Configuring Juniper NetScreen firewall rule from command line

I needed to configure a firewall rule on an old Juniper Networks NetScreen 5XP firewall to block all outgoing traffic from a PC that had become infected with malware. I logged into the firewall via SSH to get a command line interface, but, since it had been a very long time since I had to make changes to the configuration of the firewall, I had forgotten the syntax of the command to establish a new policy in the firewall.

The get config command will show the configuration of the firewall, including all rules in the firewall and the command get policy will show all policies, aka rules, which gave me examples of existing rules to check the syntax I should use for a new rule.

Looking at the list of existing rules, it appeared the next id for a rule number would be 17 in this firewall, but I decided to double-check to make sure I hadn't overlooked an existing one with that number.

ns5xp-> get policy id 17
Policy: Not found

Failed command - get policy id 17

Since one couldn't be found, I used that number for the id of the policy I created. You can set a descriptive name for a rule using the name parameter, so I decided to label it as "Block infected system". The infected system was on the inside, i.e., the "Trust" side of the firewall and I wanted to block all traffic from it to the "Untrust" side, i.e., the Internet. The IP address of the infected system was, so I entered the command below:

ns5xp-> set policy id 17 name "Block infected system" from "Trust" to "Untrust" "ANY" "ANY" deny
### Zone Trust->Untrust : following address(es) not defined: (src,

Failed command - set policy id 17 name "Block infected system" from "Trust" to "Untrust" "ANY" "ANY" deny

But the command failed, so I obviously had made a mistake. I realized I had to associate a name with the IP address before setting the policy, but didn't remember how to do that from a command prompt. Fortunately, you can enter the start of a command followed by a question mark and the NetScreen operating system will provide you with information on what you can enter next on the command line to complete the command, so I just added parameters followed by a question mark until I could complete the command.

ns5xp-> set address ?
Trust                Trust zone
Untrust              Untrust zone
Global               Global zone
V1-Trust             V1-Trust zone
V1-Untrust           V1-Untrust zone
ns5xp-> set address "Trust" ?
<name string>        address name
ns5xp-> set address "Trust" "Onda" ?
<a.b.c.d>/<num>      IP Address/Netmask
<a.b.c.d>            IP Address
ns5xp-> set address "Trust" "Onda" ?
<A.B.C.D>            Network Mask
ns5xp-> set address "Trust" "Onda" ?
<string>             address comment
ns5xp-> set address "Trust" "Onda" "Sue's PC"

I set the subnet mask to, since that is the appropriate mask to use when you are specifying a specific IP address rather than a range of addresses.

I wanted to move the block rule up near the top of the list of rules, so I used "before 2" to put it before the policy with id number 2 in the list. I wanted to block traffic from the source system to any destination system on any port, so used "ANY" "ANY" and put deny at the end of the policy definition to block all traffic from the system named "Onda".

ns5xp-> set policy id 17 before 2 name "Block infected system" from "Trust" to "Untrust" "Onda" "ANY" "ANY" deny
policy id = 17

I saw "policy id = 17" this time after entering the command, letting me know the rule was successfully set and I was able to verify that the system no longer could communicate outside the LAN. I left connectivity in place with other systems on the LAN temporarily until I could pull some files from the system for analysis on another system and push some troubleshooting tools to it before unplugging the network cable from the infected system.

For the set policy command, the following options are available:

ns5xp-> set policy ?
before               insert a policy
default-permit-all   permit if no policy match
from                 from zone
global               set global policy
id                   specify policy id
move                 move a policy
name                 specify policy name
top                  put this policy as the first one in the list

I used set policy id 17 before 2 name "Block infected system" from "Trust" to "Untrust". The next two parameters needed on the line were as follows. They were needed in the order listed.

<name string>        destination address name
<name string>        service name

After those, you can use one of the following options:

deny                 deny packets
nat                  enable nat
permit               permit packets
tunnel               encrypt packets

By blocking access to "ANY" "ANY", I blocked access to all destinations and all services, which blocked access to any port on any destination sysem on the outside, i.e., "untrusted", side of the firewall. The last parameter on the command line deny blocks the connectivity.


  1. Juniper Firewall ScreenOS Basics (CJFV)
    By: Corelan Team
    Published: June 22, 2008
    Corelan Team
  2. Creating a Firewall Rule in a NetScreen Firewall from the Command Line
    Date: May 3, 2010
    MoonPoint Support


TechRabbit ad 300x250

Justdeals Daily Electronics Deals1x1 px

Valid HTML 4.01 Transitional

Created: Tuesday January 6, 2015