NETGEAR ProSafe SRX5308 CLI Reference Manual

Gigabit Quad WAN SSL VPN Firewall

350 East Plumeria Drive
San Jose, CA 95134
USA
August 2012
202-11138-01
v1.0
ProSafe Gigabit Quad WAN
SSL VPN Firewall SRX5308
CLI Reference Manual

Summary of Contents for NETGEAR ProSafe SRX5308

  • Page 1 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 CLI Reference Manual 350 East Plumeria Drive San Jose, CA 95134 August 2012 202-11138-01 v1.0...
  • Page 2: Technical Support

    © 2012 All rights reserved. Technical Support Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or for more information about the topics covered in this manual, visit the Support website at http://support.netgear.com.
  • Page 3: Table Of Contents

    Contents Chapter 1 Introduction Command Syntax and Conventions ....... 7 Command Conventions .
  • Page 4 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 IPv4 Add Firewall Rule and Edit Firewall Rule Commands ... 112 IPv4 General Firewall Commands ......154 IPv6 Firewall Commands .
  • Page 5 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Network Settings (Net Mode) Show Commands ....273 WAN IPv4 and WAN IPv6 Show Commands ....273 IPv6 Mode, IPv6 Tunnel, and SIIT Show Commands .
  • Page 6: Chapter 1 Introduction

    Introduction This document describes the command-line interface (CLI) for the NETGEAR ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308. This chapter introduces the CLI interface. It includes the following sections: • Command Syntax and Conventions • The Four Categories of Commands •...
  • Page 7: Command Syntax And Conventions

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Command Syntax and Conventions A command is one or more words that can be followed by one or more keywords and parameters. Keywords and parameters can be required or optional: • A keyword is a predefined string (word) that narrows down the scope of a command. A keyword can be followed by an associated parameter or by associated keywords.
  • Page 8: Description Of A Command

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 1. Command conventions (continued) Symbol: { } curly braces. Example: {choice1 | choice2}. Description: Indicate that you need to select a keyword from the list of choices. (choice1 and choice2 are keywords.) Symbol: | vertical bars. Description: Separate the mutually exclusive choices.
  • Page 9: Common Parameters

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Common Parameters Parameter values might be names (strings) or numbers. To use spaces as part of a name parameter, enclose the name value in double quotes. For example, the expression “System Name with Spaces” forces the system to accept the spaces. Empty strings (“”) are not valid user-defined strings.
  • Page 10: The Four Main Modes For Configuration Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 The Four Main Modes for Configuration Commands For the configuration commands, there are four main modes in the CLI: net, security, system, and vpn. Chapter 2, Overview of the Configuration Commands lists all commands in these...
  • Page 11 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 3. Main configuration modes (continued) __________________________CLI________________________ ___Web Management Interface (GUI)___ Main Mode Submode Feature That You Can Configure Basic Path siit Stateless IP/ICMP Translation Network Configuration > SIIT (continued) IPv4 WAN (Internet) settings Network Configuration >...
  • Page 12: Save Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 3. Main configuration modes (continued) __________________________CLI________________________ ___Web Management Interface (GUI)___ Main Mode Submode Feature That You Can Configure Basic Path system time Administration > Time Zone (continued) traffic_meter WAN traffic meters Monitoring >...
  • Page 13: Global Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Commands That Require Saving After you have issued a command that includes the word configure, add, or edit, you enter a configuration mode from which you can issue keywords and associated parameters.
  • Page 14: The Three Basic Types Of Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 The Three Basic Types of Commands You can encounter the following three basic types of commands in the CLI: • Entry commands to enter a configuration mode. Commands that let you enter a configuration mode from which you can configure various keywords and associated parameters and keywords.
  • Page 15: Command Autocompletion And Command Abbreviation

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Command Autocompletion and Command Abbreviation Command autocompletion finishes spelling the command when you type enough letters of a command to uniquely identify the command keyword. You need to type all of the required keywords and parameters before you can use autocompletion.
  • Page 16: Access The Cli

    Access the CLI You can access the CLI by logging in with the same user credentials (user name and password) that you use to access the web management interface. SRX5308> is the CLI prompt. SRX5308 login: admin...
  • Page 17: Chapter 2 Overview Of The Configuration Commands

    Overview of the Configuration Commands This chapter provides an overview of all configuration commands in the four configuration command modes. The keywords and associated parameters that are available for these commands are explained in the following chapters. The chapter includes the following sections: •...
  • Page 18 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 7. Net mode configuration commands (continued) Submode Command Name Purpose net ipv6_tunnel isatap edit <row id> Configure an existing IPv6 ISATAP tunnel. ipv6_tunnel (continued) net ipv6_tunnel six_to_four configure Enable or disable automatic (6to4) tunneling.
  • Page 19 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 7. Net mode configuration commands (continued) Submode Command Name Purpose net lan ipv6 prefix_delegation delete <row id> Delete a prefix for IPv6 LAN prefix delegation. net lan ipv6 prefix_delegation edit <row id>...
  • Page 20: Security Settings (Security Mode) Configuration Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 7. Net mode configuration commands (continued) Submode Command Name Purpose net wan port_setup configure <wan interface> Configure the MTU, port speed, and MAC address of the VPN firewall. net wan wan ipv4 configure <wan interface>...
  • Page 21 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 8. Security mode configuration commands (continued) Submode Command Name Purpose security bandwidth profile add Configure a new bandwidth profile. security bandwidth profile delete <row id> Delete a bandwidth profile. bandwidth security bandwidth profile edit <row id>...
  • Page 22 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 8. Security mode configuration commands (continued) Submode Command Name Purpose security firewall ipv4 add_rule lan_wan inbound Configure a new IPv4 LAN WAN inbound firewall rule. security firewall ipv4 add_rule lan_wan Configure a new IPv4 LAN WAN outbound outbound firewall rule.
  • Page 23: Administrative And Monitoring Settings (System Mode) Configuration Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 8. Security mode configuration commands (continued) Submode Command Name Purpose security schedules edit {1 | 2 | 3} Configure one of the three security schedules schedules. security services add Configure a new custom service.
  • Page 24: Vpn Settings (Vpn Mode) Configuration Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 9. System mode configuration commands (continued) Submode Command Name Purpose system remote_management https Configure remote management over HTTPS. configure remote_management system remote_management telnet Configure remote management over Telnet. configure snmp system snmp sys configure Configure the SNMP system information.
  • Page 25 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 10. Configuration commands: vpn mode (continued) Submode Command Name Purpose pptp vpn pptp server configure Configure the PPTP server. radius vpn ipsec radius configure Configure the RADIUS server. vpn sslvpn client ipv4 Configure the SSL client IPv4 address range.
  • Page 26 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 10. Configuration commands: vpn mode (continued) Submode Command Name Purpose vpn sslvpn users domains edit <row id> Configure an existing authentication domain. vpn sslvpn users groups add Configure a new authentication group.
  • Page 27: Chapter 3 Net Mode Configuration Commands

    Net Mode Configuration Commands This chapter explains the configuration commands, keywords, and associated parameters in the net mode. The chapter includes the following sections: • General WAN Commands • IPv4 WAN Commands • IPv6 WAN Commands • IPv6 Tunnel Commands •...
  • Page 28 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 1 Format net wan port_setup configure <wan interface> Mode Step 2 Format def_mtu {Default | Custom {mtu_size <number>}} port_speed {Auto_Sense | 10_BaseT_Half_Duplex | 10_BaseT_Full_Duplex | 100_BaseT_Half_Duplex | 100_BaseT_Full_Duplex | 1000_BaseT_Full_Duplex} mac_type {Use-Default-Mac | Use-This-Computers-Mac | Use-This-Mac {mac_address <mac address>}}...
  • Page 29 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Port speed Specifies the port speed and duplex mode of the port_speed Auto_Sense, WAN port. The keywords are self-explanatory. 10_BaseT_Half_Duplex, 10_BaseT_Full_Duplex, 100_BaseT_Half_Duplex,...
  • Page 30 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type The number of failover attempts, from 2 to 999. failover_method number The primary WAN interface is considered down retry_attempts after the specified number of queries have failed to elicit a reply.
  • Page 31: Ipv4 Wan Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net-config[port_setup]> upload_download download_speed_type 1-Gbps net-config[port_setup]> save Related show command: show net wan port_setup <wan interface> IPv4 WAN Commands net wan_settings wanmode configure This command configures the mode of IPv4 routing between the WAN interface and LAN interfaces.
  • Page 32 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net wan wan ipv4 configure <wan interface> This command configures the IPv4 settings for a WAN interface. After you have issued the net wan wan ipv4 configure command to specify one of the four WAN interfaces (that is, WAN1, WAN2, WAN3, or WAN4), you enter the net-config [wan-ipv4] mode.
  • Page 33 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 pptp username <user name> pptp password <password> pptp AccountName <account name> pptp DomainName <domain name> pptp connectivity_type {keepalive | idletimeout {pptp idle_time <seconds>}} pptp my_address <ipaddress> pptp server_address <ipaddress> pptp get_dns_from_isp {Y | N {pptp primary_dns <ipaddress>} [pptp secondary_dns <ipaddress>]}...
  • Page 34 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type DHCPC (These keywords consist of two separate words) The ISP account name (alphanumeric dhcpc account_name account name string). The ISP domain name (alphanumeric string).
  • Page 35 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Y or N Specifies whether or not the PPPoE pppoe connection_reset connection is automatically reset. If it is reset, you need to issue the reset_hour...
  • Page 36 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type The password (alphanumeric string) to log in pptp password password to the PPTP service, if required. The PPPoE account name (alphanumeric pptp AccountName account name string).
  • Page 37 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Related show commands: show net wan wan ipv4 setup <wan interface> show net wan wan ipv4 status <wan interface> net wan wan ipv4 secondary_address add <wan interface> This command configures a secondary IPv4 WAN address. After you have issued the net...
  • Page 38 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net wan_settings load_balancing configure This command configures the load balancing settings for two WAN interfaces that are configured for IPv4. After you have issued the net wan_settings load_balancing configure command, you enter the net-config [load-balancing] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 39 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Enables or disables auto-rollover mode. Issue the auto_rollover Y or N secondary_wan_interface keyword to specify the secondary WAN interface. The interface that functions as the secondary secondary_wan_interface WAN1, WAN2, WAN3, or WAN interface if auto-rollover mode is enabled.
  • Page 40 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format service_name {default_services <default service name> | {custom_services <custom service name>} local_gateway {WAN1 | WAN2 | WAN3 | WAN4} source_network_type {address_wise {ANY | SINGLE_ADDRESS {source_network_start_ip <ipaddress>} | ADDRESS_RANGE {source_network_start_ip <ipaddress>} {source_network_end_ip <ipaddress>}} | group_wise...
  • Page 41 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Specifies the interface to which the local_gateway WAN1, WAN2, WAN3, or service is bound. WAN4 ANY, SINGLE_ADDRESS, or Specifies the type of LAN source source_network_type address.
  • Page 42 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type The end IP address if the destination_network_end_ip ipaddress source_network_type address_wise keywords are set to ADDRESS_RANGE. The name of the WAN IP group. The...
  • Page 43 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format service_name {default_services <default service name> | {custom_services <custom service name>} local_gateway {WAN1 | WAN2 | WAN3 | WAN4} source_network_type {address_wise {ANY | SINGLE_ADDRESS {source_network_start_ip <ipaddress>} | ADDRESS_RANGE {source_network_start_ip <ipaddress>} {source_network_end_ip <ipaddress>}} | group_wise...
  • Page 44 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Specifies the interface to which the local_gateway WAN1, WAN2, WAN3, or service is bound. WAN4 ANY, SINGLE_ADDRESS, or Specifies the type of LAN source source_network_type address.
  • Page 45 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type The end IP address if the destination_network_end_ip ipaddress source_network_type address_wise keywords are set to ADDRESS_RANGE. The name of the WAN IP group. The...
  • Page 46: Ipv6 Wan Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net protocol_binding enable This command enables a protocol binding by specifying its row ID. Format net protocol_binding enable <row id> Mode security Related show command: show net protocol_binding setup IPv6 WAN Commands net ipv6 ipmode configure This command configures the IPv6 mode.
  • Page 47 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net wan wan ipv6 configure <wan interface> This command configures the IPv6 settings for a WAN interface. After you have issued the net wan wan ipv6 configure command to specify one of the four WAN interfaces (that is, WAN1, WAN2, WAN3, or WAN4), you enter the net-config [wan-ipv6] mode.
  • Page 48 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (consists of two Associated Keyword to Select Description separate words) or Parameter to Type Static The IPv6 address of the WAN static ip_address ipv6-address interface. The prefix length (integer) for the static...
  • Page 49 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (consists of two Associated Keyword to Select Description separate words) or Parameter to Type Specifies the DHCPv6 server options pppoe dhcpv6_option Disable-DHCPv6, for the PPPoE configuration: DHCPv6-StatelessMode, DHCPv6-StatefulMode, or • Disable-DHCPv6. DHCPv6 is DHCPv6-Prefix-Delegation disabled.
  • Page 50: Ipv6 Tunnel Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Related show commands: show net wan wan ipv6 setup <wan interface> show net wan wan ipv6 status <wan interface> net siit configure This command enables and configures Stateless IP/ICMP Translation (SIIT). After you have issued the net siit configure command, you enter the net-config [siit] mode, and then you can enable SIIT and configure the IPv4 address.
  • Page 51 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Note: To be able to configure an ISATAP tunnel, you first need to set the IP mode to IPv4/IPv6 (see net ipv6 ipmode configure). Step 1 Format net ipv6_tunnel isatap add Mode...
  • Page 52 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format subnet_prefix <subnet prefix> Mode net-config [isatap-tunnel] Keyword Associated Keyword to Description Select or Parameter to Type The IPv6 64-bit subnet prefix (string) that is assigned to the subnet_prefix subnet prefix logical ISATAP subnet for this intranet.
  • Page 53: Dynamic Dns Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword Description to Select Enables or disables automatic tunneling. automatic_tunneling_enable Y or N Command example: FVS318N> net ipv6_tunnel six_to_four configure net-config[six-to-four-tunnel]> automatic_tunneling_enable Y net-config[six-to-four-tunnel]> save Related show commands: show net ipv6_tunnel setup...
  • Page 54: Ipv4 Lan Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type Configures a user name (string) for a {wan1 | wan2 | wan3 | wan4} user name DDNS server.
  • Page 55 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format profile_name <name> port_membership {[port 1 {Y | N}] | [port 2 {Y | N}] | [port 3 {Y | N}] | [port 4 {Y | N}]} static address <ipaddress>...
  • Page 56 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of Associated Keyword to Description two separate words) Select or Parameter to Type None, DHCP-Server, or Specifies the DHCP mode for the devices that dhcp mode are connected to the VLAN: DHCP-Relay •...
  • Page 57 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net-config[lan-ipv4]> static address 192.168.1.1 net-config[lan-ipv4]> static subnet_mask 255.255.255.0 net-config[lan-ipv4]> dhcp mode DHCP-Relay net-config[lan-ipv4]> dhcp relay_gateway 10.172.214.198 net-config[lan-ipv4]> proxy dns_enable N net-config[lan-ipv4]> inter_vlan_routing Y net-config[lan-ipv4]> save Related show command: show net lan ipv4 setup net lan ipv4 delete <vlan id>...
  • Page 58 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Related show command: show net lan ipv4 setup net ethernet configure <interface name or number> This command configures a VLAN for a LAN interface. After you have issued the net ethernet configure command to specify a LAN interface, you enter net-config [ethernet] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 59 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net lan ipv4 default_vlan This command configures the default VLAN for each port. After you have issued the net lan ipv4 default_vlan command, you enter the net-config [lan-ipv4-defvlan] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 60 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 keyword and associated parameter or associated keyword at a time in the order that you prefer. Step 1 Format net lan ipv4 advanced configure Mode Step 2 Format vlan_mac_offset_type {Same | Unique}...
  • Page 61 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format ip_mac_name <device name> ip_addr_type {Fixed_set_on_PC | Dhcp_Reserved_IP} ip_address <ipaddress> group_name {Group1 | Group2 | Group3 | Group4 | Group5 | Group6 | Group7 | Group8 | <custom group name>} vlan_profile <vlan name>...
  • Page 62 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net lan dhcp reserved_ip delete <mac address> This command deletes the binding of a MAC address to an IP address. Format net lan dhcp reserved_ip delete <mac address> Mode Related show commands:...
  • Page 63 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Command example: SRX5308> net lan ipv4 multi_homing add net-config[lan-ipv4-multihoming]> ip_address 192.168.16.110 net-config[lan-ipv4-multihoming]> subnet_mask 255.255.255.248 net-config[lan-ipv4-multihoming]> save Related show command: show net lan ipv4 multiHoming net lan ipv4 multi_homing edit <row id> This command configures an existing IPv4 alias, that is, a secondary IPv4 address. After you...
  • Page 64 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net lan ipv4 traffic_meter configure <ip address> This command configures a LAN traffic meter profile for an IP address. When the traffic limit has been reached, further traffic for that IP address is blocked. After you have issued the net...
  • Page 65 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Select or Description Parameter to Type The day in the format DD (01 to 31) day_of_month that the traffic counter restarts. This keyword applies only if you have set the counter keyword to SpecificTime.
  • Page 66: Ipv6 Lan Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net lan ipv4 traffic_meter delete <row id> This command deletes a LAN traffic meter profile by specifying its row ID. Format net lan ipv4 traffic_meter delete <row id> Mode Related show command:...
  • Page 67 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (consists of two Associated Keyword to Description separate words) Select or Parameter to Type Stateless or Stateful Specifies the DHCPv6 mode (stateless or dhcp mode stateful). Y or N Enables or disables prefix delegation. This...
  • Page 68 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net lan ipv6 pool add This command configures a new IPv6 DHCP address pool for the LAN. After you have issued the net lan ipv6 pool add command, you enter the net-config [lan-ipv6-pool] mode, and then you can configure the IPv6 start and end addresses and the IPv6 prefix length for the IPv6 pool in the order that you prefer.
  • Page 69 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format start_address <ipv6-address> end_address <ipv6-address> prefix_length <prefix length> Mode net-config [lan-ipv6-pool] Keyword Associated Description Parameter to Type The start address of the IPv6 address pool. start_address ipv6-address The end address of the IPv6 address pool.
  • Page 70 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Description Parameter to Type The secondary IPv6 address for the LAN. ip_address ipv6-address The prefix length for the secondary IPv6 address. prefix_length prefix length Command example: SRX5308> net lan ipv6 multi_homing add net-config[lan-ipv6-multihoming]>...
  • Page 71 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net lan ipv6 multi_homing delete <row id> This command deletes a secondary IPv6 address by specifying its row ID. Format net lan ipv6 multi_homing delete <row id> Mode Related show command: show net lan ipv6 multiHoming...
  • Page 72 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist Associated Keyword to Description of two separate words) Select or Parameter to Type The interval in seconds (integer) between interval seconds unsolicited multicast RAs. Enter a period from 10 to 1800 seconds.
  • Page 73 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format prefix <prefix> prefix_length <prefix length> Mode net-config [lan-prefix-delegation] Keyword Associated Description Parameter to Type The IPv6 prefix. prefix prefix The prefix length for IPv6 prefix. prefix_length prefix length Command example: SRX5308>...
  • Page 74: Ipv4 Dmz Setup Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net lan ipv6 prefix_delegation delete <row id> This command deletes an IPv6 prefix for LAN prefix delegation by deleting its row ID. Format net lan ipv6 prefix_delegation delete <row id> Mode Related show command:...
  • Page 75 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Y or N Enables or disables the DMZ. enable_dmz The IP address of the DMZ port. ip_address ipaddress The subnet mask of the DMZ port.
  • Page 76: Ipv6 Dmz Setup Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net-config[dmz-ipv4]> ip_address 10.126.32.59 net-config[dmz-ipv4]> subnet_mask 255.255.255.0 net-config[dmz-ipv4]> dhcp_mode None net-config[dmz-ipv4]> dns_proxy_enable Y net-config[dmz-ipv4]> save Related show command: show net dmz ipv4 setup IPv6 DMZ Setup Commands net dmz ipv6 configure This command enables, configures, or disables the IPv6 DMZ. After you have issued the net...
  • Page 77 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type DHCPv6 server Y or N Enables or disables the DHCP server for the dhcp_enable DMZ. Stateless or Stateful Specifies the DHCPv6 mode (Stateless or dhcp_mode Stateful).
  • Page 78 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 configure the IPv6 end address and the IPv6 prefix length for the IPv6 pool in the order that you prefer. Step 1 Format net dmz ipv6 pool configure <ipv6-address> Mode Step 2 Format ending_ip_address <ipv6-address>...
  • Page 79 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. Step 1 Format net radvd configure dmz Mode Step 2...
  • Page 80: Wan Qos Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Command example: SRX5308> net radvd configure dmz net-config[radvd-dmz]> enable Y net-config[radvd-dmz]> mode Unicast-Only net-config[radvd-dmz]> flags Managed net-config[radvd-dmz]> preference High net-config[radvd-dmz]> mtu 1500 net-config[radvd-dmz]> life_time 7200 net-config[radvd-dmz]> save Related show command: show net radvd dmz setup...
  • Page 81 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net qos profile add This command configures a new WAN QoS profile. After you have issued the net qos profile add command, you enter the net-config [network-qos-profile] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 82 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type Common settings Specifies the type of profile: qos_type Rate-Control or Priority • Rate-Control. Configure the keywords...
  • Page 83 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type (Optional) The DSCP value, from 0 diffserv_qos_match number through 63. Packets are classified against this value.
  • Page 84 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type Specifies the priority queue that congestion_priority Default, High, determines the allocation of excess Medium-high, Medium, bandwidth and the classification level of...
  • Page 85 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type The end IP address if the hosts keyword hosts_end_ip ipaddress is set to IP-Address-Range. Specifies the group if the hosts keyword...
  • Page 86 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type Priority profile settings Specifies the direction to which the priority direction_for_priority Inbound-Traffic or queue is applied: Outbound-Traffic •...
  • Page 87 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 [network-qos-profile] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. Step 1 Format net qos profile edit <row id>...
  • Page 88 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type Specifies the default service and protocol service_name ANY, AIM, BGP, to which the profile applies. default_services...
  • Page 89 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type Rate control profile settings Specifies the direction to which rate direction_for_rate_control Inbound, Outbound, or control is applied: Both •...
  • Page 90 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type Specifies the IP address, range of IP hosts Single-IP-Address, addresses, or group to which the profile is...
  • Page 91 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type Specifies how bandwidth is allocated. bandwidth_allocation Shared or Individual These options apply when the hosts keyword is set to IP-Address-Range or to group.
  • Page 92 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type Specifies the priority queue that priority Low or High determines the allocation of bandwidth: • Low. All services that are assigned a low-priority queue share 10 percent of interface bandwidth.
  • Page 93: Ipv4 Routing Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net qos profile enable <row id> This command enables a WAN QoS profile by specifying its row ID. Format net qos profile enable <row id> Mode Related show command: show net qos setup IPv4 Routing Commands net routing static ipv4 configure <route name>...
  • Page 94 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Select Description or Parameter to Type Specifies the interface for which the route is interface custom_vlan <VLAN name>, applied. The dmz and lan keywords do not dmz, lan, or wan {WAN1, require additional selections.
  • Page 95 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 net routing static ipv4 delete_all This command deletes all static IPv4 routes. Format net routing static ipv4 delete_all Mode Related show command: show net routing static ipv4 setup net routing dynamic configure This command configures RIP and the associated MD5 key information.
  • Page 96 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 second_key authentication_id <authentication key> second_key id_number <number> second_key valid_from {day <day>} second_key valid_from {month <month>} second_key valid_from {year <year>}} second_key valid_from {hour <hour> | second_key valid_from {minute <minute>} second_key valid_from {second <second>} second_key valid_to {day <day>}...
  • Page 97 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type The day in the format DD first_key valid_from day (01 to 31). The month in the format...
  • Page 98: IPv6 Routing Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
    net-config[dynamic-routing]> first_key valid_to month 12
    net-config[dynamic-routing]> first_key valid_to year 2011
    net-config[dynamic-routing]> first_key valid_to hour 23
    net-config[dynamic-routing]> first_key valid_to minute 59
    net-config[dynamic-routing]> first_key valid_to second 59
    net-config[dynamic-routing]> second_key authentication_id 3gry!!99OoiI
    net-config[dynamic-routing]> second_key id_number 2
    net-config[dynamic-routing]>...
  • Page 99 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Y or N Specifies whether or not the route is an active route. active_flag The destination IP address. destination_address ipv6-address The IPv6 prefix length (integer). This is a decimal...
  • Page 100 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Related show command: show net routing static ipv6 setup net routing static ipv6 delete_all This command deletes all static IPv6 routes. Format net routing static ipv6 delete_all Mode Related show command: show net routing static ipv6 setup...
  • Page 101: Chapter 4 Security Mode Configuration Commands

    Security Mode Configuration Commands This chapter explains the configuration commands, keywords, and associated parameters in the security mode. The chapter includes the following sections: • Security Services Commands • Security Schedules Commands • IPv4 Add Firewall Rule and Edit Firewall Rule Commands •...
  • Page 102 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 1 Format security services add Mode security Step 2 Format name <service name> protocol {TCP {start_port <number>} {finish_port <number>} | UDP {start_port <number>} {finish_port <number>} | ICMP {icmp_type <number> | ICMPv6 {icmp_type <number>}}...
  • Page 103: security services qos_profile add

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format protocol {TCP {start_port <number>} {finish_port <number>} | UDP {start_port <number>} {finish_port <number>} | ICMP {icmp_type <number> | ICMPv6 {icmp_type <number>}} Mode security-config [custom-service] Keyword Associated Keyword to Description Select or Parameter to Type TCP, UDP, ICMP, or ICMPv6 Specifies the protocol type that applies to the service.
  • Page 104 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format profile_name <profile name> remark {N | Y {qos_type {IP-Precedence | DSCP} {qos_value <number>}}} qos_priority {Default | High | Medium-high | Medium | Low} Mode security-config [qosProfile] Keyword (might consist of two...
  • Page 105 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type Specifies the priority queue that qos_priority Default, High, determines the allocation of excess Medium-high, Medium, bandwidth and the classification level of...
  • Page 106 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format remark {N | Y {qos_type {IP-Precedence | DSCP} {qos_value <number>}}} qos_priority {Default | High | Medium-high | Medium | Low} Mode security-config [qosProfile] Keyword (might consist of two Associated Keyword to...
  • Page 107: security services ip_group add

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type Specifies the priority queue that qos_priority Default, High, determines the allocation of excess Medium-high, Medium, bandwidth and the classification level of...
  • Page 108 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format ip_group_type {LAN-Group | WAN-Group} ip_group_name <group name> Mode security-config [ipGroup] Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type LAN-Group or WAN-Group Specifies the type of IP group: ip_group_type •...
  • Page 109 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type LAN-Group or WAN-Group Specifies the type of IP group: ip_group_type • LAN-Group. The group can be used as a firewall object in an IPv4 LAN firewall rule.
  • Page 110: Security Schedules Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 security services ip_group delete <row id> This command deletes a LAN or WAN IP group by deleting its row ID. Format security services ip_group delete <row id> Mode security Related show command: show security services ip_group ip_setup security services ip_group delete_ip <row id>...
  • Page 111 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (consists of two Associated Keyword to Description separate words) Select or Parameter to Type Y or N Specifies whether or not the schedule is days all active on all days. Y or N...
  • Page 112: IPv4 Add Firewall Rule and Edit Firewall Rule Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
    security-config[schedules]> time_of_day end mins 00
    security-config[schedules]> time_of_day end meridiem PM
    security-config[schedules]> save
    Related show command: show security schedules setup
    IPv4 Add Firewall Rule and Edit Firewall Rule Commands
    security firewall ipv4 add_rule lan_wan outbound
    This command configures a new IPv4 LAN WAN outbound firewall rule....
  • Page 113 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type Service name, action, and schedule Specifies the default service and service_name ANY, AIM, BGP, BOOTP_CLIENT, protocol to which the firewall rule...
  • Page 114 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type The end IP address if the lan_user_end_ip ipaddress lan_users address_wise keywords are set to ADDRESS_RANGE. The name of the LAN group or LAN...
  • Page 115 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type NEVER or ALWAYS Specifies whether logging is disabled or enabled. The name of the bandwidth profile...
  • Page 116 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 security firewall ipv4 edit_rule lan_wan outbound <row id> This command configures an existing IPv4 LAN WAN outbound firewall rule. After you have issued the security firewall ipv4 edit_rule lan_wan outbound command to...
  • Page 117 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type Service name, action, and schedule Specifies the default service and service_name ANY, AIM, BGP, BOOTP_CLIENT, protocol to which the firewall rule...
  • Page 118 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type The end IP address if the lan_user_end_ip ipaddress lan_users address_wise keywords are set to ADDRESS_RANGE. The name of the LAN group or LAN...
  • Page 119 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type NEVER or ALWAYS Specifies whether logging is disabled or enabled. The name of the bandwidth profile...
  • Page 120: security firewall ipv4 add_rule lan_wan inbound

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 security firewall ipv4 add_rule lan_wan inbound This command configures a new IPv4 LAN WAN inbound firewall rule. After you have issued the security firewall ipv4 add_rule lan_wan inbound command, you enter the security-config [firewall-ipv4-lan-wan-inbound] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 121 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type Service name, action, and schedule Specifies the default service and service_name ANY, AIM, BGP, BOOTP_CLIENT, protocol to which the firewall rule...
  • Page 122 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type Y or N Enables or disables port translate_to_port_number forwarding. enable The port number (integer) if port...
  • Page 123 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type The name of the LAN group or LAN lan_user group_wise group name IP group. The LAN group name is...
  • Page 124 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type NEVER or ALWAYS Specifies whether logging is disabled or enabled. The name of the bandwidth profile...
  • Page 125 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 send_to_lan_server {SINGLE_ADDRESS {send_to_lan_server_start_ip <ipaddress>} | ADDRESS_RANGE {send_to_lan_server_start_ip <ipaddress>} {send_to_lan_server_end_ip <ipaddress>}} translate_to_port_number enable {N | Y {translate_to_port_number port <number>}} wan_destination_ip_address {{WAN1 | WAN2 | WAN3 | WAN4} | RANGE {wan_destination_ip_address_start <ipaddress>} {wan_destination_ip_address_end <ipaddress>}} lan_user {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>}...
  • Page 126 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type The custom service that you have service_name custom service name configured with the security custom_services services add command and to which the firewall rule applies.
  • Page 127 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type The end IP address if the wan_destination_ip_address_end ipaddress wan_destination_ip_address keyword is set to RANGE. LAN user addresses or LAN group and WAN user addresses ANY, SINGLE_ADDRESS, or Specifies the type of LAN address.
  • Page 128 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type There are two options: wan_user_start_ip ipaddress • The IP address if the wan_user keyword is set to SINGLE_ADDRESS.
  • Page 129: security firewall ipv4 add_rule dmz_wan outbound

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 security firewall ipv4 add_rule dmz_wan outbound This command configures a new IPv4 DMZ WAN outbound firewall rule. After you have issued the security firewall ipv4 add_rule dmz_wan outbound command, you enter the security-config [firewall-ipv4-dmz-wan-outbound] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 130 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type Service name, action, and schedule Specifies the default service and service_name ANY, AIM, BGP, BOOTP_CLIENT, protocol to which the firewall rule...
  • Page 131 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type ANY, SINGLE_ADDRESS, or Specifies the type of WAN address. wan_users address_wise The address_wise and ADDRESS_RANGE group_wise keywords are mutually exclusive.
  • Page 132 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type The NAT IP address, if the address nat_ip address ipaddress is different from the IP address of a WAN interface, for example, a secondary WAN IP address.
  • Page 133 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} | ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}} wan_users {address_wise {ANY | SINGLE_ADDRESS {wan_user_start_ip <ipaddress>} | ADDRESS_RANGE {wan_user_start_ip <ipaddress>} {wan_user_end_ip <ipaddress>}} | group_wise <group name>} qos_profile <profile name>...
  • Page 134 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type DMZ user addresses and WAN user addresses ANY, SINGLE_ADDRESS, or Specifies the type of DMZ address.
  • Page 135 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type Specifies the type of NAT IP nat_ip type Auto, WAN1, WAN2, WAN3, or address for a nonblocking rule: WAN4 •...
  • Page 136 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format service_name {default_services <default service name> | {custom_services <custom service name>} action {ALWAYS_BLOCK | ALWAYS_ALLOW | BLOCK_BY_SCHEDULE_ELSE_ALLOW {schedule {Schedule1 | Schedule2 | Schedule3}} | ALLOW_BY_SCHEDULE_ELSE_BLOCK {schedule {Schedule1 | Schedule2 | Schedule3}}} send_to_dmz_server_ip <ipaddress>...
  • Page 137 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type The custom service that you have service_name custom service name configured with the security custom_services services add command and to which the firewall rule applies.
  • Page 138 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type There are two options: dmz_user_start_ip ipaddress • The IP address if the dmz_users keyword is set to SINGLE_ADDRESS.
  • Page 139 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
    security-config[firewall-ipv4-dmz-wan-inbound]> translate_to_port_number port 6700
    security-config[firewall-ipv4-dmz-wan-inbound]> wan_destination_ip_address_start 10.168.50.1
    security-config[firewall-ipv4-dmz-wan-inbound]> wan_users Single_Address
    security-config[firewall-ipv4-dmz-wan-inbound]> wan_user_start_ip 10.132.215.4
    security-config[firewall-ipv4-dmz-wan-inbound]> log Always
    security-config[firewall-ipv4-dmz-wan-inbound]> save
    Related show command: show security firewall ipv4 setup dmz_wan
    security firewall ipv4 edit_rule dmz_wan inbound <row id>...
  • Page 140 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type Service name, action, and schedule Specifies the default service and service_name ANY, AIM, BGP, BOOTP_CLIENT, protocol to which the firewall rule...
  • Page 141 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type Specifies the IP address of the wan_destination_ip_address WAN1, WAN2, WAN3, or WAN4 selected WAN interface as the destination address.
  • Page 142: security firewall ipv4 add_rule lan_dmz outbound

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type The end IP address if the wan_user_end_ip ipaddress wan_user keyword is set to ADDRESS_RANGE. The name of the WAN IP group.
  • Page 143 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} | group_wise <group name>} dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} | ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}} log {NEVER | ALWAYS}...
  • Page 144 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type LAN user addresses or LAN group and DMZ user addresses ANY, SINGLE_ADDRESS, or Specifies the type of LAN address.
  • Page 145 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type Logging NEVER or ALWAYS Specifies whether logging is disabled or enabled. Command example: SRX5308> security firewall ipv4 add_rule lan_dmz outbound security-config[firewall-ipv4-lan-dmz-outbound]>...
  • Page 146 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 lan_users {address_wise {ANY | SINGLE_ADDRESS {lan_user_start_ip <ipaddress>} | ADDRESS_RANGE {lan_user_start_ip <ipaddress>} {lan_user_end_ip <ipaddress>}} | group_wise <group name>} dmz_users {ANY | SINGLE_ADDRESS {dmz_user_start_ip <ipaddress>} | ADDRESS_RANGE {dmz_user_start_ip <ipaddress>} {dmz_user_end_ip <ipaddress>}} log {NEVER | ALWAYS}...
  • Page 147 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type LAN user addresses or LAN group and DMZ user addresses ANY, SINGLE_ADDRESS, or Specifies the type of LAN address.
  • Page 148: security firewall ipv4 add_rule lan_dmz inbound

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type Logging NEVER or ALWAYS Specifies whether logging is disabled or enabled. Command example: See the command example for the...
  • Page 149 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type Service name, action, and schedule Specifies the default service and service_name ANY, AIM, BGP, BOOTP_CLIENT, protocol to which the firewall rule...
  • Page 150 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type The end IP address if the lan_user_end_ip ipaddress lan_users address_wise keywords are set to ADDRESS_RANGE. The name of the LAN group or LAN...
  • Page 151 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Related show command: show security firewall ipv4 setup lan_dmz security firewall ipv4 edit_rule lan_dmz inbound <row id> This command configures an existing IPv4 LAN DMZ inbound firewall rule. After you have issued the security firewall ipv4 edit_rule lan_dmz inbound command to...
  • Page 152 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type Service name, action, and schedule Specifies the default service and service_name ANY, AIM, BGP, BOOTP_CLIENT, protocol to which the firewall rule...
  • Page 153 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type The end IP address if the lan_user_end_ip ipaddress lan_users address_wise keywords are set to ADDRESS_RANGE. The name of the LAN group or LAN...
  • Page 154: IPv4 General Firewall Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 IPv4 General Firewall Commands security firewall ipv4 default_outbound_policy {Allow | Block} This command allows or blocks the IPv4 firewall default outbound policy. Format security firewall ipv4 default_outbound_policy {Allow | Block} Mode security...
  • Page 155: IPv6 Firewall Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Related show command: show security firewall ipv4 setup lan_wan, show security firewall ipv4 setup dmz_wan, and show security firewall ipv4 setup lan_dmz IPv6 Firewall Commands security firewall ipv6 default_outbound_policy {Allow | Block} This command allows or blocks the IPv6 firewall default outbound policy.
  • Page 156 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 qos_priority {Normal-Service | Minimize-Cost | Maximize-Reliability | Maximize-Throughput | Minimize-Delay} log {NEVER | ALWAYS} Mode security-config [firewall-ipv6] Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type...
  • Page 157 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type Schedule1, Schedule2, or Specifies the schedule, if any, that schedule is applicable to the rule. Schedule3...
  • Page 158 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
    Command example:
    SRX5308> security firewall ipv6 configure
    security-config[firewall-ipv6]> from_zone WAN
    security-config[firewall-ipv6]> to_zone LAN
    security-config[firewall-ipv6]> service_name default_services RTELNET
    security-config[firewall-ipv6]> action ALWAYS_ALLOW
    security-config[firewall-ipv6]> source_address_type SINGLE_ADDRESS
    security-config[firewall-ipv6]> source_start_address 2002::B32:AAB1:fD41
    security-config[firewall-ipv6]> destination_address_type SINGLE_ADDRESS
    security-config[firewall-ipv6]> destination_start_address FEC0::db8:145
    security-config[firewall-ipv6]>...
  • Page 159 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 qos_priority {Normal-Service | Minimize-Cost | Maximize-Reliability | Maximize-Throughput | Minimize-Delay} log {NEVER | ALWAYS} Mode security-config [firewall-ipv6] Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type...
  • Page 160 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Select or Description separate words) Parameter to Type LAN, WAN, and DMZ source and destination IP addresses ANY, SINGLE_ADDRESS, or Specifies the type of source source_address_type address.
  • Page 161 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Command example: See the command example for the security firewall ipv6 configure command. Related show command: show security firewall ipv6 setup security firewall ipv6 delete <row id> This command deletes an IPv6 firewall rule by deleting its row ID.
  • Page 162: Attack Check Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Attack Check Commands security firewall attack_checks configure ipv4 This command configures IPv4 WAN and LAN security attack checks. After you have issued the security firewall attack_checks configure ipv4 command, you enter the security-config [attack-checks-ipv4] mode, and then you can edit one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 163 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Related show command: show security firewall attack_checks setup ipv4 security firewall attack_checks igmp configure This command enables or disables multicast pass-through by enabling or disabling the IGMP proxy for IPv4 traffic. After you have issued the security firewall attack_checks igmp configure command, you enter the security-config [igmp] mode, and then you can enable or disable the IGMP proxy.
  • Page 164 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
    security-config[vpn-passthrough]> l2tp_enable Y
    security-config[vpn-passthrough]> pptp_enable N
    security-config[vpn-passthrough]> save
    Related show command: show security firewall attack_checks vpn_passthrough setup
    security firewall attack_checks configure ipv6
    This command configures IPv6 WAN security attack checks. After you have issued the...
  • Page 165: Session Limit, Time-Out, and Advanced Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Session Limit, Time-Out, and Advanced Commands security firewall session_limit configure This command configures global session limits. After you have issued the security firewall session_limit configure command, you enter the security-config [session-limit] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 166 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Select or Description Parameter to Type Percentage_Of_MaxSessions or Specifies the type of session limits: conn_limit_type Number_Of_Sessions • Percentage_Of_MaxSessions. Specifies a percentage of the total session-connection capacity on the VPN firewall. Issue the...
  • Page 167: security firewall session_settings configure

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
    security-config[session-limit]> conn_limit_type Percentage_Of_MaxSessions
    security-config[session-limit]> user_limit 80
    security-config[session-limit]> block_new_session Block_IP_to_add_new_session
    security-config[session-limit]> block_IP_to_add_new_session_for_time 60
    security-config[session-limit]> save
    Related show command: show security firewall session_limit
    security firewall session_settings configure
    This command configures global session time-outs. After you have issued the security...
  • Page 168: Address Filter and IP/MAC Binding Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 security firewall advanced algs This command configures Session Initiation Protocol (SIP) support for the application level gateway (ALG). After you have issued the security firewall advanced algs command, you enter the security-config [firewall-alg] mode, and then you can enable or disable SIP support.
  • Page 169 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Y or N Enables or disables the source MAC address filter. enable Specifies the policy of the source MAC address filter. policy...
  • Page 170 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 security address_filter mac_filter source delete <row id> This command deletes a MAC address from the MAC address table by deleting its row ID. Format security address_filter mac_filter source delete <row id> Mode...
  • Page 171 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type The IPv6 address to which the IP/MAC binding ip_address6 ipv6-address rule is applied. log_dropped_packets Y or N Enables or disables logging for the IP/MAC binding rule.
  • Page 172 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type IPv4 or IPv6 Specifies the type of IP address to which the ip_version IP/MAC binding rule is applied: • IPv4. You need to issue the ip_address keyword and specify an IPv4 address.
  • Page 173: Port Triggering Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword Description to Select Y or N Enables or disables the email log or IP/MAC Binding violations. enable_email_logs
    Command example:
    FVS318N> security address_filter ip_or_mac_binding enable_email_log IPv4
    security-config[ip-or-mac-binding]> enable_email_logs Y
    security-config[ip-or-mac-binding]>...
  • Page 174 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type The start port number (integer) of the outgoing outgoing_start_port number traffic range. Valid numbers are from 1025 to 65535. The end port number (integer) of the outgoing...
  • Page 175 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format enable_rule {Y | N} protocol {TCP | UDP} outgoing_start_port <number> outgoing_end_port <number> incoming_start_port <number> incoming_end_port <number> Mode security-config [porttriggering-rules] Keyword Associated Keyword to Description Select or Parameter to Type Y or N Enables or disables the port triggering rule.
  • Page 176: UPnP Command

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 UPnP Command security upnp configure This command configures Universal Plug and Play (UPnP). After you have issued the security upnp configure command, you enter the security-config [upnp] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 177: Bandwidth Profile Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Bandwidth Profile Commands security bandwidth enable_bandwidth_profiles {Y | N} This command enables or disables bandwidth profiles globally. Select Y to enable bandwidth profiles globally or N to disable bandwidth profiles globally. Format...
  • Page 178 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type The minimum outbound bandwidth in kbps (0 to outbound_minimum_rate kbps 100000) provided to the group or individual user. The maximum outbound bandwidth in kbps (100...
  • Page 179 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format direction {Inbound | Outbound | Both _Directions} inbound_minimum_rate <kbps> inbound_maximum_rate <kbps> outbound_minimum_rate <kbps> outbound_maximum_rate <kbps> is_group {Individual | Group} max_instances <number> Mode security-config [bandwidth-profile] Keyword Associated Keyword to Description...
  • Page 180: Content Filtering Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Related show command: show security bandwidth profile setup Content Filtering Commands security content_filter content_filtering configure This command globally enables or disables content filtering and configures web components. After you have issued the security content_filter content_filtering configure command, you enter the security-config [content-filtering] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 181: security content_filter block_group enable

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 security content_filter block_group enable This command applies content filtering to selected groups or to all groups. After you have issued the security content_filter block_group enable command, you enter the security-config [block-group-enable] mode, and then you can select a group, several groups, or all groups.
  • Page 182: security content_filter block_group disable

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Related show command: show security content_filter block_group security content_filter block_group disable This command removes content filtering from selected groups or from all groups. After you have issued the security content_filter block_group disable command, you enter the security-config [block-group-disable] mode, and then you can select a group, several groups, or all groups.
  • Page 183 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Related show command: show security content_filter block_group security content_filter blocked_keywords add This command configures a new blocked keyword for content filtering. After you have issued the security content_filter blocked_keywords add command, you enter the security-config [blocked-keywords] mode, and then you can configure one keyword at a time.
  • Page 184: Security Content_Filter Trusted_Domain Add

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Description Parameter to Type The keyword (string) that needs to be blocked. blocked_keyword keyword Related show command: show security content_filter blocked_keywords security content_filter blocked_keywords delete <row id> This command deletes a blocked keyword by deleting its row ID.
  • Page 185 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Related show command: show security content_filter trusted_domains security content_filter trusted_domain edit <row id> This command configures an existing trusted domain for content filtering. After you have issued the security content_filter trusted_domain edit command to specify the row to be edited, you enter the security-config [approved-urls] mode, and then you can edit the URL or domain name.
  • Page 186: Chapter 5 System Mode Configuration Commands

    System Mode Configuration Commands This chapter explains the configuration commands, keywords, and associated parameters in the system mode. The chapter includes the following sections: • Remote Management Commands • SNMP Commands • Time Zone Command • WAN Traffic Meter Command •...
  • Page 187 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format ip_version {IPv4 | IPv6} enable_ipv4 {Y | N} access_type {Everyone | IP_Range {from_address <ipaddress>} {end_address <ipaddress>} | To_this_PC_only {only_this_pc_ip <ipaddress>}} port <number> enable_ipv6 {Y | N} access_type6 {Everyone | IP_Range {from_address6 <ipv6-address>} {end_address6 <ipv6-address>} |...
  • Page 188: System Remote_Management Telnet Configure

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Everyone, IP_Range, or Specifies the type of access: access_type6 To_this_PC_only • Everyone. Enables access to all IP addresses. You do not need to configure any IP address.
  • Page 189 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 1 Format system remote_management telnet configure Mode system Step 2 Format ip_version {IPv4 | IPv6} enable_ipv4 {Y | N} access_type {Everyone | IP_Range {from_address <ipaddress>} {to_address <ipaddress>} | To_this_PC_only {only_this_pc_ip <ipaddress>}}...
  • Page 190 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Everyone, IP_Range, or Specifies the type of access: access_type6 To_this_PC_only • Everyone. Enables access to all IP addresses. You do not need to configure any IP address.
  • Page 191: Snmp Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 SNMP Commands system snmp sys configure This command configures the SNMP system information. After you have issued the system snmp sys configure command, you enter the system-config [snmp-system] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 192: Time Zone Command

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Time Zone Command system time configure This command configures the system time, date, and NTP servers. After you have issued the system time configure command, you enter the system-config [time] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 193 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Specifies the NTP mode: ntp_mode Authoritative_Mode, Sync_to_NTP_Servers_on • Authoritative_Mode. The VPN firewall _Internet, or synchronizes its clock with the specified NTP Sync_to_NTP_Servers_on server or servers on the Internet.
  • Page 194 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type If the ntp_mode keyword is set to vpn_policy vpn policy name Sync_to_NTP_Servers_on_VPN, the name of the VPN policy that enables the VPN firewall to contact the NTP server on the VPN.
  • Page 195 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 11. Timezone keywords (continued) GMT time and location Note: Enter the keywords exactly as stated (you can use autocompletion keys). If there are two locations for the same time zone, enter the location exactly as stated.
  • Page 196 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 11. Timezone keywords (continued) GMT time and location Note: Enter the keywords exactly as stated (you can use autocompletion keys). If there are two locations for the same time zone, enter the location exactly as stated.
  • Page 197 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 11. Timezone keywords (continued) GMT time and location Note: Enter the keywords exactly as stated (you can use autocompletion keys). If there are two locations for the same time zone, enter the location exactly as stated.
  • Page 198: Wan Traffic Meter Command

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 WAN Traffic Meter Command system traffic_meter configure <wan interface> This command configures the traffic meter. After you have issued the system traffic_meter configure command to specify one of the four WAN interfaces (that is,...
  • Page 199 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Select or Description Parameter to Type increase_limit_enable Y or N Enables or disables automatic increase of the limit after the meter has exceeded the configured limit. If you enable an automatic increase, issue the increase_limit_by keyword to specify the number of MB.
  • Page 200 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Select or Description Parameter to Type Action when limit is reached Block-all-traffic, or Specifies the type of traffic blocking block_type after the meter has exceeded the Block-all-traffic-except-email configured limit.
  • Page 201: Firewall Logs And Email Alerts Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Firewall Logs and Email Alerts Commands system logging configure This command configures routing logs for accepted and dropped IPv4 and IPv6 packets, selected system logs, and logs for other events. After you have issued the system...
  • Page 202 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Description Keyword to Select Routing logs Y or N lan_wan_accept_packet_logs Y or N lan_wan_drop_packet_logs Y or N lan_dmz_accept_packet_logs Y or N lan_dmz_drop_packet_logs Y or N dmz_wan_accept_packet_logs Enables or disables packet logging for...
  • Page 203: System Logging Remote Configure

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Description Keyword to Select Other event logs Y or N Enables or disables logging of packets source_mac_filter_logs from MAC addresses that match the source MAC address filter settings. Y or N...
  • Page 204 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 email_logs_enable {Y | N} email_server {ipaddress | domain name} return_email <email address> send_to_email <email address> smtp_custom_port <number> smtp_auth type {None | Plain {smtp_auth username <user name>} {smtp_auth password <password>} | CRAM-MD5 {smtp_auth username <user name>} {smtp_auth password <password>}}...
  • Page 205 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type None, Plain, or CRAM-MD5 Specifies the type of authentication smtp_auth type for the SMTP server. If you select...
  • Page 206 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two Associated Keyword to Description separate words) Select or Parameter to Type Syslog server ipaddress or domain name The IP address or domain name of syslog_server the syslog server.
  • Page 207: Chapter 6 Vpn Mode Configuration Commands

    VPN Mode Configuration Commands This chapter explains the configuration commands, keywords, and associated parameters in the vpn mode. The chapter includes the following sections: • IPSec VPN Wizard Command • IPSec IKE Policy Commands • IPSec VPN Policy Commands • IPSec VPN Mode Config Commands •...
  • Page 208: Ipsec Vpn Wizard Command

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 IPSec VPN Wizard Command vpn ipsec wizard configure <Gateway | VPN_Client> This command configures the IPSec VPN wizard for a gateway-to-gateway or gateway-to-VPN client connection. After you have issued the vpn ipsec wizard...
  • Page 209 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type The unique connection name (alphanumeric conn_name connection name string). The key (alphanumeric string) that needs to preshared_key be entered on both peers.
  • Page 210: Ipsec Ike Policy Commands

    Local Remote Auth Encr
    Enabled SRX5308-to-Peer44 Auto Policy Tunnel Mode 2002:408b:36e4:a:a8ab:bbff:fe00:1 / 64 fe80::a4bb:ffdd:fe01:2 / 64 SHA-1 3DES
    Enabled SRX-to-Paris Auto Policy Tunnel Mode 192.168.1.0 / 255.255.255.0 192.168.50.0 / 255.255.255.255 SHA-1 3DES...
  • Page 211 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format enable_mode_config {N | Y {mode_config_record <record name>}} direction_type {Initiator | Responder | Both} exchange_mode {Main | Aggresive} ip_version {IPv4 | IPv6} select_local_gateway {WAN1 | WAN2 | WAN3 | WAN4} local_ident_type {Local_Wan_IP | FQDN | User-FQDN | DER_ASN1_DN} {local_identifier <identifier>}...
  • Page 212 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Initiator, Responder, or Specifies the IKE direction type: direction_type Both • Initiator. The VPN firewall initiates the connection to the remote endpoint.
  • Page 213 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Specifies the ISAKMP identifier to be local_ident_type Local_Wan_IP, FQDN, User-FQDN, or used by the VPN firewall: DER_ASN1_DN • Local_Wan_IP. The WAN IP address of the VPN firewall.
  • Page 214 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type MD5 or SHA-1 Specifies the algorithm to be used in the auth_algorithm VPN header for the authentication process: • SHA-1. Hash algorithm that produces a 160-bit digest.
  • Page 215 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Extended authentication settings None, IPSecHost, or Specifies whether or not Extended extended_authentication Authentication (XAUTH) is enabled, and, EdgeDevice if enabled, which device is used to verify user account information: •...
  • Page 216: Ipsec Vpn Policy Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Command example:
    SRX5308> vpn ipsec ikepolicy configure SRX-to-Paris
    vpn-config[ike-policy]> enable_mode_config N
    vpn-config[ike-policy]> direction_type Both
    vpn-config[ike-policy]> exchange_mode Main
    vpn-config[ike-policy]> ip_version ipv4
    vpn-config[ike-policy]> select_local_gateway WAN1
    vpn-config[ike-policy]> local_ident_type Local_Wan_IP
    vpn-config[ike-policy]> local_identifier 10.139.54.228
    vpn-config[ike-policy]> remote_ident_type Remote_Wan_IP
    vpn-config[ike-policy]>...
  • Page 217 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 associated keyword at a time in the order that you prefer. Step 1 Format vpn ipsec vpnpolicy configure <vpn policy name> Mode Step 2 Format general_policy_type {Auto-Policy | Manual-Policy} general_ip_version {IPv4 | IPv6}...
  • Page 218 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 manual_spi_out <number> manual_authentication_algorithm {MD5 | SHA-1} manual_authentication_key_in <key> manual_authentication_key_out <key> auto_sa_lifetime {Kbytes <number> | {seconds <seconds>} auto_encryption_algorithm {None | DES | 3DES | AES-128 | AES-192 | AES-256} auto_authentication_algorithm {MD5 | SHA-1}...
  • Page 219 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two separate Associated Description words) Keyword to Select or Parameter to Type IPv4 or IPv6 If the general_remote_end_point_type general_ip_version keyword is set to IP-Address, specifies the IP address version for the remote endpoint,...
  • Page 220 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two separate Associated Description words) Keyword to Select or Parameter to Type If the general_remote_end_point_type general_remote_end_point ipv6-address ipv6_adress keyword is set to IP-Address, and if the general_ip_version keyword is set to IPv6, the IPv6 address of the remote endpoint.
  • Page 221 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two separate Associated Description words) Keyword to Select or Parameter to Type The period in seconds between consecutive general_keep_alive_detection_period seconds keep-alive requests, which are sent only when the IPSec traffic is idle.
  • Page 222 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two separate Associated Description words) Keyword to Select or Parameter to Type If the general_local_network_type keyword is general_local_start_address ipaddress set to SINGLE, RANGE, or SUBNET, and if the...
  • Page 223 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two separate Associated Description words) Keyword to Select or Parameter to Type Traffic selector settings—Remote address information Specifies the address or addresses that are general_remote_network_type ANY, SINGLE, RANGE, or SUBNET part of the VPN tunnel on the remote end: •...
  • Page 224 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two separate Associated Description words) Keyword to Select or Parameter to Type If the general_remote_network_type general_remote_subnet_mask subnet mask keyword is set to SUBNET, and if the general_ip_version keyword is set to IPv4, specifies the subnet mask.
  • Page 225 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two separate Associated Description words) Keyword to Select or Parameter to Type Manual policy settings—Outbound policy The Security Parameters Index (SPI) for the manual_spi_out number outbound policy as a hexadecimal value between 3 and 8 characters.
  • Page 226 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword (might consist of two separate Associated Description words) Keyword to Select or Parameter to Type MD5 or SHA-1 Specifies the authentication algorithm to auto_authentication_algorithm negotiate the security association (SA): • SHA-1. Hash algorithm that produces a 160-bit digest.
  • Page 227 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 vpn ipsec vpnpolicy delete <vpn policy name> This command deletes a VPN policy by specifying the name of the VPN policy. Format vpn ipsec vpnpolicy delete <vpn policy name> Mode Related show command: show vpn ipsec vpnpolicy setup vpn ipsec vpnpolicy disable <vpn policy name>...
  • Page 228: Ipsec Vpn Mode Config Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 vpn ipsec vpnpolicy drop <vpn policy name> This command terminates an active VPN connection by specifying the name of the VPN policy. Format vpn ipsec vpnpolicy drop <vpn policy name> Mode Related show command:...
  • Page 229 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 pfs_key_group {N | Y {dh_group {Group1_768_bit | Group2_1024_bit | Group5_1536_bit}}} sa_lifetime_type {Seconds {sa_lifetime <seconds>} | KBytes {sa_lifetime <KBytes>}} encryption_algorithm {None | DES | 3DES | AES-128 | AES-192 | AES-256} integrity_algorithm {MD5 | SHA-1} local_ip <ipaddress>...
  • Page 230 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Seconds or KBytes Specifies whether the sa_lifetime sa_lifetime_type keyword is set in seconds or Kbytes. seconds or number Depending on the setting of the...
  • Page 231: Ssl Vpn Portal Layout Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Related show command: show vpn ipsec mode_config setup vpn ipsec mode_config delete <record name> This command deletes a Mode Config record by specifying its record name. Format vpn ipsec mode_config delete <record name>...
  • Page 232 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type The banner title (alphanumeric banner_title banner name string). Place text that consists of more than one word between quotes. The banner message...
  • Page 233 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 1 Format vpn sslvpn portal_layouts edit <row id> Mode Step 2 Format portal_title <portal title> banner_title <banner title> banner_message <message text> display_banner {Y | N} enable_httpmetatags {Y | N} enable_activex_web_cache_cleaner {Y | N}...
  • Page 234: Ssl Vpn Authentication Domain Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 vpn sslvpn portal_layouts delete <row id> This command deletes an SSL VPN portal layout by specifying its row ID. Format vpn sslvpn portal_layouts delete <row id> Mode Related show command: show vpn sslvpn portal_layouts vpn sslvpn portal_layouts set-default <row id>...
  • Page 235 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format domain_name <domain name> portal <portal name> authentication_type {LocalUserDatabase | Radius-PAP | Radius-CHAP | Radius-MSCHAP | Radius-MSCHAPv2 | WIKID-PAP | WIKID-CHAP | MIAS-PAP | MIAS-CHAP | NTDomain | ActiveDirectory | LDAP} authentication_server1 <ipaddress>...
  • Page 236 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type The LDAP base distinguished name (DN; ldap_base_dn distinguished name alphanumeric string). Do not include spaces. The Active Directory domain name active_directory_domain domain name (alphanumeric string).
  • Page 237 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type The portal name (alphanumeric string). portal portal name Note: For information about how to configure a portal, see SSL VPN Portal Layout Commands.
  • Page 238: Ssl Vpn Authentication Group Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 SSL VPN Authentication Group Commands vpn sslvpn users groups add This command configures a new authentication group that is not limited to SSL VPN users. After you have issued the vpn sslvpn users groups add command, you enter the vpn-config [user-groups] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 239: Ssl Vpn User Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 1 Format vpn sslvpn users groups edit <row id> Mode Step 2 Format idle_timeout <minutes> Mode vpn-config [user-groups] Keyword Associated Description Parameter to Type The idle time-out in minutes. idle_timeout minutes...
  • Page 240 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format user_name <user name> user_type {SSLVPNUser | Administrator | Guest | IPSECVPNUser | L2TPUser | PPTPUser} group <group name> password <password> confirm_password <password> idle_timeout <minutes> Mode vpn-config [users] Keyword Associated Keyword to Select...
  • Page 241 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 vpn sslvpn users users edit <row id> This command configures an existing user account. The command is not limited to SSL VPN users. After you have issued the vpn sslvpn users users edit command to specify...
  • Page 242 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Related show command: show vpn sslvpn users users vpn sslvpn users users login_policies <row id> This command configures the login policy for a user. The command is not limited to SSL VPN users.
  • Page 243 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. Step 1 Format vpn sslvpn users users ip_policies configure <row id> Mode Step 2...
  • Page 244 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type IPAddress or IPNetwork Specifies the source address type: source_address_type • IPAddress. A single IP address. The setting of the ip_version keyword determines whether you need to...
  • Page 245 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 vpn sslvpn users users ip_policies delete <row id> This command deletes a source IP address for a user by specifying the row ID of the table. Format vpn sslvpn users ip_policies delete <row id>...
  • Page 246: Ssl Vpn Port Forwarding Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Y or N Specifies whether access enable_or_disable_login_from_defined_browsers through the browsers on the browser list is allowed or denied: • Yes. Allows access through the browsers on the browser list.
  • Page 247 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Description Parameter to Type The IP address of the local server that hosts the application. server_ip ipaddress The TCP port number of the local server that hosts the application. port...
  • Page 248: Ssl Vpn Client And Client Route Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Description Parameter to Type The IP address of the local server that hosts the application. server_ip ipaddress Note: The IP address needs to be the same as the IP address...
  • Page 249 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Step 2 Format enable_full_tunnel {Y | N} dns_suffix <suffix> primary_dns <ipaddress> secondary_dns <ipaddress> begin_client_address <ipaddress> end_client_address <ipaddress> Mode vpn-config [sslvpn-client-ipv4-settings] Keyword Associated Keyword to Description Select or Parameter to Type Y or N...
  • Page 250 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 vpn sslvpn client ipv6 This command configures the SSL client IP address range. After you have issued the vpn sslvpn client ipv6 command, you enter the vpn-config [sslvpn-client-ipv6-settings] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 251 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 vpn sslvpn route add This command configures a static client route to a destination network. After you have issued the vpn sslvpn route add command, you enter the vpn-config [sslvpn-route-settings] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 252: Ssl Vpn Resource Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Related show command: show vpn sslvpn route vpn sslvpn route delete <row id> This command deletes a client route by specifying its row ID. Format vpn sslvpn route delete <row id> Mode...
  • Page 253 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Command example:
    SRX5308> vpn sslvpn resource add
    vpn-config[sslvpn-resource-settings]> resource_name TopSecure
    vpn-config[sslvpn-resource-settings]> service_type PortForwarding
    vpn-config[sslvpn-resource-settings]> save
    Related show command: show vpn sslvpn resource vpn sslvpn resource delete <row id> This command deletes a resource by specifying its row ID.
  • Page 254 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 For an IP network: ip_version {IPv4 {object_address <ipaddress>} {mask_length <subnet mask length>} | IPv6 {object_address6 <ipv6-address>} {mask_length <prefix length>}} start_port <port number> end_port <port number> Mode vpn-config [sslvpn-resource-settings] Keyword Associated Keyword to...
  • Page 255 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type subnet mask length or The nature of this keyword and parameter depend on mask_length the setting of the ip_version and object_type prefix length keywords: •...
  • Page 256: Ssl Vpn Policy Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 SSL VPN Policy Commands vpn sslvpn policy add This command configures a new SSL VPN policy. After you have issued the vpn sslvpn policy add command, you enter the vpn-config [sslvpn-policy-settings] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 257 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 In addition to a policy name, policy type, and destination object type, configure the following for all addresses (that is, the destination_object_type keyword is set to All): ip_version {IPv4 | IPv6} start_port <port number>...
  • Page 258 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Specifies the policy destination type, which destination_object_type NetworkResource, IPAddress, IPNetwork, or determines how the policy is applied, and, in turn, which keywords you need to issue to specify the policy: •...
  • Page 259 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type • IPNetwork. The policy is applied to an IPv4 destination_object_type NetworkResource, IPAddress, IPNetwork, or or IPv6 network address. You need to issue...
  • Page 260 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type IPv4 or IPv6 Specifies the IP version that applies to the ip_version policy: • IPv4. The policy is for an IPv4 network resource, IPv4 address, IPv4 network, or for all IPv4 addresses.
  • Page 261 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
    vpn-config[sslvpn-policy-settings]> ip_version IPv4
    vpn-config[sslvpn-policy-settings]> policy_type Global
    vpn-config[sslvpn-policy-settings]> destination_object_type NetworkResource
    vpn-config[sslvpn-policy-settings]> resource_name RoadWarrior
    vpn-config[sslvpn-policy-settings]> policy_permission Permit
    vpn-config[sslvpn-policy-settings]> save
    vpn-config[sslvpn-policy-settings]> policy_name GuestFTPPolicy
    vpn-config[sslvpn-policy-settings]> ip_version IPv4
    vpn-config[sslvpn-policy-settings]> policy_type User
    vpn-config[sslvpn-policy-settings]> policy_owner guest
    vpn-config[sslvpn-policy-settings]> destination_object_type All
    vpn-config[sslvpn-policy-settings]>...
  • Page 262 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 In addition to the policy name, you can change the following for an IP network: {{policy_address <ipaddress>} {policy_mask_length <subnet mask>} | {policy_address6 <ipv6-address>} {policy_ipv6_prefix_length <prefix length>}} start_port <port number> end_port <port number>...
  • Page 263: Radius Server Command

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308
    vpn-config[sslvpn-policy-settings]> end_port 35408
    vpn-config[sslvpn-policy-settings]> policy_permission Permit
    vpn-config[sslvpn-policy-settings]> save
    Related show command: show vpn sslvpn policy vpn sslvpn policy delete <row id> This command deletes an SSL VPN policy by specifying its row ID.
  • Page 264 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Keyword Associated Keyword to Description Select or Parameter to Type Primary RADIUS server Y or N Enables or disables the primary enable RADIUS server. The IPv4 address of the primary radius-server ipaddress RADIUS server.
  • Page 265: Pptp Server Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Related show command: show vpn ipsec radius [ipaddress] PPTP Server Commands vpn pptp server configure This command configures the PPTP server. After you have issued the vpn pptp server configure command, you enter the pptp-server-config [policy] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 266: L2Tp Server Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 L2TP Server Commands vpn l2tp server configure This command configures the L2TP server. After you have issued the vpn l2tp server configure command, you enter the vpn-config [l2tp-config] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
  • Page 267: Chapter 7 Overview Of The Show Commands

    Overview of the Show Commands This chapter provides an overview of all show commands for the four configuration command modes. The chapter includes the following sections: • Network Settings (Net Mode) Show Commands • Security Settings (Security Mode) Show Commands •...
  • Page 268 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 12. Show commands: show net mode (continued) Submode Command Name Purpose show net lan dhcp reserved_ip setup Display information about the DHCP clients, including the assigned (reserved) IP addresses. show net lan ipv4 advanced setup Display the advanced IPv4 LAN configuration.
  • Page 269: Security Settings (Security Mode) Show Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 12. Show commands: show net mode (continued) Submode Command Name Purpose show net wan wan ipv6 setup <wan Display the IPv6 configuration for a WAN interface> interface. wan (continued) show net wan wan ipv6 status Display the IPv6 connection status for a WAN <wan interface>...
  • Page 270: Administrative And Monitoring Settings (System Mode) Show Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 13. Show commands: show security mode (continued) Submode Command Name Purpose show security firewall ipv4 setup dmz_wan Display the IPv4 DMZ WAN firewall rules. show security firewall ipv4 setup lan_dmz Display the IPv4 LAN DMZ firewall rules.
  • Page 271: Vpn Settings (Vpn Mode) Show Commands

    ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 14. Show commands: show system mode (continued) Submode Command Name Purpose remote_management show system remote_management setup Display the configuration of remote management for Telnet and HTTPS access. show system snmp sys...
  • Page 272 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Table 15. Show commands: show vpn mode (continued) Submode Command Name Purpose show vpn sslvpn client Display the SSL VPN client range and configuration. show vpn sslvpn logs Display the SSL VPN logs.
  • Page 273: Chapter 8 Show Commands

    Show Commands This chapter explains the show commands and associated parameters for the four configuration command modes. The chapter includes the following sections: •...
  • Page 274 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 show net wan port_setup <wan interface> This command displays the configuration of a WAN port. For the WAN interface, type WAN1, WAN2, WAN3, or WAN4. WAN1 Port Setup _______________ MTU Type: Default...
  • Page 275 ProSafe Gigabit Quad WAN SSL VPN Firewall SRX5308 Gateway IP Address: 10.139.54.225 Domain Name Servers (DNS) Source: Use these DNS Servers Primary DNS Server: 10.80.130.23 Secondary DNS Server: 10.80.130.24 show net wan wan ipv4 status <wan interface> This command displays the IPv4 WAN connection status. For the WAN interface, type WAN1, WAN2, WAN3, or WAN4.
  • Page 276: Show Net Protocol_Binding Setup

    show net wan wan ipv6 setup <wan interface> This command displays the IPv6 WAN configuration. For the WAN interface, type WAN1, WAN2, WAN3, or WAN4. IPv6 WAN1 Setup _______________ Dynamic IPv6 (DHCP) Configuration:...
  • Page 277: Ipv6 Mode, Ipv6 Tunnel, And Siit Show Commands

    show net qos setup This command displays the WAN QoS configuration: Quality of Service __________________ Enabled: Yes QoS Type: Rate Control List of Network QoS Profiles ____________________________ ROW ID QoS Type Interface Name ServiceName Direction...
  • Page 278: Lan Dhcp Show Commands

    Jul 10 10:23:50 SRX5308 local7.info dhcpd: Wrote 0 deleted host decls to leases file. Jul 10 10:23:50 SRX5308 local7.info dhcpd: Wrote 0 new dynamic host decls to leases file. Jul 10 10:23:50 SRX5308 local7.info dhcpd: Wrote 0 leases to leases file.
  • Page 279: Dynamic Dns Show Commands

    show net lan dhcp reserved_ip setup This command displays information about the DHCP clients, including the assigned (reserved) IP addresses: List of DHCP Reserved Addresses _______________________________ Name IP Address MAC Address Group...
  • Page 280: Ipv4 Lan Show Commands

    IPv4 LAN Show Commands show net lan ipv4 setup This command displays the IPv4 LAN configuration: VLAN Profiles _____________ Status Profile Name VLAN Id IPv4 Address Subnet Mask DHCP Status Server Address...
  • Page 281 show net ethernet {interface name | all} This command displays the MAC address and VLAN status for a single or all Ethernet interfaces. SRX5308> show net ethernet eth0 MAC Address: DE:AD:DE:AD:DE:AF VLAN ID: 1...
  • Page 282: Show Net Lan Lan_Groups

    show net lan lan_groups This command displays the LAN groups: Row ID : Group Name ___________________ GROUP1 GROUP2 Finance GROUP4 GROUP5 SalesEMEA SalesAmericas Management show net lan ipv4 multiHoming This command displays the LAN secondary IP addresses:...
  • Page 283 show net lan ipv4 traffic_meter detailed_setup <row id> Note: The row ID refers to the LAN Traffic Meter Table in the output of the show net lan ipv4 traffic_meter setup command. This command displays the detailed traffic meter information for the specified IP address:...
  • Page 284: Ipv6 Lan Show Commands

    IPv6 LAN Show Commands show net lan ipv6 setup This command displays the IPv6 LAN configuration: IPv6 LAN Configuration ______________________ LAN TCP/IP Setup: IPv6 Address: fec0::1 IPv6 Prefix Length: 64 DHCPv6: DHCP Status: Disable DHCPv6 Server...
  • Page 285: Show Net Radvd Lan Setup

    show net radvd lan setup This command displays the LAN RADVD configuration: Router Advertisement Daemon ( RADVD ) _____________________________________ RADVD Status: Enabled Advertise Mode: Unsolicited Multicast Advertise Interval: 30 RA Flags Managed: Disabled...
  • Page 286: Dmz Show Commands

    DMZ Show Commands show net dmz ipv4 setup This command displays the IPv4 DMZ configuration: DMZ Setup _________ IPv4 Address: 176.16.2.1 Subnet Mask: 255.255.255.0 DHCP Setup Configuration: DHCP Mode: DHCP Server Domain Name: netgear.com Starting IP Address: 176.16.2.100...
  • Page 287: Show Net Radvd Dmz Setup

    show net radvd dmz setup This command displays the DMZ RADVD configuration: Router Advertisement Daemon ( RADVD ) _____________________________________ RADVD Status: Enabled Advertise Mode: Unsolicited Multicast Advertise Interval: 30 RA Flags Managed: Disabled...
  • Page 288: Routing Show Commands

    Routing Show Commands show net routing dynamic setup This command displays the dynamic routing configuration: Dynamic Routing _______________ RIP Direction Both RIP Version RIP-2M Authentication for RIP-2B/2M: Enabled First Key Parameters MD5 Key Id: 1...
  • Page 289: Network Statistics Show Commands

    Network Statistics Show Commands show net statistics {interface name | all} This command displays the network statistics for a single or all Ethernet interfaces: SRX5308> show net statistics eth0 Interface Statistics ____________________...
  • Page 290: Security Settings (Security Mode) Show Commands

    Security Settings (Security Mode) Show Commands This section contains the following subsections: • Services Show Command • Schedules Show Command • Firewall Rules Show Command • Attack Checks Show Commands • Session Limits Show Commands •...
  • Page 291: Show Security Services Qos_Profile Setup

    show security services qos_profile setup This command displays the configured QoS profiles: List of QoS Profiles ____________________ ROW ID Profile Name QoS Type QoS Value Priority ______ ____________ _____________ _________ ________ Voice...
  • Page 292: Schedules Show Command

    Schedules Show Command show security schedules setup This command displays the configured schedules: Schedules _________ List of Available Schedules ROW ID Name Days Start Time End Time ______ _________ _________________________ __________ ________...
  • Page 293: Show Security Firewall Ipv4 Setup Dmz_Wan

    show security firewall ipv4 setup dmz_wan This command displays the configured IPv4 DMZ WAN firewall rules: Default Outbound Policy for IPv4 : Allow Always DMZ WAN Outbound Rules. _______________________ ROWID Status Service Name Filter...
  • Page 294: Attack Checks Show Commands

    show security firewall ipv6 setup This command displays all configured IPv6 firewall rules: Default Outbound Policy _______________________ For IPv6 : Allow Always List of Available IPv6 Firewall Rules _____________________________________ ROW ID Status...
  • Page 295: Session Limits Show Commands

    show security firewall attack_checks setup ipv6 This command displays which security checks are enabled for IPv6: Attack Checks IPv6 __________________ WAN Security Checks: Respond to ping on Wan : No VPN IPSec Passthrough...
  • Page 296: Advanced Firewall Show Commands

    show security firewall session_settings This command displays the session time-out settings: Session Settings ________________ TCP Session Timeout Duration:3600(Secs) UDP Session Timeout Duration:180(Secs) ICMP Session Timeout Duration:120(Secs) Advanced Firewall Show Commands show security firewall advanced algs...
  • Page 297: Port Triggering Show Commands

    show security address_filter mac_filter setup This command displays the configuration of the MAC filter and the MAC addresses for source MAC filtering: Source MAC Filter __________________ MAC Filtering: Enabled Policy for MAC Addresses: Block and Permit the rest...
  • Page 298: Upnp Show Commands

    show security porttriggering_rules status This command displays the port triggering status: PortTriggering Rules Status ___________________________ UPnP Show Commands show security upnp portmap This command displays the UPnP portmap table: UPnP Portmap Table...
  • Page 299: Content Filtering Show Commands

    Content Filtering Show Commands show security content_filter content_filtering This command displays the status of content filtering and the web components: Content Filtering _________________ WAN Security Checks Content Filtering : Enabled LAN Security Checks...
  • Page 300: Administrative And Monitoring Settings (System Mode) Show Commands

    show security content_filter blocked_keywords This command displays the keywords that are blocked: Blocked Keywords ________________ List of available Blocked Keywords ROW ID Blocked Keyword Status ______ ________________ _______ casino Enabled nude Enabled...
  • Page 301: Remote Management Show Command

    Note: The VPN logs and RADIUS logs are part of the VPN Mode show commands (see VPN Settings (VPN Mode) Show Commands on page 311). Remote Management Show Command show system remote_management setup...
  • Page 302: Time Show Command

    show system snmp sys This command displays the SNMP system configuration of the VPN firewall: SNMP System Configuration _________________________ SysContact: AdminSRX@netgear.com SysLocation: San Jose SysName: SRX5308-Bld3 Time Show Command show system time setup This command displays the time configuration and the configuration of the NTP server: Time Zone &...
  • Page 303: Status Show Command

    Status Show Command show system status This command displays the system status (also referred to as router status) information: System Info ___________ System Name: SRX5308 Firmware Version: 4.2.0-18 Secondary Firmware Version: 4.2.0-14...
  • Page 304 VLAN ID: 4094 MAC Address: 00:00:00:00:00:06 IP Address: 176.16.2.1 Subnet Mask: 255.255.255.0 DHCP Status: Enabled Broadband Information for WAN1 ______________________________ MAC Address: 00:00:00:00:11:22 IPv4 Address: 10.139.54.228 / 255.255.255.248 IPv6 Address: ::ffff:0:a86:5d9 / 96, fe80::200:ff:fe00:1122 / 64...
  • Page 305 Upload Connection Speed: 1000000 Download Connection Speed: 1000000 Gateway: 0.0.0.0 Primary DNS: 0.0.0.0 Secondary DNS: 0.0.0.0 Gateway (IPv6): Primary DNS(IPv6): Secondary DNS(IPv6): Broadband Information for WAN3 ______________________________ MAC Address: 00:00:00:00:00:01 IPv4 Address: 0.0.0.0 / 0.0.0.0...
  • Page 306: Wan Traffic Meter Show Command

    IPv6 Connection Type: Dynamic IP (DHCPv6) IPv4 Connection State: Not Yet Connected IPv6 Connection State: Not Yet Connected Link State: LINK DOWN Upload Connection Speed: 1000000 Download Connection Speed: 1000000 Gateway: 0.0.0.0 Primary DNS: 0.0.0.0...
  • Page 307: Logging Configuration Show Commands

    Traffic Block Status: Block All Traffic Except Email Send e-mail alert: Enabled Internet Traffic Statistics ____________________________ Start Date / Time: Wed Jul 11 10:47:53 2012 Outgoing Traffic Volume: 0 Incoming Traffic Volume: 0...
  • Page 308 WAN to DMZ __________ Accepted Packets: Disabled Dropped Packets: Disabled LAN to DMZ __________ Accepted Packets: Disabled Dropped Packets: Disabled DMZ to LAN __________ Accepted Packets: Disabled Dropped Packets: Disabled System Logs...
  • Page 309: Logs Show Commands

    Tue Jul 10 10:23:55 2012(GMT -0800) [SRX5308][Kernel][KERNEL] p->perfect 0000000000000000 p->h a800000417bab200 Tue Jul 10 10:23:55 2012(GMT -0800) [SRX5308][Kernel][KERNEL] HTB: quantum of class 10001 is big. Consider r2q change. Tue Jul 10 10:23:55 2012(GMT -0800) [SRX5308][Kernel][KERNEL] HTB: quantum of class 10002 is big.
  • Page 310 Tue Jul 10 10:24:00 2012(GMT -0800) [SRX5308][Kernel][KERNEL] eth0.1: add 01:00:5e:7f:ff:fa mcast address to master interface Tue Jul 10 10:24:00 2012(GMT -0800) [SRX5308][Kernel][KERNEL] tcindex_destroy(tp a800000416f94600),p a80000041696d680 Tue Jul 10 10:24:00 2012(GMT -0800) [SRX5308][Kernel][KERNEL] tcindex_walk(tp...
  • Page 311: Vpn Settings (Vpn Mode) Show Commands

    Local Remote Auth Encr _______ _________________ ___________ ___________ ______________________________________ ______________________________ _____ ____ Enabled SRX5308-to-Peer44 Auto Policy Tunnel Mode 2002:408b:36e4:a:a8ab:bbff:fe00:1 / 64 fe80::a4bb:ffdd:fe01:2 / 64 SHA-1 3DES Enabled SRX-to-Paris Auto Policy Tunnel Mode 192.168.1.0 / 255.255.255.0 192.168.50.0 / 255.255.255.255 SHA-1 3DES...
  • Page 312: Show Vpn Ipsec Vpnpolicy Status

    Wed Jul 11 12:24:36 2012 (GMT -0800): [SRX5308] [IKE] INFO: Using IPsec SA configuration: anonymous Wed Jul 11 12:24:36 2012 (GMT -0800): [SRX5308] [IKE] INFO: Re-using previously generated policy: 100.10.10.2/32[0] 0.0.0.0/0[0] proto=any dir=in Wed Jul 11 12:24:36 2012 (GMT -0800): [SRX5308] [IKE] WARNING: less key length proposed, mine:128 peer:256.
  • Page 313: Ssl Vpn Show Commands

    This command displays the SSL VPN logs (the following example shows only part of the command output): Mon Jul 9 11:00:18 2012(GMT -0800) [SRX5308][SSLVPN][SSLVPN] SSL_INFO : Login Successful for geardomain user admin(Admin) from host 10.110.205.58 Mon Jul 9 12:04:09 2012(GMT -0800) [SRX5308][SSLVPN][SSLVPN] SSL_INFO :user admin is Logged-Out successfully from host 10.110.205.58...
  • Page 314: Show Vpn Sslvpn Policy

    show vpn sslvpn policy This command displays the SSL VPN policies: SSL VPN Policies ________________ Row Id Policy Name Policy Type Service Type Destination Object Permission ______ ___________________ ___________ _______________ _________________________ __________...
  • Page 315 show vpn sslvpn portforwarding hostconfig This command displays the SSL VPN port forwarding host configuration: Port Forwarding Host Configuration __________________________________ Row Id Server IP FQDN Name ______ ______________ ________________ 192.168.51.227 RemoteDesktop 192.168.51.230 Support.app.com...
  • Page 316: Ssl Vpn User Show Commands

    show vpn sslvpn route This command displays the SSL VPN client routes: Configured Client Routes ________________________ Row Id Destination Network Subnet Mask ______ _______________________ _______________ 192.168.4.20 255.255.255.254 2001:abcf:1241:dffe::22 10 SSL VPN User Show Commands...
  • Page 317: Show Vpn Sslvpn Users Users

    show vpn sslvpn users users This command displays the user account configurations: List of Users _____________ Row_Id User Name Group Type Authentication Domain Login Status ______ ______________ ______________ ______________ _____________________ _____________________ admin*...
  • Page 318 show vpn sslvpn users ip_policies <row id> Note: The row ID refers to the List of Users table in the output of the show vpn sslvpn users users command. This command displays the login restrictions based on IP addresses for the specified user:...
  • Page 319: Radius Server Show Command

    show vpn sslvpn users active_users This command displays the active SSL VPN users: UserName: : admin GroupName: : geardomain LoginAddress: : 10.116.205.166 LoginTime: : Thu Jul 12 10:31:38 2012 (GMT -0800) RADIUS Server Show Command...
  • Page 320: Pptp Server Show Commands

    PPTP Server Show Commands show vpn pptp server setup This command displays the configuration of the PPTP server: PPTP Server Configuration _________________________ PPTP Server Status: Enabled PPTP Starting IP Address: 10.119.215.1 PPTP server Ending IP Address: 10.119.215.26...
  • Page 321: Chapter 9 Utility Commands

    Utility Commands This chapter explains the configuration commands, keywords, and associated parameters in the Util mode. The chapter includes the following sections: • Overview Util Commands • Firmware Backup, Restore, and Upgrade Commands • Diagnostic Commands Overview Util Commands Enter the util ? command at the CLI prompt to display the utility commands in the util mode.
  • Page 322: Firmware Backup, Restore, And Upgrade Commands

    Firmware Backup, Restore, and Upgrade Commands util backup_configuration This command backs up the configuration file of the VPN firewall to a TFTP server. Format util backup_configuration <destination file name> <tftp server address>...
  • Page 323: Diagnostic Commands

    util restore_factory_defaults This command restores the VPN firewall to factory default settings. It takes about 3 minutes for the VPN firewall to come back up. Format util restore_factory_defaults Mode util Diagnostic Commands util dns_lookup This command looks up the IP address of a domain name.
  • Page 324: Util Ping_Through_Vpn_Tunnel

    util ping_through_vpn_tunnel This command pings a VPN endpoint IP address with 56 data bytes through a VPN tunnel and displays the ping information. Format util ping_through_vpn_tunnel <ipaddress> Mode util SRX5308> util ping_through_vpn_tunnel 10.136.24.128 Pinging 192.168.1.1 from 5...
  • Page 325: Cli Command Index

    CLI Command Index net qos configure net qos profile add net ddns configure net qos profile delete net dmz ipv4 configure net qos profile disable net dmz ipv6 configure net qos profile edit net dmz ipv6 pool configure net qos profile enable net ethernet configure net radvd configure dmz net ipv6 ipmode configure...
  • Page 326 security content_filter blocked_keywords edit security services ip_group edit security content_filter block_group disable security services qos_profile add security content_filter block_group enable security services qos_profile delete security content_filter content_filtering configure security services qos_profile edit...
  • Page 327 show security content_filter content_filtering show vpn sslvpn portforwarding hostconfig show security content_filter trusted_domains show vpn sslvpn resource show security firewall advanced algs show vpn sslvpn resource_object show security firewall attack_checks igmp show vpn sslvpn route...
  • Page 328 vpn sslvpn client ipv4 vpn sslvpn client ipv6 vpn sslvpn policy add vpn sslvpn policy delete vpn sslvpn policy edit vpn sslvpn portal_layouts add vpn sslvpn portal_layouts delete vpn sslvpn portal_layouts edit...
