Tuesday, March 11, 2014

Juniper (SRX) Firewall Commands

Juniper SRX Firewalls

run = prefix used in configure mode to execute operational-mode commands without leaving configuration mode
//Show Routes
show route brief
show route best x.x.x.x
set routing-options static route x.x.x.x/24 next-hop x.x.x.x
//Forwarding Table
run show route forwarding-table destination x.x.x.x/24
//TraceOptions settings
root@fw1# show security flow | display set
set security flow traceoptions file matt_trace
set security flow traceoptions file files 3
set security flow traceoptions file size 100000
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter f0 source-prefix x.x.x.x/32 destination-prefix y.y.y.y/32
set security flow traceoptions packet-filter f1 source-prefix y.y.y.y/32 destination-prefix x.x.x.x/32
activate security flow traceoptions
monitor start matt_trace
monitor list
!! Kill the capture
monitor stop
clear log matt_trace             !! Clear the log file
delete security flow traceoptions
file delete /var/log/matt_trace
//Show Traceoptions
show security flow session source-prefix x.x.x.x destination-prefix y.y.y.y
start shell
egrep 'matched filter|(ge|fe|reth)-.*->.*|session found|create session|dst_xlate|routed|search|denied|src_xlate|outgoing phy if' /var/log/matt_trace | sed -e 's/.*RT://g' | sed -e 's/tcp, flag 2 syn/--TCP SYN--/g' | sed -e 's/tcp, flag 12 syn ack/--TCP SYN\/ACK--/g' | sed -e 's/tcp, flag 10/--TCP ACK--/g' | sed -e 's/tcp, flag 4 rst/--TCP RST--/g' | sed -e 's/tcp, flag 14 rst/--TCP RST\/ACK--/g' | sed -e 's/tcp, flag 18/--TCP PUSH\/ACK--/g' | sed -e 's/tcp, flag 11 fin/--TCP FIN\/ACK--/g' | sed -e 's/tcp, flag 5/--TCP FIN\/RST--/g' | sed -e 's/icmp, (0\/0)/--ICMP Echo Reply--/g' | sed -e 's/icmp, (8\/0)/--ICMP Echo Request--/g' | sed -e 's/icmp, (3\/0)/--ICMP Destination Unreachable--/g' | sed -e 's/icmp, (11\/0)/--ICMP Time Exceeded--/g' | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="}; {print};'
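The trace workflow above ends in an egrep/sed/awk chain run from the SRX shell. The following is an added example, not part of the original post, that does the same job as a small awk summary: one line per packet that matched the packet-filter, with ingress and egress interface, zone pair and policy verdict, which is usually what you need to see why a flow was dropped. The trace lines are constructed to approximate the basic-datapath format (CID-0:RT: prefix, "matched filter", "routed ... to", "policy search", "permitted/denied by policy") and are not a real capture.

```shell
#!/bin/sh
# Constructed sample of SRX basic-datapath trace lines (format approximated from the
# traceoptions output the page greps for; NOT a real capture). Every packet that hits a
# packet-filter starts with a "matched filter" line, the same anchor the page's awk uses.
SAMPLE_TRACE='Mar 11 10:00:01 CID-0:RT:<10.124.0.1/51234->1.2.3.4/22;6> matched filter f0:
Mar 11 10:00:01 CID-0:RT:  ge-0/0/1.0:10.124.0.1/51234->1.2.3.4/22, tcp, flag 2 syn
Mar 11 10:00:01 CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Mar 11 10:00:01 CID-0:RT:  routed (x_dst_ip 1.2.3.4) from dmz (ge-0/0/1.0 in 0) to ge-0/0/2.0, Next-hop: 1.2.3.4
Mar 11 10:00:01 CID-0:RT:  policy search from zone dmz-> zone trust (0x0,0xc8220016,0x16)
Mar 11 10:00:01 CID-0:RT:  permitted by policy 12(5)
Mar 11 10:00:01 CID-0:RT:  session created 10.124.0.1/51234->1.2.3.4/22
Mar 11 10:00:02 CID-0:RT:<10.124.0.1/51235->1.2.3.4/3389;6> matched filter f0:
Mar 11 10:00:02 CID-0:RT:  ge-0/0/1.0:10.124.0.1/51235->1.2.3.4/3389, tcp, flag 2 syn
Mar 11 10:00:02 CID-0:RT:  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0
Mar 11 10:00:02 CID-0:RT:  routed (x_dst_ip 1.2.3.4) from dmz (ge-0/0/1.0 in 0) to ge-0/0/2.0, Next-hop: 1.2.3.4
Mar 11 10:00:02 CID-0:RT:  policy search from zone dmz-> zone trust (0x0,0xc8220016,0x16)
Mar 11 10:00:02 CID-0:RT:  denied by policy default-policy-00(2), dropping pkt
Mar 11 10:00:02 CID-0:RT:  packet dropped, denied by policy'

# Reads a flow trace on stdin and prints one line per filtered packet:
# flow, ingress interface, egress interface, zone pair and the policy verdict.
# On the firewall: summarize_trace < /var/log/matt_trace
summarize_trace() {
    awk '
        # Strip the timestamp/thread prefix; everything after "RT:" is the flowd message.
        { sub(/^.*RT:[ \t]*/, "") }
        # A new filtered packet begins here: emit the previous one, then record the flow.
        /matched filter/ {
            emit()
            flow = $1; sub(/^</, "", flow); sub(/;.*$/, "", flow)
            pkt = 1
        }
        # "<ifname>:<src>-><dst>, tcp, flag ..." gives the ingress interface.
        pkt && /^(ge|fe|reth|xe)-.*:.*->/ { split($1, a, ":"); inif = a[1] }
        # "routed ... to <ifname>, Next-hop: ..." gives the egress interface.
        pkt && /routed .* to / { match($0, /to [^,]+/); outif = substr($0, RSTART + 3, RLENGTH - 3) }
        # "policy search from zone A-> zone B": fields 5 and 7 are the zone names.
        pkt && /policy search from zone/ { sub(/->$/, "", $5); zones = $5 "->" $7 }
        # Keep the verdict without the trailing "(index)" or ", dropping pkt" tail.
        pkt && /^(permitted|denied) by policy/ { verdict = $0; sub(/\(.*$/, "", verdict) }
        function emit() {
            if (pkt) printf "%s in=%s out=%s zones=%s verdict=%s\n", flow, inif, outif, zones, verdict
            pkt = 0; flow = inif = outif = zones = verdict = "-"
        }
        END { emit() }
    '
}

printf '%s\n' "$SAMPLE_TRACE" | summarize_trace
```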
//Show Sessions
run show security flow session destination-prefix x.x.x.x
//Match Policy
run show security match-policies from-zone zonea to-zone zoneb source-ip x.x.x.x destination-ip x.x.x.x protocol tcp source-port 1024 destination-port xx
//Check for Block Group
show security policies from-zone untrust to-zone trust | display set | grep deny
//Find Syntax for an Existing Command
show | display set | match xxxxxxxxx
//VPN Troubleshooting
show security ike security-associations [index n] [detail]
show security ipsec security-associations [index n] [detail]
show security ipsec statistics [index n]
//Set proxy IDs for a route-based tunnel
set security ipsec vpn vpn-name ike proxy-identity local x.x.x.x/24 remote y.y.y.y/24 service any
//Packet Capture
set security datapath-debug capture-file my-capture
set security datapath-debug capture-file format pcap
set security datapath-debug capture-file size 1m
set security datapath-debug capture-file files 5
set security datapath-debug maximum-capture-size 400
set security datapath-debug action-profile do-capture event np-ingress packet-dump
set security datapath-debug packet-filter my-filter action-profile do-capture
set security datapath-debug packet-filter my-filter source-prefix x.x.x.x/32
//Super SRX Packet Capture Filter
egrep 'matched filter|(ge|fe|reth)-.*->.*|session found|Session \(id|session id|create|dst_nat|chose interface|dst_xlate|routed|search|denied|src_xlate|dip id|outgoing phy if|route to|DEST|post' /var/log/mchtrace | uniq | sed -e 's/.*RT://g' | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="} ; {print} ;' | awk '/^$/ {print "\t\t\t=== PACKET END ==="}; {print};' ; echo | awk '/^$/ {print "\t\t\t=== PACKET END ==="}; {print};'
// Policy commands
show | display set (shows policy)
set system syslog
set security log
set interfaces ge-0/0/3 gigether-options auto-negotiation (redundant-parent)
set security policies from-zone xxx to-zone xxx policy policy_name match
set security zones security-zone untrust address-book address
set security nat source rule-set zone-to-zone rule rule-source-nat match source-address
set routing-instances
set applications
set security ike proposal
set security ike policy
set security ike gateway
set security ipsec proposal
set security ipsec policy
set security ipsec vpn
commit check
commit comment "ticket#2222" and-quit
set security policies from-zone dmz to-zone trust policy 12 match source-address h_10.124.0.1 destination-address h_1.2.3.4 application tcp_22
set security policies from-zone dmz to-zone trust policy 12 then permit
set security policies from-zone dmz to-zone trust policy 12 then log session-init session-close
+         match {
+             source-address h_10.124.0.1;
+             destination-address h_1.2.3.4;
+             application tcp_22;
+         }
+         then {
+             permit;
+             log {
+                 session-init;
+                 session-close;
+             }
+         }
+     }
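Review bot: the compare output opens mid-block: the closing `+     }` on its last line has no visible `policy 12 {` opener, so the first line of the `show | compare` output was lost when the page was captured. The match terms reference `h_10.124.0.1`, `h_1.2.3.4` and `tcp_22` without showing where they are defined; `commit check` will reject the policy unless those objects exist under the zone address books and `applications`. Keeping `session-close` alongside `session-init` is worth preserving for an SSH rule: the close record is the one that carries the session's byte counts and duration.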

//System Health Checks
show system uptime                              Uptime
show version                                    Version of platform (host/model)
show chassis firmware                           Firmware loaded on FPCs
show system software detail
show chassis routing-engine                     CPU, memory for Routing-Engine
show chassis fan                                Speed and status of fans
show chassis environment                        Temperature status of components
show chassis hardware detail                    Hardware inventory (backplane)
show system core-dumps                          Core-dumps
show system alarms                              System alarms
show chassis alarms                             Alarms for hardware and chassis
show system boot-messages                       Logs from boot sequence
show log chassisd                               Logs for SRX chassis (cards)
show log messages                               Recent system messages
show configuration security log                 Syslog configuration
show system buffers                             Utilization of memory buffers
show system virtual-memory                      Virtual memory utilization
show system processes                           Processes running on system
show security idp memory                        IDP memory statistics
show security monitoring performance session    Session counts on each FPC

