ScreenOS Firewalls (NOT SRX)
New User
james0991
Posts: 1
Registered: ‎05-05-2010
0

CLI usability issue

I am running into some fatal issues with using the ScreenOS CLI for much of anything.

Issue 1: Object names longer than 11 characters are truncated and a tilde is appended. If I have three mips which all have the same first 6 digits, they appear to all be the same thing when displayed on the cli. For example, 'get policy' may show the following three different dest addresses:

MIP(123.123~

MIP(123.123~

MIP(123.123~

There is no way to tell them apart. Is there any way to get it to display more characters? The current display makes it impossible to manage policies via the cli.

Issue 2: Let's say I need to change/remove a policy which I know contains the IP address 123.123.123.123. I do not know the policy ID, and I know there are not many policies which reference this number. I can do 'get policy' and get a list of 1000+ policies and then scan through them for 20 minutes and hope I find it, but there must be a better way. Unfortunately using '| inc 123.123.123.123' will not return anything useful because the policy this object is referenced in has multiple destination addresses, so it takes up multiple lines. Searching with 'inc' will find the IP address, but does not show me anything else, such as policy ID or what the policy even does. Is there a good way to find a policy containing a specific IP when you have a lot of policies?

Thank you for your help.

Super Contributor
mnarine
Posts: 179
Registered: ‎10-03-2009
0

Re: CLI usability issue

Policies I normally configure from the WebUI due to some of the same limitations you mentioned.

What you can do is do a "get config" and do an include for what you're looking for.  That should show you all the details.  So if you're looking for any config statement with "123.123.123.123", do a "get config | inc 123.123.123.123".  You may still find some weird things with it but something you can try to see if it helps you in what you're looking for.

Another option is to run a report on your policy, which generates a web page with everything.  You can do a quick find on what you're looking for to find the policy ID.

Just some ideas.

-Mike

Distinguished Expert
echidov
Posts: 858
Registered: ‎11-02-2009
0

Re: CLI usability issue

The command "get policy" displays all policies in a table form. Sure, the columns are of a fixed width. "get policy id <id>" displays a single policy in a text form, with no truncation. There are several additional keywords that help to narrow your search:

xxxxxxxxxxxxxx-> get policy ?
>                    redirect output
|                    match output          <--- You can add include <searched text> here, as Mike explained
<return>
disabled             show disabled policies
id                   show one policy
action               action
all                  show all policies(including global policy)
dst-ip               dst-ip address
from                 from zone
global               show global policies
service              service
src-ip               src-ip address
to                   to zone

But I see no reason not to use the WebUI. The WebUI has no limitations that might prevent you from policy editing.

Kind regards,

Edouard
New User
wbathurs
Posts: 1
Registered: ‎12-31-2010
0

Re: CLI usability issue

Edouard,

 

You probably don't have to do editing in batches, or have to deal with hundreds of policies. CLI is the best way, especially when wrapping with perl, etc.

Does Juniper plan on fixing this bug? It would be nice if there was an option to turn off truncation.
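Added example, not part of any post in this thread: one way to answer "which policy IDs reference 123.123.123.123" offline, by parsing saved "get config" output instead of the truncated "get policy" table. It assumes the usual saved-config layout (a "set policy id N ... from/to ..." definition line, then a "set policy id N" block with extra "set src-address"/"set dst-address" lines closed by "exit"); the sample config and the function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample in the style of saved "get config" output (not from the thread).
SAMPLE_CONFIG = '''\
set policy id 10 from "Untrust" to "Trust"  "Any" "MIP(123.123.123.121)" "HTTP" permit log
set policy id 10
set dst-address "MIP(123.123.123.123)"
set dst-address "MIP(123.123.123.125)"
exit
set policy id 11 name "mail in" from "Untrust" to "DMZ"  "Any" "MIP(123.123.123.122)" "MAIL" permit
set policy id 11
exit
set policy id 12 from "Trust" to "Untrust"  "123.123.123.123/32" "Any" "ANY" deny
set policy id 12
set src-address "10.1.1.0/24"
exit
'''

HEAD = re.compile(r'^set policy id (\d+)(.*)$')
EXTRA = re.compile(r'^set (src|dst)-address (.+)$')

def parse_policies(config_text):
    """Map policy ID -> {'src': [...], 'dst': [...]} using full, untruncated names."""
    policies, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        head, extra = HEAD.match(line), EXTRA.match(line)
        if head:
            current = int(head.group(1))
            entry = policies.setdefault(current, {"src": [], "dst": []})
            words = shlex.split(head.group(2))      # empty for the context line
            if words[:1] == ["name"]:               # optional: name "<policy name>"
                words = words[2:]
            if len(words) >= 6 and words[0] == "from" and words[2] == "to":
                entry["src"].append(words[4])
                entry["dst"].append(words[5])
        elif extra and current is not None:
            # Extra addresses carry no policy ID on their own line; attach them here.
            policies[current][extra.group(1)].append(shlex.split(extra.group(2))[0])
        elif line == "exit":
            current = None
    return policies

def find_policies(config_text, ip):
    """Return sorted (policy_id, 'src'|'dst', object_name) tuples that reference ip."""
    # Whole-address match: 123.123.123.12 must not hit 123.123.123.123.
    exact = re.compile(r'(?<![\d.])' + re.escape(ip) + r'(?!\.?\d)')
    return sorted((pid, side, name)
                  for pid, entry in parse_policies(config_text).items()
                  for side in ("src", "dst")
                  for name in entry[side] if exact.search(name))
```

Each returned ID can then be inspected with "get policy id <id>", which prints the policy without truncation.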

 

 

 

 
