request routing-engine login node <0|1>    !! Branch SRX devices (Pre-11.4R1.6)
rlogin -Jk -T <node0|node1>    !! High-end and Branch SRX devices (11.4R1.6+ for Branch models) from the shell

Documentation


/var/log/chassisd                !! Hardware and chassis control logs
/var/log/idpd                    !! IDP daemon, events, and failures
/var/log/interactive-commands    !! View the commands run by users on the firewall
/var/log/jsrpd                    !! HA (chassis cluster) logs from the jsrpd daemon
/var/log/kmd                    !! IKE Negotiation logs
/var/log/messages                !! Start place for locating logs
/var/log/utmd                    !! UTM related logs


set interfaces <physical> unit 0 family inet address <ip/cidr>


  • fxp1 - Control link - enables configuration sync between the nodes
  • fxp0 - Management interface - Can be used for OOB
  • fab# - Data (fabric) link - session sync (packets known as "real-time objects" or RTOs) and the transit traffic link for active/active; fragmentation is not supported, jumbo frames are supported
  • reth - Each reth is a logical interface containing 1 physical interface from each firewall

Redundancy group 0 always controls the routing engine; redundancy group 1 holds whatever has been configured for failover, such as the interfaces.


show interfaces terse fab*    !! Verify the Fabric link is up
file copy <node0|node1>:<source-filepath> <node0|node1>:<dest-filepath>

Documentation


request system snapshot slice alternate


show system snapshot media internal


set system time-zone Europe/London
set date ntp <ip>

set system ntp server <ntp server 1 ip> prefer
set system ntp server <ntp server 2 ip>


set security flow traceoptions file <filename>
set security flow traceoptions file size 100000
set security flow traceoptions file files 5
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter <name> source-prefix <ip/cidr>
set security flow traceoptions packet-filter <name> destination-prefix <ip/cidr>
commit

!! Run the following from the shell to view the capture
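#######################################
# Reformat a Junos "security flow traceoptions" trace file into a shorter,
# labelled per-packet view: keep only the lines that show the packet's path
# through the flow engine (filter match, interface, session lookup/creation,
# NAT, route lookup, policy verdict), strip the log prefix up to "RT:",
# relabel the raw TCP flag / ICMP type fields, and print a banner before
# each newly matched packet.
# Arguments: $1 - trace file written by "set security flow traceoptions
#                 file <filename>" (it lives under /var/log on the device)
# Outputs:   the reformatted trace on stdout
# Returns:   2 on usage error, otherwise the status of the pipeline (awk's
#            status unless pipefail is set)
# Usage:     paste this function into the shell, then run
#            srx_flow_summary /var/log/<filename>
#######################################
srx_flow_summary() {
  if [ "$#" -ne 1 ]; then
    printf 'usage: srx_flow_summary <trace-file>\n' >&2
    return 2
  fi
  local trace
  trace=$1
  # grep -E is the current spelling of egrep; "--" keeps a file name that
  # begins with "-" from being parsed as an option. The sed expressions are
  # applied in order to each line, exactly as the former chain of sed stages.
  grep -E -e 'matched filter|(ge|fe|reth)-.*->.*|session found|create session|dst_xlate|routed|search|denied|src_xlate|outgoing phy if' -- "$trace" \
    | sed -e 's/.*RT://g' \
          -e 's/tcp, flag 2 syn/--TCP SYN--/g' \
          -e 's/tcp, flag 12 syn ack/--TCP SYN\/ACK--/g' \
          -e 's/tcp, flag 10/--TCP ACK--/g' \
          -e 's/tcp, flag 4 rst/--TCP RST--/g' \
          -e 's/tcp, flag 14 rst/--TCP RST\/ACK--/g' \
          -e 's/tcp, flag 18/--TCP PUSH\/ACK--/g' \
          -e 's/tcp, flag 11 fin/--TCP FIN\/ACK--/g' \
          -e 's/tcp, flag 5/--TCP FIN\/RST--/g' \
          -e 's/icmp, (0\/0)/--ICMP Echo Reply--/g' \
          -e 's/icmp, (8\/0)/--ICMP Echo Request--/g' \
          -e 's/icmp, (3\/0)/--ICMP Destination Unreachable--/g' \
          -e 's/icmp, (11\/0)/--ICMP Time Exceeded--/g' \
    | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="}; {print};'
}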

Notes:

  • The egrep pipeline reformats the capture into an easier-to-read layout. It is not necessary to run this command to read the capture file.
  • Make sure to replace <filename> in the egrep with the name of the trace file configured above.
  • The capture is bidirectional.


!! Create the capture
edit security flow traceoptions
set security flow traceoptions file <captureFileName>
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops
set security flow traceoptions level 15
set security flow traceoptions packet-filter filter1 source-prefix <ip>
set security flow traceoptions packet-filter filter1 destination-prefix <ip>
set security flow traceoptions packet-filter filter2 source-prefix <ip>
set security flow traceoptions packet-filter filter2 destination-prefix <ip>
commit
run monitor start <captureFileName>

!! Kill the capture
monitor stop <captureFileName>
clear log <captureFileName>            !! Clear the log file
delete security flow traceoptions
commit
file delete <captureFileName>
