
Thursday, 23 November 2017

Juniper SRX basic troubleshoot commands


SRX-FW1> show security zones

This displays the configured security zones and the logical interfaces (units) bound to each one, together with their physical interfaces.

BASIC

SRX-FW1> show interfaces terse

This lists all interfaces with their IP addresses and admin/link status.

SRX-FW1> show chassis routing-engine

Shows uptime, serial number, CPU utilisation, memory usage, temperature and so on.



A full example of a policy lookup for a specific flow (the command itself is explained under Traffic flows below):

SRX-FW1> show security match-policies from-zone trust to-zone untrust source-ip 172.16.0.23 destination-ip 64.62.142.12 source-port 12345 destination-port 7351 protocol udp


VPN

show security ipsec inactive-tunnels detail

This tells you when tunnels went down and came back up, and also shows the remote gateway IP address of each tunnel.

show security ipsec security-associations

This tells you which encryption and authentication algorithms are in use.

It also shows details such as the index of each SA. Every SA has an inbound and an outbound leg (indicated by the arrows to the left of the SA ID).

You can drill down into a single SA with: show security ipsec security-associations index <number> detail. This tells you exactly which policy belongs to which SA.

show security ike security-associations detail

The detailed output includes per-SA traffic statistics, so it shows whether a tunnel is actually passing any input and output.

show security ike active-peer

Lists the active IKE peers with their local and remote gateway IP addresses.


Troubleshoot traffic flows:


show security flow session source-prefix <ipaddr/32> destination-prefix <ipaddr/32>

This shows which sessions are in progress or were attempted between the two prefixes. A very useful command if you want to find out whether traffic is actually hitting your firewall at all.

show security match-policies from-zone <name> to-zone <name2> source-ip <ip> destination-ip <ip> source-port <port> destination-port <port> protocol <proto>

This command is extremely useful: it is pretty much the Junos CLI equivalent of the ASA packet tracer, in that it tells you how a given flow would be treated by the Junos flow engine, i.e. which policy it would match.


show security policies hit-count

This shows a running hit count for each security policy. Very, very useful: if you generate traffic that should match a certain policy and its hit count stays at zero, the traffic is matching a different policy (or not reaching the firewall) and you need to revise your policies.


SRX-FW1> show configuration system syslog

This tells you the names of the log files and which messages each one captures, for instance:

file traffic {
    any any;
    match RT_FLOW_SESSION_CREATE;
    archive files 100;
}
file block_traffic {
    any any;
    match RT_FLOW_SESSION_DENY;
}

monitor traffic matching "net 1.1.1.1/32" no-resolve brief

monitor traffic matching "net 1.1.1.1/32" no-resolve detail

monitor traffic is the Junos equivalent of tcpdump, with the caveat that it only sees traffic sourced from or destined to the Routing Engine (control plane), not transit traffic forwarded through the data plane. It is therefore useful for checking things like IKE negotiations or routing adjacencies with the SRX itself, but not for watching traffic that merely passes through it.


show log traffic

SRX-FW1> show log traffic | ?
Possible completions:
  count                Count occurrences
  display              Show additional kinds of information
  except               Show only text that does not match a pattern
  find                 Search for first occurrence of pattern
  hold                 Hold text without exiting the --More-- prompt
  last                 Display end of output only
  match                Show only text that matches a pattern
  no-more              Don't paginate output
  refresh              Refresh a continuous display of the command
  request              Make system-level requests
  resolve              Resolve IP addresses
  save                 Save output text to file
  trim                 Trim specified number of columns from start of line

So if you want to search the log for an IP address (for instance 1.1.1.1) issue:

SRX-FW1> show log traffic | find 1.1.1.1

Note that find jumps to the first occurrence only; use | match 1.1.1.1 to list every line containing it.
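The traffic and block_traffic log files above capture RT_FLOW_SESSION_CREATE and RT_FLOW_SESSION_DENY messages, and searching them for an address by hand quickly gets tedious. Below is an added example of doing that search offline, written for this post and not taken from Juniper or from the original page. It parses a handful of constructed RT_FLOW lines (the field layout of the sample messages is an assumption made for this example) into records, counts denies per policy, flags policies that never appear in the log (the offline counterpart of a zero hit count), and searches for an IP address as a whole token so that 1.1.1.1 does not also match 1.1.1.10.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample log lines in the general shape of SRX RT_FLOW syslog
# messages. The exact field order is an assumption for this example, not
# output captured from a real SRX.
SAMPLE_LOG = """\
Nov 23 10:01:02 SRX-FW1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.16.0.23/51234->64.62.142.12/7351 None 172.16.0.23/51234->64.62.142.12/7351 None None 17 allow-udp trust untrust 1001
Nov 23 10:01:03 SRX-FW1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 1.1.1.1/40000->172.16.0.23/22 None 6(0) default-deny untrust trust
Nov 23 10:01:04 SRX-FW1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 1.1.1.1/40001->172.16.0.23/23 None 6(0) default-deny untrust trust
Nov 23 10:01:05 SRX-FW1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 10.9.9.9/5353->172.16.0.23/5353 None 17(0) block-mdns trust trust
Nov 23 10:01:06 SRX-FW1 RT_FLOW: RT_FLOW_SESSION_CREATE: session created 172.16.0.24/51235->64.62.142.12/7351 None 172.16.0.24/51235->64.62.142.12/7351 None None 17 allow-udp trust untrust 1002
Nov 23 10:01:07 SRX-FW1 RT_FLOW: RT_FLOW_SESSION_DENY: session denied 1.1.1.10/40002->172.16.0.23/22 None 6(0) default-deny untrust trust
"""

# Assumed layouts: "session created src/sport->dst/dport <svc> natsrc->natdst
# <rule> <rule> <proto> <policy> <from-zone> <to-zone> ..." and
# "session denied src/sport->dst/dport <svc> <proto>(<icmp>) <policy> <from> <to>".
CREATE_RE = re.compile(
    r"RT_FLOW_SESSION_CREATE: session created "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\S+ [\d.]+/\d+->[\d.]+/\d+ \S+ \S+ (?P<proto>\d+) "
    r"(?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+)"
)
DENY_RE = re.compile(
    r"RT_FLOW_SESSION_DENY: session denied "
    r"(?P<src>[\d.]+)/(?P<sport>\d+)->(?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"\S+ (?P<proto>\d+)\(\d+\) (?P<policy>\S+) (?P<from_zone>\S+) (?P<to_zone>\S+)"
)


@dataclass(frozen=True)
class FlowEvent:
    action: str        # "create" or "deny"
    src: str
    sport: int
    dst: str
    dport: int
    proto: int         # IP protocol number (6 = TCP, 17 = UDP)
    policy: str
    from_zone: str
    to_zone: str


def parse_rt_flow(text):
    """Turn RT_FLOW_SESSION_CREATE/DENY lines into FlowEvent records; other lines are skipped."""
    events = []
    for line in text.splitlines():
        for action, pattern in (("create", CREATE_RE), ("deny", DENY_RE)):
            m = pattern.search(line)
            if m:
                d = m.groupdict()
                events.append(FlowEvent(action, d["src"], int(d["sport"]), d["dst"],
                                        int(d["dport"]), int(d["proto"]), d["policy"],
                                        d["from_zone"], d["to_zone"]))
                break
    return events


def denies_by_policy(events):
    """Count denied sessions per policy name, like a deny-only hit count."""
    return Counter(e.policy for e in events if e.action == "deny")


def policies_never_seen(events, expected_policies):
    """Policies you expected traffic to hit but that never show up in the log."""
    return set(expected_policies) - {e.policy for e in events}


def grep_ip(text, ip):
    """Lines mentioning ip as a whole address (1.1.1.1 must not match 1.1.1.10)."""
    token = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")
    return [line for line in text.splitlines() if token.search(line)]


if __name__ == "__main__":
    evs = parse_rt_flow(SAMPLE_LOG)
    print(denies_by_policy(evs))
    print(policies_never_seen(evs, {"allow-udp", "default-deny", "allow-ssh"}))
    for line in grep_ip(SAMPLE_LOG, "1.1.1.1"):
        print(line)
```

Feed it a file saved with show log traffic | save <file> (or the block_traffic log) instead of SAMPLE_LOG and adjust the two regexes to the field layout your Junos release actually emits; the whole-token search in grep_ip is the part worth keeping even if you stay on the CLI, since | match 1.1.1.1 there is also a plain substring match.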



still to read:


https://kb.juniper.net/InfoCenter/index?page=content&id=KB16110&actp=METADATA

