搜索
JuniperNetworksTechnologyBriefCopyright!2006,JuniperNetworks,IncPage1of9Version1.0–July7,2006HiddenScreenOSCommandsIntroductionInanefforttoimprovethefirewalladministrator’sabilitytotroubleshootissuesontheScreenOSCLI,followingisalistofundocumentedcommandsinaconciseformat.Onethingtokeepinmindisthatthesecommandsareundocumentedforareason!Besuretounderstandexactlywhatyouaredoingbeforemakinguseofthemandpreferablytestinalabbeforeusingtheminaproductionenvironment.Forinstance,payparticularcarewhenusingthe‘snoop’commandastheusercanbelockedoutofadeviceduetoincreasedsystemutilization.AlsokeepinmindthatsomeofthesecommandsareonlyavailableoncertainScreenOSversionswhiletheymaybedocumentedinothers.These'undocumented'commandsareusually(butnotalways)hiddenforoneoffourreasons:1.Itisbrandnewandisstillbeingtestedforeffectivenessandfunctionality.2.ThecommandiscustommadetosolveaparticularcustomerproblemthatmayhavebeenbroughtintomainlinecodewithoutnotifyingTechPubs.3.Itisalegacycommandthatremainsforbackwardcompatibility.Itsusemaybedeprecatedinfavorofanewercommandorsyntax.4.Itisanengineeringcommandthatisdesignedforexpertsorinternaluseonly.CommandsInsteadoflistingcommandscategorically,theyhavebeenplacedalphabeticallytobetterassistthereaderinpossiblyfindinganappropriateentryandtomaintainconsistencywithcurrentNetscreenCLIdocumentation.Additionally,mostCLIvariablesanddependencydelimitersarealsomaintainedforconsistencywithNetscreendocumentation.asicgetasicaclDisplayasiclimitscomparingcurrentusetomaximumconfigurableACLs.cmgetcm1-4Viewsomeofthesyntaxassociatedwithoneofthefourmajorcommandmenus.Theargumentexpectedisanindexofeachofthetoplevelkeywordsincluding:set,get,clear,exec.TheoutputofthiscommandisverbosebutlistswhatScreenOSexpectsintermsofcommandlinearguments.configgetconfigchecksumDisplayonlytheglobalconfigurationchecksum.Itcanbeusefulwhenquicklycomparingconfigurationstoseeifalterationshavebeenmade.JuniperNetworksTechnologyBriefCopyright!2006,JuniperNetworks,IncPage2of9Version1.0–July7,2006consolesetconsoledbufThiscommandisdocumentedbutshouldbeusedinconjunctionwithcommandsthatarenotverboseinoutputsoastonothogtheconsole.Thisredirectsalldebugoutputtoabufferinsteadoftheconsole.setconsolechange-notification-charactercharacterNicelittlecommandtoenableachangenotificationcharacterontheCLI.Iftheconfigurationchanges,thespecifiedcharacterwillappearontheCLIpromptuntilitissaved.The“+”charactermightbehandyforthispurpose.countergetcounterinfoDisplaydetailedcounterinformationincludingnumberofcountersconfigured,associatedpolicyid,andtimeelapsedonsystemcounters(second,minute,hour,day,month).getcounterhaReturnsinformationontheHAinterface’shardwarecounters.Thisincludesinpackets,outpackets,CRCs,noaligns,nobuffers,collisions,underruns.dbufgetdbufargumentsinfoshowdebugbufferinfomemshowdebugbuffermemorycontentstreamshowdebugbufferstreamThisallowsyoutoviewconsolemessagesthathavebeenredirectedtoadebugbufferabove.setdbufsizesizeIncreasethesizeofthedbufbufferfromthedefaultof32k.debugdebugargumentsDebugisextremelyhandyfortroubleshootingmostfirewallissues.Itshouldbeusedinconjunctionwith'setconsoledbuf'and'getdbuf'commandsifpossible.Followingareafewofthedebugoptionsthatcanbeparticularlyhelpful.debugflowbasicThiswillshowwhattheflowengineisdoingwitheachpackettraversingtheNetscreen(e.g.,packetdroppeddeniedbypolicy,packetallowedbypolicyidX,packetbeingroutedoutinterfacee3,etc.).debugikedetailThisisgoodforusingwhentryingtodebugISAKMP(IKE)tunnelsetups(e.g.,detectmis-matchedproposals,mis-matchedphase2proxyids[tunnelselectors],can'tfindgateway,etc.).JuniperNetworksTechnologyBriefCopyright!2006,JuniperNetworks,IncPage3of9Version1.0–July7,2006debugpkidetailThisisgoodfordebuggingtheuseofX.509certificateswithinIKE.getdebugListthecurrentdebugflagsthatareenabled.dnssetdnsudp-session-normalEnablethenormalhandlingofDNSUDPpackets.Helpfulwhenmultiplequeriesareissuedwiththesamesourceportsothatreturnquerieswillbeallowedthroughinsteadofjustthefirstone(IEBIND).ffiltergetffiltersetffilterDisplaythefiltersusedforthedisplayofdebugflowoutputincludingparametersforsourceIP,destIP,sourceport,destport,andIPprotocol.Insomecodeversions‘setffilter’willshowupasanoptionbut‘getffilter’willnot.flowsetflowlogargumentsdst-ipdstipdst-portdstportprotoipprotosrc-ipsrcipsrc-portsrcportRestricttheflowlogginginformationtoaspecificsubsetoftrafficsetflowsessionConfiguretheTCPsessioncleanuptimeinintervalsof10seconds.Thesystemdefaulthasbeenrecentlydecreasedto2secondsinsteadof10sodonotusethisunlessyouhavetosincethesmallesttimeyoucansetis10seconds.getflowargumentsreturnshowcurrentflowconfigurationsettingsperfshowflowperfstatstcp-mssshowTCPmaximumsegmentsizeforVPNtunnelViewflowsettingsincludingtimeouts,cleanuptime,actionflags,synflagchecking,andmore.setflowvpn-untrust-mipEnableMIPtranslationforIPaddressesthattraverseaVPN.Use‘unset’todisablethis.JuniperNetworksTechnologyBriefCopyright!2006,JuniperNetworks,IncPage4of9Version1.0–July7,2006groupsetgroupbeginExperimentalcommandforlargepolicymodifications.En