Netscreen useful commands

Here is a list of some useful Netscreen commands:

1. Search for the virtual firewall context from main context:
get conf | i context-name

2. Get into the vsys context:
enter vsys context-name

3. Identify whether the matching policy action denies or allows packets from a source 
to a destination for a given service:
get policy src-ip x.x.x.x dst-ip x.x.x.x "service name eg HTTPS"

4. Define an IP address in a zone:
set address "zone-name" "address-book-name" x.x.x.x 255.255.255.255

5. Define a group in a zone and add an address into group:
set group address "zone-name" "Public_Networks"
set group address "zone-name" "Public_Networks" add "address-book-name"

6. Define a service/port and add it into a group (optional):
set service "tcp_41458" protocol tcp src-port 0-65535 dst-port 41458-41458
set group service "TCP_Citrix" add "tcp_41458"

7. Define a policy to permit HTTPS traffic from the inside zone to the outside 
zone, NAT the outgoing traffic and log it as well, letting the policy id be auto-created:
set policy top from "inside" to "outside" "inside-address-book-name" "outside-address-book-name" "HTTPS" nat src permit log

8. Define a policy id manually:
set policy id 102 from "inside" to "outside" "inside-address-book-name" "outside-address-book-name" "HTTPS" permit log

9. Add an additional service of "DNS" in existing policy 102:
set service "DNS" protocol tcp src-port 0-65535 dst-port 53-53
set policy id 102
set service "DNS"
exit

10. Unset an existing policy 102:
unset policy id 102

11. Check a general overview of the configured VPNs:
netscreen(M)-> get vpn

12. Confirm Phase 1:
To confirm whether IKE has been successful, run the following command. 
You may find that there is no IKE cookie but there is a Phase 2 Security Association. 
This is due to the Phase 1 IKE lifetime being set to a value less than the IKE Phase 2 lifetime. 
netscreen(M)->get ike cookie | i [remote peer ip]
81182f/0003, [REMOTE-PEER-IP]:500->[LOCAL-PEER-IP]:500, PRESHR/grp5/AES128/SHA, xchg(5) (VPN-gateway/grp-1/usr-1)

13. Confirm Phase 2:
From the get sa command you can see the status and various details of the Security Associations. 
The "Sta" column in the output below shows the status of the VPN tunnel (left of the slash) and the 
status of the VPN monitor (right). In this case the VPN tunnel is active (A) and the VPN monitor is 
dashed out as it isn't enabled.
netscreen(M)-> get sa | i [peer ip]
00000007<       [peer ip]  500 esp:3des/md5  zbcA14zz  3317 unlim A/-    22 0
00000007>       [peer ip]  500 esp:3des/md5  fbcb64ee  3317 unlim A/-    -1 0

Using the SA ID we can confirm additional details of the Phase 2 SA.

netscreen(M)-> get sa id 0x00000007
index 49, name Example, peer gateway ip [remote peer]. vsys<Root>
auto key. policy node, tunnel mode, policy id in:<10104> out:<10103> vpngrp:<-1>. sa_list_nxt:<-1>.
tunnel id 662, peer id 52, NSRP Active. Vsd 0   site-to-site. Local interface is ethernet5 
<[local peer]>.
  esp, group 0, a256 encryption, sha1 authentication
  autokey, IN active, OUT active
  monitor<0>, latency: 0, availability: 0
  DF bit: clear
  app_sa_flags: 0x2067
  proxy id: local 0.0.0.0/0.0.0.0, remote 0.0.0.0/0.0.0.0, proto 0, port 0
  ike activity timestamp: 590051543
nat-traversal map not available
incoming: SPI 9j32882e, flag 00004000, tunnel info 40000296, pipeline
  life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
  anti-replay on, last 0xb6840, window 0xffffffff, idle timeout value <0>, idled 0 seconds
  next pak sequence number: 0x0
outgoing: SPI 7bz2a942, flag 00000000, tunnel info 40000296, pipeline
  life 86400 sec, 19761 remain, 0 kb, 0 bytes remain
  anti-replay on, last 0x0, window 0x0, idle timeout value <0>, idled 0 seconds
  next pak sequence number: 0x89j9c

14. Netscreen - Rekeying a VPN / Clearing the SAs
In order to rekey a Netscreen VPN you will need to clear either the Phase 1 or the Phase 2 "keys" from the gateway: 
Phase 1 being the IKE cookies and Phase 2 being the SAs (Security Associations).

To see an overview of your VPNs, run the command:
get vpn

To find the current IKE cookies or SAs, run either of the following commands:
get ike cookies 
get sa active

To clear either of these, run the corresponding command:
clear ike-cookie [gateway ip] 
clear sa [id] 

Below is an example of clearing a VPN's SAs:

ns5gt-> get sa active
Total active sa: 1
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000007<       10.1.1.25  500 esp:3des/md5  ef1d167f  3317 unlim A/-    22 0
00000007>       10.1.1.25  500 esp:3des/md5  fbcb64ee  3317 unlim A/-    -1 0

ns5gt-> clear sa 00000007
ns5gt-> get sa active
Total active sa: 1
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000007<       10.1.1.25  500 esp:3des/md5  ef1d1680  3592 unlim A/-    22 0
00000007>       10.1.1.25  500 esp:3des/md5  bd1cbef7  3592 unlim A/-    -1 0

The main thing to ensure is that you list only the active SAs, as the firewall will not let you clear 
inactive SAs. You can tell that they are active because the "Sta" (State) column reads A/-, which is active. 
Also note that the Hex ID is the value passed to the `clear sa` command.
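As an added example (not part of the original post), the following Python parser reads the `get sa active` table shown above, lists the Hex IDs that are actually in state A (the only ones `clear sa` accepts), checks that a before/after pair of captures really shows new SPIs after a rekey, and flags SAs still negotiating 3DES or MD5. The sample captures are constructed to match the post's output format, and the inactive row is invented to show the filtering.

```python
import re

# Constructed samples modelled on the post's "get sa active" output (not real
# captures); the third row is an invented inactive SA to show the filtering.
SA_BEFORE = """\
Total active sa: 1
total configured sa: 2
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000007<       10.1.1.25  500 esp:3des/md5  ef1d167f  3317 unlim A/-    22 0
00000007>       10.1.1.25  500 esp:3des/md5  fbcb64ee  3317 unlim A/-    -1 0
0000000a<       10.1.1.26  500 esp:aes/sha1  00000000     0 unlim I/-    23 0
"""
SA_AFTER = """\
00000007<       10.1.1.25  500 esp:3des/md5  ef1d1680  3592 unlim A/-    22 0
00000007>       10.1.1.25  500 esp:3des/md5  bd1cbef7  3592 unlim A/-    -1 0
"""

# One SA row: 8-hex-digit id immediately followed by < (inbound) or > (outbound).
SA_ROW = re.compile(
    r"^(?P<hexid>[0-9a-f]{8})(?P<arrow>[<>])\s+(?P<gateway>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<alg>\S+)\s+(?P<spi>[0-9a-f]+)\s+(?P<life>\d+)\s+(?P<kb>\S+)\s+"
    r"(?P<sta>\S+)\s+(?P<pid>-?\d+)\s+(?P<vsys>\d+)$", re.IGNORECASE)
def parse_sa(output):
    """One dict per SA row; header and counter lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["direction"] = "in" if row["arrow"] == "<" else "out"
            rows.append(row)
    return rows

def clearable_ids(output):
    """Hex IDs whose tunnel state (left of '/' in Sta) is A: the only ones
    'clear sa <hexid>' will accept, as the post notes."""
    return sorted({r["hexid"] for r in parse_sa(output) if r["sta"].split("/")[0] == "A"})

def rekeyed(before, after):
    """True when every SA in both captures got a new SPI, i.e. the clear
    really forced a fresh Phase 2 negotiation."""
    key = lambda rows: {(r["hexid"], r["direction"]): r["spi"] for r in rows}
    b, a = key(parse_sa(before)), key(parse_sa(after))
    common = b.keys() & a.keys()
    return bool(common) and all(b[k] != a[k] for k in common)

def weak_sas(output):
    """Hex IDs negotiating 3DES or MD5 (as in the post's sample), which a
    review of the Phase 2 proposal should flag for replacement."""
    return sorted({r["hexid"] for r in parse_sa(output)
                   if re.search(r"3des|md5", r["alg"], re.IGNORECASE)})
```

Feed it the raw text of two `get sa active` runs taken before and after `clear sa` to confirm the rekey actually happened rather than trusting the prompt returning silently.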

15. RUNNING A DEBUG
Here we run a debug to obtain a more verbose view of what is happening to our traffic.
netscreen(M)-> set ff src-ip [local endpoint] dst-ip [remote endpoint] 
netscreen(M)-> undebug all
netscreen(M)-> clear db
netscreen(M)-> debug ike basic
netscreen(M)-> debug flow basic
netscreen(M)-> get db str
!
!
Permitted by policy 109
  No src xlate   choose interface ethernet5 as outgoing phy if
  check nsrp pak fwd: in_tun=0xffffffff, VSD 0 for out ifp ethernet5
  vsd 0 is active
  no loop on ifp ethernet5.
  session application type 0, name None, nas_id 0, timeout 60sec
  service lookup identified service 0.
  flow_first_final_check: in , out 
  existing vector list 25-6870620.
  Session (id:127345) created for first pak 25
  flow_first_install_session======>
  cache mac in the session
  make_nsp_ready_no_resolve()
  search route to (ethernet5, [remote endpoint]->[local endpoint]) in vr trust-vr for vsd-0/flag-3000/ifp-ethernet2
  [Dest] 10.route [local endpoint]->[next hop], to ethernet2
  route to [next hop]
  nsrp msg sent.
  flow got session.
  flow session id 127345
  vsd 0 is active
  skipping pre-frag 
  going into tunnel 40000266.
  flow_encrypt: pipeline.
chip info: DMA. Tunnel id 00000266
(vn2)  doing ESP encryption and size =64
ipsec encrypt prepare engine done
ipsec encrypt set engine done
ipsec encrypt engine released
ipsec encrypt done
    put packet(557a0f0) into flush queue.
    remove packet(557a0f0) out from flush queue.

If the tunnel does not come up you can use the following debug:
netscreen(M)-> ike detail set sa-filter [IP] 

16. EVENT LOGS
In addition to checking the logs to confirm that the traffic is being passed, you can check for 
Phase 1 and Phase 2 errors in the device's event logs. 

netscreen(M)-> get event include [peer ip]