Overview
This series of posts goes over a number of useful Junos SRX commands, all CLI. I’ve looked at JWeb, I don’t find it as easy to use, or as fast. Most of the time, speed isn’t the most important aspect, but the faster you get one task completed, the faster you move on to the next thing.
View session information:
louisk@srx.cmhome> show security flow session summary
Unicast-sessions: 134
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 134
  Valid sessions: 134
  Pending sessions: 0
  Invalidated sessions: 0
  Sessions in other states: 0
Maximum-sessions: 409600

louisk@srx.cmhome>
Clear sessions through the firewall (note that if you aren’t connected via a management interface, this will disconnect your login session):
louisk@srx.cmhome> clear security flow session all
This command may terminate the current session too.
Continue? [yes,no] (no) yes
Switch to the other node in a cluster via the CLI (over the HA link):
louisk@srx.cmhome> request routing-engine login node 1
View the config in set commands instead of the default hierarchy view:
louisk@srx.cmhome> show configuration | display set
Setting up the session log file from the CLI (the file name matters: the same name is used with monitor start below):
[edit]
louisk@srx.cmhome# set system syslog file policy_session user info
louisk@srx.cmhome# set system syslog file policy_session match RT_FLOW
louisk@srx.cmhome# set system syslog file policy_session archive size 1000k
louisk@srx.cmhome# set system syslog file policy_session archive world-readable
louisk@srx.cmhome# set system syslog file policy_session structured-data
Load the set commands through the CLI. After pasting them, press CTRL-D to end the input. A commit is still needed to apply the changes.
[edit]
louisk@srx.cmhome# load set terminal
<paste the set commands>
<CTRL-D to end>
Monitor activity from the CLI (assuming that you have configured the logging part above):
louisk@srx.cmhome> monitor start policy_session
This starts scrolling the log in real time on the screen. To stop it, enter the following (while your screen still looks like a mess from the scrolling log output):
louisk@srx.cmhome> monitor stop
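The policy_session file above collects RT_FLOW events in Junos structured-data (RFC 5424) format, which is what you see scrolling past with monitor start. The parser below is an added example, not part of the original post, that splits those lines into fields and summarises session creates and denies; the sample log lines, host name, addresses and session ids are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of RT_FLOW events in the structured-data format the
# policy_session file receives (match RT_FLOW, structured-data). Host, addresses,
# ports, policy names and session ids are made up for this example.
SAMPLE_LOG = """\
<14>1 2018-11-03T20:33:11.123Z srx.cmhome RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.39 source-address="192.168.0.2" source-port="51234" destination-address="10.10.2.21" destination-port="22" service-name="junos-ssh" protocol-id="6" policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="20252"]
<14>1 2018-11-03T20:33:12.456Z srx.cmhome RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address="192.168.0.2" source-port="51235" destination-address="10.10.2.21" destination-port="23" service-name="junos-telnet" protocol-id="6" policy-name="default-deny" source-zone-name="trust" destination-zone-name="untrust"]
<14>1 2018-11-03T20:33:40.789Z srx.cmhome RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason="TCP FIN" source-address="192.168.0.2" source-port="51234" destination-address="10.10.2.21" destination-port="22" service-name="junos-ssh" policy-name="trust-to-untrust" session-id-32="20252" elapsed-time="29"]
"""

# Header layout: <pri>version timestamp host RT_FLOW - event [junos@<oid> key="value" ...]
SD_LINE = re.compile(
    r'^<\d+>\d+ (?P<ts>\S+) (?P<host>\S+) RT_FLOW - (?P<event>RT_FLOW_\S+) '
    r'\[junos@[\d.]+ (?P<params>.*)\]$'
)
PARAM = re.compile(r'([\w-]+)="([^"]*)"')


def parse_rt_flow(line):
    """Return header fields plus every key="value" parameter, or None if the line is not an RT_FLOW event."""
    m = SD_LINE.match(line.strip())
    if not m:
        return None
    event = {"timestamp": m["ts"], "host": m["host"], "event": m["event"]}
    event.update(PARAM.findall(m["params"]))  # list of (key, value) pairs
    return event


def summarise(log_text):
    """Count sessions created per policy and denies per (source address, destination port)."""
    events = [e for e in map(parse_rt_flow, log_text.splitlines()) if e]
    created = Counter(e["policy-name"] for e in events if e["event"] == "RT_FLOW_SESSION_CREATE")
    denied = Counter((e["source-address"], e["destination-port"])
                     for e in events if e["event"] == "RT_FLOW_SESSION_DENY")
    return {"events": len(events), "created_by_policy": created, "denied_by_src_dport": denied}


if __name__ == "__main__":
    for name, value in summarise(SAMPLE_LOG).items():
        print(name, dict(value) if isinstance(value, Counter) else value)
```

Feed it the archived policy_session file instead of the sample to get the same counts for a real day of traffic.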
Replace strings in your config (e.g. globally change an IP address which is used several times):
[edit]
louisk@srx.cmhome# replace pattern 192.168.0.1 with 192.168.1.1
View the changes before you commit the configuration:
[edit]
louisk@srx.cmhome# show | compare
Save the rescue configuration (clearing the alarm LED on the device):
louisk@srx.cmhome> request system configuration rescue save
Restore the rescue configuration:
[edit]
louisk@srx.cmhome# rollback rescue
load complete

[edit]
louisk@srx.cmhome# commit
Let's start with modes: Junos has two modes, operational mode and configuration mode. Operational mode is identified by the “>” sign and allows you to execute show and other troubleshooting commands; configuration mode is identified by the “#” sign.
louisk@srx.cmhome> configure
Entering configuration mode

[edit]
louisk@srx.cmhome# exit
Exiting configuration mode

louisk@srx.cmhome>
There is also a C shell, available only to the root user (most commonly seen when you access the device via the serial console). If you log in as root on a Juniper device (make sure this is not allowed remotely), a “%” sign appears, indicating that you are currently in the C shell:
root@srx.cmhome%
Now let's start with operational mode commands. Show interfaces, protocols, link state and IP addresses:
louisk@srx.cmhome> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
fe-0/0/0                up    up
fe-0/0/0.0              up    up   inet     192.168.0.1/30
                                   inet6    2001:db8:ca7::1/64
                                            fe80::3e8a:b0ff:fea8:c900/64
gr-0/0/0                up    up
ip-0/0/0                up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet     10.0.0.1              --> 10.0.0.16
                                            10.0.0.6              --> 0/0
                                            128.0.0.1             --> 128.0.1.16
                                            128.0.0.6             --> 0/0
fe-0/0/1                down  down
fe-0/0/2                down  down
fe-0/0/3                down  down
fe-0/0/4                down  down
fe-0/0/5                down  down
fe-0/0/6                down  down
fe-0/0/7                up    up
fe-0/0/7.0              up    up   inet     10.10.2.20/30
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.0                   up    up   inet
lo0.16384               up    up   inet     127.0.0.1             --> 0/0
lo0.16385               up    up   inet     10.0.0.1              --> 0/0
                                            10.0.0.16             --> 0/0
                                            128.0.0.1             --> 0/0
                                            128.0.0.4             --> 0/0
                                            128.0.1.16            --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up

louisk@srx.cmhome>
View the current date/time and system uptime:
louisk@srx.cmhome> show system uptime
Current time: 2018-11-03 20:33:11 UTC
System booted: 2018-11-03 17:55:11 UTC (02:38:00 ago)
Protocols started: 2018-11-03 18:00:28 UTC (02:32:43 ago)
Last configured: 2018-11-03 17:58:43 UTC (02:34:28 ago) by root
 8:33PM  up 2:38, 3 users, load averages: 0.30, 0.21, 0.13

louisk@srx.cmhome>
To adjust the date/time on your Juniper box, use the set date command:
louisk@srx.cmhome> set date ?
Possible completions:
  <time>               New date and time (YYYYMMDDhhmm.ss)
  ntp                  Set system date and time using Network Time Protocol servers
louisk@srx.cmhome>
Show logged-in users:
louisk@srx.cmhome> show system users
 8:34PM  up 2:39, 3 users, load averages: 0.12, 0.17, 0.12
USER     TTY      FROM              LOGIN@  IDLE WHAT
louisk   p0       192.168.11.126    6:02PM  2:29 -cli (cli)
louisk   p1       mpro              8:24PM     8 -cli (cli)
louisk   p2       mpro              8:26PM     - -cli (cli)

louisk@srx.cmhome>
If you want to log out a user, use:
louisk@srx.cmhome> request system logout ?
Possible completions:
  <[Enter]>            Execute this command
  all                  Logout all sessions owned by user
  pid                  Management process ID for user
  terminal             Terminal user is logged in to
  user                 Name of user
  |                    Pipe through a command
louisk@srx.cmhome> request system logout
Show disk usage:
louisk@srx.cmhome> show system storage
Filesystem      Size  Used  Avail  Capacity  Mounted on
/dev/da0s1a     610M  179M   382M       32%  /
devfs           1.0K  1.0K     0B      100%  /dev
/dev/md0         20M  6.2M    12M       34%  /junos
/cf/packages    610M  179M   382M       32%  /junos/cf/packages
devfs           1.0K  1.0K     0B      100%  /junos/cf/dev
/dev/md1        526M  526M     0B      100%  /junos
/cf              20M  6.2M    12M       34%  /junos/cf
devfs           1.0K  1.0K     0B      100%  /junos/dev/
/cf/packages    610M  179M   382M       32%  /junos/cf/packages1
procfs          4.0K  4.0K     0B      100%  /proc
/dev/bo0s3e      46M  146K    42M        0%  /config
/dev/bo0s3f     618M   37M   531M        7%  /cf/var
/dev/md2        336M   21M   288M        7%  /mfs
/cf/var/jail    618M   37M   531M        7%  /jail/var
/cf/var/log     618M   37M   531M        7%  /jail/var/log
devfs           1.0K  1.0K     0B      100%  /jail/dev
/dev/md3         63M  4.0K    58M        0%  /mfs/var/run/utm
/dev/md4        1.8M  4.0K   1.7M        0%  /jail/mfs

louisk@srx.cmhome>
To view hardware details, alarms, environment status and much more, use:
louisk@srx.cmhome> show chassis ?
Possible completions:
  alarms               Show alarm status
  cluster              Show chassis cluster information
  craft-interface      Show craft interface status
  environment          Show component status and temperature, cooling system speeds
  firmware             Show firmware and operating system version for components
  forwarding           Show forwarding process (fwdd) status
  fpc                  Show Flexible PIC Concentrator status
  hardware             Show installed hardware components
  location             Show physical location of chassis
  mac-addresses        Show media access control addresses
  pic                  Show Physical Interface Card state, type, and uptime
  realtime-ukern-thread  Show ukernel realtime thread assignment status
  routing-engine       Show Routing Engine status
  temperature-thresholds  Show chassis temperature threshold settings
  usb                  Show chassis USB status
louisk@srx.cmhome> show chassis
In operational mode, show commands can be suffixed with the following options:
- terse
- brief
- detail
- extensive
As you can guess from the names, these control the amount of command output.
Another couple of useful commands are restart and request. As the name suggests, restart is used to restart processes such as routing, the DHCP server, etc. Junos follows a traditional UNIX (FreeBSD) approach, so restarting one particular process does not impact other processes or services. request is used for maintenance tasks such as software upgrades, reboots, tests, etc.
Let's look at configuration mode now. First of all, keep in mind that the commands you type do not affect the device until you enter the commit command. The configuration is checked first, and if there are errors, the commit fails. Navigation in configuration mode is pretty simple: the edit command enters a specific hierarchy, such as protocols, chassis, or whatever. The up command moves to upper levels (plain up goes one level up; up N goes N levels up). The top command takes you to the top of the configuration hierarchy.
louisk@srx.cmhome# edit protocols ospf area 0

[edit protocols ospf area 0.0.0.0]
louisk@srx.cmhome# up 2

[edit protocols]
louisk@srx.cmhome# top

[edit]
louisk@srx.cmhome#
set is used to assign values. For example:
[edit interfaces]
louisk@srx.cmhome# set fe-0/0/7.0 family inet address 10.10.2.20/24

[edit interfaces]
louisk@srx.cmhome#
delete – deletes configuration entries. This can be a small portion of an entry, like an IP address on an interface, a whole section (delete protocols), or the entire config (if you use delete from the top without any arguments, it will delete your entire config).
deactivate – marks a portion/section of the configuration as inactive. It still shows as part of the configuration, but it has no effect.
[edit]
louisk@srx.cmhome# deactivate schedulers

[edit]
louisk@srx.cmhome# show schedulers
##
## inactive: schedulers
##
scheduler lab-to-dns {
    daily {
        start-time 10:00:00 stop-time 18:00:00;
    }
    friday exclude;
    saturday exclude;
}
[edit]
louisk@srx.cmhome#
As you can see, the configuration still exists, but it is not active.
When you commit a configuration, the previous version is archived (Junos can store up to 50 configurations on the device) and you can restore any of them with the rollback command (it takes a number as argument, for example rollback 1).
- show – shows the configuration.
- show | compare – shows the difference between the candidate and the active configuration.
- rollback 0 – discards uncommitted changes in the candidate configuration.
- save – used to save configuration files locally or remotely.
[edit]
louisk@srx.cmhome# save scp://louisk@198.18.11.11:srx.cfg
srx.cfg                                       100%   29KB  28.9KB/s   00:00
Wrote 1032 lines of configuration to 'scp://198.18.11.11:srx.cfg'

[edit]
louisk@srx.cmhome#
load – is used to load configuration from a local/remote file or from the terminal. If you want to copy/paste a configuration snippet, use the load merge terminal relative command. Here is my favorite one: replace. Let's say you have an address book entry that is used in several security policies and you want to change it; type:
replace pattern blocked_network with blocked_user
or
replace pattern 10.0.0.1/24 with 10.0.0.254/24
The analog of Cisco's do command is run. It allows you to execute operational mode commands from configuration mode.
Descriptions can be added with annotate.
copy – used to copy configuration statements.
Setting a Custom Session Timeout on Juniper SRX
To set a custom timeout for a particular application, define the application and set its inactivity-timeout value. The inactivity timeout is measured in seconds. It accepts values from 4 seconds to 24 hours, and there is also another option: “never“, which is EVIL. Configuring inactivity-timeout never can cause the device to run out of resources and opens a big black security hole in your network. Configuration example:
louisk@srx.cmhome# show applications application custom_app | display set
set applications application custom_app protocol tcp
set applications application custom_app destination-port 3590
set applications application custom_app inactivity-timeout 10800
Keep in mind that by default a TCP session has a 30 min. inactivity timeout. It resets back to 1800 seconds whenever subsequent traffic matches the session. Output that shows the timeout value for a session:
louisk@srx.cmhome> show security flow session destination-port 80
Session ID: 20252, Policy name: trust-to-untrust/7, Timeout: 242, Valid
  In: 198.18.9.210/59170 --> 5.39.89.202/80;tcp, If: fe-0/0/0.0, Pkts: 12, Bytes: 1283
  Out: 5.39.89.202/80 --> 10.10.2.20/29172;tcp, If: fe-0/0/7.0, Pkts: 7, Bytes: 1871
Total sessions: 1

louisk@srx.cmhome>
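Since a raised inactivity-timeout is what keeps a session in the table for hours, it is worth checking periodically which sessions are actually carrying one. The script below is an added example (not from the original post) that parses the show security flow session output in the format shown above and lists sessions whose remaining timeout exceeds the default TCP value of 1800 seconds; the second session in the sample output is constructed to look like one matched by the custom_app definition.

```python
import re

# Constructed sample of "show security flow session" output. The first session is
# the one shown in the post; the second is made up to resemble a session matched
# by an application with inactivity-timeout 10800 (custom_app, port 3590).
SAMPLE_OUTPUT = """\
Session ID: 20252, Policy name: trust-to-untrust/7, Timeout: 242, Valid
  In: 198.18.9.210/59170 --> 5.39.89.202/80;tcp, If: fe-0/0/0.0, Pkts: 12, Bytes: 1283
  Out: 5.39.89.202/80 --> 10.10.2.20/29172;tcp, If: fe-0/0/7.0, Pkts: 7, Bytes: 1871
Session ID: 20310, Policy name: trust-to-untrust/9, Timeout: 10742, Valid
  In: 198.18.9.44/40211 --> 10.10.2.21/3590;tcp, If: fe-0/0/0.0, Pkts: 3, Bytes: 180
  Out: 10.10.2.21/3590 --> 198.18.9.44/40211;tcp, If: fe-0/0/7.0, Pkts: 2, Bytes: 120
Total sessions: 2
"""

SESSION_RE = re.compile(
    r'^Session ID: (?P<id>\d+), Policy name: (?P<policy>[^,]+), '
    r'Timeout: (?P<timeout>\d+), (?P<state>\w+)$'
)
WING_RE = re.compile(
    r'^\s*(?P<dir>In|Out): (?P<src>\S+) --> (?P<dst>[^;]+);(?P<proto>\w+), '
    r'If: (?P<ifl>\S+), Pkts: (?P<pkts>\d+), Bytes: (?P<bytes>\d+)$'
)


def parse_flow_sessions(text):
    """Parse each 'Session ID' header and its In/Out wings into a list of dicts."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m["id"]), "policy": m["policy"],
                             "timeout": int(m["timeout"]), "state": m["state"], "wings": []})
            continue
        w = WING_RE.match(line)
        if w and sessions:  # a wing line always follows its session header
            sessions[-1]["wings"].append(w.groupdict())
    return sessions


def long_lived(sessions, max_timeout=1800):
    """Sessions whose remaining inactivity timeout is above the default TCP value (1800 s)."""
    return [s for s in sessions if s["timeout"] > max_timeout]


if __name__ == "__main__":
    for s in long_lived(parse_flow_sessions(SAMPLE_OUTPUT)):
        print(s["id"], s["policy"], s["timeout"], s["wings"][0]["dst"])
```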
After defining the custom application, you must match it in the security policy. But what if you want to change the timeout for well-known applications (such as junos-http, junos-ftp, etc.)? In this case you have to define a new application with a different name from the ones predefined in Junos. Example of creating an application “SSH” and setting the inactivity timeout to 7200 seconds (2 hours):
set applications application SSH protocol tcp
set applications application SSH destination-port 22
set applications application SSH inactivity-timeout 7200
There are two types of firewall user authentication:
- Pass-Through: triggered by Telnet, FTP and HTTP traffic. The user connects to the resource directly; Junos prompts for a username/password and, if authentication is successful, traffic is permitted from the same source address.
- Web Authentication: the user connects to the Junos device itself via HTTP; Junos prompts for a username/password and, if authentication is successful, traffic is permitted from the same source address.
Users can be authenticated against local, RADIUS, LDAP, and SecurID server databases. In this post I will use simple local authentication.
Pieces we need to configure for firewall user authentication: an access profile, which defines clients, the firewall user authentication type and banners; and a security policy, which triggers authentication. Configuration (pass-through edition):
louisk@srx.cmhome# show access
profile test-profile {
    client admin {
        firewall-user {
            password "$9$Olw11cyevWx-V"; ## SECRET-DATA
        }
    }
}
firewall-authentication {
    pass-through {
        default-profile test-profile;
        telnet {
            banner {
                login "Enter your password";
                success "Authentication passed";
                fail "Authentication failed";
            }
        }
    }
}
louisk@srx.cmhome#
We have defined the authentication; time to use it in the security policy:
[edit security policies]
louisk@srx.cmhome# show from-zone lan to-zone wan policy firewall-auth
match {
    source-address louisk;
    destination-address cisco-switch;
    application junos-telnet;
}
then {
    permit {
        firewall-authentication {
            pass-through {
                client-match admin;
            }
        }
    }
}
In this configuration we have set up pass-through authentication for telnet traffic. Here is the result:
[louisk@test.cmhome]$ telnet 10.0.0.204
Trying 10.0.0.204...
Connected to 10.0.0.204.
Escape character is '^]'.
Enter your password
Username: admin
Password:
 Authentication passed

User Access Verification

Username:
To view authenticated users and their status, use the command below:
louisk@srx.cmhome> show security firewall-authentication users
Firewall authentication data:
        Total users in table: 1
  Id  Source Ip      Src zone  Dst zone  Profile   Age  Status   User
  4   192.168.12.11  lan       wan       test-pro  0    Success  admin
Show the authentication history:
louisk@srx.cmhome> show security firewall-authentication history
History of firewall authentication data:
        Authentications: 3
  Id  Source Ip      Date        Time      Duration  Status   User
  1   192.168.12.11  2011-07-08  19:04:39  0:10:13   Success  admin
  2   192.168.12.11  2011-07-08  19:20:29  0:39:43   Success  admin
  3   192.168.12.11  2011-07-08  20:47:32  0:10:00   Success  admin
Tasks for configuring web authentication. First, enable HTTP access to your Juniper SRX:
set system services web-management http
Assign a secondary IP address from the same subnet to the interface, and enable web authentication on it:
louisk@srx.cmhome# show interfaces vlan.15
family inet {
    address 192.168.12.1/24 {
        preferred;
    }
    address 192.168.12.100/24 {
        web-authentication http;
    }
}
Configure web authentication under the access hierarchy:
louisk@srx.cmhome# show access firewall-authentication web-authentication
default-profile test-profile;
banner {
    success "Authentication passed";
}
And finally, configure the security policy appropriately:
[edit security policies]
louisk@srx.cmhome# show from-zone lan to-zone wan policy firewall-auth
match {
    source-address louisk;
    destination-address cisco-switch;
    application junos-telnet;
}
then {
    permit {
        firewall-authentication {
            web-authentication {
                client-match admin;
            }
        }
    }
}