Netscreen CLI Commands
get address/get group address (GUI: Home > Objects > Addresses >)
Output Analysis:
The command get address <zone> displays the address book entries and address
groups for all the zones.
The command get group address <zone> displays the group name and the number of
address book entries in each group. In the case below, the group named 'Allowed IPs'
has 11 address book entries and is user-defined.
Configuration:
Eg:
Terminologies:
• Management Port: Ports through which the device can be accessed by the
admin.
• Manager IP: You can administer a NetScreen device from one or multiple
addresses of a subnet. By default, any host on the trust interface can
administer a NetScreen device. To restrict this ability to specific
workstations, you must configure permitted IP addresses.
Note: In addition to the manager IP, a policy must be added if you want to
allow a user from the WAN to access the device.
Output Analysis:
The command get admin displays administrative parameters for the security device.
Configuration:
Eg:
To configure manager IP
Eg:
get arp
Terminologies:
Output Analysis:
The command get arp lists all current ARP entries for every existing virtual system
(vsys).
Output Analysis:
The command get clock displays the Device Uptime and the System time:
• Up time: indicates the elapsed time (in number of days, hours, minutes, and
seconds) since the NetScreen device was first powered on.
• System time: indicates the set time on the NetScreen device including the
date, time (hh:mm:ss) and the GMT time zone (hh:ss).
Configuration:
Output Analysis:
The command get memory displays the allocated memory, unused memory and frags.
get config (GUI: Home > Configuration > Update > Config File)
Output Analysis:
The command get config displays the entire configuration on the NetScreen device.
A configuration file contains all the information that administrators configured on the
NetScreen device such as system parameters, access policies, VPN configurations,
user-defined addresses and services, and user database settings.
get counter statistics (GUI: Home > Reports > Counters >)
Output Analysis:
The command get counter <statistics/flow> displays the Interface Statistics report
and the Interface Flow Counters.
The Interface Statistics report displays hardware counters to help monitor the
NetScreen device. The hardware counters provide information on hardware
performance.
The Interface Flow Counters report helps monitor interfaces on the NetScreen
device. The report provides information for monitoring the number of packets
inspected at the flow level.
get dns host settings (GUI: Home > Network > DNS >)
Terminologies:
Domain Name Servers: A Domain Name Server (DNS) keeps a table of the IP
addresses associated with domain names. Using DNS makes it possible to reference
locations by domain name instead of using the routable IP address.
Output Analysis:
The command get dns host settings displays the Primary and Secondary DNS
server IP addresses and specifies a daily time (in 24 hour format) or an
interval of time at which the NetScreen device resolves DNS settings.
Configuration:
Eg:
get dhcp server option (GUI: Home > Network > DNS >)
Terminologies:
Output Analysis:
The command get dhcp server ip displays the lease time, address pool, domain
name, DNS server IPs, etc.
Configuration:
service - Enables the security device to act as a DHCP server agent through the interface.
enable - Causes the DHCP server to always be on. The DHCP server on the security device
always starts when the device is powered on.
Eg:
set interface <interface> dhcp server option dns1 <Primary DNS IP address>
set interface <interface> dhcp server option dns2 <Secondary DNS IP address>
Eg:
Eg:
get dhcp server ip (GUI: Home > Network > DNS >)
Terminologies:
• DHCP Client: Some devices can act as DHCP clients, receiving a dynamically
assigned IP address for any physical interface in any zone.
• DHCP Server: Some devices can also act as DHCP servers, allocating dynamic
IP addresses to hosts (acting as DHCP clients) on any physical or VLAN
interface in any zone.
• Lease Time: Indicates the time limit for which the IP address (IP address pool
or reserved IP address) is leased to the client.
Output Analysis:
The command get dhcp server ip displays the IPs that are allocated/unallocated
from the address pool defined.
Note: The above configuration is only for a DHCP server. To check if DHCP is enabled on a
device or the interface on which it is enabled, issue the get dhcp command.
get event (GUI: Home > Reports > System Log > Event)
Output Analysis:
NetScreen provides an Event Log for monitoring system events on the NetScreen
device.
The command get event displays system events and helps gather information about
hardware or software problems. The Event Log categorizes system events by
severity level.
The event log displays the following information for each event:
Command Extension:
40 - VPN up
41 - VPN down
62 - Track IP success/failure
Terminologies:
Output Analysis:
When there are both primary and backup interfaces bound to the Untrust zone, you
can switch traffic from the primary interface to the backup interface, and from the
backup to the primary. By default, there is a 30-second interval before the
switchover occurs.
You can also configure the NetScreen device to automatically switch to the backup
interface if ScreenOS detects a failure on the primary interface connection. When
the connection through the primary interface is restored, ScreenOS automatically
switches traffic from the backup interface to the primary.
Configuration:
set interface untrust monitor track-ip ip <IP address> interval <in secs>
Eg:
get file
Output Analysis:
get ike cookies (GUI: Home > VPNs > AutoKey Advanced > Gateway)
Terminologies:
Output Analysis:
The command get ike cookies displays the local and the remote gateways, gateway
name and Phase 1 proposals, and is used to verify whether Phase 1 of the VPN is active.
Configuration:
set ike gateway "<Gateway Name>" address <IP address> aggressive local-id "can2665" outgoing-interface "<Interface Name>" preshare "<KEY>" proposal "<Proposal>"
Eg:
set ike gateway "gwWescoCore" address 12.29.179.250 aggressive local-id "can2665" outgoing-interface "untrust" preshare "yA6V+VHwNw6ghBsebnCj9iWIoqn4QZ+mzA==" proposal "pre-g2-3des-sha"
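The Manager IP and IKE gateway settings above are the two items a reviewer most often checks in a saved configuration. The following is an added example, not part of these notes or of ScreenOS: it reads a constructed "get config" dump and flags a missing manager-ip restriction, aggressive-mode gateways and weak Phase 1 proposals. The gateway names, addresses and preshare placeholders are made up, and the "set admin manager-ip <ip> <mask>" line form is an assumption about ScreenOS syntax that this page does not show.

```python
import shlex
# Constructed sample of a ScreenOS "get config" dump (not from the page); the
# ike gateway lines follow the syntax above, the manager-ip form is assumed.
SAMPLE_CONFIG = """\
set admin name "netscreen"
set admin manager-ip 10.10.5.0 255.255.255.0
set interface "untrust" ip 203.0.113.10/24
set ike gateway "gwBranchA" address 198.51.100.7 aggressive local-id "branch-a" outgoing-interface "untrust" preshare "PLACEHOLDER_A==" proposal "pre-g2-3des-sha"
set ike gateway "gwBranchB" address 198.51.100.9 outgoing-interface "untrust" preshare "PLACEHOLDER_B==" proposal "pre-g2-aes128-sha"
"""

WEAK_ALGS = ("des", "3des", "md5", "g1")  # proposal tokens worth flagging

def set_lines(config):
    """Yield each 'set ...' line as a token list, keeping quoted names whole."""
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("set "):
            yield shlex.split(line)

def manager_ips(config):
    """Return the (ip, mask) pairs that restrict management access."""
    return [(t[3], t[4] if len(t) > 4 else "255.255.255.255")
            for t in set_lines(config) if t[1:3] == ["admin", "manager-ip"]]

def ike_gateway_findings(config):
    """Map each IKE gateway name to the Phase 1 weaknesses found on its line."""
    findings = {}
    for t in set_lines(config):
        if t[1:3] != ["ike", "gateway"]:
            continue
        name, issues, lowered = t[3], [], [x.lower() for x in t]
        if "aggressive" in lowered:
            issues.append("aggressive mode (Phase 1 identities sent unencrypted)")
        if "proposal" in lowered:
            proposal = t[lowered.index("proposal") + 1].lower()
            weak = [a for a in WEAK_ALGS if a in proposal.split("-")]
            if weak:
                issues.append("weak proposal %s (%s)" % (proposal, ", ".join(weak)))
        findings[name] = issues
    return findings

def audit(config):
    """Return one finding per risky setting; an empty list means nothing flagged."""
    out = []
    if not manager_ips(config):
        out.append("no manager-ip set: any trust-side host may manage the device")
    for name, issues in ike_gateway_findings(config).items():
        out.extend("gateway %s: %s" % (name, i) for i in issues)
    return out
```

Run audit() over the text of a real "get config" capture to get the same list of findings for a live device.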
Output Analysis:
• HEX ID
• Remote Gateway
• UDP Port
• Phase 2 Proposal
• SPI (Security Parameter Index)
• Lifetime in secs
• Life Size in kb
• Status (A/U, A/-, I/-, I/I)
• PID
• Vsys
Output Analysis:
The command get interface displays a list of all the interfaces on the NetScreen
device.
These include physical, VLAN1, tunnel, redundant, virtual security (VSI) interfaces
and, for NetScreen devices that support them, aggregate and sub-interfaces.
Because there is a physical interface for each port on your NetScreen device,
physical interfaces are always listed regardless of whether or not you configure
them. By default, ScreenOS creates the VLAN1 interface.
Configuration:
Eg:
get log traffic (GUI: Home > Reports > Policies > Traffic Log)
Output Analysis:
Date/Time: Indicates the date and time of the start of the session for the packet.
Source Address/Port: Indicates the source IP address and port number for the
packet.
Duration: Indicates the time in seconds between the start and end of the session
for the packet.
Bytes Sent: The number of bytes transmitted from the source to the destination.
Bytes Received: The number of bytes transmitted from the destination to the
source.
get license-key (GUI: Home > Configuration > Update > ScreenOS/Keys)
Output Analysis:
The command get license-key displays the license key information such as:
• Sessions
• Capacity
• NSRP
• VPN tunnels
• Vsys
• Vrouters
• Zones
• VLANs
• Drp
• Deep Inspection
• Deep Inspection Database Expired
• AV
• Update server url
get modem (GUI: Home > Network > Interfaces > Edit > Modem)
Output Analysis:
The command get modem displays the ISP Information and the Modem Information.
Configuration:
set modem settings "<Modem Name>" init "<Initialization string for the modem>"
set modem isp "<Primary ISP name>" primary-number "<Primary number to be dialed>" alternative-number "<Secondary number to be dialed>"
set modem isp "<Primary ISP name>" account login "<username>" password "<password>"
set modem isp "<Secondary ISP name>" account login " " password "<password>"
Eg:
set modem isp "SecondaryISP" account login " " password "cUhJhRDpNypCo/sEjQCLbuJL00noHCoJxQ=="
Output Analysis:
The command get policy displays the information on policies for specific
source-destination zone pairs.
Action: Indicates the action this policy applies to traffic that matches
the policy criteria, such as Permit, Deny or Tunnel.
Terminologies:
PPPoE: Point-to-Point Protocol over Ethernet (PPPoE) merges PPP, which is usually
used for dialup connections, with the Ethernet protocol, which can connect multiple
users at a site to the same customer premises equipment. This allows many users to
share the same physical connection, while access control, billing, and type of
service are handled on a per-user basis.
Output Analysis:
Configuration:
Eg:
Output Analysis:
The command get route displays the routing table for all configured virtual routers.
The routes are organized in the table by the virtual router to which each route
belongs. A route with an asterisk (*) designation indicates it is the best route for the
specified subnet. The route table provides a read-only summary of all routes,
organized in the table by the virtual router to which each route belongs, and
displays information in the following columns:
IP/Netmask: The IP address and netmask of the target address to which the
route entry leads.
Gateway: Either the IP address of the next hop router or the name of the next hop
virtual router to which the NetScreen device forwards traffic destined for the
target address.
Interface: The interface (physical or tunnel) through which the NetScreen device
must send traffic to reach the target address.
Protocol: The manner in which the route entry is added to the table:
Metric: A predefined parameter that defines the priority of the route. All route table
entries that are automatically created or acquired when you define an interface (in
NAT or Route mode) receive a value of 0, and any user-defined routes are valued at
1.
Vsys: In devices that support virtual systems, the virtual system name appears in the
corresponding cell in this column for each route specific to that virtual system. If a
route belongs to the root system or is shared by one or more virtual systems and the
root system, the corresponding cell in this column for that route remains blank.
get system
Output Analysis:
The command get system provides useful and important information, most of which
cannot be found in the GUI, like: