CLI Commands for Troubleshooting Juniper ScreenOS Firewalls

Yes I know, ScreenOS is “End of Everything” (EoE). However, for historical reasons I am still managing many NetScreen/ScreenOS firewalls for some customers. Similar to my troubleshooting CLI commands for Palo Alto and Fortinet, I am listing the most commonly used commands for the ScreenOS devices as a quick reference / cheat sheet. These are only the commands that are needed for deep troubleshooting sessions that cannot be done solely in the GUI.

At first: Always remember that the default backspace key is “Ctrl + h” and not the backspace key itself! ;)

Basics

These are the very basics on the command line:

How to turn off the LED alarm on the firewall:

Basic Networking

The reason why we are all here:


Application Layer Gateway

I had some trouble with the application layer gateway functionality on the ScreenOS devices. Here are some hidden commands that help while troubleshooting the ALGs:

And a few links concerning ALGs:


NSRP (High Availability)

The following command lists all details about a NetScreen Redundancy Protocol (NSRP) cluster, i.e., the IDs of all connected units, the current master, the encryption and authentication passwords (in plain text!), etc.:

To sync the configuration from the master to the local device (AND NOT VICE VERSA!!!) [Link]:

And to do a manual failover. This brings the current master unit into backup mode. This command must be used on the current master! [Link]:
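The three NSRP tasks above as one annotated CLI sequence. This is an added example and not the command list from the original post; lines starting with `#` are annotations, not ScreenOS input.

```text
# Lines beginning with # are annotations, not CLI input.
# On any cluster member: unit IDs, VSD group state (master/backup), cluster id,
# and the NSRP authentication/encryption passwords shown in clear text.
get nsrp
# On the BACKUP unit only: pull the master's configuration onto this device and save it.
# The local configuration is overwritten, so never run this on the master.
exec nsrp sync global-config save
# On the current MASTER only: step VSD group 0 down to backup so the peer takes over.
exec nsrp vsd-group 0 mode backup
```

Because `get nsrp` discloses the cluster passwords, treat captured terminal output from that command like any other credential material.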


Session & Log

The session commands list sessions that are currently active. The traffic log shows already finished sessions (of course only if they were logged):

Link: “How to determine how long a session has been up in ScreenOS”.


IPsec VPN

This is one of the main use cases for using the CLI on the SSG firewalls: Many details about IPsec site-to-site VPNs, e.g., the proxy-IDs for policy-based VPNs:

In order to clear a current VPN connection, use one of the following commands for either phase 1 (IKE) or phase 2 (IPsec):
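An added example for the IPsec section (not the commands from the original post) showing the phase 1 and phase 2 views and the two separate clear operations; the peer address 203.0.113.1 and the SA id 1 are constructed values, read the real ones from your own `get sa` output.

```text
# Lines beginning with # are annotations, not CLI input. Addresses and ids are constructed.
# Phase 1 (IKE): negotiated IKE SAs per remote gateway.
get ike cookie
# Phase 2 (IPsec): one line per SA with id, peer gateway, lifetimes and the A/I flag.
get sa
get sa active
# Full detail for one SA, including the proxy-IDs used for a policy-based VPN.
get sa id 1
# Tear down phase 1 for one peer; the next interesting packet forces a fresh IKE negotiation.
clear ike-cookie 203.0.113.1
# Tear down phase 2 for one tunnel only, using the id column from "get sa".
clear sa 1
```

Clearing the IKE cookie also invalidates the dependent phase 2 SAs, so when a tunnel will not re-establish, compare the proxy-IDs in `get sa id` on both peers before clearing again.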

Flow

To display the most detailed information about active flows, for example to see which policies trigger or which routing table lookups are used, etc. [Link]:
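For the session and flow sections above, an added example (not the original post's command list) of the filtered `debug flow basic` workflow; the addresses 10.1.1.10 and 192.0.2.20 are constructed, and lines starting with `#` are annotations, not ScreenOS input.

```text
# Lines beginning with # are annotations, not CLI input. Addresses are constructed.
# Check whether a session for the test traffic already exists (one line per session).
get session src-ip 10.1.1.10 dst-ip 192.0.2.20
# Restrict the debug to that traffic pair; without a filter the buffer fills with noise.
set ffilter src-ip 10.1.1.10 dst-ip 192.0.2.20
get ffilter
# Empty the debug buffer, start the basic flow trace, then send the test traffic.
clear dbuf
debug flow basic
# Stop tracing before reading, otherwise the buffer keeps growing while you scroll.
undebug all
# Read the trace: route lookup, policy search with the matching policy id,
# NAT decisions and the session creation (or the reason for a drop) appear here.
get dbuf stream
# Remove filter 0 and clear the buffer so the next troubleshooting session starts clean.
unset ffilter 0
clear dbuf
```

Always stop with `undebug all` before leaving the box; a forgotten flow debug on a busy firewall costs CPU and fills the buffer with unrelated traffic.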


Common Problems

Some more links to common problems or other scenarios:


NSM Stuff

And finally some notes concerning the “Network and Security Manager”.

  • Default port from ScreenOS device to NSM: TCP/7800.
  • Default HTTPS port to download the Java GUI: https://<ip>:8443.
  • Default port from Java GUI to NSM: TCP/7808.

To become root on the NSM CLI:

And some links:


Factory Reset & Defaults

To do a factory reset you can either use the reset pinhole on the device or login to the serial console with the serial number as username and password. Both ways are explained here.

To do a reset via the CLI use the following commands, explained here. Note that this is NOT a complete factory reset but only an “unset” of all commands, while port modes, license keys, etc. will remain:

The default IPv4 address is 192.168.1.1. The switch ports which are configured with this IPv4 address vary! For example, on an SSG 5 it is bgroup0 = eth0/2 – 0/6, while on an SSG 140 it is eth0/0. The default login is netscreen:netscreen. (Followed by “tab tab enter” to login via the GUI. ;))


Update via USB

To update the imagekey and the ScreenOS firmware from a USB stick (rather than via GUI, NSM, or TFTP) use the following commands:

Featured image “Warten auf Arbeit” by Günter Hentschel is licensed under CC BY-ND 2.0.

14 thoughts on “CLI Commands for Troubleshooting Juniper ScreenOS Firewalls”

  1. Great post for people like me getting fresh with Netscreen. Thanks and continue the good job.

  2. Do we have any command for replacing a string, like below in SRX?

    #replace pattern with

    1. Simply log into the SSG via SSH and issue the “get config” command. Copy and paste it into a text file.

      You can download the same output from the GUI. I don’t remember the exact place (since I don’t have any SSGs running anymore). But I know that it’s there. ;) It gives you a “_cfg” file.

  3. I'm stuck in loading the image via the OS Loader without success.

    Juniper Networks ISG Series BootROM V1.1.1 (Checksum: 88D32336)
    Copyright (c) 1997-2008 Juniper Networks, Inc.

    Total physical memory: 2048MB
    Test – Pass
    Initialization……………. Done

    Hit key ‘X’ and ‘A’ sequentially to update OS Loader….

    BOM Version [F06]: READ ONLY
    Self MAC Address [0022-83ad-4d00]: READ ONLY
    OS Loader File Name [nsISG2000.6.3.0r12.0]: nsISG2000.6.3.0r12.0
    Self IP Address [10.1.6.252]:
    TFTP IP Address [10.1.6.250]:
    Ip Address Mask [255]: 255.255.255.192
    Default Gateway IP [0]: 10.1.6.250

    Save loader config (112 bytes)… Done

    Loading file "nsISG2000.6.3.0r12.0"...

    atatatatatatatatatatatatatatatatata
    Loaded successfully! (size = 14,668,116 bytes)

    ### invalid image file ###
