ScreenOS

Junos OS

Notes

Session & Interface counters

get session

> show security flow session

get interface

> show interface terse

get counter stat
get counter stat <interface>

> show interface extensive
> show interface <interface> extensive

clear counter stat

> clear interface statistics <interface>

Debug & Snoop

debug flow basic

# edit security flow
# set traceoptions flag basic-datapath
# commit

-creates debugs in default file name: /var/log/security-trace

set ff

# edit security flow
# set traceoptions packet-filter

Packet-drop is a feature that will be added

get ff

> show configuration | match packet-filter | display set

get debug

> show configuration | match traceoptions | display set

get db stream

View stored log: (recommended option)
> show log <file name> (enter h to see help options)
> show log security-trace (to view 'security flow' debugs)
> show log kmd (to view 'security ike' debugs)

‘monitor stop' stops real-time view , but debugs are still collected in log files

clear db

> clear log <filename> (clears contents of file)

Use ‘file delete <filename> to actually delete file>

undebug <debug> (stops collecting debugs)

# edit security flow
# deactivate traceoptions OR # delete traceoptions (at the particular hierarchy)
# commit

Deactivate makes it easier to enable/disable.

Use activate traceoptions to activate.

undebug all

Not available. You need to deactivate or delete traceoptions separately.

debug ike detail

> request security ike debug-enable local <local gw> remote <remore peer> level 7

-creates debugs in default file name: kmd

snoop (packets THRU the Junos OS device)

Use Packet Capture feature for branch: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-admin-guide/config-pcap-chapter.html#config-pcap-chapter

For High End (SRX1xxx/3x00/5x00) refer to KB21563

snoop (packets TO the Junos OS device)

> monitor traffic interface <int> layer2-headers
write-file option (hidden)
read-file (hidden)

-Only captures traffic destined for the RE of router itself.

- Excludes PING .

Event Logs

get event

> show log messages
> show log messages | last 20 (helpful cmd because newest log entries are at end of file)

 On SRX, default will only show critical level messages.  The correct syslog level must be configured, if more detailed logs are required.

get event | include <string>

> show log messages | match <string>
> show log messages | match “<string> | <string> | <string>”
Examples:
> show log messages | match “error | kernel | panic”
> show log messages | last 20 | find error

Note: There is not an equivalent command for ‘get event include <string>'.

match displays only the lines that contains the string

find displays output starting from the first occurrence of the string

clear event

> clear log messages

> show log

Config & Software upgrade

get config

> show config (program structured format)
> show config | display set (set command format)

get license

> show system license keys

get chassis (serial numbers)

> show chassis hardware detail

> show chas environment
> show chas routing-engine

exec license

> request system license [add | delete |save]

 Does not require a reboot on SRX, but does on ScreenOS

unset all

reset

load factory-default
set system root-authentication plain-text-password
commit and-quit
request system reboot

 See KB15725.

save config from tftp <tftp_server> <configfile> to flash

> start shell and FTP config to router, i.e. /var/tmp/test.cfg. Then
# load override /var/tmp/test.cfg (or full path of config file)

-TFTP is not supported. Use only FTP, HTTP, or SCP.

save software from tftp <tftp_server> <screenosimage> to flash

> request system software add
Example:
request system software add ftp:10.10.10.129/jsr/junos-srxsme-9.5R1.8-domestic.tgz reboot

-TFTP is not supported. Use only FTP. HTTP, or SCP.
-Use ‘request system software rollback' to rollback to previous s/w package

save

# commit OR
# commit and-quit

reset

> request system reboot

Policy

get policy

> show security policies

get policy from <zone> to <zone>

> show security policies from <zone> to <zone>

VPN

get ike cookie

> show security ike security-associations

get sa

> show security ipsec security-associations

> show security ipsec sa

clear ike cookie

> clear security ike security-associations

clear sa

> clear security ipsec security-associations

NSRP

get nsrp

> show chassis cluster status
> show chassis cluster interfaces
> show chassis cluster status redundancy-group <group>

exec nsrp vsd <vsd> mode backup (on master) see KB5885

> request chassis cluster failover redundancy-group <group> node <node>

> request chassis cluster failover reset redundancy-group <group>

DHCP

get dhcp client

> show system services dhcp client

See KB15753.

exec dhcp client <int> renew

> request system services dhcp renew (or release) (DHCPD) OR
> request dhcp client renew (JDHCPD)

Routing

get route

> show route

get route ip <ipaddress>

> show route <ipaddress>

get vr untrust-vr route

> show route instance untrust-vr

get ospf nei

> show ospf neighbor

set route 0.0.0.0/0 interface <int> gateway <ip>

# set routing-options static route 0.0.0.0/0 next-hop <ip>

 See KB16572.

NAT

get vip

> show security nat destination-nat summary

get mip

> show security nat static-nat summary

get dip

> show security nat source-nat summary
> show security nat source-nat pool <pool>

Other

get perf cpu

> show chassis routing-engine

get net-pak s

> show system buffers

get file

> show system storage

get alg

> show security alg status

> show configuration groups junos-defaults applications

> request support information

> set cli screen-length 0

> file list <path>
Example: file list /var/tmp/

Shows directory listing.
Note that / is needed at end of path

#  =  configuration mode prompt

>  =  operational mode prompt