Juniper Firewall Basic commands

Juniper Firewall Basic commands

If you like to start working on a hardware firewall I would like to add one thing that your start working on UNIX firewall and make a sound practice of the commands and tricks. Juniper Firewall Basic commands are very much similar to it. If you have a better idea of the UNIX commands and know how to issue a command in UNIX command line then its just a piece of cake to use any firewall of the world. One thing about Juniper firewall is that its totally FreeBSD based firewall so its really easy to start working on it if you know FreeBSD or any other flavor of UNIX. A few days ago one of my client was having some problem with his firewall and I was given the task to look into this matter. I never worked on a hardware firewall from Juniper not even on a router provided by Juniper networks but when I started working, it was not very much difficult to find any data, commands and books about the Juniper networks. Before I logged in, I searched for basic Juniper commands from the web and found on the Juniper website easily in just few minutes and in the very next moment I started working on the firewall. There was nothing unfamiliar to work on a Juniper firewall as I did worked on a FreeBSD firewall.

I know that I am not sharing anything new about Juniper firewall but perhaps someone find these commands useful. These are very basic, simple and easy to follow commands as you can find basic Linux and UNIX commands but they might not work on every Juniper equipment so please visit the juniper website for a detailed command list. I will try to share a book about juniper firewalls and routers later.


get counter statistics Show interface statistics (CRC errors etc)
get interface trust port phy Show physical ports for a certain zone
get driver phy Show all link states of interfaces
get counter statistics interface ethernet3 Show hardware stats on interface
set interface [interface] no-subnet-conflict-check Allows you to configure multiple interfaces in the same IP broadcast domain.

Current Settings / Values

get envar get environment variable
get config get device configuration
get system get system information
get arp get arp cache
get route get routing table
get system | i Box get port-mode
get alg h323 counters get the ALG counters
get alg get status of ALGs (disabled or enabled)
get sys-cfg get default settings for the device
get sys scale get basic system limits
get debug get currently enabled debug level
get tcp get system socket information


get mip get mip (nat)
get vip get vip (nat)
get nat cookie get show nat cookies
Statistics / Performance
Command Description
get perf cpu detail get cpu performance
get session info get load on firewall
get counter flow Show flow stats (fragmentation etc)
get counter screen Show screen stats (SYN Floods etc)


clear ike-cookie [gateway ip] clear ike cookies
clear sa [id] clear sa
get vpn show vpns
Command Description
get nsrp cluster Show cluster info
get nsrp monitor Show list of monitored interfaces
get nsrp vsd id 0 Show VSD id 0
get counters ha Show HA interface hardware counters
exec nsrp sync global-config check-sum Allows you to see if the cluster configs are syncronised
exec nsrp sync global save Sync’s the nodes.A reboot is required to complete the update.
exec nsrp vsd-group 0 mode Fails over the cluster. Run this command on the Master node.


set interface ethernet0/1 igmp router enable IGMP on interface eth0/1
get vrouter trust-vr protocol pim get the multicast sources visible to your ScreenOS device


set exec port-mode set the port mode
set flow tcp-mss 1460 sets the MSS