!! VPN Troubleshooting Commands
get vpn
get ike cookies
get sa active
get event include vpn
Proxy ID generated from the policy address objects (SRC > DEST):
SRC      DEST     PROXY ID (SRC > DEST)
Group    Group    0.0.0.0/0.0.0.0 > 0.0.0.0/0.0.0.0
Group    Subnet   0.0.0.0/0.0.0.0 > Subnet
Subnet   Subnet   Subnet > Subnet
Notes:
- Use subnets instead of address groups to avoid proxy-ID / encryption-domain mismatches with the peer (a group is sent as 0.0.0.0/0). Configure one rule per subnet pair.
!! Interface Monitoring (track-ip)
set interface <interface> monitor track-ip ip
set interface <interface> monitor track-ip threshold 255
set interface <interface> monitor track-ip ip <IP-to-monitor> threshold 10
set interface <interface> monitor track-ip ip <IP-to-monitor> weight 255
Notes:
- The interface is brought down after 10 failed pings to the monitored IP: that IP's weight (255) then meets the interface threshold (255).
!! Configure the Zone, Tunnel Interface, and Route
set zone "VPN" tcp-rst
set zone "VPN" screen syn-flood queue-size 1024
set interface "tunnel.<#>" zone "VPN"
set interface tunnel.<#> ip unnumbered interface <External-Interface>
set route <Pool-Network>/<CIDR> interface tunnel.<#>
!! Configuring ACE/RSA Settings
set auth-server "<Ace-Name>" server-name "<Primary-Server-IP/Domain-Name>"
set auth-server "<Ace-Name>" backup1 "<Secondary-Server-IP/Domain-Name>"
set auth-server "<Ace-Name>" account-type xauth
set auth-server "<Ace-Name>" timeout 0
set auth-server "<Ace-Name>" forced-timeout 2
set auth-server "<Ace-Name>" radius secret "<Ace-Password>"
!! Configure the pool
set ippool "<VPN-Pool-Name>" <Pool-Start-IP> <Pool-End-IP>
!! Configuring User VPN Defaults
set xauth default ippool "<VPN-Pool-Name>"
set xauth default dns1 <Primary-DNS-Server>
set xauth default dns2 <Secondary-DNS-Server>
set xauth default wins1 <Primary-WINS-Server>
set xauth default wins2 <Secondary-WINS-Server>
set xauth default auth server "<Ace-Name>"
!! Configuring the Users And VPNs
set user "<username>" ike-id fqdn "<username>" share-limit 1 !! Share-limit for each user MUST be 1 if more than 1 user will be added to the group
set user "<username>" type ike xauth
unset user "<username>" type auth
set user "<username>" "enable"
set user-group "<Group-Name>" user "<username>"
set ike gateway "<Gateway-Name>" dialup "<User-Group>" Aggr outgoing-interface "<External-Interface>" preshare "<PSK>" proposal "pre-g2-3des-sha"
set ike gateway "<Gateway-Name>" nat-traversal udp-checksum
set ike gateway "<Gateway-Name>" nat-traversal keepalive-frequency 5
set ike gateway "<Gateway-Name>" xauth server "<Ace-Name>"
set vpn "<VPN-Name>" gateway "<Gateway-Name>" no-replay tunnel idletime 10 proposal "nopfs-esp-3des-sha"
set vpn "<VPN-Name>" bind interface tunnel.<#>
!! Configure the policies to use Accept - Example Below
set address "VPN" "VPN-Pool" 10.100.100.0 255.255.255.0
set policy from "VPN" to "Trust" "VPN-Pool" "Any" "Any" Permit log
Notes:
- This configuration tunnels ALL client traffic (no split tunneling). Split tunneling requires multiple VPNs with proxy-ids.
!! Restart the NSM agent
unset nsm enable
set nsm enable
!! NSRP (HA) - Node A - Master
set nsrp rto-mirror sync
set nsrp monitor interface eth1
set nsrp monitor interface eth3
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 100
!! Node B - Backup
set nsrp rto-mirror sync
set nsrp monitor interface eth1
set nsrp monitor interface eth3
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 90
save
exec nsrp sync global-config save !! Performed on the backup device
Notes:
- Configure the interfaces PRIOR to performing NSRP configuration
- After syncing config, reboot the secondary firewall
!! Install a License Key
exec license-key <key>
get license
Notes:
- <key> is the string following "advanced=" in the license file; enter it with no spaces or line breaks.
!! Monitoring and Troubleshooting
get sys !! Uptime
get perf session !! Connection Count
get perf cpu detail
get perf cpu all detail !! * means above threshold
get event level critical !! View failovers or other critical events
get counter statistics !! CRC errors, etc.
get log traffic src-ip <ip> dst-ip <ip>
get session src-ip <src IP> dst-ip <dst IP>
!! Log Exclusion
set log exclude-id <#> user-id <username> event-type <event-id> src-ip <ip> src-netmask <netmask> dst-ip <ip> dst-netmask <netmask> dst-port <port> <success|failure>
Any combination of the above options can be set to suppress specific log messages. For instance, assume I wanted to stop logging the following admin login messages:
Feb 10 00:00:01 192.168.1.1 LocalFirewall: NetScreen device_id=LocalFirewall [Root]system-information-00519: ADM: Local admin authentication successful for login name admin (2014-02-10 00:00:01)
The following suppresses all successful logins with message id 00519 for the 'admin' user:
set log exclude-id 1 user-id "admin" event-type 519 success
Notes:
- ScreenOS version 6.2+ required
- A maximum of 10 exclude rules are allowed
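To see exactly which messages the exclude rule above hides, here is an added Python model of the rule matching (example code, not from ScreenOS or this page) run over constructed log lines. The parser regex, the ExcludeRule class and the sample lines other than the page's own 00519 message are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed ScreenOS-style admin-login syslog lines (not captured from a real device).
# Line 0 mirrors the page's example; the "netops" user and the 00515 failure line are made up.
SAMPLE_LOG = [
    "Feb 10 00:00:01 192.168.1.1 LocalFirewall: NetScreen device_id=LocalFirewall [Root]system-information-00519: ADM: Local admin authentication successful for login name admin (2014-02-10 00:00:01)",
    "Feb 10 00:00:05 192.168.1.1 LocalFirewall: NetScreen device_id=LocalFirewall [Root]system-information-00519: ADM: Local admin authentication successful for login name netops (2014-02-10 00:00:05)",
    "Feb 10 00:00:09 192.168.1.1 LocalFirewall: NetScreen device_id=LocalFirewall [Root]system-warning-00515: ADM: Local admin authentication failed for login name admin (2014-02-10 00:00:09)",
]

# Pulls the vsys, the 5-digit message id, the outcome word and the login name out of a line.
LINE_RE = re.compile(
    r"\[(?P<vsys>[^\]]+)\][a-z-]+-(?P<event>\d{5}): .*?"
    r"authentication (?P<outcome>successful|failed) for login name (?P<user>\S+)"
)


@dataclass(frozen=True)
class ExcludeRule:
    """Subset of the 'set log exclude-id' fields; None means 'match any'."""
    user_id: Optional[str] = None
    event_type: Optional[int] = None
    outcome: Optional[str] = None  # "success" or "failure"

    def matches(self, event: dict) -> bool:
        # Every field set on the rule must equal the parsed field; unset fields are wildcards.
        return all(
            want is None or event[key] == want
            for key, want in (("user", self.user_id), ("event", self.event_type), ("outcome", self.outcome))
        )


def parse_line(line: str) -> Optional[dict]:
    """Return the fields an exclude rule can match on, or None for lines this model does not understand."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"vsys": m["vsys"], "event": int(m["event"]),
            "outcome": "success" if m["outcome"] == "successful" else "failure", "user": m["user"]}


def apply_exclusions(lines, rules):
    """Split lines into (kept, suppressed); unparseable lines are never suppressed."""
    kept, suppressed = [], []
    for line in lines:
        ev = parse_line(line)
        (suppressed if ev is not None and any(r.matches(ev) for r in rules) else kept).append(line)
    return kept, suppressed


# Model of: set log exclude-id 1 user-id "admin" event-type 519 success
RULE_1 = ExcludeRule(user_id="admin", event_type=519, outcome="success")
```

Only the successful admin login is dropped; the other user's login and the failed attempt remain, which is the behaviour to confirm before relying on an exclude rule, since anything it matches is gone from the audit trail.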