
Juniper show command (RSI : request support information)

request support information | no-more
request support information | save RSI_20210208

show system uptime no-forwarding
show version detail no-forwarding
show system core-dumps no-forwarding
show chassis alarms no-forwarding
show chassis hardware detail no-forwarding
show system processes extensive no-forwarding
show pfe statistics error
show pfe statistics traffic
show chassis routing-engine no-forwarding
show chassis environment no-forwarding
show chassis firmware no-forwarding
show chassis fpc detail
show system boot-messages no-forwarding
show system storage no-forwarding
show system virtual-memory no-forwarding
show system buffer no-forwarding
show system queues no-forwarding
show system statistics no-forwarding
show configuration | except SECRET-DATA | display omit
show interfaces extensive no-forwarding
show chassis hardware extensive no-forwarding
show krt queue
show krt state
show route summary
show arp no-resolve
show pfe statistics bridge
show ethernet-switching table
show ethernet-switching interfaces detail
show ethernet-switching mac-learning-log
show vlans extensive
show spanning-tree bridge detail
show spanning-tree interface
show redundant-trunk-group
show lldp neighbors
show dhcp snooping binding
show arp no-resolve
show arp inspection statistics
show dot1x interface
show dot1x interface detail
show pfe statistics bridge
show system services dhcp binding detail
show system services dhcp statistics
show lldp neighbors
show vrrp summary
show chassis firmware
show route forwarding-table
show ipv6 neighbors
show lacp interfaces
show lacp statistics interfaces
show services unified-access-control status
show services unified-access-control authentication-table
show services unified-access-control policies
file show /var/run/dmesg.boot.detail
show virtual-chassis protocol statistics
show virtual-chassis vc-port statistics extensive
show virtual-chassis status
show virtual-chassis vc-port
show virtual-chassis active-topology
show virtual-chassis protocol adjacency
show virtual-chassis protocol database extensive
show virtual-chassis protocol route
show virtual-chassis protocol statistics
show vrrp summary
show virtual-chassis vc-port statistics extensive
show chassis pic-mode
show protection-group ethernet-ring configuration
show protection-group ethernet-ring aps
show protection-group ethernet-ring interface
show protection-group ethernet-ring node-state
show protection-group ethernet-ring statistics detail
show chassis fpc pfe-version
show captive-portal interface
show captive-portal authentication-failed-users

 

 


Juniper Troubleshooting Commands

Managing configuration

configure exclusive – to prevent others from modifying the configuration while you are in configuration mode

status – show users currently logged in

compare (filename | rollback n)

#commit | display detail – debug commit
#commit check
#commit comment
#commit confirmed
#commit at [hh:mm | yyyy-mm-dd hh:mm | reboot]

clear system [commit | reboot] – to cancel a scheduled commit or reboot

show system commit
show configuration ….

#load {set} {merge | replace | override } {relative} [terminal | file] – paste - Ctrl+D to end

show | # compare (filename | rollback n)

show | display set

show | display changed

show | display detail

show | display omit statement

Configuration modification commands:
#annotate “xxxxx” – annotate part of configuration
#activate/deactivate
#copy / delete / rename – works with wildcards, e.g. delete fe*
#rename – string in configuration
#replace pattern
#protect / unprotect a statement

#exit configuration-mode
#quit

show system rollback 10
show system rollback compare 10 12
show system commit

System:

show version {detail}
request system reboot | power-off

file [copy | list | delete | show | rename ]
show system storage

show chassis hardware detail
show chassis alarms
show chassis environment
show chassis craft-interface – show router LED alarms

show configuration | display detail
show system users – who is logged in to the system
request system logout user username – forcibly log out a user
request message all message “log out now”

show system boot-messages – boot log

Interfaces/Hardware:

Display information about memory, CPU temperature, load and uptime:

show chassis routing-engine

To view the hardware and SFPs installed in a slot:

General hardware overview

show chassis hardware

Which FPCs are in use

show chassis fpc

To display details of the PIC installed in a slot:

show chassis pic pic-slot 0 fpc-slot 0

To see light levels for a fibre interface:

show interfaces diagnostics optics

Logging

#set system syslog file messages any info – to save all log messages to the file “messages”

show log messages | match LOGIN | match “Mar 16”
file list detail /var/log – equivalent of ls -al (to see permissions, etc.)
clear log messages – to clear the contents of the messages file

monitor start messages - live monitoring of messages file
monitor list
monitor stop – to stop all

For more detailed information about a process, under the process level:
#set traceoptions file filename world-readable
#set traceoptions flag all

help syslog – to show information about syslog messages

Security Policies
View security policy:

show security policies from-zone Proxy-DMZ to-zone Inside details

To check if traffic will pass through the security policies (useful when not able to generate traffic):

show security match-policies from-zone Outside to-zone Inside protocol xxx source-ip xxx source-port xxx destination-ip xxx destination-port xxxx

General Monitoring and troubleshooting

monitor traffic interface ge-0/0/0
monitor interface ge-0/0/0

monitor traffic interface ge-0/2/3 matching "proto 89" write-file ospf.cap – matches IP protocol 89 (OSPF) and writes it to ospf.cap
show security flow session ... options
show system statistics – all packet types statistics for a device

test policy

Routing

show route
show route terse – concise output with the following information: A (active), Destination, P (protocol), Prf (preference), Metric 1/2, Next-hop, AS Path
show route protocol [static|direct|ospf]

show route forwarding-table to see active routes in the forwarding table

Troubleshoot OSPF

show route protocol ospf

show ospf overview
show ospf interfaces
show ospf neighbor
show ospf database detail

show ospf neighbor [extensive]
clear ospf neighbor [192.168.254.225]

show ospf statistics

show ospf interface [extensive]

show ospf route [abr|asbr|extern]

show route protocol ospf

show ospf database [summary|brief]
show ospf database [router|network|netsummary|asbrsummary|extern|nssa]
show ospf database router advertising-router 10.0.3.3 detail
show ospf database router area 0 extensive
show ospf database area 0 lsa-id extensive
clear ospf database purge

show ospf log


show bgp summary
show bgp neighbor 1.1.1.1
show route advertising-protocol bgp 1.1.1.1
show route receive-protocol bgp 1.1.1.1

To find a range of prefixes in the routing table:

show route 200.10/18

show route terse - better routing output

Troubleshoot NAT

Source

show security nat source summary
show security nat source rule
show security nat source pool

Static

show security nat static rule

Destination

show security nat destination summary
show security nat destination pool
show security nat destination rule

show security flow session

Set a firewall filter to count packets (see further down)

Firewall

show firewall
show firewall log
clear firewall [all|filter-name|counter-name]
show interfaces filters
show interfaces policers
show policer


Set Firewall Filter to count packets through the SRX:

show interfaces ge-0/0/0

ge-0/0/0 {
    unit 0 {
        family inet {
            filter {
                input icmp-filter;
            }
            address 1.1.1.1/30;   ## This address was already set on the interface
        }
    }
}

show firewall family inet filter icmp-filter

icmp-filter {
    term 1 {   ## This is the main term which will count the packets.
        from {
            source-address 3.3.3.3;
            destination-address 1.1.1.1;
            protocol icmp;
        }
        then {
            count icmp-counter;   ## The icmp-counter will show the bytes/packets incrementing
            accept;   ## This will accept the packets if you don't want them to be dropped. You can use "drop" or "reject" and/or "log" here.
        }
    }
    term default {   ## This term will ensure that the other traffic is not affected.
        accept;
    }
}

Then the firewall filter stats can be checked with:

show firewall filter icmp-filter

Counter          Bytes     Packets
icmp-counter        84           1
Packet Flow

Monitor traffic targeting the interface (useful for ping, ssh, etc.)

monitor traffic interface ge-0/0/0 [extensive]

Display live sessions:

show security flow session [destination-port|destination-prefix|source-port|source-prefix] [extensive|brief|summary]

Create packet filter and capture packets:

http://kb.juniper.net/InfoCenter/index?page=content&id=KB11709

forwarding-options {
    /* Filename and file properties */
    packet-capture {
        file filename test_capture;
        maximum-capture-size 1000;
    }
}
firewall {
    /* Capture filter with action sample */
    filter CAPTURE_PCAP {
        term 1 {
            from {
                source-address {
                    1.1.1.1/32;
                }
                destination-address {
                    2.2.2.2/32;
                }
                destination-port 22;
            }
            then {
                sample;
                accept;
            }
        }
        term Allow_All {
            then accept;
        }
    }
}
interfaces {
    /* Apply the firewall filter on the desired interface for the input and output direction: */
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    output CAPTURE_PCAP;
                }
                address 172.16.46.121/24;
            }
        }
    }
}
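Snippets like the one above are usually pasted as `set` commands (`load set terminal`), and `show | display set` is how the device itself flattens a brace-style hierarchy. The following Python script is an added example, not from the original page or from Juniper: it converts a brace-style Junos configuration into the equivalent `set` lines so a capture or filter snippet can be reviewed line by line offline before it is loaded. It handles nested blocks, `/* ... */` comments, `##` annotations and single-statement leaves, and refuses unbalanced input (the usual symptom of a copy/paste mangling). It does not understand `inactive:`/`protect:` tags or bracketed `[ a b ]` lists, so the device's own `display set` remains the authority. The embedded sample is a shortened copy of the capture configuration above.

```python
"""Added example: flatten a brace-style Junos configuration into `set` lines."""
import re

# Constructed sample: a shortened copy of the packet-capture configuration above.
SAMPLE_CONFIG = """\
forwarding-options {
    /* Filename and file properties */
    packet-capture {
        file filename test_capture;
        maximum-capture-size 1000;
    }
}
firewall {
    filter CAPTURE_PCAP {
        term 1 {
            from {
                source-address {
                    1.1.1.1/32;
                }
                destination-port 22;
            }
            then {
                sample;
                accept;
            }
        }
        term Allow_All {
            then accept;
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                filter {
                    output CAPTURE_PCAP;
                }
                address 172.16.46.121/24;   ## already present on the interface
            }
        }
    }
}
"""


def strip_comments(text):
    """Remove /* ... */ blocks (possibly spanning lines) and trailing ## annotations."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"##.*", "", text)
    return text


def to_set_commands(config_text):
    """Return the list of `set ...` lines equivalent to the brace configuration.

    Raises ValueError on an unbalanced brace or an unrecognised line so that a
    damaged snippet is rejected instead of silently producing partial commands.
    """
    commands = []
    path = []   # current hierarchy, e.g. ["firewall", "filter CAPTURE_PCAP", "term 1"]
    for raw in strip_comments(config_text).splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            path.append(line[:-1].strip())        # open a nested block
        elif line == "}":
            if not path:
                raise ValueError("closing brace with no open block")
            path.pop()                            # close the innermost block
        elif line.endswith(";"):
            stmt = line[:-1].strip()              # leaf statement
            commands.append("set " + " ".join(path + [stmt]))
        else:
            raise ValueError(f"unexpected line: {line!r}")
    if path:
        raise ValueError("unterminated block(s): " + " / ".join(path))
    return commands


if __name__ == "__main__":
    for cmd in to_set_commands(SAMPLE_CONFIG):
        print(cmd)
```

A one-line leaf such as `then accept;` inside `term Allow_All` correctly becomes `set firewall filter CAPTURE_PCAP term Allow_All then accept`, and a bare value such as `1.1.1.1/32;` inside `source-address { }` becomes `... from source-address 1.1.1.1/32`, which is exactly what the device prints.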

The file can be found in /var/tmp and opened with Wireshark

file list /var/tmp/ | match test_capture*

On EX switches, mirror port traffic to a remote capture server:

set analyzer employee-monitor input ingress interface ge-0/0/0.0

/* optional sampling ratio – 1 of every 200 packets will be forwarded */

set analyzer employee-monitor ratio 200

set analyzer employee-monitor output interface ge-0/0/10.0

Alternatively the output can be a VLAN. The VLAN needs to be specified under vlans:

set vlans remote-analyzer vlan-id 999


Operational-mode flow session monitoring (requires Junos 12.1)

monitor security flow file tmp_test [files 2 size 100k match pattern]
monitor security flow filter temp_test_filter source-prefix 10.52.20.0/24 destination-prefix 10.75.0.1 destination-port 389 protocol tcp source-port 12354

show monitor security flow

monitor security flow start
monitor security flow stop

clear monitor security flow filter temp_test_filter

file delete /var/log/tmp_test

Tips

set cli timestamp
#set chassis alarm management-ethernet link-down ignore
show interfaces | match "(^Physical.* ge-)|(^Physical.*Up$)"
show version and haiku
Ctrl+R: search history of previous command
use # for the rest of the line in a script to be ignored
Use the save CLI pipe to save output to a local or remote file.
Type 'b' at the more prompt to go backwards one page.
Type '/' at the more prompt to search for a string in the rest of the output.
In configuration mode, type rollback ? to see when previous configurations were committed, and by whom.
In configuration mode, the status command displays who is editing the configuration and where in the hierarchy they are working.
In configuration mode, the delete command with no arguments will delete the entire configuration hierarchy under the current location.
show cli history
help tip cli
To move interface configuration: replace pattern ge-0/0/0 with ge-0/1/0

wildcard delete interfaces ge-0/0/[2-3]

Junos software contains default configurations in a hidden group named junos-defaults. To see them, use the show configuration groups junos-defaults command

test policy policy_name 1.1.1.1/12 – run a route through a policy

To see the changes made by a particular past commit:

show system commit – identify the commit you want to see (e.g. 2), and then
show system rollback compare 3 4

To see the default Junos preconfigured applications:

user@host> show configuration groups junos-defaults applications

How to capture packets and inspect them:
The command is monitor traffic interface irb.1 write-file ICMP.pcap.
“write-file” is a hidden command, so it does not appear with ? or Tab completion, but it is accepted if you type it in directly.

 


 

Basic hardware information and main commands

uptime : check the device uptime (days since the last boot)

TMOUT=0 : keep the device session alive
=> the unit is minutes; entering 0 removes the time limit

top : check the IPS's current CPU usage

cat /proc/cpuinfo : check the IPS's CPU information

df -h : check the IPS's current disk usage

free : check the IPS's current memory capacity

cat /proc/meminfo : check the IPS's current memory usage

ps -ef : check the processes currently running

lsmod : check whether the daemon is active or inactive
=> on a 2-segment IPS, a NIC value of 8 means the daemon is active; 0 means it is inactive

init 0 : power the device off

init 6 : reboot the device

After changing to the /home1/sniper/sniper directory:
./sniper : turn the device daemon ON/OFF
./sniper -v : check the current IPS version
./sniper -O : check the current IPS SSL version

Traffic

After changing to the /home1/sniper/sniper directory:
./isconfig or ./wgconfig
=> which command applies depends on the device's NIC
=> shows in/out traffic, interface errors and the count of packets dropped by policy
./isconfig | grep error
=> during an inspection, sort by the error values to check for anomalies

Config backup

After changing to the /home1/sniper directory:
cp -rfp config config_YYMMDD : copy the config directory
tar -cvzf config_YYMMDD.tar.gz config_YYMMDD : compress the copy
mv config_YYMMDD.tar.gz /backup : move the compressed config to the /backup directory

Log check

cat /var/log/messages : view all IPS log entries

After changing to /var/log:
tail -n N messages : show the N most recent log lines
=> e.g. tail -n 100 messages shows the 100 most recent log messages

dmesg : check the device boot log

Miscellaneous

#df -h
#more /home1/sniper/config/sniper.dat -> product S/N and license information
#more /home1/sniper/config/sniper.cfg -> various operational settings
#sniper_network.sh
#ps -ef | grep sniper
#netstat -na
#cd /home1/sniper/sniper -> #./skill sniper
#cd /home1/sniper/sniper -> #./sniper
#cd /home1/sniper/sniper -> #./nic_setup.sh
#cd /home1/sniper/sniper -> #./wgconfig

WD -i eth0 -s 1600 -w packet.pcap -> capture packets on the management port

tcpdump -i eth0 -s 1600 -w filename.pcap -> packet dump

auto_create_partition.sh -> after replacing a failed HDD, use this script to set up the partitions automatically

config_gather -> collect configuration information (results are saved as txt files under /backup/Config_Gathering/)

#lspci -> check the installed NIC information

more /home1/sniper/sniper/is_insmode.sh_ -> mode/speed etc.

more /home1/sniper/sniper/sn_insmode.sh_

#/home1/sniper/sniper/sniper -v

rm -rf /home1/sniper/config/master.dat -> then restart the Sniper daemon; used when the administrator cannot log in

sniper_network.sh eth1

 

 


SRX configuration (CLI)

Check the configuration (operational mode)
show configuration | display set | match “string or number to find”

Add an address (configure mode)

set security zones security-zone untrust address-book address 222_231_7_233 222.231.7.233/32
set security zones security-zone trust address-book address 2_2_2_2 2.2.2.2/32

Add an address group (configure mode)

set security zones security-zone untrust address-book address-set 222_231_7_233/222_231_7_234 address 222_231_7_233
set security zones security-zone untrust address-book address-set 222_231_7_233/222_231_7_234 address 218_50_1_87

Remove an entry from an address group (delete only a specific IP from the group)

delete security zones security-zone untrust address-book address-set 1_1_1_1/2_2_2_2 address 1_1_1_1

Add a scheduler (configure mode)

set schedulers scheduler 2014_07_31_23_59 start-date 2012-08-24.00:00 stop-date 2014-07-31.23:59

Add a service (application)

#set applications application tcp_3659 term tcp_3659 protocol tcp
#set applications application tcp_3659 term tcp_3659 source-port 1024-65535
#set applications application tcp_3659 term tcp_3659 destination-port 3659-3659

Add a service group (application-set)

#set applications application-set ping_tcp_3659 application junos-ping
#set applications application-set ping_tcp_3659 application tcp_3659

Add a policy (configure mode)

set security policies from-zone untrust to-zone trust policy 120824001 match source-address 61_110_18_122
set security policies from-zone untrust to-zone trust policy 120824001 match destination-address 121_254_132_198
set security policies from-zone untrust to-zone trust policy 120824001 match application http_8080
set security policies from-zone untrust to-zone trust policy 120824001 then permit
set security policies from-zone untrust to-zone trust policy 120824001 then log session-close
set security policies from-zone untrust to-zone trust policy 120824001 scheduler-name 2014_07_31_23_59

Change policy order (configure mode)

insert security policies from-zone untrust to-zone trust policy 130115001 before policy 706 (inbound)

Check policy order (operational mode)

show security policies from-zone untrust to-zone trust
show security policies from-zone trust to-zone untrust

List policies

op policy.xml

Add source NAT (configure mode)

set security nat source rule-set rs_1 to zone untrust --> applied when the rule-set is first created
set security nat source rule-set rs_1 rule rule_14 match source-address 172.30.148.0/24
set security nat source rule-set rs_1 rule rule_14 then source-nat pool pool_14
set security nat source pool pool_14 address 117.52.15.148/32

Add destination NAT (configure mode)

set security nat destination rule-set dnat_1 from zone untrust
set security nat destination rule-set dnat_1 rule dnat_rule_1 match destination-address 123.123.123.123/32
set security nat destination rule-set dnat_1 rule dnat_rule_1 then destination-nat pool dpool_1
set security nat destination pool dpool_1 address 192.168.10.50/32

Destination NAT with port (port forwarding)

set security nat destination pool dpool_1 address 192.168.10.50/32
set security nat destination pool dpool_1 address port 80
set security nat destination rule-set dnat_1 from zone untrust
set security nat destination rule-set dnat_1 rule dnat_rule_1 match destination-address 123.123.123.123/32
set security nat destination rule-set dnat_1 rule dnat_rule_1 match destination-port 33890
set security nat destination rule-set dnat_1 rule dnat_rule_1 then destination-nat pool dpool_1

Add a route (configure mode)

set routing-options static route 172.30.148.0/24 next-hop 172.16.20.113

Check sessions

show security flow session source-prefix <IP address>
show security flow session destination-prefix <IP address>
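Both the "Display live sessions" note in the troubleshooting section above and the session check here end with raw `show security flow session` output, which on a busy SRX runs to thousands of lines. The following Python script is an added example, not from the original page or from Juniper: it parses that output into per-session records (the In wing is client to server, the Out wing the reverse), then summarises sessions and bytes by client address, ranks the top talkers, and lists the sessions aimed at one destination port, which is the first thing to check when a policy such as the one above matches more than expected. The sample is constructed in the shape of SRX flow-session output; field order on a real device can vary by release, so the wing regex keys only on the stable `src/port --> dst/port;proto ... Pkts: N, Bytes: N` pieces.

```python
"""Added example: summarise `show security flow session` output by client address."""
import re
from collections import defaultdict

# Constructed sample in the shape of SRX flow-session output (three sessions).
SAMPLE_SESSIONS = """\
Session ID: 10001, Policy name: 120824001/4, Timeout: 1794, Valid
  In: 61.110.18.122/51234 --> 121.254.132.198/8080;tcp, If: ge-0/0/0.0, Pkts: 12, Bytes: 1480,
  Out: 121.254.132.198/8080 --> 61.110.18.122/51234;tcp, If: ge-0/0/1.0, Pkts: 9, Bytes: 2210,
Session ID: 10002, Policy name: 120824001/4, Timeout: 1800, Valid
  In: 61.110.18.122/51240 --> 121.254.132.198/8080;tcp, If: ge-0/0/0.0, Pkts: 5, Bytes: 600,
  Out: 121.254.132.198/8080 --> 61.110.18.122/51240;tcp, If: ge-0/0/1.0, Pkts: 4, Bytes: 300,
Session ID: 10003, Policy name: 130115001/7, Timeout: 1620, Valid
  In: 10.52.20.7/12354 --> 10.75.0.1/389;tcp, If: ge-0/0/2.0, Pkts: 20, Bytes: 2000,
  Out: 10.75.0.1/389 --> 10.52.20.7/12354;tcp, If: ge-0/0/3.0, Pkts: 18, Bytes: 5000,
Total sessions: 3
"""

SESSION_RE = re.compile(
    r"^Session ID: (?P<id>\d+), Policy name: (?P<policy>\S+), Timeout: (?P<timeout>\d+)")
WING_RE = re.compile(
    r"^\s+(?P<dir>In|Out): (?P<src>[\d.]+)/(?P<sport>\d+) --> (?P<dst>[\d.]+)/(?P<dport>\d+);(?P<proto>\w+)"
    r".*Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)")


def parse_sessions(text):
    """Return a list of session dicts, each with "In" and "Out" wing dicts when present."""
    sessions = []
    current = None
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            current = {"id": int(m["id"]), "policy": m["policy"], "timeout": int(m["timeout"])}
            sessions.append(current)
            continue
        w = WING_RE.match(line)
        if w and current is not None:
            current[w["dir"]] = {
                "src": w["src"], "sport": int(w["sport"]),
                "dst": w["dst"], "dport": int(w["dport"]),
                "proto": w["proto"], "pkts": int(w["pkts"]), "bytes": int(w["bytes"]),
            }
    return sessions


def by_source(sessions):
    """{client address: (session count, total bytes in both directions)}."""
    totals = defaultdict(lambda: [0, 0])
    for s in sessions:
        if "In" not in s:
            continue                         # session without a parsed client wing
        src = s["In"]["src"]
        totals[src][0] += 1
        totals[src][1] += s["In"]["bytes"] + s.get("Out", {}).get("bytes", 0)
    return {src: tuple(v) for src, v in totals.items()}


def top_talkers(sessions, n=3):
    """Top n client addresses by total bytes, as (address, sessions, bytes) tuples."""
    ranked = sorted(by_source(sessions).items(), key=lambda kv: kv[1][1], reverse=True)
    return [(src, cnt, total) for src, (cnt, total) in ranked[:n]]


def sessions_to_port(sessions, dport, proto="tcp"):
    """IDs of sessions whose client wing targets the given destination port/protocol."""
    return [s["id"] for s in sessions
            if "In" in s and s["In"]["dport"] == dport and s["In"]["proto"] == proto]


if __name__ == "__main__":
    sess = parse_sessions(SAMPLE_SESSIONS)
    print("sessions parsed:", len(sess))
    for src, cnt, total in top_talkers(sess):
        print(f"{src}: {cnt} sessions, {total} bytes")
    print("sessions to tcp/389:", sessions_to_port(sess, 389))
```

On a real device, pipe the command through `| no-more` before copying, so the output is not truncated at a `---(more)---` prompt.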


  • After checking the configuration to be added with show | compare, verify with commit check that it loads correctly, and only then apply it with commit!
    #show | compare
    #commit check
    #commit
    #exit

 

 

admin@PA-VM> configure
admin@PA-VM# set deviceconfig system ip-address 192.168.200.63 netmask 255.255.255.0 default-gateway 192.168.200.254 dns-setting servers primary 8.8.8.8

If you have ever worked on any Juniper box with the JUNOS CLI, you will feel at home when working on a Palo Alto firewall appliance.

Operational Mode and Configuration Modes

username@hostname> (Operational mode)

username@hostname> configure

Entering configuration mode

[edit]

username@hostname# (Configuration mode)

Moving between Modes

up – changes the context to one level up in the hierarchy.

Example:

[edit network interface] (network interface level)

username@hostname# up

[edit network]

username@hostname# (now at the network level)

top – changes the context to the top level of the hierarchy.

Example:

[edit network interface vlan] (network interface vlan level)

username@hostname# top

[edit]

username@hostname# (now at the top level)

Changing modes

username@hostname# exit

Software Version, Mgmt Address etc.

admin@PA-VM> show system info

Grep/Match

admin@PA-VM> show system info | match model

model: PA-VM

Find commands containing a given keyword

username@hostname# find command keyword hsm

Restart Appliance

> request restart system

Show Configuration Hierarchy

username@hostname# show network interface ethernet

ethernet {
  ethernet1/1 {
    virtual-wire;
  }
  ethernet1/2 {
    virtual-wire;
  }
  ethernet1/3 {
    layer2 {
      units {
        ethernet1/3.1;
      }
    }
  }
  ethernet1/4;
}

[edit]

username@hostname#

Configure an IP Address on a given Port

Assign IP address/netmask 10.1.1.12/24 to the Layer 3 interface for Ethernet port ethernet1/4:

[edit]

username@hostname# set network interface ethernet ethernet1/4 layer3 ip 10.1.1.12/24

Check pending changes (uncommitted)

username@hostname# check pending-changes

Save a snapshot of the firewall configuration or the device state files

username@hostname# save config to savefile

Get HW Address of Interfaces

show system state | match hwaddr

Routing Table

> show routing route

Show running-configuration

admin@PA-VM# show

Logs

admin@PA-VM> less mp-log ? (you will see all possible logs)

Packet Capture:

admin@PA-VM> debug dataplane packet-diag set log on

admin@PA-VM> debug dataplane packet-diag set filter on

admin@PA-VM> debug dataplane packet-diag set filter match source <ip address>

Removing Filters

If the setting command shows two filters configured and we want to remove one of them, we can use

admin@PA-VM> debug dataplane packet-diag clear filter <filter number>

Export pcap file

scp export filter-pcap from <file> to <SCP_serv>

Viewing Packets Hitting the Filter in live mode

admin@PA-VM> view-pcap follow yes filter-pcap test1_capture

Show Packet Capture Setting

admin@PA-VM> debug dataplane packet-diag show setting

Management Traffic Capture:

The management interface is eth0

admin@PA-VM> tcpdump filter "dst 49.0.0.254"

Press Ctrl-C to stop capturing

tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes

^C

11 packets captured

22 packets received by filter

0 packets dropped by kernel

admin@PA-VM> tcpdump filter "dst 49.0.0.254"

admin@PA-VM> view-pcap mgmt-pcap mgmt.pcap

Show all Sessions

> show session all

Here is the Foundry Command Reference Guide.


FoundryCommandReference.pdf