diag hardware sysinfo shm

Notes:

The following are possible results for 'conservemode'

  • 0 - Not in Conserve Mode
  • 1 - Conserve Mode
  • 2 - Kernel Conserve Mode

Documentation

[ # ]

execute restore image <firmware_filename> <tftp server ip>

[ # ]

show system interface <optional:interface name>  !! View interface configuration (mode will be dhcp client or static)
show dhcp system server  !! View DHCP server information (if empty, it's disabled)
show router static  !! View Static Routes ("device" is the interface, if no "set dst" then it is the default route)
execute ping <ip>
execute traceroute <ip>
get system status  !! View version information

!! Packet Capture (additional commands needed if traffic is hardware accelerated)
diag sniffer packet <interface> 'src host <src-ip> and dst host <ip> and (port <port> or port <port>)' <verbosity_1-6> <count> a   !! count of 0 means continuous, 'a' means show actual timestamp of packet

Example:

diag sniffer packet internal 'src host 192.168.0.130 and dst host 192.168.0.1' 4 0 a

Notes:

  • If you want to see bidirectional traffic, omit src and dst (use 'host <ip>'), just like tcpdump
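Added example (not from the original page): a small Python triage script that folds verbosity-4 sniffer output, captured with the 'a' option, into per-conversation in/out packet counts, so a one-sided filter (src/dst given) is immediately visible as in-only traffic. The line layout in the comment and the sample capture are assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumed layout of a verbosity-4 sniffer line with the 'a' option (absolute time):
#   <date> <time> <iface> <in|out> <src>[.<sport>] -> <dst>[.<dport>]: <flags/proto ...>
# Header lines such as "interfaces=[...]" and "filters=[...]" do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
TCP_FLAGS = {"syn", "ack", "psh", "fin", "rst"}

# Constructed sample: a bidirectional capture (filter without src/dst, as in the note above).
SAMPLE = """interfaces=[internal]
filters=[host 192.168.0.130]
2024-02-10 00:00:01.000123 internal in 192.168.0.130.51234 -> 192.168.0.1.443: syn 1000
2024-02-10 00:00:01.000200 internal out 192.168.0.1.443 -> 192.168.0.130.51234: syn 3000 ack 1001
2024-02-10 00:00:01.000456 internal in 192.168.0.130.51234 -> 192.168.0.1.443: ack 3001
2024-02-10 00:00:01.000789 internal in 192.168.0.130.51234 -> 192.168.0.1.443: psh 1001 ack 3001
2024-02-10 00:00:02.000000 internal in 192.168.0.130.40000 -> 192.168.0.1.53: udp 45
2024-02-10 00:00:03.000000 internal in 192.168.0.130 -> 192.168.0.1: icmp: echo request
"""

def parse_sniffer(text):
    """Return one dict per packet line; lines that do not match the layout are ignored."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        p = m.groupdict()
        first = p["rest"].split()[0].rstrip(":")   # 'syn', 'udp', 'icmp', ...
        p["proto"] = "tcp" if first in TCP_FLAGS else first
        packets.append(p)
    return packets

def conversations(packets):
    """Fold both directions of a flow into one key (lower endpoint first) and
    count packets per direction; a one-sided capture shows up as in-only."""
    conv = {}
    for p in packets:
        a = (p["src"], p["sport"] or "")
        b = (p["dst"], p["dport"] or "")
        key = (p["proto"],) + (a + b if a <= b else b + a)
        conv.setdefault(key, Counter())[p["dir"]] += 1
    return conv

if __name__ == "__main__":
    for key, dirs in conversations(parse_sniffer(SAMPLE)).items():
        print(key, dict(dirs))
```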

[ # ]

set log exclude-id <#> user-id <username> event-type <event-id> src-ip <ip> src-netmask <netmask> dst-ip <ip> dst-netmask <netmask> dst-port <port> <success|failure>

You can set any of the above options to attempt to hide specific log messages. For instance, let's assume I wanted to stop logging the following admin login messages:

Feb 10 00:00:01 192.168.1.1 LocalFirewall: NetScreen device_id=LocalFirewall [Root]system-information-00519: ADM: Local admin authentication successful for login name admin (2014-02-10 00:00:01)

The following would suppress all successful logins with message id 00519 for the 'admin' user:

set log exclude-id 1 user-id "admin" event-type 519 success

Notes

  • ScreenOS version 6.2+ required
  • A maximum of 10 exclude rules are allowed

Documentation

[ # ]

execute ha manage <device-id>

Notes:

  • Type a question mark after 'manage' to view the available devices and their IDs

Documentation

[ # ]

config system interface
 edit wan1    // Some name
  set ip <ip>/<cidr>
  set allowaccess ping https ssh    !! All protocols needed, usually need ping ssh and https access
  end

!! Aggregate interfaces using LACP 802.3ad (example: assign port8 and port9 to "aggr1"; aggr1 is a name we can make up, then assign an IP like above as normal)
config system interface
 edit aggr1
  set type aggregate    !! The interface must be of type aggregate before members can be set
  set member "port8" "port9"
  end

!! Add VLAN to Aggregate or interface (create int aggr1_30 and assign IP and VLAN 30)
config system interface
 edit aggr1_30
  set ip <ip>/<cidr>
  set interface "aggr1"
  set vlanid 30
  end

!! Configure a zone (zones are optional, not required unless desired)
config system zone
 edit <some zone name>
  set interface <interface1> <interface2> <etc>
  set intrazone allow     // Only enable if needed as it is insecure (allows two interfaces in the same zone to talk to each other without a policy)
  end

[ # ]

config system ha
    set group-name <cluster_name>
    set mode <a-a|a-p|standalone>        !! Active-Active, Active-Passive, or Standalone
    set password <HA_Password>
    set hbdev <heartbeat-port>            !! This port cannot be an interface with an IP and in use
    set session-pickup <enable|disable>    !! Sync of sessions (not failover multicast or SSLVPN sessions)
    set override <enable|disable>        !! Preempt
    set monitor <int1> <int2> <etc>        !! Interfaces whose link state triggers failover
    set priority <#>                    !! Default is 128
end

Notes:

  • To bring a new device into the cluster, ensure the new device has a lower priority than the active device. After connecting it to the network and configuring the above settings, the configuration should be pulled from the active unit

Documentation

[ # ]

config system global
 set admin-sport 8443
 set sslvpn-sport 443
 end

[ # ]

!! Ensure ssh is allowed on the interface you are attempting to access
config system interface
edit <interface>
set allowaccess ping https ssh  !! SSH added to the other allowed admin options
end

!! Enable SCP
config system global
set admin-scp enable
end

!! To back up the system configuration (sys_config is the name FortiOS exposes the running config under)
scp admin@<ip>:sys_config <local-file>

Notes:

  • SCP is disabled by default and may become disabled after an upgrade

[ # ]

sync-prefs

[ # ]