IT Workbooks Everything Center Share Knowledge

www.itworkbooks.wordpress.com

Category Archives: Juniper Professional Security (JNCIP-SEC)

Cisco ASA to Juniper ScreenOS to Juniper JunOS Command.

Here is a basic reference sheet for looking up equivalent commands between a Cisco ASA and a Juniper ScreenOS (or Netscreen) SSG and a Juniper JunOS SRX firewall.

Cisco ASA:       show log
ScreenOS (SSG):  get event
JunOS (SRX):     show log messages
                 show log messages | last 20 (see the 20 most recent logs)

Cisco ASA:       show ip
ScreenOS (SSG):  get interface
JunOS (SRX):     show interface terse

Cisco ASA:       show failover
ScreenOS (SSG):  get nsrp
JunOS (SRX):     show log jsrp
                 show chassis cluster [status|statistics|interfaces]

Cisco ASA:       no failover active
ScreenOS (SSG):  exec nsrp vsd [vsd] mode backup
JunOS (SRX):     request chassis cluster failover redundancy-group [group] node

Cisco ASA:       show route
ScreenOS (SSG):  get route
JunOS (SRX):     show route

Cisco ASA:       show connections
ScreenOS (SSG):  get session
JunOS (SRX):     show security flow session

Cisco ASA:       show clock
ScreenOS (SSG):  get clock
JunOS (SRX):     show system uptime

Cisco ASA:       show version (to get uptime)
ScreenOS (SSG):  get system
JunOS (SRX):     show system uptime

Cisco ASA:       show running-config
ScreenOS (SSG):  get config
JunOS (SRX):     show config

Cisco ASA:       show version (to get serial number)
ScreenOS (SSG):  get chassis
JunOS (SRX):     show chassis hardware detail

Cisco ASA:       show access-list
ScreenOS (SSG):  get policy
JunOS (SRX):     show security policies

Cisco ASA:       show crypto isakmp sa
ScreenOS (SSG):  get ike cookie
JunOS (SRX):     show security ike security-associations

Cisco ASA:       show crypto ipsec sa
ScreenOS (SSG):  get sa
JunOS (SRX):     show security ipsec security-associations

Cisco ASA:       clear crypto isakmp sa
ScreenOS (SSG):  clear ike cookie
JunOS (SRX):     clear security ike security-associations

Cisco ASA:       clear crypto ipsec sa
ScreenOS (SSG):  clear sa
JunOS (SRX):     clear security ipsec security-associations

Cisco ASA:       show cpu
ScreenOS (SSG):  get perf cpu
JunOS (SRX):     show chassis routing-engine

Cisco ASA:       show proc cpu-usage
ScreenOS (SSG):  (none listed)
JunOS (SRX):     show system processes extensive

Cisco ASA:       show int (for i/o of bytes)
ScreenOS (SSG):  get counter statistics
JunOS (SRX):     sh int

Cisco ASA:       ssh x.x.x.0 y.y.y.0 inside
ScreenOS (SSG):  set admin manager-ip x.x.x.0 y.y.y.0
                 set ssh enable
JunOS (SRX):     set security zones security-zone TRUST host-inbound-traffic system-services ssh

Cisco ASA:       show run [cry isakmp|tunnel-group]?
ScreenOS (SSG):  get ike gateway
JunOS (SRX):     show config security ike
                 show config security ipsec

Cisco ASA:       interface Ethernet1
                 shutdown
ScreenOS (SSG):  set interface ethernet0/0 phy link-down
JunOS (SRX):     set interfaces ge-0/0/3 disable

Cisco ASA:       interface Ethernet1
                 no shutdown
ScreenOS (SSG):  unset interface ethernet0/0 phy link-down
JunOS (SRX):     delete interfaces ge-0/0/3 disable

Cisco ASA:       route outside 1.1.1.0 255.255.255.0 1.1.1.2
ScreenOS (SSG):  set route 1.1.1.0/24 interface bgroup3/0 gateway 1.1.1.2
JunOS (SRX):     set routing-options static route 10.10.10.128/25 next-hop 172.16.100.1

Cisco ASA:       logging host INSIDE 1.1.1.1
                 logging trap notification
ScreenOS (SSG):  set syslog config 1.1.1.1 facilities local5
                 set syslog src-interface ethernet1/0
                 set syslog enable
JunOS (SRX):     set system syslog source-address 10.14.4.4
                 set system syslog host 1.1.1.1 any notice

Cisco ASA:       ntp server 1.1.1.1 source OUTSIDE
ScreenOS (SSG):  set ntp server 1.1.1.1
                 set ntp server src-interface ethernet3/0
                 set clock ntp
                 exec ntp update
JunOS (SRX):     set system ntp server 1.1.1.1 prefer

Cisco ASA:       capture CAP1 match ip host 1.1.1.1 host 2.2.2.2
ScreenOS (SSG):  clear db
                 set console dbuf
                 set ffilter src-ip 1.1.1.1 dst-ip 2.2.2.2
                 debug flow basic
                 -- OR --
                 snoop filter ip src-ip 1.1.1.1 dst-ip 2.2.2.2 direction both
                 clear dbuf
                 snoop
JunOS (SRX):     edit security flow traceoptions
                 set file TSHOOT
                 set flag basic-datapath
                 set packet-filter IN-TO-OUT source-prefix 10.1.1.100/32 destination-prefix 10.2.0.3/32

Cisco ASA:       show capture CAP1
ScreenOS (SSG):  get dbuf stream
JunOS (SRX):     show log TSHOOT

Cisco ASA:       clear capture CAP1
ScreenOS (SSG):  undebug all
                 unset ffilter
                 -- OR --
                 snoop filter delete
JunOS (SRX):     deactivate security flow traceoptions
                 delete security flow traceoptions


Tech Commands for Juniper JunOS Troubleshooting

Below are some of the main Juniper SRX commands. Each command is listed with the CLI mode it should be run from.

**********************
Juniper SRX Firewalls
**********************
run = used in configure mode to use operational mode commands

//Show Routes
show route brief
show route best x.x.x.x
set routing-options static route 10.2.2.0/24 next-hop 10.1.1.254
//Forwarding Table
run show route forwarding-table destination x.x.x.x/24

//TraceOptions settings
root@fw1# show security flow | display set
set security flow traceoptions file matt_trace
set security flow traceoptions file files 3
set security flow traceoptions file size 100000
set security flow traceoptions flag basic-datapath
set security flow traceoptions packet-filter f0 source-prefix 10.0.0.1/32 destination-prefix 200.1.2.3/32
set security flow traceoptions packet-filter f1 source-prefix 10.0.0.1/32 destination-prefix 200.1.2.3/32
activate security flow traceoptions
commit
monitor start matt_trace
monitor list

!! Kill the capture
monitor stop <captureFileName>
clear log <captureFileName>            !! Clear the log file
delete security flow traceoptions
commit
file delete <captureFileName>

//Show Traceoptions
show security flow session source-prefix 10.124.80.42 destination-prefix 117.1.1.25
start shell

egrep 'matched filter|(ge|fe|reth)-.*->.*|session found|create session|dst_xlate|routed|search|denied|src_xlate|outgoing phy if' /var/log/matt_trace | sed -e 's/.*RT://g' | sed -e 's/tcp, flag 2 syn/--TCP SYN--/g' | sed -e 's/tcp, flag 12 syn ack/--TCP SYN\/ACK--/g' | sed -e 's/tcp, flag 10/--TCP ACK--/g' | sed -e 's/tcp, flag 4 rst/--TCP RST--/g' | sed -e 's/tcp, flag 14 rst/--TCP RST\/ACK--/g' | sed -e 's/tcp, flag 18/--TCP PUSH\/ACK--/g' | sed -e 's/tcp, flag 11 fin/--TCP FIN\/ACK--/g' | sed -e 's/tcp, flag 5/--TCP FIN\/RST--/g' | sed -e 's/icmp, (0\/0)/--ICMP Echo Reply--/g' | sed -e 's/icmp, (8\/0)/--ICMP Echo Request--/g' | sed -e 's/icmp, (3\/0)/--ICMP Destination Unreachable--/g' | sed -e 's/icmp, (11\/0)/--ICMP Time Exceeded--/g' | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="}; {print};'

//Show Sessions
run show security flow session destination-prefix x.x.x.x

//Match Policy
run show security match-policies from-zone zonea to-zone zoneb source-ip x.x.x.x destination-ip x.x.x.x protocol tcp source-port 1024 destination-port xx

//Check for Block Group
show security policies from-zone untrust to-zone trust | display set | match deny

//Find Syntax for an Existing Command
show | display set | xxxxxxxxx

//VPN Troubleshooting
show security ike security-associations [index <ID>] [detail]
show security ipsec security-associations [index <ID>] [detail]
show security ipsec statistics [index <ID>]

//VPN
//Set proxy ID’s for a route based tunnel
set security ipsec vpn vpn-name ike proxy-identity local 10.0.0.0/8 remote 192.168.1.0/24 service any

//Packet Capture
set security datapath-debug capture-file my-capture
set security datapath-debug capture-file format pcap
set security datapath-debug capture-file size 1m
set security datapath-debug capture-file files 5
set security datapath-debug maximum-capture-size 400
set security datapath-debug action-profile do-capture event np-ingress packet-dump
set security datapath-debug packet-filter my-filter action-profile do-capture
set security datapath-debug packet-filter my-filter source-prefix 1.2.3.4/32

//Super SRX Packet Capture Filter
egrep 'matched filter|(ge|fe|reth)-.*->.*|session found|Session \(id|session id|create|dst_nat|chose interface|dst_xlate|routed|search|denied|src_xlate|dip id|outgoing phy if|route to|DEST|post' /var/log/mchtrace | uniq | sed -e 's/.*RT://g' | awk '/matched/ {print "\n\t\t\t=== PACKET START ==="} ; {print} ;' | awk '/^$/ {print "\t\t\t=== PACKET END ==="}; {print};' ; echo | awk '/^$/ {print "\t\t\t=== PACKET END ==="}; {print};'
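The two egrep/sed/awk one-liners above (the "Show Traceoptions" pipeline and the "Super SRX Packet Capture Filter") are easier to trust once you have seen them run on known input. The script below is an added example, not a script from this blog or from Juniper: it wraps the same filtering in a function that reads a flow trace on stdin, and it adds "permitted by policy" to the alternation so permits show up next to denies. The trace lines are constructed approximations of "flag basic-datapath" output, not a real capture; the addresses, interface names and policy name are made up.

```shell
#!/bin/sh
# Added example (not the blog's own script). Constructed sample of an SRX flow
# trace: one SYN denied by policy, one SYN permitted, and the SYN/ACK coming back.
SAMPLE_TRACE='Jun 25 10:00:01 10:00:01.100:CID-0:RT:<10.0.0.1/40000->200.1.2.3/80;6> matched filter f0:
Jun 25 10:00:01 10:00:01.100:CID-0:RT:packet [60] ipid = 4242, @0x4c3a8e1c
Jun 25 10:00:01 10:00:01.100:CID-0:RT:  ge-0/0/0.0:10.0.0.1/40000->200.1.2.3/80, tcp, flag 2 syn
Jun 25 10:00:01 10:00:01.100:CID-0:RT:  no session found, start first path. in_tunnel - 0x0
Jun 25 10:00:01 10:00:01.100:CID-0:RT:  routed (x_dst_ip 200.1.2.3) from trust (ge-0/0/0.0 in 0) to ge-0/0/1.0, Next-hop: 203.0.113.1
Jun 25 10:00:01 10:00:01.100:CID-0:RT:  policy search from zone trust-> zone untrust (0x0,0x9c400050,0x50)
Jun 25 10:00:01 10:00:01.100:CID-0:RT:  packet dropped, denied by policy
Jun 25 10:00:01 10:00:01.200:CID-0:RT:<10.0.0.1/40001->200.1.2.3/443;6> matched filter f0:
Jun 25 10:00:01 10:00:01.200:CID-0:RT:  ge-0/0/0.0:10.0.0.1/40001->200.1.2.3/443, tcp, flag 2 syn
Jun 25 10:00:01 10:00:01.200:CID-0:RT:  no session found, start first path. in_tunnel - 0x0
Jun 25 10:00:01 10:00:01.200:CID-0:RT:  routed (x_dst_ip 200.1.2.3) from trust (ge-0/0/0.0 in 0) to ge-0/0/1.0, Next-hop: 203.0.113.1
Jun 25 10:00:01 10:00:01.200:CID-0:RT:  policy search from zone trust-> zone untrust (0x0,0x9c4001bb,0x1bb)
Jun 25 10:00:01 10:00:01.200:CID-0:RT:  permitted by policy allow-https(4)
Jun 25 10:00:01 10:00:01.300:CID-0:RT:<200.1.2.3/443->10.0.0.1/40001;6> matched filter f1:
Jun 25 10:00:01 10:00:01.300:CID-0:RT:  ge-0/0/1.0:200.1.2.3/443->10.0.0.1/40001, tcp, flag 12 syn ack
Jun 25 10:00:01 10:00:01.300:CID-0:RT:  session found, id 12345'

# Keep only the lines that tell a packet's story (the same alternation as the
# one-liners, plus "permitted"), strip everything up to "RT:", translate raw
# TCP flag values into names, and bracket each packet with START/END markers.
summarize_trace() {
    grep -E 'matched filter|(ge|fe|reth)-.*->.*|session found|create session|dst_xlate|routed|search|denied|permitted|src_xlate|outgoing phy if' \
    | sed -e 's/.*RT://' \
          -e 's/tcp, flag 2 syn/--TCP SYN--/' \
          -e 's/tcp, flag 12 syn ack/--TCP SYN\/ACK--/' \
          -e 's/tcp, flag 10/--TCP ACK--/' \
          -e 's/tcp, flag 4 rst/--TCP RST--/' \
          -e 's/tcp, flag 14 rst/--TCP RST\/ACK--/' \
          -e 's/tcp, flag 18/--TCP PUSH\/ACK--/' \
          -e 's/tcp, flag 11 fin/--TCP FIN\/ACK--/' \
          -e 's/tcp, flag 5/--TCP FIN\/RST--/' \
          -e 's/icmp, (8\/0)/--ICMP Echo Request--/' \
          -e 's/icmp, (0\/0)/--ICMP Echo Reply--/' \
    | awk '/matched filter/ {
               if (n++) print "\t\t\t=== PACKET END ==="
               print "\n\t\t\t=== PACKET START ==="
           }
           { print }
           END { if (n) print "\t\t\t=== PACKET END ===" }'
}

# Counts a troubleshooter reads first: how many packets hit the filter, and
# how many of them were denied, permitted, or were plain SYNs.
packet_count()    { printf '%s\n' "$SAMPLE_TRACE" | summarize_trace | grep -c 'PACKET START'; }
denied_count()    { printf '%s\n' "$SAMPLE_TRACE" | summarize_trace | grep -c 'denied by policy'; }
permitted_count() { printf '%s\n' "$SAMPLE_TRACE" | summarize_trace | grep -c 'permitted by policy'; }
syn_count()       { printf '%s\n' "$SAMPLE_TRACE" | summarize_trace | grep -c -- '--TCP SYN--'; }

printf '%s\n' "$SAMPLE_TRACE" | summarize_trace
```

On a real box run it against the trace file instead of the sample (`summarize_trace < /var/log/matt_trace`). The output groups each matched packet between START and END markers, so a packet whose block ends at "denied by policy" with no "session found" afterwards is the one to look at; the original alternation drops the "permitted by policy" line, which is why it was added here.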

// Policy commands

show | display set (shows policy)
set system syslog
set security log
set interfaces ge-0/0/3 gigether-options auto-negotiation (redundant-parent)
set security policies from-zone xxx to-zone xxx policy policy_name match
set security zones security-zone untrust address-book address
set security nat source rule-set zone-to-zone rule rule-source-nat match source-address 10.0.0.0
set routing-instances
set applications

set security ike proposal
set security ike policy
set security ike gateway
set security ipsec proposal
set security ipsec policy
set security ipsec vpn

show|compare
commit check
commit comment "ticket#2222" and-quit

set security policies from-zone dmz to-zone trust policy 12 match source-address h_10.124.0.1 destination-address h_1.2.3.4 application tcp_22
set security policies from-zone dmz to-zone trust policy 12 then permit
set security policies from-zone dmz to-zone trust policy 12 then log session-init session-close

+         match {
+             source-address h_10.124.0.1;
+             destination-address h_1.2.3.4;
+             application tcp_22;
+         }
+         then {
+             permit;
+             log {
+                 session-init;
+                 session-close;
+             }
+         }
+     }
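Review bot: the closing `+     }` on the last line belongs to a block whose opening line is not shown; the output starts at `match {`, so the reader cannot tell from the diff alone that this is `policy 12` under `from-zone dmz to-zone trust`. When pasting `show | compare` output for a policy change, include the lines from the policy's opening brace onwards so the stanza can be checked against the three set commands above (source-address h_10.124.0.1, destination-address h_1.2.3.4, application tcp_22, permit with session-init and session-close logging).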


Various:

show system uptime Uptime
show version Version of platform (host/model)
show chassis firmware Firmware loaded on FPCs
show system software detail  
show chassis routing-engine CPU, Memory for Routing-Engine
show chassis fan Speed and status of fans
show chassis environment Temperature status of components
show chassis hardware detail Hardware inventory (backplane)
show system core-dumps Core-dumps
show system alarms System alarms
show chassis alarms Alarms for hardware and chassis
show system boot-messages Logs from boot sequence
show log chassisd Logs for SRX chassis (Cards)
show log messages Recent system messages
show configuration security log Syslog configuration
show system buffers Utilization of memory buffers
show system virtual-memory Virtual memory utilization
show system processes Processes running on system
show security idp memory IDP memory statistics
show security monitoring performance session Session counts on each FPC


CONFIGURATION COMMANDS

replace pattern expr1 with expr # configuration mode find and replace string within configuration
show | compare rollback {1..5} # configuration mode compare the current configuration against roll back configuration file
commit check # configuration mode verify the uncommitted changes
commit comment “{TEXT}” # configuration mode commit changes and add a comment
commit confirmed 10 # configuration mode changes are committed; if a further commit is not issued before the timer expires, the changes are reverted
commit full # configuration mode commit entire configuration
rollback rescue # configuration mode rollback the configuration to rescue point
clear system commit > operational mode discard uncommitted changes
configure private > operational mode launches configuration mode with a private candidate; changes are kept to your session and are not made global until you commit
load merge terminal # configuration mode merge configuration with current configuration
load merge relative terminal # configuration mode merge configuration relative to the current edit point (stanza)
load override baseline-config.cfg # configuration mode override current running config with saved config
save baseline-config.cfg # configuration mode save current configuration to a file

SHOW COMMANDS

show chassis routing-engine > operational mode show CPU, Mem and Temperature
show security flow session summary > operational mode show session total and limit
show security policies > operational mode show security policies
show security zones > operational mode show security zones
show groups junos-defaults # configuration mode show junos default groups
show system queues > operational mode show interface statistics
show security flow status > operational mode show mode (packet/flow-based)
monitor interface [traffic|interface] > operational mode show interface stats in real-time

PROCESS MANAGEMENT

show system processes extensive > operational mode show processes
restart {process} gracefully > operational mode restart the process once all its present tasks have been completed

SYSTEM COMMANDS

request system reboot > operational mode reboot system
request system storage cleanup > operational mode remove unwanted files

MISC COMMANDS

set security forwarding-options family mpls mode [packet-based|flow-based] # configuration mode configure the mode (packet/flow-based)


Juniper Certification Guide: Overview and Career Paths

Juniper Networks Certifications

Juniper Networks helps companies build the best networks possible by providing a combination of networking equipment, services and its own network operating system. Juniper Networks provides networking services to the world’s top 100 service providers, banks, stock exchanges, various government agencies, healthcare organizations, education institutions, utility companies and more. Juniper Networks was founded in 1996 by Pradeep Sindhu, has over 9,000 employees worldwide and is based in Sunnyvale, CA. The company boasts several awards, including Ethisphere’s “World’s Most Ethical Companies” for three years running.

If you’re looking for a new career opportunity or work for a company that utilizes Juniper Network products and services, participating in the Juniper Networks Certification Program (JNCP) is a must.

Juniper Networks Certification Program (JNCP) Overview

Juniper Networks certifications can distinguish you from non-certified peers, provide career growth opportunities, give you greater insight into Juniper Networks products and services and benefit your customers.

There are four certification levels within the JNCP:

  • Associate,
  • Specialist,
  • Professional,
  • Expert.

The Associate, Specialist and Professional exams contain multiple-choice questions, range from 90 to 120 minutes and cost between $100 and $300. The exams are delivered through Pearson VUE. The Expert exams are hands-on labs that take up to 8 hours and are offered at select Juniper Network testing centers. Lab exams cost $1,400.

Juniper Networks offers training for each exam. The last slide in this article provides links and details to certification prep training opportunities.

Junos Track Overview

The Juniper certification program has several tracks, categorized by career path, that are based on Juniper Networks technologies, products and services.

The JNCP tracks include:

  • Service Provider Routing and Switching,
  • Enterprise Routing and Switching,
  • Junos Security,
  • Junos Support Tracks,
  • Product and Technology Certifications.

The Service Provider Routing and Switching, Enterprise Routing and Switching, and Junos Security certifications are collectively referred to as “Network Engineer” certifications as they’re all geared toward the network engineer professional.

Each of these tracks is covered in more detail in the following slides. You can also find more detailed information on the Juniper Networks website: juniper.net/us/en/training/certification/certification-tracks.


JNCIA-Junos: Juniper Networks Certified Associate – Junos

Juniper Networks Certified Associate – Junos (JNCIA-Junos) is the entry-level certification for all network engineer certifications.

This certification is geared toward individuals who have basic experience with the Juniper Networks Junos OS, and understand the fundamentals of networking, routing and switching. You must obtain this certification to advance to the Specialist, Professional and Expert certs in the Service Provider Routing and Switching, Enterprise Routing and Switching, and Junos Security tracks.

The JN0-102 exam costs $100, has 70 multiple-choice questions and takes up to 90 minutes to complete.


JNCP Enterprise Routing and Switching Track

The JNCP Enterprise Routing and Switching track is part of the Network Engineer certification track. It’s geared towards individuals who are proficient in networking technologies in general and Juniper Networks enterprise routing and switching platforms specifically.

Four certifications are available in this track:

  • Juniper Networks Certified Associate – Junos (JNCIA-Junos),
  • Juniper Networks Certified Specialist Enterprise Routing and Switching (JNCIS-ENT),
  • Juniper Networks Certified Professional Enterprise Routing and Switching (JNCIP-ENT),
  • Juniper Networks Certified Expert Enterprise Routing and Switching (JNCIE-ENT).

The JNCIA-Junos cert is covered on the previous slide and is a prerequisite to the JNCIS-ENT certification. The JNCIS-ENT recognizes networking professionals with fundamental to intermediate knowledge of routing and switching, platform configuration and troubleshooting in Junos.

The JN0-343 exam costs $200, contains 70 multiple-choice questions and takes up to 90 minutes to complete.


Junos JNCIP-ENT and JNCIE-ENT Certifications

The last two certifications in Juniper’s Enterprise Routing and Switching Track are the Professional (JNCIP-ENT) and Expert (JNCIE-ENT) certifications.

JNCIS-ENT is a prerequisite to the JNCIP-ENT certification, which is geared toward networking professionals who have extensive knowledge of enterprise routing and switching technologies, platform configuration and Junos OS troubleshooting skills. The JN0-643 exam costs $300, has 70 multiple-choice questions and takes up to 120 minutes to complete at a Pearson VUE facility.

The JNCIP-ENT is a prerequisite to the JNCIE-ENT certification. The JNCIE-ENT is the highest certification in the Enterprise Routing and Switching track. This is a practical exam that tests the networking professional’s ability to deploy, configure, manage and troubleshoot Junos-based enterprise routing and switching platforms using a variety of devices, protocols and features. Candidates can enroll in a JNCIE Enterprise Bootcamp (cost is $3,500) to help prepare for the JPR-943 practical exam, which lasts up to 8 hours, costs $1,400 and is offered at select Juniper Network testing centers. (Some bootcamps include a complimentary exam voucher.)


Junos Security Track

The Junos Security certifications include Associate, Specialist, Professional and Expert levels. The first step is the associate-level JNCIA-Junos certification. It’s a prerequisite to the next certification, the Juniper Networks Certified Specialist Security (JNCIS-SEC).

This intermediate-level certification is geared toward candidates who configure and troubleshoot Juniper Networks Junos software for SRX Series devices, and understand security technologies. The JN0-332 written exam costs $200, takes 90 minutes, consists of 70 questions and is offered through Pearson VUE.


Junos JNCIS-SEC and JNCIP-SEC Certifications

JNCIS-SEC is a prerequisite to Juniper Networks Certified Professional Security (JNCIP-SEC). This certification recognizes networking professionals who are highly familiar with security, platform configuration and troubleshooting of the Juniper Networks Junos software for SRX Series devices. The JN0-633 written exam costs $300, has 70 multiple-choice questions and takes up to 120 minutes. Candidates can take the exam through Pearson VUE.

JNCIP-SEC is a prerequisite to Juniper Networks Certified Expert Security (JNCIE-SEC), the most advanced certification in the Security track. The JNCIE-SEC identifies professionals who implement, configure, manage and troubleshoot JUNOS-based security platforms. The JPR-932 practical exam lasts for up to 8 hours, costs $1,400 and is delivered at select Juniper Network testing centers.


Junos Service Provider Routing and Switching Track

Similar to the Enterprise Routing and Switching and Junos Security tracks, the Service Provider Routing and Switching track also has Associate, Specialist, Professional and Expert certifications. JNCIA-Junos is the foundational cert from which a candidate can achieve the Juniper Networks Certified Internet Specialist (JNCIS-SP), then Juniper Networks Certified Internet Professional (JNCIP-SP) and Juniper Networks Certified Internet Expert (JNCIE-SP) credentials.

JNCIS-SP identifies individuals with beginner to intermediate knowledge of routing and switching implementations in Junos. The JN0-360 written exam costs $200, takes up to 90 minutes to complete and has 70 questions. It is offered through Pearson VUE.

JNCIP-SP is geared toward experienced networking professionals who have advanced knowledge of routing technologies and platform configuration, and who can troubleshoot the Juniper Networks Junos OS. The JN0-660 written exam costs $300, takes up to 120 minutes, has 70 questions and is offered through Pearson VUE.

JNCIE-SP is the pinnacle certification in this track. It’s an 8-hour practical exam for networkers who implement, troubleshoot and maintain Juniper Networks service provider networks. The JPR-960 practical exam costs $1,400 and is offered at select Juniper Network testing centers.


Junos Enterprise Routing and Switching Support Track

The Enterprise Routing and Switching Support track offers one certification: Juniper Networks Certified Support Professional, or JNCSP-ENT. The cert recognizes experienced networking professionals who support advanced enterprise routing and switching technologies with Junos devices and the Junos OS.

To achieve this certification, you must have the JNCIP-ENT cert and pass two exams: Junos Troubleshooting (JN0-690, 90 minutes, 70 questions) and the JNCSP-ENT Support Professional (JN0-694, 60 minutes, 36 questions).


Junos Security Support Track

The Juniper Networks Certified Support Professional (JNCSP-SEC) certification is the lone credential in the Security Support track. The intermediate-level cert recognizes individuals who troubleshoot security issues on Junos devices.

To achieve this certification, you must have the JNCIP-SEC certification and pass two exams: Junos Troubleshooting (JN0-690, 90 minutes, 70 questions) and JNCSP-SEC Support Professional (JN0-696, 60 minutes, 36 questions).