
NetScreen CLI Reference Guide (Pre-Release Version)

PN  Rev A

Version 3.1.0

NetScreen CLI Reference Guide

Copyright Notice
Copyright 1998-2001 NetScreen Technologies, Inc. NetScreen Technologies, Inc., the NetScreen logo, NetScreen-5XP, NetScreen-10, NetScreen-100, NetScreen-500, NetScreen-1000, NetScreen-Global Manager, NetScreen-Global PRO, NetScreen-Remote, GigaScreen ASIC, and NetScreen ScreenOS are trademarks and NetScreen is a registered trademark of NetScreen Technologies, Inc. All other trademarks and registered trademarks are the property of their respective companies. NetScreen Technologies, Inc. 350 Oakmead Parkway, Suite 500 Sunnyvale, CA 94085 U.S.A. www.netscreen.com

Caution: Changes or modifications to this product could void the user's warranty and authority to operate this device.

Licenses, Copyrights, and Trademarks


NetScreen, the NetScreen logo, NetScreen-Global Manager, NetScreen-Global Pro, NetScreen-Remote, NetScreen-5, NetScreen-10, NetScreen-100, and NetScreen-1000 are registered trademarks or trademarks of NetScreen Technologies, Inc. Adobe, Acrobat, and Acrobat Exchange are trademarks of Adobe Systems Inc. Macintosh is a registered trademark of Apple Computer, Inc., registered in the United States and other countries. Netscape Communicator is a registered trademark of Netscape in the United States and/or other countries. Netscape and Netscape Communicator are registered trademarks of Netscape Communications Corporation and may be registered outside the U.S. SecurID is a registered trademark of Security Dynamics Technologies, Inc. SSH and Secure Shell are trademarks or registered trademarks of SSH Communications Security, Inc. All rights reserved. Solaris is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries. SunNet Manager is a trademark or registered trademark of Sun Microsystems, Inc. in the United States and other countries. UNIX is a registered trademark in the United States and other countries, exclusively licensed through X/Open Company, Ltd. Websense is a registered trademark of Websense, Inc. and Websense's product names are either trademarks, trade names, service marks or registered trademarks of Websense. WebTrends is a registered trademark of WebTrends. Microsoft, Windows and Windows NT, and NetMeeting, are trademarks or registered trademarks of Microsoft Corporation in the U.S.A. and/or other countries. HyperTerminal is a registered trademark of Hilgraeve Corporation. All other product names mentioned in this manual are trademarks or registered trademarks of their respective manufacturers.

THE SPECIFICATIONS REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS, ELECTRONIC OR MECHANICAL, FOR ANY PURPOSE, WITHOUT RECEIVING WRITTEN PERMISSION FROM NETSCREEN TECHNOLOGIES INC.

FCC Statement
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference in a light commercial installation. This equipment generates, uses and can radiate radio frequency energy, and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:

- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Consult the dealer or an experienced radio/TV technician for help.
- Connect the equipment to an outlet on a circuit different from that to which the receiver is connected.

PRODUCT LICENSE AGREEMENT


PLEASE READ THIS LICENSE AGREEMENT ("AGREEMENT") CAREFULLY BEFORE USING THIS PRODUCT. BY INSTALLING AND OPERATING, YOU INDICATE YOUR ACCEPTANCE OF THE TERMS OF THIS LEGAL AND BINDING AGREEMENT AND ARE CONSENTING TO BE BOUND BY AND ARE BECOMING A PARTY TO THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS AGREEMENT, DO NOT START THE INSTALLATION PROCESS. 1. License Grant. This is a license, not a sales agreement, between you, the end user, and NetScreen Technologies, Inc. ("NetScreen"). The term "Software" includes all NetScreen and third party Software provided to you with the NetScreen product, and includes any accompanying documentation, any updates and enhancements of the Software provided to you by NetScreen, at its option. NetScreen grants to you a non-transferable (except as provided in section 3 (Transfer) below), non-exclusive license to use the Software in accordance with the terms set forth in this License Agreement. The Software is in use on the product when it is loaded into temporary memory (i.e. RAM). 2. Limitation on Use. You may not attempt, and if you are a corporation, you will use best efforts to prevent your employees and contractors from attempting to, (a) modify, translate, reverse engineer, decompile, disassemble, create derivative works based on, sublicense, or distribute the Software or the accompanying documentation; (b) rent or lease any rights in the Software or accompanying documentation in any form to any person; or (c) remove any proprietary notice, labels, or marks on the Software, documentation, and containers. 3. Transfer. You may transfer (not rent or lease) the Software to the end user on a permanent basis, provided that: (i) the end user receives a copy of this Agreement and agrees in writing to be bound by its terms and conditions, and (ii) you at all times comply with all applicable United States export control laws and regulations.

4. Proprietary Rights. All rights and title and interest in and to, and all intellectual property rights, including copyrights, to the software, and documentation, remain with NetScreen. You acknowledge that no title to the intellectual property in the Software is transferred to you and you will not acquire any rights to the Software except for the license as specifically set forth herein. 5. Term and Termination. The term of the license is for the duration of NetScreen's copyright in the Software. NetScreen may terminate this Agreement immediately without notice if you breach or fail to comply with any of the terms and conditions of this Agreement. You agree that, upon such termination, you will either destroy all copies of the documentation or return all materials to NetScreen. The provisions of this Agreement, other than the license granted in Section 1 (License Grant) shall survive termination. 6. Limited Warranty. For a period of ninety (90) days after delivery to Customer, NetScreen will repair or replace any defective software product shipped to Customer, provided it is returned to NetScreen at Customer's expense within that period. NetScreen warrants to Customer that such product will substantially conform with NetScreen's published specifications for that product if properly used in accordance with the procedures described in documentation supplied by NetScreen. NetScreen's exclusive obligation with respect to non-conforming product shall be, at NetScreen's option, to replace the product or use commercially reasonable efforts to provide Customer with a correction of the defect, or to refund to Customer the purchase price paid for the unit. Defects in the product will be reported to NetScreen in a form and with supporting information reasonably requested by NetScreen to enable it to verify, diagnose, and correct the defect.
For returned product, the customer shall notify NetScreen of any nonconforming product during the warranty period, obtain a return authorization for the nonconforming product from NetScreen, and return the nonconforming product to NetScreen's factory of origin with a statement describing the nonconformance. NOTWITHSTANDING ANYTHING HEREIN TO THE CONTRARY, THE FOREGOING IS CUSTOMER'S SOLE AND EXCLUSIVE REMEDY FOR BREACH OF WARRANTY BY NETSCREEN WITH RESPECT TO THE PRODUCT. The warranties set forth above shall not apply to any Product or Hardware which has been modified, repaired or altered, except by NetScreen, or which has not been maintained in accordance with any handling or operating instructions supplied by NetScreen, or which has been subjected to unusual physical or electrical stress, misuse, abuse, negligence or accidents. THE FOREGOING WARRANTIES ARE THE SOLE AND EXCLUSIVE WARRANTIES EXPRESS OR IMPLIED GIVEN BY NETSCREEN IN CONNECTION WITH THE PRODUCT AND HARDWARE, AND NETSCREEN DISCLAIMS ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. NETSCREEN DOES NOT PROMISE THAT THE PRODUCT IS ERROR-FREE OR WILL OPERATE WITHOUT INTERRUPTION. 7. Limitation of Liability. IN NO EVENT SHALL NETSCREEN OR ITS LICENSORS BE LIABLE UNDER ANY THEORY FOR ANY INDIRECT, INCIDENTAL, COLLATERAL, EXEMPLARY, CONSEQUENTIAL OR SPECIAL DAMAGES OR LOSSES SUFFERED BY YOU OR ANY THIRD PARTY, INCLUDING WITHOUT LIMITATION LOSS OF USE, PROFITS, GOODWILL, SAVINGS, LOSS OF DATA, DATA FILES OR PROGRAMS THAT MAY HAVE BEEN STORED BY ANY USER OF THE SOFTWARE. IN NO EVENT WILL NETSCREEN'S OR ITS LICENSORS' AGGREGATE LIABILITY CLAIM BY YOU, OR ANYONE CLAIMING THROUGH OR ON BEHALF OF YOU, EXCEED THE ACTUAL AMOUNT PAID BY YOU TO NETSCREEN FOR SOFTWARE. Some jurisdictions do not allow the exclusions and limitations of incidental, consequential or special damages, so the above exclusions and limitations may not apply to you. 8. Export Law Assurance. You understand that the Software is subject to export control laws and regulations. YOU MAY NOT DOWNLOAD OR OTHERWISE EXPORT OR RE-EXPORT THE SOFTWARE OR ANY UNDERLYING INFORMATION OR TECHNOLOGY EXCEPT IN FULL COMPLIANCE WITH ALL UNITED STATES AND OTHER APPLICABLE LAWS AND REGULATIONS. 9. U.S. Government Restricted Rights. If this Product is being acquired by the U.S. Government, the Product and related documentation is commercial computer Product and documentation developed exclusively at private expense, and (a) if acquired by or on behalf of a civilian agency, shall be subject to the terms of this computer Software, and (b) if acquired by or on behalf of units of the Department of Defense (DoD) shall be subject to terms of this commercial computer Software license Supplement and its successors. 10. Tax Liability. You agree to be responsible for the payment of any sales or use taxes imposed at any time whatsoever on this transaction. 11. General. If any provisions of this Agreement are held invalid, the remainder shall continue in full force and effect. The laws of the State of California, excluding the application of its conflicts of law rules, shall govern this License Agreement. This Agreement will not be governed by the United Nations Convention on the Contracts for the International Sale of Goods. This Agreement is the entire agreement between the parties as to the subject matter hereof and supersedes any other Technologies, advertisements, or understandings with respect to the Software and documentation. This Agreement may not be modified or altered, except by written amendment, which expressly refers to this Agreement and which is duly executed by both parties. You acknowledge that you have read this Agreement, understand it, and agree to be bound by its terms and conditions.


Contents

Preface
  Who Should Read This Manual?
  Organization
  NetScreen Publications

Getting Started
  Before You Begin
  Connecting the NetScreen Device to the PC
  Conventions
  CLI Command Syntax Format
    Dependency Delimiters
    Embedded Dependencies
    Availability of CLI Commands and Features
    Sample Syntax Presentation Format
  Availability of CLI Commands, Switches and Parameters

Set Commands
  set address, set admin, set alarm, set alias, set arp, set audible-alarm, set auth, set clock, set console, set dbuf, set dialupgroup, set dip, set dns, set domain, set envar, set ffilter, set fips-mode, set firewall, set flow, set ftp, set group, set ha, set hostname, set ike, set interface, set intervlantraffic, set ip, set ippool, set l2tp, set lcd, set log, set mac, set mip, set natt, set ntp, set pki, set policy, set pppoe, set scheduler, set scs, set service, set snmp, set ssl, set syslog, set temperature-threshold, set timer, set traffic-shaping, set url, set user, set vpn, set vpnmonitor, set vrouter, set vsys, set webtrends, set zone

Get Commands
  get address, get admin, get alarm, get alias, get arp, get audible-alarm, get auth

Clear Commands
  clear admin, clear alarm, clear arp, clear audible-alarm, clear auth, clear counter, clear crypto, clear dbuf, clear dhcp, clear dns, clear file, clear ike-cookie, clear l2tp, clear led, clear log, clear mac-learn, clear node_secret, clear pppoe, clear sa, clear sastat, clear session, clear url

Miscellaneous Commands
  exec dhcp, exec dns, exec ha, exec ntp, exec ping, exec pki, exec pppoe, exec save, exec scs, exec software-key, exec trace-route, exit, ping, reset, save, trace-route

Resetting the Device to Factory Default Settings

USGA Features
  Security Zones
  Interfaces

Index

Preface
The NetScreen CLI Reference Guide describes the commands used to configure and manage a NetScreen device from a console interface. This manual is an ongoing publication, published with each NetScreen OS release.

WHO SHOULD READ THIS MANUAL?


This document is for system and network administrators who have experience configuring a NetScreen device using the Web interface. Using the command line interface requires familiarity with command syntax, arguments, and variables.

ORGANIZATION
The NetScreen Command Line Reference Guide is organized into the following chapters:
- Getting Started includes an introduction and instructions on how to connect a PC to the NetScreen device. It also explains the command syntax format used in this manual.
- Set Commands describes the commands used to configure the NetScreen device.
- Get Commands describes the commands used to display system configuration parameters and data.
- Clear Commands describes the commands used to remove or clear the data collected in various tables, buffers, and memory.
- Miscellaneous Commands includes descriptions for commands that do not belong in any other category.

NETSCREEN PUBLICATIONS
Please refer to the following guides for information about your NetScreen products.


NetScreen Concepts & Examples ScreenOS Reference Guide
A guide to the ScreenOS used to manage NetScreen devices. This guide presents the concepts behind NetScreen product features, and provides examples illustrating those concepts in practice.

NetScreen CLI Reference Guide
A compendium of all the command line interface (CLI) commands. Each command description presents the command's syntax, explains its arguments, and provides examples.

What's New In ScreenOS 3.10
A manual with descriptions of all new CLI commands, and commands that have changed since the last version. It also lists (without describing) the commands that are unchanged or removed since the last version.

NetScreen-Remote Administrator's Guide
A manual for installing and using the NetScreen-Remote software. NetScreen-Remote allows a remote user to connect to a NetScreen device via a virtual private network (VPN) tunnel.

NetScreen Message Reference Guide
This manual documents the log messages that appear in ScreenOS 3.0.0. Each log message entry includes the message text, its meaning, and any recommended action to take upon receiving the message.

ScreenOS Release Notes
A set of notes containing an overview of new features, lists of addressed issues and known issues, and suggested bug fixes and work-arounds.

NetScreen-Global PRO Report Manager Installer & User's Guide
A guide to installing and configuring all components of Report Manager, including the Data Collectors, Master Controllers, and Consoles.

NetScreen-Global PRO Report Manager Console User's Guide
A guide to using the Report Manager Console to govern the components in the NetScreen-Global PRO suite and generate realtime and historic reports.

NetScreen-Global PRO Historical Reports Guide
This guide explains the out-of-the-box integration between NetScreen-Global PRO and Crystal Decisions' Crystal Reports. This allows you to create historical reports.

NetScreen-Global PRO Integration Module for Netcool
A guide for installing, configuring and using the NetScreen-Global PRO Integration Module for Micromuse Netcool.


NetScreen-Global Manager User's Guide
A manual for NetScreen-Global Manager software. This is a tool for services and enterprise providers to control security for multi-site networks from a single location. This management application offers concurrent centralized configuration and policy administration for all NetScreen security systems and appliances.

NetScreen-Global PRO Policy Manager Installer & User's Guide
This document contains the complete procedures for installing the NetScreen-Global PRO Netra Server, and includes a tutorial intended to familiarize the user with the Policy Manager software.

NetScreen-Global PRO Express Realtime Monitor Installer & User's Guide
A guide to installing, configuring, and using the Express Realtime Monitor and the Netra Server for Realtime Reports.


Getting Started

This chapter provides information on how to connect a personal computer (PC) to the NetScreen device so that you can configure the device using the Command Line Interface (CLI). You enter commands at the CLI through a console application such as Telnet or HyperTerminal. Note: The examples in this guide display output generated from an IBM-compatible PC running the Windows operating system.


BEFORE YOU BEGIN


Gain access to the NetScreen device you wish to configure, and obtain these items before you start setup:
- a PC to connect to the NetScreen device
- an RS-232 male-to-female serial cable
- a copy of Microsoft's HyperTerminal software, available on the PC

Note: If you are using a different operating system, you need a VT100 terminal emulator on that system. The terminal emulator allows you to configure the NetScreen device using a console from any operating system, including Windows, UNIX, LINUX, or Macintosh. If you are configuring the NetScreen device from a remote location, use Telnet to access the console.

To communicate with the NetScreen device using a console, use a 9600 baud rate, 8 bits, no parity, 1 stop bit, and no flow control.


CONNECTING THE NETSCREEN DEVICE TO THE PC


It is not necessary to power off either the PC or the NetScreen device, or to close any running applications on the PC, before connecting it to the NetScreen device. To connect the NetScreen device to the PC:
1. Connect the female end of the RS-232 cable to the serial port on the PC.
2. Connect the male end of the RS-232 cable to the serial port on the NetScreen device. This port is labeled Diagnostics.


CONVENTIONS
The following conventions apply to all NetScreen commands:
- To remove a single character, press BACKSPACE or CTRL+H.
- To remove an entire line, press CTRL+U.
- To traverse up to 16 lines forward in the command history buffer, press CTRL+F or the DOWN ARROW key.
  Note: To use the arrow keys for navigating among commands in a Telnet session on Windows 95, 98, NT, or 2000: On the Terminal menu, click Preferences, select the VT100 Arrows check box, and click the OK button.
- To traverse up to 16 lines backward in the command history buffer, press CTRL+B or the UP ARROW key.
- To see the next available keyword or input and a brief description of its usage, type a question mark ( ? ).
- IP addresses are represented by <ip_addr>. A subnet mask is represented by <mask>.
- The console times out and the connection is closed if no keyboard activity is detected for 10 minutes.

Note: Items you enter into the system are shown in bold text.


CLI COMMAND SYNTAX FORMAT


Each CLI command description in this manual reveals some aspect of command syntax. This syntax may include options, switches, parameters, and other features. To illustrate syntax rules, some command descriptions use dependency delimiters.

Dependency Delimiters
Each syntax description shows the dependencies between command features by using special characters.
- The { and } symbols denote a mandatory feature. Features enclosed by these symbols are essential for execution of the command.
- The [ and ] symbols denote an optional feature. Features enclosed by these symbols are not essential for execution of the command, although omitting such features might adversely affect the outcome.
- The | symbol denotes an "or" relationship between two features. When this symbol appears between two features on the same line, you can use either feature (but not both). When this symbol appears at the end of a line, you can use the feature on that line, or the one below it.

Embedded Dependencies
Many CLI commands have embedded dependencies, which make features optional in some contexts, and mandatory in others. The two hypothetical features shown below demonstrate this principle.

    [ feature_1 { feature_2 } ]

In this example, the delimiters [ and ] surround the entire clause. Consequently, you can omit both feature_1 and feature_2, and still execute the command successfully. However, because the delimiters { and } surround feature_2, you must include feature_2 if you include feature_1. Otherwise, you cannot successfully execute the command. The following example shows some of the set interface command's feature dependencies.

    set interface vlan1 broadcast { flood | arp [ trace-route ] }


The { and } brackets indicate that specifying either flood or arp is mandatory. By contrast, the [ and ] brackets indicate that the arp option's trace-route switch is not mandatory. Thus, the command might take any of the following forms:

    ns-> set interface vlan1 broadcast flood
    ns-> set interface vlan1 broadcast arp
    ns-> set interface vlan1 broadcast arp trace-route
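The delimiter rules above can be applied mechanically, which is useful when you want to check a batch of commands (a change script, a saved configuration) against the documented syntax before pushing it to a device. The following Python program is an added example and is not code from this guide or from NetScreen. It parses a syntax description written in this manual's notation ({ } mandatory, [ ] optional, | alternatives, <name> placeholders, nested to any depth), enumerates every command form the description permits, and reports whether a typed command is one of them. The sample syntax strings and commands are taken from this chapter; the treatment of a compound placeholder such as <ip_addr>/<mask> as one token matching one argument is an assumption of this example.

```python
"""Enumerate and validate command forms written in the guide's syntax notation.

Added example (not from the NetScreen CLI Reference Guide). Delimiter rules:
{ } = mandatory, [ ] = optional, | = alternatives, <name> = one argument.
"""
import re
from itertools import product

# A delimiter is a single token; anything else up to whitespace or a delimiter
# is one word or placeholder, so "<ip_addr>/<mask>" stays a single token.
TOKEN_RE = re.compile(r"[{}\[\]|]|[^\s{}\[\]|]+")


def tokenize(syntax):
    return TOKEN_RE.findall(syntax)


def _parse_alternatives(tokens, pos, closer):
    """Parse '|'-separated sequences up to `closer` (None = end of input).

    Returns (alternatives, next_pos). Each alternative is a list of items:
    ("word", text), ("required", alternatives) or ("optional", alternatives).
    """
    alternatives, seq = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == closer:
            alternatives.append(seq)
            return alternatives, pos + 1
        if tok == "|":
            alternatives.append(seq)
            seq = []
            pos += 1
        elif tok == "{":
            inner, pos = _parse_alternatives(tokens, pos + 1, "}")
            seq.append(("required", inner))
        elif tok == "[":
            inner, pos = _parse_alternatives(tokens, pos + 1, "]")
            seq.append(("optional", inner))
        elif tok in ("}", "]"):
            raise ValueError(f"unexpected {tok!r} at token {pos}")
        else:
            seq.append(("word", tok))
            pos += 1
    if closer is not None:
        raise ValueError(f"missing closing {closer!r}")
    alternatives.append(seq)
    return alternatives, pos


def parse(syntax):
    """Parse a syntax description into its top-level alternatives."""
    alternatives, _ = _parse_alternatives(tokenize(syntax), 0, None)
    return alternatives


def _expand_sequence(seq):
    """Every token list a sequence can produce (cartesian product of its items)."""
    choices = []
    for kind, value in seq:
        if kind == "word":
            choices.append([[value]])
        else:
            options = [form for alt in value for form in _expand_sequence(alt)]
            if kind == "optional":
                options.append([])  # the whole bracketed clause may be omitted
            choices.append(options)
    return [sum(combo, []) for combo in product(*choices)]


def expand(syntax):
    """All distinct command forms the description permits, in notation order."""
    forms, seen = [], set()
    for alt in parse(syntax):
        for tokens in _expand_sequence(alt):
            form = " ".join(tokens)
            if form not in seen:
                seen.add(form)
                forms.append(form)
    return forms


def _token_matches(pattern_tok, cmd_tok):
    """A keyword must match exactly; each <name> placeholder matches one argument."""
    if "<" not in pattern_tok:
        return pattern_tok == cmd_tok
    literal_parts = re.split(r"<[^>]+>", pattern_tok)
    regex = r"\S+".join(re.escape(part) for part in literal_parts)
    return re.fullmatch(regex, cmd_tok) is not None


def is_valid(syntax, command):
    """True if `command` (without the ns-> prompt) is a form that `syntax` permits."""
    cmd = command.split()
    for form in expand(syntax):
        pat = form.split()
        if len(pat) == len(cmd) and all(map(_token_matches, pat, cmd)):
            return True
    return False


if __name__ == "__main__":
    vlan = "set interface vlan1 broadcast { flood | arp [ trace-route ] }"
    for form in expand(vlan):
        print("permitted:", form)
    print(is_valid(vlan, "set interface vlan1 broadcast trace-route"))  # False
```

Run as a script it prints the three permitted forms listed above and rejects `set interface vlan1 broadcast trace-route`, which omits the mandatory arp keyword. Because the parser handles nested delimiters, the same functions accept the longer hierarchical descriptions used later in this chapter once their line breaks are joined.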

Availability of CLI Commands and Features


As you execute CLI commands using the syntax descriptions in this manual, you may find that certain commands and command features are unavailable for your NetScreen device model. Because NetScreen devices treat unavailable features as improper syntax, attempting to use such a feature usually generates the unknown keyword error message. When this message appears, confirm the feature's availability using the ? switch. For example, the following commands list available options for the set vpn command:

    ns-> set vpn ?
    ns-> set vpn vpn_name ?
    ns-> set vpn gateway gate_name ?

Sample Syntax Presentation Format


This manual displays command syntax using a hierarchical, structured presentation format. This format reveals the command's syntax, feature dependencies, and basic structure. The example below shows the syntax description for the set interface command.

    set interface {
      ethernet<n> | ethernet<n1>/<n2> | ethernet<n1>/<n2>.<n3> {
        bandwidth <number> |
        dip <number> [ <ip_addr> [ <ip_addr> [ fix-port ] ] ] |
        ident-reset |
        ip <ip_addr>/<mask> { tag <id_num> } |
        manage-ip <ip_addr> |
        mip <ip_addr> { host <ip_addr> [ netmask <mask> ] [ vrouter <name_str> ] } |
        nat |
        route |
        secondary |
        vip <ip_addr> [ <port_num> | + [ <name_str> <ip_addr> [ manual ] ] ] |
        zone <name_str>
      } |
      ethernet<n> | ethernet<n1>/<n2> | ethernet<n1>/<n2>.<n3> | mgt | vlan1 {
        ip <ip_addr>/<mask> |
        manage-ip <ip_addr> |
        phy { auto | full | half } { 10mb | 100mb }
      } |
      vlan1 {
        broadcast { flood | arp [ trace-route ] } |
        bypass-non-ip |
        bypass-others-ipsec |
        vlan { trunk }
      }
    }

The following command gives subinterface ethernet3/1.2 IP address 172.168.40.3/24, and assigns to it VLAN tag 3:

    ns-> set interface ethernet3/1.2 ip 172.168.40.3/24 tag 3


AVAILABILITY OF CLI COMMANDS, SWITCHES AND PARAMETERS


As you execute CLI commands using the syntax descriptions in this manual, you may find that certain commands and command features are unavailable for your NetScreen device model. A good example is the set vsys command, which is available on a NetScreen-500 device, but not on a NetScreen-5xp device. Similarly, some command options are unavailable on certain models, as with the df-bit option of the set vpn command. This option is available on the NetScreen-500, but not on the NetScreen-5xp. Because NetScreen devices treat unavailable features as improper syntax, attempting to use such a feature usually generates the unknown keyword error message. When this message appears, confirm the feature's availability using the ? switch. For example, the following commands list available options for the set vpn command:

    ns-> set vpn ?
    ns-> set vpn vpn_name ?
    ns-> set vpn gateway gate_name ?


Set Commands
Use the set commands to enter system configuration parameters.

Note: As you execute CLI commands using the syntax descriptions in this chapter, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the set vsys command, which is available on a NetScreen-500 device, but not on a NetScreen-5xp device. Similarly, some command options are unavailable on certain models, as with the df-bit option of the set vpn command. This option is available on a NetScreen-500, but not on a NetScreen-5xp.


set address
Description: Use the set address command to define an entry in the address book of a security zone. You use address book entries to identify addressable entities in policy definitions.

Syntax
set address <zone> <name_str> { <dom_name> | <ip_addr> { <mask> } } [ <string> ]

unset address <zone>

Arguments

<zone>
  The name of the security zone. The default security zones to which you can bind an address book include Trust, Untrust, Global, DMZ, V1-Trust, V1-Untrust, and V1-DMZ. You can also assign address book entries to user-defined zones. For more information on zones, see Security Zones in USGA.

<name_str>
  The name of the address book entry.

<dom_name>
  The host domain name.

<ip_addr>
  The host IP address.

<mask>
  The host subnet mask.

<string>
  A character string containing a comment line.

Defaults
Most zones have the following system-defined Address Book entries:


Any
  Any host connected through an interface bound to the zone.

Dial-Up VPN
  Any dialup hosts connected through an interface bound to the zone.

Examples
To define an entry named webserver in the address book of the DMZ zone, with an IP address 172.16.50.9 and a netmask 255.255.255.254:

    ns-> set address dmz webserver 172.16.50.9 255.255.255.254

To define an entry named odie in the address book of the Trust zone, with an IP address 172.16.10.1 and a netmask 255.255.255.255, with a comment of Mary_Desktop:

    ns-> set address trust odie 172.16.10.1 255.255.255.255 Mary_Desktop

To delete an entry named my-partner from the address book of the Untrust zone:

    ns-> unset address untrust my-partner

See Also
See the set policy and get address commands.


set admin
Description: Use the set admin command to configure the administrative parameters for the NetScreen device.

Syntax
set admin {
  auth {
    radius-port <port_num> |
    secret <shar_secr> |
    server-name { <name_str> | <ip_addr> } |
    timeout <number> |
    type { local | radius }
  } |
  device-reset |
  format { dos | unix } |
  hw-reset |
  mail {
    alert |
    mail-addr1 <ip_addr> |
    mail-addr2 <ip_addr> |
    server-name { <ip_addr> | <name_str> } |
    traffic-log
  } |
  manager-ip <ip_addr> [ <mask> ] |
  name <name_str> |
  password <pswd_str> |
  port <port_num> |
  scs { password { disable | enable { username <name_str> } } | port <port_num> } |
  sys-ip <ip_addr> |
  telnet port <port_num> |
  user <name_str> { password <pswd_str> } [ privilege { all | read-only } ]
}


unset admin {
  auth { radius-port | secret | server-name | timeout | type } |
  device-reset |
  format |
  hw-reset |
  mail { alert | mail-addr1 | mail-addr2 | server-name | traffic-log } |
  manager-ip { <ip_addr> | all } |
  name |
  password |
  port |
  scs port |
  sys-ip |
  telnet port |
  user <name_str>
}

$UJXPHQWV
auth radius-port <port_num> Server port for a RADIUS server. The possible range of port numbers is from 1024 to 65535. secret <shar_secr> Shared secret for a RADIUS server. server-name <name_str> The IP address or the server name (DNS configured and enabled) of the RADIUS server. timeout <number> Specifies the length of idle time (in minutes) before the NetScreen device automatically closes the administrative session. The value can be up 999 minutes. A <number> value of 0 indicates that an inactive administrative session never times out.

1HW6FUHHQ &/, 5HIHUHQFH *XLGH

 6HW &RPPDQGV

type { local | radius } local: Checks the admin name in the internal database only. radius: Checks for the admin name in the internal database. If the admin name is not found, checks in the RADIUS server. device-reset format { dos | unix } Enables device reset for asset recovery. Applies to all NetScreen devices. This switch determines the format used to generate a configuration file. On some Netscreen device models, you can download this file to a TFTP server or PCMCIA card using the CLI, and to a local directory using WebUI. Executes a hardware reset for asset recovery. (Not available on all NetScreen device models.) Enables email for sending alerts and traffic logs. alert Collects system alarms from the device for sending to an email address. traffic-log Collects a log of network traffic handled by the NetScreen device. The traffic log can contain a maximum of 4,096 entries. The NetScreen device sends a copy of the log file to each specified email address (see the mail-addr1 and mail-addr2 switches below). This happens when the log is full, or every 24 hours, depending upon which occurs first. mail-addr1 <ip_addr> Sets the first email address for sending alert and traffic logs. mail-addr2 <ip_addr> Sets a second email address for sending alert and traffic logs. server-name { <ip_addr> | <name_str> } The IP address or name of the Simple Mail Transfer Protocol (SMTP) server that receives email notification of system alarms and traffic logs.

hw-reset mail

1HW6FUHHQ &/, 5HIHUHQFH *XLGH

 6HW &RPPDQGV

manager-ip <ip_addr> | <mask>
    Restricts management to an IP address for a remote host or subnet. The default IP address is 0.0.0.0, which allows management from any workstation. All NetScreen devices allow you to specify up to six hosts or subnets at once. When using the unset admin manager-ip command, specify one or all of the six possible management IP addresses.
name <name_str>
    The login name of the root user for the NetScreen device. The maximum length of the name is 31 characters, including all symbols except ?. The name is case-sensitive.
password <pswd_str>
    Specifies the password of the root user. The maximum length of the password is 31 characters, including all symbols except the special command character ?.
port <port_num>
    Sets the port number for detecting configuration changes when using the web. Use any number between 1024 and 32767, or use the default port number 80. Changing the admin port number might require resetting the device (see the reset command).
scs
    Provides access to the Secure Command Shell (SCS) utility. SCS allows you to administer NetScreen devices from an Ethernet connection or a dial-in modem, thus providing CLI access over unsecure channels.
    port <port_num>: Specifies the logical SSH port through which the SCS communication occurs.
    password: Sets the password for the user that establishes the SCS session. The enable | disable switch enables or disables password authentication. The username <name_str> option specifies the admin user name.


sys-ip <ip_addr>
    The system IP address for managing the NetScreen device. If the NetScreen device is in NAT or Route mode, the system IP address must be in the same subnet as the physical interface through which you plan to access the system IP address.
telnet port <port_num>
    Provides CLI access through a TELNET connection.
user <name_str>
    The login name of non-root administrators (super-administrators and sub-administrators) for the NetScreen device. The maximum length of the user name is 31 characters, including all symbols except ?. The user name is case-sensitive.
    privilege { all | read-only }
        Defines the administrative privilege level:
        - all sets the level of privilege to super-administrator. This administrator can execute all commands except those that modify the root user or other super-administrators. A super-administrator cannot change his or her own name.
        - read-only sets the level of privilege to sub-administrator. This administrator can only execute the enter, trace-route, exit, get, and ping commands.

Defaults
The default admin name and password are netscreen. The default manager-ip is 0.0.0.0, and the default subnet mask is 255.255.255.255. The default sys-ip is 192.168.1.1 (it is 209.125.148.254 before firmware 1.61). The default privilege for a super-administrator is read only. The default admin port is 80. The default mail alert setting is off.

Examples
To change the root administrator user name to paul:


ns-> set admin name paul
To change the root administrator login password to build4you:
ns-> set admin password build4you
To assign a level-2 administrator named joe with the password angel:
ns-> set admin user joe password angel privilege all
To generate the configuration file in UNIX format:
ns-> set admin format unix
To change the port number for the Web administrative interface to 8000:
ns-> set admin port 8000
To enable email notification for system alarms:
ns-> set admin mail alert
To enable email notification of traffic logging:
ns-> set admin mail traffic-log
To configure john@abc.com as the email address to receive updates on administrative issues:
ns-> set admin mail mail-addr1 john@abc.com
To specify 172.16.34.100 as the email server to receive administrative email notification:
ns-> set admin mail server-ip 172.16.34.100
To set the administrator password back to netscreen:
ns-> unset admin password
To disable email notification of system alarms:
ns-> unset admin mail alert

See Also
See the get admin and reset commands.
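The admin settings above (default name netscreen, manager-ip 0.0.0.0 meaning any host, at most six manager-ip entries, the 31-character name rule, console timeout 0 meaning no timeout) are the kind of thing an operator wants to audit in a saved configuration. The following is an added example, not code from the guide or from NetScreen: it checks a constructed ScreenOS-style config excerpt against those documented rules and lists the reference's own command forms as fixes, with <...> placeholders for site values.

```python
import re
from dataclasses import dataclass

# Constructed sample configuration (not captured from a real device): the
# kind of lines a ScreenOS 'get config' dump shows for admin settings.
SAMPLE_CONFIG = """\
set admin name netscreen
set admin port 80
set admin manager-ip 0.0.0.0 255.255.255.255
set admin manager-ip 172.16.5.20 255.255.255.255
set admin mail alert
set console timeout 0
"""

DEFAULT_ADMIN_NAME = "netscreen"   # reference: default admin name and password
MAX_MANAGER_IPS = 6                # reference: up to six hosts or subnets
MAX_NAME_LEN = 31                  # reference: 31 characters, any symbol except ?
DEFAULT_CONSOLE_TIMEOUT = 10       # reference: default login timeout, minutes


@dataclass
class Finding:
    line: str
    issue: str
    fix: str   # command form from the reference; <...> are placeholders


def audit_admin_config(config_text: str) -> list:
    """Flag weak admin/console settings in a ScreenOS-style config dump."""
    findings = []
    manager_ips = []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"set admin name (\S+)", line)
        if m:
            name = m.group(1)
            if name == DEFAULT_ADMIN_NAME:
                findings.append(Finding(line, "root admin name is the default",
                                        "set admin name <new_name>"))
            if len(name) > MAX_NAME_LEN or "?" in name:
                findings.append(Finding(line, "admin name breaks the 31-char / no '?' rule",
                                        "set admin name <new_name>"))
            continue
        m = re.fullmatch(r"set admin manager-ip (\S+)(?: (\S+))?", line)
        if m:
            manager_ips.append(m.group(1))
            if m.group(1) == "0.0.0.0":
                findings.append(Finding(line, "manager-ip 0.0.0.0 permits management from any host",
                                        "unset admin manager-ip 0.0.0.0; "
                                        "set admin manager-ip <host_or_subnet> <mask>"))
            continue
        m = re.fullmatch(r"set console timeout (\d+)", line)
        if m and int(m.group(1)) == 0:
            findings.append(Finding(line, "console timeout 0 never logs the admin out",
                                    f"set console timeout {DEFAULT_CONSOLE_TIMEOUT}"))
    if len(manager_ips) > MAX_MANAGER_IPS:
        findings.append(Finding("set admin manager-ip ...",
                                f"{len(manager_ips)} manager-ip entries exceed the limit of {MAX_MANAGER_IPS}",
                                "unset admin manager-ip <ip_addr>"))
    return findings


def remediation_script(findings) -> list:
    """Collect the fix commands in order, without duplicates."""
    seen, script = set(), []
    for f in findings:
        for cmd in f.fix.split("; "):
            if cmd not in seen:
                seen.add(cmd)
                script.append(cmd)
    return script


if __name__ == "__main__":
    found = audit_admin_config(SAMPLE_CONFIG)
    for f in found:
        print(f"{f.line!r}: {f.issue}")
    print("\n".join(remediation_script(found)))
```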

set alarm
Description: Use the set alarm command to set alarm parameters.

Syntax
set alarm threshold { CPU <number> | memory <number> }
unset alarm threshold { CPU | memory }

Arguments
threshold
    CPU <number>: Percentage of CPU used (1 to 100%).
    memory <number>: Percentage of threshold memory used (1 to 100%).

Defaults
Default thresholds are 95% for memory and 90% for CPU utilization.

Examples
To set the CPU utilization threshold to 90%:
ns-> set alarm threshold CPU 90

See Also
See the get alarm and clear alarm commands.


set alias
Description: Use the set alias command to create an alias for a CLI command.

Syntax
set alias <name_str> <string>
unset alias <name_str>

Arguments
<name_str>: The name of the CLI command alias.
<string>: The CLI command to which you assign the alias.

Defaults
None

Examples
The following commands assign an alias to the command get interface ethernet1/1, then execute the command using the alias.
ns-> set alias int_1 "get interface ethernet1/1"
ns-> int_1

See Also
See the get alias command.


set arp
Description: Use the set arp command to create an entry for an interface in the ARP (Address Resolution Protocol) table.

Syntax
set arp { <ip_addr> <mac_addr> <interface> age <number> | always-on-dest | no-cache }
unset arp { <ip_addr> | age | always-on-dest | no-cache }

Arguments
<ip_addr>: Specifies the IP address for the interface in the ARP table entry.
<mac_addr>: Specifies the MAC address for the interface in the ARP table entry.
<interface>: The name of the ARP interface in the ARP table entry. For more information on interfaces, refer to Interfaces in USGA Features.
age <number>: Sets the age-out value (in seconds) for ARP entries.


always-on-dest: Directs the NetScreen device to send an ARP request and obtain a MAC address for any incoming packet whose header contains a MAC address not yet listed in the device's MAC address table. This option may be required when packets originate from server load-balancing (SLB) switches or from devices using the Hot Standby Router Protocol/Virtual Router Redundancy Protocol (HSRP/VRRP).
no-cache: Turns off the cache capability.

Defaults
The always-on-dest setting is disabled by default.

Examples
To create an entry in the ARP table for physical interface ethernet4/2 with IP address 10.1.1.1 and MAC address 00104587bd22:
ns-> set arp 10.1.1.1 00104587bd22 ethernet4/2
To delete the ARP entry for interface ethernet3/1 with IP address 172.16.9.23 and MAC address 00201034a98c:
ns-> unset arp 172.16.9.23 ethernet3/1

See Also
See the clear arp and get arp commands.

Notes
To display the current always-on-dest setting, use the get arp command.


set audible-alarm
Description: Use the set audible-alarm command to activate the audible alarm feature.

Syntax
set audible-alarm { all | fan-failed | module-failed | power-failed | temperature }
unset audible-alarm { all | fan-failed | module-failed | power-failed | temperature }

Arguments
all: Enables the audible alarm in the event of a fan failure, an interface module failure, a power supply failure, or a temperature increase above an admin-defined threshold.
fan-failed: Enables the audible alarm in the event of a fan failure.
module-failed: Enables the audible alarm in the event of an interface module failure.
power-failed: Enables the audible alarm in the event of a power supply failure.
temperature: Enables the audible alarm if the temperature rises above an admin-defined threshold.


Defaults
The audible alarm is inactive by default.

Examples
To enable the audible alarm to sound in the event that one or more of the fans in the fan assembly fails:
ns-> set audible-alarm fan-failed

See Also
See the set temperature-threshold, get temperature, get audible-alarm, and clear audible-alarm commands.


set auth
Description: Use the set auth command to specify a method for user authentication. The four available methods are:
- a built-in database
- a RADIUS server
- SecurID
- Lightweight Directory Access Protocol (LDAP)

When the NetScreen device is using SecurID to authenticate users and is not communicating properly with the ACE server, check the clear node_secret command to clear the current SecurID shared secret so that you can reset.

Syntax
set auth {
    ldap server-name { <ip_addr> | <name_str> } { <port_num> { <name_str> { <name_str> } } } |
    radius-port <port_num> |
    secret <shar_secr> |
    securid { auth-port <port_num> | duress <number> | encr <number> | master { <ip_addr> | <name_str> } | retries <number> | slave { <ip_addr> | <name_str> } | timeout <number> } |
    server-name <serv_name> |
    timeout <number> |
    type { 0 | 1 | 2 | 3 }
}


unset auth { radius-port | secret | server-name | securid | ldap | timeout | type }

Arguments
ldap server-name: Defines the RADIUS server for user authentication.
    <ip_addr>: Specifies the IP address of the RADIUS server.
    <name_str>: The LDAP distinguished name (the directory path where users are listed in the LDAP server).
    <port_num>: The listening port number of the LDAP server.
    <name_str>: The LDAP common name identifier (the user name in the LDAP server directory).
radius-port <port_num>: Specifies the RADIUS server port number. Valid range is 1024 to 65535.
secret <shar_secr>: Defines the password shared between the NetScreen device and the RADIUS server. It is used to authenticate all transactions between the two devices.
securid
    auth-port <port_num>: Specifies the port number to use for communications with the SecurID server.
    slave <ip_addr> | <name_str>: Specifies either the IP address or the name for the secondary SecurID server.
    duress <number>: Specifies if the SecurID server is licensed to use duress mode. For <number>, 0 defines False and 1 defines True.
    encr <number>: Specifies the encryption algorithm for SecurID network traffic. A value of 0 specifies SDI, and 1 specifies DES. The default type DES is recommended.


    master <ip_addr> | <name_str>: Specifies either the IP address or the name for the primary SecurID server.
    retries <number>: Specifies the number of retries allowed for attempting authentication with the SecurID server.
    timeout <number>: Specifies the length of time (in seconds) that the NetScreen device waits between authentication retry attempts.
server-name <serv_name>: Specifies the RADIUS server's IP address or server name.
timeout <number>: Specifies the length of idle time in minutes before terminating authentication status. Valid range is from 0-255 minutes.
type { 0 | 1 | 2 | 3 }: Specifies the type of authentication to use. Specify 0 for the built-in NetScreen database, 1 for a RADIUS server, 2 for SecurID, and 3 for an LDAP server.

Defaults
The NetScreen built-in user database is used by default. The SecurID authentication port is 5500 with DES encryption type. The number of client retries is 3 and the timeout is 3 seconds. The user authentication idle timeout is 10 minutes.

Examples
To define the RADIUS shared secret as mysecret:
ns-> set auth secret mysecret
To specify the SecurID server's IP address as 172.16.22.1 with authentication port 500, using the Data Encryption Standard (DES) algorithm:
ns-> set auth securid master 172.16.22.1
ns-> set auth securid auth-port 500
ns-> set auth securid encr 1


To use the built-in user database of the NetScreen device for user authentication:
ns-> set auth type 0

Notes
When the NetScreen device is using SecurID to authenticate users and is not communicating properly with the ACE server, execute the clear node_secret command to ensure it is set correctly for both machines.

See Also
See the clear auth, get auth, and clear node_secret commands.


set clock
Description: Use the set clock command to set the system time on the NetScreen device.

Syntax
set clock { <date> | dst-off | ntp | timezone <number> }
unset clock { dst-off | ntp | zone }

Arguments
<date>: Specifies the month, day, year, and 24-hour time. Specify the date, hour, and minutes in the following format: <mm/dd/yyyy hh:mm>.
dst-off: Turns off the automatic time adjustment for daylight saving time.
ntp: Configures the device for Network Time Protocol (NTP), which synchronizes computer clocks in the Internet.
zone <number>: Sets the current time zone offset compared to GMT standard time. Set the number between -12 and 12.

Defaults
The NetScreen device automatically adjusts its system clock for daylight saving time.

Examples
To define the system time as November 3, 2001 at 1:30 PM:
ns-> set clock 11/03/2001 13:30
To turn off daylight saving time:
ns-> set clock dst-off


See Also
See the get clock, set ntp, get ntp, and exec ntp commands.


set console
Description: Use the set console command to define the console parameters. When debug mode is enabled on the NetScreen device, all debugging messages are displayed in the console. If this generates too much information at once, use the dbuf parameter to store the messages in a buffer so that you can later retrieve them with the get dbuf command. If console access has been disabled, re-enable it with the unset console disable command through a Telnet connection.

Syntax
set console { dbuf | disable | page <number> | timeout <number> }
unset console { dbuf | disable | page | timeout }

Arguments
dbuf: Stores the console messages in a buffer for later retrieval.
disable: Disables access to the console. Two confirmations are required to disable access to the console. Saves the current NetScreen configuration and closes the current login session.
page <number>: An integer value specifying how many lines appear on each page.


timeout <number>: Determines how much time (in minutes) the device waits before logging the administrator out of the console session when the administrator stops making keyboard entries. A value of 0 means the console never times out.

Defaults
Access to the console is enabled by default. The console displays 22 lines per page by default. The default login timeout is set to 10 minutes. The NetScreen device sends console messages to the buffer by default.

Examples
To redirect all debugging messages to the buffer:
ns-> set console dbuf
To disable console access:
ns-> set console disable
To define 20 lines per page displayed on the console:
ns-> set console page 20
To define the console timeout value as 40 minutes:
ns-> set console timeout 40

See Also
See the get console, clear dbuf, and get dbuf commands.


Notes
When debug mode is enabled, the NetScreen device displays all debugging messages in the console. If this generates too much information at once, use the dbuf option to store the messages in a buffer so that you can retrieve them later with the get dbuf command. If console access has been disabled, re-enable it with the unset console disable command through a Telnet connection.


set dbuf
Description: Use the set dbuf command to adjust the system buffer size dynamically.

Syntax
set dbuf size <num>
unset dbuf size

Arguments
size <num>: Indicates the size of the system buffer in kilobytes.

Defaults
The default buffer sizes for the various NetScreen devices are:
NetScreen-1000: 1024 kilobytes
NetScreen-500: 1024 kilobytes
NetScreen-100p: 1024 kilobytes
NetScreen-100: 512 kilobytes
NetScreen-10: 128 kilobytes
NetScreen-5: 32 kilobytes

The range of values for the buffer size is from 32 to 4096 kilobytes.

Examples
To change the buffer size to the maximum size allowed:


ns-> set dbuf size 4096

See Also
See also the get memory command.


set dialup-group
Description: Use the set dialup-group command to create a group of remote users. Different platforms can have different numbers of users in a dialup group. An access policy for a dialup group applies to all the members in the group. Consequently, all the group members must be the same kind, either IKE/L2TP users or Manual Key users.

Syntax
set dialup-group <name_str> [ { + | - } <name_str> ]
unset dialup-group <name_str>

Arguments
<name_str>: Assigns a name to the dialup group.
{ + <name_str> }: Adds a remote VPN user to the group, where <name_str> is the name of the user.
{ - <name_str> }: Deletes a remote VPN user from the group, where <name_str> is the name of the user.

Defaults
None.

Examples
To define a dialup user group called telecommuters:
ns-> set dialup-group telecommuters
To add a remote VPN user named john-home to the telecommuters group:
ns-> set dialup-group telecommuters + john_home


To delete a remote VPN user named amy-home from the telecommuters group:
ns-> set dialup-group telecommuters - amy_home
To delete the telecommuters group:
ns-> unset dialup-group telecommuters

See Also
See the get dialup-group command.

Notes
A dialup-group may contain a maximum of 100 remote dialup users. An Access Policy for a dialup-group applies to all the members in the group. Consequently, all the group members must be the same kind, either IKE dynamic peers (Auto Key) or VPN dialup users (Manual Key).


set dip
Description: Use the set dip command to set up a Dynamic IP (DIP) pool configuration.

Syntax
set dip { <ip_addr>-<ip_addr> | <ip_addr> <mask> }
unset dip <id_num>

Arguments
<ip_addr>-<ip_addr>: A range of addresses to include in the DIP pool.
<ip_addr> <mask>: A range of addresses expressed with a subnet mask.

Defaults
None.

Examples
To create a DIP pool encompassing the IP range from 172.16.10.10 to 172.16.10.100:
ns-> set dip 172.16.10.10-172.16.10.100

See Also
See the get dip, set vip, and set interface commands.


set dns
Description: Use the set dns command to configure Domain Name Services.

Syntax
set dns { forward | host { dns1 <ip_addr> | dns2 <ip_addr> | schedule <string> } }
unset dns { forward | host { dns1 | dns2 | schedule } }

Arguments
forward: Sets up forwarding of DNS requests.
host
    dns1 <ip_addr>: Specifies the primary DNS host.
    dns2 <ip_addr>: Specifies the secondary DNS host.
    schedule <string>: Specifies the time of day to refresh DNS entries. The format of this parameter is hh:mm.


Examples
To set up a host as the primary DNS server at 172.16.10.101:
ns-> set dns host dns1 172.16.10.101
To schedule a refresh time of 23:59 each day:
ns-> set dns host schedule 23:59

See Also
See the get dns, clear dns, and exec dns commands.


set domain
Description: Use the set domain command to set the domain name of the NetScreen device.

Syntax
set domain <name_str>
unset domain

Arguments
<name_str>: Defines the domain name of the NetScreen device.

Defaults
None.

Example
To set the domain of the NetScreen device to netscreen:
ns-> set domain netscreen

See Also
See the get domain and unset domain commands.


set envar
Description: Use the set envar command to define the location of the environment variables files.

Syntax
set envar <loc_str>
unset envar <loc_str>

Arguments
<loc_str>: The location of the environment variables files.

Defaults
On the NetScreen-1000, the default slot is slot 1.

Examples
To define the location of the system configuration as file2.cfg in slot 2:
ns-> set envar slot2:file2.cfg

See Also
See the get envar command.


set ffilter
Description: Use the set ffilter command to create filters for the debug flow output. These filters restrict the display to traffic matching one or a combination of the following:
- a specific source IP address
- destination IP address
- source port
- destination port
- IP protocol

Syntax
set ffilter [ src-ip <ip_addr> ] [ dst-ip <ip_addr> ] [ ip-proto <ptcl_num> ] [ src-port <port_num> ] [ dst-port <port_num> ]
unset ffilter [ <id_num> ]

Arguments
src-ip <ip_addr>: Defines the source IP address.
dst-ip <ip_addr>: Defines the destination IP address.
ip-proto <ptcl_num>: Defines the assigned IP protocol number, where <ptcl_num> is a value between 0 and 255.
src-port <port_num>: Defines the port number for the source IP address. Port numbers range from 0 to 65535.
dst-port <port_num>: Defines the port number for the destination IP address. Port numbers range from 0 to 65535.


Defaults
None.

Examples
To create a filter for all traffic from a host with IP address 172.16.10.1:
ns-> set ffilter src-ip 172.16.10.1
To create a filter for all SMTP traffic destined for a host with IP address 192.168.3.2:
ns-> set ffilter dst-ip 192.168.3.2 dst-port 25
To set a filter for all packets between the source IP address 172.16.10.88 and destination IP address 192.168.9.77:
ns-> set ffilter src-ip 172.16.10.88 dst-ip 192.168.9.77
To set a filter for all packets with IP protocol number 17, the User Datagram Protocol (UDP):
ns-> set ffilter ip-proto 17
To erase all filter settings:
ns-> unset ffilter

See Also
See the get ffilter command.

Notes
When necessary, you can add more arguments to an existing debug filter. For example, if you have already set a filter for packets between a source IP and a destination IP, you can later specify port numbers for the packets. Adding a new argument to an existing filter actually modifies an existing argument. For example, if you configure a filter to trap IP packets having IP protocol 51, and you then set a trap for IP packets having IP protocol 200, the NetScreen device replaces the 51 trap with the 200 trap. To prevent this, create new filters.


set fips-mode
Description: Use the set fips-mode command to put a NetScreen device in FIPS mode. In FIPS mode, certain security features are disabled. For information on these features, refer to the Cryptographic Module Security Policy manual.

Syntax
set fips-mode { enable }
unset fips-mode { enable }

Defaults
The default mode is non-FIPS mode.

Examples
To put a NetScreen device in FIPS mode:
ns-> set fips-mode enable
To take a NetScreen device out of FIPS mode:
ns-> unset fips-mode enable


set firewall
Description: Use the set firewall command to enable logging of dropped packets. Note: NetScreen devices perform most firewall services at the interface level. Consequently, you configure individual interfaces to perform firewall services. For more information, refer to the set interface command.

Syntax
set firewall { log-self { ike | snmp } }
unset firewall { log-self { ike | snmp } }

Arguments
log-self: Enables logging of dropped packets and pings received by the NetScreen device. The ike switch enables logging of IKE packets, and the snmp switch enables logging of SNMP packets.

Defaults
The following firewall features are enabled by default:
log-self: off
ike: on
snmp: off

Examples
To enable logging of dropped IKE packets:


ns-> set firewall log-self ike
To enable logging of dropped SNMP packets:
ns-> set firewall log-self snmp

See Also
See the get firewall, set interface, and get interface commands.


set flow
Description: Use the set flow command, when the NetScreen device is in Transparent mode, to adjust the initial session timeout value and avoid packet fragmentation.

Syntax
set flow { allow-dns-reply | check-session | initial-timeout <number> | mac-flooding | max-frag-pkt-size <number> | no-tcp-seq-check | path-mtu | tcp-mss | tcp-syn-check }
unset flow { allow-dns-reply | check-session | initial-timeout | mac-flooding | max-frag-pkt-size | no-tcp-seq-check | path-mtu | tcp-mss | tcp-syn-check }

Arguments
allow-dns-reply: Allows a DNS reply packet without a matched request.


check-session: Creates a lookup session on the management slot to avoid duplication.
initial-timeout <number>: Defines the length of time in minutes that the NetScreen device keeps an initial session in the session table before dropping it, or until the device receives a FIN or RST packet. The range of time is from 1 to 6 minutes.
path-mtu: Enables path-MTU (maximum transmission unit) discovery. If the NetScreen device receives a packet that must be fragmented, it sends an ICMP packet suggesting a smaller packet size.
mac-flooding: Enables the NetScreen device to pass a packet across the firewall even if its destination MAC address is not in the MAC learning table.
max-frag-pkt-size <number>: The maximum allowable size for a packet fragment.
no-tcp-seq-check: Skips the sequence number check in stateful inspection.
tcp-mss: Enables the TCP-MSS (TCP Maximum Segment Size) option. The NetScreen device modifies the MSS value in the TCP packet to avoid fragmentation caused by the IPSec operation.
tcp-syn-check: Checks the TCP SYN bit before creating a session.

Defaults
The default initial timeout value is 1 minute. The MAC-flooding feature is enabled by default.

Examples
To change the length of time that an initial session remains in the session table to 2 minutes:
ns-> set flow initial-timeout 2
To enable the TCP-MSS feature:
ns-> set flow tcp-mss


Notes
This command can be configured in any mode, but is active only in Transparent mode.


set ftp
Description: Use the set ftp command to allow FTP services for non-port-20 traffic to negotiate any data port number. In the unset condition, a NetScreen device does not recognize certain FTP services that negotiate a data port other than port 20. When this feature is enabled, it allows FTP servers to negotiate dynamically any data port that the FTP server proposes. The session is still metered by the stateful inspection monitor.

Syntax
set ftp { data-port any }
unset ftp { data-port any }

Arguments
data-port any: Specifies any FTP data port except port 20.

Defaults
The default condition is unset.

Example
To enable a NetScreen device to negotiate the data port number for a Quick FTP service:
ns-> set ftp data-port any


Notes
In the unset condition, a NetScreen device does not recognize certain FTP services that negotiate a data port other than port 20. When this feature is enabled, it allows FTP servers to negotiate dynamically any data port that the FTP server proposes. The stateful inspection monitor still monitors the session.


set group
Description: Use the set group command to group several addresses or several services under a single name. This allows you to reference a group of addresses or services by name in an access policy.

Syntax
set group { address <zone> { <name_str> [ add ] [ <string> ] } | service <name_str> [ add <name_str> [ comment <string> ] ] }
unset group { address { trust | untrust | <name_str> | v1-trust | v1-untrust | v1-dmz | global | dmz | untrust-tun | null | self | ha | mgt } <name_str> [ remove <name_str> | clear ] | service <name_str> [ remove <name_str> | clear ] }

Arguments
address <zone>: Specifies the zone to which the address group is bound. The default security zones include Trust, Untrust, Global, DMZ, V1-Trust, V1-Untrust, and V1-DMZ. You can also specify user-defined zones. For more information on zones, see Security Zones in USGA Features.
    add <name_str>: Adds the address named <name_str> to the address group.
    comment <string>: Adds a comment <string> to the entry.


    remove <name_str>: Removes the address named <name_str> from the address group. If you do not specify an address group member, the unset group address command deletes the entire address group.
    clear: Removes all the members of an address or service group.
service <name_str>: Defines the group as a service group, and defines its name.
    add <name_str>: Adds the service named <name_str> to the service group.
    remove <name_str>: Removes the service named <name_str> from the service group. If you do not specify a service group member, the unset group service command deletes that entire service group.

Defaults
None.

Examples
To create an empty address group for the trusted interface and name it headquarters:
ns-> set group address trust headquarters
To create an empty service group and name it web-browsing:
ns-> set group service web-browsing
To create an address group named engineering for the trusted interface and add the address hw-eng to the group:
ns-> set group address trust engineering add hw-eng
To remove the address for admin-pc from the engineering address group:
ns-> unset group address trust engineering remove admin-pc
To create a service group named inside-sales and add the service AOL to the group:
ns-> set group service inside-sales add AOL
To remove the service PC-Anywhere from the service group named inside-sales:


ns-> unset group service inside-sales remove PC-Anywhere
To remove the trusted address group named engineering:
ns-> unset group address trust engineering
To remove the service group named inside-sales:
ns-> unset group service inside-sales

See Also
See the set address, set service, and get group commands.

Notes
You cannot include addresses for trusted, untrusted and dmz interfaces within the same group. Each address group and service group you create must have a unique name. For example, you cannot create a trusted group and an untrusted group each named outside-sales. Similarly, you cannot use the same address group name as a service group name. You cannot add the following addresses to a group:
- inside any
- outside any
- dialup vpn
- dmz any

You cannot add the ANY service to a group. While an access policy references a group, you cannot remove the group, although you can modify it. You can add only one member to a group at a time.


The maximum number of groups that you can create and the maximum number of members for each group vary with the NetScreen device model.
NetScreen Device: Number of Address Groups / Number of Members per Group
NetScreen-5: 16 / 16
NetScreen-5xp: 16 / 16
NetScreen-10: 32 / 32
NetScreen-100: 64 / 64
NetScreen-204: 64 / 128
NetScreen-208: 64 / 128
NetScreen-500: 128 / 128
NetScreen-5000: 16000 / 1024

See Also
See the get group command.


set ha
Description: Use the set ha command to enable and configure High Availability (HA) for a NetScreen device.

Syntax
set ha {
    arp <number> |
    auth password <pswd> |
    encrypt { password <pswd> } |
    fast-mode |
    group <id_num> |
    interface <name_str> |
    link-hold-time <number> |
    monitor <name_str> |
    priority <number> |
    second-path [ <name_str> ] |
    session off |
    track { ip [ <ip_addr> [ interval <number> | method { arp | ping } | threshold <number> | weight <number> ] ] | threshold <number> }
}


unset ha { arp <number> | auth | encrypt | fast-mode | group | interface | link-hold-time | monitor [ dmz | trust | untrust ] | priority | second-path | session off }

Arguments
arp <number>: Sets the number of ARP requests that a newly elected master unit sends out, notifying other network devices of its presence. The default is 2.
auth password <pswd>: Specifies that the NetScreen device performs HA communications authentication using the specified password. Valid passwords contain from 1 to 16 characters.
encrypt password <pswd>: Specifies that the NetScreen device encrypts HA communications using the specified password. Valid passwords contain from 1 to 16 characters.
fast-mode: When a redundant group has only two members (a master and a backup) you can quicken the failover procedure by using the fast-mode option. This option essentially eliminates the election process. Because there is only one possible candidate to become the master, there is no need to determine which unit to promote.
group <id_num>: Defines an identification number for the redundant group, where <id_num> can be between 0 and 255. If you specify 0, high availability (HA) is disabled.
interface <name_str>: The name of the interface. For more information on interfaces, refer to Interfaces in USGA Features.
link-hold-time <number>: Sets the link down time on the backup unit.


monitor <name_str>: Sets the monitor interface. The interfaces you can specify for monitoring are as follows.
- ethernet<n>
- ethernet<n1>.<n2>
- ethernet<n1>/<n2>
- ethernet<n1>/<n2>.<n3>
- mgt

For more information on interfaces, refer to Interfaces in USGA Features.
priority <number>: Assigns a number to define:
- which unit is the master unit when two NetScreen devices in a redundant group power up simultaneously
- which backup unit becomes the next master during a failover
- the unit with the number closest to 1 becomes the master unit

second-path <name_str>: Specifies a backup unit interface for HA communication, should the primary link fail. The interfaces you can set up for backup are as follows.
- ethernet<n>
- ethernet<n1>.<n2>
- ethernet<n1>/<n2>
- ethernet<n1>/<n2>.<n3>
- mgt
- ha | ha1 | ha2

For more information on interfaces, refer to Interfaces in USGA Features.
session off: Stops the master HA unit from propagating a session's services to the other members of the redundant group.
track ip <ip_addr>: Enables path tracking, which is a means of checking the network connection between a NetScreen interface and that of another device. The IP address <ip_addr> indicates the other network device to be checked.
    interval <number>: Defines the frequency for checking an IP address. You can set the interval between 1 and 200 seconds.

1HW6FUHHQ &/, 5HIHUHQFH *XLGH



 6HW &RPPDQGV

method { arp | ping } Determines the method to perform path tracking. threshold <number> Specifies the number of consecutive unanswered requests required to constitute a failed attempt at reaching a remote network device. weight <number> Assigns an importance to the tracked remote address. A value of 16 denotes the most important, and 1 the least. For example, if a NetScreen device fails to get 3 consecutive responses from an IP address with a weight of 16, the number of failed attempts is 48. track threshold <number> Sets the number of failed attempts required to initiate a failover. The range is between 1 and 255.

Defaults
The default group ID number is 0, which means that HA is disabled. The default priority number is 100. The default method for path tracking is pinging. The default interval for path tracking is 1 second. The default number of unanswered requests considered as a failed attempt is 3. The default weight is 1. The default track threshold required to initiate a failover is 255.
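The following is an added example, not NetScreen code: it models the path-tracking arithmetic described above (consecutive unanswered probes reaching the per-address threshold count as threshold x weight failed attempts, and a failover is initiated once the total across tracked addresses reaches the track threshold). The probe log is constructed sample data, and the rule that a reply clears an address's contribution is an assumption of this model.

```python
from dataclasses import dataclass


@dataclass
class TrackedIp:
    """One 'set ha track ip <ip_addr> ...' entry."""
    ip: str
    interval: int = 1        # seconds between probes, 1..200 (page default 1)
    method: str = "ping"     # arp or ping (page default ping)
    threshold: int = 3       # consecutive unanswered probes = one failed attempt
    weight: int = 1          # 1 (least important) .. 16 (most important)
    consecutive_misses: int = 0
    failed: bool = False

    def __post_init__(self):
        if not 1 <= self.interval <= 200:
            raise ValueError("interval must be 1..200 seconds")
        if self.method not in ("arp", "ping"):
            raise ValueError("method must be arp or ping")
        if not 1 <= self.weight <= 16:
            raise ValueError("weight must be 1..16")

    def record(self, answered: bool) -> None:
        """Feed one probe result; the address fails after `threshold` misses in a row."""
        if answered:
            self.consecutive_misses = 0
            self.failed = False          # assumption: a reply clears the failure
        else:
            self.consecutive_misses += 1
            if self.consecutive_misses >= self.threshold:
                self.failed = True

    @property
    def failed_attempts(self) -> int:
        # 3 misses at weight 16 count as 48 failed attempts, as in the reference
        return self.threshold * self.weight if self.failed else 0


class PathTracker:
    """The per-device side: 'set ha track threshold <number>' (1..255, default 255)."""

    def __init__(self, track_threshold: int = 255):
        if not 1 <= track_threshold <= 255:
            raise ValueError("track threshold must be 1..255")
        self.track_threshold = track_threshold
        self.targets = {}

    def track(self, ip: str, **options) -> TrackedIp:
        self.targets[ip] = TrackedIp(ip, **options)
        return self.targets[ip]

    def probe(self, ip: str, answered: bool) -> None:
        self.targets[ip].record(answered)

    def failed_attempts(self) -> int:
        return sum(t.failed_attempts for t in self.targets.values())

    def failover_needed(self) -> bool:
        return self.failed_attempts() >= self.track_threshold


def demo():
    """Constructed probe log: a heavily weighted next hop and a default-weight host."""
    tracker = PathTracker(track_threshold=50)
    tracker.track("172.16.66.170", interval=5, threshold=3, weight=16)
    tracker.track("10.1.1.1")            # page defaults: ping every 1 s, threshold 3, weight 1
    probes = [("172.16.66.170", False), ("10.1.1.1", True), ("172.16.66.170", False),
              ("172.16.66.170", False), ("10.1.1.1", False), ("10.1.1.1", False),
              ("10.1.1.1", False), ("172.16.66.170", True)]
    history = []
    for ip, answered in probes:
        tracker.probe(ip, answered)
        history.append((tracker.failed_attempts(), tracker.failover_needed()))
    return history
```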

Examples
To define the HA group ID as 3:
ns-> set ha group 3

To disable high availability:
ns-> unset ha group
or
ns-> set ha group 0

To enable path tracking to IP address 172.16.66.170 every 5 seconds:
ns-> set ha track ip 172.16.66.170 interval 5

Notes
The color of the Status LED indicates whether a NetScreen device is operating as a master or a backup unit. Green indicates the device is running in master mode, and yellow indicates the backup mode. The key <hex_key> and the password <pswd> option are both available when the device is in FIPS mode. The key <hex_key> option is unavailable when the NetScreen device is not in FIPS mode.

See Also
See the get ha and exec ha commands.


set hostname
Description: Use the set hostname command to define the name of the NetScreen device. This is the name that appears in the console.

Syntax
set hostname <name_str>
unset hostname

Arguments
<name_str> Sets the name of the NetScreen device.

Defaults
For NetScreen-5xp, it is ns5xp. For NetScreen-10, it is ns10. For NetScreen-100, it is ns100. For NetScreen-500, it is ns500. For NetScreen-1000, it is ns1000.

Examples
To change a NetScreen device's hostname to acme:
ns-> set hostname acme

To reset the NetScreen device hostname to the default value:
acme-> unset hostname

See Also
See the get hostname command.


set ike
Definition: Use the set ike command to define the Phase 1 and Phase 2 proposals and the gateway for an AutoKey IKE (Internet Key Exchange) VPN tunnel, and to specify other IKE parameters.

Syntax

Phase 1 Proposal
set ike p1-proposal <name_str> [ DSA-Sig | RSA-Sig | preshare [ group1 | group2 | group5 ] ] { esp { 3des | des | aes128 { md5 | sha-1 [ days <number> | hours <number> | minutes <number> | seconds <number> ] } } }

Phase 2 Proposal
set ike p2-proposal <name_str> [ group1 | group2 | group5 | no-pfs ] { esp { 3des | des | aes128 | null } | ah } [ md5 | null | sha-1 [ days <number> | hours <number> | minutes <number> | seconds <number> ] ] [ kbyte <number> ] ] }

Gateway
set ike gateway <name_str> { dialup <name_str> | dynamic <name_str> | heartbeat { hello <number> | threshold <number> } | ip <ip_addr> [ id <id_str> ] } [ aggressive | main ] [ local-id <id_str> ] [ preshare <key_str> ] { proposal <name_str> [ <name_str> ] [ <name_str> ] [ <name_str> ] } | { cert { my-cert <id_num> | peer-ca <id_num> | peer-cert-type { pkcs7 | x509-sig } } | nat-traversal [ udp-checksum | keepalive-frequency <number> ] | disable-udp-checksum | enable-udp-checksum }

Other IKE Command Switches
set ike { accept-all-proposal | heartbeat | policy-checking | single-ike-tunnel <name_str> | soft-lifetime-buffer <number> | respond-bad-spi <spi_num> | initiator-set-commit | responder-set-commit | id-mode { ip | subnet } }
set ike initial-contact [ all-peers | single-gateway <name_str> | single-user <name_str> ]
unset ike { accept-all-proposal | gateway | initial-contact | p1-proposal <name_str> | p2-proposal <name_str> | accept-all-proposal | policy-checking | heartbeat | initial-contact | initiator-set-commit | respond-bad-spi | responder-set-commit | single-ike-tunnel <name_str> }
unset ike gateway <name> [ my-cert | peer-ca | peer-cert-type | nat-traversal [ udp-checksum ] ]

Arguments

p1-proposal <name_str>
Names the IKE Phase 1 proposal, which contains parameters for creating and exchanging session keys and establishing security associations. You can specify up to four Phase 1 proposals.

DSA-Sig | RSA-Sig | preshare
Specifies the method to authenticate the source of IKE messages. preshare refers to a Preshared key; that is, a key for encryption and decryption that both participants have before beginning tunnel negotiations. RSA-Sig and DSA-Sig refer to two kinds of digital signatures, which are certificates testifying that the certificate holder is who he or she claims to be. Preshared key is the default method.

esp
Specifies Encapsulating Security Payload, a protocol that provides both encryption and authentication.

des | 3des | aes128
Specifies the encryption algorithm used in the ESP protocol.

md5 | null | sha-1
Specifies the authentication (hashing) algorithm used in the ESP protocol. The default algorithm is SHA-1, the stronger of the two algorithms.

group1 | group2 | group5
Identifies the Diffie-Hellman group, a technique that allows two parties to negotiate encryption keys over an insecure medium, such as the Internet. Group2 is the default group.

days <number> | hours <number> | minutes <number> | seconds <number>
Defines the elapsed time between each attempt to renegotiate another security association. The minimum allowable lifetime is 180 seconds. The default lifetime is 28800 seconds.

p2-proposal <name_str>
Names the IKE Phase 2 proposal, which defines the parameters for creating and exchanging the session key and security association for securing data to be sent through the IPSec tunnel. You can specify up to four Phase 2 proposals.

group1 | group2 | group5 | no-pfs
Defines how the NetScreen device generates the encryption key. Perfect Forward Secrecy (PFS) is a method for generating each new encryption key independently from the previous key. Selecting no-pfs turns this feature off, specifying that IKE generates the Phase 2 key from the key generated in the Phase 1 exchange. If you specify one of the Diffie-Hellman groups, IKE automatically uses PFS when generating the encryption key. The default is Group 2.

ah | esp
In a Phase 2 proposal, identifies the IPSec protocol: either Authentication Header (AH), which provides authentication, or Encapsulating Security Payload (ESP), which provides encryption (and/or authentication).

null
Specifies that either no encryption or no authentication applies. You cannot select null for both encryption and authentication.

kbyte <number>
Indicates the maximum allowable data flow in kilobytes before NetScreen renegotiates another security association. The default value is 0 (infinity).

gateway <name_str>
Specifies the name of the remote tunnel gateway.

heartbeat
Specifies the IKE heartbeat protocol parameters.

hello <number>
Sets the IKE heartbeat protocol interval in seconds.

threshold <number>
Sets the number of retries before the NetScreen device forces renegotiation of the Phase 1 and Phase 2 keys.

dialup <name_str>
Identifies an IKE dialup user or dialup group. To specify a user's attributes, use the set user command. To specify a dialup group's attributes, use the set dialup command.

dynamic <name_str>
Specifies that the remote gateway has a dynamically assigned IP address. <name_str> defines the IKE identity of the remote peer device.

ip <ip_addr>
Defines the static IP address of the remote gateway.

nat-traversal
Enables or disables IPsec NAT-Traversal, a feature that allows transmission of encrypted traffic through a NAT device. The NAT Traversal feature encapsulates ESP packets into UDP packets. This prevents the NAT device from altering ESP packet headers in transit, thus preventing authentication failure on the peer NetScreen device. udp-checksum enables the NAT-Traversal UDP checksum operation (used for UDP packet authentication). keepalive-frequency specifies how many seconds of inactivity the NetScreen device allows before disabling NAT Traversal.

id <id_str>
(Optional) Identifies the remote gateway. Identification can be in one of the following three forms:
- an IP address
- a fully qualified domain name (FQDN); for example, www.netscreen.com
- an RFC822 name; that is, an email name such as joe@netscreen.com

Include the peer ID only when you want to enforce identifying the peer gateway with the specified ID. The NetScreen device checks the peer's ID payload to see if it matches the specified ID.

aggressive | main
Defines the mode used for Phase 1 negotiations. Use Aggressive mode only when you need to initiate an IKE key exchange without ID protection, such as when one of the participants has a dynamically assigned IP address. Main mode is the recommended key-exchange method because it conceals the identities of the parties during the key exchange.

local-id <id_str>
Defines the IKE NetScreen identity of the local device. Use only when the local NetScreen device has a dynamically assigned IP address. (Note: If either of the participants has a dynamically assigned IP address, use Aggressive mode for Phase 1.)

preshare <key_str>
Defines the Preshared key used in the Phase 1 proposal. (If you use an RSA- or DSA-signature in the Phase 1 proposal, do not include this reference.)

proposal <name_str>
Specifies the name of a proposal. You can specify up to four Phase 1 proposals.

cert
Uses a digital certificate to authenticate the VPN initiator and recipient.

my-cert <name_str>
Specifies one certificate if the local NetScreen device has multiple certificates loaded.

peer-ca <name_str>
Specifies a preferred certificate authority (CA).

peer-cert-type { pkcs7 | x509 }
Specifies a preferred type of certificate, PKCS7 or X509.

accept-all-proposal
Accepts all incoming proposals. The default is to accept only those proposals matching predefined or user-defined proposals.

policy-checking
Checks if the access policies of the two VPN participants match before establishing a connection. Use policy checking when multiple tunnels are supported between two peer gateways. Otherwise, the IKE session fails. For backwards compatibility with ScreenOS 2.0 and earlier, you can disable policy checking when only one policy is configured between two peers.

single-ike-tunnel <name_str>
Specifies a single Phase 2 SA for all policies to the same remote peer. (Note: This feature has been implemented to ensure backward compatibility with ScreenOS 2.0.)

soft-lifetime-buffer <number>
Sets a time in seconds to initiate a rekeying operation before the current IPSec SA key lifetime expires.

respond-bad-spi <spi_num>
Responds to a specified number of packets with a bad security parameter index (SPI) value after a reboot.

initiator-set-commit
Requests the responder to confirm that the new IPSec SA is established. The initiator will not use the new SA until this confirmation is received. The default is unset.

responder-set-commit
Requests the initiator to confirm that the new IPSec SA is established before using it. The default is unset.

id-mode { ip | subnet }
Defines the IKE ID mode in the Phase 2 exchange as either a host (IP) address or a gateway (subnet). If you choose ip, no Phase 2 ID is sent. If you choose subnet, proxy Phase 2 IDs are sent. (Use ip when setting up a VPN tunnel between a NetScreen device and a CheckPoint 4.0 device. Otherwise, use the subnet option.)

initial-contact { all-peers | single-gateway <name_str> | single-user <user_name> }
By specifying all-peers, the NetScreen device deletes all SAs, and sends an initial contact notification to each IKE peer. If you do not specify anything, the NetScreen device sends an initial contact notification to all peers during the first IKE session with that peer after a system reset. By specifying single-gateway <name_str> or single-user <user_name>, the NetScreen device deletes all SAs associated with the specified IKE gateway or IKE user, then sends an initial contact notification. The default is unset.

Defaults
Main mode is the default method for Phase 1 negotiations. 3DES and SHA-1 are the default algorithms for encryption and authentication. The default time intervals before the NetScreen mechanism renegotiates another security association are 28,800 seconds in a Phase 1 proposal, and 3600 seconds in a Phase 2 proposal. The default ID mode is subnet. (Changing the ID mode to IP is only necessary if the data traffic is between two security gateways, one of which is a CheckPoint 4.0 device.) The default soft-lifetime-buffer size is 10 seconds. By default, the single-ike-tunnel flag is not set. By default, the commit bit is not set when initiating or responding to a Phase 2 proposal.
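The following is an added example, not NetScreen code: a builder for set ike proposal and gateway command lines that refuses the combinations the argument descriptions above rule out (a lifetime under the 180 second minimum, null for both ESP encryption and authentication, more than four proposals on one gateway, and a dynamically addressed peer without aggressive mode). Applying the 180 second minimum to Phase 2 lifetimes as well, and supporting only preshared-key gateways, are simplifications of this example; the sample names, addresses and keys at the end are constructed or taken from the examples below.

```python
P1_AUTH = ("preshare", "RSA-Sig", "DSA-Sig")
DH_GROUPS = ("group1", "group2", "group5")
ENC = ("des", "3des", "aes128")
HASH = ("md5", "sha-1")
UNITS = {"days": 86400, "hours": 3600, "minutes": 60, "seconds": 1}
MIN_LIFETIME_SECONDS = 180


def _lifetime(lifetime):
    """lifetime is None or (unit, value); returns the CLI suffix or raises."""
    if lifetime is None:
        return ""
    unit, value = lifetime
    if unit not in UNITS:
        raise ValueError(f"unknown lifetime unit {unit!r}")
    if value * UNITS[unit] < MIN_LIFETIME_SECONDS:
        raise ValueError("lifetime is below the 180 second minimum")
    return f" {unit} {value}"


def p1_proposal(name, auth="preshare", group="group2", enc="3des",
                hash_="sha-1", lifetime=None):
    """set ike p1-proposal: defaults follow the reference (preshare, group2, 3des, sha-1)."""
    if auth not in P1_AUTH or group not in DH_GROUPS:
        raise ValueError("bad authentication method or DH group")
    if enc not in ENC or hash_ not in HASH:
        raise ValueError("Phase 1 allows no null cipher or hash")
    return f"set ike p1-proposal {name} {auth} {group} esp {enc} {hash_}" + _lifetime(lifetime)


def p2_proposal(name, group="group2", protocol="esp", enc="3des",
                hash_="sha-1", lifetime=None, kbyte=None):
    """set ike p2-proposal: null is allowed for encryption or authentication, not both."""
    if group not in DH_GROUPS + ("no-pfs",):
        raise ValueError("bad DH group")
    if protocol == "esp":
        if enc not in ENC + ("null",) or hash_ not in HASH + ("null",):
            raise ValueError("bad ESP algorithm")
        if enc == "null" and hash_ == "null":
            raise ValueError("null for both encryption and authentication is not allowed")
        body = f"esp {enc} {hash_}"
    elif protocol == "ah":
        if hash_ not in HASH:
            raise ValueError("AH needs md5 or sha-1")
        body = f"ah {hash_}"
    else:
        raise ValueError("protocol must be esp or ah")
    cmd = f"set ike p2-proposal {name} {group} {body}" + _lifetime(lifetime)
    if kbyte is not None:
        cmd += f" kbyte {kbyte}"          # 0 (the default) means no byte limit
    return cmd


def gateway(name, ip=None, dynamic=None, aggressive=False, preshare=None, proposals=()):
    """set ike gateway with a preshared key; static 'ip' or 'dynamic' peer identity."""
    if (ip is None) == (dynamic is None):
        raise ValueError("give exactly one of ip= or dynamic=")
    if dynamic is not None and not aggressive:
        raise ValueError("a dynamically addressed peer needs aggressive mode")
    if preshare is None:
        raise ValueError("a preshared key is required in this builder")
    if not 1 <= len(proposals) <= 4:
        raise ValueError("one to four Phase 1 proposals")
    parts = ["set ike gateway", name]
    parts += ["ip", ip] if ip is not None else ["dynamic", dynamic]
    if aggressive:
        parts.append("aggressive")        # main mode is the default and is omitted
    parts += ["preshare", preshare, "proposal", *proposals]
    return " ".join(parts)


def rejects(fn, *args, **kwargs):
    """True when the builder refuses the combination (used by the checks below)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```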

Examples
To define a Phase 1 proposal named pre-gl-3des-md5 with the following attributes:
- Preshared key and a group 1 Diffie-Hellman exchange
- Encapsulating Security Payload (ESP) protocol using the 3DES and MD5 algorithms
- Lifetime of 3 minutes:
ns-> set ike p1-proposal sf1 preshare group1 esp 3des md5 minutes 3

To define a Phase 2 proposal named g2-esp-3des-null with the following attributes:
- Group 2 Diffie-Hellman exchange
- ESP using 3DES without authentication
- Lifetime of 15 minutes:
ns-> set ike p2-proposal g2-esp-3des-null group2 esp 3des null minutes 15

To define a remote gateway named san_fran with the following attributes:
- Main mode
- Preshared Key with the value bi273T1L
- Reference to the Phase 1 proposal pre-g2-3des-md5
ns-> set ike gateway san_fran ip 172.16.10.11 preshare bi273T1L proposal pre-g2-3des-md5

For an example of the complete procedure for setting up a VPN tunnel, see the Notes section below.

To enable NAT traversal for a gateway named mktg:
ns-> set ike gateway mktg nat-traversal

To enable the UDP checksum setting:
ns-> set ike gateway mktg nat-traversal udp-checksum

To disable the UDP checksum setting:
ns-> unset ike gateway mktg nat-traversal udp-checksum

To set the Keepalive setting to 25 seconds:
ns-> set ike gateway mktg nat-traversal keepalive-frequency 25

See Also
See the clear ike, get ike, set policy, set user, set vpn, and get sa commands.

Notes
Setting up a VPN tunnel for a remote gateway with a static IP address requires up to five steps. To set up one end of a VPN tunnel gateway 1 (GW1) in the illustration for bidirectional traffic, follow the steps below.

1. Set the addresses for the trusted and untrusted parties at the two ends of the VPN tunnel:
ns-> set address trust host1 10.0.1.1 255.255.255.255
ns-> set address untrust host2 10.0.2.1 255.255.255.255
2. Define the IKE Phase 1 proposal and Phase 2 proposal. If you use the default proposals, you do not need to define Phase 1 and Phase 2 proposals.
3. Define the remote gateway:
ns-> set ike gateway gw2 ip 204.0.0.2 preshare netscreen proposal pre-g2-3des-md5
4. Define the VPN tunnel as AutoKey IKE:
ns-> set vpn vpn1 gateway gw2 proposal g2-esp-des-md5
5. Define an outgoing and an incoming access policy:
ns-> set policy outgoing host1 host2 any tunnel vpn vpn1
ns-> set policy incoming host2 host1 any tunnel vpn vpn1

The procedure for setting up a VPN tunnel for a dialup user with IKE constitutes up to five steps.

1. Define the trusted address that the user will access. (See the set address command.)
2. Define the user as an IKE user. See the set user command on page 2-122.
3. Define the IKE Phase 1 proposal, Phase 2 proposal, and remote gateway. (Note: If you use the default proposals, you do not need to define a Phase 1 or Phase 2 proposal.)
4. Define the VPN tunnel as AutoKey IKE. See the set vpn command on page 2-131.
5. Define an incoming access policy, with Dial-Up VPN as the source address and the VPN tunnel you configured in step 3 specified. See the set policy command on page 2-92.

See Also
See the get ike and clear ike-cookie commands.


set interface
Description: Use the set interface command to define the interface settings for network, virtual private network (VPN), High Availability (HA), and administrative traffic.

Syntax
set interface { ethernet<n> | ethernet<n1>/<n2> | ethernet<n1>/<n2>.<n3> { bandwidth <number> | dip <number> [ <ip_addr> [ <ip_addr> [ fix-port ] ] ] | ident-reset | ip <ip_addr>/<mask> { tag <id_num> } | manage-ip <ip_addr> | mip <ip_addr> { host <ip_addr> [ netmask <mask> ] [ vrouter <name_str> ] } | nat | route | secondary | vip <ip_addr> [ <port_num> | + [ <name_str> <ip_addr> [ manual ] ] ] | zone <name_str> } | ethernet<n> | ethernet<n1>/<n2> | ethernet<n1>/<n2>.<n3> | mgt | vlan1 { ip <ip_addr>/<mask> | manage-ip <ip_addr> | phy { auto | full | half } { 10mb | 100mb } } | vlan1 { broadcast < flood | arp [ trace-route ] | bypass-non-ip | bypass-others-ipsec | vlan { trunk } } }

DHCP Settings
set interface { ethernet<n> | ethernet<n1>/<n2> | ethernet<n1>/<n2>.<n3> | v1-trust dhcp { relay { server-name { <name_str> | <ip_addr> } service | vpn } server { ip <ip_addr> { mac <mac_addr> | to <ip_addr> } | option { dns1 | dns2 | dns3 | gateway | news | { <ip_addr> } | nis1 | nis2 | pop3 | smtp | { <ip_addr> } | domainname <name_str> | lease <number> | netmask <mask> | nistag <name_str> | wins1 <ip_addr> | wins2 <ip_addr> } service } } }

Firewall Settings
set interface { ethernet<n> | ethernet<n1>/<n2> | v1-trust | v1-untrust | v1-dmz } { ident-reset | manage { ping | scs | snmp | ssl | telnet | web } | screen { component-block | fin-no-ack | icmp-flood { threshold <number> } | icmp-fragment | icmp-large | ip-bad-option | ip-filter-src | ip-loose-src-route | ip-record-route | ip-security-opt | ip-spoofing | ip-stream-opt | ip-strict-src-route | ip-sweep { threshold <number> } | ip-timestamp-opt | land | limit-session [ source-ip-based <number> ] | mal-url { code-red | mal-url <name_str> <id_str> <number> } | ping-death | port-scan { threshold <number> } | syn-fin | syn-flood [ alarm-threshold <number> attack-threshold <number> queue-size <number> source-threshold <number> timeout <number> ] | syn-frag | tcp-no-flag | tear-drop | udp-flood { threshold <number> } | unknown-protocol | winnuke } } }

High Availability Settings
set interface { ha | ha1 | ha2 } { phy { 10mb | 100mb } }

Tunnel Settings
set interface tunnel/<n> { zone <name_str> | ip <ip_addr>/<mask> }


Arguments

interface
The name of the interface. For more information on interfaces, refer to Interfaces in USGA Features.

tunnel/<number>
The interface for a VPN tunnel. The <number> parameter identifies the tunnel interface.

bandwidth <number>
The guaranteed maximum bandwidth in kilobits per second for all traffic traversing the specified interface.

dip <id_num> <ip_addr> [ <ip_addr> ]
Sets a Dynamic IP (DIP) pool. The NetScreen device uses the pool to dynamically allocate source addresses when it applies Network Address Translation (NAT) to packets traversing the specified interface. The ID number <id_num> identifies the DIP pool. The IP address <ip_addr> represents the start of the IP address range. (Note: A single IP address can comprise an entire DIP pool.) The second IP address <ip_addr> represents the end of the IP address range. Be sure to exclude the following IP addresses from a DIP pool:
- the interface and gateway IP addresses
- any Virtual IP and Mapped IP addresses

ident-reset
Enables the NetScreen device to send a TCP Reset announcement in response to an IDENT request to port 113.

manage-ip <ip_addr>
Defines the Manage IP address for the specified physical interface. The Manage IP address can be used to access the NetScreen device for management purposes on a per-interface basis.

ip <ip_addr>/<mask> [ tag <id_num> ]
The IP address <ip_addr> and netmask <mask> for the specified interface or subinterface. The [ tag <id_num> ] switch assigns the interface to VLAN tag <id_num>.

mip <ip_addr> host <ip_addr> [ netmask <mask> ]
Defines a Mapped IP (MIP) address so that traffic sent to the MIP <ip_addr> is directed to the host with the IP address <ip_addr>. The netmask can specify a single one-to-one mapping or a mapping of one IP address range to another. (Note: Be careful to exclude the interface and gateway IP addresses, and any Virtual IP addresses in the subnet from the MIP address range.)

nat | route
Specifies whether to perform Network Address Translation (NAT) on outbound traffic from the trusted LAN or to route the outbound traffic without performing NAT.


secondary-ip ( route-deny )
Prevents the NetScreen device from automatically routing traffic from a host on one secondary IP address to a host on another secondary IP address.

vip <ip_addr>
Defines a Virtual IP (VIP) address (<ip_addr>) for the interface so you can map routable IP addresses to internal servers and access their services. The <port_num> parameter specifies the port number. The <name_str> and <ip_addr> parameters specify the service name and the IP address of the server providing the service, respectively. The manual switch turns off server auto detection. Using the + operator adds another service to the VIP.

zone <name_str>
Specifies the zone to which the new interface binds. For more information on zones, see Security Zones in USGA Features.

phy { auto | full | half }
auto | full | half defines the physical connection mode on the specified interface. The NetScreen unit automatically decides whether to operate at full or half duplex (as required by the network device connected to the NetScreen unit).

vlan1 broadcast
Controls how the NetScreen device determines reachability of other devices while the device is in transparent (L2) mode.
The flood switch instructs the NetScreen device to flood frames received from an unknown host out all other interfaces that are in transparent mode. In the process, the device might attempt to copy frames out of ports that cannot access the destination address, thus consuming network bandwidth. The arp switch instructs the NetScreen device to generate an Address Resolution Protocol (ARP) broadcast. If the ARP broadcast finds the unknown destination IP address, the NetScreen device loads its ARP table with the appropriate MAC address and interface. The device uses this entry to reach the destination device directly, and only sends frames through the correct port, thus saving bandwidth. The process of generating the initial ARP can cause delay, but only for the first frame.

bypass-non-ip
Allows non-IP traffic, such as IPX, to pass through a NetScreen device in Transparent mode. (ARP is a special case for non-IP traffic. It is always passed, even when this feature is disabled.)

bypass-others-ipsec
Openly passes all IPSec traffic through a NetScreen device in Transparent mode. The NetScreen device does not act as a VPN tunnel gateway but passes the IPSec packets onward to other gateways.


vlan { trunk }
Determines whether the NetScreen device accepts or drops Layer-2 frames. The device makes this decision only when the following conditions apply:
- The NetScreen device is in transparent mode.
- The device receives VLAN tagged frames on an interface.

The device then performs one of two actions.
- Drop the frames because they have tags.
- Ignore the tags and forward the frames according to MAC addresses.

The vlan { trunk } switch determines which action the device performs. For example, the command set vlan1 vlan trunk instructs the NetScreen device to ignore the tags and forward the frames. This action closely follows that of a Layer-2 switch trunk port.

relay
Configures the NetScreen interface such that the NetScreen device can serve as a DHCP relay agent.

server-name <name_str> | <ip_addr>
Defines the domain name or IP address of the DHCP server from which the NetScreen device receives the IP addresses and TCP/IP settings that it relays to hosts on the trusted LAN.

service
Enables the NetScreen device to act as a DHCP relay agent through the interface.

vpn
Allows the DHCP communications to pass through a VPN tunnel. You must first set up a VPN tunnel between the NetScreen device and the DHCP server.

server
Makes the NetScreen interface a DHCP server.

ip <ip_addr> mac <mac_addr>
(In Reserved mode) The DHCP server assigns a designated IP address (<ip_addr>) to a machine specified by its MAC address (<mac_addr>).

ip <ip_addr> to <ip_addr>
(In Dynamic mode) Defines a range of IP addresses to use when the DHCP server is filling client requests. Enter the starting IP address and the ending IP address. The IP pool can include up to 64 entries, and can support up to 255 IP addresses.

service
Enables DHCP operation.

option
Specifies the DHCP server options for which you can define settings.

dns1 <ip_addr> | dns2 <ip_addr> | dns3 <ip_addr>
Defines the IP addresses of the primary, secondary, and tertiary Domain Name Service (DNS) servers.

gateway <ip_addr>
Defines the IP address of the default trusted gateway used by the clients.

news <ip_addr>
Specifies the IP address of a news server for receiving and storing postings for news groups.

nis1 <ip_addr> | nis2 <ip_addr>
Defines the IP addresses of the primary and secondary NetInfo servers, which provide the distribution of administrative data within a LAN.

pop3 <ip_addr>
Specifies the IP address of a Post Office Protocol version 3 (POP3) mail server.

smtp <ip_addr>
Defines the IP address of a Simple Mail Transfer Protocol (SMTP) mail server.

domainname <name_str>
Defines the registered domain name of the network.

lease <number>
Defines the length of time in minutes for which an IP address supplied by the DHCP server is leased. For an unlimited lease, enter 0.

netmask <ip_addr>
Defines the netmask of the default gateway on the trusted side.

nistag <string>
Defines the identifying tag used by the Apple NetInfo database.

wins1 <ip_addr> | wins2 <ip_addr>
Specifies the IP addresses of the primary and secondary Windows Internet Naming Service (WINS) servers.

service
Enables the NetScreen device to act as a DHCP relay agent through the interface.


manage
Enables or disables monitoring and management capability through the interface.

ping
Enables (or disables) pinging through the interface.

scs
Enables (or disables) SCS management through the interface.

snmp
Enables (or disables) SNMP management through the interface.

ssl
Enables (or disables) SSL management through the interface.

telnet
Enables (or disables) telnet management through the interface.

web
Enables (or disables) web management through the interface.

screen
Enables or disables firewall services through the interface.

component-block
Attackers can hide malicious Java or ActiveX components in Web pages, and these components can install a Trojan Horse on the victim host. A Trojan Horse contains applets that allow an outside party to access the victim host directly. Attackers can hide these components in compressed files, such as .zip, .gzip, and .tar, as well as in executable (.exe) files. Enabling the component-block feature blocks all embedded Java and ActiveX applets from Web pages.

fin-no-ack
Detects an illegal combination of flags, and rejects packets that have them.

icmp-flood [ threshold <number> ]
Detects Internet Control Message Protocol (ICMP) floods. An ICMP flood occurs when an attacker broadcasts ICMP echo requests in order to flood the system with data. This causes the system to slow down, time out, and then disconnect. The threshold defines the number of ICMP packets per second allowed to ping the same destination address before the NetScreen device rejects further ICMP packets. The range is 1 to 1,000,000.

icmp-fragment
Detects any ICMP frame with the More Fragments flag set, or with an offset indicated in the offset field.

icmp-large
Detects any ICMP frame with an IP length greater than 1024.

ip-bad-option
Discards all received frames where the list of IP Options is malformed or incomplete.


ip-filter-src
Blocks all packets with the Source Route Option enabled. The Source Route Option can allow a hacker to use a false IP address to access a network, and have the traffic returned to their real IP address. The administrator can block all IP Source Routed frames, only those with Strict Source Routing, or only those with Loose Source Routing.

ip-loose-src-route
Detects packet IPs with the loose source route option enabled.

ip-record-route
Discards all frames with the Record Route option enabled. With the Record Route option enabled, attackers might access information concerning the path between the attacker and the target device, thus gaining information about the protected network.

ip-security-opt
Discards all received frames with IP Security options set. These option settings conform to RFCs 1038 and 1108, which define various protection levels for frames, and the configuration of internetworking devices for forwarding frames throughout an internetwork.

ip-spoofing
Prevents spoofing attacks. Spoofing attacks occur when unauthorized agents attempt to bypass firewall security by imitating valid client IP addresses. Using the ip-spoofing option invalidates such false source IP address connections. Only NetScreen devices running in NAT or Route mode can use this option.

ip-stream-opt
Discards all frames with the IP SATNET Stream identifier set.

ip-strict-src-route
Detects frames with the strict source route option enabled.

ip-sweep threshold <number>
Detects and prevents an IP Sweep attack. An IP Sweep attack occurs when an attacker sends ICMP echo requests (pings) to multiple destination addresses. If a target host replies, it reveals the target's IP address to the attacker. Set the IP Sweep threshold to between 1 and 1,000,000 microseconds. Each time ICMP echo requests occur with greater frequency than this limit, the NetScreen device drops further echo requests from the remote source address.

ip-timestamp-opt
Discards all frames with the timestamp option set.


land
Prevents Land attacks by combining the SYN flood defense mechanism with IP spoofing protection. Land attacks occur when an attacker sends spoofed IP packets with headers containing the target's IP address for both the source and destination IP addresses. The attacker sends these packets with the SYN flag set to any available port. This induces the target to create empty sessions with itself, filling its session table and overwhelming its resources.

limit-session [ source-ip-based <number> ]
Lets you define the maximum number of sessions the NetScreen device can establish per second by a single source IP address.

mal-url { code-red | mal-url <name_str> <id_str> <number> }
Sets up a filter that scans HTTP packets for suspect URLs. The NetScreen device drops packets that contain such URLs. The code-red switch enables blocking of the Code Red worm. Using the <name_str> option works as follows.
- <name_str> A user-defined identification name.
- <id_str> Specifies the starting pattern to search for in the HTTP packet. Typically, this starting pattern begins with the HTTP command GET, followed by at least one space, plus the beginning of a URL. (The NetScreen device treats multiple spaces between the command GET and the character / at the start of the URL as a single space.)
- <number> Specifies a minimum length for the URL before the CR-LF.

ping-of-death
Detects and rejects oversized and irregular ICMP packet sizes. Although the TCP/IP specification requires a specific packet size, many ping implementations allow larger packet sizes. This can trigger a range of adverse system reactions including crashing, freezing, and rebooting.

port-scan threshold <number>
Prevents port scan attacks. A port scan attack occurs when an attacker sends packets with different port numbers to scan available services. The attack succeeds if a port responds. To prevent this attack, the NetScreen device internally logs the number of different ports scanned from a single remote source. For example, if a remote host scans 10 ports in 0.05 seconds (the default threshold setting), the NetScreen device flags this as a port scan attack, and rejects further packets from the remote source. The port-scan threshold <number> value determines the threshold setting, which can be from 1000 to 1,000,000 milliseconds.


syn-fin
  Detects an illegal combination of flags that attackers can use to consume sessions on the target device, resulting in a denial of service.

syn-flood
  Prevents SYN flood attacks. Such attacks occur when the connecting host continuously sends TCP SYN requests without replying to the corresponding ACK responses.
  - [ alarm-threshold <number> ] defines the number of proxied, half-complete connections per second at which the NetScreen device makes entries in the event alarm log.
  - [ attack-threshold <number> ] defines the number of SYN packets per second required to trigger the SYN proxying mechanism.
  - [ queue-size <number> ] defines the number of proxied connection requests held in the proxied connection queue before the system starts rejecting new connection requests.
  - [ source-threshold <number> ] defines the number of SYN packets received per second from a single source IP address before the NetScreen device executes the SYN proxying mechanism.
  - [ timeout <number> ] defines the maximum length of time before a half-completed connection is dropped from the queue. You can set it between 1 and 50 seconds.

syn-frag
  Detects a SYN fragment attack, and drops any packet fragments used for the attack. A SYN fragment attack floods the target host with SYN packet fragments. The host caches these fragments, waiting for the remaining packets to arrive so it can reassemble them. By flooding a server or host with connections that cannot be completed, the host's memory buffer eventually fills. No further connections are possible, and damage to the host's operating system can occur.

tcp-no-flag
  Drops an illegal packet with a missing or malformed flags field.

tear-drop
  Blocks the Teardrop attack. Teardrop attacks occur when fragmented IP packets overlap and cause the host attempting to reassemble the packets to crash. The tear-drop option directs the NetScreen device to drop any packets that have such a discrepancy.


udp-flood threshold <number>
  UDP flooding occurs when UDP packets are sent with the purpose of slowing down the system to the point that it can no longer process valid connection requests. The threshold <number> is the number of packets allowed per second to the same destination IP address/port pair. When this number is exceeded, the NetScreen device generates an alarm and drops subsequent packets. The valid range is from 1 to 1,000,000.

unknown-protocol
  Discards all received IP frames with protocol numbers greater than 100. Such protocol numbers are undefined or reserved.

winnuke
  Detects attacks on Windows NetBIOS communications, modifies the packet as necessary, and passes it on. (Each WinNuke attack triggers an attack log entry in the event alarm log.)

fix-port
  Keeps the original source port number in the packet header. Port Address Translation (PAT) is not applied.

gateway <ip_addr>
  The IP address for the default gateway to which the NetScreen device forwards packets that are destined for networks beyond the immediate subnet of the specified interface.

ip <ip_addr>/<mask> [ secondary ]
  The IP address <ip_addr> and netmask <mask> for the specified interface or subinterface.
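The land, port-scan threshold and udp-flood threshold checks described above, modelled as an added example (not NetScreen's code): a small stateful model replays constructed packet records and reports which screen option would reject each one. The 5000 ms scan window, the class names and the field names are assumptions of this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    ts: float                        # arrival time in seconds
    proto: str                       # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. frozenset({"SYN"})


@dataclass
class ScreenModel:
    """Stateful model of three 'screen' checks. The threshold names follow the CLI
    options; the 5000 ms default window is an assumption of this example."""
    land: bool = True
    port_scan_threshold_ms: int = 5000   # port-scan threshold <number>, 1000..1,000,000 ms
    port_scan_ports: int = 10            # distinct ports inside the window that flag a scan
    udp_flood_threshold: int = 1000      # udp-flood threshold <number>, packets/s per dst ip:port
    _scan: dict = field(default_factory=lambda: defaultdict(deque))
    _udp: dict = field(default_factory=lambda: defaultdict(deque))
    _blocked: set = field(default_factory=set)

    def inspect(self, p: Packet) -> Optional[str]:
        """Return the screen option that rejects the packet, or None if it passes."""
        if p.src in self._blocked:
            return "port-scan"       # further packets from a flagged scanner are rejected
        is_syn = p.proto == "tcp" and "SYN" in p.flags
        if self.land and is_syn and p.src == p.dst:
            return "land"            # spoofed SYN whose source equals its destination
        if is_syn and self._port_scan(p):
            return "port-scan"
        if p.proto == "udp" and self._udp_flood(p):
            return "udp-flood"
        return None

    def _port_scan(self, p: Packet) -> bool:
        # Slide a window of <threshold> ms over the SYNs seen from this source and
        # count the distinct destination ports inside it.
        window = self.port_scan_threshold_ms / 1000.0
        seen = self._scan[p.src]
        seen.append((p.ts, p.dport))
        while seen and p.ts - seen[0][0] > window:
            seen.popleft()
        if len({port for _, port in seen}) >= self.port_scan_ports:
            self._blocked.add(p.src)
            return True
        return False

    def _udp_flood(self, p: Packet) -> bool:
        # Count UDP packets to one destination address/port pair over the trailing
        # second; the packet that exceeds the threshold (and later ones) is dropped.
        times = self._udp[(p.dst, p.dport)]
        times.append(p.ts)
        while times and p.ts - times[0] >= 1.0:
            times.popleft()
        return len(times) > self.udp_flood_threshold


def screen(packets: List[Packet], model: Optional[ScreenModel] = None) -> List[Optional[str]]:
    """Run every packet through one model instance and return the per-packet verdicts."""
    model = model or ScreenModel()
    return [model.inspect(p) for p in packets]


SYN = frozenset({"SYN"})
# Constructed traffic: one Land packet, a 12-port SYN sweep from a single host,
# and seven UDP packets to the same DNS port inside one second.
LAND = Packet(0.0, "tcp", "198.51.100.7", "198.51.100.7", 40000, 80, SYN)
SWEEP = [Packet(0.01 * i, "tcp", "203.0.113.9", "192.0.2.10", 50000 + i, 1 + i, SYN)
         for i in range(12)]
UDP_BURST = [Packet(5.0 + 0.1 * i, "udp", "203.0.113.22", "192.0.2.53", 33333, 53)
             for i in range(7)]
SAMPLE = [LAND] + SWEEP + UDP_BURST


def demo() -> dict:
    """Verdict counts for SAMPLE, with udp-flood set low enough for the burst to trip it."""
    counts: dict = {}
    for verdict in screen(SAMPLE, ScreenModel(udp_flood_threshold=5)):
        key = verdict or "pass"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for p, v in zip(SAMPLE, screen(SAMPLE, ScreenModel(udp_flood_threshold=5))):
        print(f"{p.ts:5.2f} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {v or 'pass'}")
    print(demo())
```

With the default udp-flood threshold of 1000 the same seven-packet burst passes untouched, which is the point of tuning the threshold to the expected legitimate rate.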

Examples
To set up the Level-2 interface to perform land attack detection:
ns-> set interface v1-dmz screen land

To bind interface ethernet4/1 to the Trust zone and enable Web management for the interface:
ns-> set interface ethernet4/1 zone trust
ns-> set interface ethernet4/1 manage web

To bind interface ethernet4/2 to the Untrust zone and enable ping for the interface:
ns-> set interface ethernet4/2 zone untrust
ns-> set interface ethernet4/2 manage ping

To enable the ability to reset ident requests through the ethernet3/2 interface:
ns-> set interface ethernet3/2 ident-reset

To create a subinterface for physical interface ethernet3/1 and bind it to the Untrust zone:
ns-> set interface ethernet3/1.2 zone untrust

To assign IP address 172.168.40.3/24 to subinterface ethernet3/1.2 and assign it VLAN tag 3:
ns-> set interface ethernet3/1.2 ip 172.168.40.3/24 tag 3

To create a tunnel interface named tunnel/2 with IP address 172.10.10.5/24:
ns-> set interface tunnel/2 zone untrust
ns-> set interface tunnel/2 ip 172.10.10.5/24

To configure interface ethernet3/2 to receive its address dynamically from a DHCP server:
ns-> set interface ethernet3/2 dhcp server service

To unset the tunnel interface named tunnel/1:
ns-> unset interface tunnel/1

See Also
See the get interface, set vsys, set dhcp, exec dhcp, set pppoe, and exec pppoe commands.

Notes
The manage-ip option supersedes the sys-ip option and applies on a per-interface basis. When set, the IP address is used for managing the device. If both the per-interface manage-ip and the global sys-ip are set to 0.0.0.0, the interface IP address is used to manage the device. Note: The manage-ip takes precedence over sys-ip. If the sys-ip is 0.0.0.0, the administrator can use the interface IP address to manage the device, with the exception of those interfaces that are set with manage-ip.


set intervlan-traffic
Description: Use the set intervlan-traffic deny command to disable inter-VLAN traffic through a NetScreen device. It is possible to configure a virtual system (VSYS) with two trusted interfaces, such that traffic can enter the VSYS through one interface and exit through the other without undergoing any security services such as authentication or encryption. This is known as inter-VLAN traffic. When inter-VLAN traffic poses a security risk, you can disable it using the set intervlan-traffic deny command. To enable inter-VLAN traffic, use the unset intervlan-traffic command.

Syntax
set intervlan-traffic { deny }
unset intervlan-traffic [ deny ]

Arguments
set intervlan-traffic deny
  Disables inter-VLAN traffic.

unset intervlan-traffic deny
  Enables inter-VLAN traffic.

Examples
To disable inter-VLAN traffic:
ns-> set intervlan-traffic deny

To enable inter-VLAN traffic:
ns-> unset intervlan-traffic deny


See Also
See the set vsys and set interface commands.


set ip
Description: Use the set ip command to set IP parameters for communication with the TFTP server.

Syntax
set ip { tftp } { retry <number> | timeout <number> }
unset ip tftp

Arguments
retry <number>
  The number of times to retry a TFTP communication before the NetScreen device ends the attempt and generates an error message.

timeout <number>
  Determines how long the NetScreen device waits before terminating an inactive TFTP connection.

Defaults
The number of retries is 10. The default timeout period is 2 seconds.

Examples
To set the number of retries to 7:
ns-> set ip tftp retry 7

To set the timeout period to 15 seconds:
ns-> set ip tftp timeout 15

See Also
See the get ip tftp command.


set ippool
Definition: Use the set ippool command to associate the name of an IP pool with a range of IP addresses. IP pools are used when assigning addresses to dialup users via the Layer 2 Tunneling Protocol (L2TP).

Syntax
set ippool { <string> <ip_addr> <ip_addr> }
unset ippool <string>

Arguments
<string>
  Defines the name of the IP pool.

first <ip_addr>
  Sets the starting IP address in the IP pool.

second <ip_addr>
  Sets the ending IP address in the IP pool.

Defaults
None.

Examples
To configure the IP pool named office with the IP addresses 172.16.10.100 through 172.16.10.200:
ns-> set ippool office 172.16.10.100 172.16.10.200

See Also
See the get ippool command.


set l2tp
Description: Use the set l2tp command to configure L2TP tunnels and default L2TP settings. This command is available for the root administrator, not a virtual system administrator.

Syntax
set l2tp {
  <string> { [ id <id_num> ] user <name_str> }
    [ peer-ip <ip_addr> [ host <string> ] [ outgoing-interface ] ]
    [ secret <string> ] [ keepalive <number> ] |
  default {
    auth { local | radius } | dns1 <ip_addr> | dns2 <ip_addr> | ippool <string> |
    ppp-auth { any | chap [ pap ] | pap } | radius-port <port_num> | radius-secret <string> |
    server-name <string> | wins1 <ip_addr> | wins2 <ip_addr>
  }
}
unset l2tp {
  <string> |
  default {
    dns1 | dns2 | ippool | ppp-auth { any | chap [ pap ] | pap } | radius-port |
    radius-secret | server-name | wins1 | wins2
  }
}

Arguments
l2tp <string>
  The L2TP tunnel name.

id <id_num>
  The ID number for the L2TP tunnel.

user <string>
  The name of the L2TP user.

peer-ip <ip_addr>
  Specifies the IP address of the L2TP access concentrator (LAC), if it has a static IP address.

host <string>
  Specifies the name of the computer acting as the LAC.

outgoing-interface <name_str>
  Specifies the outgoing interface for the L2TP tunnels.

secret <string>
  Defines a shared secret used for authentication between the L2TP network server (LNS), which the NetScreen device is acting as, and the LAC.

keepalive <number>
  Defines how many seconds of inactivity the NetScreen device (LNS) waits before sending a hello message to the dialup client (LAC).

default
  Defines the default L2TP settings.

auth { local | radius }
  Specifies the type of user authentication database: the NetScreen internal database (local) or a remote RADIUS server database.

dns1 <ip_addr>
  The IP address of the primary DNS server.

dns2 <ip_addr>
  The IP address of the secondary DNS server.


ippool <string>
  The name of the L2TP IP pool, from which IP addresses are drawn to be assigned to L2TP users.

ppp-auth { any | chap | pap }
  Specifies the authentication type in response to a dialup user's request to make a Point-to-Point Protocol (PPP) link.
  - chap specifies Challenge Handshake Authentication Protocol (CHAP), which encrypts the user's login name and password during transmission.
  - pap specifies Password Authentication Protocol (PAP), which does not use encryption.
  - any instructs the NetScreen device to negotiate CHAP and then, if that attempt fails, PAP.

radius-port <port_num>
  Defines the port number of the RADIUS server. The number can be between 1024 and 65,535.

radius-secret <string>
  The shared secret used by the NetScreen device and the RADIUS server.

default server-name <string>
  The IP address or domain name of the RADIUS server.

default wins1 <ip_addr>
  The IP address of the primary WINS server.

default wins2 <ip_addr>
  The IP address of the secondary WINS server.

Defaults
The default L2TP UDP port number is 1701. By default, no L2TP secret is used to authenticate the LAC-LNS pair. The default interval for sending a keepalive message is 60 seconds. The default ppp-auth type is any.

Examples
To create an L2TP tunnel named west_coast for a dialup user named jking:
ns-> set l2tp west_coast user jking

To create an L2TP tunnel named east_coast with a keepalive value of 120 seconds for a dialup user named dd:
ns-> set l2tp east_coast user dd keepalive 120

To create a set of default L2TP settings, using an IP pool named chiba, the local database, CHAP for L2TP authentication, primary and secondary DNS servers at 192.168.2.1 and 192.168.4.71, and primary and secondary WINS servers at 10.20.1.16 and 10.20.5.101:
ns-> set l2tp default ippool chiba
ns-> set l2tp default auth local
ns-> set l2tp default ppp-auth chap
ns-> set l2tp default dns1 192.168.2.1
ns-> set l2tp default dns2 192.168.4.71
ns-> set l2tp default wins1 10.20.1.16
ns-> set l2tp default wins2 10.20.5.101

See Also
See the get l2tp, clear l2tp, and set ippool commands.


set lcd
Description: Use the set lcd command to activate the LCD on the front panel of a NetScreen device.

Syntax
set lcd { display | key-in }
unset lcd { display | key-in }

Arguments
display
  Turns the LCD off or on and locks the control keys.

key-in
  Locks and unlocks the control keys, but does not affect the LCD display.

Examples
To turn off the LCD and lock the control keys:
ns-> unset lcd display

To leave the LCD on but lock the control keys:
ns-> set lcd key-in

To turn on the LCD but leave the control keys locked:
ns-> set lcd display

To turn on the LCD and unlock the control keys:
ns-> unset lcd key-in

See Also
See the get lcd command.


set log
Description: Use the set log command to generate log messages and specify their destinations.

Syntax
set log { module <name_str> { level <string> { destination <string> } } }
unset log { module <name_str> { level <string> { destination <string> } } }

Arguments
module <name_str>
  Specifies the name of the ScreenOS module that generates the log message.

level <string>
  The minimum urgency level of the generated log messages. Starting with the most urgent, these levels are as follows:
  emergency
  alert
  critical
  error
  warning
  notification
  information
  debugging

destination <string>
  The destination of the generated log messages. The permissible destinations are as follows:
  console
  internal
  email
  snmp
  syslog
  webtrends
  onesecure
  pcmcia

Examples
To generate log messages from module system, and to generate only messages that are critical or greater:
ns-> set log module system level alert destination email

See Also
See the unset log command.


set mac
Description: Use the set mac command to configure a static Media Access Control (MAC) address for a NetScreen interface.

Syntax
set mac <mac_addr> <interface>
unset mac <mac_addr>

Arguments
<mac_addr>
  Specifies the MAC address.

<interface>
  Specifies the name of the interface, such as ethernet1.

Defaults
None.

Examples
To set the MAC address on a NetScreen device to 111144446666 for the ethernet1 interface:
ns-> set mac 111144446666 ethernet1

See Also
See the get mac-learn, clear mac-learn, get mac-count, and clear mac-count commands.


set mip
Definition: Use the set mip command to define and modify Mapped IP address (MIP) configurations.

Syntax
set mip <ip_addr1> host <ip_addr2> [ netmask <mask> ]
unset mip <ip_addr> [ netmask <mask> ]

Arguments
<ip_addr1>
  The MIP address.

host <ip_addr2>
  The IP address of the host (or subnet) to receive the mapped traffic.

netmask <mask>
  Defines the subnet mask of the mapped IP address.

Defaults
The default subnet mask is 255.255.255.255.

Examples
To define a one-to-one Mapped IP configuration for a server with the IP address 172.16.10.92 to the valid external IP address 192.168.192.1:
ns-> set mip 172.16.10.92 host 192.168.192.1

To define a one-to-one Mapped IP configuration for a machine with IP address 172.16.10.92 to a specific host with an IP address 192.168.175.1:
ns-> set mip 172.16.10.92 host 192.168.175.1 netmask 255.255.255.255

To define a subnet-to-subnet Mapped IP configuration for a subnet with IP addresses starting from 192.168.15.1 to an actual subnet with IP addresses starting from 10.1.1.1 using a netmask of 255.255.255.248:
ns-> set mip 192.168.15.1 host 10.1.1.1 netmask 255.255.255.248

Notes
Use the unset mip command to delete a Mapped IP configuration. Mapping is allowed for a one-to-one or subnet-to-subnet relationship. When a subnet-to-subnet Mapped IP configuration is defined, the subnet mask is applied to both the Mapped IP subnet and the actual IP subnet. Note: For the Trust and Tunnel interfaces, the MIP must be on the same subnet as its associated interface IP address. For the Untrust interface, the MIP may be located on a different subnet than its associated interface IP address. When creating a new MIP, check for overlap with other MIPs or DIPs. Be sure to check Virtual IPs (VIPs) as well.
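The address translation a MIP performs, and the overlap check the Notes call for, worked as an added example in Python (not ScreenOS code): it takes the subnet-to-subnet entry from the examples above and adds constructed DIP and VIP neighbours; the class and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Mip:
    """One 'set mip <ip_addr1> host <ip_addr2> [ netmask <mask> ]' entry."""
    mip: str
    host: str
    netmask: str = "255.255.255.255"   # the documented default

    def mip_net(self) -> ipaddress.IPv4Network:
        # strict=False lets 192.168.15.1/29 stand for the 192.168.15.0/29 block,
        # which is how the subnet-to-subnet example above is written.
        return ipaddress.ip_network(f"{self.mip}/{self.netmask}", strict=False)

    def host_net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(f"{self.host}/{self.netmask}", strict=False)

    def to_host(self, dst: str) -> Optional[str]:
        """Inbound: a destination inside the MIP block maps to the real address
        with the same host bits; addresses outside the block are not this MIP's."""
        addr = ipaddress.ip_address(dst)
        net = self.mip_net()
        if addr not in net:
            return None
        offset = int(addr) - int(net.network_address)
        return str(self.host_net().network_address + offset)

    def to_mip(self, src: str) -> Optional[str]:
        """Outbound: the reverse translation applied to replies from the real host."""
        addr = ipaddress.ip_address(src)
        net = self.host_net()
        if addr not in net:
            return None
        offset = int(addr) - int(net.network_address)
        return str(self.mip_net().network_address + offset)


def overlap_conflicts(new: Mip, mips: Iterable[Mip] = (),
                      dip_ranges: Iterable[Tuple[str, str]] = (),
                      vips: Iterable[str] = ()) -> List[str]:
    """The check the Notes ask for before adding a MIP: report every existing MIP
    block, DIP pool range or VIP address that the new MIP block overlaps."""
    new_net = new.mip_net()
    conflicts = []
    for m in mips:
        if new_net.overlaps(m.mip_net()):
            conflicts.append(f"MIP {m.mip} netmask {m.netmask}")
    for start, end in dip_ranges:
        # A DIP pool is a start-end range; summarize it into CIDR blocks to compare.
        blocks = ipaddress.summarize_address_range(ipaddress.ip_address(start),
                                                   ipaddress.ip_address(end))
        if any(new_net.overlaps(b) for b in blocks):
            conflicts.append(f"DIP {start}-{end}")
    for vip in vips:
        if ipaddress.ip_address(vip) in new_net:
            conflicts.append(f"VIP {vip}")
    return conflicts


# The subnet-to-subnet example from this section plus constructed neighbours.
SUBNET_MIP = Mip("192.168.15.1", "10.1.1.1", "255.255.255.248")
ONE_TO_ONE = Mip("172.16.10.92", "192.168.175.1")          # /32 by default
EXISTING_DIP = ("192.168.15.10", "192.168.15.20")           # constructed DIP pool
EXISTING_VIP = "192.168.15.3"                               # constructed VIP


def demo() -> dict:
    """Translate a few packets through SUBNET_MIP and vet two candidate MIPs."""
    return {
        "in 192.168.15.5": SUBNET_MIP.to_host("192.168.15.5"),
        "in 192.168.15.9": SUBNET_MIP.to_host("192.168.15.9"),   # outside the /29
        "out 10.1.1.6": SUBNET_MIP.to_mip("10.1.1.6"),
        "one-to-one": ONE_TO_ONE.to_host("172.16.10.92"),
        "candidate /30": overlap_conflicts(Mip("192.168.15.4", "10.1.2.4", "255.255.255.252"),
                                           [SUBNET_MIP], [EXISTING_DIP], [EXISTING_VIP]),
        "candidate /32": overlap_conflicts(Mip("192.168.15.12", "10.1.2.12"),
                                           [SUBNET_MIP], [EXISTING_DIP], [EXISTING_VIP]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:16} -> {value}")
```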

See Also
See the set interface and get mip commands.


set natt
Description: Use the set natt command to set the NAT-T keepalive frequency.

Syntax
set natt frequency <number>
unset natt frequency

Arguments
<number> The keepalive frequency expressed in 10-second intervals.

Examples
To set the NAT-T keepalive frequency to one hour:
ns-> set natt frequency 6

See Also
See the unset natt command.


set ntp
Description: Use the set ntp command to configure the NetScreen device for Simple Network Time Protocol (SNTP). To enable the SNTP feature, use the set clock command.

Syntax
set ntp { interval <number> | server <ip_addr> | zone <number1> <number2> }
unset ntp { server | interval | zone }

Arguments
interval <number>
  Defines in minutes how often the NetScreen device updates its clock time by synchronizing with the NTP server. The range for the synchronization interval is from 1 to 300 minutes.

server <ip_addr>
  Defines the NTP server with which the NetScreen device synchronizes time. Replace <ip_addr> with the IP address of the NTP server.

zone <number1> <number2>
  Defines the time zone, expressed as an integer <number1> between -12 and 12 inclusive. A value of zero denotes GMT (Greenwich Mean Time). <number2> expresses minutes.

Defaults
This is a list of system defaults:
- The NTP service is off by default.
- The IP address for the NTP server is set to 0.0.0.0.
- The frequency (time interval) for synchronizing clock time is every 10 minutes.
- The time zone is set to 0, which translates to GMT (Greenwich Mean Time).

Examples
To enable NTP:
ns-> set clock ntp

To define the NTP server with IP address 172.10.10.6 with which to synchronize clock time:
ns-> set ntp server 172.10.10.6

To configure the NetScreen device to synchronize its clock time every 20 minutes:
ns-> set ntp interval 20

To disable the NTP feature:
ns-> unset clock ntp

To disable the NTP server and set its default IP address back to 0.0.0.0:
ns-> unset ntp server

To set the default synchronization interval back to 10 minutes:
ns-> unset ntp interval

See Also
See the set clock, get ntp, and exec ntp commands.

Notes
NetScreen's implementation is based upon Simple Network Time Protocol (SNTP) and is therefore a subset of NTP. NTP is used to synchronize computer clocks on the Internet. In its simplified version, SNTP is adequate for devices that do not require a high level of synchronization and accuracy.

set pki
Definition: Use the set pki command to designate the certificate authority server's IP and e-mail addresses, to retrieve local certificate requests, and to create new RSA key pairs for public key encryption.

Syntax
set pki {
  convert-cert |
  authority { <id_num> | default } {
    cert-status {
      crl { refresh { daily | default | monthly | weekly } | url <url_str> } |
      ocsp { refresh <number> | url <url_str> [ id-type { certhash | certid | issuer-serial | name | pkcert } [ l-sign-request ] [ no-nonce ] [ no-response-type ] [ not-verify-resp-cert ] ] } |
      revocation-check { none | all | crl | ocsp }
    } |
    scep { authentication { failed | passed } | ca-cgi <string> | ca-id <name_str> | challenge <pswd_str> | current | mode { auto | manual } | polling-int <number> | ra-cgi <string> | renew-start <number> }
  } |
  ldap { server-name { <name_str> | <ip_addr> } | crl-url <url_str> } |
  x509 {
    default { cert-path { full | partial } | crl-refresh { daily | default | monthly | weekly } | send-to <string> } |
    dn { country-name <name_str> | email <string> | ip <ip_addr> | local-name <name_str> | name <name_str> | org-name <name_str> | org-unit-name <name_str> | phone <string> | state-name <name_str> } |
    raw-cn { enable }
  }
}

unset pki {
  authority <id_num> {
    cert-status {
      crl { refresh { daily | default | monthly | weekly } | url <name_str> } |
      ocsp { refresh <number> | url <url_str> [ id-type { certhash | certid | issuer-serial | name | pkcert } [ l-sign-request ] [ no-nonce ] [ no-response-type ] [ not-verify-resp-cert ] ] } |
      revocation-check { all | crl | ocsp }
    } |
    scep { authentication | ca-cgi | ca-id | challenge | current | mode | polling-int | ra-cgi | renew-start }
  } |
  ldap { crl-url | server-name } |
  x509 { default | dn | raw-cn }
}

Arguments
convert-cert
  Converts an old VSYS certificate to the new style.

authority <id_num>
  Defines how the NetScreen device uses the CA's authorization services.

cert-status
  Defines how the NetScreen device verifies certificate status. The revocation-check option directs the NetScreen device to check certificates to see if they are currently revoked. The all option of revocation-check directs the NetScreen device to use both the CRL and OCSP.

crl
  Uses the Certificate Revocation List (CRL) to determine the certificate's revocation status. The refresh setting determines how often the NetScreen device checks for revocation. The url <url_str> setting specifies the URL for accessing the Certificate Revocation List.

ocsp
  Uses Online Certificate Status Protocol (OCSP) to determine the certificate's revocation status. The refresh setting determines how often the NetScreen device uses OCSP to check for revocation. The url <url_str> setting specifies the URL for accessing the OCSP responder.

id-type
  The type of certificate ID used to identify the certificate. The certhash type specifies the hash value of the certificate. The certid type specifies the certificate identification value, which includes the hash algorithm, the hash of the issuer distinguished name (DN), the hash of the issuer's public key, and the certificate's serial number. The issuer-serial type specifies the CA issuer name and serial number. The name type specifies the general name of the certificate. The pkcert type specifies the entire certificate.

l-sign-request
  Specifies that the NetScreen device signs the request for revocation verification.

no-nonce
  Prevents the NetScreen device from sending a nonce value with the request.

no-response-type
  Prevents the NetScreen device from specifying an acceptable response type.

not-verify-resp-cert
  Prevents the NetScreen device from verifying the responder's certificate.

scep
  Sets Simple Certificate Enrollment Protocol (SCEP) parameters.
  - authentication { failed | passed } sets the result of the CA authentication.
  - ca-cgi <string> specifies the path to the CA's SCEP server.
  - ca-id <name_str> specifies the identity of the CA's SCEP server.
  - challenge <pswd_str> specifies the challenge password.
  - current directs the NetScreen device to use the current SCEP setting as the default.
  - mode { auto | manual } specifies the authentication mode for the CA's SCEP server.
  - polling-int <number> determines the retrieval polling interval (in minutes).
  - ra-cgi <string> specifies the CGI path to the RA's SCEP server.
  - renew-start <number> specifies the number of days before starting the renewal process.

ldap
  Specifies settings for the LDAP server.
  - server-name { <name_str> | <ip_addr> } defines the domain name or IP address of the default Lightweight Directory Access Protocol (LDAP) server for the certificate authority (CA) that validates the X.509 certificate.
  - crl-url <url_str> sets the default LDAP URL for the CA certificate revocation list (CRL) to be used for X.509 CRL retrieval purposes.

x509
  Specifies settings for the X.509 certificate.
  - default specifies a type of digital certificate with the default X.509 certificate settings. The cert-path option configures the path to the X.509 CRL; the full | partial option determines whether the NetScreen device uses the full path to the X.509 CRL or only a part of the path. The crl-refresh option sets the refresh frequency of the X.509 CRL; its default option uses the validation date decided by each CRL. The send-to <string> option assigns the destination e-mail address to which the PKCS10 certificate request file is sent.
  - dn specifies a distinguished name to uniquely identify the user for whom the certificate is being requested.
    - country-name <name_str> sets the country name as the X.509 certificate subject name of the NetScreen device.
    - email <string> sets the contact e-mail address of the NetScreen device administrator as the X.509 certificate subject name of the NetScreen device.
    - ip <ip_addr> sets the IP address of the NetScreen device as its X.509 certificate subject name.
    - local-name <name_str> sets the name of the locality as the X.509 certificate subject name of the NetScreen device.
    - name <name_str> sets the name of the NetScreen device as its X.509 certificate subject name. This name uniquely identifies NetScreen X.509 certificates with the same RSA key but issued by different Certificate Authorities.
    - org-name <name_str> sets the organization name as the X.509 certificate subject name of the NetScreen device.
    - org-unit-name <name_str> sets the organization unit name as the X.509 certificate subject name of the NetScreen device.
    - phone <string> sets the contact phone number of the NetScreen device administrator as the X.509 certificate subject name of the NetScreen device.
    - state-name <name_str> sets the state name as the X.509 certificate subject name of the NetScreen device.
  - raw-cn { enable } enables the raw common name (CN). You specify the certificate's raw CN with the command set pki x509 dn name <name_str>, where <name_str> is a string of characters comprising the CN.

Defaults
The RSA key length is set to 1024 bits.

Examples
To identify 162.128.20.12 as the CA server's IP address:
ns-> set pki ldap server-name 162.128.20.12

To specify the destination e-mail address where the NetScreen device sends the PKCS10 certificate request:
ns-> set pki x509 default send-to caServer@somewhere.com

To refresh the certificate revocation list on a daily basis:
ns-> set pki x509 default crl-refresh daily

To define a distinguished name for Ed Jones, who works in marketing at NetScreen Technologies in Santa Clara, California:
ns-> set pki x509 dn country-name US
ns-> set pki x509 dn state-name CA
ns-> set pki x509 dn local-name santa clara
ns-> set pki x509 dn org-name netscreen technologies
ns-> set pki x509 dn org-unit-name marketing
ns-> set pki x509 dn name ed jones

You use the set pki, get pki, and exec pki commands to request an X.509 CA certificate from a certificate authority. The following commands provide a typical example:

1. Specify a certificate authority (CA) CGI path.
   set pki auth -1 scep ca-cgi http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe
   Note: The Common Gateway Interface (CGI) is a standard way for a web server to pass a user request to an application program, and to receive data back. CGI is part of the web's Hypertext Transfer Protocol (HTTP).

2. Specify a registration authority (RA) CGI path.
   set pki auth -1 scep ra-cgi http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe
   Note: You must specify an RA CGI path even if the RA does not exist. If the RA does not exist, use the value specified for the CA CGI.

3. Generate an RSA key pair, specifying a key length of 1024 bits.
   exec pki rsa new 1024

4. Initiate the SCEP operation to request a local certificate.
   exec pki x509 scep -1

5. If this is the first attempt to apply for a certificate from this certificate authority, a prompt appears presenting a fingerprint value for the CA certificate. (Otherwise, go on to Step 6.) You need to contact the certificate authority to confirm that this is the correct CA certificate. Execute the following command to get the device's authentication mode.
   get pki auth default scep
   If the authentication mode is auto, go on to Step 6. Otherwise, execute:
   set pki auth default scep auth passed

6. When the confirmation prompt appears, contact your certificate authority administrator to approve the local certificate request.

7. (Optional) Display a list of pending certificates. This allows you to see and record the index number identifying the certificate.
   get pki x509 list pending-cert

8. (Optional) Obtain the local certificate from the CA, using the index number obtained in Step 7 to identify the certificate.
   exec pki x509 scep 1

If you do not execute Steps 7 and 8, the NetScreen device still retrieves the certificate automatically from the CA. However, there is a time delay of at least 15 minutes. This delay period depends upon how you configured the device. The configuration command for this feature is:
set pki auth -1 scep polling-int <number>
where <number> is the time in minutes. The minimum is 15.

See Also
See the get pki and exec pki commands.


set policy
Description: Use the set policy command to define access policies to control network and VPN traffic.

Syntax
set policy {
  id <id_num> [ disable ] |
  [ id <id_num> ] [ before <pol_num> ] [ name <name_str> ]
    { from <zone1> to <zone2> <addr_str1> <addr_str2> <name_str> }
    [ nat [ dip-id <id_num> [ fix-port ] ] ]
    { tunnel { l2tp <name_str> | vpn-dialup <name_str> | vpn <name_str> | vpn-tunnel <name_str> [ id <id_num> ] [ l2tp <name_str> ] } [ auth ] | deny | permit [ auth ] }
    [ schedule <name_str> ]
    [ log [ alert ] [ count [ alarm <number> <number> ] ] ]
    [ traffic { gbw <number> } { priority <number> } { mbw [ <number> ] dscp { disable | enable } } ] |
  move <number> { before <id_num> | after <id_num> } |
  default-permit-all
}
unset policy { [ id ] <id_num> [ disable ] | default-permit-all }

Arguments
id <id_num> Specifies an access policy ID number. disable Disables the policy. before <pol_num> name <name_str> from <zone1> to <zone2> <addr_str1> <addr_str2> <name_str> Specifies the position of the access policy in the access control list (ACL) before another policy. Names the access policy. Specifies two zones between which the policies apply. <zone1> is the name of the source security zone. <zone2> is the name of the destination security zone. <addr_str1> is the name of the source address. <addr_str2> is the destination address. <name_str> is the name of the service. For more information on zones, see Security Zones in USGA Features. Enables or disables Network Address Translation policies. Specifies the ID number of the Dynamic IP (DIP) pool. This number can be between 4 and 255.

nat dip-id <id_num>

1HW6FUHHQ &/, 5HIHUHQFH *XLGH



 6HW &RPPDQGV

fix-port: Keeps the original source port number in the packet header; that is, Port Address Translation (PAT) is not applied.
tunnel: Encapsulates and encrypts outgoing IP packets, and decapsulates and decrypts incoming IP packets.
l2tp <id_num>: Specifies a Layer 2 Tunneling Protocol (L2TP) tunnel.
vpn-dialup <name_str>: For an incoming dialup VPN tunnel connection, specify vpn-dialup and the name of the dialup user or dialup group.
vpn [ l2tp <name_str> ]: For an IPSec VPN tunnel, specify vpn and the name of the VPN tunnel. For IPSec-over-L2TP, specify both vpn (with the name of the VPN tunnel) and l2tp (with the name of the L2TP tunnel).
vpn-tunnel: Specifies an active tunnel.
permit | deny: permit allows the specified service to pass from the source address across the firewall to the destination address. deny blocks the service at the firewall.
auth: Requires the user to provide a login name and password to authenticate his or her identity before access across the firewall is granted.
schedule <name_str>: Applies the access policy only at the times defined in the specified schedule.
log [ alert ]: Maintains a log of all connections to which the access policy applies. alert enables the Syslog alert feature.
count: Maintains a count in bytes of all network traffic to which the access policy is applied.
alarm <number> <number>: Enables the alarm feature so that you can view alarms. You must enter the number of bytes per second (the first <number>) and the number of bytes per minute (the second <number>) required to trigger an alarm.
traffic gbw <number>: Defines the guaranteed bandwidth (GBW) in kilobits per second. The NetScreen device passes traffic below this threshold with the highest priority, without performing traffic shaping.
priority <number>: Specifies one of the eight traffic priority levels. When traffic falls between the guaranteed and maximum bandwidth settings, the NetScreen device passes higher priority traffic first. Lower priority traffic is passed only if there is no higher priority traffic.


mbw <number>: Defines the maximum bandwidth (mbw) in kilobits per second. Traffic beyond this limit is throttled and dropped.
dscp { enable | disable }: Enables or disables a mapping of the NetScreen priority levels to the Differentiated Services Codepoint (DSCP) marking system.
move <id_num> { before | after } <id_num>: Repositions an access policy with one ID number before or after another policy with another ID number in the access control list (ACL).
default-permit-all: Allows access without checking the access control list (ACL) for a matching policy.
disable: Disables the policy without removing it from the configuration.

Examples
To define an incoming access policy for an IPSec-over-L2TP tunnel (where the VPN tunnel name is home2office and the L2TP tunnel name is home-office) for a dialup VPN group named home_office:
ns-> set policy from untrust to trust dialup_vpn our_side any tunnel vpn home2office l2tp home_office
To create an outgoing access policy from the Sales department on the trusted network using NAT and the DIP pool with ID #7:
ns-> set policy from trust to untrust sales out_there any nat dip-id 7 permit
To define the DIP with a fixed port on the trusted interface:
ns-> set policy outgoing 10.1.1.9 10.150.42.41 any nat dip-id 7 fix
The following example configures a NetScreen device to allow traffic between a private telephony endpoint host with an H.323 gatekeeper, through the NetScreen device, and telephony endpoint hosts on the public side.

Interfaces and Security Zones
1. set interface ethernet1 zone trust
2. set interface ethernet1 ip 10.10.1.1/24
3. set interface ethernet1 nat
4. set interface ethernet3 zone untrust
5. set interface ethernet3 ip 210.10.1.1/24

Addresses
6. set address trust IP_Phone1 10.10.1.2/32
7. set address trust gatekeeper 10.10.1.10/32
8. set address untrust IP_Phone2 200.20.1.2/32

Mapped IP Addresses
9. set interface ethernet3 mip 210.10.1.2 host 10.10.1.2
10. set interface ethernet3 mip 210.10.1.10 host 10.10.1.10

Routes
11. set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr
12. set vrouter untrust-vr route 0.0.0.0/0 interface ethernet3 gateway 201.22.3.20

Policies
13. set policy from trust to untrust IP_Phone1 IP_Phone2 h.323 permit
14. set policy from trust to untrust gatekeeper IP_Phone2 h.323 permit
15. set policy from untrust to trust IP_Phone2 mip(210.10.1.2) h.323 permit
16. set policy from untrust to trust IP_Phone2 mip(210.10.1.10) h.323 permit
17. save
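The ordered ACL that these policy options build, as an added Python model that is not NetScreen's code: first-match lookup, disable, move before/after, and default-permit-all, exercised on the four H.323 policies above. The policy IDs 1 to 5 and the extra deny policy used to show shadowing are constructed for the example.

```python
"""Added example (not NetScreen's code): a minimal model of the ordered access
control list that `set policy` builds, showing first-match lookup, `disable`,
`move <id> { before | after } <id>` and `default-permit-all`. The sample
policies are the page's H.323 example; their ids are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Policy:
    pol_id: int
    src_zone: str
    dst_zone: str
    src_addr: str          # address-book name such as IP_Phone1, or "any"
    dst_addr: str          # address-book name, mip(...) name, or "any"
    service: str           # service name such as h.323, or "any"
    action: str            # "permit" or "deny"
    enabled: bool = True   # `set policy id <n> disable` clears this


@dataclass
class Acl:
    policies: List[Policy] = field(default_factory=list)
    default_permit_all: bool = False   # `set policy default-permit-all`

    def add(self, pol: Policy, before: Optional[int] = None) -> None:
        """`set policy [before <pol_num>] ...`: append, or insert ahead of <pol_num>."""
        if before is None:
            self.policies.append(pol)
        else:
            self.policies.insert(self._index(before), pol)

    def move(self, pol_id: int, where: str, other_id: int) -> None:
        """`set policy move <id> { before | after } <id>`."""
        if where not in ("before", "after"):
            raise ValueError("where must be 'before' or 'after'")
        pol = self.policies.pop(self._index(pol_id))
        idx = self._index(other_id)
        self.policies.insert(idx if where == "before" else idx + 1, pol)

    def _index(self, pol_id: int) -> int:
        for i, p in enumerate(self.policies):
            if p.pol_id == pol_id:
                return i
        raise KeyError(f"no policy with id {pol_id}")

    def lookup(self, src_zone: str, dst_zone: str, src: str, dst: str, service: str) -> str:
        """The first enabled policy whose zones, addresses and service match
        decides; with no match the implicit default applies (deny, unless
        default-permit-all is set)."""
        for p in self.policies:
            if not p.enabled:
                continue
            if (p.src_zone == src_zone and p.dst_zone == dst_zone
                    and p.src_addr in (src, "any") and p.dst_addr in (dst, "any")
                    and p.service in (service, "any")):
                return p.action
        return "permit" if self.default_permit_all else "deny"


def h323_example() -> Acl:
    """The four policies from the page's H.323 example, in the order entered."""
    acl = Acl()
    acl.add(Policy(1, "trust", "untrust", "IP_Phone1", "IP_Phone2", "h.323", "permit"))
    acl.add(Policy(2, "trust", "untrust", "gatekeeper", "IP_Phone2", "h.323", "permit"))
    acl.add(Policy(3, "untrust", "trust", "IP_Phone2", "mip(210.10.1.2)", "h.323", "permit"))
    acl.add(Policy(4, "untrust", "trust", "IP_Phone2", "mip(210.10.1.10)", "h.323", "permit"))
    return acl


def shadowing_demo() -> Tuple[str, str]:
    """Why position matters: a broad deny placed ahead of a narrower permit
    shadows it until the permit is moved back in front of the deny."""
    acl = h323_example()
    acl.add(Policy(5, "trust", "untrust", "any", "any", "h.323", "deny"), before=1)
    shadowed = acl.lookup("trust", "untrust", "IP_Phone1", "IP_Phone2", "h.323")
    acl.move(1, "before", 5)
    restored = acl.lookup("trust", "untrust", "IP_Phone1", "IP_Phone2", "h.323")
    return shadowed, restored


if __name__ == "__main__":
    acl = h323_example()
    print(acl.lookup("untrust", "trust", "IP_Phone2", "mip(210.10.1.2)", "h.323"))  # permit
    print(acl.lookup("untrust", "trust", "IP_Phone2", "IP_Phone1", "ftp"))           # deny
    print(shadowing_demo())                                                          # ('deny', 'permit')
```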

See Also
See the get policy, set address, set vpn, set l2tp, set user, set scheduler, and set traffic-shaping commands.

set pppoe
Description: Use the set pppoe command to configure PPPoE.

Syntax
set pppoe { ac <name_str> | authentication { CHAP | PAP | any } | auto-connect <number> | idle-interval <number> | interface [ <name_str> ] | ppp { lcp-echo-retries <number> | lcp-echo-timeout <number> } | service <name_str> | static-ip | username <name_str> password <string> }
unset pppoe { ac | authentication { CHAP | PAP } | idle-interval | interface [ <name_str> ] | service | static-ip | username }

Arguments
ac <name_str>: Allows the interface to connect only to the specified AC.


authentication { CHAP | PAP | any }: Sets the authentication method to CHAP, PAP, or both. The default authentication setting is any (both CHAP and PAP). To set authentication to CHAP only, first execute unset pppoe authentication PAP.
auto-connect <number>: Specifies the number of seconds that elapse before automatic re-initiation of a previously closed connection occurs. The valid range is 0-10000 (0 to disable).
idle-interval <number>: Sets the idle timeout, which is the time elapsed (in minutes) before the NetScreen device terminates a tunnel due to inactivity. Specifying 0 turns off the idle timeout, and the device never terminates the tunnel.
interface <name_str>: Specifies the interface for PPPoE encapsulation.
ppp: Specifies the PPP link-control settings:
- lcp-echo-retries <number>: the number of unacknowledged LCP Echo requests before the connection is terminated. The valid range is 1-30.
- lcp-echo-timeout <number>: the time that elapses between transmission of two LCP Echo requests. The valid range is 1-1000 seconds.
service <name_str>: Allows the interface to connect only to the specified service.
static-ip: Specifies that your connection uses the IP addresses assigned by the AC.
username <name_str> password <string>: Sets the user name and password.

Defaults
The command is disabled by default. The default authentication method is any. The default idle timeout is 30 minutes.

Examples
To set the username to Phred, and Phred's password to !@%)&&:
ns-> set pppoe username Phred password !@%)&&

See Also
See the get pppoe, clear pppoe, and exec pppoe commands.

set scheduler
Description: Use the set scheduler command to create or modify a schedule. Schedules are used to enforce access policies at certain times.

Syntax
set scheduler <name_str> [ once { start <date> <time> stop <date> <time> } [ comment <string> ] | recurrent { monday | tuesday | wednesday | thursday | friday | saturday | sunday } { start <time> stop <time> } [ start <time> stop <time> ] [ comment <string> ] ]
unset scheduler <name_str>

Arguments
<name_str>: Defines a name for the schedule.
once: Applies the schedule once, starting on the month, day, year, hour, and minute defined, and stopping on the month, day, year, hour, and minute defined.
start: Defines when to start the schedule.
stop: Defines when to stop the schedule.
<date>: Defines the month, day, and year in USA format (mm/dd/yyyy).
<time>: Defines the hour and minutes in 24-hour clock format (hh:mm).
recurrent: Directs the NetScreen device to repeat the schedule according to the defined day of the week, hour, and minutes.
monday: Repeat every Monday.
tuesday: Repeat every Tuesday.
wednesday: Repeat every Wednesday.
thursday: Repeat every Thursday.
friday: Repeat every Friday.
saturday: Repeat every Saturday.
sunday: Repeat every Sunday.

Defaults
None.

Examples
To create a schedule definition named mytime which starts on 1/10/1999 at 11:00 AM and ends on 2/12/1999 at 7:00 PM:
ns-> set scheduler mytime once start 1/10/1999 11:00 stop 2/12/1999 19:00
To create a schedule definition named weekend which starts at 8:00 AM and ends at 5:00 PM and repeats every Saturday and Sunday:
ns-> set scheduler weekend recurrent saturday start 8:00 stop 17:00
ns-> set scheduler weekend recurrent sunday start 8:00 stop 17:00
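An added Python evaluator, not NetScreen's code, for the two schedule forms: it reads the mm/dd/yyyy and hh:mm values exactly as typed on the CLI, allows the two windows per weekday that the recurrent syntax permits, and answers whether a policy bound to the schedule applies at a given moment. The mytime and weekend definitions above are the sample data; the timestamps it is checked against are constructed.

```python
"""Added example (not NetScreen's code): evaluates whether a `set scheduler`
definition is active at a given moment, for both the `once` and the
`recurrent` forms, using the page's mm/dd/yyyy and hh:mm formats."""
from datetime import datetime, time
from typing import Dict, List, Optional, Tuple

WEEKDAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]


def parse_dt(date_str: str, time_str: str) -> datetime:
    """'1/10/1999', '11:00' -> datetime; the CLI uses mm/dd/yyyy and a 24-hour clock."""
    return datetime.strptime(f"{date_str} {time_str}", "%m/%d/%Y %H:%M")


def parse_t(time_str: str) -> time:
    return datetime.strptime(time_str, "%H:%M").time()


class Scheduler:
    """One named schedule. `once` holds a single (start, stop) pair; `recurrent`
    maps a weekday to up to two (start, stop) windows, as the syntax allows."""

    def __init__(self, name: str):
        self.name = name
        self.once: Optional[Tuple[datetime, datetime]] = None
        self.recurrent: Dict[str, List[Tuple[time, time]]] = {}

    def set_once(self, start_date: str, start_time: str, stop_date: str, stop_time: str) -> None:
        """set scheduler <name> once start <date> <time> stop <date> <time>"""
        start, stop = parse_dt(start_date, start_time), parse_dt(stop_date, stop_time)
        if stop <= start:
            raise ValueError("stop must be later than start")
        self.once = (start, stop)

    def set_recurrent(self, day: str, start_time: str, stop_time: str) -> None:
        """set scheduler <name> recurrent <day> start <time> stop <time>
        (called twice for the same day to add the optional second window)"""
        day = day.lower()
        if day not in WEEKDAYS:
            raise ValueError(f"unknown weekday {day}")
        start, stop = parse_t(start_time), parse_t(stop_time)
        if stop <= start:
            raise ValueError("stop must be later than start within the day")
        windows = self.recurrent.setdefault(day, [])
        if len(windows) >= 2:
            raise ValueError("at most two windows per weekday")
        windows.append((start, stop))

    def is_active(self, at: datetime) -> bool:
        """A policy bound to this schedule applies only while this returns True."""
        if self.once and self.once[0] <= at <= self.once[1]:
            return True
        for start, stop in self.recurrent.get(WEEKDAYS[at.weekday()], []):
            if start <= at.time() <= stop:
                return True
        return False


def page_examples() -> Dict[str, Scheduler]:
    """The two schedules from the page: mytime (once) and weekend (recurrent)."""
    mytime = Scheduler("mytime")
    mytime.set_once("1/10/1999", "11:00", "2/12/1999", "19:00")
    weekend = Scheduler("weekend")
    weekend.set_recurrent("saturday", "8:00", "17:00")
    weekend.set_recurrent("sunday", "8:00", "17:00")
    return {"mytime": mytime, "weekend": weekend}


if __name__ == "__main__":
    s = page_examples()
    # Constructed check times: 1/16/1999 is a Saturday, 1/18/1999 a Monday.
    print(s["mytime"].is_active(parse_dt("1/20/1999", "12:00")))   # True
    print(s["weekend"].is_active(parse_dt("1/16/1999", "10:00")))  # True
    print(s["weekend"].is_active(parse_dt("1/18/1999", "10:00")))  # False
```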

See Also
See the get scheduler command.

set scs
Description: Use the set scs command to enable a secure command shell (SCS) to display information or configure a NetScreen device from a remote system.

Syntax
set scs { enable | key-gen-time <number> | pka-rsa { tftp { file-name <filename> | username <name_str> file-name <filename> } ip-addr <ip_addr> | [ username <name_str> ] key <number> <number> <number> } }
unset scs { enable | hash <name_str> <name_str> | key-gen-time | pka-rsa { all | username <name_str> { all | index <id_num> } } }

Arguments
enable: Enables the Secure Command Shell (SCS).
key-gen-time <number>: Specifies the SCS key regeneration time (in minutes).
pka-rsa: Public Key Authentication (PKA) using RSA.
tftp: Loads and binds the PKA key using TFTP.
key <number> <number> <number>: Binds a PKA key to the current user. The <number> values represent the key length, the exponent, and the modulus, respectively. Read-only users cannot execute this option.
username <name_str>: Specifies the name of the user to which the PKA key is bound.
file-name <filename>: Specifies the file containing the key to bind to the user.
unset scs pka-rsa: Unsets Public Key Authentication (PKA) using RSA.
- all: Deletes all keys bound to all users in the active root/VSYS. Admin users and read-only users cannot execute this option.
- username <name_str>: Unbinds and deletes all keys bound to the specified user, but only if <name_str> is the name of the current admin user. Read-only users cannot execute this option.
- index <id_num>: Unbinds and deletes the key identified by <id_num>. This option allows the root admin user to unbind a key for any user (identified by username <name_str>). Read-only users cannot execute this option.

Defaults
This feature is disabled by default. The default key generation time is 60 minutes.

Examples
To enable Secure Command Shell (SCS) on a NetScreen device:
ns-> set scs enable
To set the key regeneration time to 15 minutes:
ns-> set scs key-gen-time 15
To bind a hypothetical key to a user named chris:
ns-> set scs pka-rsa username chris key 512 65537 687527248844895807195605409339193503321372461558279681375742271564397062612879336559999265828980111611537652715077837089019119296718115311887359071551679

See Also
See the get scs and exec scs commands.

set service
Description: Use the set service command to create custom services for use in Access Policies.

Syntax
set service <name_str> [ + { <number> | tcp | udp { src <number>-<number> { dst <number>-<number> } } } | protocol { <number> | tcp | udp } [ src-port <number>-<number> ] [ dst-port <number>-<number> ] [ timeout { <number> | never } ] [ group { email | info | remote | security | other } ] | group { email | info | remote | security | other } { <number> | tcp | udp { src <number>-<number> { dst <number>-<number> } } } | timeout { <number> | never } | clear ]
unset service <name_str>

Arguments
<name_str>: Defines a name for the service.
+: Appends a service entry to the custom services list.
group { email | info | other | remote | security }: Assigns the service entry to one of the following groups, or categories:
- email: Services used for sending and receiving e-mail; for example, IMAP and POP3.
- info: Services used for seeking and retrieving information; for example, HTTP and DNS.
- remote: Services used for remote access; for example, FTP or rlogin.
- security: Services used for security-related traffic such as encryption, decryption, and authentication; for example, HTTPS and PPTP.
- other: Services used for traffic other than that covered by the other four groups; for example, SNMP for network management.
protocol <number>: Defines the service by IP protocol, where <number> is the protocol number for the specified service.
tcp: Defines a TCP-based service.
udp: Defines a UDP-based service.
src <number>-<number>: Defines a range of source port numbers valid for the service; for example, 100 to 250.
dst <number>-<number>: Defines a range of destination port numbers that receive the service request; for example, 300 to 400.
clear: Clears all service entries.
timeout { <number> | never }: Defines the session timeout value for the service in minutes, or as never.
unset service <name_str>: Removes the specified service from the custom services list.

Defaults
The default timeout for TCP connections is 30 minutes. The default timeout for UDP connections is 1 minute.

Examples
To clear all service entries named test:
ns-> set service test clear
To set a service named ipsec that uses protocol 50:
ns-> set service ipsec protocol 50
To set a service named test1 that uses destination TCP port 1001:
ns-> set service test1 protocol tcp src-port 0-65535 dst-port 1001-1001
To set a service named test2 that is categorized as a service for remote access and that uses TCP with port number 10115:
ns-> set service test2 group remote tcp src 0-65535 dst 10115-10115
ns-> set service test2 + udp src 0-65535 dst 10115-10115
To set a service named telnet with a timeout value of 10 minutes:
ns-> set service telnet timeout 10
To unset a service named test:
ns-> unset service test
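An added Python model, not NetScreen's code, of a custom service as set service builds it: each entry is checked against the protocol-number, port-range and 40-minute timeout limits given on this page, entries can be appended with + or dropped with clear, and a flow is matched against the service. The test2, ipsec and telnet definitions above are the sample data; the flow tuples are constructed.

```python
"""Added example (not NetScreen's code): models a `set service` definition,
validates its entries against the limits this page states, and matches flows
against it. Service names come from the page's examples; flows are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

MAX_TIMEOUT_MIN = 40                       # Notes: 40-minute ceiling for TCP and UDP
DEFAULT_TIMEOUT = {"tcp": 30, "udp": 1}    # Defaults section, in minutes
GROUPS = {"email", "info", "remote", "security", "other"}
PROTO_NUM = {"tcp": 6, "udp": 17}          # IANA protocol numbers


def parse_range(text: str) -> Tuple[int, int]:
    """'0-65535' or '1001-1001' -> (low, high), rejecting inverted or out-of-range ports."""
    low, high = (int(x) for x in text.split("-"))
    if not (0 <= low <= high <= 65535):
        raise ValueError(f"bad port range {text}")
    return low, high


@dataclass
class Entry:
    protocol: int                       # IP protocol number
    src: Tuple[int, int] = (0, 65535)   # source port range
    dst: Tuple[int, int] = (0, 65535)   # destination port range


@dataclass
class Service:
    name: str
    entries: List[Entry] = field(default_factory=list)
    group: Optional[str] = None
    timeout: Union[int, str, None] = None   # minutes, "never", or None for the default

    def add(self, proto: Union[int, str], src: str = "0-65535", dst: str = "0-65535") -> "Service":
        """`set service <name> [+] { <number> | tcp | udp } src <a>-<b> dst <c>-<d>`."""
        if isinstance(proto, str):
            if proto not in PROTO_NUM:
                raise ValueError(f"protocol must be tcp, udp or a number, not {proto}")
            proto = PROTO_NUM[proto]
        if not 0 <= proto <= 255:
            raise ValueError(f"bad protocol number {proto}")
        self.entries.append(Entry(proto, parse_range(src), parse_range(dst)))
        return self

    def set_group(self, group: str) -> "Service":
        if group not in GROUPS:
            raise ValueError(f"unknown group {group}")
        self.group = group
        return self

    def set_timeout(self, value: Union[int, str]) -> "Service":
        """`timeout { <number> | never }`; numbers above 40 minutes are rejected."""
        if value != "never" and not 0 < int(value) <= MAX_TIMEOUT_MIN:
            raise ValueError(f"timeout {value} outside 1-{MAX_TIMEOUT_MIN} minutes")
        self.timeout = value
        return self

    def clear(self) -> "Service":
        """`set service <name> clear`: drops every entry but keeps the name."""
        self.entries.clear()
        return self

    def matches(self, proto: int, sport: int, dport: int) -> bool:
        """True when any entry's protocol and both port ranges cover the flow."""
        return any(e.protocol == proto and e.src[0] <= sport <= e.src[1]
                   and e.dst[0] <= dport <= e.dst[1] for e in self.entries)

    def effective_timeout(self) -> Union[int, str]:
        """Explicit timeout if set, else the TCP or UDP default of the first entry."""
        if self.timeout is not None:
            return self.timeout
        first = self.entries[0].protocol if self.entries else PROTO_NUM["tcp"]
        return DEFAULT_TIMEOUT["udp"] if first == PROTO_NUM["udp"] else DEFAULT_TIMEOUT["tcp"]


def page_test2() -> Service:
    """set service test2 group remote tcp src 0-65535 dst 10115-10115
       set service test2 + udp src 0-65535 dst 10115-10115"""
    svc = Service("test2").set_group("remote")
    svc.add("tcp", "0-65535", "10115-10115")
    svc.add("udp", "0-65535", "10115-10115")
    return svc


if __name__ == "__main__":
    svc = page_test2()
    print(svc.matches(6, 40000, 10115), svc.matches(17, 40000, 10115), svc.matches(6, 40000, 10116))
    print(Service("ipsec").add(50).matches(50, 0, 0))      # protocol-only service: any port
    print(Service("telnet").set_timeout(10).effective_timeout())
```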

See Also
See the get service command.

Notes
The maximum timeout value for TCP connections is 40 minutes. The maximum timeout value for UDP connections is 40 minutes.

set snmp
Description: Use the set snmp command to configure the NetScreen device for Simple Network Management Protocol (SNMP), so that an SNMP manager can gather statistical information from the NetScreen device and receive notification when events of interest occur.

Syntax
set snmp { auth-trap { enable } | community <name_str> { read-only | read-write } [ trap-off | trap-on [ traffic ] ] | contact <name_str> | host <name_str> <ip_addr> | location <string> | name <name_str> | port { listen [ <port_num> ] | trap [ <port_num> ] } | vpn }
unset snmp { auth-trap { enable } | community <name_str> | contact | host <name_str> <ip_addr> | location | name | port { listen [ <port_num> ] | trap [ <port_num> ] } | vpn }

Arguments
auth-trap enable: Enables Simple Network Management Protocol (SNMP) authentication traps.
community <name_str>: Defines the name for the SNMP community. A maximum of 3 communities is supported on all products.
read-only: Defines the permission for the community as read-only.
read-write: Defines the permission for the community as read-write.
trap-on: Enables SNMP traps for the community.
traffic: Includes traffic alarms as SNMP traps.
trap-off: Disables SNMP traps for the community.
contact <name_str>: Defines the system contact.
host <name_str> <ip_addr>: Defines an SNMP host for the named community; <ip_addr> sets the host's IP address.
location <string>: Defines the physical location of the system.
name <name_str>: Defines the name of the system.
port { listen [ <port_num> ] | trap [ <port_num> ] }: Specifies the SNMP listen and trap ports.
vpn: Enables SNMP VPN encryption.

Examples
To configure a community named public that allows hosts to read Management Information Base II (MIB II) data, as defined in RFC-1213, and to receive traps:
ns-> set snmp community public read-only trap-on
To configure an SNMP host with IP address 10.20.25.30 for the community named public:
ns-> set snmp host public 10.20.25.30
To configure an SNMP host with IP address 10.40.40.15 for a community named netscreen with read and write permission, and allow traps to be sent to all hosts in this community:
ns-> set snmp community netscreen read-write trap-on
ns-> set snmp host netscreen 10.40.40.15

See Also
See the get snmp command.

Notes
Note: The community must exist before a host may be added to it. To browse the MIB II data and receive traps, an SNMP manager application (such as HP OpenView) is required. Many shareware and freeware SNMP manager applications are available from the Internet.

set ssl
Description: Use the set ssl command to configure a Secure Sockets Layer connection.

Syntax
set ssl { cert <number> | enable | encrypt { 3des { sha-1 } | des { sha-1 } | rc4 { md5 } | rc4-40 { md5 } } | port <port_num> }
unset ssl { cert | enable | encrypt | port }

Arguments
cert <number>: Specifies that the named certificate is required.
enable: Turns on SSL.
encrypt: Enables encryption over the SSL connection.
3des: Sets the 3DES security level.
des: Sets the DES security level.
rc4 md5: Sets the RC4 MD5 security level.
rc4-40 md5: Sets the RC4-40 MD5 security level.
port <port_num>: Specifies the SSL port number.

Defaults
The default SSL port is 443.

Examples
To change the SSL port to 11533:
ns-> set ssl port 11533
To specify triple-DES encryption with SHA-1 authentication hashing:
ns-> set ssl encrypt 3des sha-1

See Also
See the get ssl command.

set syslog
Description: Use the set syslog command to configure the NetScreen device to send traffic and event messages to the Syslog host.

Syntax
set syslog { VPN | config { <name_str> | <ip_addr> } { AUTH/SEC | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 } { AUTH/SEC | local0 | local1 | local2 | local3 | local4 | local5 | local6 | local7 } | enable | port <port_num> | traffic }
unset syslog { <string> | VPN | config | enable | hostname | port | traffic }

Arguments
VPN: Allows the NetScreen device to send Syslog traffic through a VPN tunnel to the Syslog server. By default, the NetScreen device sends Syslog traffic through the Untrusted interface. Executing the VPN option directs the device to send Syslog traffic through the Trusted interface. The device uses a security policy to secure this traffic. If the policy specifies encryption, the device encrypts the traffic according to the policy's VPN configuration before transmission. Executing the unset syslog VPN command resets the device to the default behavior.
config: Defines the configuration settings for the Syslog utility.
<name_str> | <ip_addr>: Defines the name or the IP address of the Syslog host device.
AUTH/SEC | local0-7: Defines the security facility level (first value) and the regular facility level (second value). The security facility classifies and sends messages to the Syslog host for security-related actions such as attacks. The regular facility classifies and sends messages for events unrelated to security, such as user logins and logouts, and system status reports.
enable: Enables the NetScreen device to send messages to the Syslog host.
traffic: Enables the NetScreen device to send traffic logs to the Syslog host.
port <port_num>: Defines the port number on the Syslog host that receives the User Datagram Protocol (UDP) packets from the NetScreen device.

Defaults
This feature is disabled by default. The default Syslog port number is 514, and the default WebTrends port number is 514.

Examples
To set the Syslog host configuration with the ability to report all logs:
ns-> set syslog config 172.16.20.249 AUTH/SEC local0 debug
To turn on the Syslog feature:
ns-> set syslog enable
Note: The Syslog host must be enabled before you can enable Syslog.
To change the Syslog port number to 911:
ns-> set syslog port 911

See Also
See the get syslog command.

set temperature-threshold
Description: Use the set temperature-threshold command to set the normal and severe temperature thresholds for triggering temperature alarms.

Syntax
set temperature-threshold { alarm { celsius <number> | fahrenheit <number> } | severe { celsius <number> | fahrenheit <number> } }
unset temperature-threshold { alarm { celsius <number> | fahrenheit <number> } | severe { celsius <number> | fahrenheit <number> } }

Arguments
severe { celsius <number> | fahrenheit <number> }: Defines the temperature required to trigger a severe alarm, which increases the frequency of audible alarms and entries to the alarm event log.

Examples
To set the normal temperature alarm threshold at 150 Fahrenheit:
ns-> set temperature-threshold alarm fahrenheit 150
To set the severe temperature alarm threshold at 70 Celsius:
ns-> set temperature-threshold severe celsius 70

See Also
See the get temperature command.

set timer
Description: Use the set timer command to configure the NetScreen device to automatically execute a management or diagnostic function at a specified time. All timer settings remain in the configuration script even after the specified time has expired.

Syntax
set timer <date_str> <time_str> action reset
unset timer <id_num>

Arguments
<date_str>: Specifies the date when the NetScreen device executes the defined action. The date is in mm/dd/yyyy format.
<time_str>: Specifies the time when the NetScreen device executes the defined action. The time is in hh:mm format.
action: Defines the event that the command triggers at the given date and time.
reset: Resets the timer.
<id_num>: Identifies the specific action by its ID number in the list of timer settings generated by the set timer command.

Defaults
None.

Examples
To configure the NetScreen device to reset at a given time and date:
ns-> set timer 1/31/2000 19:00 action reset

See Also
See the get timer command.

set traffic-shaping
Description: Use the set traffic-shaping command to determine the settings for the system with the traffic-shaping function.

Syntax
set traffic-shaping { ip_precedence <number> <number> <number> <number> <number> <number> <number> <number> | mode { auto | off | on } }
unset traffic-shaping { ip_precedence | mode }

Arguments
ip_precedence <number> (eight values): Specifies the priorities 0 through 7 for IP precedence (TOS) mapping. Each setting should be a single-digit value.
mode { auto | off | on }: Defines the mode settings for the system with the traffic-shaping function. If you select auto, the system automatically determines the mode settings: if there is at least one policy in the system with traffic shaping turned on, the system automatically sets the mode to on; if there is no such policy, the auto mode default setting is off.

Defaults
By default, the traffic shaping function is set to auto mode.

Examples
To turn on the traffic shaping function:
ns-> set traffic-shaping mode on

See Also
See the get traffic-shaping command.

set url
Description: Use the set url command to enable URL filtering. UR filtering is provided by a Websense server.

Syntax
set url { config { disable | enable } | fail-mode { block | permit } | message <string> | msg-type <number> | no-block <name_str> <name_str> | server { <name_str> | <ip_addr> } <port_num> <number> }
unset url { config | fail-mode | message | msg-type | server }

Arguments
config { enable | disable }: Enables or disables URL filtering by the Websense server.
fail-mode { block | permit }: If the connection to the Websense server is lost, either blocks or permits all HTTP requests.
message <string>: Defines a custom message, fewer than 220 characters in length, to send to the client who is blocked from reaching a URL.
msg-type <number>: A value of 0 uses the message sent by the Websense server. A value of 1 uses the user-defined message from the NetScreen device.
no-block <name_str1> <name_str2>: Disables blocking from one interface (<name_str1>) to another interface (<name_str2>).
server { <name_str> | <ip_addr> } <port_num> <number>: Defines communication with a Websense server by domain name (such as www.abc.com) or IP address <ip_addr>, using port number <port_num> and a timeout value <number> in seconds. The timeout value specifies how long the NetScreen device waits for a response from the Websense server before it either blocks or permits traffic to the URL.

Defaults
The default port number for a Websense server is 15868. The default fail-mode behavior is to block all HTTP requests. The Websense server is the default source of the message which indicates that user access to a URL is blocked.

Examples
To disable blocking from interface ethernet3/1 to interface ethernet4/2:
ns-> set url no-block ethernet3/1 ethernet4/2
To enable the URL blocking feature:
ns-> set url config enable
To define the URL blocking message as "This site is blocked":
ns-> set url message This site is blocked
To use the message from the NetScreen device:
ns-> set url msg-type 1
To specify communication with a Websense server with the IP address 172.16.150.6 at port 15868 and a timeout value of 10 seconds:
ns-> set url server 172.16.150.6 15868 10

See Also
See the get url and get url-filter commands.

set user
Description: Use the set user command to create entries in the internal user authentication database. There are four basic categories of users:
- Dialup users (for using Manual Key VPNs)
- Authentication users (for using network connections)
- IKE users (for using AutoKey IKE VPNs)
- Authentication/IKE users

Syntax
set user <name_str>
  { dialup <spi_num> <spi_num>
      { ah { md5 | sha-1 } { key <key_hex> | password <pswd_str> }
      | esp { { 3des | des | aes128 } { key <key_hex> | password <pswd_str> }
            | null [ auth { md5 | sha-1 } { key <key_hex> | password <pswd_str> } ] } }
      [ outgoing-interface <interface> ]
  | disable
  | enable
  | ike-id { ip <ip_addr> | fqdn <name_str> | u-fqdn <name_str>
           | asn1-dn [ container <name_str> ] { wildcard <name_str> } [ share-limit <number> ] }
  | password <pswd_str>
  | remote-settings { dns1 <ip_addr> | dns2 <ip_addr> | ipaddr <ip_addr> | ippool <name_str> | wins1 <ip_addr> | wins2 <ip_addr> }
  | type { [ auth ] [ ike ] [ l2tp ] } }
unset user <string> [ type { auth [ ike ] } ]

Arguments
<name_str>: Defines the user's name.
dialup <spi_num> <spi_num>: For the Manual Key VPN method only. Defines local and remote security parameter index (SPI) numbers that uniquely distinguish a particular encrypted tunnel from any others. This parameter must be a hexadecimal value between 1000 and 2fffffff. The local SPI number at one end serves as the remote SPI number at the other end, and vice versa.
esp: For VPN dialup users and dynamic peers. Defines the use of the Encapsulating Security Payload (ESP) protocol.
3des: Specifies the Triple Data Encryption Standard (3DES) algorithm.
aes128: Specifies the Advanced Encryption Standard (AES), 128-bit encryption.
key <key_hex>: Defines the 192-bit hexadecimal key used in the 3DES algorithm. This value must be between 1000 and 2fffffff.
password <pswd_str>: Defines a password for the generation of a hexadecimal key. The NetScreen device creates a hexadecimal key for the user based upon the password string that the user provides.
des: Specifies the DES encryption algorithm.
key <key_hex>: Defines the 64-bit hexadecimal key used in the DES algorithm.
null: Defines no encryption method for the ESP protocol.
auth: Defines the use of an authentication method. Choices are MD5 or SHA-1. (Note: Some NetScreen devices do not support SHA-1.)
ah: Defines the use of the Authentication Header (AH) protocol. Choices are MD5 and SHA-1. (Note: Some NetScreen devices do not support SHA-1.)
md5: Sets the device to use the Message Digest version 5 (MD5) algorithm for authentication.
key <key_hex>: Defines the 16-byte hexadecimal key used in the MD5 algorithm.
sha-1: Sets the device to use the Secure Hash Algorithm (SHA-1) for authentication.
key <key_hex>: Defines the 20-byte hexadecimal key used in the SHA-1 algorithm.
type { [ auth ] [ ike ] [ l2tp ] }: Sets the user type, which can be one of the following: authentication, IKE, L2TP, authentication/IKE, authentication/L2TP, authentication/IKE/L2TP, or IKE/L2TP.
disable | enable: Disables or enables the user in the internal database. By default, the user is enabled.

ike-id { <ip_addr> | <name_str> }: Adds and defines an AutoKey IKE dialup user.
- ip <ip_addr>: The IP address of the dialup user.
- fqdn <name_str>: The Fully Qualified Domain Name, the complete string, such as www.netscreen.com.
- u-fqdn <name_str>: Specifies the dialup user identity, usually equivalent to an email address, such as admin@acme.com.
- asn1-dn { wildcard <name_str> }: Specifies the user certificate distinguished name fields and field values that define user identity. Example: o=ACME,ou=Marketing. This user identity automatically allows tunnel communication with any user having a certificate containing these field values. The NetScreen device does not check any fields not defined here. The number of users that can establish tunnels concurrently using this identity is set by the share-limit <number> parameter. If the VPN gateway uses preshared keys, the share limit is limited to 1, so only a single user can log in with that identity.
password <pswd_str>: The password used for user authentication. For authentication/L2TP users, the same password is used for both network and L2TP authentication.
outgoing-interface <interface>: The name of the ARP interface in the ARP table entry. The interfaces you can use for the ARP interface are as follows.
- ethernet<n>
- ethernet<n1>/<n2>
- ethernet<n1>.<n2>
- ethernet<n1>/<n2>.<n3>
- v1-trust
- v1-untrust
- v1-dmz

For more information on interfaces, refer to Interfaces in USGA Features.

remote-settings: Defines user-specific remote L2TP settings that supersede the default L2TP settings.
- dns1 <ip_addr>: The IP address of the primary DNS server assigned to an L2TP user.
- dns2 <ip_addr>: The IP address of the secondary DNS server assigned to an L2TP user.
- ipaddr <ip_addr>: Assigns a specific IP address to an L2TP user.
- ippool <name_str>: Specifies the L2TP IP pool with the name <name_str>.
- wins1 <ip_addr>: The IP address of the primary WINS server assigned to an L2TP user.
- wins2 <ip_addr>: The IP address of the secondary WINS server assigned to an L2TP user.

Defaults
Users are enabled by default.

Examples
To create an authentication user in the NetScreen internal database for user guest with the password JnPc3g12:
ns-> set user guest password JnPc3g12
To change the user guest to an authentication/L2TP user:
ns-> set user guest type auth l2tp
To create a dialup user named maryj using DES encryption based on the password ipsecmaryj, with a local SPI defined as 3456 and a remote SPI defined as 7890:
ns-> set user maryj dialup 3456 7890 esp des password ipsecmaryj
To create an IKE user named branchsf with the IKE ID 2.2.2.2:
ns-> set user branchsf ike-id 2.2.2.2
To delete the user named jane:
ns-> unset user jane
To create a new user definition named marketing that recognizes up to 10 hosts possessing certificates containing ACME in the O field and Marketing in the OU field:
ns-> set user marketing ike-id asn1-dn wildcard o=ACME,ou=Marketing share-limit 10
This command uses Group IKE ID, which allows multiple hosts to use a single user definition.
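An added Python check, not NetScreen's code, of the Manual Key parameters a set user dialup command carries: the SPI range and the key lengths stated in the arguments above for 3DES, DES, AES128, MD5 and SHA-1, and the rule that each algorithm takes either a hexadecimal key or a password. The maryj example above is used as input; the hexadecimal keys in the code are constructed placeholders of the right length, not real keys.

```python
"""Added example (not NetScreen's code): validates the Manual Key parameters of
`set user <name> dialup <spi> <spi> { ah | esp } ...` against the sizes this
page states. The key strings used in __main__ are constructed placeholders."""
import re
from typing import Dict, Optional

SPI_MIN, SPI_MAX = 0x1000, 0x2fffffff                   # "between 1000 and 2fffffff"
ENC_KEY_HEX = {"3des": 48, "des": 16, "aes128": 32}     # 192-, 64- and 128-bit keys
AUTH_KEY_HEX = {"md5": 32, "sha-1": 40}                  # 16- and 20-byte keys


def check_spi(text: str) -> int:
    """SPIs are typed as hex on the CLI (3456, 7890, 2fffffff)."""
    try:
        value = int(text, 16)
    except ValueError:
        raise ValueError(f"SPI {text!r} is not hexadecimal") from None
    if not SPI_MIN <= value <= SPI_MAX:
        raise ValueError(f"SPI {text} outside 1000-2fffffff")
    return value


def check_hex_key(key: str, want_hex_digits: int, what: str) -> None:
    if not re.fullmatch(r"[0-9a-fA-F]+", key) or len(key) != want_hex_digits:
        raise ValueError(f"{what} key must be {want_hex_digits} hex digits "
                         f"({want_hex_digits * 4} bits)")


def _key_or_password(key: Optional[str], password: Optional[str],
                     want_hex_digits: int, what: str) -> str:
    """The CLI takes exactly one of `key <hex>` or `password <string>`; with a
    password the device derives the key itself, so only its presence is checked."""
    if (key is None) == (password is None):
        raise ValueError(f"{what}: give exactly one of key or password")
    if key is not None:
        check_hex_key(key, want_hex_digits, what)
        return "key"
    if not password:
        raise ValueError(f"{what}: empty password")
    return "password"


def validate_dialup(local_spi: str, remote_spi: str, proto: str, alg: str,
                    key: Optional[str] = None, password: Optional[str] = None,
                    auth: Optional[str] = None, auth_key: Optional[str] = None,
                    auth_password: Optional[str] = None) -> Dict[str, object]:
    """proto is 'ah' or 'esp'; alg is md5/sha-1 for ah and 3des/des/aes128/null
    for esp. Returns the normalized settings or raises ValueError on the first
    problem found."""
    out: Dict[str, object] = {"local_spi": check_spi(local_spi),
                              "remote_spi": check_spi(remote_spi),
                              "proto": proto, "alg": alg}
    if proto == "ah":
        if alg not in AUTH_KEY_HEX:
            raise ValueError(f"ah supports md5 or sha-1, not {alg}")
        out["keying"] = _key_or_password(key, password, AUTH_KEY_HEX[alg], f"ah {alg}")
    elif proto == "esp":
        if alg in ENC_KEY_HEX:
            out["keying"] = _key_or_password(key, password, ENC_KEY_HEX[alg], f"esp {alg}")
        elif alg != "null":
            raise ValueError(f"esp supports 3des, des, aes128 or null, not {alg}")
        if auth is not None:                     # optional `auth { md5 | sha-1 } ...`
            if auth not in AUTH_KEY_HEX:
                raise ValueError(f"auth supports md5 or sha-1, not {auth}")
            out["auth"] = auth
            out["auth_keying"] = _key_or_password(auth_key, auth_password,
                                                  AUTH_KEY_HEX[auth], f"auth {auth}")
    else:
        raise ValueError(f"protocol must be ah or esp, not {proto}")
    return out


if __name__ == "__main__":
    # The page's maryj example: DES keyed from a password.
    print(validate_dialup("3456", "7890", "esp", "des", password="ipsecmaryj"))
    # Constructed placeholder keys of the stated length: 48 hex digits (192 bits)
    # for 3DES and 40 hex digits (20 bytes) for SHA-1.
    print(validate_dialup("1000", "2fffffff", "esp", "3des",
                          key="0123456789abcdef" * 3, auth="sha-1", auth_key="ab" * 20))
```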

See Also
See the get user, set ike, set l2tp, set ippool, and set vpn commands.

set vpn
Description: Use the set vpn command to create a Virtual Private Network (VPN) tunnel. NetScreen devices support two key methods for VPNs, AutoKey IKE and Manual Key. AutoKey IKE (Internet Key Exchange) is a standard protocol that automatically regenerates encryption keys at user-defined intervals. By contrast, Manual Key VPNs use predefined keys that are unchanged until the participants change them explicitly. Attempting to use the SHA-1 parameter with a NetScreen device that does not support it generates the error message "This device doesn't support SHA-1 Authentication". Entering the set vpn <name_str> trust gateway command generates the error message "AutoKey VPN is not supported on trust interface".

Syntax
set vpn <name_str> [ trust ]
  { monitor
  | gateway { <name_str> | <ip_addr> }
      { [ replay | no-replay ] [ transport | tunnel ] [ idletime <number> ]
        [ proposal [ <name_str> [ <name_str> [ <name_str> [ <name_str> ] ] ] ] ] }
  | manual <32_bit_hex> <32_bit_hex> gateway <ip_addr>
      { [ nat-traversal [ keepalive-frequency <number> ] [ udp-checksum ]
          [ ip-gateway-public <ip_addr> ] { port-gateway-public <number> } ]
        [ outgoing-interface <interface> ]
        { ah { md5 | sha-1 } { key <16_byte_hex> | password <pswd_str> }
        | esp { 3des { key <192-bit_hex> | password <pswd_str> }
              | des { key <64-bit_hex> | password <pswd_str> }
              | aes128 { key <128-bit_hex> | password <pswd_str> }
              | null [ auth { md5 | sha-1 } { key <16_byte_hex> | password <pswd_str> } ] } } }
  | proxy-id <name_str> { local-ip <ip_addr>/<mask> } { remote-ip <ip_addr>/<mask> } { <name_str> }
  | df-bit { clear | copy | set }
  | bind { interface <interface> | zone <name_str> } }
unset vpn <vpn_name> [ monitor ]

Arguments
vpn <name_str>  Defines a name for the VPN.
trust  Specifies the Trusted interface.
gateway <name_str>  Specifies the name of the remote security gateway. (This can be a NetScreen unit or any other IPSec-compatible device.)
replay | no-replay  Enables or disables replay protection. The default setting is no-replay.
transport | tunnel  Defines the IPSec mode. In tunnel mode, the active IP packet is encapsulated. In transport mode, no encapsulation occurs. Tunnel mode is appropriate when both end points in an exchange lie beyond gateway devices. Transport mode is appropriate when either end point is a gateway.
idletime <number>  The length of time in minutes that a connection can remain inactive before the NetScreen device terminates it.


proposal <name_str>  Defines up to four Phase 2 proposals. A Phase 2 proposal determines how a NetScreen device sends VPN session traffic.
manual <32_bit_hex> <32_bit_hex>  Specifies a Manual Key VPN. When the NetScreen device is in Manual mode, you can encrypt and authenticate by HEX key or password. <32_bit_hex> and <32_bit_hex> are the 32-bit local and remote security parameter index (SPI) numbers. Each SPI number uniquely distinguishes a particular tunnel from any other active tunnel. Each must be a hexadecimal value between 3000 and 2fffffff. The local SPI corresponds to the remote SPI at the other end of the tunnel, and vice versa.
gateway <ip_addr>  Defines the Untrusted IP address of the remote security gateway. This can be a NetScreen unit or any other IPSec-compatible device.
ah  Specifies the Authentication Header (AH) protocol to authenticate IP packet content. Hashing algorithm choices are MD5 and SHA-1.
local-interface  Specifies the local interface of the NetScreen device.
md5  Specifies the Message Digest 5 (MD5) algorithm for authentication.
key <16_byte_hex>  Defines a 16-byte hexadecimal key, which the NetScreen device uses to produce a 128-bit message digest (or hash) from the message.
sha-1  Specifies the Secure Hash Algorithm (version) 1 (SHA-1) algorithm for authentication.
esp  Specifies the use of the Encapsulating Security Payload (ESP) protocol, which the NetScreen device uses to encrypt and authenticate IP packets. Encryption algorithm choices are DES, 3DES and Null (for no encryption).
3des  Specifies the Triple Data Encryption Standard (3DES) encryption algorithm.
key <192_bit_hex>  Defines a 192-bit hexadecimal key for 3DES encryption.
des  Specifies the Data Encryption Standard (DES) encryption algorithm.
key <64-bit hex>  Defines a 64-bit hexadecimal key for DES encryption.
aes128  Specifies the Advanced Encryption Standard (AES), 128-bit encryption.


key <128-bit hex>  Defines a 128-bit hexadecimal key for DES encryption.
null  When used with ESP, specifies no encryption method. When used with auth, specifies no authentication method.
password <pswd_str>  Specifies a password that the NetScreen device uses to generate an encryption or authentication key automatically.
nat-traversal  Configures the VPN to work with NAT.
  ip-gateway-public <ip_addr>  Specifies the peer gateway's public IP address.
  keepalive-frequency <number>  Specifies the keepalive frequency.
  port-gateway-public <number>  Specifies the peer gateway's public IKE port number.
  udp-checksum  Enables the NAT-Traversal UDP checksum.

outgoing-interface <interface>  The name of the outgoing interface. The interfaces you can use for the outgoing interface are as follows.
- ethernet<n>
- ethernet<n1>.<n2>
- ethernet<n1>/<n2>
- ethernet<n1>/<n2>.<n3>
- v1-trust
- v1-untrust
- v1-dmz

For more information on interfaces, refer to Interfaces in USGA Features.


proxy-id  Specifies the combination of local and remote addresses used by the VPN tunnel, and specifies the service provided.
  local-ip <ip_addr>/<mask>  The IP address and subnet mask of the local subnet.
  remote-ip <ip_addr>/<mask>  The IP address of the remote subnet.
  <name_str>  The name of the service, such as FTP, TELNET, DNS or HTTP.

auth  Specifies the use of an authentication (hashing) method. The available choices are MD5 or SHA-1. (Some NetScreen devices do not support SHA-1. See below for more information.)
monitor  Monitors the specified VPN, sending SNMP MIB3 data and traps to an SNMP community.
df-bit  Determines how the NetScreen device handles the Don't Fragment (DF) bit in the outer header.
  clear  Clears (disables) the DF bit in the outer header.
  copy  Copies the DF bit to the outer header.
  set  Sets (enables) the DF bit in the outer header.
bind  Performs VPN binding.
- interface <interface> specifies the tunnel interface to use for VPN binding.
- zone <name_str> specifies the security zone to use for VPN binding.

Defaults
The key lifetime is set to 3600 seconds. The ESP authentication algorithm is NONE when not specified otherwise.


Examples
To create a manual VPN named judy with the following features:
- local and remote SPIs defined as 00001111 and 00002222
- the remote gateway IP address set at 172.16.33.2
- ESP with DES and MD5 using keys generated from the password judyvpn
ns-> set vpn judy manual 00001111 00002222 gateway 172.16.33.2 esp des password judyvpn auth md5 password judyvpn
To specify a vpn proxy configuration named prx_main:
ns-> set vpn x proxy-id local-ip 172.16.1.1/24 remote-ip 192.168.2.2/24 prx_main
To create an AutoKey IKE VPN named tuval with the following features:
- remote gateway funaf (previously specified using the set ike gateway command)
- replay protection enabled
- a Phase 2 proposal consisting of a Diffie-Hellman Group 2 exchange, ESP with Triple DES and SHA-1
ns-> set vpn tuval gateway funaf.com replay proposal g2-esp-3des-sha
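The constraints stated above for manual-key tunnels (SPIs between 3000 and 2fffffff hex, key sizes per algorithm, ESP authentication defaulting to NONE) can be checked mechanically over exported configuration lines. The following is an added example, not NetScreen code; the key sizes are taken from the argument table as printed (which lists a 16-byte key for both MD5 and SHA-1), and the sample lines and keys are constructed. Note that the manual's own judy example uses SPIs below the stated 3000 floor, which the checker reports.

```python
import re
from typing import Dict, List

# Key sizes in hex digits, taken from the argument table (which lists a
# 16-byte key for both MD5 and SHA-1); SPI bounds from the manual text.
ENC_KEY_HEX = {"des": 16, "3des": 48, "aes128": 32, "null": 0}
AUTH_KEY_HEX = {"md5": 32, "sha-1": 32}
SPI_MIN, SPI_MAX = 0x3000, 0x2FFFFFFF
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

class ParseError(ValueError):
    """Raised when a line does not follow the manual-key syntax."""

def _take(toks: List[str], i: int, what: str) -> str:
    if i >= len(toks):
        raise ParseError(f"missing {what}")
    return toks[i]

def _key_or_password(toks: List[str], i: int, vpn: Dict[str, str], prefix: str) -> int:
    """Consume `key <hex>` or `password <str>`; return the next token index."""
    kind = _take(toks, i, f"{prefix} key|password")
    if kind not in ("key", "password"):
        raise ParseError(f"expected key or password after {prefix}, got {kind!r}")
    vpn[f"{prefix}_{kind}"] = _take(toks, i + 1, f"{prefix} {kind} value")
    return i + 2

def parse_manual_vpn(line: str) -> Dict[str, str]:
    """Parse `set vpn <name> manual <spi> <spi> gateway <ip> {ah|esp} ...`."""
    toks = line.split()
    if toks[:2] != ["set", "vpn"] or len(toks) < 4 or toks[3] != "manual":
        raise ParseError("not a 'set vpn <name> manual' command")
    vpn = {"name": toks[2], "spi_local": _take(toks, 4, "local SPI"),
           "spi_remote": _take(toks, 5, "remote SPI")}
    if _take(toks, 6, "gateway keyword") != "gateway":
        raise ParseError("expected 'gateway' after the SPIs")
    vpn["gateway"] = _take(toks, 7, "gateway address")
    vpn["proto"] = proto = _take(toks, 8, "ah|esp")
    if proto == "ah":
        vpn["auth"] = _take(toks, 9, "AH algorithm")
        i = _key_or_password(toks, 10, vpn, "auth")
    elif proto == "esp":
        vpn["enc"] = _take(toks, 9, "ESP algorithm")
        i = 10
        if vpn["enc"] != "null":  # `null` takes no key
            i = _key_or_password(toks, i, vpn, "enc")
        if i < len(toks) and toks[i] == "auth":
            vpn["auth"] = _take(toks, i + 1, "auth algorithm")
            i = _key_or_password(toks, i + 2, vpn, "auth")
    else:
        raise ParseError(f"expected ah or esp, got {proto!r}")
    if i != len(toks):
        raise ParseError("unexpected trailing tokens: " + " ".join(toks[i:]))
    return vpn

def _check_key(findings: List[str], label: str, key: str, want: int) -> None:
    if not HEX_RE.match(key):
        findings.append(f"{label} key is not hexadecimal")
    elif len(key) != want:
        findings.append(f"{label} key has {len(key)} hex digits, expected {want}")

def check_manual_vpn(vpn: Dict[str, str]) -> List[str]:
    """Return findings for one parsed line; an empty list means it passes."""
    findings: List[str] = []
    for side in ("spi_local", "spi_remote"):
        spi = vpn[side]
        if not HEX_RE.match(spi):
            findings.append(f"{side} {spi!r} is not hexadecimal")
        elif not SPI_MIN <= int(spi, 16) <= SPI_MAX:
            findings.append(f"{side} {spi} is outside 3000-2fffffff")
    if vpn["proto"] == "esp":
        enc = vpn["enc"]
        if enc not in ENC_KEY_HEX:
            findings.append(f"unknown ESP algorithm {enc!r}")
        elif "enc_key" in vpn:
            _check_key(findings, enc, vpn["enc_key"], ENC_KEY_HEX[enc])
        if enc == "null":
            findings.append("esp null: payload is not encrypted")
        if "auth" not in vpn:  # Defaults: ESP authentication is NONE
            findings.append("esp without auth: authentication defaults to NONE")
    if "auth" in vpn:
        alg = vpn["auth"]
        if alg not in AUTH_KEY_HEX:
            findings.append(f"unknown authentication algorithm {alg!r}")
        elif "auth_key" in vpn:
            _check_key(findings, alg, vpn["auth_key"], AUTH_KEY_HEX[alg])
    return findings

def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Findings per manual-key VPN name; AutoKey IKE lines are skipped."""
    parsed = [parse_manual_vpn(l) for l in lines if " manual " in l]
    return {v["name"]: check_manual_vpn(v) for v in parsed}

# Constructed sample: the manual's own judy line, then made-up lines with
# documentation addresses and placeholder keys.
SAMPLE_CONFIG = [
    "set vpn judy manual 00001111 00002222 gateway 172.16.33.2 esp des password judyvpn auth md5 password judyvpn",
    "set vpn lab manual 00003001 00003002 gateway 192.0.2.1 "
    "esp 3des key " + "ab" * 24 + " auth sha-1 key " + "cd" * 16,
    "set vpn weak manual 00003003 00003004 gateway 192.0.2.2 esp null",
]
```

Running audit(SAMPLE_CONFIG) returns no findings for lab, two out-of-range SPI findings for judy, and the unencrypted/unauthenticated findings for weak.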

See Also
See the get vpn, set vpnmonitor, and set ike commands. The set ike command section contains the complete steps for setting up a VPN tunnel.


set vpnmonitor
Description: Use the set vpnmonitor command to set the monitor frequency.

Syntax
set vpnmonitor frequency { <number> }
unset vpnmonitor frequency

Arguments
frequency <number> Specifies the monitor frequency interval. The interval length in seconds is <number> multiplied by 10.

Defaults
None.

Examples
To set a vpnmonitor with a frequency of 30 seconds:
ns-> set vpnmonitor frequency 3

See Also
See the get vpnmonitor, get vpn, and set ike commands.


set vrouter
Description: Use the set vrouter command to configure a virtual router.

Syntax
set vrouter <name_str>
  [ access-list <number> { deny | permit } { ip <ip_addr>/<mask> }
  | auto-route-export
  | import-from | export-to { vrouter <name_str> } { ip <ip_addr>/<mask> }
  | id <number>
  | max-routes <number>
  | route <ip_addr>/<mask> { [ interface <interface> ] gateway <ip_addr> [ metric <number> ] | vrouter <name_str> }
  | router-id <number> | <ip_addr> ]
unset config

Arguments
access-list <number>  Adds IP addresses to the virtual router, and specifies which addresses the NetScreen device routes (permit) and does not route (deny). The <ip_addr>/<mask> value identifies the IP address to place in the virtual router.
auto-route-export  Exports public interface routes to the untrust-vr virtual router.


import-from | export-to  Imports routes from another virtual router (import-from) or exports routes to another virtual router (export-to). The vrouter <name_str> parameter identifies the other virtual router by name. The <ip_addr>/<mask> value identifies the IP address route to import or export.
id <number>  Creates a new virtual router with ID number <number>.
max-routes <number>  Specifies the maximum number of routing entries allowed in the vrouter.
route <ip_addr>/<mask>  Configures a route in the virtual routing table.
router-id <number> | <ip_addr>  Specifies the virtual router ID for ospf/bgp.

Examples
To create a new virtual router named Out_Route, with ID number 1035:
ns-> set vrouter Out_Route id 1035
To import a route with IP address 192.168.2.3/24 to vrouter Out_Route from virtual router untrust-vr:
ns-> set vrouter Out_Route import-from vrouter untrust-vr ip 192.168.2.3/24

See Also
See the get vrouter command.


set vsys
Description: Use the set vsys command to create virtual systems from the root level of a NetScreen device.

Syntax
set vsys <name_str>
unset vsys <name_str>

Arguments
<name_str> Defines the name of a virtual system and automatically places the root level admin within the virtual system. Subsequent commands configure the newly created virtual system.

Defaults
The default condition is no virtual systems configured.

Examples
To create a virtual system named organization3 and switch the console to the new virtual system:
ns-> set vsys organization3

See Also
See the get vsys, set interface and enter vsys commands.

Notes
The NetScreen-500 and -1000 provide multi-tenant services through virtual systems, each a unique security domain with its own settings and management.


When you execute the set vsys command, the command prompt changes to indicate that you are now operating within a virtual system. To access an existing virtual system, execute the enter vsys command. Use the unset vsys command to remove a specific virtual system and all its settings.
Note: The number of virtual systems depends on the quantity obtained via the virtual system software_key feature. The virtual system user software_key only allows you to configure up to 25 virtual systems.


set webtrends
Description: Use the set webtrends command to configure WebTrends.

Syntax
set webtrends { VPN enable host-name <name_str> port <port_num> }
unset webtrends { VPN enable host-name <name_str> port <port_num> }

Arguments
vpn  Enables WebTrends VPN encryption.
enable  Enables WebTrends.
host-name <name_str>  Specifies the WebTrends host name.
port <port_num>  Specifies the WebTrends host port.

Availability
This feature is supported on all NetScreen devices.


Defaults
None.

Examples
To set the WebTrends VPN encryption:
ns-> set webtrends vpn
To enable WebTrends:
ns-> set webtrends enable

See Also
See the set vsys-traffic command.


set zone
Description: Use the set zone command to create or configure a security zone.

Syntax
set zone { id <id_num> | <name_str> { block | vrouter <name_str> } | name <zone> { L2 <id_num> | tunnel <name_str> } }
unset zone <interface> [ name <name_str> ]

Arguments
id <id_num>  The identification number of the zone.
<name_str>  The name of the zone. For more information on zones and zone names, see Security Zones in USGA Features.
block  Imposes intra-zone blocking.
vrouter <name_str>  Binds the zone to a virtual router.
name <zone>  Creates a new zone with name <zone>.
  L2 <id_num> specifies that the zone is Layer-2. Use Layer-2 zones when you need to run the NetScreen device in Transparent Mode.
  tunnel <name_str> specifies that the zone is a VPN tunnel zone.


Examples
To create a new Layer-2 zone named Marketing, with VLAN ID number 3:
ns-> set zone name Marketing L2 3
To impose inter-zone blocking on the Trust zone:
ns-> set zone trust block
To create a tunnel zone named Engineering:
ns-> set zone name Engineering tunnel Tunn_Zone

See Also
See the get zone and set config commands.


Get Commands
Use the get commands to display system configuration parameters and data on the console.

If you wish to redirect the output of a get command to a TFTP server as a text file, enter a greater-than sign ( > ) after the get command. This redirection form is available for every get command:
get address > tftp <ip_addr> <filename>

Example
ns-> get address > tftp 172.16.3.4 addr.txt
As you execute CLI commands using the syntax descriptions in this chapter, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the get vsys command, which is available on a NetScreen-500 device, but not on a NetScreen-208 device. Similarly, some command options are unavailable on certain models. For example, the ha1 and ha2 switches under the get counter flow interface command are available on the NetScreen-500 but not on the NetScreen-208.


get address
Description: Use the get address command to display the address book entries assigned to security zones.

Syntax
get address <zone> [ group <name_str> ] [ > tftp <ip_addr> <filename> ]

Arguments
zone  The address book's security zone. For more information on zones, see Security Zones in USGA Features.
group <name_str>  Specifies an address group within the address book.
> tftp <ip_addr> <filename>  Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display only Address Book entries for the Trusted interface:
ns-> get address trust
To display a specific address group named sales on the Trusted interface:
ns-> get address trust group sales
To direct Address Book entries for the Untrusted interface to a file named genr.otp on the TFTP server:
ns-> get address untrust > tftp 172.16.10.10 genr.otp

See Also
See the set address command.


Notes
The display for each Address Book entry shows the name, IP address, netmask, flag, and comments for the entry.


get admin
Description: Use the get admin command to display the system administration parameters. The display for each address book entry shows the name, IP address, and netmask, or domain name, flag, and comments for the entry.

Syntax
get admin [ auth [ settings ] | current-user | manager-ip | user [ cache | login ] | scs { all } ] [ > tftp <ip_addr> <filename> ]

Arguments
auth [ settings ]  Displays authentication settings for administrators. (Compare this command with the get auth command, which displays the authentication settings for users.) For admin authentication, you can use the internal database or a RADIUS server. For user authentication, you can use the internal database, a RADIUS server or an LDAP server.
current-user  Lists only the name of the current user; that is, the one entering the command.
manager-ip  Displays the IP address and netmask of the management workstation.


user  Lists the names of the administrators for the device:
  cache: Lists all remote admin users.
  login: Lists current users of all login sessions.
scs { all }  Lists all admin users, and indicates which users are SCS password authentication (PWA) enabled.
> tftp <ip_addr> <filename>  Directs generated output to a file (<filename>) on the TFTP server (<ip_addr>).

Examples
To show all the administrative parameters for the NetScreen device:
ns-> get admin
To show the names of the administrators:
ns-> get admin user

See Also
See the set admin command.

Notes
The get admin command displays the following system administration and configuration parameters:
- The system IP address and port number for Web management
- The e-mail alert status
- The e-mail server IP address or server name
- The remote e-mail address or addresses for the recipients of e-mail alerts
- The remote e-mail address or addresses for the recipients of e-mail alert notification
- The configuration format: DOS or UNIX


get alarm
Description: Use the get alarm command to display alarm entries.

Syntax
get alarm { event [ type <number> [ -<number> ] | module { system | all-modules } | [ level { emergency | alert | critical | error | warning | notification | information | debugging | all-levels } [ type ] ] ]
    [ start-time <string> ] [ end-time <string> ] [ include <string> ] [ exclude <string> ]
  | traffic [ policy { <pol_num> [ -<pol_num> ] } ] [ service <name_str> ] [ src-address <ip_addr> ] [ dst-address <ip_addr> ]
    [ detail [ start-time <string> ] [ end-time <string> ] [ minute | second [ threshold <number> [ -<number> ] ] [ rate <number> [ -<number> ] ] ] ]
  | threshold } [ > tftp <ip_addr> <filename> ]

Arguments
event  Specifies event alarm entries.
level  Specifies the security level of alarms to display. The all-levels option displays all security levels.
module  Specifies alarms to display according to the ScreenOS module that generated them.
type <number> [ -<number> ]  Message type. Enter a specific type, or a range of types.
begin <string>  Displays event alarm entries that follow a specified alarm event.
end-time <string>  Displays event alarm entries or traffic alarm entries that occurred at and before the time specified. The format for <string> is mm/dd[/yy]-hh:mm:ss. You can omit the year (the current year is the default), or express the year using the last two digits or all four digits. The hour, minute, and second are optional. The delimiter between the date and the time can be a space, a dash, or an underscore: 12/31/2001-23:59:00 or 12/31/2001_23:59:00.
exclude <string>  Displays event alarm entries that exclude the detail specified.
include <string>  Displays event alarm entries that include the detail specified.


start-time <string>  Displays event alarm entries or traffic alarm entries that occurred at the specified time or after. The format for <string> is mm/dd[/yy]-hh:mm:ss. You can omit the year (the current year is the default), or express the year using the last two digits or all four digits. The hour, minute, and second are optional. The delimiter between the date and the time can be a space, a dash, or an underscore: 12/31/2001-23:59:00 or 12/31/2001_23:59:00.
traffic  Specifies traffic alarm entries.
policy { <pol_num> | <pol_num>-<pol_num> }  Displays traffic alarm entries for an Access Policy specified by its ID number or for several Access Policies specified by a range of ID numbers. The ID number can be any value between 0 and the total number of established Access Policies. To define a range, enter the starting and ending ID numbers as follows: <pol_num>-<pol_num>
service <name_str>  Displays traffic alarm entries for a specified Service, such as TCP, ICMP, or FTP. (To display all services, make the <name_str> value Any.) The name does not have to be complete; for example, both TC and CP are recognized as TCP. Although you cannot specify a Service group, note that because TP is recognized as FTP, HTTP, and TFTP, entering TP displays traffic alarm entries for all three of these Services.
src-address <ip_addr>  Displays traffic alarm entries originating from a specified IP address or from a specified direction, such as Inside_Any or Outside_Any.
dst-address <ip_addr>  Displays traffic alarm entries destined for a specified IP address or for a specified direction, such as inside_any or outside_any.
detail  Displays detailed information for each Access Policy, including all traffic alarm entries that occurred under the policy. If you omit this option, the output contains only general information and the time of the most recent alarm for each policy.


second | minute  Displays traffic alarm entries for Access Policies with threshold settings at bytes/second or bytes/minute.
threshold { <number> | <number>-<number> }  Displays traffic alarm entries for Access Policies with threshold settings at a specified value or within a specified range.
rate { <number> | <number>-<number> }  Displays traffic alarm entries for Access Policies with a flow rate at a specified value or within a specified range.
> tftp <ip_addr> <filename>  Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Defaults
If you execute get alarm without options or parameters, the command displays all alarm entries and Access Policy information. The get alarm event command displays all event alarm entries, and the get alarm traffic command displays all traffic alarm entries.

Examples
To display all alarm entries:
ns-> get alarm
To show event alarm entries:
ns-> get alarm event
To show all traffic alarm entries:
ns-> get alarm traffic
To show traffic alarm entries for an Access Policy with ID number 4:
ns-> get alarm traffic policy 4
To show all event alarm entries from 1:30 P.M. on February 28, 2000:
ns-> get alarm event start-time 02/28/2000-13:30
To show all event alarm entries from 1:30 P.M. to 1:39:59 P.M. on February 28, 2000:
ns-> get alarm event start-time 02/28/00_13:30 end-time 02/28_13:39:59
To show all event alarm entries from 1:30 P.M. to 1:39:59 P.M. on February 28, 2000 except for Access Policy changes:
ns-> get alarm event start-time 02/28/00_13:30 end-time 02/28_13:39:59 exclude policy change
To show all event alarm entries on traffic originating from the Trusted side:
ns-> get alarm event include trust exclude untrust
Note: Because strings are not considered whole words, include trust shows all events for the Trusted as well as Untrusted interfaces. To restrict the display to events from the Trusted side, add the exclude untrust string.
To show traffic alarm entries for HTTP service:
ns-> get alarm traffic service http
To show traffic alarm entries for all traffic originating from the Untrusted side:
ns-> get alarm traffic src outside_any
To show traffic alarm entries for all incoming traffic destined for the server with IP address 172.16.1.24:
ns-> get alarm traffic src outside_any dst 172.16.1.24
To show emergency-level alarms:
ns-> get alarm event level emergency
To show detailed information on all traffic alarm entries:
ns-> get alarm traffic detail
To show detailed information on traffic alarm entries for all Access Policies with alarm thresholds set within the range of 1000 to 20,000 bytes/second:
ns-> get alarm traffic detail second threshold 1000-20000
To show detailed information on all traffic alarm entries with the following characteristics:
- outgoing traffic using TCP
- operating under Access Policies within the ID range of 3 to 7
- on May 27, 2000 from 4:00 P.M. to 4:59:59 P.M.
ns-> get alarm traffic policy 3-7 service TCP src inside_any detail start-time 05/27/00_16:00 end-time 05/27_16:59:59
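The time-string format and the include/exclude substring behaviour described above are easy to get wrong when scripting alarm review off-box. The following is an added example, not ScreenOS code: it parses mm/dd[/yy]-hh:mm:ss strings as the argument table describes them and filters constructed alarm records with the same inclusive window and plain-substring semantics. The device's current year is replaced by a default_year parameter, and the mapping of two-digit years to 20yy is an assumption consistent with the 02/28/00 example above.

```python
import re
from datetime import datetime
from typing import List, NamedTuple, Optional

# mm/dd[/yy]-hh:mm:ss as the argument table describes it: two- or four-digit
# year optional, hour/minute/second optional, delimiter space, dash or underscore.
_TIME_RE = re.compile(
    r"^(?P<mon>\d{1,2})/(?P<day>\d{1,2})(?:/(?P<year>\d{4}|\d{2}))?"
    r"(?:[ _-](?P<hour>\d{1,2})(?::(?P<minute>\d{1,2})(?::(?P<second>\d{1,2}))?)?)?$"
)


def parse_alarm_time(text: str, default_year: int) -> datetime:
    """Parse a start-time/end-time string; omitted time fields default to zero.

    `default_year` stands in for the device's current year. Assumption: a
    two-digit year means 20yy, consistent with the manual's 02/28/00 example.
    """
    m = _TIME_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad time string {text!r}")
    year = m.group("year")
    if year is None:
        year_num = default_year
    elif len(year) == 2:
        year_num = 2000 + int(year)
    else:
        year_num = int(year)
    return datetime(year_num, int(m.group("mon")), int(m.group("day")),
                    int(m.group("hour") or 0), int(m.group("minute") or 0),
                    int(m.group("second") or 0))


class Alarm(NamedTuple):
    when: datetime
    level: str
    text: str


def filter_alarms(alarms: List[Alarm], start: Optional[str] = None,
                  end: Optional[str] = None, include: Optional[str] = None,
                  exclude: Optional[str] = None, level: Optional[str] = None,
                  default_year: int = 2000) -> List[Alarm]:
    """Apply start-time/end-time (both inclusive), include/exclude and level."""
    start_dt = parse_alarm_time(start, default_year) if start else None
    end_dt = parse_alarm_time(end, default_year) if end else None
    kept = []
    for alarm in alarms:
        if start_dt is not None and alarm.when < start_dt:
            continue  # start-time: at the specified time or after
        if end_dt is not None and alarm.when > end_dt:
            continue  # end-time: at and before the specified time
        if include is not None and include not in alarm.text:
            continue  # plain substring test, not a whole-word match
        if exclude is not None and exclude in alarm.text:
            continue
        if level is not None and level != "all-levels" and alarm.level != level:
            continue
        kept.append(alarm)
    return kept


# Constructed alarm records around the manual's February 28, 2000 window.
SAMPLE_ALARMS = [
    Alarm(datetime(2000, 2, 28, 13, 29, 59), "warning", "policy change on trust interface"),
    Alarm(datetime(2000, 2, 28, 13, 30, 0), "warning", "policy change on trust interface"),
    Alarm(datetime(2000, 2, 28, 13, 35, 0), "alert", "admin login from untrust interface"),
    Alarm(datetime(2000, 2, 28, 13, 39, 59), "emergency", "tunnel down on trust interface"),
    Alarm(datetime(2000, 2, 28, 13, 40, 0), "critical", "tunnel up on trust interface"),
]
```

With the sample records, include="trust" alone keeps every entry because "untrust" contains "trust"; adding exclude="untrust" drops the admin login entry, mirroring the note above.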

See Also
See the clear alarm command.

Notes
The console displays the maximum number of alarms that the NetScreen device can maintain and the current number of entries in the table. When you execute get alarm from within a Virtual System or from within the main system on the NetScreen-1000, the command displays only entries from that system. Alarm entries from other Virtual Systems do not appear.


get alias
Description: Use the get alias command to list aliases representing CLI commands.

Syntax
get alias

Arguments
None.

Defaults
None.

Examples
The following command lists all alias assignments.
ns-> get alias

See Also
See the set alias command.


get arp
Description: Use the get arp command to display the entries in the Address Resolution Protocol (ARP) table. The get arp command displays the following information for each entry:
- The IP address of the system sending network traffic through the NetScreen device
- The system's MAC address
- The name of the interface connected to the system
- The age of the entry in seconds

The ARP table contains a maximum of 256 entries.

Syntax
get arp [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display all the entries in the arp table:
ns-> get arp

See Also
See the set arp and clear arp commands.


get audible-alarm
Description: Use the get audible-alarm command to view the audible alarm settings on a NetScreen device.

Syntax
get audible-alarm [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To view the audible alarm settings:
ns-> get audible-alarm

See Also
See the set audible-alarm and clear audible-alarm commands.


get auth
Description: Use the get auth command to display the user authentication configuration settings.

Syntax
get auth [ history | queue | settings | table ] [ > tftp <ip_addr> <filename> ]

Arguments
history  Displays the authentication history. Applies only if using a RADIUS server or SecurID server to authenticate users.
queue  Displays a list of authentication requests waiting to be processed.
settings  Displays settings according to the current authentication method. When the NetScreen internal database is in use, get auth settings displays the timeout value for the authenticated entry.
table  Displays a table of IP addresses from which the authentication requests originate, and how much time each entry has before automatic deletion. Also displays whether the authentication attempt is successful or not.
> tftp <ip_addr> <filename>  Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the authentication queue:
ns-> get auth queue
To display the authentication settings:
ns-> get auth settings
To display the authentication table:
ns-> get auth table

See Also
See the set auth and clear auth commands.

Notes
When a user authentication attempt is successful, the NetScreen device creates an entry in the NetScreen authentication table, and assigns the entry a timeout value. When the timeout limit expires, the device deletes the entry, and any newly initiated traffic requires new authentication. NetScreen supports a maximum of 4096 entries in this table. When the table is full, the NetScreen device rejects any new authentication attempts until a current entry expires.
When the RADIUS server is in use, get auth settings displays the timeout value for the authenticated entry, the IP address for the RADIUS server, and the shared secret.
When the SecurID server is in use, get auth settings displays the following values:
- The authentication port number
- The SecurID Master server name, and the SecurID Slave server name, if used
- Whether duress is used
- The type of encryption
- The maximum number of retries
- The communication timeout value
- The authenticated entry timeout value


When the LDAP server is in use, get auth settings displays the authenticated entry timeout value, the IP address of the LDAP server, and its listening port. The command also displays the distinguished name and common name identifier.


get clock
Description: Use the get clock command to display the system time on the NetScreen device.

Syntax
get clock [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example
To display the system time for the NetScreen device:
ns-> get clock

See Also
See the set clock command.

Notes
The display includes the current date in calendar format and the number of seconds since 1/1/1970 GMT. The display also includes the NetScreen device's uptime since the last power-up.


get config
Description: Use the get config command to display the current or saved configuration settings for a NetScreen device.

Syntax
get config [ saved ] [ > tftp <ip_addr> <filename> ]

Arguments
saved  Displays the configuration file saved in flash memory.
> tftp <ip_addr> <filename>  Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the current runtime configuration on the console:
ns-> get config
To display the configuration that has been saved in the flash memory:
ns-> get config saved
To download a configuration file named new_cnfg from a TFTP server at 172.16.54.9:
ns-> get config > tftp 172.16.54.9 new_cnfg

See Also
See the save command.


get console
Description: Use the get console command to display the console parameters.

Syntax
get console [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename> Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display all the console parameters:
ns-> get console

See Also
See the set console command.

Notes
The get console command displays this console configuration information:
- The timeout value
- The number of lines to display per screen
- Where the debug messages are displayed
- The number of active connections to the NetScreen device through the console or Telnet, and the duration of these connections
- For a Telnet connection, the IP address for the client machine



get counter
Description: Use the get counter command to display system and traffic information on the NetScreen interfaces.

Syntax
get counter { flow | statistics | screen [ interface <name_str> ] | policy <pol_num> { day | hour | minute | month | second } } [ > tftp <ip_addr> <filename> ]

Arguments
flow  Specifies counters for packets inspected at the flow level. A flow-level inspection examines various aspects of a packet to gauge its nature and intent.
statistics  Displays the counter statistics.
screen  Displays screen counter statistics.
interface <name_str>  The name of the interface. Specifies counters for packets inspected at the interface level. An interface-level inspection checks for packet errors and monitors the quantity of packets in light of established threshold settings. For more information on interfaces, refer to Interfaces in USGA Features.


policy <pol_num>  Identifies a particular access policy, allowing the administrator to monitor the amount of traffic it permits.
day | hour | minute | month | second  Specifies the period of time for monitoring traffic permitted by a particular access policy.
> tftp <ip_addr> <filename>  Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example
To list the counters for the Trusted interface:
ns-> get counter flow interface trust

Notes
This command is used only for technical support. This system information is displayed for flow-level counters: tiny frag the number of tiny fragmented packets received tear drop the number of oversize Internet Control Message Protocol (ICMP) packets received src route the number of packets dropped because of the filter source route option pingdeath the number of suspected ping-of-death attack packets received addr spf the number of suspected address spoofing attack packets received land att the number of suspected land attack packets received no route the number of unroutable packets received no conn the number of packets dropped because of unavailable Network Address Translation (NAT) connections poli deny the number of packets denied by a defined access policy auth fail the number of times user authentication failed no dip the number of packets dropped because of unavailable Dynamic IP (DIP) addresses no map the number of packets dropped because there was no map to the trusted side


1HW6FUHHQ &/, 5HIHUHQFH *XLGH

 *HW &RPPDQGV

url block the number of HTTP requests that were blocked tcp proxy the number of packets dropped from using a tcp proxy such as syn flood protection or user authentication no gate the number of packets dropped because no gate was available no parent the number of packets dropped because the parent connection could not be found no g-gate the number of packets dropped because the Network Address Translation (NAT) connection was unavailable for the gate nvec err the number of packets dropped because of NAT vector error trmn drp the number of packets dropped by traffic management trmng que the number of packets waiting in the queue big bkstr an excessively large number of Address Resolution Protocol (ARP) packets attempting to uncover the Media Access Control (MAC) address for an IP address enc fai the number of failed Point to Point Tunneling Protocol (PPTP) packets lpbk deny the number of packets dropped because the packets cant be looped back no sa the number of packets dropped because no Security Associations (SA) was defined no sapoli the number of packets dropped because no access policy was associated with an SA sa inact the number of packets dropped because of an inactive SA sapoli dn the number of packets denied by an SA policy illegal the number of packets dropped because they are illegal packets

The get counter command displays the following traffic information for interface-level counters:

in pak       the number of packets received
in vpn       the number of IPSec packets received
out pak      the number of packets sent
out bpak     the number of packets held in back store while searching for an unknown MAC address
in crc       the number of incoming packets with a cyclic redundancy check (CRC) error
in alg       the number of incoming packets with an alignment error in the bit stream
in nobuf     the number of unreceivable packets because of unavailable buffers
in short     the number of incoming packets with an in-short error
in err       the number of incoming packets with at least one error
in coll      the number of incoming collision packets
out unr      the number of transmitted underrun packets
early fr     counters used in an Ethernet driver buffer descriptor management
late fr      counters used in an Ethernet driver buffer descriptor management
in icmp      the number of Internet Control Message Protocol (ICMP) packets received
in self      the number of packets addressed to the NetScreen Management IP address
in unk       the number of UNKNOWN packets received
connection   the number of sessions established since the last boot
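The flow-level counters above are the ones worth polling for change. The following added example (not NetScreen code; the get counter output layout is constructed here, since the page does not show it) parses two snapshots of counter lines and reports which attack-related counters grew, treating a counter that went down as having been reset.

```python
import re

# Flow-level counters from the get counter description above that record
# suspected attacks or malformed packets; growth between polls deserves a look.
ATTACK_COUNTERS = ("tiny frag", "tear drop", "src route", "pingdeath",
                   "addr spf", "land att", "illegal")


def parse_counters(text):
    """Parse 'name value' lines into a dict.  Counter names contain spaces,
    so the value is taken as the last whitespace-separated field."""
    counters = {}
    for line in text.splitlines():
        match = re.match(r"^\s*(\S.*?)\s+(\d+)\s*$", line)
        if match:
            counters[match.group(1)] = int(match.group(2))
    return counters


def counter_deltas(before, after):
    """Growth of every counter between two snapshots.  A counter that is
    lower than before has been reset (for example by a reboot), so its new
    value is counted from zero."""
    deltas = {}
    for name in set(before) | set(after):
        old, new = before.get(name, 0), after.get(name, 0)
        deltas[name] = new - old if new >= old else new
    return deltas


def attack_alerts(before, after, threshold=1):
    """Attack-related counters that grew by at least threshold between the
    two snapshots, mapped to their growth."""
    deltas = counter_deltas(before, after)
    return {name: deltas[name] for name in ATTACK_COUNTERS
            if deltas.get(name, 0) >= threshold}


# Constructed snapshots; the real get counter layout is not shown on this page.
SNAPSHOT_T0 = """\
tiny frag      0
tear drop      2
src route      0
pingdeath      0
addr spf       5
land att       0
no route      12
poli deny    340
illegal        0
"""
SNAPSHOT_T1 = """\
tiny frag      0
tear drop      1
src route      0
pingdeath     41
addr spf       5
land att       3
no route      12
poli deny    355
illegal        1
"""

if __name__ == "__main__":
    alerts = attack_alerts(parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1))
    for name, growth in sorted(alerts.items()):
        print(f"{name}: +{growth}")
```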

get dialup-group
Description: Use the get dialup-group command to display the dialup group configuration parameters.

Syntax
get dialup-group { all | id <id_num> } [ > tftp <ip_addr> <filename> ]

Arguments
all
    Displays the dialup group ID, name, and the total number of members for all the configured dialup groups.
id <id_num>
    Displays detailed information for a specific dialup group with ID <id_num>. The information includes the names of the group members and their SPI values for the manual key dialup user, or the ID and ID-type for the IKE dialup user.
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display all the dialup-group configurations:
ns-> get dialup-group all
To display the configuration settings for the dialup-group with ID number 4:
ns-> get dialup-group id 4

See Also
See the set dialup-group command.

get dip
Description: Use the get dip command to display the following dynamic IP (DIP) settings for a NetScreen device:
- the DIP pool ID number
- the range of IP addresses in the DIP pool
- the interface to which the pool is associated
- whether the pool supports Port Address Translation (PAT) or fixed port numbers

Syntax
get dip [ all ] [ > tftp <ip_addr> <filename> ]

Arguments
all
    Displays all DIPs for every virtual system (VSYS).
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display all DIP configurations:
ns-> get dip
To display all DIP configurations and direct the output to a file on the TFTP server:
ns-> get dip > tftp 172.16.10.10 outp.txt

See Also
See the set interface command, which is the command to use to configure a DIP pool for a particular interface.

get dns
Description: Use the get dns command to verify the Domain Name Service (DNS) settings on the NetScreen device.

Syntax
get dns { forward | host { cache | report | settings } | name <name_str> } [ > tftp <ip_addr> <filename> ]

Arguments
forward
    Shows the DNS forwarding information.
host
    cache      Displays the DNS cache table.
    report     Displays the DNS lookup table.
    settings   Displays the DNS settings.
name <name_str>
    Specifies the domain name.
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example
To get the DNS host report information on a NetScreen device:
ns-> get dns host report

See Also
See the set dns command.

get domain
Description: Use the get domain command to view the domain name of the NetScreen device.

Syntax
get domain [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example
To get the domain name of the NetScreen device:
ns-> get domain

See Also
See the set domain command.

get envar
Description: Use the get envar command to display the environment variable settings.

Syntax
get envar [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example
To display the environment variable settings you specified with the set envar command:
ns-> get envar

See Also
See the set envar command.

get file
Description: Use the get file command to display information for files stored in the flash memory.

Syntax
get file [ <filename> | info ] [ > tftp <ip_addr> <filename> ]

Arguments
<filename>
    Defines the file name stored in the flash card memory.
info
    Displays the base sector and address.
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the configuration files stored in flash memory:
ns-> get file
To display information for the file named corpnet from the flash card memory:
ns-> get file corpnet

See Also
See the clear file and save commands.

get firewall
Description: Use the get firewall command to display firewall protection settings and to note which features are enabled.

Syntax
get firewall [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the firewall protection settings:
ns-> get firewall

See Also
See the set firewall command.

Notes
The output from the get firewall command lists elements configured with the set firewall command, showing if each is enabled. On means the feature is enabled. Off means the feature is disabled.

get gate
Description: Use the get gate command to check if any gates are available on the NetScreen device, or if all are in use.

Syntax
get gate [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Defaults
The default number of gates on NetScreen devices is:
NetScreen-5xp     256
NetScreen-5       256
NetScreen-10      256
NetScreen-100    1024
NetScreen-500    1024
NetScreen-1000   4096

Examples
To display the number of gates on the NetScreen device:
ns-> get gate

Notes
Gates are holes in the firewall for FTP and similar applications. The NetScreen device creates the gate first. When the real data traffic occurs, the device converts the gate to an actual session. If the system reports alloc failed, all gates are currently in use.

get global
Description: Use the get global command to display the NetScreen-Global Manager settings.

Syntax
get global [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example
To display the NetScreen-Global Manager configuration and reporting settings:
ns-> get global

Notes
The get global command displays:
- whether the NetScreen-Global Manager feature is enabled or not
- the IP address or the server name of the NetScreen-Global Manager station
- the NetScreen-Global Manager server configuration port and the server reporting port
- the local listening port for the NetScreen device
- whether the VPN encryption feature is enabled or not
- the type of reports that the NetScreen-Global Manager station requests

See Also
See the set global command.

get global-pro
Description: Use the get global-pro command to display the NetScreen-Global PRO settings.

Syntax
get global-pro { config | proto-dist { table { bytes | packets } | user-service } } [ > tftp <ip_addr> <filename> ]

Arguments
config
    Displays the NetScreen-Global PRO configuration settings.
proto-dist table { bytes | packets }
    Displays the NetScreen-Global PRO protocol distribution settings in bytes or in packets.
proto-dist user-service
    Displays the NetScreen-Global PRO protocol distribution settings for user-defined services.
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the NetScreen-Global PRO settings:
ns-> get global-pro

See Also
See the set global-pro command.

get glog
Description: Use the get glog command to display the contents of the global log file.

Syntax
get glog [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display all log entries in the global log file:
ns-> get glog

Notes
Log entries of all categories go to the global log file initially. The display shows the total number of entries in the file and the category to which each entry belongs.

See Also
See the set glog command.

get group
Description: Use the get group command to display the address groups and service groups configured on the NetScreen device.

Syntax
get group { address <zone> [ <name_str> ] | service [ <name_str> ] } [ > tftp <ip_addr> <filename> ]

Arguments
address <zone> [ <name_str> ]
    Specifies the address book of a security zone. <zone> is the name of the address book's security zone; for more information on zones, see Security Zones in USGA Features. <name_str> specifies the name of the address group. If you do not include an address group name, the command displays all address groups in that zone.
service [ <name_str> ]
    Specifies a service group by name. If you do not include a service group name, the command displays all service groups.
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display a trusted address group named engineering:
ns-> get group address trust engineering
To display a service group named inside-sales:
ns-> get group service inside-sales
To display all untrusted address groups:
ns-> get group address untrust
To display all service groups:
ns-> get group service

See Also
See the set group, set address, get address, set service, and get service commands.

get ha
Description: Use the get ha command to display the status and configuration settings for high availability (HA).

Syntax
get ha [ counter | detail | track ip ] [ > tftp <ip_addr> <filename> ]

Arguments
counter
    Displays the number of sent, received, and dropped HA packets.
detail
    Displays general high availability information.
track ip
    Displays the path tracking status and settings.
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the high availability group information:
ns-> get ha

Notes
The get ha command displays:
- the software version
- the redundant group to which the NetScreen device belongs
- whether the NetScreen device is designated as master or slave
- the MAC addresses for all devices in the group
- whether encryption and authentication are enabled or not
- the ARP count
- the monitor port(s)
- the HA mode
- the session synchronization
- the slave linkup

See Also
See the set ha and exec ha commands.

get hostname
Description: Use the get hostname command to display the hostname of the NetScreen device.

Syntax
get hostname [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the name of the NetScreen device:
ns-> get hostname

See Also
See the set hostname command.

get ike
Description: Use the get ike command to display various settings for Internet Key Exchange (IKE).

Syntax
get ike { accept-all-proposal | ca-and-type | cert | conn-entry | cookies | gateway [ <ip_addr> | <name_str> ] | heartbeat | id-mode | initial-contact [ all-peers | single-gateway [ <name_str> ] | single-user <name_str> ] | initiator-set-commit | p1-proposal <name_str> | p2-proposal <name_str> | policy-checking | respond-bad-spi | responder-set-commit | single-ike-tunnel <name_str> | soft-lifetime-buffer } [ > tftp <ip_addr> <filename> ]

Arguments
accept-all-proposal
    Shows if the NetScreen device accepts all incoming proposals, or only specified preconfigured ones.
ca-and-type
    Displays the types of certificates supported by the NetScreen device.
cert
    Displays all local certificates loaded in the NetScreen device.
conn-entry
    Displays the current IKE connections.
cookies
    Displays all IKE cookies.
gateway [ <ip_addr> | <name_str> ]
    Shows the following details for all remote gateways:
    - gateway ID number
    - gateway name
    - gateway IP address
    - whether it uses Main or Aggressive mode
    - the preshared key (if used)
    - all Phase 1 proposals
    Specifying a gateway name displays more details.
heartbeat
    Displays IKE heartbeat information, including the hello interval and the number of heartbeat retries before expiration.
id-mode
    Shows if the IKE ID mode uses a host (IP) or a gateway (subnet).
initial-contact [ all-peers | single-gateway [ <name_str> ] | single-user <name_str> ]
    Displays if the NetScreen device sends an initial contact notification to its IKE peers when it reboots.
initiator-set-commit
    Notes if the commit bit is set when initiating a Phase 2 proposal.
p1-proposal [ <name_str> ]
    Shows the following details of all the Phase 1 proposals or just for the proposal specified:
    - Proposal ID number
    - Proposal name
    - Authentication method: preshared key, RSA signature, or DSA signature
    - Diffie-Hellman Group 1, 2, or 5
    - ESP encryption algorithm: DES or 3DES
    - ESP authentication algorithm: MD5 or SHA-1
    - Key lifetime
p2-proposal [ <name_str> ]
    Shows the following details of all the Phase 2 proposals or just for the proposal specified:
    - Proposal ID number
    - Proposal name
    - Diffie-Hellman Group 1, 2, or 5; 0 indicates no Perfect Forward Secrecy (PFS), and so there is no Diffie-Hellman exchange
    - IPSec protocol: Authentication Header (AH) or Encapsulating Security Payload (ESP)
    - Encryption algorithm: DES or 3DES
    - Authentication algorithm: MD5 or SHA-1
    - Key lifetime (in seconds)
    - Key lifesize (in kilobytes)
policy-checking
    Shows if the access policies for both VPN participants must match before a VPN connection is established.
respond-bad-spi
    Displays the number of times the NetScreen device responds to a remote peer with a bad security parameter index (SPI).
responder-set-commit
    Shows if the commit bit is set when the NetScreen device responds to a Phase 2 proposal.
single-ike-tunnel <name_str>
    Notes if the single-ike-tunnel flag is enabled for VPN connections with the specified remote gateway.
soft-lifetime-buffer
    Displays the soft-lifetime buffer size (in seconds).
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display all the details of the Phase 1 proposal sf1:
ns-> get ike p1-proposal sf1
To display all the currently running IKE connections:
ns-> get ike conn-entry
To display all IKE cookies:
ns-> get ike cookies

See Also
See the set ike and clear ike commands.

get interface
Description: Use the get interface command to display the physical and logical interface settings for the NetScreen device.

Syntax
get interface [ <name_str> [ dhcp { relay | server { ip { allocate | idle } | option } } | screen [ all | attack | counter | info ] | secondary ] ] [ > tftp <ip_addr> <filename> ]

Arguments
<name_str>
    The name of the interface. For more information on interfaces, refer to Interfaces in USGA Features.

dhcp
    Lists DHCP information for the specified interface.
    - relay     Displays information on the DHCP relay agent.
    - server    Displays information on the DHCP server. The ip allocate suboption displays the IP addresses allocated by the DHCP server. The ip idle suboption displays information on the DHCP idle IP, including IP address, state, MAC address, and lease time. The option switch displays all DHCP options.
screen
    Lists screen information for the specified interface.
    - all       Lists all screen information.
    - attack    Displays the screen attack type counters.
    - counter   Displays all screen counters.
    - info      Displays the screen information type counters.
secondary
    Displays the secondary IP for the specified interface.
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display general information for all physical and logical interfaces at the level (root or virtual system) in which you issue the command:
ns-> get interface
To display detailed information for the trusted interface:
ns-> get interface trust
To display information on secondary interfaces for the DMZ interface:
ns-> get interface dmz secondary
To display information on the DHCP server for interface ethernet2/1:
ns-> get interface ethernet2/1 dhcp server

See Also
See the set interface command.

get intervlan
Description: Use the get intervlan command to show if intervlan traffic is currently enabled or denied.

Syntax
get intervlan [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example
To display the current intervlan enable/disable status and send the output to a file on the TFTP server:
ns-> get intervlan > tftp 172.16.10.10 outp.txt

See Also
See the set intervlan-traffic command.

get ip
Description: Use the get ip tftp command to display IP parameters for communication with the TFTP server. These parameters include:
- the number of times to retry a TFTP communication before the NetScreen device ends the attempt and generates an error message
- the length of time before the NetScreen device terminates an inactive TFTP connection

Syntax
get ip { tftp } [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Defaults
The default number of retries is 10. The default timeout period is 2 seconds.

Example
To display IP parameters for TFTP server communication:
ns-> get ip tftp

See Also
See the set ip tftp command.

get ippool
Description: Use the get ippool command to display information about all of the IP pools that can be used for assigning addresses via the Layer 2 Tunneling Protocol (L2TP).

Syntax
get ippool [ <name_str> ] [ > tftp <ip_addr> <filename> ]

Arguments
<name_str>
    Returns information about the specified IP pool, showing its ID number, its name, and its starting and ending IP addresses.
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the values for all the IP pools:
ns-> get ippool
ID   IP Pool   Start IP    End IP
1    pool 1    10.1.1.1    10.1.1.10
2    pool 2    10.1.1.11   10.1.1.20

See Also
See the set ippool command.

get l2tp
Description: Use the get l2tp command to view the L2TP status and settings.

Syntax
get l2tp { <string> [ active ] | all [ active ] | default } [ > tftp <ip_addr> <filename> ]

Arguments
<string> [ active ]
    Displays the ID number, tunnel name, user, peer IP address, peer host name, L2TP tunnel shared secret, and keepalive value for the specified L2TP tunnel. The active option displays the current state of the specified L2TP tunnel.
all [ active ]
    Displays the ID number, tunnel name, user, peer IP address, peer host name, L2TP tunnel shared secret, and keepalive value for every L2TP tunnel. The active option displays the current state of all the L2TP tunnels.
default
    Displays all the default L2TP settings.
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the current state of an L2TP tunnel named home2work:
ns-> get l2tp home2work active
To display the L2TP default settings:
ns-> get l2tp default

See Also
See the set l2tp, clear l2tp, and get ippool commands.

get lance
Description: Use the get lance { info } command to get internal debug information for the 10/100 MAC chips on a NetScreen device.

Syntax
get lance { info } [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To view 10/100 MAC chip-specific debug information:
ns-> get lance info

Notes
You can also see the initial part of the get lance info output by using the get interface command.

get lcd
Description: Use the get lcd command to view the status of the LCD and the control keys on a NetScreen device.

Syntax
get lcd [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To view the status of the LCD and control keys:
ns-> get lcd

See Also
See the set lcd command.

get log
Description: Use the get log command to display all the entries in the log table.

Syntax
get log { device-reset | event [ type <number> [ -<number> ] | module { system | all-modules } | [ level { emergency | alert | critical | error | warning | notification | information | debugging | all-levels } ] [ start-time <string> ] [ end-time <string> ] [ include <string> ] [ exclude <string> ] ] | self | traffic [ policy <pol_num> | <pol_num>-<pol_num> ] [ start-time <string> ] [ end-time <string> ] [ min-duration <string> ] [ max-duration <string> ] [ service <name_str> ] [ src-ip <ip_addr> [ -<ip_addr> ] [ src-netmask <mask> ] [ src-port <port_num> ] ] [ dst-ip <ip_addr> [ -<ip_addr> ] [ dst-netmask <mask> ] ] [ no-rule-displayed ] | system [ reversely | saved ] | setting [ module { system | all } ] } [ > tftp <ip_addr> <filename> ]

Arguments
event
    Specifies event log entries.
    level { emergency | alert | critical | error | warning | notification | information | debugging | all-levels }
        Specifies the security level of log entries to display. The all-levels option displays all security levels.
    module { system | all-modules }
        Specifies log entries to display according to the ScreenOS module that generated them.
    type <number> [ -<number> ]
        Message type. Enter a specific type, or a range of types.
    start-time <string>
        Displays event log entries that occurred at or after the time specified as day/month/year hour:minute:second. You can omit the year, in which case the current year is assumed, and you can choose to write the year with either just the last two digits or with all four. The hour, minute, and second can be omitted. Separate the date from the time with a space, a dash, or an underscore: 12/31/2001-23:59:00 or 12/31/2001_23:59:00.
    end-time <string>
        Displays event log entries that occurred at and before the time specified.
    include <string>
        Displays event log entries that include the detail specified.
    exclude <string>
        Displays event log entries that exclude the detail specified.
    begin <string>
        Displays event log entries that follow a specified event.
traffic
    Specifies traffic log entries.
    policy { <pol_num> | <pol_num>-<pol_num> }
        Displays traffic log entries for an Access Policy specified by its ID number or for several Access Policies specified by a range of ID numbers. The ID number can be any value between 0 and the total number of established Access Policies. To define a range, enter the starting and ending ID numbers using this syntax: <pol_num>-<pol_num>
    min-duration <string>
        Displays traffic log entries for traffic whose duration was longer than or equal to the minimum duration specified.
    max-duration <string>
        Displays traffic log entries for traffic whose duration was shorter than or equal to the maximum duration specified.
    service <name_str>
        Displays traffic log entries for a specified Service, such as TCP, ICMP, FTP, or Any. The name does not have to be complete; for example, both TC and CP are recognized as TCP. Although you cannot specify a Service group, note that because TP is recognized as FTP, HTTP, and TFTP, entering TP displays log entries for all three Services.
    src-ip { <ip_addr> | <ip_addr>-<ip_addr> } [ src-netmask <mask> ]
        Displays traffic log entries for a specified source IP address or range of source IP addresses. Include the subnet mask for a source IP address to display traffic entries for all IP addresses in the same subnet as the specified source IP address. A source IP range and a source subnet mask cannot be specified simultaneously.
    src-port { <port_num> | <port_num>-<port_num> }
        Displays traffic log entries for a specified source port number or range of source port numbers.
    dst-ip { <ip_addr> | <ip_addr>-<ip_addr> } [ dst-netmask <mask> ]
        Displays traffic log entries for a specified destination IP address or range of destination IP addresses. You can specify the subnet mask for a destination IP address, but you cannot specify a destination IP range and destination subnet mask simultaneously.
    no-rule-displayed
        Displays traffic log entries, but does not display Access Policy information.
system
    Displays current system log information.
system saved
    Displays saved system log information.
setting [ module <string> ]
    Displays log setting information. The module <string> value specifies the name of the module for which the log settings apply.
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Defaults
If no arguments are entered, the get log command displays all log entries.

Examples
To display all entries in the log table:
ns-> get log
To display the entries in the traffic log table for an Access Policy with ID 3:
ns-> get log traffic policy 3
To display event log entries from 3:00 P.M. on March 4, 2001:
ns-> get log event start-time 03/04/01_15:00
To display event log entries from 3:00 P.M. on March 4, 2001 to 2:59:59 P.M. on March 6:
ns-> get log event start-time 03/04/01_15:00 end-time 03/06_14:59:59
To display traffic log entries for traffic for a period between 5 minutes and 1 hour:
ns-> get log traffic min-duration 00:05:00 max-duration 01:00:00
To display traffic log entries for the range of destination IP addresses 172.16.20.5-172.16.20.200:
ns-> get log traffic dst-ip 172.16.20.5-172.16.20.200
To display traffic log entries from the source port 8081:
ns-> get log traffic src-port 8081
To display traffic log entries without displaying Access Policy information:
ns-> get log traffic no-rule-displayed
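Added example (not ScreenOS code) that applies the get log traffic selection rules described above to constructed log entries: the start-time/end-time format with its optional year and time fields, the min/max duration window, substring service matching, IP ranges or netmasks (but never both), and port ranges. It assumes month/day date order, as the examples above do (03/04/01 for March 4, 2001), and that two-digit years are 20xx.

```python
import ipaddress
from datetime import datetime, timedelta


def parse_time(text, current_year=None):
    """Parse a start-time/end-time string: date and time separated by a space,
    dash or underscore; the year and the time fields may be omitted."""
    date_part, time_part = text, ""
    for sep in ("_", "-", " "):
        if sep in text:
            date_part, time_part = text.split(sep, 1)
            break
    fields = [int(f) for f in date_part.split("/")]
    month, day = fields[0], fields[1]          # assumption: month/day order
    year = fields[2] if len(fields) == 3 else (current_year or datetime.now().year)
    if year < 100:                             # assumption: two-digit year is 20xx
        year += 2000
    hms = [int(f) for f in time_part.split(":")] if time_part else []
    hms += [0] * (3 - len(hms))                # omitted hour/minute/second are zero
    return datetime(year, month, day, *hms)


def parse_duration(text):
    """Parse an hh:mm:ss duration such as 00:05:00."""
    hours, minutes, seconds = (int(f) for f in text.split(":"))
    return timedelta(hours=hours, minutes=minutes, seconds=seconds)


def _ip_match(value, spec, netmask):
    """spec is one address or a 'low-high' range; a netmask may only accompany
    a single address, as the command itself requires."""
    if spec is None:
        return True
    addr = ipaddress.ip_address(value)
    if "-" in spec:
        if netmask:
            raise ValueError("an IP range and a netmask cannot be combined")
        low, high = (ipaddress.ip_address(x) for x in spec.split("-"))
        return low <= addr <= high
    if netmask:
        return addr in ipaddress.ip_network(f"{spec}/{netmask}", strict=False)
    return addr == ipaddress.ip_address(spec)


def _port_match(value, spec):
    """spec is a port number or a 'low-high' range."""
    if spec is None:
        return True
    spec = str(spec)
    low, high = (int(x) for x in spec.split("-")) if "-" in spec else (int(spec),) * 2
    return low <= value <= high


def filter_traffic(entries, start_time=None, end_time=None, min_duration=None,
                   max_duration=None, service=None, src_ip=None, src_netmask=None,
                   src_port=None, dst_ip=None, dst_netmask=None):
    """Return the entries satisfying every criterion given, as get log traffic does."""
    start = parse_time(start_time) if start_time else None
    end = parse_time(end_time) if end_time else None
    shortest = parse_duration(min_duration) if min_duration else None
    longest = parse_duration(max_duration) if max_duration else None
    matched = []
    for e in entries:
        if (start and e["time"] < start) or (end and e["time"] > end):
            continue
        if ((shortest is not None and e["duration"] < shortest)
                or (longest is not None and e["duration"] > longest)):
            continue
        # Service names match on substring: "TP" selects FTP, HTTP and TFTP alike.
        if service and service.upper() not in e["service"].upper():
            continue
        if not (_ip_match(e["src_ip"], src_ip, src_netmask)
                and _port_match(e["src_port"], src_port)
                and _ip_match(e["dst_ip"], dst_ip, dst_netmask)):
            continue
        matched.append(e)
    return matched


# Constructed traffic log entries, not real device output.
SAMPLE_LOG = [
    {"time": datetime(2001, 3, 4, 15, 30), "duration": timedelta(minutes=10),
     "service": "HTTP", "src_ip": "10.1.1.5", "src_port": 8081, "dst_ip": "172.16.20.7"},
    {"time": datetime(2001, 3, 5, 9, 0), "duration": timedelta(hours=2),
     "service": "FTP", "src_ip": "10.1.2.9", "src_port": 40000, "dst_ip": "172.16.20.150"},
    {"time": datetime(2001, 3, 7, 8, 0), "duration": timedelta(seconds=30),
     "service": "ICMP", "src_ip": "10.1.1.77", "src_port": 0, "dst_ip": "172.16.30.1"},
]
```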

See Also
See the clear log command.

get mac-learn
Description: Use the get mac-learn command to display the entries in the MAC learning table.

Syntax
get mac-learn [ trust | untrust ]

Arguments
trust
    Specifies the trust interface.
untrust
    Specifies the untrust interface.

Examples
To display all entries in the MAC learning table:
ns-> get mac-learn
To display the MAC learning table entries on the Trusted interface only:
ns-> get mac-learn trust

Defaults
None.

See Also
See the clear mac-learn, get mac-count, and clear mac-count commands.

Note: This command is available only when the NetScreen-10 device is running in Transparent mode.

get master
Description: Use the get master command to display the master device's configuration information. You can use this command only on a slave device.

Syntax
get master { config } [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Defaults
None.

Examples
To display information about the master device configuration:
ns-> get master config

See Also
See the get system command.

get memory
Description: Use the get memory command to display the memory allocation status.

Syntax
get memory [ <id_num> | all | error | free | mempool | minsize <number> | used ] [ > tftp <ip_addr> <filename> ]

Arguments
<id_num>
    Displays the task ID number.
all
    Displays memory fragments.
error
    Displays erroneous memory fragments.
free
    Displays free memory.
mempool
    Displays pooled memory.
used
    Displays used memory.
minsize <number>
    Shows all memory fragments that are larger than <number>.
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the memory usage status:
ns-> get memory
To display all erroneous memory fragments:
ns-> get memory error

Notes
The get memory command displays information about the amount of memory allocated, the amount remaining, and the number of fragments.

get mip
Description: Use the get mip command to display the Mapped IP (MIP) configurations. The get mip command displays the IP address, the host IP address, and the subnet mask address for the Mapped IP.

Syntax
get mip [ all ] [ > tftp <ip_addr> <filename> ]

Arguments
all
    Shows all Mapped IPs for all virtual systems.
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Example
To display all MIP configurations and direct the output to a file on the TFTP server:
ns-> get mip all > tftp 172.16.10.10 outp.txt

See Also
See also the set mip command.

get natt_ka
Description: Use the get natt_ka command to list the NATT keepalive parameters, such as the current VPN monitor frequency.

Syntax
get natt_ka

Arguments
None.

Defaults
None.

Examples
The following command lists the current VPN monitor frequency:
ns-> get natt_ka

See Also
See the get vpn command.

get nsp-tunnel
Description: Use the get nsp-tunnel command to get the flow tunnel information.

Syntax
get nsp-tunnel [ info <number> ] [ > tftp <ip_addr> <filename> ]

Arguments
info <number>
    Specifies the flow tunnel information with the info value <number>. The value must start with 0x, as in 0x2.
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the flow tunnel information:
ns-> get nsp-tunnel info 0x3

See Also
See the set nsp-tunnel command.

get ntp
Description: Use the get ntp command to display the settings for the Network Time Protocol (NTP).

Syntax
get ntp [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the settings for NTP on the NetScreen device:
ns-> get ntp

See Also
See the set ntp and exec ntp commands.

get os
Description: Use the get os command to display mail and task information for the device operating system.

Syntax
get os { mail | task <name_str> } [ > tftp <ip_addr> <filename> ]

Arguments
mail
    Displays the mail information.
task <name_str>
    Displays the task information.
> tftp <ip_addr> <filename>
    Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the operating system information:
ns-> get os

6HH $OVR
See the set os command.


get performance
Description: Use the get performance cpu command to retrieve CPU utilization information on the NetScreen device.

Syntax
get performance { cpu } [ detail ] [ > tftp <ip_addr> <filename> ]

Arguments
detail: Displays detailed CPU performance information.
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the CPU utilization for the NetScreen device and send the output to a file on the TFTP server:
ns-> get performance cpu > tftp 170.16.10.10 outp.txt

See Also
See the get system command.


get pki
Description: Use the get pki command to show the CA (certificate authority) server's IP address and e-mail address, the certificate administrator's e-mail address, and the RSA key length.

Syntax
get pki { authority <id_num> { cert-status | scep } | ldap | x509 { cert-path | crl-refresh | dn | list { ca-cert | cert | local-cert } | ns-cert | pkcs10 | raw-cn } } [ > tftp <ip_addr> <filename> ]


Arguments
authority <id_num>: Shows authority references for the Certificate Authority (CA) with ID number <id_num>. The cert-status option displays information on the X.509 CA certificate. The scep option displays information on the SCEP server.
ldap: Shows the default certificate authority server's address and the default LDAP URL for certificate revocation list (CRL) retrieval.
x509: Specifies an International Telecommunications Union (ITU-T) X.509/PKCS digital certificate of one of these types:
- cert-path: Displays the default X.509 certificate path validation level.
- crl-refresh: Displays the X.509 CRL refresh frequency rate.
- dn: Displays the distinguished name on the NetScreen X.509 digital certificate.
- list: Displays the X.509 object list loaded in the NetScreen device. ca-cert displays the certificate authority (CA) X.509 certificates currently loaded in the NetScreen device; cert displays the X.509 certificates currently loaded in the NetScreen device; local-cert displays the local (non-CA) X.509 certificates currently loaded in the NetScreen device.
- ns-cert: Displays the NetScreen device's X.509 certificate.
- pkcs10: Shows the destination of the PKCS10 file and generates the file in that location. (PKCS is the Public Key Cryptography Standard.)
- raw-cn: Shows whether the raw-certificate name feature is enabled or disabled. The raw-cn is the CN value you specify with the command set pki x509 dn name <name_str>, where <name_str> is a string of characters comprising the CN.
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.


Examples
To display the URL and the IP address or name of the default certificate authority's LDAP server:
ns-> get pki ldap
To display a list of certificate authority (CA) certificates loaded in the NetScreen device:
ns-> get pki x509 list ca-cert

See Also
See the set pki command.


get policy
Description: Use the get policy command to display access policy configuration information.

Syntax
get policy [ id <id_num> | from <name_str> to <name_str> ] [ > tftp <ip_addr> <filename> ]

Arguments
id <id_num>: Displays detailed information for the access policy with the ID number <id_num>.
from <name_str> to <name_str>: Displays a summary of access policies between the two specified security zones.
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display all access policy configurations:
ns-> get policy
To display all incoming access policy configurations:
ns-> get policy from trust to untrust
To display detailed information for an access policy with ID number 5:
ns-> get policy id 5


See Also
See the set policy command.


get pppoe
Description: Use the get pppoe command to display the PPPoE configuration and statistics.

Syntax
get pppoe [ configuration | statistics ]

Arguments
configuration: Displays the configuration options.
statistics: Displays the statistics information.

Defaults
None.

Examples
To get the PPPoE configuration:
ns-> get pppoe configuration
To get the PPPoE statistics:
ns-> get pppoe statistics

See Also
See the set pppoe, clear pppoe, and exec pppoe commands.


get route
Description: Use the get route command to display entries in the static route table.

Syntax
get route [ id <id_num> | ip <ip_addr> ] [ > tftp <ip_addr> <filename> ]

Arguments
ip <ip_addr>: Displays the specific static route used to reach the target IP address <ip_addr>.
id <id_num>: Displays the specific static route with the ID number <id_num>.
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Defaults
The get route command displays all entries in the static route table unless a particular target IP address is specified.

Examples
To display all the entries in the static route table:
ns-> get route
To display the static route used to reach a machine with the IP address 172.16.60.1:
ns-> get route ip 172.16.60.1
To display the static route with ID number 477:
ns-> get route id 477

See Also
See the set route command.

Notes
The get route command displays the IP address, netmask, interface, gateway, metric, and flag of each route:
- The Flag value is 8000 for a well-known route generated from the interface IP address and interface gateway.
- The Flag value is 0000 if the entry uses the gateway of the listed interface for the specified IP address.

When you specify an IP address in the get route command, the output appears in this format:
<ip-addr> => <interface>/<gateway>, <metric>
Use the get route command to find out whether the NetScreen device is routing a packet for a particular IP address to the correct interface.
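The lookup format and flag values above can be checked mechanically when the output is saved with the > tftp option. This Python parser is an added example, not part of the guide; the interface names and sample lines are constructed, and the egress check compares each destination against the interface the operator expects it to leave by.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Output shape documented for "get route ip <ip_addr>":
#   <ip-addr> => <interface>/<gateway>, <metric>
# The interface name is matched non-greedily so a name containing "/" still
# splits correctly before the dotted-quad gateway.
_IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ROUTE_LOOKUP_RE = re.compile(
    rf"^\s*(?P<ip>{_IPV4})\s*=>\s*(?P<iface>.+?)/(?P<gw>{_IPV4}),\s*(?P<metric>\d+)\s*$"
)

# Flag column meanings, as given in the Notes of the get route entry.
FLAG_MEANING = {
    "8000": "well-known route generated from the interface IP address and gateway",
    "0000": "entry uses the gateway of the listed interface",
}


@dataclass(frozen=True)
class RouteLookup:
    ip: str
    interface: str
    gateway: str
    metric: int


def parse_route_lookup(line: str) -> Optional[RouteLookup]:
    """Parse one 'get route ip' answer line; return None for lines that do not match."""
    m = ROUTE_LOOKUP_RE.match(line)
    if m is None:
        return None
    try:
        # Reject octets outside 0-255 that the regex alone would accept.
        ipaddress.IPv4Address(m["ip"])
        ipaddress.IPv4Address(m["gw"])
    except ipaddress.AddressValueError:
        return None
    return RouteLookup(m["ip"], m["iface"], m["gw"], int(m["metric"]))


def describe_flag(flag: str) -> str:
    """Translate a Flag value from the full route table into its documented meaning."""
    return FLAG_MEANING.get(flag.strip().lower().zfill(4), "undocumented flag value")


def check_egress(lines: Iterable[str], expected: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Compare lookups against an expected {destination: interface} map.

    Returns (destination, expected_interface, actual_interface) for every
    destination the device would send out a different interface than the
    operator expects; lines that do not parse are skipped.
    """
    mismatches = []
    for line in lines:
        route = parse_route_lookup(line)
        if route is None:
            continue
        want = expected.get(route.ip)
        if want is not None and want != route.interface:
            mismatches.append((route.ip, want, route.interface))
    return mismatches


# Constructed sample lines in the documented format (not captured from a real device).
SAMPLE_LOOKUPS = [
    "172.16.60.1 => trust/172.16.60.254, 1",
    "10.1.1.7 => untrust/10.1.1.1, 1",
    "this line is noise and is ignored",
]

if __name__ == "__main__":
    for dest, want, got in check_egress(SAMPLE_LOOKUPS, {"10.1.1.7": "trust"}):
        print(f"{dest}: expected {want}, device routes via {got}")
```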


get sa
Description: Use the get sa command to display the IPSec security associations (SA) only when you define VPN policies for a manual VPN.

Syntax
get sa [ id <id_num> | [ active | inactive ] [ stat ] ] [ > tftp <ip_addr> <filename> ]

Arguments
id <id_num>: Displays the specific IPSec Security Association (SA) entry with the ID number <id_num>.
active | inactive: Displays only active or only inactive SAs.
stat: Shows the SA statistics for the device. Displays these statistics for all incoming/outgoing SA pairs:
- Fragment: The total number of fragmented incoming and outgoing packets.
- Auth-fail: The total number of packets for which authentication has failed.
- Other: The total number of miscellaneous internal error conditions other than those listed in the auth-fail category.
- Total Bytes: The amount of active incoming and outgoing traffic.
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display all the IPSec SA entries:
ns-> get sa
To display a specific IPSec SA entry with ID number 5:
ns-> get sa id 5

See Also
See the set vpn, set ike, and clear sa-statistics commands.


get scheduler
Description: Use the get scheduler command to display the schedules configured for the NetScreen device.

Syntax
get scheduler [ name <name_str> | once | recurrent ] [ > tftp <ip_addr> <filename> ]

Arguments
name <name_str>: Displays the schedule named <name_str>.
once: Displays all one-time schedules.
recurrent: Displays all recurrent schedules.
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display all the schedule definitions:
ns-> get scheduler all
To display a specific schedule definition with ID number 0:
ns-> get scheduler id 0

See Also
See the set scheduler command.


get scs
Description: Use the get scs command to display the SCS keys used to establish a secure command shell to a NetScreen device from a remote system.

Syntax
get scs [ host-key ] | [ pka-rsa ] [ all | username <name_str> [ index <number> ] [ > tftp <ip_addr> <filename> ] ]

Arguments
scs (with no further arguments): Displays these items:
- Whether SCS is enabled or not
- SCS status
- Key regeneration time
- Current number of SCS connections
- Details of current connections
host-key: Shows the SCS host key (RSA public key) for the active root/VSYS, including the fingerprint of the host key.
pka-rsa: Shows current user-specific information on Public Key Authentication (PKA) using RSA.
- all: Shows all PKA public keys bound to all users. You must be the root user to execute this option; admin users and read-only users cannot execute this command.
- username <name_str>: Shows all PKA public keys bound to the specified user <name_str>. Admin users and read-only users can execute this option only if <name_str> identifies the current admin user or read-only user. The index <number> parameter allows the admin user and read-only user to view the details of a key bound to their own user name. It also allows the root user to view the details of a key bound to the specified user.
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display all users and keys for the secure command shell feature on a NetScreen device:
ns-> get scs pka-rsa all
To display PKA public keys for a user named chris:
ns-> get scs pka-rsa username chris

See Also
See the set scs command.


get service
Description: Use the get service command to display the entries in the service list.

Syntax
get service [ <name_str> group <name_str> | pre-defined | user ] [ > tftp <ip_addr> <filename> ]

Arguments
<name_str>: The name of a specific service.
group: Displays all service groups.
pre-defined: Displays all the pre-defined services.
user: Displays all user-defined services.
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Defaults
Using the get service command without any arguments displays all pre-defined, user-defined, and service group information in the service book.

Examples
To display all entries in the service book:
ns-> get service
To display all user-defined entries in the service book:
ns-> get service user
To display a specific service named ftp:
ns-> get service ftp

See Also
See the set service command.


get session
Description: Use the get session command to display the entries in the session table.

Syntax
get session [ id <id_num> | fragment | [ tunnel ] [ src-ip <ip_addr> [ netmask <mask> ] ] [ dst-ip <ip_addr> [ netmask <mask> ] ] [ src-mac <mac_addr> ] [ dst-mac <mac_addr> ] [ protocol <ptcl_num> [ <ptcl_num> ] ] [ src-port <port_num> [ <port_num> ] ] [ dst-port <port_num> [ <port_num> ] ] ] [ > tftp <ip_addr> <filename> ]

Arguments
id <id_num>: Displays the specific session with Session Identification number <id_num>.
fragment: Displays fragment sessions.
tunnel: Displays VPN tunnel sessions.
src-ip <ip_addr> [ netmask <mask> ]: Displays all sessions initiated by packets containing source IP address <ip_addr>. For example, <ip_addr> could be the source IP address in the first TCP SYN packet.
dst-ip <ip_addr> [ netmask <mask> ]: Displays all sessions initiated by packets containing destination IP address <ip_addr>.
src-mac <mac_addr>: Displays all sessions initiated by packets containing source MAC address <mac_addr>.
dst-mac <mac_addr>: Displays all sessions initiated by packets containing destination MAC address <mac_addr>.
protocol <ptcl_num> [ <ptcl_num> ]: Displays all sessions that use protocol <ptcl_num>. You can also specify any protocol within a range (<ptcl_num> <ptcl_num>).
src-port <port_num> [ <port_num> ]: Displays all sessions initiated by packets that contain the layer 4 source port <port_num> in the layer 4 protocol header. You can also specify any layer 4 source port within a range (<port_num> <port_num>).
dst-port <port_num> [ <port_num> ]: Displays all sessions initiated by packets that contain the layer 4 destination port <port_num> in the layer 4 protocol header. You can also specify any layer 4 destination port within a range (<port_num> <port_num>).
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Defaults
If no arguments are specified, the get session command displays information for all entries in the session table by default.

Examples
To display all the entries in the session table:
ns-> get session
To display all the entries in the session table for a specific source IP address:
ns-> get session src-ip 172.16.10.92
To display all the entries in the session table for port 80:
ns-> get session dst-port 80
To display all the entries in the session table for protocol 5 and for source ports 2 through 5:
ns-> get session protocol 5 src-port 2 5
To display the session table entry for the session with ID 5116:
ns-> get session id 5116
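The filter arguments combine as an AND over the session fields, with id and fragment standing alone and ranges being inclusive. The following Python model of that selection is an added example, not code from the guide; the Session record and the sample table are constructed so that each documented example above selects a known row.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Range = Union[int, Tuple[int, int]]  # a single value or an inclusive (low, high) pair


@dataclass(frozen=True)
class Session:
    """One row of the session table, limited to the fields the filters operate on."""
    id: int
    src_ip: str
    dst_ip: str
    src_mac: str
    dst_mac: str
    protocol: int
    src_port: int
    dst_port: int
    tunnel: bool = False    # VPN tunnel session
    fragment: bool = False  # fragment session


def _in_range(value: int, rng: Range) -> bool:
    low, high = (rng, rng) if isinstance(rng, int) else rng
    return low <= value <= high


def _in_subnet(ip: str, addr: str, mask: str) -> bool:
    # The CLI takes the netmask in dotted-quad form; strict=False tolerates host bits in addr.
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    return ipaddress.IPv4Address(ip) in net


def _norm_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


def select_sessions(table: List[Session], *, session_id: Optional[int] = None,
                    fragment: bool = False, tunnel: bool = False,
                    src_ip: Optional[str] = None, src_mask: str = "255.255.255.255",
                    dst_ip: Optional[str] = None, dst_mask: str = "255.255.255.255",
                    src_mac: Optional[str] = None, dst_mac: Optional[str] = None,
                    protocol: Optional[Range] = None,
                    src_port: Optional[Range] = None,
                    dst_port: Optional[Range] = None) -> List[Session]:
    """Return the sessions a 'get session' call with these arguments would list.

    session_id and fragment are alternatives to the field filters, as in the syntax;
    with no arguments at all the whole table is returned (the documented default).
    """
    if session_id is not None:
        return [s for s in table if s.id == session_id]
    if fragment:
        return [s for s in table if s.fragment]
    selected = []
    for s in table:
        if tunnel and not s.tunnel:
            continue
        if src_ip is not None and not _in_subnet(s.src_ip, src_ip, src_mask):
            continue
        if dst_ip is not None and not _in_subnet(s.dst_ip, dst_ip, dst_mask):
            continue
        if src_mac is not None and _norm_mac(s.src_mac) != _norm_mac(src_mac):
            continue
        if dst_mac is not None and _norm_mac(s.dst_mac) != _norm_mac(dst_mac):
            continue
        if protocol is not None and not _in_range(s.protocol, protocol):
            continue
        if src_port is not None and not _in_range(s.src_port, src_port):
            continue
        if dst_port is not None and not _in_range(s.dst_port, dst_port):
            continue
        selected.append(s)
    return selected


def session_ids(sessions: List[Session]) -> List[int]:
    return [s.id for s in sessions]


# Constructed sample table (values chosen to match the examples in this entry; not a real capture).
SAMPLE_TABLE = [
    Session(5116, "172.16.10.92", "10.1.1.20", "00:10:db:00:00:01", "00:10:db:00:00:02", 6, 40001, 80),
    Session(5117, "172.16.10.93", "10.1.1.20", "00:10:db:00:00:03", "00:10:db:00:00:02", 6, 40002, 443),
    Session(5118, "172.16.10.92", "10.1.1.21", "00:10:db:00:00:01", "00:10:db:00:00:04", 5, 3, 3, tunnel=True),
    Session(5119, "192.168.1.5", "10.1.1.22", "00:10:db:00:00:05", "00:10:db:00:00:06", 17, 53, 53, fragment=True),
]

if __name__ == "__main__":
    print(session_ids(select_sessions(SAMPLE_TABLE, protocol=5, src_port=(2, 5))))
```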

See Also
See the clear session command.

Notes
The get session command displays:
- The Network Address Translation (NAT) mode
- The sessions in the normal session table
- The sessions in the external session table
- The packets coming into the session's trusted IP address
- The packets going out of the untrusted IP address
- The currently active normal and external sessions
- The session's ID number in the session table
- The pseudo port, flag, and PID for the session
- The load-balancing server index
- The vector ID (VID)
- The session timeout specification
- The gateway IP address
- The session's security association


get snmp
Description: Use the get snmp command to display the NetScreen device settings for Simple Network Management Protocol (SNMP).

Syntax
get snmp { auth-trap | community <name_str> | settings | vpn } [ > tftp <ip_addr> <filename> ]

Arguments
auth-trap: Displays the status of SNMP authentication traps.
community <name_str>: Displays the permissions assigned to the named SNMP community.
settings: Displays the name of the contact person, and the name and physical location of the NetScreen device.
vpn: Displays SNMP VPN encryption status (Enabled or Disabled).
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the settings for an SNMP community named public:
ns-> get snmp community public
To display the settings for all the communities:
ns-> get snmp all
To display the name of the contact person and the name and physical location of the NetScreen device:
ns-> get snmp settings

See Also
See the set snmp command.


get socket
Description: Use the get socket command to display socket information on a NetScreen device.

Syntax
get socket [ id <id_num> ] [ > tftp <ip_addr> <filename> ]

Arguments
id <id_num>: Displays information for the socket with ID value <id_num>.
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Availability
All NetScreen device models support this feature.

Examples
To display socket information:
ns-> get socket
To display the information concerning socket 3001:
ns-> get socket id 3001

See Also
See the set socket command.


get software-key
Description: Use the get software-key command to display the software-key information on the NetScreen device.

Syntax
get software-key [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the software key on a NetScreen device:
ns-> get software-key

See Also
See the set software-key command.

Note
The get software-key command displays this information:
- VSYS key
- NSRP key
- Maximum number of virtual systems allowed
- Whether NSRP is enabled


get ssl
Description: Use the get ssl command to display the Secure Sockets Layer (SSL) settings on a NetScreen device.

Syntax
get ssl [ cert-list ] [ > tftp <ip_addr> <filename> ]

Arguments
cert-list: Displays currently available certificates.
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the SSL information on a NetScreen device:
ns-> get ssl
To display the SSL certificate list:
ns-> get ssl cert-list

See Also
See the set ssl command.


get syslog
Description: Use the get syslog command to display the syslog configuration.

Syntax
get syslog [ vpn | config | enable | port | traffic ] [ > tftp <ip_addr> <filename> ]

Arguments
vpn: Shows whether syslog encryption is enabled for a particular virtual private network.
config: Shows whether the syslog mechanism is configured or not.
enable: Shows whether syslog is enabled or not.
port: Displays the port used to communicate with the syslog server.
traffic: Indicates whether the traffic log is sent to syslog.
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display all syslog configuration information:
ns-> get syslog
To display whether the syslog mechanism has been configured or not:
ns-> get syslog config
To display whether the syslog mechanism is enabled or not:
ns-> get syslog enable
To display the port used to communicate with the syslog server:
ns-> get syslog port
To display whether sending the traffic log through syslog is enabled or not:
ns-> get syslog traffic
To display whether communication with the WebTrends server is enabled or not:
ns-> get syslog webtrends

See Also
See the set syslog command.


get system
Description: Use the get system command to display general system information.

Syntax
get system [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the general system information:
ns-> get system

See Also
See the set admin and set interface commands.


get tech-support
Description: Use the get tech-support command to display system information for troubleshooting the NetScreen device.

Syntax
get tech-support [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display information for troubleshooting purposes:
ns-> get tech-support

See Also
See the get system command.


get temperature
Description: Use the get temperature command to view the current system temperature, and the normal and severe temperature thresholds for triggering temperature alarms.

Syntax
get temperature [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Defaults
The default temperature thresholds in Fahrenheit and Celsius are as follows:
- Normal alarm temperature threshold: 113 Fahrenheit, 50 Celsius
- Severe alarm temperature threshold: 122 Fahrenheit, 60 Celsius

Examples
To view the temperature settings:
ns-> get temperature

Note
The output is displayed as shown below:
Current system temperature is 113F, 45C.
The normal alarm temperature is 122F, 50C.
The severe alarm temperature is 140F, 60C.


get timer
Description: Use the get timer command to display the current timer settings.

Syntax
get timer [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the timer settings:
ns-> get timer

See Also
See the set timer command.


get traffic-shaping
Description: Use the get traffic-shaping command to display traffic management information for device interfaces. If no interface name is specified, the information for all interfaces is displayed.

Syntax
get traffic-shaping { interface [ <name_str> ] | ip_precedence | mode }

Arguments
interface [ <name_str> ]: Displays the traffic shaping information for an interface; <name_str> is the name of the interface.
ip_precedence: Displays the priority to IP precedence (TOS) mapping.
mode: Displays the traffic shaping mode.

Examples
To display traffic management information for all interfaces:
ns-> get traffic-shaping interface

See Also
See the get interface command.


get url-filter
Description: Use the get url-filter command to display the URL blocking configuration settings.

Syntax
get url-filter [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display information about the URL blocking settings:
ns-> get url-filter

See Also
See the set url command.

Notes
NetScreen monitors the status of the Websense server once a minute. When the Websense server does not respond, this is reported in the WebUI. Also, an entry is added to the Event Alarm log in the status line of the CLI, and all URL requests are blocked. All sessions waiting to be acknowledged by the Websense server are listed in the order the request is received. The waiting queue can have a maximum of 256 requests.


get user
Description: Use the get user command to display the user authentication database.

Syntax
get user { <name_str> | all | id <id_num> } [ > tftp <ip_addr> <filename> ]

Arguments
<name_str>: Displays this information for the user with the name <name_str>:
- User ID number
- User name
- Status (enabled or disabled)
- Type: manual, auth, ike, l2tp, auth/ike, auth/l2tp, auth/ike/l2tp, ike/l2tp
- IKE ID types: email address, IP address, or domain name
- IKE identities
- Manual Key settings
- Remote L2TP settings
all: Displays this information for all the entries in the internal user database:
- User ID number
- User name
- Status (enabled or disabled)
- User type
- IKE ID types: email address, IP address, or domain name
- IKE identities
- Manual Key settings
id <id_num>: Displays the same information as the get user <name_str> option, for the user with ID number <id_num>.
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display a particular user named roger:
ns-> get user roger
To display all the users in the NetScreen internal database:
ns-> get user all
To display a particular user with user ID 10:
ns-> get user id 10

See Also
See the set user command.


get vip
Description: Use the get vip command to display the Virtual IP (VIP) configuration settings.

Syntax
get vip [ server | session ] [ > tftp <ip_addr> <filename> ]

Arguments
server: Displays the load balance status of servers receiving traffic to VIPs.
session: Displays the load balance session table, which shows the balanced distribution of currently active VIP sessions.
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Defaults
If neither server nor session is specified, the get vip command displays all configured VIPs by default.

Examples
To display all the configured VIPs:
ns-> get vip

See Also
See the set vip command.


get vpn
Description: Use the get vpn command to display Virtual Private Network (VPN) configurations.

Syntax
get vpn [ <name_str> [ detail ] | auto | manual | proxy-id ] [ > tftp <ip_addr> <filename> ]

Arguments
<name_str>: Displays the following information for a specific AutoKey IKE VPN with the name <name_str>:
- VPN name and VPN gateway name
- IPSec mode (tunnel or transport)
- Replay protection (enabled or disabled)
- Phase 2 proposals
- VPN monitoring (enabled or disabled)
- The number of access policies using the VPN
- The number of security associations (SAs) using the VPN
- The idle timeout value after which the VPN is closed
- A 16-bit VPN flag that provides internal information about the VPN, for debugging purposes only
Displays the following information for a specific Manual Key VPN with the name <name_str>:
- Local and remote security parameter index (SPI) numbers
- The number of security associations (SAs) using the VPN
- An 8-bit flag indicating internal information for debugging purposes
- The IPSec protocol used in the VPN, either Encapsulating Security Payload (ESP) or Authentication Header (AH)
- The encryption and/or authentication algorithms employed, any passwords used to generate encryption and/or authentication keys, and the keys themselves
- VPN monitoring (enabled or disabled)
detail: Provides a detailed profile of the VPN, including the encryption and authentication keys, its current state of activity, and the ID numbers of the incoming and outgoing access policies that reference the VPN.
manual: Displays all Manual Key VPNs.
auto: Displays all AutoKey IKE VPNs.
proxy-id: Displays proxy-id configurations. A proxy-id configuration consists of the local and remote addresses used by a VPN tunnel, and specifies the services provided.
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display all VPN definitions:
ns-> get vpn
To display a VPN named branch:
ns-> get vpn branch
To display all AutoKey IKE VPNs:
ns-> get vpn auto
To display all Manual Key VPNs:
ns-> get vpn manual
To display all proxy-id configurations:
ns-> get vpn proxy-id

See Also
See the set vpn command.


get vpnmonitor
Description: Use the get vpnmonitor command to display VPN Monitor parameters.

Syntax
get vpnmonitor [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the VPN Monitor parameters:
ns-> get vpnmonitor

See Also
See the set vpnmonitor command.


get vrouter
Description: Use the get vrouter command to display information about a virtual router.

Syntax
get vrouter [ <name_str> [ interface | route { id <id_num> | ip <ip_addr> } | rule | zone ] ]

Arguments
<name_str>: The name of the virtual router.
interface: Displays the interface entries in the virtual router.
route: Displays the contents of the routing table. The id <id_num> parameter displays the route identified by an ID number. The ip <ip_addr> parameter displays the route identified by an IP address.
rule: Displays the import and export rules.
zone: Displays the zones bound to the virtual router.

Examples
To display the interface entries in a virtual router named Marketing:
ns-> get vrouter Marketing interface
To display the route with ID 1 in the untrust-vr virtual router:
ns-> get vrouter untrust-vr route id 1

See Also
See the set vrouter command.


get vsys
Description: Use the get vsys command to display a specific virtual system or all the virtual systems on a NetScreen device.

Syntax
get vsys [ <name_str> ] [ > tftp <ip_addr> <filename> ]

Arguments
<name_str>: Displays the configuration settings for the virtual system with the name <name_str>.
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display all virtual systems on the NetScreen-1000 device:
ns-> get vsys
To display the sub-interface (SIF) identifying number, the name of the VLAN associated with the SIF, and the IP address and netmask for a virtual system named organization3:
ns-> get vsys organization3

See Also
See the set interface, set vsys, enter vsys, and exit commands.


get webtrends
Description: Use the get webtrends command to display the WebTrends server settings.

Syntax
get webtrends [ > tftp <ip_addr> <filename> ]

Arguments
> tftp <ip_addr> <filename>: Directs generated output to a file <filename> on the TFTP server <ip_addr>.

Examples
To display the WebTrends server settings:
ns-> get webtrends

See Also
See the set webtrends command.


get zone
Description: Use the get zone command to display information about security zones.

Syntax
get zone [ id <id_num> | <name_str> | all ]

Arguments
id <id_num>: The identification number of the zone.
<name_str>: The name of the zone. For more information on zones, see Security Zones in USGA Features.
all: Displays information on all zones.

Examples
To create a new Layer-2 zone named Marketing, with VLAN ID number 3:
ns-> set zone name Marketing L2 3
To impose inter-zone blocking on the Trust zone:
ns-> set zone trust block
To create a tunnel zone named Engineering:
ns-> set zone name Engineering tunnel Tunn_Zone

See Also
See the get config command.

Clear Commands

Use the clear commands to remove data stored in log tables, remove information stored in memory, and remove information stored on the flash card.
Note: As you execute CLI commands using the syntax descriptions in this chapter, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the clear pppoe command, which is available on a NetScreen-208 device, but not on a NetScreen-500 device.


clear admin
Description: Use the clear admin command to remove remote administrator information.

Syntax
clear admin { user { cache | login } }

Arguments
cache: Remote admin users.
login: Current users of all the login sessions.

Examples
To clear the profiles for all remote administrators:
ns-> clear admin user cache

See Also
See the get admin command.


clear alarm
Description: Use the clear alarm command to clear the entries in the alarm table.

Syntax
clear alarm { event [ end-time <string> ] | traffic [ policy { <id_num> [ -<id_num> ] } ] [ end-time <string> ] }

Arguments
event: Specifies entries in the event alarm table.
traffic: Specifies entries in the traffic alarm table.
end-time <string>: Clears alarm entries that occurred at and before the time specified. The format for <string> is mm/dd[/yy]-hh:mm:ss. You can omit the year (the current year is the default), or express the year using the last two digits or all four. The hour, minute, and second are optional. The delimiter between the date and the time can be a dash or an underscore, as in 12/31/2001-23:59:00 or 12/31/2001_23:59:00.
policy: Clears entries from the traffic alarm table for an Access Policy specified by its ID number or for several Access Policies specified by a range of ID numbers. The ID number can be any value between 0 and the total number of established Access Policies. To define a range, enter the starting and ending ID numbers as follows: <id_num>-<id_num>

Defaults
If you specify no arguments, the clear alarm command removes all entries from both the event alarm table and the traffic alarm table.

Examples
To clear all entries in the event alarm table:
ns-> clear alarm event
To clear all entries in the traffic alarm table:
ns-> clear alarm traffic
To clear alarm entries for an Access Policy with ID number 4 from the traffic alarm table:
ns-> clear alarm traffic policy 4
To clear alarm entries for Access Policies within the ID range of 5 to 8 from the traffic alarm table:
ns-> clear alarm traffic policy 5-8
To clear alarm entries at or before July 15, 2000 11:00 A.M. from the traffic alarm table:
ns-> clear alarm traffic end-time 07/15/00-11:00

6HH $OVR
See the get alarm command.

clear arp
Description: Use the clear arp command to clear entries in the Address Resolution Protocol (ARP) table.

Syntax
clear arp

Arguments
None.

Examples
To clear the entries in the ARP table:
ns-> clear arp

See Also
See the get arp command.

clear audible-alarm
Description: Use the clear audible-alarm command to turn off an alarm sounding on a NetScreen device.

Syntax
clear audible-alarm

Arguments
None.

Examples
To turn off an audible alarm:
ns-> clear audible-alarm

See Also
See the set audible-alarm and get audible-alarm commands.

clear auth
Description: Use the clear auth command to clear the authentication queue, which stores the authentication processes currently in progress.

Syntax
clear auth [ history ]

Arguments
history   Clears the authentication history, which stores the authenticated events and timeout values.

Examples
To clear all entries in the authentication table:
ns-> clear auth
To clear user authentication history:
ns-> clear auth history

See Also
See the get auth and set auth commands.

clear counter
Description: Use the clear counter command to clear interface and flow counters.

Syntax
clear counter { all | ha | screen [ interface <interface> ] }

Arguments
ha       Specifies counters for packets transmitted across a high-availability (HA) link between two NetScreen devices. An HA-level inspection keeps count of the number of packets and packet errors.
screen   Clears the screen counters. The interface <interface> parameter specifies the name of a particular interface. For more information on interfaces, refer to Interfaces in USGA Features.

Examples
To clear the ha counter:
ns-> clear counter ha

See Also
See the get counter command.

clear crypto
Description: Use the clear crypto command to delete the crypto file (image signing key), as FIPS requires when you want to reset the whole NetScreen device.

Syntax
clear crypto { auth-key | file }

Arguments
auth-key   Deletes the image authentication key.
file       Deletes all crypto files.

Examples
To clear the crypto authentication key:
ns-> clear crypto auth-key
To clear the crypto file:
ns-> clear crypto file

See Also
See the ping crypto and trace-route crypto commands.

clear dbuf
Description: Use the clear dbuf command to clear the contents of the debug buffer.

Syntax
clear dbuf

Arguments
None.

Examples
To clear the contents of the debug buffer:
ns-> clear dbuf

See Also
See the get dbuf and set console commands.

clear dhcp
Description: Use the clear dhcp command to release the IP address the NetScreen device is using for its untrusted interface. The device obtains this IP address from the DHCP server. You can also use clear dhcp to return a specific IP address to the Dynamic Host Configuration Protocol (DHCP) pool of IP addresses, or to return all IP addresses to the pool.

Syntax
clear dhcp { client | server { <interface> } }

Arguments
client               Releases the DHCP client IP address that the NetScreen device's untrusted interface obtained.
server <interface>   Clears the IP address assigned to <interface> from the DHCP server IP address pool. For more information on interfaces, refer to Interfaces in USGA Features.

Examples
To release the IP address that the NetScreen device obtained from the DHCP server:
ns-> clear dhcp client
To return the IP address for interface ethernet1 to the DHCP server pool:
ns-> clear dhcp server ethernet1
To return the IP address for interface ethernet3/1 to the DHCP server pool:
ns-> clear dhcp server ethernet3/1

See Also
See the set dhcp, unset dhcp, get dhcp, and exec dhcp client commands.

clear dns
Description: Use the clear dns command to clear the DNS cache table.

Syntax
clear dns

Arguments
None.

Examples
To clear the DNS cache table:
ns-> clear dns

See Also
See the set dns, unset dns, get dns, and exec dns commands.

clear file
Description: Use the clear file command to delete a specific file from the flash card memory.

Syntax
clear file <dev_name>:<filename>

Arguments
<dev_name>:<filename>   Deletes the file with the name <filename> from the flash card memory.

Examples
To delete a file named myconfig in the flash memory on the memory board:
ns-> clear file flash:myconfig

See Also
See the get file command.

clear ike-cookie
Description: Use the clear ike-cookie command to clear the entries in the Internet Key Exchange (IKE) cookie table.

Syntax
clear ike-cookie { <ip_addr> | all }

Arguments
<ip_addr>   Clears the entries for IP address <ip_addr> in the IKE cookie table.
all         Clears all entries in the IKE cookie table.

Examples
To clear all entries in the IKE cookie table:
ns-> clear ike-cookie all
To clear entries for IP address 100.2.30.1 in the IKE cookie table:
ns-> clear ike-cookie 100.2.30.1

See Also
See the set ike, unset ike, and get ike commands.

clear l2tp
Description: Use the clear l2tp command to remove all of the active L2TP tunnels, or a specific L2TP tunnel whose peer is at a specified IP address.

Syntax
clear l2tp { all | ip <ip_addr> }

Arguments
all             Clears all active L2TP tunnels.
ip <ip_addr>    Specifies the peer IP address.

Examples
To clear all active L2TP tunnels:
ns-> clear l2tp all
To clear the L2TP tunnel whose peer is at IP 1.1.1.1:
ns-> clear l2tp ip 1.1.1.1

See Also
See the set l2tp, unset l2tp, and get l2tp commands.

clear led
Description: When either an event alarm or a firewall attack occurs, the corresponding LED glows red to signal the alarm or attack. Use the clear led command to return the ALARM or FW (firewall) LED to green after an event alarm or a firewall attack occurs.

Syntax
clear led { alarm | firewall }

Arguments
alarm      Specifies the ALARM LED.
firewall   Specifies the firewall (FW) LED.

Examples
To return the FW LED to green after a firewall attack occurs:
ns-> clear led firewall
To change the ALARM LED to green after an event alarm occurs:
ns-> clear led alarm

clear log
Description: Use the clear log command to clear the entries in the log table.

Syntax
clear log { event [ end-time <string> ] | self [ end-time <string> ] | system [ saved ] | traffic [ policy { <id_num>-<id_num> | <id_num> } ] [ end-time <string> ] }

Arguments
event                                Clears event entries from the log.
self                                 Clears self-log entries from the log.
traffic                              Clears traffic entries from the log.
end-time <string>                    Clears log entries that occurred at and before the time specified. The format for <string> is mm/dd[/yy][-hh:mm:ss]. You can omit the year (the current year is the default), or express the year using either the last two digits or all four. The hour, minute, and second are optional. The delimiter between the date and the time can be a dash or an underscore: 12/31/2001-23:59:00 or 12/31/2001_23:59:00
policy <id_num>-<id_num> | <id_num>  Clears the traffic entries in the log table for the access policy with ID number <id_num>, or for access policies within the range of ID numbers <id_num>-<id_num>.

Examples
To clear entries in the event log:
ns-> clear log event
To clear all entries in the traffic log:
ns-> clear log traffic
To clear all entries for an access policy with ID number 4 in the traffic log:
ns-> clear log traffic policy 4
To clear event log entries that occurred at or before 5:00 P.M. April 10, 2000:
ns-> clear log event end-time 04/10/00-17:00
To clear traffic log entries that occurred at or before 3:15 P.M. on June 3, 2001 for access policies ranging from ID 5 to 10:
ns-> clear log traffic policy 5-10 end-time 06/03/01_15:15

See Also
See the get log command.
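As an added illustration (not code from this guide or from ScreenOS), the following Python parses the end-time <string> format that clear alarm and clear log share and applies the policy range and time cutoff to a constructed traffic-log table, so the "at and before" boundary can be checked against the page's own example strings. Expanding a two-digit year to 20yy is an assumption here; the page does not state the pivot.

```python
import re
from datetime import datetime

# Regular expression for the end-time <string> format the page documents:
# mm/dd, optional /yy or /yyyy, optional time hh:mm[:ss] introduced by a
# dash or an underscore. The grammar is the page's; this regex is ours.
_END_TIME_RE = re.compile(
    r"^(?P<mon>\d{1,2})/(?P<day>\d{1,2})"
    r"(?:/(?P<year>\d{2}|\d{4}))?"
    r"(?:[-_](?P<hour>\d{1,2}):(?P<minute>\d{2})(?::(?P<second>\d{2}))?)?$"
)


def parse_end_time(value, current_year=2001):
    """Return the cutoff datetime for an end-time string.

    An omitted year defaults to current_year (the page: "the current year is
    the default"). A two-digit year is expanded to 20yy here; that pivot is
    an assumption, the page does not state one. An omitted time means
    00:00:00, so "at and before" a bare date stops at that day's midnight.
    """
    m = _END_TIME_RE.match(value)
    if not m:
        raise ValueError(f"malformed end-time string: {value!r}")
    year = m.group("year")
    if year is None:
        year = current_year
    elif len(year) == 2:
        year = 2000 + int(year)
    else:
        year = int(year)
    # datetime() rejects out-of-range fields (month 13, hour 25) with ValueError.
    return datetime(
        year, int(m.group("mon")), int(m.group("day")),
        int(m.group("hour") or 0), int(m.group("minute") or 0),
        int(m.group("second") or 0),
    )


def is_valid_end_time(value, current_year=2001):
    """True when parse_end_time would accept value, False otherwise."""
    try:
        parse_end_time(value, current_year)
        return True
    except ValueError:
        return False


def parse_policy_range(value):
    """'4' -> (4, 4); '5-10' -> (5, 10). Reversed ranges are rejected."""
    lo, sep, hi = value.partition("-")
    lo = int(lo)
    hi = int(hi) if sep else lo
    if lo > hi:
        raise ValueError(f"reversed policy range: {value!r}")
    return lo, hi


# Constructed traffic-log entries: (entry_id, timestamp, access policy id).
SAMPLE_TRAFFIC_LOG = [
    (1, datetime(2001, 6, 3, 14, 59, 59), 5),
    (2, datetime(2001, 6, 3, 15, 15, 0), 7),
    (3, datetime(2001, 6, 3, 15, 15, 1), 10),
    (4, datetime(2001, 6, 2, 9, 0, 0), 12),
    (5, datetime(2000, 4, 10, 17, 0, 0), 4),
]


def entries_cleared(entries, policy=None, end_time=None, current_year=2001):
    """Ids of entries that 'clear log traffic [policy P] [end-time T]' removes.

    Both filters must hold: policy id within the range (when given) and
    timestamp at or before the cutoff (when given). An entry stamped exactly
    at the cutoff is cleared, matching the page's "at and before".
    """
    policy_range = parse_policy_range(policy) if policy else None
    cutoff = parse_end_time(end_time, current_year) if end_time else None
    cleared = []
    for entry_id, stamp, policy_id in entries:
        if policy_range and not (policy_range[0] <= policy_id <= policy_range[1]):
            continue
        if cutoff and stamp > cutoff:
            continue
        cleared.append(entry_id)
    return cleared
```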

clear mac-learn
Description: Use the clear mac-learn command to clear the entries in the Media Access Control (MAC) learning table. This command functions only when the NetScreen device is in Transparent mode.

Syntax
clear mac-learn [ stats ]

Arguments
stats   Clears the MAC learning table statistics.

Examples
To clear the statistics in the MAC learning table:
ns-> clear mac-learn stats

See Also
See the get mac-learn, get mac-count, and clear mac-count commands.

clear node_secret
Description: Use the clear node_secret command when the NetScreen device is using SecurID to authenticate users and is not communicating properly with the ACE Server. If the system IP or interface IP address changes, it is necessary to clear and reset the node secret on both the NetScreen device and the ACE server.

Syntax
clear node_secret [ ipaddr <ip_addr> ]

Arguments
ipaddr <ip_addr>   Specifies the outgoing IP address for communication with the SecurID server.

Defaults
None.

Examples
To clear the node secret and prompt the NetScreen device to request a new one from the ACE server:
ns-> clear node_secret

Notes
If you remove, move, or reconfigure a NetScreen device, it might stop communicating with the ACE Server. If this happens, the ACE Server log displays a message saying that the node secret is invalid. Use the clear node_secret command to resynchronize communication between the two.

Caution: The node secret bit tells the ACE server to negotiate an encryption secret as soon as possible. When the first successful authentication occurs, the ACE server negotiates an encryption secret. The NetScreen device stores the node secret in nonvolatile memory. Because the node secret does not reside in the configuration, the unset all command does not clear it. Reset the node secret whenever you change the NetScreen IP address or if the ACE server administrator deletes and recreates the client.

clear pppoe
Description: Use the clear pppoe command to reset PPPoE statistical registers.

Syntax
clear pppoe

Arguments
None.

Examples
To reset the statistics for the PPPoE connection:
ns-> clear pppoe

See Also
See the set pppoe, unset pppoe, get pppoe, and exec pppoe commands.

clear sa
Description: Use the clear sa command to clear the IKE value for the specified Security Association (SA).

Syntax
clear sa { <number> }

Arguments
<number>   Specifies the SA index number.

Examples
To clear the IKE value for SA 2:
ns-> clear sa 2

See Also
See the clear sa-statistics and the get sa commands.

clear sa-stat
Description: Use the clear sa-stat command to clear all statistical information (such as number of fragmentations and total bytes through the tunnel) in a Security Association (SA) for an AutoKey IKE VPN tunnel.

Syntax
clear sa-stat [ id <id_num> ]

Arguments
id <id_num>   Clears statistics in a particular Security Association.

Examples
To clear the SA statistics for SA 2:
ns-> clear sa-stat id 2
To clear the SA statistics for all security associations:
ns-> clear sa-stat

See Also
See the clear sa and the get sa commands.

clear session
Description: Use the clear session command to clear entries in the NetScreen device's session table.

Syntax
clear session [ all | id <id_num> | [ src-ip <ip_addr> [ netmask <mask> ] ] [ dst-ip <ip_addr> [ netmask <mask> ] ] [ src-mac <mac_addr> ] [ dst-mac <mac_addr> ] [ protocol <ptcl_num> [ <ptcl_num> ] ] [ src-port <port_num> [ <port_num> ] ] [ dst-port <port_num> [ <port_num> ] ] [ vsd-id <id_num> ] ]

Arguments
all                                  Directs the NetScreen device to clear all sessions.
id <id_num>                          Directs the NetScreen device to clear a specific session with Session Identification number <id_num>.
src-ip <ip_addr>                     Directs the NetScreen device to clear all sessions initiated by packets containing source IP address <ip_addr>. For example, <ip_addr> could be the source IP address in the first TCP SYN packet.
dst-ip <ip_addr>                     Directs the NetScreen device to clear all sessions initiated by packets containing destination IP address <ip_addr>.
src-mac <mac_addr>                   Directs the NetScreen device to clear all sessions initiated by packets containing source MAC address <mac_addr>.
dst-mac <mac_addr>                   Directs the NetScreen device to clear all sessions initiated by packets containing destination MAC address <mac_addr>.
protocol <ptcl_num> [ <ptcl_num> ]   Directs the NetScreen device to clear all sessions that use protocol <ptcl_num>. You can also specify any protocol within a range (<ptcl_num> <ptcl_num>).
src-port <port_num> [ <port_num> ]   Directs the NetScreen device to clear all sessions initiated by packets that contain the layer 4 source port <port_num> in the layer 4 protocol header. You can also specify any layer 4 source port within a range (<port_num> <port_num>).
dst-port <port_num> [ <port_num> ]   Directs the NetScreen device to clear all sessions initiated by packets that contain the layer 4 destination port <port_num> in the layer 4 protocol header. You can also specify any layer 4 destination port within a range (<port_num> <port_num>).
vsd-id <id_num>                      Directs the NetScreen device to clear all sessions that belong to the VSD group <id_num>.

Examples
To clear all entries in the session table:
ns-> clear session
To clear all sessions belonging to VSD group 2001 and initiated from the host at IP address 172.16.10.12:
ns-> clear session src-ip 172.16.10.12 vsd-id 2001

See Also
See the get session command.
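The selection that the clear session filters imply, as an added Python example (not ScreenOS code) run over a constructed session table: the arguments after clear session are parsed into a filter and every criterion must hold, as in the page's src-ip plus vsd-id example. The Session layout, the /32 mask applied when netmask is absent, and the src-mac/dst-mac fields being left out are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Constructed stand-in for a session-table entry (not ScreenOS's layout)."""
    sid: int
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int
    vsd_id: int = 0


# Constructed session table.
SAMPLE_SESSIONS = [
    Session(1, "172.16.10.12", "10.1.1.3", 6, 40001, 80, 2001),
    Session(2, "172.16.10.12", "10.1.1.3", 6, 40002, 443, 0),
    Session(3, "172.16.10.77", "10.1.1.9", 17, 5353, 53, 2001),
    Session(4, "192.168.1.5", "172.16.10.12", 6, 51000, 22, 2001),
    Session(5, "172.16.10.20", "10.1.1.3", 1, 0, 0, 2001),
]

_ADDR_KEYS = {"src-ip", "dst-ip"}                    # <ip_addr> [ netmask <mask> ]
_RANGE_KEYS = {"protocol", "src-port", "dst-port"}   # <num> [ <num> ]
_SINGLE_KEYS = {"id", "vsd-id"}                      # <id_num>


def _take(tokens, i, key):
    """Value at position i, or a ValueError naming the argument that lacks one."""
    if i >= len(tokens):
        raise ValueError(f"{key}: missing value")
    return tokens[i]


def parse_clear_session(tokens):
    """Turn the words after 'clear session' into a filter dict.

    No words, or the single word 'all', yields an empty filter that matches
    every session. Host addresses get a /32 mask unless 'netmask' follows.
    """
    tokens = list(tokens)
    if tokens in ([], ["all"]):
        return {}
    filt, i = {}, 0
    while i < len(tokens):
        key = tokens[i]
        if key in _ADDR_KEYS:
            addr = _take(tokens, i + 1, key)
            i += 2
            mask = "255.255.255.255"
            if i < len(tokens) and tokens[i] == "netmask":
                mask = _take(tokens, i + 1, "netmask")
                i += 2
            filt[key] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif key in _RANGE_KEYS:
            lo = int(_take(tokens, i + 1, key))
            i += 2
            hi = lo
            if i < len(tokens) and tokens[i].isdigit():   # optional range end
                hi = int(tokens[i])
                i += 1
            if lo > hi:
                raise ValueError(f"{key}: reversed range {lo}-{hi}")
            filt[key] = (lo, hi)
        elif key in _SINGLE_KEYS:
            filt[key] = int(_take(tokens, i + 1, key))
            i += 2
        else:
            raise ValueError(f"unknown clear session argument: {key!r}")
    return filt


def session_matches(s, filt):
    """True when s satisfies every criterion in filt (criteria are ANDed)."""
    if "id" in filt and s.sid != filt["id"]:
        return False
    if "vsd-id" in filt and s.vsd_id != filt["vsd-id"]:
        return False
    if "src-ip" in filt and ipaddress.ip_address(s.src_ip) not in filt["src-ip"]:
        return False
    if "dst-ip" in filt and ipaddress.ip_address(s.dst_ip) not in filt["dst-ip"]:
        return False
    for key, value in (("protocol", s.protocol),
                       ("src-port", s.src_port),
                       ("dst-port", s.dst_port)):
        if key in filt and not (filt[key][0] <= value <= filt[key][1]):
            return False
    return True


def sessions_to_clear(sessions, args):
    """Ids of the sessions that 'clear session <args>' would remove."""
    filt = parse_clear_session(args)
    return [s.sid for s in sessions if session_matches(s, filt)]
```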

clear url
Description: Use the clear url command to disable URL blocking for an interface pair.

Syntax
clear url { no-block { <interface> { <interface> } } }

Arguments
no-block <interface> <interface>   Disables URL blocking for the interface pair <interface> <interface>.

Examples
To remove URL blocking for the interfaces ethernet1 and ethernet2:
ns-> clear url no-block ethernet1 ethernet2

See Also
See the get file command.

Miscellaneous Commands
This chapter contains miscellaneous commands that do not fit into the other categories.

Note: As you execute CLI commands using the syntax descriptions in this manual, you may find that certain commands and command features are unavailable on your NetScreen device model. A good example is the exec pppoe command, which is available on a NetScreen-208 device, but not on a NetScreen-500 device.

exec dhcp
Description: Use the exec dhcp command to renew the lease for an IP address from a DHCP server.

Syntax
exec dhcp { client { renew } | server { sync } }

Arguments
client   Executes the DHCP client.
server   Executes the DHCP server.
renew    Renews the DHCP client lease.
sync     Syncs the DHCP server IP allocation (for HA).

Examples
To renew a lease for an IP address from the DHCP server immediately:
ns-> exec dhcp client renew

See Also
See the set dhcp, get dhcp, and clear dhcp commands.

Notes
The exec dhcp command can be useful if the DHCP server fails. When this happens, the system administrator can request a new lease for the NetScreen device immediately after the DHCP server reboots. The NetScreen device may or may not be assigned the same IP address it used on the previous lease.

exec dns
Description: Use the exec dns command to refresh all DNS entries.

Syntax
exec dns { refresh }

Arguments
refresh   Refreshes all DNS entries.

Examples
To refresh all DNS entries:
ns-> exec dns refresh

See Also
See the set dns, unset dns, get dns, and clear dns commands.

exec ha
Description: Use the exec ha command to copy files from a master unit to a backup unit. Execute this command on the master unit.

Syntax
exec ha { file-sync [ <filename> ] }

Arguments
file-sync <filename>   Specifies the name of a particular file to copy from the master unit to a backup unit. Executing this command without specifying a file name copies all the files.

Examples
To copy all files from the master unit to a backup unit:
ns-> exec ha file-sync
To copy the environment variable records from the master unit to a backup unit:
ns-> exec ha file-sync envar.rec
The command cannot take effect until you reboot the backup unit.
ns-> reboot
ns-> configuration modified, save? [y]/n n
ns-> system reset, are you sure? y/[n] y

See Also
See the set ha, unset ha, and get ha commands.

exec ntp
Description: Use the exec ntp command to immediately update the NetScreen device clock using Network Time Protocol (NTP).

Syntax
exec ntp { update }

Arguments
update   Updates the time setting on a NetScreen device to synchronize it with the time setting on an NTP server.

Examples
To update the NetScreen device time by synchronizing it with the NTP server:
ns-> exec ntp update

See Also
See the set ntp, unset ntp, and get ntp commands.

exec ping
Description: Use the exec ping command to check the network connection to another system.

Syntax
exec ping [ <ip_addr> | <name_str> ] [ count <number> [ size <number> [ time-out <number> ] ] ] [ from <interface> ]

Arguments
<ip_addr> | <name_str>   Pings the host with the IP address <ip_addr> or name <name_str>.
count <number>           The ping count.
size <number>            The packet size for each ping.
time-out <number>        The ping timeout in seconds.
from <interface>         The source interface for an extended ping. For more information on interfaces, refer to Interfaces in USGA Features.

Examples
To ping a host with IP address 172.16.11.2:
ns-> exec ping 172.16.11.2
To ping a host with IP address 192.168.11.2 and have the results sent to 10.1.1.3:
ns-> exec ping 192.168.11.2 from mip 10.1.1.3
To ping a host with IP address 172.16.11.2 from interface ethernet2:
ns-> exec ping 172.16.11.2 from ethernet2

Notes
An extended ping (using the from option) allows the user to ping a host on the Untrusted network from any of the MIPs or from the Trusted interface IP address.

exec pki
Description: Use the exec pki commands to manage RSA key pair generation and X.509 certificate requests and removals for public-key infrastructure (PKI).

Syntax
exec pki { convert-cert | dsa new-key <key_num> | rsa new-key <key_num> | x509 { delete <number> | pkcs10 | tftp <ip_addr> { cert-name <name_str> | crl-name <name_str> } | scep <number> } }

Arguments
convert-cert            Moves the local certificate to the VSYS environment.
dsa new-key <key_num>   Generates a new DSA public/private key pair with a specified bit length. Key length is 512, 786, 1024, or 2048.
rsa new-key <key_num>   Generates a new RSA public/private key pair with a specified bit length. Key length is 512, 786, 1024, or 2048.
x509                    delete: Deletes a specified X.509 certificate from a NetScreen device.
                        pkcs10: Generates a PKCS10 file for an X.509 certificate request for the NetScreen device.
                        tftp: Uploads the specified certificate or CRL file to the specified TFTP server. The TFTP server is identified by its IP address <ip_addr>.
                        scep: Initiates a Simple Certificate Enrollment Protocol (SCEP) operation to retrieve certificates from a certificate authority server.
cert-name <string>      Specifies the name of the certificate.
crl-name <string>       Specifies the name of the revocation list.

Examples
To create a new RSA key pair with a length of 1024 bits:
ns-> exec pki rsa new-key 1024
To remove an X.509 certificate with the ID number 3 from the NetScreen device:
ns-> exec pki x509 delete 3
To obtain an X.509 CA certificate from a certificate authority to sign your local certificates:
ns-> set pki auth -1 scep ca-cgi http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe
ns-> set pki auth -1 scep ra-cgi http://pilotonsiteipsec.verisign.com/cgi-bin/pkiclient.exe
ns-> exec pki rsa new 1024
ns-> exec pki x509 scep -1
ns-> get pki x509 list pending-cert
ns-> exec pki x509 scep 1
These commands perform the following operations:
1. Specify CA and RA CGI paths to a certificate authority (CA) server.
2. Execute RSA private/public key configuration, specifying a key length of 1024 bits.
3. Initiate the SCEP operation to retrieve certificates.
4. Display a list of pending certificates, allowing you to see and record the index number identifying the certificate.
5. Obtain a CA certificate from the CA server (using the index number obtained in Step 4) to identify the certificate.

See Also
See also the set pki, unset pki, and get pki commands.

exec pppoe
Description: Use the exec pppoe command to set up or take down a PPPoE connection.

Syntax
exec pppoe { connect | disconnect }

Arguments
connect      Starts a PPPoE connection.
disconnect   Takes down a PPPoE connection.

Examples
To set up a PPPoE connection:
ns-> exec pppoe connect

See Also
See the set pppoe, unset pppoe, get pppoe, and clear pppoe commands.

exec save
Description: Use the exec save command to save the NetScreen device configuration settings either to the flash card memory or to a Trivial File Transfer Protocol (TFTP) server connected to the trusted interface on the NetScreen device.

Syntax
exec save [ config [ [ from { flash | slot1 <name_str> | tftp <ip_addr> <name_str> } ] [ append | to { flash | slot1 <name_str> | tftp <ip_addr> <name_str> } ] | all-virtual-system | ha-master ] | software from { flash | slot1 <name_str> | tftp <ip_addr> <name_str> } to { flash | slot1 <name_str> | tftp <ip_addr> <name_str> } | image-key { tftp <ip_addr> <filename> } ]

Arguments
config      Saves configurations according to argument:
            all-virtual-system: Saves all virtual system configurations.
            from: Saves from the specified source.
              flash: Saves from flash, and if selected, appends to the current configuration.
              slot1: Saves from the pccard in slot 1.
              tftp: Saves the configuration settings from a TFTP server with the IP address <ip_addr>.
            append: Appends the configuration information to the current configuration file on the NetScreen device.
            ha-master: Saves the master configuration. At the slave unit console, use this command to pass the configuration settings from the Master unit to the slave unit. Reset the slave unit after the configuration settings are passed.
            to: Saves to the following destination type:
              flash: Saves to flash, and if selected, appends to the current configuration.
              slot1: Saves to the pccard in slot 1.
              tftp: Saves the configuration settings to a TFTP server with the IP address <ip_addr>.
image-key   Loads the image key from a TFTP server, and specifically from the TFTP server <ip_addr> if specified.
software    Saves software.
            from: Saves the software from the source:
              flash: Downloads the system image from flash.
              slot1: Downloads the system image from slot 1.
              tftp: Downloads the system image from the TFTP server with the IP address <ip_addr> to the NetScreen device.
image { tftp <ip_addr> <filename> }   Loads the image key from a TFTP server, and specifically from the TFTP server <ip_addr>, file name <filename>, if specified.

Examples
To save the current configuration settings to the flash memory:
ns-> exec save
To save the current configuration settings to a file named my_config on a TFTP server with IP address 192.16.11.9:
ns-> exec save config to tftp 192.16.11.9 my_config
To download a configuration file named my_config from a TFTP server with the IP address 172.16.30.10 and overwrite the current saved configuration settings on the NetScreen device:
ns-> exec save config from tftp 172.16.30.10 my_config
To download the software file ns5.165 from a TFTP server with the IP address 172.16.20.10 to flash:
ns-> exec save software from tftp 172.16.20.10 ns5.165 to flash
To copy a configuration file named cnfg5 from the PCMCIA card in slot 1 to a file named ns_cnfg5 on a TFTP server at 172.16.156.9:
ns-> exec save config from slot1 cnfg5 to tftp 172.16.156.9 ns_cnfg
To load an authentication key on a FIPS-compliant NetScreen device from a file named nskey.cer on a TFTP server at 10.10.1.2:
ns-> exec save image-key tftp 10.10.1.2 nskey.cer

See Also
See the get config command.

exec scs
Description: Use the exec scs command to load a key from a file on a TFTP server and bind the key to a user.

Syntax
exec scs { tftp { pka-rsa } [ username <name_str> ] { file-name <filename> ip-addr <ip_addr> } }

Arguments
tftp { pka-rsa }                              Specifies a TFTP server from which to load and bind a pka-rsa key from a file.
username <name_str>                           Loads and binds the key to a specific user.
file-name <filename> and ip-addr <ip_addr>    Loads and binds the key to the current user, specifies the IP address (<ip_addr>) of the TFTP server, and specifies the file name (<filename>) of the file containing the key.

Examples
To load and bind a key contained in a file named key_file to a user named chris from a server at IP address 172.16.10.11:
ns-> exec scs tftp pka-rsa username chris file-name key_file ip-addr 172.16.10.11

See Also
See the set scs and get scs commands.

exec software-key
Description: Use the exec software-key command to upgrade device features and their options.

Syntax
exec software-key { vpn <key_str> | vsys <key_str> | zone <key_str> }

Arguments
vpn <key_str>    Specifies the key for the VPN capability upgrade.
vsys <key_str>   Specifies the key for the VSYS capability upgrade.
zone <key_str>   Specifies the key for the zone capability upgrade.

Examples
To upgrade zone capability:
ns-> exec software-key zone 2d2b340097de5000
To upgrade the VPN feature:
ns-> exec software-key vpn 3d2c340187de5401

See Also
See the get software-key command.

exec trace-route
Description: Use the trace-route command to obtain the host name.

Syntax
exec trace-route { <name_str> | <ip_addr> } [ hop <number> [ time-out <number> ] ]

Arguments
<name_str> | <ip_addr>   Specifies the name or IP address of the host to trace.
hop <number>             Specifies the number of gateway devices to traverse before abandoning the trace-route attempt.
time-out <number>        Specifies the length of time, in seconds, before the NetScreen device abandons the trace-route attempt.

Examples
To execute the trace-route command from the NetScreen device to a host named myhost:
ns-> trace-route myhost
To execute the trace-route through up to 3 hops to a host named ourhost:
ns-> trace-route ourhost hop 3
To execute the trace-route through up to 5 hops to a host named thishost, with a time-out interval of 10 seconds:
ns-> trace-route thishost hop 3 time-out 10

See Also
See the ping and exec trace-route commands.

exit
Description: Use the exit command to exit from the console and command-line interface.

Syntax
exit

Arguments
None.

Examples
To log off the console:
ns-> exit

Notes
After issuing the exit command at the console, you must log back in to the console to configure a NetScreen device. After issuing the exit command as root, you remain logged in to the console.

ping
Description: Use the ping command to check the network connection to another system.

Syntax
ping [ <ip_addr> | <name_str> ] [ count <number> [ size <number> [ time-out <number> ] ] ] [ from <interface> ]

Arguments
<ip_addr> | <name_str>   Pings the host with the IP address <ip_addr> or name <name_str>.
count <number>           The ping count.
size <number>            The packet size for each ping.
time-out <number>        The ping timeout in seconds.
from <interface>         The source interface for an extended ping. For more information on interfaces, refer to Interfaces in USGA Features.

Examples
To ping a host with IP address 172.16.11.2:
ns-> ping 172.16.11.2
To ping a host with IP address 192.168.11.2 and have the results sent to 10.1.1.3:
ns-> ping 192.168.11.2 from mip 10.1.1.3
To ping a host with IP address 172.16.11.2 from interface ethernet2:
ns-> ping 172.16.11.2 from ethernet2

Notes
An extended ping (using the from option) allows the user to ping a host on the Untrusted network from any of the MIPs or from the Trusted interface IP address.

reset
Description: Use the reset command to reboot the NetScreen device.

Syntax
reset [ no-prompt | save-config { no | yes } [ no-prompt ] ]

Arguments
no-prompt                  Indicates no confirmation.
save-config { no | yes }   Saves the configurations:
                           no: Does not save the configuration.
                           yes: Saves the configurations.
                           no-prompt: Does not display a confirmation.

Examples
To reboot a NetScreen device:
ns-> reset

VDYH
Description: Use the save command to save the NetScreen device configuration settings either to the flash card memory or to a Trivial File Transfer Protocol (TFTP) server connected to the trusted interface on the NetScreen device.

6\QWD[
save [ config [ [ from { flash | slot1 <name_str> | tftp <ip_addr> <name_str> } ] [ append | to { flash | slot1 <name_str> | tftp <ip_addr> <name_str> } ] | all-virtual-system | ha-master ] | software from { flash | slot1 <name_str> | tftp <ip_addr> <name_str> }

1HW6FUHHQ &/, 5HIHUHQFH *XLGH



 0LVFHOODQHRXV &RPPDQGV

to { flash | slot1 <name_str> | tftp <ip_addr> <name_str> } | image-key { tftp <ip_addr> <filename> } ]

$UJXPHQWV
config Saves configurations according to the argument:
all-virtual-system: Saves all virtual system configurations.
from: Saves from the specified source:
flash: Saves from flash, and if append is selected, appends to the current configuration.
slot1: Saves from the PC card in slot 1.
tftp: Saves the configuration settings from a TFTP server with the IP address <ip_addr>. With append, appends the configuration information to the current configuration file on the NetScreen device.
ha-master: Saves the master configuration. At the slave unit console, use this command to pass the configuration settings from the master unit to the slave unit. Reset the slave unit after the configuration settings are passed.
to: Saves to the following destination type:
flash: Saves to flash, and if append is selected, appends to the current configuration.
slot1: Saves to the PC card in slot 1.
tftp: Saves the configuration settings to a TFTP server with the IP address <ip_addr>.
image-key { tftp <ip_addr> <filename> } Loads the image key from a TFTP server, specifically from the TFTP server <ip_addr>, file name <filename>, if specified.
software Saves software.
from: Saves the software from the source:
flash: Downloads the system image from flash.
slot1: Downloads the system image from slot 1.
tftp: Downloads the system image from the TFTP server with the IP address <ip_addr> to the NetScreen device.

Examples
To save the current configuration settings to the flash memory:
ns-> save
To save the current configuration settings to a file named my_config on a TFTP server with IP address 192.16.11.9:
ns-> save config to tftp 192.16.11.9 my_config
To download a configuration file named my_config from a TFTP server with the IP address 172.16.30.10 and overwrite the current saved configuration settings on the NetScreen device:
ns-> save config from tftp 172.16.30.10 my_config
To download a configuration file named my_config from a TFTP server with the IP address 172.16.30.10 and append it to the current configuration settings on the NetScreen device:
ns-> save config from tftp 172.16.30.10 my_config append
To download the software file ns5.165 from a TFTP server with the IP address 172.16.20.10 to flash:
ns-> save software from tftp 172.16.20.10 ns5.165 to flash
To copy a configuration file named cnfg5 from the PCMCIA card in slot 1 to a file named ns_cnfg5 on a TFTP server at 172.16.156.9:
ns-> save config from slot1 cnfg5 to tftp 172.16.156.9 ns_cnfg
To load an authentication key on a FIPS-compliant NetScreen device from a file named nskey.cer on a TFTP server at 10.10.1.2:
ns-> save image-key tftp 10.10.1.2 nskey.cer

See Also
See the get config command.
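Backups written with save config to tftp are the natural baseline for spotting configuration changes that nobody authorised; because TFTP itself carries no authentication, the server holding them belongs on the trusted interface, as the description above assumes. The script below is an added example, not code from this guide or from NetScreen. It assumes two backups of the same device have been fetched from the TFTP server as plain text, compares them line by line, records a SHA-256 of each file, and flags changed lines whose commands (set admin, set policy, set vpn, set ike, set user, set ssh, set snmp, all of which this guide documents) touch administration, policy or remote access. The two sample configurations are constructed for illustration and their values are invented.

```python
"""Drift check for NetScreen configuration backups.

Added example, not part of the NetScreen CLI Reference Guide. It assumes
that `save config to tftp <ip_addr> <name_str>` has written two text files
of `set`/`unset` commands to a TFTP server: a known-good baseline and the
latest backup. The sample configs below are constructed for illustration;
the command names come from the guide's index, the values are invented.
"""
import difflib
import hashlib

# Command prefixes whose change a defender would want flagged first. The
# command names are taken from the guide; the grouping is this example's.
HIGH_RISK_PREFIXES = (
    "set admin", "unset admin",      # administrative access
    "set policy", "unset policy",    # access policies
    "set vpn", "set ike",            # VPN / IKE peers
    "set user", "unset user",        # authentication users
    "set ssh", "set snmp",           # remote management
)

# Constructed sample: the baseline backup taken when the device was commissioned.
BASELINE_CONFIG = """\
set hostname ns-edge-1
set admin name netadmin
set interface trust ip 192.168.1.1/24
set policy id 1 from trust to untrust any any http permit
set syslog config 192.168.1.50
set snmp community public read-only
"""

# Constructed sample: the most recent nightly backup of the same device.
CURRENT_CONFIG = """\
set hostname ns-edge-1
set admin name netadmin
set admin name helpdesk2
set interface trust ip 192.168.1.1/24
set policy id 1 from trust to untrust any any http permit
set policy id 2 from untrust to trust any any any permit
set snmp community public read-only
"""


def sha256_hex(text: str) -> str:
    """Hash a backup so its integrity can be recorded alongside the file."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def normalize(text: str) -> list:
    """Drop blank lines and surrounding whitespace; keep command order."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def config_drift(baseline: str, current: str) -> dict:
    """Return commands added to and removed from the baseline, the subset
    that touches high-risk areas, and the hashes of both files."""
    base_lines, cur_lines = normalize(baseline), normalize(current)
    added, removed = [], []
    matcher = difflib.SequenceMatcher(a=base_lines, b=cur_lines, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("delete", "replace"):
            removed.extend(base_lines[i1:i2])
        if tag in ("insert", "replace"):
            added.extend(cur_lines[j1:j2])
    flagged = [line for line in added + removed
               if line.startswith(HIGH_RISK_PREFIXES)]
    return {
        "baseline_sha256": sha256_hex(baseline),
        "current_sha256": sha256_hex(current),
        "added": added,
        "removed": removed,
        "high_risk": flagged,
    }


if __name__ == "__main__":
    report = config_drift(BASELINE_CONFIG, CURRENT_CONFIG)
    print("baseline", report["baseline_sha256"])
    print("current ", report["current_sha256"])
    for key in ("added", "removed", "high_risk"):
        print(f"{key}:")
        for line in report[key]:
            print(f"  {line}")
```

Running the script on the constructed samples reports one new admin account and one new permit-all policy from Untrust to Trust as high-risk additions, and a removed syslog destination; the hashes give you something to record in a change ticket or compare against the next backup.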


trace-route
Description: Use the trace-route command to trace the network route to the host specified by name.

Syntax
trace-route <name_str> [ hop { <number> [ time-out <number> ] } ]

Arguments
<name_str> The host name.
hop <number> The number of trace route hops to
time-out <number> Specifies the amount of time to elapse before abandoning the route trace.

Examples
ns-> trace-route


Appendix A: Resetting the Device to Factory Default Settings

If the admin password is lost, you can use the following procedure to reset the NetScreen device to its default settings. The configuration will be lost, but access to the device will be restored. To perform this operation, you need to make a console connection, which is described in detail in the NetScreen CLI Reference Guide and the installer's guides. By default the device recovery feature is enabled. You can disable it by entering the unset admin device-reset command. Also, if the NetScreen-100 is in FIPS mode, the recovery feature is automatically disabled.

1. At the login prompt, type the serial number of the device.
2. At the password prompt, type the serial number again. The following message appears:
!!! Lost Password Reset !!! You have initiated a command to reset the device to factory defaults, clearing all current configuration, keys and settings. Would you like to continue? y/[n]
3. Press the y key. The following message appears:
!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen; password: netscreen. Would you like to continue? y/[n]
4. Press the y key to reset the device. You can now log in using netscreen as the default username and password.


Appendix B: USGA Features

This appendix contains information on features of the NetScreen Universal Security Gateway Architecture (USGA). These features include the following:
- Security zones
- Interfaces

Security Zones
NetScreen devices use zones to host physical and logical interfaces, tunnels, and special-purpose items. These zones are as follows.
Layer-2 security zones
Use Layer-2 security zones when the NetScreen device operates in Transparent mode.
- v1-trust specifies the V1-Trust zone, which hosts physical interfaces that communicate with trusted network space.
- v1-untrust specifies the V1-Untrust zone, which hosts physical interfaces that communicate with untrusted network space.
- v1-dmz specifies the DMZ zone, which hosts the DMZ physical interface.
- name <name_str> specifies a user-defined Layer-2 security zone. (You create such zones using the set zone name <name_str> L2 command.)

Layer-3 security zones

Use Layer-3 security zones when the NetScreen device operates in NAT mode or Router mode.
- trust specifies the Trust zone, which hosts physical interfaces (and logical sub-interfaces) that communicate with trusted network space.
- untrust specifies the Untrust zone, which hosts physical interfaces (and logical sub-interfaces) that communicate with untrusted network space.
- global specifies the Global zone, which serves as a storage area for mapped IP (MIP) and virtual IP (VIP) addresses. Because traffic going to these addresses is mapped to other addresses, the Global zone does not require an interface.
- dmz specifies the DMZ zone, which hosts the DMZ physical interface.
- name <name_str> specifies a user-defined Layer-3 security zone. (You create such zones using the set zone name <name_str> command.)

Tunnel zones

Use tunnel zones to set up VPN tunnels with other NetScreen security devices.
- untrust-tun specifies the Untrust-Tun zone, which hosts VPN tunnels.
- name <name_str> specifies a user-defined tunnel zone. (You create such zones using the set zone name <name_str> tunnel command.)


Function zones

Use function zones as described below.
- null specifies the Null zone, which serves as temporary storage for any interfaces that are not currently bound to another zone.
- self specifies the Self zone, which hosts the interface for remote management connections. For example, when you connect to the NetScreen device via HTTP, SCS, or Telnet, you connect to the Self zone.
- ha specifies the HA zone, which hosts the high-availability interfaces, HA1 and HA2.
- mgt specifies the MGT zone, which hosts the out-of-band management interface, MGT.

Interfaces
Most security zones exchange traffic with other zones (or with other devices) through physical interfaces or logical sub-interfaces. The interfaces are as follows.
Ethernet interfaces
- ethernet<n> specifies a physical ethernet interface, denoted by an interface port <n> and no slots.
- ethernet<n1>.<n2> specifies a logical interface, denoted by an interface port (<n1>) with no slots. The .<n2> parameter identifies the logical interface.
- ethernet<n1>/<n2> specifies a physical ethernet interface, denoted by an interface slot (<n1>) and a port (<n2>).
- ethernet<n1>/<n2>.<n3> specifies a logical interface, denoted by an interface slot (<n1>) and a port (<n2>). The .<n3> parameter identifies the logical interface.

Layer-2 interfaces

- vlan1 specifies the interface used for VPNs while the NetScreen device is in Transparent mode.
- v1-trust specifies a Layer-2 interface bound to the Trust zone. Use this interface when the device is in Transparent mode.
- v1-untrust specifies a Layer-2 interface bound to the Untrust zone. Use this interface when the device is in Transparent mode.
- v1-dmz specifies a Layer-2 interface bound to the DMZ zone. Use this interface when the device is in Transparent mode.

Tunnel interfaces

- tunnel.<n> specifies a tunnel interface. Use this interface for VPN traffic.

Function interfaces

- mgt specifies an interface bound to the MGT zone.
- ha | ha1 | ha2 the name of the dedicated HA port.
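Scripts that generate or audit CLI lines benefit from validating interface names against the forms listed above before the lines reach a device, and from knowing which names the zone section binds to a fixed zone. The parser below is an added example, not code from this guide or from ScreenOS. It assumes exactly the naming forms Appendix B lists (ethernet<n>, ethernet<n1>.<n2>, ethernet<n1>/<n2>, ethernet<n1>/<n2>.<n3>, vlan1, v1-trust, v1-untrust, v1-dmz, tunnel.<n>, mgt, ha, ha1, ha2) and fills the zone field only where the appendix states the binding (the v1-* Layer-2 interfaces, mgt and the HA ports); ethernet and tunnel interfaces are bound to zones by configuration, so their zone stays None. The sample names in the main block are constructed.

```python
"""Classify NetScreen interface names as listed in Appendix B.

Added example; not code from the NetScreen CLI Reference Guide or ScreenOS.
It implements the naming forms the appendix lists. The zone field is set
only where the appendix states the binding; ethernet and tunnel interfaces
are bound to zones by configuration, so it stays None for them.
"""
import re
from dataclasses import dataclass
from typing import Optional

# ethernet<port>, ethernet<port>.<sub>, ethernet<slot>/<port>, ethernet<slot>/<port>.<sub>
ETHERNET_RE = re.compile(
    r"^ethernet(?:(?P<slot>\d+)/)?(?P<port>\d+)(?:\.(?P<sub>\d+))?$")
TUNNEL_RE = re.compile(r"^tunnel\.(?P<number>\d+)$")

LAYER2_NAMES = ("vlan1", "v1-trust", "v1-untrust", "v1-dmz")
FUNCTION_NAMES = ("mgt", "ha", "ha1", "ha2")

# Zone bindings the appendix states by name (vlan1 is left unbound here).
FIXED_ZONES = {
    "v1-trust": "V1-Trust", "v1-untrust": "V1-Untrust", "v1-dmz": "DMZ",
    "mgt": "MGT", "ha": "HA", "ha1": "HA", "ha2": "HA",
}


@dataclass(frozen=True)
class Interface:
    name: str
    kind: str                     # "ethernet", "layer2", "tunnel" or "function"
    slot: Optional[int] = None    # ethernet slot, None on slotless devices
    port: Optional[int] = None    # ethernet port
    sub: Optional[int] = None     # logical sub-interface number (.<n>)
    number: Optional[int] = None  # tunnel.<n> index
    zone: Optional[str] = None    # zone fixed by the appendix, else None

    @property
    def logical(self) -> bool:
        """True for ethernet sub-interfaces, which carry a .<n> suffix."""
        return self.sub is not None


def parse_interface(name: str) -> Interface:
    """Parse one interface name; raise ValueError if it matches no listed form."""
    m = ETHERNET_RE.match(name)
    if m:
        return Interface(
            name=name, kind="ethernet",
            slot=int(m.group("slot")) if m.group("slot") else None,
            port=int(m.group("port")),
            sub=int(m.group("sub")) if m.group("sub") else None)
    m = TUNNEL_RE.match(name)
    if m:
        return Interface(name=name, kind="tunnel", number=int(m.group("number")))
    if name in LAYER2_NAMES:
        return Interface(name=name, kind="layer2", zone=FIXED_ZONES.get(name))
    if name in FUNCTION_NAMES:
        return Interface(name=name, kind="function", zone=FIXED_ZONES[name])
    raise ValueError(f"not an interface name listed in Appendix B: {name!r}")


def is_valid_interface(name: str) -> bool:
    """Convenience wrapper for input validation in scripts that build CLI lines."""
    try:
        parse_interface(name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample names, covering each form in the appendix plus one
    # Linux-style name that the device would not accept.
    for sample in ("ethernet1", "ethernet1.10", "ethernet2/3",
                   "ethernet2/3.100", "vlan1", "v1-trust",
                   "tunnel.7", "mgt", "ha1", "eth0"):
        print(sample, "->",
              parse_interface(sample) if is_valid_interface(sample) else "invalid")
```

The strict anchors in the regular expressions matter: a name such as ethernet1/ or ethernet1.10.2 is rejected rather than partially parsed, which is the behaviour you want before a generated command is pasted into a console session.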


Index
A
access policies defining 109 displaying 76 ACE Server 21 ACE Server log 21 Address Book entries, default 2, 81, 85 address book adding entries 2, 81 address book entry 4 domain name 4 flag 4 IP address 4 name 4 netmask 4 Address Resolution Protocol (ARP) 13, 23 addresses entering 2, 81 grouping 44, 40 admin authentication 4 administration parameters 4 aggressive mode 46 alarms, clearing 3 alarms, displaying 6 all 86 append 26 ARP (Address Resolution Protocol) table 13 ARP table, clearing 5 authentication table 15 authentication, users 16

B
back store 23 bit stream 23 buffer, clearing 10

C
CA (certificate authority) 73 CGI path 107 cAH 106 CheckPoint 62 clear 5, 8 Address Resolution Protocol (ARP) table 5 flow counters 8 interface counters 8 clear commands active-user 2 alarm 3 arp 5 audible-alarm 6 auth 7 counter 8, 9, 16 dbuf 10 dhcp client ip 11, 13 file 14, 28 ike cookie 15 led 17 log 18 mac-learn 20 session 26 clearing alarms 3 CLI 103 command

clear active-user 2 clear alarm 3 clear arp 5 clear audible-alarm 6 clear auth 7 clear counter 8, 9, 16 clear dbuf 10 clear dhcp client ip 11, 13 clear file 14, 28 clear ike cookie 15 clear led 17 clear log 18 clear mac-learn 20 clear node_secret 21 clear session 26 conventions 4 exec dhcp client renew 2, 4, 17, 18 exec ha file-sync 5 exec ntp 6 exec pki 9 exit 20 get alarm 6 get arp 13 get audible-alarm 14 get auth 15 get clock 18 get config 19 get console 20 get counter 21 get dialup-group 25 get dip 27 get file 32


get firewall 33, 34, 37, 69, 71, 93, 94, 95, 110, 114 get global 36 get glog 39 get group 40 get ha 42 get hostname 44 get ike 45 get interface 49 get ippool 54 get l2tp 55 get lance info 57 get lcd 58 get log 59 get mac-learn 63 get mip 67, 73 get ntp 70 get policy 76 get route 79 get sa 81 get scheduler 83 get service 86 get session 88 get snmp 91 get ssh 84 get syslog 96 get system 98 get tech-support 99 get temperature 100 get timer 101 get traffic-shaping interface 102 get url 103 get user 104 get vip 106 get vpn 107 get vsys 113 ping 7, 21

reset 23 save 13, 24 set address 2, 11, 81, 12, 68 set admin 4 set arp 12 set audible-alarm 14 set auth 16 set clock 20 set console 22 set dbuf 25 set dialup-group 27 set domain 32 set envar 33 set ffilter 34 set firewall 36, 37 set flow 39 set ftp data-port any 42 set group 44 set ha 48 set hostname 53 set ike 55 set interface 66 set ippool 85 set l2tp 86 set lcd 90 set mip 94, 99 set ntp 97 set policy 109 set proto-dist 114, 78 set scheduler 117 set service 123 set snmp 127 set ssh 120 set syn-threshold 130 set syslog 132 set temperature-threshold 135

set timer 137 set traffic-shaping mode 139 set url 141 set user 144 set vpn 83, 150, 53 set vsys 160 communication requirements, console 2 configuration settings, saving 19 console displaying configuration 20 exiting 20 log back 20 parameters, defining 22 console and command-line interface 20 exit 20 console communication requirements 2 console parameters 20 conventions 4 cookie table 15 copying environment variable records 5 copying files 5 counter 8

D
debug buffer 10 default Address Book entries 2, 81, 85 defining a schedule 117 a Service 123 access policies 109 console parameters 22 users for authentication 144 DHCP client IP address, clearing 11, 13 client, renewing an IP address 2, 4, 17, 18


DHCP client 2 DHCP client lease 2 DHCP server 2 DHCP server IP allocation 2 DHCP server reboot 3 dialup group configuration parameters 25 defining 27 display 2 displaying access policies 76 alarms 6 console configuration 20 dynamic IP settings 27 entries in the log table 59 entries in the MAC table 63 files in flash card memory 32 firewall settings 33, 34, 37, 69, 71, 93, 94, 95, 110, 114 general system information 98 high availability settings 42 IKE information 45 interface settings 49 mapped IPs 67, 73 NetScreen-Global Manager settings 36 schedules 83 security associations 81 service entries 86 syslog configuration 96 system time 18 the global log file 39 the hostname of the NetScreen device 44 the sessions table 88 the static route table 79 the user authentication table 15 traffic information 21

URL blocking 103 user database 104 VIP settings 106 VPN information 107 DNS cache 13 DNS entries 4, 17 refresh 4 Dynamic Host Configuration Protocol (DHCP) 11 dynamic IP 27 Dynamic IP (DIP) 22

flow counters 8 flow level 21 flow-level counters 22 flow-level counters, system information 22

G
Gateway IP address 90 general information, displaying 98 get 2, 4 get admin command 4 display system administration parameters 4 get alarm command 6 display alarm entries 6 Get commands 1 display data on the console 1 display system configuration parameters 1 redirect the output of a Get command 1 get commands alarm 6 arp 13 audible-alarm 14 auth 15 clock 18 config 19 console 20 counter 21 dialup-group 25 dip 27 file 32 firewall 33, 34, 37, 69, 71, 93, 94, 95, 110, 114 global 36 glog 39 group 40 ha 42 hostname 44

E
encryption secret 22 entries in the alarm table 3 environment variable 31 Event Alarm log 103 event entries 18 exec dhcp client renew command 2, 4, 17, 18 exec ha file-sync command 5 exec ntp command 6 exec pki command 9 exit command 20 Extended ping 8, 22

F
filter source route 22 filtering traffic 34 firewall protection 33 firewall settings, displaying 33, 34, 37, 69, 71, 93, 94, 95, 110, 114 flash card clearing files 14, 28 memory 32 flash card memory 14, 13, 24 flash memory 19


ike 45 interface 49 ippool 54 l2tp 55 lance info 57 lcd 58 log 59 mac-learn 63 mip 67, 73 ntp 70 policy 76 route 79 sa 81 scheduler 83 service 86 session 88 snmp 91 ssh 84 syslog 96 system 98 tech-support 99 temperature 100 timer 101 traffic-shaping interface 102 url 103 user 104 vip 106 vpn 107 vsys 113 global log file, displaying 39 Group user dialup 149 grouping addresses 44, 40 remote users 27 services 44, 40

H
high availability defining a group 48 displaying 42 hostname 53

M
MAC address 13 MAC learning table 20 MAC table clearing 20 displaying 63 main mode 46 manual VPN 81 Mapped IP (MIP) 67 mapped IPs creating 94 displaying 67, 73 Master unit 14, 25 Media Access Control (MAC) 23, 20 memory allocation status 65 memory usage status 65 MIPs 8, 22 miscellaneous commands 1

I
id-mode 62 IKE (Internet Key Exchange) 55 IKE cookie table 15 IKE cookie table, clearing 15 IKE ID 104 IKE information, displaying 45 inactive SA 23 in-short error 24 Interface Web User 103 interface counter 8 interface settings, displaying 49 interface-level counters 23 interface-level counters, traffic information 23 internal database 4 Internet Control Message Protocol (ICMP) 22 Internet Key Exchange (IKE) 45, 15 IP address 90 IP pools 54 IPSec security associations (SA) 81

N
NAT vector error 23 NetScreen device displaying hostname 44 setting the hostname 53 NetScreen-Global Manager 36 displaying settings 36 Network Address Translation (NAT) 22 network connection check 7, 21 ping 7, 21 Network Time Protocol (NTP) 70, 6 network traffic 13 node secret 21 nonvolatile memory 22 NTP 6

L
load balance session table 106 log table, displaying 59 logical interface 50 logs, clearing 18


O
overwrite 15, 26

P
packet errors 21 packets 22 Address Resolution Protocol (ARP) 23 address spoofing attack 22 collision 24 Control Message Protocol (ICMP) 22 denied 22 dropped 22 fragmented 22 illegal 23 incoming 23 Internet Control Message Protocol (ICMP) 24 IPSec 23 land attack 22 Network Address Translation (NAT) 22 ping-of-death attack 22 Point to Point Tunneling Protocol (PPTP) 23 received 23 transmitted underrun 24 UNKNOWN 24 unreceivable 24 unroutable 22 parent connection 23 PCMCIA card 15, 26 physical interface 50 ping command 7, 21 Point to Point Tunneling Protocol (PPTP) 23 pool of IP addresses 11 PPPoE connection 12 set up 12

take down 12 PPPoE statistical registers 23 preshared key 46 Protocol ESP 106 pseudo port 90

R
RADIUS server 4 reboot NetScreen device 23 reset 23 remote gateway 46 remove 2 data stored in log tables 1 information stored in memory 1 information stored on the flash card 1 remote administrator profile 2 renewing the lease 2 reset command 23 resetting a device 23 RSA key length 73

S
SA policy 23 save command 13, 24 saving a configuration file 13, 24 schedule creating or modifying 117 displaying 83 secure shell 120, 84 SecurID, resetting communication 21 Security Association (SA) 24 Security Associations (SA) 23 security associations, displaying 81 self-log entries 18

Server 4 server LDAP 4 RADIUS 4 server configuration port 36 server reporting port 36 service 86 groups 86 pre-defined 86 specific 86 user-defined 86 service entries, displaying 86 Services creating custom 123 grouping 44, 40 Session table clearing 26 displaying 88 session table, entries 88 set commands address 2, 11, 81, 12, 68 admin 4 arp 12 audible-alarm 14 auth 16 clock 20 console 22 dbuf 25 dialup-group 27 domain 32 envar 33 ffilter 34 firewall 36, 37 flow 39 ftp data-port any 42 group 44


ha 48 hostname 53 ike 55 interface 66 ippool 85 l2tp 86 lcd 90 mip 94, 99 ntp 97 policy 109 proto-dist 114, 78 scheduler 117 service 123 snmp 127 ssh 120 syn-threshold 130 syslog 132 temperature-threshold 135 timer 137 traffic-shaping mode 139 url 141 user 144 vpn 83, 150, 53 vsys 160 setting system time 20 Simple Network Management Protocol (SNMP) 91 Slave unit console 14, 25 SNMP 91 displaying configuration 91 enabling 127 SNTP 97 source route 22 static route table 79 static route table, displaying 79 subnet 46

subnet mask 67 syn flood protection 23 synchronizing 6 Syslog 132 syslog configuration 96 syslog configuration, displaying 96 syslog mechanism 96 system administration configuration parameters 5 addresses for the recipients of e-mail alerts 5 configuration format 5 domain name 5 e-mail alert status 5 e-mail server IP address 5 port number for Web management 5 remote e-mail address 5 system IP address 5 system time displaying 18 setting 20

U
untrusted interface 11 updating NetScreen device clock 6 URL blocking displaying 103 enabling 141 URL blocking configuration 103 URL blocking setting 103 user authentication clearing 7 creating entries 16 displaying table 15 user authentication configuration settings 15 user database, displaying 104 users, creating 144

V
vector ID 90 VID 90 VIP 106 VIP settings, displaying 106 Virtual IP (VIP) 106 Virtual Private Network (VPN) 107 virtual system creating 160 displaying 113 exiting 20 VPN (Virtual Private Network) 83, 150, 53 VPN encryption 36 VPN information, displaying 107 VPN policies 81

T
TCP proxy 23 tftp server 1 timer settings 101 traffic entries 18 traffic information 21 traffic information, displaying 21 traffic management information 102 traffic, filtering 34 traffic-shaping interface 102 Transparent mode 63, 20 Trivial File Transfer Protocol (TFTP) 13, 24 troubleshooting 99 trusted interface 50

W
WebTrends 141 WebTrends server 97
