SRX Services Gateway

Junos Hidden Commands

[ Edited ]
07-17-2012 08:45 AM

Hi,

This was talked about before and was supposed to be a sticky at the top of the forum for everyone to participate in.  Thought I'd start it off. 

 

Something I like for VPN debugging, which enables logging to the KMD log by default without the need to commit!

 

user@srx>request security ike debug-enable local <ip-address> remote <ip-address> level <level>

and to turn off:

 

user@srx>request security ike debug-disable

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
Re: Junos Hidden Commands

07-17-2012 10:25 AM

I floated the topic

Re: Junos Hidden Commands

07-18-2012 08:04 PM
thanks for sharing
Hafiz Muhammad Farooq
JNCIE-SEC, JNCIP-SEC, JNCIS-SEC, JNCIS-FWV
JNCIS-SP, JNCIS-SA, JNCIA-JUNOS
IBM Qradar Deployment Professional

[Please mark it as Accepted Solution if it works, Kudos if you like]

Re: Junos Hidden Commands

07-18-2012 12:03 AM
The request security ike debug-enable is all good for branch, but for high-end, it's a lot more tedious.
http://kb.juniper.net/InfoCenter/index?page=content&id=KB19943
Regards,
Adam

(if my post helped solve your problem, mark it as accepted solution)
Re: Junos Hidden Commands

[ Edited ]
07-18-2012 02:15 AM

Another useful one for taking a tcpdump of an interface to analyze with Wireshark or similar.

 

user@srx>monitor traffic interface ge-0/0/1.0 write-file test.pcap

Can be viewed on the SRX also:

 

user@srx>monitor traffic read-file test.pcap

MMcD [JNCIP-SEC, JNCIS-ENT, CCNA, MCP]
____________________________________________________

[Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too]
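The file that monitor traffic write-file produces is a standard libpcap capture, which is what lets Wireshark open it. What follows is an added example, not code from this thread or from Juniper: a minimal pure-Python reader for that format that walks the global header and each record, raises on a truncated file instead of silently under-reporting packets, and gives a one-line summary per IPv4 packet in the spirit of monitor traffic read-file. Both endiannesses and the microsecond and nanosecond magic numbers are handled. The two UDP datagrams it parses are constructed inside build_sample_pcap() (documentation addresses 192.0.2.1 and 198.51.100.1), not captured from a device. One caveat to keep in mind when you reach for this: on the SRX, monitor traffic sees traffic to and from the Routing Engine (management and routing-protocol sessions), not transit traffic handled in the flow path.

```python
import socket
import struct
from typing import List, Tuple

# pcap magic values as read from the first four bytes in little-endian order:
# (struct endianness prefix, divisor that turns the fractional timestamp into seconds)
_MAGICS = {
    0xA1B2C3D4: ("<", 1_000_000),       # little-endian file, microseconds
    0xA1B23C4D: ("<", 1_000_000_000),   # little-endian file, nanoseconds
    0xD4C3B2A1: (">", 1_000_000),       # big-endian file, microseconds
    0x4D3CB2A1: (">", 1_000_000_000),   # big-endian file, nanoseconds
}
LINKTYPE_ETHERNET = 1
_PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}


def parse_pcap(data: bytes) -> Tuple[int, List[Tuple[float, bytes]]]:
    """Parse a classic libpcap file into (linktype, [(timestamp_seconds, frame), ...]).

    A record that runs past the end of the buffer, or whose captured length exceeds
    the snaplen or the original length, raises ValueError: a capture cut off mid-write
    should be noticed, not reported as a shorter but 'clean' file.
    """
    if len(data) < 24:
        raise ValueError("truncated pcap global header")
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in _MAGICS:
        raise ValueError(f"not a pcap file: magic 0x{magic:08x}")
    endian, ts_div = _MAGICS[magic]
    # version major/minor, timezone offset, sigfigs, snaplen, linktype
    _major, _minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    packets: List[Tuple[float, bytes]] = []
    off = 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError(f"truncated record header at offset {off}")
        ts_sec, ts_frac, incl_len, orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        if incl_len > snaplen or incl_len > orig_len:
            raise ValueError(f"bad record length {incl_len} at offset {off - 16}")
        if off + incl_len > len(data):
            raise ValueError(f"truncated packet data at offset {off}")
        packets.append((ts_sec + ts_frac / ts_div, data[off:off + incl_len]))
        off += incl_len
    return linktype, packets


def summarize(linktype: int, packets: List[Tuple[float, bytes]]) -> List[str]:
    """One line per packet: timestamp, protocol, IPv4 endpoints and ports where present."""
    out = []
    for ts, frame in packets:
        if linktype != LINKTYPE_ETHERNET or len(frame) < 14:
            out.append(f"{ts:.6f} non-ethernet/short frame ({len(frame)} bytes)")
            continue
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype != 0x0800 or len(frame) < 34:
            out.append(f"{ts:.6f} ethertype 0x{ethertype:04x} ({len(frame)} bytes)")
            continue
        ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
        proto = frame[23]                     # IPv4 protocol field
        src = socket.inet_ntoa(frame[26:30])
        dst = socket.inet_ntoa(frame[30:34])
        name = _PROTO_NAMES.get(proto, str(proto))
        l4 = frame[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 4:
            sport, dport = struct.unpack("!HH", l4[:4])
            out.append(f"{ts:.6f} {name} {src}:{sport} > {dst}:{dport}")
        else:
            out.append(f"{ts:.6f} {name} {src} > {dst}")
    return out


def build_sample_pcap() -> bytes:
    """Constructed capture (not from a device): two UDP/500 datagrams on Ethernet."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"

    def udp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
        udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton(dst)) + udp
        return eth + ip

    frames = [
        udp_frame("192.0.2.1", "198.51.100.1", 500, 500, b"\x00" * 28),
        udp_frame("198.51.100.1", "192.0.2.1", 500, 500, b"\x00" * 28),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1342515900 + i, 250000 * i, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    lt, pk = parse_pcap(build_sample_pcap())
    for line in summarize(lt, pk):
        print(line)
```

To use it on a real file copied off the box, read test.pcap into bytes and pass it to parse_pcap(); the reader deliberately has no dependency on scapy or dpkt so it can run on a jump host with only a stock Python.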
Re: Junos Hidden Commands

07-18-2012 03:46 AM

Hi

 

Some more hidden commands:

 

To see default config settings

 

lab@srx240# show groups junos-defaults

To see some system limits (not really hidden, but anyway):

 

show log nsd_chk_only

 

To see currently working Junos applications definitions

 

request pfe execute command "show usp app-def tcp" target fwdd
request pfe execute command "show usp app-def udp" target fwdd

And last but not the least,

 

lab@srx240# commit full

to make all daemons re-read the configuration.

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
Twitter: @JuniperTrain
GitHub: https://github.com/pklimai
[Juniper Authorized Education & Support in Russia]
Re: Junos Hidden Commands

07-18-2012 04:20 AM

Nice.  Another hidden command I find incredibly useful when troubleshooting is:

 

bdale@gw210> show chassis cluster information ? 
Possible completions:
  <[Enter]>            Execute this command
  coldsync             Display coldsync information
  command-history      Display command history
  control-link         Display control link information
  detail               Display all chassis cluster information
  fabric-link          Display fabric link information
  hardware-monitor     Display hardware monitoring information
  interface-monitor    Display interface monitoring information
  issu                 Display ISSU information
  loopback             Display loopback monitoring information
  redundancy-group     Display chassis cluster status per redundancy-group
  spu                  Display SPU information
  |                    Pipe through a command

Not sure why it's hidden, but "detail" probably does the work of three or four commands in one go!

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Re: Junos Hidden Commands

07-21-2012 12:10 PM

Would like to add few more ...

 

   1. Web-management traceoptions -

 

lab@host1-a# set system services web-management ?                     
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> control              Control of the web management process
> http                 Unencrypted HTTP connection settings
> https                Encrypted HTTPS connections
  management-url       URL path for web management access
> session              Session parameters

[edit]
lab@host1-a# set system services web-management traceoptions ?
Possible completions:
+ apply-groups         Groups from which to inherit configuration data
+ apply-groups-except  Don't inherit configuration data from these groups
> file                 Trace file information
> flag                 Area of HTTPD process to enable debugging output
  level                Level of debugging output
  no-remote-trace      Disable remote tracing
[edit]

2. Disabling UTM process

 

[edit]
lab@host1-a# set system processes ut
                                    ^
syntax error.
[edit]
lab@host1-a# set system processes utmd disable 

[edit]
lab@host1-a# show | compare 
[edit system]
+   processes {
+       utmd disable;
+   }

[edit]
lab@host1-a# commit check 
configuration check succeeds

3. ALG Configuration

 

lab@host1-a# run show security alg configuration 
ALG Activation List:
  DNS      : Activated
  FTP      : Activated
  H323     : Activated
  MGCP     : Activated
  REAL     : Activated
  RSH      : Activated
  RTSP     : Activated
  SCCP     : Activated
  SIP      : Activated
  SQL      : Activated
  TALK     : Activated
  TFTP     : Activated
  PPTP     : Activated

DNS Configuration:
  Maximum Message Length               : 0

FTP Configuration:
  FTP FTPS extension               : No
  Line Break extension:        : No
  Allow Mismatch IP Address:        : No
                                        
H323 Configuration:
  Endpoint Registration Timeout        : 3600
  Media Source Port Any                : Off
  Application Screen
    Unknown Message NAT packets        : Deny
    Unknown Message Routed packets     : Deny
    Message Flood Gatekeeper Threshold : 1000
    DSCP Codepoint                     : 64

MGCP Configuration:
  Inactive Media Timeout               : 120
  TransactionTimeout                   : 30
  Max Call Duration                    : 720
  Application Screen
    Unknown Message NAT packets        : Deny
    Unknown Message Routed packets     : Deny
    Message Flood Threshold            : 1000
    Connection Flood Threshold         : 200
    DSCP Codepoint                     : 64

SCCP Configuration:
  Inactive Media Timeout               : 120
  Application Screen                    
    Unknown Message NAT packets        : Deny
    Unknown Message Routed packets     : Deny
    Call Flood Threshold               : 20
    DSCP Codepoint                     : 64

SIP Configuration:
  Inactive Media Timeout               : 120
  Max Call Duration                    : 720
  T1 Interval                          : 500
  T4 Interval                          : 5
  C Timeout                            : 3
  DSCP Codepoint                       : 64
  Application Screen
    Unknown Message NAT packets        : Deny
    Unknown Message Routed packets     : Deny
    Protect Deny Timeout               : 5
    Protect Deny Destination IP List

[edit]

and for fun ...

 

[edit]
lab@host1-a# run show version and haiku    
Hostname: host1-a
Model: srx240h-poe
JUNOS Software Release [11.4R1.6]


        Look, mama, no hands!
        Only one finger typing.
        Easy: commit scripts.

Regards,
Pradeep 2xJNCIE(SEC/ENT)
Re: Junos Hidden Commands

08-13-2012 11:55 AM

Can someone paste contents of KB19943

Re: Junos Hidden Commands

08-16-2012 01:18 AM

Maybe not so useful, but there are some hidden aliases for commands, e.g. you can use

 

lab@srx> show security ike sa
lab@srx> show security ipsec sa

(sa instead of security-associations).

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
Twitter: @JuniperTrain
GitHub: https://github.com/pklimai
[Juniper Authorized Education & Support in Russia]
Re: Junos Hidden Commands

08-16-2012 03:13 AM

To summarise KB19943: How can I enable IKE traceoptions for only specific security associations?

 

request security ike debug-enable local <local-ip> remote <remote-ip> level <number>

Where level 7 should be high enough for most useful logs

Ben Dale
JNCIP-ENT, JNCIP-SP, JNCIP-DC, JNCIE-SEC #63
Juniper Ambassador
Follow me @labelswitcher
Re: Junos Hidden Commands

10-14-2012 08:26 PM

This is awesome guys. Thanks a ton. loving learning it 

Re: Junos Hidden Commands

10-14-2012 11:24 PM
show system and haiku :)
Thanks!

Michael
JNCIA-JUNOS, JNCIS-ENT/SEC, JNCIP-ENT
(CCNA, ACMP, ACFE, CISE)
"http://www.thechampioncommunity.com/"
CONNECT EVERYTHING. EMPOWER EVERYONE.
Share & Learn. Knowledge is Power.

"If there's a will, there's a way!"
Re: Junos Hidden Commands

01-13-2013 12:09 AM

Would be more useful in HA,

 

To enable or disable the vlan tagging/untagging in control link.

 

root@SRX# run set chassis cluster control-link-vlan ?
Possible completions:
  disable              Disable control VLAN tag
  enable               Enable control VLAN tag
  reboot               Reboot the system after setting the identifiers
[edit]
root@SRX# run set chassis cluster control-link-vlan

Re: Junos Hidden Commands

02-06-2013 10:34 PM

Nice. also to add to it,

if your commit is taking a long time and you want to see where it is taking time, you can try:

 

# commit |display detail

 

(again, this is not a hidden command but still useful)

All views and opinions shared are my own, unless they happen to be quotes, or links, naturally, of course.
Re: Junos Hidden Commands

[ Edited ]
02-17-2013 11:13 PM

Another good one is:

 

root@SRX210H> start shell pfe network fwdd                              


BSD platform (OCTEON processor, 416MB memory, 8192KB flash)

FLOWD_OCTEON(SRX210H vty)# ?
    clear                 clear commands
    connect               connect to a remote TNP endpoint
    debug                 Debug commands
    diagnostic            diagnostic commands
    eth                   eth commands
    jsflib                jsf lib information
    pconnect              connect to a remote PIP endpoint
    peekbyte              display memory in bytes
    peeklong              display memory in 32bit longs
    peekword              display memory in 16bit words
    plugin                plugin information
    pty                   open a pty to a PIC
    quit                  quit TTY environment
    reboot                reboot hardware
    set                   set system parameters
    show                  show system information
    sleep                 pause for a few seconds
    test                  test commands
    undebug               Undebug commands
    vty                   open a vty to a remote TNP endpoint

FLOWD_OCTEON(SRX210H vty)#    
FLOWD_OCTEON(SRX210H vty)# show threads    
PID PR State     Name                   Stack Use  Time (Last/Max/Total) cpu
--- -- -------   ---------------------  ---------  ---------------------
  1 H  asleep    Maintenance           1320/73824  0/8/792 ms  0%
  2 L  running   Idle                  1600/73824  0/15/2839688 ms  0%
  3 H  asleep    Timer Services        1256/73824  0/8/33463 ms  0%
  5 L  asleep    Ukern Syslog           856/73824  0/0/0 ms  0%
  6 L  asleep    Sheaf Background      1120/73824  0/8/1360 ms  0%
  7 M  asleep    mac_db                 856/73824  0/0/0 ms  0%
  8 M  asleep    Docsis                1072/73824  0/8/17890 ms  0%
  9 M  asleep    ATMX                  1312/73824  0/8/46704 ms  0%
 10 M  asleep    XDSL                  1392/73824  0/15/2119765 ms  0%
 11 M  asleep    DSX50ms               1648/73824  0/8/209140 ms  0%
 12 M  asleep    DSXonesec             1264/73824  0/8/20366 ms  0%
 13 M  asleep    SFP                   1216/73824  0/8/32989 ms  0%
 14 M  asleep    Ethernet              2264/73824  0/16/6458174 ms  1%
 15 M  asleep    RSMON syslog thread    896/73824  0/8/227 ms  0%
 16 L  asleep    Syslog                1264/73824  0/8/192 ms  0%
[...]

FLOWD_OCTEON(SRX210H vty)# show threads 1971
PID PR State     Name                   Stack Use  Time (Last/Max/Total) cpu
--- -- -------   ---------------------  ---------  ---------------------
1971 L  asleep    Cattle-Prod Daemon    3288/73824  0/0/0 ms  0%

Wakeups:
      Type  ID  Enabled  Pending   Context
 Semaphore  00       No       No  0x489ab1e8
     Timer  00       No       No  0x489ab998
    Socket  00      Yes       No  0x4a33aa80

Frame 00: sp = 0x4a336ba8, pc = 0x08014cb0
Frame 01: sp = 0x4a336c20, pc = 0x0801b9b4
Frame 02: sp = 0x4a336c58, pc = 0x08047db4
Frame 03: sp = 0x4a336c88, pc = 0x08046cc0
Frame 04: sp = 0x4a336ca8, pc = 0x08722374
Frame 05: sp = 0x4a337130, pc = 0x0802b8ec
Frame 06: sp = 0x4a337158, pc = 0x00002000

FLOWD_OCTEON(SRX210H vty)# 
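The show threads table from the flowd vty above is the thing you end up staring at when a PFE thread is eating CPU or running out of stack, and it is fixed-width text with multi-word thread names, so it does not split on whitespace cleanly. As an added example (not from this thread and not Juniper code), here is a Python parser for that table and a threshold check over it; the sample rows are copied from the output above, with one obviously constructed "Constructed-Hog" row added so the check has something to flag. The 80% stack and 50% CPU thresholds are arbitrary assumptions. Worth remembering from the command list shown above: that shell also offers raw memory reads (peekbyte, peekword, peeklong) and reboot, so access to it is root-equivalent on the data plane and should be limited to whoever already has root on the box.

```python
import re
from typing import List, NamedTuple

# One row of the PFE `show threads` table. Thread names may contain spaces
# ("Timer Services", "Cattle-Prod Daemon"), so the name is matched lazily and the
# row is anchored on the stack and time columns that follow it.
THREAD_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<pri>[HML])\s+(?P<state>\S+)\s+(?P<name>.+?)\s+"
    r"(?P<stack_used>\d+)/(?P<stack_size>\d+)\s+"
    r"(?P<last>\d+)/(?P<max>\d+)/(?P<total>\d+) ms\s+(?P<cpu>\d+)%\s*$"
)

# Rows copied from the thread output above, plus one constructed row (pid 9999)
# that is not from any device and exists only to exercise the threshold check.
SAMPLE = """\
PID PR State     Name                   Stack Use  Time (Last/Max/Total) cpu
--- -- -------   ---------------------  ---------  ---------------------
  1 H  asleep    Maintenance           1320/73824  0/8/792 ms  0%
  2 L  running   Idle                  1600/73824  0/15/2839688 ms  0%
  3 H  asleep    Timer Services        1256/73824  0/8/33463 ms  0%
 14 M  asleep    Ethernet              2264/73824  0/16/6458174 ms  1%
 15 M  asleep    RSMON syslog thread    896/73824  0/8/227 ms  0%
 16 L  asleep    Syslog                1264/73824  0/8/192 ms  0%
9999 M  running   Constructed-Hog      70000/73824  120/500/99999 ms  97%
[...]
"""


class Thread(NamedTuple):
    pid: int
    pri: str
    state: str
    name: str
    stack_used: int
    stack_size: int
    last_ms: int
    max_ms: int
    total_ms: int
    cpu_pct: int


def parse_show_threads(text: str) -> List[Thread]:
    """Parse `show threads` output; header, separator and '[...]' lines are skipped."""
    rows: List[Thread] = []
    for line in text.splitlines():
        m = THREAD_RE.match(line)
        if not m:
            continue
        rows.append(Thread(
            int(m["pid"]), m["pri"], m["state"], m["name"],
            int(m["stack_used"]), int(m["stack_size"]),
            int(m["last"]), int(m["max"]), int(m["total"]), int(m["cpu"]),
        ))
    return rows


def flag_threads(rows: List[Thread], stack_pct: int = 80, cpu_pct: int = 50) -> List[str]:
    """Names of threads whose stack use (percent of its stack) or CPU share reaches a threshold."""
    return [
        t.name for t in rows
        if t.stack_used * 100 // t.stack_size >= stack_pct or t.cpu_pct >= cpu_pct
    ]


if __name__ == "__main__":
    threads = parse_show_threads(SAMPLE)
    print(f"parsed {len(threads)} threads")
    print("flagged:", flag_threads(threads))
```

Paste the real table into a file and pass its contents to parse_show_threads(); taking two snapshots a minute apart and diffing total_ms per thread is usually more telling than the instantaneous cpu column.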

 

 

Re: Junos Hidden Commands

02-20-2013 09:48 PM

Ideally, you should never see terms like 'ifd' and 'ifl' in the logs but if you do see them in logs which look something like:

COSD_GENCFG_WRITE_FAILED: GENCFG write failed for Classifier to IFL 10. Reason: File exists

(ifd refers to physical interface and ifl refers to logical interfaces. One ifd can have multiple ifls under it. )

and you want to know which interface it is referring to, you can use the following hidden commands:

 

cli> show interfaces ifl-index 10

 

#In case it says ifd, you can use:

cli> show interfaces ifd-index 10

All views and opinions shared are my own, unless they happen to be quotes, or links, naturally, of course.
Re: Junos Hidden Commands

02-23-2013 12:13 PM

A command to log in to other node of SRX cluster

 

{primary:node0}
lab@E1> request routing-engine login ?
Possible completions:
  <[Enter]>            Execute this command
  |                    Pipe through a command
{primary:node0}
lab@E1> request routing-engine login node 1 

--- JUNOS 12.1R3.5 built 2012-08-09 07:05:23 UTC
{secondary:node1}
lab@E2>

Best Regards,
PK

Juniper Ambassador, Juniper Networks Certified Instructor,
JNCIE-SEC #98, JNCIE-ENT #393, JNCIE-SP #2253
Twitter: @JuniperTrain
GitHub: https://github.com/pklimai
[Juniper Authorized Education & Support in Russia]
commit full

02-27-2013 02:55 AM

commit full 

Re: Junos Hidden Commands

03-14-2013 11:25 AM

good share