show | compare  !! View what will be pushed on commit
commit  !! Push change
commit check  !! Verify change has no errors and can be pushed
commit confirmed <minutes>  !! Push change, then roll back automatically unless a second 'commit' is issued within <minutes> (default 10)
commit at <HH:MM:SS>  !! Push at a specific time
rollback 0  !! Discard the uncommitted candidate changes, back to the running firewall configuration


show interfaces terse fab*    !! Verify the Fabric link is up
file copy <node0|node1>:<source-filepath> <node0|node1>:<dest-filepath>


  • fxp1 - Control link - Carries the control plane between the nodes: configuration sync, kernel state and jsrpd heartbeats
  • fxp0 - Management interface - Out-of-band management; each node keeps its own fxp0 address (configured under groups node0/node1)
  • fab# - Data (fabric) link - Syncs session state between nodes (packets known as "real-time objects" or RTOs) and carries transit traffic between nodes in active/active; fragmentation is not supported, jumbo frames are
  • reth - Redundant Ethernet interface - A logical interface made of one physical child interface from each node; traffic is forwarded on the child belonging to the node that is primary for the reth's redundancy group

Redundancy group 0 always owns the Routing Engine (control plane); redundancy group 1 and higher hold the data-plane resources configured for failover, such as the reth interfaces


request chassis cluster failover redundancy-group 1 node <node>

Notes:

  • <node> is the node number (0 or 1) that should become primary for the group
  • A manual failover leaves the manual-failover flag set on the group; clear it with 'request chassis cluster failover reset redundancy-group 1' before another manual failover, and confirm the new primary with 'show chassis cluster status'


request routing-engine login node <0|1>    !! Branch SRX devices (Pre-11.4R1.6)
rlogin -Jk -T <node0|node1>    !! High-end and Branch SRX devices (11.4R1.6+ for Branch models) from the shell


/var/log/chassisd                !! Hardware and chassis control logs
/var/log/idpd                    !! IDP daemon, events, and failures
/var/log/interactive-commands    !! Commands run by users on the firewall
/var/log/jsrpd                   !! Chassis cluster (HA) daemon logs
/var/log/kmd                     !! IKE negotiation logs
/var/log/messages                !! Starting point when locating logs
/var/log/utmd                    !! UTM related logs


set interfaces <physical> unit 0 family inet address <ip/cidr>


set security flow traceoptions file <filename>
set security flow traceoptions file size 100000
set security flow traceoptions file files 5
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter <name> source-prefix <ip/cidr>
set security flow traceoptions packet-filter <name> destination-prefix <ip/cidr>
commit

!! Run the following from the shell to view the capture
egrep 'matched filter|(ge|fe|reth)-.*->.*|session found|create session|dst_xlate|routed|search|denied|src_xlate|outgoing phy if' <filename> | sed -e 's/.*RT://g' | sed -e 's/tcp, flag 2 syn/--TCP SYN--/g' | sed -e 's/tcp, flag 12 syn ack/--TCP SYN\/ACK--/g' | sed -e 's/tcp, flag 10/--TCP ACK--/g' | sed -e 's/tcp, flag 4 rst/--TCP RST--/g' | sed -e 's/tcp, flag 14 rst/--TCP RST\/ACK--/g' | sed -e 's/tcp, flag 18/--TCP PUSH\/ACK--/g' | sed -e 's/tcp, flag 11 fin/--TCP FIN\/ACK--/g' | sed -e 's/tcp, flag 5/--TCP FIN\/RST--/g' | sed -e 's/icmp, (0\/0)/--ICMP Echo Reply--/g' | sed -e 's/icmp, (8\/0)/--ICMP Echo Request--/g' | sed -e 's/icmp, (3\/0)/--ICMP Destination Unreachable--/g' | sed -e 's/icmp, (11\/0)/--ICMP Time Exceeded--/g' | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="}; {print};'

Notes:

  • The egrep reformats the trace for readability; it is not necessary to run it to read the capture file
  • Replace <filename> in the egrep with the name given to 'set security flow traceoptions file'; the file is written under /var/log/
  • Capture is bidirectional


!! Create the capture (configuration mode; 'set' lines are absolute, so do not 'edit' into the hierarchy first)
set security flow traceoptions file <captureFileName>
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops
set security flow traceoptions packet-filter filter1 source-prefix <ip>
set security flow traceoptions packet-filter filter1 destination-prefix <ip>
set security flow traceoptions packet-filter filter2 source-prefix <ip>    !! Second filter, e.g. the return direction of filter1
set security flow traceoptions packet-filter filter2 destination-prefix <ip>
commit
run monitor start <captureFileName>    !! Stream the trace to the terminal while still in configuration mode

!! Kill the capture (operational mode)
monitor stop <captureFileName>
clear log <captureFileName>            !! Clear the log file
delete security flow traceoptions      !! Configuration mode; a committed traceoptions stanza keeps writing the trace until removed
commit
file delete /var/log/<captureFileName>


snmp-server location <location-information>
snmp-server contact <contact-information>
snmp-server host <interface> <ip> trap community <community-string>    !! Device only sent traps, no polling
snmp-server host <interface> <ip> poll community <community-string>    !! Device only polling, no traps
snmp-server enable traps

Notes:

  • You can leave off 'poll' and 'trap' to allow both
