request routing-engine login node <0|1>    !! Branch SRX devices (Pre-11.4R1.6)
rlogin -Jk -T <node0|node1>    !! High-end and Branch SRX devices (11.4R1.6+ for Branch models) from the shell

Documentation

[ # ]

  • fxp1 - Control link - Enables sync of config
  • fxp0 - Management interface - Can be used for OOB
  • fab# - Data link - Session sync (packets known as "real-time object" or RTO), transit traffic link for active/active, fragmentation not supported, jumbo frames supported
  • reth - Each reth is a logical interface containing 1 physical interface from each firewall

Redundant Group 0 is always routing engine, Group 1 is what has been configured for failover such as the interfaces

[ # ]

set interface <physical> unit 0 family inet address <ip/cidr>

[ # ]

set routing-options static route <ip/cidr> next-hop <gw>

[ # ]

show interfaces terse fab*    !! Verify the Fabric link is up
file copy <node0|node1>:<source-filepath> <node0|node1>:<dest-filepath>

Documentation

[ # ]

request system snapshot slice alternate

[ # ]

!! Create the capture
edit security flow traceoptions
set security flow traceoptions file <captureFileName>
set security flow traceoptions flag basic-datapath
set security flow traceoptions flag packet-drops
set security flow traceoptions level 15
set security flow traceoptions packet-filter filter1 source-prefix <ip>
set security flow traceoptions packet-filter filter1 destination-prefix <ip>
set security flow traceoptions packet-filter filter2 source-prefix <ip>
set security flow traceoptions packet-filter filter2 destination-prefix <ip>
commit
run monitor start <captureFileName>

!! Kill the capture
monitor stop <captureFileName>
clear log <captureFileName>            !! Clear the log file
delete security flow traceoptions
commit
file delete <captureFileName>

[ # ]

set security flow traceoptions file <filename>
set security flow traceoptions file size 100000
set security flow traceoptions file files 5
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter <name> source-prefix <ip/cidr>
set security flow traceoptions packet-filter <name> destination-prefix <ip/cidr>
commit

!! Run the following from the shell to view the capture
egrep 'matched filter|(ge|fe|reth)-.*->.*|session found|create session|dst_xlate|routed|search|denied|src_xlate|outgoing phy if' <filename> | sed -e 's/.*RT://g' | sed -e 's/tcp, flag 2 syn/--TCP SYN--/g' | sed -e 's/tcp, flag 12 syn ack/--TCP SYN\/ACK--/g' | sed -e 's/tcp, flag 10/--TCP ACK--/g' | sed -e 's/tcp, flag 4 rst/--TCP RST--/g' | sed -e 's/tcp, flag 14 rst/--TCP RST\/ACK--/g' | sed -e 's/tcp, flag 18/--TCP PUSH\/ACK--/g' | sed -e 's/tcp, flag 11 fin/--TCP FIN\/ACK--/g' | sed -e 's/tcp, flag 5/--TCP FIN\/RST--/g' | sed -e 's/icmp, (0\/0)/--ICMP Echo Reply--/g' | sed -e 's/icmp, (8\/0)/--ICMP Echo Request--/g' | sed -e 's/icmp, (3\/0)/--ICMP Destination Unreachable--/g' | sed -e 's/icmp, (11\/0)/--ICMP Time Exceeded--/g' | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="}; {print};'

Notes:

  • The egrep outputs the capture into an easier to read format. It is not necessary to run this command to read the capture file.
  • Make sure to replace in the egrep
  • Capture is bidirectional

[ # ]

show | compare  !! View what will be pushed on commit
commit  !! Push change
commit check  !! Verify change has no errors and can be pushed
commit confirm  !! Rollback to last configuration if current commit isn\'t confirmed
commit at <HH:MM:SS>  !! Push at a specific time
rollback 0  !! Undo stage, rollback to current firewall configuration

[ # ]

system time-zone Europe/London
set date ntp <ip>

set system ntp server <ntp server 1 ip> prefer
set system ntp server <ntp server 2 ip>

[ # ]