Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[SRX] Mapping of common troubleshooting commands from ScreenOS to Junos OS



Article ID: KB14000 KB Last Updated: 29 Jun 2020Version: 10.0

This article contains a quick reference table mapping frequently used troubleshooting commands for ScreenOS to Junos OS.


This table will help those that are new to the SRX Series devices, yet familiar with ScreenOS.

For additional information or help on getting started with SRX, refer to KB15694 - Configuration Examples & Troubleshooting (Jumpstation).


Refer to the following table mapping common ScreenOS CLI commands to Junos OS.


Junos OS


Session & Interface counters



get session

> show security flow session


get interface

> show interface terse


get counter stat
get counter stat <interface>

> show interface extensive
> show interface <interface> extensive


clear counter stat

> clear interface statistics <interface>


Debug & Snoop



debug flow basic

# edit security flow
# set traceoptions flag basic-datapath
# commit

-creates debugs in default file name: /var/log/security-trace

See KB16108 for traceoptions info.

set ff

# edit security flow
# set traceoptions packet-filter

Packet-drop is a feature that will be added

get ff

> show configuration | match packet-filter | display set


get debug

> show configuration | match traceoptions | display set


get db stream

View stored log: (recommended option)
> show log <file name> (enter h to see help options)
> show log security-trace (to view 'security flow' debugs)
> show log kmd (to view 'security ike' debugs)

View real-time: (use this option with caution)
> monitor start <debugfilename>
ESC-Q (to pause real-time output to screen)


‘monitor stop' stops real-time view , but debugs are still collected in log files

clear db

> clear log <filename> (clears contents of file)

Use ‘file delete <filename> to actually delete file>

undebug <debug> (stops collecting debugs)

# edit security flow
# deactivate traceoptions OR # delete traceoptions (at the particular hierarchy)
# commit

Deactivate makes it easier to enable/disable.

Use activate traceoptions to activate.

undebug all

Not available. You need to deactivate or delete traceoptions separately.


debug ike detail

> request security ike debug-enable local <local gw> remote <remore peer> level 7

-creates debugs in default file name: kmd

snoop (packets THRU the Junos OS device)

Use Packet Capture feature for branch, refer to KB11709

For High-end SRX (SRX1xxx/3x00/5x00), refer to KB21563



snoop (packets TO the Junos OS device)

> monitor traffic interface <int> layer2-headers
write-file option (hidden)
read-file (hidden)

-Only captures traffic destined for the RE of router itself.

- Excludes PING .

Event Logs



get event

> show log messages
> show log messages | last 20 (helpful cmd because newest log entries are at end of file)

 On SRX, default will only show critical level messages.  The correct syslog level must be configured, if more detailed logs are required.

get event | include <string>

> show log messages | match <string>
> show log messages | match “<string> | <string> | <string>”
> show log messages | match “error | kernel | panic”
> show log messages | last 20 | find error

Note: There is not an equivalent command for ‘get event include <string>'.

match displays only the lines that contains the string

find displays output starting from the first occurrence of the string

clear event

> clear log messages



> show log


Config & Software upgrade



get config

> show config (program structured format)
> show config | display set (set command format)


get license

> show system license keys


get chassis (serial numbers)

> show chassis hardware detail

> show chas environment
> show chas routing-engine

exec license

> request system license [add | delete |save]

 Does not require a reboot on SRX, but does on ScreenOS

unset all


load factory-default
set system root-authentication plain-text-password
commit and-quit
request system reboot

 See KB15725.

save config from tftp <tftp_server> <configfile> to flash

> start shell and FTP config to router, i.e. /var/tmp/test.cfg. Then
# load override /var/tmp/test.cfg (or full path of config file)

-TFTP is not supported. Use only FTP, HTTP, or SCP.

save software from tftp <tftp_server> <screenosimage> to flash

> request system software add
request system software add ftp: reboot

-TFTP is not supported. Use only FTP. HTTP, or SCP.
-Use ‘request system software rollback' to rollback to previous s/w package

See KB16652.


# commit OR
# commit and-quit



> request system reboot





get policy

> show security policies


get policy from <zone> to <zone>

> show security policies from <zone> to <zone>





get ike cookie

> show security ike security-associations


get sa

> show security ipsec security-associations

> show security ipsec sa

clear ike cookie

> clear security ike security-associations


clear sa

> clear security ipsec security-associations





get nsrp


> show chassis cluster status
> show chassis cluster interfaces
> show chassis cluster status redundancy-group <group>


exec nsrp vsd <vsd> mode backup (on primary) see KB5885

> request chassis cluster failover redundancy-group <group> node <node>



> request chassis cluster failover reset redundancy-group <group>





get dhcp client

> show system services dhcp client

See KB15753.

exec dhcp client <int> renew

> request system services dhcp renew (or release) (DHCPD) OR
> request dhcp client renew (JDHCPD)





get route

> show route


get route ip <ipaddress>

> show route <ipaddress>


get vr untrust-vr route

> show route instance untrust-vr


get ospf nei

> show ospf neighbor


set route interface <int> gateway <ip>

# set routing-options static route next-hop <ip>

 See KB16572.




get vip

> show security nat destination-nat summary


get mip

> show security nat static-nat summary


get dip

> show security nat source-nat summary
> show security nat source-nat pool <pool>





get perf cpu

> show chassis routing-engine


get net-pak s

> show system buffers


get file

> show system storage


get alg

> show security alg status


get service

> show configuration groups junos-defaults applications


get tech

> request support information


set console page 0

> set cli screen-length 0






> file list <path>
Example: file list /var/tmp/

Shows directory listing.
Note that / is needed at end of path





#  =  configuration mode prompt



=  operational mode prompt





Modification History:
2020-06-29: Removed J-Series references.

Related Links

Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search