Tuesday, March 11, 2014

Juniper (SRX) Firewall Commands


Juniper SRX Firewalls

**********************
run = used in configure mode to use operational mode commands
//Show Routes
show route brief
show route best x.x.x.x
set routing-options static route 10.2.2.0/24 next-hop 10.1.1.254
//Forwarding Table
run show route forwarding-table destination x.x.x.x/24
//TraceOptions settings
root@fw1# show security flow | display set
set security flow traceoptions file matt_trace
set security flow traceoptions file files 3
set security flow traceoptions file size 100000
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter f0 source-prefix 10.0.0.1/32 destination-prefix 200.1.2.3/32
set security flow traceoptions packet-filter f1 source-prefix 10.0.0.1/32 destination-prefix 200.1.2.3/32
activate security flow traceoptions
commit
monitor start matt_trace
monitor list
!! Kill the capture
monitor stop
clear log             !! Clear the log file
delete security flow traceoptions
commit
file delete
//Show Traceoptions
show security flow session source-prefix 10.124.80.42 destination-prefix 117.1.1.25
start shell
egrep 'matched filter|(ge|fe|reth)-.*->.*|session found|create session|dst_xlate|routed|search|denied|src_xlate|outgoing phy if' /var/log/matt_trace | sed -e 's/.*RT://g' | sed -e 's/tcp, flag 2 syn/--TCP SYN--/g' | sed -e 's/tcp, flag 12 syn ack/--TCP SYN\/ACK--/g' | sed -e 's/tcp, flag 10/--TCP ACK--/g' | sed -e 's/tcp, flag 4 rst/--TCP RST--/g' | sed -e 's/tcp, flag 14 rst/--TCP RST\/ACK--/g' | sed -e 's/tcp, flag 18/--TCP PUSH\/ACK--/g' | sed -e 's/tcp, flag 11 fin/--TCP FIN\/ACK--/g' | sed -e 's/tcp, flag 5/--TCP FIN\/RST--/g' | sed -e 's/icmp, (0\/0)/--ICMP Echo Reply--/g' | sed -e 's/icmp, (8\/0)/--ICMP Echo Request--/g' | sed -e 's/icmp, (3\/0)/--ICMP Destination Unreachable--/g' | sed -e 's/icmp, (11\/0)/--ICMP Time Exceeded--/g' | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="}; {print};'
//Show Sessions
run show security flow session destination-prefix x.x.x.x
//Match Policy
run show security match-policies from-zone zonea to-zone zoneb source-ip x.x.x.x destination-ip x.x.x.x protocol tcp source-port 1024 destination-port xx
//Check for Block Group
show security policies from-zone untrust to-zone trust | display set | grep deny
//Find Syntax for an Existing Command
show | display set | match xxxxxxxxx
//VPN Troubleshooting
show security ike security-associations [index ] [detail]
show security ipsec security-associations [index ] [detail]
show security ipsec statistics [index ]
//VPN
//Set proxy IDs for a route-based tunnel
set security ipsec vpn vpn-name ike proxy-identity local 10.0.0.0/8 remote 192.168.1.0/24 service any
//Packet Capture
set security datapath-debug capture-file my-capture
set security datapath-debug capture-file format pcap
set security datapath-debug capture-file size 1m
set security datapath-debug capture-file files 5
set security datapath-debug maximum-capture-size 400
set security datapath-debug action-profile do-capture event np-ingress packet-dump
set security datapath-debug packet-filter my-filter action-profile do-capture
set security datapath-debug packet-filter my-filter source-prefix 1.2.3.4/32
//Super SRX Packet Capture Filter
egrep 'matched filter|(ge|fe|reth)-.*->.*|session found|Session \(id|session id|create|dst_nat|chose interface|dst_xlate|routed|search|denied|src_xlate|dip id|outgoing phy if|route to|DEST|post' /var/log/mchtrace | uniq | sed -e 's/.*RT://g' | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="} ; {print} ;' | awk '/^$/ {print "\t\t\t=== PACKET END ==="}; {print};' ; echo | awk '/^$/ {print "\t\t\t=== PACKET END ==="}; {print};'
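The egrep | sed | awk pipeline under "Show Traceoptions" and the longer "Super SRX Packet Capture Filter" variant both condense a basic-datapath trace into one block per filtered packet. As an added example (not from the original post), here is the same filter as a Python function run over a constructed, simplified trace excerpt (the line format, prefix and values are assumed), plus a helper that lists which filtered flows ended in a policy denial; the extra keywords from the Super variant can be appended to KEEP.

```python
import re

# Lines the page's egrep keeps (same alternation, as a Python regex).
KEEP = re.compile(r"matched filter|(ge|fe|reth)-.*->.*|session found|create session|"
                  r"dst_xlate|routed|search|denied|src_xlate|outgoing phy if")
# The page's sed rewrites, applied in the same order (flag 12 before flag 10, etc.).
REWRITES = [
    ("tcp, flag 2 syn", "--TCP SYN--"), ("tcp, flag 12 syn ack", "--TCP SYN/ACK--"),
    ("tcp, flag 10", "--TCP ACK--"), ("tcp, flag 4 rst", "--TCP RST--"),
    ("tcp, flag 14 rst", "--TCP RST/ACK--"), ("tcp, flag 18", "--TCP PUSH/ACK--"),
    ("tcp, flag 11 fin", "--TCP FIN/ACK--"), ("tcp, flag 5", "--TCP FIN/RST--"),
    ("icmp, (0/0)", "--ICMP Echo Reply--"), ("icmp, (8/0)", "--ICMP Echo Request--"),
    ("icmp, (3/0)", "--ICMP Destination Unreachable--"), ("icmp, (11/0)", "--ICMP Time Exceeded--"),
]
# Constructed, simplified basic-datapath trace excerpt: one SYN to tcp/22 that policy denies.
P = "Mar 11 09:00:01 09:00:01.101010:CID-0:RT:"  # assumed timestamp/CID prefix
SAMPLE = [
    P + "<10.0.0.1/40000->200.1.2.3/22;6> matched filter f0:",
    P + "packet [60] ipid = 4242, @0x4b3c7c1e",
    P + "  ge-0/0/0.0:10.0.0.1/40000->200.1.2.3/22, tcp, flag 2 syn",
    P + "  no session found, start first path. in_tunnel - 0x0, from_cp_flag - 0",
    P + "  routed (x_dst_ip 200.1.2.3) from trust (ge-0/0/0.0 in 0) to ge-0/0/1.0, Next-hop: 10.1.1.254",
    P + "  policy search from zone trust-> zone untrust (0x0,0x9c400016,0x16)",
    P + "  packet dropped, denied by policy deny-all(5), dropping pkt",
]

def summarize_trace(lines):
    # Returns the condensed per-packet view the shell pipeline prints.
    out = []
    for line in lines:
        if not KEEP.search(line):
            continue
        line = line.rsplit("RT:", 1)[-1]        # sed 's/.*RT://' (greedy: strip through the last RT:)
        for old, new in REWRITES:
            line = line.replace(old, new)
        if "matched" in line:                    # awk '/matched/ {print "\n\t\t\t=== PACKET START ==="}'
            out.append("\n\t\t\t=== PACKET START ===")
        out.append(line)
    return out

def denied_flows(summary):
    # Pairs each packet block's filtered 5-tuple with a policy denial in the same block.
    flows, current = [], None
    for line in summary:
        m = re.search(r"<(.*?)> matched filter", line)
        if m:
            current = m.group(1)
        elif "denied" in line and current:
            flows.append(current)
            current = None
    return flows
```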
// Policy commands
show | display set (shows policy)
set system syslog
set security log
set interfaces ge-0/0/3 gigether-options auto-negotiation (redundant-parent)
set security policies from-zone xxx to-zone xxx policy policy_name match
set security zones security-zone untrust address-book address
set security nat source rule-set zone-to-zone rule rule-source-nat match source-address 10.0.0.0
set routing-instances
set applications
set security ike proposal
set security ike policy
set security ike gateway
set security ipsec proposal
set security ipsec policy
set security ipsec vpn
show|compare
commit check
commit comment "ticket#2222" and-quit
set security policies from-zone dmz to-zone trust policy 12 match source-address h_10.124.0.1 destination-address h_1.2.3.4 application tcp_22
set security policies from-zone dmz to-zone trust policy 12 then permit
set security policies from-zone dmz to-zone trust policy 12 then log session-init session-close
+         match {
+             source-address h_10.124.0.1;
+             destination-address h_1.2.3.4;
+             application tcp_22;
+         }
+         then {
+             permit;
+             log {
+                 session-init;
+                 session-close;
+             }
+         }
+     }
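Review bot: the compare output starts at `match {` and ends with a closing `}` whose opening line is not shown, so the last brace on its own pairs with nothing; include the `+ policy 12 {` line (and the `[edit ...]` banner that `show | compare` prints above it) so the diff can be checked against the three set commands above. With that line present the hunk reads consistently: the permit for tcp_22 from h_10.124.0.1 to h_1.2.3.4 logs both session-init and session-close, matching the set commands.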

Various:
show system uptime                           !! Uptime
show version                                 !! Version of platform (host/model)
show chassis firmware                        !! Firmware loaded on FPCs
show system software detail
show chassis routing-engine                  !! CPU, memory for Routing-Engine
show chassis fan                             !! Speed and status of fans
show chassis environment                     !! Temperature status of components
show chassis hardware detail                 !! Hardware inventory (backplane)
show system core-dumps                       !! Core-dumps
show system alarms                           !! System alarms
show chassis alarms                          !! Alarms for hardware and chassis
show system boot-messages                    !! Logs from boot sequence
show log chassisd                            !! Logs for SRX chassis (cards)
show log messages                            !! Recent system messages
show configuration security log              !! Syslog configuration
show system buffers                          !! Utilization of memory buffers
show system virtual-memory                   !! Virtual memory utilization
show system processes                        !! Processes running on system
show security idp memory                     !! IDP memory statistics
show security monitoring performance session !! Session counts on each FPC


Palo Alto Firewall Commands (4.0 – 5.0)


Palo Alto
// Base Help
lab@infostruction> ?
clear Clear runtime parameters
configure Manipulate software configuration information
debug Debug and diagnose
exit Exit this session
grep Searches file for lines containing a pattern match
less Examine debug file content
ping Ping hosts and networks
quit Exit this session
request Make system-level requests
scp Use ssh to copy file to another host
set Set operational parameters
show Show operational parameters
ssh Start a secure shell to another host
tail Print the last 10 lines of debug file content
username@hostname>
lab@infostruction# set ?
> deviceconfig deviceconfig
> mgt-config mgt-config
> network network configuration
> shared shared
> vsys vsys
// Device configuration and RMA
default login & password is admin/admin
scp import configuration 22 user@host:/path/to/file
set deviceconfig system hostname ip-address netmask default-gateway dns-setting server primary
set password
// Administration
check pending-changes **Check for uncommitted changes
show config
show config-locks
request commit-lock remove admin
save/load (saved config) -> set (candidate config) -> commit (active config)
edit, up, top **Change hierarchy
// Privilege Levels
superreader Has complete read-only access to the firewall.
vsysadmin Has full access to a selected virtual system on the firewall.
vsysreader Has read-only access to a selected virtual system on the firewall.
deviceadmin Has full access to a selected device, except for defining new accounts or virtual systems.
devicereader Has read-only access to a selected device.
// Health Commands
show counter global | match drop
show interface ethernetX/X
show system state filter * | match over **Packet overruns.
show session info **High concurrent sessions
show running resource-monitor **CPU (app-id, decoders, session setup teardown)
debug dataplane pool statistics **Work Queue and Segment reassembly.
show counter global filter aspect resource **Resource counters, TCP window information.
show system statistics **System Counters
show system info **Show system information
show network interface ethernet **Show Interface configuration
show arp
netstat all
// Failover – High Availability
request high-availability state suspend       // Fail the master firewall and set to ineligible.
request high-availability state functional    // Set current device to functional/eligible.
request high-availability sync-to-remote      // Force config and session sync to peer
show high-availability state                  // Show current H/A status
show high-availability all                    // Show high-availability information on current device.
show high-availability link                   // Show H/A state of devices
show high-availability state-synchronization  // View the sync state to the peer device
show high-availability control-link           // Show H/A link statistics
// HA Upgrade Process
request high-availability state suspend – passive firewall
Upgrade passive to 4.1.7
request high-availability state suspend – Current old version active firewall
request high-availability state functional – Newly upgraded firewall (Outage until this command completes)
Upgrade old active firewall to 4.1.7
request high-availability state functional – Newly upgraded firewall
Notes:
HA processes can take up to 5 minutes to start up after reboot
// Troubleshooting
test nat-policy-match source destination protocol 6 destination-port
test security-policy-match source destination protocol 6 destination-port
test url **Provides URL category
show routing
show arp
show session
// Packet Capture
From the CLI:
Packet Filter
debug dataplane packet-diag set filter match source
debug dataplane packet-diag set filter match destination
debug dataplane packet-diag set filter on
debug dataplane packet-diag show setting
Packet Capture
debug dataplane packet-diag set capture stage drop file
debug dataplane packet-diag set capture stage transmit file
debug dataplane packet-diag set capture stage receive file
debug dataplane packet-diag set capture stage firewall file
debug dataplane packet-diag set capture on
Clear Packet Filter or capture
debug dataplane packet-diag set filter off
debug dataplane packet-diag set capture off
debug dataplane packet-diag clear filter all
debug dataplane packet-diag clear capture all
View PCAPs
view-pcap follow yes filter-pcap
Export the PCAPs
scp export filter-pcap from to
(e.g. to = user1@192.168.1.1:c:/1/scp)
tftp export filter-pcap from to
// VPN Troubleshooting
show vpn flow  **View active tunnels
show vpn flow tunnel-id   **View additional information on tunnels based on ID
show vpn ike-sa
show vpn ipsec-sa
clear vpn ike-sa
clear vpn ipsec-sa
test vpn ike-sa gateway
test vpn ipsec-sa tunnel
// Debug Commands
debug authd
debug cli
debug dhcpd
debug high-availability agent
debug ike
debug log-collector
debug management-server
debug master-service
debug ssl-vpn
debug user-id