| ScreenOS | JUNOS | Notes |
| Session & Interface counters | | |
| get session | > show security flow session | |
| get interface | > show interface terse | |
| get counter stat
get counter stat <interface> | > show interface extensive
> show interface <interface> extensive | |
| clear counter stat | > clear interface statistics <interface> | |
| Debug & Snoop | | |
| debug flow basic | # edit security flow
# set traceoptions flag basic-datapath
# commit | -creates debugs in default file name: /var/log/security-trace See KB16108 for traceoptions info. |
| set ff | # edit security flow
# set traceoptions packet-filter | Packet-drop is a feature that will be added |
| get ff | > show configuration | match packet-filter | display set | |
| get debug | > show configuration | match traceoptions | display set | |
| get db stream | View stored log: (recommended option)
> show log <file name> (enter h to see help options)
> show log security-trace (to view 'security flow' debugs)
> show log kmd (to view 'security ike' debugs) View real-time: (use this option with caution)
> monitor start <debugfilename>
ESC-Q (to pause real-time output to screen) | ‘monitor stop' stops real-time view , but debugs are still collected in log files |
| clear db | > clear log <filename> (clears contents of file) | Use ‘file delete <filename> to actually delete file> |
| undebug <debug> (stops collecting debugs) | # edit security flow
# deactivate traceoptions OR # delete traceoptions (at the particular hierarchy)
# commit | Deactivate makes it easier to enable/disable. Use activate traceoptions to activate. |
| undebug all | Not available. You need to deactivate or delete traceoptions separately. | |
| debug ike detail | # edit security ike
# set traceoptions flag ike
# commit | -creates debugs in default file name: kmd |
| snoop (packets THRU the JUNOS device) | Use Packet Capture feature:http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-admin-guide/config-pcap-chapter.html#config-pcap-chapter | - Not supported on SRX 3x00/5x00 yet |
| snoop (packets TO the JUNOS device) | > monitor traffic interface <int> layer2-headers
write-file option (hidden)
read-file (hidden) | -Only captures traffic destined for the RE of router itself. - Excludes PING . |
| Event Logs | | |
| get event | > show log messages
> show log messages | last 20 (helpful cmd because newest log entries are at end of file) | |
| get event | include <string> | > show log messages | match <string>
> show log messages | match “<string> | <string> | <string>”
Examples:
> show log messages | match “error | kernel | panic”
> show log messages | last 20 | find error | Note: There is not an equivalent command for ‘get event include <string>'.
match displays only the lines that contains the string
find displays output starting from the first occurrence of the string |
| clear event | > clear log messages | |
| | > show log | |
| Config & Software upgrade | | |
| get config | > show config (program structured format)
> show config | display set (set command format) | |
| get license | > show system license keys | |
| get chassis (serial numbers) | > show chassis hardware detail | > show chas environment
> show chas routing-engine |
| exec license | > request system license [add | delete |save] | |
| unset all reset | load factory-default
set system root-authentication plain-text-passsword
commit and-quit
request system reboot | See KB15725. |
| load config from tftp <tftp_server> <configfile> | > start shell and FTP config to router, i.e. /var/tmp/test.cfg. Then
# load override /var/tmp/test.cfg (or full path of config file) | -TFTP is not supported. Use only FTP, HTTP, or SCP. |
| load software from tftp <tftp_server> <screenosimage> to flash | > request system software add
Example:
request system software add ftp:10.10.10.129/jsr/junos-srxsme-9.5R1.8-domestic.tgz reboot | -TFTP is not supported. Use only FTP. HTTP, or SCP.
-Use ‘request system software rollback' to rollback to previous s/w package See KB16652. |
| save | # commit OR
# commit and-quit | |
| reset | > request system reboot | |
| Policy | | |
| get policy | > show security policies | |
| get policy from <zone> to <zone> | > show security policies from <zone> to <zone> | |
| VPN | | |
| get ike cookie | > show security ike security-associations | |
| get sa | > show security ipsec security-associations | > show security ipsec stat |
| clear ike cookie | > clear security ike security-associations | |
| clear sa | > clear security ipsec security-associations | |
| NSRP | | |
| get nsrp | > show chassis cluster status
> show chassis cluster interfaces
> show chassis cluster status redundancy-group <group> | |
| exec nsrp vsd <vsd> mode backup (on master) see KB5885 | > request chassis cluster failover redundancy-group <group> node <node> | |
| | > request chassis cluster failover reset redundancy-group <group> | |
| DHCP | | |
| get dhcp client | > show system services dhcp client | See KB15753. |
| exec dhcp client <int> renew | > request system services dhcp renew (or release) | |
| Routing | | |
| get route | > show route | |
| get route ip <ipaddress> | > show route <ipaddress> | |
| get vr untrust-vr route | > show route instance untrust-vr | |
| get ospf nei | > show ospf neighbor | |
| set route 0.0.0.0/0 interface <int> gateway <ip> | # set routing-options static route 0.0.0.0/0 next-hop <ip> | See KB16572. |
| NAT | | |
| get vip | > show security nat destination-nat summary | |
| get mip | > show security nat static-nat summary | |
| get dip | > show security nat source-nat summary
> show security nat source-nat pool <pool> | |
| Other | | |
| get perf cpu | > show chassis routing-engine | |
| get net-pak s | > show system buffers | |
| get file | > show system storage | |
| get alg | > show configuration groups junos-defaults applications | All pre-defined applications are located within the hidden group junos-defaults. If any ALGs are applied to the pre-defined applications, they will also be displayed with this command. |
| get service | > show configuration groups junos-defaults applications | |
| get tech | > request support information | |
| set console page 0 | > set cli screen-length 0 | |
| | | |
| | > file list <path>
Example: file list /var/tmp/ | Shows directory listing.
Note that / is needed at end of path |
| | | |
| | # = configuration mode prompt | |
| | > = operational mode prompt | |
