Website of latouche

[home] [Computers and networks] [User guides]

Basic commands on Juniper Netscreen (Screen0S)

The full documentation can be found on Juniper website (


To get help, use the traditional “?”.

If a command gives to much information it's possible to filter using include and exclude:

netscreen-> get policy from untrust to trust | include toto
It is also possible to display in page mode (terminal length under IOS), n lines by n lines, using set console page <n> where n is the number of lines to display - set it to "0" deactivate this function.

Administration access

Allow an interface to be manageable: set interface <interface> ip manageable.

Disable telnet: unset interface <interface> manage telnet.

Enable SSH:

Enable HTTP:

SNMP configuration:

List of connected users: get console. To kick a connected user: clear admin (all|name), this didn't worked when I tried. You can also kill the sockets: get the socket id with get socket [src-addr|dst-addr|...] and clear socket <socket_id> (hidden command).

Network configuration

The following convention applies to interface naming:

To configure an interface, do the following:

DNS configuration:


Nat can be specified for a policy: set policy ... nat (src|dst).

Nat can also be set at the interface level: set interface <interface> nat. In the following example, all traffic from ethernet3 to ethernet4 will be natted:

set interface ethernet3 ip
set interface ethernet3 nat
set interface ethernet4 ip
set interface ethernet4 route

PAT inbound (VIP)

PAT is called VIP (Virtual IP). To do PAT: set interface <interface> vip <IP@> <port> <service> <dest_ip>.

To build a policy from this VIP, the src-address or dst-address are called “VIP(<IP>)”.

Note: this can also be achieved using policies.

NAT 1:1 bidirectionnal (MIP)

MIP stands for Mapped IP. With it, it's possible to add IPs (and even subnets) to an interface and translate them to other IPs.

To add a MIP: set interface <interface> mip <@IP> host <mapped_to_IP> [netmask <netmask>] [vrouter <virtual_router>]. The following example will make it clear:

set interface “ethernet3” mip host netmask vr “trust-vr”
With this configuration, will be IP addresses attached to ethernet3 and each packet going to will be translated into, to and so on. It works also for outgoing packets: is translated into

To build a policy from this MIP, the src-address or dst-address are called “MIP(<IP>)”. The following allows any service from outside to the MIP:

policy from untrust to trust any MIP( any permit

Set up a VPN

Dealing with policies

Create a policy: set policy name <policy_name> [before|after <policy_id>] from <zone_from> to <zone_to> <source_addr> <dst_addr> <service> (permit|deny|reject) [log] [nat src|nat dst]. The Netscreen will return the policy id.

Modify a policy: set policy id <policy_id>. You can now:

List policies: get policy from <zone1> to <zone2>

Show a policy: get policy id <policy_id>

Move a policy: set policy move <policy_id> (before|after) <policy_id>


When creating a policy, you do not allow/deny TCP/UDP ports but services instead. If the service you want to filter doesn't exist, create it:

Address names & groups

IP addresses and networks can be named (policies are thus more readable) and even grouped:


How to configure:

And how to check:

Debug commands

Debug functions are hidden in screenOS, you can't see them with the traditional “?”. Here is the way to debug:

Created: 2007/06/07 Last update: 2016/02/05