Website of latouche

Basic commands on Juniper Netscreen (Screen0S)

The full documentation can be found on Juniper website (http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/index.html).

Console

To get help, use the traditional “?”.

If a command gives to much information it's possible to filter using include and exclude:

netscreen-> get policy from untrust to trust | include toto
		

Administration access

Allow an interface to be manageable: set interface <interface> ip manageable.

Disable telnet: unset interface <interface> manage telnet.

Enable SSH:

• set ssh version 2
• set ssh enable
• set interface <interface> manage ssh

Enable HTTP:

• set interface <interface> manage web
• Change HTTP port: set admin port <port>
• Activate redirect HTTP -> HTTPs: set admin redirect

SNMP configuration:

• set interface <interface> manage snmp
• set snmp name <“name”>
• set snmp port listen 161
• set snmp port trap 162
• set snmp community <“community”> (Read-Write|Read-Only) [(Trap-on|Trap-off) traffic] version (any|v1|v2c)
• set snmp host <“community”> <IP/netmask> [src-interface <interface>] trap (v2|v1)

List of connected users: get console. To kick a connected user: clear admin (all|name), this didn't worked when I tried. You can also kill the sockets: get the socket id with get socket [src-addr|dst-addr|...] and clear socket <socket_id> (hidden command).

Network configuration

The following convention applies to interface naming:

• Normal interface: ethernetN or untrust/trust for NS5GT
• Tagged interface: ethernetN.vlan_number
• Aliasing: ethernetN/M

• Set an IP to an interface: set interface <interface> ip <IP>
• Bind an interface to a zone: set interface <interface> [tag <vlan_number>] zone <zone>
• Allow ping: set interface <interface> manage ping
• Add a route: set route <dest_ip> interface <interface> (gateway <gateway_ip>)

DNS configuration:

• Domain name: set domain <domain-name>
• Hostname: set hostname <hostname>
• DNS servers: set dns host dns(1|2) <server_IP>

NAT N:M

Nat can be specified for a policy: set policy ... nat (src|dst).

Nat can also be set at the interface level: set interface <interface> nat. In the following example, all traffic from ethernet3 to ethernet4 will be natted:

set interface ethernet3 ip 192.168.1.1/24
set interface ethernet3 nat
set interface ethernet4 ip 1.1.1.2/30
set interface ethernet4 route

PAT inbound (VIP)

PAT is called VIP (Virtual IP). To do PAT: set interface <interface> vip <IP@> <port> <service> <dest_ip>.

To build a policy from this VIP, the src-address or dst-address are called “VIP(<IP>)”.

Note: this can also be achieved using policies.

NAT 1:1 bidirectionnal (MIP)

MIP stands for Mapped IP. With it, it's possible to add IPs (and even subnets) to an interface and translate them to other IPs.

To add a MIP: set interface <interface> mip <@IP> host <mapped_to_IP> [netmask <netmask>] [vrouter <virtual_router>]. The following example will make it clear:

set interface “ethernet3” mip 1.1.1.16 host 10.0.0.32 netmask 255.255.255.252 vr “trust-vr”

To build a policy from this MIP, the src-address or dst-address are called “MIP(<IP>)”. The following allows any service from outside to the MIP:

policy from untrust to trust any MIP(1.1.1.16) any permit

Set up a VPN

• Create a tunnel interface: set interface tunnel.n zone <zone>
• Configure the network for the tunnel interface: set interface tunnel.n ip unnumbered interface ethernet.m
• Create the gateway: set ike gateway <gateway_name> address <remove_ip> Main outgoing-interface ethernet.m preshare <preshare_key> sec-level standart
• Create the tunnel: set vpn <vpn_name> gateway <gateway_name> replay tunnel idletime 0 sec-level stantard
• Bind tunnel to an interface : set vpn <vpn_name> bind interface tunnel.n

Dealing with policies

Create a policy: set policy name <policy_name> [before|after <policy_id>] from <zone_from> to <zone_to> <source_addr> <dst_addr> <service> (permit|deny|reject) [log] [nat src|nat dst]. The Netscreen will return the policy id.

Modify a policy: set policy id <policy_id>. You can now:

• Add/Remove a source: set src-addr
• Add/Remove a destination: set dst-addr
• Add/Remove a services: set service
• ...

List policies: get policy from <zone1> to <zone2>

Show a policy: get policy id <policy_id>

Move a policy: set policy move <policy_id> (before|after) <policy_id>

Services

When creating a policy, you do not allow/deny TCP/UDP ports but services instead. If the service you want to filter doesn't exist, create it:

• set service <service_name> protocol (tcp|udp) src-port <range> dst-port <range>
• to add ports, enter service mode: set service <service_name> and then do what you want

Address names & groups

IP addresses and networks can be named (policies are thus more readable) and even grouped:

• Name an address/network: set address <“zone”> <“name”> <IP> <netmask>
• To group them: set group address <“zone”> <“group_name”> and then: set group address <“zone”> <“group_name”> add <“address_name”>

OSPF

How to configure:

• set vrouter x-vr protocol ospf
• set vrouter x-vr protocol ospf enable
• set interface X protocol ospf area X
• set interface X protocol ospf enable
• set interface X protocol ospf priority X
• set interface X protocol ospf cost X
• set interface X protocol ospf hello-interval X
• set interface X protocol ospf link-type (p2p|p2mp)

And how to check:

• get route protocol ospf
• get vr x-vr protocol ospf config
• get vr x-vr protocol ospf neighbor

Debug commands

Debug functions are hidden in screenOS, you can't see them with the traditional “?”. Here is the way to debug:

• Clear buffer: clear dbuf
• Start debug: debug <what you want to debug>
• Stop debugging: undebug all
• Read log: get dbuf stream