Tuesday, March 11, 2014

Juniper (SRX) Firewall Commands

Juniper SRX Firewalls

run = used in configure mode to use operational mode commands
//Show Routes
show route brief
show route best x.x.x.x
set routing-options static route next-hop
//Forwarding Table
run show route forwarding-table destination x.x.x.x/24
//TraceOptions settings
root@fw1# show security flow | display set
set security flow traceoptions file matt_trace
set security flow traceoptions file files 3
set security flow traceoptions file size 100000
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter f0 source-prefix destination-prefix
set security flow traceoptions packet-filter f1 source-prefix destination-prefix
activate security flow traceoptions
monitor start matt_trace
monitor list
!! Kill the capture
monitor stop
clear log             !! Clear the log file
delete security flow traceoptions
file delete
//Show Traceoptions
show security flow session source-prefix destination-prefix
start shell
egrep 'matched filter|(ge|fe|reth)-.*->.*|session found|create session|dst_xlate|routed|search|denied|src_xlate|outgoing phy if' /var/log/matt_trace | sed -e 's/.*RT://g' | sed -e 's/tcp, flag 2 syn/--TCP SYN--/g' | sed -e 's/tcp, flag 12 syn ack/--TCP SYN\/ACK--/g' | sed -e 's/tcp, flag 10/--TCP ACK--/g' | sed -e 's/tcp, flag 4 rst/--TCP RST--/g' | sed -e 's/tcp, flag 14 rst/--TCP RST\/ACK--/g' | sed -e 's/tcp, flag 18/--TCP PUSH\/ACK--/g' | sed -e 's/tcp, flag 11 fin/--TCP FIN\/ACK--/g' | sed -e 's/tcp, flag 5/--TCP FIN\/RST--/g' | sed -e 's/icmp, (0\/0)/--ICMP Echo Reply--/g' | sed -e 's/icmp, (8\/0)/--ICMP Echo Request--/g' | sed -e 's/icmp, (3\/0)/--ICMP Destination Unreachable--/g' | sed -e 's/icmp, (11\/0)/--ICMP Time Exceeded--/g' | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="}; {print};'
//Show Sessions
run show security flow session destination-prefix x.x.x.x
//Match Policy
run show security match-policies from-zone zonea to-zone zoneb source-ip x.x.x.x destination-ip x.x.x.x protocol tcp source-port 1024 destination-port xx
//Check for Block Group
show security policies from-zone untrust to-zone trust | display set | match deny
//Find Syntax for an Existing Command
show | display set | match xxxxxxxxx
//VPN Troubleshooting
show security ike security-associations [index ] [detail]
show security ipsec security-associations [index ] [detail]
show security ipsec statistics [index ]
//Set proxy ID’s for a route based tunnel
set security ipsec vpn vpn-name ike proxy-identity local remote service any
//Packet Capture
set security datapath-debug capture-file my-capture
set security datapath-debug capture-file format pcap
set security datapath-debug capture-file size 1m
set security datapath-debug capture-file files 5
set security datapath-debug maximum-capture-size 400
set security datapath-debug action-profile do-capture event np-ingress packet-dump
set security datapath-debug packet-filter my-filter action-profile do-capture
set security datapath-debug packet-filter my-filter source-prefix
//Super SRX Packet Capture Filter
egrep 'matched filter|(ge|fe|reth)-.*->.*|session found|Session \(id|session id|create|dst_nat|chose interface|dst_xlate|routed|search|denied|src_xlate|dip id|outgoing phy if|route to|DEST|post' /var/log/mchtrace | uniq | sed -e 's/.*RT://g' | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="} ; {print} ;' | awk '/^$/ {print "\t\t\t=== PACKET END ==="}; {print};' ; echo | awk '/^$/ {print "\t\t\t=== PACKET END ==="}; {print};'
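As an added example (not part of the original post), the two egrep/sed/awk pipelines above, the trace reader and the "Super" filter, reworked into reusable shell functions you can drop into the SRX shell. The trace lines inside it are constructed to resemble basic-datapath output with the RT: prefix the pipelines above strip; real line text varies between Junos releases, so treat the patterns as a starting point. Two things it adds that the one-liners do not: tcp_flags() decodes the hex flag byte generically instead of carrying one sed rule per value, and trace_verdicts() prints one line per filtered packet saying whether it hit an existing session, was permitted, or was denied and by which policy.

```shell
#!/bin/sh
# Added example, not from the original post: the two egrep/sed/awk trace
# readers above rewritten as shell functions. The trace below is
# CONSTRUCTED to look like "flag basic-datapath" output; real line text
# varies between Junos releases, so adjust the patterns to your trace.

# Decode the TCP flag byte the trace prints in hex ("flag 12") into names,
# so every combination gets a label instead of one sed rule per value.
tcp_flags() {
    v=$(( 0x$1 )); out=""
    for pair in 1:FIN 2:SYN 4:RST 8:PSH 16:ACK 32:URG; do
        if [ $(( v & ${pair%%:*} )) -ne 0 ]; then out="${out}${pair#*:}/"; fi
    done
    printf '%s' "${out%/}"
}

# ICMP type from "icmp, (type/code)" to a name.
icmp_name() {
    case "$1" in
        0)  printf 'Echo Reply' ;;     3)  printf 'Destination Unreachable' ;;
        5)  printf 'Redirect' ;;       8)  printf 'Echo Request' ;;
        11) printf 'Time Exceeded' ;;  *)  printf 'type %s' "$1" ;;
    esac
}

# Keep the lines that tell a packet's story, drop the timestamp/CID prefix
# and decode the protocol summary. The interface match also covers
# reth0.0, which the original "(ge|fe|reth)-" pattern never matches.
summarize_trace() {
    grep -E 'matched filter| (ge|fe|xe|ae|reth|st)[^ :]*:.*->|session found|create|dst_xlate|src_xlate|routed|search|denied|outgoing phy if' "$1" \
    | sed -e 's/.*RT://' \
    | while IFS= read -r line; do
        case "$line" in *"matched filter"*) printf '\n=== PACKET START ===\n' ;; esac
        case "$line" in
            *"tcp, flag "*)
                rest=${line#*"tcp, flag "}                 # "2 syn", "12 syn ack"
                line="${line%%"tcp, flag "*}--TCP $(tcp_flags "${rest%% *}")--" ;;
            *"icmp, ("*)
                rest=${line#*"icmp, ("}                    # "8/0)"
                line="${line%%"icmp, ("*}--ICMP $(icmp_name "${rest%%/*}")--" ;;
        esac
        printf '%s\n' "$line"
    done
}

# One line per matched packet: the flow key and what the flow engine decided
# (existing session, permitted, or denied and by which policy).
trace_verdicts() {
    sed -e 's/.*RT://' "$1" | awk '
        function flush() { if (key != "") printf "%-36s %s\n", key, verdict }
        /matched filter/          { flush(); key = $1; verdict = "no verdict logged"; zones = "" }
        /policy search from zone/ { zones = " " $5 $7 }
        /^ *session found/        { sub(/,$/, "", $4); verdict = "matched existing session " $4 }
        /[Pp]ermitted by policy/  { verdict = "permitted" zones }
        /^ *denied by policy /    { sub(/,$/, "", $4); verdict = "denied by " $4 zones }
        END { flush() }'
}

# Constructed sample: a SYN from the dmz host that hits the default deny,
# then an ICMP echo that matches an existing session on a reth interface.
SAMPLE_TRACE=$(mktemp)
trap 'rm -f "$SAMPLE_TRACE"' EXIT
cat > "$SAMPLE_TRACE" <<'EOF'
Mar 11 09:15:02 09:15:02.140311:CID-0:RT:<10.124.0.1/43210->1.2.3.4/22;6> matched filter f0:
Mar 11 09:15:02 09:15:02.140311:CID-0:RT:packet [60] ipid = 4711, @0x4c4a1a1c
Mar 11 09:15:02 09:15:02.140311:CID-0:RT: ge-0/0/1.0:10.124.0.1/43210->1.2.3.4/22, tcp, flag 2 syn
Mar 11 09:15:02 09:15:02.140311:CID-0:RT:  no session found, start first path. in_tunnel - 0, from_cp_flag - 0
Mar 11 09:15:02 09:15:02.140311:CID-0:RT:  flow_first_create_session
Mar 11 09:15:02 09:15:02.140311:CID-0:RT:  routed (x_dst_ip 1.2.3.4) from dmz (ge-0/0/1.0 in 0) to ge-0/0/0.0, Next-hop: 1.2.3.4
Mar 11 09:15:02 09:15:02.140311:CID-0:RT:  policy search from zone dmz-> zone trust (0x0,0xa8ca0016,0x16)
Mar 11 09:15:02 09:15:02.140311:CID-0:RT:  packet dropped, denied by policy
Mar 11 09:15:02 09:15:02.140311:CID-0:RT:  denied by policy default-policy-00(2), dropping pkt
Mar 11 09:15:03 09:15:03.002817:CID-0:RT:<1.2.3.4/0->10.124.0.1/0;1> matched filter f1:
Mar 11 09:15:03 09:15:03.002817:CID-0:RT: reth0.0:1.2.3.4->10.124.0.1, icmp, (8/0)
Mar 11 09:15:03 09:15:03.002817:CID-0:RT:  session found, id 6001, flow 12002
EOF

echo "--- packet summary ---"; summarize_trace "$SAMPLE_TRACE"
echo "--- verdicts ---";       trace_verdicts "$SAMPLE_TRACE"
```

On the box, point the functions at /var/log/matt_trace (or whatever file name you gave traceoptions) instead of the sample. A packet that comes out of trace_verdicts as "no verdict logged" usually means the trace was not taken with flag basic-datapath, or the packet-filter only matched one direction; that is why the traceoptions block above defines both an f0 and an f1 filter.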
// Policy commands
show | display set (shows policy)
set system syslog
set security log
set interfaces ge-0/0/3 gigether-options auto-negotiation (or redundant-parent rethX to make the port a reth child in a chassis cluster)
set security policies from-zone xxx to-zone xxx policy policy_name match
set security zones security-zone untrust address-book address
set security nat source rule-set zone-to-zone rule rule-source-nat match source-address
set routing-instances
set applications
set security ike proposal
set security ike policy
set security ike gateway
set security ipsec proposal
set security ipsec policy
set security ipsec vpn
commit check
commit comment "ticket#2222" and-quit
set security policies from-zone dmz to-zone trust policy 12 match source-address h_10.124.0.1 destination-address h_1.2.3.4 application tcp_22
set security policies from-zone dmz to-zone trust policy 12 then permit
set security policies from-zone dmz to-zone trust policy 12 then log session-init session-close
+         match {
+             source-address h_10.124.0.1;
+             destination-address h_1.2.3.4;
+             application tcp_22;
+         }
+         then {
+             permit;
+             log {
+                 session-init;
+                 session-close;
+             }
+         }
+     }
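Review bot: the compare output starts inside the policy body, so the enclosing `policy 12 {` line and its `from-zone dmz to-zone trust` context are cut off; show the whole hunk so the match/then block can be checked against the three set commands above it. Also, `log session-init` on a permit rule emits a syslog for every new flow on top of the close record; fine for an SSH rule like this one, but keep it off high-volume policies unless you need the real-time events.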

// SRX Health Commands
show system uptime                              // Uptime
show version                                    // Version of platform (host/model)
show chassis firmware                           // Firmware loaded on FPCs
show system software detail                     // Installed software packages
show chassis routing-engine                     // CPU, memory for Routing-Engine
show chassis fan                                // Speed and status of fans
show chassis environment                        // Temperature status of components
show chassis hardware detail                    // Hardware inventory (backplane)
show system core-dumps                          // Core dumps
show system alarms                              // System alarms
show chassis alarms                             // Alarms for hardware and chassis
show system boot-messages                       // Logs from boot sequence
show log chassisd                               // Logs for SRX chassis (cards)
show log messages                               // Recent system messages
show configuration security log                 // Syslog configuration
show system buffers                             // Utilization of memory buffers
show system virtual-memory                      // Virtual memory utilization
show system processes                           // Processes running on system
show security idp memory                        // IDP memory statistics
show security monitoring performance session    // Session counts on each FPC

Palo Alto Firewall Commands (4.0 – 5.0)

Palo Alto
// Base Help
lab@infostruction> ?
clear Clear runtime parameters
configure Manipulate software configuration information
debug Debug and diagnose
exit Exit this session
grep Searches file for lines containing a pattern match
less Examine debug file content
ping Ping hosts and networks
quit Exit this session
request Make system-level requests
scp Use ssh to copy file to another host
set Set operational parameters
show Show operational parameters
ssh Start a secure shell to another host
tail Print the last 10 lines of debug file content
lab@infostruction# set ?
> deviceconfig deviceconfig
> mgt-config mgt-config
> network network configuration
> shared shared
> vsys vsys
// Device configuration and RMA
default login & password is admin/admin
scp import configuration remote-port 22 from user@host:/path/to/file
set deviceconfig system hostname ip-address netmask default-gateway dns-setting server primary
set password
// Administration
check pending-changes **Check for uncommitted changes
show config
show config-locks
request commit-lock remove admin
save/load (saved config) -> set (candidate config) -> commit (active config)
edit, up, top **Change hierarchy
// Privilege Levels
superreader Has complete read-only access to the firewall.
vsysadmin Has full access to a selected virtual system on the firewall.
vsysreader Has read-only access to a selected virtual system on the firewall.
deviceadmin Has full access to a selected device, except for defining new accounts or virtual systems.
devicereader Has read-only access to a selected device.
// Health Commands
show counter global | match drop
show interface ethernetX/X
show system state filter * | match over **Packet overruns.
show session info **High concurrent sessions
show running resource-monitor **CPU (app-id, decoders, session setup teardown)
debug dataplane pool statistics **Work Queue and Segment reassembly.
show counter global filter aspect resource **Resource counters, TCP window information.
show system statistics **System Counters
show system info **Show system information
show network interface ethernet **Show Interface configuration
show arp
show netstat all yes
// Failover – High Availability
request high-availability state suspend                     // Suspend the active firewall: fails over to the peer and marks this device ineligible.
request high-availability state functional                    // Set current device to functional/eligible.
request high-availability sync-to-remote                  // Force config and session sync to peer
show high-availability state                        // Show current H/A status
show high-availability all                             // Show high-availability information on current device.
show high-availability link                            // Show H/A state of devices
show high-availability state-synchronization         // View the sync state to the peer device
show high-availability control-link                     // Show H/A link statistics
// HA Upgrade Process
request high-availability state suspend – passive firewall
Upgrade passive to 4.1.7
request high-availability state suspend – Current old version active firewall
request high-availability state functional – Newly upgraded firewall (Outage until this command completes)
Upgrade old active firewall to 4.1.7
request high-availability state functional – Newly upgraded firewall
HA processes can take up to 5 minutes to start up after reboot
// Troubleshooting
test nat-policy-match source destination protocol 6 destination-port
test security-policy-match source destination protocol 6 destination-port
test url **Provides URL category
show routing
show arp
show session
// Packet Capture
From the CLI:
Packet Filter
debug dataplane packet-diag set filter match source
debug dataplane packet-diag set filter match destination
debug dataplane packet-diag set filter on
debug dataplane packet-diag show setting
Packet Capture
debug dataplane packet-diag set capture stage drop file
debug dataplane packet-diag set capture stage transmit file
debug dataplane packet-diag set capture stage receive file
debug dataplane packet-diag set capture stage firewall file
debug dataplane packet-diag set capture on
Clear Packet Filter or capture
debug dataplane packet-diag set filter off
debug dataplane packet-diag set capture off
debug dataplane packet-diag clear filter all
debug dataplane packet-diag clear capture all
View PCAPs
view-pcap follow yes filter-pcap
Export the PCAPs
scp export filter-pcap from to          // to = user1@
tftp export filter-pcap from to
// VPN Troubleshooting
show vpn flow  **View active tunnels
show vpn flow tunnel-id   **View additional information on tunnels based on ID
show vpn ike-sa
show vpn ipsec-sa
clear vpn ike-sa
clear vpn ipsec-sa
test vpn ike-sa gateway
test vpn ipsec-sa tunnel
// Debug Commands
debug authd
debug cli
debug dhcpd
debug high-availability agent
debug ike
debug log-collector
debug management-server
debug master-service
debug ssl-vpn
debug user-id