
Instructor: Jai A Singla

SSH to Netscreen (CLI)

- Hummingbird Connectivity 9.0
- MCI-Hosts
- SSH
- SSH Template

CLI Commands

Juniper uses get rather than show. However, we have aliased show into the NetScreens with the following:

set alias show "get"
set alias sh "get"
set alias sho "get"

Security Zones

- Create security zones
- Security zones regulate inbound and outbound traffic via policies
- A security zone is a logical grouping that is bound to a physical interface
- There are pre-defined zones, and you can also create your own zones
- Pre-defined zones: trust, untrust, DMZ
- To permit traffic to flow from zone to zone, you bind an interface to the zone

Policies

- NetScreen devices secure a network by inspecting, and then allowing or denying, all connection attempts from one security zone to another
- Through the creation of policies, you can control the traffic flow from zone to zone
- Policies define the types of traffic permitted to pass from specified sources to specified destinations at scheduled times
- For any traffic to pass from one zone to another, there must be a policy that permits it

***By default, a NetScreen device denies all traffic in all directions***

A policy permits, denies, or tunnels specified types of traffic unidirectionally between two points.

Required Elements:
- Direction: the direction of traffic between two security zones (from a source zone to a destination zone)
- Source address: the address from which traffic initiates
- Destination address: the address to which traffic is sent
- Service: the type of traffic
- Action: permit, deny, or tunnel

Every policy has an ID number, whether you define one or the NetScreen automatically assigns it. You can only define an ID number for a policy through the set policy command in the CLI: set policy id number

Policy Example

The policy stated in the following CLI command permits FTP traffic from any address in the Trust zone to an FTP server named server1 in the DMZ zone:

set policy from trust to untrust any server1 ftp permit

- Direction: from trust to untrust (that is, from the Trust zone to the Untrust zone)
- Source Address: any (that is, any address in the Trust zone; the term any stands for a predefined address that applies to any address in a zone)
- Destination Address: server1 (a user-defined address in the Untrust zone address book)
- Service: ftp (File Transfer Protocol)
- Action: permit (the NetScreen device permits this traffic to traverse its firewall)
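As an added illustration of the five required policy elements and the default-deny rule described above (this is not code from the original training material or from ScreenOS), the following Python parses the two set policy lines quoted on this page and evaluates a flow against them. It assumes only the grammar subset shown in the page's examples, first-match ordering, and address matching by address-book name rather than by subnet.

```python
import shlex
from collections import namedtuple

# pid/name are None when the line carries no explicit 'id N' / 'name "X"'.
Policy = namedtuple("Policy", "pid name from_zone to_zone src dst service action options")

def parse_set_policy(line: str) -> Policy:
    """Parse one 'set policy ...' line. Grammar assumed from this page's examples
    (a subset of ScreenOS): set policy [id N] [name "X"] from Z to Z SRC DST SVC ACTION [opts]"""
    tok = shlex.split(line)  # shlex keeps quoted names like "ONEVIEW #13272" whole
    if tok[:2] != ["set", "policy"]:
        raise ValueError(f"not a set policy line: {line!r}")
    i, pid, name = 2, None, None
    while i < len(tok) and tok[i] != "from":
        if tok[i] == "id":
            pid, i = int(tok[i + 1]), i + 2
        elif tok[i] == "name":
            name, i = tok[i + 1], i + 2
        else:
            raise ValueError(f"unexpected token {tok[i]!r} in {line!r}")
    if len(tok) < i + 8 or tok[i + 2] != "to":
        raise ValueError(f"malformed policy: {line!r}")
    src, dst, svc, action = tok[i + 4:i + 8]
    if action not in ("permit", "deny", "tunnel"):
        raise ValueError(f"unknown action {action!r}")
    return Policy(pid, name, tok[i + 1].lower(), tok[i + 3].lower(),
                  src, dst, svc, action, tuple(tok[i + 8:]))

def lookup(policies, from_zone, to_zone, src, dst, service):
    """First policy matching the flow, else None. Matching is unidirectional (zone
    order matters); 'any' matches everything; addresses compare as book names."""
    def hit(field, value):
        return field.lower() == "any" or field == value
    for p in policies:
        if ((p.from_zone, p.to_zone) == (from_zone.lower(), to_zone.lower())
                and hit(p.src, src) and hit(p.dst, dst) and hit(p.service, service)):
            return p
    return None

def decide(policies, from_zone, to_zone, src, dst, service) -> str:
    """Resulting action; no matching policy means the device's default deny."""
    p = lookup(policies, from_zone, to_zone, src, dst, service)
    return p.action if p else "deny"

# The two policy lines quoted on this page, as parser input.
CONFIG = [
    'set policy from trust to untrust any server1 ftp permit',
    'set policy id 67 name "ONEVIEW #13272" from "Untrust" to "Trust" "Any" '
    '"166.37.217.172/32" "TCP-8700" permit count',
]
```

Reversing the zone order of a permitted flow, or asking for a service the policy does not name, falls through to the implicit deny.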

Services

- Services are objects that identify application protocols using layer 4 information, such as standard and accepted TCP and UDP port numbers for application services like Telnet, FTP, SMTP, and HTTP
- ScreenOS includes predefined core Internet services
- You can define custom services
- You can define policies that specify which services are permitted, denied, encrypted, authenticated, logged, or counted

Netscreen Process: Incoming Packet

1. Checks the incoming interface/source zone
2. Performs SCREEN operation (anomalous behavior)
3. Performs session lookup
   - If the packet matches an existing session, perform operation
   - If the packet does not match an existing session, go to the next step
4. MIP/VIP -> Host IP
5. Performs route lookup
6. Checks destination interface/destination zone
7. Performs policy lookup
   - Checks policy (Permit/Deny)
8. NAT
9. If permitted, it creates a session and performs the operation; if denied, it is dropped

Procedures

- User opens ticket for suspected filter problem or network issues between Verizon Core and VzB
- ENOC2L investigates and checks the firewall policy
- Contact the 4th Level IDN On-Call for any possible Netscreen problems, filter issues, or changes

***Only 4th Level IDN is allowed to make changes on the Netscreen at this time***

Filter Requests

- ALL filter requests from Verizon Core sites to VzB need to go through http://faas.verizon.com/
- Verizon Core FAAS will then contact VzB for any possible filter issues on the VzB side
- Users are opening firewall tickets on the IDN side
- Check IDN filter requests and implementations
- Verify they have opened a filter request on the Verizon Core side

To open a firewall request on the VzB IDN side, the customer must go to http://netconnect.mcilink.com:
- Click on Service Request
- Click on Filter & External Project Requests
- Click on Filter Change Request Form
- Fill out the form and be as specific as possible

Logging

- When you enable logging in a policy, the NetScreen device logs all connections to which that particular policy applies
- You can view the logs through either the WebUI or the CLI
- In the WebUI, click Reports > Policies > (for the policy whose log you want to see)
- In the CLI, use the get log traffic policy id_num command

Enable Logging

- Go to the WebUI
- Click on Policies
- Locate the correct policy number
- Click on Edit
- Click/check the box next to Logging
- Optional: at Session Beginning
- Go to policy

Show config include

Example:
sh config | include 166.37.217.172

set address Trust "166.37.217.172/32" 166.37.217.172 255.255.255.255 "OMZESMOH5.mcilink.com"
(associates the address with the Trust zone; the quoted string is the address-book name associated with the IP)

set policy id 67 name "ONEVIEW #13272" from "Untrust" to "Trust" "Any" "166.37.217.172/32" "TCP-8700" permit count
Meaning: from Verizon to IDN, any Verizon source IP to

show log traffic

show log traffic dst-ip 166.37.217.172

Example:
show log traffic dst-ip 166.37.217.172
PID 91, from Untrust to Trust, src 131.146.128.0/20 131.146.144.0/22, dst Any, service ANY, action Permit
Total traffic entries matched under this policy = 64
==================================================================================
Date       Time     Duration Source IP      Port Destination IP Port Service       Xlated Src IP  Port Xlated Dst IP  Port ID
==================================================================================
2006-05-30 18:36:11 0:01:29  131.146.128.20 1659 166.37.217.172 8700 TCP PORT 8700 131.146.128.20 1659 166.37.217.172 8700
2006-05-30 18:36:07 0:01:25  131.146.128.20 1663 166.37.217.172 8700 TCP PORT 8700 131.146.128.20 1663 166.37.217.172 8700
*******Output cut off; go to the Netscreen for the full output
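To make the traffic-log columns above usable off-box, here is an added Python parser (not part of the original material) for rows in this format. The sample re-joins the two rows quoted above onto single lines as the device prints them and adds a constructed third row whose destination was translated to 192.0.2.10 (a documentation address), which is how a MIP/VIP or NAT session shows up in the Xlated columns.

```python
import re
from collections import Counter

# Row pattern derived from the column header on this page:
# Date Time Duration Source IP Port Destination IP Port Service Xlated Src IP Port Xlated Dst IP Port ID
# The Service column can contain spaces ("TCP PORT 8700"), so it is matched
# non-greedily up to the first translated (Xlated) source address.
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
ROW = re.compile(
    rf"^(?P<date>\d{{4}}-\d{{2}}-\d{{2}})\s+(?P<time>\d{{2}}:\d{{2}}:\d{{2}})\s+"
    rf"(?P<duration>\d+:\d{{2}}:\d{{2}})\s+(?P<src>{IP})\s+(?P<sport>\d+)\s+"
    rf"(?P<dst>{IP})\s+(?P<dport>\d+)\s+(?P<service>.+?)\s+"
    rf"(?P<xsrc>{IP})\s+(?P<xsport>\d+)\s+(?P<xdst>{IP})\s+(?P<xdport>\d+)"
    rf"(?:\s+(?P<id>\d+))?\s*$"
)

def parse_traffic_log(text):
    """One dict per data row; the PID summary, header and '=' rules are skipped.
    'translated' is True when the session was NAT'd (MIP/VIP/NAT steps)."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        r = m.groupdict()
        for k in ("sport", "dport", "xsport", "xdport"):
            r[k] = int(r[k])
        r["translated"] = ((r["src"], r["sport"]) != (r["xsrc"], r["xsport"])
                           or (r["dst"], r["dport"]) != (r["xdst"], r["xdport"]))
        rows.append(r)
    return rows

def sessions_by_flow(rows):
    """Count matched sessions per (source IP, destination IP, destination port)."""
    return Counter((r["src"], r["dst"], r["dport"]) for r in rows)

# Constructed sample: the two rows quoted on this page, re-joined onto single lines,
# plus a third constructed row whose destination was translated to 192.0.2.10.
SAMPLE = """\
PID 91, from Untrust to Trust, src 131.146.128.0/20 131.146.144.0/22, dst Any, service ANY, action Permit
Total traffic entries matched under this policy = 3
==============================================================================
Date Time Duration Source IP Port Destination IP Port Service Xlated Src IP Port Xlated Dst IP Port ID
==============================================================================
2006-05-30 18:36:11 0:01:29 131.146.128.20 1659 166.37.217.172 8700 TCP PORT 8700 131.146.128.20 1659 166.37.217.172 8700
2006-05-30 18:36:07 0:01:25 131.146.128.20 1663 166.37.217.172 8700 TCP PORT 8700 131.146.128.20 1663 166.37.217.172 8700
2006-05-30 18:35:50 0:00:12 131.146.144.9 40211 166.37.217.172 8700 TCP PORT 8700 131.146.144.9 40211 192.0.2.10 8700
"""
```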

The TLS 1.0 option should NOT be checked in your Internet Explorer settings. Please follow the instructions below before connecting to the site to assure that this setting is correct.
- Open Internet Explorer
- Select Tools
- Select Internet Options
- Select the Advanced tab
- Scroll down to the Security section
- Locate TLS 1.0 and assure it is NOT checked

Open your browser and go to https://vzbgw.mcilink.com

You will be prompted to log in with your OneWorld Number (not User ID) and OneWorld Password (instructions on how to locate this information are below).

Once you see the following page, you are successfully connected to the Verizon Business Network and may close the window and begin accessing Verizon Business resources.

Open your browser and go to https://OneWorld.mcilink.com
Select "To edit your contact information, please click here"
Your OneWorld number is located in the banner of the next page.

If you do not know your OneWorld password:
- Open your browser and go to https://OneWorld.mcilink.com
- Select Password Reset and follow the instructions.
