Interface
get counter statistics | Show interface statistics (CRC errors etc) |
get interface trust port phy | Show physical ports for a certain zone |
get driver phy | Show all link states of interfaces |
get counter statistics interface ethernet3 | Show hardware stats on interface |
set interface [interface] no-subnet-conflict-check | Allows you to configure multiple interfaces in the same IP broadcast domain. |
Current Settings / Values
get envar | get environment variable |
get config | get device configuration |
get system | get system information |
get arp | get arp cache |
get route | get routing table |
get system | i Box | get port-mode |
get alg h323 counters | get the ALG counters |
get alg | get status of ALGs (disabled or enabled) |
get sys-cfg | get default settings for the device |
get sys scale | get basic system limits |
get debug | get currently enabled debug level |
get tcp | get system socket information |
NAT
get mip | get mip (nat) |
get vip | get vip (nat) |
get nat cookie | show nat cookies |
Statistics / Performance
get perf cpu detail | get cpu performance |
get session info | get load on firewall |
get counter flow | Show flow stats (fragmentation etc) |
get counter screen | Show screen stats (SYN Floods etc) |
VPN
clear ike-cookie [gateway ip] | clear ike cookies |
clear sa [id] | clear sa |
get vpn | show vpns |
NSRP
get nsrp cluster | Show cluster info |
get nsrp monitor | Show list of monitored interfaces |
get nsrp vsd id 0 | Show VSD id 0 |
get counters ha | Show HA interface hardware counters |
exec nsrp sync global-config check-sum | Allows you to see if the cluster configs are synchronised |
exec nsrp sync global save | Syncs the nodes. A reboot is required to complete the update. |
exec nsrp vsd-group 0 mode | Fails over the cluster. Run this command on the Master node. |
IGMP
set interface ethernet0/1 igmp router | enable IGMP on interface eth0/1 |
get vrouter trust-vr protocol pim | get the multicast sources visible to your ScreenOS device |
Misc
set exec port-mode | set the port mode |
set flow tcp-mss 1460 | sets the MSS |
get config : to get device configuration
save : to save changes to config
get system : gets system information, Netscreen mode
get session info : shows load on the firewall; 85+ implies there will be some latency
get interface : shows interfaces, zones
get address trust/untrust : shows defined network objects
get Arp : shows firewall Arp entries
get route : shows firewall routes
get service : shows firewall services
get group address : network groups
get group service : service groups
get policy in/out : shows applied firewall policies
get log traffic : shows firewall logs – options: based on src/dst/IP/port
unset : to remove a config statement
get user all : shows vpn users
get log event : shows vpn logs
get MIP : shows one-to-one NATs
get VIP : shows configured port forwarding rules
get route ip x.x.x.x: finds the specific route for an ip
set policy id xx : puts you in a specific policy, where you can add more objects to it instead of creating a group
define networks & network groups:
Set address trust int-10.1.1.0_24 10.1.1.0/24
Set address untrust ext-192.168.15.15 192.168.15.15/32
Set group address untrust Remote
Set group address untrust Remote add ext-192.168.15.15
define services & service groups:
Set service tcp_445 protocol tcp src-port 1024-65535 dst-port 445-445 timeout 120
Set service tcp_3399 protocol tcp src-port 1024-65535 dst-port 3390-3390 timeout 120
Set group service outsrvgroup1
Set group service outsrvgroup1 add http
Set group service outsrvgroup1 add https
Define policies:
set policy from trust to untrust int-10.1.1.0_24 any outsrvgroup1 permit log count
define one to one NAT (MIP):
Set interface untrust MIP 192.168.1.15 host 10.1.1.15 netmask 255.255.255.255
Set group service insrvgroup1
Set group service insrvgroup1 add http
Set group service insrvgroup1 add https
Set policy from untrust to trust any MIP(192.168.1.15) insrvgroup1 permit log count
Set policy move 59 before 4
define port forwarding (VIP):
Set interface untrust VIP 192.168.1.55 443 https 10.1.1.55
Set policy from untrust to trust any VIP::1 https permit log count
define routes:
Set route 10.1.1.0/24 gateway 192.168.1.254