ScreenOS Firewalls (NOT SRX)
CLI usability issue

I am running into some fatal issues with using the ScreenOS CLI for much of anything.



Issue 1: Object names longer than 11 characters are truncated and a tilde is appended. If I have three mips which all have the same first 6 digits, they appear to all be the same thing when displayed on the cli. For example, 'get policy' may show the following three different dest addresses:





There is no way to tell them apart. Is there any way to get it to display more characters? The current display makes it impossible to manage policies via the cli.


Issue 2: Let's say I need to change/remove a policy which I know contains the IP address I do not know the policy ID, and I know there are not many policies which reference this number. I can do 'get policy' and get a list of 1000+ policies and then scan through them for 20 minutes and hope I find it, but there must be a better way. Unfortunately using '| inc' will not return anything useful because the policy this object is referenced in has multiple destination addresses, so it takes up multiple lines. Searching with 'inc' will find the IP address, but does not show me anything else, such as policy ID or what the policy even does. Is there a good way to find a policy containing a specific IP when you have a lot of policies?


Thank you for your help.

Re: CLI usability issue

Policies I normally configure from the WebUI due to some of the same limitations you mentioned.


What you can do is do a "get config" and do an include for what you're looking for.  That should show you all the details.  So if you're looking for any config statement with "", do a "get config | inc".  You may still find some weird things with it but something you can try to see if it helps you in what you're looking for.


Another option is to run a report on your policy, which generates a web page with everything.  You can do a quick find on what you're looking for to find the policy ID.


Just some ideas.



Re: CLI usability issue

The command "get policy" displays all policies in a table form. Sure, the columns are of a fixed width. "get policy id <id>" displays a single policy in a text form, with no truncation. There are several additional keywords that help to narrow your search:

xxxxxxxxxxxxxx-> get policy ?
>                    redirect output
|                    match output    <--- You can add include <searched text> here, as Mike explained
disabled             show disabled policies
id                   show one policy
action               action
all                  show all policies(including global policy)
dst-ip               dst-ip address
from                 from zone
global               show global policies
service              service
src-ip               src-ip address
to                   to zone


But I see no reason not to use the WebUI. The WebUI has no limitations that might prevent you from policy editing.


Kind regards,


Re: CLI usability issue



You probably don't have to do editing in batches, or have to deal with hundreds of policies. CLI is the best way, especially when wrapping with perl, etc.


Does Juniper plan on fixing this bug? It would be nice if there was an option to turn off truncation.
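
Editor's added example (not posted by anyone in this thread): a sketch of the scripted approach the replies point toward, searching saved "get config" output for every policy that references an IP and reporting the policy ID with the full, untruncated address names. It assumes the config uses a `set policy id N ... from "zone" to "zone" "src" "dst" "service" action` header, with further addresses as `set dst-address`/`set src-address` lines between `set policy id N` and `exit`; the sample config and function names are constructed for illustration.

```python
import re

# Constructed sample shaped like saved "get config" output (assumed format, not from the thread).
SAMPLE_CONFIG = '''\
set policy id 12 name "web" from "Untrust" to "DMZ"  "Any" "MIP(203.0.113.10)" "HTTP" permit log
set policy id 12
set dst-address "MIP(203.0.113.11)"
set dst-address "MIP(203.0.113.12)"
set service "HTTPS"
exit
set policy id 13 from "Trust" to "Untrust"  "10.1.1.0/24" "Any" "ANY" permit
set policy id 13
exit
set policy id 14 from "Untrust" to "DMZ"  "Any" "MIP(203.0.113.120)" "SMTP" deny
'''

HEADER = re.compile(r'^set policy id (\d+)\s.*\bfrom "[^"]*" to "[^"]*"\s+(.*)$')
CONTEXT = re.compile(r'^set policy id (\d+)$')
EXTRA = re.compile(r'^set (src|dst)-address "([^"]*)"')

def parse_policies(config_text):
    """Map policy ID -> {"src": set, "dst": set} of full, untruncated address names."""
    policies, current = {}, None
    for line in (raw.strip() for raw in config_text.splitlines()):
        header, context, extra = HEADER.match(line), CONTEXT.match(line), EXTRA.match(line)
        if header:
            names = re.findall(r'"([^"]*)"', header.group(2))
            if len(names) >= 2:  # first two quoted fields are source and destination
                policies[int(header.group(1))] = {"src": {names[0]}, "dst": {names[1]}}
        elif context:
            current = int(context.group(1))  # entering the multi-line part of a policy
        elif line == "exit":
            current = None
        elif extra and current in policies:
            policies[current][extra.group(1)].add(extra.group(2))
    return policies

def find_policies(config_text, ip, fields=("src", "dst")):
    """Return {policy_id: [matching address names]} for policies referencing ip."""
    # Lookarounds stop 203.0.113.12 from also matching 203.0.113.120.
    token = re.compile(r'(?<![\d.])' + re.escape(ip) + r'(?![\d.])')
    hits = {}
    for pid, pol in sorted(parse_policies(config_text).items()):
        matched = sorted(n for f in fields for n in pol[f] if token.search(n))
        if matched:
            hits[pid] = matched
    return hits

if __name__ == "__main__":
    for pid, names in find_policies(SAMPLE_CONFIG, "203.0.113.12").items():
        print(f"policy id {pid}: {', '.join(names)}")
```

Each ID it returns can then be passed to "get policy id <id>" on the device to see the whole policy without truncation.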