Clearing and Removing Configuration Settings in ASA

Clearing and Removing Configuration Settings

To erase settings, enter one of the following commands.

• To clear all the configuration for a specified command, enter the following command:

hostname(config)# clear configure configurationcommand [level2configurationcommand]

This command clears all the current configuration for the specified configuration command. If you only want to clear the configuration for a specific version of the command, you can enter a value for level2configurationcommand.

For example, to clear the configuration for all aaa commands, enter the following command:

hostname(config)# clear configure aaa

To clear the configuration for only aaa authentication commands, enter the following command:

hostname(config)# clear configure aaa authentication

• To disable the specific parameters or options of a command, enter the following command:

hostname(config)# no configurationcommand [level2configurationcommand] qualifier

In this case, you use the no command to remove the specific configuration identified by qualifier.

For example, to remove a specific nat command, enter enough of the command to identify it uniquely as follows:

hostname(config)# no nat (inside) 1

• To erase the startup configuration, enter the following command:

hostname(config)# write erase

• To erase the running configuration, enter the following command:

hostname(config)# clear configure all

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/start.html#wp1055130


Juniper SRX sample Internet screen configuration

Configuration for Screen and Flow Option Sample Deployment
This configuration would look as follows:

root@SRX5800> show configuration security screen
ids-option Internet-Screen {
icmp {
ip-sweep threshold 1000;
fragment;
large;
flood threshold 300;
ping-death;
}
ip {
bad-option;
record-route-option;
timestamp-option;
security-option;
stream-option;
spoofing;
source-route-option;
loose-source-route-option;
strict-source-route-option;
unknown-protocol;
tear-drop;
}
tcp {
syn-fin;
fin-no-ack;
tcp-no-flag;
syn-frag;
port-scan threshold 1000;
syn-flood {
alarm-threshold 750;
attack-threshold 2000;
source-threshold 50;
destination-threshold 1000;
timeout 30;
}
land;
winnuke;
tcp-sweep threshold 1000;
}
udp {
flood threshold 1000;
udp-sweep threshold 1000;
}
limit-session {
source-ip-based 100;
destination-ip-based 25000;
}
}

root@SRX5800> show configuration security flow
syn-flood-protection-mode syn-cookie;
aging {
early-ageout 2;
low-watermark 66;
high-watermark 80;
}
tcp-session {
strict-syn-check;
}

– From Juniper SRX Series, Sample Deployment

Juniper firewall log

root@R3> show configuration firewall | display set
set firewall filter BLOCK_ICMP term 1 from source-address 11.11.11.1/32
set firewall filter BLOCK_ICMP term 1 from destination-address 33.33.33.3/32
set firewall filter BLOCK_ICMP term 1 from protocol icmp
set firewall filter BLOCK_ICMP term 1 from icmp-type echo-request
set firewall filter BLOCK_ICMP term 1 then count BLOCK_ICMP_Counter_1
set firewall filter BLOCK_ICMP term 1 then log
set firewall filter BLOCK_ICMP term 1 then reject
set firewall filter BLOCK_ICMP term 9999 then count BLOCK_ICMP_Counter_9999
set firewall filter BLOCK_ICMP term 9999 then accept

root@R3> show firewall log
Log :
Time Filter Action Interface Protocol Src Addr Dest Addr
21:22:39 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3
21:22:38 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3
21:22:38 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3
21:22:37 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3
21:22:36 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3
21:21:08 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3
21:20:22 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3
21:20:21 BLOCK_ICMP R em5.0 ICMP 11.11.11.1 33.33.33.3

root@R3> show firewall log detail
Time of Log: 2013-11-10 21:22:39 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:22:38 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:22:38 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:22:37 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:22:36 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:21:08 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:20:22 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:20:21 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
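As an added example (not part of the original post), a small Python script that parses the three-line "show firewall log detail" records shown above and flags source/destination pairs whose rejected packets cluster in time. The sample records are constructed from the output above; the 5-second window and 2-hit threshold are assumptions, not Junos settings.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three records copied from the "show firewall log detail"
# output above, in the three-line format Junos prints (a record starts at 'Time of Log').
SAMPLE_LOG = """\
Time of Log: 2013-11-10 21:22:39 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:22:38 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
Time of Log: 2013-11-10 21:21:08 UTC, Filter: BLOCK_ICMP, Filter action: reject, Name of interface: em5.0
Name of protocol: ICMP, Packet Length: 54189, Source address: 11.11.11.1, Destination address: 33.33.33.3
ICMP type: 8, ICMP code: 0
"""

# Every field is "Key: value", comma separated, spread over three lines per record.
FIELD_RE = re.compile(r"([A-Za-z ]+?): ([^,]+)")

def parse_detail(text):
    """Return one dict per record; 'ts' holds the parsed timestamp (UTC, naive)."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("Time of Log:"):
            current = {}
            records.append(current)
        for key, value in FIELD_RE.findall(line):
            current[key.strip()] = value.strip()
    for rec in records:
        rec["ts"] = datetime.strptime(rec["Time of Log"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return records

def reject_bursts(records, window_s=5, min_hits=2):
    """Group rejects by (filter, src, dst, icmp-type); report groups whose densest
    window_s-second window holds at least min_hits rejects (thresholds are assumed)."""
    groups = defaultdict(list)
    for r in records:
        if r.get("Filter action") != "reject":
            continue
        key = (r["Filter"], r["Source address"], r["Destination address"], r.get("ICMP type"))
        groups[key].append(r["ts"])
    bursts = {}
    for key, stamps in groups.items():
        densest = max(sum(1 for t in stamps if 0 <= (t - s).total_seconds() <= window_s)
                      for s in stamps)
        if densest >= min_hits:
            bursts[key] = densest
    return bursts
```

On the sample, the two rejects at 21:22:38 and 21:22:39 form a burst while the lone 21:21:08 record does not; feeding the full output of `show firewall log detail` into `parse_detail` works the same way.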

Juniper Junos basic BGP and firewall filter

R1:
root@R1> show configuration | display set
set version 10.1R1.8
set system host-name R1
set system root-authentication encrypted-password "$1$DxeIh.QQ$XZ6zRnoGMUHJw/On7ojvz0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 12.12.12.1/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/24
set interfaces lo0 unit 0 family inet address 11.11.11.1/24
set routing-options static route 0.0.0.0/0 next-hop 12.12.12.2
set routing-options autonomous-system 100
set protocols bgp group EXT export LOOPS_to_BGP
set protocols bgp group EXT peer-as 200
set protocols bgp group EXT neighbor 12.12.12.2
set policy-options policy-statement LOOPS_to_BGP term 1 from protocol direct
set policy-options policy-statement LOOPS_to_BGP term 1 then accept

R2:
root@R2> show configuration | display set
set version 10.1R1.8
set system host-name R2
set system root-authentication encrypted-password "$1$DxeIh.QQ$XZ6zRnoGMUHJw/On7ojvz0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em0 unit 0 family inet address 12.12.12.2/24
set interfaces em5 unit 0 family inet address 23.23.23.2/24
set routing-options generate route 0.0.0.0/0
set routing-options autonomous-system 200
set protocols bgp traceoptions file BGP
set protocols bgp traceoptions flag route
set protocols bgp export DEFAULT
set protocols bgp group EXT neighbor 12.12.12.1 peer-as 100
set protocols bgp group EXT neighbor 23.23.23.3 peer-as 300
set policy-options policy-statement DEFAULT term 1 from protocol aggregate
set policy-options policy-statement DEFAULT term 1 then accept

R3:
root@R3> show configuration | display set
set version 10.1R1.8
set system host-name R3
set system root-authentication encrypted-password "$1$DxeIh.QQ$XZ6zRnoGMUHJw/On7ojvz0"
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces em5 unit 0 family inet filter input BLOCK_ICMP
set interfaces em5 unit 0 family inet address 23.23.23.3/24
set interfaces lo0 unit 0 family inet address 3.3.3.3/24
set interfaces lo0 unit 0 family inet address 33.33.33.3/24
set routing-options autonomous-system 300
set protocols bgp group EXT export LOOPS_to_BGP
set protocols bgp group EXT neighbor 23.23.23.2 peer-as 200
set policy-options policy-statement LOOPS_to_BGP term 1 from protocol direct
set policy-options policy-statement LOOPS_to_BGP term 1 then accept
set firewall filter BLOCK_ICMP term 1 from source-address 11.11.11.1/32
set firewall filter BLOCK_ICMP term 1 from destination-address 33.33.33.3/32
set firewall filter BLOCK_ICMP term 1 from protocol icmp
set firewall filter BLOCK_ICMP term 1 from icmp-type echo-request
set firewall filter BLOCK_ICMP term 1 then count BLOCK_ICMP_Counter_1
set firewall filter BLOCK_ICMP term 1 then reject
set firewall filter BLOCK_ICMP term 9999 then count BLOCK_ICMP_Counter_9999
set firewall filter BLOCK_ICMP term 9999 then accept

root@R3> show firewall filter BLOCK_ICMP counter BLOCK_ICMP_Counter_1

Filter: BLOCK_ICMP
Counters:
Name Bytes Packets
BLOCK_ICMP_Counter_1 9240 110

root@R3> show firewall filter BLOCK_ICMP counter BLOCK_ICMP_Counter_9999

Filter: BLOCK_ICMP
Counters:
Name Bytes Packets
BLOCK_ICMP_Counter_9999 2316 34

root@R3> clear firewall counter BLOCK_ICMP_Counter_1 filter BLOCK_ICMP

root@R3> clear firewall counter BLOCK_ICMP_Counter_9999 filter BLOCK_ICMP

root@R3> show firewall filter BLOCK_ICMP counter BLOCK_ICMP_Counter_1

Filter: BLOCK_ICMP
Counters:
Name Bytes Packets
BLOCK_ICMP_Counter_1 0 0

root@R3> show firewall filter BLOCK_ICMP counter BLOCK_ICMP_Counter_9999

Filter: BLOCK_ICMP
Counters:
Name Bytes Packets
BLOCK_ICMP_Counter_9999 0 0

root@R3>