Hidden ScreenOS Commands
Introduction
In an effort to improve the firewall administrator’s ability to troubleshoot issues on the ScreenOS CLI, following is a list of undocumented commands in a concise format. One thing to keep in mind is that these commands are undocumented for a reason! Be sure to understand exactly what you are doing before making use of them and preferably test in a lab before using them in a production environment. For instance, pay particular care when using the ‘snoop’ command as the user can be locked out of a device due to increased system utilization. Also keep in mind that some of these commands are only available on certain ScreenOS versions while they may be documented in others.
These 'undocumented' commands are usually (but not always) hidden for one of four reasons:
1. It is brand new and is still being tested for effectiveness and functionality.
2. The command is custom made to solve a particular customer problem that may have been brought into mainline code without notifying Tech Pubs.
3. It is a legacy command that remains for backward compatibility. Its use may be deprecated in favor of a newer command or syntax.
4. It is an engineering command that is designed for experts or internal use only.
Commands
Instead of listing commands categorically, they have been placed alphabetically to better assist the reader in possibly finding an appropriate entry and to maintain consistency with current Netscreen CLI documentation. Additionally, most CLI variables and dependency delimiters are also maintained for consistency with Netscreen documentation.
asic
get asic acl
Display asic limits comparing current use to maximum configurable ACLs. cm
get cm <1-4>
View some of the syntax associated with one of the four major command menus. The argument expected is an index of each of the top level keywords including: set, get, clear, exec. The output of this command is verbose but lists what ScreenOS expects in terms of command line arguments.
config
get config checksum
Display only the global configuration checksum. It can be useful when quickly comparing configurations to see if alterations have been made.
Copyright ! 2006, Juniper Networks, Inc Version 1.0 – July 7, 2006
Page 1 of 9
Juniper Networks Technology Brief
console
set console dbuf
This command is documented but should be used in conjunction with commands that are not verbose in output so as to not hog the console. This redirects all debug output to a buffer instead of the console.
set console change-notification-character Nice little command to enable a change notification character on the CLI. If the configuration changes, the specified character will appear on the CLI prompt until it is saved. The “+” character might be handy for this purpose. counter get counter info Display detailed counter information including number of counters configured, associated policy id, and time elapsed on system counters (second, minute, hour, day, month). get counter ha Returns information on the HA interface’s hardware counters. This includes in packets, out packets, CRCs, no aligns, no buffers, collisions, underruns. dbuf get dbuf info show debug buffer info mem show debug buffer memory content stream show debug buffer stream This allows you to view console messages that have been redirected to a debug buffer above. set dbuf size Increase the size of the dbuf buffer from the default of 32k. debug debug Debug is extremely handy for troubleshooting most firewall issues. It should be used in conjunction with 'set console dbuf' and 'get dbuf' commands if possible. Following are a few of the debug options that can be particularly helpful. debug flow basic This will show what the flow engine is doing with each packet traversing the Netscreen (e.g., packet dropped denied by policy, packet allowed by policy id X, packet being routed out interface e3, etc.). debug ike detail This is good for using when trying to debug ISAKMP (IKE) tunnel setups (e.g., detect mis-matched proposals, mis-matched phase 2 proxy ids [tunnel selectors], can't find gateway, etc.). Copyright ! 2006, Juniper Networks, Inc Version 1.0 – July 7, 2006 Page 2 of 9 Juniper Networks Technology Brief debug pki detail This is good for debugging the use of X.509 certificates within IKE. get debug List the current debug flags that are enabled. dns set dns udp-session-normal Enable the normal handling of DNS UDP packets. Helpful when multiple queries are issued with the same source port so that return queries will be allowed through instead of just the first one (IE BIND). ffilter get ffilter set ffilter Display the filters used for the display of debug flow output including parameters for source IP, dest IP, source port, dest port, and IP protocol. In some code versions ‘set ffilter’ will show up as an option but ‘get ffilter’ will not. flow set flow log dst-port dst port proto ip proto src-ip src ip src-port src port Restrict the flow logging information to a specific subset of traffic set flow session Configure the TCP session cleanup time in intervals of 10 seconds. The system default has been recently decreased to 2 seconds instead of 10 so do not use this unless you have to since the smallest time you can set is 10 seconds. get flow tcp-mss show TCP maximum segment size for VPN tunnel View flow settings including timeouts, cleanup time, action flags, syn flag checking, and more. set flow vpn-untrust-mip Enable MIP translation for IP addresses that traverse a VPN. Use ‘unset’ to disable this. Copyright ! 2006, Juniper Networks, Inc Version 1.0 – July 7, 2006 Page 3 of 9 Juniper Networks Technology Brief group set group begin Experimental command for large policy modifications . Enables scanning of the session table for the entire set of policy changes rather than individually for each change. This command is subject to further testing. set group finish To be issued in conjunction with set group begin. h323 set h323 gate source-port-any Change the system default to remove restrictions on the h323 gate source port. get h323 Display current parameters of h323 source port restrictions. interface set interface Disable subnet conflict checking. This allows you to configure multiple interfaces in the same IP broadcast domain. mac-learn-sticky set mac-learn-sticky Enable sticky mac learning when the firewall is in transparent mode. This will disable the automatic aging of learned MAC entries. System default is to age out old entries. net-pak get net-pak distribute net data pak distribution link net data pak in link stats net data pak statistics Return information on memory pool allocations, hits, and misses based on buffer sizes from tiny to giants. nsm debug nsm noidplog debug nsm nonslog To suspend IDP logging to NSM. These commands do not re-enable logging upon completion of any specific task. undeb nsm noidplog Copyright ! 2006, Juniper Networks, Inc Version 1.0 – July 7, 2006 Page 4 of 9 Juniper Networks Technology Brief undeb nsm nonslog Restores default behavior and re-enables logging. nsmgmt set nsmgmt report drop enable Temporarily suspends logging during an update from NSM and re-enables logging upon successful completion of the update. The command is persistent and is stored as part of the configuration. unset nsmgmt report drop enable Restores the default behavior of sending all log messages to the NSM server. nvram get nvram Display nvram magic number, checksum, flags, and software version. policy get policy asic Tells you how many rules you have created and what the maximum number allowable is regardless of policy direction. get policy incoming asic get policy outgoing asic get policy fromdmz asic get policy todmz asic Commands included here for backwards compatibility with the 3.0 code train. ASICs limitations are specific to a policy direction rather than being a global number. The items above will return how many rules have been created and how many are available in each direction. get policy disable This will display only the policies that have been disabled. rms get rms View RMS internal information, including context limits. session get session info Display only the summary header of the ‘get session’ command. It is helpful for scripting where output only lists current, maximum, and failed sessions. snoop snoop Copyright ! 2006, Juniper Networks, Inc Version 1.0 – July 7, 2006 Page 5 of 9 Juniper Networks Technology Brief direction snoop direction ethernet snoop specified ethernet info show snoop information interface snoop which interface ip snoop ip packet off turn off snoop Snoop allows you to sniff traffic on any firewall interface. Take caution when using this, and use in conjunction with the 'set console dbuf' and 'get dbuf' commands if possible. sys-cfg get sys-cf Display most system internal limits. This is quite helpful to determine the maximum number of entries allowed in any given system parameter. Executing this on different platforms will return the system limits appropriate to that hardware and software platform. system get system scale View basic system limits including maximum entry size and maximum count on: ASICs, Addresses, Sessions, Routes, Users, IPSEC VPNs, Mapped IPs, and policies. tcp get tcp Display information regarding system sockets. This is a tad more detailed than ‘get socket’ but probably not as concise or helpful. Extremely detailed information can be obtained from each individual socket by specifying a socket id number with either command. This is not listed in deprecated status because the output of ‘get socket’ is slightly different and includes udp information as well. undebug undebug This command will disable debug output for the specific argument. undebug all Quickly turn off all debugging; don’t leave debugging on indefinitely because it slows the box way down. vpnmonitor set vpnmonitor frequency