Useful SRX Commands

Overview

This series of posts goes over a number of useful Junos SRX commands, all on the CLI. I've looked at JWeb; I don't find it as easy to use, or as fast. Most of the time, speed isn't the most important aspect, but the faster you get one task completed, the faster you move on to the next thing.

View session information:

louisk@srx.cmhome> show security flow session summary
Unicast-sessions: 134
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 134
  Valid sessions: 134
  Pending sessions: 0
  Invalidated sessions: 0
  Sessions in other states: 0
Maximum-sessions: 409600

louisk@srx.cmhome>

Clear sessions through the firewall (note that if you aren’t connected via a management interface, this will disconnect your login session):

louisk@srx.cmhome> clear security flow session all
This command may terminate the current session too.
Continue? [yes,no] (no) yes

Switch to other node in a cluster via CLI (over the HA-link):

louisk@srx.cmhome> request routing-engine login node 1

View the config in set commands instead of the default hierarchy view:

louisk@srx.cmhome> show configuration | display set

Setting the correct log file settings from the CLI (note that the file name is case-sensitive):

[edit]
louisk@srx.cmhome# set system syslog file policy_session user info
louisk@srx.cmhome# set system syslog file policy_session match RT_FLOW
louisk@srx.cmhome# set system syslog file policy_session archive size 1000k
louisk@srx.cmhome# set system syslog file policy_session archive world-readable
louisk@srx.cmhome# set system syslog file policy_session structured-data

Load set commands through the CLI. After pasting them, press CTRL-D to end the input. A commit is still needed to apply the changes.

louisk@srx.cmhome# load set terminal
louisk@srx.cmhome# <CTRL-D to end>
louisk@srx.cmhome# <paste the set commands>

Monitor activity from the CLI (assuming that you have configured the logging part):

louisk@srx.cmhome> monitor start policy_session

This will start scrolling the log in real time on the screen. To stop it, enter the following (while your screen looks like a mess due to the scrolling log output):

louisk@srx.cmhome> monitor stop
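The policy_session file configured above collects RT_FLOW messages in Junos structured-data (RFC 5424) form, which is what you want when the log is going to be parsed rather than read on screen. The following Python is an added example, not code from the original post: it parses constructed sample lines in that layout (the field set is trimmed; a real device emits more fields), tallies events per policy, and flags sources that keep hitting the deny policy.

```python
import re
from collections import Counter

# Constructed sample lines in the layout that
# "set system syslog file policy_session structured-data" produces.
# They are illustrative, not captured from a real device.
SAMPLE_LOG = """\
<14>1 2018-11-03T20:31:02.113Z srx.cmhome RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.36 source-address="198.18.9.210" source-port="59170" destination-address="5.39.89.202" destination-port="80" service-name="junos-http" protocol-id="6" policy-name="trust-to-untrust" source-zone-name="trust" destination-zone-name="untrust" session-id-32="20252" packet-incoming-interface="fe-0/0/0.0"]
<14>1 2018-11-03T20:31:09.540Z srx.cmhome RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.36 reason="TCP FIN" source-address="198.18.9.210" source-port="59170" destination-address="5.39.89.202" destination-port="80" service-name="junos-http" protocol-id="6" policy-name="trust-to-untrust" session-id-32="20252" packets-from-client="12" bytes-from-client="1283" packets-from-server="7" bytes-from-server="1871" elapsed-time="7"]
<14>1 2018-11-03T20:32:41.002Z srx.cmhome RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="192.168.12.11" source-port="40522" destination-address="10.10.2.21" destination-port="23" service-name="junos-telnet" protocol-id="6" policy-name="default-deny" source-zone-name="lan" destination-zone-name="wan" reason="Denied by policy"]
<14>1 2018-11-03T20:32:44.870Z srx.cmhome RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.36 source-address="192.168.12.11" source-port="40523" destination-address="10.10.2.21" destination-port="23" service-name="junos-telnet" protocol-id="6" policy-name="default-deny" source-zone-name="lan" destination-zone-name="wan" reason="Denied by policy"]
"""

# <PRI>1 TIMESTAMP HOST RT_FLOW - EVENT [junos@ENTERPRISE-ID key="value" ...]
LINE_RE = re.compile(r'^<\d+>1 (\S+) (\S+) RT_FLOW - (RT_FLOW_\w+) \[junos@[\d.]+ (.*)\]$')
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_line(line):
    """Return a dict with timestamp, host, event and every key="value" field,
    or None when the line is not an RT_FLOW structured-data message."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, event, body = m.groups()
    rec = {"timestamp": ts, "host": host, "event": event}
    rec.update(KV_RE.findall(body))
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def policy_summary(records):
    """Count events per (policy-name, event) pair."""
    return Counter((r["policy-name"], r["event"]) for r in records)


def denied_sources(records, threshold=2):
    """Sources with at least `threshold` RT_FLOW_SESSION_DENY events: a cheap
    signal for a host repeatedly trying something no policy permits."""
    c = Counter(r["source-address"] for r in records if r["event"] == "RT_FLOW_SESSION_DENY")
    return {src: n for src, n in c.items() if n >= threshold}


def bytes_transferred(records):
    """Total bytes in both directions across RT_FLOW_SESSION_CLOSE records."""
    return sum(int(r.get("bytes-from-client", 0)) + int(r.get("bytes-from-server", 0))
               for r in records if r["event"] == "RT_FLOW_SESSION_CLOSE")
```

The same parser works on a file pulled from /var/log/policy_session on the device, or on the same records once they are forwarded to a syslog collector.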

Replace strings in your config (e.g. globally change an IP address which is used several times):

[edit]
louisk@srx.cmhome# replace pattern 192.168.0.1 with 192.168.1.1

View the changes before you commit the configuration:

[edit]
louisk@srx.cmhome# show | compare

Save the rescue configuration (clearing the alarm LED on the device):

louisk@srx.cmhome> request system configuration rescue save

Restoring the rescue configuration:

[edit]
louisk@srx.cmhome# rollback rescue
load complete

[edit]
louisk@srx.cmhome# commit

Let's start with modes. Junos has two modes: operational mode and configuration mode. Operational mode is identified by the ">" prompt and lets you execute show and other troubleshooting commands; configuration mode is identified by the "#" prompt and is entered with the configure command.

louisk@srx.cmhome> configure
Entering configuration mode

[edit]
louisk@srx.cmhome# exit
Exiting configuration mode

louisk@srx.cmhome>

There is also a C shell, available only to the root user (most commonly seen when you access the device via the serial console). If you log in as root on a Juniper device (make sure this is not allowed remotely), a "%" prompt appears, indicating that you are currently in the C shell.

root@srx.cmhome%

Now let's look at operational mode commands. Show interfaces, protocol, state and IP addresses:

louisk@srx.cmhome> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
fe-0/0/0                up    up
fe-0/0/0.0              up    up   inet     192.168.0.1/30
                                   inet6    2001:db8:ca7::1/64
                                            fe80::3e8a:b0ff:fea8:c900/64
gr-0/0/0                up    up
ip-0/0/0                up    up
lt-0/0/0                up    up
mt-0/0/0                up    up
sp-0/0/0                up    up
sp-0/0/0.0              up    up   inet
                                   inet6
sp-0/0/0.16383          up    up   inet     10.0.0.1            --> 10.0.0.16
                                            10.0.0.6            --> 0/0
                                            128.0.0.1           --> 128.0.1.16
                                            128.0.0.6           --> 0/0
fe-0/0/1                down  down
fe-0/0/2                down  down
fe-0/0/3                down  down
fe-0/0/4                down  down
fe-0/0/5                down  down
fe-0/0/6                down  down
fe-0/0/7                up    up
fe-0/0/7.0              up    up   inet     10.10.2.20/30
gre                     up    up
ipip                    up    up
irb                     up    up
lo0                     up    up
lo0.0                   up    up   inet
lo0.16384               up    up   inet     127.0.0.1           --> 0/0
lo0.16385               up    up   inet     10.0.0.1            --> 0/0
                                            10.0.0.16           --> 0/0
                                            128.0.0.1           --> 0/0
                                            128.0.0.4           --> 0/0
                                            128.0.1.16          --> 0/0
lo0.32768               up    up
lsi                     up    up
mtun                    up    up
pimd                    up    up
pime                    up    up
pp0                     up    up
ppd0                    up    up
ppe0                    up    up
st0                     up    up
tap                     up    up
vlan                    up    up

louisk@srx.cmhome>

View the current date/time and system uptime:

louisk@srx.cmhome> show system uptime
Current time: 2018-11-03 20:33:11 UTC
System booted: 2018-11-03 17:55:11 UTC (02:38:00 ago)
Protocols started: 2018-11-03 18:00:28 UTC (02:32:43 ago)
Last configured: 2018-11-03 17:58:43 UTC (02:34:28 ago) by root
 8:33PM  up 2:38, 3 users, load averages: 0.30, 0.21, 0.13

louisk@srx.cmhome>

To adjust the date/time on your Juniper box, use the set date command:

louisk@srx.cmhome> set date ?
Possible completions:
  <time>               New date and time (YYYYMMDDhhmm.ss)
  ntp                  Set system date and time using Network Time Protocol servers
louisk@srx.cmhome>

Show logged in users:

louisk@srx.cmhome> show system users
 8:34PM  up 2:39, 3 users, load averages: 0.12, 0.17, 0.12
USER     TTY      FROM                              LOGIN@  IDLE WHAT
louisk   p0       192.168.11.126                    6:02PM   2:29 -cli (cli)
louisk   p1       mpro                             8:24PM      8 -cli (cli)
louisk   p2       mpro                             8:26PM      - -cli (cli)

louisk@srx.cmhome>

If you want to log out a user, use:

louisk@srx.cmhome> request system logout ?
Possible completions:
  <[Enter]>            Execute this command
  all                  Logout all sessions owned by user
  pid                  Management process ID for user
  terminal             Terminal user is logged in to
  user                 Name of user
  |                    Pipe through a command
louisk@srx.cmhome> request system logout

Show disk usage:

louisk@srx.cmhome> show system storage
Filesystem              Size       Used      Avail  Capacity   Mounted on
/dev/da0s1a             610M       179M       382M       32%  /
devfs                   1.0K       1.0K         0B      100%  /dev
/dev/md0                 20M       6.2M        12M       34%  /junos
/cf/packages            610M       179M       382M       32%  /junos/cf/packages
devfs                   1.0K       1.0K         0B      100%  /junos/cf/dev
/dev/md1                526M       526M         0B      100%  /junos
/cf                      20M       6.2M        12M       34%  /junos/cf
devfs                   1.0K       1.0K         0B      100%  /junos/dev/
/cf/packages            610M       179M       382M       32%  /junos/cf/packages1
procfs                  4.0K       4.0K         0B      100%  /proc
/dev/bo0s3e              46M       146K        42M        0%  /config
/dev/bo0s3f             618M        37M       531M        7%  /cf/var
/dev/md2                336M        21M       288M        7%  /mfs
/cf/var/jail            618M        37M       531M        7%  /jail/var
/cf/var/log             618M        37M       531M        7%  /jail/var/log
devfs                   1.0K       1.0K         0B      100%  /jail/dev
/dev/md3                 63M       4.0K        58M        0%  /mfs/var/run/utm
/dev/md4                1.8M       4.0K       1.7M        0%  /jail/mfs

louisk@srx.cmhome>

To view hardware details, alarms, environment status and more, use:

louisk@srx.cmhome> show chassis ?
Possible completions:
  alarms               Show alarm status
  cluster              Show chassis cluster information
  craft-interface      Show craft interface status
  environment          Show component status and temperature, cooling system speeds
  firmware             Show firmware and operating system version for components
  forwarding           Show forwarding process (fwdd) status
  fpc                  Show Flexible PIC Concentrator status
  hardware             Show installed hardware components
  location             Show physical location of chassis
  mac-addresses        Show media access control addresses
  pic                  Show Physical Interface Card state, type, and uptime
  realtime-ukern-thread  Show ukernel realtime thread assignment status
  routing-engine       Show Routing Engine status
  temperature-thresholds  Show chassis temperature threshold settings
  usb                  Show chassis USB status
louisk@srx.cmhome> show chassis

In operational mode, show commands can be suffixed with the following options:

  • terse
  • brief
  • detail
  • extensive

As the names suggest, these control the amount of command output.

Another couple of useful commands are restart and request. As the name suggests, restart is used to restart individual processes such as routing, the DHCP server, etc. Junos follows the traditional UNIX (FreeBSD) approach, so restarting one particular process does not impact other processes or services. request is used for maintenance tasks such as software upgrades, reboots, tests, etc.

Let's look at configuration mode now. First of all, keep in mind that the commands you type do not affect the device until you enter the commit command. The configuration is checked first, and if there are errors the commit fails. Navigation in configuration mode is pretty simple: the edit command enters a specific hierarchy, such as protocols, chassis, or whatever. The up command moves to a higher level (use just up to go one level up, or up N, where N is the number of levels). The top command takes you to the top of the configuration hierarchy.

louisk@srx.cmhome# edit protocols ospf area 0

[edit protocols ospf area 0.0.0.0]
louisk@srx.cmhome# up 2

[edit protocols]
louisk@srx.cmhome# top

[edit]
louisk@srx.cmhome#

set is used to assign values. For example:

[edit interfaces]
louisk@srx.cmhome# set fe-0/0/7.0 family inet address 10.10.2.20/24

[edit interfaces]
louisk@srx.cmhome#

delete deletes configuration entries. This can be a small portion of an entry, such as an IP address from an interface, a whole section (delete protocols), or the entire config (if you run delete from the top without any arguments, it will delete your entire configuration).

deactivate marks a portion or section of the configuration as inactive. It still shows as part of the configuration, but it has no effect.

[edit]
louisk@srx.cmhome# deactivate schedulers

[edit]
louisk@srx.cmhome# show schedulers
##
## inactive: schedulers
##
scheduler lab-to-dns {
    daily {
        start-time 10:00:00 stop-time 18:00:00;
    }
    friday exclude;
    saturday exclude;
}
[edit]
louisk@srx.cmhome#

As you can see, the configuration still exists but is not active.

When you commit a configuration, the previous version is archived (Junos stores up to 50 configurations on the device) and you can restore any of them with the rollback command, which takes a number as its argument, for example 'rollback 1'. Other useful configuration-mode commands:

  • show – shows the configuration.
  • show | compare – shows the difference between the candidate and active configuration.
  • rollback 0 – discards changes in the candidate configuration.
  • save – saves configuration files locally or remotely.

[edit]
louisk@srx.cmhome# save scp://louisk@198.18.11.11:srx.cfg
srx.cfg                                         100%   29KB  28.9KB/s   00:00
Wrote 1032 lines of configuration to 'scp://198.18.11.11:srx.cfg'

[edit]
louisk@srx.cmhome#

load is used to load configuration from a local or remote file, or from the terminal. If you want to copy/paste a configuration snippet, use the load merge terminal relative command. Here is my favorite one: replace. Let's say you have an address book entry which is used in security policies and you want to rename it; type:

replace pattern blocked_network with blocked_user

or

replace pattern 10.0.0.1/24 with 10.0.0.254/24

The analog of Cisco's do command is run, which lets you execute operational mode commands from configuration mode. Comments can be attached to configuration statements with annotate. copy is used to copy configuration statements.

Setting a Custom Session Timeout on a Juniper SRX

To set a custom timeout for a particular application, define the application and set its inactivity-timeout value. The inactivity timeout is measured in seconds and accepts values from 4 seconds to 24 hours. There is also another option, "never", which is EVIL: configuring inactivity-timeout never can cause the device to run out of resources and will open a big security hole in your network. Configuration example:

louisk@srx.cmhome# show applications application custom_app | display set
set applications application custom_app protocol tcp
set applications application custom_app destination-port 3590
set applications application custom_app inactivity-timeout 10800

Keep in mind that by default a TCP session has a 30 minute inactivity timeout. The timer is reset to 1800 seconds each time subsequent traffic matches the session. Output showing the timeout value of a session:

louisk@srx.cmhome> show security flow session destination-port 80
Session ID: 20252, Policy name: trust-to-untrust/7, Timeout: 242, Valid
  In: 198.18.9.210/59170 --> 5.39.89.202/80;tcp, If: fe-0/0/0.0, Pkts: 12, Bytes: 1283
  Out: 5.39.89.202/80 --> 10.10.2.20/29172;tcp, If: fe-0/0/7.0, Pkts: 7, Bytes: 1871
Total sessions: 1

louisk@srx.cmhome>

After defining the custom application, match it in the security policy. But what if you want to change the timeout for well-known applications (such as junos-http, junos-ftp, etc.)? In that case you have to define a new application with a name different from what is predefined in Junos. Example of creating an application "SSH" and setting its inactivity timeout to 7200 seconds (2 hours):

set applications application SSH protocol tcp
set applications application SSH destination-port 22
set applications application SSH inactivity-timeout 7200
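Custom applications like custom_app and SSH above are easy to lose track of, and a single inactivity-timeout never buried among them is exactly the resource-exhaustion problem the warning describes. The following Python is an added example, not part of the original post: it parses "| display set" output for the applications hierarchy and reports any timeout that is "never", outside the 4 second to 24 hour range, or above a site-specific ceiling. The sample input is constructed and contains the two applications from the post plus two made-up ones (legacy_db, noisy_app) that should be flagged.

```python
import re

# Valid range stated above: 4 seconds to 24 hours.
MIN_TIMEOUT = 4
MAX_TIMEOUT = 24 * 3600

# Only the three statements used on this page are parsed; other application
# knobs are ignored rather than rejected.
SET_RE = re.compile(
    r'^set applications application (\S+) (protocol|destination-port|inactivity-timeout) (\S+)$')

# Constructed "show applications | display set" output (not from a real device).
SAMPLE_SET = """\
set applications application custom_app protocol tcp
set applications application custom_app destination-port 3590
set applications application custom_app inactivity-timeout 10800
set applications application SSH protocol tcp
set applications application SSH destination-port 22
set applications application SSH inactivity-timeout 7200
set applications application legacy_db protocol tcp
set applications application legacy_db destination-port 1521
set applications application legacy_db inactivity-timeout never
set applications application noisy_app protocol udp
set applications application noisy_app destination-port 9999
set applications application noisy_app inactivity-timeout 2
"""


def parse_applications(text):
    """Group 'set applications application ...' statements by application name."""
    apps = {}
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:
            name, key, value = m.groups()
            apps.setdefault(name, {})[key] = value
    return apps


def audit_timeouts(apps, max_allowed=MAX_TIMEOUT):
    """Return {app: finding} for inactivity-timeouts that are 'never', outside the
    valid range, or above the site ceiling max_allowed. Clean apps are omitted."""
    findings = {}
    for name, cfg in apps.items():
        raw = cfg.get("inactivity-timeout")
        if raw is None:          # inherits the protocol default (1800 s for TCP)
            continue
        if raw == "never":
            findings[name] = "never: session is held until the device runs out of resources"
        elif not raw.isdigit() or not MIN_TIMEOUT <= int(raw) <= MAX_TIMEOUT:
            findings[name] = f"{raw}: outside the valid range {MIN_TIMEOUT}-{MAX_TIMEOUT} seconds"
        elif int(raw) > max_allowed:
            findings[name] = f"{raw}: above the site ceiling of {max_allowed} seconds"
    return findings
```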

There are two types of firewall user authentication:

  1. Pass-through: triggered by Telnet, FTP and HTTP traffic. The user connects to the resource directly; Junos prompts for a username/password and, if authentication is successful, traffic is permitted from the same source address.
  2. Web authentication: the user connects to the Junos device via HTTP. Junos prompts for a username/password and, if authentication is successful, traffic is permitted from the same source address.

Users can be authenticated against local, RADIUS, LDAP and SecurID server databases. In this post I will use simple local authentication.

Pieces needed to configure firewall user authentication: an access profile which defines the clients, the firewall user authentication type and banners, and a security policy which triggers the authentication. Configuration (pass-through edition):

louisk@srx.cmhome# show access
profile test-profile {
    client admin {
        firewall-user {
            password "$9$Olw11cyevWx-V"; ## SECRET-DATA
        }
    }
}
firewall-authentication {
    pass-through {
        default-profile test-profile;
        telnet {
            banner {
                login "Enter your password";
                success "Authentication passed";
                fail "Authentication failed";
            }
        }
    }
}
louisk@srx.cmhome#

We have defined the authentication profile; now it is time to use it in the security policy:

[edit security policies]
louisk@srx.cmhome# show from-zone lan to-zone wan policy firewall-auth
match {
    source-address louisk;
    destination-address cisco-switch;
    application junos-telnet;
}
then {
    permit {
        firewall-authentication {
            pass-through {
                client-match admin;
            }
        }
    }
}

In this configuration we have configured pass-through authentication for telnet traffic. Here is the result:

[louisk@test.cmhome]$ telnet 10.0.0.204
Trying 10.0.0.204...
Connected to 10.0.0.204.
Escape character is '^]'.
Enter your password
Username: admin
Password:
          Authentication passed

User Access Verification

Username:

To view authenticated users and status, use the command below:

louisk@srx.cmhome> show security firewall-authentication users
Firewall authentication data:
  Total users in table: 1
          Id Source Ip       Src zone Dst zone Profile    Age Status   User
           4 192.168.12.11   lan      wan      test-pro     0 Success  admin

Show authentication history:

louisk@srx.cmhome> show security firewall-authentication history
History of firewall authentication data:
  Authentications: 3
          Id Source Ip       Date       Time     Duration   Status   User
           1 192.168.12.11   2011-07-08 19:04:39 0:10:13    Success  admin
           2 192.168.12.11   2011-07-08 19:20:29 0:39:43    Success  admin
           3 192.168.12.11   2011-07-08 20:47:32 0:10:00    Success  admin

Tasks for configuring web authentication. First, enable HTTP access to your Juniper SRX:

set system services web-management http

Assign a secondary IP address from the same subnet to the interface and enable web authentication on it:

louisk@srx.cmhome# show interfaces vlan.15
family inet {
    address 192.168.12.1/24 {
        preferred;
    }
    address 192.168.12.100/24 {
        web-authentication http;
    }
}

Configure web authentication under access hierarchy:

louisk@srx.cmhome# show access firewall-authentication web-authentication
default-profile test-profile;
banner {
    success "Authentication passed";
}

And finally, configure security policy appropriately:

[edit security policies]
louisk@srx.cmhome# show from-zone lan to-zone wan policy firewall-auth
match {
    source-address louisk;
    destination-address cisco-switch;
    application junos-telnet;
}
then {
    permit {
        firewall-authentication {
            web-authentication {
                client-match admin;
            }
        }
    }
}
