Juniper Netscreen - Captures

juniper netscreen 
!! Snoop Filter - More basic capture
!! Enable
snoop filter ip src-ip <src IP> dst-ip <dest IP>
snoop
!! Disable
snoop off
snoop filter del

!! Flow Filter - Much more information on the packet flow
!! Enable
set ff src-ip <src IP> dst-ip <dest IP>
debug flow basic
!! Disable
undebug all
unset ff  !! Unset the filter op

Notes:

  • Use 'get db st' to view the output
  • Use 'clear db' to clear the capture but keep it running

[ # ]

Juniper Netscreen - Licensing

juniper netscreen 
exec licese-key <key>
get license

Notes:

  • Refers to what follows "advanced=", no spaces or line breaks

[ # ]

Juniper Netscreen - Health Troubleshooting

juniper netscreen 
get sys  !! Uptime
get perf session  !! Connection Count
get perf cpu detail
get perf cpu all detail  !! * means above threshold
get event level critical  !! View failovers or other critical evens
get counter statistics  !! CRC errors, etc

[ # ]

Juniper Netscreen - General Troubleshooting

juniper netscreen 
get log traffic src-ip <ip> dst-ip <ip>
get session src-ip <src IP> dst-ip <dst IP>

[ # ]

Juniper Netscreen - Disable Specific Log Messages

juniper netscreen 
set log exclude-id <#> user-id <username> event-type <event-id> scr-ip <ip> src-netmask <netmask> dst-ip <ip> dst-netmask <netmask> dst-port <port> <success|failure>

You can set any of the above options to attempt to hide specific log messages. For instance, let's assume I wanted to stop logging the following admin login messages:

Feb 10 00:00:01 192.168.1.1 LocalFirewall: NetScreen device_id=LocalFirewall [Root]system-information-00519: ADM: Local admin authentication successful for login name admin (2014-02-10 00:00:01)

The following would work to suppress all successful logins with mesage id 00519 for the 'admin' user

set log exclude-id 1 user-id "admin" event-type 519 success

Notes

  • ScreenOS version 6.2+ required
  • A maximum of 10 exclude rules are allowed

Documentation

[ # ]

Juniper Netscreen - Manual Failover

juniper netscreen 
exec nsrp vsd-group <group ID> mode master

Notes:

  • Performed on the standby/backup firewall

[ # ]

Juniper Netscreen - NSRP Configuration

juniper netscreen 
!! Node A - Master
set nsrp rto-mirror sync
set nsrp monitor interface eth1
set nsrp monitor interface eth3
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 100

!! Node B - Backup
set nsrp rto-mirror sync
set nsrp monitor interface eth1
set nsrp monitor interface eth3
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 90
save
exec nsrp sync global-config save  !! Performed on the backup device

Notes:

  • Configure the interfaces PRIOR to performing NSRP configuration
  • After syncing config, reboot the secondary firewall

[ # ]

Juniper Netscreen - VPN Troubleshooting

juniper netscreen vpn 
get vpn
get ike cookies
get sa active
get event include vpn

SRC    DEST    PROXY ID (SRC/DEST)
Group  Group   0.0.0.0/0.0.0.0 > 0.0.0.0/0.0.0.0
Group  Subnet  0.0.0.0/0.0.0.0 > Subnet
Subnet Subnet  Subnet > Subnet

Notes:

  • Use subnets instead of groups to solve issues with proxy id / encryption domains. 1 rule per subnet pair

[ # ]

Juniper Netscreen - Track IP Configuration

juniper netscreen 
set interface <interface> monitor track-ip ip
set interface <interface> monitor track-ip threshold 255
set interface <interface> monitor track-ip ip <IP-to-monitor> threshold 10
set interface <interface> monitor track-ip ip <IP-to-monitor> weight 255

Notes:

  • Interface will be brought down after 10 failed pings

[ # ]

Juniper Netscreen - Reset NSM Connection

juniper netscreen 
unset nsm enable
set nsm enable

[ # ]