[J/SRX] Mapping of common troubleshooting commands from ScreenOS to Junos OS

  [KB14000]


Summary:

This article contains a quick reference table mapping frequently used troubleshooting commands for ScreenOS to Junos OS.

Symptoms:

This table will help those who are new to J-Series or SRX-Series devices but familiar with ScreenOS.

For additional information or help on getting started with SRX, refer to KB15694 - Configuration Examples & Troubleshooting (Jumpstation).



Cause:

Solution:

Refer to the following table mapping common ScreenOS CLI commands to Junos OS.

Note: This table applies to the following versions of Junos OS:

  • Junos OS 9.4 and above (with default configuration)
  • Junos OS with Enhanced Services 8.5 through 9.3 (with default configuration)

Each entry gives the ScreenOS command, its Junos OS equivalent, and any notes.

Session & Interface counters

ScreenOS: get session
Junos OS: > show security flow session

ScreenOS: get interface
Junos OS: > show interface terse

ScreenOS: get counter stat
          get counter stat <interface>
Junos OS: > show interface extensive
          > show interface <interface> extensive

ScreenOS: clear counter stat
Junos OS: > clear interface statistics <interface>

Debug & Snoop

ScreenOS: debug flow basic
Junos OS: # edit security flow
          # set traceoptions flag basic-datapath
          # commit
Notes:    Creates debugs in the default file name: /var/log/security-trace
          See KB16108 for traceoptions info.

ScreenOS: set ff
Junos OS: # edit security flow
          # set traceoptions packet-filter
Notes:    Packet-drop is a feature that will be added.

ScreenOS: get ff
Junos OS: > show configuration | match packet-filter | display set

ScreenOS: get debug
Junos OS: > show configuration | match traceoptions | display set

ScreenOS: get db stream
Junos OS: View stored log (recommended option):
          > show log <file name> (enter h to see help options)
          > show log security-trace (to view 'security flow' debugs)
          > show log kmd (to view 'security ike' debugs)
          View real-time (use this option with caution):
          > monitor start <debugfilename>
          ESC-Q (to pause real-time output to screen)
Notes:    'monitor stop' stops the real-time view, but debugs are still collected in log files.

ScreenOS: clear db
Junos OS: > clear log <filename> (clears contents of file)
Notes:    Use 'file delete <filename>' to actually delete the file.

ScreenOS: undebug <debug> (stops collecting debugs)
Junos OS: # edit security flow
          # deactivate traceoptions OR # delete traceoptions (at the particular hierarchy)
          # commit
Notes:    Deactivate makes it easier to enable/disable.
          Use activate traceoptions to activate.

ScreenOS: undebug all
Junos OS: Not available. You need to deactivate or delete traceoptions separately.

ScreenOS: debug ike detail
Junos OS: > request security ike debug-enable local <local gw> remote <remote peer> level 7
Notes:    Creates debugs in the default file name: kmd

ScreenOS: snoop (packets THRU the Junos OS device)
Junos OS: Use Packet Capture feature for branch: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-admin-guide/config-pcap-chapter.html#config-pcap-chapter
Notes:    For High End (SRX1xxx/3x00/5x00) refer to KB21563.

ScreenOS: snoop (packets TO the Junos OS device)
Junos OS: > monitor traffic interface <int> layer2-headers
          write-file option (hidden)
          read-file (hidden)
Notes:    Only captures traffic destined for the RE of the router itself.
          Excludes PING.

Event Logs

ScreenOS: get event
Junos OS: > show log messages
          > show log messages | last 20 (helpful cmd because newest log entries are at end of file)
Notes:    On SRX, the default will only show critical level messages. The correct syslog level must be configured if more detailed logs are required.

ScreenOS: get event | include <string>
Junos OS: > show log messages | match <string>
          > show log messages | match "<string> | <string> | <string>"
          Examples:
          > show log messages | match "error | kernel | panic"
          > show log messages | last 20 | find error
Notes:    There is not an equivalent command for 'get event include <string>'.
          match: displays only the lines that contain the string
          find: displays output starting from the first occurrence of the string

ScreenOS: clear event
Junos OS: > clear log messages

ScreenOS: (none listed)
Junos OS: > show log

Config & Software upgrade

ScreenOS: get config
Junos OS: > show config (program structured format)
          > show config | display set (set command format)

ScreenOS: get license
Junos OS: > show system license keys

ScreenOS: get chassis (serial numbers)
Junos OS: > show chassis hardware detail
Notes:    > show chas environment
          > show chas routing-engine

ScreenOS: exec license
Junos OS: > request system license [add | delete | save]
Notes:    Does not require a reboot on SRX, but does on ScreenOS.

ScreenOS: unset all
          reset
Junos OS: # load factory-default
          # set system root-authentication plain-text-password
          # commit and-quit
          > request system reboot
Notes:    See KB15725.

ScreenOS: save config from tftp <tftp_server> <configfile> to flash
Junos OS: > start shell and FTP config to router, i.e. /var/tmp/test.cfg. Then
          # load override /var/tmp/test.cfg (or full path of config file)
Notes:    TFTP is not supported. Use only FTP, HTTP, or SCP.

ScreenOS: save software from tftp <tftp_server> <screenosimage> to flash
Junos OS: > request system software add
          Example:
          > request system software add ftp://10.10.10.129/jsr/junos-srxsme-9.5R1.8-domestic.tgz reboot
Notes:    TFTP is not supported. Use only FTP, HTTP, or SCP.
          Use 'request system software rollback' to roll back to the previous software package.
          See KB16652.

ScreenOS: save
Junos OS: # commit OR
          # commit and-quit

ScreenOS: reset
Junos OS: > request system reboot

Policy

ScreenOS: get policy
Junos OS: > show security policies

ScreenOS: get policy from <zone> to <zone>
Junos OS: > show security policies from <zone> to <zone>

VPN

ScreenOS: get ike cookie
Junos OS: > show security ike security-associations

ScreenOS: get sa
Junos OS: > show security ipsec security-associations
Notes:    > show security ipsec sa

ScreenOS: clear ike cookie
Junos OS: > clear security ike security-associations

ScreenOS: clear sa
Junos OS: > clear security ipsec security-associations

NSRP

ScreenOS: get nsrp
Junos OS: > show chassis cluster status
          > show chassis cluster interfaces
          > show chassis cluster status redundancy-group <group>

ScreenOS: exec nsrp vsd <vsd> mode backup (on master) see KB5885
Junos OS: > request chassis cluster failover redundancy-group <group> node <node>

ScreenOS: (none listed)
Junos OS: > request chassis cluster failover reset redundancy-group <group>

DHCP

ScreenOS: get dhcp client
Junos OS: > show system services dhcp client
Notes:    See KB15753.

ScreenOS: exec dhcp client <int> renew
Junos OS: > request system services dhcp renew (or release) (DHCPD) OR
          > request dhcp client renew (JDHCPD)

Routing

ScreenOS: get route
Junos OS: > show route

ScreenOS: get route ip <ipaddress>
Junos OS: > show route <ipaddress>

ScreenOS: get vr untrust-vr route
Junos OS: > show route instance untrust-vr

ScreenOS: get ospf nei
Junos OS: > show ospf neighbor

ScreenOS: set route 0.0.0.0/0 interface <int> gateway <ip>
Junos OS: # set routing-options static route 0.0.0.0/0 next-hop <ip>
Notes:    See KB16572.

NAT

ScreenOS: get vip
Junos OS: > show security nat destination-nat summary

ScreenOS: get mip
Junos OS: > show security nat static-nat summary

ScreenOS: get dip
Junos OS: > show security nat source-nat summary
          > show security nat source-nat pool <pool>

Other

ScreenOS: get perf cpu
Junos OS: > show chassis routing-engine

ScreenOS: get net-pak s
Junos OS: > show system buffers

ScreenOS: get file
Junos OS: > show system storage

ScreenOS: get alg
Junos OS: > show security alg status

ScreenOS: get service
Junos OS: > show configuration groups junos-defaults applications

ScreenOS: get tech
Junos OS: > request support information

ScreenOS: set console page 0
Junos OS: > set cli screen-length 0

ScreenOS: (none listed)
Junos OS: > file list <path>
          Example: file list /var/tmp/
Notes:    Shows directory listing.
          Note that / is needed at end of path.

#  =  configuration mode prompt
>  =  operational mode prompt

 

