SRX commands:
show interfaces terse !! Check interfaces
show chassis hardware !! Get the hardware information
show configuration routing-options !! Routing information (to get the default grp)
show route !! Get the full routing table
show route forwarding-table !! Get which range is mapped to which zone
Juniper SRX - VPN Troubleshooting:
show configuration security ike
show configuration security ipsec
show security ike security-associations
show security ipsec security-associations
show security ipsec statistics index <IndexFromSA>
clear security ike security-associations
clear security ipsec security-associations
Juniper Netscreen - VPN Troubleshooting
get vpn
get ike cookies
get sa active
get event include vpn
SRC     DEST     PROXY ID (SRC/DEST)
Group   Group    0.0.0.0/0.0.0.0 > 0.0.0.0/0.0.0.0
Group   Subnet   0.0.0.0/0.0.0.0 > Subnet
Subnet  Subnet   Subnet > Subnet
Juniper Netscreen - Upgrade
save software from tftp <ip> <filename> to flash
Juniper SRX - Manually Failover
request chassis cluster failover redundancy-group 1 node <node>
Notes:
Node refers to the node number (0 or 1) to failover to
Juniper SRX - Interface Configuration
set interfaces <physical> unit 0 family inet address <ip/ci
Juniper SRX - Commit, Checks, and Rollbacks
show | compare !! View what will be pushed on commit
commit !! Push change
commit check !! Verify change has no errors and can be pushed
commit confirmed !! Rollback to last configuration if current commit isn't confirmed
commit at <HH:MM:SS> !! Push at a specific time
rollback 0 !! Undo stage, rollback to current firewall configuration
Juniper SRX - Add Route
set routing-options static route <ip/cidr> next-hop <gw>
Juniper Netscreen - Manual Failover
exec nsrp vsd-group <group ID> mode master
Notes:
Performed on the standby/backup firewall
Juniper Netscreen - Health Troubleshooting
get sys !! Uptime
get perf session !! Connection Count
get perf cpu detail
get perf cpu all detail !! * means above threshold
get event level critical !! View failovers or other critical events
get counter statistics !! CRC errors, etc
Juniper Netscreen - General Troubleshooting
get log traffic src-ip <ip> dst-ip <ip>
get session src-ip <src IP> dst-ip <dst IP>
Juniper SRX - View CPU Usage, Temperature, Memory, etc
show chassis routing-engine
Juniper SRX - View Active and Backup Partitions/Snapshots
show system snapshot media internal
Juniper SRX - Default Pre-Defined Applications
show configuration groups junos-defaults applications
show groups junos-defaults
Juniper SRX - Packet Flow
Security platforms running Junos OS handle incoming packets as follows:
1. The software applies stateless policing filters and CoS classification to the packet at the ingress.
2. If the packet is not dropped, the software performs a session lookup to determine whether the packet belongs to an existing session. Junos OS matches on six elements of traffic information for this determination: source IP address, destination IP address, source port number, destination port number, protocol number, and a session token.
3. If the packet does not match an existing session, a new session is created. This process is referred to as the first-packet path.
The software takes the following steps during first-packet-path processing:
1. Based on the protocol used and its session layer (TCP or UDP), the software starts a session timer. For TCP sessions, the default timeout is 30 minutes. For UDP sessions, the default timeout is 1 minute. These values are the defaults and can be modified.
2. The software applies firewall SCREEN options.
3. If destination NAT is used, the software performs address allocation.
4. Next, the software performs the route lookup. If a route exists for the destination prefix, the software takes the next step. Otherwise, it drops the packet.
5. The software determines the packet's incoming zone by the interface through which it arrives, and the packet's outgoing zone by the forwarding lookup.
6. Based on the incoming and outgoing zones, the corresponding security policy is determined and a security policy lookup takes place. The software checks the packet against the defined policies to determine how to treat it.
7. If source NAT is used, the software performs address allocation.
8. The software sets up the ALG service vector.
9. The software creates and installs the session. Furthermore, the software caches the decisions made for the first packet in a flow table, which subsequent packets of that flow use.
10. The packet now enters fast-path processing.
Subsequent packets of a flow are all subject to fast-path processing. The software takes the following steps during fast-path processing:
1. The software applies firewall SCREEN options.
2. The software performs TCP checks.
3. The software applies NAT.
4. The software applies an ALG.
5. The software applies packet forwarding features, which include the following:
   a. Stateless packet filters
   b. Traffic shaping by packet
   c. Packet encapsulation and transmission
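The first-packet path versus fast-path split described above, as an added example (this is a toy model written for this page, not Junos code): a session lookup keyed on the six-tuple, a route and zone-based policy lookup on a miss, and a cached flow-table decision on a hit. The interface names, zones, prefixes and the `Flow` class are assumptions made for the illustration; the 30-minute TCP and 1-minute UDP timeouts are the page's stated defaults, while the 60-second fallback for other protocols is an assumption of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP, UDP = 6, 17
# Page defaults: 30-minute TCP and 1-minute UDP session timeouts (in seconds here).
# Other protocols fall back to 60 s; that fallback is an assumption of this model.
DEFAULT_TIMEOUT = {TCP: 30 * 60, UDP: 60}

# Six-tuple session key: src IP, dst IP, src port, dst port, protocol, session token
SessionKey = Tuple[str, str, int, int, int, int]


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    in_if: str          # ingress interface, which fixes the incoming zone
    token: int = 0      # session token (e.g. a virtual-router id); 0 = default


@dataclass
class Session:
    from_zone: str
    to_zone: str
    timeout: int
    hits: int = 0       # fast-path packets that reused the cached decision


class Flow:
    """Minimal stand-in for the SRX flow module (hypothetical, not Junos code)."""

    def __init__(self, if_zone: Dict[str, str],
                 routes: List[Tuple[str, str]],
                 policies: Dict[Tuple[str, str], str]):
        self.if_zone = if_zone                      # interface -> zone
        self.routes = sorted(
            ((ipaddress.ip_network(p), i) for p, i in routes),
            key=lambda r: r[0].prefixlen, reverse=True)   # longest prefix first
        self.policies = policies                    # (from_zone, to_zone) -> "permit"/"deny"
        # flow table: six-tuple -> (session, egress interface for that direction)
        self.table: Dict[SessionKey, Tuple[Session, str]] = {}

    @staticmethod
    def key(p: Packet) -> SessionKey:
        return (p.src, p.dst, p.sport, p.dport, p.proto, p.token)

    @staticmethod
    def reverse_key(p: Packet) -> SessionKey:
        return (p.dst, p.src, p.dport, p.sport, p.proto, p.token)

    def route_lookup(self, dst: str) -> Optional[str]:
        a = ipaddress.ip_address(dst)
        return next((i for net, i in self.routes if a in net), None)

    def first_packet_path(self, p: Packet) -> str:
        # SCREEN checks and destination NAT would run before this point.
        out_if = self.route_lookup(p.dst)
        if out_if is None:
            return "drop:no-route"                  # no route for the destination: drop
        from_zone = self.if_zone[p.in_if]           # incoming zone from the ingress interface
        to_zone = self.if_zone[out_if]              # outgoing zone from the forwarding lookup
        if self.policies.get((from_zone, to_zone), "deny") != "permit":
            return f"drop:policy {from_zone}->{to_zone}"   # policy lookup denies
        # Install the session and cache the decision for both directions of the flow.
        sess = Session(from_zone, to_zone, DEFAULT_TIMEOUT.get(p.proto, 60))
        self.table[self.key(p)] = (sess, out_if)
        self.table[self.reverse_key(p)] = (sess, p.in_if)
        return f"session-created:{from_zone}->{to_zone}:{out_if}"

    def fast_path(self, sess: Session, out_if: str) -> str:
        sess.hits += 1                              # no route or policy lookup on this path
        return f"fast-path:{out_if}"

    def process(self, p: Packet) -> str:
        hit = self.table.get(self.key(p))           # six-tuple session lookup
        if hit is None:
            return self.first_packet_path(p)        # miss: first-packet path
        return self.fast_path(*hit)                 # hit: fast path
```

The reverse wing is installed at session creation, so the return packet of a permitted flow takes the fast path even though no untrust-to-trust policy exists, while an unsolicited packet from the untrust side with no matching session goes through the first-packet path and is dropped by the policy lookup.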
Juniper SRX - Capture 2
set security flow traceoptions file <filename>
set security flow traceoptions file size 100000
set security flow traceoptions file files 5
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter <name> source-prefix <ip/cidr>
set security flow traceoptions packet-filter <name> destination-prefix <ip/cidr>
commit
!! Run the following from the shell to view the capture
egrep 'matched filter|(ge|fe|reth)-.*->.*|session found|create session|dst_xlate|routed|search|denied|src_xlate|outgoing phy if' <filename> \
  | sed -e 's/.*RT://g' \
  | sed -e 's/tcp, flag 2 syn/--TCP SYN--/g' \
  | sed -e 's/tcp, flag 12 syn ack/--TCP SYN\/ACK--/g' \
  | sed -e 's/tcp, flag 10/--TCP ACK--/g' \
  | sed -e 's/tcp, flag 4 rst/--TCP RST--/g' \
  | sed -e 's/tcp, flag 14 rst/--TCP RST\/ACK--/g' \
  | sed -e 's/tcp, flag 18/--TCP PUSH\/ACK--/g' \
  | sed -e 's/tcp, flag 11 fin/--TCP FIN\/ACK--/g' \
  | sed -e 's/tcp, flag 5/--TCP FIN\/RST--/g' \
  | sed -e 's/icmp, (0\/0)/--ICMP Echo Reply--/g' \
  | sed -e 's/icmp, (8\/0)/--ICMP Echo Request--/g' \
  | sed -e 's/icmp, (3\/0)/--ICMP Destination Unreachable--/g' \
  | sed -e 's/icmp, (11\/0)/--ICMP Time Exceeded--/g' \
  | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="}; {print};'
Notes:
The egrep pipeline reformats the capture into an easier-to-read form. It is not necessary to run this command to read the capture file.
Make sure to replace <filename> in the egrep
Capture is bidirectional
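The same egrep/sed/awk transformation done in Python, as an added example written for this page (not a Juniper tool): it keeps the trace lines the egrep selects, strips everything up to "RT:", replaces the TCP-flag and ICMP codes with the same names the sed commands use, groups lines into packets at each "matched filter" line, and then summarises each packet as its flag plus whether it took the first-packet or fast path. The `TRACE` sample is constructed to resemble the strings the egrep searches for; it is not real SRX output, and the function names are this example's own.

```python
import re
from typing import List, Tuple

# Constructed sample shaped after the strings the egrep above looks for.
# NOT captured from a real SRX: timestamps, addresses and session ids are invented.
TRACE = """\
Jan 10 10:00:00 10:00:00.100000:CID-0:RT:<192.0.2.10/51000->198.51.100.5/443;6> matched filter filter1:
Jan 10 10:00:00 10:00:00.100001:CID-0:RT:packet [60] ipid = 1
Jan 10 10:00:00 10:00:00.100002:CID-0:RT: ge-0/0/0.0:192.0.2.10/51000->198.51.100.5/443, tcp, flag 2 syn
Jan 10 10:00:00 10:00:00.100003:CID-0:RT: no session found, start first path
Jan 10 10:00:00 10:00:00.100004:CID-0:RT:   routed (x_dst_ip 198.51.100.5) from trust (ge-0/0/0.0) to ge-0/0/1.0
Jan 10 10:00:00 10:00:00.100005:CID-0:RT:   policy search from zone trust-> zone untrust
Jan 10 10:00:00 10:00:00.100006:CID-0:RT:   192.0.2.10/51000->203.0.113.1/12345 src_xlate
Jan 10 10:00:00 10:00:00.100007:CID-0:RT:   outgoing phy if is ge-0/0/1.0
Jan 10 10:00:00 10:00:00.100008:CID-0:RT:   create session id 100
Jan 10 10:00:01 10:00:01.200000:CID-0:RT:<198.51.100.5/443->203.0.113.1/12345;6> matched filter filter2:
Jan 10 10:00:01 10:00:01.200001:CID-0:RT: ge-0/0/1.0:198.51.100.5/443->203.0.113.1/12345, tcp, flag 12 syn ack
Jan 10 10:00:01 10:00:01.200002:CID-0:RT: session found, id 100
"""

# Same alternatives as the egrep pattern on the page.
KEEP = re.compile(r"matched filter|(ge|fe|reth)-.*->.*|session found|create session"
                  r"|dst_xlate|routed|search|denied|src_xlate|outgoing phy if")

# Same substitutions as the sed commands, applied in the same order.
FLAG_NAMES = {
    "tcp, flag 2 syn": "--TCP SYN--",
    "tcp, flag 12 syn ack": "--TCP SYN/ACK--",
    "tcp, flag 10": "--TCP ACK--",
    "tcp, flag 4 rst": "--TCP RST--",
    "tcp, flag 14 rst": "--TCP RST/ACK--",
    "tcp, flag 18": "--TCP PUSH/ACK--",
    "tcp, flag 11 fin": "--TCP FIN/ACK--",
    "tcp, flag 5": "--TCP FIN/RST--",
    "icmp, (0/0)": "--ICMP Echo Reply--",
    "icmp, (8/0)": "--ICMP Echo Request--",
    "icmp, (3/0)": "--ICMP Destination Unreachable--",
    "icmp, (11/0)": "--ICMP Time Exceeded--",
}


def normalize(line: str) -> str:
    """sed 's/.*RT://' followed by the flag/ICMP name substitutions."""
    line = re.sub(r".*RT:", "", line)
    for raw, name in FLAG_NAMES.items():
        line = line.replace(raw, name)
    return line


def split_packets(text: str) -> List[List[str]]:
    """Keep egrep-selected lines and start a new packet at each 'matched filter' line."""
    packets: List[List[str]] = []
    for line in text.splitlines():
        if not KEEP.search(line):
            continue
        if "matched filter" in line or not packets:
            packets.append([])
        packets[-1].append(normalize(line))
    return packets


def summarize(packets: List[List[str]]) -> List[Tuple[str, str]]:
    """Per packet: (flag name, which path the flow module took)."""
    out = []
    for lines in packets:
        flag = next((n for l in lines for n in FLAG_NAMES.values() if n in l), "?")
        if any("create session" in l for l in lines):
            path = "first-path"
        elif any("session found" in l and "no session" not in l for l in lines):
            path = "fast-path"
        elif any("denied" in l for l in lines):
            path = "denied"
        else:
            path = "unknown"
        out.append((flag, path))
    return out


if __name__ == "__main__":
    for pkt in split_packets(TRACE):
        print("=== PACKET START ===")
        print("\n".join(pkt))
    print(summarize(split_packets(TRACE)))
```

Feed a real capture with `split_packets(open("/var/log/<filename>").read())`; note that "no session found" also matches the egrep's "session found" alternative, which is why the summary checks for the "no session" prefix before classifying a packet as fast-path.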
Juniper SRX - Log Files
/var/log/chassisd !! Hardware and chassis control logs
/var/log/idpd !! IDP daemon, events, and failures
/var/log/interactive-commands !! View the commands run by users on the firewall
/var/log/jsprd !! HA logs
/var/log/kmd !! IKE Negotiation logs
/var/log/messages !! Start place for locating logs
/var/log/utmd !! UTM related logs
Juniper Netscreen - Route Based VPN Configuration
set interface "tunnel.<#>" ip unnumbered interface <outgoing-interface> !! If not using NHTB routes
set interface "tunnel.<#>" ip <ip>/<cidr> !! If NHTB route is needed - a random IP such as 172.16.255.1/25 will work
set interface "tunnel.<#>" zone "<zone>"
set interface "tunnel.<#>" mip <Mapped-IP> host <real-ip> netmask 255.255.255.255 vr "trust-vr" !! If needed
set ike p1-proposal "pre-g2-aes256-sha" preshare group2 esp aes256 sha-1 second 28800
set ike p2-proposal "nopfs-esp-aes256-sha" no-pfs esp aes256 sha-1 second 28800
set ike gateway "<gateway-name>" address <gateway-ip> Main outgoing-interface "<outgoing-interface>" preshare "<psk>" proposal "<p1-proposal>"
set vpn "<vpn_name-#>" gateway "<gateway-name>" no-replay tunnel idletime 0 proposal "<p2-proposal>"
set vpn "<vpn_name-#>" bind interface tunnel.<#>
set vpn "<vpn_name-#>" proxy-id local-ip <ip/cidr> remote-ip <ip/cidr> "ANY" !! Only necessary if you NEED to define proxy-ids, for instance to Cisco devices
!! Create the security rules as 'accept' rules
set route <remote-ip/cidr> interface tunnel.<#> !! Without NHTB
set interface tunnel.<#> nhtb <IP-on-tunnel-interface-network> vpn "<vpn_name-1>" !! With NHTB
set route <remote-ip/cidr> interface tunnel.<#> gateway <nhtb-ip> !! With NHTB
Notes:
Rules should use accept action
Create more vpns (like vpn_name-1) for each proxy-id combination needed
NHTB routes are necessary if binding multiple VPNs to the same tunnel interface (for instance,
when multiple proxy-IDs are required)
Juniper SRX - Capture 1
!! Create the capture
set security flow traceoptions file <captureFileName>
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops
set security flow traceoptions level 15
set security flow traceoptions packet-filter filter1 source-prefix <ip>
set security flow traceoptions packet-filter filter1 destination-prefix <ip>
set security flow traceoptions packet-filter filter2 source-prefix <ip>
set security flow traceoptions packet-filter filter2 destination-prefix <ip>
commit
run monitor start <captureFileName>
!! Kill the capture
run monitor stop <captureFileName>
clear log <captureFileName> !! Clear the log file
delete security flow traceoptions
commit
file delete <captureFileName>
Juniper SRX - View CPU Usage
show system processes summary
show system processes extensive
Notes:
* Summary will provide a brief overview with the top 3 processes
* Extensive includes all processes