!! Snoop Filter - More basic capture
!! Enable
snoop filter ip src-ip <src IP> dst-ip <dest IP>
snoop
!! Disable
snoop off
snoop filter del

!! Flow Filter - Much more information on the packet flow
!! Enable
set ff src-ip <src IP> dst-ip <dest IP>
debug flow basic
!! Disable
undebug all
unset ff  !! Unset the filter op

Notes:

  • Use 'get db st' to view the output
  • Use 'clear db' to clear the capture but keep it running

[ # ]

get vpn
get ike cookies
get sa active
get event include vpn

SRC    DEST    PROXY ID (SRC/DEST)
Group  Group   0.0.0.0/0.0.0.0 > 0.0.0.0/0.0.0.0
Group  Subnet  0.0.0.0/0.0.0.0 > Subnet
Subnet Subnet  Subnet > Subnet

Notes:

  • Use subnets instead of groups to solve issues with proxy id / encryption domains. 1 rule per subnet pair

[ # ]

save software fom tftp <ip> <filename> to flash

[ # ]

set routing-options static route <ip/cidr> next-hop <gw>

[ # ]

!! Create the capture
edit security flow traceoptions
set security flow traceoptions file <captureFileName>
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops
set security flow traceoptions level 15
set security flow traceoptions packet-filter filter1 source-prefix <ip>
set security flow traceoptions packet-filter filter1 destination-prefix <ip>
set security flow traceoptions packet-filter filter2 source-prefix <ip>
set security flow traceoptions packet-filter filter2 destination-prefix <ip>
commit
run monitor start <captureFileName>

!! Kill the capture
monitor stop <captureFileName>
clear log <captureFileName>            !! Clear the log file
delete security flow traceoptions
commit
file delete <captureFileName>

[ # ]

show | compare  !! View what will be pushed on commit
commit  !! Push change
commit check  !! Verify change has no errors and can be pushed
commit confirm  !! Rollback to last configuration if current commit isn\'t confirmed
commit at <HH:MM:SS>  !! Push at a specific time
rollback 0  !! Undo stage, rollback to current firewall configuration

[ # ]

set security flow traceoptions file <filename>
set security flow traceoptions file size 100000
set security flow traceoptions file files 5
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter <name> source-prefix <ip/cidr>
set security flow traceoptions packet-filter <name> destination-prefix <ip/cidr>
commit

!! Run the following from the shell to view the capture
egrep 'matched filter|(ge|fe|reth)-.*->.*|session found|create session|dst_xlate|routed|search|denied|src_xlate|outgoing phy if' <filename> | sed -e 's/.*RT://g' | sed -e 's/tcp, flag 2 syn/--TCP SYN--/g' | sed -e 's/tcp, flag 12 syn ack/--TCP SYN\/ACK--/g' | sed -e 's/tcp, flag 10/--TCP ACK--/g' | sed -e 's/tcp, flag 4 rst/--TCP RST--/g' | sed -e 's/tcp, flag 14 rst/--TCP RST\/ACK--/g' | sed -e 's/tcp, flag 18/--TCP PUSH\/ACK--/g' | sed -e 's/tcp, flag 11 fin/--TCP FIN\/ACK--/g' | sed -e 's/tcp, flag 5/--TCP FIN\/RST--/g' | sed -e 's/icmp, (0\/0)/--ICMP Echo Reply--/g' | sed -e 's/icmp, (8\/0)/--ICMP Echo Request--/g' | sed -e 's/icmp, (3\/0)/--ICMP Destination Unreachable--/g' | sed -e 's/icmp, (11\/0)/--ICMP Time Exceeded--/g' | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="}; {print};'

Notes:

  • The egrep outputs the capture into an easier to read format. It is not necessary to run this command to read the capture file.
  • Make sure to replace in the egrep
  • Capture is bidirectional

[ # ]

set interface <interface> monitor track-ip ip
set interface <interface> monitor track-ip threshold 255
set interface <interface> monitor track-ip ip <IP-to-monitor> threshold 10
set interface <interface> monitor track-ip ip <IP-to-monitor> weight 255

Notes:

  • Interface will be brought down after 10 failed pings

[ # ]

!! Configure the Zone, Tunnel Interface, and Route
set zone "VPN" tcp-rst 
set zone "VPN" screen syn-flood queue-size 1024

set interface "tunnel.<#>" zone "VPN"
set interface tunnel.<#> ip unnumbered interface <External-Interface>

set route <Pool-Network>/<CIDR> interface tunnel.<#>

!! Configuring ACE/RSA Settings
set auth-server "<Ace-Name>" server-name "<Primary-Server-IP/Domain-Name>"
set auth-server "<Ace-Name>" backup1 "<Secondary-Server-IP/Domain-Name>"
set auth-server "<Ace-Name>" account-type xauth 
set auth-server "<Ace-Name>" timeout 0
set auth-server "<Ace-Name>" forced-timeout 2
set auth-server "<Ace-Name>" radius secret "<Ace-Password>" 

!! Configure the pool
set ippool "<VPN-Pool-Name>" <Pool-Start-IP> <Pool-End-IP>

!! Configuring User VPN Defaults
set xauth default ippool "<VPN-Pool-Name>"
set xauth default dns1 <Primary-DNS-Server>
set xauth default dns2 <Secondary-DNS-Server>
set xauth default wins1 <Primary-WINS-Server>
set xauth default wins2 <Secondary-WINS-Server>
set xauth default auth server "<Ace-Name>"

!! Configuring the Users And VPNs
set user "<username>" ike-id fqdn "<username>" share-limit 1            !! Share-limit for each user MUST be 1 if more than 1 user will be added to the group
set user "<username>" type ike xauth
unset user "<username>" type auth
set user "<username>" "enable"
set user-group "<Group-Name>" user "<username>"

set ike gateway "<Gateway-Name>" dialup "<User-Group>" Aggr outgoing-interface "<External-Interface>" preshare "<PSK>" proposal "pre-g2-3des-sha"
set ike gateway "<Gateway-Name>" nat-traversal udp-checksum
set ike gateway "<Gateway-Name>" nat-traversal keepalive-frequency 5
set ike gateway "<Gateway-Name>" xauth server "<Ace-Name>"

set vpn "<VPN-Name>" gateway "<Gateway-Name>" no-replay tunnel idletime 10 proposal "nopfs-esp-3des-sha" 
set vpn "<VPN-Name>" bind interface tunnel.<#>

!! Configure the policies to use Accept - Example Below
set address "VPN" "VPN-Pool" 10.100.100.0 255.255.255.0
set policy from "VPN" to "Trust" "VPN-Pool" "Any" "Any" Permit log

Notes:

  • This configuration would tunnel ALL traffic and not split-tunnel. Split tunneling will require multiple VPNs with proxy-ids

Documentation

[ # ]

get log traffic src-ip <ip> dst-ip <ip>
get session src-ip <src IP> dst-ip <dst IP>

[ # ]