Basic Operation
get hostname - Displays the hostname of the device
set hostname atlanta-firewall - Sets the hostname to atlanta-firewall
get domain - Displays the domain name of the device
set domain skullbox.net - Sets the domain name to skullbox.net
get chassis - Displays chassis information such as temperature, fan status, and slot information
get system - Displays hardware and software information
get config - Displays the complete running configuration
get zone - Displays all zones present in device
set zone name warehouse - Create new zone named warehouse
unset zone warehouse - Removes zone warehouse
get interface - Displays all physical and sub-interfaces
get interface | include tun - Displays all interfaces whose name contains tun (tunnel interfaces)
get interface ethernet0/2 mip - Displays MIP information on specified interface
get arp - Displays the ARP table: the IP addresses and MAC addresses learned by the device
get ssh - Displays active management SSH sessions
Security
set admin manager-ip 10.15.15.0 255.255.255.0 - Sets administrator access from 10.15.15.0/24
Policies
set policy from Cisco2821 to DMZ902 192.168.105.0/24 Any HTTP permit log - Sets policy from
zone Cisco2821 to DMZ902 allowing 192.168.105.0/24 (from Cisco2821) and allows communication to any
IP range in zone DMZ902 over port 80 (HTTP) and logs all traffic. This assumes 192.168.105.0/24 is
contained in the address list.
set policy from Cisco2821 to DMZ902 192.168.105.0/24 Any ANY nat src permit log - Sets policy
from zone Cisco2821 to DMZ902 allowing 192.168.105.0/24 (from Cisco2821) and allows communication to
any IP range in zone DMZ902 over any port and logs all traffic. This assumes 192.168.105.0/24 is contained
in the address list and this policy also performs NAT.
set policy from Untrust to warehouse Any MIP(216.93.242.16) DNS permit - Sets policy allowing
any IP from the Untrust (Internet) zone to the MIP with IP 216.93.242.16, permitting ONLY DNS traffic
set policy from Untrust to warehouse Any MIP(216.93.242.16) ANY deny log - Sets policy from
any IP in the Untrust (Internet) zone to the MIP with IP 216.93.242.16 that DENIES ALL traffic and
logs it
set policy from Guest to Untrust 192.168.109.0/24 Any HTTP nat src dip-id 5 permit - Sets policy
from zone Guest with IP range 192.168.109.0/24 to Untrust (Internet) with any IP, allowing port 80 (HTTP),
performing source NAT using DIP with ID 5
set policy from Untrust to warehouse ras.skullbox.net VIP(ethernet0/2) RDP permit log - Sets
policy from zone Untrust (Internet) with hostname ras.skullbox.net to zone warehouse using the specified
VIP on Ethernet0/2, allowing RDP traffic and logging it
set policy id 43 disable - Keeps policy id 43 in the configuration, but disables it
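The policy lines above share one grammar (zone pair, source, destination or MIP/VIP, service, optional source NAT, action, optional log), and ScreenOS evaluates them top-down within a zone pair, so ordering matters. The following Python audit script is an added example, not part of this cheat sheet: it parses the page's own policy lines and flags permits with service ANY, permits without logging, and permits shadowed by an earlier broad deny. The regex, the Policy type and the audit rules are constructed for this example.

```python
import re
from dataclasses import dataclass

# Grammar of the "set policy from ..." lines on this page: zone pair, source and
# destination address (or MIP/VIP), service, optional "nat src [dip-id N]",
# action and optional "log". Regex and audit rules are constructed for this example.
POLICY_RE = re.compile(
    r"^set policy(?: id (?P<id>\d+))? from (?P<src_zone>\S+) to (?P<dst_zone>\S+)"
    r" (?P<src>\S+) (?P<dst>\S+) (?P<service>\S+)"
    r"(?P<nat> nat src(?: dip-id (?P<dip>\d+))?)?"
    r" (?P<action>permit|deny|reject)(?P<log> log)?$"
)

@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str
    nat: bool
    log: bool

def parse_policy(line):
    """Parse one 'set policy from ...' line; other commands (e.g. 'set policy id 43 disable') give None."""
    m = POLICY_RE.match(line.strip())
    if not m:
        return None
    return Policy(m["src_zone"], m["dst_zone"], m["src"].lower(), m["dst"].lower(),
                  m["service"].upper(), m["action"], m["nat"] is not None, m["log"] is not None)

def audit(lines):
    """Flag permits with service ANY, unlogged permits, and permits shadowed by an
    earlier broad deny (src Any, service ANY) for the same zone pair and destination."""
    findings, broad_denies = [], {}   # broad_denies: zone pair -> destinations already denied
    for n, line in enumerate(lines, 1):
        p = parse_policy(line)
        if p is None:
            continue
        pair = (p.src_zone, p.dst_zone)
        if p.action == "permit":
            if p.service == "ANY":
                findings.append((n, "permit with service ANY"))
            if not p.log:
                findings.append((n, "permit without logging"))
            if broad_denies.get(pair, set()) & {"any", p.dst}:
                findings.append((n, "shadowed by earlier broad deny"))
        elif p.src == "any" and p.service == "ANY":
            broad_denies.setdefault(pair, set()).add(p.dst)
    return findings

# The policy lines from this page, in the order given above
PAGE_POLICIES = [
    "set policy from Cisco2821 to DMZ902 192.168.105.0/24 Any HTTP permit log",
    "set policy from Cisco2821 to DMZ902 192.168.105.0/24 Any ANY nat src permit log",
    "set policy from Untrust to warehouse Any MIP(216.93.242.16) DNS permit",
    "set policy from Untrust to warehouse Any MIP(216.93.242.16) ANY deny log",
    "set policy from Guest to Untrust 192.168.109.0/24 Any HTTP nat src dip-id 5 permit",
    "set policy from Untrust to warehouse ras.skullbox.net VIP(ethernet0/2) RDP permit log",
    "set policy id 43 disable",
]

if __name__ == "__main__":
    for n, msg in audit(PAGE_POLICIES):
        print(f"policy line {n}: {msg}")
```

Feeding the output of `get config | include "set policy"` to `audit` reviews a live device the same way; reversing the DNS permit and the ANY deny for the MIP shows the shadowing finding.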
set zone Untrust screen <option> - Enables the specified SCREEN protection option on zone Untrust [the option names and descriptions for this table are missing]
Network Configuration
set interface ethernet0/2 phy full 1000mb - Sets Ethernet0/2 to full-duplex and 1Gbps (not autonegotiate)
Bgroup Configuration
set interface bgroup3/0 port ethernet3/1 - Adds physical interface Ethernet3/1 to bgroup3/0
set interface bgroup3/0 port ethernet3/2 - Adds physical interface Ethernet3/2 to bgroup3/0
set interface bgroup3/0 zone warehouse - Assigns bgroup3/0 to the warehouse zone
set interface ethernet0/5 phy link-down - Physically disables the port
unset interface ethernet0/5 phy link-down - Physically enables the port
set interface tunnel.5 zone Untrust - Creates tunnel interface with ID 5 assigned to zone Untrust
set interface tunnel.5 ip unnumbered interface ethernet0/2 - Sets tunnel.5 as an unnumbered
interface with Ethernet0/2 as a gateway
set interface ethernet3/10 ip manageable - Enables management on the IP address assigned to
Ethernet3/10
set interface ethernet3/10 manage <service> - Enables the specified management service on Ethernet3/10 [the service names and descriptions for this table are missing]
DHCP Configuration
set interface ethernet0/2 dip 4 216.93.242.13 216.93.242.13 - Sets interface Ethernet0/2 with a DIP
address (ID 4) with a range of 216.93.242.13 to 216.93.242.13
set interface ethernet0/2 mip 216.93.242.14 host 192.168.152.15 netmask 255.255.255.255 vr "trust-vr" - Sets Ethernet0/2 to use 216.93.242.14 as a mapped IP to 192.168.152.15/32 using virtual router
trust-vr
set interface ethernet0/2 vip interface-ip 3389 RDP 192.168.131.15 - Creates a VIP on the interface IP of Ethernet0/2 that forwards port 3389 (RDP) to 192.168.131.15
Routing
set route 10.145.12.0/24 interface bgroup3/0 gateway 10.145.12.254 description "extranet" - Sets routing destined for 10.145.12.0/24 to use interface bgroup3/0 with a gateway of 10.145.12.254 and a
description called extranet
set route 192.168.99.0/24 interface tunnel.5 description "dr-vpn" - Sets routing destined for
192.168.99.0/24 to use interface tunnel.5 with a description called dr-vpn
SNMP Configuration
set snmp community "xoop" Read-Write Trap-on traffic version v1 - Specifies a read-write
community called xoop
set snmp host "xoop" 10.16.0.92/32 src-interface bgroup3/0 trap v1 - Sets the source interface and
destination host for SNMP (version 1) requests and traps
set snmp location "rack 34" - Specifies SNMP location information
set snmp contact "Erik Rodriguez" - Specifies SNMP contact information
set snmp name "corp-firewall" - Specifies SNMP device information
set snmp port listen 161 - Specifies SNMP listen port (default is UDP 161)
set snmp port trap 162 - Specifies SNMP trap port (default is UDP 162)
Syslog Configuration
set syslog <option> - Configures syslog [the arguments and descriptions for this table are missing]
NTP Configuration
set ntp server 216.93.242.12 - Enables NTP with 216.93.242.12 as time source
set ntp server src-interface ethernet3/0 - Uses interface Ethernet3/0 to reach NTP update source
set clock ntp - Enables system clock to sync with NTP
exec ntp update - Forces a sync of the clock with the NTP server
Troubleshooting
trace-route 216.93.242.12 from ethernet3/0 - Performs a traceroute from a specific interface
ping 216.93.242.12 count 100 from ethernet3/11 - Performs ping to 216.93.242.12 with 100 ICMP
echos from interface Ethernet3/11
Sessions
get session src-ip 192.168.1.35 - Displays session information for source device 192.168.1.35
get session dst-ip 216.93.242.12 - Displays session information for destination device 216.93.242.12
get session src-port 3636 - Displays session information for source port 3636
get session dst-port 3389 - Displays session information for destination port 3389
clear session - Immediately clears all software sessions
Events
get event policy-id 35 - Displays any events logged regarding policy ID 35
get event level alert - Displays any logged events deemed Alerts (requiring immediate action)
get event start-date 2011-05-03 - Displays events starting from May 3rd 2011
get event start-time 21:26:42 - Displays events starting from 9:26:42 PM
get event include SPI - Displays events which include SPI (IKE activity)