Yes I know, ScreenOS is “End of Everything” (EoE). However, for historical reasons I am still managing many Netscreen/ScreenOS firewalls for some customers. Similar to my troubleshooting CLI commands for Palo Alto and Fortinet, I am listing the most commonly used commands for the ScreenOS devices. These are only the commands that are needed for deep troubleshooting sessions that cannot be done solely in the GUI.
First of all: Always remember that the default backspace key is “Ctrl + h” and not the backspace key itself!
Basics
These are the very basics on the command line:
get config
get config all #configuration with default values
get config | incl <string> #grep within the configuration
get system #serial number, software version, uptime, etc.
get event #event list (same as in the GUI)
How to turn off the LED alarm on the firewall:
clear led alarm
clear cluster led alarm #on a cluster for all devices at once
Basic Networking
The reason why we are all here:
get arp
get route #routing table
get route ip <ip-address> #routing table lookup for a specific IP
get vrouter <name-of-the-VR> route #routing table from a specific virtual router
get vrouter <name-of-the-VR> protocol ? #dynamic routing protocols such as OSPF or BGP
get counter statistics interface <interface> #counters for hardware interfaces
get ndp #IPv6 neighbor cache
ping <name|ip-address>
ping <name|ip-address> from <interface> #ping from a specific interface
trace-route <name|ip-address>
trace-route <name|ip-address> from <interface> #same for trace-route
Application Layer Gateway
I had some trouble with the application layer gateway functionality on the ScreenOS devices. Here are some hidden commands that help while troubleshooting the ALGs:
get alg #lists all available ALGs with an enabled/disabled statement
get service portmap #which port is assigned to which application
get service application #known applications by ScreenOS that trigger an ALG
And a few links concerning ALGs:
- How to show which TCP/UDP ports trigger an ALG ?
- Viewing list of ALGs and disabling an ALG differs on ScreenOS versions
- Which ALGs are unset by default in ScreenOS 6.x?
- What is the Policy keyword “Application NONE”?
NSRP (High Availability)
The following command lists all details about a NetScreen Redundancy Protocol (NSRP) cluster, i.e., the IDs of all connected units, the current master, encryption and authentication passwords (in plain text!), etc.:
get nsrp
To sync the configuration from the master to the local device (AND NOT VICE VERSA!!!) [Link]:
exec nsrp sync global-config save
And to do a manual failover, which brings the current master unit into backup mode. This command must be run on the current master! [Link]:
exec nsrp vsd-group 0 mode backup
Session & Log
The session commands list sessions that are currently active. The traffic log shows already finished sessions (of course only if they were logged):
get session
get session ?
get session scr-ip <ip-address>
get session policy-id <id>
get log traffic
get log traffic ?
get log traffic src-ip <ip-address>
get log traffic policy <id>
Link: “How to determine how long a session has been up in ScreenOS“.
IPsec VPN
This is one of the main use cases for the CLI on the SSG firewalls, since it shows many details about IPsec site-to-site VPNs, e.g., the proxy-IDs for policy-based VPNs:
get ike cookies #phase 1
get vpn auto #list of phase 2 VPNs
get vpn <name> #details
get sa id <number> #details of phase 2 filtered by the tunnel-id
get sa id 2 #values from 0-9 can be entered directly
get sa id 0x0000000b #higher values must be entered in hexadecimal notation
Flow
To display the most detailed information about active flows, for example to see which policies trigger or which routing table lookups are used, etc. [Link]:
undebug all #stop all other debugging
get ff #if there are any filters set, remove them with the next line:
unset ff
set ff ? #ff = flow filter
set ff src-ip <ip>
set ff dst-ip <ip>
get ff #verify all filters
clear db #clear the debug buffer
debug flow basic #now the debug will be logged. Generate your traffic now
undebug all #after the traffic is finished, stop debugging
get db stream #and display the debug stream
unset ff #finally, unset all filters to not confuse further troubleshooting sessions
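The flow-debug sequence above is easy to get wrong by hand: a forgotten `unset ff` or a still-running `debug flow basic` pollutes the next troubleshooting session. The following script is an added example (not part of the original post) that drives the same command sequence in the documented order and guarantees the clean-up steps run even if the session fails halfway. The transport is a plain callable that sends one CLI line and returns the device output; the `FakeScreenOS` class and its output text are constructed for this example so it runs offline, and wiring a real SSH transport (e.g. with paramiko) is an assumption left to the caller. One small deviation from the post: it always sends `unset ff` up front instead of first checking `get ff` by eye.

```python
"""Scripted ScreenOS flow-debug session (added example, not from the post)."""
import ipaddress
import time
from typing import Callable, List, Tuple

# A transport sends one CLI line and returns the device's text output.
Transport = Callable[[str], str]


def flow_debug_session(send: Transport, src_ip: str, dst_ip: str,
                       capture_seconds: float = 0.0,
                       waiter: Callable[[float], None] = time.sleep
                       ) -> Tuple[List[str], str]:
    """Run the flow-debug procedure; return (commands sent, debug stream)."""
    # Validate the filter addresses before touching the firewall.
    ipaddress.ip_address(src_ip)
    ipaddress.ip_address(dst_ip)

    sent: List[str] = []

    def run(cmd: str) -> str:
        sent.append(cmd)
        return send(cmd)

    run("undebug all")   # stop any other debugging first
    run("unset ff")      # drop leftover flow filters from earlier sessions
    debugging = False
    stream = ""
    try:
        run(f"set ff src-ip {src_ip}")
        run(f"set ff dst-ip {dst_ip}")
        filters = run("get ff")  # verify the filters before enabling debug
        if src_ip not in filters or dst_ip not in filters:
            raise RuntimeError("flow filter not applied: " + filters)
        run("clear db")           # empty the debug buffer
        run("debug flow basic")   # from here on matching flows are logged
        debugging = True
        waiter(capture_seconds)   # generate the traffic of interest meanwhile
        run("undebug all")        # stop logging once traffic has passed
        debugging = False
        stream = run("get db stream")
    finally:
        # Always leave the box clean, even after an exception above.
        if debugging:
            run("undebug all")
        run("unset ff")
    return sent, stream


class FakeScreenOS:
    """Offline stand-in for a device. Output strings are constructed for
    this example and are NOT real ScreenOS output."""

    def __init__(self) -> None:
        self.filters: List[str] = []
        self.log: List[str] = []

    def __call__(self, cmd: str) -> str:
        self.log.append(cmd)
        if cmd.startswith("set ff "):
            self.filters.append(cmd[len("set ff "):])
            return ""
        if cmd == "unset ff":
            self.filters.clear()
            return ""
        if cmd == "get ff":
            return "\n".join(self.filters) or "no flow filter set"
        if cmd == "get db stream":
            return "(constructed) debug stream for: " + "; ".join(self.filters)
        return ""


if __name__ == "__main__":
    dev = FakeScreenOS()
    cmds, out = flow_debug_session(dev, "10.0.0.1", "10.0.1.1",
                                   waiter=lambda _s: None)
    print("\n".join(cmds))
    print(out)
```

The `waiter` argument exists so the capture window can be skipped in tests and replaced by an interactive "press Enter when done" prompt in real use; the `try`/`finally` is the point of the example, since it is what makes the final `unset ff` unconditional.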
Common Problems
Some more links to common problems or other scenarios:
- Packet taking the wrong route due to the route-cache feature
- What does ‘set flow mac-cache mgt’ do?
- Behavior of ScreenOS ‘set flow’ commands in asymmetric routing scenario
- How can I find the serial number for my Juniper Networks device?
- How to Update the New Image Authentication Key and Upgrade Boot Loader/ScreenOS Firmware
NSM Stuff
And finally some notes concerning the “Network and Security Manager“.
- Default port from ScreenOS device to NSM: TCP/7800
- Default https port to download the Java GUI: https://<ip>:8443
- Default port from Java GUI to NSM: TCP/7808
To become root on the NSM CLI:
sudo su -
And some links:
- What ports are used for communication between the Management System (NSM), the GUI client, and Juniper Firewall devices?
- Recommended starting and stopping sequences for NSM services
- Export NSM logs to CSV file from the NSM CLI