Posts Tagged ‘asa’
Information regarding the Cisco ASA Botnet License.
What is it?
Botnet Traffic Filter is an extra license that can be applied to a Cisco ASA firewall that provides detection and automatic blocking of known bots and botnets. The firewall grabs updates from Cisco’s website to know which IPs to look for and block.
Besides stopping outside botnets from coming into the network the botnet filter is also very effective at identifying which hosts may have malicious software within the network. It will stop internal hosts from going out to a known botnet IP. It has the ability to listen for call-home or command/control behavior seen within the network.
It is time based. The SKU is something like L-ASA55xx-BOT-1YR=
It costs between $200-$500 per year. It will only fully work on version 8.2.2 and up.
Purchase license. Apply it using the activation-key command.
Requires the 3DES/AES license (this license is free but does not ship with an ASA).
The firewall needs to communicate with update-manifests.ironport.com. This means it has to have a working DNS lookup mechanism. To get this going, configure something like the following (substitute your own DNS server address for the placeholder):
dns domain-lookup INSIDE
dns server-group DefaultDNS
 name-server <dns-server-ip>
There are over 70,000 DNS names in the Cisco database but only 5,000 IP addresses, so to check each domain name effectively DNS snooping must be turned on. To do that, issue the following commands:
match port udp eq domain
inspect dns preset_dns_map dynamic-filter-snoop
Next turn on the dynamic filter. I like to start by blocking everything that is blacklisted and whitelisting the CEO’s IP so it is never blocked. Do this by issuing the following commands (the whitelist entry is an address sub-command of dynamic-filter whitelist):
dynamic-filter updater-client enable
dynamic-filter use-database
dynamic-filter enable interface OUTSIDE
dynamic-filter drop blacklist interface OUTSIDE
dynamic-filter whitelist
 address 10.1.4.4 255.255.255.255
Checking to see what’s happening
Verify the ASA is downloading the rules:
show dynamic-filter updater-client
Verify traffic is being inspected:
show dynamic-filter statistics
View which hosts are being blocked:
show dynamic-filter reports infected-hosts all
Using Splunk to see even more
If you are collecting syslogs in Splunk you can create a dashboard that gives statistics over time. Here is the code for a dashboard that could be used for that purpose (note this requires the Splunk for Cisco ASA plugin):
<?xml version="1.0" encoding="utf-8"?>
<form>
  <label>Botnet Information by host</label>
  <!-- define master search template; leave time unbounded so that the time input can be used -->
  <input type="text" token="host" />
  <!-- add default TimePicker -->
  <input type="time" />
  <row>
    <chart>
      <title>Botnet activity. Tracked by whether the source or destination is blacklisted</title>
      <searchTemplate>$host$ error_code=338007 OR error_code=338006 OR error_code=338008 | rex field=_raw ", (?&lt;srcdst&gt;[\w]+) \d" | timechart span=1hr count by srcdst</searchTemplate>
    </chart>
  </row>
  <row>
    <chart>
      <title>External blacklisted IPs are targeting these systems</title>
      <searchTemplate>$host$ error_code=338007 | rex field=_raw "from (?&lt;Source&gt;[^\']+) to (?&lt;Destination&gt;[^\']+), source.*threat-level: (?&lt;Threat_Level&gt;[^\']+), category: (?&lt;Category&gt;[^\']+)" | timechart span=30min count by Destination</searchTemplate>
    </chart>
    <chart>
      <title>Internal systems that are targeting external blacklisted IPs</title>
      <searchTemplate>$host$ error_code=338008 OR error_code=338006 | rex field=_raw "from (?&lt;Source&gt;[^\']+) to.*resolved from dynamic list:(?&lt;Destination&gt;[^\']+), threat-level: (?&lt;Threat_Level&gt;[^\']+), category: (?&lt;Category&gt;[^\']+)" | timechart span=30m count by Source</searchTemplate>
    </chart>
  </row>
  <row>
    <single>
      <title>Botnet license expires in this many days (444005)</title>
      <searchTemplate>$host$ error_code=444005 earliest=-1d | rex field=_raw "will expire in (?&lt;avg&gt;[^\']+) days" | chart min(avg)</searchTemplate>
    </single>
    <single>
      <title>Total denied incoming connections due to botnet filter</title>
      <searchTemplate>$host$ error_code=338007 | chart count</searchTemplate>
    </single>
    <single>
      <title>Total denied outgoing connections due to botnet filter</title>
      <searchTemplate>$host$ error_code=338006 OR error_code=338008 | chart count</searchTemplate>
    </single>
  </row>
  <row>
    <table>
      <title>Top 10 denied traffic flows due to blacklisted source IP (338007)</title>
      <searchTemplate>$host$ error_code=338007 | rex field=_raw "from (?&lt;Source&gt;[^\']+) to (?&lt;Destination&gt;[^\']+), source.*threat-level: (?&lt;Threat_Level&gt;[^\']+), category: (?&lt;Category&gt;[^\']+)" | stats count by Source Destination Threat_Level Category | sort 10 -count</searchTemplate>
    </table>
    <table>
      <title>Top 10 denied traffic flows due to blacklisted destination IP (338006, 338008)</title>
      <searchTemplate>$host$ error_code=338008 OR error_code=338006 | rex field=_raw "from (?&lt;Source&gt;[^\']+) to.*resolved from dynamic list:(?&lt;Destination&gt;[^\']+), threat-level: (?&lt;Threat_Level&gt;[^\']+), category: (?&lt;Category&gt;[^\']+)" | stats count by Source Destination Threat_Level Category | sort 10 -count</searchTemplate>
    </table>
  </row>
  <row>
    <table>
      <title>Top 10 addresses for message: URL Timed Out, Removing Rule (338303)</title>
      <searchTemplate>$host$ error_code=338303 | rex field=_raw "Address (?&lt;avg&gt;[^\']+) timed out" | stats count by avg | sort 10 -count</searchTemplate>
    </table>
  </row>
</form>
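If you want to check the dashboard's field extractions before loading them into Splunk, the following Python script is an added example (not part of the original post) that applies the same rex patterns, rewritten as Python named groups, to a handful of constructed ASA syslog lines and reproduces the "stats count by Source Destination Threat_Level Category" aggregation. It classifies each line by the ", source" / ", destination" word that the first panel's rex extracts rather than by message ID; the sample lines, the hostname fw01 and the function names parse_line, top_flows and count_by_srcdst are my own.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the original post). The field layout
# mirrors ASA Dynamic Filter drop messages; the final 302013 line is unrelated noise.
SAMPLE_SYSLOG = """\
Jan 10 10:00:01 fw01 %ASA-4-338007: Dynamic Filter dropped blacklisted TCP traffic from outside:203.0.113.9/80 (203.0.113.9/80) to inside:10.1.2.3/51022 (10.1.2.3/51022), source 203.0.113.9 resolved from dynamic list: bad.example.net, threat-level: very-high, category: Malware
Jan 10 10:00:02 fw01 %ASA-4-338007: Dynamic Filter dropped blacklisted TCP traffic from outside:203.0.113.9/80 (203.0.113.9/80) to inside:10.1.2.3/51022 (10.1.2.3/51022), source 203.0.113.9 resolved from dynamic list: bad.example.net, threat-level: very-high, category: Malware
Jan 10 10:00:03 fw01 %ASA-4-338006: Dynamic Filter dropped blacklisted UDP traffic from inside:10.1.4.4/53111 (203.0.113.50/53111) to outside:198.51.100.7/53 (198.51.100.7/53), destination 198.51.100.7 resolved from dynamic list: c2.example.org, threat-level: high, category: Bot
Jan 10 10:00:04 fw01 %ASA-4-338006: Dynamic Filter dropped blacklisted UDP traffic from inside:10.1.7.9/40210 (203.0.113.50/40210) to outside:198.51.100.7/53 (198.51.100.7/53), destination 198.51.100.7 resolved from dynamic list: c2.example.org, threat-level: high, category: Bot
Jan 10 10:00:05 fw01 %ASA-6-302013: Built outbound TCP connection 1234 for outside:198.51.100.20/443 (198.51.100.20/443) to inside:10.1.2.3/52000 (10.1.2.3/52000)
"""

MSG_ID_RE = re.compile(r"%ASA-\d-(?P<msg_id>\d{6}):")
# First panel's rex: the word after the flow tells which side is blacklisted.
SRCDST_RE = re.compile(r", (?P<srcdst>[\w]+) \d")
# The two rex patterns from the dashboard; Splunk's [^\']+ is just [^']+ in Python.
SOURCE_RE = re.compile(
    r"from (?P<Source>[^']+) to (?P<Destination>[^']+), source.*"
    r"threat-level: (?P<Threat_Level>[^']+), category: (?P<Category>[^']+)")
DEST_RE = re.compile(
    r"from (?P<Source>[^']+) to.*resolved from dynamic list:(?P<Destination>[^']+), "
    r"threat-level: (?P<Threat_Level>[^']+), category: (?P<Category>[^']+)")
DASHBOARD_IDS = {"338006", "338007", "338008"}  # message IDs the dashboard searches on


def parse_line(line):
    """Return the extracted fields for a Dynamic Filter drop line, or None for anything else."""
    mid = MSG_ID_RE.search(line)
    if not mid or mid.group("msg_id") not in DASHBOARD_IDS:
        return None
    which = SRCDST_RE.search(line)
    if not which:
        return None
    pattern = SOURCE_RE if which.group("srcdst") == "source" else DEST_RE
    m = pattern.search(line)
    if not m:
        return None
    # The destination-list rex captures a leading space; strip like a Splunk user would.
    fields = {k: v.strip() for k, v in m.groupdict().items()}
    fields["msg_id"] = mid.group("msg_id")
    fields["blacklisted"] = which.group("srcdst")
    return fields


def top_flows(syslog_text, blacklisted, limit=10):
    """Mimic 'stats count by Source Destination Threat_Level Category | sort 10 -count'."""
    counts = Counter()
    for line in syslog_text.splitlines():
        f = parse_line(line)
        if f and f["blacklisted"] == blacklisted:
            counts[(f["Source"], f["Destination"], f["Threat_Level"], f["Category"])] += 1
    return counts.most_common(limit)


def count_by_srcdst(syslog_text):
    """Mimic the first panel: drops counted by whether the source or destination was blacklisted."""
    c = Counter()
    for line in syslog_text.splitlines():
        f = parse_line(line)
        if f:
            c[f["blacklisted"]] += 1
    return dict(c)


if __name__ == "__main__":
    print(count_by_srcdst(SAMPLE_SYSLOG))
    for flow, n in top_flows(SAMPLE_SYSLOG, "source") + top_flows(SAMPLE_SYSLOG, "destination"):
        print(n, *flow)
```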
More information on Cisco’s website:
To copy a file from an FTP server to the flash of an ASA you could do the following:
copy ftp flash
Which will then prompt you for all the details (username/password/location/file). But there is a better way which will allow you to put all of that information on one line.
To indicate all of the details on one line you can do:
copy ftp://ftpuser:PassworD@192.168.5.50/asa/asa825-41-k8.bin flash
This indicates that the username is ftpuser, the password is PassworD, the FTP server is at 192.168.5.50 and the file is /asa/asa825-41-k8.bin.
Consider the following network.
Things to notice:
Subnets 18.104.22.168/24 and 22.214.171.124/24 are being routed to the outside of the ASA.
There is a static NAT statement in the ASA to translate the real IP 192.168.5.22 to 126.96.36.199
There is a static NAT statement in the ASA to translate the real IP 192.168.5.33 to 188.8.131.52
So how do you get this to work properly?
In ASA code before 8.3, the ASA would proxy-ARP for its static NAT addresses regardless of whether they were on a connected subnet.
In ASA 8.3-8.4(4), THIS IS IMPOSSIBLE
In ASA 8.4(5)+ Cisco realized their major mistake and implemented the command:
When else can I use this?
Another scenario to use this is when you have a router with multiple IPs on the interface that is connected to an ASA with a single IP. The ASA won’t accept any packets for the other subnets that the router considers connected. By applying this command it will accept packets for those subnets.
What’s the risk?
Well, by enabling this feature it could facilitate denial of service (DoS) attack against the ASA; a user on any interface could send out many ARP replies and overload the ASA ARP table with false entries.
Today we are going to set up a Cisco ASA firewall to send WCCP (port 80) web inspection traffic to a Cisco Ironport WSA (Web Security Appliance).
Suppose the following:
Ironport WSA IP address: 192.168.5.55
Inside IP of ASA firewall: 192.168.5.1
Inside IP address range: 192.168.0.0/16
Cisco ASA firewall configuration:
! Define the Ironport IP Address in an ACL
access-list ACL-IRONPORT-WSA extended permit ip host 192.168.5.55 any
! Define what traffic should be inspected
access-list ACL-WEBPROXY-TRAFFIC extended permit tcp 192.168.0.0 255.255.0.0 any eq www
! Apply the WCCP configuration
wccp web-cache redirect-list ACL-WEBPROXY-TRAFFIC group-list ACL-IRONPORT-WSA
wccp interface INSIDE web-cache redirect in
Now configure the Ironport.
Navigate to Network -> Transparent Redirection
Make the type WCCP v2 Router
Add a service with a name of WEB_CACHE, a router IP of 192.168.5.1 (ASA Inside IP) and port 80 (Standard).
At this point you can do a ‘show wccp’ on the ASA and you should see “Total Packets Redirected” rising. From within the Ironport go to Reporting -> Overview and you should see statistics of what traffic is now flowing through the Ironport.
- Verify basic connectivity. Check interface IP addresses. Verify network access between both ASA and Ironport.
- Show commands on ASA: show wccp
- Debug commands on firewall: debug wccp packet, debug wccp events
- Verify the ports caught in the traffic ACL are the same as the ports used for WCCP and there’s a listener (service) on Ironport to interpret them.
Suppose you are trying to troubleshoot a site to site VPN tunnel that is designed like this:
Upon doing `show ipsec sa peer` on the blue ASA you see the following:
Crypto map tag: MAP-OUTSIDE, seq num: 200, local addr: 184.108.40.206
local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (172.16.22.0/255.255.255.0/0/0)
#pkts encaps: 61, #pkts encrypt: 61, #pkts digest: 61
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 61, #pkts comp failed: 0, #pkts decomp failed: 0
#pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
#PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
#send errors: 0, #recv errors: 0
The problem above shows that Phase 1 of the tunnel is successfully establishing but phase 2 has problems. Specifically the firewall is encrypting packets but not decrypting them.
If an ASA or router is getting encaps but not decaps, this means it is encrypting the data and sending it but has not received anything to decrypt in return.
- Verify the other end has a route outside for the interesting traffic.
- Check that the two VPN ACLs are mirror images of each other and not mismatched.
- Double-check the NAT rules to make sure the interesting traffic is not being NATed on its way into the tunnel.
- Is what you are trying to ping even responding back? Often what you’re sending traffic to is not able to accept or is not responding to this traffic. I prefer to put a packet capture on the remote end firewall to see if the traffic is coming back into that firewall.
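To apply the encaps/decaps rule above mechanically across every SA on a box, here is an added Python example (not from the original post) that parses show ipsec sa output into per-SA counters and classifies each SA. The first SA block reuses the counters quoted above; the second SA (seq 300, remote 10.9.8.0/24) is constructed for contrast, and the function names parse_ipsec_sa, diagnose and report are my own.

```python
import re

# First SA: the output quoted in the post (the ASA's own output has leading indentation,
# which the parser tolerates). Second SA: a constructed healthy tunnel for contrast.
SHOW_IPSEC_SA = """\
Crypto map tag: MAP-OUTSIDE, seq num: 200, local addr: 184.108.40.206
  local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.16.22.0/255.255.255.0/0/0)
  #pkts encaps: 61, #pkts encrypt: 61, #pkts digest: 61
  #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
  #send errors: 0, #recv errors: 0
Crypto map tag: MAP-OUTSIDE, seq num: 300, local addr: 184.108.40.206
  local ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (10.9.8.0/255.255.255.0/0/0)
  #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
  #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
  #send errors: 0, #recv errors: 0
"""

SA_HEADER_RE = re.compile(r"Crypto map tag: (?P<tag>\S+), seq num: (?P<seq>\d+)")
IDENT_RE = re.compile(r"(?P<side>local|remote) ident \(addr/mask/prot/port\): \((?P<ident>[^)]+)\)")
COUNTER_RE = re.compile(r"#pkts (?P<name>encaps|decaps): (?P<value>\d+)")


def parse_ipsec_sa(text):
    """Split 'show ipsec sa' output into one dict per SA holding the counters we care about."""
    sas = []
    for line in text.splitlines():
        hdr = SA_HEADER_RE.search(line)
        if hdr:
            sas.append({"tag": hdr.group("tag"), "seq": int(hdr.group("seq")),
                        "encaps": 0, "decaps": 0})
            continue
        if not sas:
            continue  # ignore anything before the first SA header
        ident = IDENT_RE.search(line)
        if ident:
            sas[-1][ident.group("side")] = ident.group("ident")
        for c in COUNTER_RE.finditer(line):
            sas[-1][c.group("name")] = int(c.group("value"))
    return sas


def diagnose(sa):
    """Apply the rule from the post: encaps without decaps means we send but get nothing back."""
    enc, dec = sa["encaps"], sa["decaps"]
    if enc == 0 and dec == 0:
        return "idle: no packets in either direction (is interesting traffic being generated?)"
    if enc > 0 and dec == 0:
        return "one-way: encrypting but not decrypting; check remote route, ACL, NAT and whether the target replies"
    if enc == 0 and dec > 0:
        return "one-way: decrypting but not encrypting; check local route, ACL and NAT for the return path"
    return "bidirectional: both encaps and decaps are incrementing"


def report(text):
    """Return (tag, seq, local ident, remote ident, diagnosis) for every SA in the output."""
    return [(sa["tag"], sa["seq"], sa.get("local"), sa.get("remote"), diagnose(sa))
            for sa in parse_ipsec_sa(text)]


if __name__ == "__main__":
    for row in report(SHOW_IPSEC_SA):
        print(*row)
```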
Blue firewall: Juniper SRX 210 (JunOS 10.0R1.8)
Red firewall: Cisco ASA 5510 (OS 8.4)
This is a script to create a site to site VPN tunnel between a Cisco ASA and a Juniper SRX. The Juniper SRX will be using a policy based VPN.
Blue Juniper SRX
# Create the IKE proposal
set security ike proposal IKE-SHA-AES128-DH1 authentication-method pre-shared-keys
set security ike proposal IKE-SHA-AES128-DH1 dh-group group2
set security ike proposal IKE-SHA-AES128-DH1 encryption-algorithm aes-128-cbc
set security ike proposal IKE-SHA-AES128-DH1 authentication-algorithm sha1
set security ike proposal IKE-SHA-AES128-DH1 lifetime-seconds 86400
# Create the IKE policy
set security ike policy IKE-POLICY-HQ mode main
set security ike policy IKE-POLICY-HQ proposals IKE-SHA-AES128-DH1
set security ike policy IKE-POLICY-HQ pre-shared-key ascii-text s3kreTKey
# Create an IKE gateway
set security ike gateway IKE-GATEWAY-HQ ike-policy IKE-POLICY-HQ
set security ike gateway IKE-GATEWAY-HQ address 220.127.116.11
set security ike gateway IKE-GATEWAY-HQ external-interface ge-0/0/0.0
# Create an IPSec proposal/transform set
set security ipsec proposal IPSEC-SHA-AES128-ESP encryption-algorithm aes-128-cbc
set security ipsec proposal IPSEC-SHA-AES128-ESP authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSEC-SHA-AES128-ESP protocol esp
set security ipsec proposal IPSEC-SHA-AES128-ESP lifetime-seconds 3600
# Create a IPSec policy
set security ipsec policy VPN-POLICY-HQ proposals IPSEC-SHA-AES128-ESP
# Create the IPSec VPN
set security ipsec vpn VPN-HQ ike gateway IKE-GATEWAY-HQ
set security ipsec vpn VPN-HQ ike ipsec-policy VPN-POLICY-HQ
# Add some networks into the address book
set security zones security-zone OUTSIDE address-book address NET-REMOTE-VPN 172.16.22.0/24
set security zones security-zone INSIDE address-book address NET-LOCAL 192.168.11.0/24
# Create the policies to define the interesting traffic
set security policies from-zone INSIDE to-zone OUTSIDE policy VPN-POLICY-HQ-OUT match source-address NET-LOCAL
set security policies from-zone INSIDE to-zone OUTSIDE policy VPN-POLICY-HQ-OUT match destination-address NET-REMOTE-VPN
set security policies from-zone INSIDE to-zone OUTSIDE policy VPN-POLICY-HQ-OUT match application any
set security policies from-zone INSIDE to-zone OUTSIDE policy VPN-POLICY-HQ-OUT then permit tunnel ipsec-vpn VPN-HQ
set security policies from-zone INSIDE to-zone OUTSIDE policy VPN-POLICY-HQ-OUT then permit tunnel pair-policy VPN-POLICY-HQ-IN
set security policies from-zone OUTSIDE to-zone INSIDE policy VPN-POLICY-HQ-IN match source-address NET-REMOTE-VPN
set security policies from-zone OUTSIDE to-zone INSIDE policy VPN-POLICY-HQ-IN match destination-address NET-LOCAL
set security policies from-zone OUTSIDE to-zone INSIDE policy VPN-POLICY-HQ-IN match application any
set security policies from-zone OUTSIDE to-zone INSIDE policy VPN-POLICY-HQ-IN then permit tunnel ipsec-vpn VPN-HQ
set security policies from-zone OUTSIDE to-zone INSIDE policy VPN-POLICY-HQ-IN then permit tunnel pair-policy VPN-POLICY-HQ-OUT
# You want to exclude the VPN traffic from being NAT’d
set security nat source rule-set NAT-INTERFACE rule NO-NAT match source-address 192.168.11.0/24
set security nat source rule-set NAT-INTERFACE rule NO-NAT match destination-address 172.16.22.0/24
set security nat source rule-set NAT-INTERFACE rule NO-NAT then source-nat off
# My config already had a rule in the rule-set, so I had to move the new rule above the old rule so the no-NAT rule is processed first.
insert security nat source rule-set NAT-INTERFACE rule NO-NAT before rule RULE-NAME
Red Cisco ASA Firewall
! Define the interesting traffic
access-list ACL-VPN-SRX extended permit ip 172.16.22.0 255.255.255.0 192.168.11.0 255.255.255.0
! Set the IKE parameters
crypto ikev1 enable OUTSIDE
crypto ikev1 policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
! Create the IPSec settings
crypto ipsec ikev1 transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
crypto map MAP-VPN 10 match address ACL-VPN-SRX
crypto map MAP-VPN 10 set peer 18.104.22.168
crypto map MAP-VPN 10 set ikev1 transform-set ESP-AES128-SHA
crypto map MAP-VPN interface OUTSIDE
! Create the tunnel group
tunnel-group 22.214.171.124 type ipsec-l2l
tunnel-group 126.96.36.199 ipsec-attributes
ikev1 pre-shared-key s3kreTKey
! In my case I needed to tell this VPN traffic to not be NAT’d as it goes through the firewall
object network OBJ-172.16.22.0
subnet 172.16.22.0 255.255.255.0
object network OBJ-192.168.11.0
subnet 192.168.11.0 255.255.255.0
nat (INSIDE,OUTSIDE) source static OBJ-172.16.22.0 OBJ-172.16.22.0 destination static OBJ-192.168.11.0 OBJ-192.168.11.0 no-proxy-arp description No NAT for VPN to SRX
There is a great tool to generate the Juniper SRX code on Juniper’s site:
To build the Juniper config I used this page as a reference guide:
Today I was given a problem that our Cisco Ironport was not accepting email from outside people sending mail to inside people (backstory: this occurred right after we moved our Ironport to a different location). I looked in Ironport and spotted a lot of messages failing to be delivered. Specifically the error in Ironport was:
Message 1006902 aborted: Receiving aborted
I spent a long time doing packet captures to try to troubleshoot and determined the remote end was sending a reset which made me think this is the sender’s problem and not mine. However I was wrong.
The next thing I checked was the MX Record at MXToolbox.com (a great site for looking up DNS records and stuff). Specifically the SMTP test showed this:
Specifically I didn’t like seeing this warning:
SMTP Reverse DNS Mismatch — Warning – Reverse DNS does not match SMTP Banner
SMTP TLS — Warning – Does not support TLS
But what does that mean? I specifically wanted to know what two strings are being compared that resulted in a mismatch. Well in the case above the two strings it was comparing were *********************** and mail3.example.com. For some reason this took me a long time to realize the ********************* was the banner… You can see it in the image above after 220.
Looking around on the internet, it turned out that the Cisco ASA in front of the Ironport has “inspect esmtp” turned on (which is on by default). Upon turning that inspection off the issue immediately cleared up and the results were this:
Mail was then flowing into the Ironport properly and being delivered as expected. Looking back at the problem, had I looked at the ASA logs I would have seen these syslogs:
%ASA-4-108004: ESMTP Classification: Dropped connection for ESMTP Request from outside:188.8.131.52/35314 to DMZ:10.0.25.101/25; matched Class 4: header line length gt 998
%ASA-4-507003: tcp flow from outside:184.108.40.206/35314 to PUBLIC_DMZ:10.0.25.101/25 terminated by inspection engine, reason - inspector disconnected, dropped packet.
This tutorial shows how to install an HTTPS/SSL certificate on an ASA. This is often needed when WebVPN or AnyConnect is configured, since both use SSL. Without a certificate installed, users are given warnings and errors about a missing or invalid certificate.
This has nothing to do with authentication. It’s simply the https certificate which is needed for a secure communication to be set up.
Suppose you are working for a place called http://company.com and they want to set up their ASA to allow users to VPN into the network. To access the VPN you can either use IPSec or SSL. Suppose their choice was SSL and they want the URL of the ASA to be https://vpn.company.com. This tutorial will help set the HTTPS certificate for that URL.
It is easier for me to use ASDM when dealing with certificates so this tutorial uses ASDM exclusively.
Step 1 – Create an Identity Certificate
Under Configuration -> Device Management -> Certificate Management -> Identity Certificates
Give the Trustpoint a Name.
Choose “Add” a new identity certificate
Choose the key pair to use for encryption.
Click “Select” for the certificate subject DN. In this section it is important to make the CN = the URL of the ASA that this certificate will be serving. It doesn’t need to have any trailing slashes. So if the URL is “https://example.com/owa” you can simply make the CN “example.com”.
Fill in the FQDN field. This should be exactly the same as CN.
Click Add certificate.
Step 2 – Send the certificate to the CA
After completing step 1 you will be presented with the option of saving your certificate.
Send this certificate to the CA such as Symantec or Verisign. They will then process it and send you back your public certificate
Step 3 – Installing your certificate
Go back to the ASDM: Configuration -> Device Management -> Certificate Management -> Identity Certificates
Click the certificate you made earlier. Then click Install.
Paste in the certificate the CA sent you. Paste in everything including the BEGIN CERTIFICATE and END CERTIFICATE portions but make sure there are no trailing spaces or carriage returns. You do not need any of the intermediate keys, simply the public cert.
Step 4 – Enabling your certificate on an interface
Go to Configuration -> Remote Access VPN -> Network (client) access -> AnyConnect Connection Profiles
Click Device Certificate
Choose the certificate you installed as the one to use for when users HTTPS to this device.
That’s it! Test the functionality by going to the URL of your ASA by using HTTPS.
Below is a config to create a VPN tunnel between a Cisco ASA (Blue side) to a Juniper SSG ScreenOS (Red Side).
ethernet0/0: 220.127.116.11, Untrust
bgroup0: 172.16.22.1, Trust
Cisco ASA config (Blue):
!^^^^^^^ ISAKMP (Phase 1) ^^^^^^^!
! These settings must match the other side in order for Phase 1 to complete.
! Lower policy numbers will likely be used before higher ones.
crypto isakmp policy 5
 authentication pre-share
 encryption aes
 hash sha
 group 2
! Enable ISAKMP on the outside interface
crypto isakmp enable OUTSIDE
! Define the pre-shared-key
tunnel-group 18.104.22.168 type ipsec-l2l
tunnel-group 22.214.171.124 ipsec-attributes
 pre-shared-key sekretk3y
!^^^^^^^ IPSEC (Phase 2) ^^^^^^^!
! Define the interesting traffic in the ACL
access-list ACL-RED-VPN permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
crypto ipsec transform-set ESP-AES128-SHA esp-aes esp-sha-hmac
! Create a crypto map entry that defines the tunnel
crypto map MAP-OUTSIDE 20 set peer 126.96.36.199
! ACL must be exactly the opposite of the other side's ACL
crypto map MAP-OUTSIDE 20 match address ACL-RED-VPN
! Transform set must match other side identically
crypto map MAP-OUTSIDE 20 set transform-set ESP-AES128-SHA
crypto map MAP-OUTSIDE 20 set security-association lifetime kilobytes 10000
! Apply crypto map to an interface
crypto map MAP-OUTSIDE interface OUTSIDE
!^^^^^^^ Routes and No-NATS ^^^^^^^!
! Point the destination network out the outside interface with a next hop as the default gateway.
route OUTSIDE 172.16.22.0 255.255.255.0 188.8.131.52
! Make sure that the VPN traffic is NOT NAT’d
access-list ACL-INSIDE-NONAT extended permit ip 192.168.11.0 255.255.255.0 172.16.22.0 255.255.255.0
nat (INSIDE) 0 access-list ACL-INSIDE-NONAT
Juniper SSG-5 ScreenOS config (Red):
# Create a tunnel interface
set interface tunnel.1 zone Untrust
set interface tunnel.1 ip unnumbered interface ethernet0/0
# Create the gateway (IKE settings)
# note that “sec-level standard” means the IKE policies will try to use: pre-g2-3des-sha and pre-g2-aes128-sha
set ike gateway “VPN-GATEWAY” ip 184.108.40.206 outgoing-interface ethernet0/0 preshare “sekretk3y” sec-level standard
# Configure VPN IPSEC settings
set vpn “VPN” gateway “VPN-GATEWAY” replay tunnel idletime 0 proposal “nopfs-esp-aes128-sha”
set vpn “VPN” id 1 bind interface tunnel.1
set vpn “VPN” proxy-id local-ip 172.16.22.0/24 remote-ip 192.168.11.0/24 “ANY”
# Configure a route for the remote end traffic
set vrouter trust-vr route 192.168.11.0/24 interface tunnel.1
# Create 2 address book entries and create two policies to permit this traffic
set address Untrust "192.168.11.0/24" 192.168.11.0/24
set address Trust "172.16.22.0/24" 172.16.22.0/24
set policy top from "Trust" to "Untrust" "172.16.22.0/24" "192.168.11.0/24" "ANY" Permit log count
set policy top from "Untrust" to "Trust" "192.168.11.0/24" "172.16.22.0/24" "ANY" Permit log count
Coming at this from my Cisco background I had to learn some new ways of looking at this.
The traffic that can go over the tunnel is called the proxy-id. It is defined in the vpn settings. You also have to then permit this traffic in a policy between the two zones of your tunnel interface and whatever internal interface you have. In my case my Trust interface was bgroup0.
Some show commands to see what’s going on:
get ike gateway
Try creating a packet capture to see what is happening to the packet. With a packet capture you can see what is going on between the two VPN peers, or why your interesting traffic is not making it through the SSG.
set console dbuf
set ffilter src-ip 220.127.116.11 dst-ip 18.104.22.168
debug flow basic
# generate some traffic
# to see the capture:
get dbuf stream
# to stop capturing:
undebug all
Here is a basic reference sheet for looking up equivalent commands between a Cisco ASA and a Juniper SSG firewall running ScreenOS.
Cisco ASA                                                  | Juniper SSG (ScreenOS)
---------------------------------------------------------- | ----------------------------------------------------------------------
show log                                                   | get event
show ip                                                    | get interface
show version                                               | get system
show int (for i/o of bytes)                                | get counter statistics
show cpu usage                                             | get performance cpu
show conn                                                  | get session
show clock                                                 | get clock
ssh x.x.x.0 y.y.y.0 inside                                 | set admin manager-ip x.x.x.0 y.y.y.0
                                                           | set ssh enable
show run cry isakmp / show run tunnel-group                | get ike gateway
show cry isak sa                                           | get sa
                                                           | set interface ethernet0/0 phy link-down
                                                           | unset interface ethernet0/0 phy link-down
show failover                                              | get nsrp
route outside 22.214.171.124 255.255.255.0 126.96.36.199   | set route 188.8.131.52/24 interface bgroup3/0 gateway 184.108.40.206
logging host INSIDE 220.127.116.11                         | set syslog config 172.16.200.200 facilities local5
logging trap notification                                  | set syslog src-interface ethernet1/0
                                                           | set syslog enable
ntp server 18.104.22.168 source OUTSIDE                    | set ntp server 22.214.171.124
                                                           | set ntp server src-interface ethernet3/0
                                                           | set clock ntp
                                                           | exec ntp update
capture CAP1 match ip host 126.96.36.199 host 188.8.131.52 | clear db
                                                           | set console dbuf
                                                           | set ffilter src-ip 184.108.40.206 dst-ip 220.127.116.11
                                                           | debug flow basic
                                                           | — OR —
                                                           | snoop filter ip src-ip 18.104.22.168 dst-ip 22.214.171.124 direction both
show capture CAP1                                          | get dbuf stream
clear capture CAP1                                         | undebug all
                                                           | — OR —
                                                           | snoop filter delete
Additional reading material regarding Juniper SSG and ScreenOS commands: