Screen OS

  • 1.  Show listening Ports for SSG-140

    Posted 05-10-2011 06:11

    Hi guys,

    been searching the net for displaying any listening ports on the SSG-140.

    Is there a command to list them like netstat?

    We are using version 5.4.0r3a.0.

     

    Thank you!



  • 2.  RE: Show listening Ports for SSG-140

    Posted 05-10-2011 17:30

    Definitely no netstat on ScreenOS.  I think the closest thing would be "get session" which will show all the current sessions in the table.  Add a "?" and you'll get the various narrowing options for that.  But it looks like you want a full list.

     

    You can dump the output to a tftp server by specifying an ip address and file name.

     

    get session > tftp 192.168.1.1 sessions.txt

     

    This sources from the lowest interface but you can set that too.

     

    set tftp source-address bgroup0



  • 3.  RE: Show listening Ports for SSG-140

    Posted 05-13-2011 12:22

    "get session" will only give information on open connections/sessions.

     

    If you really want to see what's "listening," you would need to use something like nmap with some various tcp and udp scan options.  I wouldn't say that this can be 100% guaranteed, since you'd be scanning a security device (firewall) with probing software; I'm sure you can see the possible issues.

     

    Really, though, the SSG shouldn't be "listening" on any ports that you haven't specifically configured.  You can just run through your configuration and see what's enabled -- management access on interfaces, SNMP, etc.



  • 4.  RE: Show listening Ports for SSG-140
    Best Answer

    Posted 05-13-2011 13:29

    Nothing I can think of that matches exactly what you're looking for, but there are a few cool hidden commands:

     

    SSG-> get tcp
    tcp checksum error: 0, tcp http ping: 0
    tcp user auth: 0, tcp unknown port 0
    tcp no more socket: 0, tcp syn pak error: 13
    tcp socket full drop count: 1
    tcp ooo segs: 0, tcp ooo segs drop count: 0
    max ooo segs: 32, default max ooo segs 32
    Total sock: 5/64, debug remote port: 65535
    0: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
      ::/80, ::/0, window: 0/0/0
    1: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
      ::/443, ::/0, window: 0/0/0
    2: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
      ::/23, ::/0, window: 0/0/0
    3: inuse: 1, mode: 0, state: 0, ifnum: -1, idle: 0, timer 0
      ::/22, ::/0, window: 0/0/0
    44: inuse: 1, mode: 2, state: 4, ifnum: 21, idle: 0, timer 0
      192.168.xxx/22, 192.168.xxx/61064, window: 852397383/-2110642437/65535

     

    SSG-> get task | i socket   
     20 ping high       IDLE (Socket)       8bfffdb4/06fc0    30/    0    7796815    1945.633,       0.000
     29 pki             IDLE (Socket)       8bfffdb4/0ffc0    30/    0     115980      18.964,       0.000
     36 dnsa            IDLE (Socket)       8bfffdec/10fc0    30/    0     557947     164.653,       0.000
     46 arp             IDLE (Socket)       8bfffdf0/06fc0    30/    0   29033156   11866.149,       0.000
     62 web             IDLE (Socket)       8bfffdbc/18fc0    30/    0       3745       1.077,       0.000
     70 aaa task        IDLE (Socket)       8bfffdf0/04fc0    30/    0          1       0.000,       0.000
     80 msg_proc        IDLE (Socket)       8bfffd84/08fc0    30/    0    5229738    2400.543,       0.000
     83 snmp            IDLE (Socket)       8bfffdd0/08fc0    30/    0          1       0.001,       0.000



  • 5.  RE: Show listening Ports for SSG-140

    Posted 05-19-2011 05:47

    Thanks! get socket was exactly what I was looking for.

    This is handy for our PCI-DSS certification.

     

    get socket
     Socket  Type   State      Remote IP         Port    Local IP         Port
          0  tcp4/6  listen     ::                   0    ::                 80
          1  tcp4/6  listen     ::                   0    ::                443
          2  tcp4/6  listen     ::                   0    ::                 23
          3  tcp4/6  listen     ::                   0    ::                 22
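The audit that posts 3 through 5 describe (take the listening sockets the box reports, compare them with the management services the configuration actually enables, and treat anything left over as a finding for the PCI-DSS evidence file) can be automated. The script below is an added example, not code from the thread or from Juniper. It parses a constructed copy of the `get socket` table in the layout shown above and a constructed handful of `set interface ... manage ...` lines such as `get config` prints, and assumes the factory default admin ports (22 ssh, 23 telnet, 80 web, 443 ssl); if `set admin port` or `set admin ssh port` has been changed on your unit, adjust `MANAGE_PORTS`.

```python
"""Audit ScreenOS listening sockets against the management services enabled in config.

Added example (not Juniper's code). Assumes default admin ports; the sample
inputs below are constructed to match the layout shown in the forum thread.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample of `get socket` output (listen rows as seen in the thread,
# plus one made-up established SSH session so the state filter is exercised).
GET_SOCKET_OUTPUT = """\
 Socket  Type   State      Remote IP         Port    Local IP         Port
      0  tcp4/6  listen     ::                   0    ::                 80
      1  tcp4/6  listen     ::                   0    ::                443
      2  tcp4/6  listen     ::                   0    ::                 23
      3  tcp4/6  listen     ::                   0    ::                 22
     44  tcp4/6  established 192.168.10.5    61064    192.168.10.1       22
"""

# Constructed sample of the management-related lines from `get config`.
GET_CONFIG_OUTPUT = """\
set interface ethernet0/0 ip 192.168.10.1/24
set interface ethernet0/0 manage ssh
set interface ethernet0/0 manage ssl
set interface ethernet0/0 manage web
set interface ethernet0/0 manage ping
set interface ethernet0/1 ip 10.0.0.1/24
"""

# ScreenOS `manage` keyword -> default TCP port (assumption: defaults unchanged).
MANAGE_PORTS: Dict[str, int] = {"ssh": 22, "telnet": 23, "web": 80, "ssl": 443}


def parse_listening_ports(socket_text: str) -> Set[Tuple[str, int]]:
    """Return {(proto, local_port)} for every row of `get socket` in state 'listen'.

    Columns are whitespace separated:
    socket, type, state, remote_ip, remote_port, local_ip, local_port.
    """
    listening: Set[Tuple[str, int]] = set()
    for line in socket_text.splitlines():
        fields = line.split()
        if len(fields) != 7 or not fields[0].isdigit():
            continue  # header, blank line, or something we do not understand
        _, sock_type, state, _, _, _, local_port = fields
        if state.lower() != "listen":
            continue
        proto = "udp" if sock_type.lower().startswith("udp") else "tcp"
        listening.add((proto, int(local_port)))
    return listening


def expected_ports_from_config(config_text: str) -> Set[int]:
    """Collect the TCP admin ports implied by `set interface <if> manage <svc>` lines."""
    expected: Set[int] = set()
    for line in config_text.splitlines():
        fields = line.split()
        # set interface <name> manage <service>
        if len(fields) == 5 and fields[:2] == ["set", "interface"] and fields[3] == "manage":
            port = MANAGE_PORTS.get(fields[4].lower())
            if port is not None:
                expected.add(port)
    return expected


def audit(socket_text: str, config_text: str) -> Dict[str, Set[int]]:
    """Compare listening TCP ports with the ports the config says should be managed.

    'unexpected' listeners are the audit findings; 'missing' ports are enabled in
    config but not listening (for example an admin port moved with `set admin port`).
    """
    listening = {port for proto, port in parse_listening_ports(socket_text) if proto == "tcp"}
    expected = expected_ports_from_config(config_text)
    return {"unexpected": listening - expected, "missing": expected - listening}


def report_lines(socket_text: str, config_text: str) -> List[str]:
    """Human-readable summary, one line per finding, suitable for an audit note."""
    result = audit(socket_text, config_text)
    lines = [f"listening but not enabled by any 'manage' option: tcp/{p}"
             for p in sorted(result["unexpected"])]
    lines += [f"enabled in config but not listening: tcp/{p}"
              for p in sorted(result["missing"])]
    return lines or ["no discrepancies between get socket and manage options"]


if __name__ == "__main__":
    for line in report_lines(GET_SOCKET_OUTPUT, GET_CONFIG_OUTPUT):
        print(line)
```

On the constructed input this flags tcp/23: the telnet daemon is bound to `::` even though no interface has `manage telnet`. That is the caveat to carry into the evidence file: `get socket` shows what the firewall binds, while the per-interface `manage` flags govern which interfaces will actually answer, so pair this output with the nmap sweep from each zone that post 3 suggests to show what is reachable in practice.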