show configuration security ike
show configuration security ipsec
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics index <IndexFromSA>
clear security ike security-associations
clear security ipsec security-associations

[ # ]

show | compare  !! View what will be pushed on commit
commit  !! Push change
commit check  !! Verify change has no errors and can be pushed
commit confirm  !! Rollback to last configuration if current commit isn't confirmed
commit at <HH:MM:SS>  !! Push at a specific time
rollback 0  !! Undo stage, rollback to current firewall configuration

[ # ]

set security flow traceoptions file <filename>
set security flow traceoptions file size 100000
set security flow traceoptions file files 5
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter <name> source-prefix <ip/cidr>
set security flow traceoptions packet-filter <name> destination-prefix <ip/cidr>
commit

!! Run the following from the shell to view the capture
egrep 'matched filter|(ge|fe|reth)-.*->.*|session found|create session|dst_xlate|routed|search|denied|src_xlate|outgoing phy if' <filename> | sed -e 's/.*RT://g' | sed -e 's/tcp, flag 2 syn/--TCP SYN--/g' | sed -e 's/tcp, flag 12 syn ack/--TCP SYN\/ACK--/g' | sed -e 's/tcp, flag 10/--TCP ACK--/g' | sed -e 's/tcp, flag 4 rst/--TCP RST--/g' | sed -e 's/tcp, flag 14 rst/--TCP RST\/ACK--/g' | sed -e 's/tcp, flag 18/--TCP PUSH\/ACK--/g' | sed -e 's/tcp, flag 11 fin/--TCP FIN\/ACK--/g' | sed -e 's/tcp, flag 5/--TCP FIN\/RST--/g' | sed -e 's/icmp, (0\/0)/--ICMP Echo Reply--/g' | sed -e 's/icmp, (8\/0)/--ICMP Echo Request--/g' | sed -e 's/icmp, (3\/0)/--ICMP Destination Unreachable--/g' | sed -e 's/icmp, (11\/0)/--ICMP Time Exceeded--/g' | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="}; {print};'

Notes:

  • The egrep pipeline reformats the capture into an easier-to-read form. It is not necessary to run it to read the capture file.
  • Make sure to replace <filename> in the egrep with the trace file name set above
  • Capture is bidirectional
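The egrep/sed one-liner above only rewrites strings; it does not let you ask "which filtered packets were denied" or "which interface did this SYN arrive on". As an added example (not part of the original page or of Junos), the reader below groups basic-datapath trace lines into one record per packet the way the awk "PACKET START" banner does, keeps the same event keywords the egrep keeps, and decodes the TCP flags byte generically (the trace prints it in hex, so "flag 12" is SYN|ACK, "flag 18" is PUSH|ACK) instead of mapping a fixed list. The sample trace lines are constructed to look like SRX output; they were not captured from a device, and the exact wording of lines such as "create session" is an assumption.

```python
import re
from typing import Dict, List

# Constructed sample, shaped like SRX basic-datapath trace lines rather than
# captured from a device: a TCP SYN denied by policy, then an ICMP echo
# request that is routed and gets a session.
SAMPLE_TRACE = """\
Mar  1 10:00:00 10:00:00.100001:CID-0:RT:<192.168.1.10/51000->10.0.0.5/80;6> matched filter filter1:
Mar  1 10:00:00 10:00:00.100003:CID-0:RT: ge-0/0/0.0:192.168.1.10/51000->10.0.0.5/80, tcp, flag 2 syn
Mar  1 10:00:00 10:00:00.100004:CID-0:RT: no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Mar  1 10:00:00 10:00:00.100005:CID-0:RT:flow_first_rule_dst_xlate: DST no-xlate: 0.0.0.0(0) to 10.0.0.5(80)
Mar  1 10:00:00 10:00:00.100006:CID-0:RT: routed (x_dst_ip 10.0.0.5) from trust (ge-0/0/0.0 in 0) to ge-0/0/1.0, Next-hop: 10.0.0.5
Mar  1 10:00:00 10:00:00.100007:CID-0:RT: policy search from zone trust-> zone untrust (0x0,0xc7380050,0x50)
Mar  1 10:00:00 10:00:00.100008:CID-0:RT: denied by policy default-policy-00(2), dropping pkt
Mar  1 10:00:01 10:00:01.200001:CID-0:RT:<192.168.1.10/3->10.0.0.9/9000;1> matched filter filter1:
Mar  1 10:00:01 10:00:01.200002:CID-0:RT: ge-0/0/0.0:192.168.1.10/3->10.0.0.9/9000, icmp, (8/0)
Mar  1 10:00:01 10:00:01.200004:CID-0:RT: routed (x_dst_ip 10.0.0.9) from trust (ge-0/0/0.0 in 0) to ge-0/0/1.0, Next-hop: 10.0.0.9
Mar  1 10:00:01 10:00:01.200005:CID-0:RT: policy search from zone trust-> zone untrust (0x0,0x3980001,0x1)
Mar  1 10:00:01 10:00:01.200006:CID-0:RT:flow_first_src_xlate: src_xlate: nat_src_xlated: False, nat_src_xlate_failed: False
Mar  1 10:00:01 10:00:01.200007:CID-0:RT: outgoing phy if ge-0/0/1.0(2)
Mar  1 10:00:01 10:00:01.200008:CID-0:RT: create session: id 10042, timeout 60s
"""

# The trace prints the TCP flags byte in hex: "flag 12" is 0x12 = SYN|ACK, which is
# why the page's sed rules map 12 -> SYN/ACK, 10 -> ACK, 18 -> PUSH/ACK and so on.
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PUSH", 0x10: "ACK", 0x20: "URG"}
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 8: "Echo Request", 11: "Time Exceeded"}

RT_RE = re.compile(r"RT:\s*(.*)$")  # everything after "RT:" is the event text
MATCH_RE = re.compile(r"<(?P<src>[\d.]+)/(?P<sp>\d+)->(?P<dst>[\d.]+)/(?P<dp>\d+);(?P<proto>\d+)> matched filter (?P<filter>[^\s:]+)")
IFL_RE = re.compile(r"^(?P<ifl>(?:ge|fe|xe|st)-[\d/.]+|reth[\d.]+):[\d.]+/\d+->[\d.]+/\d+, (?P<l4>.*)$")
TCP_RE = re.compile(r"tcp, flag ([0-9a-fA-F]+)")
ICMP_RE = re.compile(r"icmp, \((\d+)/(\d+)\)")
# Same event keywords the page's egrep keeps.
KEYWORDS = ("session found", "create session", "dst_xlate", "src_xlate", "routed", "search", "denied", "outgoing phy if")

def decode_tcp_flags(hex_flags: str) -> str:
    """Expand the hex flags byte generically: '2' -> 'SYN', '12' -> 'SYN/ACK'."""
    value = int(hex_flags, 16)
    names = [name for bit, name in sorted(TCP_FLAG_BITS.items()) if value & bit]
    return "/".join(names) or "NONE"

def describe_l4(l4: str) -> str:
    """Turn the transport part of an interface line into a readable label."""
    m = TCP_RE.search(l4)
    if m:
        return "TCP " + decode_tcp_flags(m.group(1))
    m = ICMP_RE.search(l4)
    if m:
        icmp_type, code = int(m.group(1)), m.group(2)
        return "ICMP " + ICMP_TYPES.get(icmp_type, f"type {icmp_type} code {code}")
    return l4.strip()

def parse_flow_trace(lines) -> List[Dict]:
    """Group trace lines into one record per filtered packet (the awk 'PACKET START'
    boundary), keeping the interface, 5-tuple, kept events and the final verdict."""
    packets: List[Dict] = []
    current = None
    for raw in lines:
        m = RT_RE.search(raw)
        if not m:
            continue
        event = m.group(1).strip()
        hit = MATCH_RE.search(event)
        if hit:
            current = {"filter": hit["filter"], "src": hit["src"], "sport": int(hit["sp"]),
                       "dst": hit["dst"], "dport": int(hit["dp"]), "proto": int(hit["proto"]),
                       "in_ifl": None, "l4": None, "events": [], "verdict": "unknown"}
            packets.append(current)
            continue
        if current is None:  # lines before the first filter hit belong to no packet
            continue
        ifl = IFL_RE.match(event)
        if ifl:
            current["in_ifl"] = ifl["ifl"]
            current["l4"] = describe_l4(ifl["l4"])
            continue
        if any(key in event for key in KEYWORDS):
            current["events"].append(event)
            if "denied" in event:
                current["verdict"] = "denied"
            elif "create session" in event or ("session found" in event and not event.startswith("no session")):
                current["verdict"] = "permitted"
    return packets

def summarize(packets: List[Dict]) -> List[str]:
    """One line per packet: where it came in, what it was, and what happened to it."""
    return [f"{p['in_ifl']} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']} "
            f"{p['l4']} => {p['verdict']}" for p in packets]

if __name__ == "__main__":
    for line in summarize(parse_flow_trace(SAMPLE_TRACE.splitlines())):
        print(line)
```

Run it against a real trace file by passing `open(path)` to `parse_flow_trace` instead of the constructed sample; a packet whose verdict stays "unknown" is one the filter matched but that neither hit a deny nor got a session, which is usually the line to read in full.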

[ # ]

!! Create the capture (all commands are given from the top of configuration mode, so no "edit" is needed)
set security flow traceoptions file <captureFileName>
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops
set security flow traceoptions level 15
set security flow traceoptions packet-filter filter1 source-prefix <ip>
set security flow traceoptions packet-filter filter1 destination-prefix <ip>
set security flow traceoptions packet-filter filter2 source-prefix <ip>
set security flow traceoptions packet-filter filter2 destination-prefix <ip>
commit
run monitor start <captureFileName>

!! Kill the capture (still in configuration mode, so operational commands are prefixed with "run")
run monitor stop <captureFileName>
run clear log <captureFileName>            !! Clear the log file
delete security flow traceoptions
commit
run file delete <captureFileName>

[ # ]

set routing-options static route <ip/cidr> next-hop <gw>

[ # ]

get vpn
get ike cookies
get sa active
get event include vpn

SRC    DEST    PROXY ID (SRC/DEST)
Group  Group   0.0.0.0/0.0.0.0 > 0.0.0.0/0.0.0.0
Group  Subnet  0.0.0.0/0.0.0.0 > Subnet
Subnet Subnet  Subnet > Subnet

Notes:

  • Use subnets instead of groups to solve issues with proxy IDs / encryption domains: one rule per subnet pair.

[ # ]

save software from tftp <ip> <filename> to flash

[ # ]

set log exclude-id <#> user-id <username> event-type <event-id> src-ip <ip> src-netmask <netmask> dst-ip <ip> dst-netmask <netmask> dst-port <port> <success|failure>

You can set any of the above options to attempt to hide specific log messages. For instance, let's assume I wanted to stop logging the following admin login messages:

Feb 10 00:00:01 192.168.1.1 LocalFirewall: NetScreen device_id=LocalFirewall [Root]system-information-00519: ADM: Local admin authentication successful for login name admin (2014-02-10 00:00:01)

The following would work to suppress all successful logins with message ID 00519 for the 'admin' user:

set log exclude-id 1 user-id "admin" event-type 519 success

Notes

  • ScreenOS version 6.2+ required
  • A maximum of 10 exclude rules are allowed
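Before committing an exclude rule it is worth knowing exactly which messages it will hide and which it will still let through. As an added example (not from the page or from ScreenOS), the script below parses syslog lines of the shape shown above into device, event ID, user and outcome, then applies the page's rule to them. The two extra sample lines (a failed login and a different user) are constructed for contrast, and the matching semantics (a field that is not given in the rule matches anything) is an assumption of this example, not a statement about how ScreenOS evaluates exclude rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed samples shaped like the ScreenOS syslog line on the page: the first is
# the page's own message, the other two are made up to show what the rule does not hide.
SAMPLE_LOGS = [
    "Feb 10 00:00:01 192.168.1.1 LocalFirewall: NetScreen device_id=LocalFirewall [Root]system-information-00519: ADM: Local admin authentication successful for login name admin (2014-02-10 00:00:01)",
    "Feb 10 00:00:05 192.168.1.1 LocalFirewall: NetScreen device_id=LocalFirewall [Root]system-information-00519: ADM: Local admin authentication failed for login name admin (2014-02-10 00:00:05)",
    "Feb 10 00:00:09 192.168.1.1 LocalFirewall: NetScreen device_id=LocalFirewall [Root]system-information-00519: ADM: Local admin authentication successful for login name operator (2014-02-10 00:00:09)",
]

# device_id=<name> [<vsys>]<category>-<5-digit event id>: <message text>
LOG_RE = re.compile(
    r"device_id=(?P<device>\S+) \[(?P<vsys>[^\]]+)\](?P<category>[a-z-]+)-(?P<event>\d{5}): (?P<text>.*)$"
)
USER_RE = re.compile(r"login name (?P<user>\S+)")

@dataclass
class ExcludeRule:
    """Subset of the 'set log exclude-id' fields. None means the field was not given
    and matches anything (an assumption of this example)."""
    exclude_id: int
    user_id: Optional[str] = None
    event_type: Optional[int] = None
    outcome: Optional[str] = None  # "success" or "failure"

def parse_screenos_log(line: str) -> Optional[dict]:
    """Pull the fields an exclude rule can test out of one syslog line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    text = m["text"]
    user = USER_RE.search(text)
    if "successful" in text:
        outcome = "success"
    elif "failed" in text:
        outcome = "failure"
    else:
        outcome = None
    return {"device": m["device"], "vsys": m["vsys"], "category": m["category"],
            "event_type": int(m["event"]), "user": user["user"] if user else None,
            "outcome": outcome, "text": text}

def matching_rule(line: str, rules: List[ExcludeRule]) -> Optional[int]:
    """Return the exclude-id of the first rule that would suppress the line, else None."""
    rec = parse_screenos_log(line)
    if rec is None:
        return None
    for rule in rules:
        if rule.event_type is not None and rule.event_type != rec["event_type"]:
            continue
        if rule.user_id is not None and rule.user_id != rec["user"]:
            continue
        if rule.outcome is not None and rule.outcome != rec["outcome"]:
            continue
        return rule.exclude_id
    return None

def filter_logs(lines, rules):
    """Split lines into (kept, suppressed) so the effect of a rule can be reviewed."""
    kept, suppressed = [], []
    for line in lines:
        (suppressed if matching_rule(line, rules) is not None else kept).append(line)
    return kept, suppressed

# The page's rule: set log exclude-id 1 user-id "admin" event-type 519 success
RULES = [ExcludeRule(exclude_id=1, user_id="admin", event_type=519, outcome="success")]

if __name__ == "__main__":
    kept, suppressed = filter_logs(SAMPLE_LOGS, RULES)
    print(f"suppressed {len(suppressed)} of {len(SAMPLE_LOGS)} lines")
    for line in kept:
        print("KEEP", line)
```

Only the successful admin login is hidden; the failed attempt and the other account's login are still kept, which is the split to check before narrowing a rule further.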

[ # ]

set interface <interface> monitor track-ip ip
set interface <interface> monitor track-ip threshold 255
set interface <interface> monitor track-ip ip <IP-to-monitor> threshold 10
set interface <interface> monitor track-ip ip <IP-to-monitor> weight 255

Notes:

  • Interface will be brought down after 10 failed pings

[ # ]

unset nsm enable
set nsm enable

[ # ]