Session & Interface counters

| ScreenOS | Junos OS | Notes |
|---|---|---|
| `get session` | `> show security flow session` | |
| `get interface` | `> show interface terse` | |
| `get counter stat`<br>`get counter stat <interface>` | `> show interface extensive`<br>`> show interface <interface> extensive` | |
| `clear counter stat` | `> clear interface statistics <interface>` | |
Debug & Snoop

| ScreenOS | Junos OS | Notes |
|---|---|---|
| `debug flow basic` | `# edit security flow`<br>`# set traceoptions flag basic-datapath`<br>`# commit` | Creates debugs in the default file name /var/log/security-trace. See KB16108 for traceoptions info. |
| `set ff` | `# edit security flow`<br>`# set traceoptions packet-filter` | Packet-drop is a feature that will be added. |
| `get ff` | `> show configuration \| match packet-filter \| display set` | |
| `get debug` | `> show configuration \| match traceoptions \| display set` | |
| `get db stream` | View stored log (recommended option):<br>`> show log <file name>` (enter h to see help options)<br>`> show log security-trace` (to view 'security flow' debugs)<br>`> show log kmd` (to view 'security ike' debugs)<br>View real-time (use this option with caution):<br>`> monitor start <debugfilename>`<br>ESC-Q (to pause real-time output to screen) | `monitor stop` stops the real-time view, but debugs are still collected in the log files. |
| `clear db` | `> clear log <filename>` (clears contents of file) | Use `file delete <filename>` to actually delete the file. |
| `undebug <debug>` (stops collecting debugs) | `# edit security flow`<br>`# deactivate traceoptions` OR `# delete traceoptions` (at the particular hierarchy)<br>`# commit` | Deactivate makes it easier to enable/disable. Use `activate traceoptions` to activate again. |
| `undebug all` | Not available. You need to deactivate or delete traceoptions separately. | |
| `debug ike detail` | `> request security ike debug-enable local <local gw> remote <remote peer> level 7` | Creates debugs in the default file name kmd. |
| `snoop` (packets THRU the Junos OS device) | Use the Packet Capture feature for branch SRX, refer to KB11709.<br>For high-end SRX (SRX1xxx/3x00/5x00), refer to KB21563. | |
| `snoop` (packets TO the Junos OS device) | `> monitor traffic interface <int> layer2-headers`<br>`write-file` option (hidden)<br>`read-file` option (hidden) | Only captures traffic destined for the RE of the router itself. Excludes PING. |
Event Logs

| ScreenOS | Junos OS | Notes |
|---|---|---|
| `get event` | `> show log messages`<br>`> show log messages \| last 20` (helpful because the newest log entries are at the end of the file) | On SRX, the default will only show critical level messages. The correct syslog level must be configured if more detailed logs are required. |
| `get event \| include <string>` | `> show log messages \| match <string>`<br>`> show log messages \| match "<string> \| <string> \| <string>"`<br>Examples:<br>`> show log messages \| match "error \| kernel \| panic"`<br>`> show log messages \| last 20 \| find error` | Note: there is no exact equivalent command for `get event include <string>`. `match` displays only the lines that contain the string; `find` displays output starting from the first occurrence of the string. |
| `clear event` | `> clear log messages` | |
| | `> show log` | |
Config & Software upgrade

| ScreenOS | Junos OS | Notes |
|---|---|---|
| `get config` | `> show config` (structured format)<br>`> show config \| display set` (set command format) | |
| `get license` | `> show system license keys` | |
| `get chassis` (serial numbers) | `> show chassis hardware detail`<br>`> show chassis environment`<br>`> show chassis routing-engine` | |
| `exec license` | `> request system license [add \| delete \| save]` | Does not require a reboot on SRX, but does on ScreenOS. |
| `unset all`<br>`reset` | `# load factory-default`<br>`# set system root-authentication plain-text-password`<br>`# commit and-quit`<br>`> request system reboot` | See KB15725. |
| `save config from tftp <tftp_server> <configfile> to flash` | `> start shell` and FTP the config to the router, e.g. /var/tmp/test.cfg. Then:<br>`# load override /var/tmp/test.cfg` (or full path of config file) | TFTP is not supported. Use only FTP, HTTP, or SCP. |
| `save software from tftp <tftp_server> <screenosimage> to flash` | `> request system software add`<br>Example:<br>`> request system software add ftp://10.10.10.129/jsr/junos-srxsme-18.4R3-S2.tgz reboot` | TFTP is not supported. Use only FTP, HTTP, or SCP. Use `request system software rollback` to roll back to the previous software package. See KB16652. |
| `save` | `# commit` OR<br>`# commit and-quit` | |
| `reset` | `> request system reboot` | |
Policy

| ScreenOS | Junos OS | Notes |
|---|---|---|
| `get policy` | `> show security policies` | |
| `get policy from <zone> to <zone>` | `> show security policies from-zone <zone> to-zone <zone>` | |
VPN

| ScreenOS | Junos OS | Notes |
|---|---|---|
| `get ike cookie` | `> show security ike security-associations` | |
| `get sa` | `> show security ipsec security-associations`<br>`> show security ipsec sa` | |
| `clear ike cookie` | `> clear security ike security-associations` | |
| `clear sa` | `> clear security ipsec security-associations` | |
NSRP

| ScreenOS | Junos OS | Notes |
|---|---|---|
| `get nsrp` | `> show chassis cluster status`<br>`> show chassis cluster interfaces`<br>`> show chassis cluster status redundancy-group <group>` | |
| `exec nsrp vsd <vsd> mode backup` (on master), see KB5885 | `> request chassis cluster failover redundancy-group <group> node <node>` | |
| | `> request chassis cluster failover reset redundancy-group <group>` | |
DHCP

| ScreenOS | Junos OS | Notes |
|---|---|---|
| `get dhcp client` | `> show system services dhcp client` | See KB15753. |
| `exec dhcp client <int> renew` | `> request system services dhcp renew` (or `release`) (DHCPD) OR<br>`> request dhcp client renew` (JDHCPD) | |
Routing

| ScreenOS | Junos OS | Notes |
|---|---|---|
| `get route` | `> show route` | |
| `get route ip <ipaddress>` | `> show route <ipaddress>` | |
| `get vr untrust-vr route` | `> show route instance untrust-vr` | |
| `get ospf nei` | `> show ospf neighbor` | |
| `set route 0.0.0.0/0 interface <int> gateway <ip>` | `# set routing-options static route 0.0.0.0/0 next-hop <ip>` | See KB16572. |
NAT

| ScreenOS | Junos OS | Notes |
|---|---|---|
| `get vip` | `> show security nat destination-nat summary` | |
| `get mip` | `> show security nat static-nat summary` | |
| `get dip` | `> show security nat source-nat summary`<br>`> show security nat source-nat pool <pool>` | |
Other

| ScreenOS | Junos OS | Notes |
|---|---|---|
| `get perf cpu` | `> show chassis routing-engine` | |
| `get net-pak s` | `> show system buffers` | |
| `get file` | `> show system storage` | |
| `get alg` | `> show security alg status` | |
| `get service` | `> show configuration groups junos-defaults applications` | |
| `get tech` | `> request support information` | |
| `set console page 0` | `> set cli screen-length 0` | |
| | `> file list <path>`<br>Example: `> file list /var/tmp/` | Shows a directory listing. Note that / is needed at the end of the path. |

Prompt legend:
`#` = configuration mode prompt
`>` = operational mode prompt