ProSafe Gigabit Quad WAN
SSL VPN Firewall SRX5308
CLI Reference Manual
350 East Plumeria Drive
San Jose, CA 95134
USA
August 2012
202-11138-01
v1.0
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
© 2012 NETGEAR, Inc. All rights reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated
into any language in any form or by any means without the written permission of NETGEAR, Inc.
NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of
NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change
without notice. Other brand and product names are registered trademarks or trademarks of their respective
holders. © 2012 All rights reserved.
Technical Support
Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or
for more information about the topics covered in this manual, visit the Support website at
http://support.netgear.com.
Phone (US & Canada only): 1-888-NETGEAR
Phone (Other Countries): Check the list of phone numbers at
http://support.netgear.com/app/answers/detail/a_id/984.
Statement of Conditions
To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes
to the products described in this document without notice. NETGEAR does not assume any liability that may occur
due to the use, or application of, the product(s) or circuit layout(s) described herein.
Revision History
Publication Part Number   Version   Publish Date   Comments
202-11138-01              1.0       August 2012    First publication
Contents
Chapter 1 Introduction
Command Syntax and Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Command Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Description of a Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Common Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
The Four Categories of Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
The Four Main Modes for Configuration Commands . . . . . . . . . . . . . . . . . 10
Save Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Global Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
The Three Basic Types of Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Command Autocompletion and Command Abbreviation . . . . . . . . . . . . . . 15
CLI Line-Editing Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Access the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Chapter 2 Overview of the Configuration Commands
Network Settings (Net Mode) Configuration Commands . . . . . . . . . . . . . . 17
Security Settings (Security Mode) Configuration Commands . . . . . . . . . . 20
Administrative and Monitoring Settings (System Mode) Configuration Commands . . . . . . . . . . . . . . . . . . . 23
VPN Settings (VPN Mode) Configuration Commands . . . . . . . . . . . . . . . . 24
Chapter 3 Net Mode Configuration Commands
General WAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
IPv4 WAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
IPv6 WAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
IPv6 Tunnel Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Dynamic DNS Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
IPv4 LAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
IPv6 LAN Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
IPv4 DMZ Setup Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
IPv6 DMZ Setup Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
WAN QoS Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
IPv4 Routing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
IPv6 Routing Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
Chapter 4 Security Mode Configuration Commands
Security Services Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Security Schedules Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
IPv4 Add Firewall Rule and Edit Firewall Rule Commands . . . . . . . . . . . 112
IPv4 General Firewall Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
IPv6 Firewall Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Attack Check Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Session Limit, Time-Out, and Advanced Commands. . . . . . . . . . . . . . . . 165
Address Filter and IP/MAC Binding Commands . . . . . . . . . . . . . . . . . . . 168
Port Triggering Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
UPnP Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Bandwidth Profile Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
Content Filtering Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Chapter 5 System Mode Configuration Commands
Remote Management Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
SNMP Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
Time Zone Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
WAN Traffic Meter Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
Firewall Logs and Email Alerts Commands . . . . . . . . . . . . . . . . . . . . . . . 201
Chapter 6 VPN Mode Configuration Commands
IPSec VPN Wizard Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
IPSec IKE Policy Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
IPSec VPN Policy Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
IPSec VPN Mode Config Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
SSL VPN Portal Layout Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
SSL VPN Authentication Domain Commands . . . . . . . . . . . . . . . . . . . . . 234
SSL VPN Authentication Group Commands . . . . . . . . . . . . . . . . . . . . . . 238
SSL VPN User Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
SSL VPN Port Forwarding Commands . . . . . . . . . . . . . . . . . . . . . . . . . . 246
SSL VPN Client and Client Route Commands. . . . . . . . . . . . . . . . . . . . . 248
SSL VPN Resource Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
SSL VPN Policy Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
RADIUS Server Command. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
PPTP Server Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
L2TP Server Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266
Chapter 7 Overview of the Show Commands
Network Settings (Net Mode) Show Commands . . . . . . . . . . . . . . . . . . . 267
Security Settings (Security Mode) Show Commands. . . . . . . . . . . . . . . . 269
Administrative and Monitoring Settings (System Mode) Show Commands . . . . . . . . . . . . . . . . . . . . . . . 270
VPN Settings (VPN Mode) Show Commands . . . . . . . . . . . . . . . . . . . . . 271
Chapter 8 Show Commands
Network Settings (Net Mode) Show Commands . . . . . . . . . . . . . . . . . . . 273
WAN IPv4 and WAN IPv6 Show Commands . . . . . . . . . . . . . . . . . . . . 273
IPv6 Mode, IPv6 Tunnel, and SIIT Show Commands . . . . . . . . . . . . . 277
LAN DHCP Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Dynamic DNS Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279
IPv4 LAN Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280
IPv6 LAN Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
DMZ Show Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 286
Routing Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
Network Statistics Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Security Settings (Security Mode) Show Commands. . . . . . . . . . . . . . . . 290
Services Show Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 290
Schedules Show Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Firewall Rules Show Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292
Attack Checks Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
Session Limits Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
Advanced Firewall Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Address Filter Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Port Triggering Show Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
UPnP Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Bandwidth Profiles Show Command . . . . . . . . . . . . . . . . . . . . . . . . . . 298
Content Filtering Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Administrative and Monitoring Settings (System Mode) Show Commands . . . . . . . . . . . . . . . . . . . . . . . 300
Remote Management Show Command . . . . . . . . . . . . . . . . . . . . . . . . 301
SNMP Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 301
Time Show Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Firmware Version Show Command . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
Status Show Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
WAN Traffic Meter Show Command. . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Logging Configuration Show Commands . . . . . . . . . . . . . . . . . . . . . . . 307
Logs Show Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 309
VPN Settings (VPN Mode) Show Commands . . . . . . . . . . . . . . . . . . . . . 311
IPSec VPN Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
SSL VPN Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313
SSL VPN User Show Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316
RADIUS Server Show Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
PPTP Server Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
L2TP Server Show Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Chapter 9 Utility Commands
Overview Util Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Firmware Backup, Restore, and Upgrade Commands. . . . . . . . . . . . . . . 322
Diagnostic Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
CLI Command Index
1. Introduction
This document describes the command-line interface (CLI) for the NETGEAR ProSafe Gigabit
Quad WAN SSL VPN Firewall SRX5308.
This chapter introduces the CLI interface. It includes the following sections:
• Command Syntax and Conventions
• The Four Categories of Commands
• The Four Main Modes for Configuration Commands
• Global Commands
• The Three Basic Types of Commands
• Command Autocompletion and Command Abbreviation
• Access the CLI
Note: For more information about the topics covered in this manual, visit the support website at http://support.netgear.com.
Note: For more information about the features that you can configure using the CLI, see the ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Reference Manual.
Note: You cannot generate and upload a certificate through the CLI. You need to access the web management interface to manage these tasks.
Command Syntax and Conventions
A command is one or more words that can be followed by one or more keywords and
parameters. Keywords and parameters can be required or optional:
• A keyword is a predefined string (word) that narrows down the scope of a command. A keyword can be followed by an associated parameter or by associated keywords. In many cases, these associated keywords are mutually exclusive, so you need to select one of them. In some cases, this manual refers to a group of words as a keyword.
• A parameter is a variable for which you need to type a value. You need to replace the parameter name with the appropriate value, which might be a name or number. A parameter can be associated with a command or with a keyword.
This manual lists each command by its full command name and provides a brief description
of the command. In addition, for each command, the following information is provided:
• Format. Shows the command keywords and the required and optional parameters.
• Mode. Identifies the command mode you need to be in to access the command. (With some minor exceptions, the mode is always described using lower-case letters.)
• Related show command or commands. Identifies and links to the show command or commands that can display the configured information.
For more complicated commands, in addition to the format, mode, and related show command or commands, the following information is provided:
• Table. Explains the keywords and parameters that you can use for the command.
• Example. Shows a CLI example for the command.
Command Conventions
In this manual, the following type font conventions are used:
• A command name is stated in bold font.
• A keyword name is stated in bold font.
• A parameter name is stated in italic font.
The keywords and parameters for a command might include mandatory values, optional
values, or choices. The following table describes the conventions that this manual uses to
distinguish between value types:
Table 1. Command conventions
Symbol                  Example                 Description
< > angle brackets      <value>                 Indicate that you need to enter a value in place of the brackets and text inside them. (value is the parameter.)
[ ] square brackets     [value]                 Indicate an optional parameter that you can enter in place of the brackets and text inside them. (value is the parameter.)
{ } curly braces        {choice1 | choice2}     Indicate that you need to select a keyword from the list of choices. (choice1 and choice2 are keywords.)
| vertical bars         choice1 | choice2       Separate the mutually exclusive choices. (choice1 and choice2 are keywords.)
[ { } ] braces within   [{choice1 | choice2}]   Indicate a choice within an optional element. (choice1 and choice2 are keywords.)
  square brackets
Description of a Command
The following example describes the net radvd pool lan edit <row id> command:
net radvd pool lan edit is the command name.
<row id> is the required parameter for which you need to enter a value after you type the command words.
The command lets you enter the net-config [radvd-pool-lan] mode, from which you can issue the following keywords and parameters:
prefix_type {6To4 {sla_id <id number>} | {Global-Local-ISATAP} {prefix_address <ipv6-address>} {prefix_length <prefix length>}}
prefix_life_time <seconds>
Explanation of the keywords and parameters:
prefix_type is a keyword. The required associated keyword that you need to select is either 6To4 or Global-Local-ISATAP.
• If you select 6To4, you also need to issue the sla_id keyword and enter a value for the <id number> parameter.
• If you select Global-Local-ISATAP, you also need to issue the prefix_address keyword and enter a value for the <ipv6-address> parameter, and you need to issue the prefix_length keyword and enter a value for the <prefix length> parameter.
prefix_life_time is a keyword. <seconds> is the required parameter for which you need to enter a value.
Command example:
SRX5308> net radvd pool lan edit 12
net-config[radvd-pool-lan]> prefix_type Global-Local-ISATAP
net-config[radvd-pool-lan]> prefix_address 10FA:2203:6145:4201::
net-config[radvd-pool-lan]> prefix_length 10
net-config[radvd-pool-lan]> prefix_life_time 3600
net-config[radvd-pool-lan]> save
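The format notation used throughout this manual (<parameter>, [optional], {choice1 | choice2}, and braces within brackets) is regular enough to be checked mechanically, which is useful when configuration lines are generated by a script and pushed to the CLI: a malformed line can be caught before it reaches the device. The following Python module is an added example and is not part of the NETGEAR manual or the device firmware. It parses a format string written in this manual's notation into a small grammar and reports whether a typed command line fits it. Assumptions: keyword matching is exact and case-sensitive, any single token satisfies a parameter (the value itself is not range-checked), and names containing spaces are double-quoted as described under Common Parameters. The format strings RADVD_POOL_FORMAT, OUTBOUND_POLICY_FORMAT and VPN_DISABLE_FORMAT are taken from this chapter; SAMPLE_OPTIONAL_FORMAT and all command lines checked against the formats are constructed sample input.

```python
"""Check a typed CLI line against a command format written in this manual's notation.

Added example, not part of the NETGEAR manual or firmware. The notation:
  <value>       required parameter (any single word, or a "quoted name")
  [ ... ]       optional element
  { a | b }     mandatory choice between alternatives
  [{ a | b }]   optional choice
Keywords must match exactly (assumed to be case-sensitive).
"""
import re
import shlex

# One notation token: a <parameter>, a structural symbol, or a keyword.
_TOKEN = re.compile(r"<[^>]+>|[\[\]{}|]|[^\s\[\]{}|<>]+")

# Format strings quoted from this chapter of the manual.
RADVD_POOL_FORMAT = ("prefix_type {6To4 {sla_id <id number>} | {Global-Local-ISATAP} "
                     "{prefix_address <ipv6-address>} {prefix_length <prefix length>}}")
OUTBOUND_POLICY_FORMAT = "security firewall ipv4 default_outbound_policy {Allow | Block}"
VPN_DISABLE_FORMAT = "vpn ipsec vpnpolicy disable <vpn policy name>"
# Constructed, hypothetical format used only to exercise braces within brackets.
SAMPLE_OPTIONAL_FORMAT = "example_command <name> [{verbose | quiet}]"


def parse_format(fmt):
    """Parse a format string into a tree of (kind, payload) nodes.

    Kinds: 'seq' (list of nodes), 'kw' (keyword text), 'param' (parameter name),
    'opt' and 'choice' (list of alternative 'seq' nodes).
    """
    tokens = _TOKEN.findall(fmt)
    pos = 0

    def alternatives(closer):
        # Parse "a | b | c" up to the matching closer and consume the closer.
        nonlocal pos
        alts = [sequence({"|", closer})]
        while pos < len(tokens) and tokens[pos] == "|":
            pos += 1
            alts.append(sequence({"|", closer}))
        if pos >= len(tokens) or tokens[pos] != closer:
            raise ValueError("missing %r in format %r" % (closer, fmt))
        pos += 1
        return alts

    def sequence(stop):
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] not in stop:
            tok = tokens[pos]
            pos += 1
            if tok == "[":
                items.append(("opt", alternatives("]")))
            elif tok == "{":
                items.append(("choice", alternatives("}")))
            elif tok in ("]", "}", "|"):
                raise ValueError("unexpected %r in format %r" % (tok, fmt))
            elif tok.startswith("<"):
                items.append(("param", tok[1:-1]))
            else:
                items.append(("kw", tok))
        return ("seq", items)

    return sequence(set())


def _ends(node, words, pos):
    """Yield each index up to which `node` can consume `words`, starting at `pos`."""
    kind, payload = node
    if kind == "kw":
        if pos < len(words) and words[pos] == payload:
            yield pos + 1
    elif kind == "param":
        if pos < len(words):          # any single value satisfies a parameter
            yield pos + 1
    elif kind == "seq":
        ends = {pos}
        for item in payload:          # thread every reachable position through each item
            ends = {e for p in ends for e in _ends(item, words, p)}
            if not ends:
                return
        yield from ends
    else:                             # 'opt' or 'choice'
        if kind == "opt":
            yield pos                 # the element may be left out entirely
        for alt in payload:
            yield from _ends(alt, words, pos)


def matches(fmt, command_line):
    """True if the command line fits the format; a "quoted name" counts as one value."""
    words = shlex.split(command_line)
    return len(words) in set(_ends(parse_format(fmt), words, 0))
```

The check is structural only: it tells you that `prefix_type Global-Local-ISATAP prefix_length 10` is missing the prefix_address keyword the format requires, but it does not know that 10 is a plausible prefix length. The quoting rule is visible in the last format: `vpn ipsec vpnpolicy disable "Branch Office"` fits, while the same line without quotes is two tokens where the format allows one.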
Common Parameters
Parameter values might be names (strings) or numbers. To use spaces as part of a name
parameter, enclose the name value in double quotes. For example, the expression “System
Name with Spaces” forces the system to accept the spaces. Empty strings (“”) are not valid
user-defined strings. The following table describes common parameter values and value
formatting:
Table 2. Common parameters
Parameter          Description
ipaddr             This parameter is a valid IPv4 address. You need to enter the IP address in the a.b.c.d format, in which each octet is a number in the range from 0 to 255 (both inclusive), for example, 10.12.140.218.
                   The CLI accepts decimal, hexadecimal, and octal formats through the following input formats (where n is any valid decimal, hexadecimal, or octal number):
                   • 0xn (CLI assumes hexadecimal format)
                   • 0n (CLI assumes octal format with leading zeros)
                   • n (CLI assumes decimal format)
ipv6-address       This parameter is a valid IPv6 address. You can enter the IPv6 address in the following formats:
                   • FE80:0000:0000:0000:020F:24FF:FEBF:DBCB, or
                   • FE80:0:0:0:20F:24FF:FEBF:DBCB, or
                   • FE80::20F:24FF:FEBF:DBCB, or
                   • FE80:0:0:0:20F:24FF:128.141.49.32 (mixed notation with an embedded IPv4 address)
                   For additional information, see RFC 3513.
Character strings  Use double quotation marks to identify character strings, for example, "System Name with Spaces". An empty string ("") is not valid.
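The octet rules above matter in practice because a leading zero changes how an octet is read: 010 is octal 8, not decimal 10, so an address copied from a tool that prints zero-padded octets can silently land a firewall rule or binding on a different host or network. The following Python module is an added example, not NETGEAR's code or the device's own parser; it encodes the rules Table 2 states for ipaddr octets (0xn hexadecimal, 0n octal, n decimal), flags leading-zero octets whose CLI value differs from a naive decimal reading, and canonicalizes the listed ipv6-address spellings with the standard library's ipaddress module (the form with an embedded IPv4 address is RFC 3513's mixed notation). The addresses used are the manual's examples plus constructed sample input.

```python
"""Normalize the ipaddr and ipv6-address spellings this CLI accepts (Table 2).

Added example, not NETGEAR's code. It implements the rules as the manual
states them, so an operator can see the address the device will store before
pasting a command.
"""
import ipaddress


def parse_cli_octet(text):
    """Interpret one dotted-quad octet the way Table 2 says the CLI does."""
    if text.lower().startswith("0x"):
        value = int(text, 16)          # 0xn: hexadecimal
    elif len(text) > 1 and text.startswith("0"):
        value = int(text, 8)           # 0n: octal; int() rejects digits 8 and 9
    else:
        value = int(text, 10)          # n: decimal (a lone "0" lands here)
    if not 0 <= value <= 255:
        raise ValueError("octet %r is outside 0-255" % text)
    return value


def normalize_cli_ipv4(text):
    """Return the dotted-decimal form the CLI will store for an ipaddr value."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError("ipaddr needs four octets: %r" % text)
    return ".".join(str(parse_cli_octet(p)) for p in parts)


def is_valid_cli_ipv4(text):
    """True if every octet parses under the CLI's rules and is in range."""
    try:
        normalize_cli_ipv4(text)
    except ValueError:
        return False
    return True


def leading_zero_surprises(text):
    """List (octet, cli_value, decimal_value) for octets read differently than decimal.

    Only octets with a leading zero (and no 0x prefix) can differ; an octet such
    as "08" is not valid octal and raises ValueError, as the CLI would reject it.
    """
    surprises = []
    for part in text.split("."):
        if len(part) > 1 and part.startswith("0") and not part.lower().startswith("0x"):
            cli_value = parse_cli_octet(part)
            decimal_value = int(part, 10)
            if cli_value != decimal_value:
                surprises.append((part, cli_value, decimal_value))
    return surprises


def normalize_cli_ipv6(text):
    """Return the compressed canonical form of any ipv6-address spelling in Table 2."""
    return str(ipaddress.IPv6Address(text))


if __name__ == "__main__":
    # Constructed sample input: the manual's example address written three ways,
    # plus a zero-padded address of the kind other tools emit.
    for spelling in ("10.12.140.218", "0xA.014.0x8c.218", "010.12.140.218"):
        print(spelling, "->", normalize_cli_ipv4(spelling), leading_zero_surprises(spelling))
    print(normalize_cli_ipv6("FE80:0:0:0:20F:24FF:128.141.49.32"))
```

Running normalize_cli_ipv4 over a batch of addresses before they go into firewall rules or IP/MAC bindings turns the octal ambiguity into an explicit check: anything returned by leading_zero_surprises deserves a second look, and anything rejected by is_valid_cli_ipv4 would have been rejected by the CLI as well.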
The Four Categories of Commands
There are four CLI command categories:
• Configuration commands with four main configuration modes (for more information, see the following section, The Four Main Modes for Configuration Commands). Save commands also fall into this category (see Save Commands on page 12).
• Show commands that are available for the four main configuration modes (see Chapter 7, Overview of the Show Commands and Chapter 8, Show Commands).
• Utility commands (see Chapter 9, Utility Commands).
• Global commands (see Global Commands on page 13).
The Four Main Modes for Configuration Commands
For the configuration commands, there are four main modes in the CLI: net, security, system,
and vpn. Chapter 2, Overview of the Configuration Commands lists all commands in these
modes, and each of these modes is described in detail in a separate chapter (see Chapter 3
through Chapter 6).
The following table lists the main configuration modes, the configuration modes, the features
that you can configure in each configuration mode, and, for orientation, the basic web
management interface (GUI) path to the feature.
Table 3. Main configuration modes
CLI Main Mode | CLI Submode | Feature That You Can Configure | Web Management Interface (GUI) Basic Path
Network configuration commands
net | ddns | Dynamic DNS | Network Configuration > Dynamic DNS
net | dmz | DMZ for IPv4; DMZ for IPv6 | Network Configuration > DMZ Setup
net | ethernet | VLAN assignment to LAN interface | Network Configuration > LAN Setup
net | ipv6 | IPv4 or IPv4/IPv6 mode | Network Configuration > WAN Settings
net | ipv6_tunnel | IPv6 tunnels | Network Configuration > WAN Settings
net | lan | IPv4 LAN settings and VLANs; LAN groups for IPv4; Secondary IPv4 LAN addresses; Advanced IPv4 LAN settings; Fixed and reserved DHCP IPv4 addresses; LAN IPv4 traffic meter profiles; IPv6 LAN settings; Secondary IPv6 LAN addresses; IPv6 LAN DHCP address pools; IPv6 prefix delegation for the LAN | Network Configuration > LAN Setup
net | protocol_binding | Protocol bindings | Network Configuration > Protocol Binding
net | qos | WAN QoS profiles | Network Configuration > QoS
net | radvd | IPv6 RADVD and pools for the LAN; IPv6 RADVD and pools for the DMZ | Network Configuration > LAN Setup; Network Configuration > DMZ Setup
net | routing | Dynamic IPv4 routes; Static IPv4 routes; Static IPv6 routes | Network Configuration > Routing
net | siit | Stateless IP/ICMP Translation | Network Configuration > SIIT
net | wan | IPv4 WAN (Internet) settings; Secondary IPv4 WAN addresses; IPv6 WAN (Internet) settings; MTU, port speed, and MAC address, failure detection method, and upload/download settings | Network Configuration > WAN Settings
net | wan_settings | NAT or Classical Routing; Load balancing settings for IPv4 | Network Configuration > WAN Settings
Security configuration commands
security | address_filter | Source MAC filters; IP/MAC bindings for IPv4; IP/MAC bindings for IPv6 | Security > Address Filter
security | bandwidth | Bandwidth profiles | Security > Bandwidth Profile
security | content_filter | Group filtering; Blocked keywords; Web components; Trusted domains | Security > Content Filtering
security | firewall | All IPv4 firewall rules; All IPv6 firewall rules; Attack checks; Session limits and time-outs; SIP ALG | Security > Firewall
security | porttriggering_rules | | Security > Port Triggering
security | schedules | | Security > Schedule
security | services | Custom services; LAN and WAN IP groups; LAN QoS profiles | Security > Services
security | upnp | | Security > UPnP
Administration and monitoring configuration commands
system | logging | | Monitoring > Firewall Logs & E-mail
system | remote_management | | Administration > Remote Management
system | snmp | | Administration > SNMP
system | time | | Administration > Time Zone
system | traffic_meter | WAN traffic meters | Monitoring > Traffic Meter
VPN configuration commands
vpn | ipsec | IKE policies; VPN policies; VPN IPSec Wizard; Mode Config records; RADIUS servers | VPN > IPSec VPN
vpn | l2tp | L2TP server | VPN > L2TP Server
vpn | pptp | PPTP server | VPN > PPTP Server
vpn | sslvpn | SSL policies; Resources and resource objects; Portal layouts; SSL VPN clients; Client routes; Port forwarding | VPN > SSL VPN
vpn | sslvpn | Domains; Groups; User accounts; User login and IP policies | Users
Save Commands
The following table describes the configuration commands that let you save or cancel
configuration changes in the CLI. You can use these commands in any of the four main
configuration modes. These commands are not preceded by a period.
Table 4. Save commands
Command   Description
save      Save the configuration changes.
exit      Save the configuration changes and exit the current configuration mode.
cancel    Roll back the configuration changes.
Commands That Require Saving
After you have issued a command that includes the word configure, add, or edit, you enter a configuration mode from which you can issue keywords and associated parameters. These are examples of commands for which you need to save your changes:
• net lan ipv4 configure <vlan id> lets you enter the net-config [lan-ipv4] configuration mode. After you have made your changes, issue save or exit to save them.
• security content_filter trusted_domain add lets you enter the security-config [approved-urls] configuration mode. After you have made your changes, issue save or exit to save them.
• vpn sslvpn users groups add lets you enter the vpn-config [user-groups] configuration mode. After you have made your changes, issue save or exit to save them.
Commands That Do Not Require Saving
You do not need to save your changes after you have issued a command that deletes, disables, or enables a row ID, name, IP address, or MAC address, or that lets you make a configuration change without entering another configuration mode. These are examples of commands that you do not need to save:
• net lan dhcp reserved_ip delete <mac address>
• vpn ipsec vpnpolicy disable <vpn policy name>
• security firewall ipv4 enable <row id>
• security firewall ipv4 default_outbound_policy {Allow | Block}
Global Commands
The following table describes the global commands that you can use anywhere in the CLI.
These commands need to be preceded by a period.
Table 5. Global CLI commands
Command    Description
.exit      Exit the current session.
.help      Display an overview of the CLI syntax.
.top       Return to the default command mode or root.
.reboot    Reboot the system.
.history   Display the command-line history of the current session.
The Three Basic Types of Commands
You can encounter the following three basic types of commands in the CLI:
• Entry commands to enter a configuration mode. Commands that let you enter a configuration mode from which you can configure various keywords and associated parameters and keywords. For example, the net wan wan1 ipv4 configure command lets you enter the net-config [wan1-ipv4] mode, from which you can configure the IPv4 WAN settings.
This type of command is the most common in the CLI and is always indicated by two steps in this manual, each one showing the format and mode:
Step 1
Format   net wan wan ipv4 configure <wan interface>
Mode     net
Step 2
Format   This section shows the keywords and associated parameters, for example:
         isp_connection_type {STATIC | DHCPC | PPPoE | PPTP}
Mode     net-config [wan1-ipv4]
Sometimes, you need to enter a parameter to enter a configuration mode. For example, security schedules edit <row id> requires you to enter the row ID parameter to enter the security-config [schedules] mode, from which you can modify various keywords and associated parameters and keywords.
• Commands with a single parameter. Commands that require you to supply one or more parameters and that do not let you enter another configuration mode. The parameter is usually a row ID or a name. For example, security firewall ipv4 delete <row id> requires you to enter the row ID parameter to delete the firewall rule.
For this type of command, the format and mode are shown in this manual:
Format   security firewall ipv4 delete <row id>
Mode     security
• Commands without parameters. Commands that do not require you to supply a parameter after the command and that do not let you enter another configuration mode. For example, util restore_factory_defaults does not require parameters.
For this type of command also, the format and mode are shown in this manual:
Format   util restore_factory_defaults
Mode     util
Command Autocompletion and Command Abbreviation
Command autocompletion finishes spelling the command when you type enough letters of a
command to uniquely identify the command keyword. You need to type all of the required
keywords and parameters before you can use autocompletion.
The following keys both perform autocompletion for the current command. If the command prefix is not unique, a subsequent repeat of the key displays possible completions.
• Enter or Return key. Autocompletes, syntax-checks, and then executes the command. If there is a syntax error, the offending part of the command is highlighted and explained.
• Spacebar. Autocompletes, or if the command is already resolved, inserts a space.
CLI Line-Editing Conventions
The following table describes the key combinations that you can use to edit commands or
increase the speed of command entry. Access this list from the CLI by issuing .help.
Table 6. CLI editing conventions
Key or Key Sequence   Description
Invoking context-sensitive help
?                     Displays context-sensitive help. The information that displays consists either of a list of possible command completions with summaries or of the full syntax of the current command. When a command has been resolved, a subsequent repeat of the help key displays a detailed reference.
Autocompleting
Note: Command autocompletion finishes spelling the command when you type enough letters of a command to uniquely identify the command keyword. However, you need to type all of the required keywords and parameters before you use autocompletion.
Enter (or Return)     Autocompletes, syntax-checks, and then executes a command. If there is a syntax error, the offending part of the command line is highlighted and explained. If the command prefix is not unique, a subsequent repeat of the key displays possible completions.
Spacebar              Autocompletes, or if the command is already resolved, inserts a space. If the command prefix is not unique, a subsequent repeat of the key displays possible completions.
Moving around
Ctrl-A                Go to the beginning of the line.
Ctrl-E                Go to the end of the line.
Up arrow              Go to the previous line in the history buffer.
Down arrow            Go to the next line in the history buffer.
Left arrow            Go backward one character.
Right arrow           Go forward one character.
Deleting
Ctrl-C                Delete the entire line.
Ctrl-D                Delete the next character.
Ctrl-K                Delete all characters to the end of the line from where the cursor is located.
Backspace             Delete the previous character.
Invoking escape sequences
!!                    Substitute the previous line.
!N                    Substitute the Nth line, in which N is the absolute line number as displayed in the output of the history command.
!-N                   Substitute the line that is located N lines before the current line, in which N is a relative number in relation to the current line.
Access the CLI
You can access the CLI by logging in with the same user credentials (user name and
password) that you use to access the web management interface. SRX5308> is the CLI
prompt.
SRX5308 login: admin
Password:
************************************************
Welcome to SRX5308 Command Line Interface
************************************************
SRX5308>
2. Overview of the Configuration Commands
This chapter provides an overview of all configuration commands in the four configuration
command modes. The keywords and associated parameters that are available for these
commands are explained in the following chapters. The chapter includes the following sections:
• Network Settings (Net Mode) Configuration Commands
• Security Settings (Security Mode) Configuration Commands
• Administrative and Monitoring Settings (System Mode) Configuration Commands
• VPN Settings (VPN Mode) Configuration Commands
Network Settings (Net Mode) Configuration Commands

Enter the net ? command at the CLI prompt to display the submodes in the net mode. The
following table lists the submodes and their commands in alphabetical order:

Table 7. Net mode configuration commands

Submode: ddns
  net ddns configure                                   Enable, configure, or disable DDNS service.

Submode: dmz
  net dmz ipv4 configure                               Enable, configure, or disable the IPv4 DMZ.
  net dmz ipv6 configure                               Enable, configure, or disable the IPv6 DMZ.
  net dmz ipv6 pool configure <ipv6 address>           Configure a new or existing IPv6 DMZ DHCP address pool.
  net dmz pool ipv6 delete <ipv6 address>              Delete an IPv6 DMZ DHCP address pool.

Submode: ethernet
  net ethernet configure <interface name or number>    Configure a VLAN for a LAN interface.

Submode: ipv6
  net ipv6 ipmode configure                            Configure the IP mode (IPv4 only or IPv4/IPv6).

Submode: ipv6_tunnel
  net ipv6_tunnel isatap add                           Configure a new IPv6 ISATAP tunnel.
  net ipv6_tunnel isatap delete <row id>               Delete an IPv6 ISATAP tunnel.
  net ipv6_tunnel isatap edit <row id>                 Configure an existing IPv6 ISATAP tunnel.
  net ipv6_tunnel six_to_four configure                Enable or disable automatic (6to4) tunneling.

Submode: lan
  net lan dhcp reserved_ip configure <mac address>     Bind a MAC address to an IP address for DHCP reservation
                                                       or change an existing binding, and assign a LAN group.
  net lan dhcp reserved_ip delete <mac address>        Delete the binding of a MAC address to an IP address.
  net lan ipv4 advanced configure                      Configure advanced LAN settings such as the MAC address
                                                       for VLANs and ARP broadcast.
  net lan ipv4 configure <vlan id>                     Configure a new or existing VLAN.
  net lan ipv4 default_vlan                            Configure the default VLAN for each port.
  net lan ipv4 delete <vlan id>                        Delete a VLAN.
  net lan ipv4 disable <vlan id>                       Disable a VLAN.
  net lan ipv4 enable <vlan id>                        Enable a VLAN.
  net lan ipv4 multi_homing add                        Configure a new secondary IPv4 address.
  net lan ipv4 multi_homing delete <row id>            Delete a secondary IPv4 address.
  net lan ipv4 multi_homing edit <row id>              Configure an existing secondary IPv4 address.
  net lan ipv4 traffic_meter configure <ip address>    Configure a traffic meter profile for an IPv4 address.
  net lan ipv4 traffic_meter delete <row id>           Delete a traffic meter profile.
  net lan ipv6 configure                               Configure the IPv6 LAN address settings and DHCPv6.
  net lan ipv6 multi_homing add                        Configure a new secondary IPv6 address.
  net lan ipv6 multi_homing delete <row id>            Delete a secondary IPv6 address.
  net lan ipv6 multi_homing edit <row id>              Configure an existing secondary IPv6 address.
  net lan ipv6 pool add                                Configure a new IPv6 LAN DHCP address pool.
  net lan ipv6 pool delete <row id>                    Delete an IPv6 LAN DHCP address pool.
  net lan ipv6 pool edit <row id>                      Configure an existing IPv6 LAN DHCP address pool.
  net lan ipv6 prefix_delegation add                   Configure a new prefix for IPv6 LAN prefix delegation.
  net lan ipv6 prefix_delegation delete <row id>       Delete a prefix for IPv6 LAN prefix delegation.
  net lan ipv6 prefix_delegation edit <row id>         Configure an existing prefix for IPv6 LAN prefix delegation.
  net lan lan_groups edit <row id> <new group name>    Change an existing LAN default group name.

Submode: protocol_binding
  net protocol_binding add                             Configure a new protocol binding.
  net protocol_binding delete                          Delete a protocol binding.
  net protocol_binding disable                         Disable a protocol binding.
  net protocol_binding edit <row id>                   Configure an existing protocol binding.
  net protocol_binding enable                          Enable a protocol binding.

Submode: qos
  net qos configure                                    Configure the QoS mode for the WAN interfaces.
  net qos profile add                                  Configure a new WAN QoS profile.
  net qos profile delete <row id>                      Delete a WAN QoS profile.
  net qos profile disable <row id>                     Disable a WAN QoS profile.
  net qos profile edit <row id>                        Configure an existing WAN QoS profile.
  net qos profile enable <row id>                      Enable a WAN QoS profile.

Submode: radvd
  net radvd configure dmz                              Configure the IPv6 RADVD for the DMZ.
  net radvd configure lan                              Configure the IPv6 RADVD for the LAN.

Submode: routing
  net routing dynamic configure                        Configure RIP and the associated MD5 key information.
  net routing static ipv4 configure <route name>       Configure a new or existing IPv4 static route.
  net routing static ipv4 delete <route name>          Delete an IPv4 static route.
  net routing static ipv4 delete_all                   Delete all IPv4 routes.
  net routing static ipv6 configure <route name>       Configure a new or existing IPv6 static route.
  net routing static ipv6 delete <route name>          Delete an IPv6 static route.
  net routing static ipv6 delete_all                   Delete all IPv6 routes.

Submode: siit
  net siit configure                                   Configure Stateless IP/ICMP Translation.

Submode: wan
  net wan port_setup configure <wan interface>         Configure the MTU, port speed, and MAC address of the
                                                       VPN firewall.
  net wan wan ipv4 configure <wan interface>           Configure the IPv4 settings of the WAN interface.
  net wan wan ipv4 secondary_address add <wan interface>   Configure a secondary IPv4 WAN address.
  net wan wan ipv4 secondary_address delete <row id>   Delete a secondary IPv4 WAN address.
  net wan wan ipv6 configure <wan interface>           Configure the IPv6 settings of the WAN interface.

Submode: wan_settings
  net wan_settings load_balancing configure            Configure the load balancing settings for two WAN
                                                       interfaces that are configured for IPv4.
  net wan_settings wanmode configure                   Configure the mode of IPv4 routing (NAT or classical
                                                       routing) between the WAN interface and LAN interfaces.
Security Settings (Security Mode) Configuration Commands

Enter the security ? command at the CLI prompt to display the submodes in the security
mode. The following table lists the submodes and their commands in alphabetical order:

Table 8. Security mode configuration commands

Submode: address_filter
  security address_filter ip_or_mac_binding add                     Configure a new IP/MAC binding rule.
  security address_filter ip_or_mac_binding delete <row id>         Delete an IP/MAC binding rule.
  security address_filter ip_or_mac_binding edit <row id>           Configure an existing IP/MAC binding rule.
  security address_filter ip_or_mac_binding enable_email_log <ip version>
                                                                    Configure the email log for IP/MAC binding violations.
  security address_filter mac_filter configure                      Configure the source MAC address filter.
  security address_filter mac_filter source add                     Configure a new MAC source address.
  security address_filter mac_filter source delete <row id>         Delete a MAC source address.

Submode: bandwidth
  security bandwidth profile add                                    Configure a new bandwidth profile.
  security bandwidth profile delete <row id>                        Delete a bandwidth profile.
  security bandwidth profile edit <row id>                          Configure an existing bandwidth profile.
  security bandwidth enable_bandwidth_profiles {Y | N}              Enable or disable bandwidth profile globally.

Submode: content_filter
  security content_filter block_group disable                       Remove content filtering from groups.
  security content_filter block_group enable                        Apply content filtering to groups.
  security content_filter blocked_keywords add                      Configure a new blocked keyword.
  security content_filter blocked_keywords delete <row id>          Delete a blocked keyword.
  security content_filter blocked_keywords edit <row id>            Configure an existing blocked keyword.
  security content_filter content_filtering configure               Configure web content filtering.
  security content_filter trusted_domain add                        Configure a new trusted domain.
  security content_filter trusted_domain delete <row id>            Delete a trusted domain.
  security content_filter trusted_domain edit <row id>              Configure an existing trusted domain.

Submode: firewall
  security firewall advanced algs                                   Configure SIP support for the ALG.
  security firewall attack_checks configure ipv4                    Configure WAN and LAN security attack checks for
                                                                    IPv4 traffic.
  security firewall attack_checks configure ipv6                    Configure WAN security attack checks for IPv6 traffic.
  security firewall attack_checks igmp configure                    Enable or disable multicast pass-through for IPv4
                                                                    traffic.
  security firewall attack_checks vpn_passthrough configure         Configure VPN pass-through for IPv4 traffic.
  security firewall ipv4 add_rule dmz_wan inbound                   Configure a new IPv4 DMZ WAN inbound firewall rule.
  security firewall ipv4 add_rule dmz_wan outbound                  Configure a new IPv4 DMZ WAN outbound firewall rule.
  security firewall ipv4 add_rule lan_dmz inbound                   Configure a new IPv4 LAN DMZ inbound firewall rule.
  security firewall ipv4 add_rule lan_dmz outbound                  Configure a new IPv4 LAN DMZ outbound firewall rule.
  security firewall ipv4 add_rule lan_wan inbound                   Configure a new IPv4 LAN WAN inbound firewall rule.
  security firewall ipv4 add_rule lan_wan outbound                  Configure a new IPv4 LAN WAN outbound firewall rule.
  security firewall ipv4 default_outbound_policy {Allow | Block}    Configure the default outbound policy for IPv4 traffic.
  security firewall ipv4 delete <row id>                            Delete an IPv4 firewall rule.
  security firewall ipv4 disable <row id>                           Disable an IPv4 firewall rule.
  security firewall ipv4 edit_rule dmz_wan inbound <row id>         Configure an existing IPv4 DMZ WAN inbound firewall rule.
  security firewall ipv4 edit_rule dmz_wan outbound <row id>        Configure an existing IPv4 DMZ WAN outbound firewall rule.
  security firewall ipv4 edit_rule lan_dmz inbound <row id>         Configure an existing IPv4 LAN DMZ inbound firewall rule.
  security firewall ipv4 edit_rule lan_dmz outbound <row id>        Configure an existing IPv4 LAN DMZ outbound firewall rule.
  security firewall ipv4 edit_rule lan_wan inbound <row id>         Configure an existing IPv4 LAN WAN inbound firewall rule.
  security firewall ipv4 edit_rule lan_wan outbound <row id>        Configure an existing IPv4 LAN WAN outbound firewall rule.
  security firewall ipv4 enable <row id>                            Enable an IPv4 firewall rule.
  security firewall ipv6 configure                                  Configure a new IPv6 firewall rule.
  security firewall ipv6 default_outbound_policy {Allow | Block}    Configure the default outbound policy for IPv6 traffic.
  security firewall ipv6 delete <row id>                            Delete an IPv6 firewall rule.
  security firewall ipv6 disable <row id>                           Disable an IPv6 firewall rule.
  security firewall ipv6 edit <row id>                              Configure an existing IPv6 firewall rule.
  security firewall ipv6 enable <row id>                            Enable an IPv6 firewall rule.
  security firewall session_limit configure                         Configure global session limits.
  security firewall session_settings configure                      Configure global session time-outs.

Submode: porttriggering_rules
  security porttriggering_rules add                                 Configure a new port triggering rule.
  security porttriggering_rules delete <row id>                     Delete a port triggering rule.
  security porttriggering_rules edit <row id>                       Configure an existing port triggering rule.

Submode: schedules
  security schedules edit {1 | 2 | 3}                               Configure one of the three security schedules.

Submode: services
  security services add                                             Configure a new custom service.
  security services delete <row id>                                 Delete a custom service.
  security services edit <row id>                                   Configure an existing custom service.
  security services ip_group add                                    Configure a new LAN or WAN IP group.
  security services ip_group add_ip_to <group name>                 Add an IP address to a LAN or WAN IP group.
  security services ip_group delete <row id>                        Delete a LAN or WAN IP group.
  security services ip_group delete_ip <row id>                     Remove an IP address from a LAN or WAN IP group.
  security services ip_group edit <row id>                          Configure an existing LAN or WAN IP group.
  security services qos_profile add                                 Add a QoS profile.
  security services qos_profile delete <row id>                     Delete a QoS profile.
  security services qos_profile edit <row id>                       Configure an existing QoS profile.

Submode: upnp
  security upnp configure                                           Configure UPnP.
Administrative and Monitoring Settings (System Mode) Configuration Commands

Enter the system ? command at the CLI prompt to display the submodes in the system
mode. The following table lists the submodes and their commands in alphabetical order:

Table 9. System mode configuration commands

Submode: logging
  system logging configure                          Configure routing logs for accepted and dropped IPv4
                                                    and IPv6 packets.
  system logging remote configure                   Configure email logs and alerts, schedule email logs
                                                    and alerts, and configure a syslog server.

Submode: remote_management
  system remote_management https configure          Configure remote management over HTTPS.
  system remote_management telnet configure         Configure remote management over Telnet.

Submode: snmp
  system snmp sys configure                         Configure the SNMP system information.

Submode: time
  system time configure                             Configure the system time, date, and NTP servers.

Submode: traffic_meter
  system traffic_meter configure <wan interface>    Configure the WAN traffic meter.
VPN Settings (VPN Mode) Configuration Commands

Enter the vpn ? command at the CLI prompt to display the submodes in the vpn mode. The
following table lists the submodes and their commands in alphabetical order:

Table 10. Configuration commands: vpn mode

Submode: ipsec
  vpn ipsec ikepolicy configure <ike policy name>             Configure a new or existing manual IPSec IKE policy.
  vpn ipsec ikepolicy delete <ike policy name>                Delete an IPSec policy.
  vpn ipsec mode_config configure <record name>               Configure a new or existing Mode Config record.
  vpn ipsec mode_config delete <record name>                  Delete a Mode Config record.
  vpn ipsec radius configure                                  Configure the RADIUS servers.
  vpn ipsec vpnpolicy configure <vpn policy name>             Configure a new or existing auto IPSec VPN policy or
                                                              manual IPSec VPN policy.
  vpn ipsec vpnpolicy connect <vpn policy name>               Establish a VPN connection.
  vpn ipsec vpnpolicy delete <vpn policy name>                Delete an IPSec VPN policy.
  vpn ipsec vpnpolicy disable <vpn policy name>               Disable an IPSec VPN policy.
  vpn ipsec vpnpolicy drop <vpn policy name>                  Terminate an IPSec VPN connection.
  vpn ipsec vpnpolicy enable <vpn policy name>                Enable an IPSec VPN policy.
  vpn ipsec wizard configure <Gateway | VPN_Client>           Configure the IPSec VPN wizard for a gateway-to-gateway
                                                              or gateway-to-VPN client connection.

Submode: l2tp
  vpn l2tp server configure                                   Configure the L2TP server.

Submode: pptp
  vpn pptp server configure                                   Configure the PPTP server.

Submode: radius
  vpn ipsec radius configure                                  Configure the RADIUS server.

Submode: sslvpn
  vpn sslvpn client ipv4                                      Configure the SSL client IPv4 address range.
  vpn sslvpn client ipv6                                      Configure the SSL client IPv6 address range.
  vpn sslvpn policy add                                       Configure a new SSL VPN policy.
  vpn sslvpn policy delete <row id>                           Delete an SSL VPN policy.
  vpn sslvpn policy edit <row id>                             Configure an existing SSL VPN policy.
  vpn sslvpn portal_layouts add                               Configure a new SSL VPN portal layout.
  vpn sslvpn portal_layouts delete <row id>                   Delete an SSL VPN portal layout.
  vpn sslvpn portal_layouts edit <row id>                     Configure an existing SSL VPN portal layout.
  vpn sslvpn portal_layouts set-default <row id>              Configure the default SSL VPN portal layout.
  vpn sslvpn portforwarding appconfig add                     Configure a new SSL port forwarding application.
  vpn sslvpn portforwarding appconfig delete <row id>         Delete an SSL VPN port forwarding application.
  vpn sslvpn portforwarding hostconfig add                    Configure a new host name for an SSL port forwarding
                                                              application.
  vpn sslvpn portforwarding hostconfig delete <row id>        Delete a host name for an SSL port forwarding application.
  vpn sslvpn resource add                                     Add a new SSL VPN resource.
  vpn sslvpn resource configure add <resource name>           Configure an SSL VPN resource object.
  vpn sslvpn resource configure delete <row id>               Delete an SSL VPN resource object.
  vpn sslvpn resource delete <row id>                         Delete an SSL VPN resource.
  vpn sslvpn route add                                        Add an SSL VPN client route.
  vpn sslvpn route delete <row id>                            Delete an SSL VPN client route.
  vpn sslvpn users domains add                                Configure a new authentication domain.
  vpn sslvpn users domains delete <row id>                    Delete an authentication domain.
  vpn sslvpn users domains disable_Local_Authentication {Y | N}
                                                              Enable or disable local authentication for users.
  vpn sslvpn users domains edit <row id>                      Configure an existing authentication domain.
  vpn sslvpn users groups add                                 Configure a new authentication group.
  vpn sslvpn users groups delete <row id>                     Delete an authentication group.
  vpn sslvpn users groups edit <row id>                       Configure an existing authentication group.
  vpn sslvpn users users add                                  Add a new user account.
  vpn sslvpn users users browser_policies <row id>            Configure the client browsers from which a user is
                                                              either allowed or denied access.
  vpn sslvpn users users delete <row id>                      Delete a user account.
  vpn sslvpn users users edit <row id>                        Configure an existing user account.
  vpn sslvpn users users ip_policies configure <row id>       Configure source IP addresses from which a user is
                                                              either allowed or denied access.
  vpn sslvpn users users ip_policies delete <row id>          Delete a source IP address for a user.
  vpn sslvpn users users login_policies <row id>              Configure the login policy for a user.
Chapter 3. Net Mode Configuration Commands

This chapter explains the configuration commands, keywords, and associated parameters in the
net mode. The chapter includes the following sections:
• General WAN Commands
• IPv4 WAN Commands
• IPv6 WAN Commands
• IPv6 Tunnel Commands
• Dynamic DNS Commands
• IPv4 LAN Commands
• IPv6 LAN Commands
• IPv4 DMZ Setup Commands
• IPv6 DMZ Setup Commands
• WAN QoS Commands
• IPv4 Routing Commands
• IPv6 Routing Commands

IMPORTANT: After you have issued a command that includes the word configure, add, or edit,
you need to save (or cancel) your changes. For more information, see Save Commands on page 12.
General WAN Commands
net wan port_setup configure <wan interface>
This command configures the advanced WAN settings for a WAN interface, that is, the MTU,
port speed, MAC address, failure detection method, and upload and download settings of the
VPN firewall. After you have issued the net wan port_setup configure command to
specify one of the four WAN interfaces (that is, WAN1, WAN2, WAN3, or WAN4), you enter
the net-config [port_setup] mode, and then you can configure the advanced settings for the
specified interface in the order that you prefer.
Step 1
  Format   net wan port_setup configure <wan interface>
  Mode     net

Step 2
  Format   def_mtu {Default | Custom {mtu_size <number>}}
           port_speed {Auto_Sense | 10_BaseT_Half_Duplex | 10_BaseT_Full_Duplex |
             100_BaseT_Half_Duplex | 100_BaseT_Full_Duplex | 1000_BaseT_Full_Duplex}
           mac_type {Use-Default-Mac | Use-This-Computers-Mac |
             Use-This-Mac {mac_address <mac address>}}
           failover_method type {None |
             WAN-DNS {failover_method retry_interval <seconds>}
               {failover_method retry_attempts <number>} |
             CUSTOM-DNS {failover_method dns_ipaddress_wan <ipaddress>}
               {failover_method retry_interval <seconds>}
               {failover_method retry_attempts <number>} |
             Ping {failover_method ping_ipaddress_wan <ipaddress>}
               {failover_method retry_interval <seconds>}
               {failover_method retry_attempts <number>}}
           upload_download wan_conn_type {DSL | ADSL | T1 | T3 | Other}
           upload_download upload_speed_type {56-Kbps | 128-Kbps | 256-Kbps | 384-Kbps |
             512-Kbps | 768-Kbps | 1500-Kbps | 1544-Kbps | 10-Mbps | 44.736-Mbps | 100-Mbps |
             1-Gbps | Custom {upload_download upload_speed <speed>}}
           upload_download download_speed_type {56-Kbps | 128-Kbps | 256-Kbps | 384-Kbps |
             512-Kbps | 768-Kbps | 1500-Kbps | 1544-Kbps | 10-Mbps | 44.736-Mbps | 100-Mbps |
             1-Gbps | Custom {upload_download download_speed <speed>}}
  Mode     net-config [port_setup]
Keyword  (associated keyword to select or parameter to type)
    Description

MTU
  def_mtu  (Default or Custom)
    Specifies whether the default MTU or a custom MTU is used. If you select Custom, you
    need to issue the mtu_size keyword and specify the size of the MTU.
  mtu_size  (number)
    The size of the default MTU in bytes for the WAN port:
    • If you have configured IPv4 mode, type a number between 68 and 1500 bytes.
    • If you have configured IPv4/IPv6 mode, type a number between 1280 and 1500 bytes.

Port speed
  port_speed  (Auto_Sense, 10_BaseT_Half_Duplex, 10_BaseT_Full_Duplex,
               100_BaseT_Half_Duplex, 100_BaseT_Full_Duplex, or 1000_BaseT_Full_Duplex)
    Specifies the port speed and duplex mode of the WAN port. The keywords are
    self-explanatory.

MAC address
  mac_type  (Use-Default-Mac, Use-This-Computers-Mac, or Use-This-Mac)
    Specifies the source for the MAC address. The default setting is Use-Default-Mac.
    If your ISP requires MAC authentication and another MAC address has been previously
    registered with your ISP, select either Use-This-Computers-Mac or Use-This-Mac. If you
    select the latter keyword, you need to issue the mac_address keyword and specify the
    MAC address that is expected by your ISP.
  mac_address  (mac address)
    The MAC address that the ISP requires for MAC authentication when the mac_type keyword
    is set to Use-This-Mac.

Failure detection method
  failover_method type  (None, WAN-DNS, CUSTOM-DNS, or Ping)
    Specifies the type of failover method for IPv4 connections. You can specify only one
    type of method:
    • None. There is no failover method configured.
    • WAN-DNS. DNS queries are sent to the DNS server that you configure through the
      net wan wan ipv4 configure <wan interface> command.
    • CUSTOM-DNS. DNS queries are sent to the DNS server that you need to specify with the
      failover_method dns_ipaddress_wan keyword.
    • Ping. Pings are sent to a server with a public IP address that you need to specify
      with the failover_method ping_ipaddress_wan keyword.
    For all three failover methods, you also need to issue the failover_method
    retry_interval keyword to specify an interval and the failover_method retry_attempts
    keyword to specify the number of attempts.
  failover_method retry_interval  (seconds)
    The retry interval in seconds, from 5 to 999 seconds. The DNS query or ping is sent
    periodically after every test period.
  failover_method retry_attempts  (number)
    The number of failover attempts, from 2 to 999. The primary WAN interface is considered
    down after the specified number of queries have failed to elicit a reply. The backup
    interface is brought up after this situation has occurred.
  failover_method dns_ipaddress_wan  (ipaddress)
    The address of the DNS server to which the DNS queries are sent if the failover method
    is set to CUSTOM-DNS.
  failover_method ping_ipaddress_wan  (ipaddress)
    The ping address to which the pings are sent if the failover method is set to Ping.

Upload and download settings
  upload_download wan_conn_type  (DSL, ADSL, T1, T3, or Other)
    Specifies the type of WAN connection that the VPN firewall uses to connect to the
    Internet.
  upload_download upload_speed_type  (56-Kbps, 128-Kbps, 256-Kbps, 384-Kbps, 512-Kbps,
               768-Kbps, 1500-Kbps, 1544-Kbps, 10-Mbps, 44.736-Mbps, 100-Mbps, 1-Gbps,
               or Custom)
    Specifies the maximum upload speed that is provided by your ISP. If you select Custom,
    you need to specify the speed in Kbps with the upload_download upload_speed keyword.
  upload_download upload_speed  (speed)
    The upload speed in Kbps if the type of WAN connection is Custom.
  upload_download download_speed_type  (56-Kbps, 128-Kbps, 256-Kbps, 384-Kbps, 512-Kbps,
               768-Kbps, 1500-Kbps, 1544-Kbps, 10-Mbps, 44.736-Mbps, 100-Mbps, 1-Gbps,
               or Custom)
    Specifies the maximum download speed that is provided by your ISP. If you select
    Custom, you need to specify the speed in Kbps with the upload_download download_speed
    keyword.
  upload_download download_speed  (speed)
    The download speed in Kbps if the type of WAN connection is Custom.
Command example:
SRX5308> net wan port_setup configure WAN1
net-config[port_setup]> def_mtu Custom
net-config[port_setup]> mtu_size 1498
net-config[port_setup]> port_speed 1000_BaseT_Full_Duplex
net-config[port_setup]> mac_type Use-This-Computers-Mac
net-config[port_setup]> failover_method type Ping
net-config[port_setup]> failover_method ping_ipaddress_wan 10.147.38.217
net-config[port_setup]> failover_method retry_interval 30
net-config[port_setup]> failover_method retry_attempts 4
net-config[port_setup]> upload_download wan_conn_type DSL
net-config[port_setup]> upload_download upload_speed_type 1-Gbps
net-config[port_setup]> upload_download download_speed_type 1-Gbps
net-config[port_setup]> save
Related show command: show net wan port_setup <wan interface>
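The port_setup keywords above form a small grammar with dependent keywords and numeric ranges. The following Python helper is an added example, not part of NETGEAR's documentation or firmware: it builds the net-config[port_setup] command sequence from a configuration dict and rejects values the reference table does not allow (the mtu_size range, which depends on the IP mode; retry_interval 5 to 999; retry_attempts 2 to 999; and the address or MAC keyword that the chosen mac_type or failover method requires) before anything is typed into the device. The keyword names, option values and ranges come from the table; the function names, the dict layout and the ip_mode argument are assumptions of the example.

```python
"""Build and validate a net-config[port_setup] session for one SRX5308 WAN interface.

Added example, not NETGEAR code. Keyword names, option values and numeric ranges
come from the port_setup reference table; the cfg dict layout, the function names
and the ip_mode argument are assumptions of this example.
"""

WAN_INTERFACES = {"WAN1", "WAN2", "WAN3", "WAN4"}
PORT_SPEEDS = {"Auto_Sense", "10_BaseT_Half_Duplex", "10_BaseT_Full_Duplex",
               "100_BaseT_Half_Duplex", "100_BaseT_Full_Duplex", "1000_BaseT_Full_Duplex"}
MAC_TYPES = {"Use-Default-Mac", "Use-This-Computers-Mac", "Use-This-Mac"}
FAILOVER_TYPES = {"None", "WAN-DNS", "CUSTOM-DNS", "Ping"}
CONN_TYPES = {"DSL", "ADSL", "T1", "T3", "Other"}
SPEED_TYPES = {"56-Kbps", "128-Kbps", "256-Kbps", "384-Kbps", "512-Kbps", "768-Kbps",
               "1500-Kbps", "1544-Kbps", "10-Mbps", "44.736-Mbps", "100-Mbps", "1-Gbps",
               "Custom"}
# Failover methods that need a target address, and the keyword that carries it.
FAILOVER_TARGET = {"CUSTOM-DNS": "dns_ipaddress_wan", "Ping": "ping_ipaddress_wan"}


def mtu_bounds(ip_mode):
    """Allowed mtu_size in bytes: 68 to 1500 in IPv4 mode, 1280 to 1500 in IPv4/IPv6 mode."""
    return (1280, 1500) if ip_mode == "IPv4/IPv6" else (68, 1500)


def _choice(value, allowed, what):
    """Reject any option value that the reference table does not list."""
    if value not in allowed:
        raise ValueError(f"{what} must be one of {sorted(allowed)}, got {value!r}")
    return value


def _in_range(value, lo, hi, what):
    """Numeric parameters are checked before they are ever sent to the device."""
    if not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{what} must be an integer from {lo} to {hi}, got {value!r}")
    return value


def build_port_setup(wan_if, cfg, ip_mode="IPv4"):
    """Return the command lines (without prompts) that apply cfg to wan_if, ending in save."""
    _choice(wan_if, WAN_INTERFACES, "WAN interface")
    lines = [f"net wan port_setup configure {wan_if}"]

    # MTU: a custom size must fall inside the range for the configured IP mode.
    if cfg.get("mtu") is None:
        lines.append("def_mtu Default")
    else:
        lo, hi = mtu_bounds(ip_mode)
        lines += ["def_mtu Custom", f"mtu_size {_in_range(cfg['mtu'], lo, hi, 'mtu_size')}"]

    speed = _choice(cfg.get("port_speed", "Auto_Sense"), PORT_SPEEDS, "port_speed")
    lines.append(f"port_speed {speed}")

    # MAC source: Use-This-Mac is only complete together with the mac_address keyword.
    mac_type = _choice(cfg.get("mac_type", "Use-Default-Mac"), MAC_TYPES, "mac_type")
    lines.append(f"mac_type {mac_type}")
    if mac_type == "Use-This-Mac":
        if "mac_address" not in cfg:
            raise ValueError("mac_type Use-This-Mac requires mac_address")
        lines.append(f"mac_address {cfg['mac_address']}")

    # Failure detection: every method except None needs an interval and an attempt count;
    # CUSTOM-DNS and Ping additionally need the address that is probed.
    failover = cfg.get("failover", {"type": "None"})
    ftype = _choice(failover["type"], FAILOVER_TYPES, "failover_method type")
    lines.append(f"failover_method type {ftype}")
    if ftype != "None":
        target = FAILOVER_TARGET.get(ftype)
        if target is not None:
            if target not in failover:
                raise ValueError(f"failover_method type {ftype} requires {target}")
            lines.append(f"failover_method {target} {failover[target]}")
        interval = _in_range(failover["retry_interval"], 5, 999, "retry_interval")
        attempts = _in_range(failover["retry_attempts"], 2, 999, "retry_attempts")
        lines += [f"failover_method retry_interval {interval}",
                  f"failover_method retry_attempts {attempts}"]

    # Upload/download: a Custom speed type needs an explicit speed in Kbps.
    ud = cfg.get("upload_download")
    if ud:
        conn = _choice(ud["wan_conn_type"], CONN_TYPES, "wan_conn_type")
        lines.append(f"upload_download wan_conn_type {conn}")
        for direction in ("upload", "download"):
            st = _choice(ud[f"{direction}_speed_type"], SPEED_TYPES, f"{direction}_speed_type")
            lines.append(f"upload_download {direction}_speed_type {st}")
            if st == "Custom":
                lines.append(f"upload_download {direction}_speed {ud[f'{direction}_speed']}")

    lines.append("save")
    return lines


# Constructed configuration that reproduces the command example above.
EXAMPLE_CFG = {
    "mtu": 1498,
    "port_speed": "1000_BaseT_Full_Duplex",
    "mac_type": "Use-This-Computers-Mac",
    "failover": {"type": "Ping", "ping_ipaddress_wan": "10.147.38.217",
                 "retry_interval": 30, "retry_attempts": 4},
    "upload_download": {"wan_conn_type": "DSL",
                        "upload_speed_type": "1-Gbps", "download_speed_type": "1-Gbps"},
}

if __name__ == "__main__":
    commands = build_port_setup("WAN1", EXAMPLE_CFG)
    print("SRX5308> " + commands[0])
    for command in commands[1:]:
        print("net-config[port_setup]> " + command)
```

Because a net-config session only takes effect at save, validating the whole configuration before the first keyword is typed avoids leaving a half-entered session open while an operator works out which value the device rejected; the same checks also catch a 1000-byte MTU that is valid in IPv4 mode but not after the IP mode is switched to IPv4/IPv6.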
IPv4 WAN Commands
net wan_settings wanmode configure
This command configures the mode of IPv4 routing between the WAN interface and LAN
interfaces. After you have issued the net wan_settings wanmode configure
command, you enter the net-config [routing-mode] mode, and then you can configure NAT or
classical routing.
WARNING!
Changing the mode of IPv4 routing causes all LAN–WAN and
DMZ–WAN inbound firewall settings to revert to default settings.
Step 1
  Format   net wan_settings wanmode configure
  Mode     net

Step 2
  Format   type {NAT | Classical_Routing}
  Mode     net-config [routing-mode]

Keyword  (associated keyword to select)
    Description

  type  (NAT or Classical_Routing)
    Specifies the IPv4 routing mode.
Command example:
SRX5308> net wan_settings wanmode configure
net-config[routing-mode]> type NAT
net-config[routing-mode]> save
Related show command: show net wan_settings wanmode
net wan wan ipv4 configure <wan interface>
This command configures the IPv4 settings for a WAN interface. After you have issued the
net wan wan ipv4 configure command to specify one of the four WAN interfaces (that
is, WAN1, WAN2, WAN3, or WAN4), you enter the net-config [wan-ipv4] mode. First, specify
the ISP connection type (you can select only a single type). Then, for the selected ISP
connection type, configure one keyword and associated parameter or associated keyword at
a time in the order that you prefer. If you select a static ISP connection type, there is no
further configuration required.
Step 1
  Format   net wan wan ipv4 configure <wan interface>
  Mode     net

Step 2
  Format   isp_connection_type {static | dhcp | pppoe | pptp} Yes
           isp_login_required {Y | N}
           static ip_address <ipaddress>
           static subnet_mask <subnet mask>
           static gateway_address <ipaddress>
           static primary_dns <ipaddress>
           static secondary_dns <ipaddress>
           dhcpc account_name <account name>
           dhcpc domain_name <domain name>
           dhcpc client_identifier {Y | N}
           dhcpc vendor_identifier {Y | N}
           dhcpc get_dns_from_isp {Y | N {dhcpc primary_dns <ipaddress>}
             [dhcpc secondary_dns <ipaddress>]}
           pppoe username <user name>
           pppoe password <password>
           pppoe AccountName <account name>
           pppoe DomainName <domain name>
           pppoe connectivity_type {keepalive | idletimeout {idle_time <minutes>}}
           pppoe connection_reset {N | Y {reset_hour <hour>} {reset_min <minutes>}
             {delay_in_reset <seconds>}}
           pppoe get_ip_dynamically {Y | N {static_ip <ipaddress>} {subnet_mask <subnet mask>}}
           pppoe get_dns_from_isp {Y | N {primary_dns <ipaddress>} [secondary_dns <ipaddress>]}
           pptp username <user name>
           pptp password <password>
           pptp AccountName <account name>
           pptp DomainName <domain name>
           pptp connectivity_type {keepalive | idletimeout {pptp idle_time <seconds>}}
           pptp my_address <ipaddress>
           pptp server_address <ipaddress>
           pptp get_dns_from_isp {Y | N {pptp primary_dns <ipaddress>}
             [pptp secondary_dns <ipaddress>]}
  Mode     net-config [wan-ipv4]
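The Step 2 format above mixes two type-independent keywords (isp_connection_type with its Yes confirmation, and isp_login_required) with four per-type keyword sections. The following Python helper is an added example, not NETGEAR code: it assembles the net-config[wan-ipv4] command lines for one connection type, checks the dependencies the keyword table states (a static connection needs address, subnet mask, gateway and primary DNS; get_dns_from_isp N needs a primary DNS; idletimeout needs an idle_time of 5 to 999 minutes; connection_reset Y needs reset_hour, reset_min and delay_in_reset; get_ip_dynamically N needs static_ip and subnet_mask), and masks the pppoe password and pptp password values so the session can be kept in an audit log without the ISP credentials. The one-keyword-per-line output layout, the cfg dict, the function names and the sample values are assumptions constructed for the example; the keyword names follow the reference text.

```python
"""Assemble a net-config[wan-ipv4] session for one SRX5308 WAN interface and
redact the ISP credentials it carries before the session is logged.

Added example, not NETGEAR code. Keyword names and the per-type sections
(static, dhcpc, pppoe, pptp) follow the reference text; the cfg dict, the
function names, the one-keyword-per-line output and the sample values are
assumptions constructed for this example.
"""

# isp_connection_type value -> keyword section that carries that type's settings
ISP_SECTIONS = {"static": "static", "dhcp": "dhcpc", "pppoe": "pppoe", "pptp": "pptp"}
# Two-word keywords whose value is an ISP credential.
SECRET_KEYWORDS = {"pppoe password", "pptp password"}


def _need(section, cfg, *keys):
    """Raise if a keyword that the chosen settings depend on is missing from cfg."""
    for key in keys:
        if key not in cfg:
            raise ValueError(f"{section} {key} is required by this configuration")


def build_wan_ipv4(wan_if, isp_type, cfg):
    """Return the command lines (without prompts) that configure wan_if, ending in save."""
    if isp_type not in ISP_SECTIONS:
        raise ValueError(f"unknown isp_connection_type {isp_type!r}")
    section = ISP_SECTIONS[isp_type]
    # The connection type is confirmed with the full word Yes, not just Y.
    lines = [f"net wan wan ipv4 configure {wan_if}", f"isp_connection_type {isp_type} Yes"]
    if isp_type in ("pppoe", "pptp"):
        # The login requirement applies only to the PPPoE and PPTP types.
        lines.append("isp_login_required " + ("Y" if cfg.get("login_required", True) else "N"))

    # Dependencies stated in the keyword table for each section.
    if isp_type == "static":
        _need(section, cfg, "ip_address", "subnet_mask", "gateway_address", "primary_dns")
    elif cfg.get("get_dns_from_isp") == "N":
        _need(section, cfg, "primary_dns")
    if isp_type == "pppoe":
        if cfg.get("connectivity_type") == "idletimeout":
            _need(section, cfg, "idle_time")
            if not 5 <= cfg["idle_time"] <= 999:
                raise ValueError("pppoe idle_time must be from 5 to 999 minutes")
        if cfg.get("connection_reset") == "Y":
            _need(section, cfg, "reset_hour", "reset_min", "delay_in_reset")
        if cfg.get("get_ip_dynamically") == "N":
            _need(section, cfg, "static_ip", "subnet_mask")

    # Every remaining entry becomes "<section> <keyword> <value>", the two-word
    # keyword form the reference table uses for the per-type sections.
    for key, value in cfg.items():
        if key != "login_required":
            lines.append(f"{section} {key} {value}")
    lines.append("save")
    return lines


def redact(lines):
    """Mask credential values so the session can be stored in an audit log."""
    out = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) == 3 and f"{parts[0]} {parts[1]}" in SECRET_KEYWORDS:
            line = f"{parts[0]} {parts[1]} ********"
        out.append(line)
    return out


# Constructed sample: a PPPoE uplink with an idle time-out and ISP-independent DNS.
EXAMPLE_PPPOE = {
    "username": "isp-user",
    "password": "example-secret",
    "connectivity_type": "idletimeout",
    "idle_time": 10,
    "get_ip_dynamically": "Y",
    "get_dns_from_isp": "N",
    "primary_dns": "192.0.2.53",
}

if __name__ == "__main__":
    session = build_wan_ipv4("WAN2", "pppoe", EXAMPLE_PPPOE)
    print("SRX5308> " + session[0])
    for line in redact(session[1:]):
        print("net-config[wan-ipv4]> " + line)
```

The redaction step matters because the PPPoE and PPTP keyword sets put the ISP password on the command line in clear text; anything that records CLI sessions (a terminal logger, a change-management ticket, a configuration-push script's output) should store the redacted form and keep the credential in the secret store it came from.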
Keyword
Associated Keyword to
Description
Select or Parameter to Type
isp_connection_type
static, dhcp, pppoe, or
pptp
Yes
Specifies the type of ISP connection. You
can specify only one type of connection:
• static. Configure the keywords and
parameters in the STATIC section of this
table.
• dhcp. Configure the keywords and
parameters in the DHCPC section of this
table.
• pppoe. Configure the keywords and
parameters in the PPPoE section of this
table.
• pptp. Configure the keywords and
parameters in the PPTP section of this
table.
You need to confirm your selection by typing
Yes (that is, Yes, and not just Y).
Y or N
Enables or disables the ISP login
requirement if the type of ISP connection is
PPPoE or PPTP.
static ip_address
ipaddress
The static IP address.
static subnet_mask
subnet mask
The subnet mask that is associated with the
static IP address.
static gateway_address
ipaddress
The IP address of the ISP gateway.
static primary_dns
ipaddress
The IP address of the primary DNS server.
static secondary_dns
ipaddress
The IP address of the optional secondary
DNS server.
isp_login_required
Static
Net Mode Configuration Commands
33
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Keyword
Associated Keyword to
Description
Select or Parameter to Type
DHCPC (These keywords consist of two separate words)
dhcpc account_name
account name
The ISP account name (alphanumeric
string).
dhcpc domain_name
domain name
The ISP domain name (alphanumeric string).
dhcpc client_identifier
Y or N
Enables or disables the DHCP
client-identifier option. If enabled, the DHCP
client-identifier is sent to the ISP server. By
default, the option is not sent.
dhcpc vendor_identifier
Y or N
Enables or disables the DHCP
vendor-class-identifier option. If enabled, the
DHCP vendor-class-identifier is sent to the
ISP server. By default, the option is not sent.
dhcpc get_dns_from_isp
Y or N
Specifies whether or not the IP address of
the DNS server is dynamically received from
the ISP. If you select N, you need to issue the
dhcpc primary_dns keyword and enter
the IP address of the primary DNS server.
For a secondary DNS server, issue the
dhcpc secondary_dns keyword, and
enter the IP address.
dhcpc primary_dns
ipaddress
The IP address of the primary DNS server if
your IP address is not dynamically received
from the ISP.
dhcpc secondary_dns
ipaddress
The IP address of the optional secondary
DNS server if your IP address is not
dynamically received from the ISP.
PPPoE (These keywords consist of two separate words)
pppoe username
user name
The user name (alphanumeric string) to log
in to the PPPoE service, if required.
pppoe password
password
The password (alphanumeric string) to log in
to the PPPoE service, if required.
pppoe AccountName
account name
The PPPoE account name (alphanumeric
string).
pppoe DomainName
domain name
The PPPoE domain name (alphanumeric
string).
pppoe connectivity_type
keepalive or
idletimeout
Specifies he type of PPPoE connection. If
you select idletimeout, you need to issue
the idle_time keyword and enter the idle
time-out in minutes.
pppoe idle_time
minutes
The idle time-out period in minutes, from 5 to
999 minutes.
Net Mode Configuration Commands
34
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Keyword | Associated keyword to select or parameter to type | Description
--- | --- | ---
pppoe connection_reset | Y or N | Specifies whether or not the PPPoE connection is automatically reset. If it is reset, you need to issue the pppoe reset_hour and pppoe reset_min keywords and enter the hour and minutes at which the connection is reset. You also need to issue the pppoe delay_in_reset keyword and enter the number of seconds of delay.
pppoe reset_hour | hour | The hour at which the PPPoE connection is reset.
pppoe reset_min | minutes | The minutes at which the PPPoE connection is reset.
pppoe delay_in_reset | seconds | After the connection has been reset, the number of seconds of delay before a PPPoE connection attempt is made.
pppoe get_ip_dynamically | Y or N | Specifies whether or not the IP address is dynamically received from the ISP. If it is not, you need to issue the pppoe static_ip keyword and enter the static IP address, and issue the pppoe subnet_mask keyword and enter the subnet mask.
pppoe static_ip | ipaddress | The static IP address if your IP address is not dynamically received from the ISP.
pppoe subnet_mask | subnet mask | The subnet mask if your IP address is not dynamically received from the ISP.
pppoe get_dns_from_isp | Y or N | Specifies whether or not the IP address of the DNS server is dynamically received from the ISP. If you select N, you need to issue the pppoe primary_dns keyword and enter the IP address of the primary DNS server. For a secondary DNS server, issue the pppoe secondary_dns keyword and enter the IP address.
pppoe primary_dns | ipaddress | The IP address of the primary DNS server if the DNS server address is not dynamically received from the ISP.
pppoe secondary_dns | ipaddress | The IP address of the optional secondary DNS server if the DNS server address is not dynamically received from the ISP.
PPTP (these keywords consist of two separate words) | |
pptp username | user name | The user name (alphanumeric string) to log in to the PPTP service, if required.
pptp password | password | The password (alphanumeric string) to log in to the PPTP service, if required.
pptp AccountName | account name | The PPTP account name (alphanumeric string).
pptp DomainName | domain name | The PPTP domain name (alphanumeric string).
pptp connectivity_type | keepalive or idletimeout | Specifies the type of PPTP connection. If you select idletimeout, you need to issue the pptp idle_time keyword and enter the idle time-out period.
pptp idle_time | minutes | The idle time-out period in minutes (5 to 999), if the PPTP connection is configured for idle time-out.
pptp my_address | ipaddress | The IP address that was assigned by the ISP to make a connection with the ISP’s PPTP server.
pptp server_address | ipaddress | The IP address of the PPTP server.
pptp get_dns_from_isp | Y or N | Specifies whether or not the IP address of the DNS server is dynamically received from the ISP. If you select N, you need to issue the pptp primary_dns keyword and enter the IP address of the primary DNS server. For a secondary DNS server, issue the pptp secondary_dns keyword and enter the IP address.
pptp primary_dns | ipaddress | The IP address of the primary DNS server if the DNS server address is not dynamically received from the ISP.
pptp secondary_dns | ipaddress | The IP address of the optional secondary DNS server if the DNS server address is not dynamically received from the ISP.
Command example:
SRX5308> net wan wan ipv4 configure WAN2
net-config[wan-ipv4]> isp_connection_type dhcp
net-config[wan-ipv4]> dhcpc client_identifier Y
net-config[wan-ipv4]> dhcpc get_dns_from_isp N
net-config[wan-ipv4]> dhcpc primary_dns 10.124.56.118
net-config[wan-ipv4]> dhcpc secondary_dns 10.124.56.132
net-config[wan-ipv4]> save
Related show commands: show net wan wan ipv4 setup <wan interface> and show net wan wan
ipv4 status <wan interface>
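The table above describes several keyword dependencies (a DNS server when get_dns_from_isp is N, a static address when get_ip_dynamically is N, a reset schedule when connection_reset is Y, an idle_time of 5 to 999 minutes when connectivity_type is idletimeout). The following added example, which is not NETGEAR's code, checks a set of WAN IPv4 settings against those rules before emitting the command lines in the order the manual's example uses; it assumes that isp_connection_type takes the values dhcp, pppoe and pptp (only dhcp appears in the example).

```python
"""Build and check a 'net wan wan ipv4 configure' session for the SRX5308 CLI.

Added example, not NETGEAR's code. Assumption: isp_connection_type accepts
dhcp, pppoe and pptp; the manual's example shows only dhcp.
"""
import ipaddress

WAN_INTERFACES = ("WAN1", "WAN2", "WAN3", "WAN4")
# isp_connection_type value -> first word of the dependent keywords
KEYWORD_PREFIX = {"dhcp": "dhcpc", "pppoe": "pppoe", "pptp": "pptp"}


def _require(settings, keys, because):
    missing = [k for k in keys if k not in settings]
    if missing:
        raise ValueError(f"{because} requires {', '.join(missing)}")


def _ipv4(settings, key):
    # Reject anything that is not a plain dotted quad before it reaches the CLI.
    ipaddress.IPv4Address(settings[key])


def _check_dns(prefix, settings):
    # get_dns_from_isp N means the primary DNS server must be given explicitly.
    if settings.get("get_dns_from_isp", "Y") == "N":
        _require(settings, ["primary_dns"], f"{prefix} get_dns_from_isp N")
        for key in ("primary_dns", "secondary_dns"):
            if key in settings:
                _ipv4(settings, key)


def _check_idle(prefix, settings):
    # connectivity_type idletimeout needs idle_time, 5 to 999 minutes.
    if settings.get("connectivity_type") == "idletimeout":
        _require(settings, ["idle_time"], f"{prefix} connectivity_type idletimeout")
        if not 5 <= int(settings["idle_time"]) <= 999:
            raise ValueError(f"{prefix} idle_time must be between 5 and 999 minutes")


def validate(wan, isp_type, settings):
    """Raise ValueError when the settings violate a dependency from the table."""
    if wan not in WAN_INTERFACES:
        raise ValueError(f"unknown WAN interface {wan}")
    if isp_type not in KEYWORD_PREFIX:
        raise ValueError(f"unknown isp_connection_type {isp_type}")
    prefix = KEYWORD_PREFIX[isp_type]
    _check_dns(prefix, settings)
    if isp_type in ("pppoe", "pptp"):
        _check_idle(prefix, settings)
    if isp_type == "pppoe":
        if settings.get("connection_reset") == "Y":
            _require(settings, ["reset_hour", "reset_min", "delay_in_reset"],
                     "pppoe connection_reset Y")
        if settings.get("get_ip_dynamically") == "N":
            _require(settings, ["static_ip", "subnet_mask"],
                     "pppoe get_ip_dynamically N")
            _ipv4(settings, "static_ip")
            _ipv4(settings, "subnet_mask")
    if isp_type == "pptp":
        for key in ("my_address", "server_address"):
            if key in settings:
                _ipv4(settings, key)


def build_session(wan, isp_type, settings):
    """Return the command lines (without prompts) for one WAN interface."""
    validate(wan, isp_type, settings)
    prefix = KEYWORD_PREFIX[isp_type]
    lines = [f"net wan wan ipv4 configure {wan}", f"isp_connection_type {isp_type}"]
    lines += [f"{prefix} {key} {value}" for key, value in settings.items()]
    lines.append("save")
    return lines


if __name__ == "__main__":
    # Reproduces the manual's DHCP example for WAN2.
    for line in build_session("WAN2", "dhcp", {
            "client_identifier": "Y", "get_dns_from_isp": "N",
            "primary_dns": "10.124.56.118", "secondary_dns": "10.124.56.132"}):
        print(line)
```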
net wan wan ipv4 secondary_address add <wan interface>
This command configures a secondary IPv4 WAN address. After you have issued the net
wan wan ipv4 secondary_address add command to specify one of the four WAN
interfaces (that is, WAN1, WAN2, WAN3, or WAN4), you enter the
net-config [wan-secondary-address] mode, and then you can configure the secondary WAN
address and subnet mask in the order that you prefer.
Step 1
Format
net wan wan ipv4 secondary_address add {WAN1 | WAN2 | WAN3 | WAN4}
Mode
net
Step 2
Format
ip_address <ipaddress>
subnet_mask <subnet mask>
Mode
net-config [wan-secondary-address]

Keyword | Associated parameter to type | Description
--- | --- | ---
ip_address | ipaddress | The secondary IPv4 address for the selected WAN interface.
subnet_mask | subnet mask | The subnet mask for the secondary IP address.
Command example:
SRX5308> net wan wan ipv4 secondary_address add WAN2
net-config[wan-secondary-address]> ip_address 10.168.50.1
net-config[wan-secondary-address]> subnet_mask 255.255.255.0
net-config[wan-secondary-address]> save
Related show commands: show net wan wan ipv4 secondary_addresses <wan interface>
net wan wan ipv4 secondary_address delete <row id>
This command deletes a secondary IPv4 WAN address by deleting its row ID.
Format
net wan wan ipv4 secondary_address delete <row id>
Mode
net
Related show commands: show net wan wan ipv4 secondary_addresses <wan interface>
net wan_settings load_balancing configure
This command configures the load balancing settings for two WAN interfaces that are
configured for IPv4. After you have issued the net wan_settings load_balancing
configure command, you enter the net-config [load-balancing] mode, and then you can
configure one keyword and associated parameter or associated keyword at a time in the
order that you prefer. However, note that the setting of the wan_mode_type keyword
determines which other keywords and parameters you can apply.
Note: You can configure the load balancing settings only if the net ipv6
ipmode configure command is set to IPv4_Only.
Step 1
Format
net wan_settings load_balancing configure
Mode
net
Step 2
Format
wan_mode_type {Primary-WAN {primary_wan_interface {WAN1 | WAN2 | WAN3 | WAN4}} {auto_rollover {N | Y {secondary_wan_interface {WAN1 | WAN2 | WAN3 | WAN4}}}} | Load-Balancing {loadbal_algo {Round-Robin | Weighted-LB}}}
Mode
net-config [load-balancing]

Keyword | Associated keyword to select or parameter to type | Description
--- | --- | ---
Common settings | |
wan_mode_type | Primary-WAN or Load-Balancing | Specifies the load balancing settings: • Primary-WAN. One WAN interface is made the primary interface. The other three interfaces are disabled. As an option, another WAN interface can be made the rollover link; the remaining two interfaces are disabled. Configure the keywords and parameters in the Primary WAN mode and auto-rollover mode settings section of this table. • Load-Balancing. The VPN firewall distributes the outbound traffic equally among the WAN interfaces that are functional. Configure the keywords and parameters in the Load balancing settings section of this table, that is, issue the loadbal_algo keyword and specify the load balancing method.
Primary WAN mode and auto-rollover mode settings | |
primary_wan_interface | WAN1, WAN2, WAN3, or WAN4 | Specifies the interface that functions as the primary WAN interface.
auto_rollover | Y or N | Enables or disables auto-rollover mode. Issue the secondary_wan_interface keyword to specify the secondary WAN interface.
secondary_wan_interface | WAN1, WAN2, WAN3, or WAN4 | The interface that functions as the secondary WAN interface if auto-rollover mode is enabled.
Load balancing settings | |
loadbal_algo | Round-Robin or Weighted-LB | Specifies the load balancing method: • Round-Robin. With round-robin load balancing, new traffic connections are sent over a WAN link in a serial method irrespective of bandwidth or link speed. This load-balancing method ensures that a single WAN interface does not carry a disproportionate distribution of sessions. • Weighted-LB. With weighted load balancing, balance weights are calculated based on WAN link speed and available WAN bandwidth. This is the most efficient load-balancing algorithm.
Command example:
SRX5308> net wan_settings load_balancing configure WAN1
net-config[load-balancing]> wan_mode_type Primary-WAN
net-config[load-balancing]> primary_wan_interface WAN1
net-config[load-balancing]> auto_rollover Y
net-config[load-balancing]> secondary_wan_interface WAN2
net-config[load-balancing]> save
Related show command: show net wan port_setup <wan interface>
net protocol_binding add
This command configures a new protocol binding, that is, it binds a service to a WAN
interface. After you have issued the net protocol_binding add command, you enter
the net-config [protocol-binding] mode, and then you can configure one keyword and
associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
net protocol_binding add
Mode
net
Step 2
Format
service_name {default_services <default service name> | custom_services <custom service name>}
local_gateway {WAN1 | WAN2 | WAN3 | WAN4}
source_network_type {address_wise {ANY | SINGLE_ADDRESS {source_network_start_ip <ipaddress>} | ADDRESS_RANGE {source_network_start_ip <ipaddress>} {source_network_end_ip <ipaddress>}} | group_wise <group name>}
destination_network_type {address_wise {ANY | SINGLE_ADDRESS {destination_network_start_ip <ipaddress>} | ADDRESS_RANGE {destination_network_start_ip <ipaddress>} {destination_network_end_ip <ipaddress>}} | group_wise <group name>}
Mode
net-config [protocol-binding]
Keyword | Associated keyword to select or parameter to type | Description
--- | --- | ---
service_name default_services | ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP | Specifies the default service and protocol to which the protocol binding applies.
service_name custom_services | custom service name | The custom service that you have configured with the security services add command and to which the protocol binding applies.
local_gateway | WAN1, WAN2, WAN3, or WAN4 | Specifies the interface to which the service is bound.
source_network_type address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | Specifies the type of LAN source address. The address_wise and group_wise keywords are mutually exclusive.
source_network_start_ip | ipaddress | The IP address if the source_network_type address_wise keywords are set to SINGLE_ADDRESS, or the start IP address if they are set to ADDRESS_RANGE.
source_network_end_ip | ipaddress | The end IP address if the source_network_type address_wise keywords are set to ADDRESS_RANGE.
source_network_type group_wise | group name | The name of the LAN group or LAN IP group. The LAN group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you have specified with the net lan lan_groups edit <row id> <new group name> command. The LAN IP group name is a name that you have specified with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.
destination_network_type address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | Specifies the type of WAN destination address. The address_wise and group_wise keywords are mutually exclusive.
destination_network_start_ip | ipaddress | The IP address if the destination_network_type address_wise keywords are set to SINGLE_ADDRESS, or the start IP address if they are set to ADDRESS_RANGE.
destination_network_end_ip | ipaddress | The end IP address if the destination_network_type address_wise keywords are set to ADDRESS_RANGE.
destination_network_type group_wise | group name | The name of the WAN IP group. The WAN IP group name is a name that you have specified with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.
Command example:
SRX5308> net protocol_binding add
net-config[protocol-binding]> service_name default_services FTP
net-config[protocol-binding]> local_gateway WAN1
net-config[protocol-binding]> source_network_type address_wise ANY
net-config[protocol-binding]> destination_network_type address_wise SINGLE_ADDRESS
net-config[protocol-binding]> destination_network_start_ip 10.122.178.214
net-config[protocol-binding]> save
Related show command: show net protocol_binding setup
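The wan_mode_type settings described under net wan_settings load_balancing configure and the protocol bindings described here both decide which WAN interface a new outbound session leaves on. The following added example, which is not NETGEAR's code, simulates that decision for Primary-WAN with auto-rollover, Round-Robin and Weighted-LB, with address_wise bindings matched first. It assumes, because the manual does not say so, that a matching binding whose gateway is up overrides the mode-based choice, that bindings are tried in row order, and that Weighted-LB hands out sessions in proportion to each link's configured speed; all addresses and speeds are constructed sample values.

```python
"""Pick the WAN interface for a new outbound session under the SRX5308's
wan_mode_type settings and protocol bindings.

Added example, not NETGEAR's code. Assumptions the manual does not state:
a matching protocol binding whose gateway is up overrides the mode-based
choice, bindings are tried in row order, and Weighted-LB distributes
sessions in proportion to each link's configured speed.
"""
import ipaddress
from itertools import cycle
from math import gcd


def address_matches(spec, addr):
    """spec mirrors the address_wise keywords: ("ANY",),
    ("SINGLE_ADDRESS", ip) or ("ADDRESS_RANGE", start_ip, end_ip)."""
    ip = ipaddress.IPv4Address(addr)
    if spec[0] == "ANY":
        return True
    if spec[0] == "SINGLE_ADDRESS":
        return ip == ipaddress.IPv4Address(spec[1])
    if spec[0] == "ADDRESS_RANGE":
        start, end = ipaddress.IPv4Address(spec[1]), ipaddress.IPv4Address(spec[2])
        if start > end:
            raise ValueError("ADDRESS_RANGE start IP must not exceed the end IP")
        return start <= ip <= end
    raise ValueError(f"unknown address type {spec[0]}")


class ProtocolBinding:
    """One row of net protocol_binding: a service bound to a local gateway."""

    def __init__(self, service, local_gateway, source=("ANY",), destination=("ANY",)):
        self.service, self.local_gateway = service, local_gateway
        self.source, self.destination = source, destination

    def matches(self, service, src, dst):
        return (self.service in ("ANY", service)
                and address_matches(self.source, src)
                and address_matches(self.destination, dst))


class WanSelector:
    def __init__(self, mode, links_up, *, primary=None, secondary=None,
                 algo=None, link_speed=None, bindings=()):
        self.mode, self.links_up = mode, set(links_up)
        self.primary, self.secondary = primary, secondary
        self.bindings = list(bindings)
        self._cycle = None
        if mode == "Primary-WAN":
            if primary is None:
                raise ValueError("Primary-WAN requires primary_wan_interface")
            if secondary is not None and secondary == primary:
                raise ValueError("secondary_wan_interface must differ from the primary")
        elif mode == "Load-Balancing":
            up = sorted(self.links_up)   # only functional interfaces take part
            if algo == "Round-Robin":
                self._cycle = cycle(up)
            elif algo == "Weighted-LB":
                # Weighted round-robin: repeat each link (speed / gcd of speeds) times,
                # so a 100 Mbps link gets twice the sessions of a 50 Mbps link.
                speeds = {w: link_speed[w] for w in up}
                unit = 0
                for speed in speeds.values():
                    unit = gcd(unit, speed)
                self._cycle = cycle([w for w in up for _ in range(speeds[w] // unit)])
            else:
                raise ValueError("Load-Balancing requires loadbal_algo Round-Robin or Weighted-LB")
        else:
            raise ValueError(f"unknown wan_mode_type {mode}")

    def assign(self, service, src, dst):
        """Return the WAN interface for a new session, or None if none is usable."""
        for binding in self.bindings:
            if binding.matches(service, src, dst) and binding.local_gateway in self.links_up:
                return binding.local_gateway
        if self.mode == "Primary-WAN":
            # Rollover: the secondary is used only while the primary is down.
            for candidate in (self.primary, self.secondary):
                if candidate in self.links_up:
                    return candidate
            return None
        return next(self._cycle) if self.links_up else None


if __name__ == "__main__":
    # The manual's binding: FTP to WAN1 when the destination is 10.122.178.214.
    ftp = ProtocolBinding("FTP", "WAN1", destination=("SINGLE_ADDRESS", "10.122.178.214"))
    sel = WanSelector("Load-Balancing", ["WAN1", "WAN2"], algo="Weighted-LB",
                      link_speed={"WAN1": 100, "WAN2": 50}, bindings=[ftp])
    print(sel.assign("FTP", "192.168.1.10", "10.122.178.214"))   # WAN1 via the binding
    print([sel.assign("HTTP", "192.168.1.10", "203.0.113.5") for _ in range(3)])
```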
net protocol_binding edit <row id>
This command configures an existing protocol binding, that is, it binds a service to a WAN
interface. After you have issued the net protocol_binding edit command to specify
the row to be edited, you enter the net-config [protocol-binding] mode, and then you can
configure one keyword and associated parameter or associated keyword at a time in the
order that you prefer.
Step 1
Format
net protocol_binding edit <row id>
Mode
net
Step 2
Format
service_name {default_services <default service name> | custom_services <custom service name>}
local_gateway {WAN1 | WAN2 | WAN3 | WAN4}
source_network_type {address_wise {ANY | SINGLE_ADDRESS {source_network_start_ip <ipaddress>} | ADDRESS_RANGE {source_network_start_ip <ipaddress>} {source_network_end_ip <ipaddress>}} | group_wise <group name>}
destination_network_type {address_wise {ANY | SINGLE_ADDRESS {destination_network_start_ip <ipaddress>} | ADDRESS_RANGE {destination_network_start_ip <ipaddress>} {destination_network_end_ip <ipaddress>}} | group_wise <group name>}
Mode
net-config [protocol-binding]

Keyword | Associated keyword to select or parameter to type | Description
--- | --- | ---
service_name default_services | ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP | Specifies the default service and protocol to which the protocol binding applies.
service_name custom_services | custom service name | The custom service that you have configured with the security services add command and to which the protocol binding applies.
local_gateway | WAN1, WAN2, WAN3, or WAN4 | Specifies the interface to which the service is bound.
source_network_type address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | Specifies the type of LAN source address. The address_wise and group_wise keywords are mutually exclusive.
source_network_start_ip | ipaddress | The IP address if the source_network_type address_wise keywords are set to SINGLE_ADDRESS, or the start IP address if they are set to ADDRESS_RANGE.
source_network_end_ip | ipaddress | The end IP address if the source_network_type address_wise keywords are set to ADDRESS_RANGE.
source_network_type group_wise | group name | The name of the LAN group or LAN IP group. The LAN group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you have specified with the net lan lan_groups edit <row id> <new group name> command. The LAN IP group name is a name that you have specified with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.
destination_network_type address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | Specifies the type of WAN destination address. The address_wise and group_wise keywords are mutually exclusive.
destination_network_start_ip | ipaddress | The IP address if the destination_network_type address_wise keywords are set to SINGLE_ADDRESS, or the start IP address if they are set to ADDRESS_RANGE.
destination_network_end_ip | ipaddress | The end IP address if the destination_network_type address_wise keywords are set to ADDRESS_RANGE.
destination_network_type group_wise | group name | The name of the WAN IP group. The WAN IP group name is a name that you have specified with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.
Related show command: show net protocol_binding setup
net protocol_binding delete
This command deletes a protocol binding by deleting its row ID.
Format
net protocol_binding delete <row id>
Mode
net
Related show command: show net protocol_binding setup
net protocol_binding disable
This command disables a protocol binding by specifying its row ID.
Format
net protocol_binding disable <row id>
Mode
net
Related show command: show net protocol_binding setup
net protocol_binding enable
This command enables a protocol binding by specifying its row ID.
Format
net protocol_binding enable <row id>
Mode
net
Related show command: show net protocol_binding setup
IPv6 WAN Commands
net ipv6 ipmode configure
This command configures the IPv6 mode. After you have issued the net ipv6 ipmode
configure command, you enter the net-config [mode] mode, and then you can configure
the IP mode. You can select support for IPv4 only or for both IPv4 and IPv6.
WARNING!
Changing the IP mode causes the VPN firewall to reboot.
Step 1
Format
net ipv6 ipmode configure
Mode
net
Step 2
Format
ip_type {IPv4_Only | IPv4/IPv6}
Mode
net-config [mode]

Keyword | Associated keyword to select | Description
--- | --- | ---
ip_type | IPv4_Only or IPv4/IPv6 | Specifies the IPv6 routing mode.
Command example:
SRX5308> net ipv6 ipmode configure
net-config[mode]> ip_type IPv4/IPv6
net-config[mode]> save
Related show command: show net ipv6 ipmode setup
net wan wan ipv6 configure <wan interface>
This command configures the IPv6 settings for a WAN interface. After you have issued the
net wan wan ipv6 configure command to specify one of the four WAN interfaces (that
is, WAN1, WAN2, WAN3, or WAN4), you enter the net-config [wan-ipv6] mode. First, specify
the ISP connection type (you can select only a single type). Then, for the selected ISP
connection type, configure one keyword and associated parameter or associated keyword at
a time in the order that you prefer.
Step 1
Format
net wan wan ipv6 configure {WAN1 | WAN2 | WAN3 | WAN4}
Mode
net
Step 2
Format
isp type {STATIC | DHCPC | PPPoE}
static ip_address <ipv6-address>
static prefix <prefix-length>
static gateway_address <ipv6-address>
static primary_dns <ipv6-address>
static secondary_dns <ipv6-address>
dhcpc stateless_mode_enable {StatelessAddrAutoConfig [prefix_delegation_enable {Y | N}] | StatefulAddrAutoConfig}
pppoe user_name <user name>
pppoe password <password>
pppoe dhcpv6_option {Disable-DHCPv6 {pppoe primary_dns <ipv6-address>} {pppoe secondary_dns <ipv6-address>} | DHCPv6-StatelessMode | DHCPv6-StatefulMode | DHCPv6-Prefix-Delegation}
Mode
net-config [wan-ipv6]

Keyword (consists of two separate words) | Associated keyword to select or parameter to type | Description
--- | --- | ---
isp type | STATIC, DHCPC, or PPPoE | Specifies the type of ISP connection: • STATIC. Configure the keywords and parameters in the Static section of this table. • DHCPC. Configure the keywords and parameters in the DHCPC section of this table. • PPPoE. Configure the keywords and parameters in the PPPoE section of this table.
Static | |
static ip_address | ipv6-address | The IPv6 address of the WAN interface.
static prefix | prefix-length | The prefix length (integer) for the static address.
static gateway_address | ipv6-address | The IPv6 address of the gateway.
static primary_dns | ipv6-address | The IPv6 address of the primary DNS server.
static secondary_dns | ipv6-address | The IPv6 address of the secondary DNS server.
DHCPC | |
dhcpc stateless_mode_enable | StatelessAddrAutoConfig or StatefulAddrAutoConfig | Specifies the type of DHCPv6 mode (stateless or stateful). If you set the dhcpc stateless_mode_enable keywords to StatelessAddrAutoConfig, you have the option to set the dhcpc prefix_delegation_enable keywords and associated parameter.
prefix_delegation_enable | Y or N | Enables or disables prefix delegation if the dhcpc stateless_mode_enable keywords are set to StatelessAddrAutoConfig. Prefix delegation allows the ISP’s stateful DHCPv6 server to assign a prefix.
PPPoE | |
pppoe user_name | user name | The PPPoE user name that is provided by the ISP.
pppoe password | password | The PPPoE password that is provided by the ISP.
pppoe dhcpv6_option | Disable-DHCPv6, DHCPv6-StatelessMode, DHCPv6-StatefulMode, or DHCPv6-Prefix-Delegation | Specifies the DHCPv6 server options for the PPPoE configuration: • Disable-DHCPv6. DHCPv6 is disabled. You need to issue the pppoe primary_dns and pppoe secondary_dns keywords and specify DNS servers to receive an IP address from the ISP. • DHCPv6-StatelessMode. The VPN firewall generates its own IP address by using a combination of locally available information and router advertisements, but receives DNS server information from the ISP’s DHCPv6 server. Router advertisements include a prefix that identifies the subnet that is associated with the WAN port. The IP address is formed by combining this prefix and the MAC address of the WAN port. The IP address is a dynamic address. • DHCPv6-StatefulMode. The VPN firewall obtains an interface address, configuration information such as DNS server information, and other parameters from the ISP’s DHCPv6 server. The IP address is a dynamic address. • DHCPv6-Prefix-Delegation. The VPN firewall obtains a prefix from the ISP’s DHCPv6 server through prefix delegation. The VPN firewall’s own stateless DHCPv6 server can assign this prefix to its IPv6 LAN clients.
pppoe primary_dns | ipv6-address | The IPv6 address of the primary DNS server if the DHCPv6 server option is Disable-DHCPv6.
pppoe secondary_dns | ipv6-address | The IPv6 address of the secondary DNS server if the DHCPv6 server option is Disable-DHCPv6.
Command example:
SRX5308> net wan wan ipv6 configure WAN2
net-config[wan-ipv6]> isp type DHCPC
net-config[wan-ipv6]> dhcpc stateless_mode_enable StatelessAddrAutoConfig
net-config[wan-ipv6]> prefix_delegation_enable Y
net-config[wan-ipv6]> save
Related show commands: show net wan wan ipv6 setup <wan interface> and show net wan wan
ipv6 status <wan interface>
net siit configure
This command enables and configures Stateless IP/ICMP Translation (SIIT). After you have
issued the net siit configure command, you enter the net-config [siit] mode, and then
you can enable SIIT and configure the IPv4 address.
Step 1
Format
net siit configure
Mode
net
Step 2
Format
enable {Y | N}
ipv4_address <ipaddress>
Mode
net-config [siit]

Keyword | Associated keyword to select or parameter to type | Description
--- | --- | ---
enable | Y or N | Enables or disables SIIT.
ipv4_address | ipaddress | The IPv4 address for the SIIT configuration.
Command example:
SRX5308> net siit configure
net-config[siit]> enable Y
net-config[siit]> ipv4_address 192.168.5.117
net-config[siit]> save
Related show command: show net siit setup
IPv6 Tunnel Commands
net ipv6_tunnel isatap add
This command configures a new ISATAP tunnel. After you have issued the net
ipv6_tunnel isatap add command, you enter the net-config [isatap-tunnel] mode, and
then you can configure one keyword and associated parameter or associated keyword at a
time in the order that you prefer.
Note: To be able to configure an ISATAP tunnel, you first need to set the IP
mode to IPv4/IPv6 (see net ipv6 ipmode configure).
Step 1
Format
net ipv6_tunnel isatap add
Mode
net
Step 2
Format
subnet_prefix <subnet prefix>
end_point_type {LAN | Other_IP {ipv4_address <address>}}
Mode
net-config [isatap-tunnel]

Keyword | Associated keyword to select or parameter to type | Description
--- | --- | ---
subnet_prefix | subnet prefix | The IPv6 64-bit subnet prefix (string) that is assigned to the logical ISATAP subnet for this intranet.
end_point_type | LAN or Other_IP | Specifies the local endpoint IP address for the tunnel that is initiated on the VPN firewall. The endpoint can be the LAN interface or a specific LAN IPv4 address. If you select Other_IP, you also need to issue the ipv4_address keyword to specify an IPv4 address.
ipv4_address | ipaddress | The IPv4 address of a local endpoint that is not a LAN IPv4 address.
Command example:
SRX5308> net ipv6_tunnel isatap add
net-config[isatap-tunnel]> subnet_prefix 2004::
net-config[isatap-tunnel]> end_point_type Other_IP
net-config[isatap-tunnel]> ipv4_address 10.29.33.4
net-config[isatap-tunnel]> save
Related show commands: show net ipv6_tunnel setup and show net ipv6_tunnel status
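Two settings in this chapter produce IPv6 addresses by construction rather than by assignment: the DHCPv6-StatelessMode option of net wan wan ipv6 configure, whose WAN address combines the router-advertised prefix with the WAN port's MAC address, and an ISATAP tunnel, whose address combines subnet_prefix with the IPv4 endpoint. The following added example, which is not NETGEAR's code, performs both derivations with the standard rules (modified EUI-64 from RFC 4291 and the 5efe interface identifier from RFC 5214); the MAC address and the 2001:db8: prefix are constructed sample values, while the ISATAP inputs are the manual's own example.

```python
"""Derive the IPv6 addresses that two settings in this chapter produce.

Added example, not NETGEAR's code. DHCPv6-StatelessMode forms the WAN
address from the router-advertised prefix and the WAN port's MAC address
(modified EUI-64, RFC 4291); an ISATAP tunnel forms its address from
subnet_prefix and the IPv4 endpoint (RFC 5214). The MAC address and the
2001:db8: prefix below are constructed sample values.
"""
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64: split the MAC, insert ff:fe, flip the universal/local bit."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("MAC address must have six octets")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def _prefix64(prefix: str) -> bytes:
    # The manual writes the ISATAP subnet_prefix without a length (2004::);
    # both mechanisms need exactly 64 prefix bits.
    net = ipaddress.IPv6Network(prefix if "/" in prefix else prefix + "/64", strict=False)
    if net.prefixlen != 64:
        raise ValueError("a 64-bit prefix is required")
    return net.network_address.packed[:8]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Stateless autoconfiguration address of a WAN port: prefix + EUI-64 of its MAC."""
    return ipaddress.IPv6Address(_prefix64(prefix) + eui64_interface_id(mac))


def isatap_address(subnet_prefix: str, ipv4_endpoint: str) -> ipaddress.IPv6Address:
    """ISATAP address: prefix + 0000:5efe:<IPv4>, or 0200:5efe:<IPv4> when the
    IPv4 endpoint is globally unique (universal/local bit set)."""
    v4 = ipaddress.IPv4Address(ipv4_endpoint)
    first_byte = 0x02 if v4.is_global else 0x00
    interface_id = bytes([first_byte, 0x00, 0x5e, 0xfe]) + v4.packed
    return ipaddress.IPv6Address(_prefix64(subnet_prefix) + interface_id)


if __name__ == "__main__":
    # The manual's ISATAP example: subnet_prefix 2004:: with ipv4_address 10.29.33.4.
    print(isatap_address("2004::", "10.29.33.4"))
    # Constructed WAN MAC with a constructed documentation prefix.
    print(slaac_address("2001:db8:1::/64", "00:1b:2f:aa:bb:cc"))
```

Because the stateless address embeds the WAN port's MAC, it reveals the hardware vendor and stays the same when the ISP changes the prefix; the stateful modes hand out an address chosen by the DHCPv6 server instead.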
net ipv6_tunnel isatap edit <row id>
This command configures an existing ISATAP tunnel. After you have issued the net
ipv6_tunnel isatap edit command to specify the row to be edited, you enter the
net-config [isatap-tunnel] mode, and then you can change the subnet prefix only.
Step 1
Format
net ipv6_tunnel isatap edit <row id>
Mode
net
Step 2
Format
subnet_prefix <subnet prefix>
Mode
net-config [isatap-tunnel]

Keyword | Associated keyword to select or parameter to type | Description
--- | --- | ---
subnet_prefix | subnet prefix | The IPv6 64-bit subnet prefix (string) that is assigned to the logical ISATAP subnet for this intranet.
Related show commands: show net ipv6_tunnel setup and show net ipv6_tunnel status
net ipv6_tunnel isatap delete <row id>
This command deletes an ISATAP tunnel by deleting its row ID.
Note: To be able to delete an ISATAP tunnel, you first need to set the IP
mode to IPv4/IPv6 (see net ipv6 ipmode configure).
Format
net ipv6_tunnel isatap delete <row id>
Mode
net
Related show commands: show net ipv6_tunnel setup and show net ipv6_tunnel status
net ipv6_tunnel six_to_four configure
This command enables or disables automatic tunneling, which allows traffic from an IPv6
LAN to be tunneled through an IPv4 WAN to reach an IPv6 network. After you have issued
the net ipv6_tunnel six_to_four configure command, you enter the
net-config [six-to-four-tunnel] mode, and then you can configure automatic tunneling.
Step 1
Format
net ipv6_tunnel six_to_four configure
Mode
net
Step 2
Format
automatic_tunneling_enable {Y | N}
Mode
net-config [six-to-four-tunnel]

Keyword | Associated keyword to select | Description
--- | --- | ---
automatic_tunneling_enable | Y or N | Enables or disables automatic tunneling.
Command example:
SRX5308> net ipv6_tunnel six_to_four configure
net-config[six-to-four-tunnel]> automatic_tunneling_enable Y
net-config[six-to-four-tunnel]> save
Related show commands: show net ipv6_tunnel setup and show net ipv6_tunnel status
Dynamic DNS Commands
net ddns configure
This command enables, configures, or disables Dynamic DNS (DDNS) service. After you
have issued the net ddns configure command, you enter the net-config [ddns] mode,
and then you can configure one keyword and associated parameter or associated keyword at
a time in the order that you prefer. Before you specify a keyword, you need to specify the
WAN interface to which the configuration applies.
Step 1
Format
net ddns configure
Mode
net
Step 2
Format
{wan1 | wan2 | wan3 | wan4} enable {Disable | DynDNS | TZO | DNS_Oray | 3322_DDNS}
{wan1 | wan2 | wan3 | wan4} hostname <host name>
{wan1 | wan2 | wan3 | wan4} username <user name>
{wan1 | wan2 | wan3 | wan4} password <password>
{wan1 | wan2 | wan3 | wan4} wild_flag_enable {Y | N}
{wan1 | wan2 | wan3 | wan4} time_update_enable {Y | N}
Mode
net-config [ddns]

In the Keyword column, <wan> stands for wan1, wan2, wan3, or wan4.

Keyword (consists of two separate words) | Associated keyword to select or parameter to type | Description
--- | --- | ---
<wan> enable | Disable, DynDNS, TZO, DNS_Oray, or 3322_DDNS | Specifies whether DDNS is disabled or enabled with a particular service. Use the Disable keyword to disable DDNS after you had first enabled the service. The other keywords represent DDNS service providers and are self-explanatory.
<wan> hostname | host name | Configures a host name (string) for a DDNS server.
<wan> username | user name | Configures a user name (string) for a DDNS server.
<wan> password | password | Configures a password (string) for a DDNS server.
<wan> wild_flag_enable | Y or N | Enables or disables the use of wildcards for DDNS.
<wan> time_update_enable | Y or N | Enables or disables the automatic update of the DDNS service after 30 days.
Command example:
SRX5308> net ddns configure
net-config[ddns]> wan2 enable DynDNS
net-config[ddns]> wan2 hostname adminnetgear.dyndns.org
net-config[ddns]> wan2 username jaybrown
net-config[ddns]> wan2 password 4hg!RA278s
net-config[ddns]> wan2 wild_flag_enable N
net-config[ddns]> wan2 time_update_enable Y
net-config[ddns]> save
Related show command: show net ddns setup
IPv4 LAN Commands
net lan ipv4 configure <vlan id>
This command configures a new or existing VLAN, that is, a VLAN ID and a VLAN profile.
After you have issued the net lan ipv4 configure command to specify a new or
existing VLAN ID, you enter the net-config [lan-ipv4] mode, and then you can configure one
keyword and associated parameter or associated keyword at a time in the order that you
prefer.
Step 1
Format
net lan ipv4 configure <vlan id>
Mode
net
Step 2
Format
profile_name <name>
port_membership {[port 1 {Y | N}] | [port 2 {Y | N}] |
[port 3 {Y | N}] | [port 4 {Y | N}]}
static address <ipaddress>
static subnet_mask <subnet mask>
dhcp mode {None | DHCP-Server | DHCP-Relay}
proxy dns_enable {Y | N}
dhcp domain_name <domain name>
dhcp start_address <ipaddress>
dhcp end_address <ipaddress>
dhcp primary_dns <ipaddress>
dhcp secondary_dns <ipaddress>
dhcp wins_server <ipaddress>
dhcp lease_time <hours>
enable_ldap {Y | N}
ldap_serverip <ipaddress>
ldap_search_base <search base>
ldap_port <number>
dhcp relay_gateway <ipaddress>
inter_vlan_routing {Y | N}
Mode
net-config [lan-ipv4]
profile_name <name>
    The name of the VLAN profile.
port_membership port 1 {Y | N}
    Specifies whether or not port 1 is a member of the VLAN. You need to specify each port individually.
port_membership port 2 {Y | N}
    Specifies whether or not port 2 is a member of the VLAN.
port_membership port 3 {Y | N}
    Specifies whether or not port 3 is a member of the VLAN.
port_membership port 4 {Y | N}
    Specifies whether or not port 4 is a member of the VLAN.
static address <ipaddress>
    The static IPv4 address for the VLAN.
static subnet_mask <subnet mask>
    The IPv4 subnet mask for the VLAN profile.
dhcp mode {None | DHCP-Server | DHCP-Relay}
    Specifies the DHCP mode for the devices that are connected to the VLAN:
    • None. The DHCP server is disabled. No further DHCP configuration is required.
    • DHCP-Server. Configure the keywords and parameters in the DHCP server section of this table.
    • DHCP-Relay. Configure the keywords and parameters in the DHCP relay section of this table.
proxy dns_enable {Y | N}
    Enables or disables the LAN DNS proxy.
inter_vlan_routing {Y | N}
    Enables or disables inter-VLAN routing.
DHCP server:
dhcp domain_name <domain name>
    The FQDN or domain name of the DHCP server.
dhcp start_address <ipaddress>
    The start IP address for the DHCP address range.
dhcp end_address <ipaddress>
    The end IP address for the DHCP address range.
dhcp primary_dns <ipaddress>
    The IP address of the primary DNS server for the DHCP server.
dhcp secondary_dns <ipaddress>
    The IP address of the secondary DNS server for the DHCP server.
dhcp wins_server <ipaddress>
    The IP address of the WINS server for the DHCP server.
dhcp lease_time <hours>
    The DHCP lease time in hours.
enable_ldap {Y | N}
    Enables or disables LDAP.
ldap_serverip <ipaddress>
    The IP address of the LDAP server.
ldap_search_base <search base>
    The search base (string) for LDAP.
ldap_port <number>
    The port number for the LDAP server.
DHCP relay:
dhcp relay_gateway <ipaddress>
    The IP address of the DHCP relay gateway.
Command example:
SRX5308> net lan ipv4 configure 4
net-config[lan-ipv4]> profile_name Marketing
net-config[lan-ipv4]> port_membership port 1 Y
net-config[lan-ipv4]> port_membership port 3 Y
net-config[lan-ipv4]> port_membership port 4 Y
net-config[lan-ipv4]> static address 192.168.1.1
net-config[lan-ipv4]> static subnet_mask 255.255.255.0
net-config[lan-ipv4]> dhcp mode DHCP-Relay
net-config[lan-ipv4]> dhcp relay_gateway 10.172.214.198
net-config[lan-ipv4]> proxy dns_enable N
net-config[lan-ipv4]> inter_vlan_routing Y
net-config[lan-ipv4]> save
Related show command: show net lan ipv4 setup
net lan ipv4 delete <vlan id>
This command deletes a VLAN by specifying its ID. You cannot delete VLAN 1, the default
VLAN.
Format
net lan ipv4 delete <vlan id>
Mode
net
Related show command: show net lan ipv4 setup
net lan ipv4 disable <vlan id>
This command disables a VLAN by specifying its ID. You cannot disable VLAN 1, the default
VLAN.
Format
net lan ipv4 disable <vlan id>
Mode
net
Related show command: show net lan ipv4 setup
net lan ipv4 enable <vlan id>
This command enables a VLAN by specifying its ID. VLAN 1, the default VLAN, is always
enabled.
Format
net lan ipv4 enable <vlan id>
Mode
net
Related show command: show net lan ipv4 setup
net ethernet configure <interface name or number>
This command configures a VLAN for a LAN interface. After you have issued the net
ethernet configure command to specify a LAN interface, you enter net-config [ethernet]
mode, and then you can configure one keyword and associated parameter or associated
keyword at a time in the order that you prefer.
Step 1
Format
net ethernet configure <interface name or number>
Mode
net
Step 2
Format
vlanid <number>
vlan-enable {Y | N}
native-vlan {Y | N}
Mode
net-config [ethernet]
vlanid <number>
    The VLAN ID.
vlan-enable {Y | N}
    Enables or disables the VLAN for this interface.
native-vlan {Y | N}
    Enables or disables the default (native) VLAN for this interface.
Command example:
SRX5308> net ethernet configure eth0
net-config[ethernet]> vlanid 12
net-config[ethernet]> vlan-enable Y
net-config[ethernet]> native-vlan N
net-config[ethernet]> save
Note: To enter the net-config [ethernet] mode, you can issue the net
ethernet configure command with either an interface name
such as eth0 or an interface number such as 0.
Related show command: show net ethernet {interface name | all}
net lan ipv4 default_vlan
This command configures the default VLAN for each port. After you have issued the net
lan ipv4 default_vlan command, you enter the net-config [lan-ipv4-defvlan] mode,
and then you can configure one keyword and associated parameter or associated keyword at
a time in the order that you prefer.
Step 1
Format
net lan ipv4 default_vlan
Mode
net
Step 2
Format
port1 <vlan name>
port2 <vlan name>
port3 <vlan name>
port4 <vlan name>
Mode
net-config [lan-ipv4-defvlan]
port1 <vlan name>
    Specifies the default VLAN name for port 1. You need to specify the name for each port individually.
port2 <vlan name>
    Specifies the default VLAN name for port 2.
port3 <vlan name>
    Specifies the default VLAN name for port 3.
port4 <vlan name>
    Specifies the default VLAN name for port 4.
Command example:
SRX5308> net lan ipv4 default_vlan
net-config[lan-ipv4-defvlan]> port1 Default
net-config[lan-ipv4-defvlan]> port2 Default
net-config[lan-ipv4-defvlan]> port3 Management
net-config[lan-ipv4-defvlan]> port4 Sales
net-config[lan-ipv4-defvlan]> save
Related show command: show net lan ipv4 setup
net lan ipv4 advanced configure
This command configures advanced LAN settings such as the MAC address for VLANs and
ARP broadcast. After you have issued the net lan ipv4 advanced configure
command, you enter the net-config [lan-ipv4-adv] mode, and then you can configure one
keyword and associated parameter or associated keyword at a time in the order that you
prefer.
Step 1
Format
net lan ipv4 advanced configure
Mode
net
Step 2
Format
vlan_mac_offset_type {Same | Unique}
enable_arp_broadcast {Y | N}
Mode
net-config [lan-ipv4-adv]
vlan_mac_offset_type {Same | Unique}
    Specifies the MAC address for VLANs:
    • Same. All VLAN profiles use the same MAC address as the LAN ports. (All LAN ports share the same MAC address.)
    • Unique. Each VLAN (up to 16 VLANs) is assigned a unique MAC address.
enable_arp_broadcast {Y | N}
    Enables or disables ARP broadcast.
Command example:
SRX5308> net lan ipv4 advanced configure
net-config[lan-ipv4-adv]> vlan_mac_offset_type Same
net-config[lan-ipv4-adv]> enable_arp_broadcast Y
net-config[lan-ipv4-adv]> save
Related show command: show net lan ipv4 advanced setup
net lan dhcp reserved_ip configure <mac address>
This command binds a MAC address to an IP address for DHCP reservation or lets you edit
an existing binding. The command also assigns the device or computer to which the MAC
address belongs to one of eight LAN groups. After you have issued the net lan dhcp
reserved_ip configure command to configure the MAC address, you enter the
net-config [dhcp-reserved-ip] mode, and then you can configure the IP address for the
binding configuration.
Step 1
Format
net lan dhcp reserved_ip configure <mac address>
Mode
net
Step 2
Format
ip_mac_name <device name>
ip_addr_type {Fixed_set_on_PC | Dhcp_Reserved_IP}
ip_address <ipaddress>
group_name {Group1 | Group2 | Group3 | Group4 | Group5 | Group6 |
Group7 | Group8 | <custom group name>}
vlan_profile <vlan name>
Mode
net-config [dhcp-reserved-ip]
ip_mac_name <device name>
    The name of the computer or device.
ip_addr_type {Fixed_set_on_PC | Dhcp_Reserved_IP}
    Specifies the IP address type:
    • Fixed_set_on_PC. The IP address is statically assigned on the computer or device.
    • Dhcp_Reserved_IP. The DHCP server of the VPN firewall always assigns the specified IP address to this client during the DHCP negotiation.
ip_address <ipaddress>
    The IP address that needs to be bound to the specified MAC address. The IP address needs to be in the IP subnet of the VLAN to which the computer or device is assigned.
group_name {Group1 | Group2 | Group3 | Group4 | Group5 | Group6 | Group7 | Group8 | <custom group name>}
    Specifies the group to which the computer or device needs to be assigned. You can also enter a custom group name that you have specified with the net lan lan_groups edit <row id> <new group name> command.
vlan_profile <vlan name>
    The name of the VLAN to which the computer or device needs to be assigned.
Command example:
SRX5308> net lan dhcp reserved_ip configure AA:BB:CC:1A:2B:3C
net-config[dhcp-reserved-ip]> ip_addr_type Dhcp_Reserved_IP
net-config[dhcp-reserved-ip]> ip_address 192.168.27.219
net-config[dhcp-reserved-ip]> group_name Group3
net-config[dhcp-reserved-ip]> vlan_profile Default
net-config[dhcp-reserved-ip]> save
Related show commands: show net lan dhcp reserved_ip setup and show net lan dhcp
leased_clients list
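Added example, not code from the NETGEAR manual: a pre-change check that applies the rules stated above for net lan ipv4 configure (a DHCP-Relay VLAN needs dhcp relay_gateway; a DHCP-Server VLAN needs a start/end range inside its static subnet) and for net lan dhcp reserved_ip configure (the reserved IP must lie in the subnet of the VLAN the device is assigned to), and renders the net-config[lan-ipv4] lines in the order the manual's example uses. The VlanProfile and Reservation classes, and the Default VLAN subnet 192.168.27.0/24 used in the test, are constructed for this example.

```python
# Added example, not code from the NETGEAR manual. It checks a planned
# `net lan ipv4 configure <vlan id>` session and the
# `net lan dhcp reserved_ip configure <mac address>` bindings that depend on it
# against the rules the CLI reference states, then renders the session lines.
# The VlanProfile/Reservation classes and all sample addresses are constructed
# for this example; they are not part of the firewall's own software.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")   # AA:BB:CC:1A:2B:3C form
DHCP_MODES = ("None", "DHCP-Server", "DHCP-Relay")            # dhcp mode keyword values


@dataclass
class VlanProfile:
    vlan_id: int
    profile_name: str                      # profile_name <name>
    address: str                           # static address <ipaddress>
    subnet_mask: str                       # static subnet_mask <subnet mask>
    dhcp_mode: str                         # dhcp mode {None | DHCP-Server | DHCP-Relay}
    start_address: Optional[str] = None    # dhcp start_address (DHCP-Server only)
    end_address: Optional[str] = None      # dhcp end_address (DHCP-Server only)
    relay_gateway: Optional[str] = None    # dhcp relay_gateway (DHCP-Relay only)
    inter_vlan_routing: bool = False       # inter_vlan_routing {Y | N}


@dataclass
class Reservation:
    mac: str               # the <mac address> the binding is keyed on
    ip_address: str        # ip_address <ipaddress>
    vlan_profile: str      # vlan_profile <vlan name>; must name an existing profile
    group_name: str = "Group1"


def vlan_network(vlan: VlanProfile) -> ipaddress.IPv4Network:
    """Subnet implied by the VLAN's static address and mask (host bits masked off)."""
    return ipaddress.IPv4Network(f"{vlan.address}/{vlan.subnet_mask}", strict=False)


def check_vlan(vlan: VlanProfile) -> List[str]:
    """Return the rule violations for one VLAN profile; an empty list means consistent."""
    tag = f"VLAN {vlan.vlan_id} ({vlan.profile_name})"
    if vlan.dhcp_mode not in DHCP_MODES:
        return [f"{tag}: unknown dhcp mode {vlan.dhcp_mode!r}"]
    problems: List[str] = []
    net = vlan_network(vlan)
    if vlan.dhcp_mode == "DHCP-Relay" and not vlan.relay_gateway:
        problems.append(f"{tag}: dhcp mode DHCP-Relay requires dhcp relay_gateway")
    if vlan.dhcp_mode == "DHCP-Server":
        if not (vlan.start_address and vlan.end_address):
            problems.append(f"{tag}: dhcp mode DHCP-Server requires dhcp start_address and dhcp end_address")
        else:
            start = ipaddress.IPv4Address(vlan.start_address)
            end = ipaddress.IPv4Address(vlan.end_address)
            if start > end:
                problems.append(f"{tag}: dhcp start_address {start} is above dhcp end_address {end}")
            for label, addr in (("start_address", start), ("end_address", end)):
                if addr not in net:   # the pool must sit in the VLAN's own subnet
                    problems.append(f"{tag}: dhcp {label} {addr} is outside {net}")
    return problems


def check_reservation(res: Reservation, vlans: List[VlanProfile]) -> List[str]:
    """Validate a reserved_ip binding against the VLAN profile it names."""
    problems: List[str] = []
    if not MAC_RE.match(res.mac):
        problems.append(f"{res.mac}: MAC address is not in AA:BB:CC:1A:2B:3C form")
    vlan = next((v for v in vlans if v.profile_name == res.vlan_profile), None)
    if vlan is None:
        problems.append(f"{res.mac}: vlan_profile {res.vlan_profile!r} does not exist")
    elif ipaddress.IPv4Address(res.ip_address) not in vlan_network(vlan):
        problems.append(f"{res.mac}: {res.ip_address} is not in the subnet "
                        f"{vlan_network(vlan)} of VLAN {res.vlan_profile}")
    return problems


def render_vlan_session(vlan: VlanProfile) -> List[str]:
    """The commands to type, starting in net mode, in the order the manual's example uses."""
    lines = [f"net lan ipv4 configure {vlan.vlan_id}",
             f"profile_name {vlan.profile_name}",
             f"static address {vlan.address}",
             f"static subnet_mask {vlan.subnet_mask}",
             f"dhcp mode {vlan.dhcp_mode}"]
    if vlan.dhcp_mode == "DHCP-Server":
        lines += [f"dhcp start_address {vlan.start_address}",
                  f"dhcp end_address {vlan.end_address}"]
    elif vlan.dhcp_mode == "DHCP-Relay":
        lines.append(f"dhcp relay_gateway {vlan.relay_gateway}")
    lines += [f"inter_vlan_routing {'Y' if vlan.inter_vlan_routing else 'N'}", "save"]
    return lines
```

check_vlan and check_reservation return an empty list when the planned configuration is consistent with the rules the reference states; render_vlan_session gives the lines to type after the SRX5308> prompt, the first in net mode and the rest in net-config[lan-ipv4] mode.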
net lan dhcp reserved_ip delete <mac address>
This command deletes the binding of a MAC address to an IP address.
Format
net lan dhcp reserved_ip delete <mac address>
Mode
net
Related show commands: show net lan dhcp reserved_ip setup and show net lan dhcp
leased_clients list
net lan lan_groups edit <row id> <new group name>
This command specifies an IPv4 LAN group name, that is, it changes a default group name
such as Group1, Group2, or Group3. You need to specify both the row ID that represents the
group (for example, 2 for Group2, or 5 for Group5) and the new name for the group.
Format
net lan lan_groups edit <row id> <new group name>
Mode
net
Related show command: show net lan lan_groups
net lan ipv4 multi_homing add
This command configures a new IPv4 alias, that is, a secondary IPv4 address. After you have
issued the net lan ipv4 multi_homing add command, you enter the
net-config [lan-ipv4-multihoming] mode, and then you can configure the secondary address
and subnet mask in the order that you prefer.
Step 1
Format
net lan ipv4 multi_homing add
Mode
net
Step 2
Format
ip_address <ipaddress>
subnet_mask <subnet mask>
Mode
net-config [lan-ipv4-multihoming]
ip_address <ipaddress>
    The secondary IPv4 address for the LAN.
subnet_mask <subnet mask>
    The subnet mask for the secondary IPv4 address.
Command example:
SRX5308> net lan ipv4 multi_homing add
net-config[lan-ipv4-multihoming]> ip_address 192.168.16.110
net-config[lan-ipv4-multihoming]> subnet_mask 255.255.255.248
net-config[lan-ipv4-multihoming]> save
Related show command: show net lan ipv4 multiHoming
net lan ipv4 multi_homing edit <row id>
This command configures an existing IPv4 alias, that is, a secondary IPv4 address. After you
have issued the net lan ipv4 multi_homing edit command to specify the row to be
edited, you enter the net-config [lan-ipv4-multihoming] mode, and then you can configure the
secondary address and subnet mask in the order that you prefer.
Step 1
Format
net lan ipv4 multi_homing edit <row id>
Mode
net
Step 2
Format
ip_address <ipaddress>
subnet_mask <subnet mask>
Mode
net-config [lan-ipv4-multihoming]
ip_address <ipaddress>
    The secondary IPv4 address for the LAN.
subnet_mask <subnet mask>
    The subnet mask for the secondary IPv4 address.
Related show command: show net lan ipv4 multiHoming
net lan ipv4 multi_homing delete <row id>
This command deletes a secondary IPv4 address by specifying its row ID.
Format
net lan ipv4 multi_homing delete <row id>
Mode
net
Related show command: show net lan ipv4 multiHoming
net lan ipv4 traffic_meter configure <ip address>
This command configures a LAN traffic meter profile for an IP address. When the traffic limit
has been reached, further traffic for that IP address is blocked. After you have issued the net
lan ipv4 traffic_meter configure command to specify the IP address, you enter
the net-config [lan-ipv4-traffic-meter] mode, and then you can configure one keyword and
associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
net lan ipv4 traffic_meter configure <ip address>
Mode
net
Step 2
Format
direction {Downloadonly | BothDirections}
limit <number>
counter {RestartCounter | SpecificTime {day_of_month <day>} {time_hour <hour>} {time_meridian {AM | PM}} {time_minute <minute>}}
send_email_report {Y | N}
send_email_alert {Y | N}
Mode
net-config [lan-ipv4-traffic-meter]
Traffic meter configuration:
direction {Downloadonly | BothDirections}
    Specifies the type of traffic limit:
    • Downloadonly. The traffic limit applies to downloaded traffic only.
    • BothDirections. The traffic limit applies to both downloaded and uploaded traffic.
limit <number>
    The limit for the traffic meter in MB.
Traffic counter configuration:
counter {SpecificTime | RestartCounter}
    Specifies how the traffic counter is restarted:
    • SpecificTime. Restarts the traffic counter on a specific day and time. You need to set the day_of_month, time_hour, time_meridian, and time_minute keywords and associated parameters.
    • RestartCounter. Restarts the traffic counter after you have saved the command.
day_of_month <day>
    The day in the format DD (01 to 31) that the traffic counter restarts. This keyword applies only if you have set the counter keyword to SpecificTime.
time_hour <hour>
    The hour in the format HH (00 to 12) that the traffic counter restarts. This keyword applies only if you have set the counter keyword to SpecificTime.
time_meridian {AM | PM}
    Specifies the meridiem for the hour that the traffic counter restarts. This keyword applies only if you have set the counter keyword to SpecificTime.
time_minute <minute>
    The minutes in the format MM (00 to 59) that the traffic counter restarts. This keyword applies only if you have set the counter keyword to SpecificTime.
send_email_report {Y | N}
    Specifies whether or not an email report is sent when the traffic counter restarts.
Action when limit is reached:
send_email_alert {Y | N}
    Specifies whether or not an email alert is sent when the traffic limit is reached and further traffic is blocked.
Command example:
SRX5308> net lan ipv4 traffic_meter configure 192.168.11.204
net-config[lan-ipv4-traffic-meter]> direction BothDirections
net-config[lan-ipv4-traffic-meter]> limit 45000
net-config[lan-ipv4-traffic-meter]> counter RestartCounter
net-config[lan-ipv4-traffic-meter]> send_email_report N
net-config[lan-ipv4-traffic-meter]> send_email_alert N
net-config[lan-ipv4-traffic-meter]> save
Related show commands: show net lan ipv4 traffic_meter setup and show net lan ipv4 traffic_meter detailed_setup <row id>
net lan ipv4 traffic_meter delete <row id>
This command deletes a LAN traffic meter profile by specifying its row ID.
Format
net lan ipv4 traffic_meter delete <row id>
Mode
net
Related show command: show net lan ipv4 traffic_meter setup
IPv6 LAN Commands
net lan ipv6 configure
This command configures the IPv6 LAN address settings and DHCPv6. After you have
issued the net lan ipv6 configure command, you enter the net-config [lan-ipv6] mode,
and then you can configure one keyword and associated parameter or associated keyword at
a time in the order that you prefer.
Step 1
Format
net lan ipv6 configure
Mode
net
Step 2
Format
static address <ipv6-address>
static prefix_length <prefix length>
dhcp server_enable {N | Y {dhcp mode {Stateless | Stateful}}}
dhcp prefix_delegation_enable {Y | N}
dhcp domain_name <domain name>
dhcp server_preference <number>
dhcp dns_type {useDnsProxy | useDnsFromISP | useEnteredDns {dhcp primary_dns <ipv6-address>} [dhcp secondary_dns <ipv6-address>]}
dhcp rebind_time <seconds>
Mode
net-config [lan-ipv6]
static address <ipv6-address>
    The link-local IPv6 address.
static prefix_length <prefix length>
    The IPv6 prefix length (integer) of the link-local IPv6 address.
dhcp server_enable {Y | N}
    Enables or disables DHCPv6. If you enable DHCPv6, you also need to issue the dhcp mode keywords to specify a stateless or stateful DHCPv6 server, and configure the server.
dhcp mode {Stateless | Stateful}
    Specifies the DHCPv6 mode (stateless or stateful).
dhcp prefix_delegation_enable {Y | N}
    Enables or disables prefix delegation. This option is available only if the dhcp mode keywords are set to Stateless. To configure prefixes, see the net lan ipv6 prefix_delegation add command.
dhcp domain_name <domain name>
    The server domain name (string) or FQDN for the DHCP server.
dhcp server_preference <number>
    The preference number (integer) of the DHCP server.
dhcp dns_type {useDnsProxy | useDnsFromISP | useEnteredDns}
    Specifies the DNS server type. If you select useEnteredDns, you also need to issue the dhcp primary_dns keyword and associated parameter. The dhcp secondary_dns keyword and associated parameter are optional.
dhcp primary_dns <ipv6-address>
    The IPv6 address for the primary DNS server in the DHCP configuration if the dhcp dns_type keywords are set to useEnteredDns.
dhcp secondary_dns <ipv6-address>
    The IPv6 address for the secondary DNS server in the DHCP configuration if the dhcp dns_type keywords are set to useEnteredDns.
dhcp rebind_time <seconds>
    The lease time in seconds (integer), from 0 to 604800 seconds.
Command example:
SRX5308> net lan ipv6 configure
net-config[lan-ipv6]> static address fec0::3
net-config[lan-ipv6]> static prefix_length 64
net-config[lan-ipv6]> dhcp server_enable Y
net-config[lan-ipv6]> dhcp mode Stateless
net-config[lan-ipv6]> dhcp prefix_delegation_enable Y
net-config[lan-ipv6]> dhcp domain_name netgear.com
net-config[lan-ipv6]> dhcp server_preference 236
net-config[lan-ipv6]> dhcp dns_type useDnsProxy
net-config[lan-ipv6]> dhcp rebind_time 43200
net-config[lan-ipv6]> save
Related show command: show net lan ipv6 setup
net lan ipv6 pool add
This command configures a new IPv6 DHCP address pool for the LAN. After you have issued
the net lan ipv6 pool add command, you enter the net-config [lan-ipv6-pool] mode,
and then you can configure the IPv6 start and end addresses and the IPv6 prefix length for
the IPv6 pool in the order that you prefer.
Step 1
Format
net lan ipv6 pool add
Mode
net
Step 2
Format
start_address <ipv6-address>
end_address <ipv6-address>
prefix_length <prefix length>
Mode
net-config [lan-ipv6-pool]
start_address <ipv6-address>
    The start address of the IPv6 address pool.
end_address <ipv6-address>
    The end address of the IPv6 address pool.
prefix_length <prefix length>
    The prefix length for the IPv6 address pool.
Command example:
SRX5308> net lan ipv6 pool add
net-config[lan-ipv6-pool]> start_address 2001::1025
net-config[lan-ipv6-pool]> end_address 2001::1030
net-config[lan-ipv6-pool]> prefix_length 56
net-config[lan-ipv6-pool]> save
Related show command: show net lan ipv6 setup
net lan ipv6 pool edit <row id>
This command configures an existing IPv6 DHCP address pool for the LAN. After you have
issued the net lan ipv6 pool edit command to specify the row to be edited, you enter
the net-config [lan-ipv6-pool] mode, and then you can configure the IPv6 start and end
addresses and the IPv6 prefix length for the IPv6 pool in the order that you prefer.
Step 1
Format
net lan ipv6 pool edit <row id>
Mode
net
Step 2
Format
start_address <ipv6-address>
end_address <ipv6-address>
prefix_length <prefix length>
Mode
net-config [lan-ipv6-pool]
start_address <ipv6-address>
    The start address of the IPv6 address pool.
end_address <ipv6-address>
    The end address of the IPv6 address pool.
prefix_length <prefix length>
    The prefix length for the IPv6 address pool.
Related show command: show net lan ipv6 setup
net lan ipv6 pool delete <row id>
This command deletes an IPv6 DHCP address pool by specifying its row ID.
Format
net lan ipv6 pool delete <row id>
Mode
net
Related show command: show net lan ipv6 setup
net lan ipv6 multi_homing add
This command configures a new IPv6 alias, that is, a secondary IPv6 address. After you
have issued the net lan ipv6 multi_homing add command, you enter the
net-config [lan-ipv6-multihoming] mode, and then you can configure the secondary address
and IPv6 prefix length in the order that you prefer.
Step 1
Format
net lan ipv6 multi_homing add
Mode
net
Step 2
Format
ip_address <ipv6-address>
prefix_length <prefix length>
Mode
net-config [lan-ipv6-multihoming]
ip_address <ipv6-address>
    The secondary IPv6 address for the LAN.
prefix_length <prefix length>
    The prefix length for the secondary IPv6 address.
Command example:
SRX5308> net lan ipv6 multi_homing add
net-config[lan-ipv6-multihoming]> ip_address 2002::1006
net-config[lan-ipv6-multihoming]> prefix_length 10
net-config[lan-ipv6-multihoming]> save
Related show command: show net lan ipv6 multiHoming
net lan ipv6 multi_homing edit <row id>
This command configures an existing IPv6 alias, that is, a secondary IPv6 address. After you
have issued the net lan ipv6 multi_homing edit command to specify the row to be
edited, you enter the net-config [lan-ipv6-multihoming] mode, and then you can configure the
secondary address and IPv6 prefix length in the order that you prefer.
Step 1
Format
net lan ipv6 multi_homing edit <row id>
Mode
net
Step 2
Format
ip_address <ipv6-address>
prefix_length <prefix length>
Mode
net-config [lan-ipv6-multihoming]
ip_address <ipv6-address>
    The secondary IPv6 address for the LAN.
prefix_length <prefix length>
    The prefix length for the secondary IPv6 address.
Related show command: show net lan ipv6 multiHoming
net lan ipv6 multi_homing delete <row id>
This command deletes a secondary IPv6 address by specifying its row ID.
Format
net lan ipv6 multi_homing delete <row id>
Mode
net
Related show command: show net lan ipv6 multiHoming
net radvd configure lan
This command configures the Router Advertisement Daemon (RADVD) for the link-local
advertisements of IPv6 router addresses and prefixes in the LAN. After you have issued the
net radvd configure lan command, you enter the net-config [radvd-lan] mode, and
then you can configure one keyword and associated parameter or associated keyword at a
time in the order that you prefer.
Step 1
Format
net radvd configure lan
Mode
net
Step 2
Format
enable {Y | N}
mode {Unsolicited-Multicast | Unicast-Only}
interval <seconds>
flags {Managed | Other}
preference {Low | Medium | High}
mtu <number>
life_time <seconds>
Mode
net-config [radvd-lan]
enable {Y | N}
    Enables the RADVD process to allow stateless autoconfiguration of the IPv6 LAN, or disables the RADVD process.
mode {Unsolicited-Multicast | Unicast-Only}
    Specifies the advertisement mode:
    • Unsolicited-Multicast. Allows unsolicited multicast and unicast communication with the hosts. Router advertisements (RAs) are sent to all interfaces at the rate that is defined by the interval keyword and parameter.
    • Unicast-Only. Responds to unicast packet requests only. No unsolicited packets are advertised.
interval <seconds>
    The interval in seconds (integer) between unsolicited multicast RAs. Enter a period from 10 to 1800 seconds. The default is 30 seconds.
flags {Managed | Other}
    Specifies the flag:
    • Managed. The DHCPv6 stateful protocol is used for autoconfiguration of the address.
    • Other. The DHCPv6 stateful protocol is used for autoconfiguration of other (that is, nonaddress) information.
preference {Low | Medium | High}
    Specifies the VPN firewall’s preference in relation to other hosts and routers in the LAN.
mtu <number>
    The MTU size (integer) that is used in the RAs to ensure that all nodes in the network use the same MTU size. The default is 1500 bytes.
life_time <seconds>
    The advertisement lifetime in seconds (integer) of the route. The default is 3600 seconds.
Command example:
SRX5308> net radvd configure lan
net-config[radvd-lan]> enable Y
net-config[radvd-lan]> mode Unsolicited-Multicast
net-config[radvd-lan]> interval 60
net-config[radvd-lan]> flags Managed
net-config[radvd-lan]> preference Medium
net-config[radvd-lan]> mtu 1496
net-config[radvd-lan]> life_time 7200
net-config[radvd-lan]> save
Related show command: show net radvd lan setup
net lan ipv6 prefix_delegation add
This command configures a new IPv6 prefix for LAN prefix delegation. To enable prefix
delegation for the IPv6 LAN, see the net lan ipv6 configure command. After you have issued
the net lan ipv6 prefix_delegation add command, you enter the net-config
[lan-prefix-delegation] mode, and then you can configure the IPv6 prefix and IPv6 prefix
length in the order that you prefer.
Step 1
Format
net lan ipv6 prefix_delegation add
Mode
net
Step 2
Format
prefix <prefix>
prefix_length <prefix length>
Mode
net-config [lan-prefix-delegation]
prefix <prefix>
    The IPv6 prefix.
prefix_length <prefix length>
    The prefix length for the IPv6 prefix.
Command example:
SRX5308> net lan ipv6 prefix_delegation add
net-config[lan-prefix-delegation]> prefix 2001:db8::
net-config[lan-prefix-delegation]> prefix_length 64
net-config[lan-prefix-delegation]> save
Related show command: show net lan ipv6 setup
net lan ipv6 prefix_delegation edit <row id>
This command configures an existing IPv6 prefix for LAN prefix delegation. After you have
issued the net lan ipv6 prefix_delegation edit command to specify the row to be
edited, you enter the net-config [lan-prefix-delegation] mode, and then you can configure the
IPv6 prefix and IPv6 prefix length in the order that you prefer.
Step 1
Format
net lan ipv6 prefix_delegation edit <row id>
Mode
net
Step 2
Format
prefix <prefix>
prefix_length <prefix length>
Mode
net-config [lan-prefix-delegation]
prefix <prefix>
    The IPv6 prefix.
prefix_length <prefix length>
    The prefix length for the IPv6 prefix.
Related show command: show net lan ipv6 setup
net lan ipv6 prefix_delegation delete <row id>
This command deletes an IPv6 prefix for LAN prefix delegation by specifying its row ID.
Format
net lan ipv6 prefix_delegation delete <row id>
Mode
net
Related show command: show net lan ipv6 setup
IPv4 DMZ Setup Commands
net dmz ipv4 configure
This command enables, configures, or disables the IPv4 DMZ. After you have issued the net
dmz ipv4 configure command, you enter the net-config [dmz-ipv4] mode, and then you
can configure one keyword and associated parameter or associated keyword at a time in the
order that you prefer.
Step 1
Format
net dmz ipv4 configure
Mode
net
Step 2
Format
enable_dmz {Y | N}
ip_address <ipaddress>
subnet_mask <subnet mask>
dhcp_mode {None | DHCP-Server | DHCP-Relay}
dns_proxy_enable {Y | N}
domain_name <domain name>
starting_ip_address <ipaddress>
ending_ip_address <ipaddress>
primary_dns_server <ipaddress>
secondary_dns_server <ipaddress>
wins_server <ipaddress>
lease_time <hours>
enable_ldap {Y | N}
ldap_serverip <ipaddress>
ldap_search_base <search base>
ldap_port <number>
relay_gateway <ipaddress>
Mode
net-config [dmz-ipv4]
enable_dmz {Y | N}
    Enables or disables the DMZ.
ip_address <ipaddress>
    The IP address of the DMZ port.
subnet_mask <subnet mask>
    The subnet mask of the DMZ port.
dhcp_mode {None | DHCP-Server | DHCP-Relay}
    Specifies the DHCP mode:
    • None. DHCP is disabled for the DMZ.
    • DHCP-Server. DHCP is enabled for the DMZ. You can configure all keywords and parameters except the relay_gateway keyword and associated parameter.
    • DHCP-Relay. Addresses are assigned in the DMZ by a DHCP relay. Configure the relay_gateway keyword and associated parameter.
dns_proxy_enable {Y | N}
    Enables or disables the DNS proxy.
DHCP server:
domain_name <domain name>
    The server domain name (string) or FQDN for the DHCP server.
starting_ip_address <ipaddress>
    The start IP address for the DHCP address pool.
ending_ip_address <ipaddress>
    The end IP address for the DHCP address pool.
primary_dns_server <ipaddress>
    The IP address of the primary DNS server in the DMZ DHCP configuration.
secondary_dns_server <ipaddress>
    The IP address of the secondary DNS server in the DMZ DHCP configuration.
wins_server <ipaddress>
    The IP address of the WINS server in the DMZ DHCP configuration.
lease_time <hours>
    The duration in hours for which an IP address is leased.
enable_ldap {Y | N}
    Enables or disables LDAP.
ldap_serverip <ipaddress>
    The IP address of the LDAP server.
ldap_search_base <search base>
    The search base (string) for LDAP.
ldap_port <number>
    The port number for the LDAP server.
DHCP relay:
relay_gateway <ipaddress>
    The IP address of the DHCP relay gateway.
Command example:
SRX5308> net dmz ipv4 configure
net-config[dmz-ipv4]> enable_dmz
net-config[dmz-ipv4]> ip_address 10.126.32.59
net-config[dmz-ipv4]> subnet_mask 255.255.255.0
net-config[dmz-ipv4]> dhcp_mode None
net-config[dmz-ipv4]> dns_proxy_enable Y
net-config[dmz-ipv4]> save
Related show command: show net dmz ipv4 setup
IPv6 DMZ Setup Commands
net dmz ipv6 configure
This command enables, configures, or disables the IPv6 DMZ. After you have issued the net
dmz ipv6 configure command, you enter the net-config [dmz-ipv6] mode, and then you
can configure one keyword and associated parameter or associated keyword at a time in the
order that you prefer.
Step 1
Format
net dmz ipv6 configure
Mode
net
Step 2
Format
enable_dmz {Y | N}
ip_address <ipv6-address>
prefix_length <prefix length>
dhcp_enable {N | Y {dhcp_mode {Stateless | Stateful}}}
domain_name <domain name>
server_preference <number>
dns_server_option {useDnsProxy | useDnsFromISP | useEnteredDns {primary_dns_server <ipv6-address>} [secondary_dns_server <ipv6-address>]}
lease_time <seconds>
Mode
net-config [dmz-ipv6]
Keyword
Associated Keyword to
Description
Select or Parameter to Type
enable_dmz
Y or N
Enables or disables the DMZ.
ip_address
ipv6-address
The IPv6 address of the DMZ port.
prefix_length
prefix length
The prefix length (integer) for the DMZ port.
Net Mode Configuration Commands
76
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Keyword
Associated Keyword to
Description
Select or Parameter to Type
DHCPv6 server
dhcp_enable
Y or N
Enables or disables the DHCP server for the
DMZ.
dhcp_mode
Stateless or Stateful
Specifies the DHCPv6 mode (Stateless or
Stateful).
domain_name
domain name
The server domain name (string) for the DHCP
server.
server_preference
number
The preference number (integer) of the DHCP
server.
dns_server_option
useDnsProxy,
useDnsFromISP, or
useEnteredDns
Specifies the DNS server type. If you select
useEnteredDns, you also need to issue the
primary_dns_server keyword and associated
parameter. The secondary_dns_server
keyword and associated parameter are optional.
primary_dns_server
ipv6-address
The IPv6 address for the primary DNS server in
the DMZ configuration.
secondary_dns_server ipv6-address
The IPv6 address of the secondary DNS server in
the DMZ configuration.
lease_time
The duration in seconds for which an IP address
is leased.
seconds
Command example:
SRX5308> net dmz ipv6 configure
net-config[dmz-ipv6]> enable_dmz Y
net-config[dmz-ipv6]> ip_address 2001:176::1
net-config[dmz-ipv6]> prefix_length 64
net-config[dmz-ipv6]> dhcp_enable Y
net-config[dmz-ipv6]> dhcp_mode Stateful
net-config[dmz-ipv6]> domain_name netgear.com
net-config[dmz-ipv6]> server_preference 210
net-config[dmz-ipv6]> dns_server_option useDnsProxy
net-config[dmz-ipv6]> lease_time 43200
net-config[dmz-ipv6]> save
Related show command: show net dmz ipv6 setup
net dmz ipv6 pool configure <ipv6 address>
This command configures a new or existing IPv6 DHCP address pool for the DMZ. After you
have issued the net dmz ipv6 pool configure command to specify the IPv6 start
address of the pool, you enter the net-config [dmz-ipv6-pool] mode, and then you can
configure the IPv6 end address and the IPv6 prefix length for the pool in the order that
you prefer.
Step 1
    Format: net dmz ipv6 pool configure <ipv6-address>
    Mode:   net
Step 2
    Format: ending_ip_address <ipv6-address>
            prefix_value <prefix length>
    Mode:   net-config [dmz-ipv6-pool]

Keyword (associated parameter to type)
    Description
ending_ip_address (ipv6-address)
    The end address of the IPv6 address pool.
prefix_value (prefix length)
    The prefix length for the IPv6 address pool.
Command example:
SRX5308> net dmz ipv6 pool configure 2001::1100
net-config[dmz-ipv6-pool]> ending_ip_address 2001::1120
net-config[dmz-ipv6-pool]> prefix_value 56
net-config[dmz-ipv6-pool]> save
Related show command: show net dmz ipv6 setup
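The CLI accepts the pool keywords one at a time and does not check them against the DMZ interface until you save, so it is worth checking the pool yourself first. The following is an added example (not NETGEAR code, and not part of the original manual) that validates a DHCP pool against the interface it serves; it covers both the IPv4 DMZ pool (starting_ip_address / ending_ip_address in the net dmz ipv4 configure table above) and the IPv6 pool configured with net dmz ipv6 pool configure. Two rules are this example's own assumptions rather than statements from the manual: the pool must lie inside the interface's on-link prefix, and prefix_value should equal the interface prefix length. Fed the manual's own IPv6 example (DMZ port 2001:176::1/64, pool 2001::1100 to 2001::1120 with prefix 56), the check reports that the pool is outside the DMZ prefix.

```python
"""Sanity check for a DMZ DHCP address pool against the DMZ interface prefix.

Added example, not NETGEAR code.  Assumptions (not stated in the manual):
the pool must lie inside the interface's on-link prefix, and prefix_value
should match the interface prefix length.  Works for IPv4 and IPv6.
"""
import ipaddress
from typing import List, Optional


def check_dhcp_pool(if_address: str, if_prefix_len: int,
                    pool_start: str, pool_end: str,
                    pool_prefix_len: Optional[int] = None) -> List[str]:
    """Return a list of problems; an empty list means the pool is consistent."""
    problems: List[str] = []
    iface = ipaddress.ip_interface(f"{if_address}/{if_prefix_len}")
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)

    # Mixing families makes every later comparison meaningless, so stop here.
    if start.version != iface.version or end.version != iface.version:
        return [f"address family mismatch: interface is IPv{iface.version}"]
    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")
    net = iface.network
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append(f"pool {label} {addr} is outside the interface prefix {net}")
    # Leasing the DMZ port's own address to a client would create a duplicate.
    if start <= iface.ip <= end:
        problems.append(f"pool includes the interface's own address {iface.ip}")
    if pool_prefix_len is not None and pool_prefix_len != if_prefix_len:
        problems.append(f"prefix_value {pool_prefix_len} differs from interface prefix "
                        f"length {if_prefix_len}")
    return problems


def pool_size(pool_start: str, pool_end: str) -> int:
    """Number of addresses the pool can lease (inclusive range, 0 if reversed)."""
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    return int(end) - int(start) + 1 if end >= start else 0


if __name__ == "__main__":
    # Values from the manual's own command examples: the DMZ port is
    # 2001:176::1/64, but the pool 2001::1100 - 2001::1120 with prefix 56 is
    # not inside that prefix, which the check reports.
    for problem in check_dhcp_pool("2001:176::1", 64, "2001::1100", "2001::1120", 56):
        print("IPv6 pool:", problem)
    # A consistent pool on the same DMZ prefix (constructed values).
    print(check_dhcp_pool("2001:176::1", 64, "2001:176::1100", "2001:176::1120", 64))
    # The manual's IPv4 DMZ (10.126.32.59/24) with a constructed pool.
    print(check_dhcp_pool("10.126.32.59", 24, "10.126.32.100", "10.126.32.199"))
    print(pool_size("2001::1100", "2001::1120"))
```

The same function applies to the LAN pools elsewhere in this manual: pass the LAN interface address and prefix instead of the DMZ values.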
net dmz pool ipv6 delete <ipv6-address>
This command deletes an IPv6 DHCP address pool for the DMZ by specifying the start address
of the pool.
Format
net dmz pool ipv6 delete <ipv6-address>
Mode
net
Related show command: show net dmz ipv6 setup
net radvd configure dmz
This command configures the Router Advertisement Daemon (RADVD) process for the
link-local advertisements of IPv6 router addresses and prefixes in the DMZ. After you have
issued the net radvd configure dmz command, you enter the net-config [radvd-dmz]
mode, and then you can configure one keyword and associated parameter or associated
keyword at a time in the order that you prefer.
Step 1
    Format: net radvd configure dmz
    Mode:   net
Step 2
    Format: enable {Y | N}
            mode {Unsolicited-Multicast | Unicast-Only}
            interval <seconds>
            flags {Managed | Other}
            preference {Low | Medium | High}
            mtu <number>
            life_time <seconds>
    Mode:   net-config [radvd-dmz]

Keyword (associated keyword to select or parameter to type)
    Description
enable (Y or N)
    Enables the RADVD process to allow stateless autoconfiguration of the IPv6 DMZ, or
    disables the RADVD process.
mode (Unsolicited-Multicast or Unicast-Only)
    Specifies the advertisement mode:
    • Unsolicited-Multicast. Allows unsolicited multicast and unicast communication with the
      hosts. Router advertisements (RAs) are sent to all interfaces at the rate that is defined
      by the interval keyword and associated parameter.
    • Unicast-Only. Responds to unicast router solicitations only. No unsolicited RAs are
      sent.
interval (seconds)
    The interval in seconds (integer) between unsolicited multicast RAs, from 10 to 1800
    seconds. The default is 30 seconds.
flags (Managed or Other)
    Specifies the flag that is set in the RAs:
    • Managed. Sets the M (managed address configuration) flag: hosts use the stateful
      DHCPv6 protocol to obtain their addresses.
    • Other. Sets the O (other configuration) flag: hosts use DHCPv6 to obtain other (that is,
      nonaddress) information such as DNS servers.
preference (Low, Medium, or High)
    Specifies the VPN firewall's default router preference in relation to other routers in the
    DMZ.
mtu (number)
    The MTU size in bytes (integer) that is advertised in the RAs to ensure that all nodes on the
    link use the same MTU size. The default is 1500 bytes.
life_time (seconds)
    The lifetime in seconds (integer) of the router advertisement, that is, how long hosts treat
    the VPN firewall as a default router after the last RA. The default is 3600 seconds.
Command example:
SRX5308> net radvd configure dmz
net-config[radvd-dmz]> enable Y
net-config[radvd-dmz]> mode Unicast-Only
net-config[radvd-dmz]> flags Managed
net-config[radvd-dmz]> preference High
net-config[radvd-dmz]> mtu 1500
net-config[radvd-dmz]> life_time 7200
net-config[radvd-dmz]> save
Related show command: show net radvd dmz setup
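The flags, preference, mtu, and life_time keywords map directly onto fields of the ICMPv6 Router Advertisement defined in RFC 4861 and RFC 4191; interval and mode only control when RAs are sent, so they leave no trace in the packet. The following added example (not NETGEAR code, and not the firewall's RADVD implementation) builds an RA from the keyword values in the command example above and decodes it again, so you can see what a host on the DMZ actually receives, or compare it against a capture. The mapping of the CLI keywords to RA fields is this example's assumption based on the keyword descriptions; the ICMPv6 checksum is left at zero because it covers the IPv6 pseudo-header, which the sending stack supplies.

```python
"""Build and decode an ICMPv6 Router Advertisement (RFC 4861, RFC 4191).

Added example, not NETGEAR code.  Assumed mapping of 'net radvd configure dmz'
keywords to RA fields: flags Managed/Other -> M/O bits, preference -> Prf bits,
mtu -> MTU option (type 5), life_time -> Router Lifetime.  The checksum is left
zero (it needs the IPv6 pseudo-header, supplied by the sending stack).
"""
import struct
from typing import Dict

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_MTU = 5

# RFC 4191 default router preference encoding (Prf field, 2 bits; 0b10 is reserved).
PREFERENCE_BITS = {"High": 0b01, "Medium": 0b00, "Low": 0b11}
BITS_PREFERENCE = {v: k for k, v in PREFERENCE_BITS.items()}


def build_ra(flags: str, preference: str, mtu: int, life_time: int,
             cur_hop_limit: int = 64, reachable_ms: int = 0, retrans_ms: int = 0) -> bytes:
    """Return the ICMPv6 payload of an RA carrying an MTU option."""
    if flags not in ("Managed", "Other"):
        raise ValueError("flags must be Managed or Other")
    if not 0 <= life_time <= 0xFFFF:
        raise ValueError("Router Lifetime is a 16-bit field")
    flag_byte = 0x80 if flags == "Managed" else 0x40   # M bit or O bit
    flag_byte |= PREFERENCE_BITS[preference] << 3      # Prf occupies bits 4-3
    header = struct.pack("!BBHBBHII",
                         ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,   # type, code, checksum
                         cur_hop_limit, flag_byte, life_time,
                         reachable_ms, retrans_ms)
    # MTU option: type 5, length 1 (units of 8 octets), 2 reserved bytes, 4-byte MTU.
    mtu_option = struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    return header + mtu_option


def decode_ra(pkt: bytes) -> Dict[str, object]:
    """Parse an RA and report its fields in the CLI's vocabulary."""
    if len(pkt) < 16 or pkt[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop, flag_byte, lifetime, _, _ = struct.unpack("!BBHBBHII", pkt[:16])
    prf = (flag_byte >> 3) & 0b11
    out: Dict[str, object] = {
        "managed": bool(flag_byte & 0x80),
        "other": bool(flag_byte & 0x40),
        "preference": BITS_PREFERENCE.get(prf, "Reserved"),
        "life_time": lifetime,
        "cur_hop_limit": hop,
    }
    pos = 16
    while pos + 2 <= len(pkt):                 # walk the TLV options
        opt_type, opt_len = pkt[pos], pkt[pos + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option")   # RFC 4861: discard the packet
        body = pkt[pos:pos + opt_len * 8]
        if len(body) < opt_len * 8:
            raise ValueError("truncated ND option")
        if opt_type == OPT_MTU and opt_len == 1:
            out["mtu"] = struct.unpack("!I", body[4:8])[0]
        pos += opt_len * 8
    return out


if __name__ == "__main__":
    # The manual's example: flags Managed, preference High, mtu 1500, life_time 7200.
    ra = build_ra("Managed", "High", 1500, 7200)
    print(ra.hex())
    print(decode_ra(ra))
```

Because any node on the link can send such a packet, the decoder is also a convenient way to check captured RAs on the DMZ against what the firewall is configured to send.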
WAN QoS Commands
net qos configure
This command configures the QoS mode for the WAN interfaces. After you have issued the
net qos configure command, you enter the net-config [network-qos] mode, and then you
can enable QoS and set the QoS mode to rate control or priority.
The configured QoS mode determines which WAN QoS profiles can be active: you can add
both rate control and priority WAN QoS profiles (see the net qos profile add command),
but only the profiles of the configured QoS mode can be active. For example, if you set the
QoS mode to priority, only the profiles with a priority configuration can be active.
Step 1
    Format: net qos configure
    Mode:   net
Step 2
    Format: enable {Y | N}
            qos_type {Rate-Control | Priority}
    Mode:   net-config [network-qos]

Keyword (associated keyword to select)
    Description
enable (Y or N)
    Enables or disables QoS for all WAN interfaces.
qos_type (Rate-Control or Priority)
    Specifies whether QoS uses rate control profiles or priority profiles.
Related show command: show net qos setup
net qos profile add
This command configures a new WAN QoS profile. After you have issued the net qos
profile add command, you enter the net-config [network-qos-profile] mode, and then you
can configure one keyword and associated parameter or associated keyword at a time in the
order that you prefer.
Step 1
    Format: net qos profile add
    Mode:   net
Step 2
    Format:
    The following settings apply to both rate control profiles and priority profiles:
            qos_type {Rate-Control | Priority}
            interface {WAN1 | WAN2 | WAN3 | WAN4}
            service_name {default_services <default service name> |
                custom_services <custom service name>}
            diffserv_qos_match <number>
            diffserv_qos_remark <number>
    The following settings apply only to rate control profiles:
            direction_for_rate_control {Inbound | Outbound | Both}
            congestion_priority {Default | High | Medium-high | Medium | Low}
            hosts {Single-IP-Address {hosts_start_ip <ipaddress>} |
                IP-Address-Range {hosts_start_ip <ipaddress>} {hosts_end_ip <ipaddress>} |
                Group {hosts_group {Group1 | Group2 | Group3 | Group4 | Group5 | Group6 |
                Group7 | Group8}}}
            bandwidth_allocation {Shared | Individual}
            outbound_min_bandwidth <bandwidth>
            outbound_max_bandwidth <bandwidth>
            inbound_min_bandwidth <bandwidth>
            inbound_max_bandwidth <bandwidth>
    The following settings apply only to priority profiles:
            direction_for_priority {Inbound-Traffic | Outbound-Traffic}
            priority {Low | High}
    Mode:   net-config [network-qos-profile]
Keyword (associated keyword to select or parameter to type)
    Description
Common settings
qos_type (Rate-Control or Priority)
    Specifies the type of profile:
    • Rate-Control. Configure the keywords and parameters in the Common settings section
      and the Rate control profile settings section of this table.
    • Priority. Configure the keywords and parameters in the Common settings section and
      the Priority profile settings section of this table.
interface (WAN1, WAN2, WAN3, or WAN4)
    Specifies the WAN interface to which the profile applies.
service_name default_services (ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP,
CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4,
ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10,
ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP,
RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP,
SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS,
TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP,
NFS-TCP, or RPC-TCP)
    Specifies the default service and protocol to which the profile applies.
service_name custom_services (custom service name)
    The custom service that you have configured with the security services add command and
    to which the profile applies.
diffserv_qos_match (number)
    (Optional) The DSCP value, from 0 through 63, against which packets are classified.
diffserv_qos_remark (number)
    (Optional) The DSCP value, from 0 through 63, with which matching packets are marked.
Rate control profile settings
direction_for_rate_control (Inbound, Outbound, or Both)
    Specifies the direction to which rate control is applied:
    • Inbound. Rate control is applied to inbound packets only. You need to issue the
      inbound_min_bandwidth and inbound_max_bandwidth keywords and specify the
      bandwidth that is allocated.
    • Outbound. Rate control is applied to outbound packets only. You need to issue the
      outbound_min_bandwidth and outbound_max_bandwidth keywords and specify the
      bandwidth that is allocated.
    • Both. Rate control is applied to both inbound and outbound packets. You need to issue
      the inbound_min_bandwidth, inbound_max_bandwidth, outbound_min_bandwidth, and
      outbound_max_bandwidth keywords and specify the bandwidth that is allocated.
congestion_priority (Default, High, Medium-high, Medium, or Low)
    Specifies the priority queue that determines the allocation of excess bandwidth and the
    classification level of the packets among the other priority queues on the VPN firewall:
    • Default. Traffic is mapped based on the ToS field in the packet's IP header.
    • High. This queue includes the following DSCP values: AF41, AF42, AF43, AF44, and CS4.
    • Medium-high. This queue includes the following DSCP values: AF31, AF32, AF33, AF34,
      and CS3.
    • Medium. This queue includes the following DSCP values: AF21, AF22, AF23, AF24, and
      CS2.
    • Low. This queue includes the following DSCP values: AF11, AF12, AF13, AF14, CS1, 0,
      and all other values.
hosts (Single-IP-Address, IP-Address-Range, or Group)
    Specifies the IP address, range of IP addresses, or group to which the profile is applied:
    • Single-IP-Address. The profile is applied to a single IP address. Issue the
      hosts_start_ip keyword to specify the IP address.
    • IP-Address-Range. The profile is applied to an IP address range. Issue the
      hosts_start_ip and hosts_end_ip keywords to specify the start and end IP addresses
      of the range. In addition, issue the bandwidth_allocation keyword to specify whether
      bandwidth is shared between all IP addresses in the range or is allocated to each IP
      address in the range.
    • Group. The profile is applied to a group. Issue the hosts_group keyword to specify the
      group. In addition, issue the bandwidth_allocation keyword to specify whether
      bandwidth is shared between all members of the group or is allocated to each member
      of the group.
hosts_start_ip (ipaddress)
    There are two options:
    • The IP address if the hosts keyword is set to Single-IP-Address.
    • The start IP address if the hosts keyword is set to IP-Address-Range.
hosts_end_ip (ipaddress)
    The end IP address if the hosts keyword is set to IP-Address-Range.
hosts_group (Group1, Group2, Group3, Group4, Group5, Group6, Group7, or Group8)
    Specifies the group if the hosts keyword is set to Group.
    Note: You cannot enter group names that you have specified with the net lan lan_groups
    edit <row id> <new group name> command.
bandwidth_allocation (Shared or Individual)
    Specifies how bandwidth is allocated. These options apply when the hosts keyword is set
    to IP-Address-Range or to Group.
    • Shared. The bandwidth is shared among all IP addresses in the range or all members of
      the group.
    • Individual. The bandwidth is allocated to each IP address in the range or to each
      member of the group.
outbound_min_bandwidth (bandwidth)
    The outbound minimum bandwidth in Kbps, from 0 to 100,000. This option applies when
    the direction_for_rate_control keyword is set to Outbound or Both.
outbound_max_bandwidth (bandwidth)
    The outbound maximum bandwidth in Kbps, from 100 to 100,000. This option applies when
    the direction_for_rate_control keyword is set to Outbound or Both.
inbound_min_bandwidth (bandwidth)
    The inbound minimum bandwidth in Kbps, from 0 to 100,000. This option applies when the
    direction_for_rate_control keyword is set to Inbound or Both.
inbound_max_bandwidth (bandwidth)
    The inbound maximum bandwidth in Kbps, from 100 to 100,000. This option applies when
    the direction_for_rate_control keyword is set to Inbound or Both.
Priority profile settings
direction_for_priority (Inbound-Traffic or Outbound-Traffic)
    Specifies the direction to which the priority queue is applied:
    • Inbound-Traffic. The priority queue is applied to inbound traffic only.
    • Outbound-Traffic. The priority queue is applied to outbound traffic only.
priority (Low or High)
    Specifies the priority queue that determines the allocation of bandwidth:
    • Low. All services that are assigned to the low-priority queue share 10 percent of the
      interface bandwidth.
    • High. All services that are assigned to the high-priority queue share 60 percent of the
      interface bandwidth.
    Note: By default, all services are assigned to the medium-priority queue, in which they
    share 30 percent of the interface bandwidth.
Command example:
SRX5308> net qos profile add
net-config[network-qos-profile]> qos_type Rate-Control
net-config[network-qos-profile]> interface WAN2
net-config[network-qos-profile]> service_name default_services http
net-config[network-qos-profile]> direction_for_rate_control Inbound
net-config[network-qos-profile]> congestion_priority High
net-config[network-qos-profile]> hosts IP-Address-Range
net-config[network-qos-profile]> hosts_start_ip 192.168.110.2
net-config[network-qos-profile]> hosts_end_ip 192.168.110.199
net-config[network-qos-profile]> bandwidth_allocation Shared
net-config[network-qos-profile]> inbound_min_bandwidth 7500
net-config[network-qos-profile]> inbound_max_bandwidth 15000
net-config[network-qos-profile]> diffserv_qos_match 5
net-config[network-qos-profile]> diffserv_qos_remark 12
net-config[network-qos-profile]> save
Related show command: show net qos setup
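A QoS profile is entered one keyword at a time, and the keyword table above carries a number of cross-keyword dependencies (which *_bandwidth keywords a direction requires, which hosts_* keywords a hosts selection requires, the 0 to 63 DSCP range, the 0 to 100,000 and 100 to 100,000 Kbps bandwidth ranges). The following added example (not NETGEAR code, and not part of the original manual) encodes those constraints in a validator and renders a validated profile as the exact lines typed at the net-config[network-qos-profile] prompt, so profiles can be kept as data and pushed consistently to several firewalls. Two rules are this example's own assumptions rather than statements from the manual: a minimum bandwidth may not exceed its maximum, and hosts_group accepts only the default names Group1 through Group8. The profile dictionary layout is also this example's own; the sample profile is the manual's command example above.

```python
"""Validate a WAN QoS profile against the keyword table and emit the CLI lines.

Added example, not NETGEAR code.  Ranges and keyword dependencies follow the
'net qos profile add' table; min <= max and Group1..Group8-only are this
example's own assumptions.
"""
from typing import Dict, List, Optional, Union

Profile = Dict[str, Union[str, int]]

INTERFACES = ("WAN1", "WAN2", "WAN3", "WAN4")
RATE_DIRECTIONS = {"Inbound": ("inbound",), "Outbound": ("outbound",),
                   "Both": ("inbound", "outbound")}
HOST_KEYS = {"Single-IP-Address": ("hosts_start_ip",),
             "IP-Address-Range": ("hosts_start_ip", "hosts_end_ip", "bandwidth_allocation"),
             "Group": ("hosts_group", "bandwidth_allocation")}
GROUPS = tuple(f"Group{i}" for i in range(1, 9))
# Emission order follows the manual's command example.
RATE_ORDER = ("qos_type", "interface", "service_name", "direction_for_rate_control",
              "congestion_priority", "hosts", "hosts_start_ip", "hosts_end_ip",
              "hosts_group", "bandwidth_allocation", "inbound_min_bandwidth",
              "inbound_max_bandwidth", "outbound_min_bandwidth",
              "outbound_max_bandwidth", "diffserv_qos_match", "diffserv_qos_remark")
PRIORITY_ORDER = ("qos_type", "interface", "service_name", "direction_for_priority",
                  "priority", "diffserv_qos_match", "diffserv_qos_remark")


def validate_profile(p: Profile) -> List[str]:
    """Return the list of violations; an empty list means the profile is acceptable."""
    errors: List[str] = []
    for k in ("qos_type", "interface", "service_name"):
        if k not in p:
            errors.append(f"missing {k}")
    if "interface" in p and p["interface"] not in INTERFACES:
        errors.append("interface must be one of WAN1..WAN4")
    for k in ("diffserv_qos_match", "diffserv_qos_remark"):   # optional DSCP fields
        if k in p and not 0 <= int(p[k]) <= 63:
            errors.append(f"{k} must be a DSCP value 0..63")
    qos_type = p.get("qos_type")
    if qos_type == "Rate-Control":
        direction = p.get("direction_for_rate_control")
        if direction not in RATE_DIRECTIONS:
            errors.append("direction_for_rate_control must be Inbound, Outbound or Both")
        for d in RATE_DIRECTIONS.get(direction, ()):
            lo, hi = p.get(f"{d}_min_bandwidth"), p.get(f"{d}_max_bandwidth")
            if lo is None or hi is None:
                errors.append(f"{d}_min_bandwidth and {d}_max_bandwidth are required")
                continue
            if not 0 <= int(lo) <= 100_000:
                errors.append(f"{d}_min_bandwidth must be 0..100000 Kbps")
            if not 100 <= int(hi) <= 100_000:
                errors.append(f"{d}_max_bandwidth must be 100..100000 Kbps")
            if int(lo) > int(hi):
                errors.append(f"{d}_min_bandwidth exceeds {d}_max_bandwidth")
        hosts = p.get("hosts")
        if hosts not in HOST_KEYS:
            errors.append("hosts must be Single-IP-Address, IP-Address-Range or Group")
        for k in HOST_KEYS.get(hosts, ()):
            if k not in p:
                errors.append(f"hosts {hosts} requires {k}")
        if hosts == "Group" and p.get("hosts_group") not in GROUPS:
            errors.append("hosts_group must be Group1..Group8")
    elif qos_type == "Priority":
        if p.get("direction_for_priority") not in ("Inbound-Traffic", "Outbound-Traffic"):
            errors.append("direction_for_priority must be Inbound-Traffic or Outbound-Traffic")
        if p.get("priority") not in ("Low", "High"):
            errors.append("priority must be Low or High")
    else:
        errors.append("qos_type must be Rate-Control or Priority")
    return errors


def to_cli(p: Profile, row_id: Optional[int] = None) -> List[str]:
    """Render a validated profile as the lines typed at the SRX5308 prompt."""
    errors = validate_profile(p)
    if errors:
        raise ValueError("profile does not validate: " + "; ".join(errors))
    order = RATE_ORDER if p["qos_type"] == "Rate-Control" else PRIORITY_ORDER
    first = "net qos profile add" if row_id is None else f"net qos profile edit {row_id}"
    return [first] + [f"{k} {p[k]}" for k in order if k in p] + ["save"]


# The manual's own command example, as a profile dictionary.
PAGE_EXAMPLE: Profile = {
    "qos_type": "Rate-Control", "interface": "WAN2",
    "service_name": "default_services http",
    "direction_for_rate_control": "Inbound", "congestion_priority": "High",
    "hosts": "IP-Address-Range", "hosts_start_ip": "192.168.110.2",
    "hosts_end_ip": "192.168.110.199", "bandwidth_allocation": "Shared",
    "inbound_min_bandwidth": 7500, "inbound_max_bandwidth": 15000,
    "diffserv_qos_match": 5, "diffserv_qos_remark": 12,
}

if __name__ == "__main__":
    print("\n".join(to_cli(PAGE_EXAMPLE)))
    # A DSCP value out of range and a minimum above its maximum are both reported.
    print(validate_profile(dict(PAGE_EXAMPLE, diffserv_qos_remark=64,
                                inbound_min_bandwidth=20000)))
```

Passing a row ID to to_cli produces the equivalent net qos profile edit <row id> transcript, which is why the function takes the optional argument.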
net qos profile edit <row id>
This command configures an existing WAN QoS profile. After you have issued the net qos
profile edit command to specify the row to be edited, you enter the net-config
[network-qos-profile] mode, and then you can configure one keyword and associated
parameter or associated keyword at a time in the order that you prefer.
Step 1
    Format: net qos profile edit <row id>
    Mode:   net
Step 2
    Format:
    The following settings apply to both rate control profiles and priority profiles:
            qos_type {Rate-Control | Priority}
            interface {WAN1 | WAN2 | WAN3 | WAN4}
            service_name {default_services <default service name> |
                custom_services <custom service name>}
            diffserv_qos_match <number>
            diffserv_qos_remark <number>
    The following settings apply only to rate control profiles:
            direction_for_rate_control {Inbound | Outbound | Both}
            congestion_priority {Default | High | Medium-high | Medium | Low}
            hosts {Single-IP-Address {hosts_start_ip <ipaddress>} |
                IP-Address-Range {hosts_start_ip <ipaddress>} {hosts_end_ip <ipaddress>} |
                Group {hosts_group {Group1 | Group2 | Group3 | Group4 | Group5 | Group6 |
                Group7 | Group8}}}
            bandwidth_allocation {Shared | Individual}
            outbound_min_bandwidth <bandwidth>
            outbound_max_bandwidth <bandwidth>
            inbound_min_bandwidth <bandwidth>
            inbound_max_bandwidth <bandwidth>
    The following settings apply only to priority profiles:
            direction_for_priority {Inbound-Traffic | Outbound-Traffic}
            priority {Low | High}
    Mode:   net-config [network-qos-profile]
The keywords, associated keywords, and parameters are identical to those for the net qos
profile add command; see the table for that command.
Related show command: show net qos setup
net qos profile delete <row id>
This command deletes a WAN QoS profile by specifying its row ID.
Format
net qos profile delete <row id>
Mode
net
Related show command: show net qos setup
net qos profile disable <row id>
This command disables a WAN QoS profile by specifying its row ID.
Format
net qos profile disable <row id>
Mode
net
Related show command: show net qos setup
net qos profile enable <row id>
This command enables a WAN QoS profile by specifying its row ID.
Format
net qos profile enable <row id>
Mode
net
Related show command: show net qos setup
IPv4 Routing Commands
net routing static ipv4 configure <route name>
This command configures an IPv4 static route. After you have issued the net routing
static ipv4 configure command to specify the name of the new route, you enter the
net-config [static-routing-ipv4] mode, and then you can configure one keyword and
associated parameter or associated keyword at a time in the order that you prefer.
Step 1
    Format: net routing static ipv4 configure <route name>
    Mode:   net
Step 2
    Format: active_flag {Y | N}
            private_flag {Y | N}
            destination_address <ipaddress>
            subnet_mask <subnet mask>
            interface {custom_vlan <VLAN name> | dmz | lan | wan {WAN1 | WAN2 | WAN3 | WAN4}}
            gateway_address <ipaddress>
            metric <number>
    Mode:   net-config [static-routing-ipv4]

Keyword (associated keyword to select or parameter to type)
    Description
active_flag (Y or N)
    Specifies whether or not the route is an active route.
private_flag (Y or N)
    Specifies whether or not the route can be shared with other gateways when RIP is enabled.
    A private route (Y) is not advertised by RIP.
destination_address (ipaddress)
    The destination IP address.
subnet_mask (subnet mask)
    The destination subnet mask.
interface (custom_vlan <VLAN name>, dmz, lan, or wan {WAN1 | WAN2 | WAN3 | WAN4})
    Specifies the interface to which the route applies. The dmz and lan keywords do not
    require additional selections. The custom_vlan and wan keywords require additional
    selections:
    • If you issue the custom_vlan keyword, you also need to specify the VLAN name.
    • If you issue the wan keyword, you also need to specify the WAN interface (WAN1, WAN2,
      WAN3, or WAN4).
gateway_address (ipaddress)
    The gateway IP address.
metric (number)
    The metric (integer) for this route, from 2 to 15.
Command example:
SRX5308> net routing static ipv4 configure Orly
net-config[static-routing-ipv4]> active_flag Y
net-config[static-routing-ipv4]> private_flag Y
net-config[static-routing-ipv4]> destination_address 10.118.215.178
net-config[static-routing-ipv4]> subnet_mask 255.255.255.0
net-config[static-routing-ipv4]> interface wan WAN1
net-config[static-routing-ipv4]> gateway_address 10.192.44.13
net-config[static-routing-ipv4]> metric 7
net-config[static-routing-ipv4]> save
Related show command: show net routing static ipv4 setup
net routing static ipv4 delete <route name>
This command deletes a static IPv4 route by specifying its name.
Format
net routing static ipv4 delete <route name>
Mode
net
Related show command: show net routing static ipv4 setup
net routing static ipv4 delete_all
This command deletes all static IPv4 routes.
Format
net routing static ipv4 delete_all
Mode
net
Related show command: show net routing static ipv4 setup
net routing dynamic configure
This command configures RIP and the associated MD5 key information. After you have
issued the net routing dynamic configure command, you enter the
net-config [dynamic-routing] mode, and then you can configure one keyword and associated
parameter or associated keyword at a time in the order that you prefer.
Step 1
    Format: net routing dynamic configure
    Mode:   net
Step 2
    Format: authentication_enable {Y | N}
            direction {None | In-only | Out-only | Both}
            version {Disabled | Rip1 | Rip2B | Rip2M}
            first_key authentication_id <authentication key>
            first_key id_number <number>
            first_key valid_from {day <day> | month <month> | year <year> |
                hour <hour> | minute <minute> | second <second>}
            first_key valid_to {day <day> | month <month> | year <year> |
                hour <hour> | minute <minute> | second <second>}
            second_key authentication_id <authentication key>
            second_key id_number <number>
            second_key valid_from {day <day> | month <month> | year <year> |
                hour <hour> | minute <minute> | second <second>}
            second_key valid_to {day <day> | month <month> | year <year> |
                hour <hour> | minute <minute> | second <second>}
    Mode:   net-config [dynamic-routing]

Keyword (might consist of several words; associated keyword to select or parameter to type)
    Description
General
authentication_enable (Y or N)
    Enables or disables MD5 authentication for RIP-2B or RIP-2M. RIP-1 does not support
    authentication.
direction (None, In-only, Out-only, or Both)
    Specifies the RIP direction: whether the VPN firewall receives RIP updates only, sends them
    only, does both, or does neither.
version (Disabled, Rip1, Rip2B, or Rip2M)
    Specifies the RIP version: disabled, RIP-1, RIP-2 with broadcast (Rip2B), or RIP-2 with
    multicast (Rip2M).
First key
first_key authentication_id (authentication key)
    The first MD5 authentication key (alphanumeric string).
first_key id_number (number)
    The first MD5 key ID (integer).
first_key valid_from (day, month, year, hour, minute, or second)
    The day and time on which the validity of the first MD5 authentication key starts:
    • day. The day in the format DD (01 to 31).
    • month. The month in the format MM (01 to 12).
    • year. The year in the format YYYY (1970 to 2037).
    • hour. The hour in the 24-hour format HH (00 to 23).
    • minute. The minute in the format MM (00 to 59).
    • second. The second in the format SS (00 to 59).
first_key valid_to (day, month, year, hour, minute, or second)
    The day and time on which the validity of the first MD5 authentication key expires. The
    parameters have the same formats and ranges as those for valid_from.
Second key
Note: The keywords and parameters for the second key follow the same format as those for
the first key.
Command example:
SRX5308> net routing dynamic configure
net-config[dynamic-routing]> authentication_enable Y
net-config[dynamic-routing]> direction Both
net-config[dynamic-routing]> version Rip2M
net-config[dynamic-routing]> first_key authentication_id 2rt!00jkl26ll7Oo0
net-config[dynamic-routing]> first_key id_number 1
net-config[dynamic-routing]> first_key valid_from day 01
net-config[dynamic-routing]> first_key valid_from month 12
net-config[dynamic-routing]> first_key valid_from year 2011
net-config[dynamic-routing]> first_key valid_from hour 07
net-config[dynamic-routing]> first_key valid_from minute 00
net-config[dynamic-routing]> first_key valid_from second 00
net-config[dynamic-routing]> first_key valid_to day 31
net-config[dynamic-routing]> first_key valid_to month 12
net-config[dynamic-routing]> first_key valid_to year 2011
net-config[dynamic-routing]> first_key valid_to hour 23
net-config[dynamic-routing]> first_key valid_to minute 59
net-config[dynamic-routing]> first_key valid_to second 59
net-config[dynamic-routing]> second_key authentication_id 3gry!!99OoiI
net-config[dynamic-routing]> second_key id_number 2
net-config[dynamic-routing]> second_key valid_from day 01
net-config[dynamic-routing]> second_key valid_from month 01
net-config[dynamic-routing]> second_key valid_from year 2012
net-config[dynamic-routing]> second_key valid_from hour 00
net-config[dynamic-routing]> second_key valid_from minute 00
net-config[dynamic-routing]> second_key valid_from second 00
net-config[dynamic-routing]> second_key valid_to day 31
net-config[dynamic-routing]> second_key valid_to month 03
net-config[dynamic-routing]> second_key valid_to year 2012
net-config[dynamic-routing]> second_key valid_to hour 23
net-config[dynamic-routing]> second_key valid_to minute 59
net-config[dynamic-routing]> second_key valid_to second 59
net-config[dynamic-routing]> save
Note: In this example the second key becomes valid at 00:00:00 on 01 January 2012, one second after the first key expires, so there is no period in which neither key is valid. The hour parameter accepts 00 to 23 only; a value of 24 is not valid.
Related show command: show net routing dynamic setup
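The check below is an added example, not NETGEAR code, for verifying a RIP MD5 key rollover script before it is pasted into the net-config[dynamic-routing] mode. It parses first_key and second_key valid_from and valid_to lines in the syntax shown above, enforces the field ranges from the keyword table (DD 01 to 31, MM 01 to 12, YYYY 1970 to 2037, HH 00 to 23, minutes and seconds 00 to 59), rejects calendar-impossible dates such as 31 February, and reports the gap between the first key's expiry and the second key's start. How the firewall behaves once no key is valid is not documented on this page, so the check treats a second window that starts more than one second after the first ends as a configuration error. The helper `_window` and the SAMPLE_SCRIPT built from the corrected command example are this example's own.

```python
"""Validate a net-config[dynamic-routing] MD5 key rollover before pasting it into the CLI.
Added example, not NETGEAR code."""
import re
from datetime import datetime

# Ranges copied from the keyword table on this page.
FIELD_RANGES = {"day": (1, 31), "month": (1, 12), "year": (1970, 2037),
                "hour": (0, 23), "minute": (0, 59), "second": (0, 59)}

# Matches the timestamp lines with or without the net-config[dynamic-routing]> prompt.
LINE_RE = re.compile(r"^(?:net-config\[dynamic-routing\]>\s*)?"
                     r"(first_key|second_key)\s+(valid_from|valid_to)\s+(\w+)\s+(\d+)$")


def _window(key, edge, year, month, day, hour, minute, second):
    """Six CLI lines for one valid_from/valid_to timestamp (helper to build the sample)."""
    values = dict(day=day, month=month, year=year, hour=hour, minute=minute, second=second)
    return [f"{key} {edge} {field} {values[field]:02d}" for field in FIELD_RANGES]


# Constructed from the page's command example, with the second key starting at
# 00:00:00 on 1 January 2012 (the documented hour range is 00 to 23).
SAMPLE_SCRIPT = "\n".join(
    _window("first_key", "valid_from", 2011, 12, 1, 7, 0, 0)
    + _window("first_key", "valid_to", 2011, 12, 31, 23, 59, 59)
    + _window("second_key", "valid_from", 2012, 1, 1, 0, 0, 0)
    + _window("second_key", "valid_to", 2012, 3, 31, 23, 59, 59)
    + ["save"])


def parse_key_windows(script: str) -> dict:
    """Return {key: {edge: {field: int}}} for every timestamp line; other lines are ignored."""
    windows = {}
    for raw in script.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # authentication_id, id_number, save, ... are not checked here
        key, edge, field, value = m.groups()
        if field not in FIELD_RANGES:
            raise ValueError(f"unknown field {field!r} in line: {raw.strip()}")
        lo, hi = FIELD_RANGES[field]
        if not lo <= int(value) <= hi:
            raise ValueError(f"{key} {edge} {field} {value}: allowed range is {lo:02d}..{hi:02d}")
        windows.setdefault(key, {}).setdefault(edge, {})[field] = int(value)
    return windows


def to_datetime(fields: dict) -> datetime:
    """All six fields must be present; datetime() rejects dates such as 31 February."""
    missing = [f for f in FIELD_RANGES if f not in fields]
    if missing:
        raise ValueError(f"incomplete timestamp, missing {missing}")
    return datetime(fields["year"], fields["month"], fields["day"],
                    fields["hour"], fields["minute"], fields["second"])


def check_rollover(script: str) -> dict:
    """Parse the script and return both windows plus the gap between them in seconds."""
    w = parse_key_windows(script)
    for key in ("first_key", "second_key"):
        if key not in w:
            raise ValueError(f"{key} window is missing")
        if to_datetime(w[key].get("valid_from", {})) >= to_datetime(w[key].get("valid_to", {})):
            raise ValueError(f"{key}: valid_from must be before valid_to")
    first_end = to_datetime(w["first_key"]["valid_to"])
    second_start = to_datetime(w["second_key"]["valid_from"])
    gap = int((second_start - first_end).total_seconds())
    # At one-second granularity a gap of 1 s means back-to-back windows; 0 or less means overlap.
    return {"first_end": first_end, "second_start": second_start,
            "gap_seconds": gap, "contiguous": gap <= 1}
```

Run check_rollover on the script you intend to paste; anything with `contiguous` False leaves an interval during which neither key matches what the neighbouring RIP routers send.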
IPv6 Routing Commands
net routing static ipv6 configure <route name>
This command configures an IPv6 static route. After you have issued the net routing
static ipv6 configure command to specify the name of the new route, you enter the
net-config [static-routing-ipv6] mode, and then you can configure one keyword and
associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
net routing static ipv6 configure <route name>
Mode
net
Step 2
Format
active_flag {Y | N}
destination_address <ipv6-address>
prefix <prefix length>
gateway_address {6to4_gateway <ipv6-address> | ipv6_gateway <ipv6-address>}
interface {WAN1 | WAN2 | WAN3 | WAN4 | Sit0-WAN | LAN | DMZ}
metric <number>
Mode
net-config [static-routing-ipv6]
Keyword | Associated Keyword to Select or Parameter to Type | Description
active_flag | Y or N | Specifies whether or not the route is an active route.
destination_address | ipv6-address | The destination IPv6 address.
prefix | prefix length | The IPv6 prefix length (integer). This is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address.
interface | WAN1, WAN2, WAN3, WAN4, Sit0-WAN, LAN, or DMZ | Specifies the physical or virtual network interface through which the route is accessible:
  • WAN1, WAN2, WAN3, or WAN4. The selected WAN interface.
  • Sit0-WAN. The 6to4 WAN tunnel interface.
  • LAN. The LAN interface.
  • DMZ. The DMZ interface.
gateway_address 6to4_gateway | ipv6-address | The gateway IP address for a route that uses a 6to4 tunnel. The 6to4_gateway and ipv6_gateway keywords are mutually exclusive.
gateway_address ipv6_gateway | ipv6-address | The gateway IP address for a route in a native IPv6 network. The 6to4_gateway and ipv6_gateway keywords are mutually exclusive.
metric | number | The metric (integer) for this route. The number can be from 2 to 15.
Command example:
SRX5308> net routing static ipv6 configure SFO2
net-config[static-routing-ipv6]> active_flag Y
net-config[static-routing-ipv6]> destination_address 2002:201b:24e2::1001
net-config[static-routing-ipv6]> prefix 64
net-config[static-routing-ipv6]> interface WAN1
net-config[static-routing-ipv6]> gateway_address ipv6_gateway FE80::2001:5efe:ab23
net-config[static-routing-ipv6]> metric 2
net-config[static-routing-ipv6]> save
Related show command: show net routing static ipv6 setup
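The helper below is an added example, not NETGEAR code, for checking an IPv6 static route before issuing the commands above. It validates the ranges the keyword table gives (interface names, metric 2 to 15, prefix length), normalises destination_address and prefix to the network the route actually covers, and returns the CLI lines together with warnings. The route name and addresses in the test are the page's own example; note that 2002:201b:24e2::1001 with prefix 64 has host bits set, so the firewall will route 2002:201b:24e2::/64, not the single host. The warning texts and the expectation that a 6to4_gateway lies in 2002::/16 (the RFC 3056 6to4 prefix) are this example's assumptions.

```python
"""Sanity-check an SRX5308 IPv6 static route and emit the net-config[static-routing-ipv6] lines.
Added example, not NETGEAR code."""
import ipaddress

INTERFACES = {"WAN1", "WAN2", "WAN3", "WAN4", "Sit0-WAN", "LAN", "DMZ"}
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")   # RFC 3056 6to4 prefix (assumption: 6to4 next hops live here)


def build_ipv6_route(name, destination, prefix, interface, gateway,
                     gateway_kind="ipv6_gateway", metric=2, active=True):
    """Return (cli_lines, warnings). Raises ValueError for values the CLI documents as invalid."""
    if interface not in INTERFACES:
        raise ValueError(f"interface must be one of {sorted(INTERFACES)}")
    if gateway_kind not in ("ipv6_gateway", "6to4_gateway"):
        raise ValueError("gateway_kind must be ipv6_gateway or 6to4_gateway (mutually exclusive)")
    if not 2 <= int(metric) <= 15:
        raise ValueError("metric must be 2 to 15")
    dest = ipaddress.IPv6Address(destination)      # raises on malformed input
    gw = ipaddress.IPv6Address(gateway)
    # strict=False keeps host bits instead of raising; we report them as a warning below.
    net = ipaddress.IPv6Network((str(dest), int(prefix)), strict=False)   # raises if prefix > 128

    warnings = []
    if net.network_address != dest:
        warnings.append(f"destination {dest}/{prefix} has host bits set; the route covers {net}")
    if gateway_kind == "6to4_gateway" and gw not in SIXTOFOUR:
        warnings.append(f"6to4_gateway {gw} is not a 2002::/16 address")
    if gw in net:
        warnings.append(f"gateway {gw} lies inside the destination prefix {net} (recursive route)")

    lines = [f"net routing static ipv6 configure {name}",
             f"active_flag {'Y' if active else 'N'}",
             f"destination_address {destination}",
             f"prefix {int(prefix)}",
             f"interface {interface}",
             f"gateway_address {gateway_kind} {gateway}",
             f"metric {int(metric)}",
             "save"]
    return lines, warnings
```

The addresses are echoed exactly as given so the script matches what you typed; only the checks use the parsed form.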
net routing static ipv6 delete <route name>
This command deletes the static IPv6 route that has the specified name.
Format
net routing static ipv6 delete <route name>
Mode
net
Related show command: show net routing static ipv6 setup
net routing static ipv6 delete_all
This command deletes all static IPv6 routes.
Format
net routing static ipv6 delete_all
Mode
net
Related show command: show net routing static ipv6 setup
4. Security Mode Configuration Commands
This chapter explains the configuration commands, keywords, and associated parameters in the
security mode. The chapter includes the following sections:
• Security Services Commands
• Security Schedules Commands
• IPv4 Add Firewall Rule and Edit Firewall Rule Commands
• IPv4 General Firewall Commands
• IPv6 Firewall Commands
• Attack Check Commands
• Session Limit, Time-Out, and Advanced Commands
• Address Filter and IP/MAC Binding Commands
• Port Triggering Commands
• UPnP Command
• Bandwidth Profile Commands
• Content Filtering Commands
IMPORTANT:
After you have issued a command that includes the word
configure, add, or edit, you need to save (or cancel) your
changes. For more information, see Save Commands on page 12.
Security Services Commands
security services add
This command configures a new firewall custom service. After you have issued the
security services add command, you enter the security-config [custom-service] mode,
and then you can configure one keyword and associated parameter or associated keyword
at a time in the order that you prefer.
Step 1
Format
security services add
Mode
security
Step 2
Format
name <service name>
protocol {TCP {start_port <number>} {finish_port <number>} | UDP {start_port <number>} {finish_port <number>} | ICMP {icmp_type <number>} | ICMPv6 {icmp_type <number>}}
Mode
security-config [custom-service]
Keyword | Associated Keyword to Select or Parameter to Type | Description
name | service name | The name (alphanumeric string) of the service.
protocol | TCP, UDP, ICMP, or ICMPv6 | Specifies the protocol type that applies to the service.
start_port | number | For TCP and UDP, the first destination port number (integer) of the range that the service covers. Valid numbers are from 1 to 65535.
finish_port | number | For TCP and UDP, the last destination port number (integer) of the range that the service covers. Valid numbers are from 1 to 65535.
icmp_type | number | For ICMP and ICMPv6, the ICMP type (integer) that the service matches.
Command example:
SRX5308> security services add
security-config[custom-service]> name Traceroute
security-config[custom-service]> protocol ICMP
security-config[custom-service]> icmp_type 20
security-config[custom-service]> save
Related show command: show security services setup
security services edit <row id>
This command configures an existing firewall custom service. After you have issued the
security services edit command to specify the row to be edited, you enter the
security-config [custom-service] mode, and then you can edit the service. You cannot change
the service name.
Step 1
Format
security services edit <row id>
Mode
security
Step 2
Format
protocol {TCP {start_port <number>} {finish_port <number>} | UDP {start_port <number>} {finish_port <number>} | ICMP {icmp_type <number>} | ICMPv6 {icmp_type <number>}}
Mode
security-config [custom-service]
Keyword | Associated Keyword to Select or Parameter to Type | Description
protocol | TCP, UDP, ICMP, or ICMPv6 | Specifies the protocol type that applies to the service.
start_port | number | For TCP and UDP, the first destination port number (integer) of the range that the service covers. Valid numbers are from 1 to 65535.
finish_port | number | For TCP and UDP, the last destination port number (integer) of the range that the service covers. Valid numbers are from 1 to 65535.
icmp_type | number | For ICMP and ICMPv6, the ICMP type (integer) that the service matches.
Related show command: show security services setup
security services delete <row id>
This command deletes the custom service that has the specified row ID.
Format
security services delete <row id>
Mode
security
Related show command: show security services setup
security services qos_profile add
This command configures a new Quality of Service (QoS) profile that you can associate with
a nonblocking inbound or outbound IPv4 firewall rule. After you have issued the security
services qos_profile add command, you enter the security-config [qosProfile] mode,
and then you can configure one keyword and associated parameter or associated keyword at
a time in the order that you prefer.
Step 1
Format
security services qos_profile add
Mode
security
Step 2
Format
profile_name <profile name>
remark {N | Y {qos_type {IP-Precedence | DSCP} {qos_value
<number>}}}
qos_priority {Default | High | Medium-high | Medium | Low}
Mode
security-config [qosProfile]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
profile_name | profile name | The name (alphanumeric string) of the profile.
remark | Y or N | Specifies whether or not packets are remarked. If you select Y, you also need to issue the qos_type keyword to specify the traffic classification method and the qos_value keyword to specify the associated value.
qos_type | IP-Precedence or DSCP | Specifies the traffic classification method:
  • IP-Precedence. A legacy method that sets the priority in the ToS byte of an IP header. You need to issue the qos_value keyword to specify the IP precedence value.
  • DSCP. A method that sets the Differentiated Services Code Point (DSCP) in the Differentiated Services (DS) field (which is the same as the ToS byte) of an IP header. You need to issue the qos_value keyword to specify the DSCP value.
qos_value | number | There are two options:
  • If the qos_type keyword is set to IP-Precedence, the IP precedence value, from 0 through 7. Packets are remarked with this value.
  • If the qos_type keyword is set to DSCP, the DSCP value, from 1 through 63. Packets are remarked with this value.
qos_priority | Default, High, Medium-high, Medium, or Low | Specifies the priority queue that determines the allocation of excess bandwidth and the classification level of the packets among other priority queues on the VPN firewall:
  • Default. Traffic is mapped based on the ToS field in the packet's IP header.
  • High. This queue includes the following DSCP values: AF41, AF42, AF43, AF44, and CS4.
  • Medium-high. This queue includes the following DSCP values: AF31, AF32, AF33, AF34, and CS3.
  • Medium. This queue includes the following DSCP values: AF21, AF22, AF23, AF24, and CS2.
  • Low. This queue includes the following DSCP values: AF11, AF12, AF13, AF14, CS1, 0, and all other values.
Note: RFC 2597 defines three drop-precedence levels per assured forwarding class (AFx1, AFx2, and AFx3); the AFx4 names in this table have no standard DSCP codepoint.
Command example:
SRX5308> security services qos_profile add
security-config[qosProfile]> profile_name Voice
security-config[qosProfile]> remark Y
security-config[qosProfile]> qos_type DSCP
security-config[qosProfile]> qos_value 24
security-config[qosProfile]> qos_priority High
security-config[qosProfile]> save
Related show command: show security services qos_profile setup
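The helpers below are an added example, not NETGEAR code, for working out the numeric qos_value a profile needs and what a remark does to the packet. They convert standard DSCP names (CS0 to CS7, AF11 to AF43, EF) to the 6-bit codepoint, show the DS/ToS byte and legacy IP precedence that a DSCP remark implies, and map a codepoint to the queue named in the qos_priority table above. The queue table is transcribed from this page with the AFx4 names left out (they have no standard codepoint); because the page does not list EF (46), it falls under "all other values" and therefore into the Low queue, which is worth knowing before naming a profile "Voice". The function names and the 1 to 63 check on remarked DSCP values (from the qos_value row) are this example's own.

```python
"""DSCP and IP-precedence arithmetic for the qos_profile remark keywords.
Added example, not NETGEAR code."""

# RFC 2474 class selectors (CSx = x << 3), RFC 2597 assured forwarding
# (AFcd = c << 3 | d << 1) and RFC 3246 expedited forwarding.
DSCP_BY_NAME = {f"CS{c}": c << 3 for c in range(8)}
DSCP_BY_NAME.update({f"AF{c}{d}": (c << 3) | (d << 1)
                     for c in range(1, 5) for d in range(1, 4)})
DSCP_BY_NAME["EF"] = 46

# qos_priority queue membership as the page lists it (standard names only).
QUEUE_TABLE = {
    "High": ("AF41", "AF42", "AF43", "CS4"),
    "Medium-high": ("AF31", "AF32", "AF33", "CS3"),
    "Medium": ("AF21", "AF22", "AF23", "CS2"),
}
PRIORITIES = ("Default", "High", "Medium-high", "Medium", "Low")


def dscp_value(name_or_number) -> int:
    """Accept 'AF41', 'CS3', 'EF' or an int and return the 6-bit codepoint."""
    if isinstance(name_or_number, int):
        value = name_or_number
    else:
        try:
            value = DSCP_BY_NAME[str(name_or_number).upper()]
        except KeyError:
            raise ValueError(f"unknown DSCP name {name_or_number!r}") from None
    if not 0 <= value <= 63:
        raise ValueError("DSCP must be 0 to 63")
    return value


def tos_byte(dscp, ecn: int = 0) -> int:
    """The DS field as it appears on the wire: six DSCP bits followed by two ECN bits."""
    if not 0 <= ecn <= 3:
        raise ValueError("ECN must be 0 to 3")
    return (dscp_value(dscp) << 2) | ecn


def ip_precedence(dscp) -> int:
    """The legacy IP precedence a DSCP remark implies (the top three DS bits)."""
    return dscp_value(dscp) >> 3


def queue_for_dscp(dscp) -> str:
    """Queue the page's qos_priority table assigns; anything it does not list is Low."""
    value = dscp_value(dscp)
    for queue, names in QUEUE_TABLE.items():
        if any(DSCP_BY_NAME[n] == value for n in names):
            return queue
    return "Low"


def qos_profile_lines(profile_name: str, qos_type: str, value, priority: str) -> list:
    """CLI lines for security services qos_profile add with remark Y."""
    if qos_type == "DSCP":
        v = dscp_value(value)
        if v == 0:
            raise ValueError("the qos_value table allows DSCP 1 through 63 for remarking")
    elif qos_type == "IP-Precedence":
        v = int(value)
        if not 0 <= v <= 7:
            raise ValueError("IP precedence must be 0 through 7")
    else:
        raise ValueError("qos_type must be DSCP or IP-Precedence")
    if priority not in PRIORITIES:
        raise ValueError(f"qos_priority must be one of {PRIORITIES}")
    return [f"profile_name {profile_name}", "remark Y", f"qos_type {qos_type}",
            f"qos_value {v}", f"qos_priority {priority}", "save"]
```

The page's example remarks to qos_value 24, which is CS3; the table places CS3 in the Medium-high queue, so the explicit qos_priority High in that example is what puts the traffic in the High queue, not the remark.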
security services qos_profile edit <row id>
This command configures an existing Quality of Service (QoS) profile that you can associate
with a nonblocking inbound or outbound IPv4 firewall rule. After you have issued the
security services qos_profile edit command to specify the row to be edited, you
enter the security-config [qosProfile] mode, and then you can configure one keyword and
associated parameter or associated keyword at a time in the order that you prefer. You
cannot change the name of the profile.
Step 1
Format
security services qos_profile edit <row id>
Mode
security
Step 2
Format
remark {N | Y {qos_type {IP-Precedence | DSCP} {qos_value
<number>}}}
qos_priority {Default | High | Medium-high | Medium | Low}
Mode
security-config [qosProfile]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
remark | Y or N | Specifies whether or not packets are remarked. If you select Y, you also need to issue the qos_type keyword to specify the traffic classification method and the qos_value keyword to specify the associated value.
qos_type | IP-Precedence or DSCP | Specifies the traffic classification method:
  • IP-Precedence. A legacy method that sets the priority in the ToS byte of an IP header. You need to issue the qos_value keyword to specify the IP precedence value.
  • DSCP. A method that sets the Differentiated Services Code Point (DSCP) in the Differentiated Services (DS) field (which is the same as the ToS byte) of an IP header. You need to issue the qos_value keyword to specify the DSCP value.
qos_value | number | There are two options:
  • If the qos_type keyword is set to IP-Precedence, the IP precedence value, from 0 through 7. Packets are remarked with this value.
  • If the qos_type keyword is set to DSCP, the DSCP value, from 1 through 63. Packets are remarked with this value.
qos_priority | Default, High, Medium-high, Medium, or Low | Specifies the priority queue that determines the allocation of excess bandwidth and the classification level of the packets among other priority queues on the VPN firewall:
  • Default. Traffic is mapped based on the ToS field in the packet's IP header.
  • High. This queue includes the following DSCP values: AF41, AF42, AF43, AF44, and CS4.
  • Medium-high. This queue includes the following DSCP values: AF31, AF32, AF33, AF34, and CS3.
  • Medium. This queue includes the following DSCP values: AF21, AF22, AF23, AF24, and CS2.
  • Low. This queue includes the following DSCP values: AF11, AF12, AF13, AF14, CS1, 0, and all other values.
Note: RFC 2597 defines three drop-precedence levels per assured forwarding class (AFx1, AFx2, and AFx3); the AFx4 names in this table have no standard DSCP codepoint.
Related show command: show security services qos_profile setup
security services qos_profile delete <row id>
This command deletes the QoS profile that has the specified row ID.
Format
security services qos_profile delete <row id>
Mode
security
Related show command: show security services qos_profile setup
security services ip_group add
This command configures a new LAN or WAN IP group. After you have issued the security
services ip_group add command, you enter the security-config [ipGroup] mode, and
then you can configure the group type and name in the order that you prefer.
Step 1
Format
security services ip_group add
Mode
security
Step 2
Format
ip_group_type {LAN-Group | WAN-Group}
ip_group_name <group name>
Mode
security-config [ipGroup]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
ip_group_type | LAN-Group or WAN-Group | Specifies the type of IP group:
  • LAN-Group. The group can be used as a firewall object in an IPv4 LAN firewall rule.
  • WAN-Group. The group can be used as a firewall object in an IPv4 WAN firewall rule.
ip_group_name | group name | The name (alphanumeric string) of the group.
Command example:
SRX5308> security services ip_group add
security-config[ipGroup]> ip_group_type LAN-Group
security-config[ipGroup]> ip_group_name TechSupport
security-config[ipGroup]> save
Related show command: show security services ip_group ip_setup
security services ip_group edit <row id>
This command configures an existing LAN or WAN IP group. After you have issued the
security services ip_group edit command to specify the row to be edited, you
enter the security-config [ipGroup] mode, and then you can configure the group type and
name in the order that you prefer.
Step 1
Format
security services ip_group edit <row id>
Mode
security
Step 2
Format
ip_group_type {LAN-Group | WAN-Group}
ip_group_name <group name>
Mode
security-config [ipGroup]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
ip_group_type | LAN-Group or WAN-Group | Specifies the type of IP group:
  • LAN-Group. The group can be used as a firewall object in an IPv4 LAN firewall rule.
  • WAN-Group. The group can be used as a firewall object in an IPv4 WAN firewall rule.
ip_group_name | group name | The name (alphanumeric string) of the group.
Related show command: show security services ip_group ip_setup
security services ip_group add_ip_to <group name>
This command adds an IPv4 address to a LAN or WAN IP group. After you have issued the
security services ip_group add_ip_to command to specify the LAN IP or WAN IP
group name to which an IP address is to be added, you enter the security-config [ipGroup-Ip]
mode, and then you can add the IP address.
Step 1
Format
security services ip_group add_ip_to <group name>
Mode
security
Step 2
Format
ip_address <ipaddress>
Mode
security-config [ipGroup-Ip]
Keyword | Associated Parameter to Type | Description
ip_address | ipaddress | The IPv4 address that needs to be assigned to the IP group.
Command example:
SRX5308> security services ip_group add_ip_to TechSupport
security-config[ipGroup-Ip]> ip_address 10.55.3.201
security-config[ipGroup-Ip]> save
Related show command: show security services ip_group ip_setup
security services ip_group delete <row id>
This command deletes the LAN or WAN IP group that has the specified row ID.
Format
security services ip_group delete <row id>
Mode
security
Related show command: show security services ip_group ip_setup
security services ip_group delete_ip <row id>
This command removes an IP address from a LAN or WAN IP group; the address is identified by its
row ID in the group.
Format
security services ip_group delete_ip <row id>
Mode
security
Related show command: show security services ip_group ip_setup
Security Schedules Commands
security schedules edit {1 | 2 | 3}
This command configures one of the three security schedules. After you have issued the
security schedules edit command to specify the row (that is, the schedule: 1, 2, or 3)
to be edited, you enter the security-config [schedules] mode, and then you can configure one
keyword and associated parameter or associated keyword at a time in the order that you
prefer.
Step 1
Format
security schedules edit {1 | 2 | 3}
Mode
security
Step 2
Format
days all {Y | N}
days {sunday | monday | tuesday | wednesday | thursday | friday | saturday} {Y | N}
time_of_day all_enable {Y | N}
time_of_day {start | end} hours <hour>
time_of_day {start | end} mins <minute>
time_of_day {start | end} meridiem {AM | PM}
The individual day keywords apply when days all is set to N; the start and end keywords apply when time_of_day all_enable is set to N.
Mode
security-config [schedules]
Keyword (consists of two separate words) | Associated Keyword to Select or Parameter to Type | Description
days all | Y or N | Specifies whether or not the schedule is active on all days.
days sunday | Y or N | Specifies whether or not the schedule is active on Sundays.
days monday | Y or N | Specifies whether or not the schedule is active on Mondays.
days tuesday | Y or N | Specifies whether or not the schedule is active on Tuesdays.
days wednesday | Y or N | Specifies whether or not the schedule is active on Wednesdays.
days thursday | Y or N | Specifies whether or not the schedule is active on Thursdays.
days friday | Y or N | Specifies whether or not the schedule is active on Fridays.
days saturday | Y or N | Specifies whether or not the schedule is active on Saturdays.
time_of_day all_enable | Y or N | Specifies whether or not the schedule is active all day.
time_of_day start hours | hour | The schedule starts at the specified hour in the 12-hour format HH (00 to 12).
time_of_day start mins | minute | The schedule starts at the specified minute in the format MM (00 to 59).
time_of_day start meridiem | AM or PM | Specifies the meridiem for the start time.
time_of_day end hours | hour | The schedule ends at the specified hour in the 12-hour format HH (00 to 12).
time_of_day end mins | minute | The schedule ends at the specified minute in the format MM (00 to 59).
time_of_day end meridiem | AM or PM | Specifies the meridiem for the end time.
Command example:
SRX5308> security schedules edit 1
security-config[schedules]> days monday Y
security-config[schedules]> days tuesday Y
security-config[schedules]> days wednesday Y
security-config[schedules]> days thursday Y
security-config[schedules]> days friday Y
security-config[schedules]> time_of_day start hours 07
security-config[schedules]> time_of_day start mins 30
security-config[schedules]> time_of_day start meridiem AM
security-config[schedules]> time_of_day end hours 08
security-config[schedules]> time_of_day end mins 00
security-config[schedules]> time_of_day end meridiem PM
security-config[schedules]> save
Related show command: show security schedules setup
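The helper below is an added example, not NETGEAR code, for generating a schedule from a 24-hour description without tripping over the 12-hour clock the CLI uses. It converts hour, minute and meridiem to minutes after midnight (12 AM is 00:00, 12 PM is 12:00), rejects an end time that is not after the start time, and emits the security-config[schedules] lines, including the explicit "days all N" and "time_of_day all_enable N" lines that the Format block above shows in front of the per-day and start/end keywords. Treating hour 00 as invalid is this example's choice (the page gives it no meaning on a 12-hour clock), and overnight windows are deliberately not generated because the page does not say how the firewall interprets an end time before the start time.

```python
"""Build a security schedules edit script from 12-hour start/end times.
Added example, not NETGEAR code."""

DAYS = ("sunday", "monday", "tuesday", "wednesday", "thursday", "friday", "saturday")


def to_minutes(hour: int, minute: int, meridiem: str) -> int:
    """Minutes after midnight for an HH MM AM/PM triple as the CLI takes it."""
    if meridiem not in ("AM", "PM"):
        raise ValueError("meridiem must be AM or PM")
    if not 1 <= hour <= 12 or not 0 <= minute <= 59:
        raise ValueError("hour must be 01 to 12 and minute 00 to 59")
    h24 = hour % 12 + (12 if meridiem == "PM" else 0)   # 12 AM -> 0, 12 PM -> 12
    return h24 * 60 + minute


def schedule_lines(slot: int, days, start, end) -> list:
    """days: iterable of weekday names or 'all'; start/end: (hour, minute, meridiem), or start='all'."""
    if slot not in (1, 2, 3):
        raise ValueError("only schedules 1, 2 and 3 exist")
    lines = [f"security schedules edit {slot}"]
    if days == "all":
        lines.append("days all Y")
    else:
        chosen = {d.lower() for d in days}
        unknown = chosen - set(DAYS)
        if unknown or not chosen:
            raise ValueError(f"bad day names: {sorted(unknown)}")
        lines.append("days all N")
        lines += [f"days {d} {'Y' if d in chosen else 'N'}" for d in DAYS]
    if start == "all":
        lines.append("time_of_day all_enable Y")
    else:
        if to_minutes(*end) <= to_minutes(*start):
            raise ValueError("end must be after start; overnight windows are not generated here")
        lines.append("time_of_day all_enable N")
        for edge, (h, m, mer) in (("start", start), ("end", end)):
            lines += [f"time_of_day {edge} hours {h:02d}",
                      f"time_of_day {edge} mins {m:02d}",
                      f"time_of_day {edge} meridiem {mer}"]
    lines.append("save")
    return lines
```
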
IPv4 Add Firewall Rule and Edit Firewall Rule Commands
security firewall ipv4 add_rule lan_wan outbound
This command configures a new IPv4 LAN WAN outbound firewall rule. After you have
issued the security firewall ipv4 add_rule lan_wan outbound command, you
enter the security-config [firewall-ipv4-lan-wan-outbound] mode, and then you can configure
one keyword and associated parameter or associated keyword at a time in the order that you
prefer. However, note that the setting of the action keyword determines which other
keywords and parameters you can apply to a rule.
Step 1
Format
security firewall ipv4 add_rule lan_wan outbound
Mode
security
Step 2
Format
service_name {default_services <default service name> | custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} | group_wise <group name>}
wan_users {address_wise {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} | ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}} | group_wise <group name>}
qos_profile <profile name>
log {NEVER | ALWAYS}
bandwidth_profile <profile name>
nat_ip {type {Auto | WAN1 | WAN2 | WAN3 | WAN4} | address <ipaddress>}
Mode
security-config [firewall-ipv4-lan-wan-outbound]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description

Service name, action, and schedule
service_name default_services | ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP | Specifies the default service and protocol to which the firewall rule applies.
service_name custom_services | custom service name | The custom service that you have configured with the security services add command and to which the firewall rule applies.
action | ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK | Specifies the type of action to be enforced by the rule.
schedule | Schedule1, Schedule2, or Schedule3 | Specifies the schedule, if any, that is applicable to the rule. A schedule is required for the BLOCK_BY_SCHEDULE_ELSE_ALLOW and ALLOW_BY_SCHEDULE_ELSE_BLOCK actions.

LAN user addresses or LAN group and WAN user addresses
lan_users address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | Specifies the type of LAN address. The address_wise and group_wise keywords are mutually exclusive.
lan_user_start_ip | ipaddress | There are two options:
  • The IP address if the lan_users address_wise keywords are set to SINGLE_ADDRESS.
  • The start IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.
lan_user_end_ip | ipaddress | The end IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.
lan_users group_wise | group name | The name of the LAN group or LAN IP group. The LAN group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you have specified with the net lan lan_groups edit <row id> <new group name> command. The LAN IP group name is a name that you have specified with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.
wan_users address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | Specifies the type of WAN address. The address_wise and group_wise keywords are mutually exclusive.
wan_user_start_ip | ipaddress | There are two options:
  • The IP address if the wan_users address_wise keywords are set to SINGLE_ADDRESS.
  • The start IP address if the wan_users address_wise keywords are set to ADDRESS_RANGE.
wan_user_end_ip | ipaddress | The end IP address if the wan_users address_wise keywords are set to ADDRESS_RANGE.
wan_users group_wise | group name | The name of the WAN IP group. The WAN IP group name is a name that you have specified with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.

QoS profile, logging, bandwidth profile, and NAT IP address
qos_profile | profile name | The name of the QoS profile that you have specified with the security services qos_profile add command.
log | NEVER or ALWAYS | Specifies whether logging is disabled or enabled.
bandwidth_profile | profile name | The name of the bandwidth profile that you have specified with the security bandwidth profile add command.
nat_ip type | Auto, WAN1, WAN2, WAN3, or WAN4 | Specifies the type of NAT IP address for a nonblocking rule:
  • Auto. The source address of the outgoing packets is autodetected through the configured routing and load balancing rules.
  • WAN1, WAN2, WAN3, or WAN4. The IP address of the selected WAN interface.
  Note: The nat_ip type and nat_ip address keywords are mutually exclusive.
nat_ip address | ipaddress | The NAT IP address, if the address is different from the IP address of a WAN interface, for example, a secondary WAN IP address. Note: The nat_ip type and nat_ip address keywords are mutually exclusive.
Command example:
SRX5308> security firewall ipv4 add_rule lan_wan outbound
security-config[firewall-ipv4-lan-wan-outbound]> service_name default_services HTTP
security-config[firewall-ipv4-lan-wan-outbound]> action ALWAYS_ALLOW
security-config[firewall-ipv4-lan-wan-outbound]> lan_users group_wise SalesAmericas
security-config[firewall-ipv4-lan-wan-outbound]> wan_users address_wise ANY
security-config[firewall-ipv4-lan-wan-outbound]> bandwidth_profile PriorityQueue
security-config[firewall-ipv4-lan-wan-outbound]> nat_ip type Auto
security-config[firewall-ipv4-lan-wan-outbound]> log NEVER
security-config[firewall-ipv4-lan-wan-outbound]> save
Related show command: show security firewall ipv4 setup lan_wan
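The builder below is an added example, not NETGEAR code, for assembling an IPv4 LAN WAN outbound rule script and catching the mistakes the keyword table warns about before the firewall sees them: a schedule is given exactly when the action is one of the *_BY_SCHEDULE_* values, address_wise and group_wise are mutually exclusive (as are nat_ip type and nat_ip address), an ADDRESS_RANGE must not run backwards, and qos_profile and nat_ip (which the page documents for nonblocking rules) are refused on an ALWAYS_BLOCK rule. The function names, the dictionary shapes used to select users, and the sample group and profile names are this example's own; the first test reproduces the command example above line for line.

```python
"""Build and validate security firewall ipv4 add_rule lan_wan outbound scripts.
Added example, not NETGEAR code."""
import ipaddress

SCHEDULE_ACTIONS = {"BLOCK_BY_SCHEDULE_ELSE_ALLOW", "ALLOW_BY_SCHEDULE_ELSE_BLOCK"}
ACTIONS = SCHEDULE_ACTIONS | {"ALWAYS_BLOCK", "ALWAYS_ALLOW"}
SCHEDULES = {"Schedule1", "Schedule2", "Schedule3"}
NAT_TYPES = {"Auto", "WAN1", "WAN2", "WAN3", "WAN4"}


def users_lines(side: str, spec: dict) -> list:
    """side is 'lan' or 'wan'; spec is exactly one of
    {'group': name}, {'any': True}, {'ip': addr}, {'range': (first, last)}."""
    if len(spec) != 1:
        raise ValueError(f"{side}_users: address_wise and group_wise are mutually exclusive")
    (kind, value), = spec.items()
    if kind == "group":
        return [f"{side}_users group_wise {value}"]
    if kind == "any":
        return [f"{side}_users address_wise ANY"]
    if kind == "ip":
        return [f"{side}_users address_wise SINGLE_ADDRESS",
                f"{side}_user_start_ip {ipaddress.IPv4Address(value)}"]
    if kind == "range":
        lo, hi = (ipaddress.IPv4Address(v) for v in value)
        if lo > hi:
            raise ValueError(f"{side}_users: range start {lo} is above end {hi}")
        return [f"{side}_users address_wise ADDRESS_RANGE",
                f"{side}_user_start_ip {lo}", f"{side}_user_end_ip {hi}"]
    raise ValueError(f"{side}_users: unknown selector {kind!r}")


def build_outbound_rule(service, action, lan, wan, *, custom_service=False, schedule=None,
                        qos_profile=None, bandwidth_profile=None, nat_ip=None, log="NEVER"):
    """Return the security-config[firewall-ipv4-lan-wan-outbound] lines for one rule."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if (schedule is not None) != (action in SCHEDULE_ACTIONS):
        raise ValueError("schedule is required for, and only for, the *_BY_SCHEDULE_* actions")
    if schedule is not None and schedule not in SCHEDULES:
        raise ValueError("schedule must be Schedule1, Schedule2 or Schedule3")
    if log not in ("NEVER", "ALWAYS"):
        raise ValueError("log must be NEVER or ALWAYS")
    # The page documents qos_profile and nat_ip for nonblocking rules only.
    if action == "ALWAYS_BLOCK" and (qos_profile or nat_ip):
        raise ValueError("qos_profile and nat_ip apply to nonblocking rules only")

    kind = "custom_services" if custom_service else "default_services"
    lines = [f"service_name {kind} {service}", f"action {action}"]
    if schedule:
        lines.append(f"schedule {schedule}")
    lines += users_lines("lan", lan) + users_lines("wan", wan)
    if qos_profile:
        lines.append(f"qos_profile {qos_profile}")
    if bandwidth_profile:
        lines.append(f"bandwidth_profile {bandwidth_profile}")
    if nat_ip is not None:
        if set(nat_ip) not in ({"type"}, {"address"}):
            raise ValueError("nat_ip takes exactly one of type or address")
        if "type" in nat_ip:
            if nat_ip["type"] not in NAT_TYPES:
                raise ValueError("nat_ip type must be Auto or WAN1 to WAN4")
            lines.append(f"nat_ip type {nat_ip['type']}")
        else:
            lines.append(f"nat_ip address {ipaddress.IPv4Address(nat_ip['address'])}")
    lines += [f"log {log}", "save"]
    return lines
```

The order of the emitted lines follows the command example; the CLI accepts the keywords in any order, so the builder's only job is to refuse combinations the firewall would reject or silently ignore.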
security firewall ipv4 edit_rule lan_wan outbound <row id>
This command configures an existing IPv4 LAN WAN outbound firewall rule. After you have
issued the security firewall ipv4 edit_rule lan_wan outbound command to
specify the row to be edited (for row information, see the output of the show security firewall
ipv4 setup lan_wan command), you enter the security-config [firewall-ipv4-lan-wan-outbound]
mode. You can then edit one keyword and associated parameter or associated keyword at a
time in the order that you prefer. However, note that the setting of the action keyword
determines which other keywords and parameters you can apply to a rule.
Step 1
Format
security firewall ipv4 edit_rule lan_wan outbound <row id>
Mode
security
Step 2
Format
service_name {default_services <default service name> | custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} | group_wise <group name>}
wan_users {address_wise {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} | ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}} | group_wise <group name>}
qos_profile <profile name>
log {NEVER | ALWAYS}
bandwidth_profile <profile name>
nat_ip {type {Auto | WAN1 | WAN2 | WAN3 | WAN4} | address <ipaddress>}
Mode
security-config [firewall-ipv4-lan-wan-outbound]
Keyword (might consist of two separate words), followed by the associated keyword
to select (Select) or the parameter to type (Type), and the description:

Service name, action, and schedule

service_name default_services
    Select: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP,
        DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4,
        ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9,
        ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS,
        NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP,
        RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP,
        SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD,
        IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
    Specifies the default service and protocol to which the firewall rule applies.

service_name custom_services
    Type: <custom service name>
    The custom service that you have configured with the security services add
    command and to which the firewall rule applies.

action
    Select: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or
        ALLOW_BY_SCHEDULE_ELSE_BLOCK
    Specifies the type of action to be enforced by the rule.

schedule
    Select: Schedule1, Schedule2, or Schedule3
    Specifies the schedule, if any, that is applicable to the rule. A schedule is
    required only with the BLOCK_BY_SCHEDULE_ELSE_ALLOW and
    ALLOW_BY_SCHEDULE_ELSE_BLOCK actions.

LAN user addresses or LAN group and WAN user addresses

lan_users address_wise
    Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of LAN address. The address_wise and group_wise keywords are
    mutually exclusive.

lan_user_start_ip
    Type: <ipaddress>
    There are two options:
    • The IP address if the lan_users address_wise keywords are set to
      SINGLE_ADDRESS.
    • The start IP address if the lan_users address_wise keywords are set to
      ADDRESS_RANGE.

lan_user_end_ip
    Type: <ipaddress>
    The end IP address if the lan_users address_wise keywords are set to
    ADDRESS_RANGE.

lan_users group_wise
    Type: <group name>
    The name of the LAN group or LAN IP group. The LAN group name is either a
    default name (Group1, Group2, Group3, and so on) or a custom name that you have
    specified with the net lan lan_groups edit <row id> <new group name> command.
    The LAN IP group name is a name that you have specified with the security
    services ip_group add command. The address_wise and group_wise keywords are
    mutually exclusive.

wan_users address_wise
    Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of WAN address. The address_wise and group_wise keywords are
    mutually exclusive.

wan_user_start_ip
    Type: <ipaddress>
    There are two options:
    • The IP address if the wan_users address_wise keywords are set to
      SINGLE_ADDRESS.
    • The start IP address if the wan_users address_wise keywords are set to
      ADDRESS_RANGE.

wan_user_end_ip
    Type: <ipaddress>
    The end IP address if the wan_users address_wise keywords are set to
    ADDRESS_RANGE.

wan_users group_wise
    Type: <group name>
    The name of the WAN IP group that you have specified with the security services
    ip_group add command. The address_wise and group_wise keywords are mutually
    exclusive.

QoS profile, logging, bandwidth profile, and NAT IP address

qos_profile
    Type: <profile name>
    The name of the QoS profile that you have specified with the security services
    qos_profile add command.

log
    Select: NEVER or ALWAYS
    Specifies whether logging is disabled or enabled.

bandwidth_profile
    Type: <profile name>
    The name of the bandwidth profile that you have specified with the security
    bandwidth profile add command.

nat_ip type
    Select: Auto, WAN1, WAN2, WAN3, or WAN4
    Specifies the type of NAT IP address for a nonblocking rule:
    • Auto. The source address of the outgoing packets is autodetected through the
      configured routing and load balancing rules.
    • WAN1, WAN2, WAN3, or WAN4. The IP address of the selected WAN interface.
    Note: The nat_ip type and nat_ip address keywords are mutually exclusive.

nat_ip address
    Type: <ipaddress>
    The NAT IP address, if the address is different from the IP address of a WAN
    interface, for example, a secondary WAN IP address.
    Note: The nat_ip type and nat_ip address keywords are mutually exclusive.
Command example: See the command example for the security firewall ipv4 add_rule lan_wan
outbound command.
Related show command: show security firewall ipv4 setup lan_wan
security firewall ipv4 add_rule lan_wan inbound
This command configures a new IPv4 LAN WAN inbound firewall rule. After you have
issued the security firewall ipv4 add_rule lan_wan inbound command, you
enter the security-config [firewall-ipv4-lan-wan-inbound] mode, and then you can configure
one keyword and associated parameter or associated keyword at a time in the order that you
prefer. However, note that the setting of the action keyword determines which other
keywords and parameters you can apply to a rule.
Step 1
Format: security firewall ipv4 add_rule lan_wan inbound
Mode: security

Step 2
Format:
    service_name {default_services <default service name> |
        custom_services <custom service name>}
    action {ALWAYS_BLOCK | ALWAYS_ALLOW |
        BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} |
        ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
    send_to_lan_server {SINGLE_ADDRESS {send_to_lan_server_start_ip <ipaddress>} |
        ADDRESS_RANGE {send_to_lan_server_start_ip <ipaddress>}
        {send_to_lan_server_end_ip <ipaddress>}}
    translate_to_port_number enable {N | Y {translate_to_port_number port <number>}}
    wan_destination_ip_address {{WAN1 | WAN2 | WAN3 | WAN4} | RANGE
        {wan_destination_ip_address_start <ipaddress>}
        {wan_destination_ip_address_end <ipaddress>}}
    lan_user {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} |
        ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} |
        group_wise <group name>}
    wan_users {address_wise {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} |
        ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}} |
        group_wise <group name>}
    qos_profile <profile name>
    log {NEVER | ALWAYS}
    bandwidth_profile <profile name>
Mode: security-config [firewall-ipv4-lan-wan-inbound]
Keyword (might consist of two separate words), followed by the associated keyword
to select (Select) or the parameter to type (Type), and the description:

Service name, action, and schedule

service_name default_services
    Select: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP,
        DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4,
        ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9,
        ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS,
        NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP,
        RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP,
        SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD,
        IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
    Specifies the default service and protocol to which the firewall rule applies.

service_name custom_services
    Type: <custom service name>
    The custom service that you have configured with the security services add
    command and to which the firewall rule applies.

action
    Select: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or
        ALLOW_BY_SCHEDULE_ELSE_BLOCK
    Specifies the type of action to be enforced by the rule.

schedule
    Select: Schedule1, Schedule2, or Schedule3
    Specifies the schedule, if any, that is applicable to the rule. A schedule is
    required only with the BLOCK_BY_SCHEDULE_ELSE_ALLOW and
    ALLOW_BY_SCHEDULE_ELSE_BLOCK actions.

LAN server addresses, port number translation, and WAN destination addresses

send_to_lan_server
    Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of LAN address.

send_to_lan_server_start_ip
    Type: <ipaddress>
    There are two options:
    • The IP address if the send_to_lan_server keyword is set to SINGLE_ADDRESS.
    • The start IP address if the send_to_lan_server keyword is set to
      ADDRESS_RANGE.

send_to_lan_server_end_ip
    Type: <ipaddress>
    The end IP address if the send_to_lan_server keyword is set to ADDRESS_RANGE.

translate_to_port_number enable
    Select: Y or N
    Enables or disables port forwarding.

translate_to_port_number port
    Type: <number>
    The port number (integer) if port forwarding is enabled. Valid numbers are 0
    through 65535.

wan_destination_ip_address
    Select: WAN1, WAN2, WAN3, WAN4, or RANGE
    Specifies the type of destination WAN address for an inbound rule:
    • WAN1, WAN2, WAN3, or WAN4. The IP address of the selected WAN interface.
    • RANGE. A range of public IP addresses, which you need to configure by issuing
      the wan_destination_ip_address_start and wan_destination_ip_address_end
      keywords and specifying IPv4 addresses.

wan_destination_ip_address_start
    Type: <ipaddress>
    The start IP address if the wan_destination_ip_address keyword is set to RANGE.

wan_destination_ip_address_end
    Type: <ipaddress>
    The end IP address if the wan_destination_ip_address keyword is set to RANGE.

LAN user addresses or LAN group and WAN user addresses

lan_user address_wise
    Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of LAN address. The address_wise and group_wise keywords are
    mutually exclusive. For an inbound rule, this option is available only when the
    WAN mode is Classical Routing.

lan_user_start_ip
    Type: <ipaddress>
    There are two options:
    • The IP address if the lan_user address_wise keywords are set to
      SINGLE_ADDRESS.
    • The start IP address if the lan_user address_wise keywords are set to
      ADDRESS_RANGE.

lan_user_end_ip
    Type: <ipaddress>
    The end IP address if the lan_user address_wise keywords are set to
    ADDRESS_RANGE.

lan_user group_wise
    Type: <group name>
    The name of the LAN group or LAN IP group. The LAN group name is either a
    default name (Group1, Group2, Group3, and so on) or a custom name that you have
    specified with the net lan lan_groups edit <row id> <new group name> command.
    The LAN IP group name is a name that you have specified with the security
    services ip_group add command. The address_wise and group_wise keywords are
    mutually exclusive. For an inbound rule, this option is available only when the
    WAN mode is Classical Routing.

wan_users address_wise
    Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of WAN address. The address_wise and group_wise keywords are
    mutually exclusive.

wan_user_start_ip
    Type: <ipaddress>
    There are two options:
    • The IP address if the wan_users address_wise keywords are set to
      SINGLE_ADDRESS.
    • The start IP address if the wan_users address_wise keywords are set to
      ADDRESS_RANGE.

wan_user_end_ip
    Type: <ipaddress>
    The end IP address if the wan_users address_wise keywords are set to
    ADDRESS_RANGE.

wan_users group_wise
    Type: <group name>
    The name of the WAN IP group that you have specified with the security services
    ip_group add command. The address_wise and group_wise keywords are mutually
    exclusive.

QoS profile, logging, and bandwidth profile

qos_profile
    Type: <profile name>
    The name of the QoS profile that you have specified with the security services
    qos_profile add command.

log
    Select: NEVER or ALWAYS
    Specifies whether logging is disabled or enabled.

bandwidth_profile
    Type: <profile name>
    The name of the bandwidth profile that you have specified with the security
    bandwidth profile add command.
Command example:
SRX5308> security firewall ipv4 add_rule lan_wan inbound
security-config[firewall-ipv4-lan-wan-inbound]> service_name default_services FTP
security-config[firewall-ipv4-lan-wan-inbound]> action ALWAYS_ALLOW
security-config[firewall-ipv4-lan-wan-inbound]> send_to_lan_server SINGLE_ADDRESS
security-config[firewall-ipv4-lan-wan-inbound]> send_to_lan_server_start_ip 192.168.5.71
security-config[firewall-ipv4-lan-wan-inbound]> wan_destination_ip_address_start 10.168.50.1
security-config[firewall-ipv4-lan-wan-inbound]> wan_users address_wise ANY
security-config[firewall-ipv4-lan-wan-inbound]> qos_profile Standard
security-config[firewall-ipv4-lan-wan-inbound]> log NEVER
security-config[firewall-ipv4-lan-wan-inbound]> save
Related show command: show security firewall ipv4 setup lan_wan
security firewall ipv4 edit_rule lan_wan inbound <row id>
This command configures an existing IPv4 LAN WAN inbound firewall rule. After you have
issued the security firewall ipv4 edit_rule lan_wan inbound command to
specify the row to be edited (for row information, see the output of the show security firewall
ipv4 setup lan_wan command), you enter the security-config [firewall-ipv4-lan-wan-inbound]
mode. You can then edit one keyword and associated parameter or associated keyword at a
time in the order that you prefer. However, note that the setting of the action keyword
determines which other keywords and parameters you can apply to a rule.
Step 1
Format: security firewall ipv4 edit_rule lan_wan inbound <row id>
Mode: security

Step 2
Format:
    service_name {default_services <default service name> |
        custom_services <custom service name>}
    action {ALWAYS_BLOCK | ALWAYS_ALLOW |
        BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} |
        ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
    send_to_lan_server {SINGLE_ADDRESS {send_to_lan_server_start_ip <ipaddress>} |
        ADDRESS_RANGE {send_to_lan_server_start_ip <ipaddress>}
        {send_to_lan_server_end_ip <ipaddress>}}
    translate_to_port_number enable {N | Y {translate_to_port_number port <number>}}
    wan_destination_ip_address {{WAN1 | WAN2 | WAN3 | WAN4} | RANGE
        {wan_destination_ip_address_start <ipaddress>}
        {wan_destination_ip_address_end <ipaddress>}}
    lan_user {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} |
        ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} |
        group_wise <group name>}
    wan_users {address_wise {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} |
        ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}} |
        group_wise <group name>}
    qos_profile <profile name>
    log {NEVER | ALWAYS}
    bandwidth_profile <profile name>
Mode: security-config [firewall-ipv4-lan-wan-inbound]
Keyword (might consist of two separate words), followed by the associated keyword
to select (Select) or the parameter to type (Type), and the description:

Service name, action, and schedule

service_name default_services
    Select: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP,
        DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4,
        ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9,
        ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS,
        NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP,
        RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP,
        SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD,
        IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
    Specifies the default service and protocol to which the firewall rule applies.

service_name custom_services
    Type: <custom service name>
    The custom service that you have configured with the security services add
    command and to which the firewall rule applies.

action
    Select: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or
        ALLOW_BY_SCHEDULE_ELSE_BLOCK
    Specifies the type of action to be enforced by the rule.

schedule
    Select: Schedule1, Schedule2, or Schedule3
    Specifies the schedule, if any, that is applicable to the rule. A schedule is
    required only with the BLOCK_BY_SCHEDULE_ELSE_ALLOW and
    ALLOW_BY_SCHEDULE_ELSE_BLOCK actions.

LAN server addresses, port number translation, and WAN destination addresses

send_to_lan_server
    Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of LAN address.

send_to_lan_server_start_ip
    Type: <ipaddress>
    There are two options:
    • The IP address if the send_to_lan_server keyword is set to SINGLE_ADDRESS.
    • The start IP address if the send_to_lan_server keyword is set to
      ADDRESS_RANGE.

send_to_lan_server_end_ip
    Type: <ipaddress>
    The end IP address if the send_to_lan_server keyword is set to ADDRESS_RANGE.

translate_to_port_number enable
    Select: Y or N
    Enables or disables port forwarding.

translate_to_port_number port
    Type: <number>
    The port number (integer) if port forwarding is enabled. Valid numbers are 0
    through 65535.

wan_destination_ip_address
    Select: WAN1, WAN2, WAN3, WAN4, or RANGE
    Specifies the type of destination WAN address for an inbound rule:
    • WAN1, WAN2, WAN3, or WAN4. The IP address of the selected WAN interface.
    • RANGE. A range of public IP addresses, which you need to configure by issuing
      the wan_destination_ip_address_start and wan_destination_ip_address_end
      keywords and specifying IPv4 addresses.

wan_destination_ip_address_start
    Type: <ipaddress>
    The start IP address if the wan_destination_ip_address keyword is set to RANGE.

wan_destination_ip_address_end
    Type: <ipaddress>
    The end IP address if the wan_destination_ip_address keyword is set to RANGE.

LAN user addresses or LAN group and WAN user addresses

lan_user address_wise
    Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of LAN address. The address_wise and group_wise keywords are
    mutually exclusive. For an inbound rule, this option is available only when the
    WAN mode is Classical Routing.

lan_user_start_ip
    Type: <ipaddress>
    There are two options:
    • The IP address if the lan_user address_wise keywords are set to
      SINGLE_ADDRESS.
    • The start IP address if the lan_user address_wise keywords are set to
      ADDRESS_RANGE.

lan_user_end_ip
    Type: <ipaddress>
    The end IP address if the lan_user address_wise keywords are set to
    ADDRESS_RANGE.

lan_user group_wise
    Type: <group name>
    The name of the LAN group or LAN IP group. The LAN group name is either a
    default name (Group1, Group2, Group3, and so on) or a custom name that you have
    specified with the net lan lan_groups edit <row id> <new group name> command.
    The LAN IP group name is a name that you have specified with the security
    services ip_group add command. The address_wise and group_wise keywords are
    mutually exclusive. For an inbound rule, this option is available only when the
    WAN mode is Classical Routing.

wan_users address_wise
    Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of WAN address. The address_wise and group_wise keywords are
    mutually exclusive.

wan_user_start_ip
    Type: <ipaddress>
    There are two options:
    • The IP address if the wan_users address_wise keywords are set to
      SINGLE_ADDRESS.
    • The start IP address if the wan_users address_wise keywords are set to
      ADDRESS_RANGE.

wan_user_end_ip
    Type: <ipaddress>
    The end IP address if the wan_users address_wise keywords are set to
    ADDRESS_RANGE.

wan_users group_wise
    Type: <group name>
    The name of the WAN IP group that you have specified with the security services
    ip_group add command. The address_wise and group_wise keywords are mutually
    exclusive.

QoS profile, logging, and bandwidth profile

qos_profile
    Type: <profile name>
    The name of the QoS profile that you have specified with the security services
    qos_profile add command.

log
    Select: NEVER or ALWAYS
    Specifies whether logging is disabled or enabled.

bandwidth_profile
    Type: <profile name>
    The name of the bandwidth profile that you have specified with the security
    bandwidth profile add command.
Command example: See the command example for the security firewall ipv4 add_rule lan_wan
inbound command.
Related show command: show security firewall ipv4 setup lan_wan
security firewall ipv4 add_rule dmz_wan outbound
This command configures a new IPv4 DMZ WAN outbound firewall rule. After you have
issued the security firewall ipv4 add_rule dmz_wan outbound command, you
enter the security-config [firewall-ipv4-dmz-wan-outbound] mode, and then you can configure
one keyword and associated parameter or associated keyword at a time in the order that you
prefer. However, note that the setting of the action keyword determines which other
keywords and parameters you can apply to a rule.
Step 1
Format: security firewall ipv4 add_rule dmz_wan outbound
Mode: security

Step 2
Format:
    service_name {default_services <default service name> |
        custom_services <custom service name>}
    action {ALWAYS_BLOCK | ALWAYS_ALLOW |
        BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} |
        ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
    dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} |
        ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}}
    wan_users {address_wise {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} |
        ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}} |
        group_wise <group name>}
    qos_profile <profile name>
    log {NEVER | ALWAYS}
    {nat_ip type {Auto | WAN1 | WAN2 | WAN3 | WAN4} | nat_ip address <ipaddress>}
Mode: security-config [firewall-ipv4-dmz-wan-outbound]
Keyword (might consist of two separate words), followed by the associated keyword
to select (Select) or the parameter to type (Type), and the description:

Service name, action, and schedule

service_name default_services
    Select: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP,
        DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4,
        ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9,
        ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS,
        NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP,
        RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP,
        SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD,
        IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
    Specifies the default service and protocol to which the firewall rule applies.

service_name custom_services
    Type: <custom service name>
    The custom service that you have configured with the security services add
    command and to which the firewall rule applies.

action
    Select: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or
        ALLOW_BY_SCHEDULE_ELSE_BLOCK
    Specifies the type of action to be enforced by the rule.

schedule
    Select: Schedule1, Schedule2, or Schedule3
    Specifies the schedule, if any, that is applicable to the rule. A schedule is
    required only with the BLOCK_BY_SCHEDULE_ELSE_ALLOW and
    ALLOW_BY_SCHEDULE_ELSE_BLOCK actions.

DMZ user addresses and WAN user addresses

dmz_users
    Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of DMZ address.

dmz_user_start_ip
    Type: <ipaddress>
    There are two options:
    • The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
    • The start IP address if the dmz_users keyword is set to ADDRESS_RANGE.

dmz_user_end_ip
    Type: <ipaddress>
    The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.

wan_users address_wise
    Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of WAN address. The address_wise and group_wise keywords are
    mutually exclusive.

wan_user_start_ip
    Type: <ipaddress>
    There are two options:
    • The IP address if the wan_users address_wise keywords are set to
      SINGLE_ADDRESS.
    • The start IP address if the wan_users address_wise keywords are set to
      ADDRESS_RANGE.

wan_user_end_ip
    Type: <ipaddress>
    The end IP address if the wan_users address_wise keywords are set to
    ADDRESS_RANGE.

wan_users group_wise
    Type: <group name>
    The name of the WAN IP group that you have specified with the security services
    ip_group add command. The address_wise and group_wise keywords are mutually
    exclusive.

QoS profile, logging, and NAT IP address

qos_profile
    Type: <profile name>
    The name of the QoS profile that you have specified with the security services
    qos_profile add command.

log
    Select: NEVER or ALWAYS
    Specifies whether logging is disabled or enabled.

nat_ip type
    Select: Auto, WAN1, WAN2, WAN3, or WAN4
    Specifies the type of NAT IP address for a nonblocking rule:
    • Auto. The source address of the outgoing packets is autodetected through the
      configured routing and load balancing rules.
    • WAN1, WAN2, WAN3, or WAN4. The IP address of the selected WAN interface.
    Note: The nat_ip type and nat_ip address keywords are mutually exclusive.

nat_ip address
    Type: <ipaddress>
    The NAT IP address, if the address is different from the IP address of a WAN
    interface, for example, a secondary WAN IP address.
    Note: The nat_ip type and nat_ip address keywords are mutually exclusive.
Command example:
SRX5308> security firewall ipv4 add_rule dmz_wan outbound
security-config[firewall-ipv4-dmz-wan-outbound]> service_name default_services CU-SEEME:TCP
security-config[firewall-ipv4-dmz-wan-outbound]> action BLOCK_BY_SCHEDULE_ELSE_ALLOW
security-config[firewall-ipv4-dmz-wan-outbound]> schedule Schedule2
security-config[firewall-ipv4-dmz-wan-outbound]> dmz_users ANY
security-config[firewall-ipv4-dmz-wan-outbound]> wan_users address_wise ANY
security-config[firewall-ipv4-dmz-wan-outbound]> qos_profile Video
security-config[firewall-ipv4-dmz-wan-outbound]> log NEVER
security-config[firewall-ipv4-dmz-wan-outbound]> nat_ip type WAN1
security-config[firewall-ipv4-dmz-wan-outbound]> save
Related show command: show security firewall ipv4 setup dmz_wan
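The LAN WAN inbound and DMZ WAN outbound sessions shown above are typed one keyword at a time, and the keyword tables state several constraints that the prompt itself will not remind you of: address_wise and group_wise are mutually exclusive, nat_ip type and nat_ip address are mutually exclusive, a schedule belongs only with the two *_BY_SCHEDULE_* actions, and a translated port must lie in 0 through 65535. The following Python script is an added example and is not NETGEAR code or part of this manual. It builds the full session for either rule kind from a plain dict, refuses the combinations the reference rules out, and lists what a reviewer would question before the rule is saved (for example, the FTP port-forward above is an inbound ALWAYS_ALLOW from any WAN source with log NEVER). Keyword spellings follow the Format blocks; the dict layout, the function names, the default of log ALWAYS, the list of cleartext services, and the refusal of a reversed address range (the reference does not say how the device treats one) are the example's own assumptions.

```python
# Added example, not NETGEAR code: emit the keyword-by-keyword CLI session for a
# LAN WAN inbound or DMZ WAN outbound IPv4 rule from a plain dict, enforce the
# constraints the reference states, and flag rules a reviewer would question.
# Keyword spellings follow the Format blocks; the dict layout, the "log ALWAYS"
# default and the review heuristics are this example's own assumptions.
from ipaddress import IPv4Address

ACTIONS = ("ALWAYS_BLOCK", "ALWAYS_ALLOW",
           "BLOCK_BY_SCHEDULE_ELSE_ALLOW", "ALLOW_BY_SCHEDULE_ELSE_BLOCK")
SCHEDULES = ("Schedule1", "Schedule2", "Schedule3")
NAT_TYPES = ("Auto", "WAN1", "WAN2", "WAN3", "WAN4")
CLEARTEXT = {"TELNET", "FTP", "HTTP", "POP3", "IMAP2", "IMAP3", "TFTP", "RLOGIN",
             "REXEC", "RCMD", "RTELNET", "SNMP:UDP", "SNMP:TCP"}  # example's own list


def ordered_range(start, end):
    """Both ends must be IPv4 and start <= end; the reference does not say what
    the device does with a reversed range, so refuse it before it is typed in."""
    s, e = IPv4Address(start), IPv4Address(end)
    if e < s:
        raise ValueError(f"range end {end} precedes start {start}")
    return str(s), str(e)


def selector(kw, spec, address_wise=True):
    """Lines for lan_users/wan_users/dmz_users. spec holds exactly one of
    {'any': True}, {'single': ip}, {'range': (a, b)}, {'group': name}."""
    if len(spec) != 1:
        raise ValueError(f"{kw}: address_wise and group_wise are mutually exclusive")
    stem = kw.rstrip("s")      # lan_users -> lan_user_start_ip, as in the Format block
    head_kw = f"{kw} address_wise" if address_wise else kw   # dmz_users has no address_wise
    if "any" in spec:
        return [f"{head_kw} ANY"]
    if "single" in spec:
        return [f"{head_kw} SINGLE_ADDRESS", f"{stem}_start_ip {IPv4Address(spec['single'])}"]
    if "range" in spec:
        a, b = ordered_range(*spec["range"])
        return [f"{head_kw} ADDRESS_RANGE", f"{stem}_start_ip {a}", f"{stem}_end_ip {b}"]
    if "group" in spec and address_wise:
        return [f"{kw} group_wise {spec['group']}"]
    raise ValueError(f"{kw}: unsupported selector {spec}")


def action_lines(action, schedule=None):
    """action, plus a schedule exactly when the action is one of the *_BY_SCHEDULE_* pair."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action}")
    scheduled = "BY_SCHEDULE" in action
    if scheduled != (schedule is not None) or (scheduled and schedule not in SCHEDULES):
        raise ValueError("a schedule (Schedule1..3) goes with, and only with, a scheduled action")
    return [f"action {action}"] + ([f"schedule {schedule}"] if scheduled else [])


def head(direction, rule):
    """Step 1 command, service_name and action lines shared by both rule kinds."""
    svc = (f"service_name custom_services {rule['custom_service']}" if "custom_service" in rule
           else f"service_name default_services {rule['service']}")
    return [f"security firewall ipv4 add_rule {direction}", svc] + action_lines(rule["action"], rule.get("schedule"))


def lan_wan_inbound(rule):
    """Session for an inbound (port-forwarding) rule from the WAN to a LAN server."""
    lines, srv = head("lan_wan inbound", rule), rule["server"]   # one address or (start, end)
    if isinstance(srv, (tuple, list)):
        a, b = ordered_range(*srv)
        lines += ["send_to_lan_server ADDRESS_RANGE", f"send_to_lan_server_start_ip {a}",
                  f"send_to_lan_server_end_ip {b}"]
    else:
        lines += ["send_to_lan_server SINGLE_ADDRESS", f"send_to_lan_server_start_ip {IPv4Address(srv)}"]
    port = rule.get("translate_port")
    if port is not None and not 0 <= port <= 65535:
        raise ValueError(f"port {port} is outside 0 through 65535")
    lines += ["translate_to_port_number enable N"] if port is None else \
             ["translate_to_port_number enable Y", f"translate_to_port_number port {port}"]
    dst = rule["wan_destination"]    # a WAN interface name or a public (start, end) range
    if dst in NAT_TYPES[1:]:
        lines.append(f"wan_destination_ip_address {dst}")
    else:
        a, b = ordered_range(*dst)
        lines += ["wan_destination_ip_address RANGE", f"wan_destination_ip_address_start {a}",
                  f"wan_destination_ip_address_end {b}"]
    lines += selector("wan_users", rule.get("wan_users", {"any": True}))
    return lines + [f"log {rule.get('log', 'ALWAYS')}", "save"]


def dmz_wan_outbound(rule):
    """Session for an outbound rule from the DMZ; exactly one nat_ip form is allowed."""
    lines = head("dmz_wan outbound", rule)
    lines += selector("dmz_users", rule.get("dmz_users", {"any": True}), address_wise=False)
    lines += selector("wan_users", rule.get("wan_users", {"any": True}))
    lines.append(f"log {rule.get('log', 'ALWAYS')}")
    nat_type, nat_addr = rule.get("nat_type"), rule.get("nat_address")
    if (nat_type is None) == (nat_addr is None) or (nat_type and nat_type not in NAT_TYPES):
        raise ValueError("give exactly one of nat_ip type (Auto or WAN1..WAN4) and nat_ip address")
    lines.append(f"nat_ip type {nat_type}" if nat_type else f"nat_ip address {IPv4Address(nat_addr)}")
    return lines + ["save"]


def review(rule, inbound):
    """Findings a reviewer would raise (this example's heuristics, not device checks)."""
    findings, allows = [], rule["action"] != "ALWAYS_BLOCK"
    from_any = rule.get("wan_users", {"any": True}) == {"any": True}
    if inbound and allows and from_any and rule.get("log", "ALWAYS") == "NEVER":
        findings.append("inbound allow from any WAN source with logging off")
    if inbound and allows and rule.get("service") in CLEARTEXT:
        findings.append(f"{rule['service']} is a cleartext service exposed to the WAN")
    return findings


def rejects(fn, *args):
    """True if fn raises ValueError, so a caller can probe the constraint checks."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

Feeding the manual's FTP example as `{"service": "FTP", "action": "ALWAYS_ALLOW", "server": "192.168.5.71", "wan_destination": "WAN1", "log": "NEVER"}` to `lan_wan_inbound` yields the same keyword sequence as the session above (with the wan_users selector and an explicit `translate_to_port_number enable N`), and `review` returns two findings for it: the rule admits any WAN source without logging, and FTP carries credentials in cleartext. Pasting the returned lines into the security-config prompt one per line is the intended use; the script itself never talks to the device.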
security firewall ipv4 edit_rule dmz_wan outbound <row id>
This command configures an existing IPv4 DMZ WAN outbound firewall rule. After you have
issued the security firewall ipv4 edit_rule dmz_wan outbound command to
specify the row to be edited (for row information, see the output of the show security firewall
ipv4 setup dmz_wan command), you enter the security-config
[firewall-ipv4-dmz-wan-outbound] mode. You can then edit one keyword and associated
parameter or associated keyword at a time in the order that you prefer. However, note that
the setting of the action keyword determines which other keywords and parameters you
can apply to a rule.
Step 1
Format: security firewall ipv4 edit_rule dmz_wan outbound <row id>
Mode: security

Step 2
Format:
    service_name {default_services <default service name> |
        custom_services <custom service name>}
    action {ALWAYS_BLOCK | ALWAYS_ALLOW |
        BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} |
        ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
    dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} |
        ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}}
    wan_users {address_wise {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} |
        ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}} |
        group_wise <group name>}
    qos_profile <profile name>
    log {NEVER | ALWAYS}
    {nat_ip type {Auto | WAN1 | WAN2 | WAN3 | WAN4} | nat_ip address <ipaddress>}
Mode: security-config [firewall-ipv4-dmz-wan-outbound]
Keyword (might consist of two separate words), followed by the associated keyword
to select (Select) or the parameter to type (Type), and the description:

Service name, action, and schedule

service_name default_services
    Select: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP,
        DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4,
        ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9,
        ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS,
        NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP,
        RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP,
        SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD,
        IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
    Specifies the default service and protocol to which the firewall rule applies.

service_name custom_services
    Type: <custom service name>
    The custom service that you have configured with the security services add
    command and to which the firewall rule applies.

action
    Select: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or
        ALLOW_BY_SCHEDULE_ELSE_BLOCK
    Specifies the type of action to be enforced by the rule.

schedule
    Select: Schedule1, Schedule2, or Schedule3
    Specifies the schedule, if any, that is applicable to the rule. A schedule is
    required only with the BLOCK_BY_SCHEDULE_ELSE_ALLOW and
    ALLOW_BY_SCHEDULE_ELSE_BLOCK actions.

DMZ user addresses and WAN user addresses

dmz_users
    Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of DMZ address.

dmz_user_start_ip
    Type: <ipaddress>
    There are two options:
    • The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
    • The start IP address if the dmz_users keyword is set to ADDRESS_RANGE.

dmz_user_end_ip
    Type: <ipaddress>
    The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.

wan_users address_wise
    Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of WAN address. The address_wise and group_wise keywords are
    mutually exclusive.

wan_user_start_ip
    Type: <ipaddress>
    There are two options:
    • The IP address if the wan_users address_wise keywords are set to
      SINGLE_ADDRESS.
    • The start IP address if the wan_users address_wise keywords are set to
      ADDRESS_RANGE.

wan_user_end_ip
    Type: <ipaddress>
    The end IP address if the wan_users address_wise keywords are set to
    ADDRESS_RANGE.

wan_users group_wise
    Type: <group name>
    The name of the WAN IP group that you have specified with the security services
    ip_group add command. The address_wise and group_wise keywords are mutually
    exclusive.

QoS profile, logging, and NAT IP address

qos_profile
    Type: <profile name>
    The name of the QoS profile that you have specified with the security services
    qos_profile add command.

log
    Select: NEVER or ALWAYS
    Specifies whether logging is disabled or enabled.

nat_ip type
    Select: Auto, WAN1, WAN2, WAN3, or WAN4
    Specifies the type of NAT IP address for a nonblocking rule:
    • Auto. The source address of the outgoing packets is autodetected through the
      configured routing and load balancing rules.
    • WAN1, WAN2, WAN3, or WAN4. The IP address of the selected WAN interface.
    Note: The nat_ip type and nat_ip address keywords are mutually exclusive.

nat_ip address
    Type: <ipaddress>
    The NAT IP address, if the address is different from the IP address of a WAN
    interface, for example, a secondary WAN IP address.
    Note: The nat_ip type and nat_ip address keywords are mutually exclusive.
Command example: See the command example for the security firewall ipv4 add_rule dmz_wan
outbound command.
Related show command: show security firewall ipv4 setup dmz_wan
security firewall ipv4 add_rule dmz_wan inbound
This command configures a new IPv4 DMZ WAN inbound firewall rule. After you have issued
the security firewall ipv4 add_rule dmz_wan inbound command, you enter the
security-config [firewall-ipv4-dmz-wan-inbound] mode, and then you can configure one
keyword and associated parameter or associated keyword at a time in the order that you
prefer. However, note that the setting of the action keyword determines which other
keywords and parameters you can apply to a rule.
Step 1
Format: security firewall ipv4 add_rule dmz_wan inbound
Mode: security

Step 2
Format:
    service_name {default_services <default service name> |
        custom_services <custom service name>}
    action {ALWAYS_BLOCK | ALWAYS_ALLOW |
        BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} |
        ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
    send_to_dmz_server_ip <ipaddress>
    translate_to_port_number enable {N | Y {translate_to_port_number port <number>}}
    {wan_destination_ip_address {WAN1 | WAN2 | WAN3 | WAN4}
        wan_destination_ip_address_start <ipaddress>}
    dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} |
        ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}}
    wan_users {address_wise {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} |
        ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}} |
        group_wise <group name>}
    qos_profile <profile name>
    log {NEVER | ALWAYS}
Mode: security-config [firewall-ipv4-dmz-wan-inbound]
Service name, action, and schedule

service_name default_services
  Select: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
  Description: Specifies the default service and protocol to which the firewall rule applies.
service_name custom_services
  Type: custom service name
  Description: The custom service that you have configured with the security services add command and to which the firewall rule applies.
action
  Select: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
  Description: Specifies the type of action to be enforced by the rule.
schedule
  Select: Schedule1, Schedule2, or Schedule3
  Description: Specifies the schedule, if any, that is applicable to the rule.

DMZ server address, port number translation, and WAN destination address

send_to_dmz_server_ip
  Type: ipaddress
  Description: The IP address of the DMZ server.
translate_to_port_number enable
  Select: Y or N
  Description: Enables or disables port forwarding.
translate_to_port_number port
  Type: number
  Description: The port number (integer) if port forwarding is enabled. Valid numbers are 0 through 65535.
wan_destination_ip_address
  Select: WAN1, WAN2, WAN3, or WAN4
  Description: Specifies the IP address of the selected WAN interface as the destination address.
  Note: The wan_destination_ip_address and wan_destination_ip_address_start keywords are mutually exclusive.
wan_destination_ip_address_start
  Type: ipaddress
  Description: The WAN IP address, if the destination address is different from the IP address of a WAN interface, for example, a secondary WAN IP address.
  Note: The wan_destination_ip_address and wan_destination_ip_address_start keywords are mutually exclusive.

DMZ user addresses and WAN user addresses

dmz_users
  Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  Description: Specifies the type of DMZ address. For an inbound rule, this option is available only when the WAN mode is Classical Routing.
dmz_user_start_ip
  Type: ipaddress
  Description: There are two options:
  • The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
  • The start IP address if the dmz_users keyword is set to ADDRESS_RANGE.
dmz_user_end_ip
  Type: ipaddress
  Description: The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.
wan_users address_wise
  Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  Description: Specifies the type of WAN address. The address_wise and group_wise keywords are mutually exclusive.
wan_user_start_ip
  Type: ipaddress
  Description: There are two options:
  • The IP address if the wan_users address_wise keywords are set to SINGLE_ADDRESS.
  • The start IP address if the wan_users address_wise keywords are set to ADDRESS_RANGE.
wan_user_end_ip
  Type: ipaddress
  Description: The end IP address if the wan_users address_wise keywords are set to ADDRESS_RANGE.
wan_users group_wise
  Type: group name
  Description: The name of the WAN IP group. The WAN IP group name is a name that you have specified with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.

QoS profile and logging

qos_profile
  Type: profile name
  Description: The name of the QoS profile that you have specified with the security services qos_profile add command.
log
  Select: NEVER or ALWAYS
  Description: Specifies whether logging is disabled or enabled.
Command example:
SRX5308> security firewall ipv4 add_rule dmz_wan inbound
security-config[firewall-ipv4-dmz-wan-inbound]> service_name custom_services BOOTP_CLIENT
security-config[firewall-ipv4-dmz-wan-inbound]> action ALWAYS_ALLOW
security-config[firewall-ipv4-dmz-wan-inbound]> send_to_dmz_server_ip 192.168.24.112
security-config[firewall-ipv4-dmz-wan-inbound]> translate_to_port_number enable Y
security-config[firewall-ipv4-dmz-wan-inbound]> translate_to_port_number port 6700
security-config[firewall-ipv4-dmz-wan-inbound]> wan_destination_ip_address_start 10.168.50.1
security-config[firewall-ipv4-dmz-wan-inbound]> wan_users Single_Address
security-config[firewall-ipv4-dmz-wan-inbound]> wan_user_start_ip 10.132.215.4
security-config[firewall-ipv4-dmz-wan-inbound]> log Always
security-config[firewall-ipv4-dmz-wan-inbound]> save
Related show command: show security firewall ipv4 setup dmz_wan
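The keyword constraints the table above states (exactly one service keyword, a schedule only with a schedule-based action, the 0 through 65535 port range, the mutually exclusive destination and wan_users keywords, and the address-type parameters) can be checked before a rule is committed with save. The following checker is an added example, not NETGEAR's code; its rule dictionaries are constructed, and it assumes that a rule with no wan_users keyword is not restricted by source.

```python
"""Consistency checker for 'security firewall ipv4 add_rule dmz_wan inbound' rules.
Added example, not NETGEAR code: it encodes the keyword constraints the reference
table states, then reviews what a consistent allow rule exposes to the WAN."""
import ipaddress

ACTIONS = {"ALWAYS_BLOCK", "ALWAYS_ALLOW", "BLOCK_BY_SCHEDULE_ELSE_ALLOW", "ALLOW_BY_SCHEDULE_ELSE_BLOCK"}
ADDRESS_TYPES = {"ANY", "SINGLE_ADDRESS", "ADDRESS_RANGE"}


def _ip(rule, key, errors):
    """Return rule[key] as an IPv4Address; record a missing or malformed value instead."""
    try:
        return ipaddress.IPv4Address(rule[key])
    except KeyError:
        errors.append(f"{key} is required here")
    except ValueError:
        errors.append(f"{key}: {rule[key]!r} is not an IPv4 address")
    return None


def _check_addresses(rule, prefix, type_key, errors):
    """SINGLE_ADDRESS needs <prefix>_start_ip; ADDRESS_RANGE needs start and end, start <= end."""
    kind = rule[type_key].upper()
    if kind not in ADDRESS_TYPES:
        errors.append(f"{type_key} must be ANY, SINGLE_ADDRESS or ADDRESS_RANGE")
    elif kind != "ANY":
        start = _ip(rule, f"{prefix}_start_ip", errors)
        if kind == "ADDRESS_RANGE":
            end = _ip(rule, f"{prefix}_end_ip", errors)
            if start is not None and end is not None and start > end:
                errors.append(f"{prefix}_start_ip {start} is after {prefix}_end_ip {end}")


def validate_dmz_wan_inbound(rule, wan_mode="Classical Routing"):
    """Return the table constraints the rule violates (empty list: consistent). Keys are the
    table's keywords; two-word keywords are joined with a space."""
    errors = []
    if ("service_name default_services" in rule) == ("service_name custom_services" in rule):
        errors.append("exactly one of service_name default_services / custom_services is required")
    action, schedule = rule.get("action", "").upper(), rule.get("schedule", "").upper()
    if action not in ACTIONS:
        errors.append("action must be one of " + ", ".join(sorted(ACTIONS)))
    if ("SCHEDULE" in action) != (schedule in {"SCHEDULE1", "SCHEDULE2", "SCHEDULE3"}):
        errors.append("schedule Schedule1/2/3 is required with, and only with, a *_BY_SCHEDULE_* action")
    _ip(rule, "send_to_dmz_server_ip", errors)
    port = rule.get("translate_to_port_number port")
    if rule.get("translate_to_port_number enable", "N").upper() == "Y":
        if port is None or not port.isdigit() or int(port) > 65535:
            errors.append("translate_to_port_number port must be 0 through 65535 when enable is Y")
    elif port is not None:
        errors.append("translate_to_port_number port is only valid when enable is Y")
    if "wan_destination_ip_address" in rule and "wan_destination_ip_address_start" in rule:
        errors.append("wan_destination_ip_address and wan_destination_ip_address_start are mutually exclusive")
    if "wan_destination_ip_address_start" in rule:
        _ip(rule, "wan_destination_ip_address_start", errors)
    if "dmz_users" in rule:  # the table limits this keyword to Classical Routing for inbound rules
        if wan_mode != "Classical Routing":
            errors.append("dmz_users is available only when the WAN mode is Classical Routing")
        _check_addresses(rule, "dmz_user", "dmz_users", errors)
    if "wan_users address_wise" in rule and "wan_users group_wise" in rule:
        errors.append("wan_users address_wise and wan_users group_wise are mutually exclusive")
    if "wan_users address_wise" in rule:
        _check_addresses(rule, "wan_user", "wan_users address_wise", errors)
    if rule.get("log", "NEVER").upper() not in {"NEVER", "ALWAYS"}:
        errors.append("log must be NEVER or ALWAYS")
    return errors


def exposure_warnings(rule):
    """Defender's review of a consistent rule: what an allow rule opens to the WAN.
    Assumed: a rule with no wan_users keyword is not restricted by source."""
    if rule.get("action", "").upper() not in {"ALWAYS_ALLOW", "ALLOW_BY_SCHEDULE_ELSE_BLOCK"}:
        return []
    warnings = []
    if rule.get("service_name default_services", "").upper() == "ANY":
        warnings.append("every service and protocol is forwarded to the DMZ server; name one service")
    if "wan_users group_wise" not in rule and rule.get("wan_users address_wise", "ANY").upper() == "ANY":
        warnings.append("any WAN source may reach the DMZ server; restrict wan_users where possible")
    if rule.get("log", "NEVER").upper() != "ALWAYS":
        warnings.append("an inbound allow rule without log ALWAYS leaves no record of WAN access")
    return warnings


# Constructed rules, not from the page: GOOD_RULE follows the table, BROKEN_RULE breaks four constraints.
GOOD_RULE = {
    "service_name default_services": "HTTPS", "action": "ALWAYS_ALLOW",
    "send_to_dmz_server_ip": "192.168.24.112", "wan_destination_ip_address": "WAN1",
    "translate_to_port_number enable": "Y", "translate_to_port_number port": "8443",
    "wan_users address_wise": "ADDRESS_RANGE",
    "wan_user_start_ip": "10.132.215.1", "wan_user_end_ip": "10.132.215.254", "log": "Always",
}
BROKEN_RULE = {
    "service_name default_services": "ANY", "send_to_dmz_server_ip": "192.168.24.112",
    "action": "ALLOW_BY_SCHEDULE_ELSE_BLOCK",  # schedule keyword missing
    "translate_to_port_number enable": "Y", "translate_to_port_number port": "70000",  # above 65535
    "wan_destination_ip_address": "WAN2", "wan_destination_ip_address_start": "10.168.50.1",  # exclusive
    "wan_users address_wise": "ADDRESS_RANGE", "log": "Never",
    "wan_user_start_ip": "10.132.215.200", "wan_user_end_ip": "10.132.215.4",  # reversed range
}
```

Running validate_dmz_wan_inbound on BROKEN_RULE returns four messages (missing schedule, port out of range, the two destination keywords together, reversed range) and exposure_warnings flags the ANY service and the disabled logging.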
security firewall ipv4 edit_rule dmz_wan inbound <row id>
This command configures an existing IPv4 DMZ WAN inbound firewall rule. After you have
issued the security firewall ipv4 edit_rule dmz_wan inbound command to
specify the row to be edited (for row information, see the output of the show security firewall
ipv4 setup dmz_wan command), you enter the security-config [firewall-ipv4-dmz-wan-inbound]
mode. You can then edit one keyword and associated parameter or associated keyword at a
time in the order that you prefer. However, note that the setting of the action keyword
determines which other keywords and parameters you can apply to a rule.
Step 1
Format: security firewall ipv4 edit_rule dmz_wan inbound <row id>
Mode: security
Step 2
Format:
service_name {default_services <default service name> | custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
send_to_dmz_server_ip <ipaddress>
translate_to_port_number enable {N | Y {translate_to_port_number port <number>}}
{wan_destination_ip_address {WAN1 | WAN2 | WAN3 | WAN4} | wan_destination_ip_address_start <ipaddress>}
dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} | ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}}
wan_users {address_wise {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} | ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}} | group_wise <group name>}
log {NEVER | ALWAYS}
Mode: security-config [firewall-ipv4-dmz-wan-inbound]
Service name, action, and schedule

service_name default_services
  Select: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
  Description: Specifies the default service and protocol to which the firewall rule applies.
service_name custom_services
  Type: custom service name
  Description: The custom service that you have configured with the security services add command and to which the firewall rule applies.
action
  Select: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
  Description: Specifies the type of action to be enforced by the rule.
schedule
  Select: Schedule1, Schedule2, or Schedule3
  Description: Specifies the schedule, if any, that is applicable to the rule.

DMZ server address, port number translation, and WAN destination address

send_to_dmz_server_ip
  Type: ipaddress
  Description: The IP address of the DMZ server.
translate_to_port_number enable
  Select: Y or N
  Description: Enables or disables port forwarding.
translate_to_port_number port
  Type: number
  Description: The port number (integer) if port forwarding is enabled. Valid numbers are 0 through 65535.
wan_destination_ip_address
  Select: WAN1, WAN2, WAN3, or WAN4
  Description: Specifies the IP address of the selected WAN interface as the destination address.
  Note: The wan_destination_ip_address and wan_destination_ip_address_start keywords are mutually exclusive.
wan_destination_ip_address_start
  Type: ipaddress
  Description: The WAN IP address, if the destination address is different from the IP address of a WAN interface, for example, a secondary WAN IP address.
  Note: The wan_destination_ip_address and wan_destination_ip_address_start keywords are mutually exclusive.

DMZ user addresses and WAN user addresses

dmz_users
  Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  Description: Specifies the type of DMZ address. For an inbound rule, this option is available only when the WAN mode is Classical Routing.
dmz_user_start_ip
  Type: ipaddress
  Description: There are two options:
  • The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
  • The start IP address if the dmz_users keyword is set to ADDRESS_RANGE.
dmz_user_end_ip
  Type: ipaddress
  Description: The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.
wan_users address_wise
  Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  Description: Specifies the type of WAN address. The address_wise and group_wise keywords are mutually exclusive.
wan_user_start_ip
  Type: ipaddress
  Description: There are two options:
  • The IP address if the wan_users address_wise keywords are set to SINGLE_ADDRESS.
  • The start IP address if the wan_users address_wise keywords are set to ADDRESS_RANGE.
wan_user_end_ip
  Type: ipaddress
  Description: The end IP address if the wan_users address_wise keywords are set to ADDRESS_RANGE.
wan_users group_wise
  Type: group name
  Description: The name of the WAN IP group. The WAN IP group name is a name that you have specified with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.

QoS profile and logging

qos_profile
  Type: profile name
  Description: The name of the QoS profile that you have specified with the security services qos_profile add command.
log
  Select: NEVER or ALWAYS
  Description: Specifies whether logging is disabled or enabled.
Command example: See the command example for the security firewall ipv4 add_rule dmz_wan
inbound command.
Related show command: show security firewall ipv4 setup dmz_wan
security firewall ipv4 add_rule lan_dmz outbound
This command configures a new IPv4 LAN DMZ outbound firewall rule. After you have issued
the security firewall ipv4 add_rule lan_dmz outbound command, you enter
the security-config [firewall-ipv4-lan-dmz-outbound] mode, and then you can configure one
keyword and associated parameter or associated keyword at a time in the order that you
prefer. However, note that the setting of the action keyword determines which other
keywords and parameters you can apply to a rule.
Step 1
Format: security firewall ipv4 add_rule lan_dmz outbound
Mode: security
Step 2
Format:
service_name {default_services <default service name> | custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} | group_wise <group name>}
dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} | ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}}
log {NEVER | ALWAYS}
Mode: security-config [firewall-ipv4-lan-dmz-outbound]
Service name, action, and schedule

service_name default_services
  Select: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
  Description: Specifies the default service and protocol to which the firewall rule applies.
service_name custom_services
  Type: custom service name
  Description: The custom service that you have configured with the security services add command and to which the firewall rule applies.
action
  Select: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
  Description: Specifies the type of action to be enforced by the rule.
schedule
  Select: Schedule1, Schedule2, or Schedule3
  Description: Specifies the schedule, if any, that is applicable to the rule.

LAN user addresses or LAN group and DMZ user addresses

lan_users address_wise
  Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  Description: Specifies the type of LAN address. The address_wise and group_wise keywords are mutually exclusive.
lan_user_start_ip
  Type: ipaddress
  Description: There are two options:
  • The IP address if the lan_users address_wise keywords are set to SINGLE_ADDRESS.
  • The start IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.
lan_user_end_ip
  Type: ipaddress
  Description: The end IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.
lan_users group_wise
  Type: group name
  Description: The name of the LAN group or LAN IP group. The LAN group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you have specified with the net lan lan_groups edit <row id> <new group name> command. The LAN IP group name is a name that you have specified with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.
dmz_users
  Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  Description: Specifies the type of DMZ address.
dmz_user_start_ip
  Type: ipaddress
  Description: There are two options:
  • The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
  • The start IP address if the dmz_users keyword is set to ADDRESS_RANGE.
dmz_user_end_ip
  Type: ipaddress
  Description: The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.

Logging

log
  Select: NEVER or ALWAYS
  Description: Specifies whether logging is disabled or enabled.
Command example:
SRX5308> security firewall ipv4 add_rule lan_dmz outbound
security-config[firewall-ipv4-lan-dmz-outbound]> service_name default_services FTP
security-config[firewall-ipv4-lan-dmz-outbound]> action ALWAYS_ALLOW
security-config[firewall-ipv4-lan-dmz-outbound]> lan_users group_wise GROUP4
security-config[firewall-ipv4-lan-dmz-outbound]> dmz_users ADDRESS_RANGE
security-config[firewall-ipv4-lan-dmz-outbound]> dmz_user_start_ip 176.14.2.30
security-config[firewall-ipv4-lan-dmz-outbound]> dmz_user_end_ip 176.14.2.79
security-config[firewall-ipv4-lan-dmz-outbound]> log Never
security-config[firewall-ipv4-lan-dmz-outbound]> save
Related show command: show security firewall ipv4 setup lan_dmz
security firewall ipv4 edit_rule lan_dmz outbound <row id>
This command configures an existing IPv4 LAN DMZ outbound firewall rule. After you have
issued the security firewall ipv4 edit_rule lan_dmz outbound command to
specify the row to be edited (for row information, see the output of the show security firewall
ipv4 setup lan_dmz command), you enter the security-config [firewall-ipv4-lan-dmz-outbound]
mode. You can then edit one keyword and associated parameter or associated keyword at a
time in the order that you prefer. However, note that the setting of the action keyword
determines which other keywords and parameters you can apply to a rule.
Step 1
Format: security firewall ipv4 edit_rule lan_dmz outbound <row id>
Mode: security
Step 2
Format:
service_name {default_services <default service name> | custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} | group_wise <group name>}
dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} | ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}}
log {NEVER | ALWAYS}
Mode: security-config [firewall-ipv4-lan-dmz-outbound]
Service name, action, and schedule

service_name default_services
  Select: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
  Description: Specifies the default service and protocol to which the firewall rule applies.
service_name custom_services
  Type: custom service name
  Description: The custom service that you have configured with the security services add command and to which the firewall rule applies.
action
  Select: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
  Description: Specifies the type of action to be enforced by the rule.
schedule
  Select: Schedule1, Schedule2, or Schedule3
  Description: Specifies the schedule, if any, that is applicable to the rule.

LAN user addresses or LAN group and DMZ user addresses

lan_users address_wise
  Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  Description: Specifies the type of LAN address. The address_wise and group_wise keywords are mutually exclusive.
lan_user_start_ip
  Type: ipaddress
  Description: There are two options:
  • The IP address if the lan_users address_wise keywords are set to SINGLE_ADDRESS.
  • The start IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.
lan_user_end_ip
  Type: ipaddress
  Description: The end IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.
lan_users group_wise
  Type: group name
  Description: The name of the LAN group or LAN IP group. The LAN group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you have specified with the net lan lan_groups edit <row id> <new group name> command. The LAN IP group name is a name that you have specified with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.
dmz_users
  Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  Description: Specifies the type of DMZ address.
dmz_user_start_ip
  Type: ipaddress
  Description: There are two options:
  • The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
  • The start IP address if the dmz_users keyword is set to ADDRESS_RANGE.
dmz_user_end_ip
  Type: ipaddress
  Description: The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.

Logging

log
  Select: NEVER or ALWAYS
  Description: Specifies whether logging is disabled or enabled.
Command example: See the command example for the security firewall ipv4 add_rule lan_dmz
outbound command.
Related show command: show security firewall ipv4 setup lan_dmz
security firewall ipv4 add_rule lan_dmz inbound
This command configures a new IPv4 LAN DMZ inbound firewall rule. After you have issued
the security firewall ipv4 add_rule lan_dmz inbound command, you enter the
security-config [firewall-ipv4-lan-dmz-inbound] mode, and then you can configure one
keyword and associated parameter or associated keyword at a time in the order that you
prefer. However, note that the setting of the action keyword determines which other
keywords and parameters you can apply to a rule.
Step 1
Format: security firewall ipv4 add_rule lan_dmz inbound
Mode: security
Step 2
Format:
service_name {default_services <default service name> | custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} | group_wise <group name>}
dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} | ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}}
log {NEVER | ALWAYS}
Mode: security-config [firewall-ipv4-lan-dmz-inbound]
Service name, action, and schedule

service_name default_services
  Select: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
  Description: Specifies the default service and protocol to which the firewall rule applies.
service_name custom_services
  Type: custom service name
  Description: Specifies the custom service that you have configured with the security services add command and to which the firewall rule applies.
action
  Select: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
  Description: Specifies the type of action to be enforced by the rule.
schedule
  Select: Schedule1, Schedule2, or Schedule3
  Description: Specifies the schedule, if any, that is applicable to the rule.

LAN user addresses or LAN group and DMZ user addresses

lan_users address_wise
  Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  Description: Specifies the type of LAN address. The address_wise and group_wise keywords are mutually exclusive.
lan_user_start_ip
  Type: ipaddress
  Description: There are two options:
  • The IP address if the lan_users address_wise keywords are set to SINGLE_ADDRESS.
  • The start IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.
lan_user_end_ip
  Type: ipaddress
  Description: The end IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.
lan_users group_wise
  Type: group name
  Description: The name of the LAN group or LAN IP group. The LAN group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you have specified with the net lan lan_groups edit <row id> <new group name> command. The LAN IP group name is a name that you have specified with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.
dmz_users
  Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  Description: Specifies the type of DMZ address.
dmz_user_start_ip
  Type: ipaddress
  Description: There are two options:
  • The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
  • The start IP address if the dmz_users keyword is set to ADDRESS_RANGE.
dmz_user_end_ip
  Type: ipaddress
  Description: The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.

Logging

log
  Select: NEVER or ALWAYS
  Description: Specifies whether logging is disabled or enabled.
Command example:
SRX5308> security firewall ipv4 add_rule lan_dmz inbound
security-config[firewall-ipv4-lan-dmz-inbound]> service_name default_services SSH:UDP
security-config[firewall-ipv4-lan-dmz-inbound]> action BLOCK_BY_SCHEDULE_ELSE_ALLOW
security-config[firewall-ipv4-lan-dmz-inbound]> schedule Schedule1
security-config[firewall-ipv4-lan-dmz-inbound]> lan_users address_wise SINGLE_ADDRESS
security-config[firewall-ipv4-lan-dmz-inbound]> lan_user_start_ip 192.168.5.108
security-config[firewall-ipv4-lan-dmz-inbound]> dmz_users SINGLE_ADDRESS
security-config[firewall-ipv4-lan-dmz-inbound]> dmz_user_start_ip 176.16.2.101
security-config[firewall-ipv4-lan-dmz-inbound]> log Always
security-config[firewall-ipv4-lan-dmz-inbound]> save
Related show command: show security firewall ipv4 setup lan_dmz
security firewall ipv4 edit_rule lan_dmz inbound <row id>
This command configures an existing IPv4 LAN DMZ inbound firewall rule. After you have
issued the security firewall ipv4 edit_rule lan_dmz inbound command to
specify the row to be edited (for row information, see the output of the show security firewall
ipv4 setup lan_dmz command), you enter the security-config [firewall-ipv4-lan-dmz-inbound]
mode. You can then edit one keyword and associated parameter or associated keyword at a
time in the order that you prefer. However, note that the setting of the action keyword
determines which other keywords and parameters you can apply to a rule.
Step 1
Format: security firewall ipv4 edit_rule lan_dmz inbound <row id>
Mode: security
Step 2
Format:
service_name {default_services <default service name> | custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}}
lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} | group_wise <group name>}
dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} | ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}}
log {NEVER | ALWAYS}
Mode: security-config [firewall-ipv4-lan-dmz-inbound]
Service name, action, and schedule

service_name default_services
  Select: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
  Description: Specifies the default service and protocol to which the firewall rule applies.
service_name custom_services
  Type: custom service name
  Description: The custom service that you have configured with the security services add command and to which the firewall rule applies.
action
  Select: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
  Description: Specifies the type of action to be enforced by the rule.
schedule
  Select: Schedule1, Schedule2, or Schedule3
  Description: Specifies the schedule, if any, that is applicable to the rule.

LAN user addresses or LAN group and DMZ user addresses

lan_users address_wise
  Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  Description: Specifies the type of LAN address. The address_wise and group_wise keywords are mutually exclusive.
lan_user_start_ip
  Type: ipaddress
  Description: There are two options:
  • The IP address if the lan_users address_wise keywords are set to SINGLE_ADDRESS.
  • The start IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.
lan_user_end_ip
  Type: ipaddress
  Description: The end IP address if the lan_users address_wise keywords are set to ADDRESS_RANGE.
lan_users group_wise
  Type: group name
  Description: The name of the LAN group or LAN IP group. The LAN group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you have specified with the net lan lan_groups edit <row id> <new group name> command. The LAN IP group name is a name that you have specified with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.
dmz_users
  Select: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
  Description: Specifies the type of DMZ address.
dmz_user_start_ip
  Type: ipaddress
  Description: There are two options:
  • The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
  • The start IP address if the dmz_users keyword is set to ADDRESS_RANGE.
dmz_user_end_ip
  Type: ipaddress
  Description: The end IP address if the dmz_users keyword is set to ADDRESS_RANGE.

Logging

log
  Select: NEVER or ALWAYS
  Description: Specifies whether logging is disabled or enabled.
Command example: See the command example for the security firewall ipv4 add_rule lan_dmz
inbound command.
Related show command: show security firewall ipv4 setup lan_dmz
IPv4 General Firewall Commands
security firewall ipv4 default_outbound_policy {Allow | Block}
This command allows or blocks the IPv4 firewall default outbound policy.
Format: security firewall ipv4 default_outbound_policy {Allow | Block}
Mode: security
Related show command: show security firewall ipv4 setup lan_wan, show security firewall ipv4 setup
dmz_wan, and show security firewall ipv4 setup lan_dmz
security firewall ipv4 delete <row id>
This command deletes an IPv4 firewall rule by specifying its row ID.
Format: security firewall ipv4 delete <row id>
Mode: security
Related show command: show security firewall ipv4 setup lan_wan, show security firewall ipv4 setup
dmz_wan, and show security firewall ipv4 setup lan_dmz
security firewall ipv4 disable <row id>
This command disables an IPv4 firewall rule by specifying its row ID.
Format: security firewall ipv4 disable <row id>
Mode: security
Related show command: show security firewall ipv4 setup lan_wan, show security firewall ipv4 setup
dmz_wan, and show security firewall ipv4 setup lan_dmz
security firewall ipv4 enable <row id>
This command enables an IPv4 firewall rule by specifying its row ID.
Format
security firewall ipv4 enable <row id>
Mode
security
Related show command: show security firewall ipv4 setup lan_wan, show security firewall ipv4 setup
dmz_wan, and show security firewall ipv4 setup lan_dmz
IPv6 Firewall Commands
security firewall ipv6 default_outbound_policy {Allow | Block}
This command sets the IPv6 firewall default outbound policy to allow or to block traffic.
Format
security firewall ipv6 default_outbound_policy {Allow | Block}
Mode
security
Related show command: show security firewall ipv6 setup
security firewall ipv6 configure
This command configures a new IPv6 firewall rule. After you have issued the security
firewall ipv6 configure command, you enter the security-config [firewall-ipv6] mode,
and then you can configure one keyword and associated parameter or associated keyword at
a time in the order that you prefer. However, note that the setting of the action keyword
determines which other keywords and parameters you can apply to a rule.
Step 1
Format
security firewall ipv6 configure
Mode
security
Step 2
Format
from_zone {LAN | WAN | DMZ}
to_zone {LAN | WAN | DMZ}
service_name {default_services <default service name> |
custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW |
BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 |
Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK
{schedule {Schedule1 | Schedule2 | Schedule3}}}
source_address_type {ANY | SINGLE_ADDRESS {source_start_address
<ipv6-address>} | ADDRESS_RANGE {source_start_address
<ipv6-address>} {source_end_address <ipv6-address>}}
destination_address_type {ANY | SINGLE_ADDRESS
{destination_start_address <ipv6-address>} | ADDRESS_RANGE
{destination_start_address <ipv6-address>}
{destination_end_address <ipv6-address>}}
qos_priority {Normal-Service | Minimize-Cost |
Maximize-Reliability | Maximize-Throughput | Minimize-Delay}
log {NEVER | ALWAYS}
Mode
security-config [firewall-ipv6]
Keyword (might consist of two separate words) / Associated Keyword to Select or Parameter to Type / Description
Direction of service, service name, action, and schedule
from_zone: LAN, WAN, or DMZ
    Specifies the outbound direction:
    • LAN. From the LAN.
    • WAN. From the WAN.
    • DMZ. From the DMZ.
to_zone: LAN, WAN, or DMZ
    Specifies the inbound direction:
    • LAN. To the LAN.
    • WAN. To the WAN.
    • DMZ. To the DMZ.
service_name default_services: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
    Specifies the default service and protocol to which the firewall rule applies.
service_name custom_services: custom service name
    The custom service that you have configured with the security services add command and to which the firewall rule applies.
action: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
    Specifies the type of action to be taken by the rule.
schedule: Schedule1, Schedule2, or Schedule3
    Specifies the schedule, if any, that is applicable to the rule.
LAN, WAN, and DMZ source and destination IP addresses
source_address_type: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of source address.
source_start_address: ipv6-address
    There are two options:
    • The IPv6 address if the source_address_type keyword is set to SINGLE_ADDRESS.
    • The start IPv6 address if the source_address_type keyword is set to ADDRESS_RANGE.
source_end_address: ipv6-address
    The end IPv6 address if the source_address_type keyword is set to ADDRESS_RANGE.
destination_address_type: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of destination address.
destination_start_address: ipv6-address
    There are two options:
    • The IPv6 address if the destination_address_type keyword is set to SINGLE_ADDRESS.
    • The start IPv6 address if the destination_address_type keyword is set to ADDRESS_RANGE.
destination_end_address: ipv6-address
    The end IPv6 address if the destination_address_type keyword is set to ADDRESS_RANGE.
QoS priority and logging
qos_priority: Normal-Service, Minimize-Cost, Maximize-Reliability, Maximize-Throughput, or Minimize-Delay
    Specifies the type of QoS that applies to the rule. You can apply QoS to LAN WAN and DMZ WAN outbound rules only.
log: NEVER or ALWAYS
    Specifies whether logging is disabled or enabled.
Command example:
SRX5308> security firewall ipv6 configure
security-config[firewall-ipv6]> from_zone WAN
security-config[firewall-ipv6]> to_zone LAN
security-config[firewall-ipv6]> service_name default_services RTELNET
security-config[firewall-ipv6]> action ALWAYS_ALLOW
security-config[firewall-ipv6]> source_address_type SINGLE_ADDRESS
security-config[firewall-ipv6]> source_start_address 2002::B32:AAB1:fD41
security-config[firewall-ipv6]> destination_address_type SINGLE_ADDRESS
security-config[firewall-ipv6]> destination_start_address FEC0::db8:145
security-config[firewall-ipv6]> log ALWAYS
security-config[firewall-ipv6]> save
Related show command: show security firewall ipv6 setup
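The keyword dependencies in the table above (the action keyword decides whether schedule applies, the address-type keywords decide which start/end addresses are required, and qos_priority is limited to LAN WAN and DMZ WAN outbound rules), checked in code. This is an added Python example, not NETGEAR's code and not something the device runs: it only validates a rule and emits the keyword lines shown in the command example; emitting schedule as its own keyword line after action is an assumption, and the IPv6 parsing comes from Python's ipaddress module.

```python
"""Checks and emits the keyword sequence for the SRX5308 security-config
[firewall-ipv6] mode. Added example, not NETGEAR code: it only builds the
CLI lines documented above and never talks to a device."""
from typing import Dict, List
import ipaddress

ZONES = {"LAN", "WAN", "DMZ"}
ACTIONS = {"ALWAYS_BLOCK", "ALWAYS_ALLOW",
           "BLOCK_BY_SCHEDULE_ELSE_ALLOW", "ALLOW_BY_SCHEDULE_ELSE_BLOCK"}
SCHEDULES = {"Schedule1", "Schedule2", "Schedule3"}
ADDR_TYPES = {"ANY", "SINGLE_ADDRESS", "ADDRESS_RANGE"}
QOS = {"Normal-Service", "Minimize-Cost", "Maximize-Reliability",
       "Maximize-Throughput", "Minimize-Delay"}
# The manual allows qos_priority on LAN WAN and DMZ WAN outbound rules only.
QOS_ZONE_PAIRS = {("LAN", "WAN"), ("DMZ", "WAN")}
# Keyword order used when emitting; the device accepts any order.
KEYWORDS = ["from_zone", "to_zone", "service_name", "action", "schedule",
            "source_address_type", "source_start_address", "source_end_address",
            "destination_address_type", "destination_start_address",
            "destination_end_address", "qos_priority", "log"]


def _check_addresses(rule: Dict[str, str], prefix: str, errors: List[str]) -> None:
    """The start address is required for SINGLE_ADDRESS and ADDRESS_RANGE,
    the end address only for ADDRESS_RANGE; both must parse as IPv6."""
    atype = rule.get(f"{prefix}_address_type", "ANY")
    start, end = rule.get(f"{prefix}_start_address"), rule.get(f"{prefix}_end_address")
    if atype not in ADDR_TYPES:
        errors.append(f"{prefix}_address_type must be one of {sorted(ADDR_TYPES)}")
        return
    if (atype != "ANY") != (start is not None):
        errors.append(f"{prefix}_start_address does not match {prefix}_address_type {atype}")
    if (atype == "ADDRESS_RANGE") != (end is not None):
        errors.append(f"{prefix}_end_address does not match {prefix}_address_type {atype}")
    parsed = []
    for name in (f"{prefix}_start_address", f"{prefix}_end_address"):
        if name in rule:
            try:
                parsed.append(ipaddress.IPv6Address(rule[name]))
            except ValueError:
                errors.append(f"{name} is not a valid IPv6 address: {rule[name]!r}")
    if len(parsed) == 2 and parsed[1] < parsed[0]:
        errors.append(f"{prefix} range ends before it starts")


def validate(rule: Dict[str, str]) -> List[str]:
    """Return the problems found (empty when the rule is consistent with the table)."""
    errors: List[str] = []
    if rule.get("from_zone") not in ZONES or rule.get("to_zone") not in ZONES:
        errors.append("from_zone and to_zone must each be LAN, WAN, or DMZ")
    if not str(rule.get("service_name", "")).startswith(("default_services ", "custom_services ")):
        errors.append("service_name needs default_services <name> or custom_services <name>")
    action = rule.get("action", "")
    if action not in ACTIONS:
        errors.append(f"action must be one of {sorted(ACTIONS)}")
    # The action keyword decides whether a schedule is required or not applicable.
    if "BY_SCHEDULE" in action and rule.get("schedule") not in SCHEDULES:
        errors.append(f"{action} requires schedule Schedule1, Schedule2, or Schedule3")
    if "BY_SCHEDULE" not in action and "schedule" in rule:
        errors.append(f"schedule is not applicable to {action}")
    _check_addresses(rule, "source", errors)
    _check_addresses(rule, "destination", errors)
    if "qos_priority" in rule:
        if rule["qos_priority"] not in QOS:
            errors.append(f"qos_priority must be one of {sorted(QOS)}")
        if (rule.get("from_zone"), rule.get("to_zone")) not in QOS_ZONE_PAIRS:
            errors.append("qos_priority applies to LAN WAN and DMZ WAN outbound rules only")
    if rule.get("log", "NEVER") not in ("NEVER", "ALWAYS"):
        errors.append("log must be NEVER or ALWAYS")
    return errors


def cli_lines(rule: Dict[str, str]) -> List[str]:
    """Lines typed at the security prompt to create the rule, ending with save."""
    errors = validate(rule)
    if errors:
        raise ValueError("; ".join(errors))
    lines = ["security firewall ipv6 configure"]
    lines += [f"{kw} {rule[kw]}" for kw in KEYWORDS if kw in rule]
    return lines + ["save"]


# Constructed sample: the WAN-to-LAN RTELNET rule from the command example above.
EXAMPLE_RULE = {
    "from_zone": "WAN", "to_zone": "LAN",
    "service_name": "default_services RTELNET", "action": "ALWAYS_ALLOW",
    "source_address_type": "SINGLE_ADDRESS", "source_start_address": "2002::B32:AAB1:fD41",
    "destination_address_type": "SINGLE_ADDRESS", "destination_start_address": "FEC0::db8:145",
    "log": "ALWAYS"}

if __name__ == "__main__":
    print("\n".join(cli_lines(EXAMPLE_RULE)))
```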
security firewall ipv6 edit <row id>
This command configures an existing IPv6 firewall rule. After you have issued the security
firewall ipv6 edit command to specify the row to be edited (for row information, see
the output of the show security firewall ipv6 setup command), you enter the security-config
[firewall-ipv6] mode. You can then edit one keyword and associated parameter or associated
keyword at a time in the order that you prefer. However, note that the setting of the action
keyword determines which other keywords and parameters you can apply to a rule.
Step 1
Format
security firewall ipv6 edit <row id>
Mode
security
Step 2
Format
from_zone {LAN | WAN | DMZ}
to_zone {LAN | WAN | DMZ}
service_name {default_services <default service name> |
custom_services <custom service name>}
action {ALWAYS_BLOCK | ALWAYS_ALLOW |
BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 |
Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK
{schedule {Schedule1 | Schedule2 | Schedule3}}}
source_address_type {ANY | SINGLE_ADDRESS {source_start_address
<ipv6-address>} | ADDRESS_RANGE {source_start_address
<ipv6-address>} {source_end_address <ipv6-address>}}
destination_address_type {ANY | SINGLE_ADDRESS
{destination_start_address <ipv6-address>} | ADDRESS_RANGE
{destination_start_address <ipv6-address>}
{destination_end_address <ipv6-address>}}
qos_priority {Normal-Service | Minimize-Cost |
Maximize-Reliability | Maximize-Throughput | Minimize-Delay}
log {NEVER | ALWAYS}
Mode
security-config [firewall-ipv6]
Keyword (might consist of two separate words) / Associated Keyword to Select or Parameter to Type / Description
Direction of service, service name, action, and schedule
from_zone: LAN, WAN, or DMZ
    Specifies the outbound direction:
    • LAN. From the LAN.
    • WAN. From the WAN.
    • DMZ. From the DMZ.
to_zone: LAN, WAN, or DMZ
    Specifies the inbound direction:
    • LAN. To the LAN.
    • WAN. To the WAN.
    • DMZ. To the DMZ.
service_name default_services: ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
    Specifies the default service and protocol to which the firewall rule applies.
service_name custom_services: custom service name
    The custom service that you have configured with the security services add command and to which the firewall rule applies.
action: ALWAYS_BLOCK, ALWAYS_ALLOW, BLOCK_BY_SCHEDULE_ELSE_ALLOW, or ALLOW_BY_SCHEDULE_ELSE_BLOCK
    Specifies the type of action to be taken by the rule.
schedule: Schedule1, Schedule2, or Schedule3
    Specifies the schedule, if any, that is applicable to the rule.
LAN, WAN, and DMZ source and destination IP addresses
source_address_type: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of source address.
source_start_address: ipv6-address
    There are two options:
    • The IPv6 address if the source_address_type keyword is set to SINGLE_ADDRESS.
    • The start IPv6 address if the source_address_type keyword is set to ADDRESS_RANGE.
source_end_address: ipv6-address
    The end IPv6 address if the source_address_type keyword is set to ADDRESS_RANGE.
destination_address_type: ANY, SINGLE_ADDRESS, or ADDRESS_RANGE
    Specifies the type of destination address.
destination_start_address: ipv6-address
    There are two options:
    • The IPv6 address if the destination_address_type keyword is set to SINGLE_ADDRESS.
    • The start IPv6 address if the destination_address_type keyword is set to ADDRESS_RANGE.
destination_end_address: ipv6-address
    The end IPv6 address if the destination_address_type keyword is set to ADDRESS_RANGE.
QoS profile and logging
qos_priority: Normal-Service, Minimize-Cost, Maximize-Reliability, Maximize-Throughput, or Minimize-Delay
    Specifies the type of QoS that applies to the rule. You can apply QoS to LAN WAN and DMZ WAN outbound rules only.
log: NEVER or ALWAYS
    Specifies whether logging is disabled or enabled.
Command example: See the command example for the security firewall ipv6 configure command.
Related show command: show security firewall ipv6 setup
security firewall ipv6 delete <row id>
This command deletes an IPv6 firewall rule by specifying its row ID.
Format
security firewall ipv6 delete <row id>
Mode
security
Related show command: show security firewall ipv6 setup
security firewall ipv6 disable <row id>
This command disables an IPv6 firewall rule by specifying its row ID.
Format
security firewall ipv6 disable <row id>
Mode
security
Related show command: show security firewall ipv6 setup
security firewall ipv6 enable <row id>
This command enables an IPv6 firewall rule by specifying its row ID.
Format
security firewall ipv6 enable <row id>
Mode
security
Related show command: show security firewall ipv6 setup
Attack Check Commands
security firewall attack_checks configure ipv4
This command configures IPv4 WAN and LAN security attack checks. After you have issued
the security firewall attack_checks configure ipv4 command, you enter the
security-config [attack-checks-ipv4] mode, and then you can edit one keyword and
associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
security firewall attack_checks configure ipv4
Mode
security
Step 2
Format
respond_to_ping_on_internet_ports {Y | N}
enable_stealth_mode {Y | N}
block_tcp_flood {Y | N}
block_udp_flood {Y | N}
disable_ping_reply_on_lan {Y | N}
Mode
security-config [attack-checks-ipv4]
Keyword / Associated Keyword to Select / Description
WAN security checks
respond_to_ping_on_internet_ports: Y or N
    Enables or disables the response to a ping from the WAN port.
enable_stealth_mode: Y or N
    Enables or disables stealth mode.
block_tcp_flood: Y or N
    Blocks or allows TCP floods on the WAN port.
LAN security checks
block_udp_flood: Y or N
    Blocks or allows UDP floods on LAN ports.
disable_ping_reply_on_lan: Y or N
    Enables or disables ping replies from LAN ports.
Command example:
SRX5308> security firewall attack_checks configure ipv4
security-config[attack-checks-ipv4]> respond_to_ping_on_internet_ports N
security-config[attack-checks-ipv4]> enable_stealth_mode Y
security-config[attack-checks-ipv4]> block_tcp_flood Y
security-config[attack-checks-ipv4]> block_udp_flood N
security-config[attack-checks-ipv4]> disable_ping_reply_on_lan Y
security-config[attack-checks-ipv4]> save
Related show command: show security firewall attack_checks setup ipv4
security firewall attack_checks igmp configure
This command enables or disables multicast pass-through by enabling or disabling the IGMP
proxy for IPv4 traffic. After you have issued the security firewall attack_checks
igmp configure command, you enter the security-config [igmp] mode, and then you can
enable or disable the IGMP proxy.
Step 1
Format
security firewall attack_checks igmp configure
Mode
security
Step 2
Format
enable_igmp_proxy {Y | N}
Mode
security-config [igmp]
Related show command: show security firewall attack_checks igmp
security firewall attack_checks vpn_passthrough configure
This command configures VPN pass-through for IPv4 traffic. After you have issued the
security firewall attack_checks vpn_passthrough configure command, you
enter the security-config [vpn-passthrough] mode, and then you can configure one keyword
and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
security firewall attack_checks vpn_passthrough configure
Mode
security
Step 2
Format
ipsec_enable {Y | N}
l2tp_enable {Y | N}
pptp_enable {Y | N}
Mode
security-config [vpn-passthrough]
Keyword / Associated Keyword to Select / Description
ipsec_enable: Y or N
    Enables or disables IPSec pass-through.
l2tp_enable: Y or N
    Enables or disables L2TP pass-through.
pptp_enable: Y or N
    Enables or disables PPTP pass-through.
Command example:
SRX5308> security firewall attack_checks vpn_passthrough configure
security-config[vpn-passthrough]> ipsec_enable Y
security-config[vpn-passthrough]> l2tp_enable Y
security-config[vpn-passthrough]> pptp_enable N
security-config[vpn-passthrough]> save
Related show command: show security firewall attack_checks vpn_passthrough setup
security firewall attack_checks configure ipv6
This command configures IPv6 WAN security attack checks. After you have issued the
security firewall attack_checks configure ipv6 command, you enter the
security-config [attack-checks-ipv6] mode, and then you can edit one keyword and
associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
security firewall attack_checks configure ipv6
Mode
security
Step 2
Format
respond_to_ping_on_internet_ports {Y | N}
vpn_ipsec_passthrough {Y | N}
Mode
security-config [attack-checks-ipv6]
Keyword / Associated Keyword to Select / Description
respond_to_ping_on_internet_ports: Y or N
    Enables or disables the response to a ping from the WAN port.
vpn_ipsec_passthrough: Y or N
    Enables or disables IPSec VPN traffic that is initiated from the LAN to reach the WAN, irrespective of the default firewall outbound policy and custom firewall rules.
Command example:
SRX5308> security firewall attack_checks configure ipv6
security-config[attack-checks-ipv6]> respond_to_ping_on_internet_ports N
security-config[attack-checks-ipv6]> vpn_ipsec_passthrough Y
security-config[attack-checks-ipv6]> save
Related show command: show security firewall attack_checks setup ipv6
Session Limit, Time-Out, and Advanced Commands
security firewall session_limit configure
This command configures global session limits. After you have issued the security
firewall session_limit configure command, you enter the
security-config [session-limit] mode, and then you can configure one keyword and associated
parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
security firewall session_limit configure
Mode
security
Step 2
Format
enable {Y | N}
session_limit_control {Single_IP_cannot_Exceed |
When_Single_IP_Exceed}
conn_limit_type {Percentage_Of_MaxSessions | Number_Of_Sessions}
user_limit <number>
block_new_session {Block_IP_to_add_new_session
{block_IP_to_add_new_session_for_time <seconds>} |
Block_IPs_all_connections {block_IPs_all_connections_for_time
<seconds>}}
Mode
security-config [session-limit]
Keyword / Associated Keyword to Select or Parameter to Type / Description
enable: Y or N
    Enables or disables session limits.
session_limit_control: When_Single_IP_Exceed or Single_IP_cannot_Exceed
    Specifies how limit control is implemented:
    • When_Single_IP_Exceed. When the limit is reached, no new session is allowed from the IP address for a specified period, or all sessions from the IP address are terminated and new sessions are blocked for a specified period. Issue the conn_limit_type keyword to specify the type of session limit and issue the block_new_session keyword to specify the type of blockage.
    • Single_IP_cannot_Exceed. When the limit is reached, no new session is allowed from the IP address. A new session is allowed only when an existing session is terminated or times out. Issue the conn_limit_type keyword to specify the type of session limit.
conn_limit_type: Percentage_Of_MaxSessions or Number_Of_Sessions
    Specifies the type of session limits:
    • Percentage_Of_MaxSessions. Specifies a percentage of the total session-connection capacity on the VPN firewall. Issue the user_limit keyword to specify a percentage of the total session connection.
    • Number_Of_Sessions. Specifies an absolute number of maximum sessions. Issue the user_limit keyword to specify an absolute number of maximum sessions.
user_limit: number
    The percentage of the total session-connection capacity on the VPN firewall or an absolute number of maximum sessions.
block_new_session: Block_IP_to_add_new_session or Block_IPs_all_connections
    Specifies the type of blockage:
    • Block_IP_to_add_new_session. No new session is allowed from the IP address for a period. Issue the block_IP_to_add_new_session_for_time keyword to specify the period in seconds.
    • Block_IPs_all_connections. All sessions from the IP address are terminated, and new sessions are blocked for a period. Issue the block_IPs_all_connections_for_time keyword to specify the period in seconds.
    These options are available only if the session_limit_control keyword is set to When_Single_IP_Exceed.
block_IP_to_add_new_session_for_time: seconds
    The period during which no new session is allowed from the IP address.
block_IPs_all_connections_for_time: seconds
    The period during which all sessions are blocked from the IP address.
Command example:
SRX5308> security firewall session_limit configure
security-config[session-limit]> enable Y
security-config[session-limit]> session_limit_control When_Single_IP_Exceed
security-config[session-limit]> conn_limit_type Percentage_Of_MaxSessions
security-config[session-limit]> user_limit 80
security-config[session-limit]> block_new_session Block_IP_to_add_new_session
security-config[session-limit]> block_IP_to_add_new_session_for_time 60
security-config[session-limit]> save
Related show command: show security firewall session_limit
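The coupling between session_limit_control, conn_limit_type, block_new_session and the *_for_time keywords described in the table above, checked in code. This is an added Python example, not NETGEAR's code: it rejects keyword sets the table rules out, emits the lines from the command example, and turns a Percentage_Of_MaxSessions setting into an absolute per-IP ceiling for a caller-supplied session capacity (the manual gives no capacity figure, so that number is an input, not a fact from the page).

```python
"""Checks a security-config [session-limit] keyword set against the dependencies
in the table above and emits the CLI lines. Added example, not NETGEAR code; the
device session capacity used by effective_limit() is caller-supplied."""
from typing import Dict, List

CONTROLS = {"When_Single_IP_Exceed", "Single_IP_cannot_Exceed"}
LIMIT_TYPES = {"Percentage_Of_MaxSessions", "Number_Of_Sessions"}
# block_new_session value -> the *_for_time keyword that must accompany it
BLOCK_TIMERS = {"Block_IP_to_add_new_session": "block_IP_to_add_new_session_for_time",
                "Block_IPs_all_connections": "block_IPs_all_connections_for_time"}
ORDER = ["enable", "session_limit_control", "conn_limit_type", "user_limit",
         "block_new_session"] + list(BLOCK_TIMERS.values())


def _positive_int(value: str) -> bool:
    return value.isdigit() and int(value) > 0


def validate(cfg: Dict[str, str]) -> List[str]:
    """Return the problems found (empty when the keyword set is consistent)."""
    errors: List[str] = []
    if cfg.get("enable") not in ("Y", "N"):
        errors.append("enable must be Y or N")
    control, ltype = cfg.get("session_limit_control"), cfg.get("conn_limit_type")
    if control not in CONTROLS:
        errors.append(f"session_limit_control must be one of {sorted(CONTROLS)}")
    if ltype not in LIMIT_TYPES:
        errors.append(f"conn_limit_type must be one of {sorted(LIMIT_TYPES)}")
    limit = cfg.get("user_limit", "")
    if not _positive_int(limit):
        errors.append("user_limit must be a positive integer")
    elif ltype == "Percentage_Of_MaxSessions" and int(limit) > 100:
        errors.append("user_limit is a percentage here and cannot exceed 100")
    block = cfg.get("block_new_session")
    timers_present = [t for t in BLOCK_TIMERS.values() if t in cfg]
    # The table: blockage keywords exist only under When_Single_IP_Exceed.
    if control == "Single_IP_cannot_Exceed" and (block or timers_present):
        errors.append("block_new_session and the *_for_time keywords are available "
                      "only when session_limit_control is When_Single_IP_Exceed")
    if control == "When_Single_IP_Exceed":
        if block not in BLOCK_TIMERS:
            errors.append(f"When_Single_IP_Exceed needs block_new_session, one of {sorted(BLOCK_TIMERS)}")
        else:
            timer = BLOCK_TIMERS[block]
            if not _positive_int(cfg.get(timer, "")):
                errors.append(f"{block} requires {timer} <seconds>")
            for other in timers_present:
                if other != timer:
                    errors.append(f"{other} does not belong to {block}")
    return errors


def effective_limit(cfg: Dict[str, str], capacity: int) -> int:
    """Per-IP session ceiling in absolute sessions; capacity is the device's
    total session capacity (assumed input, the manual gives no figure)."""
    limit = int(cfg["user_limit"])
    if cfg["conn_limit_type"] == "Percentage_Of_MaxSessions":
        return capacity * limit // 100
    return limit


def cli_lines(cfg: Dict[str, str]) -> List[str]:
    """Lines typed at the security prompt to apply cfg, ending with save."""
    errors = validate(cfg)
    if errors:
        raise ValueError("; ".join(errors))
    return (["security firewall session_limit configure"]
            + [f"{k} {cfg[k]}" for k in ORDER if k in cfg] + ["save"])


# Constructed sample: the keyword set from the command example above.
EXAMPLE = {"enable": "Y", "session_limit_control": "When_Single_IP_Exceed",
           "conn_limit_type": "Percentage_Of_MaxSessions", "user_limit": "80",
           "block_new_session": "Block_IP_to_add_new_session",
           "block_IP_to_add_new_session_for_time": "60"}

if __name__ == "__main__":
    print("\n".join(cli_lines(EXAMPLE)))
    print("ceiling at a 10000-session capacity:", effective_limit(EXAMPLE, 10000))
```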
security firewall session_settings configure
This command configures global session time-outs. After you have issued the security
firewall session_settings configure command, you enter the
security-config [session-settings] mode, and then you can configure one keyword and
associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
security firewall session_settings configure
Mode
security
Step 2
Format
tcp_session_timeout <seconds>
udp_session_timeout <seconds>
icmp_session_timeout <seconds>
Mode
security-config [session-settings]
Keyword / Associated Parameter to Type / Description
tcp_session_timeout: seconds
    Specifies the TCP session timeout period (integer) in seconds.
udp_session_timeout: seconds
    Specifies the UDP session timeout period (integer) in seconds.
icmp_session_timeout: seconds
    Specifies the ICMP session timeout period (integer) in seconds.
Command example:
SRX5308> security firewall session_settings configure
security-config[session-settings]> tcp_session_timeout 3600
security-config[session-settings]> udp_session_timeout 180
security-config[session-settings]> icmp_session_timeout 120
security-config[session-settings]> save
Related show command: show security firewall session_settings
security firewall advanced algs
This command configures Session Initiation Protocol (SIP) support for the application level
gateway (ALG). After you have issued the security firewall advanced algs
command, you enter the security-config [firewall-alg] mode, and then you can enable or
disable SIP support.
Step 1
Format
security firewall advanced algs
Mode
security
Step 2
Format
sip {Y | N}
Mode
security-config [firewall-alg]
Keyword / Associated Keyword to Select / Description
Sip: Y or N
    Enables or disables SIP for the ALG.
Command example:
FVS318N> security firewall advanced algs
security-config[firewall-alg]> Sip N
security-config[firewall-alg]> save
Related show command: show security firewall advanced algs
Address Filter and IP/MAC Binding Commands
security address_filter mac_filter configure
This command configures the source MAC address filter. After you have issued the
security address_filter mac_filter configure command, you enter the
security-config [mac-filter] mode, and then you can configure one keyword and associated
parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
security address_filter mac_filter configure
Mode
security
Step 2
Format
enable {N | Y {policy {Permit-And-Block-Rest |
Block-And-Permit-Rest}}
Mode
security-config [mac-filter]
Keyword / Associated Keyword to Select or Parameter to Type / Description
enable: Y or N
    Enables or disables the source MAC address filter.
policy: Permit-And-Block-Rest or Block-And-Permit-Rest
    Specifies the policy of the source MAC address filter.
Command example:
SRX5308> security address_filter mac_filter configure
security-config[mac-filter]> enable Y
security-config[mac-filter]> policy Block-And-Permit-Rest
security-config[mac-filter]> save
Related show command: show security address_filter mac_filter setup
security address_filter mac_filter source add
This command adds a new MAC address to the MAC address table for the source MAC
address filter. After you have issued the security address_filter mac_filter
source add command, you enter the security-config [mac-filter-source] mode, and then you
can add a MAC address.
Step 1
Format
security address_filter mac_filter source add
Mode
security
Step 2
Format
address <mac address>
Mode
security-config [mac-filter-source]
Keyword / Associated Parameter to Type / Description
address: mac address
    The MAC address that needs to be added to the MAC address table for the source MAC address filter.
Command example:
FVS318N> security address_filter mac_filter source add
security-config[mac-filter-source]> address a1:b2:c3:de:11:22
security-config[mac-filter-source]> save
security-config[mac-filter-source]> address a1:b2:c3:de:11:25
security-config[mac-filter-source]> save
Related show command: show security address_filter mac_filter setup
security address_filter mac_filter source delete <row id>
This command deletes a MAC address from the MAC address table by specifying its row ID.
Format
security address_filter mac_filter source delete <row id>
Mode
security
Related show command: show security address_filter mac_filter setup
security address_filter ip_or_mac_binding add
This command configures a new IP/MAC binding rule. After you have issued the security
address_filter ip_or_mac_binding add command, you enter the
security-config [ip-or-mac-binding] mode, and then you can configure one keyword and
associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
security address_filter ip_or_mac_binding add
Mode
security
Step 2
Format
name <rule name>
mac_address <mac address>
ip_version {IPv4 {ip_address <ipaddress>} | IPv6 {ip_address6
<ipv6-address>}}
log_dropped_packets {Y | N}
Mode
security-config [ip-or-mac-binding]
Keyword / Associated Keyword to Select or Parameter to Type / Description
name: rule name
    The name (alphanumeric string) of the IP/MAC binding rule.
mac_address: mac address
    The MAC address to which the IP/MAC binding rule is applied.
ip_version: IPv4 or IPv6
    Specifies the type of IP address to which the IP/MAC binding rule is applied:
    • IPv4. You need to issue the ip_address keyword and specify an IPv4 address.
    • IPv6. You need to issue the ip_address6 keyword and specify an IPv6 address.
ip_address: ipaddress
    The IPv4 address to which the IP/MAC binding rule is applied.
ip_address6: ipv6-address
    The IPv6 address to which the IP/MAC binding rule is applied.
log_dropped_packets: Y or N
    Enables or disables logging for the IP/MAC binding rule.
Command example:
SRX5308> security address_filter ip_or_mac_binding add
security-config[ip-or-mac-binding]> name PhoneConfRoom52
security-config[ip-or-mac-binding]> mac_address d1:e1:55:54:8e:7f
security-config[ip-or-mac-binding]> ip_version IPv4
security-config[ip-or-mac-binding]> ip_address 192.151.1.107
security-config[ip-or-mac-binding]> log_dropped_packets N
security-config[ip-or-mac-binding]> save
Related show command: show security address_filter ip_or_mac_binding setup
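An added Python model of what the IP/MAC binding rule above enforces, written here rather than taken from NETGEAR: it validates the ip_version/ip_address/ip_address6 coupling from the table, then decides, for constructed source MAC/IP pairs, which packets a binding would drop (the events that log_dropped_packets and the email log report). The matching semantics assumed are that a bound MAC must carry its bound IP and a bound IP must come from its bound MAC, with unrelated hosts untouched; the second MAC and the extra IPs are constructed.

```python
"""Models the SRX5308 IP/MAC binding rules configured above and the drop
decision they imply. Added example, not NETGEAR code: the matching semantics
(a bound MAC must carry its bound IP, a bound IP must come from its bound MAC,
other hosts are untouched) are this example's assumption."""
import ipaddress
import re
from typing import Dict, Iterable, List, Optional, Tuple

MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)
# ip_version -> (address keyword the manual requires for it, parser)
VERSION_KEYWORD = {"IPv4": ("ip_address", ipaddress.IPv4Address),
                   "IPv6": ("ip_address6", ipaddress.IPv6Address)}


def validate_binding(rule: Dict[str, str]) -> List[str]:
    """Check a security-config [ip-or-mac-binding] keyword set for consistency."""
    errors: List[str] = []
    if not re.fullmatch(r"[A-Za-z0-9]+", rule.get("name", "")):
        errors.append("name must be an alphanumeric string")
    if not MAC_RE.fullmatch(rule.get("mac_address", "")):
        errors.append("mac_address must look like a1:b2:c3:de:11:22")
    version = rule.get("ip_version")
    if version not in VERSION_KEYWORD:
        errors.append("ip_version must be IPv4 or IPv6")
    else:
        keyword, parser = VERSION_KEYWORD[version]
        other = "ip_address6" if keyword == "ip_address" else "ip_address"
        if other in rule:
            errors.append(f"{other} is not applicable when ip_version is {version}")
        try:
            parser(rule.get(keyword, ""))
        except ValueError:
            errors.append(f"ip_version {version} requires a valid {keyword}")
    if rule.get("log_dropped_packets", "N") not in ("Y", "N"):
        errors.append("log_dropped_packets must be Y or N")
    return errors


class BindingTable:
    """Bindings indexed by (MAC, IP version) and by IP: the two lookups a check needs."""

    def __init__(self, rules: Iterable[Dict[str, str]]):
        self.by_mac = {}   # (mac, ip version) -> (bound ip, rule name)
        self.by_ip = {}    # bound ip -> (mac, rule name)
        for rule in rules:
            problems = validate_binding(rule)
            if problems:
                raise ValueError(f"{rule.get('name')}: {'; '.join(problems)}")
            keyword, parser = VERSION_KEYWORD[rule["ip_version"]]
            mac, ip = rule["mac_address"].lower(), parser(rule[keyword])
            self.by_mac[(mac, ip.version)] = (ip, rule["name"])
            self.by_ip[ip] = (mac, rule["name"])

    def check(self, src_mac: str, src_ip: str) -> Tuple[str, Optional[str]]:
        """Return ("allow", None) or ("drop", name of the violated binding)."""
        mac, ip = src_mac.lower(), ipaddress.ip_address(src_ip)
        bound = self.by_mac.get((mac, ip.version))
        if bound and bound[0] != ip:          # known MAC using a different IP
            return "drop", bound[1]
        owner = self.by_ip.get(ip)
        if owner and owner[0] != mac:         # bound IP claimed by another MAC
            return "drop", owner[1]
        return "allow", None

    def dropped(self, packets: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
        """Packets that would be dropped, as (mac, ip, rule name)."""
        out = []
        for mac, ip in packets:
            verdict, name = self.check(mac, ip)
            if verdict == "drop":
                out.append((mac, ip, name))
        return out


# Constructed sample: the PhoneConfRoom52 binding from the command example above.
RULES = [{"name": "PhoneConfRoom52", "mac_address": "d1:e1:55:54:8e:7f",
          "ip_version": "IPv4", "ip_address": "192.151.1.107",
          "log_dropped_packets": "N"}]
# Constructed source MAC/IP pairs as the firewall might see them on the LAN.
PACKETS = [("d1:e1:55:54:8e:7f", "192.151.1.107"),   # the phone itself
           ("d1:e1:55:54:8e:7f", "192.151.1.200"),   # phone's MAC, wrong IP
           ("00:11:22:33:44:55", "192.151.1.107"),   # another host using the phone's IP
           ("00:11:22:33:44:55", "192.151.1.50")]    # unrelated host

if __name__ == "__main__":
    for entry in BindingTable(RULES).dropped(PACKETS):
        print("drop", *entry)
```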
security address_filter ip_or_mac_binding edit <row id>
This command configures an existing IP/MAC binding rule. After you have issued the
security address_filter ip_or_mac_binding edit command to specify the row
to be edited, you enter the security-config [ip-or-mac-binding] mode, and then you can
configure one keyword and associated parameter or associated keyword at a time in the
order that you prefer. You cannot change the name of the rule.
Step 1
Format
security address_filter ip_or_mac_binding edit <row id>
Mode
security
Step 2
Format
mac_address <mac address>
ip_version {IPv4 {ip_address <ipaddress>} | IPv6 {ip_address6
<ipv6-address>}}
log_dropped_packets {Y | N}
Mode
security-config [ip-or-mac-binding]
Keyword / Associated Keyword to Select or Parameter to Type / Description
mac_address: mac address
    The MAC address to which the IP/MAC binding rule is applied.
ip_version: IPv4 or IPv6
    Specifies the type of IP address to which the IP/MAC binding rule is applied:
    • IPv4. You need to issue the ip_address keyword and specify an IPv4 address.
    • IPv6. You need to issue the ip_address6 keyword and specify an IPv6 address.
ip_address: ipaddress
    The IPv4 address to which the IP/MAC binding rule is applied.
ip_address6: ipv6-address
    The IPv6 address to which the IP/MAC binding rule is applied.
log_dropped_packets: Y or N
    Enables or disables logging for the IP/MAC binding rule.
Related show command: show security address_filter ip_or_mac_binding setup
security address_filter ip_or_mac_binding delete <row id>
This command deletes an IP/MAC binding rule by specifying its row ID.
Format
security address_filter ip_or_mac_binding delete <row id>
Mode
security
Related show command: show security address_filter ip_or_mac_binding setup
security address_filter ip_or_mac_binding enable_email_log <ip version>
This command configures the email log for IP/MAC binding violations. After you have issued
the security address_filter ip_or_mac_binding enable_email_log command
to specify the IP version, you enter the security-config [ip-or-mac-binding] mode, and then
you can configure the email log setting.
Step 1
Format
security address_filter ip_or_mac_binding enable_email_log
{IPv4 | IPv6}
Mode
security
Step 2
Format
enable_email_logs {Y | N}
Mode
security-config [ip-or-mac-binding]
Keyword / Associated Keyword to Select / Description
enable_email_logs: Y or N
    Enables or disables the email log for IP/MAC binding violations.
Command example:
FVS318N> security address_filter ip_or_mac_binding enable_email_log IPv4
security-config[ip-or-mac-binding]> enable_email_logs Y
security-config[ip-or-mac-binding]> save
Related show command: show security address_filter enable_email_log
Port Triggering Commands
security porttriggering_rules add
This command configures a new port triggering rule. After you have issued the security
porttriggering_rules add command, you enter the
security-config [porttriggering-rules] mode, and then you can configure one keyword and
associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
security porttriggering_rules add
Mode
security
Step 2
Format
name <rule name>
enable_rule {Y | N}
protocol {TCP | UDP}
outgoing_start_port <number>
outgoing_end_port <number>
incoming_start_port <number>
incoming_end_port <number>
Mode
security-config [porttriggering-rules]
Keyword / Associated Keyword to Select or Parameter to Type / Description
name: rule name
    The name (alphanumeric string) of the port triggering rule.
enable_rule: Y or N
    Enables or disables the port triggering rule.
protocol: TCP or UDP
    Specifies whether the port uses the TCP or UDP protocol.
outgoing_start_port: number
    The start port number (integer) of the outgoing traffic range. Valid numbers are from 1025 to 65535.
outgoing_end_port: number
    The end port number (integer) of the outgoing traffic range. Valid numbers are from 1025 to 65535.
incoming_start_port: number
    The start port number (integer) of the incoming traffic range. Valid numbers are from 1025 to 65535.
incoming_end_port: number
    The end port number (integer) of the incoming traffic range. Valid numbers are from 1025 to 65535.
Command example:
SRX5308> security porttriggering_rules add
security-config[porttriggering-rules]> name Skype
security-config[porttriggering-rules]> enable_rule Y
security-config[porttriggering-rules]> protocol TCP
security-config[porttriggering-rules]> outgoing_start_port 61196
security-config[porttriggering-rules]> outgoing_end_port 61196
security-config[porttriggering-rules]> incoming_start_port 61197
security-config[porttriggering-rules]> incoming_end_port 61197
security-config[porttriggering-rules]> save
Related show command: show security porttriggering_rules setup and show security
porttriggering_rules status
security porttriggering_rules edit <row id>
This command configures an existing port triggering rule. After you have issued the
security porttriggering_rules edit command to specify the row to be edited, you
enter the security-config [porttriggering-rules] mode, and then you can configure one keyword
and associated parameter or associated keyword at a time in the order that you prefer. You
cannot change the name of the rule.
Step 1
Format: security porttriggering_rules edit <row id>
Mode: security

Step 2
Format:
enable_rule {Y | N}
protocol {TCP | UDP}
outgoing_start_port <number>
outgoing_end_port <number>
incoming_start_port <number>
incoming_end_port <number>
Mode: security-config [porttriggering-rules]
Keyword | Associated Keyword to Select or Parameter to Type | Description
enable_rule | Y or N | Enables or disables the port triggering rule.
protocol | TCP or UDP | Specifies whether the port uses the TCP or UDP protocol.
outgoing_start_port | number | The start port number (integer) of the outgoing traffic range. Valid numbers are from 1025 to 65535.
outgoing_end_port | number | The end port number (integer) of the outgoing traffic range. Valid numbers are from 1025 to 65535.
incoming_start_port | number | The start port number (integer) of the incoming traffic range. Valid numbers are from 1025 to 65535.
incoming_end_port | number | The end port number (integer) of the incoming traffic range. Valid numbers are from 1025 to 65535.
Related show command: show security porttriggering_rules setup and show security
porttriggering_rules status
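The add and edit commands above accept each keyword separately and only reject a value when you type it. When rules are prepared off the device (for a change ticket or a scripted rollout), it helps to check them first. The following Python is an added example, not code from the NETGEAR manual: it encodes the limits the keyword tables state (ports 1025 to 65535, protocol TCP or UDP), adds two checks of my own (start port not above end port, and no two rules of the same protocol with overlapping outgoing trigger ranges, which would make it ambiguous which rule a trigger connection opens), and renders the keyword sequence for security-config [porttriggering-rules] mode for either the add or the edit command. The class and function names are mine; the sample rules are constructed, the first one mirroring the Skype example.

```python
"""Validate port triggering rules and render the SRX5308 CLI keywords.

Added example, not from the NETGEAR manual. Port range and protocol limits
come from the keyword table; the start <= end and overlap checks are my own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_MIN, PORT_MAX = 1025, 65535          # range stated in the keyword table
PROMPT = "security-config[porttriggering-rules]> "


@dataclass
class PortTriggeringRule:
    name: str
    protocol: str
    outgoing_start_port: int
    outgoing_end_port: int
    incoming_start_port: int
    incoming_end_port: int
    enable_rule: bool = True

    def validate(self) -> List[str]:
        """Return the problems found; an empty list means the rule is acceptable."""
        problems = []
        if not self.name or any(c.isspace() for c in self.name):
            problems.append("name must be a non-empty string without spaces")
        if self.protocol not in ("TCP", "UDP"):
            problems.append("protocol must be TCP or UDP")
        ranges = (("outgoing", self.outgoing_start_port, self.outgoing_end_port),
                  ("incoming", self.incoming_start_port, self.incoming_end_port))
        for label, start, end in ranges:
            for port in (start, end):
                if not PORT_MIN <= port <= PORT_MAX:
                    problems.append(f"{label} port {port} is outside {PORT_MIN}-{PORT_MAX}")
            if start > end:  # my own check; the table does not state it
                problems.append(f"{label} start port {start} is above end port {end}")
        return problems

    def cli_lines(self, editing: bool = False) -> List[str]:
        """Keywords for security-config [porttriggering-rules] mode.

        With editing=True the name keyword is left out, because the edit
        command does not allow the rule name to change.
        """
        lines = [] if editing else [f"name {self.name}"]
        lines += [f"enable_rule {'Y' if self.enable_rule else 'N'}",
                  f"protocol {self.protocol}",
                  f"outgoing_start_port {self.outgoing_start_port}",
                  f"outgoing_end_port {self.outgoing_end_port}",
                  f"incoming_start_port {self.incoming_start_port}",
                  f"incoming_end_port {self.incoming_end_port}",
                  "save"]
        return lines


def overlapping_triggers(rules: List[PortTriggeringRule]) -> List[Tuple[str, str]]:
    """Name pairs whose outgoing (trigger) ranges overlap on the same protocol."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if (a.protocol == b.protocol
                    and a.outgoing_start_port <= b.outgoing_end_port
                    and b.outgoing_start_port <= a.outgoing_end_port):
                found.append((a.name, b.name))
    return found


def render_session(rule: PortTriggeringRule, row_id: Optional[int] = None) -> str:
    """Transcript to paste into the CLI: add when row_id is None, else edit <row id>."""
    problems = rule.validate()
    if problems:
        raise ValueError("; ".join(problems))
    head = ("security porttriggering_rules add" if row_id is None
            else f"security porttriggering_rules edit {row_id}")
    body = [PROMPT + line for line in rule.cli_lines(editing=row_id is not None)]
    return "\n".join(["SRX5308> " + head] + body)


# Constructed sample rules; the first one mirrors the manual's Skype example.
SKYPE = PortTriggeringRule("Skype", "TCP", 61196, 61196, 61197, 61197)
CLASH = PortTriggeringRule("Overlap", "TCP", 61190, 61200, 62000, 62010)
BAD = PortTriggeringRule("Bad", "TCP", 80, 8080, 65535, 1025)

if __name__ == "__main__":
    print(render_session(SKYPE))
    print(render_session(SKYPE, row_id=1))
    print("problems:", BAD.validate())
    print("overlapping:", overlapping_triggers([SKYPE, CLASH]))
```

Running the module prints the add transcript for the Skype rule, the edit transcript for row 1 (without the name keyword), the two problems found in the BAD rule, and the overlapping pair. The overlap check is a deliberate extra: the manual does not say how the firewall resolves two triggers on the same outgoing ports, so keeping them disjoint avoids relying on undocumented behaviour.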
security porttriggering_rules delete <row id>
This command deletes a port triggering rule by deleting its row.
Format: security porttriggering_rules delete <row id>
Mode: security
Related show command: show security porttriggering_rules setup and show security
porttriggering_rules status
UPnP Command
security upnp configure
This command configures Universal Plug and Play (UPnP). After you have issued the
security upnp configure command, you enter the security-config [upnp] mode, and
then you can configure one keyword and associated parameter or associated keyword at a
time in the order that you prefer.
Step 1
Format: security upnp configure
Mode: security

Step 2
Format:
enable {Y | N}
advertisement period <seconds>
advertisement time_to_live <number>
Mode: security-config [upnp]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
enable | Y or N | Enables or disables UPnP.
advertisement period | seconds | The advertisement period in seconds, from 1 to 1440 seconds.
advertisement time_to_live | number | The advertisement time-to-live period in hops, from 1 to 255 hops.
Command example:
SRX5308> security upnp configure
security-config[upnp]> enable Y
security-config[upnp]> advertisement period 60
security-config[upnp]> advertisement time_to_live 6
security-config[upnp]> save
Related show command: show security upnp setup and show security upnp portmap
Bandwidth Profile Commands
security bandwidth enable_bandwidth_profiles {Y | N}
This command enables or disables bandwidth profiles globally. Select Y to enable bandwidth
profiles globally or N to disable bandwidth profiles globally.
Format: security bandwidth enable_bandwidth_profiles {Y | N}
Mode: security
Related show command: show security bandwidth profile setup
security bandwidth profile add
This command configures a new bandwidth profile. After you have issued the security
bandwidth profile add command, you enter the security-config [bandwidth-profile]
mode, and then you can configure one keyword and associated parameter or associated
keyword at a time in the order that you prefer.
Step 1
Format: security bandwidth profile add
Mode: security

Step 2
Format:
name <profile name>
direction {Inbound | Outbound | Both_Directions}
inbound_minimum_rate <kbps>
inbound_maximum_rate <kbps>
outbound_minimum_rate <kbps>
outbound_maximum_rate <kbps>
is_group {Individual | Group}
max_instances <number>
Mode: security-config [bandwidth-profile]
Keyword | Associated Keyword to Select or Parameter to Type | Description
name | profile name | The profile name (alphanumeric string).
direction | Inbound, Outbound, or Both_Directions | Specifies the direction to which the bandwidth profile applies.
inbound_minimum_rate | kbps | The minimum inbound bandwidth in kbps (0 to 100000) provided to the group or individual user.
inbound_maximum_rate | kbps | The maximum inbound bandwidth in kbps (100 to 100000) provided to the group or individual user.
outbound_minimum_rate | kbps | The minimum outbound bandwidth in kbps (0 to 100000) provided to the group or individual user.
outbound_maximum_rate | kbps | The maximum outbound bandwidth in kbps (100 to 100000) provided to the group or individual user.
is_group | Individual or Group | Specifies the type for the bandwidth profile:
  • Individual. The profile applies to an individual user. Issue the max_instances keyword to specify the maximum number of users.
  • Group. The profile applies to a group.
max_instances | number | If the is_group keyword is set to Individual, specify the maximum number of class instances that can be created by the individual bandwidth profile.
Command example:
SRX5308> security bandwidth profile add
security-config[bandwidth-profile]> name BusinessLevelI
security-config[bandwidth-profile]> direction Both_Directions
security-config[bandwidth-profile]> inbound_minimum_rate 7500
security-config[bandwidth-profile]> inbound_maximum_rate 25000
security-config[bandwidth-profile]> outbound_minimum_rate 5000
security-config[bandwidth-profile]> outbound_maximum_rate 10000
security-config[bandwidth-profile]> is_group Group
security-config[bandwidth-profile]> save
Related show command: show security bandwidth profile setup
security bandwidth profile edit <row id>
This command configures an existing bandwidth profile. After you have issued the security
bandwidth profile edit command to specify the row to be edited, you enter the
security-config [bandwidth-profile] mode, and then you can configure one keyword and
associated parameter or associated keyword at a time in the order that you prefer. You
cannot change the name of the profile.
Step 1
Format: security bandwidth profile edit <row id>
Mode: security

Step 2
Format:
direction {Inbound | Outbound | Both_Directions}
inbound_minimum_rate <kbps>
inbound_maximum_rate <kbps>
outbound_minimum_rate <kbps>
outbound_maximum_rate <kbps>
is_group {Individual | Group}
max_instances <number>
Mode: security-config [bandwidth-profile]
Keyword | Associated Keyword to Select or Parameter to Type | Description
direction | Inbound, Outbound, or Both_Directions | Specifies the direction to which the bandwidth profile applies.
inbound_minimum_rate | kbps | The minimum inbound bandwidth in kbps (0 to 100000) provided to the group or individual user.
inbound_maximum_rate | kbps | The maximum inbound bandwidth in kbps (100 to 100000) provided to the group or individual user.
outbound_minimum_rate | kbps | The minimum outbound bandwidth in kbps (0 to 100000) provided to the group or individual user.
outbound_maximum_rate | kbps | The maximum outbound bandwidth in kbps (100 to 100000) provided to the group or individual user.
is_group | Individual or Group | Specifies the type for the bandwidth profile:
  • Individual. The profile applies to an individual user. Issue the max_instances keyword to specify the maximum number of users.
  • Group. The profile applies to a group.
max_instances | number | If the is_group keyword is set to Individual, specify the maximum number of class instances that can be created by the individual bandwidth profile.
Related show command: show security bandwidth profile setup
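The keyword tables for the add and edit commands give the numeric limits but not the relations between keywords that make a profile meaningful. The following Python is an added example, not code from the NETGEAR manual. It takes the stated limits (minimum 0 to 100000 kbps, maximum 100 to 100000 kbps, max_instances only with Individual) and adds two checks of my own: the minimum must not exceed the maximum in each direction the profile covers, and for an Individual profile the firewall has to be able to reserve max_instances times the minimum rate, so that total is compared against a link capacity figure that you supply. It also renders the keyword sequence for security-config [bandwidth-profile] mode. Class and function names are mine; the sample profiles are constructed, the first mirroring the BusinessLevelI example.

```python
"""Check bandwidth profiles against the keyword-table limits and render the
security-config [bandwidth-profile] keywords.

Added example, not from the NETGEAR manual. The min <= max relation and the
capacity check for Individual profiles are my own additions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DIRECTIONS = ("Inbound", "Outbound", "Both_Directions")
PROMPT = "security-config[bandwidth-profile]> "


@dataclass
class BandwidthProfile:
    name: str
    direction: str
    inbound_minimum_rate: int = 0
    inbound_maximum_rate: int = 100
    outbound_minimum_rate: int = 0
    outbound_maximum_rate: int = 100
    is_group: str = "Group"
    max_instances: Optional[int] = None   # Individual profiles only

    def applies_inbound(self) -> bool:
        return self.direction in ("Inbound", "Both_Directions")

    def applies_outbound(self) -> bool:
        return self.direction in ("Outbound", "Both_Directions")

    def validate(self) -> List[str]:
        """Problems found; empty means the profile is acceptable."""
        problems = []
        if self.direction not in DIRECTIONS:
            problems.append(f"direction must be one of {', '.join(DIRECTIONS)}")
        if self.is_group not in ("Individual", "Group"):
            problems.append("is_group must be Individual or Group")
        checks = []
        if self.applies_inbound():
            checks.append(("inbound", self.inbound_minimum_rate, self.inbound_maximum_rate))
        if self.applies_outbound():
            checks.append(("outbound", self.outbound_minimum_rate, self.outbound_maximum_rate))
        for label, lo, hi in checks:
            if not 0 <= lo <= 100000:       # table: minimum 0 to 100000 kbps
                problems.append(f"{label}_minimum_rate {lo} is outside 0-100000")
            if not 100 <= hi <= 100000:     # table: maximum 100 to 100000 kbps
                problems.append(f"{label}_maximum_rate {hi} is outside 100-100000")
            if lo > hi:                     # my own check
                problems.append(f"{label} minimum {lo} exceeds maximum {hi}")
        if self.is_group == "Individual" and not self.max_instances:
            problems.append("Individual profiles need max_instances")
        if self.is_group == "Group" and self.max_instances is not None:
            problems.append("max_instances applies only to Individual profiles")
        return problems

    def guaranteed_minimum(self) -> Dict[str, int]:
        """kbps that must be reservable per covered direction: once for a
        Group profile, once per instance for an Individual profile."""
        factor = (self.max_instances or 1) if self.is_group == "Individual" else 1
        out = {}
        if self.applies_inbound():
            out["inbound"] = self.inbound_minimum_rate * factor
        if self.applies_outbound():
            out["outbound"] = self.outbound_minimum_rate * factor
        return out

    def cli_lines(self, editing: bool = False) -> List[str]:
        """Keywords to enter; edit mode omits name, which cannot change."""
        lines = [] if editing else [f"name {self.name}"]
        lines.append(f"direction {self.direction}")
        if self.applies_inbound():
            lines += [f"inbound_minimum_rate {self.inbound_minimum_rate}",
                      f"inbound_maximum_rate {self.inbound_maximum_rate}"]
        if self.applies_outbound():
            lines += [f"outbound_minimum_rate {self.outbound_minimum_rate}",
                      f"outbound_maximum_rate {self.outbound_maximum_rate}"]
        lines.append(f"is_group {self.is_group}")
        if self.is_group == "Individual":
            lines.append(f"max_instances {self.max_instances}")
        lines.append("save")
        return lines


def over_capacity(profiles: List[BandwidthProfile], link_kbps: Dict[str, int]) -> List[str]:
    """Profiles whose guaranteed minimum exceeds the link in some direction.
    link_kbps is a figure you supply, e.g. {"inbound": 100000, "outbound": 20000}."""
    flagged = []
    for p in profiles:
        for direction, kbps in p.guaranteed_minimum().items():
            cap = link_kbps.get(direction, 0)
            if kbps > cap:
                flagged.append(f"{p.name}: {direction} guarantee {kbps} kbps > link {cap}")
    return flagged


# Constructed samples; BUSINESS mirrors the manual's example values.
BUSINESS = BandwidthProfile("BusinessLevelI", "Both_Directions", 7500, 25000, 5000, 10000, "Group")
PER_USER = BandwidthProfile("Staff", "Inbound", 2000, 8000, is_group="Individual", max_instances=60)

if __name__ == "__main__":
    print("\n".join(PROMPT + l for l in BUSINESS.cli_lines()))
    print(over_capacity([BUSINESS, PER_USER], {"inbound": 100000, "outbound": 20000}))
```

The capacity check only uses the profile's own numbers and a link figure you provide; the firewall itself does not report whether the minimums of all profiles can be honoured at once.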
security bandwidth profile delete <row id>
This command deletes a bandwidth profile by deleting its row ID.
Format: security bandwidth profile delete <row id>
Mode: security
Related show command: show security bandwidth profile setup
Content Filtering Commands
security content_filter content_filtering configure
This command globally enables or disables content filtering and configures web components.
After you have issued the security content_filter content_filtering configure command, you
enter the security-config [content-filtering] mode, and then you can configure one keyword
and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format: security content_filter content_filtering configure
Mode: security

Step 2
Format:
content_filtering {Y | N}
activex_enable {Y | N}
cookies_enable {Y | N}
java_enable {Y | N}
proxy_enable {Y | N}
Mode: security-config [content-filtering]
Keyword | Associated Keyword to Select | Description
content_filtering | Y or N | Enables or disables content filtering globally.
activex_enable | Y or N | Enables or disables ActiveX.
cookies_enable | Y or N | Enables or disables cookies.
java_enable | Y or N | Enables or disables Java.
proxy_enable | Y or N | Enables or disables the proxy server.
Command example:
SRX5308> security content_filter content_filtering configure
security-config[content-filtering]> content_filtering Y
security-config[content-filtering]> activex_enable Y
security-config[content-filtering]> cookies_enable Y
security-config[content-filtering]> java_enable Y
security-config[content-filtering]> proxy_enable N
security-config[content-filtering]> save
Related show command: show security content_filter content_filtering
security content_filter block_group enable
This command applies content filtering to selected groups or to all groups. After you have
issued the security content_filter block_group enable command, you enter the
security-config [block-group-enable] mode, and then you can select a group, several groups,
or all groups.
Step 1
Format: security content_filter block_group enable
Mode: security

Step 2
Format:
group all {Y}
group group1 {Y}
group group2 {Y}
group group3 {Y}
group group4 {Y}
group group5 {Y}
group group6 {Y}
group group7 {Y}
group group8 {Y}
Mode: security-config [block-group-enable]
Keyword | Associated Keyword to Select | Description
group all | Y | Enables content filtering for all groups.
group group1 | Y | Enables content filtering for the selected group.
group group2 | Y | Enables content filtering for the selected group.
group group3 | Y | Enables content filtering for the selected group.
group group4 | Y | Enables content filtering for the selected group.
group group5 | Y | Enables content filtering for the selected group.
group group6 | Y | Enables content filtering for the selected group.
group group7 | Y | Enables content filtering for the selected group.
group group8 | Y | Enables content filtering for the selected group.
Command example:
SRX5308> security content_filter block_group enable
security-config[block-group-enable]> group group1 Y
security-config[block-group-enable]> group group2 Y
security-config[block-group-enable]> group group3 Y
security-config[block-group-enable]> group group8 Y
security-config[block-group-enable]> save
Related show command: show security content_filter block_group
security content_filter block_group disable
This command removes content filtering from selected groups or from all groups. After you
have issued the security content_filter block_group disable command, you
enter the security-config [block-group-disable] mode, and then you can select a group,
several groups, or all groups.
Step 1
Format: security content_filter block_group disable
Mode: security

Step 2
Format:
group all {Y}
group group1 {Y}
group group2 {Y}
group group3 {Y}
group group4 {Y}
group group5 {Y}
group group6 {Y}
group group7 {Y}
group group8 {Y}
Mode: security-config [block-group-disable]
Keyword | Associated Keyword to Select | Description
group all | Y | Disables content filtering for all groups.
group group1 | Y | Disables content filtering for the selected group.
group group2 | Y | Disables content filtering for the selected group.
group group3 | Y | Disables content filtering for the selected group.
group group4 | Y | Disables content filtering for the selected group.
group group5 | Y | Disables content filtering for the selected group.
group group6 | Y | Disables content filtering for the selected group.
group group7 | Y | Disables content filtering for the selected group.
group group8 | Y | Disables content filtering for the selected group.
Command example:
SRX5308> security content_filter block_group disable
security-config[block-group-disable]> group group3 Y
security-config[block-group-disable]> group group8 Y
security-config[block-group-disable]> save
Related show command: show security content_filter block_group
security content_filter blocked_keywords add
This command configures a new blocked keyword for content filtering. After you have issued
the security content_filter blocked_keywords add command, you enter the
security-config [blocked-keywords] mode, and then you can configure one keyword at a time.
Step 1
Format: security content_filter blocked_keywords add
Mode: security

Step 2
Format: blocked_keyword <keyword>
Mode: security-config [blocked-keywords]
Keyword | Associated Parameter to Type | Description
blocked_keyword | keyword | The keyword (string) that needs to be blocked.
Command example:
SRX5308> security content_filter blocked_keywords add
security-config[blocked-keywords]> blocked_keyword casino
security-config[blocked-keywords]> save
security-config[blocked-keywords]> blocked_keyword gambl*
security-config[blocked-keywords]> save
Related show command: show security content_filter blocked_keywords
security content_filter blocked_keywords edit <row id>
This command configures an existing blocked keyword for content filtering. After you have
issued the security content_filter blocked_keywords edit command to specify
the row to be edited, you enter the security-config [blocked-keywords] mode, and then you
can edit the keyword.
Step 1
Format: security content_filter blocked_keywords edit <row id>
Mode: security

Step 2
Format: blocked_keyword <keyword>
Mode: security-config [blocked-keywords]
Keyword | Associated Parameter to Type | Description
blocked_keyword | keyword | The keyword (string) that needs to be blocked.
Related show command: show security content_filter blocked_keywords
security content_filter blocked_keywords delete <row id>
This command deletes a blocked keyword by deleting its row ID.
Format: security content_filter blocked_keywords delete <row id>
Mode: security
Related show command: show security content_filter blocked_keywords
security content_filter trusted_domain add
This command configures a new trusted domain for content filtering. After you have issued
the security content_filter trusted_domain add command, you enter the
security-config [approved-urls] mode, and then you can add a URL or domain name.
Step 1
Format: security content_filter trusted_domain add
Mode: security

Step 2
Format: url <url>
Mode: security-config [approved-urls]
Keyword | Associated Parameter to Type | Description
url | url | The URL or domain name to be trusted (added to the approved URLs).
Command example:
SRX5308> security content_filter trusted_domain add
security-config[approved-urls]> url netgear
security-config[approved-urls]> save
security-config[approved-urls]> url google.com
security-config[approved-urls]> save
security-config[approved-urls]> url www.irs.gov
security-config[approved-urls]> save
Related show command: show security content_filter trusted_domains
security content_filter trusted_domain edit <row id>
This command configures an existing trusted domain for content filtering. After you have
issued the security content_filter trusted_domain edit command to specify
the row to be edited, you enter the security-config [approved-urls] mode, and then you can
edit the URL or domain name.
Step 1
Format: security content_filter trusted_domain edit <row id>
Mode: security

Step 2
Format: url <url>
Mode: security-config [approved-urls]
Keyword | Associated Parameter to Type | Description
url | url | The URL or domain name to be trusted (added to the approved URLs).
Related show command: show security content_filter trusted_domains
security content_filter trusted_domain delete <row id>
This command deletes a trusted domain by deleting its row ID.
Format: security content_filter trusted_domain delete <row id>
Mode: security
Related show command: show security content_filter trusted_domains
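The block_group, blocked_keywords and trusted_domain commands above each set one piece of the content filtering policy, and the manual does not describe how the firewall combines them for a given request. The following Python is an added example, not code from the NETGEAR manual: it simulates one plausible decision so that a policy built from the command examples (groups 1, 2, 3 and 8 filtered; keywords casino and gambl*; trusted entries netgear, google.com and www.irs.gov) can be reasoned about before it is applied. Everything about the matching is an assumption of mine, because the page does not specify it: a blocked keyword matches anywhere in the lower-cased URL and a trailing * matches any suffix (the gambl* example suggests a wildcard); a trusted entry matches the request host exactly, as a parent domain, or, for a bare label such as netgear, as any label of the host; trusted domains take precedence over blocked keywords; and filtering applies only when it is enabled globally and for the requesting user's group or for all groups. The function names and the configuration dict are mine.

```python
"""Simulate the content filtering decision the block_group, blocked_keywords
and trusted_domain commands configure.

Added example, not from the NETGEAR manual; the matching rules below are
assumptions, since the manual does not state how the firewall matches.
"""
import re
from typing import Dict, Iterable, Tuple
from urllib.parse import urlsplit


def keyword_pattern(keyword: str) -> "re.Pattern[str]":
    """Turn a blocked_keyword value into a regex; only '*' is special (assumed)."""
    parts = [re.escape(p) for p in keyword.lower().split("*")]
    return re.compile(".*".join(parts))


def keyword_hit(url: str, keywords: Iterable[str]) -> str:
    """The first blocked keyword found in the URL, or '' if none matches."""
    low = url.lower()
    for kw in keywords:
        if keyword_pattern(kw).search(low):
            return kw
    return ""


def trusted_hit(host: str, trusted: Iterable[str]) -> str:
    """The trusted_domain entry that covers the host, or '' if none does.

    Assumed rules: exact host, parent domain, or (for a bare label with no
    dot, like the manual's 'netgear' entry) any label of the host.
    """
    host = host.lower()
    labels = host.split(".")
    for entry in trusted:
        e = entry.lower()
        if host == e or host.endswith("." + e) or ("." not in e and e in labels):
            return entry
    return ""


def decide(url: str, group: str, cfg: Dict) -> Tuple[str, str]:
    """Return ("allow" | "block", reason) for a request from a user in `group`."""
    if not cfg["content_filtering"]:
        return "allow", "content filtering disabled globally"
    if "all" not in cfg["filtered_groups"] and group not in cfg["filtered_groups"]:
        return "allow", f"{group} is not filtered"
    host = urlsplit(url).hostname or ""
    trusted = trusted_hit(host, cfg["trusted_domains"])
    if trusted:                      # assumed precedence: trusted beats keyword
        return "allow", f"trusted domain {trusted}"
    kw = keyword_hit(url, cfg["blocked_keywords"])
    if kw:
        return "block", f"blocked keyword {kw}"
    return "allow", "no rule matched"


# Constructed configuration mirroring the manual's command examples.
CONFIG = {
    "content_filtering": True,
    "filtered_groups": {"group1", "group2", "group3", "group8"},
    "blocked_keywords": ["casino", "gambl*"],
    "trusted_domains": ["netgear", "google.com", "www.irs.gov"],
}

if __name__ == "__main__":
    for url, grp in [("http://www.onlinecasino.example/play", "group1"),
                     ("http://www.google.com/search?q=casino", "group1"),
                     ("https://gambling.example/", "group4"),
                     ("https://kb.netgear.com/", "group8")]:
        print(grp, url, "->", decide(url, grp, CONFIG))
```

Two of the constructed cases are worth noting: a search URL on a trusted domain that contains a blocked keyword is allowed under the assumed precedence, and a bare trusted label such as netgear covers every host that has that label, which is broader than a full domain name. Confirm the real behaviour on the device with the show commands before relying on either.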
5. System Mode Configuration Commands
This chapter explains the configuration commands, keywords, and associated parameters in the
system mode. The chapter includes the following sections:
• Remote Management Commands
• SNMP Commands
• Time Zone Command
• WAN Traffic Meter Command
• Firewall Logs and Email Alerts Commands
IMPORTANT:
After you have issued a command that includes the word
configure, add, or edit, you need to save (or cancel) your
changes. For more information, see Save Commands on page 12.
Remote Management Commands
system remote_management https configure
This command configures remote management over HTTPS. After you have issued the
system remote_management https configure command, you enter the
system-config [https] mode, and then you can configure one keyword and associated
parameter or associated keyword at a time in the order that you prefer.
Note: You can configure remote management over HTTPS for both IPv4
and IPv6 connections because these connections are not mutually
exclusive.
Step 1
Format: system remote_management https configure
Mode: system

Step 2
Format:
ip_version {IPv4 | IPv6}
enable_ipv4 {Y | N}
access_type {Everyone | IP_Range {from_address <ipaddress>} {end_address <ipaddress>} | To_this_PC_only {only_this_pc_ip <ipaddress>}}
port <number>
enable_ipv6 {Y | N}
access_type6 {Everyone | IP_Range {from_address6 <ipv6-address>} {end_address6 <ipv6-address>} | To_this_PC_only {only_this_pc_ipv6 <ipv6-address>}}
port <number>
Mode: system-config [https]
Keyword | Associated Keyword to Select or Parameter to Type | Description
ip_version | IPv4 or IPv6 | Specifies the configuration of IPv4 or IPv6.
HTTPS over an IPv4 connection
enable_ipv4 | Y or N | Enables or disables remote management over HTTPS for an IPv4 connection.
access_type | Everyone, IP_Range, or To_this_PC_only | Specifies the type of access:
  • Everyone. Enables access to all IP addresses. You do not need to configure any IP address.
  • IP_Range. Enables access to a range of IP addresses. You also need to configure the from_address and end_address keywords and associated parameters.
  • To_this_PC_only. Enables access to a single IP address. You also need to configure the only_this_pc_ip keyword and associated parameter.
from_address | ipaddress | The start IP address if you have set the access_type keyword to IP_Range.
end_address | ipaddress | The end IP address if you have set the access_type keyword to IP_Range.
only_this_pc_ip | ipaddress | The single IP address if you have set the access_type keyword to To_this_PC_only.
port | number | The number of the port through which access is allowed.
HTTPS over an IPv6 connection
enable_ipv6 | Y or N | Enables or disables remote management over HTTPS for an IPv6 connection.
access_type6 | Everyone, IP_Range, or To_this_PC_only | Specifies the type of access:
  • Everyone. Enables access to all IP addresses. You do not need to configure any IP address.
  • IP_Range. Enables access to a range of IP addresses. You also need to configure the from_address6 and end_address6 keywords and associated parameters.
  • To_this_PC_only. Enables access to a single IP address. You also need to configure the only_this_pc_ipv6 keyword and associated parameter.
from_address6 | ipv6-address | The start IP address if you have set the access_type6 keyword to IP_Range.
end_address6 | ipv6-address | The end IP address if you have set the access_type6 keyword to IP_Range.
only_this_pc_ipv6 | ipv6-address | The single IP address if you have set the access_type6 keyword to To_this_PC_only.
port | number | The number of the port through which access is allowed.
System Mode Configuration Commands
187
ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
Command example:
SRX5308> system remote_management https configure
system-config[https]> ip_version IPv4
system-config[https]> enable_ipv4 Y
system-config[https]> access_type Everyone
system-config[https]> port 445
system-config[https]> save
Related show command: show system remote_management setup
system remote_management telnet configure
This command configures remote management over Telnet. After you have issued the
system remote_management telnet configure command, you enter the
system-config [telnet] mode, and then you can configure one keyword and associated
parameter or associated keyword at a time in the order that you prefer.
Note: You can configure remote management over Telnet for both IPv4
and IPv6 connections because these connections are not mutually
exclusive.
Step 1
Format: system remote_management telnet configure
Mode: system

Step 2
Format:
ip_version {IPv4 | IPv6}
enable_ipv4 {Y | N}
access_type {Everyone | IP_Range {from_address <ipaddress>} {to_address <ipaddress>} | To_this_PC_only {only_this_pc_ip <ipaddress>}}
enable_ipv6 {Y | N}
access_type6 {Everyone | IP_Range {from_address6 <ipv6-address>} {to_address6 <ipv6-address>} | To_this_PC_only {only_this_pc_ip6 <ipv6-address>}}
Mode: system-config [telnet]
Keyword | Associated Keyword to Select or Parameter to Type | Description
ip_version | IPv4 or IPv6 | Specifies the configuration of IPv4 or IPv6.
Telnet over an IPv4 connection
enable_ipv4 | Y or N | Enables or disables remote management over Telnet for an IPv4 connection.
access_type | Everyone, IP_Range, or To_this_PC_only | Specifies the type of access:
  • Everyone. Enables access to all IP addresses. You do not need to configure any IP address.
  • IP_Range. Enables access to a range of IP addresses. You also need to configure the from_address and to_address keywords and associated parameters.
  • To_this_PC_only. Enables access to a single IP address. You also need to configure the only_this_pc_ip keyword and associated parameter.
from_address | ipaddress | The start IP address if you have set the access_type keyword to IP_Range.
to_address | ipaddress | The end IP address if you have set the access_type keyword to IP_Range.
only_this_pc_ip | ipaddress | The single IP address if you have set the access_type keyword to To_this_PC_only.
Telnet over an IPv6 connection
enable_ipv6 | Y or N | Enables or disables remote management over Telnet for an IPv6 connection.
access_type6 | Everyone, IP_Range, or To_this_PC_only | Specifies the type of access:
  • Everyone. Enables access to all IP addresses. You do not need to configure any IP address.
  • IP_Range. Enables access to a range of IP addresses. You also need to configure the from_address6 and to_address6 keywords and associated parameters.
  • To_this_PC_only. Enables access to a single IP address. You also need to configure the only_this_pc_ip6 keyword and associated parameter.
from_address6 | ipv6-address | The start IP address if you have set the access_type6 keyword to IP_Range.
to_address6 | ipv6-address | The end IP address if you have set the access_type6 keyword to IP_Range.
only_this_pc_ip6 | ipv6-address | The single IP address if you have set the access_type6 keyword to To_this_PC_only.
Command example:
SRX5308> system remote_management telnet configure
system-config[telnet]> ip_version IPv6
system-config[telnet]> enable_ipv6 Y
system-config[telnet]> access_type6 IP_Range
system-config[telnet]> from_address6 FEC0::3001
system-config[telnet]> end_address6 FEC0::3100
system-config[telnet]> save
Related show command: show system remote_management setup
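The HTTPS and Telnet commands above let you expose management to Everyone, to an IP_Range, or To_this_PC_only, and the HTTPS example uses Everyone. The following Python is an added example, not code from the NETGEAR manual: it audits a set of remote-management settings and renders a tighter HTTPS configuration with the same keywords. The manual does not document the output of show system remote_management setup, so the input is a plain dict I construct with the keyword names from the tables. The findings are defender judgments of mine rather than statements from the manual: Telnet carries the login in cleartext, so enabling it on a WAN-facing device exposes credentials; access_type Everyone admits any source address to the management service; an IP_Range needs both bounds in the same address family and in order; a narrow range or To_this_PC_only is preferable to Everyone. Function names and sample addresses (documentation ranges) are mine.

```python
"""Audit remote-management settings and render a hardened HTTPS session.

Added example, not from the NETGEAR manual. The config dict shape and the
findings are my own; keyword names follow the manual's tables.
"""
import ipaddress
from typing import Dict, List

PROMPT = "system-config[https]> "


def check_range(start: str, end: str) -> List[str]:
    """Problems with an IP_Range pair: both parse, same family, start <= end."""
    try:
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    except ValueError as exc:
        return [f"unparseable address in range: {exc}"]
    if lo.version != hi.version:
        return ["range bounds must be in the same address family"]
    if lo > hi:
        return [f"range start {lo} is above range end {hi}"]
    return []


def audit(cfg: Dict[str, Dict[str, str]]) -> List[str]:
    """Findings for a config shaped like {"https": {...}, "telnet": {...}}."""
    findings = []
    for service, s in cfg.items():
        for family, enable, atype in (("IPv4", "enable_ipv4", "access_type"),
                                      ("IPv6", "enable_ipv6", "access_type6")):
            if s.get(enable, "N") != "Y":
                continue                       # service not enabled for this family
            if service == "telnet":
                findings.append(f"telnet/{family}: Telnet is cleartext; use HTTPS instead")
            mode = s.get(atype)
            if mode == "Everyone":
                findings.append(f"{service}/{family}: access_type Everyone exposes management to all sources")
            elif mode == "IP_Range":
                sfx = "6" if family == "IPv6" else ""
                for p in check_range(s.get("from_address" + sfx, ""), s.get("end_address" + sfx, "")):
                    findings.append(f"{service}/{family}: {p}")
            elif mode != "To_this_PC_only":
                findings.append(f"{service}/{family}: unknown access_type {mode!r}")
    return findings


def https_session(settings: Dict[str, str]) -> str:
    """CLI transcript applying IPv4 HTTPS settings with the manual's keywords."""
    lines = ["SRX5308> system remote_management https configure",
             PROMPT + "ip_version IPv4",
             PROMPT + "enable_ipv4 Y",
             PROMPT + f"access_type {settings['access_type']}"]
    if settings["access_type"] == "IP_Range":
        lines += [PROMPT + f"from_address {settings['from_address']}",
                  PROMPT + f"end_address {settings['end_address']}"]
    elif settings["access_type"] == "To_this_PC_only":
        lines.append(PROMPT + f"only_this_pc_ip {settings['only_this_pc_ip']}")
    lines += [PROMPT + f"port {settings['port']}", PROMPT + "save"]
    return "\n".join(lines)


# Constructed configurations. WEAK mirrors the manual's HTTPS example with
# Telnet switched on as well; HARDENED keeps HTTPS only, from a management range.
WEAK = {
    "https": {"enable_ipv4": "Y", "access_type": "Everyone", "port": "445"},
    "telnet": {"enable_ipv4": "Y", "access_type": "Everyone"},
}
HARDENED = {
    "https": {"enable_ipv4": "Y", "access_type": "IP_Range",
              "from_address": "203.0.113.10", "end_address": "203.0.113.20", "port": "8443"},
    "telnet": {"enable_ipv4": "N", "enable_ipv6": "N"},
}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or ["no findings"])
    print(https_session(HARDENED["https"]))
```

The audit treats a disabled service as having no findings, so turning Telnet off removes both of its entries at once; the keyword for that is enable_ipv4 N (and enable_ipv6 N) in system-config [telnet] mode.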
SNMP Commands
system snmp sys configure
This command configures the SNMP system information. After you have issued the system
snmp sys configure command, you enter the system-config [snmp-system] mode, and
then you can configure one keyword and associated parameter or associated keyword at a
time in the order that you prefer.
Step 1
Format: system snmp sys configure
Mode: system

Step 2
Format:
sys_contact <contact name>
sys_location <location name>
sys_name <system name>
Mode: system-config [snmp-system]
Keyword | Associated Parameter to Type | Description
sys_contact | contact name | The system contact name (alphanumeric string).
sys_location | location name | The system location name (alphanumeric string).
sys_name | system name | The system name (alphanumeric string).
Command example:
SRX5308> system snmp sys configure
system-config[snmp-system]> sys_contact [email protected]
system-config[snmp-system]> sys_location San Jose
system-config[snmp-system]> sys_name SRX5308-Bld3
system-config[snmp-system]> save
Related show command: show system snmp sys
Time Zone Command
system time configure
This command configures the system time, date, and NTP servers. After you have issued the
system time configure command, you enter the system-config [time] mode, and then
you can configure one keyword and associated parameter or associated keyword at a time in
the order that you prefer.
Step 1
Format: system time configure
Mode: system

Step 2
Format:
timezone <timezone>
auto_daylight {Y | N}
resolv_ipv6_ddress {Y | N}
ntp_mode {Authoritative_Mode {stratum <number>} | Sync_to_NTP_Servers_on_Internet | Sync_to_NTP_Servers_on_VPN {vpn_policy <vpn policy name>}}
set_date_time_manually {N | Y {ntp_hour <hour> | ntp_minutes <minutes> | ntp_seconds <seconds> | ntp_day <day> | ntp_month <month> | ntp_year <year>}}
use_default_servers {Y | N}
configure_ntp_servers {N | Y {ntp_server1 {<ipaddress> | <domain name>}} {ntp_server2 {<ipaddress> | <domain name>}}}
Mode: system-config [time]
Keyword | Associated Keyword to Select or Parameter to Type | Description
timezone | timezone keyword | For a list of time zones that you can enter, see Table 11.
auto_daylight | Y or N | Enables or disables automatic adjustment for daylight savings time.
resolv_ipv6_ddress | Y or N | Specifies whether or not the VPN firewall automatically resolves a domain name for an NTP server to an IPv6 address:
  • Y. A domain name is resolved to an IPv6 address.
  • N. A domain name is resolved to an IPv4 address.
ntp_mode | Authoritative_Mode, Sync_to_NTP_Servers_on_Internet, or Sync_to_NTP_Servers_on_VPN | Specifies the NTP mode:
  • Authoritative_Mode. The VPN firewall synchronizes its clock with the specified NTP server or servers on the Internet. If external servers are unreachable, the VPN firewall's real-time clock (RTC) provides time service to clients. Issue the stratum keyword to specify the stratum value. As an option, issue the set_date_time_manually keyword to enable manual configuration of the date and time.
  • Sync_to_NTP_Servers_on_Internet. The VPN firewall synchronizes its clock with the specified NTP server or servers on the Internet. If external servers are unreachable, the VPN firewall does not use its RTC.
  • Sync_to_NTP_Servers_on_VPN. The VPN firewall synchronizes its clock with the specified NTP server on the VPN. If the server is unreachable, the VPN firewall does not use its RTC. Issue the vpn_policy keyword to specify a VPN policy that enables the VPN firewall to contact the NTP server on the VPN.
stratum | number | If the ntp_mode keyword is set to Authoritative_Mode, the stratum value. This value indicates the distance between the RTC of the VPN firewall and a reference clock.
set_date_time_manually | Y or N | Enables or disables manual configuration of the date and time. If you enable manual configuration, issue the ntp_hour, ntp_minutes, ntp_seconds, ntp_day, ntp_month, and ntp_year keywords to specify the date and time manually.
ntp_hour | hour | The hour in the format HH (00 to 24) for manual configuration.
ntp_minutes | minutes | The minutes in the format MM (00 to 59) for manual configuration.
ntp_seconds | seconds | The seconds in the format SS (00 to 59) for manual configuration.
ntp_day | day | The day in the format DD (00 to 31) for manual configuration.
ntp_month | month | The month in the format MM (01 to 12) for manual configuration.
ntp_year | year | The year in the format YYYY for manual configuration.
vpn_policy | vpn policy name | If the ntp_mode keyword is set to Sync_to_NTP_Servers_on_VPN, the name of the VPN policy that enables the VPN firewall to contact the NTP server on the VPN.
use_default_servers | Y or N | Enables or disables the use of default NTP servers.
configure_ntp_servers | Y or N | Enables or disables the use of custom NTP servers. If you enable the use of custom NTP servers, you need to specify the server IP addresses or domain names with the ntp_server1 and ntp_server2 keywords.
ntp_server1 | ipaddress or domain name | The IP address or domain name of the first custom NTP server.
ntp_server2 | ipaddress or domain name | The IP address or domain name of the second custom NTP server.
Table 11. Timezone keywords
GMT time and location
Note: Enter the keywords exactly as stated (you can use autocompletion keys). If
there are two locations for the same time zone, enter the location exactly as stated.
For example, either enter GMT-11:00::Samoa or enter GMT-10:00::Hawaii.
GMT::Greenwich-Mean-Time:Edinburgh,London
GMT-12:00::Eniwetok
GMT-12:00::Kwajalein
GMT-11:00::Midway_Island
GMT-11:00::Samoa
GMT-10:00::Hawaii
GMT-09:30::Marquesas_Is
GMT-09:00::Alaska
GMT-08:30::Pitcairn_Is
GMT-08:00::Pacific_Time-Canada
GMT-08:00::Pacific_Time-US
GMT-08:00::Tijuana
GMT-07:00::Mountain_Time-Canada
GMT-07:00::Mountain_Time-US
GMT-06:00::Central_Time-Canada
GMT-06:00::Central_Time-US
GMT-05:00::Eastern_Time-Canada
GMT-05:00::Eastern_Time-Lima
GMT-05:00::Eastern_Time-US
GMT-04:30::Caracas
GMT-04:00::Atlantic_Time-Canada
GMT-03:30::Newfoundland
GMT-03:00::Brasilia,Buenos_Aires
GMT-02:00::Mid-Atlantic
GMT-01:00::Azores
GMT-01:00::Cape_Verde_Is
GMT+01:00::Europe
GMT+02:00::Athens
GMT+02:00::Istanbul
GMT+02:00::Minsk
GMT+02:00::Cairo
GMT+03:00::Baghdad
GMT+03:00::Kuwait
GMT+03:00::Moscow
GMT+03:30::Tehran
GMT+04:00::Abu-Dhabi
GMT+04:00::Muscat
GMT+04:00::Baku
GMT+04:30::Kabul
GMT+05:00::Ekaterinburg
GMT+05:00::Islamabad
GMT+05:00::Karachi
GMT+05:30::Bombay,Calcutta,Madras,Delhi
GMT+05:30::Colombo
GMT+06:00::Almaty
GMT+06:00::Dhaka
GMT+06:30::Burma
GMT+07:00::Bangkok
GMT+07:00::Hanoi
GMT+07:00::Jakarta
GMT+08:00::Beijing,Chongqing,Hong_Kong
GMT+08:00::AWST-Perth
GMT+09:00::Osaka,Sapporo,Tokyo
GMT+09:00::Seoul
GMT+09:30::ACST-Adelaide
GMT+09:30::ACST-Darwin
GMT+09:30::ACST--Broken_Hill,NSW
GMT+10:00::AEST-Brisbane
GMT+10:00::Guam
GMT+10:00::Port_Moresby
GMT+10:00::AEST-Canberra
GMT+10:00::AEST-Melbourne
GMT+10:00::AEST-Sydney
GMT+10:00::AEST-Hobart
GMT+10:30::Lord_Howe_Is
GMT+11:00::Magadan
GMT+11:00::Solomon_Is
GMT+11:00::New_Caledonia
GMT+11:30::Norfolk_I
GMT+12:00::Auckland
GMT+12:00::Wellington
GMT+12:00::New_Zealand
GMT+12:00::Fiji
GMT+13:00::Tonga
GMT+14:00::Kiribati
Command example:
SRX5308> system time configure
system-config[time]> timezone GMT-08:00::Pacific_Time-US
system-config[time]> auto_daylight Y
system-config[time]> resolve_ipv6_address N
system-config[time]> ntp_mode Sync_to_NTP_Servers_on_Internet
system-config[time]> use_default_servers Y
system-config[time]> configure_ntp_servers N
system-config[time]> save
Related show command: show system time setup
WAN Traffic Meter Command
system traffic_meter configure <wan interface>
This command configures the traffic meter. After you have issued the system traffic_meter configure command to specify one of the four WAN interfaces (that is, WAN1, WAN2, WAN3, or WAN4), you enter the system-config [traffic-meter] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.

Step 1
Format: system traffic_meter configure {WAN1 | WAN2 | WAN3 | WAN4}
Mode: system

Step 2
Format:
enable {Y | N}
limit_type {Nolimit | Downloadonly | Directions}
monthly_limit <number>
increase_limit_enable {N | Y {increase_limit_by <number>}}
counter {RestartCounter | SpecificTime {day_of_month <day>} {time_hour <hour>} {time_meridian {AM | PM}} {time_minute <minute>}}
send_email_report {Y | N}
block_type {Block-all-traffic | Block-all-traffic-except-email}
send_email_alert {Y | N}
Mode: system-config [traffic-meter]

Keyword | Associated Keyword to Select or Parameter to Type | Description

Traffic meter configuration
enable | Y or N | Enables or disables the traffic meter.
limit_type | Nolimit, Downloadonly, or Directions | Specifies the type of traffic limit, if any:
  • Nolimit. There is no traffic limit.
  • Downloadonly. The traffic limit applies to downloaded traffic only.
  • Directions. The traffic limit applies to both downloaded and uploaded traffic.
monthly_limit | number | The monthly limit for the traffic meter in MB.
increase_limit_enable | Y or N | Enables or disables automatic increase of the limit after the meter has exceeded the configured limit. If you enable an automatic increase, issue the increase_limit_by keyword to specify the number of MB.
increase_limit_by | number | The number in MB to increase the configured limit of the traffic meter.

Traffic counter configuration
counter | SpecificTime or RestartCounter | Specifies how the traffic counter is restarted:
  • SpecificTime. Restarts the traffic counter on a specific day and time. You need to set the day_of_month, time_hour, time_meridian, and time_minute keywords and associated parameters.
  • RestartCounter. Restarts the traffic counter after you have saved the command.
day_of_month | day | The day in the format DD (01 to 31) that the traffic counter restarts. This keyword applies only if you have set the counter keyword to SpecificTime.
time_hour | hour | The hour in the format HH (00 to 12) that the traffic counter restarts. This keyword applies only if you have set the counter keyword to SpecificTime.
time_meridian | AM or PM | Specifies the meridiem for the hour that the traffic counter restarts. This keyword applies only if you have set the counter keyword to SpecificTime.
time_minute | minutes | The minutes in the format MM (00 to 59) that the traffic counter restarts. This keyword applies only if you have set the counter keyword to SpecificTime.
send_email_report | Y or N | Specifies whether or not an email report is sent when the traffic counter restarts.

Action when limit is reached
block_type | Block-all-traffic or Block-all-traffic-except-email | Specifies the type of traffic blocking after the meter has exceeded the configured limit.
send_email_alert | Y or N | Specifies whether or not an email alert is sent when the traffic limit is reached.
Command example:
SRX5308> system traffic_meter configure WAN1
system-config[traffic-meter]> enable Y
system-config[traffic-meter]> limit_type Downloadonly
system-config[traffic-meter]> monthly_limit 150000
system-config[traffic-meter]> increase_limit_enable Y
system-config[traffic-meter]> increase_limit_by 50000
system-config[traffic-meter]> counter SpecificTime
system-config[traffic-meter]> day_of_month 01
system-config[traffic-meter]> time_hour 00
system-config[traffic-meter]> time_meridian AM
system-config[traffic-meter]> time_minute 00
system-config[traffic-meter]> send_email_report Y
system-config[traffic-meter]> block_type Block-all-traffic-except-email
system-config[traffic-meter]> send_email_alert Y
system-config[traffic-meter]> save
Related show command: show system traffic_meter setup <wan interface>
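To make the meter semantics above concrete, here is an added Python model of one WAN interface's traffic meter, written for this page and not NETGEAR code, using the page's keywords and the values from the command example. The traffic samples, the once-per-period application of increase_limit_by, and the is_email flag standing in for the "except-email" exemption are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

LIMIT_TYPES = ("Nolimit", "Downloadonly", "Directions")
BLOCK_TYPES = ("Block-all-traffic", "Block-all-traffic-except-email")


@dataclass
class TrafficMeter:
    """Traffic meter state for one WAN interface; field names follow the CLI keywords."""
    enable: bool = True
    limit_type: str = "Downloadonly"
    monthly_limit: int = 150000            # MB, value from the page's example
    increase_limit_enable: bool = True
    increase_limit_by: int = 50000         # MB, value from the page's example
    block_type: str = "Block-all-traffic-except-email"
    send_email_alert: bool = True
    counted_mb: int = 0                    # traffic counted in the current period
    effective_limit: int = 0               # monthly_limit plus any automatic increase
    increased: bool = False                # assumption: the increase is applied once per period
    alerts: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.limit_type not in LIMIT_TYPES:
            raise ValueError(f"limit_type must be one of {LIMIT_TYPES}")
        if self.block_type not in BLOCK_TYPES:
            raise ValueError(f"block_type must be one of {BLOCK_TYPES}")
        self.restart_counter()

    def restart_counter(self) -> None:
        """Effect of 'counter RestartCounter' or of the SpecificTime schedule firing."""
        self.counted_mb = 0
        self.effective_limit = self.monthly_limit
        self.increased = False

    @property
    def limit_reached(self) -> bool:
        """True once the counted traffic exceeds the (possibly increased) limit."""
        if not self.enable or self.limit_type == "Nolimit":
            return False
        return self.counted_mb > self.effective_limit

    def record(self, download_mb: int, upload_mb: int) -> bool:
        """Account one traffic sample; returns True if the meter is over its limit afterwards."""
        if not self.enable or self.limit_type == "Nolimit":
            return False
        self.counted_mb += download_mb
        if self.limit_type == "Directions":  # Downloadonly ignores uploaded traffic
            self.counted_mb += upload_mb
        if (self.counted_mb > self.effective_limit
                and self.increase_limit_enable and not self.increased):
            self.effective_limit += self.increase_limit_by
            self.increased = True
        if self.limit_reached and self.send_email_alert and not self.alerts:
            self.alerts.append(f"traffic limit of {self.effective_limit} MB reached")
        return self.limit_reached

    def permits(self, is_email: bool) -> bool:
        """Whether a new flow passes under block_type; is_email marks the except-email exemption."""
        if not self.limit_reached:
            return True
        return self.block_type == "Block-all-traffic-except-email" and is_email


def run_period(limit_type: str, samples: List[Tuple[int, int]]) -> Tuple[int, int, bool, bool]:
    """Feed (download_mb, upload_mb) samples; return counted MB, effective limit, and
    whether a web flow and an email flow are still permitted at the end of the period."""
    meter = TrafficMeter(limit_type=limit_type)
    for download_mb, upload_mb in samples:
        meter.record(download_mb, upload_mb)
    return (meter.counted_mb, meter.effective_limit,
            meter.permits(is_email=False), meter.permits(is_email=True))


# Constructed traffic samples for one period, in MB (download, upload); not device data.
SAMPLES = [(100000, 80000), (60000, 10000), (50000, 5000)]

if __name__ == "__main__":
    for kind in LIMIT_TYPES:
        print(kind, run_period(kind, SAMPLES))
```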
Firewall Logs and Email Alerts Commands
system logging configure
This command configures routing logs for accepted and dropped IPv4 and IPv6 packets, selected system logs, and logs for other events. After you have issued the system logging configure command, you enter the system-config [logging-ipv4-ipv6] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.

Step 1
Format: system logging configure
Mode: system

Step 2
Format:
lan_wan_accept_packet_logs {Y | N}
lan_wan_drop_packet_logs {Y | N}
lan_dmz_accept_packet_logs {Y | N}
lan_dmz_drop_packet_logs {Y | N}
dmz_wan_accept_packet_logs {Y | N}
dmz_wan_drop_packet_logs {Y | N}
wan_lan_accept_packet_logs {Y | N}
wan_lan_drop_packet_logs {Y | N}
dmz_lan_accept_packet_logs {Y | N}
dmz_lan_drop_packet_logs {Y | N}
wan_dmz_accept_packet_logs {Y | N}
wan_dmz_drop_packet_logs {Y | N}
change_of_time_by_NTP_logs {Y | N}
login_attempts_logs {Y | N}
secure_login_attempts_logs {Y | N}
reboot_logs {Y | N}
unicast_traffic_logs {Y | N}
broadcast_or_multicast_traffic_logs {Y | N}
wan_status_logs {Y | N}
resolved_DNS_names_logs {Y | N}
vpn_logs {Y | N}
dhcp_server_logs {Y | N}
source_mac_filter_logs {Y | N}
session_limit_logs {Y | N}
bandwidth_limit_logs {Y | N}
Mode: system-config [logging-ipv4-ipv6]

Keyword | Associated Keyword to Select | Description

Routing logs
Each of the following keywords takes Y or N and enables or disables packet logging for the traffic direction and type of packet (accepted or dropped) that is defined in the keyword.
lan_wan_accept_packet_logs | Y or N
lan_wan_drop_packet_logs | Y or N
lan_dmz_accept_packet_logs | Y or N
lan_dmz_drop_packet_logs | Y or N
dmz_wan_accept_packet_logs | Y or N
dmz_wan_drop_packet_logs | Y or N
wan_lan_accept_packet_logs | Y or N
wan_lan_drop_packet_logs | Y or N
dmz_lan_accept_packet_logs | Y or N
dmz_lan_drop_packet_logs | Y or N
wan_dmz_accept_packet_logs | Y or N
wan_dmz_drop_packet_logs | Y or N

System logs
change_of_time_by_NTP_logs | Y or N | Enables or disables logging of time changes of the VPN firewall.
login_attempts_logs | Y or N | Enables or disables logging of login attempts.
secure_login_attempts_logs | Y or N | Enables or disables logging of secure login attempts.
reboot_logs | Y or N | Enables or disables logging of rebooting of the VPN firewall.
unicast_traffic_logs | Y or N | Enables or disables logging of unicast traffic.
broadcast_or_multicast_traffic_logs | Y or N | Enables or disables logging of broadcast and multicast traffic.
wan_status_logs | Y or N | Enables or disables logging of WAN link-status-related events.
resolved_DNS_names_logs | Y or N | Enables or disables logging of resolved DNS names.
vpn_logs | Y or N | Enables or disables logging of VPN negotiation messages.
dhcp_server_logs | Y or N | Enables or disables logging of DHCP server events.

Other event logs
source_mac_filter_logs | Y or N | Enables or disables logging of packets from MAC addresses that match the source MAC address filter settings.
session_limit_logs | Y or N | Enables or disables logging of packets that are dropped because the session limit has been exceeded.
bandwidth_limit_logs | Y or N | Enables or disables logging of packets that are dropped because the bandwidth limit has been exceeded.
Command example:
SRX5308> system logging configure
system-config[logging-ipv4-ipv6]> lan_wan_drop_packet_logs Y
system-config[logging-ipv4-ipv6]> wan_lan_drop_packet_logs Y
system-config[logging-ipv4-ipv6]> change_of_time_by_NTP_logs Y
system-config[logging-ipv4-ipv6]> secure_login_attempts_logs Y
system-config[logging-ipv4-ipv6]> reboot_logs Y
system-config[logging-ipv4-ipv6]> unicast_traffic_logs Y
system-config[logging-ipv4-ipv6]> bandwidth_limit_logs Y
system-config[logging-ipv4-ipv6]> save
Related show command: show system logging setup and show system logs
system logging remote configure
This command configures email logs and alerts, schedules email logs and alerts, and
configures a syslog server. After you have issued the system logging remote
configure command, you enter the system-config [logging-remote] mode, and then you
can configure one keyword and associated parameter or associated keyword at a time in the
order that you prefer.
Step 1
Format: system logging remote configure
Mode: system

Step 2
Format:
log_identifier <identifier>
email_logs_enable {Y | N}
email_server {ipaddress | domain name}
return_email <email address>
send_to_email <email address>
smtp_custom_port <number>
smtp_auth type {None | Plain {smtp_auth username <user name>} {smtp_auth password <password>} | CRAM-MD5 {smtp_auth username <user name>} {smtp_auth password <password>}}
identd_from_smtp_server_enable {Y | N}
schedule unit {Never | Hourly | Daily {schedule time {0:00 | 1:00 | 2:00 | 3:00 | 4:00 | 5:00 | 6:00 | 7:00 | 8:00 | 9:00 | 10:00 | 11:00}} {schedule meridiem {AM | PM}} | Weekly {schedule day {Sunday | Monday | Tuesday | Wednesday | Thursday | Friday | Saturday}} {schedule time {0:00 | 1:00 | 2:00 | 3:00 | 4:00 | 5:00 | 6:00 | 7:00 | 8:00 | 9:00 | 10:00 | 11:00}} {schedule meridiem {AM | PM}}}
syslog_server {ipaddress | domain name}
syslog_severity {LOG_EMERG | LOG_ALERT | LOG_CRITICAL | LOG_ERROR | LOG_WARNING | LOG_NOTICE | LOG_INFO | LOG_DEBUG}
Mode: system-config [logging-remote]

Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description

Log identifier
log_identifier | identifier | The log identifier (alphanumeric string).

Email log configuration
email_logs_enable | Y or N | Enables or disables emailing of logs.
email_server | ipaddress or domain name | The IP address or domain name of the SMTP server.
return_email | email address | The email address (alphanumeric string) to which the SMTP server replies are sent.
send_to_email | email address | The email address (alphanumeric string) to which the logs and alerts are sent.
smtp_custom_port | number | The port number of the SMTP server for the outgoing email. The default port number is 25.
smtp_auth type | None, Plain, or CRAM-MD5 | Specifies the type of authentication for the SMTP server. If you select Plain or CRAM-MD5, you also need to configure the smtp_auth username and smtp_auth password keywords and associated parameters.
smtp_auth username | user name | The user name for SMTP authentication if you have set the smtp_auth type keyword to Plain or CRAM-MD5.
smtp_auth password | password | The password for SMTP authentication if you have set the smtp_auth type keyword to Plain or CRAM-MD5.
identd_from_smtp_server_enable | Y or N | Allows or rejects Identd protocol messages from the SMTP server.

Email log schedule
schedule unit | Never, Hourly, Daily, or Weekly | Specifies the type of schedule for emailing logs and alerts:
  • If you select Never or Hourly, you do not need to further configure the schedule.
  • If you select Daily, you also need to configure the schedule time and schedule meridiem keywords and their associated keywords.
  • If you select Weekly, you also need to configure the schedule day, schedule time, and schedule meridiem keywords and their associated keywords.
schedule day | Sunday, Monday, Tuesday, Wednesday, Thursday, Friday, or Saturday | Specifies the scheduled day if you have set the schedule unit keyword to Weekly.
schedule time | 0:00, 1:00, 2:00, 3:00, 4:00, 5:00, 6:00, 7:00, 8:00, 9:00, 10:00, or 11:00 | Specifies the scheduled time if you have set the schedule unit keyword to Daily or Weekly.
schedule meridiem | AM or PM | Specifies the meridiem for the start time if you have set the schedule unit keyword to Daily or Weekly.

Syslog server
syslog_server | ipaddress or domain name | The IP address or domain name of the syslog server.
syslog_severity | LOG_EMERG, LOG_ALERT, LOG_CRITICAL, LOG_ERROR, LOG_WARNING, LOG_NOTICE, LOG_INFO, or LOG_DEBUG | Specifies the syslog severity level. The keywords are self-explanatory.
Note: All the logs with a severity that is equal to or above the severity that you specify are logged on the specified syslog server. For example, if you select LOG_CRITICAL as the severity, then the logs with the severities LOG_CRITICAL, LOG_ALERT, and LOG_EMERG are logged.
Command example:
SRX5308> system logging remote configure
system-config[logging-remote]> log_identifier SRX5308-Bld3
system-config[logging-remote]> email_logs_enable Y
system-config[logging-remote]> email_server SMTP.Netgear.com
system-config[logging-remote]> return_email [email protected]
system-config[logging-remote]> send_to_email [email protected]
system-config[logging-remote]> smtp_custom_port 2025
system-config[logging-remote]> smtp_auth type None
system-config[logging-remote]> schedule unit Weekly
system-config[logging-remote]> schedule day Sunday
system-config[logging-remote]> schedule time 00
system-config[logging-remote]> schedule meridiem AM
system-config[logging-remote]> syslog_server fe80::a0ca:f072:127f:b028%21
system-config[logging-remote]> syslog_severity LOG_EMERG
system-config[logging-remote]> save
Related show command: show system logging remote setup
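The severity note above is easy to get backwards (the command example sets LOG_EMERG, which forwards only emergency messages). The following added Python helper, written for this page and not NETGEAR code, maps the syslog_severity keywords onto the standard syslog numeric codes and shows which constructed syslog lines a collector would receive at a given threshold; the numeric mapping and the sample lines are assumptions.

```python
import re
from typing import Dict, Iterable, List, Tuple

# syslog_severity keyword -> syslog numeric severity (RFC 5424, table 2).
# Assumption: the firewall uses the standard order, so "above" means a smaller number.
SEVERITY: Dict[str, int] = {
    "LOG_EMERG": 0, "LOG_ALERT": 1, "LOG_CRITICAL": 2, "LOG_ERROR": 3,
    "LOG_WARNING": 4, "LOG_NOTICE": 5, "LOG_INFO": 6, "LOG_DEBUG": 7,
}
_PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line: str) -> Tuple[int, int]:
    """Split a syslog line's <PRI> prefix into (facility, severity); PRI = facility * 8 + severity."""
    match = _PRI_RE.match(line)
    if match is None:
        raise ValueError("syslog line has no <PRI> prefix")
    pri = int(match.group(1))
    if pri > 191:  # 23 facilities * 8 + 7 is the largest legal value
        raise ValueError(f"PRI {pri} out of range")
    return pri // 8, pri % 8


def is_forwarded(threshold: str, severity: int) -> bool:
    """Page rule: a message is sent when its severity is equal to or above the threshold."""
    if threshold not in SEVERITY:
        raise ValueError(f"unknown syslog_severity keyword {threshold!r}")
    return severity <= SEVERITY[threshold]


def forwarded_levels(threshold: str) -> List[str]:
    """Keywords a threshold lets through, most severe first (LOG_CRITICAL -> EMERG, ALERT, CRITICAL)."""
    return [name for name, code in SEVERITY.items() if is_forwarded(threshold, code)]


def filter_lines(threshold: str, lines: Iterable[str]) -> List[str]:
    """Return the lines a syslog server would receive at the given threshold."""
    return [line for line in lines if is_forwarded(threshold, decode_pri(line)[1])]


# Constructed lines in generic syslog shape (facility local0 = 16), using the page's log
# identifier SRX5308-Bld3 as hostname; the message texts are invented, not device output.
SAMPLE_LINES = [
    "<128>Jan 10 03:12:44 SRX5308-Bld3 system: emergency condition",        # severity 0
    "<130>Jan 10 03:13:01 SRX5308-Bld3 vpn: critical negotiation failure",  # severity 2
    "<131>Jan 10 03:13:05 SRX5308-Bld3 wan: WAN1 link down",                # severity 3
    "<134>Jan 10 03:13:09 SRX5308-Bld3 fw: LAN to WAN packet dropped",      # severity 6
]

if __name__ == "__main__":
    for threshold in ("LOG_EMERG", "LOG_CRITICAL", "LOG_DEBUG"):
        print(threshold, len(filter_lines(threshold, SAMPLE_LINES)), "of", len(SAMPLE_LINES))
```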
6. VPN Mode Configuration Commands

This chapter explains the configuration commands, keywords, and associated parameters in the vpn mode. The chapter includes the following sections:
• IPSec VPN Wizard Command
• IPSec IKE Policy Commands
• IPSec VPN Policy Commands
• IPSec VPN Mode Config Commands
• SSL VPN Portal Layout Commands
• SSL VPN Authentication Domain Commands
• SSL VPN Authentication Group Commands
• SSL VPN User Commands
• SSL VPN Port Forwarding Commands
• SSL VPN Client and Client Route Commands
• SSL VPN Resource Commands
• SSL VPN Policy Commands
• RADIUS Server Command
• PPTP Server Commands
• L2TP Server Commands

IMPORTANT: After you have issued a command that includes the word configure, add, or edit, you need to save (or cancel) your changes. For more information, see Save Commands on page 12.
IPSec VPN Wizard Command
vpn ipsec wizard configure <Gateway | VPN_Client>
This command configures the IPSec VPN wizard for a gateway-to-gateway or gateway-to-VPN client connection. After you have issued the vpn ipsec wizard configure command to specify the type of peer for which you want to configure the wizard, you enter the vpn-config [wizard] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.

Step 1
Format: vpn ipsec wizard configure {Gateway | VPN_Client}
Mode: vpn

Step 2
Format:
ip_version {IPv4 | IPv6}
conn_name <name>
preshared_key <key>
local_wan_interface {WAN1 | WAN2 | WAN3 | WAN4}
enable_rollover {N | Y {rollover_gateway {WAN1 | WAN2 | WAN3 | WAN4}}}
remote_wan_ipaddress {<ipaddress> | <ipv6-address> | <domain name>}
local_wan_ipaddress {<ipaddress> | <ipv6-address> | <domain name>}
remote_lan_ipaddress <ipaddress>
remote_lan_net_mask <subnet mask>
remote_lan_ipv6address <ipv6-address>
remote_lan_prefixLength <prefix length>
Mode: vpn-config [wizard]

Keyword | Associated Keyword to Select or Parameter to Type | Description
ip_version | IPv4 or IPv6 | Specifies the IP address version for both the local and remote endpoints:
  • IPv4. Both endpoints use IPv4 addresses. For the remote LAN IP address, you need to issue the remote_lan_ipaddress and remote_lan_net_mask keywords and specify the associated parameters.
  • IPv6. Both endpoints use IPv6 addresses. For the remote LAN IP address, you need to issue the remote_lan_ipv6address and remote_lan_prefixLength keywords and specify the associated parameters.
conn_name | connection name | The unique connection name (alphanumeric string).
preshared_key | key | The key (alphanumeric string) that needs to be entered on both peers.
local_wan_interface | WAN1, WAN2, WAN3, or WAN4 | Specifies the local WAN interface that the VPN tunnel uses as the local endpoint.
enable_rollover | Y or N | Enables or disables VPN rollover mode. If VPN rollover mode is enabled, you need to issue the rollover_gateway keyword to specify the WAN interface to which the VPN rollover should occur. Note: Rollover mode functions only when the IP version is IPv4.
rollover_gateway | WAN1, WAN2, WAN3, or WAN4 | If VPN rollover mode is enabled, specifies the WAN interface to which the rollover should occur.

Remote WAN and local WAN address information
remote_wan_ipaddress | ipaddress, ipv6-address, or domain name | Depending on the setting of the ip_version keyword, specifies an IPv4 or IPv6 remote WAN address. You can also specify a domain name.
local_wan_ipaddress | ipaddress, ipv6-address, or domain name | Depending on the setting of the ip_version keyword, specifies an IPv4 or IPv6 local WAN address. You can also specify a domain name.

Remote LAN IPv4 address information
remote_lan_ipaddress | ipaddress | The IPv4 remote LAN address when the ip_version keyword is set to IPv4.
remote_lan_net_mask | subnet mask | The IPv4 remote LAN subnet mask when the ip_version keyword is set to IPv4.

Remote LAN IPv6 address information
remote_lan_ipv6address | ipv6-address | The IPv6 remote LAN address when the ip_version keyword is set to IPv6.
remote_lan_prefixLength | prefix length | The IPv6 remote LAN prefix length when the ip_version keyword is set to IPv6.
Command example:
SRX5308> vpn ipsec wizard configure Gateway
vpn-config[wizard]> ip_version IPv6
vpn-config[wizard]> conn_name SRX5308-to-Peer44
vpn-config[wizard]> preshared_key 2%sgd55%[email protected]
vpn-config[wizard]> local_wan_interface WAN1
vpn-config[wizard]> enable_rollover N
vpn-config[wizard]> remote_wan_ipaddress peer44.com
vpn-config[wizard]> local_wan_ipaddress fe80::a8ab:bbff:fe00:2
vpn-config[wizard]> remote_lan_ipv6address fe80::a4bb:ffdd:fe01:2
vpn-config[wizard]> remote_lan_prefixLength 64
vpn-config[wizard]> save
Related show command: show vpn ipsec vpnpolicy setup, show vpn ipsec ikepolicy setup, and show
vpn ipsec vpnpolicy status
To display the VPN policy configuration that the wizard created through the vpn ipsec
wizard configure command, issue the show vpn ipsec vpnpolicy setup
command:
SRX5308> show vpn ipsec vpnpolicy setup
Status   Name               Type         IPSec Mode   Local                                   Remote                          Auth   Encr
_______  _________________  ___________  ___________  ______________________________________  ______________________________  _____  ____
Enabled  SRX5308-to-Peer44  Auto Policy  Tunnel Mode  2002:408b:36e4:a:a8ab:bbff:fe00:1 / 64  fe80::a4bb:ffdd:fe01:2 / 64     SHA-1  3DES
Enabled  SRX-to-Paris       Auto Policy  Tunnel Mode  192.168.1.0 / 255.255.255.0             192.168.50.0 / 255.255.255.255  SHA-1  3DES
To display the IKE policy configuration that the wizard created through the vpn ipsec
wizard configure command, issue the show vpn ipsec ikepolicy setup
command:
SRX5308> show vpn ipsec ikepolicy setup
List of IKE Policies
____________________
Name               Mode        Local ID                Remote ID      Encryption  Authentication  DH Group
_________________  __________  ______________________  _____________  __________  ______________  __________________
SRX5308-to-Peer44  main        fe80::a8ab:bbff:fe00:2  peer44.com     3DES        SHA-1           Group 2 (1024 bit)
SRX-to-Paris       main        10.139.54.228           10.112.71.154  3DES        SHA-1           Group 2 (1024 bit)
iphone             aggressive  10.139.54.228           0.0.0.0        AES-128     SHA-1           Group 2 (1024 bit)
IPSec IKE Policy Commands
vpn ipsec ikepolicy configure <ike policy name>
This command configures a new or existing manual IPSec IKE policy. After you have issued the vpn ipsec ikepolicy configure command to specify the name of a new or existing IKE policy, you enter the vpn-config [ike-policy] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.

Step 1
Format: vpn ipsec ikepolicy configure <ike policy name>
Mode: vpn

Step 2
Format:
enable_mode_config {N | Y {mode_config_record <record name>}}
direction_type {Initiator | Responder | Both}
exchange_mode {Main | Aggresive}
ip_version {IPv4 | IPv6}
select_local_gateway {WAN1 | WAN2 | WAN3 | WAN4}
local_ident_type {Local_Wan_IP | FQDN | User-FQDN | DER_ASN1_DN} {local_identifier <identifier>}
remote_ident_type {Remote_Wan_IP | FQDN | User-FQDN | DER_ASN1_DN} {remote_identifier <identifier>}
encryption_algorithm {DES | 3DES | AES_128 | AES_192 | AES_256}
auth_algorithm {MD5 | SHA-1}
auth_method {Pre_shared_key {pre_shared_key <key>} | RSA_Signature}
dh_group {Group1_768_bit | Group2_1024_bit | Group5_1536_bit}
lifetime <seconds>
enable_dead_peer_detection {N | Y {detection_period <seconds>} {reconnect_failure_count <number>}}
extended_authentication {None | IPSecHost {xauth_username <user name>} {xauth_password <password>} | EdgeDevice {extended_authentication_type {User-Database | RadiusPap | RadiusChap}}}
Mode: vpn-config [ike-policy]
Keyword | Associated Keyword to Select or Parameter to Type | Description

Mode Config record selection and general policy settings
enable_mode_config | Y or N | Specifies whether or not the IKE policy uses a Mode Config record.
mode_config_record | record name | If the enable_mode_config keyword is set to Y, specifies the Mode Config record that should be used. For information about configuring Mode Config records, see the vpn ipsec mode_config configure <record name> command.
direction_type | Initiator, Responder, or Both | Specifies the IKE direction type:
  • Initiator. The VPN firewall initiates the connection to the remote endpoint.
  • Responder. The VPN firewall responds only to an IKE request from the remote endpoint.
  • Both. The VPN firewall can both initiate a connection to the remote endpoint and respond to an IKE request from the remote endpoint.
exchange_mode | Main or Aggresive | Specifies the exchange mode:
  • Main. This mode is slower than the Aggressive mode but more secure.
  • Aggresive. This mode is faster than the Main mode but less secure. When the IKE policy uses a Mode Config record, the exchange mode needs to be set to Aggresive.
ip_version | IPv4 or IPv6 | If the local_ident_type and remote_ident_type keywords are set to Local_Wan_IP and Remote_Wan_IP, respectively, specifies the IP address version for both the local and remote endpoints:
  • IPv4. Both endpoints use IPv4 addresses. You need to specify IPv4 addresses for the local_identifier and remote_identifier keywords.
  • IPv6. Both endpoints use IPv6 addresses. You need to specify IPv6 addresses for the local_identifier and remote_identifier keywords.
select_local_gateway | WAN1, WAN2, WAN3, or WAN4 | Specifies the WAN interface for the local gateway.

Local and remote identifiers
local_ident_type | Local_Wan_IP, FQDN, User-FQDN, or DER_ASN1_DN | Specifies the ISAKMP identifier to be used by the VPN firewall:
  • Local_Wan_IP. The WAN IP address of the VPN firewall. The setting of the ip_version keyword determines if you need to specify an IPv4 or IPv6 address for the local_identifier keyword.
  • FQDN. The domain name for the VPN firewall.
  • User-FQDN. The email address for a local VPN client or the VPN firewall.
  • DER_ASN1_DN. A distinguished name (DN) that identifies the VPN firewall in the DER encoding and ASN.1 format.
local_identifier | identifier | The identifier of the VPN firewall. The setting of the local_ident_type and ip_version keywords determines the type of identifier that you need to specify.
remote_ident_type | Remote_Wan_IP, FQDN, User-FQDN, or DER_ASN1_DN | Specifies the ISAKMP identifier to be used by the remote endpoint:
  • Remote_Wan_IP. The WAN IP address of the remote endpoint. The setting of the ip_version keyword determines if you need to specify an IPv4 or IPv6 address for the remote_identifier keyword.
  • FQDN. The domain name for the remote endpoint.
  • User-FQDN. The email address for the remote VPN client or remote endpoint.
  • DER_ASN1_DN. A distinguished name (DN) that identifies the remote endpoint in the DER encoding and ASN.1 format.
remote_identifier | identifier | The identifier of the remote endpoint. The setting of the remote_ident_type and ip_version keywords determines the type of identifier that you need to specify.

IKE SA settings
encryption_algorithm | DES, 3DES, AES_128, AES_192, or AES_256 | Specifies the algorithm to negotiate the security association (SA):
  • DES. Data Encryption Standard (DES).
  • 3DES. Triple DES.
  • AES_128. Advanced Encryption Standard (AES) with a 128-bit key size.
  • AES_192. AES with a 192-bit key size.
  • AES_256. AES with a 256-bit key size.
auth_algorithm | MD5 or SHA-1 | Specifies the algorithm to be used in the VPN header for the authentication process:
  • SHA-1. Hash algorithm that produces a 160-bit digest.
  • MD5. Hash algorithm that produces a 128-bit digest.
auth_method | Pre_shared_key or RSA_Signature | Specifies the authentication method:
  • Pre_shared_key. A secret that is shared between the VPN firewall and the remote endpoint. You also need to issue the pre_shared_key keyword and specify the key.
  • RSA_Signature. Uses the active self-signed certificate that you uploaded on the Certificates screen of the web management interface. Note: You cannot upload certificates by using the CLI.
pre_shared_key | key | If the auth_method keyword is set to Pre_shared_key, specifies a key with a minimum length of 8 characters and no more than 49 characters.
dh_group | Group1_768_bit, Group2_1024_bit, or Group5_1536_bit | Specifies the Diffie-Hellman (DH) group, which sets the strength of the algorithm in bits. The higher the group, the more secure the exchange.
lifetime | seconds | The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying occurs.
enable_dead_peer_detection | Y or N | Enables or disables dead peer detection (DPD). When DPD is enabled, you also need to issue the detection_period and reconnect_failure_count keywords and associated parameters.
detection_period | seconds | The period in seconds between consecutive DPD R-U-THERE messages, which are sent only when the IPSec traffic is idle.
reconnect_failure_count | number | The maximum number of DPD failures before the VPN firewall tears down the connection and then attempts to reconnect to the peer.

Extended authentication settings
extended_authentication | None, IPSecHost, or EdgeDevice | Specifies whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
  • None. XAUTH is disabled. This is the default setting.
  • IPSecHost. The VPN firewall functions as a VPN client of the remote gateway. In this configuration the VPN firewall is authenticated by a remote gateway. You need to issue the xauth_username and xauth_password keywords and specify the associated parameters.
  • EdgeDevice. The VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate. You need to issue the extended_authentication_type keyword and select an associated keyword.
extended_authentication_type | User-Database, RadiusPap, or RadiusChap | If the extended_authentication keyword is set to EdgeDevice, specifies the authentication type:
  • User-Database. XAUTH occurs through the VPN firewall’s user database.
  • RadiusPap. XAUTH occurs through RADIUS Password Authentication Protocol (PAP).
  • RadiusChap. XAUTH occurs through RADIUS Challenge Handshake Authentication Protocol (CHAP).
  Note: For information about how to configure a RADIUS server for authentication of VPN connections, see RADIUS Server Command.
xauth_username | user name | If the extended_authentication keyword is set to IPSecHost, specifies a user name.
xauth_password | password | If the extended_authentication keyword is set to IPSecHost, specifies a password.
Command example:
SRX5308> vpn ipsec ikepolicy configure SRX-to-Paris
vpn-config[ike-policy]> enable_mode_config N
vpn-config[ike-policy]> direction_type Both
vpn-config[ike-policy]> exchange_mode Main
vpn-config[ike-policy]> ip_version ipv4
vpn-config[ike-policy]> select_local_gateway WAN1
vpn-config[ike-policy]> local_ident_type Local_Wan_IP
vpn-config[ike-policy]> local_identifier 10.139.54.228
vpn-config[ike-policy]> remote_ident_type Remote_Wan_IP
vpn-config[ike-policy]> remote_identifier 10.112.71.154
vpn-config[ike-policy]> encryption_algorithm 3DES
vpn-config[ike-policy]> auth_algorithm SHA-1
vpn-config[ike-policy]> auth_method Pre_shared_key
vpn-config[ike-policy]> pre_shared_key 3Tg67!JXL0Oo?
vpn-config[ike-policy]> dh_group Group2_1024_bit
vpn-config[ike-policy]> lifetime 28800
vpn-config[ike-policy]> enable_dead_peer_detection Y
vpn-config[ike-policy]> detection_period 20
vpn-config[ike-policy]> reconnect_failure_count 3
vpn-config[ike-policy]> extended_authentication EdgeDevice
vpn-config[ike-policy]> extended_authentication_type RadiusChap
vpn-config[ike-policy]> save
Related show command: show vpn ipsec ikepolicy setup
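The dependency rules scattered through the table above (Mode Config needs Aggresive exchange mode, Local_Wan_IP identifiers must match ip_version, a pre-shared key is 8 to 49 characters, DPD and XAUTH need their companion keywords) are worth checking before a policy is saved. Here is an added Python validator, written for this page and not NETGEAR code, that applies them to keyword/value pairs as typed in vpn-config [ike-policy] mode, using the SRX-to-Paris command example as input; the warning list and the case-insensitive handling of ip_version are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Allowed associated keywords, spelled as in the CLI format (including Aggresive).
EXCHANGE_MODES = {"Main", "Aggresive"}
DIRECTIONS = {"Initiator", "Responder", "Both"}
ENCRYPTION = {"DES", "3DES", "AES_128", "AES_192", "AES_256"}
AUTH_ALG = {"MD5", "SHA-1"}
DH_GROUPS = {"Group1_768_bit", "Group2_1024_bit", "Group5_1536_bit"}
XAUTH_TYPES = {"User-Database", "RadiusPap", "RadiusChap"}
NAME_IDENTS = {"FQDN", "User-FQDN", "DER_ASN1_DN"}


def _is_ip_of_version(value: str, version: str) -> bool:
    """True if value parses as an address of the given version ("ipv4" or "ipv6")."""
    try:
        return ipaddress.ip_address(value).version == (4 if version == "ipv4" else 6)
    except ValueError:
        return False


def validate_ike_policy(p: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Apply the page's dependency rules to {keyword: value}; return (errors, warnings)."""
    errors: List[str] = []
    warnings: List[str] = []

    def need(key: str, allowed=None) -> str:
        value = p.get(key)
        if value is None:
            errors.append(f"{key} is required")
        elif allowed is not None and value not in allowed:
            errors.append(f"{key} must be one of {sorted(allowed)}, got {value!r}")
        return value or ""

    need("direction_type", DIRECTIONS)
    exchange = need("exchange_mode", EXCHANGE_MODES)
    version = need("ip_version").lower()  # assumption: the page's example types ipv4 in lower case
    if version not in ("ipv4", "ipv6"):
        errors.append("ip_version must be IPv4 or IPv6")
    need("select_local_gateway", {"WAN1", "WAN2", "WAN3", "WAN4"})

    # Mode Config: needs a record name, and the page requires Aggressive exchange mode.
    if p.get("enable_mode_config") == "Y":
        need("mode_config_record")
        if exchange != "Aggresive":
            errors.append("enable_mode_config Y requires exchange_mode Aggresive")

    # Local_Wan_IP / Remote_Wan_IP identifiers must be addresses of the configured version.
    for side, wan_type in (("local", "Local_Wan_IP"), ("remote", "Remote_Wan_IP")):
        ident_type = need(f"{side}_ident_type", NAME_IDENTS | {wan_type})
        ident = need(f"{side}_identifier")
        if ident_type == wan_type and ident and not _is_ip_of_version(ident, version):
            errors.append(f"{side}_identifier {ident!r} is not an {version.upper()} address")

    need("encryption_algorithm", ENCRYPTION)
    need("auth_algorithm", AUTH_ALG)
    need("dh_group", DH_GROUPS)
    if need("auth_method", {"Pre_shared_key", "RSA_Signature"}) == "Pre_shared_key":
        key = need("pre_shared_key")
        if key and not 8 <= len(key) <= 49:
            errors.append("pre_shared_key must be 8 to 49 characters")
    if not p.get("lifetime", "").isdigit() or int(p["lifetime"]) == 0:
        errors.append("lifetime must be a positive number of seconds")

    if p.get("enable_dead_peer_detection") == "Y":
        for key in ("detection_period", "reconnect_failure_count"):
            if not p.get(key, "").isdigit():
                errors.append(f"DPD is enabled, so {key} must be a number")

    xauth = need("extended_authentication", {"None", "IPSecHost", "EdgeDevice"})
    if xauth == "IPSecHost":
        need("xauth_username")
        need("xauth_password")
    elif xauth == "EdgeDevice":
        need("extended_authentication_type", XAUTH_TYPES)

    # Strength remarks: the page rates Aggressive below Main and higher DH groups as stronger;
    # DES and MD5 are flagged on their own well-known weakness (assumption, not a page rule).
    if exchange == "Aggresive":
        warnings.append("Aggressive exchange mode is less secure than Main")
    if p.get("dh_group") == "Group1_768_bit":
        warnings.append("Group1_768_bit is the weakest DH group offered")
    if p.get("encryption_algorithm") == "DES":
        warnings.append("DES uses a 56-bit key; prefer AES")
    if p.get("auth_algorithm") == "MD5":
        warnings.append("MD5 is cryptographically broken; prefer SHA-1")
    return errors, warnings


# The page's SRX-to-Paris command example as keyword/value pairs.
EXAMPLE_POLICY = {
    "enable_mode_config": "N", "direction_type": "Both", "exchange_mode": "Main",
    "ip_version": "ipv4", "select_local_gateway": "WAN1",
    "local_ident_type": "Local_Wan_IP", "local_identifier": "10.139.54.228",
    "remote_ident_type": "Remote_Wan_IP", "remote_identifier": "10.112.71.154",
    "encryption_algorithm": "3DES", "auth_algorithm": "SHA-1",
    "auth_method": "Pre_shared_key", "pre_shared_key": "3Tg67!JXL0Oo?",
    "dh_group": "Group2_1024_bit", "lifetime": "28800",
    "enable_dead_peer_detection": "Y", "detection_period": "20", "reconnect_failure_count": "3",
    "extended_authentication": "EdgeDevice", "extended_authentication_type": "RadiusChap",
}
```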
vpn ipsec ikepolicy delete <ike policy name>
This command deletes an IKE policy by specifying the name of the IKE policy.
Format
vpn ipsec ikepolicy delete <ike policy name>
Mode
vpn
Related show command: show vpn ipsec ikepolicy setup
IPSec VPN Policy Commands
vpn ipsec vpnpolicy configure <vpn policy name>
This command configures a new or existing auto IPSec VPN policy or manual IPSec VPN
policy. After you have issued the vpn ipsec vpnpolicy configure command to specify the
name of a new or existing VPN policy, you enter the vpn-config [vpn-policy] mode, and then
you can configure one keyword with its associated parameter or associated keyword at a
time, in the order that you prefer.
Step 1
Format
vpn ipsec vpnpolicy configure <vpn policy name>
Mode
vpn
Step 2
Format
general_policy_type {Auto-Policy | Manual-Policy}
general_ip_version {IPv4 | IPv6}
general_select_local_gateway {WAN1 | WAN2 | WAN3 | WAN4}
general_remote_end_point_type {FQDN {general_remote_end_point
fqdn <domain name> | IP-Address {general_remote_end_point
ip_address <ipaddress> | {general_remote_end_point
ipv6_address <ipv6-address>}}
general_enable_netbios {N | Y}
general_enable_rollover {N | Y {general_rollover_gateway {WAN1 |
WAN2 | WAN3 | WAN4}}
general_enable_auto_initiate_policy {N | Y}
general_enable_keep_alive {N | Y {general_ping_ipaddress
<ipaddress> | {general_ping_ipaddress6 <ipv6-address>}
{general_keep_alive_detection_period <seconds>}
{general_keep_alive_failure_count <number>}}
general_local_network_type {ANY | SINGLE
{general_local_start_address <ipaddress> |
general_local_start_address_ipv6 <ipv6-address>} | RANGE
{{general_local_start_address <ipaddress>}
{general_local_end_address <ipaddress>} |
{general_local_start_address_ipv6 <ipv6-address>}
{general_local_end_address_ipv6 <ipv6-address>}} | SUBNET
{{general_local_start_address <ipaddress>}
{general_local_subnet_mask <subnet mask>} |
{general_local_start_address_ipv6 <ipv6-address>}
{general_local_ipv6_prefix_length <prefix length>}}}
general_remote_network_type {ANY | SINGLE
{general_remote_start_address <ipaddress> |
general_remote_start_address_ipv6 <ipv6-address>} | RANGE
{{general_remote_start_address <ipaddress>}
{general_remote_end_address <ipaddress>} |
{general_remote_start_address_ipv6 <ipv6-address>}
{general_remote_end_address_ipv6 <ipv6-address>}} | SUBNET
{{general_remote_start_address <ipaddress>}
{general_remote_subnet_mask <subnet mask>} |
{general_remote_start_address_ipv6 <ipv6-address>}
{general_remote_ipv6_prefix_length <prefix length>}}}
manual_spi_in <number>
manual_encryption_algorithm {None | DES | 3DES | AES-128 |
AES-192 | AES-256}
manual_encryption_key_in <key>
manual_encryption_key_out <key>
manual_spi_out <number>
manual_authentication_algorithm {MD5 | SHA-1}
manual_authentication_key_in <key>
manual_authentication_key_out <key>
auto_sa_lifetime {Kbytes <number> | {seconds <seconds>}
auto_encryption_algorithm {None | DES | 3DES | AES-128 |
AES-192 | AES-256}
auto_authentication_algorithm {MD5 | SHA-1}
auto_enable_pfskeygroup {N | Y {auto_dh_group {Group1_768_bit |
Group2_1024_bit | Group5_1536_bit}}}
auto_select_ike_policy <ike policy name>
Mode
vpn-config [vpn-policy]
Each entry lists the keyword (which might consist of two separate words) with the associated keyword to select or parameter to type, followed by its description.

General policy settings

general_policy_type {Auto-Policy | Manual-Policy}
    Specifies whether the policy is an auto or manual VPN policy:
    • Auto-Policy. The inbound and outbound policy settings for the VPN tunnel are generated automatically after you have issued the keywords and associated parameters that are listed in the Auto policy settings section of this table. All other VPN policy settings need to be specified manually.
    • Manual-Policy. All settings need to be specified manually, excluding the ones in the Auto policy settings section of this table.

general_ip_version {IPv4 | IPv6}
    Specifies the IP address version for the remote endpoint (when the general_remote_end_point_type keyword is set to IP-Address), for the local address information, and for the remote address information:
    • IPv4. Requires IPv4 addresses for the general_remote_end_point ip_address, general_local_start_address, general_local_end_address, general_remote_start_address, and general_remote_end_address keywords.
    • IPv6. Requires IPv6 addresses for the general_remote_end_point ipv6_address, general_local_start_address_ipv6, general_local_end_address_ipv6, general_remote_start_address_ipv6, and general_remote_end_address_ipv6 keywords.

general_select_local_gateway {WAN1 | WAN2 | WAN3 | WAN4}
    Specifies the local WAN interface that the VPN tunnel uses as the local endpoint.

general_remote_end_point_type {IP-Address | FQDN}
    Specifies whether the remote endpoint is defined by an IP address or by a domain name:
    • IP-Address. Depending on the setting of the general_ip_version keyword, issue either the general_remote_end_point ip_address keyword with an IPv4 address or the general_remote_end_point ipv6_address keyword with an IPv6 address.
    • FQDN. Issue the general_remote_end_point fqdn keyword and specify a domain name.

general_remote_end_point fqdn <domain name>
    If the general_remote_end_point_type keyword is set to FQDN, the domain name (FQDN) of the remote endpoint.

general_remote_end_point ip_address <ipaddress>
    If the general_remote_end_point_type keyword is set to IP-Address and the general_ip_version keyword is set to IPv4, the IPv4 address of the remote endpoint.

general_remote_end_point ipv6_address <ipv6-address>
    If the general_remote_end_point_type keyword is set to IP-Address and the general_ip_version keyword is set to IPv6, the IPv6 address of the remote endpoint.

general_enable_netbios {Y | N}
    Enables or disables NetBIOS broadcasts over the VPN tunnel.

general_enable_rollover {Y | N}
    Enables or disables VPN rollover mode. If VPN rollover mode is enabled, you need to issue the general_rollover_gateway keyword to specify the WAN interface to which the VPN rollover should occur.
    Note: Rollover mode functions only when the IP version is IPv4.

general_rollover_gateway {WAN1 | WAN2 | WAN3 | WAN4}
    If VPN rollover mode is enabled, specifies the WAN interface to which the rollover should occur.

general_enable_auto_initiate_policy {Y | N}
    Enables or disables automatic establishment of the VPN tunnel when there is no traffic.
    Note: You cannot enable automatic establishment of the VPN tunnel if the direction_type keyword under the vpn ipsec ikepolicy configure <ike policy name> command is set to Responder.

general_enable_keep_alive {Y | N}
    Enables or disables sending keep-alive requests (ping packets) to the remote endpoint to keep the tunnel up. If you enable keep-alives, you also need to issue the following keywords:
    • Either general_ping_ipaddress to specify an IPv4 address or general_ping_ipaddress6 to specify an IPv6 address.
    • general_keep_alive_detection_period to specify the detection period.
    • general_keep_alive_failure_count to specify the failure count.

general_ping_ipaddress <ipaddress>
    The IPv4 address to send keep-alive requests to.

general_ping_ipaddress6 <ipv6-address>
    The IPv6 address to send keep-alive requests to.

general_keep_alive_detection_period <seconds>
    The period in seconds between consecutive keep-alive requests, which are sent only when the IPSec traffic is idle.

general_keep_alive_failure_count <number>
    The maximum number of keep-alive request failures before the VPN firewall tears down the connection and then attempts to reconnect to the peer.

Traffic selector settings—Local address information

general_local_network_type {ANY | SINGLE | RANGE | SUBNET}
    Specifies the address or addresses on the VPN firewall side that are part of the VPN tunnel:
    • ANY. All computers and devices on the network.
    • SINGLE. A single IP address on the network. Depending on the setting of the general_ip_version keyword, issue general_local_start_address to specify an IPv4 address or general_local_start_address_ipv6 to specify an IPv6 address.
    • RANGE. A range of IP addresses on the network. Depending on the setting of the general_ip_version keyword, issue general_local_start_address and general_local_end_address to specify IPv4 addresses, or general_local_start_address_ipv6 and general_local_end_address_ipv6 to specify IPv6 addresses.
    • SUBNET. A subnet on the network. Depending on the setting of the general_ip_version keyword, issue general_local_start_address and general_local_subnet_mask to specify an IPv4 address and subnet mask, or general_local_start_address_ipv6 and general_local_ipv6_prefix_length to specify an IPv6 address and prefix length.

general_local_start_address <ipaddress>
    If the general_local_network_type keyword is set to SINGLE, RANGE, or SUBNET and the general_ip_version keyword is set to IPv4, specifies the local IPv4 (start) address.

general_local_end_address <ipaddress>
    If the general_local_network_type keyword is set to RANGE and the general_ip_version keyword is set to IPv4, specifies the local IPv4 end address.

general_local_subnet_mask <subnet mask>
    If the general_local_network_type keyword is set to SUBNET and the general_ip_version keyword is set to IPv4, specifies the local subnet mask.

general_local_start_address_ipv6 <ipv6-address>
    If the general_local_network_type keyword is set to SINGLE, RANGE, or SUBNET and the general_ip_version keyword is set to IPv6, specifies the local IPv6 (start) address.

general_local_end_address_ipv6 <ipv6-address>
    If the general_local_network_type keyword is set to RANGE and the general_ip_version keyword is set to IPv6, specifies the local IPv6 end address.

general_local_ipv6_prefix_length <prefix length>
    If the general_local_network_type keyword is set to SUBNET and the general_ip_version keyword is set to IPv6, specifies the local prefix length.

Traffic selector settings—Remote address information

general_remote_network_type {ANY | SINGLE | RANGE | SUBNET}
    Specifies the address or addresses on the remote side that are part of the VPN tunnel:
    • ANY. All computers and devices on the network.
    • SINGLE. A single IP address on the network. Depending on the setting of the general_ip_version keyword, issue general_remote_start_address to specify an IPv4 address or general_remote_start_address_ipv6 to specify an IPv6 address.
    • RANGE. A range of IP addresses on the network. Depending on the setting of the general_ip_version keyword, issue general_remote_start_address and general_remote_end_address to specify IPv4 addresses, or general_remote_start_address_ipv6 and general_remote_end_address_ipv6 to specify IPv6 addresses.
    • SUBNET. A subnet on the network. Depending on the setting of the general_ip_version keyword, issue general_remote_start_address and general_remote_subnet_mask to specify an IPv4 address and subnet mask, or general_remote_start_address_ipv6 and general_remote_ipv6_prefix_length to specify an IPv6 address and prefix length.

general_remote_start_address <ipaddress>
    If the general_remote_network_type keyword is set to SINGLE, RANGE, or SUBNET and the general_ip_version keyword is set to IPv4, specifies the remote IPv4 (start) address.

general_remote_end_address <ipaddress>
    If the general_remote_network_type keyword is set to RANGE and the general_ip_version keyword is set to IPv4, specifies the remote IPv4 end address.

general_remote_subnet_mask <subnet mask>
    If the general_remote_network_type keyword is set to SUBNET and the general_ip_version keyword is set to IPv4, specifies the remote subnet mask.

general_remote_start_address_ipv6 <ipv6-address>
    If the general_remote_network_type keyword is set to SINGLE, RANGE, or SUBNET and the general_ip_version keyword is set to IPv6, specifies the remote IPv6 (start) address.

general_remote_end_address_ipv6 <ipv6-address>
    If the general_remote_network_type keyword is set to RANGE and the general_ip_version keyword is set to IPv6, specifies the remote IPv6 end address.

general_remote_ipv6_prefix_length <prefix length>
    If the general_remote_network_type keyword is set to SUBNET and the general_ip_version keyword is set to IPv6, specifies the remote prefix length.

Manual policy settings—Inbound policy

manual_spi_in <number>
    The Security Parameter Index (SPI) for the inbound policy as a hexadecimal value between 3 and 8 characters.

manual_encryption_algorithm {None | DES | 3DES | AES-128 | AES-192 | AES-256}
    Specifies the encryption algorithm, if any, that the security association (SA) uses:
    • None. No encryption; the payload is authenticated but sent in the clear.
    • DES. Data Encryption Standard (DES).
    • 3DES. Triple DES.
    • AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
    • AES-192. AES with a 192-bit key size.
    • AES-256. AES with a 256-bit key size.

manual_encryption_key_in <key>
    The encryption key for the inbound policy. The required key length depends on the setting of the manual_encryption_algorithm keyword.

manual_encryption_key_out <key>
    The encryption key for the outbound policy. The required key length depends on the setting of the manual_encryption_algorithm keyword.

Manual policy settings—Outbound policy

manual_spi_out <number>
    The Security Parameter Index (SPI) for the outbound policy as a hexadecimal value between 3 and 8 characters.

manual_authentication_algorithm {MD5 | SHA-1}
    Specifies the authentication (integrity) algorithm for the security association (SA):
    • SHA-1. Hash algorithm that produces a 160-bit digest.
    • MD5. Hash algorithm that produces a 128-bit digest.

manual_authentication_key_in <key>
    The authentication key for the inbound policy. The required key length depends on the setting of the manual_authentication_algorithm keyword.

manual_authentication_key_out <key>
    The authentication key for the outbound policy. The required key length depends on the setting of the manual_authentication_algorithm keyword.

Auto policy settings

auto_sa_lifetime {Kbytes <number> | seconds <seconds>}
    The lifetime of the security association (SA) is the period or the amount of transmitted data after which the SA becomes invalid and needs to be renegotiated. Either issue the auto_sa_lifetime Kbytes keywords and specify the number of kilobytes, or issue the auto_sa_lifetime seconds keywords and specify the period in seconds.

auto_encryption_algorithm {None | DES | 3DES | AES-128 | AES-192 | AES-256}
    Specifies the encryption algorithm, if any, to negotiate for the security association (SA):
    • None. No encryption; the payload is authenticated but sent in the clear.
    • DES. Data Encryption Standard (DES).
    • 3DES. Triple DES.
    • AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
    • AES-192. AES with a 192-bit key size.
    • AES-256. AES with a 256-bit key size.

auto_authentication_algorithm {MD5 | SHA-1}
    Specifies the authentication (integrity) algorithm to negotiate for the security association (SA):
    • SHA-1. Hash algorithm that produces a 160-bit digest.
    • MD5. Hash algorithm that produces a 128-bit digest.

auto_enable_pfskeygroup {Y | N}
    Enables or disables Perfect Forward Secrecy (PFS). If you enable PFS, you need to issue the auto_dh_group keyword to specify a group.

auto_dh_group {Group1_768_bit | Group2_1024_bit | Group5_1536_bit}
    Specifies the Diffie-Hellman (DH) group, which sets the size of the DH modulus in bits. The higher the group, the stronger the key exchange.

auto_select_ike_policy <ike policy name>
    Selects an existing IKE policy that defines the authentication negotiation (IKE phase 1) for this VPN policy.
Command example:
SRX5308> vpn ipsec vpnpolicy configure SRX-to-Paris
vpn-config[vpn-policy]> general_policy_type Auto-Policy
vpn-config[vpn-policy]> general_ip_version IPv4
vpn-config[vpn-policy]> general_select_local_gateway WAN1
vpn-config[vpn-policy]> general_enable_rollover Y
vpn-config[vpn-policy]> general_rollover_gateway WAN2
vpn-config[vpn-policy]> general_remote_end_point_type IP-Address
vpn-config[vpn-policy]> general_remote_end_point ip_address 10.112.71.154
vpn-config[vpn-policy]> general_local_network_type SUBNET
vpn-config[vpn-policy]> general_local_start_address 192.168.1.0
vpn-config[vpn-policy]> general_local_subnet_mask 255.255.255.0
vpn-config[vpn-policy]> general_remote_network_type SUBNET
vpn-config[vpn-policy]> general_remote_start_address 192.168.50.0
vpn-config[vpn-policy]> general_remote_subnet_mask 255.255.255.0
vpn-config[vpn-policy]> auto_sa_lifetime seconds 3600
vpn-config[vpn-policy]> auto_encryption_algorithm 3DES
vpn-config[vpn-policy]> auto_authentication_algorithm SHA-1
vpn-config[vpn-policy]> auto_select_ike_policy SRX-to-Paris
vpn-config[vpn-policy]> save
Related show command: show vpn ipsec vpnpolicy setup and show vpn ipsec vpnpolicy status
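A manual IPSec policy is only as strong as the SPIs and keys typed into the manual_* keywords above, and the table says only that the key length depends on the algorithm. The following Python script is an added example, not part of this manual or of NETGEAR's firmware: it validates a Manual-Policy keyword set against the constraints in the table (3 to 8 hexadecimal characters per SPI, a key length that matches the algorithm), flags legacy choices, generates fresh random keys with the secrets module, and derives the mirrored keyword set the remote peer needs (its inbound SPI and keys are our outbound ones). The per-algorithm key lengths in characters (DES 8, 3DES 24, AES-128 16, AES-192 24, AES-256 32, MD5 16, SHA-1 20) and the BAD_POLICY sample are assumptions constructed for this example.

```python
"""Added example (not NETGEAR code): validate, generate, and mirror the
manual-keying keywords of a "vpn ipsec vpnpolicy configure" Manual-Policy."""
import re
import secrets
import string

# Key length in characters per algorithm keyword.  Assumption for this
# example: one character per key byte, which is what "the length of the key
# depends on the algorithm" in the manual's table implies.
ENCRYPTION_KEY_LEN = {"None": 0, "DES": 8, "3DES": 24,
                      "AES-128": 16, "AES-192": 24, "AES-256": 32}
AUTH_KEY_LEN = {"MD5": 16, "SHA-1": 20}
SPI_RE = re.compile(r"^[0-9A-Fa-f]{3,8}$")   # "hexadecimal value, 3 to 8 characters"

# Constructed bad keyword set used to exercise the checks below.
BAD_POLICY = {
    "manual_spi_in": "12",                  # too short
    "manual_spi_out": "0x1a2b",             # "x" is not a hex digit
    "manual_encryption_algorithm": "DES",
    "manual_encryption_key_in": "secret",   # 6 characters, DES needs 8
    "manual_encryption_key_out": "secret",  # same key in both directions
    "manual_authentication_algorithm": "MD5",
    "manual_authentication_key_in": "0123456789abcdef",
    "manual_authentication_key_out": "0123456789abcdef",
}


def check_manual_policy(policy):
    """Return a list of problems in a Manual-Policy keyword set; empty means OK."""
    problems = []
    for spi_key in ("manual_spi_in", "manual_spi_out"):
        spi = policy.get(spi_key, "")
        if not SPI_RE.match(spi):
            problems.append(f"{spi_key} {spi!r}: SPI must be 3 to 8 hexadecimal characters")
    enc = policy.get("manual_encryption_algorithm", "None")
    if enc not in ENCRYPTION_KEY_LEN:
        problems.append(f"manual_encryption_algorithm {enc!r}: unknown algorithm")
    else:
        if enc == "None":
            problems.append("manual_encryption_algorithm None: payload is authenticated but sent in clear")
        elif enc in ("DES", "3DES"):
            problems.append(f"manual_encryption_algorithm {enc}: 64-bit block cipher; use AES-128 or stronger")
        for key_name in ("manual_encryption_key_in", "manual_encryption_key_out"):
            got = len(policy.get(key_name, ""))
            if got != ENCRYPTION_KEY_LEN[enc]:
                problems.append(f"{key_name}: {enc} needs {ENCRYPTION_KEY_LEN[enc]} characters, got {got}")
    auth = policy.get("manual_authentication_algorithm", "")
    if auth not in AUTH_KEY_LEN:
        problems.append(f"manual_authentication_algorithm {auth!r}: unknown algorithm")
    else:
        if auth == "MD5":
            problems.append("manual_authentication_algorithm MD5: use SHA-1, the strongest option this CLI offers")
        for key_name in ("manual_authentication_key_in", "manual_authentication_key_out"):
            got = len(policy.get(key_name, ""))
            if got != AUTH_KEY_LEN[auth]:
                problems.append(f"{key_name}: {auth} needs {AUTH_KEY_LEN[auth]} characters, got {got}")
    # One key per direction: a shared key means one compromised direction exposes both.
    for kind in ("encryption", "authentication"):
        key_in = policy.get(f"manual_{kind}_key_in")
        if key_in and key_in == policy.get(f"manual_{kind}_key_out"):
            problems.append(f"manual_{kind}_key_in equals manual_{kind}_key_out: use a distinct key per direction")
    return problems


def generate_manual_keys(enc="AES-256", auth="SHA-1"):
    """Fresh random SPIs and keys of the right length for the local policy."""
    alphabet = string.ascii_letters + string.digits

    def key(length):
        return "".join(secrets.choice(alphabet) for _ in range(length))

    def spi():
        # SPI values 0-255 are reserved (RFC 4303); 8 hex digits fills 32 bits.
        return "{:08x}".format(256 + secrets.randbelow(2**32 - 256))

    return {
        "manual_spi_in": spi(),
        "manual_spi_out": spi(),
        "manual_encryption_algorithm": enc,
        "manual_encryption_key_in": key(ENCRYPTION_KEY_LEN[enc]),
        "manual_encryption_key_out": key(ENCRYPTION_KEY_LEN[enc]),
        "manual_authentication_algorithm": auth,
        "manual_authentication_key_in": key(AUTH_KEY_LEN[auth]),
        "manual_authentication_key_out": key(AUTH_KEY_LEN[auth]),
    }


def peer_view(policy):
    """The same SA pair seen from the remote peer: its inbound is our outbound."""
    swapped = dict(policy)
    for stem in ("manual_spi", "manual_encryption_key", "manual_authentication_key"):
        swapped[f"{stem}_in"], swapped[f"{stem}_out"] = policy[f"{stem}_out"], policy[f"{stem}_in"]
    return swapped


def to_cli_lines(policy):
    """Keyword lines in the order of the Format listing, to paste into
    vpn-config[vpn-policy] mode after general_policy_type Manual-Policy."""
    order = ("manual_spi_in", "manual_encryption_algorithm",
             "manual_encryption_key_in", "manual_encryption_key_out",
             "manual_spi_out", "manual_authentication_algorithm",
             "manual_authentication_key_in", "manual_authentication_key_out")
    return [f"{keyword} {policy[keyword]}" for keyword in order]


if __name__ == "__main__":
    local = generate_manual_keys()
    print("\n".join(to_cli_lines(local)))           # paste on this firewall
    print("\n".join(to_cli_lines(peer_view(local))))  # paste on the peer
    for problem in check_manual_policy(BAD_POLICY):
        print("BAD_POLICY:", problem)
```

Because the CLI takes the key as characters, the generator draws from letters and digits only (about 5.95 bits per character), so a 16-character AES-128 key carries roughly 95 bits of entropy; use AES-256 with its 32-character key when the peer supports it. Run the same script against the configuration you intend to type on the peer, since a mismatch between our manual_spi_in and the peer's manual_spi_out is the most common reason a manual tunnel never passes traffic.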
vpn ipsec vpnpolicy delete <vpn policy name>
This command deletes a VPN policy by specifying the name of the VPN policy.
Format
vpn ipsec vpnpolicy delete <vpn policy name>
Mode
vpn
Related show command: show vpn ipsec vpnpolicy setup
vpn ipsec vpnpolicy disable <vpn policy name>
This command disables a VPN connection by specifying the name of the VPN policy.
Format
vpn ipsec vpnpolicy disable <vpn policy name>
Mode
vpn
Related show command: show vpn ipsec vpnpolicy setup
vpn ipsec vpnpolicy enable <vpn policy name>
This command enables a VPN connection by specifying the name of the VPN policy.
Format
vpn ipsec vpnpolicy enable <vpn policy name>
Mode
vpn
Related show command: show vpn ipsec vpnpolicy setup
vpn ipsec vpnpolicy connect <vpn policy name>
This command establishes a VPN connection by specifying the name of the VPN policy.
Format
vpn ipsec vpnpolicy connect <vpn policy name>
Mode
vpn
Related show command: show vpn ipsec vpnpolicy setup and show vpn ipsec vpnpolicy status
vpn ipsec vpnpolicy drop <vpn policy name>
This command terminates an active VPN connection by specifying the name of the VPN
policy.
Format
vpn ipsec vpnpolicy drop <vpn policy name>
Mode
vpn
Related show command: show vpn ipsec vpnpolicy setup and show vpn ipsec vpnpolicy status
IPSec VPN Mode Config Commands
vpn ipsec mode_config configure <record name>
This command configures a Mode Config record. After you have issued the vpn ipsec
mode_config configure command to specify a record name, you enter the
vpn-config [modeConfig] mode, and then you can configure one keyword with its associated
parameter or associated keyword at a time, in the order that you prefer.
Step 1
Format
vpn ipsec mode_config configure <record name>
Mode
vpn
Step 2
Format
first_pool_start_ip <ipaddress>
first_pool_end_ip <ipaddress>
second_pool_start_ip <ipaddress>
second_pool_end_ip <ipaddress>
third_pool_start_ip <ipaddress>
third_pool_end_ip <ipaddress>
wins_server_primary_ip <ipaddress>
wins_server_secondary_ip <ipaddress>
dns_server_primary_ip <ipaddress>
dns_server_secondary_ip <ipaddress>
pfs_key_group {N | Y {dh_group {Group1_768_bit |
Group2_1024_bit | Group5_1536_bit}}}
sa_lifetime_type {Seconds {sa_lifetime <seconds>} | KBytes
{sa_lifetime <KBytes>}}
encryption_algorithm {None | DES | 3DES | AES-128 |
AES-192 | AES-256}
integrity_algorithm {MD5 | SHA-1}
local_ip <ipaddress>
local_subnet_mask <subnet mask>
Mode
vpn-config [modeConfig]
Each entry lists the keyword with the associated keyword to select or parameter to type, followed by its description.

Client pool

first_pool_start_ip <ipaddress>
    The start IP address for the first Mode Config pool.

first_pool_end_ip <ipaddress>
    The end IP address for the first Mode Config pool.

second_pool_start_ip <ipaddress>
    The start IP address for the second Mode Config pool.

second_pool_end_ip <ipaddress>
    The end IP address for the second Mode Config pool.

third_pool_start_ip <ipaddress>
    The start IP address for the third Mode Config pool.

third_pool_end_ip <ipaddress>
    The end IP address for the third Mode Config pool.

wins_server_primary_ip <ipaddress>
    The IP address of the first WINS server.

wins_server_secondary_ip <ipaddress>
    The IP address of the second WINS server.

dns_server_primary_ip <ipaddress>
    The IP address of the first DNS server that is used by remote VPN clients.

dns_server_secondary_ip <ipaddress>
    The IP address of the second DNS server that is used by remote VPN clients.

Traffic tunnel security level

pfs_key_group {Y | N}
    Enables or disables Perfect Forward Secrecy (PFS). If you enable PFS, you need to issue the dh_group keyword to specify a group.

dh_group {Group1_768_bit | Group2_1024_bit | Group5_1536_bit}
    Specifies the Diffie-Hellman (DH) group, which sets the size of the DH modulus in bits. The higher the group, the stronger the key exchange.

sa_lifetime_type {Seconds | KBytes}
    Specifies whether the sa_lifetime keyword is set in seconds or in KBytes.

sa_lifetime <seconds> or <KBytes>
    Depending on the setting of the sa_lifetime_type keyword, the SA lifetime in seconds or in KBytes.

encryption_algorithm {None | DES | 3DES | AES-128 | AES-192 | AES-256}
    Specifies the encryption algorithm, if any, to negotiate for the security association (SA):
    • None. No encryption; the payload is authenticated but sent in the clear.
    • DES. Data Encryption Standard (DES).
    • 3DES. Triple DES.
    • AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
    • AES-192. AES with a 192-bit key size.
    • AES-256. AES with a 256-bit key size.

integrity_algorithm {MD5 | SHA-1}
    Specifies the authentication (integrity) algorithm to negotiate for the security association (SA):
    • SHA-1. Hash algorithm that produces a 160-bit digest.
    • MD5. Hash algorithm that produces a 128-bit digest.

local_ip <ipaddress>
    The local IPv4 network address to which remote VPN clients have access. If you do not specify a local IP address, the VPN firewall’s default LAN IP address is used.

local_subnet_mask <subnet mask>
    The subnet mask that goes with local_ip.
Command example:
SRX5308> vpn ipsec mode_config configure “EMEA Sales”
vpn-config[modeConfig]> first_pool_start_ip 172.16.100.1
vpn-config[modeConfig]> first_pool_end_ip 172.16.100.99
vpn-config[modeConfig]> second_pool_start_ip 172.16.200.1
vpn-config[modeConfig]> second_pool_end_ip 172.16.200.99
vpn-config[modeConfig]> dns_server_primary_ip 192.168.1.1
vpn-config[modeConfig]> pfs_key_group Y
vpn-config[modeConfig]> dh_group Group2_1024_bit
vpn-config[modeConfig]> sa_lifetime_type Seconds
vpn-config[modeConfig]> sa_lifetime 3600
vpn-config[modeConfig]> encryption_algorithm 3DES
vpn-config[modeConfig]> integrity_algorithm SHA-1
vpn-config[modeConfig]> local_ip 192.168.1.0
vpn-config[modeConfig]> local_subnet_mask 255.255.255.0
vpn-config[modeConfig]> save
Related show command: show vpn ipsec mode_config setup
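The three command examples above (the IKE policy, the auto VPN policy, and the Mode Config record) all accept 3DES, MD5, 768- or 1024-bit DH groups, short pre-shared keys, and PFS left off, and the CLI does not warn about any of them. The following Python script is an added example, not part of this manual or of NETGEAR's firmware: it parses a pasted vpn-config session transcript (prompt prefixes included) and reports the weak choices, so a session can be reviewed before or after save. SAMPLE_TRANSCRIPT is constructed from the manual's own IKE policy and VPN policy examples; the 20-character pre-shared-key floor and the Group5 floor are this example's own choices, not device limits.

```python
"""Added example (not NETGEAR code): lint a vpn-config transcript for weak
IKE policy, VPN policy, and Mode Config choices."""
import re

# "vpn-config[<mode>]> keyword value" or a bare "keyword value" line.
# "SRX5308> ..." command lines fail the match and "save" has no value.
_LINE = re.compile(r"^\s*(?:vpn-config\[[^\]]*\]>\s*)?([A-Za-z0-9_]+)(?:\s+(.*?))?\s*$")

ENCRYPTION_KEYWORDS = {"encryption_algorithm", "auto_encryption_algorithm",
                       "manual_encryption_algorithm"}
INTEGRITY_KEYWORDS = {"auth_algorithm", "auto_authentication_algorithm",
                      "manual_authentication_algorithm", "integrity_algorithm"}
DH_KEYWORDS = {"dh_group", "auto_dh_group"}
PFS_KEYWORDS = {"auto_enable_pfskeygroup", "pfs_key_group"}
MIN_PSK_LEN = 20   # this example's floor, not a device limit

# Constructed from the manual's IKE policy and VPN policy command examples.
SAMPLE_TRANSCRIPT = """\
SRX5308> vpn ipsec ikepolicy configure SRX-to-Paris
vpn-config[ike-policy]> exchange_mode Main
vpn-config[ike-policy]> encryption_algorithm 3DES
vpn-config[ike-policy]> auth_algorithm SHA-1
vpn-config[ike-policy]> auth_method Pre_shared_key
vpn-config[ike-policy]> pre_shared_key 3Tg67!JXL0Oo?
vpn-config[ike-policy]> dh_group Group2_1024_bit
vpn-config[ike-policy]> extended_authentication EdgeDevice
vpn-config[ike-policy]> extended_authentication_type RadiusChap
vpn-config[ike-policy]> save
SRX5308> vpn ipsec vpnpolicy configure SRX-to-Paris
vpn-config[vpn-policy]> general_policy_type Auto-Policy
vpn-config[vpn-policy]> auto_sa_lifetime seconds 3600
vpn-config[vpn-policy]> auto_encryption_algorithm 3DES
vpn-config[vpn-policy]> auto_authentication_algorithm SHA-1
vpn-config[vpn-policy]> auto_select_ike_policy SRX-to-Paris
vpn-config[vpn-policy]> save
"""


def parse_transcript(text):
    """Return (keyword, value) pairs in transcript order, prompts stripped."""
    pairs = []
    for raw in text.splitlines():
        m = _LINE.match(raw)
        if not m or m.group(2) is None or m.group(1) == "vpn":
            continue
        pairs.append((m.group(1), m.group(2)))
    return pairs


def lint(text):
    """Return human-readable findings for the weak settings in a transcript."""
    findings = []
    pairs = parse_transcript(text)
    seen = dict(pairs)   # last value wins, enough for a single-policy transcript
    for keyword, value in pairs:
        if keyword in ENCRYPTION_KEYWORDS and value == "None":
            findings.append(f"{keyword} None: traffic is authenticated but not encrypted")
        elif keyword in ENCRYPTION_KEYWORDS and value in ("DES", "3DES"):
            findings.append(f"{keyword} {value}: 64-bit block cipher; use AES-128 or stronger")
        elif keyword in INTEGRITY_KEYWORDS and value == "MD5":
            findings.append(f"{keyword} MD5: use SHA-1, the strongest integrity option this CLI offers")
        elif keyword in DH_KEYWORDS and value in ("Group1_768_bit", "Group2_1024_bit"):
            findings.append(f"{keyword} {value}: DH modulus below 1536 bits; use Group5_1536_bit")
        elif keyword in PFS_KEYWORDS and value == "N":
            findings.append(f"{keyword} N: no PFS, phase-2 keys derive from the phase-1 secret alone")
        elif keyword == "exchange_mode" and value == "Aggressive":
            findings.append("exchange_mode Aggressive: the PSK-based hash is sent unencrypted "
                            "and can be cracked offline; use Main")
        elif keyword == "extended_authentication_type" and value == "RadiusPap":
            findings.append("extended_authentication_type RadiusPap: the XAUTH password reaches "
                            "the RADIUS server protected only by the RADIUS shared secret; prefer RadiusChap")
        elif keyword == "pre_shared_key" and len(value) < MIN_PSK_LEN:
            findings.append(f"pre_shared_key: {len(value)} characters; use {MIN_PSK_LEN} or more random characters")
    if seen.get("general_policy_type") == "Auto-Policy" and "auto_enable_pfskeygroup" not in seen:
        findings.append("auto_enable_pfskeygroup not issued on an Auto-Policy: set it to Y explicitly")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_TRANSCRIPT):
        print(finding)
```

The parser keys on the vpn-config[...]> prompt, so a transcript captured from the terminal can be fed in unchanged; the manual's own examples produce five findings (3DES twice, a 13-character PSK, Group2, and PFS not set), which is a useful reminder that the values shown in a reference manual are not a hardening baseline.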
vpn ipsec mode_config delete <record name>
This command deletes a Mode Config record by specifying its record name.
Format
vpn ipsec mode_config delete <record name>
Mode
vpn
Related show command: show vpn ipsec mode_config setup
SSL VPN Portal Layout Commands
vpn sslvpn portal_layouts add
This command configures a new SSL VPN portal layout. After you have issued the vpn
sslvpn portal_layouts add command, you enter the vpn-config [portal-settings] mode,
and then you can configure one keyword with its associated parameter or associated
keyword at a time, in the order that you prefer.
Step 1
Format
vpn sslvpn portal_layouts add
Mode
vpn
Step 2
Format
portal_name <portal name>
portal_title <portal title>
banner_title <banner title>
banner_message <message text>
display_banner {Y | N}
enable_httpmetatags {Y | N}
enable_activex_web_cache_cleaner {Y | N}
enable_vpntunnel {Y | N}
enable_portforwarding {Y | N}
Mode
vpn-config [portal-settings]
Each entry lists the keyword with the associated keyword to select or parameter to type, followed by its description.

portal_name <portal name>
    The portal name (alphanumeric string).

portal_title <portal title>
    The portal title (alphanumeric string). Place text that consists of more than one word between quotes.

banner_title <banner title>
    The banner title (alphanumeric string). Place text that consists of more than one word between quotes.

banner_message <message text>
    The banner message (alphanumeric string). Place text that consists of more than one word between quotes.

display_banner {Y | N}
    Enables or disables display of the banner message.

enable_httpmetatags {Y | N}
    Enables or disables HTTP meta tags for cache control on the portal pages, which keep portal pages and data out of the user’s browser cache.

enable_activex_web_cache_cleaner {Y | N}
    Enables or disables the ActiveX web cache cleaner, which is loaded when a user logs in to the SSL VPN portal and prompts the user to clear temporary Internet files, cookies, and browser history at logout.

enable_vpntunnel {Y | N}
    Enables or disables the SSL VPN tunnel on this portal.

enable_portforwarding {Y | N}
    Enables or disables SSL VPN port forwarding on this portal.
Command example:
SRX5308> vpn sslvpn portal_layouts add
vpn-config[portal-settings]> portal_name CSup
vpn-config[portal-settings]> portal_title “Customer Support”
vpn-config[portal-settings]> banner_title “Welcome to Customer Support”
vpn-config[portal-settings]> banner_message “In case of login difficulty,
call 123-456-7890.”
vpn-config[portal-settings]> display_banner Y
vpn-config[portal-settings]> enable_httpmetatags Y
vpn-config[portal-settings]> enable_activex_web_cache_cleaner Y
vpn-config[portal-settings]> enable_vpntunnel Y
vpn-config[portal-settings]> save
Related show command: show vpn sslvpn portal_layouts
vpn sslvpn portal_layouts edit <row id>
This command configures an existing SSL VPN portal layout. After you have issued the vpn
sslvpn portal_layouts edit command to specify the row to be edited, you enter the
vpn-config [portal-settings] mode, and then you can configure one keyword with its
associated parameter or associated keyword at a time, in the order that you prefer. You
cannot change the name of the portal layout.
Step 1
Format
vpn sslvpn portal_layouts edit <row id>
Mode
vpn
Step 2
Format
portal_title <portal title>
banner_title <banner title>
banner_message <message text>
display_banner {Y | N}
enable_httpmetatags {Y | N}
enable_activex_web_cache_cleaner {Y | N}
enable_vpntunnel {Y | N}
enable_portforwarding {Y | N}
Mode
vpn-config [portal-settings]
Each entry lists the keyword with the associated keyword to select or parameter to type, followed by its description.

portal_title <portal title>
    The portal title (alphanumeric string). Place text that consists of more than one word between quotes.

banner_title <banner title>
    The banner title (alphanumeric string). Place text that consists of more than one word between quotes.

banner_message <message text>
    The banner message (alphanumeric string). Place text that consists of more than one word between quotes.

display_banner {Y | N}
    Enables or disables display of the banner message.

enable_httpmetatags {Y | N}
    Enables or disables HTTP meta tags for cache control on the portal pages, which keep portal pages and data out of the user’s browser cache.

enable_activex_web_cache_cleaner {Y | N}
    Enables or disables the ActiveX web cache cleaner, which is loaded when a user logs in to the SSL VPN portal and prompts the user to clear temporary Internet files, cookies, and browser history at logout.

enable_vpntunnel {Y | N}
    Enables or disables the SSL VPN tunnel on this portal.

enable_portforwarding {Y | N}
    Enables or disables SSL VPN port forwarding on this portal.
Related show command: show vpn sslvpn portal_layouts
vpn sslvpn portal_layouts delete <row id>
This command deletes an SSL VPN portal layout by specifying its row ID.
Format
vpn sslvpn portal_layouts delete <row id>
Mode
vpn
Related show command: show vpn sslvpn portal_layouts
vpn sslvpn portal_layouts set-default <row id>
This command configures an SSL VPN portal as the default portal by specifying its row ID.
Format
vpn sslvpn portal_layouts set-default <row id>
Mode
vpn
Related show command: show vpn sslvpn portal_layouts
SSL VPN Authentication Domain Commands
vpn sslvpn users domains add
This command configures a new authentication domain. Domains are not limited to SSL VPN
users; the same domain can authenticate other logins. After you have issued the vpn sslvpn
users domains add command, you enter the vpn-config [user-domains] mode, and then you
can configure one keyword with its associated parameter or associated keyword at a time, in
the order that you prefer.
Step 1
Format
vpn sslvpn users domains add
Mode
vpn
Step 2
Format
domain_name <domain name>
portal <portal name>
authentication_type {LocalUserDatabase | Radius-PAP |
Radius-CHAP | Radius-MSCHAP | Radius-MSCHAPv2 | WIKID-PAP |
WIKID-CHAP | MIAS-PAP | MIAS-CHAP | NTDomain |
ActiveDirectory | LDAP}
authentication_server1 <ipaddress>
authentication_secret <secret>
workgroup <group name>
ldap_base_dn <distinguished name>
active_directory_domain <domain name>
Mode
vpn-config [user-domains]
Each entry lists the keyword with the associated keyword to select or parameter to type, followed by its description.

domain_name <domain name>
    The domain name (alphanumeric string).

portal <portal name>
    The portal name (alphanumeric string).
    Note: For information about how to configure a portal, see SSL VPN Portal Layout Commands.

authentication_type {LocalUserDatabase | Radius-PAP | Radius-CHAP | Radius-MSCHAP | Radius-MSCHAPv2 | WIKID-PAP | WIKID-CHAP | MIAS-PAP | MIAS-CHAP | NTDomain | ActiveDirectory | LDAP}
    Specifies the authentication method that is applied to the domain. Note the following:
    • For all selections with the exception of LocalUserDatabase, you need to issue the authentication_server1 keyword and specify an IP address.
    • For all RADIUS, WiKID, and MIAS selections (PAP, CHAP, MSCHAP, and MSCHAPv2), you need to issue the authentication_secret keyword and specify the secret shared with that server.
    • For the NTDomain selection, you need to issue the workgroup keyword and specify the workgroup.
    • For the ActiveDirectory selection, you need to issue the active_directory_domain keyword and specify the Active Directory domain.
    • For the LDAP selection, you need to issue the ldap_base_dn keyword and specify the base DN.

authentication_server1 <ipaddress>
    The IP address of the authentication server.

authentication_secret <secret>
    The authentication secret (alphanumeric string) shared with the RADIUS, WiKID, or MIAS server.

workgroup <group name>
    The NT domain workgroup name (alphanumeric string).

ldap_base_dn <distinguished name>
    The LDAP base distinguished name (DN; alphanumeric string). Do not include spaces.

active_directory_domain <domain name>
    The Active Directory domain name (alphanumeric string).
Command example:
SRX5308> vpn sslvpn users domains add
vpn-config[user-domains]> domain_name Headquarter
vpn-config[user-domains]> portal CSup
vpn-config[user-domains]> authentication_type LDAP
vpn-config[user-domains]> authentication_server1 192.168.24.118
vpn-config[user-domains]> ldap_base_dn dc=netgear,dc=com
vpn-config[user-domains]> save
Related show command: show vpn sslvpn users domains
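The keywords that an authentication_type selection makes mandatory (server address, shared secret, workgroup, Active Directory domain, LDAP base DN) are easy to miss when typing a domain at the prompt. The following Python script is an added example, not NETGEAR code or part of this manual: it checks a domain definition against the rules in the table above and emits the vpn sslvpn users domains add command sequence for an operator to paste. The dictionary keys are the CLI keywords; the sample LDAP domain is the one from the command example, and the RADIUS domain is constructed.

```python
"""Validate an SSL VPN authentication domain against the keyword rules in the
table above and emit the matching CLI command sequence.

Added example, not NETGEAR code: it only produces text for an operator to
type into vpn-config [user-domains]; nothing here talks to the SRX5308.
"""
from typing import Dict, List

AUTH_TYPES = {
    "LocalUserDatabase", "Radius-PAP", "Radius-CHAP", "Radius-MSCHAP",
    "Radius-MSCHAPv2", "WIKID-PAP", "WIKID-CHAP", "MIAS-PAP", "MIAS-CHAP",
    "NTDomain", "ActiveDirectory", "LDAP",
}

# Order in which the keywords are emitted inside vpn-config [user-domains].
KEYWORD_ORDER = [
    "domain_name", "portal", "authentication_type", "authentication_server1",
    "authentication_secret", "workgroup", "ldap_base_dn",
    "active_directory_domain",
]


def required_keywords(auth_type: str) -> List[str]:
    """Keywords the table makes mandatory for the given authentication method."""
    required = ["domain_name", "portal", "authentication_type"]
    if auth_type != "LocalUserDatabase":
        required.append("authentication_server1")
    if "PAP" in auth_type or "CHAP" in auth_type:  # Radius, WIKID and MIAS variants
        required.append("authentication_secret")
    if auth_type == "NTDomain":
        required.append("workgroup")
    if auth_type == "ActiveDirectory":
        required.append("active_directory_domain")
    if auth_type == "LDAP":
        required.append("ldap_base_dn")
    return required


def validate_domain(domain: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means the definition is complete."""
    auth_type = domain.get("authentication_type", "")
    if auth_type not in AUTH_TYPES:
        return [f"unknown or missing authentication_type {auth_type!r}"]
    problems = [f"{auth_type} requires {key}"
                for key in required_keywords(auth_type) if not domain.get(key)]
    for key in ("domain_name", "portal"):
        if domain.get(key) and not domain[key].isalnum():
            problems.append(f"{key} must be an alphanumeric string")
    if " " in domain.get("ldap_base_dn", ""):
        problems.append("ldap_base_dn must not contain spaces")
    return problems


def domain_cli(domain: Dict[str, str], redact_secret: bool = False) -> List[str]:
    """The commands for vpn sslvpn users domains add, ending in save.
    redact_secret=True is for change records and review; a redacted line
    must never be pasted into the device."""
    problems = validate_domain(domain)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["vpn sslvpn users domains add"]
    for key in KEYWORD_ORDER:
        if key in domain:
            value = domain[key]
            if redact_secret and key == "authentication_secret":
                value = "********"
            lines.append(f"{key} {value}")
    lines.append("save")
    return lines


# Constructed sample: the LDAP domain from the command example above.
LDAP_DOMAIN = {
    "domain_name": "Headquarter",
    "portal": "CSup",
    "authentication_type": "LDAP",
    "authentication_server1": "192.168.24.118",
    "ldap_base_dn": "dc=netgear,dc=com",
}

if __name__ == "__main__":
    print("\n".join(domain_cli(LDAP_DOMAIN)))
    # A RADIUS domain without its shared secret is rejected before anything
    # is typed into the device.
    print(validate_domain({"domain_name": "Branch", "portal": "CSup",
                           "authentication_type": "Radius-MSCHAPv2",
                           "authentication_server1": "192.168.24.119"}))
```

The redaction switch exists because the emitted sequence contains the RADIUS or WiKID shared secret in clear text; keep the unredacted form out of tickets and change logs.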
vpn sslvpn users domains edit <row id>
This command configures an existing authentication domain that is not limited to SSL VPN
users. After you have issued the vpn sslvpn users domains edit command to specify
the row to be edited, you enter the vpn-config [user-domains] mode, and then you can
configure one keyword and associated parameter or associated keyword at a time in the
order that you prefer. You cannot change the name of the domain and the type of
authentication.
Step 1
Format
vpn sslvpn users domains edit <row id>
Mode
vpn
Step 2
Format
portal <portal name>
authentication_server1 <ipaddress>
authentication_secret <secret>
workgroup <group name>
ldap_base_dn <distinguished name>
active_directory_domain <domain name>
Mode
vpn-config [user-domains]
Keyword and associated keyword or parameter / Description
portal <portal name>
    The portal name (alphanumeric string).
    Note: For information about how to configure a portal, see SSL VPN Portal
    Layout Commands.
authentication_server1 <ipaddress>
    The IP address of the authentication server.
authentication_secret <secret>
    The authentication secret (alphanumeric string).
workgroup <group name>
    The NT domain workgroup name (alphanumeric string).
ldap_base_dn <distinguished name>
    The LDAP base distinguished name (DN; alphanumeric string). Do not include
    spaces.
active_directory_domain <domain name>
    The Active Directory domain name (alphanumeric string).
Related show command: show vpn sslvpn users domains
vpn sslvpn users domains delete <row id>
This command deletes an SSL VPN authentication domain by specifying its row ID.
Format
vpn sslvpn users domains delete <row id>
Mode
vpn
Related show command: show vpn sslvpn users domains
vpn sslvpn users domains disable_Local_Authentication {Y | N}
This command enables or disables local authentication of users globally by specifying
Y (local authentication is disabled) or N (local authentication is enabled).
Format
vpn sslvpn users domains disable_Local_Authentication {Y | N}
Mode
vpn
Related show command: show vpn sslvpn users domains
SSL VPN Authentication Group Commands
vpn sslvpn users groups add
This command configures a new authentication group that is not limited to SSL VPN users.
After you have issued the vpn sslvpn users groups add command, you enter the
vpn-config [user-groups] mode, and then you can configure one keyword and associated
parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
vpn sslvpn users groups add
Mode
vpn
Step 2
Format
domain_name <domain name>
group_name <group name>
idle_timeout <minutes>
Mode
vpn-config [user-groups]
Keyword and associated keyword or parameter / Description
domain_name <domain name>
    The domain name (alphanumeric string) to which the group belongs.
    Note: For information about configuring domains, see SSL VPN
    Authentication Domain Commands.
group_name <group name>
    The group name (alphanumeric string).
idle_timeout <minutes>
    The idle time-out in minutes.
Command example:
SRX5308> vpn sslvpn users groups add
vpn-config[user-groups]> domain_name Headquarter
vpn-config[user-groups]> group_name Sales
vpn-config[user-groups]> idle_timeout 15
vpn-config[user-groups]> save
Related show command: show vpn sslvpn users groups
vpn sslvpn users groups edit <row id>
This command configures an existing authentication group that is not limited to SSL VPN
users. After you have issued the vpn sslvpn users groups edit command to specify
the row to be edited, you enter the vpn-config [user-groups] mode, and then you can change
the idle time-out only.
Step 1
Format
vpn sslvpn users groups edit <row id>
Mode
vpn
Step 2
Format
idle_timeout <minutes>
Mode
vpn-config [user-groups]
Keyword and associated keyword or parameter / Description
idle_timeout <minutes>
    The idle time-out in minutes.
Related show command: show vpn sslvpn users groups
vpn sslvpn users groups delete <row id>
This command deletes an authentication group by specifying its row ID.
Format
vpn sslvpn users groups delete <row id>
Mode
vpn
Related show command: show vpn sslvpn users groups
SSL VPN User Commands
vpn sslvpn users users add
This command configures a new user account. The command is not limited to SSL VPN
users. After you have issued the vpn sslvpn users users add command, you enter the
vpn-config [users] mode, and then you can configure one keyword and associated parameter
or associated keyword at a time in the order that you prefer.
Step 1
Format
vpn sslvpn users users add
Mode
vpn
Step 2
Format
user_name <user name>
user_type {SSLVPNUser | Administrator | Guest | IPSECVPNUser |
L2TPUser | PPTPUser}
group <group name>
password <password>
confirm_password <password>
idle_timeout <minutes>
Mode
vpn-config [users]
Keyword and associated keyword or parameter / Description
user_name <user name>
    The user name (alphanumeric string).
user_type {SSLVPNUser | Administrator | Guest | IPSECVPNUser | L2TPUser |
PPTPUser}
    Specifies the user type.
group <group name>
    The group name (alphanumeric string) to which the user belongs.
    Note: For information about how to configure groups, see SSL VPN
    Authentication Group Commands.
password <password>
    The password (alphanumeric string) that is assigned to the user. You need
    to issue the confirm_password keyword and confirm the password.
confirm_password <password>
    The confirmation of the password.
idle_timeout <minutes>
    The idle time-out in minutes.
Command example:
SRX5308> vpn sslvpn users users add
vpn-config[users]> user_name PeterBrown
vpn-config[users]> user_type SSLVPNUser
vpn-config[users]> group Sales
vpn-config[users]> password 3goTY5!Of6hh
vpn-config[users]> confirm_password 3goTY5!Of6hh
vpn-config[users]> idle_timeout 10
vpn-config[users]> save
Related show command: show vpn sslvpn users users
vpn sslvpn users users edit <row id>
This command configures an existing user account. The command is not limited to SSL VPN
users. After you have issued the vpn sslvpn users users edit command to specify
the row to be edited, you enter the vpn-config [users] mode, and then you can configure one
keyword and associated parameter or associated keyword at a time in the order that you
prefer. You cannot change the name of the user or the group to which the user is assigned.
The changes you can make to the user type are restricted.
Step 1
Format
vpn sslvpn users users edit <row id>
Mode
vpn
Step 2
Format
user_type {SSLVPNUser | Administrator | Guest | IPSECVPNUser |
L2TPUser | PPTPUser}
password <password>
confirm_password <password>
idle_timeout <minutes>
Mode
vpn-config [users]
Keyword and associated keyword or parameter / Description
user_type {SSLVPNUser | Administrator | Guest | IPSECVPNUser | L2TPUser |
PPTPUser}
    Specifies the user type.
    Note: You cannot change an existing user from the L2TPUser or PPTPUser
    user type to another type or from another type to the L2TPUser or
    PPTPUser type.
password <password>
    The password (alphanumeric string) that is assigned to the user. You need
    to issue the confirm_password keyword and confirm the password.
confirm_password <password>
    The confirmation of the password.
idle_timeout <minutes>
    The idle time-out in minutes.
Related show command: show vpn sslvpn users users
vpn sslvpn users users delete <row id>
This command deletes a user account by specifying its row ID.
Format
vpn sslvpn users users delete <row id>
Mode
vpn
Related show command: show vpn sslvpn users users
vpn sslvpn users users login_policies <row id>
This command configures the login policy for a user. The command is not limited to SSL VPN
users. After you have issued the vpn sslvpn users users login_policies
command to specify the row ID that represents the user, you enter the
vpn-config [user-login-policy] mode, and then you can configure one keyword and associated
parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
vpn sslvpn users users login_policies <row id>
Mode
vpn
Step 2
Format
deny_login_from_wan_interface {Y | N}
disable_login {Y | N}
Mode
vpn-config [user-login-policy]
Keyword and associated keyword or parameter / Description
deny_login_from_wan_interface {Y | N}
    Y denies the user login from the WAN interface; N allows it.
disable_login {Y | N}
    Y disables login for the user from any interface; N enables it.
Command example:
SRX5308> vpn sslvpn users users login_policies 4
vpn-config[user-login-policy]> deny_login_from_wan_interface N
vpn-config[user-login-policy]> disable_login N
vpn-config[user-login-policy]> save
Related show command: show vpn sslvpn users users and show vpn sslvpn users login_policies <row id>
vpn sslvpn users users ip_policies configure <row id>
This command configures source IP addresses from which a user is either allowed or denied
access. The command is not limited to SSL VPN users. After you have issued the vpn
sslvpn users users ip_policies configure command to specify the row ID that
represents the user, you enter the vpn-config [user-ip-policy] mode, and then you can
configure one keyword and associated parameter or associated keyword at a time in the
order that you prefer.
Step 1
Format
vpn sslvpn users users ip_policies configure <row id>
Mode
vpn
Step 2
Format
allow_login_from_defined_addresses {Y | N}
ip_version {IPv4 | IPv6}
source_address_type {IPAddress {{source_address <ipaddress>} |
{source_address6 <ipv6-address>}} | IPNetwork
{{source_address <ipaddress>} {mask_length <mask length>} |
{source_address6 <ipv6-address>} {prefix_length
<prefix length>}}}
Mode
vpn-config [user-ip-policy]
Keyword and associated keyword or parameter / Description
allow_login_from_defined_addresses {Y | N}
    Allows (Y) or denies (N) login from the single source IP address or the
    network of source IP addresses that you define.
ip_version {IPv4 | IPv6}
    Specifies the IP version of the source IP address:
    • IPv4. The IP address or network address is defined by an IPv4 address.
      You need to issue the source_address keyword and specify an IPv4
      address. For a network address, you also need to issue the mask_length
      keyword and specify a subnet mask length.
    • IPv6. The IP address or network address is defined by an IPv6 address.
      You need to issue the source_address6 keyword and specify an IPv6
      address. For a network address, you also need to issue the
      prefix_length keyword and specify a prefix length.
source_address_type {IPAddress | IPNetwork}
    Specifies the source address type:
    • IPAddress. A single IP address. The setting of the ip_version keyword
      determines whether you need to issue the source_address keyword and
      specify an IPv4 address or issue the source_address6 keyword and
      specify an IPv6 address.
    • IPNetwork. A subnet of IP addresses. The setting of the ip_version
      keyword determines whether you need to issue the mask_length keyword
      and specify an IPv4 subnet mask length or issue the prefix_length
      keyword and specify an IPv6 prefix length.
source_address <ipaddress>
    The IPv4 address or network address if the ip_version keyword is set to
    IPv4.
mask_length <mask length>
    If the source_address_type keyword is set to IPNetwork and the ip_version
    keyword is set to IPv4, the mask length of the IPv4 network.
source_address6 <ipv6-address>
    The IPv6 address or network address if the ip_version keyword is set to
    IPv6.
prefix_length <prefix length>
    If the source_address_type keyword is set to IPNetwork and the ip_version
    keyword is set to IPv6, the prefix length of the IPv6 network.
Command example:
SRX5308> vpn sslvpn users users ip_policies configure 4
vpn-config[user-ip-policy]> allow_login_from_defined_addresses Y
vpn-config[user-ip-policy]> ip_version IPv4
vpn-config[user-ip-policy]> source_address_type IPAddress
vpn-config[user-ip-policy]> source_address 10.156.127.39
vpn-config[user-ip-policy]> save
Related show command: show vpn sslvpn users users and show vpn sslvpn users ip_policies <row id>
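The following Python snippet is an added example, not NETGEAR code or part of this manual. It evaluates a user's ip_policies entries for a login attempt the way the keywords above describe them: an IPAddress entry matches one host, an IPNetwork entry matches every address inside source_address/mask_length or source_address6/prefix_length, and an entry of the other IP version never matches. It assumes that allow_login_from_defined_addresses Y permits only the defined addresses and that N denies only the defined addresses; apart from the 10.156.127.39 entry taken from the command example, the entries and client addresses are constructed.

```python
"""Evaluate a user's source-IP login policy (vpn sslvpn users users
ip_policies) for a given client address.

Added example, not NETGEAR code. It models only the documented keywords;
assumption: with allow_login_from_defined_addresses Y the listed addresses
are the only ones permitted, and with N they are the only ones denied.
"""
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def policy_network(entry: Dict[str, str]) -> Network:
    """One ip_policies entry (keyword -> value) as a network object.
    IPAddress entries become a single-host network; IPNetwork entries take
    mask_length (IPv4) or prefix_length (IPv6)."""
    v6 = entry["ip_version"] == "IPv6"
    address = entry["source_address6" if v6 else "source_address"]
    if entry["source_address_type"] == "IPAddress":
        return ipaddress.ip_network(address)
    length = entry["prefix_length" if v6 else "mask_length"]
    # strict=False tolerates a host address with host bits set, e.g.
    # 172.16.5.77 with mask_length 12 is treated as 172.16.0.0/12.
    return ipaddress.ip_network(f"{address}/{length}", strict=False)


def login_allowed(allow_from_defined: bool, entries: List[Dict[str, str]],
                  source: str) -> bool:
    """Decide whether a login attempt from `source` passes the policy.
    An entry of the other IP version never matches."""
    src = ipaddress.ip_address(source)
    matched = any(src.version == net.version and src in net
                  for net in map(policy_network, entries))
    return matched if allow_from_defined else not matched


# Constructed sample entries: the single address from the command example
# above plus one IPv4 network and one IPv6 network.
ENTRIES = [
    {"ip_version": "IPv4", "source_address_type": "IPAddress",
     "source_address": "10.156.127.39"},
    {"ip_version": "IPv4", "source_address_type": "IPNetwork",
     "source_address": "172.16.5.77", "mask_length": "12"},
    {"ip_version": "IPv6", "source_address_type": "IPNetwork",
     "source_address6": "2001:db8:1::", "prefix_length": "48"},
]

if __name__ == "__main__":
    for src in ("10.156.127.39", "10.156.127.40", "172.31.255.254",
                "2001:db8:1::5", "2001:db8:2::5"):
        print(src, "allow-list:", login_allowed(True, ENTRIES, src),
              "deny-list:", login_allowed(False, ENTRIES, src))
```

Note the version split: with allow_login_from_defined_addresses Y and only IPv4 entries, every IPv6 client is locked out, and with N every IPv6 client is let in, so a dual-stack WAN needs entries of both versions.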
vpn sslvpn users users ip_policies delete <row id>
This command deletes a source IP address for a user by specifying the row ID of the table.
Format
vpn sslvpn users users ip_policies delete <row id>
Mode
vpn
Related show command: show vpn sslvpn users users and show vpn sslvpn users ip_policies <row id>
vpn sslvpn users users browser_policies <row id>
This command configures a client browser from which a user is either allowed or denied
access. The command is not limited to SSL VPN users. After you have issued the vpn
sslvpn users users browser_policies command to specify the row ID that
represents the user, you enter the vpn-config [user-browser-policy] mode, and then you can
configure one keyword and associated parameter or associated keyword at a time in the
order that you prefer.
Step 1
Format
vpn sslvpn users users browser_policies <row id>
Mode
vpn
Step 2
Format
add_browser {InternetExplorer | NetscapeNavigator | Opera | Firefox |
Mozilla}
delete_browser {InternetExplorer | NetscapeNavigator | Opera | Firefox |
Mozilla}
enable_or_disable_login_from_defined_browsers {Y | N}
Mode
vpn-config [user-browser-policy]
Keyword and associated keyword or parameter / Description
add_browser {InternetExplorer | NetscapeNavigator | Opera | Firefox | Mozilla}
    Adds a browser to the browser list. By default, there are no browsers on
    the browser list.
delete_browser {InternetExplorer | NetscapeNavigator | Opera | Firefox |
Mozilla}
    Removes a browser from the browser list (after you first have added the
    browser to the browser list).
enable_or_disable_login_from_defined_browsers {Y | N}
    Specifies whether access through the browsers on the browser list is
    allowed or denied:
    • Yes. Allows access through the browsers on the browser list.
    • No. Denies access through the browsers on the browser list.
Command example:
SRX5308> vpn sslvpn users users browser_policies 4
vpn-config[user-browser-policy]> add_browser NetscapeNavigator
vpn-config[user-browser-policy]> enable_or_disable_login_from_defined_browsers N
vpn-config[user-browser-policy]> save
vpn-config[user-browser-policy]> add_browser InternetExplorer
vpn-config[user-browser-policy]> enable_or_disable_login_from_defined_browsers N
vpn-config[user-browser-policy]> save
Related show command: show vpn sslvpn users users and show vpn sslvpn users browser_policies <row id>
SSL VPN Port Forwarding Commands
vpn sslvpn portforwarding appconfig add
This command configures a new SSL port forwarding application. After you have issued the
vpn sslvpn portforwarding appconfig add command, you enter the
vpn-config [portforwarding-settings] mode, and then you can configure one keyword and
associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
vpn sslvpn portforwarding appconfig add
Mode
vpn
Step 2
Format
server_ip <ipaddress>
port <number>
Mode
vpn-config [portforwarding-settings]
Keyword and associated keyword or parameter / Description
server_ip <ipaddress>
    The IP address of the local server that hosts the application.
port <number>
    The TCP port number of the local server that hosts the application.
Command example:
SRX5308> vpn sslvpn portforwarding appconfig add
vpn-config[portforwarding-settings]> server_ip 192.168.51.227
vpn-config[portforwarding-settings]> port 3389
vpn-config[portforwarding-settings]> save
Related show command: show vpn sslvpn portforwarding appconfig
vpn sslvpn portforwarding appconfig delete <row id>
This command deletes an SSL port forwarding application by specifying its row ID.
Format
vpn sslvpn portforwarding appconfig delete <row id>
Mode
vpn
Related show command: show vpn sslvpn portforwarding appconfig
vpn sslvpn portforwarding hostconfig add
This command configures a new host name for an SSL port forwarding application. After you
have issued the vpn sslvpn portforwarding hostconfig add command, you enter
the vpn-config [portforwarding-host-settings] mode, and then you can configure one keyword
and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
vpn sslvpn portforwarding hostconfig add
Mode
vpn
Step 2
Format
server_ip <ipaddress>
domain_name <domain name>
Mode
vpn-config [portforwarding-host-settings]
Keyword and associated keyword or parameter / Description
server_ip <ipaddress>
    The IP address of the local server that hosts the application.
    Note: The IP address needs to be the same as the IP address that you
    assigned through the vpn sslvpn portforwarding appconfig add command for
    the same application.
domain_name <domain name>
    The domain name for the local server that hosts the application.
Command example:
SRX5308> vpn sslvpn portforwarding hostconfig add
vpn-config[portforwarding-host-settings]> server_ip 192.168.51.227
vpn-config[portforwarding-host-settings]> domain_name RemoteDesktop
vpn-config[portforwarding-host-settings]> save
Related show command: show vpn sslvpn portforwarding hostconfig
vpn sslvpn portforwarding hostconfig delete <row id>
This command deletes a host name for an SSL port forwarding application by specifying the
row ID of the host name.
Format
vpn sslvpn portforwarding hostconfig delete <row id>
Mode
vpn
Related show command: show vpn sslvpn portforwarding hostconfig
SSL VPN Client and Client Route Commands
vpn sslvpn client ipv4
This command configures the SSL client IPv4 address range. After you have issued the vpn
sslvpn client ipv4 command, you enter the vpn-config [sslvpn-client-ipv4-settings]
mode, and then you can configure one keyword and associated parameter or associated
keyword at a time in the order that you prefer.
Step 1
Format
vpn sslvpn client ipv4
Mode
vpn
Step 2
Format
enable_full_tunnel {Y | N}
dns_suffix <suffix>
primary_dns <ipaddress>
secondary_dns <ipaddress>
begin_client_address <ipaddress>
end_client_address <ipaddress>
Mode
vpn-config [sslvpn-client-ipv4-settings]
Keyword and associated keyword or parameter / Description
enable_full_tunnel {Y | N}
    Enables or disables full-tunnel support:
    • Yes. Enables full-tunnel support.
    • No. Disables full-tunnel support and enables split-tunnel support. If
      you enable split-tunnel support and you assign an entirely different
      subnet to the VPN tunnel clients from the subnet that is used by the
      local network, you need to add a client route to ensure that a VPN
      tunnel client connects to the local network over the VPN tunnel (see
      the vpn sslvpn route add command).
dns_suffix <suffix>
    The DNS suffix to be appended to incomplete DNS search strings. This
    setting is optional.
primary_dns <ipaddress>
    The IP address of the primary DNS server. This setting is optional.
    Note: If you do not assign a DNS server, the DNS settings remain
    unchanged in the VPN client after a VPN tunnel has been established.
secondary_dns <ipaddress>
    The IP address of the secondary DNS server. This setting is optional.
begin_client_address <ipaddress>
    The start IP address of the IPv4 client range. The default address is
    192.168.251.1.
end_client_address <ipaddress>
    The end IP address of the IPv4 client range. The default address is
    192.168.251.254.
Command example:
SRX5308> vpn sslvpn client ipv4
vpn-config[sslvpn-client-ipv4-settings]> enable_full_tunnel Y
vpn-config[sslvpn-client-ipv4-settings]> primary_dns 192.168.10.5
vpn-config[sslvpn-client-ipv4-settings]> secondary_dns 192.168.10.6
vpn-config[sslvpn-client-ipv4-settings]> begin_client_address 192.168.251.1
vpn-config[sslvpn-client-ipv4-settings]> end_client_address 192.168.251.254
vpn-config[sslvpn-client-ipv4-settings]> save
Related show command: show vpn sslvpn client
vpn sslvpn client ipv6
This command configures the SSL client IPv6 address range. After you have issued the vpn
sslvpn client ipv6 command, you enter the vpn-config [sslvpn-client-ipv6-settings]
mode, and then you can configure one keyword and associated parameter or associated
keyword at a time in the order that you prefer.
Step 1
Format
vpn sslvpn client ipv6
Mode
vpn
Step 2
Format
enable_full_tunnel {Y | N}
begin_client_address <ipv6-address>
end_client_address <ipv6-address>
Mode
vpn-config [sslvpn-client-ipv6-settings]
Keyword and associated keyword or parameter / Description
enable_full_tunnel {Y | N}
    Enables or disables full-tunnel support:
    • Yes. Enables full-tunnel support.
    • No. Disables full-tunnel support and enables split-tunnel support. If
      you enable split-tunnel support and you assign an entirely different
      subnet to the VPN tunnel clients from the subnet that is used by the
      local network, you need to add a client route to ensure that a VPN
      tunnel client connects to the local network over the VPN tunnel (see
      the vpn sslvpn route add command).
begin_client_address <ipv6-address>
    The start IP address of the IPv6 client range. The default address is
    4000::1.
end_client_address <ipv6-address>
    The end IP address of the IPv6 client range. The default address is
    4000::200.
Command example:
SRX5308> vpn sslvpn client ipv6
vpn-config[sslvpn-client-ipv6-settings]> enable_full_tunnel N
vpn-config[sslvpn-client-ipv6-settings]> begin_client_address 4000::1000:2
vpn-config[sslvpn-client-ipv6-settings]> end_client_address 4000::1000:50
vpn-config[sslvpn-client-ipv6-settings]> save
Related show command: show vpn sslvpn client
vpn sslvpn route add
This command configures a static client route to a destination network. After you have issued
the vpn sslvpn route add command, you enter the vpn-config [sslvpn-route-settings]
mode, and then you can configure one keyword and associated parameter or associated
keyword at a time in the order that you prefer.
Note: When full-tunnel support is enabled, client routes are not operable.
For client routes to be operable, split-tunnel support must be enabled.
Step 1
Format
vpn sslvpn route add
Mode
vpn
Step 2
Format
ip_version {IPv4 {destination_network <ipaddress>} {subnet_mask
<subnet mask>} | IPv6 {destination_network6 <ipv6-address>}
{prefix_length <prefix length>}}
Mode
vpn-config [sslvpn-route-settings]
Keyword and associated keyword or parameter / Description
ip_version {IPv4 | IPv6}
    Specifies the IP version of the destination network for the route:
    • IPv4. The network address is an IPv4 address. You need to issue the
      destination_network and subnet_mask keywords and specify an IPv4
      address and subnet mask.
    • IPv6. The network address is an IPv6 address. You need to issue the
      destination_network6 and prefix_length keywords and specify an IPv6
      address and prefix length.
destination_network <ipaddress>
    If the ip_version keyword is set to IPv4, the IPv4 address of the
    destination network for the route.
subnet_mask <subnet mask>
    If the ip_version keyword is set to IPv4, the subnet mask of the
    destination network for the route.
destination_network6 <ipv6-address>
    If the ip_version keyword is set to IPv6, the IPv6 address of the
    destination network for the route.
prefix_length <prefix length>
    If the ip_version keyword is set to IPv6, the prefix length of the
    destination network for the route.
Command example:
SRX5308> vpn sslvpn route add
vpn-config[sslvpn-route-settings]> ip_version IPv4
vpn-config[sslvpn-route-settings]> destination_network 192.168.4.20
vpn-config[sslvpn-route-settings]> subnet_mask 255.255.255.254
vpn-config[sslvpn-route-settings]> save
Related show command: show vpn sslvpn route
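The client range, full-tunnel switch and client routes interact in the ways the tables above spell out: a split-tunnel client whose pool is a different subnet from the local network reaches that network only through a client route, and client routes do nothing while full tunnel is enabled. The following Python script is an added example, not NETGEAR code or part of this manual: given the vpn sslvpn client settings, the LAN subnets and the configured routes, it reports a pool that overlaps the LAN, a LAN that no client route reaches under split tunnel, and routes that are inoperable under full tunnel. The default IPv4 pool and the 192.168.4.20 route are taken from the examples above; the 192.168.10.0/24 LAN and the second route are constructed.

```python
"""Check an SSL VPN client pool (vpn sslvpn client ipv4 / ipv6) against the
LAN and the client routes (vpn sslvpn route add), following the rules in the
tables above: the pool should not collide with the local network,
split-tunnel clients reach a different local subnet only through a client
route, and client routes are not operable while full tunnel is enabled.

Added example, not NETGEAR code. The LAN subnets used here are constructed
sample values; the device is not queried.
"""
import ipaddress
from typing import Dict, List, Sequence


def pool_networks(begin: str, end: str) -> list:
    """The smallest set of networks that exactly covers begin..end."""
    first, last = ipaddress.ip_address(begin), ipaddress.ip_address(end)
    if first.version != last.version or first > last:
        raise ValueError("begin_client_address/end_client_address is not a valid range")
    return list(ipaddress.summarize_address_range(first, last))


def route_network(route: Dict[str, str]):
    """A vpn sslvpn route add entry (keyword -> value) as a network object."""
    if route["ip_version"] == "IPv4":
        spec = f"{route['destination_network']}/{route['subnet_mask']}"
    else:
        spec = f"{route['destination_network6']}/{route['prefix_length']}"
    return ipaddress.ip_network(spec, strict=False)


def check_client_config(client: Dict[str, str], lan_networks: Sequence[str],
                        routes: Sequence[Dict[str, str]]) -> List[str]:
    """Return findings as plain strings; an empty list means nothing to fix."""
    findings = []
    pool = pool_networks(client["begin_client_address"], client["end_client_address"])
    lans = [ipaddress.ip_network(n) for n in lan_networks]
    route_nets = [route_network(r) for r in routes]
    for p in pool:
        for lan in lans:
            if p.version == lan.version and p.overlaps(lan):
                findings.append(f"client pool {p} overlaps LAN {lan}")
    if client["enable_full_tunnel"] == "Y":
        if routes:
            findings.append("full tunnel enabled: client routes are not operable")
        return findings
    # Split tunnel: every LAN of the pool's IP version needs a covering route.
    version = pool[0].version
    for lan in lans:
        if lan.version == version and not any(
                r.version == version and r.overlaps(lan) for r in route_nets):
            findings.append(f"split tunnel: no client route reaches LAN {lan}")
    return findings


# Constructed sample: the default IPv4 pool, a LAN on 192.168.10.0/24, and
# the route from the command example above (which does not reach that LAN).
CLIENT_V4 = {"enable_full_tunnel": "N",
             "begin_client_address": "192.168.251.1",
             "end_client_address": "192.168.251.254"}
LAN = ["192.168.10.0/24"]
ROUTE_EXAMPLE = {"ip_version": "IPv4", "destination_network": "192.168.4.20",
                 "subnet_mask": "255.255.255.254"}
ROUTE_LAN = {"ip_version": "IPv4", "destination_network": "192.168.10.0",
             "subnet_mask": "255.255.255.0"}

if __name__ == "__main__":
    print(check_client_config(CLIENT_V4, LAN, [ROUTE_EXAMPLE]))
    print(check_client_config(CLIENT_V4, LAN, [ROUTE_EXAMPLE, ROUTE_LAN]))
```

Run it before save: a pool that overlaps the LAN is the finding most worth catching, since it silently breaks reachability for both the clients and the hosts whose addresses collide.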
vpn sslvpn route delete <row id>
This command deletes a client route by specifying its row ID.
Format
vpn sslvpn route delete <row id>
Mode
vpn
Related show command: show vpn sslvpn route
SSL VPN Resource Commands
vpn sslvpn resource add
This command adds a new resource. After you have issued the vpn sslvpn resource
add command, you enter the vpn-config [sslvpn-resource-settings] mode, and then you can
configure one keyword and associated parameter or associated keyword at a time in the
order that you prefer.
Step 1
Format
vpn sslvpn resource add
Mode
vpn
Step 2
Format
resource_name <resource name>
service_type {VPNTunnel | PortForwarding | All}
Mode
vpn-config [sslvpn-resource-settings]
Keyword and associated keyword or parameter / Description
resource_name <resource name>
    The resource name (alphanumeric string).
service_type {VPNTunnel | PortForwarding | All}
    Specifies the type of service to which the resource applies:
    • VPNTunnel. The resource applies only to a VPN tunnel.
    • PortForwarding. The resource applies only to port forwarding.
    • All. The resource applies both to a VPN tunnel and to port forwarding.
Command example:
SRX5308> vpn sslvpn resource add
vpn-config[sslvpn-resource-settings]> resource_name TopSecure
vpn-config[sslvpn-resource-settings]> service_type PortForwarding
vpn-config[sslvpn-resource-settings]> save
Related show command: show vpn sslvpn resource
vpn sslvpn resource delete <row id>
This command deletes a resource by specifying its row ID.
Format
vpn sslvpn resource delete <row id>
Mode
vpn
Related show command: show vpn sslvpn resource
vpn sslvpn resource configure add <resource name>
This command configures a resource object. (You first need to add a resource with the vpn
sslvpn resource add command.) After you have issued the vpn sslvpn resource
configure add command to specify the resource name, you enter the
vpn-config [sslvpn-resource-settings] mode, and then you can configure one keyword and
associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format
vpn sslvpn resource configure add <resource name>
Mode
vpn
Step 2
Format
object_type {IPAddress | IPNetwork}
For a single IP address:
ip_version {IPv4 {object_address <ipaddress>} | IPv6
{object_address6 <ipv6-address>}}
start_port <port number>
end_port <port number>
For an IP network:
ip_version {IPv4 {object_address <ipaddress>} {mask_length
<subnet mask length>} | IPv6 {object_address6
<ipv6-address>} {mask_length <prefix length>}}
start_port <port number>
end_port <port number>
Mode
vpn-config [sslvpn-resource-settings]
Keyword and associated keyword or parameter / Description
object_type {IPAddress | IPNetwork}
    Specifies the address type for the object:
    • IPAddress. A single IP address. The setting of the ip_version keyword
      determines whether you need to issue the object_address keyword and
      specify an IPv4 address or the object_address6 keyword and specify an
      IPv6 address.
    • IPNetwork. A subnet of IP addresses. The setting of the ip_version
      keyword determines whether you need to issue the object_address and
      mask_length keywords and specify an IPv4 network address and mask
      length or issue the object_address6 and mask_length keywords and
      specify an IPv6 network address and prefix length.
ip_version {IPv4 | IPv6}
    Specifies the IP version of the IP address or IP network:
    • IPv4. The IP address or IP network is defined by an IPv4 address. You
      need to issue the object_address keyword and specify an IPv4 address.
      For a network address, you also need to issue the mask_length keyword
      and specify a subnet mask length.
    • IPv6. The IP address or network address is defined by an IPv6 address.
      You need to issue the object_address6 keyword and specify an IPv6
      address. For a network address, you also need to issue the mask_length
      keyword and specify a prefix length.
object_address <ipaddress>
    The IPv4 address, if the object is an IPv4 address or IPv4 network.
object_address6 <ipv6-address>
    The IPv6 address, if the object is an IPv6 address or IPv6 network.
mask_length <subnet mask length | prefix length>
    The meaning of this keyword and parameter depends on the setting of the
    ip_version and object_type keywords:
    • If the ip_version keyword is set to IPv4 and the object_type keyword
      is set to IPNetwork, the subnet mask length of the IPv4 network.
    • If the ip_version keyword is set to IPv6 and the object_type keyword
      is set to IPNetwork, the prefix length of the IPv6 network.
start_port <port number>
    The start port number for the port range that applies to the object.
end_port <port number>
    The end port number for the port range that applies to the object.
Command example:
SRX5308> vpn sslvpn resource configure add TopSecure
vpn-config[sslvpn-resource-settings]> object_type IPNetwork
vpn-config[sslvpn-resource-settings]> ip_version IPv4
vpn-config[sslvpn-resource-settings]> object_address 192.168.30.56
vpn-config[sslvpn-resource-settings]> mask_length 24
vpn-config[sslvpn-resource-settings]> start_port 3391
vpn-config[sslvpn-resource-settings]> end_port 3393
vpn-config[sslvpn-resource-settings]> save
Related show command: show vpn sslvpn resource_object <resource name>
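A resource is only as precise as its objects, so it helps to be able to answer "which resources cover this server and port, for this service?" before a policy is written against them. The following Python snippet is an added example, not NETGEAR code or part of this manual: it models the objects defined with vpn sslvpn resource configure add together with the resource's service_type from vpn sslvpn resource add, and looks up the resources that cover a destination. It assumes that an IPNetwork object covers every address inside object_address/mask_length, that start_port..end_port is inclusive, and that service_type All applies to both VPNTunnel and PortForwarding. The TopSecure object is the one from the example above; the IPv6 resource and the destinations are constructed.

```python
"""Match a destination (address, TCP port) against the resource objects
defined with vpn sslvpn resource configure add, honouring each resource's
service_type from vpn sslvpn resource add.

Added example, not NETGEAR code; the resources and destinations below are
constructed. Assumptions: an IPNetwork object covers every address inside
object_address/mask_length, start_port..end_port is inclusive, and a
resource with service_type All applies to both VPNTunnel and PortForwarding.
"""
import ipaddress
from typing import Dict, List


def object_network(obj: Dict[str, str]):
    """The address or network an object describes.
    mask_length is the IPv4 subnet mask length or the IPv6 prefix length.
    With strict=False the page's own example, 192.168.30.56 with
    mask_length 24, is treated as the 192.168.30.0/24 network; confirm with
    show vpn sslvpn resource_object how the device stores it."""
    v6 = obj["ip_version"] == "IPv6"
    address = obj["object_address6" if v6 else "object_address"]
    if obj["object_type"] == "IPAddress":
        return ipaddress.ip_network(address)
    return ipaddress.ip_network(f"{address}/{obj['mask_length']}", strict=False)


def object_covers(obj: Dict[str, str], address: str, port: int) -> bool:
    """True when address:port falls inside the object's network and port range."""
    net = object_network(obj)
    ip = ipaddress.ip_address(address)
    return (ip.version == net.version and ip in net
            and int(obj["start_port"]) <= port <= int(obj["end_port"]))


def resources_for(resources: Dict[str, dict], service: str,
                  address: str, port: int) -> List[str]:
    """Names of the resources that cover address:port for `service`
    (VPNTunnel or PortForwarding); a resource with service_type All counts
    for both."""
    names = []
    for name, res in resources.items():
        if res["service_type"] not in (service, "All"):
            continue
        if any(object_covers(o, address, port) for o in res["objects"]):
            names.append(name)
    return sorted(names)


# Constructed sample: the TopSecure resource from the examples above plus an
# IPv6 resource that applies to the VPN tunnel only.
RESOURCES = {
    "TopSecure": {
        "service_type": "PortForwarding",
        "objects": [{"object_type": "IPNetwork", "ip_version": "IPv4",
                     "object_address": "192.168.30.56", "mask_length": "24",
                     "start_port": "3391", "end_port": "3393"}],
    },
    "FileServers6": {
        "service_type": "VPNTunnel",
        "objects": [{"object_type": "IPAddress", "ip_version": "IPv6",
                     "object_address6": "2001:db8:30::10",
                     "start_port": "445", "end_port": "445"}],
    },
}

if __name__ == "__main__":
    print(object_network(RESOURCES["TopSecure"]["objects"][0]))
    print(resources_for(RESOURCES, "PortForwarding", "192.168.30.7", 3392))
    print(resources_for(RESOURCES, "VPNTunnel", "192.168.30.7", 3392))
    print(resources_for(RESOURCES, "VPNTunnel", "2001:db8:30::10", 445))
```

The first print is the point worth checking on a real device: a host address entered with a network mask length widens the object to the whole subnet, which is a much larger grant than the single RDP host the TopSecure example appears to intend.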
vpn sslvpn resource configure delete <row id>
This command deletes a resource object by specifying its row ID. To delete the resource
itself, use the vpn sslvpn resource delete <row id> command.
Format
vpn sslvpn resource configure delete <row id>
Mode
vpn
Related show command: show vpn sslvpn resource_object <resource name>
SSL VPN Policy Commands
vpn sslvpn policy add
This command configures a new SSL VPN policy. After you have issued the vpn sslvpn
policy add command, you enter the vpn-config [sslvpn-policy-settings] mode, and then
you can configure one keyword and associated parameter or associated keyword at a time in
the order that you prefer.
Step 1
Step 2
Format
vpn sslvpn policy add
Mode
vpn
Format
policy_name <policy name>
policy_type {Global | Group {policy_owner <group name>} |
User {policy_owner <user name>}}
destination_object_type {NetworkResource | IPAddress |
IPNetwork | All}
In addition to a policy name, policy type, and destination object type, configure the
following for a network resource:
ip_version {IPv4 | IPv6}
resource_name <resource name>
policy_permission {Permit | Deny}
In addition to a policy name, policy type, and destination object type, configure the
following for an IP address:
ip_version {IPv4 {policy_address <ipaddress>} | IPv6
{policy_address6 <ipv6-address>}}
start_port <port number>
end_port <port number>
service_type {VPNTunnel | PortForwarding | All}
policy_permission {Permit | Deny}
In addition to a policy name, policy type, and destination object type, configure the
following for an IP network:
ip_version {IPv4 {policy_address <ipaddress>} {policy_mask_length <subnet mask>} | IPv6 {policy_address6 <ipv6-address>} {policy_ipv6_prefix_length <prefix length>}}
start_port <port number>
end_port <port number>
service_type {VPNTunnel | PortForwarding | All}
policy_permission {Permit | Deny}
In addition to a policy name, policy type, and destination object type, configure the
following for all addresses (that is, the destination_object_type keyword is set to
All):
ip_version {IPv4 | IPv6}
start_port <port number>
end_port <port number>
service_type {VPNTunnel | PortForwarding | All}
policy_permission {Permit | Deny}
Mode
vpn-config [sslvpn-policy-settings]
Keyword (associated keyword to select or parameter to type): Description
policy_name (policy name): The policy name (alphanumeric string).
policy_type (Global, Group, or User): Specifies the SSL VPN policy type:
  • Global. The policy is global and includes all groups and users.
  • Group. The policy is limited to a single group. For information about how to create groups, see SSL VPN Authentication Group Commands. You need to issue the policy_owner keyword and specify the group name.
  • User. The policy is limited to a single user. For information about how to create user accounts, see SSL VPN User Commands. You need to issue the policy_owner keyword and specify the user name.
policy_owner (group name or user name): Specifies the owner of the policy. The owner depends on the setting of the policy_type keyword:
  • Group. Specify the group name to which the policy applies.
  • User. Specify the user name to which the policy applies.
destination_object_type (NetworkResource, IPAddress, IPNetwork, or All): Specifies the policy destination type, which determines how the policy is applied, and, in turn, which keywords you need to issue to specify the policy:
  • NetworkResource. The policy is applied to an existing IPv4 or IPv6 resource. For information about how to create and configure network resources, see SSL VPN Resource Commands. You need to issue the following keywords and their associated parameters and keywords:
    - policy_name
    - ip_version
    - resource_name
    - policy_permission
    - policy_owner if the policy_type keyword is set to Group or User.
  • IPAddress. The policy is applied to a single IPv4 or IPv6 address. You need to issue the following keywords and their associated parameters and keywords:
    - policy_name
    - ip_version
    - policy_address or policy_address6 (depending on the setting of the ip_version keyword)
    - start_port and end_port
    - service_type
    - policy_permission
    - policy_owner if the policy_type keyword is set to Group or User.
  • IPNetwork. The policy is applied to an IPv4 or IPv6 network address. You need to issue the following keywords and their associated parameters and keywords:
    - policy_name
    - ip_version
    - policy_address and policy_mask_length or policy_address6 and policy_ipv6_prefix_length (depending on the setting of the ip_version keyword)
    - start_port and end_port
    - service_type
    - policy_permission
    - policy_owner if the policy_type keyword is set to Group or User.
  • All. The policy is applied to all addresses. You need to issue the following keywords and their associated parameters and keywords:
    - policy_name
    - ip_version
    - start_port and end_port
    - service_type
    - policy_permission
    - policy_owner if the policy_type keyword is set to Group or User.
resource_name (resource name): The name of a resource that you configured with the vpn sslvpn resource add command. This keyword and parameter apply only if the policy is for a network resource.
policy_permission (Permit or Deny): Specifies whether the policy permits or denies access.
ip_version (IPv4 or IPv6): Specifies the IP version that applies to the policy:
  • IPv4. The policy is for an IPv4 network resource, IPv4 address, IPv4 network, or for all IPv4 addresses. For an IP address or IP network, you need to issue the policy_address keyword and specify an IPv4 address. For a network address, you also need to issue the policy_mask_length keyword and specify a subnet mask.
  • IPv6. The policy is for an IPv6 network resource, IPv6 address, IPv6 network, or for all IPv6 addresses. For an IP address or IP network, you need to issue the policy_address6 keyword and specify an IPv6 address. For a network address, you also need to issue the policy_ipv6_prefix_length keyword and specify a prefix length.
policy_address (ipaddress): The IPv4 address, if the policy is for an IPv4 address or IPv4 network.
policy_mask_length (subnet mask): The subnet mask, if the policy is for an IPv4 network.
policy_address6 (ipv6-address): The IPv6 address, if the policy is for an IPv6 address or IPv6 network.
policy_ipv6_prefix_length (prefix length): The prefix length, if the policy is for an IPv6 network.
start_port (port number): The start port number for a policy port range. (This does not apply if the policy is for a network resource.)
end_port (port number): The end port number for a policy port range. (This does not apply if the policy is for a network resource.)
service_type (VPNTunnel, PortForwarding, or All): Specifies the service type for the policy:
  • VPNTunnel. The policy is applied only to a VPN tunnel.
  • PortForwarding. The policy is applied only to port forwarding.
  • All. The policy is applied both to a VPN tunnel and to port forwarding.
Command example:
SRX5308> vpn sslvpn policy add
vpn-config[sslvpn-policy-settings]> policy_name RoadWarriorPolicy
vpn-config[sslvpn-policy-settings]> ip_version IPv4
vpn-config[sslvpn-policy-settings]> policy_type Global
vpn-config[sslvpn-policy-settings]> destination_object_type NetworkResource
vpn-config[sslvpn-policy-settings]> resource_name RoadWarrior
vpn-config[sslvpn-policy-settings]> policy_permission Permit
vpn-config[sslvpn-policy-settings]> save
vpn-config[sslvpn-policy-settings]> policy_name GuestFTPPolicy
vpn-config[sslvpn-policy-settings]> ip_version IPv4
vpn-config[sslvpn-policy-settings]> policy_type User
vpn-config[sslvpn-policy-settings]> policy_owner guest
vpn-config[sslvpn-policy-settings]> destination_object_type All
vpn-config[sslvpn-policy-settings]> start_port 25077
vpn-config[sslvpn-policy-settings]> end_port 25078
vpn-config[sslvpn-policy-settings]> service_type PortForwarding
vpn-config[sslvpn-policy-settings]> policy_permission Deny
vpn-config[sslvpn-policy-settings]> save
Related show command: show vpn sslvpn policy
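The keyword dependencies described in the table above, encoded as a checker (an added example, not NETGEAR code): validate_policy() reports which keywords are missing or inapplicable for the chosen destination_object_type, policy_type and ip_version, and render_session() emits the CLI lines in the order the manual's example uses. Keyword names, choices and prompt strings come from the manual; the value sanity checks (port range, address version) are assumptions of this example.

```python
"""Checker for the keyword dependencies of 'vpn sslvpn policy add'.

Added example, not NETGEAR code: it encodes the rules from the keyword
table above so a policy can be checked before it is typed at the CLI.
Keyword names, choices and prompt strings are taken from the manual; the
value sanity checks (port range, address version) are this example's own
assumptions.
"""
from __future__ import annotations

import ipaddress

# Keywords every policy needs, whatever the destination type.
BASE = ("policy_name", "policy_type", "destination_object_type",
        "ip_version", "policy_permission")

# Extra keywords required per destination_object_type.
PER_DEST = {
    "NetworkResource": ("resource_name",),
    "IPAddress": ("start_port", "end_port", "service_type"),
    "IPNetwork": ("start_port", "end_port", "service_type"),
    "All": ("start_port", "end_port", "service_type"),
}

# Address keywords depend on destination type and ip_version together.
ADDR_KEYS = {
    ("IPAddress", "IPv4"): ("policy_address",),
    ("IPAddress", "IPv6"): ("policy_address6",),
    ("IPNetwork", "IPv4"): ("policy_address", "policy_mask_length"),
    ("IPNetwork", "IPv6"): ("policy_address6", "policy_ipv6_prefix_length"),
}

CHOICES = {
    "policy_type": {"Global", "Group", "User"},
    "destination_object_type": set(PER_DEST),
    "ip_version": {"IPv4", "IPv6"},
    "service_type": {"VPNTunnel", "PortForwarding", "All"},
    "policy_permission": {"Permit", "Deny"},
}

# Order in which the manual's own example issues the keywords.
ORDER = ("policy_name", "ip_version", "policy_type", "policy_owner",
         "destination_object_type", "resource_name", "policy_address",
         "policy_mask_length", "policy_address6", "policy_ipv6_prefix_length",
         "start_port", "end_port", "service_type", "policy_permission")


def validate_policy(p: dict) -> list[str]:
    """Return the problems found; an empty list means the keyword set is complete."""
    problems = []
    for key, allowed in CHOICES.items():
        if key in p and p[key] not in allowed:
            problems.append(f"{key}: {p[key]!r} not in {sorted(allowed)}")
    dest = p.get("destination_object_type")
    required = list(BASE) + list(PER_DEST.get(dest, ()))
    required += ADDR_KEYS.get((dest, p.get("ip_version")), ())
    if p.get("policy_type") in ("Group", "User"):
        required.append("policy_owner")  # owner is mandatory for Group/User
    problems += [f"missing keyword: {k}" for k in required if k not in p]
    if dest == "NetworkResource":  # ports/service do not apply to a resource
        problems += [f"{k} does not apply to a network resource"
                     for k in ("start_port", "end_port", "service_type") if k in p]
    if "start_port" in p and "end_port" in p:  # assumption: 1..65535, ordered
        try:
            lo, hi = int(p["start_port"]), int(p["end_port"])
            if not 1 <= lo <= hi <= 65535:
                problems.append("port range must satisfy 1 <= start_port <= end_port <= 65535")
        except ValueError:
            problems.append("ports must be integers")
    for key, ver in (("policy_address", 4), ("policy_address6", 6)):
        if key in p:  # assumption: the address must match the keyword's IP version
            try:
                if ipaddress.ip_address(p[key]).version != ver:
                    problems.append(f"{key} is not an IPv{ver} address")
            except ValueError:
                problems.append(f"{key}: {p[key]!r} is not a valid IP address")
    return problems


def render_session(p: dict) -> str:
    """Render the CLI lines for a valid policy, in the manual's keyword order."""
    problems = validate_policy(p)
    if problems:
        raise ValueError("; ".join(problems))
    prompt = "vpn-config[sslvpn-policy-settings]> "
    lines = ["SRX5308> vpn sslvpn policy add"]
    lines += [f"{prompt}{k} {p[k]}" for k in ORDER if k in p]
    lines.append(f"{prompt}save")
    return "\n".join(lines)


if __name__ == "__main__":
    # The manual's second example: a per-user Deny for a port-forwarding range.
    guest = dict(policy_name="GuestFTPPolicy", ip_version="IPv4",
                 policy_type="User", policy_owner="guest",
                 destination_object_type="All", start_port="25077",
                 end_port="25078", service_type="PortForwarding",
                 policy_permission="Deny")
    print(render_session(guest))
```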
vpn sslvpn policy edit <row id>
This command configures an existing SSL VPN policy. After you have issued the vpn
sslvpn policy edit command to specify the row to be edited (for row information, see
the output of the show vpn sslvpn policy command), you enter the
vpn-config [sslvpn-policy-settings] mode. You can then configure one keyword and
associated parameter or associated keyword at a time in the order that you prefer. You
cannot change the policy type, policy owner, destination object, IP version, or service type.
Step 1
Format
vpn sslvpn policy edit <row id>
Mode
vpn
Step 2
Format
policy_name <policy name>
In addition to the policy name, you can change the following for a network resource:
resource_name <resource name>
policy_permission {Permit | Deny}
In addition to the policy name, you can change the following for an IP address:
{{policy_address <ipaddress>} | {policy_address6 <ipv6-address>}}
start_port <port number>
end_port <port number>
policy_permission {Permit | Deny}
In addition to the policy name, you can change the following for an IP network:
{{policy_address <ipaddress>} {policy_mask_length <subnet mask>} | {policy_address6 <ipv6-address>} {policy_ipv6_prefix_length <prefix length>}}
start_port <port number>
end_port <port number>
policy_permission {Permit | Deny}
In addition to the policy name, you can change the following for all addresses (that is,
the destination_object_type keyword is set to All):
start_port <port number>
end_port <port number>
policy_permission {Permit | Deny}
Mode
vpn-config [sslvpn-policy-settings]
Keyword (associated keyword to select or parameter to type): Description
policy_name (policy name): The policy name (alphanumeric string).
policy_address (ipaddress): The IPv4 address, if the policy is for an IPv4 address or IPv4 network.
policy_mask_length (subnet mask): The subnet mask, if the policy is for an IPv4 network.
policy_address6 (ipv6-address): The IPv6 address, if the policy is for an IPv6 address or IPv6 network.
policy_ipv6_prefix_length (prefix length): The prefix length, if the policy is for an IPv6 network.
start_port (port number): The start port number for a policy port range. (This does not apply if the policy is for a network resource.)
end_port (port number): The end port number for a policy port range. (This does not apply if the policy is for a network resource.)
resource_name (resource name): The name of a resource that you configured with the vpn sslvpn resource add command. This keyword and parameter apply only if the policy is for a network resource.
policy_permission (Permit or Deny): Specifies whether the policy permits or denies access.
Command example:
SRX5308> vpn sslvpn policy edit 2
vpn-config[sslvpn-policy-settings]> policy_name RoadWarriorPolicyIII
vpn-config[sslvpn-policy-settings]> start_port 35406
vpn-config[sslvpn-policy-settings]> end_port 35408
vpn-config[sslvpn-policy-settings]> policy_permission Permit
vpn-config[sslvpn-policy-settings]> save
Related show command: show vpn sslvpn policy
vpn sslvpn policy delete <row id>
This command deletes an SSL VPN policy by specifying its row ID.
Format
vpn sslvpn policy delete <row id>
Mode
vpn
Related show command: show vpn sslvpn policy
RADIUS Server Command
vpn ipsec radius configure
This command configures a RADIUS server. After you have issued the vpn ipsec radius
configure command, you enter the vpn-config [radius-config] mode, and then you can
configure one keyword and associated parameter or associated keyword at a time in the
order that you prefer.
Step 1
Format
vpn ipsec radius configure
Mode
vpn
Step 2
Format
enable {Y | N}
radius-server <ipaddress>
secret <secret>
nas_identifier <identifier>
backup_server_enable {Y | N}
backup-radius_server <ipaddress>
backup_server_secret <secret>
backup_server_nas_identifier <identifier>
timeout <seconds>
retries <number>
Mode
vpn-config [radius-config]
Keyword (associated keyword to select or parameter to type): Description
Primary RADIUS server
  enable (Y or N): Enables or disables the primary RADIUS server.
  radius-server (ipaddress): The IPv4 address of the primary RADIUS server.
  secret (secret): The secret phrase (alphanumeric string) for the primary RADIUS server.
  nas_identifier (identifier): The NAS ID for the primary RADIUS server.
Backup RADIUS server
  backup_server_enable (Y or N): Enables or disables the backup RADIUS server.
  backup_radius_server (ipaddress): The IPv4 address of the backup RADIUS server.
  backup_server_secret (secret): The secret phrase (alphanumeric string) for the backup RADIUS server.
  backup_server_nas_identifier (identifier): The NAS ID for the backup RADIUS server.
Connection configuration
  timeout (seconds): The connection time-out in seconds for the RADIUS server.
  retries (number): The number of connection retry attempts for the RADIUS server.
Command example:
SRX5308> vpn ipsec radius configure
vpn-config[radius-config]> enable Y
vpn-config[radius-config]> radius-server 192.168.4.2
vpn-config[radius-config]> secret Hlo0ole1H12aaq43
vpn-config[radius-config]> nas_identifier SRX5308-Bld3
vpn-config[radius-config]> backup_server_enable Y
vpn-config[radius-config]> backup_radius-server 192.168.4.3
vpn-config[radius-config]> backup_server_secret Hduo0oplH54bqX91
vpn-config[radius-config]> backup_server_nas_identifier SRX5308-Bld3
vpn-config[radius-config]> timeout 30
vpn-config[radius-config]> retries 4
vpn-config[radius-config]> save
Related show command: show vpn ipsec radius [ipaddress]
PPTP Server Commands
vpn pptp server configure
This command configures the PPTP server. After you have issued the vpn pptp server
configure command, you enter the pptp-server-config [policy] mode, and then you can
configure one keyword and associated parameter or associated keyword at a time in the
order that you prefer.
Step 1
Format
vpn pptp server configure
Mode
vpn
Step 2
Format
enable {Y | N}
start_address <ipaddress>
end_address <ipaddress>
idle_timeout <minutes>
Mode
pptp-server-config [policy]
Keyword (associated keyword to select or parameter to type): Description
enable (Y or N): Enables or disables the PPTP server.
start_address (ipaddress): The start IPv4 address of the PPTP server range.
end_address (ipaddress): The end IPv4 address of the PPTP server range.
idle_timeout (minutes): The idle time-out after which the connection is terminated.
Command example:
SRX5308> vpn pptp server configure
pptp-server-config[policy]> enable Y
pptp-server-config[policy]> start_address 192.168.112.1
pptp-server-config[policy]> end_address 192.168.112.25
pptp-server-config[policy]> idle_timeout 10
pptp-server-config[policy]> save
Related show command: show vpn pptp server setup and show vpn pptp server connections
L2TP Server Commands
vpn l2tp server configure
This command configures the L2TP server. After you have issued the vpn l2tp server
configure command, you enter the vpn-config [l2tp-config] mode, and then you can
configure one keyword and associated parameter or associated keyword at a time in the
order that you prefer.
Step 1
Format
vpn l2tp server configure
Mode
vpn
Step 2
Format
enable {Y | N}
start_address <ipaddress>
end_address <ipaddress>
idle_timeout <minutes>
Mode
vpn-config [l2tp-config]
Keyword (associated keyword to select or parameter to type): Description
enable (Y or N): Enables or disables the L2TP server.
start_address (ipaddress): The start IPv4 address of the L2TP server range.
end_address (ipaddress): The end IPv4 address of the L2TP server range.
idle_timeout (minutes): The idle time-out after which the connection is terminated.
Command example:
SRX5308> vpn l2tp server configure
vpn-config[l2tp-config]> enable Y
vpn-config[l2tp-config]> start_address 192.168.112.1
vpn-config[l2tp-config]> end_address 192.168.112.25
vpn-config[l2tp-config]> idle_timeout 10
vpn-config[l2tp-config]> save
Related show command: show vpn l2tp server setup and show vpn l2tp server connections
7. Overview of the Show Commands
This chapter provides an overview of all show commands for the four configuration command
modes. The chapter includes the following sections:
• Network Settings (Net Mode) Show Commands
• Security Settings (Security Mode) Show Commands
• Administrative and Monitoring Settings (System Mode) Show Commands
• VPN Settings (VPN Mode) Show Commands
Network Settings (Net Mode) Show Commands
Enter the show net ? command at the CLI prompt to display the submodes in the show net
mode. The following table lists the submodes and their commands in alphabetical order:
Table 12. Show commands: show net mode
Submode / Command name: Purpose
ddns
  show net ddns setup: Display the Dynamic DNS configuration.
dmz
  show net dmz ipv4 setup: Display the IPv4 DMZ configuration.
  show net dmz ipv6 setup: Display the IPv6 DMZ configuration.
ethernet
  show net ethernet {interface name | all}: Display the MAC address and VLAN status for a single or all Ethernet interfaces.
ipv6
  show net ipv6 ipmode setup: Display the IPv6 routing mode configuration.
ipv6_tunnel
  show net ipv6_tunnel setup: Display the IPv6 tunnel configuration.
  show net ipv6_tunnel status: Display the status of the IPv6 tunnels.
lan
  show net lan available_lan_hosts list: Display the IPv4 hosts.
  show net lan dhcp leased_clients list: Display the LAN clients that received a leased DHCP IP address.
  show net lan dhcp logs: Display the LAN DHCP log.
  show net lan dhcp reserved_ip setup: Display information about the DHCP clients, including the assigned (reserved) IP addresses.
  show net lan ipv4 advanced setup: Display the advanced IPv4 LAN configuration.
  show net lan ipv4 detailed setup <vlan id>: Display the detailed configuration for a VLAN.
  show net lan ipv4 multiHoming: Display the LAN secondary IPv4 addresses.
  show net lan ipv4 setup: Display the IPv4 LAN configuration.
  show net lan ipv4 traffic_meter setup: Display the LAN traffic meter configuration.
  show net lan ipv4 traffic_meter detailed_setup <row id>: Display the detailed traffic meter information for a specified IP address.
  show net lan ipv6 multiHoming: Display the LAN secondary IPv6 addresses.
  show net lan ipv6 setup: Display the IPv6 LAN configuration.
  show net lan lan_groups: Display the LAN groups.
protocol binding
  show net protocol_binding setup: Display the protocol bindings.
qos
  show net qos setup: Display the WAN QoS configuration.
radvd
  show net radvd dmz setup: Display the DMZ RADVD configuration.
  show net radvd lan setup: Display the LAN RADVD configuration.
routing
  show net routing dynamic setup: Display the dynamic routing configuration.
  show net routing static ipv4 setup: Display the IPv4 static routes configuration.
  show net routing static ipv6 setup: Display the IPv6 static routes configuration.
siit
  show net siit setup: Display the status of the Stateless IP/ICMP Translation.
statistics
  show net statistics {interface name | all}: Display the network statistics for a single or all Ethernet interfaces.
wan
  show net wan port_setup <wan interface>: Display the configuration for a WAN interface.
  show net wan wan ipv4 secondary_addresses <wan interface>: Display the secondary IPv4 addresses for a WAN interface.
  show net wan wan ipv4 setup <wan interface>: Display the IPv4 configuration for a WAN interface.
  show net wan wan ipv4 status <wan interface>: Display the IPv4 connection status for a WAN interface.
  show net wan wan ipv6 setup <wan interface>: Display the IPv6 configuration for a WAN interface.
  show net wan wan ipv6 status <wan interface>: Display the IPv6 connection status for a WAN interface.
wan_settings
  show net wan_settings wanmode: Display the IPv4 WAN routing mode.
Security Settings (Security Mode) Show Commands
Enter the show security ? command at the CLI prompt to display the submodes in the
show security mode. The following table lists the submodes and their commands in
alphabetical order:
Table 13. Show commands: show security mode
Submode / Command name: Purpose
address_filter
  show security address_filter enable_email_log: Display the configuration of the IP/MAC binding log.
  show security address_filter ip_or_mac_binding setup: Display the IPv4 and IPv6 MAC bindings.
  show security address_filter mac_filter setup: Display the MAC addresses for source MAC filtering.
bandwidth
  show security bandwidth profile setup: Display the configured bandwidth profiles.
content_filter
  show security content_filter block_group: Display the groups for which content filtering is enabled.
  show security content_filter blocked_keywords: Display the keywords that are blocked.
  show security content_filter content_filtering: Display the status of content filtering and the web components.
  show security content_filter trusted_domains: Display the trusted domains.
firewall
  show security firewall advanced algs: Display whether or not SIP ALG is enabled.
  show security firewall attack_checks igmp: Display whether or not the IGMP proxy is enabled.
  show security firewall attack_checks setup ipv4: Display which WAN and LAN security checks are enabled for IPv4.
  show security firewall attack_checks setup ipv6: Display which WAN and LAN security checks are enabled for IPv6.
  show security firewall attack_checks vpn_passthrough setup: Display which VPN pass-through features are enabled.
  show security firewall ipv4 setup dmz_wan: Display the IPv4 DMZ WAN firewall rules.
  show security firewall ipv4 setup lan_dmz: Display the IPv4 LAN DMZ firewall rules.
  show security firewall ipv4 setup lan_wan: Display the IPv4 LAN WAN firewall rules.
  show security firewall ipv6 setup: Display all IPv6 firewall rules.
  show security firewall session_limit: Display the session limit settings.
  show security firewall session_settings: Display the session time-out settings.
porttriggering_rules
  show security porttriggering_rules setup: Display the port triggering rules.
  show security porttriggering_rules status: Display the port triggering status.
schedules
  show security schedules setup: Display the configured schedules.
services
  show security services setup: Display the configured custom services.
  show security services qos_profile setup: Display the configured QoS profiles.
  show security services ip_group ip_setup: Display the configured IP groups.
upnp
  show security upnp portmap: Display the UPnP portmap table.
  show security upnp setup: Display the UPnP configuration.
Administrative and Monitoring Settings (System Mode)
Show Commands
Enter the show system ? command at the CLI prompt to display the submodes in the show
system mode. The following table lists the submodes and their commands in alphabetical
order:
Table 14. Show commands: show system mode
Submode / Command name: Purpose
not applicable
  show sysinfo: Display system information, including MAC addresses, serial number, and firmware version.
  show system firmware_version: Display the firmware version.
logging
  show system logging remote setup: Display the configuration and the schedule of the email logs.
  show system logging setup: Display the configuration of the IPv4 and IPv6 logs.
logs
  show system logs: Display the system logs.
remote_management
  show system remote_management setup: Display the configuration of remote management for Telnet and HTTPS access.
snmp
  show system snmp sys: Display the SNMP system configuration of the SNMP agent and the SNMP system information of the wireless VPN firewall.
  show system snmp trap [agent ipaddress]: Display the SNMP trap configuration of the SNMP agent.
status
  show system status: Display the system status information.
time
  show system time setup: Display the time configuration and the configuration of the NTP server.
traffic_meter
  show system traffic_meter setup <wan interface>: Display the configuration of the traffic meter and the Internet traffic statistics.
VPN Settings (VPN Mode) Show Commands
Enter the show vpn ? command at the CLI prompt to display the submodes in the show vpn
mode. The following table lists the submodes and their commands in alphabetical order:
Table 15. Show commands: show vpn mode
Submode / Command name: Purpose
ipsec
  show vpn ipsec ikepolicy setup: Display the IKE policies.
  show vpn ipsec logs: Display the IPSec VPN logs.
  show vpn ipsec mode_config setup: Display the Mode Config records.
  show vpn ipsec radius [ipaddress]: Display the configuration of all or a specific RADIUS server.
  show vpn ipsec vpnpolicy setup: Display the IPSec VPN policies.
  show vpn ipsec vpnpolicy status: Display status information about the active and nonactive IPSec VPN policies.
l2tp
  show vpn l2tp server connections: Display the users that are connected through the L2TP server.
  show vpn l2tp server setup: Display the configuration of the L2TP server.
pptp
  show vpn pptp server connections: Display the users that are connected through the PPTP server.
  show vpn pptp server setup: Display the configuration of the PPTP server.
sslvpn
  show vpn sslvpn client: Display the SSL VPN client range and configuration.
  show vpn sslvpn logs: Display the SSL VPN logs.
  show vpn sslvpn policy: Display the SSL VPN policies.
  show vpn sslvpn portal_layouts: Display the SSL VPN portal layout.
  show vpn sslvpn portforwarding appconfig: Display the SSL VPN port forwarding application configuration.
  show vpn sslvpn portforwarding hostconfig: Display the SSL VPN port forwarding host configuration.
  show vpn sslvpn resource: Display the SSL VPN resource configuration.
  show vpn sslvpn resource_object <resource name>: Display the detailed configuration for a specific resource object.
  show vpn sslvpn route: Display the SSL VPN client routes.
  show vpn sslvpn users active_users: Display the active SSL VPN users.
  show vpn sslvpn users browser_policies <row id>: Display the login restrictions based on web browsers for a specific user.
  show vpn sslvpn users domains: Display the domain configurations.
  show vpn sslvpn users groups: Display the group configurations.
  show vpn sslvpn users ip_policies <row id>: Display the login restrictions based on IP addresses for a specific user.
  show vpn sslvpn users login_policies <row id>: Display the login restrictions based on login policies for a specific user.
  show vpn sslvpn users users: Display the user account configurations.
8. Show Commands
This chapter explains the show commands and associated parameters for the four configuration
command modes. The chapter includes the following sections:
• Network Settings (Net Mode) Show Commands
• Security Settings (Security Mode) Show Commands
• Administrative and Monitoring Settings (System Mode) Show Commands
• VPN Settings (VPN Mode) Show Commands
Network Settings (Net Mode) Show Commands
This section contains the following subsections:
• WAN IPv4 and WAN IPv6 Show Commands
• IPv6 Mode, IPv6 Tunnel, and SIIT Show Commands
• LAN DHCP Show Commands
• Dynamic DNS Show Commands
• IPv4 LAN Show Commands
• IPv6 LAN Show Commands
• DMZ Show Commands
• Routing Show Commands
• Network Statistics Show Commands
WAN IPv4 and WAN IPv6 Show Commands
show net wan_settings wanmode
This command displays the IPv4 WAN routing mode:
Routing Mode between WAN and LAN
__________________________________
NAT is Enabled
show net wan port_setup <wan interface>
This command displays the configuration of a WAN port. For the WAN interface, type WAN1,
WAN2, WAN3, or WAN4.
WAN1 Port Setup
_______________
MTU Type:
Default
Port Speed:
Auto Sense
WAN MODE Setup
______________
WAN Mode: Primary Wan Mode Using WAN1
Auto Rollover: Auto Rollover is Disabled
WAN Failure Detection Method: WAN DNS Servers
Retry Interval: 30
Failover After: 4
Router's MAC Address for WAN1
_____________________________
MAC Address Type: This MAC Address
MAC Address: 00:00:00:00:11:22
Upload/Download Settings for WAN1
_________________________________
WAN Connection Type: DSL
WAN Connection Speed Upload Type: Custom
WAN Connection Speed Upload: 1500
WAN Connection Speed Download Type: 1 Gbps
WAN Connection Speed Download: 1000000
show net wan wan ipv4 setup <wan interface>
This command displays the IPv4 configuration for a WAN interface. For the WAN interface,
type WAN1, WAN2, WAN3, or WAN4.
Broadband Setup
_______________
STATIC Configuration:
Internet (IP) Address Source: Use Static IP Address
IP Address: 10.139.54.228
IP Subnet Mask: 255.255.255.248
Gateway IP Address: 10.139.54.225
Domain Name Servers (DNS) Source: Use these DNS Servers
Primary DNS Server: 10.80.130.23
Secondary DNS Server: 10.80.130.24
show net wan wan ipv4 status <wan interface>
This command displays the IPv4 WAN connection status. For the WAN interface, type WAN1,
WAN2, WAN3, or WAN4.
WAN1 Status
___________
WAN1 Status (Ipv4):
MAC Address: AA:AB:BB:00:00:02
IPv4 Address: 10.139.54.228 / 255.255.255.248
Wan State: UP
NAT (IPv4 only): Enabled
IPv4 Connection Type: STATIC
IPv4 Connection State: Connected
Link State: LINK UP
WAN Mode: Use only single WAN portWAN1
Gateway: 10.139.54.225
Primary DNS: 10.80.130.23
Secondary DNS: 8.8.8.8
show net wan wan ipv4 secondary_addresses <wan interface>
This command displays the secondary IPv4 addresses for a WAN interface. For the WAN
interface, type WAN1, WAN2, WAN3, or WAN4.
WAN2 Secondary Addresses
________________________
List of Secondary WAN addresses
_______________________________
Row Id: 1
IP Address: 10.168.50.1
Subnet Mask: 255.255.255.0
show net wan wan ipv6 setup <wan interface>
This command displays the IPv6 WAN configuration. For the WAN interface, type WAN1,
WAN2, WAN3, or WAN4.
IPv6 WAN1 Setup
_______________
Dynamic IPv6 (DHCP) Configuration:
Stateless Address Auto Configuration: Enabled
Prefix Delegation: Disabled
show net wan wan ipv6 status <wan interface>
This command displays the IPv6 WAN1 connection status. For the WAN interface, type
WAN1, WAN2, WAN3, or WAN4.
IPv6 WAN1 Status
________________
IPv6 Connection Type: Dynamic IPv6 (DHCP)
IPv6 Connection State: Connected
IPv6 Address: fe80::a8ab:bbff:fe00:2
IPv6 Prefix Length: 64
Default IPv6 Gateway:
Primary DNS Server:
Secondary DNS Server:
show net protocol_binding setup
This command displays the protocol bindings:
List of Protocol Bindings.
__________________________
ROW ID  State    Service  Local Gateway  Source Network  Destination Network
______  _______  _______  _____________  ______________  ___________________
1       Enabled  FTP      WAN1           Any             10.122.178.214
2       Enabled  PPTP     WAN3           Any             Any
3       Enabled  ANY      WAN1           Any             Any
show net qos setup
This command displays the WAN QoS configuration:
Quality of Service
__________________
Enabled: Yes
QoS Type: Rate Control
List of Network QoS Profiles
____________________________
ROW ID  QoS Type      Interface Name  ServiceName  Direction        Rate          Hosts
______  ____________  ______________  ___________  _______________  ____________  _______________________________
1       Rate Control  WAN2            HTTP         Inbound          7500 - 15000  192.168.110.2 - 192.168.110.199
2       Priority      WAN1            RTSP:TCP     Inbound Traffic  High          -
IPv6 Mode, IPv6 Tunnel, and SIIT Show Commands
show net ipv6 ipmode setup
This command displays the IPv6 routing mode configuration:
IP MODE
_______
IPv4 only mode : Disabled
IPv4/IPv6 mode : Enabled
show net ipv6_tunnel setup
This command displays the IPv6 tunnel configuration:
IPv6 Tunnels
____________
6 to 4 Tunneling
Automatic Tunneling is Enabled
List of Available ISATAP Tunnels
ROW ID  LocalEndpoint  ISATAP Subnet Prefix
______  _____________  ____________________
1       192.168.1.1    FE80:2006::
2       10.29.33.4     2004::
show net ipv6_tunnel status
This command displays the status of the IPv6 tunnels:
Tunnel Name  IPv6 Address(es)
___________  __________________________________________________
sit0-WAN1    2002:408b:36e2::408b:36e2/64, ::127.0.0.1/96, ::176.16.2.1/96, ::192.168.1.1/96,
             ::192.168.20.1/96, ::192.168.70.1/96, ::64.139.54.226/96
isatap1-LAN  fe80::5efe:c0a8:101/64
isatap2-LAN  ::10.29.33.4/128, fe80::5efe:a1d:2104/64
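The tunnel addresses above are not arbitrary: the sit0-WAN1 entry carries the WAN IPv4 address twice (2002:408b:36e2::408b:36e2 is 64.139.54.226 behind the 2002::/16 6to4 prefix and again as the interface identifier), and the ISATAP entries carry the LAN endpoint in the low 32 bits of a 0000:5efe interface identifier (fe80::5efe:c0a8:101 is 192.168.1.1). The following is an added example, not code from this manual or from NETGEAR, that computes both address forms from an IPv4 endpoint and recovers the embedded IPv4 address from any of the three forms in the output above, so you can see which tunnel addresses disclose a public endpoint. The function names are my own; the input addresses are taken from the status output above.

```python
import ipaddress
from typing import Dict, Optional

# ISATAP interface identifiers (RFC 5214) carry 0000:5efe, or 0200:5efe when
# the "u" bit is set for a globally unique IPv4 endpoint, in their upper 32 bits.
_ISATAP_IID_PREFIXES = (0x00005EFE, 0x02005EFE)


def six_to_four(ipv4: str) -> ipaddress.IPv6Address:
    """6to4 address (RFC 3056) in the form the sit0 tunnel above shows: the IPv4
    endpoint follows the 2002::/16 prefix and is repeated as the interface ID."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address((0x2002 << 112) | (v4 << 80) | v4)


def isatap_link_local(ipv4: str) -> ipaddress.IPv6Address:
    """ISATAP link-local address (RFC 5214): fe80::/64 plus the 0000:5efe:<IPv4>
    interface identifier that the isatap1-LAN and isatap2-LAN entries carry."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address((0xFE80 << 112) | (0x5EFE << 32) | v4)


def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Recover the IPv4 endpoint embedded in a 6to4, ISATAP or IPv4-compatible
    (::a.b.c.d) address; None when the address embeds nothing."""
    v6 = ipaddress.IPv6Address(addr.split("/")[0])  # accept "addr/prefixlen"
    n = int(v6)
    if v6 in ipaddress.IPv6Network("2002::/16"):
        return ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    if (n >> 32) & 0xFFFFFFFF in _ISATAP_IID_PREFIXES:
        return ipaddress.IPv4Address(n & 0xFFFFFFFF)
    if n >> 32 == 0 and n != 0:  # ::a.b.c.d, the IPv4-compatible form
        return ipaddress.IPv4Address(n)
    return None


def tunnel_endpoints(addresses) -> Dict[str, Optional[str]]:
    """Map each address from 'show net ipv6_tunnel status' to the IPv4 endpoint
    it reveals. A 2002: or ::x.x.x.x address on a WAN-facing tunnel tells every
    IPv6 peer the firewall's public IPv4 address, so it pays to know which ones do."""
    result = {}
    for a in addresses:
        v4 = embedded_ipv4(a)
        result[a] = str(v4) if v4 is not None else None
    return result


if __name__ == "__main__":
    print(six_to_four("64.139.54.226"))        # 2002:408b:36e2::408b:36e2
    print(isatap_link_local("192.168.1.1"))    # fe80::5efe:c0a8:101
    for addr, v4 in tunnel_endpoints([
        "2002:408b:36e2::408b:36e2/64", "::64.139.54.226/96",
        "fe80::5efe:a1d:2104/64", "2001:db8::1",
    ]).items():
        print(f"{addr:32} -> {v4}")
```

The same arithmetic works in reverse for incident work: given a 2002: source address in a log, the two hextets after the prefix are the attacker's real IPv4 relay address.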
show net siit setup
This command displays the status of the Stateless IP/ICMP Translation (SIIT):
SIIT Configuration
__________________
Status   IPv4 Address
enabled  192.168.5.117
LAN DHCP Show Commands
show net lan dhcp leased_clients list
This command displays the LAN clients that received a leased DHCP IP address:
List of Available DHCP Leased Clients
_____________________________________
show net lan dhcp logs
This command displays the LAN DHCP log:
Jul 10 10:23:50 SRX5308 local7.info dhcpd: Wrote 0 deleted host decls to leases file.
Jul 10 10:23:50 SRX5308 local7.info dhcpd: Wrote 0 new dynamic host decls to leases file.
Jul 10 10:23:50 SRX5308 local7.info dhcpd: Wrote 0 leases to leases file.
Jul 10 10:23:51 SRX5308 local7.info dhcpd: Listening on LPF/eth0.4094/00:00:00:00:00:06/176.16.2.0/24
Jul 10 10:23:51 SRX5308 local7.info dhcpd: Sending on   LPF/eth0.4094/00:00:00:00:00:06/176.16.2.0/24
Jul 10 10:23:51 SRX5308 local7.err dhcpd:
Jul 10 10:23:51 SRX5308 local7.err dhcpd: No subnet declaration for eth0.20 (192.168.70.1).
show net lan dhcp reserved_ip setup
This command displays information about the DHCP clients, including the assigned
(reserved) IP addresses:
List of DHCP Reserved Addresses
_______________________________
Name           IP Address     MAC Address        Group       Profile Name
_____________  _____________  _________________  __________  ____________
IPphoneRoom12  192.168.1.100  d1:d2:44:45:9e:9f  GROUP1      Default
SalesServer    192.168.70.15  a1:c1:33:44:2a:2b  GROUP5      Sales
Mobile3008     192.168.90.22  a1:b1:11:12:1a:12  Management  Marketing
FN_Server      192.168.70.2   a1:a2:a3:11:bc:de  Management  Sales
Dynamic DNS Show Commands
show net ddns setup
This command displays the Dynamic DNS configuration:
WAN Mode
________
Single Port WAN1
WAN1 Dynamic DNS service currently disabled
___________________________________________
WAN2 Dynamic DNS service currently disabled
___________________________________________
WAN3 Dynamic DNS service currently disabled
___________________________________________
WAN4 Dynamic DNS service currently disabled
___________________________________________
IPv4 LAN Show Commands
show net lan ipv4 setup
This command displays the IPv4 LAN configuration:
VLAN Profiles
_____________
Status    Profile Name  VLAN Id  IPv4 Address  Subnet Mask      DHCP Status  Server Address
________  ____________  _______  ____________  _______________  ___________  _____________________________
Enabled   Default       1        192.168.1.1   255.255.255.0    DHCP Server  192.168.1.100 - 192.168.1.254
Enabled   Sales         20       192.168.70.1  255.255.255.0    Disabled     Not Applicable
Disabled  Marketing     40       192.168.90.5  255.255.255.128  Disabled     Not Applicable
Default VLAN
____________
Port1: Sales
Port2: Default
Port3: Default
Port4: DMZ
show net lan ipv4 detailed setup <vlan id>
This command displays the detailed configuration for a VLAN. For the VLAN ID, type a VLAN
number.
Detailed Setup (IPv4) of VLAN :- Default
________________________________________
Status: : Enabled
Profile Name: : Default
VLAN Id: : 1
IPv4 Address: : 192.168.1.1
Subnet Mask: : 255.255.255.0
DHCP Status: : DHCP Server
Server Address: : 192.168.1.100 - 192.168.1.254
Primary DNS Server: :
Secondary DNS Server: :
WINS Server: :
Lease Time: : 24
LDAP Status: : Disabled
DNS Proxy: : Enabled
Inter VLAN Routing: : Disabled
show net ethernet {interface name | all}
This command displays the MAC address and VLAN status for a single or all Ethernet
interfaces.
SRX5308> show net ethernet eth0
MAC Address: DE:AD:DE:AD:DE:AF
VLAN ID: 1
Interface Name: eth0
VLAN Enabled: N
Native VLAN: N
SRX5308> show net ethernet all
Ethernet Interfaces
___________________
VLAN ID  Interface Name  VLAN Enabled  Native VLAN
_______  ______________  ____________  ___________
1        eth0            N             N
1        eth1            N             N
show net lan ipv4 advanced setup
This command displays the advanced IPv4 LAN configuration:
LAN Advanced Setup
__________________
VLAN MAC Settings:
MAC Address for VLANs: Unique
Advanced Settings:
ARP Broadcast: Enabled
show net lan available_lan_hosts list
This command displays the IPv4 hosts (that is, the known computers and devices in the
LAN):
List of Available Lan Hosts
___________________________
show net lan lan_groups
This command displays the LAN groups:
Row ID : Group Name
___________________
1      : GROUP1
2      : GROUP2
3      : Finance
4      : GROUP4
5      : GROUP5
6      : SalesEMEA
7      : SalesAmericas
8      : Management
show net lan ipv4 multiHoming
This command displays the LAN secondary IP addresses:
IPv4 LAN Multi-homing
_____________________
Available Secondary LAN IPs :______________________________
Row Id  IP Address      Subnet Mask
______  ______________  _______________
1       192.168.20.1    255.255.255.0
2       192.168.70.240  255.255.255.128
show net lan ipv4 traffic_meter setup
This command displays the LAN traffic meter configuration:
LAN Traffic Meter Table
_______________________
Row Id  LAN IP Address  Direction        Limit (MB)  Traffic (MB)  State
______  ______________  _______________  __________  ____________  _______
1       192.168.11.68   Download Only    30000       0             Allowed
2       192.168.11.204  Both Directions  45000       0             Allowed
show net lan ipv4 traffic_meter detailed_setup <row id>
Note: The row ID refers to the LAN Traffic Meter Table in the output of the
show net lan ipv4 traffic_meter setup command.
This command displays the detailed traffic meter information for the specified IP address:
LAN Traffic Meter Account
_________________________
LAN IP Address: 192.168.11.204
Direction: Both Directions
Limit in (MB): 45000
Traffic Counter
_______________
Traffic Counter: Restart Counter
Restart Time (HH/MM-Day of Month): 12/0-1
Send e-mail before restarting Counter: Disabled
When Limit is reached
_____________________
Send e-mail alert: Disabled
LAN IP Traffic Statistics
_________________________
Start Date / Time: Sun Jul  1 00:00:16 2012
Outgoing Traffic Volume: 0
Incoming Traffic Volume: 0
Average per day:
% of Standard Limit:
State: Allowed
IPv6 LAN Show Commands
show net lan ipv6 setup
This command displays the IPv6 LAN configuration:
IPv6 LAN Configuration
______________________
LAN TCP/IP Setup:
IPv6 Address: fec0::1
IPv6 Prefix Length: 64
DHCPv6:
DHCP Status: Disable DHCPv6 Server
DHCP Mode: Stateless
Prefix Delegation: Disable
Domain Name: netgear.com
Server Preference: 255
DNS Servers: Use Below
Primary DNS Server:
Secondary DNS Server:
Lease/Rebind Time: 86400
List of IPv6 Address Pools
__________________________
Row Id  Start Address     End Address         Prefix Length
______  ________________  __________________  _____________
1       fec0::db8:2       fec0::db8:199       10
2       fec0::db8:10a1:1  fec0::db8:10a1:300  10
List of Prefixes for Prefix Delegation
______________________________________
Row Id  IPv6 Prefix     IPv6 Prefix Length
______  ______________  __________________
1       2001:db8::      64
2       2001:db8:ac2::  64
show net radvd lan setup
This command displays the LAN RADVD configuration:
Router Advertisement Daemon ( RADVD )
_____________________________________
RADVD Status: Enabled
Advertise Mode: Unsolicited Multicast
Advertise Interval: 30
RA Flags
Managed: Disabled
Other: Enabled
Router Preference: High
MTU: 1500
Router Lifetime: 3600 Seconds
List of Available Prefixes to Advertise
_______________________________________
ROW ID  IPv6 Prefix         IPv6 Prefix Length  Life Time
______  __________________  __________________  _________
1       2002:408b:36e4:a::  64                  43200
2       FE80:0:0:CC40::     64                  21600
show net lan ipv6 multiHoming
This command displays the LAN secondary IPv6 addresses:
IPv6 LAN Multi-homing
_____________________
Available Secondary LAN IPs :______________________________
Row Id: 1
IPv6 Address: 2001:db8:3000::2192
Prefix Length: 10
DMZ Show Commands
show net dmz ipv4 setup
This command displays the IPv4 DMZ configuration:
DMZ Setup
_________
IPv4 Address: 176.16.2.1
Subnet Mask: 255.255.255.0
DHCP Setup Configuration:
DHCP Mode: DHCP Server
Domain Name: netgear.com
Starting IP Address: 176.16.2.100
Ending IP Address: 176.16.2.254
Primary DNS Server:
Secondary DNS Server:
WINS Server:
Lease Time in hrs : 24
LDAP Status: Disabled
DNS Proxy: Enabled
show net dmz ipv6 setup
This command displays the IPv6 DMZ configuration:
DHCP Setup Configuration
________________________
IPv6 Address: 176::1
Prefix Length: 64
DHCP Status: DHCP Server Enabled
Mode: Stateless
Domain Name: netgear.com
DNS Server: Use DNS Proxy
Lease Time in Sec : 86400
Starting IP Address  Ending IP Address  Pool Prefix Length
___________________  _________________  __________________
176::1100            176::1220          56
176::2031:1500       176::2031:1650     56
show net radvd dmz setup
This command displays the DMZ RADVD configuration:
Router Advertisement Daemon ( RADVD )
_____________________________________
RADVD Status: Enabled
Advertise Mode: Unsolicited Multicast
Advertise Interval: 30
RA Flags
Managed: Disabled
Other: Enabled
Router Preference: High
MTU: 1500
Router Lifetime: 3600 Seconds
List of Available Prefixes to Advertise
_______________________________________
ROW ID  IPv6 Prefix            IPv6 Prefix Length  Life Time
______  _____________________  __________________  _________
1       2001:db8:abdd::        64                  3600
2       2002:408b:36e2:2727::  64                  7200
Routing Show Commands
show net routing dynamic setup
This command displays the dynamic routing configuration:
Dynamic Routing
_______________
RIP
___
RIP Direction Both
RIP Version RIP-2M
Authentication for RIP-2B/2M: Enabled
First Key Parameters
MD5 Key Id: 1
MD5 Auth Key: *****
Not Valid Before: 2011/12/[email protected]:00:00
Not Valid After: 2012/12/[email protected]:59:59
Second Key Parameters
MD5 Key Id: 2
MD5 Auth Key: *****
Not Valid Before: 2012/12/[email protected]:00:00
Not Valid After: 2013/03/[email protected]:59:59
show net routing static ipv4 setup
This command displays the IPv4 static routes configuration:
Name  Destination     Gateway       Interface  Metric  Active  Private
----  --------------  ------------  ---------  ------  ------  -------
Orly  10.118.215.178  10.192.44.13  WAN1       7       1       1
show net routing static ipv6 setup
This command displays the IPv6 static routes configuration:
Name  Destination           Gateway               Interface  Metric  Active
----  --------------------  --------------------  ---------  ------  ------
SFO2  2002:201b:24e2::1001  FE80::2001:5efe:ab23  WAN1       2       1
Network Statistics Show Commands
show net statistics {interface name | all}
This command displays the network statistics for a single or all Ethernet interfaces:
SRX5308> show net statistics eth0
Interface Statistics
____________________
IFACE: eth0
PktRx: 5688
PktTx: 5651
ByteRx: 654963
ByteTx: 4834187
ErrRx: 0
ErrTx: 0
DropRx: 0
DropTx: 0
Mcast: 0
Coll: 0
SRX5308> show net statistics all
Interface Statistics
____________________
IFACE  PktRx   PktTx   ByteRx    ByteTx    ErrRx  ErrTx  DropRx  DropTx  Mcast  Coll
_____  ______  ______  ________  ________  _____  _____  ______  ______  _____  ____
eth0   20802   31569   2148358   38409384  0      0      0       0       0      0
eth1   359059  186965  61156441  28586367  0      0      0       0       0      0
Security Settings (Security Mode) Show Commands
This section contains the following subsections:
• Services Show Command
• Schedules Show Command
• Firewall Rules Show Command
• Attack Checks Show Commands
• Session Limits Show Commands
• Advanced Firewall Show Commands
• Address Filter Show Commands
• Port Triggering Show Commands
• UPnP Show Commands
• Bandwidth Profiles Show Command
• Content Filtering Show Commands
Services Show Command
show security services setup
This command displays the configured custom services:
List of Available Custom Services
_________________________________
ROW ID  Name              Type  ICMP Type / Port Range
______  ________________  ____  ______________________
76      Ixia              TCP   10115-10117
77      RemoteManagement  TCP   8888-8888
78      Traceroute        ICMP  20
show security services qos_profile setup
This command displays the configured QoS profiles:
List of QoS Profiles
____________________
ROW ID  Profile Name  QoS Type       QoS Value  Priority
______  ____________  _____________  _________  ________
1       Voice         DSCP           24         High
2       Video         IP-Precedence  5          High
3       Standard      IP-Precedence  0          Default
show security services ip_group ip_setup
This command displays the configured IP groups:
List of IP Group's IP Table
___________________________
ROW ID  IP Group      IP Address
______  ____________  _____________
1       TechSuppport  10.55.3.201
2       TechSuppport  10.167.88.241
3       VIPcustomers  10.222.24.190
4       VIPcustomers  10.147.219.43
Schedules Show Command
show security schedules setup
This command displays the configured schedules:
Schedules
_________
List of Available Schedules
ROW ID  Name       Days                       Start Time  End Time
______  _________  _________________________  __________  ________
1       schedule1  Monday, Wednesday, Friday  07:15 AM    06:30 PM
2       schedule2  All Days                   12:00 AM    11:59 PM
3       schedule3  All Days                   12:00 AM    12:00 AM
Firewall Rules Show Command
show security firewall ipv4 setup lan_wan
This command displays the configured IPv4 LAN WAN firewall rules:
Default Outbound Policy for IPv4 : Allow Always
LAN WAN Outbound Rules.
_______________________
ROWID  Status   Service Name  Filter                             LAN User       WAN User  QoS Profile  Bandwidth Profile  Log
_____  _______  ____________  _________________________________  _____________  ________  ___________  _________________  ______
29     Enabled  HTTP          ALLOW Always                       SalesAmericas  Any       None         PriorityQueue      Never
30     Enabled  AIM           BLOCK by schedule,otherwise allow  Any            Any       Voice        NONE               Always
LAN WAN Inbound Rules.
______________________
ROWID  Status   Service Name  Filter                             LAN Server IP Address  LAN User  WAN User      Destination  QoS Profile  Bandwidth Profile  Log
_____  _______  ____________  _________________________________  _____________________  ________  ____________  ___________  ___________  _________________  ______
31     Enabled  FTP           ALLOW Always                       192.168.5.71                     Any                        None         NONE               Never
32     Enabled  RTSP:TCP      BLOCK by schedule,otherwise allow  192.168.20.171                   VIPcustomers  WAN1         Voice        NONE               Always
show security firewall ipv4 setup dmz_wan
This command displays the configured IPv4 DMZ WAN firewall rules:
Default Outbound Policy for IPv4 : Allow Always
DMZ WAN Outbound Rules.
_______________________
ROWID  Status   Service Name  Filter                             DMZ User  WAN User  QoS Profile  Log
_____  _______  ____________  _________________________________  ________  ________  ___________  _____
15     Enabled  CU-SEEME:TCP  BLOCK by schedule,otherwise allow  Any       Any       Video        Never
23     Enabled  ANY           BLOCK Always                       Any       Any       None         Never
DMZ WAN Inbound Rules.
______________________
ROWID  Status   Service Name  Filter        DMZ Server IP Address  DMZ User  WAN User      Destination  QoS Profile  Log
_____  _______  ____________  ____________  _____________________  ________  ____________  ___________  ___________  ______
16     Enabled  BOOTP_CLIENT  ALLOW Always  192.168.24.112                   10.132.215.4  10.168.50.1  None         Always
24     Enabled  ANY           BLOCK Always                                   Any           WAN1         None         Never
show security firewall ipv4 setup lan_dmz
This command displays the configured IPv4 LAN DMZ firewall rules:
Default Outbound Policy for IPv4 : Allow Always
LAN DMZ Outbound Rules.
_______________________
ROWID  Status   Service Name  Filter        LAN User  DMZ User                   Log
_____  _______  ____________  ____________  ________  _________________________  _____
17     Enabled  FTP           ALLOW Always  GROUP4    176.14.2.30 - 176.14.2.79  Never
25     Enabled  ANY           BLOCK Always  Any       Any                        Never
LAN DMZ Inbound Rules.
______________________
ROWID  Status   Service Name  Filter                             DMZ User      LAN User       Log
_____  _______  ____________  _________________________________  ____________  _____________  ______
18     Enabled  SSH:UDP       BLOCK by schedule,otherwise allow  176.16.2.101  192.168.5.108  Always
26     Enabled  ANY           BLOCK Always                       Any           Any            Never
show security firewall ipv6 setup
This command displays all configured IPv6 firewall rules:
Default Outbound Policy
_______________________
For IPv6 : Allow Always
List of Available IPv6 Firewall Rules
_____________________________________
ROW ID  Status   Rule Type   Service          Action                             Source Users                             Destination Users         Log     Qos Priority    Schedule
______  _______  __________  _______________  _________________________________  _______________________________________  ________________________  ______  ______________  _________
130     Enabled  WAN To LAN  RTELNET          ALLOW Always                       2002::B32:AAB1:fD41                      FEC0::db8:145             Always  Normal-Service
131     Enabled  WAN To LAN  HTTP             ALLOW Always                       Any                                      Any                       Never   Normal-Service
132     Enabled  LAN To WAN  HTTP             ALLOW Always                       Any                                      Any                       Never   Normal-Service
133     Enabled  LAN To WAN  HTTPS            ALLOW Always                       Any                                      Any                       Never   Normal-Service
134     Enabled  DMZ To WAN  FTP              ALLOW by schedule,otherwise block  FEC0::db8:10a1:201 - FEC0::db8:10a1:299  2001:db6::30f4:fbbf:ccbc  Never   Normal-Service  schedule1
135     Enabled  WAN To DMZ  VDOLIVE          BLOCK Always                       Any                                      176::1150 - 176::1200     Always  Normal-Service
136     Enabled  DMZ To LAN  RTSP:TCP         BLOCK Always                       Any                                      Any                       Always  Normal-Service
137     Enabled  DMZ To LAN  RTSP:UDP         BLOCK Always                       Any                                      Any                       Always  Normal-Service
138     Enabled  LAN To DMZ  ICMPv6-TYPE-134  BLOCK Always                       Any                                      176::1121 - 176::1142     Always  Normal-Service
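The rule tables in this section are printed as fixed-width columns under an underscore rule line, which is easy to read for a handful of rules and hard to audit by eye once the rule base grows. The following is an added example, not code from this manual or from NETGEAR: it parses a table of that shape by taking the column offsets from the underscore line (so empty cells, such as a blank LAN User, do not shift later columns the way a whitespace split would), then flags inbound rules that allow traffic from any WAN host, those that do so without logging, and an outbound default of Allow Always. The sample table is constructed for this example in the layout of the LAN WAN Inbound Rules output; its row IDs and addresses are made up, and the function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of "show security firewall ipv4 setup
# lan_wan" (inbound section). Row IDs and addresses are invented.
SAMPLE_INBOUND = """\
Default Outbound Policy for IPv4 : Allow Always
LAN WAN Inbound Rules.
______________________
ROWID  Status   Service Name  Filter                             LAN Server IP Address  WAN User      Destination  Log
_____  _______  ____________  _________________________________  _____________________  ____________  ___________  ______
31     Enabled  FTP           ALLOW Always                       192.168.5.71           Any           WAN1         Never
32     Enabled  RTSP:TCP      BLOCK by schedule,otherwise allow  192.168.20.171         VIPcustomers  WAN1         Always
33     Enabled  ANY           ALLOW Always                       192.168.5.80           Any           WAN1         Never
"""


def parse_fixed_width(text: str) -> List[Dict[str, str]]:
    """Parse one underscore-ruled table of the kind the CLI prints.

    The rule line (two or more runs of underscores under the header) gives the
    column start offsets; each data row is sliced at those offsets, so an empty
    cell stays empty instead of pulling the next column into its place.
    """
    lines = text.splitlines()
    rule_idx = next(
        i for i, ln in enumerate(lines)
        if i > 0 and re.fullmatch(r"[_ ]+", ln) and len(re.findall(r"_+", ln)) >= 2
    )
    names = re.split(r" {2,}", lines[rule_idx - 1].strip())
    starts = [m.start() for m in re.finditer(r"_+", lines[rule_idx])]
    if len(names) != len(starts):
        raise ValueError("header and rule line disagree on column count")
    bounds = list(zip(starts, starts[1:] + [None]))
    rows = []
    for ln in lines[rule_idx + 1:]:
        if not ln.strip():
            break
        rows.append({n: ln[s:e].strip() for n, (s, e) in zip(names, bounds)})
    return rows


def audit_inbound_rules(text: str) -> List[Tuple[str, str]]:
    """Return (rule id, finding) pairs for the conditions a reviewer checks first."""
    findings = []
    m = re.search(r"Default Outbound Policy for IPv4 : (.+)", text)
    if m and m.group(1).strip().lower() == "allow always":
        findings.append(("default", "outbound default is Allow Always: anything "
                                    "not matched by a BLOCK rule leaves the LAN"))
    for r in parse_fixed_width(text):
        allows = r["Filter"].upper().startswith("ALLOW")
        from_anywhere = r["WAN User"] == "Any"
        if not (allows and from_anywhere):
            continue
        if r["Service Name"] == "ANY":
            findings.append((r["ROWID"], "every service from any WAN host reaches "
                                         f"{r['LAN Server IP Address']}"))
        if r["Log"] == "Never":
            findings.append((r["ROWID"], f"{r['Service Name']} from any WAN host is "
                                         "allowed but never logged"))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit_inbound_rules(SAMPLE_INBOUND):
        print(f"[{rule_id}] {finding}")
```

The same parser handles the other underscore-ruled tables on this page (protocol bindings, DHCP reservations, IP/MAC bindings), since only the header names change; the audit conditions are the part you would extend for your own policy.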
Attack Checks Show Commands
show security firewall attack_checks igmp
This command displays whether the IGMP proxy is enabled:
IGMP Configuration
__________________
Igmp Proxy: Disabled
show security firewall attack_checks setup ipv4
This command displays which WAN and LAN security checks are enabled for IPv4:
Attack Checks
_____________
WAN Security Checks:
_____________________
Respond to ping on Wan         : No
Enable Stealth mode            : Yes
Block TCP Flood                : Yes
LAN Security Checks:
_____________________
Block UDP Flood                : No
Disable Ping Reply on LAN Ports: Yes
show security firewall attack_checks setup ipv6
This command displays which security checks are enabled for IPv6:
Attack Checks IPv6
__________________
WAN Security Checks:
Respond to ping on Wan : No
VPN IPSec Passthrough  : Yes
show security firewall attack_checks vpn_passthrough setup
This command displays which VPN pass-through features are enabled:
Passthrough
___________
IPSec VPN Passthrough:
IPSec Passthrough : Enabled
PPTP Passthrough  : Disabled
L2TP Passthrough  : Enabled
Session Limits Show Commands
show security firewall session_limit
This command displays the session limit settings:
Session Settings
________________
Session Limit Enable:          Enabled
Connection Limit Type:         0
User Connection Limit:         80
TCP Session Timeout Duration:  3600(Secs)
UDP Session Timeout Duration:  180(Secs)
ICMP Session Timeout Duration: 120(Secs)
show security firewall session_settings
This command displays the session time-out settings:
Session Settings
________________
TCP Session Timeout Duration:3600(Secs)
UDP Session Timeout Duration:180(Secs)
ICMP Session Timeout Duration:120(Secs)
Advanced Firewall Show Commands
show security firewall advanced algs
This command displays whether or not SIP ALG is enabled:
ALGs
____
Sip: Disabled
Address Filter Show Commands
show security address_filter enable_email_log
This command displays the configuration of the IP/MAC binding log:
Email logs for IP/MAC binding violation IPv4
____________________________________________
Email logs for IP/MAC binding violation: Enabled
Email logs for IP/MAC binding violation IPv6
____________________________________________
Email logs for IP/MAC binding violation: Disabled
show security address_filter ip_or_mac_binding setup
This command displays the IP/MAC bindings:
ROW ID  Name             MAC Address        IP Address          Log Dropped Packets  IP Version
______  _______________  _________________  __________________  ___________________  __________
1       PhoneConfRoom52  d1:e1:55:54:8e:7f  192.151.1.107       Disabled             IPv4
2       FinanceServer3   c3:e3:ee:f2:a2:db  fec0::db8:10b1:166  Enabled              IPv6
show security address_filter mac_filter setup
This command displays the configuration of the MAC filter and the MAC addresses for
source MAC filtering:
Source MAC Filter
__________________
MAC Filtering: Enabled
Policy for MAC Addresses: Block and Permit the rest
List of Available MAC Addresses
________________________________
ROW ID  MAC Address
______  _________________
1       aa:11:bb:22:cc:33
2       a1:b2:c3:de:11:22
3       a1:b2:c3:de:11:25
Port Triggering Show Commands
show security porttriggering_rules setup
This command displays the port triggering rules:
Port Triggering
_______________
List of Available Port Triggering Rules
_______________________________________
ROW ID: 1
Name: Skype
Enable: Yes
Type: TCP
Interface: LAN
Outgoing Start Port: 61196
Outgoing End Port: 61196
Incoming Start Port: 61197
Incoming End Port: 61197
show security porttriggering_rules status
This command displays the port triggering status:
PortTriggering Rules Status
___________________________
UPnP Show Commands
show security upnp portmap
This command displays the UPnP portmap table:
UPnP Portmap Table
__________________
show security upnp setup
This command displays the UPnP configuration:
UPnP configuration
__________________
Advertisement Period: 60
Advertisement Time To Live: 6
Bandwidth Profiles Show Command
show security bandwidth profile setup
This command displays the configured bandwidth profiles:
List of Available Bandwidth Profiles
____________________________________
ROW ID  Name            Direction        Inbound Bandwidth Range  Outbound Bandwidth Range  Is Group
______  ______________  _______________  _______________________  ________________________  ________
1       PriorityQueue   Inbound          10000-100000             NA                        0
2       BusinessLevelI  Both Directions  7500-25000               5000-10000                1
Content Filtering Show Commands
show security content_filter content_filtering
This command displays the status of content filtering and the web components:
Content Filtering
_________________
WAN Security Checks
Content Filtering : Enabled
LAN Security Checks
___________________
Proxy   : Disabled
Java    : Enabled
ActiveX : Enabled
Cookies : Disabled
show security content_filter block_group
This command displays the groups for which content filtering is enabled:
Blocked Groups
______________
List of Blocked Groups
Blocked Groups: GROUP1, GROUP2, Finance, Management
Unblocked Groups : GROUP4, GROUP5, SalesEMEA, SalesAmericas
show security content_filter blocked_keywords
This command displays the keywords that are blocked:
Blocked Keywords
________________
List of available Blocked Keywords
ROW ID  Blocked Keyword  Status
______  _______________  _______
2       casino           Enabled
3       nude             Enabled
4       gambl*           Enabled
5       guns             Enabled
show security content_filter trusted_domains
This command displays the trusted domains:
List of available Approved URLS
ROW ID  Domain
______  ___________
1       netgear
2       google.com
3       www.irs.gov
Administrative and Monitoring Settings (System Mode) Show Commands
This section contains the following subsections:
• Remote Management Show Command
• SNMP Show Commands
• Time Show Command
• Firmware Version Show Command
• Status Show Command
• WAN Traffic Meter Show Command
• Logging Configuration Show Commands
• Logs Show Commands
Note: The VPN logs and RADIUS logs are part of the VPN Mode show
commands (see VPN Settings (VPN Mode) Show Commands on
page 311).
Remote Management Show Command
show system remote_management setup
This command displays the configuration of remote management for Telnet and HTTPS
access:
Remote Mgmt Configuration for telnet
____________________________________
IPv4 access granted to everyone
IPv6 access granted to a range of IPs from : FEC0::3001 to FEC0::3100
port being used : 23
Remote Mgmt Configuration for https
___________________________________
IPv4 access granted to everyone
IPv6 access granted to everyone
port being used : 445
SNMP Show Commands
show system snmp trap [agent ipaddress]
This command displays the SNMP trap configuration of an SNMP agent:
Trap Agent IP Address
_____________________
IP Address: 10.118.33.245
Subnet Mask: 255.255.255.0
Port: 162
Community: public
show system snmp sys
This command displays the SNMP system configuration of the VPN firewall:
SNMP System Configuration
_________________________
SysContact: [email protected]
SysLocation: San Jose
SysName: SRX5308-Bld3
Time Show Command
show system time setup
This command displays the time configuration and the configuration of the NTP server:
Time Zone & NTP Servers Configuration
_____________________________________
Current Time: Tuesday, July 10, 2012, 18:50:09 (GMT -0800)
Timezone: (GMT-08:00) Pacific Time(Canada)
Automatically Adjust for Daylight Savings Time: Yes
Default NTP servers used : Yes
Firmware Version Show Command
show system firmware_version
This command displays the firmware version:
Firmware Version : 4.2.0-18
Secondary Firmware Version : 4.2.0-14
Status Show Command
show system status
This command displays the system status (also referred to as router status) information:
System Info
___________
System Name: SRX5308
Firmware Version: 4.2.0-18
Secondary Firmware Version: 4.2.0-14
Lan Port 1 Information
______________________
VLAN Profile: Sales
VLAN ID:      20
MAC Address:  00:00:00:00:00:08
IP Address:   192.168.70.1
Subnet Mask:  255.255.255.0
DHCP Status:  Disabled
Lan Port 2 Information
______________________
VLAN Profile: Default
VLAN ID:      1
MAC Address:  00:00:00:00:00:01
IP Address:   192.168.1.1
Subnet Mask:  255.255.255.0
DHCP Status:  Enabled
Lan Port 3 Information
______________________
VLAN Profile: Marketing
VLAN ID:      40
MAC Address:  00:00:00:00:00:04
IP Address:   192.168.90.5
Subnet Mask:  255.255.255.128
DHCP Status:  Enabled
Lan Port 4/DMZ Information
___________________________
VLAN Profile: DMZ
VLAN ID:      4094
MAC Address:  00:00:00:00:00:06
IP Address:   176.16.2.1
Subnet Mask:  255.255.255.0
DHCP Status:  Enabled
Broadband Information for WAN1
______________________________
MAC Address: 00:00:00:00:11:22
IPv4 Address: 10.139.54.228 / 255.255.255.248
IPv6 Address: ::ffff:0:a86:5d9 / 96, fe80::200:ff:fe00:1122 / 64
Wan State: UP
NAT (IPv4 only): Enabled
IPv4 Connection Type: STATIC
IPv6 Connection Type: Dynamic IP (DHCPv6)
IPv4 Connection State: Connected
IPv6 Connection State: Connected
Link State: LINK UP
Upload Connection Speed: 1500
Download Connection Speed: 1000000
Gateway: 10.139.54.225
Primary DNS: 10.80.130.23
Secondary DNS: 8.8.8.8
Gateway (IPv6):
Primary DNS(IPv6):
Secondary DNS(IPv6):
Broadband Information for WAN2
______________________________
MAC Address: 00:00:00:00:00:01
IPv4 Address: 0.0.0.0 / 0.0.0.0
IPv6 Address:
Wan State: DOWN
NAT (IPv4 only): Enabled
IPv4 Connection Type: Dynamic IP (DHCP)
IPv6 Connection Type: Dynamic IP (DHCPv6)
IPv4 Connection State: Not Yet Connected
IPv6 Connection State: Not Yet Connected
Link State: LINK DOWN
Upload Connection Speed: 1000000
Download Connection Speed: 1000000
Gateway: 0.0.0.0
Primary DNS: 0.0.0.0
Secondary DNS: 0.0.0.0
Gateway (IPv6):
Primary DNS(IPv6):
Secondary DNS(IPv6):
Broadband Information for WAN3
______________________________
MAC Address: 00:00:00:00:00:01
IPv4 Address: 0.0.0.0 / 0.0.0.0
IPv6 Address:
Wan State: DOWN
NAT (IPv4 only): Enabled
IPv4 Connection Type: Dynamic IP (DHCP)
IPv6 Connection Type: Dynamic IP (DHCPv6)
IPv4 Connection State: Not Yet Connected
IPv6 Connection State: Not Yet Connected
Link State: LINK DOWN
Upload Connection Speed: 1000000
Download Connection Speed: 1000000
Gateway: 0.0.0.0
Primary DNS: 0.0.0.0
Secondary DNS: 0.0.0.0
Gateway (IPv6):
Primary DNS(IPv6):
Secondary DNS(IPv6):
Broadband Information for WAN4
______________________________
MAC Address: 00:00:00:00:00:01
IPv4 Address: 0.0.0.0 / 0.0.0.0
IPv6 Address: fe80::21e:2aff:fe3d:284a / 64
Wan State: DOWN
NAT (IPv4 only): Enabled
IPv4 Connection Type: Dynamic IP (DHCP)
IPv6 Connection Type: Dynamic IP (DHCPv6)
IPv4 Connection State: Not Yet Connected
IPv6 Connection State: Not Yet Connected
Link State: LINK DOWN
Upload Connection Speed: 1000000
Download Connection Speed: 1000000
Gateway: 0.0.0.0
Primary DNS: 0.0.0.0
Secondary DNS: 0.0.0.0
Gateway (IPv6):
Primary DNS(IPv6):
Secondary DNS(IPv6):
WAN Traffic Meter Show Command
show system traffic_meter setup <wan interface>
This command displays the configuration of the traffic meter and the Internet traffic statistics.
For the WAN interface, type WAN1, WAN2, WAN3, or WAN4.
Enable Traffic Meter
____________________
Traffic Meter is Enabled
Limit Type Both Directions
Monthly Limit in (MB): 255000
Increase this month limit: Enabled
Increase limit by in (MB): 125000
This month limit:
Traffic Counter
________________
Traffic Counter: Specific Time
Restart Time (HH:MM-Day of Month): 12:0 AM - 1
Send e-mail before restarting: Enabled
When Limit is reached
______________________
Traffic Block Status: Block All Traffic Except Email
Send e-mail alert: Enabled
Internet Traffic Statistics
____________________________
Start Date / Time: Wed Jul 11 10:47:53 2012
Outgoing Traffic Volume: 0
Incoming Traffic Volume: 0
Average per day: 0
% of Standard Limit: 0
% of this Month's Limit: 0
Logging Configuration Show Commands
show system logging setup
This command displays the configuration of the IPv4 and IPv6 logs:
Logging Config
______________
Routing Logs
____________
LAN to WAN
__________
Accepted Packets: Disabled
Dropped Packets:  Disabled
WAN to LAN
__________
Accepted Packets: Disabled
Dropped Packets:  Disabled
DMZ to WAN
__________
Accepted Packets: Disabled
Dropped Packets:  Disabled
WAN to DMZ
__________
Accepted Packets: Disabled
Dropped Packets:  Disabled
LAN to DMZ
__________
Accepted Packets: Disabled
Dropped Packets:  Disabled
DMZ to LAN
__________
Accepted Packets: Disabled
Dropped Packets:  Disabled
System Logs
___________
Change of time by NTP:           Disabled
Login attempts:                  Disabled
Secure Login attempts:           Disabled
Reboots:                         Disabled
All Unicast Traffic:             Disabled
All Broadcast/Multicast Traffic: Disabled
WAN Status:                      Disabled
Resolved DNS Names:              Disabled
VPN Logs:                        Disabled
DHCP Server:                     Disabled
Other Event Logs
________________
Source MAC Filter: Disabled
Session Limit:     Disabled
Bandwidth Limit:   Disabled
show system logging remote setup
This command displays the configuration and the schedule of the email logs:
Log Identifier: SRX5308-BLD3
Enable E-Mail Logs
__________________
E-Mail Server Address: SMTP.Netgear.com
Return E-Mail Address: [email protected]
Send to E-Mail Address: [email protected]
Authentication: No Authentication
Respond to Identd from SMTP Server: N
Send E-mail logs by Schedule
____________________________
Unit: Weekly
Day: Sunday
Time: 03 AM
Syslog Configuration
____________________
Syslog Server: Disabled
Logs Show Commands
show system logs
This command displays the system logs (the following example shows only part of the
command output):
Tue Jul 10 10:23:55 2012(GMT -0800) [SRX5308][Kernel][KERNEL] p->perfect 0000000000000000 p->h a800000417bab200
Tue Jul 10 10:23:55 2012(GMT -0800) [SRX5308][Kernel][KERNEL] HTB: quantum of class 10001 is big. Consider r2q change.
Tue Jul 10 10:23:55 2012(GMT -0800) [SRX5308][Kernel][KERNEL] HTB: quantum of class 10002 is big. Consider r2q change.
Tue Jul 10 10:23:55 2012(GMT -0800) [SRX5308][Kernel][KERNEL] HTB: quantum of class 11024 is big. Consider r2q change.
Tue Jul 10 10:24:00 2012(GMT -0800) [SRX5308][Kernel][KERNEL] eth0.1: del 01:00:5e:7f:ff:fa mcast address from master interface
Tue Jul 10 10:24:00 2012(GMT -0800) [SRX5308][Kernel][KERNEL] eth0.1: add 01:00:5e:7f:ff:fa mcast address to master interface
Tue Jul 10 10:24:00 2012(GMT -0800) [SRX5308][Kernel][KERNEL] tcindex_destroy(tp a800000416f94600),p a80000041696d680
Tue Jul 10 10:24:00 2012(GMT -0800) [SRX5308][Kernel][KERNEL] tcindex_walk(tp a800000416f94600,walker a800000415f4f900),p a80000041696d680
Tue Jul 10 10:24:00 2012(GMT -0800) [SRX5308][Kernel][KERNEL] tcindex_delete(tp a800000416f94600,arg 0xa800000416981e08),p a80000041696d680,f 0000000000000000
show sysinfo
This command displays system information, including MAC addresses, serial number, and
firmware version:
System - Manufacturer Information
**************************
hwver: 00:00:A0:03
reginfo: 0x0005
numofimages : 1
currimage: 1
mac address : E0469A1D1A9C
vlan[0] MAC : e0469a1d1a9f
vlan[1] MAC : e0469a1d1aa0
vlan[2] MAC : e0469a1d1aa1
vlan[3] MAC : e0469a1d1aa2
vlan[4] MAC : e0469a1d1aa3
vlan[5] MAC : e0469a1d1aa4
vlan[6] MAC : e0469a1d1aa5
vlan[7] MAC : e0469a1d1aa6
vlan[8] MAC : e0469a1d1aa7
vlan[9] MAC : e0469a1d1aa8
vlan[10] MAC : e0469a1d1aa9
vlan[11] MAC : e0469a1d1aaa
vlan[12] MAC : e0469a1d1aab
vlan[13] MAC : e0469a1d1aac
vlan[14] MAC : e0469a1d1aad
WAN MAC : e0469a1d1a9d
pcbasn number : S.YX218U00E0
serial number : 2JF119BY001B0
image 0 : 4.1.1-8
image 1 : 0
productId : SRX5308
maccnt0: 0x22
maccnt1: 0x0
maccnt2: 0x0
maccnt3: 0x0
**************************
VPN Settings (VPN Mode) Show Commands
This section contains the following subsections:
• IPSec VPN Show Commands
• SSL VPN Show Commands
• SSL VPN User Show Commands
• RADIUS Server Show Command
• PPTP Server Show Commands
• L2TP Server Show Commands
IPSec VPN Show Commands
show vpn ipsec ikepolicy setup
This command displays the IKE policies. In this example the iphone policy uses aggressive mode with a wildcard remote ID (0.0.0.0), the usual arrangement for mobile clients served by a Mode Config record; keep in mind that aggressive mode sends the identity and the authentication hash unencrypted, so with a pre-shared key that hash can be attacked offline. 3DES and DH Group 2 (1024-bit MODP) are also below current key-strength recommendations; prefer AES and a larger DH group where the peer supports them:
List of IKE Policies
____________________
Name               Mode        Local ID                Remote ID      Encryption  Authentication  DH Group
_________________  __________  ______________________  _____________  __________  ______________  __________________
iphone             aggressive  10.139.54.228           0.0.0.0        AES-128     SHA-1           Group 2 (1024 bit)
SRX5308-to-Peer44  main        fe80::a8ab:bbff:fe00:2  peer44.com     3DES        SHA-1           Group 2 (1024 bit)
SRX-to-Paris       main        10.139.54.228           10.112.71.154  3DES        SHA-1           Group 2 (1024 bit)
show vpn ipsec vpnpolicy setup
This command displays the IPSec VPN policies:
Status   Name               Type         IPSec Mode   Local                                   Remote                          Auth   Encr
_______  _________________  ___________  ___________  ______________________________________  ______________________________  _____  ____
Enabled  SRX5308-to-Peer44  Auto Policy  Tunnel Mode  2002:408b:36e4:a:a8ab:bbff:fe00:1 / 64  fe80::a4bb:ffdd:fe01:2 / 64     SHA-1  3DES
Enabled  SRX-to-Paris       Auto Policy  Tunnel Mode  192.168.1.0 / 255.255.255.0             192.168.50.0 / 255.255.255.255  SHA-1  3DES
show vpn ipsec vpnpolicy status
This command displays status information about the active and nonactive IPSec VPN
policies.
Note: This example does not relate to the previous two examples, nor to the
examples in Chapter 8, VPN Settings (VPN Mode) Show Commands.
Row Id  Policy Name      Endpoint                        tx ( KB )  tx ( Packets )  State                     Action
______  _______________  ______________________________  _________  ______________  ________________________  _______
1       GW1-to-GW2       10.144.28.226                   0.00       0               IPsec SA Not Established  Connect
2       SRX-to-IPv6Peer  2001::da21:1316:df17:dfee:e33c  0.00       0               IPsec SA Not Established  Connect
3       10.100.10.1      10.153.46.120                   7.01       31              IPsec SA Established      Drop
4       10.100.10.2      10.153.46.120                   6.68       29              IPsec SA Established      Drop
show vpn ipsec mode_config setup
This command displays the Mode Config records:
List of Mode Config Records
___________________________
Record Name     Pool Start IP   Pool End IP
______________  ______________  ______________
EMEA Sales      172.16.100.1    172.16.100.99
                172.16.200.1    172.16.200.99
Americas Sales  172.25.100.50   172.25.100.90
                172.25.210.1    172.25.210.99
                172.25.220.80   172.25.220.99
iphone          192.168.22.1    192.168.22.2
show vpn ipsec logs
This command displays the IPSec VPN logs (the following example shows only part of the
command output):
Wed Jul 11 12:24:36 2012 (GMT -0800): [SRX5308] [IKE] INFO: Using IPsec SA configuration: anonymous
Wed Jul 11 12:24:36 2012 (GMT -0800): [SRX5308] [IKE] INFO: Re-using previously generated policy: 100.10.10.2/32[0] 0.0.0.0/0[0] proto=any dir=in
Wed Jul 11 12:24:36 2012 (GMT -0800): [SRX5308] [IKE] WARNING: less key length proposed, mine:128 peer:256. Use initiator's one.
Wed Jul 11 12:24:36 2012 (GMT -0800): [SRX5308] [IKE] INFO: IPsec-SA established: ESP/Tunnel 173.11.109.158->64.139.54.228 with spi=73255174(0x45dc906)
Wed Jul 11 12:24:36 2012 (GMT -0800): [SRX5308] [IKE] INFO: IPsec-SA established: ESP/Tunnel 10.139.54.228->172.11.109.158 with spi=7343706(0x700e5a)
Wed Jul 11 12:27:25 2012 (GMT -0800): [SRX5308] [IKE] INFO: Sending Informational Exchange: notify payload[10637]
SSL VPN Show Commands
show vpn sslvpn client
This command displays the SSL VPN client ranges and configurations:
SSL VPN Client(IPv4)
____________________
Enable Full Tunnel Support: Yes
DNS Suffix:
Primary DNS Server: 192.168.10.5
Secondary DNS Server: 192.168.10.6
Client Address Range Begin: 192.168.251.1
Client Address Range End: 192.168.251.254
SSL VPN Client(IPv6)
____________________
Enable Full Tunnel Support: No
DNS Suffix:
Primary DNS Server:
Secondary DNS Server:
Client Address Range Begin: 4000::1
Client Address Range End: 4000::200
show vpn sslvpn logs
This command displays the SSL VPN logs (the following example shows only part of the
command output):
Mon Jul 9 11:00:18 2012(GMT -0800) [SRX5308][SSLVPN][SSLVPN] SSL_INFO : Login Successful for geardomain user admin(Admin) from host 10.110.205.58
Mon Jul 9 12:04:09 2012(GMT -0800) [SRX5308][SSLVPN][SSLVPN] SSL_INFO :user admin is Logged-Out successfully from host 10.110.205.58
Mon Jul 9 12:04:20 2012(GMT -0800) [SRX5308][SSLVPN][SSLVPN] SSL_INFO : Login Successful for geardomain user techwriter(Admin) from host 10.110.205.58
Mon Jul 9 16:00:34 2012(GMT -0800) [SRX5308][SSLVPN][SSLVPN] SSL_INFO : Login Successful for geardomain user techwriter(Admin) from host 10.110.205.58
Mon Jul 9 16:10:54 2012(GMT -0800) [SRX5308][SSLVPN][SSLVPN] SSL_INFO : Login Successful for geardomain user admin(Admin) from host 10.110.205.58
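The three log listings in this chapter (show system logs, show vpn ipsec logs and show vpn sslvpn logs) share one line layout: a timestamp, a time zone in parentheses, one or more bracketed tags, and the message. The following Python script is an added example, not part of the NETGEAR manual or the SRX5308 firmware. It parses that layout and pulls out the events an operator would review after pulling the logs off the device: SSL VPN logins and logouts per user and source host, IPsec SA establishment, and the IKE key-length warning. The sample lines are copied from the listings above; the regular expressions, function names and event field names are the example's own.

```python
import re
from collections import Counter

# Added example, not NETGEAR code: parse SRX5308 log lines as printed by
# "show system logs", "show vpn ipsec logs" and "show vpn sslvpn logs".

# Matches both timestamp spellings seen in the manual's listings:
#   "Tue Jul 10 10:23:55 2012(GMT -0800) [SRX5308][Kernel][KERNEL] ..."
#   "Wed Jul 11 12:24:36 2012 (GMT -0800): [SRX5308] [IKE] INFO: ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s*"
    r"\((?P<tz>[^)]*)\):?\s*"
    r"(?P<tags>(?:\[[^\]]+\]\s*)+)"
    r"(?P<msg>.*)$"
)

# Message patterns for the events worth extracting.
SSL_LOGIN_RE = re.compile(
    r"Login Successful for (?P<domain>\S+) user (?P<user>\w+)"
    r"\((?P<role>[^)]*)\) from host (?P<host>\S+)"
)
SSL_LOGOUT_RE = re.compile(
    r"user (?P<user>\w+) is Logged-Out successfully from host (?P<host>\S+)"
)
SA_RE = re.compile(
    r"IPsec-SA established: (?P<proto>\S+) (?P<src>[^\s>]+)->(?P<dst>\S+)"
    r" with spi=\s*(?P<spi>\d+)"
)
KEYLEN_RE = re.compile(
    r"less key length proposed, mine:(?P<mine>\d+) peer:(?P<peer>\d+)"
)


def parse_line(line):
    """Split one log line into timestamp, zone, bracketed tags and message.

    Returns None for lines that do not follow the SRX5308 layout (for
    example a wrapped continuation line pasted from a terminal)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    tags = re.findall(r"\[([^\]]+)\]", m.group("tags"))
    return {"ts": m.group("ts"), "tz": m.group("tz"),
            "tags": tags, "msg": m.group("msg").strip()}


def extract_events(lines):
    """Turn raw lines into a list of typed event dicts; other lines are skipped."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        msg, ts = rec["msg"], rec["ts"]
        if m := SSL_LOGIN_RE.search(msg):
            events.append({"type": "ssl_login", "ts": ts, **m.groupdict()})
        elif m := SSL_LOGOUT_RE.search(msg):
            events.append({"type": "ssl_logout", "ts": ts, **m.groupdict()})
        elif m := SA_RE.search(msg):
            d = m.groupdict()
            d["spi"] = int(d["spi"])
            events.append({"type": "ipsec_sa", "ts": ts, **d})
        elif m := KEYLEN_RE.search(msg):
            # The warning says the negotiated length follows the initiator, so
            # the SA may run with a key length other than the one configured here.
            events.append({"type": "ike_keylen_mismatch", "ts": ts,
                           "mine": int(m.group("mine")),
                           "peer": int(m.group("peer"))})
    return events


def summarize(events):
    """Aggregate the events into what an operator would actually review."""
    logins = Counter((e["user"], e["host"])
                     for e in events if e["type"] == "ssl_login")
    admin_hosts = sorted({e["host"] for e in events
                          if e["type"] == "ssl_login" and e["role"] == "Admin"})
    sas = [(e["src"], e["dst"], e["spi"]) for e in events if e["type"] == "ipsec_sa"]
    mismatches = [(e["mine"], e["peer"])
                  for e in events if e["type"] == "ike_keylen_mismatch"]
    return {"logins": logins, "admin_hosts": admin_hosts,
            "sas": sas, "keylen_mismatches": mismatches}


# Sample input copied from the manual's listings (wrapped lines rejoined).
SAMPLE_LOG = [
    "Tue Jul 10 10:23:55 2012(GMT -0800) [SRX5308][Kernel][KERNEL] HTB: quantum of class 10001 is big. Consider r2q change.",
    "Wed Jul 11 12:24:36 2012 (GMT -0800): [SRX5308] [IKE] WARNING: less key length proposed, mine:128 peer:256. Use initiator's one.",
    "Wed Jul 11 12:24:36 2012 (GMT -0800): [SRX5308] [IKE] INFO: IPsec-SA established: ESP/Tunnel 173.11.109.158->64.139.54.228 with spi=73255174(0x45dc906)",
    "Mon Jul 9 11:00:18 2012(GMT -0800) [SRX5308][SSLVPN][SSLVPN] SSL_INFO : Login Successful for geardomain user admin(Admin) from host 10.110.205.58",
    "Mon Jul 9 12:04:09 2012(GMT -0800) [SRX5308][SSLVPN][SSLVPN] SSL_INFO :user admin is Logged-Out successfully from host 10.110.205.58",
    "Mon Jul 9 12:04:20 2012(GMT -0800) [SRX5308][SSLVPN][SSLVPN] SSL_INFO : Login Successful for geardomain user techwriter(Admin) from host 10.110.205.58",
]

if __name__ == "__main__":
    for key, value in summarize(extract_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The device has no syslog server configured in the example above, so logs survive only until they are rotated or the unit reboots; paste or script-collect the output of the show commands regularly and run a parser like this over the saved copy. The admin-role login hosts and the key-length warning are the two items to compare against what you expect for the site.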
show vpn sslvpn policy
This command displays the SSL VPN policies:
SSL VPN Policies
________________
Row Id  Policy Name          Policy Type  Service Type     Destination Object         Permission
______  ___________________  ___________  _______________  _________________________  __________
1       RoadWarriorPolicy    global       VPN Tunnel       RoadWarrior                Permit
2       RoadWarriorPolicyII  global       VPN Tunnel       10.201.33.200:35401-35405  Deny
3       GuestFTPPolicy       user         Port Forwarding  0.0.0.0:25077-25078        Deny
show vpn sslvpn portal_layouts
This command displays the SSL VPN portal layouts:
List of Layouts
_______________
Row Id  Layout Name  Description                     Use Count  Portal URL (IPv4)                     Portal URL (IPV6)
______  ___________  ______________________________  _________  ____________________________________  __________________________________________________
1       SSL-VPN*     Welcome to Netgear Configur...  4          https://10.139.54.228/portal/SSL-VPN  https://[fe80::e246:9aff:fe1d:1a9d]/portal/SSL-VPN
2       CSup         In case of login difficulty...  1          https://10.139.54.228/portal/CSup     https://[fe80::e246:9aff:fe1d:1a9d]/portal/CSup
show vpn sslvpn portforwarding appconfig
This command displays the SSL VPN port forwarding application configuration:
Port Forwarding Application Configuration
_________________________________________
Row Id  Server IP       Port
______  ______________  ____
1       192.168.51.227  3389
2       192.168.51.230  4009
show vpn sslvpn portforwarding hostconfig
This command displays the SSL VPN port forwarding host configuration:
Port Forwarding Host Configuration
__________________________________
Row Id  Server IP       FQDN Name
______  ______________  ________________
1       192.168.51.227  RemoteDesktop
2       192.168.51.230  Support.app.com
show vpn sslvpn resource
This command displays the SSL VPN resource configuration:
RESOURCES
_________
Row Id  Resource Name  Service
______  _____________  _______________
1       TopSecure      Port Forwarding
2       FTPServer      Port Forwarding
3       RoadWarrior    VPN Tunnel
show vpn sslvpn resource_object <resource name>
This command displays the detailed configuration for the specified resource object. Type the
name of a resource object that is displayed in the output of the show vpn sslvpn resource
command.
RESOURCE OBJECTS
________________
Row Id: 1
Object Type: IP Address
Object Address: 192.168.144.23
Mask Length: 32
Start Port: 40133
End Port: 40140
show vpn sslvpn route
This command displays the SSL VPN client routes:
Configured Client Routes
________________________
Row Id  Destination Network      Subnet Mask
______  _______________________  _______________
1       192.168.4.20             255.255.255.254
2       2001:abcf:1241:dffe::22  10
SSL VPN User Show Commands
show vpn sslvpn users domains
This command displays the domain configurations:
List of Domains
_______________
Row_Id  Domain Name     Authentication Type  Portal Layout Name
______  ______________  ___________________  __________________
1       geardomain*     Local User Database  SSL-VPN
2       Headquarter     LDAP                 CSup
3       LevelI_Support  Local User Database  SSL-VPN
4       TEST            wikid_pap            SSL-VPN
show vpn sslvpn users groups
This command displays the group configurations:
List of Groups
______________
Row_Id  Name            Domain
______  _______________  ______________
1       geardomain*     geardomain
2       Headquarter     Headquarter
3       Sales           Headquarter
4       LevelI_Support  LevelI_Support
5       TEST            TEST
show vpn sslvpn users users
This command displays the user account configurations:
List of Users
_____________
Row_Id  User Name      Group           Type            Authentication Domain  Login Status
______  _____________  ______________  ______________  _____________________  _____________________
1       admin*         geardomain      Administrator   geardomain             Enabled (LAN and WAN)
2       guest*         geardomain      Guest           geardomain             Enabled (LAN only)
3       admin2         geardomain      Administrator   geardomain             Enabled (LAN and WAN)
4       PeterBrown     Sales           SSL VPN User    Headquarter            Enabled (LAN and WAN)
5       JohnD_Company  LevelI_Support  SSL VPN User    LevelI_Support         Enabled (LAN and WAN)
6       chin           geardomain                      geardomain             Enabled (LAN and WAN)
7       iphone         Administrator   IPSEC VPN User                         Enabled (LAN and WAN)
show vpn sslvpn users login_policies <row id>
Note: The row ID refers to the List of Users table in the output of the show vpn
sslvpn users users command.
This command displays the login restrictions based on login policies for the specified user:
User Login Policies
___________________
User Name: PeterBrown
Disable Login: No
Deny Login from Wan Interface: No
show vpn sslvpn users ip_policies <row id>
Note: The row ID refers to the List of Users table in the output of the show vpn
sslvpn users users command.
This command displays the login restrictions based on IP addresses for the specified user:
User Ip Policies
________________
User Name: PeterBrown
Allow Login from Defined Address: Yes
Ip Addresses
____________
Row_Id: 1
Source Address Type: IP Address
Network/IP Address: 10.156.127.39
Mask Length: 32
show vpn sslvpn users browser_policies <row id>
Note: The row ID refers to the List of Users table in the output of the show vpn
sslvpn users users command.
This command displays the login restrictions based on web browsers for the specified user:
User Browser Policies
_____________________
User Name: PeterBrown
Allow Login from Defined Browser: No
Defined Browsers
________________
Internet Explorer
Netscape Navigator
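The three policy listings above (login policies, IP policies and browser policies) are restrictions that apply together when a user signs in to the SSL VPN portal. The following Python is an added example, not NETGEAR code and not how the firmware is implemented: it models the three checks for one user as the show commands present them and evaluates a login attempt against them. The PeterBrown values are taken from the listings above; the second user, the class names, the field names and the "interface" and "browser" attributes of the attempt are the example's own assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not NETGEAR code: evaluate an SSL VPN login attempt against
# the per-user policies that "show vpn sslvpn users login_policies",
# "... ip_policies" and "... browser_policies" display.


@dataclass
class UserPolicies:
    user_name: str
    disable_login: bool = False                 # Disable Login
    deny_login_from_wan: bool = False           # Deny Login from Wan Interface
    allow_only_defined_addresses: bool = False  # Allow Login from Defined Address
    defined_addresses: list = field(default_factory=list)  # (address, mask length)
    allow_only_defined_browsers: bool = False   # Allow Login from Defined Browser
    defined_browsers: list = field(default_factory=list)


@dataclass
class LoginAttempt:
    user_name: str
    source_ip: str
    interface: str   # "LAN" or "WAN" (assumed attribute of the attempt)
    browser: str     # whatever the client reports about itself


def address_permitted(source_ip, defined_addresses):
    """True if source_ip falls inside any (address, mask length) entry.

    Mask length 32 (128 for IPv6) is the single-host case shown in the
    manual; a shorter mask admits a whole network."""
    src = ipaddress.ip_address(source_ip)
    for addr, mask_len in defined_addresses:
        net = ipaddress.ip_network(f"{addr}/{mask_len}", strict=False)
        if src.version == net.version and src in net:
            return True
    return False


def evaluate_login(policy, attempt):
    """Return (allowed, reason). Checks are deny-first, in the order the
    manual lists them: disabled account, interface, source address, browser."""
    if policy.user_name != attempt.user_name:
        return False, "policy does not belong to this user"
    if policy.disable_login:
        return False, "login disabled for user"
    if policy.deny_login_from_wan and attempt.interface.upper() == "WAN":
        return False, "login from WAN interface denied"
    if policy.allow_only_defined_addresses and not address_permitted(
            attempt.source_ip, policy.defined_addresses):
        return False, f"source {attempt.source_ip} not in defined addresses"
    if policy.allow_only_defined_browsers and attempt.browser not in policy.defined_browsers:
        return False, f"browser {attempt.browser!r} not in defined browsers"
    return True, "permitted"


# Values taken from the manual's PeterBrown listings: address restriction on,
# one /32 entry, browser restriction off although two browsers are defined.
PETER = UserPolicies(
    user_name="PeterBrown",
    allow_only_defined_addresses=True,
    defined_addresses=[("10.156.127.39", 32)],
    defined_browsers=["Internet Explorer", "Netscape Navigator"],
)

# Hypothetical second user (not in the manual) with every restriction on.
LOCKED = UserPolicies(
    user_name="contractor",
    deny_login_from_wan=True,
    allow_only_defined_addresses=True,
    defined_addresses=[("192.168.4.0", 24)],
    allow_only_defined_browsers=True,
    defined_browsers=["Internet Explorer"],
)

if __name__ == "__main__":
    print(evaluate_login(PETER, LoginAttempt("PeterBrown", "10.156.127.39", "WAN", "Firefox")))
    print(evaluate_login(LOCKED, LoginAttempt("contractor", "192.168.4.7", "WAN", "Internet Explorer")))
```

Two caveats when you rely on these policies. The browser restriction can only act on what the client says about itself in its requests, so treat it as a usability control rather than an access control. The address restriction is only as selective as the addressing in front of the device: a /32 that is the public address of a NAT gateway admits every host behind that gateway.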
show vpn sslvpn users active_users
This command displays the active SSL VPN users:
UserName: : admin
GroupName: : geardomain
LoginAddress: : 10.116.205.166
LoginTime: : Thu Jul 12 10:31:38 2012 (GMT -0800)
RADIUS Server Show Command
show vpn ipsec radius [ipaddress]
This command displays the configuration of all RADIUS servers or of a specified RADIUS
server. The per-server form prints the shared secret in clear text, so treat console
sessions, terminal logs and any captured output of this command as sensitive:
• All RADIUS Servers:
SRX5308> show vpn ipsec radius
Configured RADIUS Client
________________________
Server IP    Server Port  Timeout  Retries  NAS Identifier
___________  ___________  _______  _______  ______________
192.168.4.2  1812         30       4        SRX5308
192.168.4.3  1812         30       4        SRX5308
• A specified RADIUS server:
SRX5308> show vpn ipsec radius 192.168.4.2
RADIUS Configuration
____________________
Auth Server IP Address: 192.168.4.2
Auth Port: 1812
Timeout (in seconds): 30
Retries: 4
Secret: sharedsecret
NAS Identifier: SRX5308
PPTP Server Show Commands
show vpn pptp server setup
This command displays the configuration of the PPTP server:
PPTP Server Configuration
_________________________
PPTP Server Status: Enabled
PPTP Starting IP Address: 10.119.215.1
PPTP server Ending IP Address: 10.119.215.26
PPTP server Idle Timeout: 999
show vpn pptp server connections
This command displays the users that are connected through the PPTP server:
List of PPTP Active Users
_________________________
L2TP Server Show Commands
show vpn l2tp server setup
This command displays the configuration of the L2TP server:
L2TP Server Configuration
_________________________
L2TP Server Status: Enabled
L2TP Starting IP Address: 192.168.112.1
L2TP server Ending IP Address: 192.168.112.25
L2TP server Idle Timeout: 10
show vpn l2tp server connections
This command displays the users that are connected through the L2TP server:
List of L2TP Active Users
_________________________
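The Mode Config pools, the SSL VPN client range, and the PPTP and L2TP ranges shown in this chapter all hand out addresses to remote users, and nothing in the show output checks them against each other or against the LAN. The following Python is an added example, not NETGEAR code: it takes the ranges from the listings above, plus one hypothetical pool that is not in the manual and exists only to trigger a finding, and reports pools that overlap each other or that fall inside a given LAN network. The LAN 192.168.1.0/24 is the Local network of the SRX-to-Paris VPN policy shown earlier; the function names and pool labels are the example's own.

```python
import ipaddress

# Added example, not NETGEAR code: sanity-check the address pools that the
# VPN services hand out (Mode Config, SSL VPN client, PPTP, L2TP).


def pool(start, end):
    """Validate a start/end pair and return it as an inclusive integer range."""
    a, b = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if a.version != b.version:
        raise ValueError(f"mixed address families: {start} / {end}")
    if int(a) > int(b):
        raise ValueError(f"pool end {end} precedes start {start}")
    return (int(a), int(b), a.version)


def overlaps(p, q):
    """Inclusive ranges overlap if neither ends before the other starts."""
    return p[2] == q[2] and p[0] <= q[1] and q[0] <= p[1]


def find_overlaps(pools):
    """pools: {name: (start, end)}. Returns sorted name pairs that overlap."""
    parsed = {name: pool(*bounds) for name, bounds in pools.items()}
    names = sorted(parsed)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if overlaps(parsed[a], parsed[b])]


def pools_inside(pools, network_cidr):
    """Names of pools that lie partly or wholly inside network_cidr."""
    net = ipaddress.ip_network(network_cidr, strict=False)
    lo, hi = int(net.network_address), int(net.broadcast_address)
    return sorted(name for name, bounds in pools.items()
                  if overlaps(pool(*bounds), (lo, hi, net.version)))


# Ranges copied from the manual's listings ...
POOLS = {
    "modecfg EMEA Sales #1": ("172.16.100.1", "172.16.100.99"),
    "modecfg EMEA Sales #2": ("172.16.200.1", "172.16.200.99"),
    "modecfg Americas Sales #1": ("172.25.100.50", "172.25.100.90"),
    "modecfg Americas Sales #2": ("172.25.210.1", "172.25.210.99"),
    "modecfg Americas Sales #3": ("172.25.220.80", "172.25.220.99"),
    "modecfg iphone": ("192.168.22.1", "192.168.22.2"),
    "sslvpn client": ("192.168.251.1", "192.168.251.254"),
    "pptp": ("10.119.215.1", "10.119.215.26"),
    "l2tp": ("192.168.112.1", "192.168.112.25"),
    # ... plus one hypothetical pool (not in the manual) that collides.
    "modecfg Contractors (hypothetical)": ("192.168.251.200", "192.168.251.220"),
}

LAN = "192.168.1.0/24"   # Local network of the SRX-to-Paris VPN policy

if __name__ == "__main__":
    print("overlapping pools:", find_overlaps(POOLS))
    print("pools inside LAN:", pools_inside(POOLS, LAN))
```

Run this after every change to a Mode Config record or client range. Two remote-access services sharing addresses, or a pool that collides with the LAN, produces the kind of intermittent routing fault that is easy to misread as a VPN failure and hard to see in the per-service show output.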
9. Utility Commands
This chapter explains the configuration commands, keywords, and associated parameters in the
Util mode. The chapter includes the following sections:
• Overview Util Commands
• Firmware Backup, Restore, and Upgrade Commands
• Diagnostic Commands
Overview Util Commands
Enter the util ? command at the CLI prompt to display the utility commands in the util
mode. The following table lists the commands in alphabetical order:
Table 16. Utility commands in the util mode
Command Name                   Purpose
util backup_configuration      Back up the configuration file of the VPN firewall to a TFTP server.
util dns_lookup                Look up the IP address of a domain name.
util firmware_upgrade          Upgrade the firmware of the VPN firewall from a TFTP server.
util ping                      Ping an IP address.
util ping_through_vpn_tunnel   Ping a VPN endpoint IP address.
util reboot                    Reboot the VPN firewall.
util restore_factory_defaults  Restore the VPN firewall to factory default settings.
util routing_table_ipv4        Display the IPv4 routing table.
util routing_table_ipv6        Display the IPv6 routing table.
util traceroute                Trace a route to an IP address.
util upload_configuration      Upload a previously backed-up configuration file of the VPN firewall from a TFTP server.
Firmware Backup, Restore, and Upgrade Commands
util backup_configuration
This command backs up the configuration file of the VPN firewall to a TFTP server. TFTP provides neither authentication nor encryption, so the complete configuration crosses the network in clear text; run the backup only over a trusted management network and protect the resulting file as you would the device itself.
Format
util backup_configuration <destination file name> <tftp server address>
Mode
util
util upload_configuration
This command uploads a previously backed-up configuration file of the VPN firewall from a
TFTP server.
Format
util upload_configuration <source file name> <tftp server address>
Mode
util
util firmware_upgrade
This command upgrades the firmware of the VPN firewall from a TFTP server. Because TFTP cannot authenticate the server or the image, stage only an image obtained from NETGEAR support, on a TFTP server that is reachable solely from the management network.
Format
util firmware_upgrade <source file name> <tftp server address>
Mode
util
util reboot
This command reboots the VPN firewall. It takes about 3 minutes for the VPN firewall to come
back up.
Format
util reboot
Mode
util
util restore_factory_defaults
This command restores the VPN firewall to factory default settings. It takes about 3 minutes
for the VPN firewall to come back up.
Format
util restore_factory_defaults
Mode
util
Diagnostic Commands
util dns_lookup
This command looks up the IP address of a domain name.
Format
util dns_lookup <domain name>
Mode
util
SRX5308> util dns_lookup netgear.com
Server: 66.80.130.23
Address 1: 66.80.130.23 ns1.megapath.net
Name: netgear.com
Address 1: 206.16.44.90
util ping
This command pings an IP address with 56 data bytes and displays the ping information.
Format
util ping <ipaddress>
Mode
util
SRX5308> util ping 10.136.216.82
PING 10.136.216.82 (10.136.216.82): 56 data bytes
64 bytes from 10.136.216.82: seq=0 ttl=48 time=69.168 ms
64 bytes from 10.136.216.82: seq=1 ttl=48 time=112.606 ms
64 bytes from 10.136.216.82: seq=2 ttl=48 time=46.531 ms
64 bytes from 10.136.216.82: seq=3 ttl=48 time=49.804 ms
64 bytes from 10.136.216.82: seq=4 ttl=48 time=51.247 ms
--- 10.136.216.82 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 46.531/65.871/112.606 ms
util ping_through_vpn_tunnel
This command pings a VPN endpoint IP address with 56 data bytes through a VPN tunnel
and displays the ping information.
Format
util ping_through_vpn_tunnel <ipaddress>
Mode
util
SRX5308> util ping_through_vpn_tunnel 10.136.24.128
Pinging 192.168.1.1 from 5
Ping passed
64 bytes from 10.136.24.128: icmp_seq=0 ttl=64
64 bytes from 10.136.24.128: icmp_seq=1 ttl=64
64 bytes from 10.136.24.128: icmp_seq=2 ttl=64
64 bytes from 10.136.24.128: icmp_seq=3 ttl=64
64 bytes from 10.136.24.128: icmp_seq=4 ttl=64
util traceroute
This command traces a route to an IP address.
Format
util traceroute <ipaddress>
Mode
util
SRX5308> util traceroute 10.136.24.128
traceroute to 10.136.24.128 (10.136.24.128), 30 hops max, 40 byte packets
 1  (10.136.24.128)  0.516 ms  0.227 ms  0.218 ms
util routing_table_ipv4
This command displays the IPv4 routing table.
Format
util routing_table_ipv4
Mode
util
util routing_table_ipv6
This command displays the IPv6 routing table.
Format
util routing_table_ipv6
Mode
util
CLI Command Index
N
net ddns configure 53
net dmz ipv4 configure 74
net dmz ipv6 configure 76
net dmz ipv6 pool configure 77
net ethernet configure 58
net ipv6 ipmode configure 46
net ipv6_tunnel isatap add 50
net ipv6_tunnel isatap delete 52
net ipv6_tunnel isatap edit 51
net ipv6_tunnel six_to_four configure 52
net lan dhcp reserved_ip configure 60
net lan dhcp reserved_ip delete 62
net lan ipv4 advanced configure 59
net lan ipv4 configure 54
net lan ipv4 default_vlan 59
net lan ipv4 delete 57
net lan ipv4 disable 57
net lan ipv4 enable 57
net lan ipv4 multi_homing add 62
net lan ipv4 multi_homing delete 63
net lan ipv4 multi_homing edit 63
net lan ipv4 traffic_meter configure 64
net lan ipv4 traffic_meter delete 66
net lan ipv6 configure 66
net lan ipv6 multi_homing add 69
net lan ipv6 multi_homing delete 71
net lan ipv6 multi_homing edit 70
net lan ipv6 pool add 68
net lan ipv6 pool delete 69
net lan ipv6 pool edit 68
net lan ipv6 prefix_delegation add 72
net lan ipv6 prefix_delegation delete 74
net lan ipv6 prefix_delegation edit 73
net lan lan_groups edit 62
net protocol_binding add 39
net protocol_binding delete 45
net protocol_binding disable 45
net protocol_binding edit 42
net protocol_binding enable 46
net qos configure 80
net qos profile add 81
net qos profile delete 92
net qos profile disable 92
net qos profile edit 86
net qos profile enable 93
net radvd configure dmz 78
net radvd configure lan 71
net radvd pool dmz delete 78
net routing dynamic configure 95
net routing static ipv4 configure 93
net routing static ipv4 delete 94
net routing static ipv4 delete_all 95
net routing static ipv6 configure 98
net routing static ipv6 delete 99
net routing static ipv6 delete_all 100
net siit configure 50
net wan port_setup configure 27
net wan wan ipv4 secondary_address add 37
net wan wan ipv4 secondary_address delete 37
net wan wan1 ipv4 configure 32
net wan wan1 ipv6 configure 47
net wan_settings load_balancing configure 38
net wan_settings wanmode configure 31
S
security address_filter ip_or_mac_binding add 170
security address_filter ip_or_mac_binding delete 172
security address_filter ip_or_mac_binding edit 171
security address_filter ip_or_mac_binding enable_email_log 172
security address_filter mac_filter configure 168
security address_filter mac_filter source add 169
security address_filter mac_filter source delete 170
security bandwidth enable_bandwidth_profiles 177
security bandwidth profile add 177
security bandwidth profile delete 179
security bandwidth profile edit 178
security content_filter blocked_keywords add 183
security content_filter blocked_keywords delete 184
security content_filter blocked_keywords edit 183
security content_filter block_group disable 182
security content_filter block_group enable 181
security content_filter content_filtering configure 180
security content_filter trusted_domain add 184
security content_filter trusted_domain delete 185
security content_filter trusted_domain edit 185
security firewall advanced algs 168
security firewall attack_checks configure ipv4 162
security firewall attack_checks configure ipv6 164
security firewall attack_checks igmp configure 163
security firewall attack_checks vpn_passthrough configure 163
security firewall ipv4 add_rule dmz_wan inbound 135
security firewall ipv4 add_rule dmz_wan outbound 129
security firewall ipv4 add_rule lan_dmz inbound 148
security firewall ipv4 add_rule lan_dmz outbound 142
security firewall ipv4 add_rule lan_wan inbound 120
security firewall ipv4 add_rule lan_wan outbound 112
security firewall ipv4 default_outbound_policy 154
security firewall ipv4 delete 154
security firewall ipv4 disable 154
security firewall ipv4 edit_rule dmz_wan inbound 139
security firewall ipv4 edit_rule dmz_wan outbound 132
security firewall ipv4 edit_rule lan_dmz inbound 151
security firewall ipv4 edit_rule lan_dmz outbound 145
security firewall ipv4 edit_rule lan_wan inbound 124
security firewall ipv4 edit_rule lan_wan outbound 116
security firewall ipv4 enable 154
security firewall ipv6 configure 155
security firewall ipv6 default_outbound_policy 155
security firewall ipv6 delete 161
security firewall ipv6 disable 161
security firewall ipv6 edit 158
security firewall ipv6 enable 161
security firewall session_limit configure 165
security firewall session_settings configure 167
security porttriggering_rules add 173
security porttriggering_rules delete 175
security porttriggering_rules edit 174
security schedules edit 110
security services add 101
security services delete 103
security services edit 102
security services ip_group add 107
security services ip_group add_ip_to 109
security services ip_group delete 110
security services ip_group delete_ip 110
security services ip_group edit 108
security services qos_profile add 103
security services qos_profile delete 107
security services qos_profile edit 105
security upnp configure 176
show net ddns setup 279
show net dmz ipv4 setup 286
show net dmz ipv6 setup 286
show net ethernet 281
show net ipv6 ipmode setup 277
show net ipv6_tunnel setup 277
show net ipv6_tunnel status 278
show net lan available_lan_hosts list 281
show net lan dhcp leased_clients list 278
show net lan dhcp logs 278
show net lan dhcp reserved_ip setup 279
show net lan ipv4 advanced setup 281
show net lan ipv4 detailed setup 280
show net lan ipv4 multiHoming 282
show net lan ipv4 setup 280
show net lan ipv4 traffic_meter detailed_setup 283
show net lan ipv4 traffic_meter setup 282
show net lan ipv6 multiHoming 285
show net lan ipv6 setup 284
show net lan lan_groups 282
show net protocol_binding setup 276
show net qos setup 277
show net radvd dmz setup 287
show net radvd lan setup 285
show net routing dynamic setup 288
show net routing static ipv4 setup 288
show net routing static ipv6 setup 288
show net siit setup 278
show net statistics 289
show net wan port_setup 274
show net wan wan ipv4 secondary_addresses 275
show net wan wan ipv4 setup 274
show net wan wan1 ipv4 status 275
show net wan wan1 ipv6 setup 276
show net wan wan1 ipv6 status 276
show net wan_settings wanmode 273
show security address_filter enable_email_log 296
show security address_filter ip_or_mac_binding setup 296
show security address_filter mac_filter setup 297
show security bandwidth profile setup 298
show security content_filter blocked_keywords 300
show security content_filter block_group 299
show security content_filter content_filtering 299
show security content_filter trusted_domains 300
show security firewall advanced algs 296
show security firewall attack_checks igmp 294
show security firewall attack_checks setup ipv4 294
show security firewall attack_checks setup ipv6 295
show security firewall attack_checks vpn_passthrough setup 295
show security firewall ipv4 setup dmz_wan 293
show security firewall ipv4 setup lan_dmz 293
show security firewall ipv4 setup lan_wan 292
show security firewall ipv6 setup 294
show security firewall session_limit 295
show security firewall session_settings 296
show security porttriggering_rules setup 297
show security porttriggering_rules status 298
show security schedules setup 292
show security services ip_group ip_setup 291
show security services qos_profile setup 291
show security services setup 290
show security upnp portmap 298
show security upnp setup 298
show sysinfo 310
show system firmware_version 302
show system logging remote setup 309
show system logging setup 307
show system logs 309
show system remote_management setup 301
show system snmp sys 302
show system snmp trap 301
show system status 303
show system time setup 302
show system traffic_meter setup 306
show vpn ipsec ikepolicy setup 311
show vpn ipsec logs 312
show vpn ipsec mode_config setup 312
show vpn ipsec radius 319
show vpn ipsec vpnpolicy setup 311
show vpn ipsec vpnpolicy status 312
show vpn l2tp server connections 320
show vpn l2tp server setup 320
show vpn pptp server connections 320
show vpn pptp server setup 320
show vpn sslvpn client 313
show vpn sslvpn logs 313
show vpn sslvpn policy 314
show vpn sslvpn portal_layouts 314
show vpn sslvpn portforwarding appconfig 314
show vpn sslvpn portforwarding hostconfig 315
show vpn sslvpn resource 315
show vpn sslvpn resource_object 315
show vpn sslvpn route 316
show vpn sslvpn users active_users 319
show vpn sslvpn users browser_policies 318
show vpn sslvpn users domains 316
show vpn sslvpn users groups 316
show vpn sslvpn users ip_policies 318
show vpn sslvpn users login_policies 317
show vpn sslvpn users users 317
system logging configure 201
system logging remote configure 203
system remote_management https configure 186
system remote_management telnet configure 188
system snmp sys configure 191
system time configure 192
system traffic_meter configure 198
U
util backup_configuration 322
util dns_lookup 323
util firmware_upgrade 322
util ping 323
util ping_through_vpn_tunnel 324
util reboot 322
util restore_factory_defaults 323
util routing_table_ipv4 324
util routing_table_ipv6 324
util traceroute 324
util upload_configuration 322
V
vpn ipsec ikepolicy configure 210
vpn ipsec ikepolicy delete 216
vpn ipsec mode_config configure 228
vpn ipsec mode_config delete 231
vpn ipsec radius configure 263
vpn ipsec vpnpolicy configure 216
vpn ipsec vpnpolicy connect 227
vpn ipsec vpnpolicy delete 227
vpn ipsec vpnpolicy disable 227
vpn ipsec vpnpolicy drop 228
vpn ipsec vpnpolicy enable 227
vpn ipsec wizard configure 208
vpn l2tp server configure 266
vpn pptp server configure 265
vpn sslvpn client ipv4 248
vpn sslvpn client ipv6 250
vpn sslvpn policy add 256
vpn sslvpn policy delete 263
vpn sslvpn policy edit 261
vpn sslvpn portal_layouts add 231
vpn sslvpn portal_layouts delete 234
vpn sslvpn portal_layouts edit 232
vpn sslvpn portal_layouts set-default 234
vpn sslvpn portforwarding appconfig add 246
vpn sslvpn portforwarding appconfig delete 247
vpn sslvpn portforwarding hostconfig add 247
vpn sslvpn portforwarding hostconfig delete 248
vpn sslvpn resource add 252
vpn sslvpn resource configure add 253
vpn sslvpn resource configure delete 255
vpn sslvpn resource delete 253
vpn sslvpn route add 251
vpn sslvpn route delete 252
vpn sslvpn users domains add 234
vpn sslvpn users domains delete 237
vpn sslvpn users domains disable_Local_Authentication 237
vpn sslvpn users domains edit 236
vpn sslvpn users groups add 238
vpn sslvpn users groups delete 239
vpn sslvpn users groups edit 238
vpn sslvpn users users add 239
vpn sslvpn users users browser_policies 245
vpn sslvpn users users delete 241
vpn sslvpn users users edit 241
vpn sslvpn users users ip_policies configure 242
vpn sslvpn users users ip_policies delete 245
vpn sslvpn users users login_policies 242