Yes I know, ScreenOS is “End of Everything” (EoE). However, for historical reasons I am still managing many Netscreen/ScreenOS firewalls for some customers. Similar to my troubleshooting CLI commands for Palo Alto and Fortinet, I am listing the most commonly used commands for the ScreenOS devices as a quick reference / cheat sheet. These are only the commands that are needed for deep troubleshooting sessions that cannot be done solely in the GUI.
At first: Always remember that the default backspace key is “Ctrl + h” and not the backspace key itself! ;)
Basics
These are the very basics on the command line:
get config
get config all #configuration with default values
get config | incl <string> #grep within the configuration
get system #serial #, software version, uptime, etc.
get event #event list (same as in the GUI)
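The `get config` dump is what usually ends up in a backup file or a support ticket, so it is worth sanitizing before it leaves your hands. The following Python helper is an added example for this post (not Juniper's code and not part of the original cheat sheet): it redacts the quoted credential values behind the `password`, `preshare` and `community` keywords and lists every policy that permits Any/Any/ANY, flagging those without logging. The ScreenOS statement syntax it matches and the sample configuration are assumed and constructed here.

```python
"""Sanitize and sanity-check a ScreenOS `get config` dump (added example).

Assumptions (not from the post): credential values follow the keywords
`password`, `preshare` and `community` as quoted strings, and policy lines
use the `set policy id N from "Z1" to "Z2" "SRC" "DST" "SVC" action` form.
"""
import re

# Constructed sample of `get config` output; not taken from a real device.
SAMPLE_CONFIG = """\
set clock timezone 1
set admin name "netscreen"
set admin password "nKVUM2rwMUzPcrkG5sWIHdCtqkAibn"
set interface ethernet0/0 ip 192.0.2.1/24
set nsrp cluster id 1
set nsrp auth password "SuperSecret1"
set nsrp encrypt password "SuperSecret2"
set ike gateway "branch" address 198.51.100.7 Main outgoing-interface "ethernet0/0" preshare "Pr3Sh4r3d" sec-level standard
set snmp community "public" Read-Only Trap-on traffic version any
set policy id 1 from "Trust" to "Untrust"  "Any" "Any" "ANY" permit log
set policy id 2 from "Untrust" to "Trust"  "Any" "Any" "ANY" permit
set policy id 3 from "Untrust" to "DMZ"  "Any" "MailServer" "SMTP" permit log
"""

# Keyword followed by a quoted credential value (assumed ScreenOS syntax):
# admin credential value, NSRP auth/encrypt passwords, IKE preshared keys,
# SNMP community strings.
SECRET_RE = re.compile(r'\b(password|preshare|community)\s+"([^"]*)"')

# One policy statement per line (assumed syntax, see module docstring).
POLICY_RE = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)"\s+'
    r'"([^"]+)" "([^"]+)" "([^"]+)" (permit|deny|reject)\b(.*)$',
    re.MULTILINE,
)


def redact(config: str) -> str:
    """Return the config with every credential value replaced by <REDACTED>.

    The keyword is kept so the structure of the line stays recognizable.
    """
    return SECRET_RE.sub(r'\1 "<REDACTED>"', config)


def permissive_policies(config: str):
    """List permit policies that match Any source, Any destination, ANY service.

    Returns tuples (policy id, from-zone, to-zone, logged) in config order.
    """
    found = []
    for m in POLICY_RE.finditer(config):
        pid, zfrom, zto, src, dst, svc, action, rest = m.groups()
        if action == "permit" and (src, dst, svc) == ("Any", "Any", "ANY"):
            logged = "log" in rest.split()
            found.append((int(pid), zfrom, zto, logged))
    return found


if __name__ == "__main__":
    print(redact(SAMPLE_CONFIG))
    for pid, zfrom, zto, logged in permissive_policies(SAMPLE_CONFIG):
        note = "" if logged else " (not logged!)"
        print(f"policy {pid}: {zfrom} -> {zto} permits Any/Any/ANY{note}")
```

Run it against a real dump by replacing `SAMPLE_CONFIG` with the file contents; the redaction keeps the keyword in place, so the sanitized output still works with `get config | incl` style searches and the policy check gives the same result before and after redaction.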
How to turn off the LED alarm on the firewall:
clear led alarm
clear cluster led alarm #on a cluster for all devices at once
Basic Networking
The reason why we are all here:
get arp
get route #routing table
get route ip <ip-address> #routing table lookup for a specific IP
get vrouter <name-of-the-VR> route #routing table from a specific virtual router
get vrouter <name-of-the-VR> protocol ? #dynamic routing protocols such as OSPF or BGP
get counter statistics interface <interface> #counters for hardware interfaces
get ndp #IPv6 neighbor cache
ping <name|ip-address>
ping <name|ip-address> from <interface> #ping from a specific interface
trace-route <name|ip-address>
trace-route <name|ip-address> from <interface> #same for trace-route
Application Layer Gateway
I had some trouble with the application layer gateway functionality on the ScreenOS devices. Here are some hidden commands that help while troubleshooting the ALGs:
get alg #lists all available ALGs with an enabled/disabled statement
get service portmap #which port is assigned to which application
get service application #known applications by ScreenOS that trigger an ALG
And a few links concerning ALGs:
- How to show which TCP/UDP ports trigger an ALG ?
- Viewing list of ALGs and disabling an ALG differs on ScreenOS versions
- Which ALGs are unset by default in ScreenOS 6.x?
- What is the Policy keyword “Application NONE”?
NSRP (High Availability)
The following command lists all details about a NetScreen Redundancy Protocol (NSRP) cluster, i.e., the IDs of all connected units, the current master, the encryption and authentication passwords (in plain text!), etc.:
get nsrp
To sync the configuration from the master to the local device (AND NOT VICE VERSA!!!) [Link]:
exec nsrp sync global-config save
And to do a manual failover: this brings the current master unit into backup mode. The command must be issued on the current master! [Link]:
exec nsrp vsd-group 0 mode backup
Session & Log
The session commands list sessions that are currently active. The traffic log shows already finished sessions (of course only if they were logged):
get session
get session ?
get session scr-ip <ip-address>
get session policy-id <id>
get log traffic
get log traffic ?
get log traffic src-ip <ip-address>
get log traffic policy <id>
Link: “How to determine how long a session has been up in ScreenOS”.
IPsec VPN
This is one of the main use cases for using the CLI on the SSG firewalls: Many details about IPsec site-to-site VPNs, e.g., the proxy-IDs for policy-based VPNs:
get ike cookies #phase 1
get vpn auto #list of phase 2 VPNs
get vpn <name> #details
get sa id <number> #details of phase 2 filtered by the tunnel-id
get sa id 2 #values from 0-9 can be entered directly
get sa id 0x0000000b #higher values must be entered in hexadecimal notation
In order to clear a current VPN connection, use one of the following commands for either phase 1 (IKE) or phase 2 (IPsec):
clear ike-cookie <gateway-ipv4-address>
clear sa <number>
Flow
To display the most detailed information about active flows, for example to see which policies trigger or which routing table lookups are used, etc. [Link]:
undebug all #stop all other debuggings
get ff #if there are any filters set, remove them with the next line:
unset ff
set ff ? #ff = flow filter
set ff src-ip <ip>
set ff dst-ip <ip>
get ff #verify all filters
clear db #clear the debug buffer
debug flow basic #now the debug will be logged. Generate your traffic now
undebug all #after the traffic is finished, stop debugging
get db stream #and display the debug stream
unset ff #finally, unset all filters to not confuse further troubleshooting sessions
Common Problems
Some more links to common problems or other scenarios:
- Packet taking the wrong route due to the route-cache feature
- What does ‘set flow mac-cache mgt’ do?
- Behavior of ScreenOS ‘set flow’ commands in asymmetric routing scenario
- How can I find the serial number for my Juniper Networks device?
- How to Update the New Image Authentication Key and Upgrade Boot Loader/ScreenOS Firmware
NSM Stuff
And finally some notes concerning the “Network and Security Manager”.
- Default port from ScreenOS device to NSM: TCP/7800.
- Default https port to download the Java GUI: https://<ip>:8443.
- Default port from Java GUI to NSM: TCP/7808.
To become root on the NSM CLI:
sudo su -
And some links:
- What ports are used for communication between the Management System (NSM), the GUI client, and Juniper Firewall devices?
- Recommended starting and stopping sequences for NSM services
- Export NSM logs to CSV file from the NSM CLI
Factory Reset & Defaults
To do a factory reset you can either use the reset pinhole on the device or log in to the serial console with the serial number as username and password. Both ways are explained here.
To do a reset via the CLI use the following commands, explained here. Note that this is NOT a complete factory reset but only an “unset” of all commands; port modes, license keys, etc. will remain:
SSG5-> unset all
Erase all system config, are you sure y/[n] ? y
SSG5-> reset
Configuration modified, save? [y]/n n
System reset, are you sure? y/[n] y
In reset ...
The default IPv4 address is 192.168.1.1. The switch ports which are configured with this IPv4 address vary! For example, on an SSG 5 it is bgroup0 = eth0/2 – 0/6, while on an SSG 140 it is eth0/0. The default login is netscreen:netscreen. (Followed by “tab tab enter” to log in via the GUI. ;))
Update via USB
To update the image key and the ScreenOS firmware from a USB stick (rather than via GUI, NSM, or TFTP) use the following commands:
save image-key usb imagekey.cer
save software from usb ssg140.6.3.0r23 to flash
reset
Featured image “Warten auf Arbeit” by Günter Hentschel is licensed under CC BY-ND 2.0.
Great post for people like me getting fresh with Netscreen. Thanks and continue the good job.
Good Job,
How to find the NAT translated IPs?
Awesome guide/layout. Appreciate it.
Great & clear guide Johannes. Tnx! Keep up the good work.
Do we have any command for replacing a string, like below in SRX?
#replace pattern with
Awesome guide,
How can I copy my configuration file for backup from an SSG 140?
Simply log into the SSG via SSH and issue the “get config” command. Copy and paste it into a text file.
You can download the same output from the GUI. I don’t remember the exact place (since I don’t have any SSGs running anymore). But I know that it’s there. ;) It gives you a “_cfg” file.
Appreciate the guide. Awesome work!
How to disable web redirect via CLI command?
Here we go: https://www.letmegooglethat.com/?q=screenos+web+redirect
;)
unset admin http redirect
I'm stuck in loading the image via the OS Loader without success.
Juniper Networks ISG Series BootROM V1.1.1 (Checksum: 88D32336)
Copyright (c) 1997-2008 Juniper Networks, Inc.
Total physical memory: 2048MB
Test – Pass
Initialization……………. Done
Hit key ‘X’ and ‘A’ sequentially to update OS Loader….
BOM Version [F06]: READ ONLY
Self MAC Address [0022-83ad-4d00]: READ ONLY
OS Loader File Name [nsISG2000.6.3.0r12.0]: nsISG2000.6.3.0r12.0
Self IP Address [10.1.6.252]:
TFTP IP Address [10.1.6.250]:
Ip Address Mask [255]: 255.255.255.192
Default Gateway IP [0]: 10.1.6.250
Save loader config (112 bytes)… Done
Loading file “nsISG2000.6.3.0r12.0″…
atatatatatatatatatatatatatatatatata
Loaded successfully! (size = 14,668,116 bytes)
### invalid image file ###
You’re probably running into this: https://kb.juniper.net/InfoCenter/index?page=content&id=TSB16495 ?