Before you can execute the reject-default-route commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get reject-default-route

set

set reject-default-route

unset

unset reject-default-route

Keywords and Variables

None.

rfc-1583

Description: Use the rfc-1583 commands to use routing table calculation methods consistent with standards specified in the Request For Comments 1583 document.

Before you can execute the rfc-1583 commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get rfc-1583

set

set rfc-1583

unset

unset rfc-1583

Keywords and Variables

None.

routes-redistribute

Description: Use the routes-redistribute command to display details about routes imported from a protocol other than OSPF.

Before you can execute the routes-redistribute command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get routes-redistribute

Keywords and Variables

None.

rules-redistribute

Description: Use the rules-redistribute command to display conditions set for routes imported from a protocol other than OSPF.

Before you can execute the rules-redistribute command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get rules-redistribute

Keywords and Variables

None.

statistics

Description: Use the statistics command to display information about the following objects associated with an OSPF virtual routing instance:

• Hello Packets

• Link State Requests

• Link State Acknowledgments

• Link State Updates

• Database Descriptions

• Areas Created

• Shortest Path First Runs

• Packets Dropped

• Errors Received

• Bad Link State Requests

Before you can execute the statistics command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get statistics

Keywords and Variables

None.

stub

Description: Use the stub command to display details about a stub area created for the current OSPF virtual routing instance.

Before you can execute the stub command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get stub [ ip_addr ]

Keywords and Variables

Variable Parameters

get stub ip_addr

Example: The following command displays details about a stub area created on the current OSPF virtual routing instance:

ns(trust-vr/ospf)-> get stub 192.168.20.20

ip_addr Identifies the stub area.

summary-import

Description: Use the summary-import commands to summarize a route redistribution.

After importing a series of routes to the current OSPF routing instance from a router running a different protocol, you can bundle the routes into one generalized (or summarized) address that uses the same network stem of the prefix address. By summarizing multiple addresses, you allow the OSPF routing instance to treat a series of routes as one route, thus simplifying the process.

Before you can execute the summary-import commands, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get summary-import

set

set summary-import ip ip_addr/mask [ tag { ip_addr | id_num } ]

unset

unset summary-import ip ip_addr/mask

Keywords and Variables

ip

set summary-import ip ip_addr/mask [ ... ]

unset summary-import ip ip_addr/mask

tag

set summary-import ip ip_addr/mask tag { ip_addr | id_num }

Example: The following command summarizes a set of imported routes under one route (20):

ns(trust-vr/ospf)-> set summary-import ip 2.1.1.0/24 tag 20

ip The summarized prefix, consisting of an address (ip_addr) and network mask (mask) encompassing all the imported routes.

tag A value that acts as an identifier for the summarized prefix. The virtual router uses this identifier when advertising a new external LSA.
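As an added example (not from the guide), the following Python code computes the single summarized prefix that covers a set of imported routes, the way set summary-import ip 2.1.1.0/24 tag 20 bundles routes sharing a network stem, and flags a summary that is far wider than the routes it stands for, since an over-broad summary advertises reachability for address space the router does not actually serve. The sample route sets and the overreach limit of 4 are constructed.

```python
"""Summary prefix for imported routes (added example, not from the guide)."""
import ipaddress
from typing import Iterable


def summarize(routes: Iterable[str]) -> ipaddress.IPv4Network:
    """Return the smallest single IPv4 prefix that contains every route in `routes`."""
    nets = [ipaddress.IPv4Network(r) for r in routes]
    if not nets:
        raise ValueError("no routes to summarize")
    first = min(int(n.network_address) for n in nets)
    last = max(int(n.broadcast_address) for n in nets)
    # Start from the shortest prefix among the routes and widen it one bit at a time
    # until one network based at `first` (host bits masked) reaches `last`.
    plen = min(n.prefixlen for n in nets)
    while plen > 0:
        candidate = ipaddress.IPv4Network((first, plen), strict=False)
        if int(candidate.broadcast_address) >= last:
            return candidate
        plen -= 1
    return ipaddress.IPv4Network((0, 0))


def summary_report(routes: Iterable[str], max_overreach: float = 4.0) -> dict:
    """Summarize `routes` and measure how much extra address space the summary claims.

    `overreach` is the summary's size divided by the address space the imported
    routes really cover; above `max_overreach` the summary is flagged, because an
    over-broad summary attracts traffic for space the router cannot deliver to.
    """
    routes = list(routes)
    nets = [ipaddress.IPv4Network(r) for r in routes]
    summary = summarize(routes)
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    overreach = summary.num_addresses / covered
    return {
        "summary": str(summary),
        "covers_all": all(n.subnet_of(summary) for n in nets),
        "overreach": overreach,
        "too_broad": overreach > max_overreach,
    }


# Constructed inputs: contiguous routes that summarize cleanly to the guide's
# 2.1.1.0/24, and two scattered routes whose only common summary is a /8.
CONTIGUOUS = ["2.1.1.0/26", "2.1.1.64/26", "2.1.1.128/25"]
SCATTERED = ["2.1.1.0/24", "2.200.0.0/24"]
```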

vlink

Description: Use the vlink commands to create a virtual link for the current routing instance.

A virtual link is a conveyance that allows two segments to connect when the backbone router bridging them cannot reach either segment.

Before you can execute the vlink command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get vlink

set

set vlink area-id { id_num1 | ip_addr1 } router-id { id_num2 | ip_addr2 }

unset

unset vlink area-id { id_num1 | ip_addr1 } router-id { id_num2 | ip_addr2 }

Keywords and Variables

Variable Parameters

set vlink area-id { id_num1 | ip_addr1 } { ... }

unset vlink area-id { id_num1 | ip_addr1 } { ... }

Example: The following command creates a virtual link using an area of 0.0.0.1 for router with an ID of 10:

ns(trust-vr/ospf)-> set vlink area-id 0.0.0.1 router-id 10

area-id

set vlink area-id { id_num1 | ip_addr1 } { ... }

unset vlink area-id { id_num1 | ip_addr1 } { ... }

Example: The following command creates a virtual link using an area of 0.0.0.1 for router with an ID of 10:

ns(trust-vr/ospf)-> set vlink area-id 0.0.0.1 router-id 10

router-id

set vlink area-id { id_num1 | ip_addr1 } router-id { id_num2 | ip_addr2 }

unset vlink area-id { id_num1 | ip_addr1 } router-id { id_num2 | ip_addr2 }

id_num1 The ID number of the area through which the virtual link is connected.

ip_addr1 The IP address of the area through which the virtual link is connected.

area-id Specifies the ID or IP address of the area to which the virtual link is connected.

router-id Specifies the ID or IP address of the router that comprises the other end of the virtual link.

Example: The following command creates a virtual link using an area of 0.0.0.1 for router with an ID of 10.10.10.20:

ns(trust-vr/ospf)-> set vlink area-id 0.0.0.1 router-id 10.10.10.20

vneighbor

Description: Use the vneighbor command to display information about a neighbor on the virtual link.

Before you can execute the vneighbor command, you must initiate the ospf context. (See “Context Initiation” on page 265.)

Syntax

get

get vneighbor

Keywords and Variables

None.

performance

Description: Use the performance command to retrieve CPU utilization information on the NetScreen device.

Syntax

get

get performance cpu [ detail ]

Keywords and Variables

detail

get performance cpu detail

detail Displays cpu performance detail.

ping

Description: Use the ping command to check the network connection to another system.

Syntax

ping [ ip_addr | name_str ] [ count number [ size number [ time-out number ] ] ] [ from interface ]

Keywords and Variables

Variable Parameters

ping [ ip_addr | name_str ] [ ... ]

Example: The following command pings a host with IP address 172.16.11.2:

ping 172.16.11.2

count

ping [ ip_addr | name_str ] count number [ ... ]

Example: The following command pings a device at 10.100.2.171 with a ping count of 3:

ping 10.100.2.171 count 3

from

ping [ ip_addr | name_str ] [ ... ] from interface

Examples: The following command pings a device at 10.100.2.11 with a ping count of 4 from the ethernet1 interface:

ping 10.100.2.11 count 4 from ethernet1

The following command pings a host with IP address 192.168.11.2 and sends the results to IP address 10.1.1.3:

ping 192.168.11.2 from mip 10.1.1.3

size

ping [ ip_addr | name_str ] count number size number [ ... ]

time-out

ping [ ip_addr | name_str ] count number size number time-out number

Example: The following command pings a device at 10.100.2.11 with:

• a ping count of 4

• packet size 1000

• ping timeout of three seconds:

ping 10.100.2.11 count 4 size 1000 time-out 3

Note: An extended ping (using the from option) pings a host on the Untrusted network from any existing MIP, or from the Trusted interface IP address. The syntax for specifying a MIP is mip ip_addr (see example in from keyword description).

ip_addr | name_str Pings the host at IP address (ip_addr) or with name (name_str).

count The ping count (number).

from The source interface (interface) for an extended ping. For more information on interfaces, see “Interface Names” on page A-IV.

size The packet size (number) for each ping.

time-out The ping timeout in seconds (number).

pki

Description: Use the pki commands to manage public-key infrastructure (PKI). These commands perform the following tasks:

• Manage PKI objects.

• Create new RSA or DSA key pairs.

• Acquire certificates or CRLs.

• Configure PKI-related operations, such as verification of certificate revocation.

• Designate the certificate authority server information.

Syntax

exec

exec pki { convert-cert | dsa new-key key_num | rsa new-key key_num | x509
    { delete number | install-factory-certs name_str | pkcs10 | scep { id_num | new } |
      tftp ip_addr { cert-name name_str | crl-name name_str } }
  }

get

get pki { authority { id_num | default }
    { cert-path | cert-status | scep } |
  ldap | src-interface | x509
    { cert-path | crl-refresh | dn | list
        { cert-fqdn | ca-cert | cert | crl | key-pair | local-cert | pending-cert } |
      pkcs10 | raw-cn | send-to }
  }

set (authority)

set pki authority { id_num | default } { cert-path { full | partial } | cert-status
    { crl
        { refresh { daily | default | monthly | weekly } | server-name { ip_addr | dom_name } | url url_str } |
      ocsp { refresh number | url url_str
        [ id-type { certhash | certid | issuer-serial | name | pkcert } ]
        [ l-sign-request ] [ no-nonce ] [ no-response-type ]
        [ not-verify-resp-cert ] ]
      } | revocation-check { best-effort | none | all | crl | ocsp } } |
  scep { authentication { failed | passed } | ca-cgi string | ca-id name_str | challenge pswd_str | current |
    mode { auto | manual } | polling-int number | ra-cgi string | renew-start number }
  }

set (ldap)

set pki ldap { server-name { name_str | ip_addr } | crl-url url_str }

set (x509)

set pki x509 { cert-fqdn string | default
    { cert-path { full | partial } | crl-refresh { daily | default | monthly | weekly } | send-to string } |
  dn { country-name name_str | email string | ip ip_addr | local-name name_str | name name_str |
       org-name name_str | org-unit-name name_str | phone string | state-name name_str } |
  friendly-name string | raw-cn enable }

unset

unset pki { authority { id_num | default }
    { cert-path | cert-status
        { crl { refresh | server-name | url } | revocation-check } |
      scep { ca-cgi | ca-id | challenge | current | mode | polling-int | ra-cgi | renew-start }
    } | ldap
    { crl-url | server-name } |
  x509 { cert-fqdn | default { cert-path | crl-refresh | send-to } | dn
    { country-name | email | ip | local-name | name | org-name | org-unit-name | phone | state-name } |
    friendly-name id_num | raw-cn }
  }

Keywords and Variables

authentication

set pki authority { ... } scep authentication { failed | passed } [ id_num ]

unset pki authority { ... } scep authentication

Example: The following command sets the result of a CA certificate authentication to passed:

set pki authority default scep authentication passed

authentication Sets the result of the CA certificate authentication, failed or passed. The id_num value identifies a defined key pair. Set passed only after you have verified the CA certificate fingerprint through a channel independent of the SCEP server.

authority

get pki authority { id_num | default } { ... }

set pki authority { id_num | default } { ... }

unset pki authority { id_num | default } { ... }

Example: The following command instructs the NetScreen device to check for certificate revocation on a daily basis:

set pki authority default cert-status crl refresh daily

authority Defines how the NetScreen device uses the CA’s authorization services. The id_num parameter is the identification number of the CA certificate. The default switch specifies the default authority configuration.

cert-path

get pki authority { id_num | default } cert-path

set pki authority { id_num | default } cert-path { full | partial }

unset pki authority { id_num | default } cert-path

Example: The following command defines the certificate path validation level as full:

set pki authority default cert-path full

cert-path Defines the X.509 certificate path validation level. When the device verifies a certificate, it builds a certificate chain from the certificates received from the peer and the certificates stored locally. Certificates loaded locally are considered “trusted”.

• full Directs the NetScreen device to validate the certificate chain to the root. (The last certificate in the certificate chain must be a root CA certificate.)

• partial Specifies partial path validation. (The last certificate in the certificate chain may be a non-root CA certificate.)

In either case, the last certificate in the chain must come from local storage. You can set this certificate path validation level for a CA or a VSYS. With partial, a locally loaded intermediate CA is trusted without the device ever seeing its root, so use it only when that intermediate is the anchor you intend to trust.

cert-status

get pki authority { id_num | default } cert-status

set pki authority { id_num | default } cert-status { ... }

unset pki authority { id_num | default } cert-status { ... }

cert-status Defines how the NetScreen device verifies certificate status.

• crl Configures Certificate Revocation List (CRL) parameters.

- refresh Determines how often (daily, monthly, or weekly) the NetScreen device refreshes the CRL it uses to check for revocation. The default option uses the validation date decided by the CRL.

- server-name { ip_addr | dom_name } Specifies the LDAP server.

- url url_str Specifies the URL for accessing the CRL.

• ocsp Configures Online Certificate Status Protocol (OCSP) parameters.

- refresh number Determines the interval (in seconds) between revocation checks. (Not currently available.)

- url url_str Specifies the URL for accessing the OCSP responder. The id-type specifies the type of certificate ID.

- certhash Specifies that the ID is a hash of the certificate. (Not currently available.)

- certid ID number of the certificate (defined in RFC 2560).

- issuer-serial Specifies that the ID is the certificate issuer name and serial number. (Not currently available.)

- name Specifies that the ID is a general name. (Not currently available.)

- pkcert Specifies that the ID is the name of the certificate. (Not currently available.)

- not-verify-resp-cert Disables verification of the responder certificate. With verification disabled, any host that can answer on the responder URL can assert that a revoked certificate is good; leave verification enabled outside lab testing.

Example: The following command directs the NetScreen device to use the CRL to check certificate status:

set pki authority default cert-status revocation-check crl

• revocation-check Specifies how the NetScreen device checks certificates to see if they are currently revoked.

- best-effort Specifies that the device can use a certificate for which there is no revocation information. This option is useful when CRL retrieval is not practical. For example, in some environments the CRL server is only accessible through a tunnel; however, the CRL information is necessary to build the tunnel originally. When you use the best-effort setting, it is advisable to check the event log periodically. The device should accept a certificate without revocation information only when no revocation information is available. Repeatedly failing to get revocation information for a certificate usually indicates improper configuration.

- crl Specifies that the device uses CRL to check certificate status.

- none Specifies that the device does not perform a check of certificate status.

- ocsp Specifies that the device uses OCSP to check certificate status.

convert-cert

exec pki convert-cert

convert-cert Converts VSYS certificates (for versions prior to ScreenOS 3.0) to use the internal VSYS identifier in ScreenOS 3.0 and above.

current

set pki authority { ... } scep current

unset pki authority { ... } scep current

current Directs the NetScreen device to use the current SCEP setting as default.

Example: The following command uses the current SCEP setting as the default:

set pki authority default scep current
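The cert-path and revocation-check behaviour described above, as an added example that is not ScreenOS code and not part of the original guide: a Python model of X.509 path building under full versus partial validation against locally stored certificates, and of the none, crl, ocsp and best-effort revocation-check modes when a CRL or OCSP answer is or is not available. The certificate subjects, serial numbers and the contents of the trusted store are constructed for the example.

```python
"""Added example, not ScreenOS code: a model of X.509 path validation with
cert-path full|partial and of the revocation-check modes.  Certificate names,
serial numbers and trust stores below are constructed for the example."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    is_ca: bool = False

    @property
    def self_signed(self) -> bool:      # a root CA certificate issues itself
        return self.subject == self.issuer


class PathValidationError(Exception):
    pass


def build_chain(leaf: Cert, peer_certs: Iterable[Cert], local_store: Iterable[Cert],
                cert_path: str = "full", max_depth: int = 8) -> List[Cert]:
    """Climb issuer links from the peer's certificate to a trusted anchor.

    Locally stored certificates are trusted and override peer-supplied copies.
    "partial" stops at the first locally stored CA; "full" must reach a locally
    stored self-signed root.  Raises PathValidationError when neither is met.
    """
    if cert_path not in ("full", "partial"):
        raise ValueError("cert_path must be 'full' or 'partial'")
    local_store = list(local_store)
    pool = {c.subject: c for c in peer_certs}
    pool.update({c.subject: c for c in local_store})          # local copy wins
    local_ids = {(c.subject, c.serial) for c in local_store}

    chain, cur = [leaf], leaf
    while len(chain) <= max_depth:
        anchored = cur is not leaf and cur.is_ca and (cur.subject, cur.serial) in local_ids
        if anchored and (cert_path == "partial" or cur.self_signed):
            return chain
        if cur.self_signed:             # a root the device does not hold locally
            raise PathValidationError(f"root {cur.subject!r} is not in local storage")
        issuer = pool.get(cur.issuer)
        if issuer is None:
            raise PathValidationError(f"issuer {cur.issuer!r} of {cur.subject!r} not found")
        if not issuer.is_ca:
            raise PathValidationError(f"{issuer.subject!r} is not a CA certificate")
        chain.append(issuer)
        cur = issuer
    raise PathValidationError("certificate chain exceeds max_depth")


def revocation_decision(mode: str, crl_revoked: Optional[bool] = None,
                        ocsp_revoked: Optional[bool] = None) -> Tuple[bool, str]:
    """(accept, reason) for one certificate under a revocation-check mode.

    crl_revoked / ocsp_revoked are True or False when that source answered and
    None when it could not be retrieved, e.g. a CRL server that is reachable
    only through the tunnel this certificate is needed to build.
    """
    if mode == "none":
        return True, "revocation status not checked"
    if mode == "crl":
        if crl_revoked is None:
            return False, "CRL unavailable; certificate rejected"
        return (not crl_revoked), "CRL consulted"
    if mode == "ocsp":
        if ocsp_revoked is None:
            return False, "OCSP responder unavailable; certificate rejected"
        return (not ocsp_revoked), "OCSP responder consulted"
    if mode == "best-effort":
        answers = [a for a in (crl_revoked, ocsp_revoked) if a is not None]
        if answers:                     # any answer that did arrive is authoritative
            return (not any(answers)), "revocation information consulted"
        # Nothing answered: accepted, and this is the case to look for in the event log.
        return True, "accepted without revocation information (check the event log)"
    raise ValueError(f"unknown revocation-check mode {mode!r}")


def verify(leaf: Cert, peer_certs: Iterable[Cert], local_store: Iterable[Cert],
           cert_path: str = "full", mode: str = "crl", **status) -> Tuple[bool, str]:
    """Path validation first, then the revocation decision."""
    try:
        build_chain(leaf, peer_certs, local_store, cert_path)
    except PathValidationError as err:
        return False, f"path validation failed: {err}"
    return revocation_decision(mode, **status)


# Constructed sample PKI: root CA -> issuing CA -> VPN peer certificate.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", 1, is_ca=True)
ISSUING = Cert("CN=Example Issuing CA", "CN=Example Root CA", 2, is_ca=True)
PEER = Cert("CN=vpn-peer.example.net", "CN=Example Issuing CA", 1001)

if __name__ == "__main__":
    print([c.subject for c in build_chain(PEER, [ISSUING], [ROOT], "full")])
    print(verify(PEER, [ISSUING, ROOT], [ISSUING], cert_path="full", mode="best-effort"))
    print(verify(PEER, [], [ISSUING], cert_path="partial", mode="best-effort"))
```

Under partial, build_chain stops at the first locally stored CA; under full it keeps climbing until it reaches a self-signed root that is itself in local storage, and a root supplied only by the peer is never enough. revocation_decision returns True for best-effort only when no source answered at all, which is the case the event-log advice above refers to; once any CRL or OCSP answer arrives, that answer decides.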


dsa new-key

exec pki dsa new-key key_num

dsa new-key Generates a new DSA public/private key pair with a specified bit length. Key length is 512, 768, 1024, or 2048. Key lengths below 1024 bits are obsolete; use 2048 where the peer supports it.

ldap

get pki ldap

set pki ldap { ... }

unset pki ldap { ... }

Example: The following command assigns 162.128.20.12 as the CA server’s IP address:

set pki ldap server-name 162.128.20.12

ldap Specifies settings for the LDAP server, when the CA certificate for the server is not in the NetScreen device.

• crl-url url_str Sets the default LDAP URL for retrieving the certificate revocation list (CRL).

• server-name { name_str | ip_addr } Defines the fully-qualified domain name or IP address of the default LDAP server for the certificate authority (CA).

raw-cn enable

set pki x509 raw-cn enable

raw-cn enable Enables the raw subject name. This subject name can contain only one common name (CN).

rsa new-key

exec pki rsa new-key key_num

rsa new-key Generates a new RSA public/private key pair with a specified bit length (number). Key length is 512, 768, 1024, or 2048. As with DSA, lengths below 1024 bits are obsolete; use 2048 where the peer supports it.

scep

exec pki x509 scep { id_num | new }

get pki authority { id_num | default } scep

set pki authority { id_num | default } scep { ... }

unset pki authority { id_num | default } scep { ... }

Example: The following command sets the SCEP challenge password to “swordfish”:

set pki authority default scep challenge swordfish

scep Defines Simple Certificate Enrollment Protocol (SCEP) parameters.

• authentication { passed | failed } [ id_num ] Sets the result of the CA authentication, failed or passed. The id_num value identifies a defined key pair.

• ca-cgi url_str Specifies the path to the CA’s SCEP server.

• ca-id string Specifies the identity of the CA’s SCEP server.

• challenge pswd_str Specifies the challenge password.

• current Directs the NetScreen device to use the current SCEP setting as default.

• mode { auto | manual } Specifies the authentication mode for the CA’s SCEP server.

• polling-int number Determines the retrieval polling interval (in minutes).

• ra-cgi url_str Specifies the CGI path to the RA’s SCEP server.

send-to

get pki x509 send-to

set pki x509 default send-to string

unset pki x509 default send-to

send-to Specifies or displays the e-mail destination (string) of the X.509 certificate request file.

x509

exec pki x509 { ... }

get pki x509 { ... }

set pki x509 { ... }

unset pki x509 { ... }

x509 Specifies settings for the X.509 certificate.

• cert-fqdn string Configures the Fully-Qualified Domain Name (FQDN). PKI uses this value in the certificate subject alt name extension.

• default Specifies default settings.

- cert-path Sets the default certificate path validation level. The full | partial option determines whether the NetScreen device validates the full certificate path to a root CA or only part of the path (see cert-path above).

- crl-refresh Sets or displays the refreshment frequency (daily, monthly, or weekly) of the X.509 CRL. The default option uses the period embedded in each CRL.

- send-to string Assigns the e-mail address to which the NetScreen device sends the PKCS10 certificate request file.

• dn Specifies or displays the name that uniquely identifies a requ­esting certificate.

- country-name name_str Sets the country name.

- email string Sets the e-mail address.

- ip ip_addr Sets the IP address.

- local-name string Sets the locality.

- name string Sets the name in a common name field.

- org-name string Sets the organization name.

- org-unit-name string Sets the organization unit name.

- phone string Sets a contact phone number as the X.509 certificate subject name of the NetScreen device.

- state-name string Sets the state name as the X.509 certificate subject name.

• friendly-name name_str id_num A friendly name (name_str) for the certificate (id_num).

• install-factory-certs key_num Loads a specified factory pre-defined certificate.

• list Displays the X.509 object list.

- ca-cert Displays all CA certificates.

- cert Displays all X.509 certificates.

- cert-req Displays all certificates in the request state.

- crl Displays all Certificate Revocation Lists (CRLs).

- local-cert Displays all local certificates.

- pending-cert Displays all pending certificates.

• pkcs10 Generates or displays a PKCS10 file for an X.509 certificate request for the NetScreen device.

• raw-cn enable Enables the raw common name (CN) or displays its current status.

• scep { id_num | new } Initiates a Simple Certificate Enrollment Protocol (SCEP) operation to retrieve certificates from a certificate authority server. The id_num parameter is the identification number of the pending certificate or the requesting certificate. The new switch directs the NetScreen device to execute SCEP using a new CA reference.

• tftp ip_addr Uploads the specified certificate (cert-name name_str) or CRL file (crl-name name_str) for the specified TFTP server at IP address ip_addr.

Examples: The following command specifies the destination e-mail address where the NetScreen device sends the PKCS10 certificate request:

set pki x509 default send-to [email protected]

The following command refreshes the certificate revocation list on a daily basis:

set pki x509 default crl-refresh daily

The following command defines a distinguished name for Ed Jones, who works in marketing at NetScreen Technologies in Santa Clara, California:

set pki x509 dn country-name “US”

set pki x509 dn state-name CA

set pki x509 dn local-name “santa clara”

set pki x509 dn org-name “netscreen technologies”

set pki x509 dn org-unit-name marketing

set pki x509 dn name “ed jones”

Defaults

The RSA key length is set to 1024 bits.

Requesting a CA Certificate

You use the set pki, get pki, and exec pki commands to request an X.509 CA certificate from a certificate authority. The following commands provide a typical example:

1. Specify a certificate authority CA CGI path.

set pki auth -1 scep ca-cgi “http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe”

Note: The Common Gateway Interface (CGI) is a standard way for a web server to pass a user request to an application program, and to receive data back. CGI is part of the web’s Hypertext Transfer Protocol (HTTP).

2. Specify a registration authority RA CGI path.

set pki auth -1 scep ra-cgi “http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe”

Note: You must specify an RA CGI path even if the RA does not exist. If the RA does not exist, use the value specified for the CA CGI.

3. Generate an RSA key pair, specifying a key length of 1024 bits.

exec pki rsa new 1024

4. Initiate the SCEP operation to request a local certificate.

exec pki x509 scep -1

5. If this is the first attempt to apply for a certificate from this certificate authority, a prompt appears presenting a fingerprint value for the CA certificate. (Otherwise, go on to Step 6.) Compare the fingerprint with the value your CA administrator gives you through a channel independent of the SCEP server before you mark the authentication as passed; a CA certificate accepted on an unverified fingerprint lets whoever controls the path to the SCEP server act as your CA.

get pki auth default scep

set pki auth default scep auth passed

6. When the confirmation prompt appears, contact your certificate authority administrator to approve the local certificate request.

7. (Optional) Display a list of pending certificates. This allows you to see and record the index number identifying the certificate.

get pki x509 list pending-cert

8. (Optional) Obtain the local certificate from the CA (using the index number obtained in Step 7 to identify the certificate).

exec pki x509 scep 1

9. (Optional) Set the interval, in minutes, at which the device polls the CA to retrieve the certificate.

set pki auth -1 scep polling-int number

policy

Description: Use the policy commands to define access policies to control network and VPN traffic.

Syntax

get

get policy [ global ] [ all | from zone1 to zone2 | id pol_num ]

set

set policy [ global ] { move pol_num1 { before pol_num2 | after pol_num3 } |
  [ id pol_num1 ] [ top | before pol_num2 ] [ name name_str ]
    [ from zone1 to zone2 ] src_addr dst_addr svc_name
    { { permit | tunnel { l2tp name_str | vpn-dialup name_str | vpn-group id_num |
                          vpn name_str [ l2tp name_str | pair-policy pol_num ] } }
        [ auth [ server name_str ] [ group-expression string | user name_str | user-group name_str ] ] |
      deny | nat [ dip-id id_num ] [ fix-port ] }
    [ schedule name_str ] [ log [ alert ] ]
    [ count [ alarm id_num1 id_num2 ] ] [ no-session-backup ]
    [ traffic { gbw number } { priority number } { mbw [ number ] dscp { disable | enable } } ]
  }

set policy default-permit-all

set policy [ global ] id pol_num disable

unset

unset policy { [ id pol_num ] [ disable ] | default-permit-all }

Keywords and Variables

all

get policy all

all Displays information about all security policies.

auth

set policy { ... } auth [ ... ]

Example: The following command:

• defines a VPN tunnel policy from the Trust zone to the Untrust zone

• uses any source or destination IP address

• permits any kind of service

• uses the VPN tunnel named Office

• requires user authentication

• uses an authentication server named WC_Server

set policy from trust to untrust any any any tunnel vpn Office auth server WC_Server

auth Requires the user to provide a login name and password to authenticate his or her identity before accessing the device and crossing the firewall.

• server name_str Identifies the authentication server (name_str).

• group-expression string Identifies users according to an expression (string).

• user name_str Identifies a user (name_str).

• user-group name_str Identifies a user group (name_str).

before

set policy before pol_num1 { ... }

Example: The following command creates a new policy and positions it before the second policy:

set policy before 2 from trust to untrust any any any permit

before Specifies the position of the access policy before another policy (pol_num) in the access control list (ACL).

count

set policy { ... } [ count [ alarm { id_num1 id_num2 } ] ] { ... }

Example: The following command:

• defines a policy from the Trust zone to the Untrust zone

• uses any source or destination IP address

• permits any kind of service

• maintains a count of all network traffic

set policy from trust to untrust any any any permit count

count Maintains a count in bytes of all network traffic to which the access policy is applied. The alarm id_num1 id_num2 parameter enables the alarm feature so that you can view alarms. You must enter the number of bytes per second (id_num1) and the number of bytes per minute (id_num2) required to trigger an alarm.

default-permit-all

set policy default-permit-all

default-permit-all Allows access without checking the access control list (ACL) for a matching policy. While it is set, every policy in the ACL is bypassed and the device passes all traffic, so do not leave it set outside of troubleshooting.

disable

set policy [ global ] id pol_num disable

disable Disables the policy without removing it from the configuration.

from ... to

set policy { ... } from zone1 to zone2 src_addr dst_addr svc_name { ... } [ ... ]

Example: The following command:

• defines a policy from the Trust zone to the Untrust zone

• uses any source or destination IP address

• permits the HTTP service

set policy from trust to untrust any any HTTP permit

from zone1 to zone2 src_addr dst_addr svc_name Specifies two zones between which the policies apply.

• zone1 is the name of the source security zone.

• zone2 is the name of the destination security zone.

• src_addr is the name of the source address. Specifying any allows all source IP addresses.

• dst_addr is the name of the destination address. Specifying any allows all destination IP addresses.

• svc_name is the name of the service. Specifying any identifies all available services.

For more information on zones, see “Security Zone Names” on page A-II.

global

set policy global before { ... }

set policy global id pol_num disable

set policy global move pol_num1 { before pol_num2 | after pol_num3 }

set policy global name name_str { ... }

set policy global top

global Creates or displays policies that use the Global zone. The Global zone address book keeps all the VIPs of all interfaces, regardless of the zone to which the interface belongs. You can use these VIP addresses as destination addresses in access policies between any two security zones.

id

get policy [ global ] id pol_num

set policy [ global ] id pol_num1 { ... }

unset policy id pol_num [ disable ]

Example: The following command:

• defines a policy from the Trust zone to the Untrust zone

• assigns to the policy an ID value of 30

• uses any source or destination IP address

• permits the MAIL service

set policy id 30 from trust to untrust any any MAIL permit

id pol_num Specifies an access policy ID number. (The disable switch disables the policy.)

l2tp

set policy [ global ] { ... } tunnel l2tp name_str { ... }

set policy [ global ] { ... } tunnel vpn name_str l2tp name_str

Example: The following command:

• defines an incoming access policy for an L2TP tunnel from the Untrust zone to the Trust zone

• uses the source address dialup_vpn (the dialup VPN group) and the destination address our_side, for any service

• configures the policy for a VPN tunnel named “home2office”

• configures the policy for an L2TP tunnel named “home_office”

set policy from untrust to trust dialup_vpn our_side any tunnel vpn home2office l2tp home_office

l2tp Specifies a Layer 2 Tunneling Protocol (L2TP) tunnel.

log

set policy [ global ] { ... } log [ alert ] { ... }

Example: The following command:

• defines a policy from the Trust zone to the Untrust zone

• uses any source or destination IP address

• permits the HTTP service

• directs the NetScreen device to maintain a log

• enables the Syslog alert feature

set policy from trust to untrust any any HTTP permit log alert

log [ alert ] Maintains a log of all connections to which the access policy applies. The alert switch enables the Syslog alert feature.

move

set policy [ global ] move pol_num1 { before pol_num2 | after pol_num3 }

Example: The following command positions a global policy with ID number 4 before the policy with ID number 2:

set policy global move 4 before 2

move Repositions a policy (pol_num1) before another policy (pol_num2) or after a policy (pol_num3) in the access control list (ACL). When one policy comes before another policy in the ACL, it has higher precedence.

name

set policy [ global ] [ ... ] name name_str { ... }

Example: The following command creates a new policy named S_Office:

set policy name S_Office from trust to untrust sales extern any permit

name name_str Identifies the access policy by name. (Assigning a name to an access policy is optional.)

nat

set policy [ global ] { ... } nat [ dip-id id_num ] [ fix-port ] { ... }

Examples: The following command creates a policy (S_Office) that allows NAT and specifies DIP group 8:

set policy name S_Office from trust to untrust sales extern any nat dip-id 8 permit

The following command defines the DIP with a fixed port on the trusted interface (assume that DIP IP 8 is fix-port):

set policy from trust to untrust 10.1.1.9 10.150.42.41 any nat dip-id 8 fix-port permit

nat Enables or disables Network Address Translation (NAT).

• fix-port Keeps the original source port number in the packet header. Disables Port Address Translation (PAT).

• dip-id id_num Specifies the ID number of the Dynamic IP (DIP) pool. This number can be between 4 and 255.

no-session-backup

set policy [ global ] { ... } no-session-backup { ... }

no-session-backup Disables session backup.

permit | deny

set policy [ global ] { ... } { permit | deny } [ ... ]

Example: The following command:

• defines a policy from the Trust zone to the Untrust zone

• uses any source or destination IP address

• permits any kind of service

set policy from trust to untrust any any any permit

permit | deny

• permit allows the specified service to pass from the source address across the firewall to the destination address.

• deny blocks the service at the firewall.

schedule

set policy [ global ] { ... } schedule name_str [ ... ]

Example: The following command:

• defines a policy from the Trust zone to the Untrust zone

• uses any source or destination IP address

• permits any kind of service

• applies the policy to an existing schedule named Mkt_Sched

set policy from trust to untrust any any any permit schedule Mkt_Sched

schedule Applies the access policy only at times defined in the specified schedule.

top

set policy [ global ] [ ... ] top

Example: The following command:

• defines a policy from the Trust zone to the Untrust zone

• assigns to the policy an ID value of 30

• places the policy at the top of the ACL

• uses any source or destination IP address

• permits any kind of service

set policy id 30 top from trust to untrust any any any permit

top Places the policy at the top of the access control list (ACL). The policy at the top of the ACL has the highest precedence.

traffic

set policy [ global ] [ ... ] traffic gbw number priority number mbw [ number ] dscp { disable | enable }

Example: The following command:

• defines a policy from the Trust zone to the Untrust zone

• uses any source or destination IP address

• permits the HTTP service

• guarantees bandwidth of 3,000 kilobits per second

• assigns a priority value of 2

• sets the maximum bandwidth to 10,000 kilobits per second

• enables DSCP

set policy from trust to untrust any any HTTP permit traffic gbw 3000 priority 2 mbw 10000 dscp enable

traffic gbw Defines the guaranteed bandwidth (GBW) in kilobits per second. The NetScreen device passes traffic below this threshold with the highest priority, without performing traffic shaping.

• priority number Specifies one of the eight traffic priority levels. When traffic falls between the guaranteed and maximum bandwidth settings, the NetScreen device passes traffic with higher priority first. Lower priority traffic is passed only if there is no higher priority traffic.

• mbw number Defines the maximum bandwidth (MBW) in kilobits per second. Traffic beyond this limit is throttled and dropped.

• dscp { enable | disable } Enables or disables a mapping of the NetScreen priority levels to the Differentiated Services Codepoint (DSCP) marking system.

tunnel

set policy [ global ] { ... } tunnel { l2tp name_str | vpn-dialup name_str | vpn-group id_num }

set policy [ global ] { ... } tunnel vpn name_str [ l2tp name_str | pair-policy pol_num ]

Example: The following command:

• encrypts traffic exchanged with the corporate headquarters (denoted by address book entry Headquarters)

• uses a VPN named To_HQ:

set policy from trust to untrust any Headquarters any tunnel vpn To_HQ

tunnel Encrypts outgoing IP packets, and decrypts incoming IP packets.

• vpn name_str [ l2tp name_str | pair-policy pol_num ] Identifies a VPN tunnel. For an IPSec VPN tunnel, specify vpn and the name of the VPN tunnel. For L2TP, specify vpn (with the name of the VPN tunnel) and l2tp (with the name of the L2TP tunnel).

• vpn-dialup name_str Identifies a VPN tunnel. For an incoming dialup VPN tunnel connection, specify vpn-dialup and the name of the dialup user or dialup group.

• vpn-group id_num Identifies a VPN group (id_num). A VPN group consists of multiple VPNs, which you can specify in a single policy.

• vpn-tunnel Identifies an active tunnel.

H.323 Example

The following example configures a NetScreen device to allow traffic between a private telephony endpoint host with an H.323 gatekeeper through a NetScreen device to telephony endpoint hosts on the public side.

Interfaces and Security Zones

1. set interface ethernet1 zone trust

2. set interface ethernet1 ip 10.10.1.1/24

3. set interface ethernet1 nat

4. set interface ethernet3 zone untrust

5. set interface ethernet3 ip 210.10.1.1/24

Addresses

6. set address trust IP_Phone1 10.10.1.2/32

7. set address trust gatekeeper 10.10.1.10/32

8. set address untrust IP_Phone2 200.20.1.2/32

Mapped IP Addresses

9. set interface ethernet3 mip 210.10.1.2 host 10.10.1.2

10. set interface ethernet3 mip 210.10.1.10 host 10.10.1.10

Routes

11. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr

12. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 201.22.3.2

Policies

13. set policy from trust to untrust IP_Phone1 IP_Phone2 h.323 permit

14. set policy from trust to untrust gatekeeper IP_Phone2 h.323 permit

15. set policy from untrust to trust IP_Phone2 mip(210.10.1.2) h.323 permit

16. set policy from untrust to trust IP_Phone2 mip(210.10.1.10) h.323 permit

Note: Steps 15 and 16 admit only the known peer IP_Phone2 to the two MIPs rather than any; keep inbound H.323 policies pinned to known peers in the same way.

17. save

This volume lists and describes NetScreen Command Line Interface (CLI) commands pppoe through zone.

Note: As you execute CLI commands using the syntax descriptions in this chapter, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the vsys command, which is available on a NetScreen-500 device, but not on a NetScreen-5xp device. Similarly, some command options are unavailable on certain models, as with the df-bit option of the vpn command. This option is available on a NetScreen-500, but not on a NetScreen-5xp.

pppoe

Description: Use the pppoe commands to configure PPPoE, or to display current PPPoE parameters.

Syntax

clear

clear [ cluster ] pppoe

exec

exec pppoe { connect | disconnect }

get

get pppoe [ configuration | statistics ]

set

set pppoe { ac name_str | authentication { CHAP | PAP | any } | auto-connect number | idle-interval number | interface [ name_str ] | ppp { lcp-echo-retries number | lcp-echo-timeout number } | service name_str | static-ip | username name_str password pswd_str }

unset

unset pppoe { ac | authentication { CHAP | PAP } | auto-connect | idle-interval | interface | ppp { lcp-echo-retries | lcp-echo-timeout } | service | static-ip | username }

Keywords and Variables

ac

set pppoe ac name_str

unset pppoe ac

ac Allows the interface to connect only to the specified AC (name_str).

authentication

set pppoe authentication { CHAP | PAP | any }

unset pppoe authentication { CHAP | PAP }

authentication Sets the authentication methods to CHAP, PAP, or any. (The any option gives preference to CHAP.) The default of authentication is any (both CHAP and PAP). To set authentication to CHAP only, first execute unset pppoe authentication PAP.

auto-connect

set pppoe auto-connect number

unset pppoe auto-connect

auto-connect Specifies the number of seconds that elapse before automatic re-initiation of a previously-closed connection occurs. Valid range is 0-10000. (0 to disable.)

cluster

clear cluster pppoe

cluster Propagates the clear operation to all other devices in a NSRP cluster.

configuration

get pppoe configuration

configuration Specifies the configuration options.

connect | disconnect

exec pppoe connect

connect Starts a PPPoE connection.

disconnect Takes down a PPPoE connection.

idle-interval

set pppoe idle-interval number

unset pppoe idle-interval

idle-interval Sets the idle timeout, which is the time elapsed (in minutes) before the NetScreen device terminates a tunnel due to inactivity. Specifying 0 turns off the idle timeout and the device never terminates the tunnel.

interface

set pppoe interface [ name_str ]

unset pppoe interface

interface Specifies the interface for PPPoE encapsulation.

ppp

set pppoe ppp { ... }

unset pppoe ppp { ... }

ppp Specifies

• lcp-echo-retries the number of unacknowledged Lcp Echo requests before the connection is terminated. Valid range is 1-30.

• lcp-echo-timeout the time that elapses between transmission of two Lcp Echo requests. Valid range is 1-1000 seconds.

service

set pppoe service name_str

unset pppoe service

service Allows only the specified service (name_str).

static-ip

set pppoe static-ip

unset pppoe static-ip

static-ip Specifies that your connection uses the IP address assigned to your device’s interface.

statistics

get pppoe statistics

statistics Specifies the statistics information.

username

set pppoe username name_str password pswd_str

Example: The following command sets the username to “Phred”, and Phred’s password to “!@%)&&”:

set pppoe username Phred password !@%)&&

username Sets the user name and password.

Defaults

The command is disabled by default. The default authentication method is any. The default idle timeout is 30 minutes. The default auto-connect is disabled. The default lcp-echo-timeout value is 180 seconds. The default retries is 10.

proxy-id

Description: Use the proxy-id commands to set the proxy-id parameter.

By default, the NetScreen device responds to policy or routing changes by generating IKE ID values in accordance with policies, routes, and existing NAT configurations (such as MIP and DIP). After execution of the set proxy-id manual-update command, the NetScreen device only updates the IKE ID values according to the policies.

Executing the unset proxy-id command instructs the NetScreen device to update the proxy-id in accordance with any new route change. This is useful when it is necessary to use a route to determine a tunnel interface.

Syntax

exec

exec proxy-id update

get

get proxy-id

set

set proxy-id manual-update

unset

unset proxy-id manual-update

Keywords and Variables

update

exec proxy-id update

update Instructs the NetScreen device to update the VPN proxy ID.

manual-update

set proxy-id manual-update

unset proxy-id manual-update

manual-update Instructs the NetScreen device to only update the VPN proxy ID explicitly, in response to the exec proxy-id update command.

Defaults

By default, the NetScreen device updates the proxy-ID setting explicitly.

reset

Description: Use the reset command to reboot the NetScreen device.

Syntax

reset [ no-prompt | save-config { no | yes } [ no-prompt ] ]

no-prompt

reset no-prompt

no-prompt Indicates no confirmation.

save-config

reset save-config { no | yes } [ no-prompt ]

save-config

• no Directs the NetScreen device to not save the current configuration before resetting.

• yes Directs the NetScreen device to save the current configuration before resetting.

• no-prompt Does not display a confirmation prompt.

route

Description: Use the route commands to display entries in the static route table.

The get route command displays:

• The IP address, netmask, interface, gateway, protocol, preference, metric, and owner VSYS

• The protocol value can be any of the following:

– C (Connected)

– S (Static)

– A (Auto Exported)

– I (Imported; that is, route imported from another virtual router)

– iB (internal BGP)

– eB (external BGP)

– O (OSPF)

– E1 (OSPF external type 1)

– E2 (OSPF external type 2)

Use the get route command to find out if the NetScreen device is routing a packet with a particular IP address to the correct interface.

Syntax

get

get route [ id id_num | ip ip_addr | summary ]

Keywords and Variables

id

get route id id_num

Example: The following command displays the route information for a route with ID number 477:

get route id 477

id Displays a specific route for the ID number id_num.

ip

get route ip ip_addr

Example: The following command displays the route information to a machine with the IP address 172.16.60.1:

get route ip 172.16.60.1

ip Displays a specific route for the target IP address ip_addr.

summary

get route summary

summary Displays summary information, including number of routes, for each protocol.

Defaults

The get route command displays all entries in the route table unless a particular target IP address is specified.

sa

Description: Use the sa commands to clear the IKE value for the specified Security Association (SA).

Syntax

clear

clear [ cluster ] sa id_num

get

get sa [ id id_num | [ active | inactive ] stat ]

Keywords and Variables

id_num

clear [ cluster ] sa id_num

id_num Specifies the SA ID number.

cluster

clear cluster sa id_num

cluster Propagates the clear operation to all other devices in a NSRP cluster.

id

get sa id id_num

id Displays a specific IPSec Security Association (SA) entry with the ID number.

stat

get sa [ ... ] stat

stat Shows the SA statistics for the device. Displays these statistics for all incoming or outgoing SA pairs:

• Fragment: The total number of fragmented incoming and outgoing packets.

• Auth-fail: The total number of packets for which authentication has failed.

• Other: The total number of miscellaneous internal error conditions other than those listed in the auth-fail category.

• Total Bytes: The amount of active incoming and outgoing traffic

sa-filter

Description: Use the sa-filter commands to create or display filters for the display of IKE gateway debug output. The filters limit the output of a debug trace according to gateway IP addresses.

Syntax

set

set sa-filter ip_addr

unset

unset sa-filter ip_addr

Keywords and Variables

ip_addr

Example: The following command sets a filter that allows display of gateway debug information where the gateway IP address is 172.16.10.10:

set sa-filter 172.16.10.10

ip_addr The gateway IP address.

sa-statistics

Description: Use the sa-statistics command to clear all statistical information (such as number of fragmentations and total bytes through the tunnel) in a Security Association (SA) for an AutoKey IKE VPN tunnel.

Syntax

clear

clear [ cluster ] sa-statistics [ id id_num ]

Keywords and Variables

cluster

clear cluster sa-statistics id id_num

cluster Propagates the clear operation to all other devices in a NSRP cluster.

id

clear [ cluster ] sa-statistics id id_num

Example: The following command clears the SA statistics for SA 2:

clear sa-statistics id 2

id id_num Clears statistics in a particular Security Association.

save

Description: Use the save commands to save the NetScreen device configuration settings either to the flash card memory or to a Trivial File Transfer Protocol (TFTP) server.

Syntax

save

save

save config

save config [ all-virtual-system | from | to

{ flash | slot1 filename | tftp ip_addr filename }

{ [ [ merge ] from interface ] to

{ flash [ from interface ] | slot1 filename | tftp ip_addr filename [ from interface ] }

} ]

save image-key

save image-key tftp ip_addr filename from interface

save software

save software from { flash | slot1 filename | tftp ip_addr filename }

to

{ flash | slot1 filename | tftp ip_addr filename }

[ from interface ]

Keywords and Variables

all-virtual-system

save config all-virtual-system

all-virtual-system Saves all virtual system configurations.

flash

save config from flash to { ... } [ from interface ]

save software from flash to { ... } [ from interface ]

Example: The following command saves the current configuration from flash memory to a file (output.txt) on a TFTP server (172.16.10.10):

save config from flash to tftp 172.16.10.10 output.txt

flash Saves from (or to) flash memory. The from interface option specifies the source interface.

from | to

save config from { ... } to { ... }

save software from { ... } to { ... }

Example: The following command saves the current configuration from flash memory to a file (output.txt) on a TFTP server (IP address 172.16.10.10):

save config from flash to tftp 172.16.10.10 output.txt

from Saves from the specified source.

to Saves to the specified source.

merge

save config from { ... } merge [ from interface ]

Example: The following command merges the current configuration with the configuration in a file (input.txt) on a TFTP server (IP address 172.16.10.10):

save config from tftp 172.16.10.10 input.txt merge

merge Merges the saved configuration with the current configuration. The from interface option specifies the source interface.

slot1

save config from slot1 to { ... }

save software from slot1 to { ... }

Example: The following command saves the current configuration from a file (input.txt) in the slot1 memory card to flash memory:

save config from slot1 input.txt to flash

slot1 Saves from (or to) a file in the memory card slot.

tftp

save config from tftp filename to { ... }

save image-key tftp ip_addr filename from interface

save software from tftp filename to { ... }

Example: The following command loads an authentication key on a FIPS-compliant NetScreen device from a file named nskey.cer on a TFTP server at 10.10.1.2:

save image-key tftp 10.10.1.2 nskey.cer

tftp Saves from (or to) a file on a TFTP server.

scheduler

Description: Use the scheduler commands to create or modify a schedule, or to display schedule configuration. NetScreen devices use schedules to enforce access policies at specified times or intervals.

Syntax

get

get scheduler [ name name_str | once | recurrent ]

set

set scheduler name_str [ once start date_str time_str stop date_str time_str [ comment string ] | recurrent

{ monday | tuesday | wednesday | thursday | friday | saturday | sunday } start time_str stop time_str

[ start time_str stop time_str ] [ comment string ]

]

unset

unset scheduler name_str

Keywords and Variables

name

get scheduler name name_str

name name_str Defines a name for the schedule.

once

get scheduler once

set scheduler name_str once start date_str time_str stop date_str time_str [ ... ]

once Apply the schedule once, starting on the day, month, year, hour, and minute defined, and stopping on the month, day, year, hour, and minute defined.

recurrent

get scheduler recurrent

set scheduler name_str recurrent { ... } [ ... ]

recurrent Directs the NetScreen device to repeat the schedule according to the defined day of the week, hour, and minutes.

• monday Repeats every Monday.

• tuesday Repeats every Tuesday.

• wednesday Repeats every Wednesday.

• thursday Repeats every Thursday.

• friday Repeats every Friday.

• saturday Repeats every Saturday.

• sunday Repeats every Sunday.

- start Defines when to start the schedule.

- stop Defines when to stop the schedule.

- comment Defines a descriptive character string.

start | stop

set scheduler name_str once start date_str time_str stop date_str time_str [ ... ]

set scheduler name_str recurrent { ... } start time_str stop time_str [ ... ]

Examples: The following command creates a schedule definition named “mytime” which starts on 1/10/2003 at 11:00 AM and ends on 2/12/2003 at 7:00 PM:

set scheduler mytime once start 1/10/2003 11:00 stop 2/12/2003 19:00

The following command creates a schedule definition named “weekend” which starts at 8:00 AM and ends at 5:00 PM and repeats every Saturday and Sunday:

set scheduler weekend recurrent saturday start 8:00 stop 17:00

set scheduler weekend recurrent sunday start 8:00 stop 17:00

start | stop Defines the day, month, and year (date_str) in USA format (mm/dd/yyyy).

Defines the hour and minutes (time_str) in the 24-hour clock format (hh:mm).
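An added example (not code from this guide or from the NetScreen device) that parses the once and recurrent forms shown above and reports which schedules, and so which time-bound policies, are active at a given moment; the nightshift schedule and the comment string are constructed inputs that exercise the optional second start/stop window and the comment keyword.

```python
"""Evaluate ScreenOS 'set scheduler' definitions offline.

Added example, not code from this guide or the NetScreen device. Dates use the
guide's USA format (mm/dd/yyyy), times the 24-hour hh:mm format, and weekday
names match the set scheduler recurrent keywords.
"""
from datetime import datetime
import shlex

DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")

# Constructed sample configuration: the guide's two schedules plus a constructed
# one that uses the optional second start/stop window and a comment.
SAMPLE_CONFIG = """
set scheduler mytime once start 1/10/2003 11:00 stop 2/12/2003 19:00 comment "project window"
set scheduler weekend recurrent saturday start 8:00 stop 17:00
set scheduler weekend recurrent sunday start 8:00 stop 17:00
set scheduler nightshift recurrent friday start 0:00 stop 6:00 start 22:00 stop 23:59
"""


def _parse_time(text):
    return datetime.strptime(text, "%H:%M").time()


def parse_scheduler(config_text):
    """Map name -> {"once": (start, stop) or None,
                    "recurrent": {weekday: [(start_time, stop_time), ...]},
                    "comment": str or None}."""
    schedules = {}
    for line in config_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["set", "scheduler"]:
            continue                      # not a scheduler command; ignore it
        name, kind, rest = tok[2], tok[3], tok[4:]
        sched = schedules.setdefault(name, {"once": None, "recurrent": {}, "comment": None})
        if "comment" in rest:             # [ comment string ] is always last
            at = rest.index("comment")
            sched["comment"] = " ".join(rest[at + 1:])
            rest = rest[:at]
        if kind == "once":
            # once start date_str time_str stop date_str time_str
            if len(rest) != 6 or rest[0] != "start" or rest[3] != "stop":
                raise ValueError("malformed once schedule: %r" % line)
            fmt = "%m/%d/%Y %H:%M"
            sched["once"] = (datetime.strptime("%s %s" % (rest[1], rest[2]), fmt),
                             datetime.strptime("%s %s" % (rest[4], rest[5]), fmt))
        elif kind == "recurrent":
            # recurrent day start time_str stop time_str [ start time_str stop time_str ]
            day = DAYS.index(rest[0])     # same numbering as datetime.weekday()
            win = rest[1:]
            if len(win) not in (4, 8) or win[0::2] != ["start", "stop"] * (len(win) // 4):
                raise ValueError("malformed recurrent schedule: %r" % line)
            for i in range(0, len(win), 4):
                sched["recurrent"].setdefault(day, []).append(
                    (_parse_time(win[i + 1]), _parse_time(win[i + 3])))
        else:
            raise ValueError("unknown schedule type %r" % kind)
    return schedules


def is_active(sched, when):
    """True if the schedule covers datetime 'when' (boundaries inclusive)."""
    once = sched["once"]
    if once is not None and once[0] <= when <= once[1]:
        return True
    return any(start <= when.time() <= stop
               for start, stop in sched["recurrent"].get(when.weekday(), []))


def active_schedules(config_text, when_str):
    """Sorted names of the schedules active at when_str ('mm/dd/yyyy hh:mm')."""
    when = datetime.strptime(when_str, "%m/%d/%Y %H:%M")
    return sorted(name for name, s in parse_scheduler(config_text).items()
                  if is_active(s, when))
```

A policy that references a schedule only enforces while active_schedules reports it, so the same check is a quick way to confirm that a time-restricted rule is really closed outside its window.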

scs

Description: Use the scs commands to configure the Secure Command Shell (SCS) server task.

The SCS server task is an SSH-compatible server application that resides on the NetScreen device. When you enable the SCS server task, SSH client applications can manage the device through a secure connection. (The look and feel of an SSH client session is identical to a Telnet session.)

Syntax

exec

exec scs tftp pka-rsa [ username name_str ] file-name filename ip-addr ip_addr [ from interface ]

get

get scs [ host-key | pka-rsa [ all | [ username name_str ] [ index number ] ] ]

set

set scs { enable | key-gen-time number | pka-rsa [ username name_str ] key number1 number2 number3 }

unset

unset scs { enable | key-gen-time | pka-rsa { all | username name_str { all | index id_num } | } }

Keywords and Variables

enable

set scs enable

unset scs enable

enable Enables the Secure Command Shell (SCS) task.

host-key

get scs host-key

host-key Shows the SCS host key (RSA public key) for the active root/VSYS, including the fingerprint of the host key.

key-gen-time

set scs key-gen-time number

unset scs key-gen-time

key-gen-time Specifies the SCS server key regenerating time (in minutes).

pka-rsa

get scs pka-rsa [ ... ]

set scs pka-rsa [ ... ]

unset scs pka-rsa { ... }

Example: The following command binds a hypothetical key to a user named “chris”:

set scs pka-rsa username chris key 512 65537 687527248844895803321372461558279681375742271564397062612879336559999265828908901911929671811531188735907155167907195605409339193580111611537652715077837

The following command:

• loads a key contained in a file named “key_file”

• takes the file from a server at IP address 172.16.10.11

• binds the key to a user named “chris”

exec scs tftp pka-rsa username chris file-name key_file ip-addr 172.16.10.11

pka-rsa Public Key Authentication (PKA) using RSA.

• all Shows all PKA public keys bound to all users. You must be the root user to execute this option; admin users and read-only users cannot execute this command.

• index number Allows the admin user and read-only user to view the details of a key bound to the active admin. It also allows the root user to view the details of a key bound to the specified user.

• key number1 number2 number3 Binds a PKA key to the current user. The number1, number2, and number3 values represent the key length, the exponent, and the modulus, respectively. Read-only users cannot execute this option.

• username name_str Specifies the name of the user to bind the PKA key. file-name filename Specifies the file containing the key to bind to the user. For the get command, username displays all PKA public keys bound to a specified user name_str. Admin users and read-only users can execute this option only if name_str identifies the current admin user or read-only user.

unset scs pka-rsa

The unset scs pka-rsa command features are as follows:

unset scs pka-rsa Unsets Public Key Authentication (PKA) using RSA.

• all Deletes all keys bound to all users in the active root/VSYS. Admin users and read-only users cannot execute this option.

• username name_str Unbinds and deletes all keys bound to the specified user, but only if name_str is the name of the current admin user. Read-only users cannot execute this option.

• The index option unbinds and deletes the key identified by id_num. This option allows the root admin user to unbind a key for any user (identified by user name_str). Read-only users cannot execute this option.

Defaults

This feature is disabled by default.

The default key generation time is 60 minutes.

service

Description: Use the service commands to create custom services for use in Access Policies, or to display the current entries in the service list.

Syntax

get

get service [ name_str group [ name_str ] | pre-defined | user ]

set

set service name_str [ + { ptcl_num | tcp | udp }

src number-number dst number-number | protocol { ptcl_num | tcp | udp }

[ src-port number-number ] [ dst-port number-number ]

[ timeout { number | never } ] [ group [ email | info | remote | security | other ] ] |

group { email | info | remote | security | other }

{ ptcl_num | tcp | udp src number-number dst number-number

} timeout { number | never } clear ]

unset

unset service [ name_str ] [ timeout ]

Keywords and Variables

name_str

get service name_str

set service name_str [ ... ]

unset service name_str

name_str Defines a name for the service.

+

set service name_str + { ... }

+ Appends a service entry to the custom services list.

clear

set service name_str clear

Example: The following command clears all service entries named “test”:

set service test clear

clear Clears all service entries.

group

set service name_str group { ... }

Example: The following commands:

• create a service entry named test2

• categorize the service for remote access

• specify that the service is TCP, with a port number 10115

set service test2 group remote tcp src 0-65535 dst 10115-10115

set service test2 + udp src 0-65535 dst 10115-10115

group Assigns the service entry to one of the following groups, or categories:

• email Services used for sending and receiving e-mail; for example, IMAP and POP 3.

• info Services used for seeking and retrieving information; for example, HTTP and DNS.

• remote Services used for remote access; for example, FTP or RLOGIN.

• security Services used for security-related traffic such as encryption, decryption, and authentication; for example, HTTPS and PPTP.

• other Services used for traffic other than that covered by the other four groups; for example, SNMP for network management.

pre-defined

get service pre-defined

pre-defined Displays all the pre-defined services.

protocol

set service name_str protocol { ... } [ ... ]

Example: The following command sets a service named “ipsec” that uses protocol 50:

set service ipsec protocol 50

protocol Defines the service by IP protocol.

Defines a protocol for the specified service.

• ptcl_num specifies the protocol by protocol number.

• tcp specifies a TCP-based service.

• udp specifies a UDP-based service.

src | dst

set service name_str + { ... } src number-number dst number-number

dst Defines a range of destination port numbers that receive the service request. For example, 300 to 400.

src Defines a range of source port numbers valid for the service. For example, 100 to 250.

src-port | dst-port

set service name_str protocol { ... } [ src-port number-number ] [ dst-port number-number ]

Example: The following command sets a service named “test1” that uses destination tcp port 1001:

set service test1 protocol tcp src-port 0-65535 dst-port 1001-1001

src-port Defines a range of source port numbers valid for the service and protocol.

dst-port Defines a range of destination port numbers valid for the service and protocol.

timeout

set service name_str timeout { number | never }

unset service name_str timeout

Example: The following command sets a service named “telnet” with a timeout value of 10 minutes:

set service telnet timeout 10

timeout Defines the session timeout value for the service in minutes, or as “never.”

Note: The maximum timeout value for TCP connections and UDP connections is 2160 minutes.

user

get service user

user Displays all user-defined services.

Defaults

The default timeout for TCP connections is 30 minutes.

The default timeout for UDP connections is 1 minute.

Using the get service command without any arguments displays all pre-defined, user-defined, and service group information in the service book.

session

Description: Use the session commands to clear or display entries in the NetScreen device’s session table.

The kind of session information listed by the get session command depends upon the device model. For example, on any NetScreen device with a management module in slot 1, the get session command lists currently active sessions on that module. Such sessions include management, log, and other administrative traffic. On any NetScreen device with one or more Secure Port Modules (SPMs), the get session command lists sessions that are active on the ASIC for each module. If a session crosses two ASICs, it counts as two sessions, one for each ASIC.

Syntax

clear

clear [ cluster ] session [ all | id id_num | [ src-ip ip_addr [ netmask mask ] ]

[ dst-ip ip_addr [ netmask mask ] ] [ src-mac mac_addr ] [ dst-mac mac_addr ]

[ protocol ptcl_num [ ptcl_num ] ] [ src-port port_num [ port_num ] ]

[ dst-port port_num [ port_num ] ] [ vsd-id id_num ]

[ hardware { 0 | 1 } ] ]

get

get session [ id id_num | fragment | [ tunnel ]

[ src-ip ip_addr [ netmask mask ] ] [ dst-ip ip_addr [ netmask mask ] ]

[ src-mac mac_addr ] [ dst-mac mac_addr ] [ protocol ptcl_num [ ptcl_num ] ]

[ src-port port_num [ port_num ] ] [ dst-port port_num [ port_num ] ]

]

Keywords and Variables

all

clear [ cluster ] session all

all Specifies all sessions.

cluster

clear cluster session [ ... ]

cluster Propagates the clear operation to all other devices in a NSRP cluster.

hardware

get session [ ... ] hardware { 0 | 1 }

Example: The following command clears all sessions belonging to ASIC chip 1, and belonging to VSD group 2001, from the host at IP address 172.16.20.12:

get session src-ip 172.16.10.12 vsd-id 2001 hardware 1

hardware Includes only hardware-related session information in the display.

• 0 Displays ASIC 0 sessions.

• 1 Displays ASIC 1 sessions.

This option is for NetScreen-5000 Series devices only.

id

clear [ cluster ] session id id_num

get session id id_num

Example: The following command displays the session table entry for the session with ID 5116:

get session id 5116

id id_num Identifies a specific session with Session Identification number id_num.

src-ip | dst-ip

clear [ cluster ] session [ src-ip ip_addr [ netmask mask ] ] [ dst-ip ip_addr [ netmask mask ] ] [ ... ]

get session [ ... ] [ src-ip ip_addr [ netmask mask ] ] [ dst-ip ip_addr [ netmask mask ] ] [ ... ]

Example: The following command displays all the entries in the session table for a specific source IP address:

get session src-ip 172.16.10.92

src-ip ip_addr Identifies all sessions initiated by packets containing source IP address ip_addr. For example, ip_addr could be the source IP address in the first TCP SYN packet.

dst-ip ip_addr Identifies all sessions initiated by packets containing destination IP address ip_addr.

src-mac | dst-mac

clear [ cluster ] session [ ... ] [ dst-ip ip_addr [ netmask mask ] ] [ src-mac mac_addr ] [ dst-mac mac_addr ]

get session [ ... ] [ src-ip ip_addr [ netmask mask ] ] [ dst-ip ip_addr [ netmask mask ] ]

src-mac Identifies all sessions initiated by packets containing source MAC address mac_addr.

dst-mac Identifies all sessions initiated by packets containing destination MAC address mac_addr.

protocol

clear [ cluster ] session [ ... ] protocol ptcl_num [ ptcl_num ] [ ... ]

get session [ ... ] protocol ptcl_num [ ptcl_num ] [ ... ]

protocol Identifies all sessions that use protocol ptcl_num. You can also specify any protocol within a range (ptcl_num ptcl_num).

src-port | dst-port

clear [ cluster ] session [ ... ] [ src-port port_num [ port_num ] ] [ dst-port port_num [ port_num ] ] [ ... ]

get session [ ... ] [ src-port port_num [ port_num ] ] [ dst-port port_num [ port_num ] ]

Example: The following command displays all the entries in the session table for protocol 5 and for source ports 2 through 5:

get session protocol 5 src-port 2 5

src-port Identifies all sessions initiated by packets that contain the layer 4 source port port_num in the layer 4 protocol header. You can also specify any layer 4 destination port within a range (port_num port_num).

dst-port Identifies all sessions initiated by packets that contain the layer 4 destination port port_num in the layer 4 protocol header. You can also specify any layer 4 destination port within a range (port_num port_num).

tunnel

get session tunnel [ ... ]

vsd-id

clear [ cluster ] session [ ... ] vsd-id id_num

get session [ ... ] vsd-id id_num

Example: The following command clears all sessions belonging to VSD group 2001, and initiated from the host at IP address 172.16.10.12:

clear session src-ip 172.16.10.12 vsd-id 2001

tunnel Directs the NetScreen device to display tunnel sessions.

vsd-id id_num Identifies all sessions that belong to the VSD group id_num.

snmp

Description: Use the snmp commands to configure the NetScreen device for Simple Network Management Protocol (SNMP), to gather statistical information from the NetScreen device, and receive notification when significant events occur.

Syntax

get

get snmp [ auth-trap | community name_str | settings | vpn ]

set

set snmp { auth-trap enable | community name_str
{ read-only | read-write } [ trap-off | trap-on [ traffic ] ] |
contact name_str | host comm_name ip_addr | location string | name name_str | port { listen [ port_num ] | trap [ port_num ] } | vpn }
unset

unset snmp { auth-trap enable | community name_str | contact | host comm_name ip_addr | location | name | port { listen [ port_num ] | trap [ port_num ] } | vpn }
Keywords and Variables

auth-trap enable

get snmp auth-trap

set snmp auth-trap enable

unset snmp auth-trap enable

community

get snmp community name_str

set snmp community name_str { ... }

unset snmp community name_str

Examples: The following command:

• configures a community named “public”

• allows hosts to read MIB data from the SNMP agent

• enables SNMP traps for the community

set snmp community public read-only trap-on

The following command configures an SNMP host with IP address 10.20.25.30 for the community named “public”:

auth-trap enable Enables Simple Network Management Protocol (SNMP) authentication traps.

community Defines the name for the SNMP community. It supports maximum 3 communities in all products.

• read-only Defines the permission for the community as “read-only.”

• read-write Defines the permission for the community as “read-write.”

- trap-off Disables SNMP traps for the community.

- trap-on Enables SNMP traps for the community. The traffic switch includes traffic alarms as SNMP traps.
set snmp host public 10.20.25.30

contact

set snmp contact name_str

unset snmp contact

host

set snmp host comm_name ip_addr

unset snmp host comm_name ip_addr

Example: The following commands:

• configure a community named “netscreen”

• specify read and write permission

• allow the NetScreen device to send traps to all hosts in the community

• assign the community to an SNMP host with IP address 10.40.40.15

set snmp community netscreen read-write trap-on

set snmp host netscreen 10.40.40.15

location

set snmp location string

unset snmp location

contact Defines the system contact.

host Defines the community name string and the IP address of the SNMP management host.

location Defines the physical location of the system.
name

set snmp name name_str

unset snmp name

port

set snmp port { ... }

unset snmp port { ... }

settings

get snmp settings

vpn

set snmp vpn

unset snmp vpn

name Defines the name of the system.

port Specifies the SNMP listen and trap port ( listen | trap ).

settings Displays the name of the contact person, and the name and physical location of the NetScreen device.

vpn Enables SNMP traffic through a VPN tunnel (if one exists) from the Trust zone to another zone.
socket

Description: Use the socket commands to display socket information on a NetScreen device.

Syntax

get

get socket [ id id_num ]

Keywords and Variables

id

get socket id id_num

Example: The following command displays the information concerning socket 3001:

get socket id 3001

id Displays the information for an identified socket (id_num).
ssl

Description: Use the ssl commands to configure a Secure Sockets Layer (SSL) connection, or to display the SSL configuration on a NetScreen device.

Syntax

get

get ssl [ ca-list | cert-list ]

set

set ssl { cert number | enable | encrypt
{ 3des | des } sha-1 | { rc4 | rc4-40 } md5 |
port port_num }

unset

unset ssl { cert | enable | encrypt | port }
Keywords and Variables

ca-list | cert-list

get ssl ca-list

get ssl cert-list

Example: The following command displays the SSL certificate list:

get ssl cert-list

cert

set ssl cert number

unset ssl cert

enable

set ssl enable

unset ssl enable

ca-list | cert-list Displays currently configured Certificate Authorities (ca-list) or currently available certificates (cert-list).

cert Specifies that the named certificate is required.

enable Turns on SSL.
encrypt

set ssl encrypt { 3des | des } sha-1 | { rc4 | rc4-40 } md5

unset ssl encrypt

Example: The following command specifies triple-DES encryption with SHA-1 authentication hashing:

set ssl encrypt 3des sha-1

port

set ssl port port_num

unset ssl port

Example: The following command changes the SSL port to 11533:

set ssl port 11533

Defaults

The default SSL port is 443.

encrypt Enables encryption over the SSL connection.

• 3des Sets the 3DES security level.

• des Sets the DES security level.

• rc4 md5 Sets the RC4 MD5 security level.

• rc4-40 md5 Sets the RC4-40 MD5 security level.

port Specifies the SSL port number.
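The snmp and ssl keywords above each expose a choice that decides how exposed the management plane is: the community name and its read-only or read-write permission, whether traps and auth-trap are on, and which SSL cipher is selected. The following Python is an added example, not code from the guide or from NetScreen: it tokenizes set snmp and set ssl lines in the forms documented above and flags the weak choices (a guessable community name, read-write access, traps off, DES/RC4/MD5 ciphers, no auth-trap). SAMPLE_CONFIG, GUESSABLE_COMMUNITIES, WEAK_CIPHER_TOKENS and the function names are this example's own constructs.

```python
"""Audit `set snmp` / `set ssl` command lines for weak settings.
Added example; not from the NetScreen guide or ScreenOS."""
import shlex
from typing import List, Tuple

# Constructed sample configuration for this example (not a real device).
SAMPLE_CONFIG = """\
set snmp community public read-write trap-on
set snmp community netscreen read-only trap-off
set snmp host public 10.20.25.30
set snmp host netscreen 10.40.40.15
set snmp auth-trap enable
set ssl enable
set ssl encrypt rc4-40 md5
set ssl port 443
"""

# Community names that are vendor defaults or documentation examples
# (constructed list; extend it with whatever your own baseline forbids).
GUESSABLE_COMMUNITIES = frozenset({"public", "private", "netscreen"})

# `set ssl encrypt` tokens that select DES, RC4 or MD5. Of the cipher menu
# the command offers, only "3des sha-1" is left unflagged here.
WEAK_CIPHER_TOKENS = frozenset({"des", "rc4", "rc4-40", "md5"})

Finding = Tuple[str, str]  # (command family, description)


def parse_set_lines(config: str) -> List[List[str]]:
    """Tokenize every `set ...` line; shlex keeps quoted strings intact."""
    commands: List[List[str]] = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            commands.append(shlex.split(line))
    return commands


def audit_snmp(tokens: List[str], findings: List[Finding]) -> None:
    """set snmp community name_str { read-only | read-write } [ trap-off | trap-on ]"""
    if tokens[:3] == ["set", "snmp", "community"] and len(tokens) >= 4:
        name, options = tokens[3], tokens[4:]
        if name.lower() in GUESSABLE_COMMUNITIES:
            findings.append(("snmp", f"community '{name}' uses a guessable name"))
        if "read-write" in options:
            findings.append(("snmp", f"community '{name}' grants read-write access"))
        if "trap-off" in options:
            findings.append(("snmp", f"community '{name}' has traps disabled"))


def audit_ssl(tokens: List[str], findings: List[Finding]) -> None:
    """set ssl encrypt { 3des | des } sha-1 | { rc4 | rc4-40 } md5"""
    if tokens[:3] == ["set", "ssl", "encrypt"]:
        weak = sorted(set(tokens[3:]) & WEAK_CIPHER_TOKENS)
        if weak:
            findings.append(("ssl", "encrypt selects weak algorithm(s): " + ", ".join(weak)))


def audit(config: str) -> List[Finding]:
    """Return every finding for the configuration text, in file order."""
    findings: List[Finding] = []
    commands = parse_set_lines(config)
    for tokens in commands:
        audit_snmp(tokens, findings)
        audit_ssl(tokens, findings)
    # Authentication traps are the device's own signal that requests with a
    # wrong community string arrived; their absence is a finding too.
    if ["set", "snmp", "auth-trap", "enable"] not in commands:
        findings.append(("snmp", "auth-trap is not enabled"))
    return findings


if __name__ == "__main__":
    for family, text in audit(SAMPLE_CONFIG):
        print(f"[{family}] {text}")
```

Run against the sample it reports the two community problems of "public", the guessable name and disabled traps of "netscreen", and the RC4-40/MD5 cipher choice; a configuration that uses a random community name with read-only access, trap-on, auth-trap and 3des sha-1 produces no findings.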

sys-clock

Description: Use the sys-clock command to display information on the system clock.

Syntax

get

get sys_clock

Keywords and Variables

None.
syslog

Description: Use the syslog commands to configure the NetScreen device to send traffic and event messages to the Syslog host, or to display the current Syslog configuration.

Syntax

get

get syslog [ config | enable | port | traffic | VPN ]

set

set syslog { config { name_str | ip_addr }
{ AUTH/SEC | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
{ AUTH/SEC | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 } |
enable | port port_num | traffic | VPN }

Note: The Syslog host must be enabled before you can enable Syslog.
unset

unset syslog { string | config | enable | hostname | port | traffic | VPN }

Keywords and Variables

config

get syslog config

set syslog config { name_str | ip_addr } { ... }

unset syslog config

AUTH/SEC | local0…7

set syslog config { name_str | ip_addr } { AUTH/SEC | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }
{ AUTH/SEC | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 }

config Defines the configuration settings for the Syslog utility. The { name_str | ip_addr } parameters define the name or the IP address of the Syslog host device.

AUTH/SEC | local0…7 Defines the security facility level and the regular facility level. The security facility classifies and sends messages to the Syslog host for security-related actions such as attacks. The regular facility classifies and sends messages for events unrelated to security, such as user logins and logouts, and system status reports.
Example: The following command sets the Syslog host configuration to report all logs:

set syslog config 172.16.20.249 local0 local1

enable

get syslog enable

set syslog enable

unset syslog enable

traffic

get syslog traffic

set syslog traffic

unset syslog traffic

port

get syslog port

set syslog port port_num

unset syslog port

Example: The following command changes the Syslog port number to 911:

set syslog port 911

enable Enables the NetScreen device to send messages to the Syslog host.

traffic Enables the NetScreen device to send traffic logs to the Syslog host.

port Defines the port number on the Syslog host that receives the User Datagram Protocol (UDP) packets from the NetScreen device.
VPN

get syslog VPN

set syslog VPN

unset syslog VPN

Defaults

This feature is disabled by default. The default Syslog port number is 514, and the default WebTrends port number is 514.

VPN Allows the NetScreen device to send Syslog traffic through a VPN tunnel to the Syslog server. By default, the NetScreen device sends syslog traffic through the Untrusted interface. Executing the VPN option directs the device to send syslog traffic through the Trusted interface. The device uses a security policy to secure this traffic. If the policy specifies encryption, the device encrypts the traffic according to the policy’s VPN configuration before transmission. Executing the unset syslog VPN command resets the device to the default behavior.
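The set syslog config command above assigns one facility to security events and another to regular events, and the Defaults note gives the UDP port. The following Python is an added example, not from the guide or from ScreenOS: it shows the collector side of that choice, decoding the RFC 3164 PRI prefix (PRI = facility × 8 + severity) and splitting incoming lines by the two configured facilities, keeping unparseable lines rather than dropping them. The lines in SAMPLE_LINES are constructed placeholders with generic text; the numeric code the device emits for the AUTH/SEC keyword is not stated on this page, so route_by_facility also accepts a raw facility number.

```python
"""Split collector-side syslog lines by the two facilities a NetScreen
device is configured with. Added example; not ScreenOS code."""
import re
from typing import Dict, List, Optional, Tuple, Union

# RFC 3164 facility codes. The guide's AUTH/SEC keyword is a device-side
# label; confirm the code it produces from a capture and pass the int.
FACILITY_CODES: Dict[str, int] = {"auth": 4, "authpriv": 10}
FACILITY_CODES.update({f"local{i}": 16 + i for i in range(8)})  # local0..7 = 16..23

SEVERITY_NAMES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)

Entry = Tuple[str, str]  # (severity name, message)


def decode_pri(line: str) -> Optional[Tuple[int, int, str]]:
    """Return (facility, severity, message) from a '<PRI>message' line.

    PRI = facility * 8 + severity, so integer division and remainder recover
    the two fields. None means the line carries no valid PRI header."""
    match = _PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > 191:  # 23 * 8 + 7 is the largest legal value
        return None
    return pri // 8, pri % 8, match.group(2)


def _facility_code(facility: Union[str, int]) -> int:
    return facility if isinstance(facility, int) else FACILITY_CODES[facility]


def route_by_facility(lines: List[str], security_facility: Union[str, int],
                      regular_facility: Union[str, int]) -> Dict[str, list]:
    """Bucket lines into security / regular / other / malformed.

    The first two buckets correspond to the two facilities given to
    `set syslog config`; `other` catches messages from any other source
    sharing the collector; `malformed` keeps lines without a usable PRI."""
    sec = _facility_code(security_facility)
    reg = _facility_code(regular_facility)
    if sec == reg:
        # With one facility for both classes the collector cannot tell them apart.
        raise ValueError("security and regular facilities must differ to be separable")
    buckets: Dict[str, list] = {"security": [], "regular": [], "other": [], "malformed": []}
    for line in lines:
        decoded = decode_pri(line)
        if decoded is None:
            buckets["malformed"].append(line)
            continue
        facility, severity, message = decoded
        entry: Entry = (SEVERITY_NAMES[severity], message)
        if facility == sec:
            buckets["security"].append(entry)
        elif facility == reg:
            buckets["regular"].append(entry)
        else:
            buckets["other"].append(entry)
    return buckets


# Constructed sample lines, as a collector would see them after
# `set syslog config 172.16.20.249 local0 local1` (local0 = security).
SAMPLE_LINES = [
    "<132>constructed sample: security facility, warning severity",   # 16*8+4
    "<134>constructed sample: security facility, info severity",      # 16*8+6
    "<141>constructed sample: regular facility, notice severity",     # 17*8+5
    "<14>constructed sample: user facility from some other host",     # 1*8+6
    "constructed sample: line with no PRI header at all",
]

if __name__ == "__main__":
    for name, entries in route_by_facility(SAMPLE_LINES, "local0", "local1").items():
        print(name, entries)
```

Because the device sends these as plain UDP datagrams unless the VPN option above is used, the facility value is the only routing key the collector can trust, which is why the example refuses a configuration that assigns the same facility to both classes.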

system

Description: Use the system command to display general system information.

Syntax

get

get system

Keywords and Variables

None.
tech-support

Description: Use the tech-support command to display system information for troubleshooting the NetScreen device.

Syntax

get

get tech-support

Keywords and Variables

None.
timer

Description: Use the timer commands to display timer settings, or to configure the NetScreen device to automatically execute management or diagnosis at a specified time.

All timer settings remain in the configuration script even after the specified time has expired.

Syntax

get

get timer

set

set timer date_str time_str action reset

unset

unset timer id_num
Keywords and Variables

date_str | time_str

set timer date_str time_str action reset

unset timer id_num

action

set timer date_str time_str action reset

reset

set timer date_str time_str action reset

Example: The following command configures NetScreen to reset at a given time and date:

set timer 1/31/2000 19:00 action reset

date_str Specifies the date when the NetScreen device executes the defined action. Date is in mm/dd/yyyy format.

time_str Specifies the time when the NetScreen device executes the defined action. Time is in hh:mm format.

id_num Identifies the specific action by its ID number in the list of timer settings generated by the set timer command.

action Defines the event that the command triggers at the given date and time.

reset Resets the timer.
trace-route

Description: Use the trace-route command to display the route to a host.

Syntax

trace-route { ip_addr | name_str }
[ hop number [ time-out number ] ]

Keywords and Variables

ip_addr | name_str

trace-route ip_addr

trace-route name_str

hop

trace-route { ip_addr | name_str } hop number [ ... ]

Example: The following command:

• evaluates and displays up to four route trace hops

• sends the output to a host with IP address 172.16.10.10

trace-route 172.16.10.10 hop 4

ip_addr | name_str The IP address (ip_addr) or object name (name_str) of the host.

hop The maximum number of trace route hops (number) to evaluate and display.
time-out

trace-route { ip_addr | name_str } hop number time-out number

Example: The following command:

• evaluates and displays up to four route trace hops

• sends the output to a host with IP address 172.16.10.10

• specifies a timeout value of four seconds

trace-route 172.16.10.10 hop 4 time-out 4

time-out Specifies the amount of time in seconds (number) to elapse before abandoning the route trace.
traffic-shaping

Description: Use the traffic-shaping commands to determine the settings for the system with the traffic-shaping function, or to display information on traffic management device interfaces.

Syntax

get

get traffic-shaping { interface [ interface ] | ip_precedence | mode }

set

set traffic-shaping { ip_precedence number1 number2 number3 number4 number5 number6 number7 number8 |
mode { auto | off | on } }

unset

unset traffic-shaping { ip_precedence | mode }
Keywords and Variables

interface

get traffic-shaping interface [ interface ]

ip_precedence

get traffic-shaping ip_precedence

set traffic-shaping ip_precedence number1 number2 number3 number4 number5 number6 number7 number8

unset traffic-shaping ip_precedence

mode

get traffic-shaping mode

set traffic-shaping mode { auto | off | on }

unset traffic-shaping mode

Defaults

By default, the traffic shaping function is set up to automatic mode.

interface Displays the traffic shaping info for an interface.

ip_precedence Specifies the Priorities 0 through 7 for IP precedence (TOS) mapping. Each setting should be a single-digit value.

mode Defines the mode settings for the system with the traffic-shaping function. If you select auto, the system automatically determines the mode settings. If there is at least one policy in the system with traffic-shaping turned on, the system automatically sets the mode to on. If there is no such policy, the auto mode default setting is off.
url

Description: Use the url commands to enable or disable URL filtering, or to display URL filter settings.

Syntax

clear

clear [ cluster ] url no-block interface1 interface2

get

get url

set

set url { config { disable | enable } | fail-mode { block | permit } | message string | msg-type number | no-block interface1 interface2 | server { name_str | ip_addr } port_num number }

unset

unset url { config | fail-mode | message | msg-type | no-block | server }

Note: A Websense server provides the URL filtering.
Keywords and Variables

cluster

clear cluster url no-block interface1 interface2

config

set url config { disable | enable }

unset url config

fail-mode

set url fail-mode { block | permit }

unset url fail-mode

message

set url message string

unset url message

Example: The following command defines the URL blocking message to “This site is blocked”:

cluster Propagates the clear operation to all other devices in a NSRP cluster.

config Enables or disables URL filtering by the Websense server.

fail-mode If connection to the Websense server is lost, this either blocks or permits all HTTP requests.

message string Defines a custom message, fewer than 220 characters in length, to send to the client who is blocked from reaching a URL.
set url message “This site is blocked”

msg-type

set url msg-type number

unset url msg-type

Example: The following command enables the user-defined message:

set url msg-type 1

no-block

clear [ cluster ] url no-block interface1 interface2

set url no-block interface1 interface2

unset url no-block

Example: The following command disables blocking from interface ethernet3/1 to interface ethernet4/2:

set url no-block ethernet3/1 ethernet4/2

server

set url server { name_str | ip_addr } port_num number

msg-type A 0 uses the message sent by the Websense server. A 1 uses the user-defined message from the NetScreen device.

no-block Disables blocking from one interface (interface1) to another interface (interface2).
unset url server

Example: The following command:

• specifies communication with a Websense server with the IP address 172.16.150.6

• specifies port 15868

• sets a timeout value of 10 seconds

set url server 172.16.150.6 15868 10

Defaults

The default port number for a Websense server is 15868. The default fail-mode behavior is to block all HTTP requests.

server Defines communication with a Websense server with a domain name (www.abc.com) or IP address ip_addr, using port number port_num with a timeout value number in seconds. The timeout value specifies how long the NetScreen device waits for a response from the Websense server before it either blocks or permits traffic to the URL.
user

Description: Use the user commands to create, remove, or display entries in the internal user authentication database. The basic user categories are as follows:

• Dialup users (for using Manual Key VPNs)

• Authentication users (for using network connections)

• IKE users (for using AutoKey IKE VPNs)

• L2TP users (for using L2TP tunnels)

• XAUTH users

Syntax

get

get user { name_str | all | id id_num }

set

set user name_str { dialup spi_num spi_num
{ ah { md5 | sha-1 } { key key_hex | password pswd_str } | esp
{ 3des | des | aes128 | aes192 | aes256
{ key key_hex | password pswd_str } | null [ auth { md5 | sha-1 } { key key_hex | password pswd_str } ] } }
outgoing-interface interface } |
disable | enable | ike-id
{ asn1-dn container string [ wildcard string ] [ share-limit number ] | fqdn name_str | ip ip_addr | u-fqdn name_str } |
password pswd_str | remote-settings
{ dns1 ip_addr | dns2 ip_addr | ipaddr ip_addr | ippool name_str | wins1 ip_addr | wins2 ip_addr } |
type { [ auth ] [ ike ] [ l2tp ] [ xauth ] } | uid id_num }

unset

unset user name_str [ remote-settings { dns1 | dns2 | ipaddr | ippool | wins1 | wins2 } | type [ auth ] [ ike ] [ l2tp ] [ xauth ] ]
Keywords and Variables

name_str

get user name_str

set user name_str { ... }

unset user name_str [ ... ]

Examples: The following command displays a user named “roger”:

get user roger

The following command deletes the user named jane:

unset user jane

all

get user all

user Defines the user’s name.

all Displays the following information for all the entries in the internal user database:

• User ID number

• User name

• Status (enabled or disabled)

• User type

• IKE ID types – email address, IP address, or domain name

• IKE identities

• Manual Key settings
dialup

set user name_str dialup spi_num spi_num { ... }

set user name_str dialup spi_num spi_num ah { md5 | sha-1 } { key key_hex | password pswd_str }

set user name_str dialup spi_num spi_num esp { 3des | des | aes128 | aes192 | aes256
{ key key_hex | password pswd_str } | null [ auth { md5 | sha-1 } { key key_hex | password pswd_str } ] }

dialup Defines local and remote security parameter index (SPI) numbers that uniquely distinguish a particular encrypted tunnel from any others. This parameter must be a hexadecimal value between 1000 and 2fffffff. The local SPI number at one end serves as the remote SPI number at the other end and vice-versa. (For Manual Key VPN method only.)

ah Defines the use of the Authentication Header (AH) protocol. Choices are MD5 and SHA-1. (Note: Some NetScreen devices do not support SHA-1.)

esp Defines the use of the Encapsulating Security Payload (ESP) protocol. For VPN dialup users and dynamic peers.

• des Specifies Data Encryption Standard (DES), 56-bit encryption.

• 3des Specifies Triple Data Encryption Standard (3DES), 112-bit encryption.

• aes128 Specifies Advanced Encryption Standard (AES), 128-bit encryption.

• aes192 Specifies Advanced Encryption Standard (AES), 192-bit encryption.

• aes256 Specifies Advanced Encryption Standard (AES), 256-bit encryption.

• auth Defines the use of an authentication method. Choices are MD5 or SHA-1. (Note: Some NetScreen devices do not support SHA-1.)

- md5 Sets the device to use the Message Digest version 5 (MD5) algorithm for authentication.

- sha-1 Sets the device to use the Secure Hash Algorithm (SHA-1) algorithm for authentication.
Examples: The following command:

• sets up a dialup user named maryj

• specifies SPI parameters 3456 and 7890

• configures the user for DES ESP encryption

• assigns the user a password of “ipsecmaryj”

set user maryj dialup 3456 7890 esp des password ipsecmaryj

The following command:

• sets up a dialup user named smith_mkt

• specifies SPI parameters 3003 and 4004

• configures the user for Triple-DES ESP encryption

• assigns the user a password of “swordfish”

set user smith_mkt dialup 3003 4004 esp 3des password swordfish

disable | enable

set user name_str disable

set user name_str enable

id

get user id id_num

Example: The following command displays a particular user with user ID “10”:

disable | enable Disables or enables the user in the internal database. By default, the user is disabled. If you set a password for the user, the user becomes automatically enabled.

id Displays information on the user, identified by id_num. This option displays the same information as the get user name_str option.
get user id 10

ike-id

set user name_str ike-id { ... }

Examples: The following command creates an IKE user named branchsf with the IKE-ID number 2.2.2.2:

set user branchsf ike-id ip 2.2.2.2

The following command:

• creates a new user definition named “market”

• configures the user definition to recognize up to 10 hosts

• specifies that the hosts must possess certificates containing “ACME” in the O field, and “Marketing” in the OU field

set user “market” ike-id asn1-dn wildcard “o=ACME,ou=Marketing” share-limit 10

(This command uses Group IKE ID, which allows multiple hosts to use a single user definition. For more information on Group IKE ID, see the NetScreen Concepts and Examples Reference Guide.)

ike-id { ip_addr | name_str } Adds and defines an AutoKey IKE dialup user.

• ip ip_addr The IP address of the dialup user.

• fqdn name_str The Fully Qualified Domain Name, the complete string, such as www.netscreen.com.

• u-fqdn name_str Specifies the dialup user identity, usually equivalent to an email address such as [email protected].

• asn1-dn Specifies the user certificate distinguished name fields, and field values that define user identity.

- container string Specifies a container identity. This identity allows multiple identity fields for each type (CN, OU, O, L, ST, C, and E). To match a local ASN1_DN identity, the peer IKE identity fields must match all identity fields specified in the container identity. The NetScreen device does not check any undefined container fields. Field sequence must be identical.

- wildcard string Specifies a wildcard identity. This identity allows only one identity field for each type (CN, OU, O, L, ST, C, and E). To match a local ASN1_DN identity configuration, the peer IKE identity must contain fields matching all non-empty identity fields specified in the wildcard identity. For example, the wildcard identity o=ACME,ou=Marketing allows tunnel communication with any user whose certificate contains these field values. The NetScreen device does not check any undefined wildcard fields. Field sequence is not important.

• share-limit number Specifies the number of users that can establish tunnels concurrently using this identity. When this number is larger than 1, the NetScreen device treats it as a Group IKE ID user. With Group IKE ID, multiple dialup users can establish tunnels using partial IKE identities.

key

set user name_str dialup spi_num spi_num { ... } key key_hex

null

set user name_str dialup spi_num spi_num esp null [ ... ]

password

set user name_str password pswd_str

key Defines a hexadecimal key value.

• The 192-bit hexadecimal key used in the 3DES algorithm. This value must be between 1000 and 2fffffff.

• The 64-bit hexadecimal key used in the DES algorithm.

• The 16-byte hexadecimal key used in the MD5 algorithm.

• The 20-byte hexadecimal key used in the SHA-1 algorithm.

null Specifies “no encryption method” for the ESP protocol.

password Defines a top-level password, used to authenticate the firewall, L2TP, IKE or XAUTH user.
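The dialup keyword and the key keyword above state hard constraints: SPIs are hexadecimal values between 1000 and 2fffffff, and a key given with key key_hex must be the length the algorithm expects (64 bits for DES, 192 for 3DES, 16 bytes for MD5, 20 bytes for SHA-1). The following Python is an added example, not from the guide or from NetScreen: validate_dialup_command parses a set user name_str dialup ... line in the syntax documented above and reports every violation, so a Manual Key user definition can be checked before it is pushed to a device. The AES key sizes are the standard ones the keyword names imply (128/192/256 bits, an assumption beyond what the guide states); the function and constant names are this example's own.

```python
"""Validate `set user name_str dialup ...` lines against the constraints the
guide states. Added example; not NetScreen code."""
import re
from typing import List

SPI_MIN, SPI_MAX = 0x1000, 0x2FFFFFFF  # "between 1000 and 2fffffff" (hexadecimal)

# Expected key lengths in bits. The DES/3DES/MD5/SHA-1 sizes are the ones the
# guide lists; the AES sizes are the standard sizes named by the keyword
# (an assumption of this example).
ESP_KEY_BITS = {"des": 64, "3des": 192, "aes128": 128, "aes192": 192, "aes256": 256}
AUTH_KEY_BITS = {"md5": 128, "sha-1": 160}

_HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def _check_spi(label: str, spi: str, problems: List[str]) -> None:
    if not _HEX_RE.match(spi):
        problems.append(f"{label} SPI '{spi}' is not hexadecimal")
        return
    if not SPI_MIN <= int(spi, 16) <= SPI_MAX:
        problems.append(f"{label} SPI '{spi}' is outside 1000..2fffffff")


def _check_keyspec(what: str, tokens: List[str], bits: int, problems: List[str]) -> None:
    """tokens must be `key key_hex` or `password pswd_str`."""
    if len(tokens) != 2 or tokens[0] not in ("key", "password"):
        problems.append(f"{what}: expected 'key key_hex' or 'password pswd_str'")
        return
    kind, value = tokens
    if kind == "password":
        if not value:
            problems.append(f"{what}: empty password")
        return
    if not _HEX_RE.match(value):
        problems.append(f"{what}: key is not hexadecimal")
    elif len(value) * 4 != bits:  # one hex digit carries four bits
        problems.append(f"{what}: key is {len(value) * 4} bits, expected {bits}")


def validate_dialup_command(line: str) -> List[str]:
    """Return a list of problems; an empty list means the command is well formed."""
    t = line.split()
    problems: List[str] = []
    if len(t) < 6 or t[:2] != ["set", "user"] or t[3] != "dialup":
        return ["not a 'set user name_str dialup spi_num spi_num ...' command"]
    _check_spi("local", t[4], problems)
    _check_spi("remote", t[5], problems)
    rest = t[6:]
    if not rest:
        problems.append("missing ah or esp specification")
    elif rest[0] == "ah":
        # ah { md5 | sha-1 } { key key_hex | password pswd_str }
        if len(rest) < 2 or rest[1] not in AUTH_KEY_BITS:
            problems.append("ah requires md5 or sha-1")
        else:
            _check_keyspec("ah " + rest[1], rest[2:], AUTH_KEY_BITS[rest[1]], problems)
    elif rest[0] == "esp":
        alg = rest[1] if len(rest) > 1 else ""
        if alg == "null":
            # esp null [ auth { md5 | sha-1 } { key key_hex | password pswd_str } ]
            auth = rest[2:]
            if auth:
                if len(auth) < 2 or auth[0] != "auth" or auth[1] not in AUTH_KEY_BITS:
                    problems.append("esp null accepts only 'auth md5|sha-1 ...'")
                else:
                    _check_keyspec("auth " + auth[1], auth[2:], AUTH_KEY_BITS[auth[1]], problems)
        elif alg in ESP_KEY_BITS:
            _check_keyspec("esp " + alg, rest[2:], ESP_KEY_BITS[alg], problems)
        else:
            problems.append(f"unknown esp algorithm '{alg}'")
    else:
        problems.append(f"expected ah or esp, got '{rest[0]}'")
    return problems


if __name__ == "__main__":
    # The guide's own example passes; a constructed bad line shows the checks.
    print(validate_dialup_command("set user maryj dialup 3456 7890 esp des password ipsecmaryj"))
    print(validate_dialup_command("set user bob dialup 0fff 30000000 esp des key abcd"))
```

The page's two examples validate cleanly; the constructed second line reports a local SPI below 1000, a remote SPI above 2fffffff, and a 16-bit key where DES needs 64.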

Example: The following command creates an authentication user in the NetScreen internal database for user guest with the password JnPc3g12:

set user guest password JnPc3g12

type

set user name_str type { [ auth ] [ ike ] [ l2tp ] [ xauth ] }

Example: The following command changes the user guest to an authentication/L2TP user:

set user guest type auth l2tp

type Sets the user type, in any of the following combinations, where A = authentication, I = IKE, L = L2TP, X = XAUTH: auth, ike, l2tp, xauth, auth ike l2tp xauth, auth ike, auth l2tp, auth xauth, ike l2tp, ike xauth, l2tp xauth, auth ike l2tp, auth l2tp xauth, or ike l2tp xauth.
user-group

Description: Use the user-group commands to create or delete a dialup user group, to configure it, or to add or remove a user from it.

Syntax

get

get user-group { name_str | all | external | id id_num | local }

set

set user-group name_str { id id_num | location { external | local } | type
{ manual | [ auth ] [ ike ] [ l2tp ] [ xauth ] } |
user name_str }

unset

unset user-group { name_str [ location | type | user name_str ] | id id_num }
Keywords and Variables

name_str

get user-group name_str

set user-group name_str { ... }

unset user-group name_str [ ... ]

Example: The following command displays the contents of a user group named Corp_Dial:

get user-group Corp_Dial

all

get user-group all

external

get user-group external

name_str Specifies the name of the user group.

all Displays all existing user groups.

external Displays all external user groups.
id

get user-group id id_num

set user-group name_str id id_num

unset user-group name_str [ ... ]

Example: The following command creates a user group named Corp_Dial, and assigns the group an ID of 10:

set user-group Corp_Dial id 10

local

get user-group local

location

set user-group name_str location { external | local }

unset user-group name_str location

id Identifies the user group with an identification number id_num.

name_str Specifies the name of the user group.

local Displays all local user groups.

location Specifies the location of the user group.
type

set user-group name_str type { ... }

user

set user-group name_str user name_str

unset user-group name_str user name_str

Examples: The following commands:

• create a new dialup user named guest

• create a dialup user group named Corp_Dial with ID 1010

• assign the new user to the user group:

set user guest password JnPc3g12

set user-group Corp_Dial location local

set user-group Corp_Dial user guest

The following command removes the user guest from the group:

unset user-group Corp_Dial user guest

type Specifies the type of user group.

• manual specifies manual users.

• auth specifies firewall users.

• ike specifies AutoKey IKE users.

• l2tp specifies L2TP users.

• xauth specifies XAUTH users.

user name_str Specifies an individual user.
vip

Description: Use the vip commands to display the Virtual IP (VIP) configuration settings.

Syntax

get

get vip [ ip_addr { port port_num | port-status } | server | session ]

set

set vip [ ip_addr1
{ port_num svc_name ip_addr2 [ manual ] | + svc_name ip_addr2 [ manual ] } |
multi-port ]
Keywords and Variables

ip_addr | ip_addr1

get vip ip_addr { ... }

set vip ip_addr1 port_num svc_name ip_addr2 [ ... ]

set vip ip_addr1 + svc_name ip_addr2 [ ... ]

Example: The following command creates a VIP (10.10.1.1) for interface ethernet3 (172.16.20.200), for accessing the HTTP service (port 80):

set vip 10.10.1.1 80 HTTP 172.16.20.200

manual

set vip ip_addr1 port_num svc_name ip_addr2 manual

set vip ip_addr1 + svc_name ip_addr2 manual

multi-port

set vip multi-port

ip_addr | ip_addr1 Identifies the interface receiving traffic to VIPs.

port_num Identifies a logical port.

svc_name Identifies a service, such as HTTP or MAIL.

ip_addr2 Specifies the VIP address.

manual Enables server auto-detection.

multi-port Enables creation of multiple virtual ports.
server

get vip server

session

get vip session

Defaults

If no server or session is specified, the get vip command displays all configured VIPs by default.

server Displays the load balance status of servers receiving traffic to VIPs.

session Displays the load balance session table, which shows the balanced distribution of currently active VIP sessions.

vpn

Description: Use the vpn commands to create or remove a Virtual Private Network (VPN) tunnel, or to display current VPN tunnel parameters.

NetScreen devices support two key methods for VPNs, AutoKey IKE and Manual Key. AutoKey IKE (Internet Key Exchange) is a standard protocol that automatically regenerates encryption keys at user-defined intervals. Manual Key VPNs use predefined keys that remain unchanged until the participants change them explicitly.

Syntax

get

get vpn [ name_str [ detail ] | auto | manual | proxy-id | sync-frequency ]

set

AutoKey IKE

set vpn name_str gateway { name_str | ip_addr } [ replay | no-replay ] [ transport | tunnel ] [ idletime number ] { proposal [ name_str1 [ name_str2 [ name_str3 [ name_str4 ] ] ] ] | sec-level { basic | compatible | standard } }

Manual Key

set vpn name_str manual spi_num1 spi_num2 gateway ip_addr [ nat-traversal [ keepalive-frequency number ] [ udp-checksum ] [ ip-gateway-public ip_addr ] { port-gateway-public number } ] [ outgoing-interface interface ] { ah { md5 | sha-1 } { key key_str | password pswd_str } | esp { aes128 | aes192 | aes256 | des | 3des { key key_str | password pswd_str } | null } [ auth { md5 | sha-1 } { key key_str | password pswd_str } ] }

set vpn name_str { bind { interface interface | zone name_str } | df-bit { clear | copy | set } | monitor [ source-interface interface ] | nat-traversal [ keepalive-frequency number ] [ udp-checksum ] [ ip-gateway-public ip_addr ] [ port-gateway-public number ] | proxy-id local-ip ip_addr/mask remote-ip ip_addr/mask svc_name }

unset

unset vpn vpn_name [ bind { interface | zone } | monitor | nat-traversal [ udp-checksum ] | proxy-id ]

Keywords and Variables

name_str

get vpn name_str [ ... ]

Example: The following command displays a VPN named “branch”:

get vpn branch

name_str Defines a name for the VPN.

ah

set vpn name_str manual spi_num1 spi_num2 gateway ip_addr [ ... ] ah { ... }

Example: The following command:

• creates a VPN tunnel named “Mkt_vpn”

• specifies a manual key

• specifies local and remote SPI values 2002 and 3003

• specifies gateway 172.16.10.10

• specifies the AH protocol for IP packet authentication

• specifies SHA-1 hashing

• assigns the password “swordfish” to the tunnel

set vpn Mkt_vpn manual 2002 3003 gateway 172.16.10.10 ah sha-1 password swordfish

ah Specifies the Authentication Header (AH) protocol to authenticate IP packet content.

• md5 Specifies the Message Digest 5 (MD5) hashing algorithm. (128-bit)

• sha-1 Specifies the Secure Hash Algorithm 1 (SHA-1) hashing algorithm. (160-bit)

The key key_str value defines a 16-byte (MD5) or 20-byte (SHA-1) hexadecimal key, which the NetScreen device uses to produce a 96-bit message digest (or hash) from the message. password pswd_str specifies a password the NetScreen device uses to generate the authentication key automatically. Because both peers derive the same key from that password, the password is the only secret; a randomly generated key_str of the full length is the stronger choice.

auto

get vpn auto

Example: The following command displays all AutoKey IKE VPNs:

get vpn auto

auto Displays all AutoKey IKE VPNs.

bind

set vpn name_str bind { interface interface | zone name_str }

unset vpn vpn_name bind { interface | zone }

Example: The following command binds the VPN tunnel Mkt_vpn to the custom tunnel zone untrust-tun:

set vpn Mkt_vpn bind zone untrust-tun

bind Binds the VPN tunnel to a tunnel interface or a security zone.

• interface interface specifies the tunnel interface to use for VPN binding.

• zone name_str specifies the security zone to use for VPN binding.

df-bit

set vpn name_str df-bit { clear | copy | set }

esp

set vpn name_str manual spi_num1 spi_num2 gateway ip_addr esp { ... }

df-bit Determines how the NetScreen device handles the Don’t Fragment (DF) bit in the outer header.

• clear clears (disables) the DF bit in the outer header. This is the default value.

• copy copies the DF bit from the inner header to the outer header.

• set sets (enables) the DF bit in the outer header.

esp Specifies the use of the Encapsulating Security Payload (ESP) protocol, which the NetScreen device uses to encrypt and authenticate IP packets.

• aes128 Specifies Advanced Encryption Standard (AES). The key key_str value defines a 128-bit hexadecimal key.

• aes192 Specifies Advanced Encryption Standard (AES). The key key_str value defines a 192-bit hexadecimal key.

• aes256 Specifies Advanced Encryption Standard (AES). The key key_str value defines a 256-bit hexadecimal key.

• des Specifies Data Encryption Standard (DES). The key key_str value defines a 64-bit hexadecimal key (truncated to 56 bits).

• 3des Specifies Triple Data Encryption Standard (3DES). The key key_str value defines a 192-bit hexadecimal key (truncated to 168 bits).

• null Specifies no encryption. (When you specify this option, you must specify an authentication algorithm (MD5 or SHA-1) using the auth option.)

Example: The following command:

• creates a VPN tunnel named “Mkt_vpn”

• specifies a manual key

• specifies local and remote SPI values 2002 and 3003

• specifies gateway 172.16.10.10

• specifies ESP with Triple DES for IP packet encryption

• assigns the password “swordfish” to the tunnel

set vpn Mkt_vpn manual 2002 3003 gateway 172.16.10.10 esp 3des password swordfish

auth Specifies the use of an authentication (hashing) method. The available choices are MD5 or SHA-1. (Some NetScreen devices do not support SHA-1.) The key key_str value defines a 16-byte (MD5) or 20-byte (SHA-1) hexadecimal key, which the NetScreen device uses to produce a 96-bit message digest (or hash) from the message. password pswd_str specifies a password the NetScreen device uses to generate an encryption or authentication key automatically.

gateway

set vpn name_str gateway { name_str | ip_addr } [ ... ] { ... }

gateway Defines the Untrusted IP address (ip_addr) of the remote security gateway, or the name (name_str) of the remote security gateway. The gateway can be a NetScreen unit or any other IPSec-compatible device.

• idletime number The length of time in minutes that a connection can remain inactive before the NetScreen device terminates it.

• replay | no-replay Enables or disables replay protection. The default setting is no-replay, which leaves the tunnel open to re-injection of captured packets; enable replay wherever the peer supports it.

• transport | tunnel Defines the IPSec mode. In tunnel mode, the active IP packet is encapsulated. In transport mode, no encapsulation occurs. Tunnel mode is appropriate when both end points in an exchange lie beyond gateway devices. Transport mode is appropriate when either end point is a gateway.

Examples: The following command:

• creates a manual VPN named “judy”

• specifies local and remote SPI values 3000 and 2FFFFFFF

• sets the remote gateway IP address 172.16.33.2

• specifies ESP with DES

• specifies MD5 hashing with password “judyvpn”

set vpn judy manual 3000 2FFFFFFF gateway 172.16.33.2 esp des password judyvpn auth md5 password judyvpn

The following command:

• creates an AutoKey IKE VPN named “tuval”

• specifies remote gateway “funaf.com”

• enables replay protection

• specifies a Phase 2 proposal consisting of a Diffie-Hellman Group 2 exchange

• specifies ESP with Triple DES and SHA-1 hashing

set vpn tuval gateway funaf.com replay proposal g2-esp-3des-sha

• proposal name_str Defines up to four Phase 2 proposals. A Phase 2 proposal determines how a NetScreen device sends VPN session traffic.

manual

get vpn name_str [ detail ] manual

set vpn name_str manual spi_num1 spi_num2 gateway ip_addr [ ... ] { ... }

monitor

set vpn name_str monitor [ ... ]

unset vpn name_str monitor

nat-traversal

set vpn name_str manual spi_num1 spi_num2 gateway ip_addr nat-traversal [ ... ] { ... }

set vpn name_str nat-traversal [ ... ]

unset vpn vpn_name nat-traversal [ ... ]

manual Specifies a Manual Key VPN. When the NetScreen device is in Manual mode, you can encrypt and authenticate by HEX key or password. spi_num1 and spi_num2 are the 32-bit local and remote security parameters index (SPI) numbers. Each SPI number uniquely distinguishes a particular tunnel from any other active tunnel. Each must be a hexadecimal value between 3000 and 2fffffff. The local SPI corresponds to the remote SPI at the other end of the tunnel, and vice-versa.

monitor Monitors the specified VPN, sending SNMP MIB data and traps to an SNMP community. The source-interface interface option specifies the interface through which the NetScreen device sends monitor messages to a NetScreen-Remote client or a non-NetScreen peer device.

nat-traversal Configures the VPN to work with NAT.

• ip-gateway-public ip_addr Specifies the peer gateway’s public IP address.

• keepalive-frequency number Specifies the keepalive frequency.

outgoing-interface

set vpn name_str manual spi_num1 spi_num2 gateway ip_addr [ ... ] outgoing-interface interface { ... }

proxy-id

get vpn proxy-id

set vpn name_str proxy-id local-ip ip_addr/mask remote-ip ip_addr/mask svc_name

unset vpn vpn_name proxy-id

Example: The following command creates a VPN proxy configuration for a VPN (Sales) with the HTTP service:

set vpn Sales proxy-id local-ip 172.16.1.1/24 remote-ip 192.168.2.2/24 HTTP

• port-gateway-public number Specifies the peer gateway’s public IKE port number.

• udp-checksum Enables the NAT-Traversal UDP checksum.

outgoing-interface The name of the outgoing interface. The interfaces you can use as the outgoing interface are listed under “Interface Names” on page A-IV.

proxy-id Specifies the combination of local and remote addresses used by the VPN tunnel, and specifies the service provided.

• local-ip ip_addr/mask The IP address and subnet mask of the local subnet.

• remote-ip ip_addr/mask The IP address and subnet mask of the remote subnet.

• svc_name The name of the service, such as FTP, TELNET, DNS or HTTP. (Specifying any enables all services.)

sec-level

set vpn name_str gateway { name_str | ip_addr } [ ... ] { ... } sec-level { basic | compatible | standard }

Defaults

The key lifetime is set to 3600 seconds.

The ESP authentication algorithm is NONE when not specified otherwise. ESP without an authentication algorithm provides confidentiality only: the peer cannot detect altered or forged packets, so specify an authentication algorithm (or a proposal that includes one) in practice.

sec-level Specifies which pre-defined security proposal to use for IKE. The basic proposal provides basic-level security settings. The compatible proposal provides the most widely used settings. The standard proposal provides settings recommended by NetScreen.
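The Python helper below is an added example, not code from the NetScreen CLI Reference Guide or from NetScreen/Juniper. It assembles a set vpn ... manual command from the pieces described under ah, esp, auth and manual above and enforces what the guide states about them: SPIs are hexadecimal values between 3000 and 2fffffff, a key_str is 16 bytes for MD5, 20 bytes for SHA-1, 128/192/256 bits for AES, 64 bits for DES and 192 bits for 3DES, and esp null requires an auth algorithm. Function and parameter names are this example's own. Note that the guide's Mkt_vpn example uses local SPI 2002, which is below the minimum the guide itself states, so the checker rejects that line as written; the example below uses 3002 instead.

```python
"""Manual Key VPN command builder and checker for ScreenOS (added example)."""
import ipaddress
import re
import secrets

# Hex key sizes in bytes, from the esp / ah / auth keyword descriptions.
ESP_KEY_BYTES = {"aes128": 16, "aes192": 24, "aes256": 32, "des": 8, "3des": 24}
AUTH_KEY_BYTES = {"md5": 16, "sha-1": 20}
SPI_MIN, SPI_MAX = 0x3000, 0x2FFFFFFF   # range stated under 'manual'


def check_spi(spi: str) -> int:
    """Parse a hexadecimal SPI and enforce the documented range."""
    if not re.fullmatch(r"[0-9a-fA-F]{1,8}", spi):
        raise ValueError(f"SPI {spi!r} is not a hexadecimal value")
    value = int(spi, 16)
    if not SPI_MIN <= value <= SPI_MAX:
        raise ValueError(f"SPI {spi} is outside 3000..2fffffff")
    return value


def check_hex_key(key: str, nbytes: int) -> str:
    """A key_str must be exactly nbytes of hex digits (two digits per byte)."""
    if not re.fullmatch(r"[0-9a-fA-F]*", key) or len(key) != 2 * nbytes:
        raise ValueError(f"key must be {nbytes} bytes ({2 * nbytes} hex digits)")
    return key.lower()


def random_key(alg: str) -> str:
    """Fresh key_str of the right size for alg. Preferred over the password
    form, where the device derives the key from the password itself."""
    return secrets.token_hex({**ESP_KEY_BYTES, **AUTH_KEY_BYTES}[alg])


def _secret(alg, table, key, password):
    """Emit 'key key_str' or 'password pswd_str' for one algorithm."""
    if alg not in table:
        raise ValueError(f"unknown algorithm {alg!r}")
    if (key is None) == (password is None):
        raise ValueError(f"{alg}: give either a hex key or a password")
    if key is not None:
        return ["key", check_hex_key(key, table[alg])]
    return ["password", password]


def manual_vpn_command(name, spi_local, spi_remote, gateway, *, ah=None,
                       esp=None, auth=None, key=None, auth_key=None,
                       password=None):
    """Build 'set vpn NAME manual SPI1 SPI2 gateway IP ...'. Give exactly one
    of ah= or esp=. key=/auth_key= are hex key_str values; password= selects
    the pswd_str form for every algorithm on the line."""
    spi1, spi2 = check_spi(spi_local), check_spi(spi_remote)
    ipaddress.IPv4Address(gateway)  # raises ValueError on a malformed address
    parts = ["set vpn", name, "manual", f"{spi1:x}", f"{spi2:x}",
             "gateway", gateway]
    if (ah is None) == (esp is None):
        raise ValueError("specify exactly one of ah= or esp=")
    if ah is not None:
        parts += ["ah", ah, *_secret(ah, AUTH_KEY_BYTES, key, password)]
        return " ".join(parts)
    if esp == "null":
        if auth is None:  # the guide: null needs an auth algorithm
            raise ValueError("esp null requires auth md5 or sha-1")
        parts += ["esp", "null"]
    else:
        parts += ["esp", esp, *_secret(esp, ESP_KEY_BYTES, key, password)]
    if auth is not None:
        parts += ["auth", auth,
                  *_secret(auth, AUTH_KEY_BYTES, auth_key, password)]
    return " ".join(parts)


def is_rejected(fn, *args, **kwargs) -> bool:
    """True when the builder refuses the input (exercises the checks)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # The guide's judy example rebuilt, and an AH tunnel with an in-range SPI.
    print(manual_vpn_command("judy", "3000", "2FFFFFFF", "172.16.33.2",
                             esp="des", auth="md5", password="judyvpn"))
    print(manual_vpn_command("Mkt_vpn", "3002", "3003", "172.16.10.10",
                             ah="sha-1", password="swordfish"))
    # A fresh AES-256 key to paste instead of a password:
    print(random_key("aes256"))
```

Paste the returned line into the CLI as-is. Prefer random_key over password: with the password form both peers derive the same key from the password, so the tunnel is only as strong as that password.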

vpn-group

Description: Use the vpn-group commands to define or remove VPN groups, or to display VPN groups.

Syntax

get

get vpn-group [ id id_num ]

set

set vpn-group id id_num [ vpn name_str [ weight number ] ]

unset

unset vpn-group id id_num [ vpn name_str [ weight number ] ]

Keywords and Variables

id

get vpn-group id id_num

set vpn-group id id_num [ ... ]

unset vpn-group id id_num [ ... ]

Example: The following commands:

• create an IKE gateway named “san_fran”

• create a VPN named “bay_area”

• place the VPN in a VPN group with ID 1001

• assign the VPN a weight of 1

• use the VPN group in a policy named “SF_CA”

set ike gateway san_fran ip 172.16.10.11 preshare bi273T1L proposal pre-g2-3des-md5

set vpn bay_area gateway san_fran replay proposal g2-esp-3des-sha

set vpn-group id 1001 vpn bay_area weight 1

set policy name SF_CA from trust to untrust 192.168.1.1 172.16.10.1 HTTP tunnel vpn-group 1001

vpn

set vpn-group id id_num vpn name_str [ ... ]

unset vpn-group id id_num vpn name_str

id Specifies an identification number for the VPN group.

vpn Specifies the name of a VPN to place in the VPN group.

weight

set vpn-group id id_num vpn name_str weight number

unset vpn-group id id_num vpn name_str weight number

weight Specifies a weight (priority) for the VPN relative to other VPNs in the group. The higher the number, the higher the priority.

vpnmonitor

Description: Use the vpnmonitor commands to set the monitor frequency and threshold.

Syntax

get

get vpnmonitor

set

set vpnmonitor { interval number | threshold number }

unset

unset vpnmonitor { interval | threshold }

Keywords and Variables

interval

set vpnmonitor interval number

unset vpnmonitor interval

threshold

set vpnmonitor threshold number

unset vpnmonitor threshold

interval Specifies the monitor frequency interval. The interval length in seconds is number multiplied by 10.

threshold Specifies the monitor threshold, the number of times the device can send vpnmonitor requests without getting a response, before the device sets VPN Link-Status to down.

vrouter

Description: Use the vrouter commands to configure the NetScreen device to perform as a local virtual router.

Executing the set vrouter name_str command without specifying further options places the CLI in the routing context. For example, the following command places the CLI in the trust-vr routing context:

set vrouter trust-vr

Once you initiate the routing context, all subsequent command executions apply to the specified local virtual router (trust-vr in this example). You can then initiate the bgp or ospf protocol context.

• To enter the bgp context, execute the set protocol bgp command.

ns(trust-vr)-> set protocol bgp

• To enter the ospf context, execute the set protocol ospf command.

ns(trust-vr)-> set protocol ospf

In the bgp or ospf protocol context, all command executions apply to the specified protocol.

Syntax

exec

exec vrouter name_str protocol bgp neighbor ip_addr { connect | disconnect | tcp-connect }

get

get vrouter name_str [ access-list | config | default-vrouter | interface | preference | protocol { bgp | ospf } | route [ id id_num | ip ip_addr | summary ] | route-map [ name_str [ config | number [ config | match | set ] ] ] | router-id | rule | zone ]

set

set vrouter name_str [ access-list id_num [ { permit | deny } ip ip_addr/mask number ] | add-default-route | auto-route-export | default-vrouter | { export-to | import-from } vrouter name_str route-map name_str [ default-route ] protocol { bgp | connected | ospf | imported | static } | max-routes number | preference { auto-exported number | ebgp number | ibgp number | connected number | ospf number | ospf-e2 number | imported number | static number } | protocol { bgp | ospf } | route ip_addr/mask { [ interface interface ] [ gateway ip_addr [ metric number ] [ tag id_num ] ] | vrouter name_str } | route-map { name name_str { permit | deny } number | name_str number [ local-pref number | [ match ] { as-path id_num | community id_num | interface interface1 [ interface2 [ interface3 [ interface4 ] ] ] | ip id_num1 [ id_num2 [ id_num3 [ id_num4 ] ] ] | metric number | next-hop id_num1 [ id_num2 [ id_num3 [ id_num4 ] ] ] | route-type { internal-ospf | type1-external-ospf | type2-external-ospf } | tag { id_num1 | ip_addr1 } [ { id_num2 | ip_addr2 } [ { id_num3 | ip_addr3 } [ { id_num4 | ip_addr4 } ] ] ] } | metric-type { type-1 | type-2 } | weight number ] } | router-id { id_num | ip_addr } | sharable ]

unset

unset vrouter name_str [ access-list id_num ip ip_addr/mask number | add-default-route | auto-route-export | { export-to | import-from } vrouter name_str route-map name_str protocol { bgp | connected | ospf | imported | static } | max-routes | preference { auto-exported | ebgp | ibgp | connected | ospf | ospf-e2 | imported | static } | protocol { bgp | ospf } | route ip_addr/mask [ vrouter name_str | [ interface interface ] gateway ip_addr ] | route-map name name_str number [ local-pref | [ match ] { as-path | community | interface | ip | metric | next-hop | route-type | tag } | metric-type | weight ] | router-id | sharable ]

Note: For more information on the protocol { bgp | ospf } options, see the bgp and ospf command descriptions.

Keywords and Variables

name_str

set vrouter name_str

Example: The following commands:

• activate the trust-vr routing context

• activate the BGP context

• execute the context-dependent command get config

set vrouter trust-vr

ns(trust-vr)-> set protocol bgp

ns(trust-vr/bgp)-> get config

add-default-route

set add-default-route vrouter name_str

unset add-default-route

auto-route-export

set vrouter name_str auto-route-export

unset vrouter name_str auto-route-export

add-default-route Adds a default route with the next hop as another virtual router. (This command is available only in the default virtual router of the current VSYS.)

auto-route-export Directs the local virtual router to export public interface routes to the untrust-vr vrouter.

access-list

get vrouter name_str access-list

set vrouter name_str access-list id_num [ ... ] { ... }

unset vrouter name_str access-list id_num ip ip_addr/mask number

Example: The following commands:

• activate the trust-vr routing context

• create an access list with ID number 1

• add an access-list entry that permits updates from neighbors in the address range 192.168.12.1/32

• specify a sequence number of 200

set vrouter trust-vr

set access-list 1

set access-list 1 permit ip 192.168.12.1/32 200

config

get vrouter name_str config

access-list Creates or removes an access list, or entries in an access list. Each entry permits (or denies) routes, according to IP prefixes, to or from specified neighbors. The ID number id_num identifies the access list, and the sequence number number orders the entries within it. To identify the neighbors, use the ip ip_addr/mask parameter.

• permit Directs the local virtual router to permit the route.

• deny Directs the local virtual router to deny the route.

config Displays configuration information about the local virtual router.

default-vrouter

set vrouter name_str default-vrouter

export-to | import-from

set vrouter name_str { export-to | import-from } vrouter name_str { ... }

unset vrouter name_str { export-to | import-from } vrouter name_str { ... }

interface

get vrouter name_str interface

default-vrouter Displays the virtual systems (VSYSs) that use the local virtual router as the default router, or configures the local virtual router to be the default vrouter for a VSYS.

export-to | import-from Directs the local virtual router to import routes from another virtual router (source), or to export routes to another virtual router (destination).

• vrouter name_str identifies the source or destination virtual router.

• route-map name_str identifies the route map that filters the imported or exported routes.

• protocol Specifies the protocol for the imported or exported routes.

- bgp Directs the local virtual router to import or export Border Gateway Protocol (BGP) routes.

- connected Directs the local virtual router to import or export connected routes.

- ospf Directs the local virtual router to import or export Open Shortest Path First (OSPF) routes.

- imported Directs the local virtual router to export pre-existing learned routes to a different protocol and pass them on to other routers.

- static Directs the local virtual router to import or export static routes.

• default-route Directs the virtual router to export and import the default route.

interface Displays the interfaces listed in the local virtual router.

max-routes

set vrouter name_str max-routes number

unset vrouter name_str max-routes

preference

get vrouter name_str preference

set vrouter name_str preference { ... }

unset vrouter name_str preference { ... }

max-routes Specifies the maximum number of routing entries.

preference Specifies the route preference level for each protocol.

• auto-exported Specifies the preference level for routes (defined on public interfaces) that the device automatically exports to the untrust-vr virtual router.

• ebgp Specifies the preference level for External Border Gateway Protocol (EBGP) routes.

• ibgp Specifies the preference level for Internal Border Gateway Protocol (IBGP) routes.

• connected Specifies the preference level for connected routes.

• ospf Specifies the preference level for Open Shortest Path First (OSPF) routes.

• ospf-e2 Specifies the preference level for OSPF External-Type-2 routes.

• imported Specifies the preference level for pre-existing routes exported to another protocol and passed on to other routers.

• static Specifies the preference level for static routes.

protocol

exec vrouter name_str protocol { ... }

get vrouter name_str protocol { bgp | ospf }

set vrouter name_str protocol { bgp | ospf }

set vrouter name_str { ... } vrouter name_str route-map name_str [ ... ] protocol { ... }

unset vrouter name_str { ... } vrouter name_str route-map name_str protocol { ... }

unset vrouter name_str protocol { bgp | ospf }

protocol Places the NetScreen device in the BGP context or the OSPF context. (For information on these contexts, see the bgp and ospf command descriptions in this manual.)

The exec vrouter name_str protocol bgp neighbor ip_addr command has the following options:

• connect Establishes a BGP connection to the specified neighbor device (ip_addr).

• disconnect Terminates a BGP connection to the specified neighbor device (ip_addr).

• tcp-connect Tests the TCP connection to the neighbor device (ip_addr).

route

get vrouter name_str route [ id id_num | ip ip_addr | summary ]

set vrouter name_str route ip_addr/mask { [ interface interface ] [ gateway ip_addr [ metric number ] [ tag id_num ] ] | vrouter name_str }

unset vrouter name_str route ip_addr/mask [ vrouter name_str | [ interface interface ] gateway ip_addr ]

Example: The following commands:

• activate the trust-vr routing context

• create a route in the local virtual router trust-vr with prefix 192.168.100.1/32

• specify the next-hop gateway 172.16.1.1

• specify a metric of 2

• specify a tag of 4

set vrouter trust-vr

set route 192.168.100.1/32 gateway 172.16.1.1 metric 2 tag 4

route Configures routes for the local virtual router.

• gateway ip_addr Specifies the gateway for the next hop. The metric value specifies the cost of the route.

• interface interface Specifies the routed interface.

• vrouter name_str Specifies a virtual router as the next hop.

• id id_num Identifies a route by its numeric ID.

route-map

get vrouter name_str route-map [ ... ]

set vrouter name_str { ... } vrouter name_str route-map name_str [ ... ] { ... }

unset vrouter name_str { ... } vrouter name_str route-map name_str { ... }

Example: The following commands:

• activate the trust-vr routing context

• create a route map named Mkt_Route

• enable (permit) the route map entry

• assign the route map entry a sequence number of 200

set vrouter trust-vr

set route-map name Mkt_Route permit 200

route-map Configures a route map entry for the local virtual router. With the name switch, the route-map option creates a new route map entry (name_str) and specifies its sequence number (number). The permit and deny switches determine if the entry allows redistribution of routes to another virtual router or another protocol. Without the name switch, the route-map option configures an existing route map entry (name_str number).

local-pref number Specifies the path preference. The local virtual router propagates this attribute to other routers in AS routing updates. The path with the highest preference value is the preferred path. (Each path has a default local preference value of 100.)

[ match ] Directs the local virtual router to base matches on the current as-path, community, interface, ip, metric, next-hop, route-type, or tag parameter settings. (Descriptions of these parameters follow.)

• as-path id_num Specifies an AS path through which the local virtual router receives BGP updates from a remote peer.

• community id_num Specifies a community list (id_num). A community is a group of network destinations used by a NetScreen device to apply a routing policy to multiple neighbors or peer groups. Once the router entry is in the community list, you can create a policy that applies to that router and all other devices in the list.

• config Displays configuration on the route map entry.

• interface interface1 [ interface2 [ interface3 [ interface4 ] ] ] Specifies up to four interfaces.

• ip id_num1 [ id_num2 [ id_num3 [ id_num4 ] ] ] Specifies an IP address that the local virtual router can filter through an access list.

• metric number The cost of the route. The lower this value, the lower the cost, and the more preferable the route over others. How the local virtual router interprets the metric value depends on the route-type setting (described below).

• next-hop id_num1 [ id_num2 [ id_num3 [ id_num4 ] ] ] Specifies next hops that the local virtual router can filter, using up to four access lists.

• route-type Specifies which kind of route matches the route map entry.

- internal-ospf Matches only the OSPF internal routes.

- type1-external-ospf Matches only external OSPF Type-1 routes.

- type2-external-ospf Matches only external OSPF Type-2 routes.

• tag Specifies a tag that identifies the route. This value can contain up to four values, which can be any combination of identification numbers (id_num1...id_num4) or IP addresses (ip_addr1...ip_addr4).

• metric-type Specifies the kind of metric used by the route.

- type-1 Specifies OSPF Type-1 route.

- type-2 Specifies OSPF Type-2 route.

• weight number Sets the weight of the matched route for BGP.

router-id

get vrouter name_str router-id

set vrouter name_str router-id { id_num | ip_addr }

unset vrouter name_str router-id

rule

get vrouter name_str rule

sharable

set vrouter name_str sharable

unset vrouter name_str sharable

zone

get vrouter name_str zone

router-id Identifies the router identification for BGP and OSPF.

rule Displays import and export rules for the local virtual router.

sharable Makes the root-level local virtual router accessible from a virtual system (VSYS).

zone Displays the zones accessible through the local virtual router.
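The Python model below is an added example, not code from the NetScreen CLI Reference Guide or from NetScreen/Juniper. It ties together the access-list entries described under access-list and the route-map entry with its match ip clause described under route-map, and answers whether a given route would be redistributed. The guide does not state the evaluation rules, so the ones used here are assumptions of this example: entries are tried in ascending sequence number, the first matching entry decides, an access list with no matching entry denies, an entry matches a route whose prefix lies inside the entry's prefix, and a route-map entry that lists several access lists matches when any of them permits the route. The class and method names and the extra deny entry in build_example are constructed for illustration.

```python
"""Access-list and route-map filtering in a virtual router (added example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AclEntry:
    seq: int
    action: str                    # "permit" or "deny"
    prefix: ipaddress.IPv4Network


@dataclass
class AccessList:
    id_num: int
    entries: list = field(default_factory=list)

    def add(self, action: str, prefix: str, seq: int) -> None:
        """Mirror 'set access-list ID {permit|deny} ip PREFIX SEQ'."""
        if action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny, not {action!r}")
        self.entries.append(AclEntry(seq, action, ipaddress.ip_network(prefix)))
        self.entries.sort(key=lambda e: e.seq)

    def permits(self, route: str) -> bool:
        """First entry (by sequence) whose prefix contains the route decides;
        no matching entry means deny (assumption, see lead-in)."""
        net = ipaddress.ip_network(route)
        for entry in self.entries:
            if net.subnet_of(entry.prefix):
                return entry.action == "permit"
        return False


@dataclass
class RouteMapEntry:
    seq: int
    action: str
    match_ip: list = field(default_factory=list)   # up to four access-list IDs


class RouteMap:
    """Mirror 'set route-map name NAME {permit|deny} SEQ' plus 'match ip'."""

    def __init__(self, name: str):
        self.name = name
        self.entries = []

    def add(self, action: str, seq: int, match_ip=()) -> None:
        if action not in ("permit", "deny"):
            raise ValueError(f"action must be permit or deny, not {action!r}")
        if len(match_ip) > 4:  # the guide allows id_num1..id_num4
            raise ValueError("match ip takes at most four access lists")
        self.entries.append(RouteMapEntry(seq, action, list(match_ip)))
        self.entries.sort(key=lambda e: e.seq)

    def redistributes(self, route: str, acls: dict) -> bool:
        """True if the route passes the map. An entry with no match clause
        matches every route; a route matching no entry is dropped."""
        for entry in self.entries:
            matched = (not entry.match_ip
                       or any(acls[i].permits(route) for i in entry.match_ip))
            if matched:
                return entry.action == "permit"
        return False


def build_example():
    """Constructed configuration: the guide's access-list 1 / Mkt_Route
    commands, extended with two entries to show that sequence order matters."""
    acl1 = AccessList(1)
    acl1.add("deny", "192.168.12.128/25", 100)    # constructed entry
    acl1.add("permit", "192.168.12.1/32", 200)    # from the guide's example
    acl1.add("permit", "192.168.12.0/24", 300)    # constructed entry
    mkt = RouteMap("Mkt_Route")
    mkt.add("permit", 200, match_ip=[1])          # from the guide's example
    return {1: acl1}, mkt


if __name__ == "__main__":
    acls, mkt = build_example()
    for r in ("192.168.12.1/32", "192.168.12.200/32", "10.0.0.0/8"):
        print(r, "redistributed" if mkt.redistributes(r, acls) else "filtered")
```

Putting a deny entry at a lower sequence number than a broader permit is the usual way to carve exceptions out of a permitted range; the model makes that ordering visible before the same entries are typed into the device.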

vsys

Description: Use the vsys commands to create and configure virtual systems from the root level of a NetScreen device.

Virtual systems allow you to logically partition a single NetScreen security system to provide multi-tenant services. Each virtual system (vsys) is a unique security domain and can have its own administrators, called “virtual system administrators” or “vsys admins”. Such administrators can individualize their security domain by setting their own address books, virtual routers, user lists, custom services, VPNs, and policies. (Only a root-level administrator can set firewall security options, create virtual system administrators, and define interfaces and subinterfaces.)

When you execute the set vsys command, the command prompt changes to indicate that you are now operating within a virtual system. Use the unset vsys command to remove a specific virtual system and all its settings.

Syntax

get

get vsys name_str

set

set vsys name_str [ vrouter [ name [ name_str [ id id_num ] ] [ vsd number ] | share [ name_str | vsd number ] | vsd number ] | vsd number ]

unset

unset vsys name_str

Keywords and Variables

name_str

Example: The following command creates a virtual system named Acme_Org and switches the console to the new virtual system:

set vsys Acme_Org

vrouter

Examples: The following command creates a virtual system named Acme_Org, creates a virtual router named Acme_Router with ID 1025, and switches the console to the new virtual system:

set vsys Acme_Org vrouter name Acme_Router id 1025

The following command creates a virtual system named Acme_Org, and specifies a default, root-level virtual router (trust-vr):

set vsys Acme_Org vrouter share trust-vr

vsd

Example: The following command creates a virtual system named Acme_Org, assigns VSD group 5 to its virtual router, and switches the console to the new virtual system:

set vsys Acme_Org vrouter vsd 5

name_str Defines the name of a virtual system and automatically places the root level admin within the virtual system. Subsequent commands configure the newly created virtual system.

vrouter Defines and configures the default virtual router for the vsys.

• name Specifies a name for the virtual router.

- id id_num Assigns an identification number to the virtual router.

- vsd id_num See “vsd” on page 452.

• share Specifies a shared root-level virtual router to use as a default router.

• vsd id_num See “vsd” on page 452.

vsd Assigns a Virtual Security Device (VSD) group number to the virtual router.  A VSD group is a pair of physical NetScreen devices (a master and a backup) that collectively comprise a single VSD. A VSD provides failover capability, allowing the backup device to take over if the master device fails. For more information on VSD groups, see the NetScreen Concepts and Examples ScreenOS Reference Guide.

webauth

Description: Use the webauth commands to configure the NetScreen device to perform WebAuth authentication.

Syntax

get

get webauth [ banner ]

set

set webauth { banner success string | server name_str }

unset

unset webauth { banner success | server }

Keywords and Variables

banner success

get webauth banner

set webauth banner success string

unset webauth banner success

banner success Specifies the banner (string) displayed in response to Webauth success.

Example: The following command changes the Webauth success banner to “Webauth service successful”:

set webauth banner success “Webauth service successful”

server

set webauth server name_str

unset webauth server

server Specifies the Webauth server name (name_str).

Example: The following command specifies a Webauth server named “Our_Webauth”:

set webauth server Our_Webauth

Default

The default banner value is Webauth Success.

webtrends

Description: Use the webtrends commands to configure the NetScreen device for WebTrends.

Syntax

get

get webtrends

set

set webtrends { VPN | enable | host-name name_str | port port_num }

unset

unset webtrends { VPN | enable | host-name name_str | port port_num }

Keywords and Variables

vpn

set webtrends VPN

vpn Enables WebTrends VPN encryption.

enable

set webtrends enable

enable Enables WebTrends.

host-name

set webtrends host-name name_str

host-name Specifies the WebTrends host name.

port

set webtrends port port_num

port port_num Specifies the WebTrends host port.

xauth

Description: Use the xauth commands to configure the NetScreen device to perform XAUTH authentication.

Syntax

get

get xauth { active | default | lifetime }

set

set xauth { default
  { auth server name_str [ chap ] [ query-config ] | dns1 ip_addr | dns2 ip_addr | ippool name_str | wins1 ip_addr | wins2 ip_addr } |
  lifetime number }

unset

unset xauth { default { dns1 | dns2 | ippool | wins1 | wins2 } | lifetime }

Keywords and Variables

active

get xauth active

active Displays all currently active XAUTH login instances.

default

get xauth default

set xauth default { ... }

unset xauth default { ... }

default Sets or displays default XAUTH settings.

• auth server Identifies the XAUTH server by object name (name_str).

- chap Directs the NetScreen to use Challenge Handshake Authentication Protocol (CHAP) while performing authentication with the XAUTH server.

- query-config Sets or displays query client settings (such as IP address) from the external authentication server.

• dns1 Identifies the DNS primary server by IP address (ip_addr).

• dns2 Identifies the DNS secondary server by IP address (ip_addr).

• ippool Identifies the IP pool (name_str).

• wins1 Identifies the WINS primary server by IP address (ip_addr).

• wins2 Identifies the WINS secondary server by IP address (ip_addr).

Example: The following command sets up the NetScreen device to use an XAUTH server (Our_Auth):

set xauth default auth server Our_Auth

lifetime

get xauth lifetime

set xauth lifetime number

unset xauth lifetime number

lifetime number Specifies the maximum length of time (in minutes) that the XAUTH server holds resources (such as IP address) on behalf of the client.

Example: The following command specifies a maximum XAUTH session length of 30 minutes:

set xauth lifetime 30

zone

Description: Use the zone commands to create, remove, configure, or display a security zone.

Syntax

get

get zone [ id id_num | all | zone [ screen { all | attack | counter | info } ] ]

set

set zone { name zone { L2 id_num | tunnel zone } | zone
  { block | screen
    { block-frag | component-block | fin-no-ack | icmp-flood [ threshold number ] | icmp-fragment | icmp-large | ip-bad-option | ip-filter-src | ip-loose-src-route | ip-record-route | ip-security-opt | ip-spoofing [ drop-no-rpf-route ] | ip-stream-opt | ip-strict-src-route | ip-sweep [ threshold number ] | ip-timestamp-opt | land | limit-session [ source-ip-based number ] | mal-url { string1 string2 number | code-red } | ping-death | port-scan [ threshold number ] | syn-ack-ack-proxy [ threshold number ] | syn-fin | syn-flood
      [ alarm-threshold number | attack-threshold number | queue-size number | source-threshold number | timeout number ] |
    syn-frag | tcp-no-flag | tear-drop | udp-flood [ threshold number ] | unknown-protocol | winnuke } |
  tcp-rst | vrouter name_str }
  }

unset

unset zone zone { block | screen
    { block-frag | component-block | fin-no-ack | icmp-flood [ threshold ] | icmp-fragment | icmp-large | ip-bad-option | ip-filter-src | ip-loose-src-route | ip-record-route | ip-security-opt | ip-spoofing [ drop-no-rpf-route ] | ip-stream-opt | ip-strict-src-route | ip-sweep [ threshold ] | ip-timestamp-opt | land | limit-session [ source-ip-based ] | mal-url { string1 | code-red } | ping-death | port-scan [ threshold ] | syn-ack-ack-proxy [ threshold number ] | syn-fin | syn-flood
      [ alarm-threshold | attack-threshold | destination-threshold number | drop-unknown-mac | queue-size | source-threshold | timeout ] |
    syn-frag | tcp-no-flag | tear-drop | udp-flood [ threshold number ] | unknown-protocol | winnuke } |
  tcp-rst | }

Keywords and Variables

Variable Parameters

get zone zone [ ... ]

set zone zone { ... }

unset zone zone { ... }

zone The name of the zone. For more information on zones and zone names, see “Security Zone Names” on page A-II.

all

get zone all [ ... ]

all Displays information on all existing zones.

block

set zone zone block

unset zone zone block

block Imposes intra-zone traffic blocking.

name

set zone name zone { ... }

name Creates a new zone with name zone.

• L2 id_num specifies that the zone is Layer-2 (for running the device in Transparent Mode). The ID number (id_num) identifies the VLAN to which the zone is bound. The name you specify (zone) must begin with “L2-”.

• tunnel zone specifies that the new zone is a VPN tunnel zone, and identifies the tunnel-out zone (zone).

Examples: The following command creates a new Layer-2 zone named L2-Sales, with VLAN ID number 1:

set zone name L2-Sales L2 1

The following command creates a tunnel zone named Engineering, and specifies untrust as the out zone:

set zone name Engineering tunnel untrust

screen

set zone zone screen { ... }

unset zone zone screen { ... }

screen Enables or disables firewall services through the interface.

• block-frag Enables IP packet fragmentation blocking.

• component-block Attackers can hide malicious Java or ActiveX components in Web pages, and these components can install a Trojan Horse on the victim host. A Trojan Horse contains applets that can allow an outside party to access the victim host directly. Attackers can hide these components in compressed files, such as .zip, .gzip, and .tar, as well as in executable (.exe) files. Enabling the component-block feature blocks all embedded Java and ActiveX applets from Web pages.

• fin-no-ack Detects an illegal combination of flags, and rejects packets that have them.

• icmp-flood [ threshold number ] Detects Internet Control Message Protocol (ICMP) floods. An ICMP flood occurs when ICMP echo requests are broadcast with the purpose of flooding a system with so much data that it first slows down, and then times out and is disconnected. The threshold defines the number of ICMP packets per second allowed to ping the same destination address before the NetScreen device rejects further ICMP packets. The range is 1 to 1,000,000.

• icmp-fragment Detects any ICMP frame with the More Fragments flag set, or with an offset indicated in the offset field.

• icmp-large Detects any ICMP frame with an IP length greater than 1024.

• ip-bad-option Discards all received frames where the list of IP Options is malformed or incomplete.

• ip-filter-src Blocks all packets with the Source Route Option enabled. The Source Route Option can allow a hacker to use a false IP address to access a network, and have the traffic returned to their real IP address. The administrator can block all IP Source Routed frames, only those with Strict Source Routing, or only those with Loose Source Routing.

• ip-loose-src-route Detects packet IPs with the loose source route option enabled.

• ip-record-route Discards all frames with the Record Route option enabled. With the Record Route option enabled, attackers might access information concerning the path between the attacker and the target device, thus gaining information about the protected network.

• ip-security-opt Discards all received frames with IP Security options set. These option settings conform to RFCs 1038 and 1108, which define various protection levels for frames, and the configuration of internetworking devices for forwarding frames throughout an internetwork.

• ip-spoofing Prevents spoofing attacks. Spoofing attacks occur when unauthorized agents attempt to bypass firewall security by imitating valid client IP addresses. Using the ip-spoofing option invalidates such false source IP address connections. Only NetScreen devices running in NAT or Route mode can use this option. The drop-no-rpf-route option instructs the NetScreen device to drop any packet that does not contain a source route. The device also drops the packet if the source IP address is reserved (non-routable, as with 127.0.0.1).

• ip-stream-opt Discards all frames with the IP SATNET Stream identifier set.

• ip-strict-src-route Detects frames with the strict source route option enabled.

• ip-sweep threshold number Detects and prevents an IP Sweep attack. An IP Sweep attack occurs when an attacker sends ICMP echo requests (pings) to multiple destination addresses. If a target host replies, it reveals the target’s IP address to the attacker. Set the IP Sweep threshold to between 1 and 1,000,000 microseconds. Each time ICMP echo requests occur with greater frequency than this limit, the NetScreen device drops further echo requests from the remote source address.

• ip-timestamp-opt Discards all frames with the timestamp option set.

• land Prevents Land attacks by combining the SYN flood defense mechanism with IP spoofing protection. Land attacks occur when an attacker sends spoofed IP packets with headers containing the target’s IP address for both the source and destination IP addresses. The attacker sends these packets with the SYN flag set to any available port. This induces the target to create empty sessions with itself, filling its session table and overwhelming its resources.

• limit-session [ source-ip-based number ] Lets you define the maximum number of sessions the NetScreen device can establish per second (number) by a single source IP address.

• mal-URL [ name_str id_str number | code-red ] Sets up a filter that scans HTTP packets for suspect URLs. The NetScreen device drops packets that contain such URLs. The code-red switch enables blocking of the code-red-worm virus. Using the name_str option works as follows.

- name_str A user-defined identification name.

- id_str Specifies the starting pattern to search for in the HTTP packet. Typically, this starting pattern begins with the HTTP command GET, followed by at least one space, plus the beginning of a URL. (The NetScreen device treats multiple spaces between the command “GET” and the character “/” at the start of the URL as a single space.)

- number Specifies a minimum length for the URL before the CR-LF.

• ping-of-death Detects and rejects oversized and irregular ICMP packet sizes. Although the TCP/IP specification requires a specific packet size, many ping implementations allow larger packet sizes. This can trigger a range of adverse system reactions including crashing, freezing, and rebooting.

• port-scan threshold number Prevents port scan attacks. A port scan attack occurs when an attacker sends packets with different port numbers to scan available services. The attack succeeds if a port responds. To prevent this attack, the NetScreen device internally logs the number of different ports scanned from a single remote source. For example, if a remote host scans 10 ports in 0.005 seconds (equivalent to 5000 microseconds, the default threshold setting), the NetScreen device flags this as a port scan attack, and rejects further packets from the remote source. The port-scan threshold number value determines the threshold setting, which can be from 1000 to 1,000,000 microseconds.

• syn-ack-ack-proxy Prevents the SYN ACK ACK attack. Such an attack occurs when the attacker establishes multiple Telnet sessions without allowing each session to terminate. This consumes all open slots, generating a Denial of Service condition.

• syn-fin Detects an illegal combination of flags attackers can use to consume sessions on the target device, thus resulting in a denial of service.

• syn-flood Detects and prevents SYN flood attacks. Such attacks occur when the connecting host continuously sends TCP SYN requests without replying to the corresponding ACK responses.

- alarm-threshold number Defines the number of proxied, half-complete connections per second at which the NetScreen device makes entries in the event alarm log.

- attack-threshold number Defines the number of SYN packets per second required to trigger the SYN proxying mechanism.

- destination-threshold number Defines the number of SYN packets the NetScreen device can send to a single source IP address without receiving ACK responses.

- drop-unknown-mac Drops packets when they contain unknown destination MAC addresses.

- queue-size number Defines the number of proxied connection requests held in the proxied connection queue before the system starts rejecting new connection requests.

- source-threshold number Defines the number of SYN packets received (per second) from a single source IP address, before the NetScreen device executes the SYN proxying mechanism.

- timeout number Defines the maximum length of time before a half-completed connection is dropped from the queue. You can set it between 1 and 50 seconds.

• syn-frag Detects a SYN fragment attack, and drops any packet fragments used for the attack. A SYN fragment attack floods the target host with SYN packet fragments. The host caches these fragments, waiting for the remaining fragments to arrive so it can reassemble them. By flooding a server or host with connections that cannot be completed, the host’s memory buffer eventually fills. No further connections are possible, and damage to the host’s operating system can occur.

• tcp-no-flag Drops an illegal packet with missing or malformed flags field.

• tear-drop Blocks the Teardrop attack. Teardrop attacks occur when fragmented IP packets overlap and cause the host attempting to reassemble the packets to crash. The tear-drop option directs the NetScreen device to drop any packets that have such a discrepancy.

• udp-flood threshold number UDP flooding occurs when an attacker sends UDP packets to slow down the system to the point that it can no longer process valid connection requests. The threshold number parameter is the number of packets allowed per second to the same destination IP address/port pair. When the number of packets exceeds this value within any one-second period, the NetScreen device generates an alarm and drops subsequent packets for the remainder of that second. The valid range is from 1 to 1,000,000.

• unknown-protocol Discards all received IP frames with protocol numbers greater than 100. Such protocol numbers are undefined or reserved.

• winnuke Detects attacks on Windows NetBios communications, modifies the packet as necessary, and passes it on. (Each WinNuke attack triggers an attack log entry in the event alarm log.)

Examples: The following command enables the ip-spoofing firewall service for the trust zone:

set zone trust screen ip-spoofing

The following command enables the ip-spoofing firewall service for the untrust zone, and instructs the device to drop any packet that has no source IP address, or that has a non-routable source IP address:

set zone untrust screen ip-spoofing drop-no-rpf-route

The following command sets up a filter that scans HTTP packets for the code-red-worm virus and drops such packets:

set zone untrust screen mal-url code-red

tcp-rst

set zone zone tcp-rst

unset zone zone tcp-rst

tcp-rst Directs the NetScreen device to send back the TCP reset packet when it receives non-sync packets.

vrouter

set zone zone vrouter name_str

vrouter Binds the zone to a virtual router.

Example: The following commands:

• create a new Layer-2 zone named L2-Marketing with VLAN ID number 1

• assign physical interface ethernet7 to the zone

• retrieve zone information:

set zone name L2-Marketing L2 1

set interface ethernet7 zone L2-Marketing

get zone L2-Marketing

Example: The following commands:

• create a new Layer-3 zone named Ext_Dept

• bind the zone to the Untrust virtual router

• enable ip-spoofing and tear-drop screening

• bind interface ethernet4 to the zone:

set zone name Ext_Dept

set zone Ext_Dept vrouter untrust

set zone Ext_Dept screen ip-spoofing

set zone Ext_Dept screen tear-drop

set interface ethernet4 zone Ext_Dept

get zone Ext_Dept

get interface ethernet4
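The following Python audit is an added example, not code from the NetScreen guide: it parses a constructed set of set zone commands in the syntax above and reports Layer-2 zone names that lack the required “L2-” prefix, screen thresholds outside the ranges this section gives (icmp-flood, ip-sweep, port-scan, udp-flood, and the syn-flood timeout), and screens a zone has not enabled relative to a baseline. The baseline set (BASELINE_SCREENS), the sample configuration, and the function names are assumptions made for the example.

```python
# Added audit script (not from the NetScreen guide): checks 'set zone' lines
# against the rules stated in the zone command reference.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Threshold ranges the reference gives for screen options (low, high).
THRESHOLD_RANGES = {
    "icmp-flood": (1, 1_000_000),     # packets per second
    "ip-sweep": (1, 1_000_000),       # microseconds
    "port-scan": (1000, 1_000_000),   # microseconds
    "udp-flood": (1, 1_000_000),      # packets per second
}
SYN_FLOOD_TIMEOUT_RANGE = (1, 50)     # seconds

# Assumed baseline of screens a zone should carry; chosen for this example only.
BASELINE_SCREENS = {"ip-spoofing", "land", "ping-death", "syn-flood",
                    "syn-frag", "tear-drop", "winnuke"}

_NAME_RE = re.compile(r"^set zone name (\S+)(?: L2 (\d+)| tunnel (\S+))?$")
_VROUTER_RE = re.compile(r"^set zone (\S+) vrouter (\S+)$")
_SCREEN_RE = re.compile(r"^set zone (\S+) screen (\S+)(?: (.*))?$")


@dataclass
class Zone:
    name: str
    layer2: bool = False
    vlan_id: Optional[int] = None
    tunnel_out: Optional[str] = None
    vrouter: Optional[str] = None
    screens: Dict[str, List[str]] = field(default_factory=dict)  # option -> params


def _check_thresholds(zone: str, option: str, params: List[str]) -> List[str]:
    """Report screen parameters outside the documented ranges."""
    findings = []
    for key, value in zip(params[::2], params[1::2]):  # e.g. ("threshold", "500")
        if option in THRESHOLD_RANGES and key == "threshold":
            lo, hi = THRESHOLD_RANGES[option]
        elif option == "syn-flood" and key == "timeout":
            lo, hi = SYN_FLOOD_TIMEOUT_RANGE
        else:
            continue
        if not value.isdigit() or not lo <= int(value) <= hi:
            findings.append(f"{zone}: {option} {key} {value} outside {lo}-{hi}")
    return findings


def parse_zone_config(lines) -> Tuple[Dict[str, Zone], List[str]]:
    """Parse 'set zone ...' lines into Zone records plus a list of findings."""
    zones: Dict[str, Zone] = {}
    findings: List[str] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := _NAME_RE.match(line):
            name, vlan, tunnel_out = m.groups()
            zone = zones.setdefault(name, Zone(name))
            if vlan is not None:
                zone.layer2, zone.vlan_id = True, int(vlan)
                if not name.startswith("L2-"):  # naming rule for 'set zone name ... L2'
                    findings.append(f"{name}: Layer-2 zone name must begin with 'L2-'")
            if tunnel_out is not None:
                zone.tunnel_out = tunnel_out
        elif m := _VROUTER_RE.match(line):
            zones.setdefault(m.group(1), Zone(m.group(1))).vrouter = m.group(2)
        elif m := _SCREEN_RE.match(line):
            zname, option, params = m.groups()
            plist = (params or "").split()
            zones.setdefault(zname, Zone(zname)).screens[option] = plist
            findings.extend(_check_thresholds(zname, option, plist))
        else:
            findings.append(f"unrecognised zone command: {line}")
    return zones, findings


def missing_baseline(zone: Zone) -> List[str]:
    """Baseline screens (BASELINE_SCREENS) not enabled on this zone, sorted."""
    return sorted(BASELINE_SCREENS - set(zone.screens))


# Constructed sample configuration for the demonstration, not a device capture.
SAMPLE_CONFIG = """
set zone name L2-Marketing L2 1
set zone name Sales L2 2
set zone name Ext_Dept
set zone Ext_Dept vrouter untrust
set zone Ext_Dept screen ip-spoofing
set zone Ext_Dept screen tear-drop
set zone untrust screen ip-spoofing drop-no-rpf-route
set zone untrust screen syn-flood timeout 20
set zone untrust screen icmp-flood threshold 5000000
set zone untrust screen port-scan threshold 500
set zone untrust screen mal-url code-red
"""

if __name__ == "__main__":
    print("\n".join(parse_zone_config(SAMPLE_CONFIG.splitlines())[1]))
```

Run against the sample it reports three findings: the Sales name, the icmp-flood threshold above 1,000,000, and the port-scan threshold below 1000.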

Appendix A

Universal Security Gateway Architecture (USGA) is a NetScreen proprietary architecture that allows you to create the number of zones your network environment requires, assign the number of interfaces each zone requires, and design each interface to your specifications. On NetScreen devices with multiple interfaces, you can create numerous security zones and configure access policies to regulate traffic between them. You can bind one or more interfaces to each zone and enable management and firewall attack screening options on a per-zone basis.

This appendix covers the following key components:

• Security Zone Names describes the security zones that exist by default, and briefly describes how to create user-defined security zones.

• Interface Names describes interfaces that exist by default, and briefly describes how to create user-defined, logical sub-interfaces.

Security Zone Names

NetScreen devices use zones to host physical and logical interfaces, tunnels, and special-purpose items. Although ScreenOS has a number of default predefined zones, you can create new zones and configure them to meet the requirements of your organization. The names of ScreenOS security zones are as follows.

Layer-2 security zones Use Layer-2 security zones when the NetScreen device operates in Transparent mode.

• v1-trust The V1-Trust zone, which hosts physical interfaces that communicate with trusted network space.

• v1-untrust The V1-Untrust zone, which hosts physical interfaces that communicate with untrusted network space.

• v1-dmz The DMZ zone, which hosts the DMZ physical interface.

• name name_str A user-defined Layer-2 security zone. (You create such zones using the set zone name name_str L2 command.)

Layer-3 security zones Use Layer-3 security zones when the NetScreen device operates in NAT mode or Router mode.

• trust The Trust zone, which hosts physical interfaces (and logical sub-interfaces) that communicate with trusted network space.

• untrust The Untrust zone, which hosts physical interfaces (and logical sub-interfaces) that communicate with untrusted network space.

• global The Global zone, which serves as a storage area for mapped IP (MIP) and virtual IP (VIP) addresses. Because traffic going to these addresses is mapped to other addresses, the Global zone does not require an interface.

• dmz The DMZ zone, which hosts the DMZ physical interface.

• name name_str A user-defined Layer-3 security zone. (You create such zones using the set zone name name_str command.)

Tunnel zones Use tunnel zones to set up VPN tunnels with other NetScreen security devices.

• untrust-tun The Untrust-Tun zone, which hosts VPN tunnels.

• name name_str A user-defined tunnel zone. You create such zones using the set zone name name_str tunnel command.

Function zones Use function zones as described below.

• null The Null zone, which serves as temporary storage for any interfaces that are not currently bound to another zone.

• self The Self zone, which hosts the interface for remote management connections. For example, when you connect to the NetScreen device via HTTP, SCS, or Telnet, you connect to the Self zone.

• ha The HA zone, which hosts the high-availability interfaces, HA1 and HA2.

• mgt The MGT zone, which hosts the out-of-band management interface, MGT.

Interface Names

Most security zones exchange traffic with other zones (or with other devices) through physical interfaces or logical sub-interfaces. The interface names are as follows.

Aggregate interfaces

• aggregaten An aggregate interface, which is a grouping of two physical interfaces. An aggregate interface provides interface redundancy, allowing load sharing and failover.

Ethernet interfaces

• ethernetn A physical ethernet interface, denoted by an interface port n and no slots.

• ethernetn1/n2 A physical ethernet interface, denoted by an interface slot (n1) and a port (n2).

Function interfaces

• mgt An interface bound to the MGT zone.

• ha | ha1 | ha2 The name of the dedicated HA port.

Layer-2 interfaces

• vlan1 The interface used for VPNs and management traffic while the NetScreen device is in Transparent mode.

• v1-trust A Layer-2 interface bound to the Trust zone. Use this interface when the device is in Transparent mode.

• v1-untrust A Layer-2 interface bound to the Untrust zone. Use this interface when the device is in Transparent mode.

• v1-dmz A Layer-2 interface bound to the DMZ zone. Use this interface when the device is in Transparent mode.

Redundant interfaces

• redundantn1 A redundant interface, which is a grouping of physical interfaces (each denoted by n1). Redundant interfaces perform interface failover.

• redundantn1.n2 A logical redundant sub-interface.

Sub-interfaces

• ethernetn1.n2 A logical sub-interface, denoted by an interface port (n1) with no slots. The .n2 parameter identifies the logical interface. You create logical interfaces using the set interface command.

• ethernetn1/n2.n3 A logical sub-interface, denoted by an interface slot (n1) and a port (n2). The .n3 parameter identifies the logical interface. You create logical interfaces using the set interface command.

Tunnel interfaces

• tunnel.n A tunnel interface, used for VPN traffic.
Appendix B

Most CLI commands are available across all NetScreen device platforms. However, some platforms do not support certain commands.

The following table lists the CLI commands, and shows which platforms do not support them.

Command NS-5XP NS-5XT NS-25 NS-50 NS-100 NS-200 NS-500 NS-5000
address
admin
alarm
alias
arp
auth
auth-server
bgp No No
clock
config
console
counter
crypto
dbuf
dialup-group
dip
dns
domain
envar
event
exit
ffilter
file
fips-mode
firewall
flow
ftp
gate
global-pro
glog
group
group-expression
hostname
ike
ike-cookie
interface
intervlan-traffic No No No No No No
ip
ip-classification No No No No No No
ippool
l2tp
lance No
led No
lcd No No No No No No
license-key
log
mac
mac-learn
memory
node_secret
nrtp
nsrp No No No
ntp
os
pci_clock
ospf No No
performance
ping
pki
policy
pppoe No
proxy-id
reset
route
sa
sa-filter
sa-statistics
save
scheduler
scs
service
session
snmp
socket
ssl
sys-clock
syslog
system
tech-support
timer
trace-route
traffic-shaping No
url
user
user-group
vip
vpn
vpn-group
vpnmonitor
vrouter
webauth
webtrends
xauth
zone
