Yes I know, ScreenOS is “End of Everything” (EoE). However, for historical reasons I am still managing many Netscreen/ScreenOS firewalls for some customers. Similar to my troubleshooting CLI commands for Palo Alto and Fortinet I am listing the most common used commands for the ScreenOS devices as a quick reference / cheat sheet. These are only the commands that are needed for deep troubleshooting sessions that cannot be done solely on the GUI.
I had strange looking DHCP packets in my network as I tested around with DHCP relays on the Juniper SSG firewall. Some packets were blocked and I didn’t know why. After some troubleshooting it was clear that the checkmark “Use xy Zone Interface as Source IP for VPN” has a big impact in all environments even without the usage of a VPN!
Short step-by-step screenshot guide for an initial configuration of NSRP of two Juniper ScreenOS firewalls, such as the SSGs. One screenshot pack for the https GUI and another one for the Network and Security Manager (NSM) since I am always searching for the positions of the commands on it. Finally, I am listing the appropriate CLI commands.
I was a bit confused today as I saw a “wrong” route entry in the config of an SSG firewall. The route had not the correct “network/netmask” notation but a “host-address/netmask-of-the-network” notation. However, the SSG autocorrected this false route entry to the correct subnet id in its routing table.
Short and very specific notice: How to remove the exclamation marks on the Juniper NSM device list for firewalls that have an outdated attack database version. This happens if the license for the deep inspection expires and the device still has an old sigpack version. Since the NSM later on has newer ones, it marks the firewall with a yellow symbol. To have a consistent “green” view of all firewalls, the following steps can be done to remove the exclamation mark.