!! Node A - Master
!! Both cluster members must carry the same cluster id (1); the vsd-group
!! priority decides master election for VSD group 0.
!! NOTE(review): in ScreenOS NSRP the LOWER priority number takes precedence
!! (default 100). With 100 here and 90 on Node B, Node B would win an election
!! if preempt is enabled - confirm these values are intentional.
!! NOTE(review): NSRP control/data traffic is not authenticated or encrypted
!! unless configured (set nsrp auth password / set nsrp encrypt password);
!! consider enabling both if the HA links are not physically isolated.
!! Mirror run-time objects (sessions) to the peer so failover keeps existing flows.
set nsrp rto-mirror sync
!! Link loss on a monitored interface triggers failover of the VSD group.
set nsrp monitor interface eth1
set nsrp monitor interface eth3
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 100

!! Node B - Backup
!! Same cluster id and monitored interfaces as Node A; only the priority differs.
!! NOTE(review): ScreenOS treats a lower priority number as higher precedence;
!! 90 here outranks Node A's 100 if preempt is on - confirm intended roles.
set nsrp rto-mirror sync
set nsrp monitor interface eth1
set nsrp monitor interface eth3
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 90
!! Save the local config before pulling the master's global config over NSRP.
save
exec nsrp sync global-config save  !! Performed on the backup device

Notes:

  • Configure the physical interfaces (and the interfaces named in `set nsrp monitor interface`) BEFORE applying the NSRP configuration
  • After syncing the global config from the master, reboot the backup firewall so it boots with the synchronized configuration

[ # ]

!! Force a manual failover: promotes the local device to master of the VSD group.
!! NOTE(review): the set commands above use "vsd-group id <n>"; the exec form
!! most likely also requires the "id" keyword (exec nsrp vsd-group id <group ID> mode master) - verify on the platform.
exec nsrp vsd-group <group ID> mode master

Notes:

  • Performed on the standby/backup firewall

[ # ]

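!! Install a license key and then display the installed licenses to confirm it took.
!! Fixed typo: the command is "license-key", not "licese-key".
exec license-key <key>
get license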

Notes:

  • The `<key>` is the string that follows "advanced=" in the license file, entered as one token with no spaces or line breaks

[ # ]

!! Quick health checks.
get sys  !! Uptime, serial, software version
get perf session  !! Connection Count
get perf cpu detail
get perf cpu all detail  !! * means above threshold
get event level critical  !! View failovers or other critical events
get counter statistics  !! CRC errors, etc

[ # ]

!! Historical traffic log entries for a flow (only present if the matching policy has "log" set).
get log traffic src-ip <ip> dst-ip <ip>
!! Live session-table entries for the same flow.
get session src-ip <src IP> dst-ip <dst IP>

[ # ]

!! Configure the Zone, Tunnel Interface, and Route
!! Dedicated zone for dial-up VPN clients so policy can be written per zone.
set zone "VPN" tcp-rst 
!! SYN-flood screen on the VPN zone; 1024 is the proxied-connection queue depth.
set zone "VPN" screen syn-flood queue-size 1024

!! Tunnel interface borrows the external interface's address (unnumbered).
set interface "tunnel.<#>" zone "VPN"
set interface tunnel.<#> ip unnumbered interface <External-Interface>

!! Route the client pool back through the tunnel interface.
set route <Pool-Network>/<CIDR> interface tunnel.<#>

!! Configuring ACE/RSA Settings
!! External RADIUS (RSA ACE) server used for XAuth; backup1 is the failover server.
set auth-server "<Ace-Name>" server-name "<Primary-Server-IP/Domain-Name>"
set auth-server "<Ace-Name>" backup1 "<Secondary-Server-IP/Domain-Name>"
set auth-server "<Ace-Name>" account-type xauth 
!! NOTE(review): timeout 0 appears to disable the idle timeout for authenticated
!! sessions; confirm that is intended versus a bounded value.
set auth-server "<Ace-Name>" timeout 0
set auth-server "<Ace-Name>" forced-timeout 2
!! RADIUS shared secret - treat as a credential; do not leave the real value in this document.
set auth-server "<Ace-Name>" radius secret "<Ace-Password>" 

!! Configure the pool
!! Address range handed to clients; must fall inside <Pool-Network>/<CIDR> routed above.
set ippool "<VPN-Pool-Name>" <Pool-Start-IP> <Pool-End-IP>

!! Configuring User VPN Defaults
!! Defaults pushed to every XAuth client: address pool, DNS/WINS, and the auth server.
set xauth default ippool "<VPN-Pool-Name>"
set xauth default dns1 <Primary-DNS-Server>
set xauth default dns2 <Secondary-DNS-Server>
set xauth default wins1 <Primary-WINS-Server>
set xauth default wins2 <Secondary-WINS-Server>
set xauth default auth server "<Ace-Name>"

!! Configuring the Users And VPNs
!! IKE identity is the user's FQDN-style ID; share-limit 1 allows one concurrent tunnel per user.
set user "<username>" ike-id fqdn "<username>" share-limit 1            !! Share-limit for each user MUST be 1 if more than 1 user will be added to the group
!! User is an IKE + XAuth user only; plain "auth" type is removed.
set user "<username>" type ike xauth
unset user "<username>" type auth
set user "<username>" "enable"
!! The group is what the dial-up IKE gateway references.
set user-group "<Group-Name>" user "<username>"

!! NOTE(review): Aggressive mode with a group pre-shared key exposes a hash of the PSK
!! to anyone who can send IKE to the gateway (offline cracking); use a long random PSK
!! and prefer Main mode or certificates where the client supports them.
!! NOTE(review): 3DES / SHA-1 / DH group 2 are legacy; prefer an AES-based proposal
!! and a stronger DH group if the platform and clients support them.
set ike gateway "<Gateway-Name>" dialup "<User-Group>" Aggr outgoing-interface "<External-Interface>" preshare "<PSK>" proposal "pre-g2-3des-sha"
!! NAT-T for clients behind NAT; keepalive every 5 seconds.
set ike gateway "<Gateway-Name>" nat-traversal udp-checksum
set ike gateway "<Gateway-Name>" nat-traversal keepalive-frequency 5
set ike gateway "<Gateway-Name>" xauth server "<Ace-Name>"

!! NOTE(review): "no-replay" disables IPsec anti-replay protection and "nopfs" disables
!! Perfect Forward Secrecy; both weaken the tunnel - keep them only if the client requires it.
set vpn "<VPN-Name>" gateway "<Gateway-Name>" no-replay tunnel idletime 10 proposal "nopfs-esp-3des-sha" 
set vpn "<VPN-Name>" bind interface tunnel.<#>

!! Configure the policies to use Accept - Example Below
!! Address object must match the ippool range configured above.
set address "VPN" "VPN-Pool" 10.100.100.0 255.255.255.0
!! Example only: "Any"/"Any" permits all services to the whole Trust zone from
!! any VPN client - narrow the destination and service to what clients actually need.
set policy from "VPN" to "Trust" "VPN-Pool" "Any" "Any" Permit log

Notes:

  • This configuration tunnels ALL client traffic (no split tunneling). Split tunneling requires separate VPNs, each with its own proxy-ID defining the networks reachable through the tunnel

Documentation

[ # ]

## Copy the running Junos image/config to the alternate boot slice so a known-good
## fallback exists before an upgrade.
request system snapshot slice alternate

[ # ]

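## Junos configuration-mode statements need the "set" keyword (fixed: was "system time-zone ...").
set system time-zone Europe/London
## NOTE(review): "set date ntp" does not look like Junos syntax; it appears to be a
## ScreenOS-style one-off NTP sync left over from the sections above - verify before use.
set date ntp <ip>

## Persistent NTP servers; "prefer" marks the primary.
set system ntp server <ntp server 1 ip> prefer
set system ntp server <ntp server 2 ip>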

[ # ]

!! Snoop Filter - More basic capture
!! Enable
!! Filter first, then start the capture; without a filter snoop captures everything.
snoop filter ip src-ip <src IP> dst-ip <dest IP>
snoop
!! Disable
!! Always stop snoop and delete the filter afterwards.
snoop off
snoop filter del

!! Flow Filter - Much more information on the packet flow
!! Enable
!! Flow debugging is CPU-intensive: scope it with a flow filter and run it briefly.
set ff src-ip <src IP> dst-ip <dest IP>
debug flow basic
!! Disable
!! Leaving debug running on a production box degrades throughput - undebug as soon as done.
undebug all
unset ff  !! Unset the filter op

Notes:

  • Use 'get db st' (short for 'get dbuf stream') to view the captured output
  • Use 'clear db' to clear the debug buffer while leaving the capture running

[ # ]

  • fxp1 - Control link - Enables sync of config
  • fxp0 - Management interface - Can be used for OOB
  • fab# - Data link - Session sync (packets known as "real-time object" or RTO), transit traffic link for active/active, fragmentation not supported, jumbo frames supported
  • reth - Each reth is a logical interface containing 1 physical interface from each firewall

Redundancy group 0 always controls the Routing Engine (control plane); redundancy groups 1 and above hold the objects configured for failover, such as the reth interfaces.

[ # ]