Troubleshooting commands between ScreenOS and JunOS

Matrix of the most common troubleshooting commands across the ScreenOS and JunOS platforms

ScreenOS Junos OS Notes
Session & Interface counters
get session > show security flow session
get interface > show interface terse
get counter stat > show interface extensive
get counter stat > show interface <interface> extensive
clear counter stat > clear interface statistics
Debug & Snoop
debug flow basic # edit security flow
# set traceoptions flag basic-datapath
# commit
-creates debugs in default file name: /var/log/security-trace
See KB16108 for traceoptions info.
set ff # edit security flow
# set traceoptions packet-filter
Packet-drop is a feature that will be added
get ff > show configuration | match packet-filter | display set
get debug > show configuration | match traceoptions | display set
get db stream View stored log: (recommended option)
> show log (enter h to see help options)
> show log security-trace (to view ‘security flow’ debugs)
> show log kmd (to view ‘security ike’ debugs)
View real-time: (use this option with caution)
> monitor start
ESC-Q (to pause real-time output to screen)
‘monitor stop’ stops real-time view, but debugs are still collected in log files
clear db > clear log (clears contents of file)
Use ‘file delete’ to actually delete the file
undebug (stops collecting debugs) # edit security flow
# deactivate traceoptions OR # delete traceoptions (at the particular hierarchy)
# commit
Deactivate makes it easier to enable/disable. Use ‘activate traceoptions’ to activate.
undebug all Not available. You need to deactivate or delete traceoptions separately.
debug ike detail > request security ike debug-enable local remote level 7
-creates debugs in default file name: kmd
snoop (packets THRU the Junos OS device) Use Packet Capture feature for branch:
http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-admin-guide/config-pcap-chapter.html#config-pcap-chapter
For High End (SRX1xxx/3x00/5x00) refer to KB21563
snoop (packets TO the Junos OS device) > monitor traffic interface layer2-headers
write-file option (hidden)
read-file (hidden)
-Only captures traffic destined for the RE of the router itself.
-Excludes PING.
Event Logs
get event > show log messages
> show log messages | last 20 (helpful cmd because newest log entries are at end of file)
On SRX, the default shows only critical-level messages. The correct syslog level must be configured if more detailed logs are required.
get event | include > show log messages | match
> show log messages | match " | | "
Examples:
> show log messages | match "error | kernel | panic"
> show log messages | last 20 | find error
Note: There is not an equivalent command for ‘get event include’.

match: displays only the lines that contain the string
find: displays output starting from the first occurrence of the string
clear event > clear log messages
> show log
Config & Software upgrade
get config > show config (program structured format)
> show config | display set (set command format)
get license > show system license keys
get chassis (serial numbers) > show chassis hardware detail
> show chas environment
> show chas routing-engine
exec license > request system license [add | delete | save]
Does not require a reboot on SRX, but does on ScreenOS
unset all
reset # load factory-default
# set system root-authentication plain-text-password
# commit and-quit
> request system reboot
See KB15725.
save config from tftp <tftp_server> to flash > start shell and FTP config to router, i.e. /var/tmp/test.cfg. Then
# load override /var/tmp/test.cfg (or full path of config file)
-TFTP is not supported. Use only FTP, HTTP, or SCP.
save software from tftp <tftp_server> to flash > request system software add
Example:
request system software add ftp://10.10.10.129/jsr/junos-srxsme-9.5R1.8-domestic.tgz reboot
-TFTP is not supported. Use only FTP, HTTP, or SCP.
-Use ‘request system software rollback’ to roll back to the previous s/w package.
See KB16652.
save # commit OR
# commit and-quit
reset > request system reboot
Policy
get policy > show security policies
get policy from to > show security policies from to
VPN
get ike cookie > show security ike security-associations
get sa > show security ipsec security-associations
> show security ipsec sa
clear ike cookie > clear security ike security-associations
clear sa > clear security ipsec security-associations
NSRP
get nsrp > show chassis cluster status
> show chassis cluster interfaces
> show chassis cluster status redundancy-group
exec nsrp vsd mode backup (on master) see KB5885 > request chassis cluster failover redundancy-group node
> request chassis cluster failover reset redundancy-group
DHCP
get dhcp client > show system services dhcp client See KB15753.
exec dhcp client renew > request system services dhcp renew (or release) (DHCPD) OR
> request dhcp client renew (JDHCPD)
Routing
get route > show route
get route ip > show route
get vr untrust-vr route > show route instance untrust-vr
get ospf nei > show ospf neighbor
set route 0.0.0.0/0 interface gateway # set routing-options static route 0.0.0.0/0 next-hop  See KB16572.
NAT
get vip > show security nat destination-nat summary
get mip > show security nat static-nat summary
get dip > show security nat source-nat summary
> show security nat source-nat pool
Other
get perf cpu > show chassis routing-engine
get net-pak s > show system buffers
get file > show system storage
get alg > show security alg status
get service > show configuration groups junos-defaults applications
get tech > request support information
set console page 0 > set cli screen-length 0
> file list
Example: file list /var/tmp/
Shows directory listing.
Note that / is needed at end of path
#  =  configuration mode prompt
>  =  operational mode prompt

References:

Mapping of common troubleshooting commands from ScreenOS to Junos OS
