Juniper Firewall Basic commands
If you want to start working on a hardware firewall, my advice is to start on a UNIX firewall first and get a sound practice of its commands and tricks; Juniper firewall basics are very similar. If you have a good grasp of UNIX commands and know how to work on a UNIX command line, using any firewall in the world is a piece of cake. One thing to know about Juniper: Junos, the operating system on Juniper's routers and SRX firewalls, is FreeBSD-based, so it is easy to get started with if you know FreeBSD or any other flavor of UNIX. The commands listed below, however, are ScreenOS syntax (the NetScreen/SSG firewall line), which is a separate operating system with its own get/set/exec CLI rather than a UNIX shell, so do not expect a FreeBSD prompt on those boxes. A few days ago one of my clients was having a problem with his firewall and I was given the task of looking into it. I had never worked on a hardware firewall from Juniper, not even on a Juniper router, but once I started it was not very difficult to find data, commands and books about Juniper Networks. Before I logged in I searched the web for basic Juniper commands, found them on the Juniper website in a few minutes, and the next moment I was working on the firewall. Nothing felt unfamiliar, as I had worked on a FreeBSD firewall before.
I know I am not sharing anything new about Juniper firewalls, but perhaps someone will find these commands useful. They are very basic, simple and easy to follow, like basic Linux and UNIX commands, but they might not work on every Juniper device (syntax differs between ScreenOS releases and platforms), so please visit the Juniper website for a detailed command list. I will try to share a book about Juniper firewalls and routers later.
Interface

Command | Description
--- | ---
get counter statistics | Show interface statistics (CRC errors etc.)
get interface trust port phy | Show the physical ports bound to a given zone
get driver phy | Show the link state of all interfaces
get counter statistics interface ethernet3 | Show hardware statistics for one interface
set interface [interface] no-subnet-conflict-check | Allow multiple interfaces to be configured in the same IP broadcast domain
Current Settings / Values

Command | Description
--- | ---
get envar | Show environment variables (boot-time settings)
get config | Show the running device configuration
get system | Show system information (version, hardware, uptime)
get arp | Show the ARP cache
get route | Show the routing table
get system \| i Box | Show the port mode (`\| i` filters the `get system` output for matching lines)
get alg h323 counters | Show the H.323 ALG counters
get alg | Show the status of each ALG (enabled or disabled)
get sys-cfg | Show the default settings for the device
get sys scale | Show basic system limits
get debug | Show the currently enabled debug level
get tcp | Show system socket information
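Since the commands above are mostly read-only `get` commands, the obvious next step is to feed the output of `get config` into something that checks it. The script below is an added example (mine, not code from the original page or from Juniper) that parses a ScreenOS-style `get config` dump and flags any-to-any permit policies from the untrust zone, management services enabled on untrust-zone interfaces (telnet and web being cleartext), and permit policies that do not log. The sample configuration is constructed for illustration, and the regular expressions assume the `set policy id ... from "zone" to "zone" "src" "dst" "service" action` and `set interface ... manage service` line shapes of ScreenOS; check them against the `get config` output of your own device before relying on the results.

```python
"""Audit a ScreenOS ``get config`` dump for risky settings (added example)."""
import re

# Constructed sample of ``get config`` output; not captured from a real device.
SAMPLE_CONFIG = """\
set interface "ethernet0/0" zone "Untrust"
set interface ethernet0/0 ip 203.0.113.2/24
set interface ethernet0/0 manage telnet
set interface ethernet0/0 manage ssh
set interface "ethernet0/1" zone "Trust"
set interface ethernet0/1 ip 10.0.0.1/24
set interface ethernet0/1 manage ssh
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
set policy id 3 from "Untrust" to "Trust"  "Any" "Web-Server" "HTTP" permit log
set policy id 4 from "Untrust" to "Trust"  "Any" "Any" "ANY" deny log
"""

# Line shapes assumed from ScreenOS syntax; optional quotes and an optional
# policy name are tolerated because ``get config`` output varies by release.
POLICY_RE = re.compile(
    r'^set\s+policy\s+id\s+(?P<id>\d+)\s+(?:name\s+"[^"]*"\s+)?'
    r'from\s+"(?P<src_zone>[^"]+)"\s+to\s+"(?P<dst_zone>[^"]+)"'
    r'\s+"(?P<src>[^"]+)"\s+"(?P<dst>[^"]+)"\s+"(?P<svc>[^"]+)"'
    r'\s+(?P<action>permit|deny|reject)(?P<rest>.*)$'
)
ZONE_RE = re.compile(r'^set\s+interface\s+"?(?P<ifname>[^"\s]+)"?\s+zone\s+"?(?P<zone>[^"\s]+)"?$')
MANAGE_RE = re.compile(r'^set\s+interface\s+"?(?P<ifname>[^"\s]+)"?\s+manage\s+(?P<svc>\S+)$')

CLEARTEXT_MGMT = {"telnet", "web"}   # credentials cross the wire unencrypted


def parse_config(text):
    """Return (policies, zones, manage) parsed from a config dump.

    policies: list of dicts with id, zones, addresses, service, action, log
    zones:    interface name -> zone name (lower-cased)
    manage:   list of (interface name, management service)
    """
    policies, zones, manage = [], {}, []
    for line in text.splitlines():
        line = line.strip()
        if m := POLICY_RE.match(line):
            p = m.groupdict()
            p["id"] = int(p["id"])
            p["log"] = "log" in p.pop("rest").split()   # "permit log" vs "permit"
            policies.append(p)
        elif m := ZONE_RE.match(line):
            zones[m["ifname"]] = m["zone"].lower()
        elif m := MANAGE_RE.match(line):
            manage.append((m["ifname"], m["svc"]))
    return policies, zones, manage


def open_permits(policies, from_zone="untrust"):
    """Ids of policies that permit Any -> Any on service ANY from ``from_zone``."""
    return [p["id"] for p in policies
            if p["action"] == "permit" and p["src_zone"].lower() == from_zone
            and p["src"] == "Any" and p["dst"] == "Any" and p["svc"] == "ANY"]


def untrust_management(zones, manage, zone="untrust"):
    """(interface, service, is_cleartext) for management enabled on ``zone`` interfaces."""
    return [(ifname, svc, svc in CLEARTEXT_MGMT)
            for ifname, svc in manage if zones.get(ifname) == zone]


def audit(text):
    """Run all checks over a config dump and return the findings."""
    policies, zones, manage = parse_config(text)
    return {
        "open_permits": open_permits(policies),
        "untrust_management": untrust_management(zones, manage),
        "unlogged_permits": [p["id"] for p in policies
                             if p["action"] == "permit" and not p["log"]],
    }


if __name__ == "__main__":
    for finding, value in audit(SAMPLE_CONFIG).items():
        print(f"{finding}: {value}")
```

On the sample, policy 2 is reported as an open permit from Untrust, ethernet0/0 is reported for both telnet (cleartext) and ssh management because it sits in the Untrust zone, and policies 1 and 2 are reported as permits without logging. Pipe a real `get config` capture into `audit()` instead of the sample once you have confirmed the line shapes match your release.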
NAT

Command | Description
--- | ---
get mip | Show mapped IPs (MIP, one-to-one static NAT)
get vip | Show virtual IPs (VIP, port-based NAT)
get nat cookie | Show NAT cookies
Statistics / Performance

Command | Description
--- | ---
get perf cpu detail | Show CPU utilisation
get session info | Show session table usage (allocated vs. maximum sessions), i.e. the load on the firewall
get counter flow | Show flow statistics (fragmentation etc.)
get counter screen | Show screen statistics (SYN floods etc.)
VPN

Command | Description
--- | ---
clear ike-cookie [gateway ip] | Clear the IKE cookies for a gateway (tears down phase 1 so it renegotiates)
clear sa [id] | Clear a security association
get vpn | Show configured VPNs
NSRP

Command | Description
--- | ---
get nsrp cluster | Show cluster info
get nsrp monitor | Show the list of monitored interfaces
get nsrp vsd id 0 | Show VSD group 0
get counter ha | Show HA interface hardware counters
exec nsrp sync global-config check-sum | Check whether the cluster members' configurations are synchronised
exec nsrp sync global-config save | Sync the configuration from the peer and save it; a reboot is required to complete the update
exec nsrp vsd-group id 0 mode backup | Fail over the cluster by forcing VSD group 0 on this unit into backup; run it on the master node
IGMP

Command | Description
--- | ---
set interface ethernet0/1 igmp router | Enable IGMP (router mode) on interface ethernet0/1
get vrouter trust-vr protocol pim | Show PIM information for trust-vr (the multicast sources visible to the ScreenOS device)
Misc

Command | Description
--- | ---
set exec port-mode | Set the port mode
set flow tcp-mss 1460 | Clamp the TCP MSS to 1460 bytes for traffic through VPN tunnels (use `set flow all-tcp-mss` to clamp all TCP traffic)