c

c
c

get address/get group address (GUI: Home > Objects > Addresses >)

Output Analysis:

The command get address <zone> displays the address book entries and address
groups for all the zones.

The command get group address <zone> displays the group name and the number of
address book entries in each group. In the case below, group name ´Allowed IPsµ
has 11 address book entries and is user-defined.

Configuration:

set address "<Zone>" "<Address Name>" <IP Address> <Mask>

set group address "<Zone>" "<Group Name>"

set group address "<Zone>" "<Group Name>" add "<Address Name>"

c
c
c

Eg:

set address "Tunnels" "207.152.233.151/32" 207.152.233.151 255.255.255.255

set address "Tunnels" "207.152.233.199/32" 207.152.233.199 255.255.255.255

set address "Tunnels" "207.152.233.22/32" 207.152.233.22 255.255.255.255

set group address "Tunnels" "Allowed IPs"

set group address "Tunnels" "Allowed IPs" add "207.152.233.151/32"

set group address "Tunnels" "Allowed IPs" add "207.152.233.199/32"

set group address "Tunnels" "Allowed IPs" add "207.152.233.22/32"

c
c
c

get admin (GUI: Home > Configuration > Admin >)

Terminologies:

©c Management Port: Ports through which the device can be accessed by the
admin
©c Manager IP: You can administer a NetScreen device from one or multiple
addresses of a subnet. By default, any host on the trust interface can
administer a NetScreen device. To restrict this ability to specific
workstations, you must configure permitted IP addresses.
Note: A policy must be added apart from the Manager-IP in case you want to
allow a user from WAN to access the device

Output Analysis:

The command get admin displays administrative parameters for the security device.

These parameters determine the following:

©c Characteristics for each administrator, such as password and privilege level

©c How the device performs administrator authentication
©c Methods administrators can use to access the device
©c An IP address or address range from which one or more administrators can
connect to the device
©c Which port the device uses to detect administrative traffic
©c Whether the device automatically sends generated alerts and traffic alarms
via email
©c Whether the device is enabled for reset

c
c
c
c

Configuration:

To configure username and password

set admin name "<username>"

set admin password "<password>"

set admin user "<username>" password "<password>" privilege "all"

set admin user "<username>" password "<password>" privilege "read-only"

Eg:

set admin name "fiberlink"

set admin password "nN5MGarJIRIBcFWHcs/MjbHtXdLPjn"

set admin user "fccadmin" password "nECGA3r7N2bAcl/EIsiEn2DtdyHsgn" privilege "all"

set admin user "readonly" password "nLm8Azr4DYvCc3QB5s6GCaAtJ+JYhn" privilege "read-only"

To configure manager IP

set admin manager-ip <IP> <mask>

Eg:

set admin manager-ip 208.246.148.0 255.255.255.0

c
c
c

get arp

Terminologies:

©c ËSYS: A virtual system (vsys) or virtual firewall is a logical

firewall that is contained in a single physical firewall. Firewalls that support
virtual systems enable you to create as many virtual firewall as you are
licensed for, in case of the 5GT none (Check get license-key)

Output Analysis:

The command get arp lists all current ARP entries for every existing virtual system
(vsys).

c
c
c
c

get clock (GUI: Home > Configuration > Date/Time)

Output Analysis:

The command get clock displays the Device Uptime and the System time:

©c Up time: indicates the elapsed time (in number of days, hours, minutes, and
seconds) since the NetScreen device was first powered on

©c System time: indicates the set time on the NetScreen device including the
date, time (hh:mm:ss) and the GMT time zone (hh:ss)

Configuration:

set clock ntp

set clock timezone -5 (Note: -5 from GMT)

get memory (GUI: Home)

Output Analysis:

The command get memory displays the allocated memory, unused memory and frags.

c
c
c
c

get config (GUI: Home > Configuration > Update > Config File)

Output Analysis:

The command get config displays the entire configuration on the NetScreen device.

A configuration file contains all the information that administrators configured on the
NetScreen device such as system parameters, access policies, ËPN configurations,
user-defined addresses and services, and user database settings
c
c
c

get counter statistics (GUI: Home > Reports > Counters >)

Output Analysis:

The command get counter <statistics/flow> displays the Interface Statistics report
and the Interface Flow Counters.

The Interface Statistics report displays hardware counters to help monitor the
NetScreen device. The hardware counters provide information on hardware
performance.

The Interface Flow Counters report helps monitor interfaces on the NetScreen
device. The report provides information for monitoring the number of packets
inspected at the flow level
c
c
c

get dns host settings (GUI: Home > Network > DNS >)

Terminologies:

Domain Name Servers: A Domain Name Server (DNS) keeps a table of the IP
addresses associated with domain names. Using DNS makes it possible to reference
locations by domain name instead of using the routable IP address.

Output Analysis:

The command get dns host settings displays Primary and Secondary DNS
server IP addresses and specifies a daily time (in 24 hour format) or an
interval of time at which the NetScreen device resolves DNS settings

Configuration:

set dns host dns1 <Primary DNS IP Address>

set dns host dns2 <Secondary DNS IP Address>

Eg:

set dns host dns1 209.53.200.2

set dns host dns2 209.53.200.3

c
c
c

get dhcp server option (GUI: Home > Network > DNS >)

Terminologies:

©c DHCP: Dynamic Host Configuration Protocol (DHCP) was designed to reduce

the demands on network administrators by automatically assigning the TCP/IP
settings for the hosts on a network. Instead of requiring administrators to
assign, configure, track, and change (when necessary) all the TCP/IP settings
for every machine on a network, DHCP does it all automatically. Furthermore,
DHCP ensures that duplicate addresses are not used, reassigns unused
addresses, and automatically assigns IP addresses appropriate for the subnet
on which a host is connected.
©c Lease: An IP address supplied by the DHCP server is either Unlimited or
leased for a limited period of time. If the lease is limited, you must specify the
limitation in days, hours, and minutes.
©c IP Range (Address Pool): An address pool is a defined range of IP addresses
within the same subnet from which a device can draw DHCP address
assignment. You can group upto 255 IP addresses in upto 64 address pools.

Output Analysis:

The command get dhcp server ip displays the lease time, address pool, Domain
Name, DNS servers IP·s etc.,
c
c
c

Configuration:

To configure and enable DHCP in server mode on an interface

set interface trust dhcp server service

service - Enables the security device to act as a DHCP server agent through the interface.

set interface trust dhcp server enable

enable - Causes the DHCP server to always be on. The DHCP server on the security device
always starts when the device is powered on.

To define DHCP gateway

set interface <interface> dhcp server option gateway <IP address>

set interface <interface> dhcp server option netmask <Mask>

Eg:

set interface trust dhcp server option gateway 216.163.226.129

set interface trust dhcp server option netmask 255.255.255.192

To define DNS servers

set interface <interface> dhcp server option dns1 <Primary DNS IP address>

set interface <interface> dhcp server option dns2 <Secondary DNS IP address>

Eg:

set interface trust dhcp server option dns1 207.152.236.2

set interface trust dhcp server option dns2 207.152.233.199

To define a DHCP pool

set interface <interface> dhcp server ip <First IP in range> to <Last IP in range>

Eg:

set interface trust dhcp server ip 216.163.226.143 to 216.163.226.190

c
c
c

get dhcp server ip (GUI: Home > Network > DNS >)

Terminologies:

©c DHCP Client: Some devices can act as DHCP clients, receiving a dynamically
assigned IP address for any physical interface in any zone.
©c DHCP Server: Some devices can also act as DHCP servers, allocating dynamic
IP addresses to hosts (acting as DHCP clients) on any physical or ËLAN
interface in any zone.
©c Lease Time: Indicates the time limit for which the IP address (IP address pool
or reserved IP address) is leased to the client.

Output Analysis:

The command get dhcp server ip displays the IP·s that are allocated/unallocated
from the address pool defined.

Note: The above configuration is only for a DHCP server. To check if DHCP is enabled on a
device or the interface on which it is enabled issue the get dhcp command.
c
c
c

get event (GUI: Home > Reports > System Log > Event)

Output Analysis:

NetScreen provides an Event Log for monitoring system events on the NetScreen
device.

The command get event displays system events and helps gather information about
hardware or software problems. The Event Log categorizes system events by
severity level.

The event log displays the following information for each event:

Date/Time: Indicates the date and time of the system event.

Level: Indicates the severity level of the system event.

Description: Describes the system events or changes and, if applicable, the

source of the events.

Command Extension:

get event type <message type>

Few useful <message types> in our environment:

40 - ËPN up

41 - ËPN down

90 Recovery to primary untrust interface/Failover to secondary untrust

62 - Track IP success/Failure
c
c
c

get failover (GUI: Home > Network > Untrust Failover)

Terminologies:

©c Track-IP: Layer 3 path monitoring, or IP tracking, sends ICMP requests on a

specified interface to monitor up to four IP addresses at user-determined
intervals and then checks to see if the targets respond.

IP Address: Identifies the tracked IP address.

Interval (sec): Indicates the interval of time between ping requests.
Threshold: Indicates the number of consecutive failures to elicit a ping
response from a specific IP address required to be considered a failed
attempt.
Interface: Identifies the interface from which the ping request is sent.
Weight: Indicates the weight of the IP address.
Method: Indicates that the device uses ping requests to poll the remote
device.

Output Analysis:

When there are both primary and backup interfaces bound to the Untrust zone, you
can switch traffic from the primary interface to the backup interface, and from the
backup to the primary. By default, there is a 30-second interval before the
switchover occurs.

You can also configure the NetScreen device to automatically switch to the backup
interface if ScreenOS detects a failure on the primary interface connection. When
the connection through the primary interface is restored, ScreenOS automatically
switches traffic from the backup interface to the primary.

c
c
c
c

Configuration:

set failover auto

set failover holddown <in secs> (Default 30 sec)

set interface untrust monitor track-ip ip

set interface untrust monitor track-ip ip <IP address> interval <in secs>

set interface untrust monitor track-ip ip <IP address>threshold <value>

set interface untrust monitor track-ip ip <IP address> weight <value>

Eg:

set failover auto

set failover holddown 3

set interface ethernet3 monitor track-ip ip

set interface ethernet3 monitor track-ip ip 12.14.170.77 interval 4

set interface ethernet3 monitor track-ip ip 12.14.170.77 threshold 5

set interface ethernet3 monitor track-ip ip 12.14.170.77 weight 12

get file

Output Analysis:

The command get file displays a list of files in flash memory.

c
c
c
c

get ike cookies (GUI: Home > ËPNs > AutoKey Advanced > Gateway)c

Terminologies:

©c DH Group: Indicates the Diffie-Hellman Group used: Group 1, Group 2, or Group

5.
©c Encrypt/Auth: Indicates the encryption algorithm (3DES-CBC, DES-CBC, or AES-
CBC), and the hash algorithm (MD5 or SHA-1) used.
©c Life Time: Indicates the life of the key, as determined by the amount of time in
Sec (seconds), Min (minutes), Hours, or Days.
©c Rekey: To keep a security association (SA) active even if there is no other
ËPN traffic except the ICMP echo requests (pings) sent by the ËPN monitoring
module a rekey is used. When the key lifetime for a Phase 1 or Phase 2
security association (SA) is about to expire, the rekey option renews the key,
resets the key lifetime, and keeps the SA active.
©c ËPN Monitor: The NetScreen device activates its SNMP ËPN monitoring
objects, which note data on such aspects of the ËPN tunnel as the number of
active ËPN sessions, the time a session began, the SA elements for each
session, and session status parameters.

Output Analysis:

The command get ike cookies displays the local and the remote gateways, gateway
name and Phase 1 proposals and used to verify if Phase 1 of the ËPN is active.
c
c
c

Configuration:

set ike gateway "<Gateway Name>" address <IP address> aggressive local-id "can2665" outgoing-
interface "<Interface Name>" preshare "<KEY>" proposal "<Proposal>"

Eg:

set ike gateway "gwWescoCore" address 12.29.179.250 aggressive local-id "can2665" outgoing-interface
"untrust" preshare "yA6Ë+ËHwNw6ghBsebnCj9iWIoqn4QZ+mzA==" proposal "pre-g2-3des-sha"

get sa (GUI: Home > ËPNs > Monitor Status)

Output Analysis:

The command get sa displays the following information:

©c HEX ID
©c Remote Gateway
©c UDP Port
©c Phase 2 Proposal
©c SPI(Security Parameter Index)
©c Lifetime in secs
©c Life Size in kb
©c Status(A/U, A/- , I/-, I/I)
©c PID
©c Ësys

c
c
c
c

get interface (GUI: Home > Network > Interfaces)

Output Analysis:

The command get interface displays a list of the all interfaces on the NetScreen
device.

These include physical, ËLAN1, tunnel, redundant, virtual security (ËSI) interfaces³
and for NetScreen devices that support them³aggregate and sub- interfaces.
Because there is a physical interface for each port on your NetScreen device,
physical interfaces are always listed regardless of whether or not you configure
them. By default, ScreenOS creates the ËLAN1interface.

The interface list provides the following information on each interface:

Name: Identifies the name of the interface.

IP/Netmask: Identifies the IP address and netmask address of the interface.

Zone: Identifies the zone to which the interface is bound.

MAC: Identifies the MAC address of the interface.

Link: Identifies whether the interface is active, inactive, up or down.

Configuration:

set interface untrust ip <IP address>

set interface untrust <route/NAT>

c
c
c
set interface untrust manage <Enable ping/Web UI/Telnet/SSH/SNMP/SSL for the interface>

Eg:

set interface untrust ip 208.181.126.184/24

set interface untrust route

set interface untrust manage ping

get log traffic (GUI: Home > Reports > Policies > Traffic Log)

Output Analysis:

The command get log traffic displays the following information:

Date/Time: Indicates the date and time of the start of the session for the packet.

Source Address/Port: Indicates the source IP address and port number for the
packet.

Destination Address/Port: Indicates the destination IP address and port number

for the packet.

Translated Source Address/Port: Indicates the corresponding NetScreen-

translated source IP address and port number for the packet.

Translated Destination Address/Port: Indicates the corresponding NetScreen-

translated destination IP address and port number for the packet.

Service: Indicates the service associated with the packet.

Duration: Indicates the time in seconds between the start and end of the session
for the packet.

Bytes Sent: The number of bytes transmitted from the source to the destination.

Bytes Received: The number of bytes transmitted from the destination to the
source.

c
c
c
c

get license-key (GUI: Home > Configuration > Update > ScreenOS/Keys)

Output Analysis:

The command get license-key displays the license key information such as:

©c Sessions
©c Capacity
©c NSRP
©c ËPN tunnels
©c Ësys
©c Ërouters
©c Zones
©c ËLANs
©c Drp
©c Deep Inspection
©c Deep Inspection Database Expired
©c AË
©c Update server url
c

c
c
c
c

get modem (GUI: Home > Network > Interfaces > Edit > Modem)

Output Analysis:

The command get modem displays the ISP Information and the Modem Information.

©c Modem Name: Name to identify the modem.

©c Init String: Initialization string for the modem.
©c Retry Number: The number of times that device retries the dial-up connection
if the line is busy or there is no response.
©c Retry Interval: The interval, in seconds, between dial-up retries.
©c Inactivity Timeout: The amount of time, in minutes, that the modem can be
idle before device disconnects the modem.
©c Interface Speed: The baud rate for the dial-up connection.

On some NetScreen devices, a dial back-up interface can be configured to the

Untrust zone. You can connect an external modem to the RS-232 serial port to allow
the NetScreen device to have a dial-up backup interface to the Untrust zone. The
serial interface is used if there is a failure on the connection through the primary,
Ethernet interface to the Untrust zone.

The NetScreen device can be configured to automatically dial to an ISP account

when failover to the serial interface occurs. Up to four modem settings can be
configured.

c
c
c
c

Configuration:

set modem settings "<Modem Name>" active

set modem settings "<Modem Name>" init "<Initialization string for the modem>"

set modem isp "<Primary ISP name>" priority 1

set modem isp "<Primary ISP name>" primary-number "<Primary number to be dialed>" alternative-number
"<Secondary number to be dialed>"

set modem isp "<Primary ISP name>" account login "<username>" password "<password>"

set modem isp "<Secondary ISP name>" priority 2

set modem isp "<Secondary ISP name>" account login " " password "<password>"

set modem speed <Speed in BPS>

set modem retry <Number of attempts>

set modem interval <In seconds>

set modem idle-time <In minutes>

Eg:

set modem settings "USR" active

set modem settings "USR" init "AT&F1E1Q0Ë1S7=60S19=0M1&M4&K1&H1&R1&I0B0X4"

set modem isp "PrimaryISP" priority 1

set modem isp "PrimaryISP" primary-number "5674002" alternative-number "5440024"

set modem isp "PrimaryISP" account login "[email protected]" password

"7FIz+Q7fNdcPTCsEfNCË5623tXnmezyKFw=="

set modem isp "SecondaryISP" priority 2

set modem isp "SecondaryISP" account login " " password "cUhJhRDpNypCo/sEjQCLbuJL00noHCoJxQ=="

set modem speed 115200

set modem retry 2

set modem interval 10

set modem idle-time 0

c
c
c

get policy (GUI: Home > Policies)

Output Analysis:

The command get policy displays the information on policies for specific source-
destination zones.

The following information is shown for each policy:

ID: Indicates the number assigned to the policy to identify it.

Source: Indicates the name of the source address in the policy.

Destination: Indicates the name of the destination address in the policy.

Service: Indicates the service associated with the policy.

Action: Indicates the action selected for this policy against traffic that matches
the policy criteria such as Permit, Deny and Tunnel.

c
c
c
c
c

get pppoe (GUI: Home > Network > PPPoE)

Terminologies:

PPPoE: Point-to-Point Protocol over Ethernet (PPPoE) merges PPP, which is usually
used for dialup connections, with the Ethernet protocol, which can connect multiple
users at a site to the same customer premises equipment. This allows many users to
share the same physical connection, while access control, billing, and type of
service is handled on a per-user basis

Output Analysis:

The command get pppoe displays the following information:

©c PPPoE Instance: Name of the instance.

©c Bound to Interface: Interface to which you want to bind the PPPoE instance.
©c PPPoE Username: User name for the PPPoE connection.
©c PPPoE Password: Password for the PPPoE connection.
©c Access Concentrator (AC): Specifies the AC to be used for the PPPoE
connection.
©c Service: Specifies the service for the PPPoE connection.
©c PPP lcp Echo Retries: Specifies the number of unacknowledged LCP Echo
requests that occur before the connection is terminated. Specify a value
between 1-30.
©c PPP lcp Echo Timeout: Specifies the number of seconds between LCP echo
request transmissions. Specify a value between 1-1000.
©c Auto-Connect: Specifies the number of seconds before a previously-closed
connection is automatically reinitiated. Specify a value between 0-10000. A
value of 0 disables this function.
©c Idle Disconnect: Specifies the number of minutes that the connection is idle
before the NetScreen device terminates the connection. A value of 0 disables
this function and the connection is never terminated.
©c Static IP: Specifies that the connection uses the IP address assigned to the
device's interface.
©c Automatic Update of DHCP Servers DNS Parameters: When you initiate a
PPPoE connection, your ISP automatically provides the IP addresses for the
Untrust zone interface and the IP addresses for the Domain Name Service
(DNS) servers. Enable this option if you want the NetScreen device to
overwrite the local settings with the DNS settings it receives via PPPoE.

c
c
c
c

Configuration:

set pppoe name "<PPPoE instance>"

set pppoe name "<PPPoE instance>" username "<username>" password "<password>"

set pppoe name "<PPPoE instance>" idle <time, in minutes>

set pppoe name "<PPPoE instance>" interface <Interface to be bound to>

Eg:

set pppoe name "untrust"

set pppoe name "untrust" username "[email protected]" password

"0wefxQURNMXLHas7bgC1hwT/UpnMeqseAQ=="

set pppoe name "untrust" idle 0

set pppoe name "untrust" interface untrust

c
c
c

get route (GUI: Home > Network > Routing >)

Output Analysis:

The command get route displays the routing table for all configured virtual routers.

The routes are organized in the table by the virtual router to which each route
belongs. A route with an asterisk (*) designation indicates it is the best route for the
specified subnet. The route table provides a read-only summary of all routes³
organized in the table by the virtual router to which each route belongs³and
displays information in the following columns:

IP/Netmask: The IP address and netmask of the target address to which the
route entry leads.

Gateway: Either the IP address of the next hop router or the name of the next hop
virtual router to which the NetScreen device forwards traffic destined for the
target address.

Interface: The interface (physical or tunnel) through which the NetScreen device
must send traffic to reach the target address.

Protocol: The manner in which the route entry is added to the table:

* Indicates the best route for the specified subnet.

S indicates a static route entry, made manually by an

administrator.

A indicates an auto-exported route entry, made when a virtual

router automatically acquires a route from another virtual router
(such as when a route appears in ËR-1 because you have defined
a security zone interface in Route mode in ËR-2, which has route
exporting enabled).

C indicates an entry originated by an external router that sent a

router advertisement that has an interface with a defined IP
address.

I indicates a route entry that the current virtual routing instance

imported from a router running a different protocol.

eB indicates a route entry originated by an Exterior Border

Gateway Protocol (EBGP) router.

iB indicates a route entry originated by an Interior Border

Gateway Protocol (IBGP) router.

O indicates a route entry originated by an Open Shortest Path

First (OSPF) router.
c
c
c

E1 indicates a route entry originated by an OSPF router running

type 1 metrics.

E2 indicates a route entry originated by an OSPF router running

type 2 metrics.

R indicates a route entry originated by a Routing Information

Protocol (RIP) router.

Metric: A predefined parameter that defines the priority of the route. All route table
entries that are automatically created or acquired when you define an interface (in
NAT or Route mode) receive a value of 0, and any user-defined routes are valued at
1.

Ësys: In devices that support virtual systems, the virtual system name appears in the
corresponding cell in this column for each route specific to that virtual system. If a
route belongs to the root system or is shared by one or more virtual systems and the
root system, the corresponding cell in this column for that route remains blank.

c
c
c
c
c

get system

Output Analysis:

The command get system provides useful and important information, most of which
cannot be found on GUI, like:

©c Serial Number of the device

©c ScreenOS version
©c Hardware platform, including hardware version, MAC address and type
©c Chronological and timekeeping information, like device uptime, current date
and time etc.,
©c Displays the number of times the device has been hard reset and the last time
device was reset
©c Current operational mode (transparent, NAT, or route)
©c Configuration port and user IP
©c Interface settings