Netscreen firewalls are very popular firewalls with many features, but they lack the command auto-completion found in JUNOS. Below is a reference card of the most commonly used commands, which will come in handy when working with Netscreen firewalls.
| Common usage | Commands | Comment |
|---|---|---|
| Show the commands available at the current path (level) | -> ? | This is your best friend when you want to find out which commands are available to you |
| Show the complete system configuration | -> get config | This is all you need for reviewing the configuration |
| Show the system OS version, interfaces and manager IPs | -> get system | |
| Show all zones | -> get zone | |
| Show the configured firewall rules | -> get policy | |
| Show the traffic log, including denied traffic | -> get log traffic | You can find the denial logs here |
| Show the currently active sessions | -> get session | |
| Show the BGP configuration | -> get vrouter trust-vr protocol bgp config | |
| Show the BGP neighbors | -> get vrouter trust-vr protocol bgp neighbor | |
| Enable BGP | -> set vrouter trust-vr protocol bgp enable | To disable, use "unset" |
| Update or restore the system configuration from a TFTP server | -> save config from tftp <ip> <config.file> to flash | |
| Patch the kernel from a TFTP server | -> save software from tftp <ip> <image.file> to flash | |
| Back up the configuration to a TFTP server | -> save config from flash to tftp <ip> <backupfilename> | Handy for restoring the configuration |
| Back up the system image remotely | -> save software from flash to tftp <ip> <backupimagefilename> | |
| Make the firewall manageable by NSM | -> set nsmgmt server <primary\|secondary> <nsm_ip> | This sets up NSM manageability for the firewall |
| Show NSM manageability info | -> get nsmgmt | |
| Set up a read-only user | -> set admin user <userid> password <pwd> priv read-only | |
| Find out CPU usage | -> get performance cpu | |
| Find out memory usage | -> get memory | |
| Show various counters | -> get count statistics\|flow\|policy\|screen | |
| Show cluster setup info | -> get nsrp | |
| How to set up debugging | -> debug bgp<br>-> debug flow basic<br>-> get ffilter<br>-> set ffilter src-ip <sip> dst-ip <dip> ip-proto 6<br>-> undebug all<br>-> unset ffilter | This useful debug output shows the policy processing sequence and points to possible issues such as missing routes or missing rules. Don't forget to unset the filters and the debug flag when done. |
| How to set up a traffic snoop | -> snoop info<br>-> snoop filter ip ?<br>-> clear db<br>-> snoop<br>-> get db str<br>-> snoop off | This provides snoop/tcpdump-like traffic capture for packet analysis (clear db and get db str are abbreviations of clear dbuf and get dbuf stream). Do not forget to delete the filters when done. |
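Since "get config" is all you need for a configuration review, a small script that reads the dump and flags the policies a reviewer looks for first (any/any/ANY permits into a trusted zone, rules without "log", which means their matches never show up in "get log traffic") saves a lot of scrolling. The following is an added example, not code from this blog or from Juniper; it assumes ScreenOS prints policies in the quoted `set policy id ... from "zone" to "zone" "src" "dst" "service" permit|deny` form, the `trusted_zones` parameter is my own convention, and the configuration lines are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the "set policy id ..." form that ScreenOS
# writes into "get config" output; not taken from any real device.
SAMPLE_CONFIG = """\
set zone "DMZ"
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 2 from "Untrust" to "Trust" "Any" "Any" "ANY" permit
set policy id 3 name "web-in" from "Untrust" to "DMZ" "Any" "web-srv" "HTTP" permit log
set policy id 4 from "Trust" to "Untrust" "Any" "Any" "ANY" deny log
"""

# One policy line: id, optional name, zones, src, dst, service, action, options.
POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+)(?: name "(?P<name>[^"]*)")?'
    r' from "(?P<src_zone>[^"]+)" to "(?P<dst_zone>[^"]+)"'
    r' "(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)"'
    r' (?P<action>permit|deny|reject)(?P<opts>.*)$'
)


@dataclass
class Policy:
    id: int
    name: str
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    svc: str
    action: str
    opts: tuple  # trailing keywords such as "log" or "count"


def parse_policies(config_text):
    """Return the policies found in a get-config dump, in configuration order."""
    policies = []
    for line in config_text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m is None:
            continue  # zones, interfaces, admin users, ... are skipped
        policies.append(Policy(
            id=int(m["id"]), name=m["name"] or "",
            src_zone=m["src_zone"], dst_zone=m["dst_zone"],
            src=m["src"], dst=m["dst"], svc=m["svc"],
            action=m["action"], opts=tuple(m["opts"].split()),
        ))
    return policies


def audit_policies(policies, trusted_zones=("Trust",)):
    """Flag wildcard permits and rules whose hits will never be logged."""
    findings = []
    for p in policies:
        wildcard = (p.src, p.dst, p.svc) == ("Any", "Any", "ANY")
        if p.action == "permit" and wildcard:
            # A wildcard permit *into* a trusted zone is the serious case;
            # outbound any/any is common but still worth a look.
            severity = "HIGH" if p.dst_zone in trusted_zones else "MEDIUM"
            findings.append({"id": p.id, "severity": severity,
                             "issue": f"any/any/ANY permit from {p.src_zone} to {p.dst_zone}"})
        if "log" not in p.opts:
            findings.append({"id": p.id, "severity": "LOW",
                             "issue": f"{p.action} rule without log; its matches will not appear in get log traffic"})
    return findings


if __name__ == "__main__":
    for f in audit_policies(parse_policies(SAMPLE_CONFIG)):
        print(f"policy {f['id']:>4}  {f['severity']:<6} {f['issue']}")
```

Feed it the saved output of "get config" (or the file you backed up to the TFTP server) instead of the constructed sample; policies with extra keywords such as "count" or "schedule" still parse because everything after the action lands in `opts`.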
Tags: Juniper firewall, Netscreen, ScreenOS, ScreenOS commands
Glad I stumbled on this blog. You’ve posted a bunch of fantastic information. Cheers!