Support Support Downloads Knowledge Base Juniper Support Portal Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[ScreenOS] What does the 'set log cli enable' command do?

0

0

Article ID: KB22393 KB Last Updated: 04 Jan 2012Version: 1.0
Summary:
This article provides information about the functionality of the 'set log cli enable' command.
Symptoms:
  • What is the set log cli enable command used for?

  • What is the impact of this command on the performance of the firewall?
Cause:

Solution:
This command is used to log the commands entered on the firewall, for auditing purposes. Once you enable set log cli enable, all the commands that are typed in the firewall will be logged and stored in the firewall flash.

To see all the commands being logged, use the get log cli file command:

nsisg1000(M)-> set log cli enable--------------->logging enabled

nsisg1000(M)-> get log cli file
0: 2011-12-07 00:04:01 Root netscreen set log cli enable

After enabling the above command, the following output was generated:

nsisg1000(M)-> get ff
nsisg1000(M)-> snoop in
Snoop: OFF
Filters Defined: 0, Active Filters 0
Detail: OFF, Detail Display length: 96
Snoop tunnel traffic: ON
nsisg1000(M)-> set ff
filter added
nsisg1000(M)-> snoop detail
Snoop detail turned ON
nsisg1000(M)-> set db size 4096
nsisg1000(M)-> cl db
nsisg1000(M)-> get db str
nsisg1000(M)-> unset flow tcp-syn-check

See the output after all the commands were logged:

nsisg1000(M)-> get log cli file
0: 2011-12-07 00:04:01 Root netscreen set log cli enable
1: 2011-12-07 00:04:04 Root netscreen get log cli file
2: 2011-12-07 00:04:09 Root netscreen get ff
3: 2011-12-07 00:04:12 Root netscreen snoop in
4: 2011-12-07 00:04:14 Root netscreen set ff
5: 2011-12-07 00:04:28 Root netscreen snoop detail
6: 2011-12-07 00:04:33 Root netscreen set db size 4096
7: 2011-12-07 00:04:34 Root netscreen cl db
8: 2011-12-07 00:04:36 Root netscreen get db str
9: 2011-12-07 00:04:49 Root netscreen unset flow tcp-syn-check

This file is stored in the firewall flash with the cli-log file. To check the same, run the following command:

nsisg1000(M)-> exec vfs ls flash:/
$NSBOOT$.BIN 18,434,811
envar.rec 289
golerd.rec 1,220
syscert.cfg 1,180
prngseed.bin 32
ns_sys_config 20,414
detector2.so 772,011
dnstb.rec 1
policy.gz.v 2,949
cli-log 10,016 ----see here
appsig.bin 1,846,950
sm_coredump.tgz 48,253
$lkg$.cfg 1,231
usrterms.txt 11
101,232,640 bytes free (122,677,248 total) on disk

The log-cli command can store up to 250000 bytes of data. The size of this file can also be defined, by using the following command:

nsisg1000(M)-> set log cli file-size 4096
CLI-LOG: CLI log file size of 4096 bytes is not permitted. Valid range between 10000 and 250000 bytes.
nsisg1000(M)-> set log cli file-size 10000

The effect on the firewall performance is almost zero. Only in cases where the commands are sent in bulk, the overhead is detectable. All it does is write the commands to a file, at the same time it executes them.


Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search