Wednesday, May 19, 2010

Basic Netscreen SSG / ISG Commands

Basic NETSCREEN Firewall Commands
If you are new to managing the Netscreen Firewall, then these commands will help you in managing the Netscreen Firewall from the Command Line Interface.

NETSCREEN
Note: Always remember to use TAB when you are not sure of the syntax of a command on a Netscreen Firewall. When you press TAB on your keyboard, the CLI shows you the options available at that point, and you can choose from them. TAB is your best friend.
Step 1: define networks & network groups
***********************************************
set address trust int-10.1.1.0_24 10.1.1.0/24
set address untrust ext-192.168.15.15 192.168.15.15/32
set group address untrust Remote
set group address untrust Remote add ext-192.168.15.15
Step 2: define services & service groups
**********************************************
set service tcp_445 protocol tcp src-port 1024-65535 dst-port 445-445 timeout 120
set service tcp_3399 protocol tcp src-port 1024-65535 dst-port 3390-3390 timeout 120
set group service outsrvgroup1
set group service outsrvgroup1 add http
set group service outsrvgroup1 add https
Step 3: Define policies
*************************
set policy from trust to untrust int-10.1.1.0_24 any outsrvgroup1 permit log count
Note: policies are applied from zone to zone, and the service group name must match the one defined in Step 2 exactly (outsrvgroup1).
Step 4: define NAT
**********************
NAPT is on by default.
Step 5: define one to one NAT (MIP)
*****************************************
set interface untrust mip 192.168.1.15 host 10.1.1.15 netmask 255.255.255.255
set group service insrvgroup1
set group service insrvgroup1 add http
set group service insrvgroup1 add https
set policy from untrust to trust any MIP(192.168.1.15) insrvgroup1 permit log count
set policy move 59 before 4
(Moves the new policy before the default deny policy, so it is evaluated first; policies are matched top to bottom.)
Step 6: define port forwarding (VIP)
*****************************************
set interface untrust vip 192.168.1.55 443 https 10.1.1.55
set policy from untrust to trust any VIP::1 https permit log count
Step 7: define routes
************************
set route 10.1.1.0/24 gateway 192.168.1.254
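The steps above build a ScreenOS rule base out of address objects, service objects and zone-to-zone policies, and the most common mistake when typing them by hand is a policy that references an object which was never defined (or was defined in the wrong zone), or a permit rule with no logging. The following linter is an added example, not code from the original post or from Juniper: it parses the command forms used in this post and reports dangling references and unlogged permits before the configuration is pasted into a firewall. It assumes only that ScreenOS's predefined services include "any", "http" and "https", and that the legacy VIP::N name numbers VIPs in definition order per interface; the sample configuration at the bottom is constructed and deliberately contains a misspelled service group, a permit without log, and a trust address used as the source of an untrust-to-trust policy.

```python
"""Lint ScreenOS 'set' commands for dangling references and unlogged permits.

Added example (not from the original post or from Juniper). It models only
the command forms the post uses. Keywords are compared case-insensitively,
so 'Set address ...' and 'set address ...' are treated the same.
"""
from dataclasses import dataclass, field

# Assumption: a small subset of ScreenOS's predefined services.
PREDEFINED_SERVICES = {"any", "http", "https"}


@dataclass
class Config:
    addresses: dict = field(default_factory=dict)       # zone -> {address and group names}
    global_addresses: set = field(default_factory=set)  # MIP(...) / VIP(...) / VIP::N
    services: set = field(default_factory=lambda: set(PREDEFINED_SERVICES))
    policies: list = field(default_factory=list)        # (from, to, src, dst, svc, action)
    problems: list = field(default_factory=list)


def _known_address(cfg, zone, name):
    """Address book entries are per zone; MIP/VIP names are usable from any zone."""
    return (name.lower() == "any" or name in cfg.global_addresses
            or name in cfg.addresses.get(zone, set()))


def parse(lines):
    """Parse ScreenOS set commands; unresolved references land in cfg.problems."""
    cfg = Config()
    vip_count = {}  # interface -> number of VIPs defined so far (assumed VIP::N numbering)
    for raw in lines:
        tok = raw.split()
        if not tok:
            continue
        kw = [t.lower() for t in tok]
        if kw[0] != "set":
            cfg.problems.append(f"not a set command: {raw.strip()}")
            continue
        if kw[1] == "address":                        # set address ZONE NAME IP/MASK
            cfg.addresses.setdefault(tok[2], set()).add(tok[3])
        elif kw[1:3] == ["group", "address"]:         # set group address ZONE NAME [add MEMBER]
            zone, name = tok[3], tok[4]
            cfg.addresses.setdefault(zone, set()).add(name)
            if len(tok) >= 7 and kw[5] == "add" and tok[6] not in cfg.addresses[zone]:
                cfg.problems.append(f"group {name}: member {tok[6]} not defined in zone {zone}")
        elif kw[1] == "service":                      # set service NAME protocol ...
            cfg.services.add(tok[2])
        elif kw[1:3] == ["group", "service"]:         # set group service NAME [add SERVICE]
            cfg.services.add(tok[3])
            if len(tok) >= 6 and kw[4] == "add" and tok[5] not in cfg.services:
                cfg.problems.append(f"service group {tok[3]}: member {tok[5]} not defined")
        elif kw[1] == "interface" and len(kw) > 4 and kw[3] == "mip":
            cfg.global_addresses.add(f"MIP({tok[4]})")
        elif kw[1] == "interface" and len(kw) > 4 and kw[3] == "vip":
            n = vip_count[tok[2]] = vip_count.get(tok[2], 0) + 1
            cfg.global_addresses.update({f"VIP({tok[4]})", f"VIP::{n}"})
        elif kw[1] == "policy" and kw[2] == "from":   # set policy from Z1 to Z2 SRC DST SVC ACTION [log] [count]
            if len(tok) < 10:
                cfg.problems.append(f"incomplete policy: {raw.strip()}")
                continue
            src_zone, dst_zone, src, dst, svc, action = tok[3], tok[5], tok[6], tok[7], tok[8], kw[9]
            if not _known_address(cfg, src_zone, src):
                cfg.problems.append(f"policy: source {src} not in zone {src_zone}")
            if not _known_address(cfg, dst_zone, dst):
                cfg.problems.append(f"policy: destination {dst} not in zone {dst_zone}")
            if svc not in cfg.services:
                cfg.problems.append(f"policy: service {svc} not defined")
            if action == "permit" and "log" not in kw[10:]:
                cfg.problems.append(f"policy: permit {src}->{dst} {svc} without log")
            cfg.policies.append((src_zone, dst_zone, src, dst, svc, action))
        # 'set policy move' and 'set route' carry no object references this linter checks.
    return cfg


def lint(lines):
    """Return the list of problems found in the given command lines."""
    return parse(lines).problems


# Constructed sample: the post's objects plus three deliberate mistakes.
SAMPLE = """\
set address trust int-10.1.1.0_24 10.1.1.0/24
set address untrust ext-192.168.15.15 192.168.15.15/32
set group address untrust Remote
set group address untrust Remote add ext-192.168.15.15
set service tcp_445 protocol tcp src-port 1024-65535 dst-port 445-445 timeout 120
set group service outsrvgroup1
set group service outsrvgroup1 add http
set group service outsrvgroup1 add https
set policy from trust to untrust int-10.1.1.0_24 any outsrvgrp1 permit log count
set interface untrust mip 192.168.1.15 host 10.1.1.15 netmask 255.255.255.255
set policy from untrust to trust any MIP(192.168.1.15) https permit count
set interface untrust vip 192.168.1.55 443 https 10.1.1.55
set policy from untrust to trust any VIP::1 https permit log count
set policy from untrust to trust Remote int-10.1.1.0_24 tcp_445 deny log
set policy from untrust to trust int-10.1.1.0_24 any any permit log
""".splitlines()

if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print(problem)
```

Run against the sample it reports three problems: the misspelled service group in the trust-to-untrust policy, the MIP permit with no log, and the trust-zone address used as a source in an untrust-to-trust policy. The zone check is the one worth remembering: ScreenOS address books are per zone, so an object created with "set address trust" cannot be referenced as a source when the policy's from-zone is untrust.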
