ScreenOS / JunOS 장애 발생시 처리 명령어 정리

Mapping of common troubleshooting commands from ScreenOS to JUNOS

 

ScreenOS	JUNOS	Notes
Session & Interface counters
get session	> show security flow session
get interface	> show interface terse
get counter stat get counter stat <interface>	> show interface extensive > show interface <interface> extensive
clear counter stat	> clear interface statistics <interface>
Debug & Snoop
debug flow basic	# edit security flow # set traceoptions flag basic-datapath # commit	-creates debugs in default file name: /var/log/security-trace See KB16108 for traceoptions info.
set ff	# edit security flow # set traceoptions packet-filter	Packet-drop is a feature that will be added
get ff	> show configuration | match packet-filter | display set
get debug	> show configuration | match traceoptions | display set
get db stream	View stored log: (recommended option) > show log <file name> (enter h to see help options) > show log security-trace (to view 'security flow' debugs) > show log kmd (to view 'security ike' debugs) View real-time: (use this option with caution) > monitor start <debugfilename> ESC-Q (to pause real-time output to screen)	‘monitor stop' stops real-time view , but debugs are still collected in log files
clear db	> clear log <filename> (clears contents of file)	Use ‘file delete <filename> to actually delete file>
undebug <debug> (stops collecting debugs)	# edit security flow # deactivate traceoptions OR # delete traceoptions (at the particular hierarchy) # commit	Deactivate makes it easier to enable/disable. Use activate traceoptions to activate.
undebug all	Not available. You need to deactivate or delete traceoptions separately.
debug ike detail	# edit security ike # set traceoptions flag ike # commit	-creates debugs in default file name: kmd
snoop (packets THRU the JUNOS device)	Use Packet Capture feature: http://www.juniper.net/techpubs/software/junos-security/junos-security95/junos-security-admin-guide/config-pcap-chapter.html#config-pcap-chapter	- Not supported on SRX 3x00/5x00 yet
snoop (packets TO the JUNOS device)	> monitor traffic interface <int> layer2-headers write-file option (hidden) read-file (hidden)	-Only captures traffic destined for the RE of router itself. - Excludes PING .
Event Logs
get event	> show log messages > show log messages | last 20 (helpful cmd because newest log entries are at end of file)
get event | include <string>	> show log messages | match <string> > show log messages | match “<string> | <string> | <string>” Examples: > show log messages | match “error | kernel | panic” > show log messages | last 20 | find error	Note: There is not an equivalent command for ‘get event include <string>'. match displays only the lines that contains the string find displays output starting from the first occurrence of the string
clear event	> clear log messages
	> show log
Config & Software upgrade
get config	> show config (program structured format) > show config | display set (set command format)
get license	> show system license keys
get chassis (serial numbers)	> show chassis hardware detail	> show chas environment > show chas routing-engine
exec license	> request system license [add | delete |save]
unset all reset	load factory-default set system root-authentication plain-text-passsword commit and-quit request system reboot	See KB15725.
load config from tftp <tftp_server> <configfile>	> start shell and FTP config to router, i.e. /var/tmp/test.cfg. Then # load override /var/tmp/test.cfg (or full path of config file)	-TFTP is not supported. Use only FTP, HTTP, or SCP.
load software from tftp <tftp_server> <screenosimage> to flash	> request system software add Example: request system software add ftp:10.10.10.129/jsr/junos-srxsme-9.5R1.8-domestic.tgz reboot	-TFTP is not supported. Use only FTP. HTTP, or SCP. -Use ‘request system software rollback' to rollback to previous s/w package See KB16652.
save	# commit OR # commit and-quit
reset	> request system reboot
Policy
get policy	> show security policies
get policy from <zone> to <zone>	> show security policies from <zone> to <zone>
VPN
get ike cookie	> show security ike security-associations
get sa	> show security ipsec security-associations	> show security ipsec stat
clear ike cookie	> clear security ike security-associations
clear sa	> clear security ipsec security-associations
NSRP
get nsrp	> show chassis cluster status > show chassis cluster interfaces > show chassis cluster status redundancy-group <group>
exec nsrp vsd <vsd> mode backup (on master) see KB5885	> request chassis cluster failover redundancy-group <group> node <node>
	> request chassis cluster failover reset redundancy-group <group>
DHCP
get dhcp client	> show system services dhcp client	See KB15753.
exec dhcp client <int> renew	> request system services dhcp renew (or release)
Routing
get route	> show route
get route ip <ipaddress>	> show route <ipaddress>
get vr untrust-vr route	> show route instance untrust-vr
get ospf nei	> show ospf neighbor
set route 0.0.0.0/0 interface <int> gateway <ip>	# set routing-options static route 0.0.0.0/0 next-hop <ip>	See KB16572.
NAT
get vip	> show security nat destination-nat summary
get mip	> show security nat static-nat summary
get dip	> show security nat source-nat summary > show security nat source-nat pool <pool>
Other
get perf cpu	> show chassis routing-engine
get net-pak s	> show system buffers
get file	> show system storage
get alg	> show configuration groups junos-defaults applications	All pre-defined applications are located within the hidden group junos-defaults. If any ALGs are applied to the pre-defined applications, they will also be displayed with this command.
get service	> show configuration groups junos-defaults applications
get tech	> request support information
set console page 0	> set cli screen-length 0
	> file list <path> Example: file list /var/tmp/	Shows directory listing. Note that / is needed at end of path
	# = configuration mode prompt
	> = operational mode prompt

Last updated: 4/2010