05-05-2010 12:33 PM
I am running intto some fatal issues with using the ScreenOS CLI for much of anything.
Issue 1: Object names longer than 11 characters are truncated and a tilde is appended. If I have three mips which all have the same first 6 digits, they appear to all be the same thing when displayed on the cli. For example, 'get policy' may show the following three different dest addresses:
There is no way to tell them apart. Is there any way to get it to display more characters? The current display makes it impossible to manage policies via the cli.
Issue 2: Lets say I need to change/remove a policy which I know contains the IP address 18.104.22.168. I do not know the policy ID, and I know there are not many policies which refference this number. I can do 'get policy' and get a list of 1000+ policies and then scan through them for 20 minutes and hope I find it, but there must be a better way. Unfortunately using '| inc 22.214.171.124' will not return anything useful because the policy this object is refferenced in has multiple destination addresses, so it takes up multiple lines. Searching with 'inc' will find the IP address, but does not show me anything else, such as policy ID or what the policy even does. Is there a good way to find a policy containing a specific IP when you have a lot of policys?
Thank you for your help.
05-06-2010 09:51 AM
Policies I normally configure from the WebUI due to some of the same limitations you mentioned.
What you can do is do a "get config" and do an include for what you're looking for. That should show you all the details. So if you're looking for any config statement with "126.96.36.199", do a "get config | inc 188.8.131.52". You may still find some weird things with it but something you can try to see if it helps you in what you're looking for.
Another option is do run a report on your policy, which generates a web page with everything. You can do a quick find on what you're looking for to find the policy ID.
Just some ideas.
05-06-2010 11:50 PM
The command "get policy" dispalys all policies in a table form. Sure, the columns are of a fixed width. "get policy id <id>" displays a single policy in a text form, with no truncationc. There are several additional keywords that help to narrow your search:
xxxxxxxxxxxxxx-> get policy ?
> redirect output
| match output <--- You can add include <searched text> here, as Mike explained
disabled show disabled policies
id show one policy
all show all policies(including global policy)
dst-ip dst-ip address
from from zone
global show global policies
src-ip src-ip address
to to zone
But I see no reason not to use the WebUI. The WebUI has no limitations that might prevent you from policy editing.
12-31-2010 11:44 PM
You probably don't have to do editing in batches, or have to deal with hundreds of policies. CLI is the best way, especially when wrapping with perl, etc..
Does Juniper plan on fixing this bug? It would be nice if there was an option to turn off truncation.