Tag Archives: Juniper NSM

CLI Commands for Troubleshooting Juniper ScreenOS Firewalls

Yes I know, ScreenOS is “End of Everything” (EoE). However, for historical reasons I am still managing many Netscreen/ScreenOS firewalls for some customers. Similar to my troubleshooting CLI commands for Palo Alto and Fortinet I am listing the most common used commands for the ScreenOS devices as a quick reference / cheat sheet. These are only the commands that are needed for deep troubleshooting sessions that cannot be done solely on the GUI.

Continue reading CLI Commands for Troubleshooting Juniper ScreenOS Firewalls

Juniper ScreenOS DHCP Relay: “Use Interface as Source IP for VPN”

I had strange looking DHCP packets in my network as I tested around with DHCP relays on the Juniper SSG firewall. Some packets were blocked and I didn’t know why. After some troubleshooting, it was clear that the checkmark “Use xy Zone Interface as Source IP for VPN” has a big impact in all environments even without the usage of a VPN!

Continue reading Juniper ScreenOS DHCP Relay: “Use Interface as Source IP for VPN”

Juniper ScreenOS NSRP: Configuration via GUI, NSM, and CLI

Short step-by-step screenshot guide for an initial configuration of NSRP on two Juniper ScreenOS firewalls, such as the SSGs. One screenshot pack for the https GUI and another one for the Network and Security Manager (NSM) since I am always searching for the positions of the commands on it. Finally, I am listing the appropriate CLI commands.

Continue reading Juniper ScreenOS NSRP: Configuration via GUI, NSM, and CLI

Juniper ScreenOS Firewall autocorrects Route Entries

I was a bit confused today as I saw a “wrong” route entry in the config of an SSG firewall. The route had not the correct “network/netmask” notation but a “host-address/netmask-of-the-network” notation. However, the SSG autocorrected this false route entry to the correct subnet id in its routing table.

Continue reading Juniper ScreenOS Firewall autocorrects Route Entries

Juniper NSM: Exclamation Mark due to Attack Database Version Mismatch

Short and very specific notice: How to remove the exclamation marks on the Juniper NSM device list for firewalls that have an outdated attack database version. This happens if the license for the deep inspection expires and the device still has an old sigpack version. Since the NSM later on has newer ones, it marks the firewall with a yellow symbol. To have a consistent “green” view of all firewalls, the following steps can be done to remove the exclamation mark.

Continue reading Juniper NSM: Exclamation Mark due to Attack Database Version Mismatch