Junos : Junos vs Screen OS

[ScreenOS] vs [JunOS]

ScreenOS	JUNOS	Notes
Session & Interface counters
get session	> show security flow session
get interface	> show interface terse
get counter stat get counter stat <interface>	> show interface extensive > show interface <interface> extensive
clear counter stat	> clear interface statistics <interface>
Debug & Snoop
debug flow basic	# edit security flow # set traceoptions flag basic-datapath # commit	-creates debugs in default file name: /var/log/security-trace See KB16108 for traceoptions info.
set ff	# edit security flow # set traceoptions packet-filter	Packet-drop is a feature that will be added
get ff	> show configuration | match packet-filter | display set
get debug	> show configuration | match traceoptions | display set
get db stream	View stored log: (recommended option) > show log <file name> (enter h to see help options) > show log security-trace (to view 'security flow' debugs) > show log kmd (to view 'security ike' debugs) View real-time: (use this option with caution) > monitor start <debugfilename> ESC-Q (to pause real-time output to screen)	‘monitor stop' stops real-time view , but debugs are still collected in log files
clear db	> clear log <filename> (clears contents of file)	Use ‘file delete <filename> to actually delete file>
undebug <debug> (stops collecting debugs)	# edit security flow # deactivate traceoptions OR # delete traceoptions (at the particular hierarchy) # commit	Deactivate makes it easier to enable/disable. Use activate traceoptions to activate.
undebug all	Not available. You need to deactivate or delete traceoptions separately.
debug ike detail	# edit security ike # set traceoptions flag ike # commit	-creates debugs in default file name: kmd
snoop (packets THRU the JUNOS device)	Use Packet Capture feature	- Not supported on SRX 3x00/5x00 yet
snoop (packets TO the JUNOS device)	> monitor traffic interface <int> layer2-headers write-file option (hidden) read-file (hidden)	-Only captures traffic destined for the RE of router itself. - Excludes PING .
Event Logs
get event	> show log messages > show log messages | last 20 (helpful cmd because newest log entries are at end of file)
get event | include <string>	> show log messages | match <string> > show log messages | match “<string> | <string> | <string>” Examples: > show log messages | match “error | kernel | panic” > show log messages | last 20 | find error	Note: There is not an equivalent command for ‘get event include <string>'. match displays only the lines that contains the string find displays output starting from the first occurrence of the string
clear event	> clear log messages
	> show log
Config & Software upgrade
get config	> show config (program structured format) > show config | display set (set command format)
get license	> show system license keys
get chassis (serial numbers)	> show chassis hardware detail	> show chas environment > show chas routing-engine
exec license	> request system license [add | delete |save]
unset all reset	load factory-default set system root-authentication plain-text-passsword commit and-quit request system reboot
load config from tftp <tftp_server> <configfile>	> start shell and FTP config to router, i.e. /var/tmp/test.cfg. Then # load override /var/tmp/test.cfg (or full path of config file)	-TFTP is not supported. Use only FTP, HTTP, or SCP.
load software from tftp <tftp_server> <screenosimage> to flash	> request system software add Example: request system software add ftp:10.10.10.129/jsr/junos-srxsme-9.5R1.8-domestic.tgz reboot	-TFTP is not supported. Use only FTP. HTTP, or SCP. -Use ‘request system software rollback' to rollback to previous s/w package See KB16652.
save	# commit OR # commit and-quit
reset	> request system reboot
Policy
get policy	> show security policies
get policy from <zone> to <zone>	> show security policies from <zone> to <zone>
VPN
get ike cookie	> show security ike security-associations
get sa	> show security ipsec security-associations	> show security ipsec stat
clear ike cookie	> clear security ike security-associations
clear sa	> clear security ipsec security-associations
NSRP
get nsrp	> show chassis cluster status > show chassis cluster interfaces > show chassis cluster status redundancy-group <group>
exec nsrp vsd <vsd> mode backup (on master) see KB5885	> request chassis cluster failover redundancy-group <group> node <node>
	> request chassis cluster failover reset redundancy-group <group>
DHCP
get dhcp client	> show system services dhcp client	See KB15753.
exec dhcp client <int> renew	> request system services dhcp renew (or release)
Routing
get route	> show route
get route ip <ipaddress>	> show route <ipaddress>
get vr untrust-vr route	> show route instance untrust-vr
get ospf nei	> show ospf neighbor
set route 0.0.0.0/0 interface <int> gateway <ip>	# set routing-options static route 0.0.0.0/0 next-hop <ip>	See KB16572.
NAT
get vip	> show security nat destination-nat summary
get mip	> show security nat static-nat summary
get dip	> show security nat source-nat summary > show security nat source-nat pool <pool>
Other
get perf cpu	> show chassis routing-engine
get net-pak s	> show system buffers
get file	> show system storage
get alg	> show configuration groups junos-defaults applications	All pre-defined applications are located within the hidden group junos-defaults. If any ALGs are applied to the pre-defined applications, they will also be displayed with this command.
get service	> show configuration groups junos-defaults applications
get tech	> request support information
set console page 0	> set cli screen-length 0
	> file list <path> Example: file list /var/tmp/	Shows directory listing. Note that / is needed at end of path
	#  =  configuration mode prompt
	>  =  operational mode prompt

Junos : Configure Static Route

Creating Static Routes

The following example configures a static route of 10.2.2.0/24 with a next-hop address of 10.1.1.254:

user@host# set routing-options static route 10.2.2.0/24 next-hop 10.1.1.254

Creating Default Routes

The following example configures an IPv4 default route with a next-hop address of 10.1.1.254:

user@host# set routing-options static route 0.0.0.0/0 next-hop 10.1.1.254

Verification

To review a summary of the routes in the routing table, use the following operational mode command:

user@host> show route terse

Junos : Create a new admin user

JUNOS Software has predefined login classes that you assign to all users:

• Operator
• Read-only
• Super-user
• Unauthorized

.

J-Web Configuration

Using Predefined Login Classes

You can apply a login class when creating a new user account or to an existing user account.
To apply a login class to an existing user account:

1. Select Configure>System Properties>User Management.
2. Click Edit.
3. In the Edit User Management dialog box, select a username, and click Edit.
4. In the Login class list, select the level of permission for executing commands for the user.
5. Click OK.
6. In the Edit User Management dialog box, click OK.

Creating a New Admin User

To create a new admin user with super-user privileges:

1. Select Configure>System Properties>User Management.
2. Click Edit.
3. In the Edit User Management dialog box, click Add.
4. In the User name box, type the username of the user (for example, jlee).
5. In the Password box, type the password for the user.
6. In the Confirm password box, type the user password again.
7. In the Login class list, select the level of permission for executing commands for the user (in this example, super-user).
8. Click OK.
9. In the Edit User Management dialog box, click OK.

If you are finished configuring the device, click Commit to commit the configuration.

CLI Configuration

Using Predefined Login Classes

You can review the available login classes by using the following command:

user@host# set system login user labuser class ?
Possible completions:
<class> Login class
operator permissions [ clear network reset trace view ]
read-only permissions [ view ]
super-user permissions [ all ]
unauthorized permissions [ none ]

In the following example, you apply the operator login class to the user with the username of csmith:

user@host# set system login user csmith class operator

Creating a New Admin User

To create a new admin user, create a login user with super-user privileges:

1. Create a user account named jlee, which has super-user privileges.

user@host# set system login user jlee class super-user authentication plain-text-password

2. Enter the password for the user, and enter the password again. The password does not appear as you type.

New password:
Retype new password:

Junos : Configuring an interface and security zone on an SRX Series device.

Network Interface Naming

Junos uses the following interface naming conventions:

• The show interface terse command displays a list of the interfaces. 

user@host> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up 
ge-0/0/0.0              up    up   inet     10.85.49.150/24
gr-0/0/0                up    up 
ip-0/0/0                up    up 
lsq-0/0/0               up    up 
lt-0/0/0                up    up 
mt-0/0/0                up    up 
pd-0/0/0                up    up 
pe-0/0/0                up    up  

• The syntax for the interface name, such as ge-0/0/0, is as follows:

Interface Type - Slot / Module / Port . Logical number  

• All numbers for the slot, module, and port start with 0.
For example :
ge-0/0/0 = First onboard Gigabit Interface
st0.0 = First Secure Tunnel Interface (VPN Tunnel)
lo0 = First loopback interface

• Wildcards--Many commands accept wildcards in the interface names.
For example:
show interfaces ge-0/0/*

Security Zone

A security zone is a collection of interfaces that define a security boundary. Internal network interfaces may be assigned to a security zone named "trust," and external network interfaces may be assigned to a security zone named "untrust." Security policies are then used to control transit traffic between security zones. For more information about security zones.

CLI

The following example configures a security zone with one interface:

1. Verify existing security zones, and verify which interfaces have been assigned to the security zones by using one of the following commands: user@host> show security zones
user@host> show interfaces
2. Configure the ge-0/0/1.0 interface with the IP address 192.168.20.2/24.

user@host# set interfaces ge-0/0/1 unit 0 family inet address 192.168.20.2/24.

3. If a security zone name does not exist, configure a security zone:

user@host# set security zones security-zone trust

4. Assign the ge-0/0/1.0 interface to the trust security zone.

user@host# set security zones security-zone trust interfaces ge-0/0/1.0

 

Junos : What is Junos Pulse

Junos Pulse is an endpoint software platform that enables dynamic SSL VPN connectivity, network access control (NAC), mobile security, online meetings and collaboration, and application acceleration, through an simple yet elegant user interface. It removes the complexity from network connectivity and access control, and delivers optimal connectivity to end users depending on their device type and security state, location, identity, and adherence to corporate access control policies.
Junos Pulse provides easy deployment and management for administrators and easy access for users by intelligently delivering and enabling services through a single, integrated user interface for both mobile and non-mobile devices. Administrators can simplify and secure fast, seamless mobile, remote, and local network, cloud, and application access for end users by configuring policies that automatically enable the appropriate network or cloud connection — with no user interaction required.
Junos Pulse also:

• Enables mobile and remote network access, network security, and application acceleration, increasing visibility and manageability while enabling secure access to network resources based on user identity and role.
• Reduces the cost and time associated with deployment.
• Uses industry and open standards, such as the Trusted Network Connect (TNC) specifications.
• Serves as a platform for integration of select third-party, best-in-class security, access and connectivity applications.
• Delivers a value-added services platform for service providers.

Junos Pulse is the only integrated access, security, collaboration, and acceleration services, solution for virtually any device — mobile or non-mobile — that today's businesses need.