Matrix of the most common troubleshooting commands across the ScreenOS and JunOS platforms
ScreenOS | Junos OS | Notes |
Session & Interface counters | ||
get session | > show security flow session | |
get interface | > show interface terse | |
get counter stat get counter stat | > show interface extensive > show interface <interface> extensive | |
clear counter stat | > clear interface statistics | |
Debug & Snoop | ||
debug flow basic | # edit security flow # set traceoptions flag basic-datapath # commit | -creates debugs in default file name: /var/log/security-trace. See KB16108 for traceoptions info. |
set ff | # edit security flow # set traceoptions packet-filter | Packet-drop is a feature that will be added |
get ff | > show configuration | match packet-filter | display set | |
get debug | > show configuration | match traceoptions | display set | |
get db stream | View stored log: (recommended option) > show log (enter h to see help options) > show log security-trace (to view ‘security flow’ debugs) > show log kmd (to view ‘security ike’ debugs) View real-time: (use this option with caution) > monitor start ESC-Q (to pause real-time output to screen) | ‘monitor stop’ stops real-time view, but debugs are still collected in log files |
clear db | > clear log (clears contents of file) | Use ‘file delete’ to actually delete the file |
undebug (stops collecting debugs) | # edit security flow # deactivate traceoptions OR # delete traceoptions (at the particular hierarchy) # commit | Deactivate makes it easier to enable/disable. Use activate traceoptions to activate. |
undebug all | Not available. You need to deactivate or delete traceoptions separately. | |
debug ike detail | > request security ike debug-enable local remote level 7 | -creates debugs in default file name: kmd |
snoop (packets THRU the Junos OS device) | Use Packet Capture feature for branch: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-admin-guide/config-pcap-chapter.html#config-pcap-chapter For High End (SRX1xxx/3x00/5x00) refer to KB21563 | |
snoop (packets TO the Junos OS device) | > monitor traffic interface layer2-headers write-file option (hidden) read-file (hidden) | -Only captures traffic destined for the RE of router itself. -Excludes PING. |
Event Logs | ||
get event | > show log messages > show log messages | last 20 (helpful cmd because newest log entries are at end of file) | On SRX, default will only show critical level messages. The correct syslog level must be configured, if more detailed logs are required. |
get event | include | > show log messages | match > show log messages | match " | | " Examples: > show log messages | match "error | kernel | panic" > show log messages | last 20 | find error | Note: There is not an equivalent command for ‘get event include’. match displays only the lines that contain the string; find displays output starting from the first occurrence of the string. |
clear event | > clear log messages | |
> show log | ||
Config & Software upgrade | ||
get config | > show config (program structured format) > show config | display set (set command format) | |
get license | > show system license keys | |
get chassis (serial numbers) | > show chassis hardware detail | > show chas environment > show chas routing-engine |
exec license | > request system license [add | delete | save] | Does not require a reboot on SRX, but does on ScreenOS |
unset all; reset | # load factory-default # set system root-authentication plain-text-password # commit and-quit > request system reboot | See KB15725. |
save config from tftp <tftp_server> to flash | > start shell and FTP config to router, i.e. /var/tmp/test.cfg. Then # load override /var/tmp/test.cfg (or full path of config file) | -TFTP is not supported. Use only FTP, HTTP, or SCP. |
save software from tftp <tftp_server> to flash | > request system software add Example: request system software add ftp:10.10.10.129/jsr/junos-srxsme-9.5R1.8-domestic.tgz reboot | -TFTP is not supported. Use only FTP, HTTP, or SCP. -Use ‘request system software rollback’ to rollback to previous s/w package. See KB16652. |
save | # commit OR # commit and-quit | |
reset | > request system reboot | |
Policy | ||
get policy | > show security policies | |
get policy from to | > show security policies from to | |
VPN | ||
get ike cookie | > show security ike security-associations | |
get sa | > show security ipsec security-associations | > show security ipsec sa |
clear ike cookie | > clear security ike security-associations | |
clear sa | > clear security ipsec security-associations | |
NSRP | ||
get nsrp | > show chassis cluster status > show chassis cluster interfaces > show chassis cluster status redundancy-group | |
exec nsrp vsd mode backup (on master) see KB5885 | > request chassis cluster failover redundancy-group node | |
> request chassis cluster failover reset redundancy-group | ||
DHCP | ||
get dhcp client | > show system services dhcp client | See KB15753. |
exec dhcp client renew | > request system services dhcp renew (or release) (DHCPD) OR > request dhcp client renew (JDHCPD) | |
Routing | ||
get route | > show route | |
get route ip | > show route | |
get vr untrust-vr route | > show route instance untrust-vr | |
get ospf nei | > show ospf neighbor | |
set route 0.0.0.0/0 interface gateway | # set routing-options static route 0.0.0.0/0 next-hop | See KB16572. |
NAT | ||
get vip | > show security nat destination-nat summary | |
get mip | > show security nat static-nat summary | |
get dip | > show security nat source-nat summary > show security nat source-nat pool | |
Other | ||
get perf cpu | > show chassis routing-engine | |
get net-pak s | > show system buffers | |
get file | > show system storage | |
get alg | > show security alg status | |
get service | > show configuration groups junos-defaults applications | |
get tech | > request support information | |
set console page 0 | > set cli screen-length 0 | |
| > file list Example: file list /var/tmp/ | Shows directory listing. Note that / is needed at end of path. |
# = configuration mode prompt | ||
> = operational mode prompt |
References:
Mapping of common troubleshooting commands from ScreenOS to Junos OS