Juniper How to:

How to go to operational mode from the unix shell in Juniper:
If you are logged in as root, you can go to operational mode with the “cli” command. The first prompt below is the root shell; after running cli it changes to operational mode.

root@%
root@% cli
root>

How to go from operational mode to the unix shell in Juniper:

root> start shell
root@%

How to set hostname in SRX:

set system host-name SRX-FW

How to see the rollback configurations in Juniper:
Juniper maintains up to 50 configurations as backups. To see the auto-saved configurations, go to configuration mode and type “rollback ?”; you will get a list of the auto-saved files.

root# rollback ?
Possible completions:
  <[Enter]>            Execute this command
  0                    2017-02-08 00:00:49 UTC by root via cli
  1                    2017-02-03 01:07:53 UTC by root via cli
  2                    2017-02-03 01:07:00 UTC by root via cli
  3                    2015-01-31 13:06:04 UTC by root via other
  |                    Pipe through a command
[edit]

How to roll back to a previous version of the config:
Go to configuration mode, then type the rollback command followed by the version you want to roll back to. This only loads that version as the candidate configuration; it takes effect after a commit.

root# rollback 1
load complete
[edit]

How to compare running config with an auto-saved rollback config:
In the following example I am comparing the running config with the rollback 0 configuration.

root# show | compare rollback 0
[edit interfaces ge-0/0/0 unit 0]
-     family inet {
-         address 192.168.2.16/24;

How to check up time of SRX device:

SRX>show system uptime
Current time: 2017-02-14 10:43:54 GMT
System booted: 2017-02-13 02:10:48 GMT (1d 08:33 ago)
Protocols started: 2017-02-13 02:13:29 GMT (1d 08:30 ago)
Last configured: 2017-02-13 02:12:11 GMT (1d 08:31 ago) by root
10:43AM  up 1 day,  8:33, 1 user, load averages: 0.11, 0.13, 0.14

How to check all interface summary:

SRX>show interfaces terse

How to check interface details/statistics:

SRX>show interfaces extensive

How to check hardware and software details on SRX:

admin@srx> show version
Hostname: srx
Model: srx240h
JUNOS Software Release [12.1X44-D20.3]

How to check security policies in SRX:

SRX#show security policies

How to check configuration in SRX:

show configuration | display set
OR
show configuration

How to check phase 1 (IKE) and phase 2 (IPsec) security associations in SRX:

SRX>show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
5004726 DOWN   155fd4374a0cb3c2  0000000000000000  Aggressive     x.x.x.x

SRX>show security ipsec security-associations

How to check for down tunnels:

 SRX>show security ipsec inactive-tunnels
  Total inactive tunnels: 6
  Total inactive tunnels with establish immediately: 6
  ID     Port  Nego#  Fail#  Flag      Gateway          Tunnel Down Reason
  131078 500   7050   0      600a29    x.x.x.x   P1 SA deleted

How to check current time:

SRX>show system uptime | match current
Current time: 2017-02-24 14:24:23 UTC

How to check route in SRX:

admin@SRX> show route 10.5.198.12
inet.0: 102 destinations, 102 routes (102 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.0.0.0/8         *[Static/5] 46w3d 01:31:45
                    > to 10.5.192.9 via ge-2/0/15.0

How to check security zones on SRX:

admin@SRX> show security zones
Security zone: xxxx
  Send reset for non-SYN session TCP packets: Off
  Policy configurable: Yes
  Interfaces bound: 1
  Interfaces:
    xxxxxx

How to check session on SRX:

admin@SRX>show security flow session source-prefix x.x.x.x destination-prefix x.x.x.x

To get serial number of SRX device:

SRX> show chassis hardware

Monitoring traffic on interface:

# run monitor traffic interface fxp0.0 matching "host 10.5.194.4" no-resolve size 1500

How to check if there is any policy for the source and destination:

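show security match-policies from-zone TRUST to-zone UNTRUST source-ip x.x.x.x destination-ip y.y.y.y source-port 1024 destination-port 443 protocol tcp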

How to configure an interface on SRX:

set interfaces reth1 unit 91 vlan-id 91
set interfaces reth1 unit 91 family inet address x.x.x.x
set security zones security-zone DMZ1 interfaces reth1.91
set routing-instances vr1 interface reth1.91

How to apply trace options on SRX:

set security flow traceoptions file log-file-name
set security flow traceoptions file size 5m
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops
set security flow traceoptions packet-filter p1 source-prefix x.x.x.x/x
set security flow traceoptions packet-filter p1 destination-prefix y.y.y.y/y

show log log-file-name

How to add route in SRX:

set routing-instances vr1 routing-options static route 0.0.0.0/0 next-hop x.x.x.x

How to configure destination NAT in SRX (using a static NAT rule):

set security nat static rule-set RuleSet1 from zone UNTRUST
set security nat static rule-set RuleSet1 rule RuleNo1 match destination-address 1.1.1.1/32
set security nat static rule-set RuleSet1 rule RuleNo1 then static-nat prefix 10.1.1.1/32

set security policies from-zone UNTRUST to-zone DMZ policy Destination-NAT-Policy match source-address any
set security policies from-zone UNTRUST to-zone DMZ policy Destination-NAT-Policy match destination-address NET-10.1.1.1
set security policies from-zone UNTRUST to-zone DMZ policy Destination-NAT-Policy match application TCP-443
set security policies from-zone UNTRUST to-zone DMZ policy Destination-NAT-Policy then permit application-services idp
set security policies from-zone UNTRUST to-zone DMZ policy Destination-NAT-Policy then log session-init
set security policies from-zone UNTRUST to-zone DMZ policy Destination-NAT-Policy then log session-close


How to configure security policy in SRX:

set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound match source-address NET-10.0.0.0-8
set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound match application TCP-443
set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound then permit
set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound then log session-init
set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound then log session-close
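
An offline audit of policies exported with "show configuration | display set", as an added example that is not part of the original post: it flags permit rules that match any/any/any, lack session-close logging, or permit traffic from an untrusted zone without IDP. The Temp-Test policy, the function names and the choice of UNTRUST as the untrusted zone are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in "show configuration | display set" form. Allow-OutBound
# follows this page; Temp-Test is a hypothetical loose rule added for contrast.
SAMPLE = """\
set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound match source-address NET-10.0.0.0-8
set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound match destination-address any
set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound match application TCP-443
set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound then permit
set security policies from-zone TRUST to-zone UNTRUST policy Allow-OutBound then log session-close
set security policies from-zone UNTRUST to-zone DMZ policy Temp-Test match source-address any
set security policies from-zone UNTRUST to-zone DMZ policy Temp-Test match destination-address any
set security policies from-zone UNTRUST to-zone DMZ policy Temp-Test match application any
set security policies from-zone UNTRUST to-zone DMZ policy Temp-Test then permit
"""

LINE = re.compile(r"set security policies from-zone (\S+) to-zone (\S+) "
                  r"policy (\S+) (match|then) (.+)")
WIDE = {"source-address any", "destination-address any", "application any"}

def parse_policies(text):
    """Group display-set lines by (from-zone, to-zone, policy name)."""
    policies = defaultdict(lambda: {"match": set(), "then": set()})
    for raw in text.splitlines():
        m = LINE.fullmatch(" ".join(raw.split()))  # collapse stray spacing
        if m:
            src, dst, name, kind, rest = m.groups()
            policies[(src, dst, name)][kind].add(rest)
    return policies

def audit(text, untrusted=("UNTRUST",)):
    """Return sorted (policy, finding) pairs for permit rules worth reviewing."""
    findings = []
    for (src, dst, name), p in parse_policies(text).items():
        if not any(t.split()[0] == "permit" for t in p["then"]):
            continue  # deny/reject rules are not audited here
        label = f"{src}->{dst}/{name}"
        idp = "permit application-services idp" in p["then"]
        if WIDE <= p["match"]:
            findings.append((label, "permits any/any/any"))
        if "log session-close" not in p["then"]:
            findings.append((label, "no session-close logging"))
        if src in untrusted and not idp:
            findings.append((label, "inbound permit without IDP"))
    return sorted(findings)

if __name__ == "__main__":
    for label, finding in audit(SAMPLE):
        print(f"{label}: {finding}")
```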

How to create address object:

set security address-book global address H_10.1.1.1 10.1.1.1/32
OR (zone-specific address book)
set security zones security-zone TRUST address-book address H-10.1.1.1 10.1.1.1/32

How to create a new application:

set applications application TCP-443 protocol tcp
set applications application TCP-443 destination-port 443

How to check device health and last reboot reason:

show chassis routing-engine

How to check license on SRX:

SRX>show system license

How to download and install the IDP signature package manually:

SRX>request security idp security-package download
SRX>request security idp security-package download status
SRX>request security idp security-package install
SRX>request security idp security-package install status

How to create security zone on SRX:

set security zones security-zone DMZ