The full documentation can be found on Juniper website (http://www.juniper.net/techpubs/software/screenos/screenos6.3.0/index.html).
To get help, use the traditional “?”.
If a command gives to much information it's possible to filter using
netscreen-> get policy from untrust to trust | include totoIt is also possible to display in page mode (terminal length under IOS), n lines by n lines, using
set console page <n>where n is the number of lines to display - set it to "0" deactivate this function.
Allow an interface to be manageable:
set interface <interface> ip manageable.
unset interface <interface> manage telnet.
set admin port <port>
set admin redirect
set interface <interface> manage snmp
set snmp name <“name”>
set snmp port listen 161
set snmp port trap 162
set snmp community <“community”> (Read-Write|Read-Only) [(Trap-on|Trap-off) traffic] version (any|v1|v2c)
set snmp host <“community”> <IP/netmask> [src-interface <interface>] trap (v2|v1)
List of connected users:
get console. To kick a connected user:
clear admin (all|name), this didn't worked when I tried. You can also kill the sockets: get the socket id with
get socket [src-addr|dst-addr|...] and
clear socket <socket_id> (hidden command).
The following convention applies to interface naming:
set interface <interface> ip <IP>
set interface <interface> [tag <vlan_number>] zone <zone>
set interface <interface> manage ping
set route <dest_ip> interface <interface> (gateway <gateway_ip>)
set domain <domain-name>
set hostname <hostname>
set dns host dns(1|2) <server_IP>
Nat can be specified for a policy:
set policy ... nat (src|dst).
Nat can also be set at the interface level:
set interface <interface> nat. In the following example, all traffic from ethernet3 to ethernet4 will be natted:
set interface ethernet3 ip 192.168.1.1/24 set interface ethernet3 nat set interface ethernet4 ip 22.214.171.124/30 set interface ethernet4 route
PAT is called VIP (Virtual IP). To do PAT:
set interface <interface> vip <IP@> <port> <service> <dest_ip>.
To build a policy from this VIP, the src-address or dst-address are called “VIP(<IP>)”.
Note: this can also be achieved using policies.
MIP stands for Mapped IP. With it, it's possible to add IPs (and even subnets) to an interface and translate them to other IPs.
To add a MIP:
set interface <interface> mip <@IP> host <mapped_to_IP> [netmask <netmask>] [vrouter <virtual_router>]. The following example will make it clear:
set interface “ethernet3” mip 126.96.36.199 host 10.0.0.32 netmask 255.255.255.252 vr “trust-vr”With this configuration, 188.8.131.52/30 will be IP addresses attached to ethernet3 and each packet going to 184.108.40.206 will be translated into 10.1.1.32, 220.127.116.11 to 10.1.1.33 and so on. It works also for outgoing packets: 10.1.1.32 is translated into 18.104.22.168
To build a policy from this MIP, the src-address or dst-address are called “MIP(<IP>)”. The following allows any service from outside to the MIP:
policy from untrust to trust any MIP(22.214.171.124) any permit
set interface tunnel.n zone <zone>
set interface tunnel.n ip unnumbered interface ethernet.m
set ike gateway <gateway_name> address <remove_ip> Main outgoing-interface ethernet.m preshare <preshare_key> sec-level standart
set vpn <vpn_name> gateway <gateway_name> replay tunnel idletime 0 sec-level stantard
set vpn <vpn_name> bind interface tunnel.n
Create a policy:
set policy name <policy_name> [before|after <policy_id>] from <zone_from> to <zone_to> <source_addr> <dst_addr> <service> (permit|deny|reject) [log] [nat src|nat dst]. The Netscreen will return the policy id.
Modify a policy:
set policy id <policy_id>. You can now:
get policy from <zone1> to <zone2>
Show a policy:
get policy id <policy_id>
Move a policy:
set policy move <policy_id> (before|after) <policy_id>
When creating a policy, you do not allow/deny TCP/UDP ports but services instead. If the service you want to filter doesn't exist, create it:
set service <service_name> protocol (tcp|udp) src-port <range> dst-port <range>
set service <service_name>and then do what you want
IP addresses and networks can be named (policies are thus more readable) and even grouped:
set address <“zone”> <“name”> <IP> <netmask>
set group address <“zone”> <“group_name”>and then:
set group address <“zone”> <“group_name”> add <“address_name”>
How to configure:
set vrouter x-vr protocol ospf
set vrouter x-vr protocol ospf enable
set interface X protocol ospf area X
set interface X protocol ospf enable
set interface X protocol ospf priority X
set interface X protocol ospf cost X
set interface X protocol ospf hello-interval X
set interface X protocol ospf link-type (p2p|p2mp)
And how to check:
get route protocol ospf
get vr x-vr protocol ospf config
get vr x-vr protocol ospf neighbor
Debug functions are hidden in screenOS, you can't see them with the traditional “?”. Here is the way to debug:
debug <what you want to debug>
get dbuf stream