
The colors designate the actual ScreenOS command in blue, while the user input (policy name, numeric value, etc.) is red.

Basic Operation
get hostname - Displays the hostname of the device
set hostname atlanta-firewall - Sets the hostname to atlanta-firewall
get domain - Displays the domain name of the device
set domain skullbox.net - Sets the domain name to skullbox.net
get chassis - Displays chassis information such as temperature, fan status, and slot information
get system - Displays hardware and software information
get config - Displays the complete running configuration
get zone - Displays all zones present in device
set zone name warehouse - Create new zone named warehouse
unset zone warehouse - Removes zone warehouse
get interface - Displays all physical and sub-interfaces
get interface | include tun - Displays all interfaces starting with tun (tunnel interfaces)
get interface ethernet0/2 mip - Displays MIP information on specified interface
get arp - Displays the ARP table: the number of entries plus the MAC addresses and IP addresses learned by the device
get ssh - Displays active management SSH sessions
get counter statistics - Displays statistics for all interfaces
get counter statistics interface ethernet0/2 - Displays statistics for ONLY the specified interface
get performance cpu - Displays CPU utilization over the last 1,5, and 15 minutes
get performance session - Displays session utilization over the last 1,5, and 15 minutes
get dns host settings - Displays DNS servers and assigned interfaces
get dhcp - Displays DHCP information and assigned interfaces
get admin - Displays management information such as access ports and filtered IP addresses
get event - See Troubleshooting Section
get session - See Troubleshooting Section
get address untrust - Displays addresses in the untrust zone
get ike gateway - Displays all gateways configured for VPN
get vrouter trust-vr - Displays all vrouter information and routes associated with trust-vr
get sa - Displays the active security associations (SAs) for IKE (VPN) gateways
get ntp - Displays network time protocol information
get service - Displays protocols both native and custom
set service "RDP" protocol tcp src-port 0-65535 dst-port 3389-3389 - Creates a service named RDP with source ports from 0-65535 and a destination port of 3389.

Security
set admin manager-ip 10.15.15.0 255.255.255.0 - Sets administrator access from 10.15.15.0/24

Policies
set policy from Cisco2821 to DMZ902 192.168.105.0/24 Any HTTP permit log - Sets policy from zone Cisco2821 to DMZ902 allowing 192.168.105.0/24 (from Cisco2821) to communicate with any IP range in zone DMZ902 over port 80 (HTTP) and logs all traffic. This assumes 192.168.105.0/24 is contained in the address list.
set policy from Cisco2821 to DMZ902 192.168.105.0/24 Any ANY nat src permit log - Sets policy from zone Cisco2821 to DMZ902 allowing 192.168.105.0/24 (from Cisco2821) to communicate with any IP range in zone DMZ902 over any port and logs all traffic. This assumes 192.168.105.0/24 is contained in the address list; this policy also performs source NAT.
set policy from Untrust to warehouse Any MIP(216.93.242.16) DNS permit - Sets policy allowing any IP from the Untrust (Internet) zone to the MIP with IP 216.93.242.16, allowing ONLY DNS traffic
set policy from Untrust to warehouse Any MIP(216.93.242.16) ANY deny log - Sets policy from any IP in the Untrust (Internet) zone to the MIP with IP 216.93.242.16, specifically DENYING ALL traffic and logging it
set policy from Guest to Untrust 192.168.109.0/24 Any HTTP nat src dip-id 5 permit - Sets policy from zone Guest with IP 192.168.109.0/24 to Untrust (Internet) with any IP allowing port 80 (HTTP), performing source NAT using the DIP pool with ID five
set policy from Untrust to warehouse ras.skullbox.net VIP(ethernet0/2) RDP permit log - Sets policy from zone Untrust (Internet) with hostname ras.skullbox.net to zone warehouse using the specified VIP on Ethernet0/2, allowing RDP traffic and logging it
set policy id 43 disable - Keeps policy id 43 in the configuration, but disables it
set policy id 13 - Modifies policy ID 13; the set commands that follow apply to that policy
set src-address fin_servers - Adds group fin_servers from address book
set src-address fin_users - Adds group fin_users from address book
set src-address fin_network - Adds group fin_network from address book
set src-address sales_department - Adds group sales_department from address book

set policy id 43 - Modifies policy ID 43; the set commands that follow apply to that policy
set service DNS - Adds service DNS to policy
set service FTP - Adds service FTP to policy
set service HTTPS - Adds service HTTPS to policy
set service ICMP-ANY - Adds service ICMP-ANY to policy
set zone Untrust screen tear-drop - Sets a screen on zone Untrust for tear drop attacks
set zone Untrust screen syn-flood - Sets a screen on zone Untrust for syn flood attacks
set zone Untrust screen ping-death - Sets a screen on zone Untrust for ping of death attacks
set zone Untrust screen land - Sets a screen on zone Untrust for land attacks
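Policy and screen lines in the form shown above are easy to review by script once a `get config` dump is in hand. The following Python audit is an added example and is not part of the cheat sheet: it parses `set policy from ... to ...` and `set zone ... screen ...` lines (the sample configuration is constructed from the page's own syntax, with one deliberately broad permit added on line 6 and only two of the four screens configured) and flags permits that use the ANY service, any/any/any permits, rules that do not log, and screens from the page's list that a zone is missing. The function and finding names are my own.

```python
"""Audit ScreenOS policy and screen lines from a `get config` dump.

Added example, not part of the cheat sheet. It parses the `set policy` and
`set zone ... screen` syntax shown on the page and flags settings a reviewer
would question: permits with the ANY service, any/any/any permits, rules
that do not log, and zones missing the screens listed on the page.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the cheat sheet's own policies plus one deliberately
# broad permit (line 6) and a partial screen set, so the audit has work to do.
POLICY_SAMPLE = """\
set policy from Cisco2821 to DMZ902 192.168.105.0/24 Any HTTP permit log
set policy from Cisco2821 to DMZ902 192.168.105.0/24 Any ANY nat src permit log
set policy from Untrust to warehouse Any MIP(216.93.242.16) DNS permit
set policy from Untrust to warehouse Any MIP(216.93.242.16) ANY deny log
set policy from Guest to Untrust 192.168.109.0/24 Any HTTP nat src dip-id 5 permit
set policy from Untrust to DMZ902 Any Any ANY permit
set policy id 43 disable
set zone Untrust screen syn-flood
set zone Untrust screen land
"""

POLICY_RE = re.compile(
    r"^set policy (?:id (?P<id>\d+) )?from (?P<src_zone>\S+) to (?P<dst_zone>\S+) "
    r"(?P<src>\S+) (?P<dst>\S+) (?P<svc>\S+)(?P<tail>.*)$"
)
SCREEN_RE = re.compile(r"^set zone (?P<zone>\S+) screen (?P<screen>\S+)$")

# The screens the cheat sheet applies to the Untrust zone.
REQUIRED_SCREENS = {"tear-drop", "syn-flood", "ping-death", "land"}


@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    svc: str
    action: str
    nat: bool
    log: bool
    policy_id: Optional[str] = None


def parse_policy(line: str) -> Optional[Policy]:
    """Return a Policy for a `set policy from ... to ...` line, else None."""
    m = POLICY_RE.match(line.strip())
    if not m:
        return None
    tail = m.group("tail")  # everything after the service: nat/dip/action/log
    action = re.search(r"\b(permit|deny|reject)\b", tail)
    if not action:
        return None
    return Policy(
        src_zone=m["src_zone"], dst_zone=m["dst_zone"],
        src=m["src"], dst=m["dst"], svc=m["svc"],
        action=action.group(1),
        nat=bool(re.search(r"\bnat\b", tail)),
        log=bool(re.search(r"\blog\b", tail)),
        policy_id=m["id"],
    )


def audit_policy(p: Policy) -> List[str]:
    """Findings for one policy; an empty list means nothing to flag."""
    findings = []
    wide_src = p.src.lower() == "any"
    wide_dst = p.dst.lower() == "any"
    wide_svc = p.svc.lower() == "any"
    if p.action == "permit" and wide_src and wide_dst and wide_svc:
        findings.append("ANY_ANY_ANY_PERMIT")
    elif p.action == "permit" and wide_svc:
        findings.append("ANY_SERVICE_PERMIT")
    if not p.log:
        findings.append("PERMIT_WITHOUT_LOG" if p.action == "permit" else "DENY_WITHOUT_LOG")
    return findings


def audit_config(text: str) -> List[Tuple[int, Policy, List[str]]]:
    """(line number, parsed policy, findings) for every policy line in text."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        p = parse_policy(line)
        if p is not None:
            results.append((n, p, audit_policy(p)))
    return results


def missing_screens(text: str, zone: str) -> set:
    """Screens from REQUIRED_SCREENS that are not configured on the given zone."""
    present = set()
    for line in text.splitlines():
        m = SCREEN_RE.match(line.strip())
        if m and m["zone"] == zone:
            present.add(m["screen"])
    return REQUIRED_SCREENS - present


if __name__ == "__main__":
    for n, p, findings in audit_config(POLICY_SAMPLE):
        flag = ", ".join(findings) or "ok"
        print(f"line {n}: {p.src_zone}->{p.dst_zone} {p.src} {p.dst} {p.svc} {p.action}: {flag}")
    print("missing Untrust screens:", sorted(missing_screens(POLICY_SAMPLE, "Untrust")))
```

Run it against a real `get config` dump by reading the file into `audit_config`; `set policy id N` context lines (such as the `set src-address` and `set service` additions above) are intentionally not parsed, since they only extend a policy already matched by its `from ... to ...` line.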

Network Configuration
set interface ethernet0/2 phy full 1000mb - Sets Ethernet0/2 to full-duplex and 1Gbps (not autonegotiate)
set interface ethernet0/0 ip 216.93.242.12/26 - Sets IP information on Ethernet0/0
set interface ethernet3/0.1 tag 205 zone warehouse - Creates a sub-interface from Ethernet3/0 using 802.1Q VLAN tag 205 and puts the new interface into the warehouse zone
set interface ethernet0/3 route - Sets interface Ethernet0/3 to route mode
set interface ethernet0/5 nat - Sets interface Ethernet0/5 to NAT mode
set brgroup 3 0 - Enables group number zero on PIM slot 3. A maximum of 8 bgroups can be configured

Bgroup Configuration
set interface bgroup 3/0 port ethernet3/1 - Add physical interfaces to Bgroup3/0
set interface bgroup 3/0 port ethernet3/2 - Add physical interfaces to Bgroup3/0
set interface bgroup3/0 zone warehouse - Assigns bgroup3/0 to the warehouse zone
set interface ethernet0/5 phy link-down - Physically disables ports
unset interface ethernet0/5 phy link-down - Physically enables ports
set interface tunnel.5 zone Untrust - Creates tunnel interface with ID 5 assigned to zone Untrust
set interface tunnel.5 ip unnumbered interface ethernet0/2 - Sets tunnel.5 as an unnumbered
interface with Ethernet0/2 as a gateway
set interface ethernet3/10 ip manageable - Enables management on the IP address assigned to Ethernet3/10
set interface ethernet3/10 manage ping - Enables ping on Ethernet3/10
set interface ethernet3/10 manage ssh - Enables ssh on Ethernet3/10
set interface ethernet3/10 manage snmp - Enables snmp on Ethernet3/10
set interface ethernet3/10 manage web - Enables web on Ethernet3/10
set interface ethernet3/10 manage telnet - Enables telnet on Ethernet3/10

DHCP Configuration
set interface ethernet3/3 dhcp server service - Enables DHCP server on Ethernet3/3
set interface ethernet3/3 dhcp server option lease 1440 - Sets DHCP lease time (in minutes)
set interface ethernet3/3 dhcp server option gateway 192.168.101.1 - Sets gateway provided by DHCP
set interface ethernet3/3 dhcp server option netmask 255.255.255.0 - Sets subnet mask provided by DHCP
set interface ethernet3/3 dhcp server option domainname skullbox.lan - Sets domain suffix provided by DHCP
set interface ethernet3/3 dhcp server option dns1 8.8.8.8 - Sets primary DNS provided by DHCP
set interface ethernet3/3 dhcp server option dns2 4.4.4.2 - Sets secondary DNS provided by DHCP
set interface ethernet3/3 dhcp server ip 192.168.115.200 to 192.168.115.200 - Sets range of IP addresses for DHCP lease

set interface ethernet0/2 dip 4 216.93.242.13 216.93.242.13 - Sets interface Ethernet0/2 with a DIP pool (ID four) with a range of 216.93.242.13 to 216.93.242.13
set interface ethernet0/2 mip 216.93.242.14 host 192.168.152.15 netmask 255.255.255.255 vr "trust-vr" - Sets Ethernet0/2 to use 216.93.242.14 as a mapped IP to 192.168.152.15/32 using virtual router trust-vr
set interface ethernet0/2 vip interface-ip 3389 RDP 192.168.131.15 - Creates a VIP on the Ethernet0/2 interface IP that forwards port 3389 (service RDP) to 192.168.131.15

Routing
set route 10.145.12.0/24 interface bgroup3/0 gateway 10.145.12.254 description "extranet" - Sets a route for traffic destined for 10.145.12.0/24 to use interface bgroup3/0 with a gateway of 10.145.12.254 and the description extranet
set route 192.168.99.0/24 interface tunnel.5 description "dr-vpn" - Sets a route for traffic destined for 192.168.99.0/24 to use interface tunnel.5 with the description dr-vpn

SNMP Configuration
set snmp community "xoop" Read-Write Trap-on traffic version v1 - Specifies a read-write
community called xoop
set snmp host "xoop" 10.16.0.92/32 src-interface bgroup3/0 trap v1 - Sets the source interface and destination host for SNMP (version one) requests and traps
set snmp location "rack 34" - Specifies SNMP location information
set snmp contact "Erik Rodriguez" - Specifies SNMP contact information
set snmp name "corp-firewall" - Specifies SNMP device information
set snmp port listen 161 - Specifies SNMP listen port (default is UDP 161)
set snmp port trap 162 - Specifies SNMP trap port (default is UDP 162)

Syslog Configuration
set syslog config 192.168.105.76 - Sets the syslog destination IP
set syslog config 192.168.105.76 facilities local0 local1 - Sets the syslog facilities
set syslog src-interface ethernet3/2 - Sets the interface used to reach the syslog server
set syslog enable - Enables sending log messages to the configured syslog server
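The per-interface `manage` services, the SNMP community definitions and the syslog lines above together define the management plane of the device, and they are worth checking as a set. The following Python script is an added example, not part of the cheat sheet: it reads ScreenOS `set` lines (the sample below is constructed in the page's own syntax, with telnet left on an Untrust-facing interface and syslog configured but never enabled) and flags cleartext management services (`telnet` and `web`, the HTTP WebUI), Read-Write SNMP communities, a syslog destination configured without `set syslog enable`, and the absence of a `set admin manager-ip` restriction. Function names and finding codes are my own.

```python
"""Audit ScreenOS management-plane settings from `set` lines.

Added example, not part of the cheat sheet. Covers the `manage` interface
services, `set snmp community`, `set syslog` and `set admin manager-ip`
syntax shown on this page.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample in the page's own syntax: one interface with every
# management service on, telnet also left on an Untrust-facing interface,
# a Read-Write SNMPv1 community, and syslog configured but never enabled.
MGMT_SAMPLE = """\
set admin manager-ip 10.15.15.0 255.255.255.0
set interface ethernet3/10 ip manageable
set interface ethernet3/10 manage ping
set interface ethernet3/10 manage ssh
set interface ethernet3/10 manage snmp
set interface ethernet3/10 manage web
set interface ethernet3/10 manage telnet
set interface ethernet0/0 manage telnet
set snmp community "xoop" Read-Write Trap-on traffic version v1
set snmp community "ro-mon" Read-Only Trap-on traffic version v2c
set syslog config 192.168.105.76
set syslog src-interface ethernet3/2
"""

MANAGE_RE = re.compile(r"^set interface (?P<iface>\S+) manage (?P<svc>\S+)$")
SNMP_RE = re.compile(
    r'^set snmp community "(?P<name>[^"]+)" (?P<perm>Read-Write|Read-Only)'
    r"(?: Trap-(?:on|off))?(?: traffic)? version (?P<ver>\S+)$"
)
# Management services that carry credentials and configuration in cleartext
# (web is the HTTP WebUI; ssh and the HTTPS variant are not flagged).
CLEARTEXT = {"telnet", "web"}

Finding = Tuple[str, str, str]  # (code, subject, detail)


def manage_services(text: str) -> Dict[str, Set[str]]:
    """Interface name -> set of services enabled with `manage`."""
    per_iface: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        m = MANAGE_RE.match(line.strip())
        if m:
            per_iface[m["iface"]].add(m["svc"])
    return dict(per_iface)


def snmp_communities(text: str) -> List[Tuple[str, str, str]]:
    """(community name, permission, SNMP version) for each community line."""
    out = []
    for line in text.splitlines():
        m = SNMP_RE.match(line.strip())
        if m:
            out.append((m["name"], m["perm"], m["ver"]))
    return out


def audit_management(text: str) -> List[Finding]:
    """Findings over the whole configuration text; empty list means clean."""
    findings: List[Finding] = []
    for iface, svcs in manage_services(text).items():
        for svc in sorted(svcs & CLEARTEXT):
            findings.append(("CLEARTEXT_MGMT", iface, svc))
    for name, perm, ver in snmp_communities(text):
        if perm == "Read-Write":
            findings.append(("SNMP_RW_COMMUNITY", name, ver))
    lines = [l.strip() for l in text.splitlines()]
    # A syslog destination does nothing until `set syslog enable` is present.
    if any(l.startswith("set syslog config ") for l in lines) and "set syslog enable" not in lines:
        findings.append(("SYSLOG_NOT_ENABLED", "", ""))
    # Without manager-ip, management services answer from any source address.
    if not any(l.startswith("set admin manager-ip ") for l in lines):
        findings.append(("NO_MANAGER_IP", "", ""))
    return findings


if __name__ == "__main__":
    for code, subject, detail in audit_management(MGMT_SAMPLE):
        print(code, subject, detail)
```

On the sample this reports telnet and web on ethernet3/10, telnet on ethernet0/0, the Read-Write community xoop, and the missing `set syslog enable`; the manager-ip check passes because the first line restricts management to 10.15.15.0/24.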

NTP Configuration
set ntp server 216.93.242.12 - Enables NTP with 216.93.242.12 as time source
set ntp server src-interface ethernet3/0 - Uses interface Ethernet3/0 to reach NTP update source
set clock ntp - Enables system clock to sync with NTP
exec ntp update - Forces sync of clock with NTP server

Troubleshooting
trace-route 216.93.242.12 from ethernet3/0 - Performs a traceroute from a specific interface
ping 216.93.242.12 count 100 from ethernet3/11 - Performs ping to 216.93.242.12 with 100 ICMP
echos from interface Ethernet3/11

Sessions
get session src-ip 192.168.1.35 - Displays session information for source device 192.168.1.35
get session dst-ip 216.93.242.12 - Displays session information for destination device 216.93.242.12
get session src-port 3636 - Displays session information for source port 3636
get session dst-port 3389 - Displays session information for destination port 3389
clear session - Immediately clears all software sessions

Events
get event policy-id 35 - Displays any events logged regarding policy ID 35
get event level alert - Displays any logged events deemed Alerts (requiring immediate action)
get event start-date 2011-05-03 - Displays events starting from May 3rd 2011
get event start-time 21:26:42 - Displays events starting from 9:26:42 PM
get event include SPI - Displays events which include SPI (IKE activity)
