!! Snoop Filter - More basic capture
!! Enable
snoop filter ip src-ip <src IP> dst-ip <dest IP>
!! Disable
snoop off
snoop filter del

!! Flow Filter - Much more information on the packet flow
!! Enable
set ff src-ip <src IP> dst-ip <dest IP>
debug flow basic
!! Disable
undebug all
unset ff  !! Unset the filter op


  • Use 'get db st' to view the output
  • Use 'clear db' to clear the capture but keep it running

[ # ]

set interface "tunnel.<#>" ip unnumbered interface <outgoing-interface>  !! If not using NHTB routes
set interface "tunnel.<#>" ip <ip>/<cidr>  !! If NHTB route is needed - A random IP such as will work
set interface "tunnel.<#>" zone "<zone>"
set interface "tunnel.<#>" mip <Mapped-IP> host <real-ip> netmask vr "trust-vr"  !! If Needed

set ike p1-proposal "pre-g2-aes265-sha" preshare group2 esp aes256 sha-1 second 28800
set ike p2-proposal "nopfs-esp-aes256-sha" no-pfs esp aes256 sha-1 second 28800

set ike gateway "<gateway-name>" address <gateway-ip> Main outgoing-interface "<outgoing-interface>" preshare "<psk>" proposal "<p1-proposal>"
set vpn "<vpn_name-#>" gateway "<gateway-name>" no-replay tunnel idletime 0 proposal "<p2-proposal>" 
set vpn "<vpn_name-#>" bind interface tunnel.<#>
set vpn "<vpn_name-#>" proxy-id local-ip <ip/cidr> remote-ip <ip/cidr> "ANY"   !! Only necessary if you NEED to define proxy-ids, for instance to Cisco devices

!! Create the security rules as 'accept' rules

set route <remote-ip/cidr> interface tunnel.<#>  !! Without NHTB

set interface tunnel.<#> nhtb <IP-on-tunnel-interface-network> vpn "<vpn_name-1>"  !! With NHTB
set route <remote-ip/cidr> interface tunnel.<#> gateway <nhtb-ip>  !! With NHTB


  • Rules should use accept action
  • Create more vpns (like vpn_name-1) for each proxy-id combination needed
  • NHTB routes are necessary if binding multiple VPNs to the same tunnel interface (for instance, when multiple proxy-IDs are required)


[ # ]