
Junos® OS

Administration Guide for Security Devices

Modified: 2017-04-05

Copyright © 2017, Juniper Networks, Inc.


Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, California 94089
USA
408-745-2000
www.juniper.net
Juniper Networks, Junos, Steel-Belted Radius, NetScreen, and ScreenOS are registered trademarks of Juniper Networks, Inc. in the United
States and other countries. The Juniper Networks Logo, the Junos logo, and JunosE are trademarks of Juniper Networks, Inc. All other
trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.

Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify,
transfer, or otherwise revise this publication without notice.

Junos® OS Administration Guide for Security Devices
Copyright © 2017, Juniper Networks, Inc.
All rights reserved.

The information in this document is current as of the date on the title page.

YEAR 2000 NOTICE

Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the
year 2038. However, the NTP application is known to have some difficulty in the year 2036.

END USER LICENSE AGREEMENT

The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks
software. Use of such software is subject to the terms and conditions of the End User License Agreement (“EULA”) posted at
http://www.juniper.net/support/eula.html. By downloading, installing or using such software, you agree to the terms and conditions of
that EULA.



Table of Contents
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Documentation and Release Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Supported Platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Using the Examples in This Manual . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Merging a Full Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Merging a Snippet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii
Documentation Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Documentation Feedback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Requesting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Self-Help Online Tools and Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Opening a Case with JTAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxii

Part 1 User Access and Authentication


Chapter 1 User Access and Authentication Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Understanding Login Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Permission Bits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Denying or Allowing Individual Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Understanding User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
Understanding Junos OS Access Privilege Levels . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Junos OS Login Class Permission Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Allowing or Denying Individual Commands for Junos OS Login Classes . . . . . 11
Understanding User Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Hardening Shared Secrets in Junos OS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Understanding Hardening Shared Secrets . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Chassis Cluster Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Using Trusted Platform Module to Bind Secrets on SRX Series Devices . . . . . . . . 14
Enabling the TPM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Verifying the Status of the TPM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Changing the Master Encryption Password . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Chapter 2 Configuring Junos OS User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Example: Configuring New Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Understanding Template Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Example: Creating Template Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Understanding Administrative Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Example: Configuring Administrative Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Handling Authorization Failure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Example: Configuring System Retry Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34


Chapter 3 Configuring User Access Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Example: Configuring User Permissions with Access Privilege Levels . . . . . . . . . . 39
Example: Configuring User Permissions with Access Privilege Levels . . . . . . . . . . 43
Example: Configuring User Permissions with Access Privileges for Operational Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Example: Configuring User Permissions with Access Privileges for Operational Mode Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Example: Configuring User Permissions with Access Privileges for Operational Mode Commands, Configuration Statements, and Hierarchies . . . . . . . . . . . 68
Chapter 4 Permissions Flags for User Access Privileges . . . . . . . . . . . . . . . . . . . . . . . . . 79
Access Privilege User Permission Flags Overview . . . . . . . . . . . . . . . . . . . . . . . . . 80
access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82
access-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
admin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
admin-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
all-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
firewall-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
floppy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
flow-tap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 167
flow-tap-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
flow-tap-operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
idp-profiler-operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
interface-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
pgcp-session-mirroring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
pgcp-session-mirroring-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
reset . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191
rollback . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 192
secret-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
security-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 205
shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
snmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
system . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
system-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
trace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219
trace-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
view . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232


view-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Chapter 5 Configuring Authentication Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Configuring RADIUS Server Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
Example: Configuring a RADIUS Server for System Authentication . . . . . . . . . . 340
Configuring TACACS+ Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Configuring TACACS+ Server Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 343
Specifying a Source Address for the Junos OS to Access External TACACS+ Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Configuring the Same Authentication Service for Multiple TACACS+ Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Configuring Juniper Networks Vendor-Specific TACACS+ Attributes . . . . . . 345
Example: Configuring a TACACS+ Server for System Authentication . . . . . . . . . 346
Example: Configuring Authentication Order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349

Part 2 Configuring Remote Access to an SRX Series Appliance


Chapter 6 Configuring Secure Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Secure Web Access Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Generating an SSL Certificate Using the openssl Command . . . . . . . . . . . . . . . 356
Generating a Self-Signed SSL Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Manually Generating Self-Signed SSL Certificates . . . . . . . . . . . . . . . . . . . . . . . . 357
Configuring Device Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Enabling Access Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358
Example: Configuring Secure Web Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Adding, Editing, and Deleting Certificates on the Device . . . . . . . . . . . . . . . . . . . 362
Chapter 7 Setting up USB Modems for Remote Management . . . . . . . . . . . . . . . . . . . 363
USB Modem Interface Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
USB Modem Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Dialer Interface Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
How the Device Initializes USB Modems . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
USB Modem Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366
Example: Configuring a USB Modem Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Example: Configuring a Dialer Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Example: Configuring a Dialer Interface for USB Modem Dial-In . . . . . . . . . . . . . 376
Configuring a Dial-Up Modem Connection Remotely . . . . . . . . . . . . . . . . . . . . . . 378
Connecting to the Device Remotely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Modifying USB Modem Initialization Commands . . . . . . . . . . . . . . . . . . . . . . . . 380
Resetting USB Modems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381


Chapter 8 Configuring Telnet and SSH Access to an SRX Series Appliance . . . . . . . 383
Securing the Console Port Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . 383
Configuring Password Retry Limits for Telnet and SSH Access . . . . . . . . . . . . . . 384
Example: Controlling Management Access on SRX Series Devices . . . . . . . . . . 385
Example: Configuring a Filter to Block Telnet and SSH Access . . . . . . . . . . . . . . 389
The telnet Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394
The ssh Command . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Configuring Outbound SSH Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 397
Configuring the Device Identifier for Outbound SSH Connections . . . . . . . . 397
Sending the Public SSH Host Key to the Outbound SSH Client . . . . . . . . . . 398
Configuring Keepalive Messages for Outbound SSH Connections . . . . . . . 399
Configuring a New Outbound SSH Connection . . . . . . . . . . . . . . . . . . . . . . 399
Configuring the Outbound SSH Client to Accept NETCONF as an Available Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Configuring Outbound SSH Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400

Part 3 Configuring DNS


Chapter 9 Configuring DNS Server Caching, DNSSEC, and DNS Proxy . . . . . . . . . . . . 403
DNS Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
DNS Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
DNS Server Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Example: Configuring the TTL Value for DNS Server Caching . . . . . . . . . . . . . . . 404
DNSSEC Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Example: Configuring DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Example: Configuring Keys for DNSSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406
Example: Configuring Secure Domains and Trusted Keys for DNSSEC . . . . . . . 406
DNS Proxy Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
DNS Proxy Cache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
DNS Proxy with Split DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 409
Dynamic Domain Name System Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 411
Configuring the Device as a DNS Proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413

Part 4 Configuring DHCP Access Service for IP Address Management


Chapter 10 Understanding DHCP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
DHCP Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
DHCP Client, DHCP Local Server, and Address-Assignment Pool Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
DHCP Local Server and Address-Assignment Pools . . . . . . . . . . . . . . . 420
DHCP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
DHCP Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
DHCP Client, DHCP Relay Agent, and DHCP Local Servers . . . . . . . . . . . . . . 421
Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
DHCP Server, Client, and Relay Agent Overview . . . . . . . . . . . . . . . . . . . . . . . . . . 423
DHCP Settings and Restrictions Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Propagation of TCP/IP Settings for DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
DHCP Conflict Detection and Resolution . . . . . . . . . . . . . . . . . . . . . . . . . . . 424


DHCP Interface Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 424
Understanding Cascaded DHCPv6 Prefix Delegating . . . . . . . . . . . . . . . . . . . . . 425
Example: Configuring DHCPv6 Prefix Delegation (PD) over Point-to-Point Protocol over Ethernet (PPPoE) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Chapter 11 Configuring a DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Understanding DHCP Server Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Compatibility with Autoinstallation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Chassis Cluster Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
DHCP Server Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448
Minimum DHCP Local Server Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 449
Configuring Address-Assignment Pools . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 450
Configuring an Address-Assignment Pool Name and Addresses . . . . . . . . . . . . . 451
Configuring a Named Address Range for Dynamic Address Assignment . . . . . . 451
Configuring Static Address Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452
Enabling TCP/IP Propagation on a DHCP Local Server . . . . . . . . . . . . . . . . . . . . 453
Verifying and Managing DHCP Local Server Configuration . . . . . . . . . . . . . . . . . 454
Example: Configuring the Device as a DHCP Server . . . . . . . . . . . . . . . . . . . . . . . 454
Chapter 12 Configuring a DHCP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Understanding DHCP Client Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Minimum DHCP Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Configuring DHCP Client-Specific Attributes for Address-Assignment Pools . . 462
Configuring Optional DHCP Client Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 463
Verifying and Managing DHCP Client Configuration . . . . . . . . . . . . . . . . . . . . . . 464
Example: Configuring the Device as a DHCP Client . . . . . . . . . . . . . . . . . . . . . . . 465
Chapter 13 Configuring a DHCP Relay Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Understanding DHCP Relay Agent Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Minimum DHCP Relay Agent Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Verifying and Managing DHCP Relay Configuration . . . . . . . . . . . . . . . . . . . . . . . 472
Example: Configuring the Device as a BOOTP or DHCP Relay Agent . . . . . . . . . 473
Chapter 14 Configuring a DHCPv6 Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
DHCPv6 Server Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Creating a Security Policy for DHCPv6 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 480
Example: Configuring DHCPv6 Server Options . . . . . . . . . . . . . . . . . . . . . . . . . . . 481
Example: Configuring an Address-Assignment Pool . . . . . . . . . . . . . . . . . . . . . . 484
Configuring a Named Address Range for Dynamic Address Assignment . . . . . . 486
Configuring Address-Assignment Pool Linking . . . . . . . . . . . . . . . . . . . . . . . . . . . 487
Configuring DHCP Client-Specific Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488
Configuring an Address-Assignment Pool for Router Advertisement . . . . . . . . . 489
Understanding DHCPv6 Client and Server Identification . . . . . . . . . . . . . . . . . . 489
Chapter 15 Configuring a DHCPv6 Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
DHCPv6 Client Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 491
Minimum DHCPv6 Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 492
Configuring Optional DHCPv6 Client Attributes . . . . . . . . . . . . . . . . . . . . . . . . . 494
Configuring Nontemporary Address Assignment . . . . . . . . . . . . . . . . . . . . . . . . . 495


Configuring Identity Associations for Nontemporary Addresses and Prefix Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Configuring Auto-Prefix Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 496
Configuring the DHCPv6 Client Rapid Commit Option . . . . . . . . . . . . . . . . . . . . 497
Configuring a DHCPv6 Client in Autoconfig Mode . . . . . . . . . . . . . . . . . . . . . . . . 498
Configuring TCP/IP Propagation on a DHCPv6 Client . . . . . . . . . . . . . . . . . . . . . 499
Chapter 16 Configuring DHCP in Cluster Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 501
Example: Configuring the Device as a DHCP Server in Chassis Cluster Mode . . . 501
Example: Configuring the Device as a DHCP Client in Chassis Cluster Mode . . . 507

Part 5 Managing System Files


Chapter 17 Performing File Management Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
File Management Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Decrypting Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Encrypting Configuration Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516
Modifying the Encryption Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Cleaning Up Files in J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 518
Cleaning Up Files with the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
Deleting Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 520
Deleting the Backup Software Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 521
Downloading Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522
Configuring RADIUS System Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 523
Configuring Auditing of User Events on a RADIUS Server . . . . . . . . . . . . . . . 523
Specifying RADIUS Server Accounting and Auditing Events . . . . . . . . . . . . . 523
Configuring RADIUS Server Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 524
Managing Accounting Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526

Part 6 Working with Junos OS Licenses


Chapter 18 Managing Junos OS Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Junos OS Feature License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
License Key Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
License Management Fields Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530
Software Feature Licenses for SRX Series Devices . . . . . . . . . . . . . . . . . . . . . . . . 531
Displaying License Keys in J-Web . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 531
Downloading License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Generating a License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 532
Saving License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Updating License Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533
Example: Adding a New License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534
Example: Deleting a License Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537

Part 7 Configuration Statements and Operational Commands


Chapter 19 Configuration Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 543
address-assignment (Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546
address-pool (Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 549
allow-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 550


allow-configuration-regexps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551
authentication-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 552
authentication-order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 553
boot-server (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554
broadcast . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555
broadcast-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 556
ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 557
connection-limit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 558
client-ia-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 559
client-identifier (dhcp-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560
client-identifier (dhcpv6-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 561
client-list-name (SNMP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
client-type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 562
deny-configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 563
deny-configuration-regexps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 564
destination (Accounting) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 565
dhcp-attributes (Access IPv4 Address Pools) . . . . . . . . . . . . . . . . . . . . . . . . . . . 566
dhcp-attributes (Access IPv6 Address Pools) . . . . . . . . . . . . . . . . . . . . . . . . . . . 568
dhcp-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 570
dhcp-local-server (System Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571
dhcpv6 (System Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575
dhcpv6-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 579
disable (System Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 580
dlv . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 581
dynamic-pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582
dynamic-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 583
family (Security Forwarding Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 584
file (System Logging) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 585
forwarding-options (Security) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 588
group (System Services DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 589
host (SSH Known Hosts) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 592
hostkey-algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593
idle-timeout (System) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594
interface (System Services DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 595
interfaces (ARP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 596
interfaces (Security Zones) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 597
interface-traceoptions (System Services DHCP) . . . . . . . . . . . . . . . . . . . . . . . . 598
internet-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 600
kernel-replication (System) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601
lease-time (dhcp-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 602
location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 603
lockout-period . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604
macs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 605
max-pre-authentication-packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606
multicast-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
name-server (Access) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 607
neighbor-discovery-router-advertisement (Access) . . . . . . . . . . . . . . . . . . . . . . 608
ntp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609
outbound-ssh . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 610

Copyright © 2017, Juniper Networks, Inc. ix

Administration Guide for Security Devices

overrides (System Services DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612
peer (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 613
prefix . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 614
profilerd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615
proxy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616
radius-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617
radius-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 618
rapid-commit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 619
reconfigure (System Services DHCP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620
req-option . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 622
retransmission-attempt (dhcp-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 623
retransmission-attempt (dhcpv6-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 624
retransmission-interval (dhcp-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625
root-authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 626
single-connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627
server (NTP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628
server-address (dhcp-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 629
source-address (NTP, RADIUS, System Logging, or TACACS+) . . . . . . . . . . . . . 630
ssh-known-hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 631
static-subscribers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
statistics-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632
subscriber-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 633
subscriber-management-helper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634
system master password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 635
tacplus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636
tacplus-options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 637
tacplus-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 639
traceoptions (Outbound SSH) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 641
trusted-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642
uac-service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643
update-router-advertisement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
update-server (dhcp-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644
update-server (dhcpv6-client) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
usb-control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645
use-interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
user-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 646
vendor-id . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
vpn (Forwarding Options) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 647
watchdog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 648
web-management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 649
web-management (System Services) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650
Chapter 20 Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
clear dhcp client binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658
clear dhcp client statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659
clear dhcp relay binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660
clear dhcp relay statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 661
clear dhcp server binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662
clear dhcp server statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 663
clear dhcpv6 client binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 664
clear dhcpv6 client statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 665
clear dhcpv6 server binding (Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 666
clear dhcpv6 server statistics (Local Server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667
clear security ssh key-pair-identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 668
clear system login lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 669
file archive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 670
file checksum md5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672
file checksum sha1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 673
file checksum sha-256 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 674
file compare . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 675
file copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 678
file delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 680
file list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 681
file rename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 682
file show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 683
request dhcp client renew . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 684
request dhcpv6 client renew . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 685
request security ssh key-pair-identity generate . . . . . . . . . . . . . . . . . . . . . . . . . . 686
request security tpm master-encryption-password set . . . . . . . . . . . . . . . . . . . . 687
request system autorecovery state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 688
request system decrypt password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 690
request system download abort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 691
request system download clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 692
request system download pause . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 693
request system download resume . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 694
request system download start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 695
request system firmware upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 697
request system license update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 698
request system power-off fpc . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 699
request system services dhcp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 700
request system snapshot (Maintenance) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 701
request system software abort in-service-upgrade (ICU) . . . . . . . . . . . . . . . . . . 704
request system software add (Maintenance) . . . . . . . . . . . . . . . . . . . . . . . . . . . 705
request system reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 706
request system software rollback (SRX Series) . . . . . . . . . . . . . . . . . . . . . . . . . . 707
request system zeroize . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 708
restart (Reset) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 710
Restart Commands Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 714
show chassis routing-engine (View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 715
show cli authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 718
show dhcp client binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 720
show dhcp client statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
show dhcp relay binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 725
show dhcp relay statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
show dhcp server binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 730
show dhcp server statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
show dhcpv6 client binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 734
show dhcpv6 client statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 736
show dhcpv6 server binding (View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 738
show dhcpv6 server statistics (View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 743
show firewall (View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 746
show security ssh key-pair-identity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 748
show security tpm status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 749
show system autorecovery state . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 750
show system download . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 752
show system license (View) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 754
show system login lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
show system services dhcp client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 758
show system services dhcp relay-statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 761
show system snapshot media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 763
show system storage partitions (View SRX Series) . . . . . . . . . . . . . . . . . . . . . . . 764

List of Figures
Part 1 User Access and Authentication
Chapter 1 User Access and Authentication Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Figure 1: Master Password Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Chapter 3 Configuring User Access Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Figure 2: Configuring TACACS+ Server Authentication . . . . . . . . . . . . . . . . . . . . . 46
Figure 3: Configuring TACACS+ Server Authentication . . . . . . . . . . . . . . . . . . . . . . 62
Figure 4: Configuring TACACS+ Server Authentication . . . . . . . . . . . . . . . . . . . . . . 72

Part 3 Configuring DNS

Chapter 9 Configuring DNS Server Caching, DNSSEC, and DNS Proxy . . . . . . . . . . . . 403
Figure 5: DNS Proxy with Split DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Figure 6: Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Part 4 Configuring DHCP Access Service for IP Address Management

Chapter 10 Understanding DHCP Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Figure 7: IPv6 Prefix Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 425
Figure 8: Sub-prefix Delegation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426
Figure 9: Configuring SRX Series Devices for DHCPv6 PD over PPPoE . . . . . . . . 427

List of Tables
About the Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
Table 1: Notice Icons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Table 2: Text and Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx

Part 1 User Access and Authentication

Chapter 1 User Access and Authentication Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 3: Predefined Login Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Table 4: Permission Bits for Login Classes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Table 5: Login Class Permission Flags . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
Table 6: $8$-encrypted Password Format . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Chapter 3 Configuring User Access Privileges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Table 7: Restricting Configuration Access Using deny-configuration and
deny-configuration-regexps Statements . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Part 2 Configuring Remote Access to an SRX Series Appliance

Chapter 7 Setting up USB Modems for Remote Management . . . . . . . . . . . . . . . . . . . 363
Table 8: Default Modem Initialization Commands . . . . . . . . . . . . . . . . . . . . . . . . 365
Table 9: Configuring Branch Office and Head Office Routers for USB Modem
Backup Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Table 10: Incoming Map Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Chapter 8 Configuring Telnet and SSH Access to an SRX Series Appliance . . . . . . . 383
Table 11: CLI telnet Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 395
Table 12: CLI ssh Command Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

Part 4 Configuring DHCP Access Service for IP Address Management

Chapter 11 Configuring a DHCP Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 447
Table 13: Sample DHCP Server Configuration Settings . . . . . . . . . . . . . . . . . . . . 448
Chapter 14 Configuring a DHCPv6 Local Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
Table 14: DHCPv6 Attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

Part 5 Managing System Files

Chapter 17 Performing File Management Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 515
Table 15: request system set-encryption-key Commands . . . . . . . . . . . . . . . . . . 517

Part 6 Working with Junos OS Licenses

Chapter 18 Managing Junos OS Licenses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529
Table 16: Summary of License Management Fields . . . . . . . . . . . . . . . . . . . . . . . 530

Part 7 Configuration Statements and Operational Commands

Chapter 20 Operational Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 655
Table 17: show chassis routing-engine Output Fields . . . . . . . . . . . . . . . . . . . . . . 715
Table 18: show dhcp client binding Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 720
Table 19: show dhcp client statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 723
Table 20: show dhcp relay binding Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 725
Table 21: show dhcp relay statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 728
Table 22: show dhcp server binding Output Fields . . . . . . . . . . . . . . . . . . . . . . . . 730
Table 23: show dhcp server statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 732
Table 24: show dhcpv6 client binding Output Fields . . . . . . . . . . . . . . . . . . . . . . 734
Table 25: show dhcpv6 client statistics Output Fields . . . . . . . . . . . . . . . . . . . . . 736
Table 26: show dhcpv6 server binding Output Fields . . . . . . . . . . . . . . . . . . . . . . 739
Table 27: show dhcpv6 server statistics Output Fields . . . . . . . . . . . . . . . . . . . . . 744
Table 28: show firewall Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 746
Table 29: show system autorecovery state Output Fields . . . . . . . . . . . . . . . . . . 750
Table 30: show system download Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . 752
Table 31: show system license Output Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . 754
Table 32: show system login lockout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 757
Table 33: show system services dhcp client Output Fields . . . . . . . . . . . . . . . . . 758
Table 34: show system services dhcp relay-statistics Output Fields . . . . . . . . . . 761

About the Documentation

• Documentation and Release Notes on page xvii
• Supported Platforms on page xvii
• Using the Examples in This Manual on page xvii
• Documentation Conventions on page xix
• Documentation Feedback on page xxi
• Requesting Technical Support on page xxi

Documentation and Release Notes

To obtain the most current version of all Juniper Networks® technical documentation,
see the product documentation page on the Juniper Networks website at
http://www.juniper.net/techpubs/.

If the information in the latest release notes differs from the information in the
documentation, follow the product Release Notes.

Juniper Networks Books publishes books by Juniper Networks engineers and subject
matter experts. These books go beyond the technical documentation to explore the
nuances of network architecture, deployment, and administration. The current list can
be viewed at http://www.juniper.net/books.

Supported Platforms

For the features described in this document, the following platforms are supported:

• SRX Series

• vSRX

Using the Examples in This Manual

If you want to use the examples in this manual, you can use the load merge or the load
merge relative command. These commands cause the software to merge the incoming
configuration into the current candidate configuration. The example does not become
active until you commit the candidate configuration.

If the example configuration contains the top level of the hierarchy (or multiple
hierarchies), the example is a full example. In this case, use the load merge command.

If the example configuration does not start at the top level of the hierarchy, the example
is a snippet. In this case, use the load merge relative command. These procedures are
described in the following sections.

Merging a Full Example

To merge a full example, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration example into a
text file, save the file with a name, and copy the file to a directory on your routing
platform.

For example, copy the following configuration to a file and name the file ex-script.conf.
Copy the ex-script.conf file to the /var/tmp directory on your routing platform.

system {
    scripts {
        commit {
            file ex-script.xsl;
        }
    }
}
interfaces {
    fxp0 {
        disable;
        unit 0 {
            family inet {
                address 10.0.0.1/24;
            }
        }
    }
}

2. Merge the contents of the file into your routing platform configuration by issuing the
load merge configuration mode command:

[edit]
user@host# load merge /var/tmp/ex-script.conf
load complete

Merging a Snippet
To merge a snippet, follow these steps:

1. From the HTML or PDF version of the manual, copy a configuration snippet into a text
file, save the file with a name, and copy the file to a directory on your routing platform.

For example, copy the following snippet to a file and name the file
ex-script-snippet.conf. Copy the ex-script-snippet.conf file to the /var/tmp directory
on your routing platform.

commit {
    file ex-script-snippet.xsl;
}

2. Move to the hierarchy level that is relevant for this snippet by issuing the following
configuration mode command:

[edit]
user@host# edit system scripts
[edit system scripts]

3. Merge the contents of the file into your routing platform configuration by issuing the
load merge relative configuration mode command:

[edit system scripts]
user@host# load merge relative /var/tmp/ex-script-snippet.conf
load complete

For more information about the load command, see CLI Explorer.

Documentation Conventions

Table 1 on page xix defines notice icons used in this guide.

Table 1: Notice Icons

The icon images do not survive in this text rendering; each entry gives the icon's meaning followed by its description.

Informational note: Indicates important features or instructions.

Caution: Indicates a situation that might result in loss of data or hardware damage.

Warning: Alerts you to the risk of personal injury or death.

Laser warning: Alerts you to the risk of personal injury from a laser.

Tip: Indicates helpful information.

Best practice: Alerts you to a recommended use or implementation.

Table 2 on page xx defines the text and syntax conventions used in this guide.

Table 2: Text and Syntax Conventions

Bold text like this
    Description: Represents text that you type.
    Example: To enter configuration mode, type the configure command:
        user@host> configure

Fixed-width text like this
    Description: Represents output that appears on the terminal screen.
    Example:
        user@host> show chassis alarms
        No alarms currently active

Italic text like this
    Description:
    • Introduces or emphasizes important new terms.
    • Identifies guide names.
    • Identifies RFC and Internet draft titles.
    Examples:
    • A policy term is a named structure that defines match conditions and actions.
    • Junos OS CLI User Guide
    • RFC 1997, BGP Communities Attribute

Italic text like this
    Description: Represents variables (options for which you substitute a value) in commands or configuration statements.
    Example: Configure the machine’s domain name:
        [edit]
        root@# set system domain-name domain-name

Text like this
    Description: Represents names of configuration statements, commands, files, and directories; configuration hierarchy levels; or labels on routing platform components.
    Examples:
    • To configure a stub area, include the stub statement at the [edit protocols ospf area area-id] hierarchy level.
    • The console port is labeled CONSOLE.

< > (angle brackets)
    Description: Encloses optional keywords or variables.
    Example: stub <default-metric metric>;

| (pipe symbol)
    Description: Indicates a choice between the mutually exclusive keywords or variables on either side of the symbol. The set of choices is often enclosed in parentheses for clarity.
    Examples:
        broadcast | multicast
        (string1 | string2 | string3)

# (pound sign)
    Description: Indicates a comment specified on the same line as the configuration statement to which it applies.
    Example: rsvp { # Required for dynamic MPLS only

[ ] (square brackets)
    Description: Encloses a variable for which you can substitute one or more values.
    Example: community name members [ community-ids ]

Indention and braces ( { } )
    Description: Identifies a level in the configuration hierarchy.
    Example:
        [edit]
        routing-options {
            static {
                route default {
                    nexthop address;
                    retain;
                }
            }
        }

; (semicolon)
    Description: Identifies a leaf statement at a configuration hierarchy level.
    Example: the nexthop address; and retain; lines in the example above.

GUI Conventions

Bold text like this
    Description: Represents graphical user interface (GUI) items you click or select.
    Examples:
    • In the Logical Interfaces box, select All Interfaces.
    • To cancel the configuration, click Cancel.

> (bold right angle bracket)
    Description: Separates levels in a hierarchy of menu selections.
    Example: In the configuration editor hierarchy, select Protocols>Ospf.

Documentation Feedback

We encourage you to provide feedback, comments, and suggestions so that we can
improve the documentation. You can provide feedback by using either of the following
methods:

• Online feedback rating system—On any page of the Juniper Networks TechLibrary site
at http://www.juniper.net/techpubs/index.html, simply click the stars to rate the content,
and use the pop-up form to provide us with information about your experience.
Alternately, you can use the online feedback form at
http://www.juniper.net/techpubs/feedback/.

• E-mail—Send your comments to techpubs-comments@juniper.net. Include the document
or topic name, URL or page number, and software version (if applicable).

Requesting Technical Support

Technical product support is available through the Juniper Networks Technical Assistance
Center (JTAC). If you are a customer with an active J-Care or Partner Support Service
support contract, or are covered under warranty, and need post-sales technical support,
you can access our tools and resources online or open a case with JTAC.

• JTAC policies—For a complete understanding of our JTAC procedures and policies,
review the JTAC User Guide located at
http://www.juniper.net/us/en/local/pdf/resource-guides/7100059-en.pdf.

• Product warranties—For product warranty information, visit
http://www.juniper.net/support/warranty/.

• JTAC hours of operation—The JTAC centers have resources available 24 hours a day,
7 days a week, 365 days a year.

Self-Help Online Tools and Resources

For quick and easy problem resolution, Juniper Networks has designed an online
self-service portal called the Customer Support Center (CSC) that provides you with the
following features:

• Find CSC offerings: http://www.juniper.net/customers/support/

• Search for known bugs: http://www2.juniper.net/kb/

• Find product documentation: http://www.juniper.net/techpubs/

• Find solutions and answer questions using our Knowledge Base: http://kb.juniper.net/

• Download the latest versions of software and review release notes:
http://www.juniper.net/customers/csc/software/

• Search technical bulletins for relevant hardware and software notifications:
http://kb.juniper.net/InfoCenter/

• Join and participate in the Juniper Networks Community Forum:
http://www.juniper.net/company/communities/

• Open a case online in the CSC Case Management tool: http://www.juniper.net/cm/

To verify service entitlement by product serial number, use our Serial Number Entitlement
(SNE) Tool: https://tools.juniper.net/SerialNumberEntitlementSearch/

Opening a Case with JTAC


You can open a case with JTAC on the Web or by telephone.

• Use the Case Management tool in the CSC at http://www.juniper.net/cm/.

• Call 1-888-314-JTAC (1-888-314-5822 toll-free in the USA, Canada, and Mexico).

For international or direct-dial options in countries without toll-free numbers, see
http://www.juniper.net/support/requesting-support.html.


PART 1

User Access and Authentication


• User Access and Authentication Overview on page 3
• Configuring Junos OS User Accounts on page 17
• Configuring User Access Privileges on page 39
• Permissions Flags for User Access Privileges on page 79
• Configuring Authentication Methods on page 337



CHAPTER 1

User Access and Authentication Overview

• Understanding Login Classes on page 3
• Understanding User Accounts on page 6
• Understanding Junos OS Access Privilege Levels on page 7
• Understanding User Authentication Methods on page 12
• Hardening Shared Secrets in Junos OS on page 12
• Using Trusted Platform Module to Bind Secrets on SRX Series Devices on page 14

Understanding Login Classes

Supported Platforms SRX Series, vSRX

All users who log in to the device must be in a login class. You can define any number of
login classes, and you then apply exactly one login class to each user account. With login
classes, you define the following:

• Access privileges users have when they are logged in to the device.

• Commands and statements that users can and cannot specify.

• How long a login session can be idle before it times out and the user is logged off.

Table 3 on page 3 lists the predefined login classes. The predefined login classes
cannot be modified.

Table 3: Predefined Login Classes

Login Class                Permission Bits Set

operator                   clear, network, reset, trace, view

read-only                  view

super-user and superuser   all

unauthorized               None


NOTE:
• You cannot modify a predefined login class name. If you issue the set
command on a predefined class name, Junos OS appends -local to the
login class name and displays the following message:

warning: '<class-name>' is a predefined class name; changing to '<class-name>-local'

• You cannot issue the rename or copy command on a predefined login class.
Doing so results in the following error message:

error: target '<class-name>' is a predefined class

This section contains the following topics:

• Permission Bits on page 4
• Denying or Allowing Individual Commands on page 6

Permission Bits
Each top-level CLI command and each configuration statement has an access privilege
level associated with it. Users can execute only those commands and configure and view
only those statements for which they have access privileges. The access privileges for
each login class are defined by one or more permission bits (see Table 4 on page 4).

Two forms of the permissions control the individual parts of the configuration:

• "Plain" form—Provides read-only capability for that permission type. An example is
interface.

• Form that ends in -control—Provides read and write capability for that permission type.
An example is interface-control.

Table 4: Permission Bits for Login Classes

Permission Bit      Access

admin               Can view user account information in configuration mode and with the
                    show configuration command.

admin-control       Can view user accounts and configure them (at the [edit system login]
                    hierarchy level).

access              Can view the access configuration in configuration mode and with the
                    show configuration operational mode command.

access-control      Can view and configure access information (at the [edit access]
                    hierarchy level).

all                 Has all permissions.

clear               Can clear (delete) information learned from the network that is stored
                    in various network databases (using the clear commands).

configure           Can enter configuration mode (using the configure command) and commit
                    configurations (using the commit command).

control             Can perform all control-level operations (all operations configured
                    with the -control permission bits).

field               Reserved for field (debugging) support.

firewall            Can view the firewall filter configuration in configuration mode.

firewall-control    Can view and configure firewall filter information (at the [edit
                    firewall] hierarchy level).

floppy              Can read from and write to the removable media.

interface           Can view the interface configuration in configuration mode and with
                    the show configuration operational mode command.

interface-control   Can view chassis, class of service, groups, forwarding options, and
                    interfaces configuration information. Can configure chassis, class of
                    service, groups, forwarding options, and interfaces (at the [edit]
                    hierarchy).

maintenance         Can perform system maintenance, including starting a local shell on
                    the device and becoming the superuser in the shell (by issuing the su
                    root command), and can halt and reboot the device (using the request
                    system commands).

network             Can access the network by entering the ping, ssh, telnet, and
                    traceroute commands.

reset               Can restart software processes using the restart command and can
                    configure whether software processes are enabled or disabled (at the
                    [edit system processes] hierarchy level).

rollback            Can use the rollback command to return to a previously committed
                    configuration other than the most recently committed one.

routing             Can view general routing, routing protocol, and routing policy
                    configuration information in configuration and operational modes.

routing-control     Can view general routing, routing protocol, and routing policy
                    configuration information and configure general routing (at the [edit
                    routing-options] hierarchy level), routing protocols (at the [edit
                    protocols] hierarchy level), and routing policy (at the [edit
                    policy-options] hierarchy level).

secret              Can view passwords and other authentication keys in the configuration.

secret-control      Can view passwords and other authentication keys in the configuration
                    and can modify them in configuration mode.

security            Can view security configuration in configuration mode and with the
                    show configuration operational mode command.

security-control    Can view and configure security information (at the [edit security]
                    hierarchy level).

shell               Can start a local shell on the device by entering the start shell
                    command.

snmp                Can view SNMP configuration information in configuration and
                    operational modes.

snmp-control        Can view SNMP configuration information and configure SNMP (at the
                    [edit snmp] hierarchy level).

system              Can view system-level information in configuration and operational
                    modes.

system-control      Can view system-level configuration information and configure it (at
                    the [edit system] hierarchy level).

trace               Can view trace file settings in configuration and operational modes.

trace-control       Can view trace file settings and configure trace file properties.

view                Can use various commands to display current system-wide, routing
                    table, and protocol-specific values and statistics.

Denying or Allowing Individual Commands


By default, all top-level CLI commands have associated access privilege levels. Users
can execute only those commands and view only those statements for which they have
access privileges. For each login class, you can explicitly deny or allow the use of
operational and configuration mode commands that are otherwise permitted or not
allowed by a permission bit.

Related Documentation

• Understanding User Authentication Methods on page 12
• Understanding User Accounts on page 6
• Understanding Template Accounts on page 20
• Example: Configuring New Users on page 17

Understanding User Accounts

Supported Platforms SRX Series, vSRX

User accounts provide one way for users to access the device. Users can also access the
device without a local account if you have configured RADIUS or TACACS+ servers. After you
create an account, the device creates a home directory for the user. An account for the
user root is always present in the configuration. For each user account, you can define
the following:

• Username—Name that identifies the user. It must be unique within the device. Do not
include spaces, colons, or commas in the username.

• User's full name—If the full name contains spaces, enclose it in quotation marks (“ ”).
Do not include colons or commas.

• User identifier (UID)—Numeric identifier that is associated with the user account name.
The identifier ranges from 100 through 64,000 and must be unique within the device.
If you do not assign a UID to a username, the software assigns one when you commit
the configuration, preferring the lowest available number.

• User's access privilege—You can create login classes with specific permission bits or
use one of the predefined classes.

• Authentication method or methods and credentials that the user can use to access
the device—You can configure an SSH public key, supply an already hashed password
(encrypted-password), or enter a plain-text password, which Junos OS hashes
(MD5-style crypt format) before storing it in the password database; the plain text
itself is never stored. If you configure the plain-text-password option, you are prompted
to enter and confirm the password.

Related Documentation

• Understanding User Authentication Methods on page 12
• Example: Configuring a RADIUS Server for System Authentication on page 340
• Example: Configuring a TACACS+ Server for System Authentication on page 346
• Example: Configuring Authentication Order on page 349

Understanding Junos OS Access Privilege Levels

Supported Platforms EX Series, M Series, MX Series, OCX1100, PTX Series, QFabric System, QFX Series, SRX Series,
T Series, vSRX

Each top-level CLI command and each configuration statement have an access privilege
level associated with them. Users can execute only those commands and configure and
view only those statements for which they have access privileges. The access privileges
for each login class are defined by one or more permission flags.

For each login class, you can explicitly deny or allow the use of operational and
configuration mode commands that would otherwise be permitted or not allowed by a
privilege level specified in the permissions statement.

The following sections provide additional information about permissions:

• Junos OS Login Class Permission Flags on page 7
• Allowing or Denying Individual Commands for Junos OS Login Classes on page 11

Junos OS Login Class Permission Flags


The permissions statement specifies one or more of the permission flags listed in
Table 5 on page 8. Permission flags are not cumulative, so for each class you must list
all the permission flags needed, including view to display information and configure to
enter configuration mode. Two forms of permissions control for individual parts of the
configuration are:

• "Plain” form—Provides read-only capability for that permission type. An example is
interface.

• Form that ends in -control—Provides read and write capability for that permission type.
An example is interface-control.

Table 5 on page 8 lists the Junos OS login class permission flags that you can configure
by including the permissions statement at the [edit system login class class-name]
hierarchy level.

Table 5: Login Class Permission Flags

Permission Flag                  Description

access                           Can view the access configuration in configuration mode and
                                 with the show configuration operational mode command.

access-control                   Can view and configure access information at the [edit access]
                                 hierarchy level.

admin                            Can view user account information in configuration mode and
                                 with the show configuration operational mode command.

admin-control                    Can view user accounts and configure them at the [edit system
                                 login] hierarchy level.

all                              Can access all operational mode commands and configuration
                                 mode commands. Can modify configuration in all the
                                 configuration hierarchy levels.

clear                            Can clear (delete) information learned from the network that
                                 is stored in various network databases by using the clear
                                 commands.

configure                        Can enter configuration mode by using the configure command.

control                          Can perform all control-level operations, that is, all
                                 operations configured with the -control permission flags.

field                            Can view field debug commands. Reserved for debugging
                                 support.

firewall                         Can view the firewall filter configuration in configuration
                                 mode.

firewall-control                 Can view and configure firewall filter information at the [edit
                                 firewall] hierarchy level.

floppy                           Can read from and write to the removable media.

flow-tap                         Can view the flow-tap configuration in configuration mode.

flow-tap-control                 Can view the flow-tap configuration in configuration mode and
                                 can configure flow-tap configuration information at the [edit
                                 services flow-tap] hierarchy level.

flow-tap-operation               Can make flow-tap requests to the router or switch. For
                                 example, a Dynamic Tasking Control Protocol (DTCP) client
                                 must have flow-tap-operation permission to authenticate itself
                                 to the Junos OS as an administrative user.

                                 NOTE: The flow-tap-operation option is not included in the
                                 all-control permissions flag.

idp-profiler-operation           Can view profiler data.

interface                        Can view the interface configuration in configuration mode and
                                 with the show configuration operational mode command.

interface-control                Can view chassis, class of service (CoS), groups, forwarding
                                 options, and interfaces configuration information. Can edit
                                 configuration at the following hierarchy levels:

                                 • [edit chassis]
                                 • [edit class-of-service]
                                 • [edit groups]
                                 • [edit forwarding-options]
                                 • [edit interfaces]

maintenance                      Can perform system maintenance, including starting a local
                                 shell on the router or switch and becoming the superuser in the
                                 shell by using the su root command, and can halt and reboot
                                 the router or switch by using the request system commands.

network                          Can access the network by using the ping, ssh, telnet, and
                                 traceroute commands.

pgcp-session-mirroring           Can view the pgcp session mirroring configuration.

pgcp-session-mirroring-control   Can modify the pgcp session mirroring configuration.

reset                            Can restart software processes by using the restart command
                                 and can configure whether software processes are enabled or
                                 disabled at the [edit system processes] hierarchy level.

rollback                         Can use the rollback command to return to a previously
                                 committed configuration other than the most recently
                                 committed one.

routing                          Can view general routing, routing protocol, and routing policy
                                 configuration information in configuration and operational
                                 modes.

routing-control                  Can view general routing, routing protocol, and routing policy
                                 configuration information and can configure general routing at
                                 the [edit routing-options] hierarchy level, routing protocols at
                                 the [edit protocols] hierarchy level, and routing policy at the
                                 [edit policy-options] hierarchy level.

secret                           Can view passwords and other authentication keys in the
                                 configuration.

secret-control                   Can view passwords and other authentication keys in the
                                 configuration and can modify them in configuration mode.

security                         Can view security configuration in configuration mode and with
                                 the show configuration operational mode command.

security-control                 Can view and configure security information at the [edit
                                 security] hierarchy level.

shell                            Can start a local shell on the router or switch by using the
                                 start shell command.

snmp                             Can view Simple Network Management Protocol (SNMP)
                                 configuration information in configuration and operational
                                 modes.

snmp-control                     Can view SNMP configuration information and can modify SNMP
                                 configuration at the [edit snmp] hierarchy level.

system                           Can view system-level information in configuration and
                                 operational modes.

system-control                   Can view system-level configuration information and configure
                                 it at the [edit system] hierarchy level.

trace                            Can view trace file settings in configuration and operational
                                 modes.

trace-control                    Can modify trace file settings and configure trace file
                                 properties.

view                             Can use various commands to display current system-wide,
                                 routing table, and protocol-specific values and statistics.
                                 Cannot view the secret configuration.

view-configuration               Can view all of the configuration excluding secrets, system
                                 scripts, and event options.

                                 NOTE: Only users with the maintenance permission can view
                                 commit script, op script, or event script configuration.


Allowing or Denying Individual Commands for Junos OS Login Classes


By default, all top-level CLI commands have associated access privilege levels. Users
can execute only those commands and view only those statements for which they have
access privileges. For each login class, you can explicitly deny or allow the use of
operational and configuration mode commands that would otherwise be permitted or
not allowed by a privilege level specified in the permissions statement.

Permission flags are used to grant a user access to operational mode commands and
configuration hierarchy levels and statements. By specifying a specific permission flag
on the user's login class at the [edit system login class] hierarchy level, you grant the user
access to the corresponding commands and configuration hierarchy levels and
statements. To grant access to all commands and configuration statements, use the all
permissions flag. For permission flags that grant access to configuration hierarchy levels
and statements, the flags grant read-only privilege to that configuration. For example,
the interface permissions flag grants read-only access to the [edit interfaces] hierarchy
level. The -control form of the flag grants read-write access to that configuration. Using
the preceding example, interface-control grants read-write access to the [edit interfaces]
hierarchy level.

• The all permission flag takes precedence over extended regular expressions when a
user who also holds the rollback permission flag issues the rollback command.

• Expressions used to allow and deny commands for users on RADIUS and TACACS+
servers have been simplified. Instead of a single, long expression with multiple
commands (allow-commands=cmd1 cmd2 ... cmdn), you can specify each command
as a separate expression. This syntax is valid for allow-configuration,
deny-configuration, allow-commands, deny-commands, and all user permission bits.

• Users restricted by an extended regular expression cannot issue the load override
command; they can issue only the load merge, load replace, and load patch
configuration commands.

• If you allow and deny the same commands, the allow-commands permissions take
precedence over the permissions specified by the deny-commands. For example, if you
include allow-commands "request system software add" and deny-commands "request
system software add", the login class user is allowed to install software using the
request system software add command.

• Regular expressions for allow-commands and deny-commands can also include the
commit, load, rollback, save, status, and update commands.

• If the regular expressions for allow-commands and deny-commands match two
different variants of a command, the longest match always wins.

For example, if allow-commands matches commit synchronize and deny-commands
matches commit, users in that login class can issue commit synchronize but not
commit, because commit synchronize is the longer match and it is on the allow side.

Likewise, if allow-commands matches commit and deny-commands matches
commit synchronize, users in that login class can issue commit but not
commit synchronize, because the longer match is now on the deny side.

Related Documentation

• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands,
Configuration Statements, and Hierarchies
• Access Privilege User Permission Flags Overview on page 80

Understanding User Authentication Methods

Supported Platforms SRX Series, vSRX

Junos OS supports three methods of user authentication: local password authentication,
Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller
Access Control System Plus (TACACS+).

With local password authentication, you configure a password for each user allowed to
log in to the device.

RADIUS and TACACS+ are authentication methods for validating users who attempt to
log in to the device, whether over SSH, Telnet, or the console. Both are distributed
client/server systems: the RADIUS and TACACS+ clients run on the device, and the server
runs on a remote network system. Because Telnet carries credentials in clear text, prefer
SSH for management access regardless of which authentication method validates the user.

You can configure the device to use RADIUS or TACACS+ authentication, or both, to
validate users who attempt to access the device. If you set up both authentication
methods, you also can configure the order in which the device tries them.

Related Documentation

• Understanding User Accounts on page 6
• Understanding Login Classes on page 3
• Understanding Template Accounts on page 20
• Example: Configuring Authentication Order on page 349
• Example: Configuring a RADIUS Server for System Authentication on page 340
• Example: Configuring a TACACS+ Server for System Authentication on page 346

Hardening Shared Secrets in Junos OS

Supported Platforms SRX Series

• Understanding Hardening Shared Secrets on page 13

Understanding Hardening Shared Secrets

Existing shared secrets in the $9$ format are obfuscated, not encrypted: the encoding is
reversible without any key, so anyone who can read the configuration can recover the
secret. If you want real encryption for your configuration secrets, you can configure a
master password. The master password is used to derive an encryption key that is used
with AES256-GCM to encrypt configuration secrets. This encryption method uses the $8$
formatted strings.

Starting with Junos OS Release 15.1X49-D50, new CLI commands are introduced to
configure a system master password to provide stronger encryption for configuration
secrets. The master password encrypts secrets such as the RADIUS password, IKE preshared
keys, and other shared secrets in the Junos OS management process (mgd) configuration.
The master password itself is not saved as part of the configuration, so a copy of the
configuration alone no longer exposes these secrets. The password quality is evaluated
for strength, and the device gives feedback if weak passwords are used.

The master password is used as input to the password-based key derivation function
(PBKDF2) to generate an encryption key. The key is used as input to the Advanced
Encryption Standard in Galois/Counter Mode (AES256-GCM). The plain text that the
user enters is processed by the encryption algorithm (with the key) to produce the
encrypted text (cipher text). See Figure 1 on page 13.

Figure 1: Master Password Encryption

master password -> PBKDF2 -> key; plaintext + key -> AES256-GCM -> ciphertext

The $8$ configuration secrets can only be shared between devices using the same master
password.

The $8$-encrypted passwords have the following format:

$8$crypt-algo$hash-algo$iterations$salt$iv$tag$encrypted

See Table 6 on page 13 for the field details.

Table 6: $8$-encrypted Password Format

Field         Description

crypt-algo    Encryption/decryption algorithm to be used. Currently only AES256-GCM is
              supported.

hash-algo     Pseudorandom function (HMAC) used for the PBKDF2 key derivation.

iterations    The number of iterations of the PBKDF2 function. The current default iteration
              count is 100. Each added iteration slows key derivation, and therefore each
              attacker guess at the master password, by the same factor.

salt          Sequence of ASCII64-encoded pseudorandom bytes generated during encryption
              and fed, together with the master password, into the PBKDF2 key derivation, so
              that the same master password yields a different key for every secret.

iv            Sequence of ASCII64-encoded pseudorandom bytes generated during encryption
              and used as the initialization vector for the AES256-GCM encryption function.

tag           ASCII64-encoded AES-GCM authentication tag; it lets the device detect a
              modified ciphertext before using it.

encrypted     ASCII64-encoded representation of the encrypted password.

The ASCII64 encoding is Base64 (RFC 4648) compatible, except that no padding (character
“=”) is used, to keep the strings short. For example:

$8$aes256-gcm$hmac-sha2-256$100$y/4YMC4YDLU$fzYDI4jjN6YCyQsYLsaf8A$Ilu4jLcZarD9YnyD/Hejww$okhBlc0cGakSqYxKww
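The following Python script, added here as an example and not taken from Juniper's code, parses the sample string above into the fields of Table 6, decodes each ASCII64 field, checks the lengths the format implies, and performs the PBKDF2 step with the parsed PRF, salt and iteration count. The master password it feeds to PBKDF2 is a constructed placeholder, so the derived key cannot open the sample secret, and the AES-256-GCM decryption itself is not attempted because it needs a third-party library. What the script does make visible is that everything in an $8$ string except the master password is public, that the iteration count is the only brute-force cost an attacker holding the configuration file faces, and that the default of 100 is far below current guidance for PBKDF2-HMAC-SHA256 (OWASP recommends 600,000), so the strength of the master password itself carries the protection.

```python
"""Parse a Junos $8$ configuration secret and derive its AES-256 key.

Added example, not Juniper code. Only the cipher and PRF names that the
documentation itself names are accepted; the master password used at the
bottom is a constructed placeholder, so the derived key will not decrypt
the sample string, and the AES-256-GCM step is left out on purpose.
"""
import base64
import hashlib
from dataclasses import dataclass

# Sample string copied from the documentation above.
SAMPLE = ("$8$aes256-gcm$hmac-sha2-256$100$y/4YMC4YDLU$fzYDI4jjN6YCyQsYLsaf8A"
          "$Ilu4jLcZarD9YnyD/Hejww$okhBlc0cGakSqYxKww")

ASCII64_ALPHABET = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")
KEY_BYTES = {"aes256-gcm": 32}            # only cipher named on the page
PRF_DIGEST = {"hmac-sha2-256": "sha256"}  # only PRF named on the page
GCM_TAG_BYTES = 16


def ascii64_decode(text: str) -> bytes:
    """ASCII64 is RFC 4648 base64 with the '=' padding stripped."""
    if not text or set(text) - ASCII64_ALPHABET:
        raise ValueError("not ASCII64: %r" % text)
    return base64.b64decode(text + "=" * (-len(text) % 4))


def ascii64_encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii").rstrip("=")


@dataclass(frozen=True)
class Secret8:
    crypt_algo: str
    hash_algo: str
    iterations: int
    salt: bytes
    iv: bytes
    tag: bytes
    encrypted: bytes


def parse_secret8(text: str) -> Secret8:
    """Split $8$crypt-algo$hash-algo$iterations$salt$iv$tag$encrypted."""
    parts = text.split("$")
    if len(parts) != 9 or parts[0] != "" or parts[1] != "8":
        raise ValueError("not an $8$ secret")
    crypt_algo, hash_algo, iterations, salt, iv, tag, encrypted = parts[2:]
    if crypt_algo not in KEY_BYTES:
        raise ValueError("unsupported cipher %r" % crypt_algo)
    if hash_algo not in PRF_DIGEST:
        raise ValueError("unsupported PRF %r" % hash_algo)
    count = int(iterations)
    if count < 1:
        raise ValueError("iteration count must be positive")
    secret = Secret8(crypt_algo, hash_algo, count, ascii64_decode(salt),
                     ascii64_decode(iv), ascii64_decode(tag),
                     ascii64_decode(encrypted))
    if len(secret.tag) != GCM_TAG_BYTES:
        raise ValueError("GCM tag must be %d bytes" % GCM_TAG_BYTES)
    return secret


def format_secret8(secret: Secret8) -> str:
    """Inverse of parse_secret8, so a parsed secret can be re-emitted."""
    return "$8$%s$%s$%d$%s$%s$%s$%s" % (
        secret.crypt_algo, secret.hash_algo, secret.iterations,
        ascii64_encode(secret.salt), ascii64_encode(secret.iv),
        ascii64_encode(secret.tag), ascii64_encode(secret.encrypted))


def derive_key(master_password: str, secret: Secret8) -> bytes:
    """PBKDF2 over the master password with the secret's own salt and count.

    Every input except the master password is in the $8$ string itself, so
    two devices configured with the same master password derive the same key.
    """
    return hashlib.pbkdf2_hmac(PRF_DIGEST[secret.hash_algo],
                               master_password.encode("utf-8"),
                               secret.salt, secret.iterations,
                               KEY_BYTES[secret.crypt_algo])


def iteration_floor_met(secret: Secret8, floor: int = 600_000) -> bool:
    """The iteration count is the only brute-force cost; the page's default
    of 100 is far below current PBKDF2-HMAC-SHA256 guidance (OWASP: 600,000)."""
    return secret.iterations >= floor


if __name__ == "__main__":
    s = parse_secret8(SAMPLE)
    print("salt=%d iv=%d tag=%d ciphertext=%d bytes, %d PBKDF2 iterations"
          % (len(s.salt), len(s.iv), len(s.tag), len(s.encrypted), s.iterations))
    # Constructed placeholder, not the real master password of the sample.
    print("derived key:", derive_key("placeholder-master-password", s).hex())
    print("iteration floor met:", iteration_floor_met(s))
```

Run against the sample, the script reports an 8-byte salt, a 16-byte IV, a 16-byte GCM tag and 13 bytes of ciphertext, and format_secret8 reproduces the original string exactly. The same parser can be pointed at a saved configuration to confirm that no $9$ strings remain for the secrets the master password is meant to cover.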

Chassis Cluster Considerations

When defining a chassis cluster on SRX Series devices, be aware of the following
restrictions:

• Configure the master password on each node first, and then build the cluster. The same
master password must be configured on each node, because $8$ secrets can be decrypted
only with the master password they were encrypted under.

• In chassis cluster mode, the master password cannot be deleted.

NOTE: Changing the master password disrupts chassis clustering; therefore you must
change the password on both nodes independently.

Release History Table

Release        Description

15.1X49-D50    Starting with Junos OS Release 15.1X49-D50, new CLI commands are
               introduced to configure a system master password to provide stronger
               encryption for configuration secrets.

Using Trusted Platform Module to Bind Secrets on SRX Series Devices

Supported Platforms SRX300, SRX320, SRX340, SRX345

When you enable the Trusted Platform Module (TPM) on these SRX Series devices, Junos OS
uses the underlying TPM chip to protect secrets at rest such as passwords, private keys,
and other sensitive data. Instead of being stored in clear text, this data is stored in
encrypted form under keys protected by the TPM. In particular, the master password and
private key pairs are encrypted once the TPM is enabled.

The TPM encrypts the following secrets:

• /config/unrd-master-password.txt

• All files in /var/db/certs/common/key-pair/

The TPM chip is available on SRX300, SRX320, SRX340, and SRX345 devices. TPM is
not enabled by default. The secrets are encrypted using the Master Encryption Password
that you set in the CLI (see “Enabling the TPM” on page 15). The Master Encryption
Password is in turn encrypted using the TPM’s binding key, called the Master Binding Key,
which binds the encrypted secrets to that device’s TPM.

• Enabling the TPM on page 15
• Verifying the Status of the TPM on page 15
• Changing the Master Encryption Password on page 15

Enabling the TPM


You can enable the TPM by setting the Master Encryption Password using the following
CLI command:

request security tpm master-encryption-password set plain-text-password

You will be prompted to enter the Master Encryption Password twice, to make sure that
these passwords match. The Master Encryption Password is validated for required
password strength.

After the Master Encryption Password is set, the system encrypts the sensitive data with it.

NOTE: If there is any issue with setting the Master Encryption Password, a
critical ERROR message is logged on the console and the process is aborted.

Verifying the Status of the TPM


You can use the show security tpm status command to verify the status of the TPM. The
following information is displayed:

• TPM enabled/disabled

• TPM ownership

• TPM’s Master Binding Key status (created or not created)

• Master Encryption Password status (set or not set)

Changing the Master Encryption Password


Changing the Master Encryption Password is done using the CLI.

To change the Master Encryption Password, enter the following command from
operational mode:


request security tpm master-encryption-password set plain-text-password

The system checks if the Master Encryption Password is already configured. If Master
Encryption Password is configured, then you are prompted to enter the current Master
Encryption Password.

The entered Master Encryption Password is validated against the current Master
Encryption Password to make sure these Master Encryption Passwords match. If the
validation succeeds, you will be prompted to enter the new Master Encryption Password
as plain text. You will be asked to enter the key twice to validate the password.

The system then re-encrypts the sensitive data with the new Master Encryption Password.
Wait for this re-encryption to complete before attempting to change the Master Encryption
Password again.

If the encrypted Master Encryption Password file is lost or corrupted, the system can no
longer decrypt the sensitive data. The only way to recover is to reimport the sensitive
data in clear text and re-encrypt it, so keep an out-of-band backup of those keys and
passwords before you enable the TPM.

Alternatively, you can recover the device with the request system zeroize command, which
erases all configuration and data on the device and returns it to its factory defaults.

Related Documentation

• Hardening Shared Secrets in Junos OS on page 12


CHAPTER 2

Configuring Junos OS User Accounts

• Example: Configuring New Users on page 17
• Understanding Template Accounts on page 20
• Example: Creating Template Accounts on page 21
• Understanding Administrative Roles on page 24
• Example: Configuring Administrative Roles on page 26
• Handling Authorization Failure on page 33
• Example: Configuring System Retry Options on page 34

Example: Configuring New Users

Supported Platforms SRX Series, vSRX

This example shows how to configure new users.

• Requirements on page 17
• Overview on page 17
• Configuration on page 18
• Verification on page 20

Requirements
No special configuration beyond device initialization is required before configuring this
feature.

Overview

You can add new users to the device’s local database. For each account, you define a
login name and password for the user and specify a login class for access privileges. The
login password must meet the following criteria:

• The password must be at least six characters long.

• You can include most character classes in a password (alphabetic, numeric, and special
characters), but not control characters.

• The password must contain at least one change of case or character class.
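The three rules above can be checked before a password is ever typed into the configuration. The following is an added example (not Juniper's code) that applies them to a candidate password; reading "at least one change of case or character class" as "the characters do not all belong to one class" is this example's interpretation.

```python
import unicodedata

# Minimum length stated in the guide.
MIN_LENGTH = 6


def char_class(c: str) -> str:
    """Classify one character the way the guide's rules need: alphabetic
    characters are split by case, digits are numeric, control characters are
    flagged so they can be rejected, and everything else is a special character."""
    if c.isupper():
        return "upper"
    if c.islower():
        return "lower"
    if c.isdigit():
        return "digit"
    if unicodedata.category(c).startswith("C"):  # Cc, Cf, Co, Cn, Cs
        return "control"
    return "special"


def password_problems(password: str) -> list:
    """Return the list of guide rules the candidate password violates.

    An empty list means the password satisfies all three rules. The "change of
    case or character class" rule is implemented (this example's interpretation)
    as: the non-control characters do not all share one class."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = [char_class(c) for c in password]
    if "control" in classes:
        problems.append("contains a control character")
    if len(set(classes) - {"control"}) < 2:
        problems.append("no change of case or character class")
    return problems


def is_acceptable(password: str) -> bool:
    return not password_problems(password)


if __name__ == "__main__":
    # Constructed candidates, not values from the guide.
    for candidate in ["abcdef", "Abcdef", "abc1", "pass-word", "abc\x07Def"]:
        print(repr(candidate), password_problems(candidate) or "OK")
```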

Administration Guide for Security Devices

In this example, you create a login class named operator-and-boot and allow it to reboot
the device. You can define any number of login classes. You then allow the
operator-and-boot login class to use commands defined in the clear, network, reset,
trace, and view permission bits.

Then you create user accounts. User accounts enable you to access the device. (You can
access the device without local accounts if you have configured RADIUS or TACACS+
servers.) You set the username as cmartin and the login class as super-user. Finally, you
define the encrypted password for the user.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

set system login class operator-and-boot allow-commands "request system reboot"
set system login class operator-and-boot permissions [clear network reset trace view]
set system login user cmartin class super-user authentication encrypted-password $1$ABC123

GUI Step-by-Step Procedure

To configure new users:

1. In the J-Web user interface, select Configure>System Properties>User Management.

2. Click Edit. The Edit User Management dialog box appears.

3. Select the Users tab.

4. Click Add to add a new user. The Add User dialog box appears.

5. In the User name box, type a unique name for the user.

Do not include spaces, colons, or commas in the username.

6. In the User ID box, type a unique ID for the user.

7. In the Full Name box, type the user’s full name.

If the full name contains spaces, enclose it in quotation marks. Do not include colons
or commas.

8. In the Password and Confirm Password boxes, enter a login password for the user
and verify your entry.

9. From the Login Class list, select the user’s access privilege:

• operator


• read-only

• unauthorized

This list also includes any user-defined login classes.

10. Click OK in the Add User dialog box and Edit User Management dialog box.

11. Click OK to check your configuration and save it as a candidate configuration.

12. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.

To configure new users:

1. Set the name of the login class and allow the use of the reboot command.

[edit system login]
user@host# set class operator-and-boot allow-commands "request system reboot"

2. Set the permission bits for the login class.

[edit system login]
user@host# set class operator-and-boot permissions [clear network reset trace view]

3. Set the username, login class, and encrypted password for the user.

[edit system login]
user@host# set user cmartin class super-user authentication encrypted-password $1$ABC123

Results

From configuration mode, confirm your configuration by entering the show system login
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

[edit]
user@host# show system login
class operator-and-boot {
    permissions [ clear network reset trace view ];
    allow-commands "request system reboot";
}
user cmartin {
    class super-user;
    authentication {
        encrypted-password "$1$ABC123";
    }
}


If you are done configuring the device, enter commit from configuration mode.

NOTE: To completely set up RADIUS or TACACS+ authentication, you must
configure at least one RADIUS or TACACS+ server and specify a user template
account. Do one of the following tasks:

• Configure a RADIUS server. See “Example: Configuring a RADIUS Server for System
Authentication” on page 340.

• Configure a TACACS+ server. See “Example: Configuring a TACACS+ Server for System
Authentication” on page 346.

• Configure a user. See “Example: Configuring New Users” on page 17.

• Configure template accounts. See “Example: Creating Template Accounts” on page 21.

Verification
Confirm that the configuration is working properly.

Verifying the New Users Configuration

Purpose
Verify that the new users have been configured.

Action
From operational mode, enter the show system login command.

Related Documentation

• Understanding User Authentication Methods on page 12

• Understanding User Accounts on page 6

• Understanding Template Accounts on page 20

• Understanding Login Classes on page 3

Understanding Template Accounts

Supported Platforms SRX Series, vSRX

You use local user template accounts when you need different types of templates. Each
template can define a different set of permissions appropriate for the group of users who
use that template. These templates are defined locally on the device and referenced by
the TACACS+ and RADIUS authentication servers.

When you configure local user templates and a user logs in, Junos OS issues a request
to the authentication server to authenticate the user's login name. If a user is
authenticated, the server returns the local username to the device, which then determines
whether a local username is specified for that login name (local-username for TACACS+,
Juniper-Local-User for RADIUS). If so, the device selects the appropriate local user
template locally configured on the device. If a local user template does not exist for the
authenticated user, the device defaults to the remote template.

Related Documentation

• Understanding User Authentication Methods on page 12

• Understanding User Accounts on page 6

• Understanding Login Classes on page 3

• Example: Creating Template Accounts on page 21

Example: Creating Template Accounts

Supported Platforms SRX Series, vSRX

This example shows how to create template accounts.

• Requirements on page 21
• Overview on page 21
• Configuration on page 22
• Verification on page 23

Requirements
No special configuration beyond device initialization is required before configuring this
feature.

Overview
You can create template accounts that are shared by a set of users when you are using
RADIUS or TACACS+ authentication. When a user is authenticated by a template account,
the CLI username is the login name, and the privileges, file ownership, and effective user
ID are inherited from the template account.

By default, Junos OS uses the remote template account when:

• The authenticated user does not exist locally on the device.

• The authenticated user's record in the RADIUS or TACACS+ server specifies local user,
or the specified local user does not exist locally on the device.

In this example, you create a remote template account and set the username to remote
and the login class for the user as operator. You create a remote template that is applied
to users authenticated by RADIUS or TACACS+ that do not belong to a local template
account.

You then create a local template account and set the username as admin and the login
class as super-user. You use local template accounts when you need different types of
templates. Each template can define a different set of permissions appropriate for the
group of users who use that template.

Configuration
• Creating a Remote Template Account on page 22
• Creating a Local Template Account on page 22

Creating a Remote Template Account

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

set system login user remote class operator

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.

To create a remote template account:

• Set the username and the login class for the user.

[edit system login]
user@host# set user remote class operator

Results

From configuration mode, confirm your configuration by entering the show system login
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

[edit]
user@host# show system login
user remote {
    class operator;
}

If you are done configuring the device, enter commit from configuration mode.

Creating a Local Template Account

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

set system login user admin class super-user

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.

To create a local template account:

1. Set the username and the login class for the user.

[edit system login]
user@host# set user admin class super-user

Results

From configuration mode, confirm your configuration by entering the show system login
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

[edit]
user@host# show system login
user admin {
    class super-user;
}

If you are done configuring the device, enter commit from configuration mode.

NOTE: To completely set up RADIUS or TACACS+ authentication, you must
configure at least one RADIUS or TACACS+ server and specify a system
authentication order. Do one of the following tasks:

• Configure a RADIUS server. See “Example: Configuring a RADIUS Server for System
Authentication” on page 340.

• Configure a TACACS+ server. See “Example: Configuring a TACACS+ Server for System
Authentication” on page 346.

• Configure system authentication order. See “Example: Configuring Authentication
Order” on page 349.

Verification
Confirm that the configuration is working properly.

Verifying the Template Accounts Creation

Purpose
Verify that the template accounts have been created.

Action
From operational mode, enter the show system login command.

Related Documentation

• Understanding User Authentication Methods on page 12

• Understanding User Accounts on page 6

• Understanding Login Classes on page 3

• Understanding Template Accounts on page 20

Understanding Administrative Roles

Supported Platforms SRX Series, vSRX

A system user can be a member of a class that allows the user to act as a particular kind
of administrator for the system. Requiring a specific role to view or modify an item restricts
the extent of information a user can obtain from the system. It also limits how much of
the system is open to intentional or unintentional modification or observation by a user.
We recommend that you use the following guidelines when you are designing
administrative roles:

• Do not allow any user to log in to the system as root.

• Restrict each user to the smallest set of privileges needed to perform the user’s duties.

• Do not allow any user to belong to a login class containing the shell permission flag.
The shell permission flag allows users to run the start shell command from the CLI.

• Allow users to have rollback permissions. Rollback permissions allow users to undo
an action performed by an administrator but does not allow them to commit the
changes.

You can assign an administrative role to a user by configuring a login class to have the
privileges required for that role. You can configure each class to allow or deny access to
configuration statements and commands by name. These specific restrictions override
and take precedence over any permission flags also configured in the class. You can
assign one of the following role attributes to an administrative user.

• Crypto-administrator—Allows the user to configure and monitor cryptographic data.

• Security-administrator—Allows the user to configure and monitor security data.

• Audit-administrator—Allows the user to configure and monitor audit data.

• IDS-administrator—Allows the user to monitor and clear the intrusion detection service
(IDS) security logs.

Each role can perform the following specific management functions:

• Cryptographic Administrator

• Configures the cryptographic self-test.

• Modifies the cryptographic security data parameters.

• Audit Administrator

• Configures and deletes the audit review search and sort feature.

• Searches and sorts audit records.

• Configures search and sort parameters.

• Manually deletes audit logs.

• Security Administrator

• Invokes, determines, and modifies the cryptographic self-test behavior.

• Enables, disables, determines, and modifies the audit analysis and audit selection
functions and configures the device to automatically delete audit logs.

• Enables or disables security alarms.

• Specifies limits for quotas on Transport Layer connections.

• Specifies the limits, network identifiers, and time periods for quotas on controlled
connection-oriented resources.

• Specifies the network addresses permitted to use Internet Control Message Protocol
(ICMP) or Address Resolution Protocol (ARP).

• Configures the time and date used in time stamps.

• Queries, modifies, deletes, and creates the information flow or access control rules
and attributes for the unauthenticated information flow security function policy
(SFP), the authenticated information flow SFP, the unauthenticated device services,
and the discretionary access control policy.

• Specifies initial values that override default values when object information is created
under unauthenticated information flow SFP, the authenticated information flow
SFP, the unauthenticated target of evaluation (TOE) services, and the discretionary
access control policy.

• Creates, deletes, or modifies the rules that control the address from which
management sessions can be established.

• Specifies and revokes security attributes associated with the users, subjects, and
objects.

• Specifies the percentage of audit storage capacity at which the device alerts
administrators.

• Handles authentication failures and modifies the number of failed authentication
attempts through SSH or from the CLI that can occur before progressive throttling
is enforced for further authentication attempts and before the connection is dropped.

• Manages basic network configuration of the device.

• IDS Administrator—Specifies IDS security alarms, intrusion alarms, audit selections,
and audit data.

You need to set the security-role attribute in the classes created for these administrative
roles. This attribute restricts which users can show and clear the security logs, actions
that cannot be performed through configuration alone.

For example, you need to set the security-role attribute in the ids-admin class created
for the IDS administrator role if you want to restrict clearing and showing IDS logs to the
IDS administrator role. Likewise, set security-role to one of the other administrator
values to restrict that class to clearing and showing only non-IDS logs.

NOTE: When a user deletes an existing configuration, the configuration
statements under the hierarchy level of the deleted configuration (that is,
the child objects that the user does not have permission to modify) remain
in the device.

Related Documentation

• Example: Configuring Administrative Roles on page 26

Example: Configuring Administrative Roles

Supported Platforms M Series, SRX Series, T Series, vSRX

This example shows how to configure individual administrative roles for a distinct, unique
set of privileges apart from all other administrative roles.

• Requirements on page 26
• Overview on page 26
• Configuration on page 27
• Verification on page 32

Requirements
No special configuration beyond device initialization is required before configuring this
feature.

Overview
This example configures four users:

• audit-officer of the class audit-admin

• crypto-officer of the class crypto-admin

• security-officer of the class security-admin

• ids-officer of the class ids-admin

When a security-admin class is configured, the privileges for creating administrators are
revoked from the user who created the security-admin class. Creation of new users and
logins is at the discretion of the security-officer.

In this example, you create the audit-admin, crypto-admin, security-admin, and ids-admin
classes, each with the permission flags pertaining to its role. Then you allow or deny
access to configuration statements and commands by name for each administrative role.
These specific restrictions take precedence over the permission flags also configured in
the class. For example, only the crypto-admin can run the request system
set-encryption-key command, which otherwise requires the security permission flag. Only
the security-admin can include the system time-zone statement in the configuration, which
requires the system-control permission flag.
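A role design of this kind is easiest to review offline before it is committed. The following is an added example (not Juniper's code) that transcribes the four classes of this example, with their permission flags and allow-/deny-commands regular expressions, and evaluates sample commands against them. The evaluation order (deny list, then allow list, then permission flags) and the flag each sample command needs are assumptions of this example; the guide only states that the explicit lists override the permission flags and names the flags for set-encryption-key and start shell.

```python
import re

# Login classes transcribed from "Example: Configuring Administrative Roles".
CLASSES = {
    "audit-admin": {
        "permissions": {"security", "trace", "maintenance"},
        "allow": r"^clear (log|security log)",
        "deny": r"^clear (security alarms|system login lockout)|^file (copy|delete|rename)"
                r"|^request (security|system set-encryption-key)|^rollback|^set date"
                r"|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell",
    },
    "crypto-admin": {
        "permissions": {"admin-control", "configure", "maintenance",
                        "security-control", "system-control", "trace"},
        "allow": r"^request system set-encryption-key",
        "deny": r"^clear (log|security alarms|security log|system login lockout)"
                r"|^file (copy|delete|rename)|^rollback|^set date"
                r"|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell",
    },
    "security-admin": {
        "permissions": {"all"},
        "allow": None,
        "deny": r"^clear (log|security log)|^(clear|show) security alarms alarm-type idp"
                r"|^request (security|system set-encryption-key)|^rollback|^start shell",
    },
    "ids-admin": {
        "permissions": {"configure", "security-control", "trace", "maintenance"},
        "allow": None,
        "deny": r"^clear log|^(clear|show) security alarms"
                r" (alarm-id|all|newer-than|older-than|process|severity)"
                r"|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test"
                r"|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures"
                r"|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"
                r"|^file (copy|delete|rename)|^request (security|system set-encryption-key)"
                r"|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)"
                r"|^start shell",
    },
}

# Permission flag each sample command needs. The first two are stated in the guide
# (set-encryption-key needs "security", start shell needs "shell"); the rest are this
# example's assumptions, taken from the flags listed by "show cli authorization".
REQUIRED_FLAG = {
    "request system set-encryption-key": "security",
    "start shell": "shell",
    "clear log": "clear",
    "show security policies": "security",
    "rollback": "rollback",
}


def authorize(class_name, command):
    """Model of how a login class decides on an operational-mode command.

    Order modelled here (an assumption of this example): deny-commands, then
    allow-commands, then the permission flags. Returns (allowed, reason)."""
    cls = CLASSES[class_name]
    if cls["deny"] and re.search(cls["deny"], command):
        return False, "deny-commands"
    if cls["allow"] and re.search(cls["allow"], command):
        return True, "allow-commands"
    needed = REQUIRED_FLAG.get(command)
    if needed is None:
        return False, "no flag mapping for command"
    perms = cls["permissions"]
    if "all" in perms or needed in perms:
        return True, "permission flag"
    return False, "permission flag"


def authorization_matrix(commands):
    """Evaluate every sample command against every class, for reviewing the role
    design as a whole (for example, that no role can reach start shell)."""
    return {name: {cmd: authorize(name, cmd) for cmd in commands} for name in CLASSES}


if __name__ == "__main__":
    for name, results in authorization_matrix(list(REQUIRED_FLAG)).items():
        print(name)
        for cmd, (ok, why) in results.items():
            print("  %-5s %-36s (%s)" % ("allow" if ok else "deny", cmd, why))
```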

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

set system login class audit-admin permissions security
set system login class audit-admin permissions trace
set system login class audit-admin permissions maintenance
set system login class audit-admin allow-commands "^clear (log|security log)"
set system login class audit-admin deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
set system login class audit-admin security-role audit-administrator
set system login class crypto-admin permissions admin-control
set system login class crypto-admin permissions configure
set system login class crypto-admin permissions maintenance
set system login class crypto-admin permissions security-control
set system login class crypto-admin permissions system-control
set system login class crypto-admin permissions trace
set system login class crypto-admin allow-commands "^request system set-encryption-key"
set system login class crypto-admin deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
set system login class crypto-admin allow-configuration-regexps "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation"
set system login class crypto-admin security-role crypto-administrator
set system login class security-admin permissions all
set system login class security-admin deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell"
set system login class security-admin deny-configuration-regexps "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log cache" "security log exclude .* event-id IDP_.*" "system fips self-test after-key-generation"
set system login class security-admin security-role security-administrator
set system login class ids-admin permissions configure
set system login class ids-admin permissions security-control
set system login class ids-admin permissions trace
set system login class ids-admin permissions maintenance
set system login class ids-admin allow-configuration-regexps "security alarms potential-violation idp" "security log exclude .* event-id IDP_.*"
set system login class ids-admin deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell"
set system login class ids-admin deny-configuration-regexps "security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"
set system login class ids-admin security-role ids-administrator
set system login user audit-officer class audit-admin
set system login user crypto-officer class crypto-admin
set system login user security-officer class security-admin
set system login user ids-officer class ids-admin
set system login user audit-officer authentication plain-text-password
set system login user crypto-officer authentication plain-text-password
set system login user security-officer authentication plain-text-password
set system login user ids-officer authentication plain-text-password

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For information about navigating the CLI, see Using the CLI Editor in
Configuration Mode.

To configure users in administrative roles:

1. Create the audit-admin login class.

[edit]
user@host# edit system login class audit-admin

[edit system login class audit-admin]
user@host# set permissions security
user@host# set permissions trace
user@host# set permissions maintenance

2. Configure the audit-admin login class restrictions.

[edit system login class audit-admin]
user@host# set allow-commands "^clear (log|security log)"
user@host# set deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
user@host# set security-role audit-administrator

3. Create the crypto-admin login class.

[edit]
user@host# edit system login class crypto-admin

[edit system login class crypto-admin]
user@host# set permissions admin-control
user@host# set permissions configure
user@host# set permissions maintenance
user@host# set permissions security-control
user@host# set permissions system-control
user@host# set permissions trace


4. Configure the crypto-admin login class restrictions.

[edit system login class crypto-admin]
user@host# set allow-commands "^request system set-encryption-key"
user@host# set deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
user@host# set allow-configuration-regexps "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation"
user@host# set security-role crypto-administrator

5. Create the security-admin login class.

[edit]
user@host# edit system login class security-admin

[edit system login class security-admin]
user@host# set permissions all

6. Configure the security-admin login class restrictions.

[edit system login class security-admin]
user@host# set deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell"
user@host# set deny-configuration-regexps "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log cache" "security log exclude .* event-id IDP_.*" "system fips self-test after-key-generation"
user@host# set security-role security-administrator

7. Create the ids-admin login class.

[edit]
user@host# edit system login class ids-admin

[edit system login class ids-admin]
user@host# set permissions configure
user@host# set permissions maintenance
user@host# set permissions security-control
user@host# set permissions trace

8. Configure the ids-admin login class restrictions.

[edit system login class ids-admin]
user@host# set allow-configuration-regexps "security alarms potential-violation idp" "security log exclude .* event-id IDP_.*"
user@host# set deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell"
user@host# set deny-configuration-regexps "security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"
user@host# set security-role ids-administrator

9. Assign users to the roles.

[edit]
user@host# edit system login

[edit system login]
user@host# set user audit-officer class audit-admin
user@host# set user crypto-officer class crypto-admin
user@host# set user security-officer class security-admin
user@host# set user ids-officer class ids-admin

10. Configure passwords for the users.

[edit system login]
user@host# set user audit-officer authentication plain-text-password
user@host# set user crypto-officer authentication plain-text-password
user@host# set user security-officer authentication plain-text-password
user@host# set user ids-officer authentication plain-text-password

Results

From configuration mode, confirm your configuration by entering the show system
command. If the output does not display the intended configuration, repeat the
instructions in this example to correct the configuration.

[edit]
user@host# show system
system {
    login {
        class audit-admin {
            permissions [ maintenance security trace ];
            allow-commands "^clear (log|security log)";
            deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell";
            security-role audit-administrator;
        }
        class crypto-admin {
            permissions [ admin-control configure maintenance security-control system-control trace ];
            allow-commands "^request (system set-encryption-key)";
            deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell";
            allow-configuration-regexps "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation";
            security-role crypto-administrator;
        }
        class security-admin {
            permissions [ all ];
            deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell";
            deny-configuration-regexps "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log exclude .* event-id IDP_.*" "system fips self-test after-key-generation";
            security-role security-administrator;
        }
        class ids-admin {
            permissions [ configure maintenance security-control trace ];
            deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell";
            allow-configuration-regexps "security alarms potential-violation idp" "security log exclude .* event-id IDP_.*";
            deny-configuration-regexps "security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)";
            security-role ids-administrator;
        }
        user audit-officer {
            class audit-admin;
            authentication {
                encrypted-password "$1$ABC123"; ## SECRET-DATA
            }
        }
        user crypto-officer {
            class crypto-admin;
            authentication {
                encrypted-password "$1$ABC123."; ## SECRET-DATA
            }
        }
        user security-officer {
            class security-admin;
            authentication {
                encrypted-password "$1$ABC123."; ## SECRET-DATA
            }
        }
        user ids-officer {
            class ids-admin;
            authentication {
                encrypted-password "$1$ABC123/"; ## SECRET-DATA
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

Verifying the Login Permissions

Purpose
Verify the login permissions for the current user.

Action
From operational mode, enter the show cli authorization command.

user@host> show cli authorization
Current user: 'example' class 'super-user'
Permissions:
admin -- Can view user accounts
admin-control-- Can modify user accounts
clear -- Can clear learned network info
configure -- Can enter configuration mode
control -- Can modify any config
edit -- Can edit full files
field -- Can use field debug commands
floppy -- Can read and write the floppy
interface -- Can view interface configuration
interface-control-- Can modify interface configuration
network -- Can access the network
reset -- Can reset/restart interfaces and daemons
routing -- Can view routing configuration
routing-control-- Can modify routing configuration
shell -- Can start a local shell
snmp -- Can view SNMP configuration
snmp-control-- Can modify SNMP configuration
system -- Can view system configuration
system-control-- Can modify system configuration
trace -- Can view trace file settings
trace-control-- Can modify trace file settings
view -- Can view current values and statistics
maintenance -- Can become the super-user
firewall -- Can view firewall configuration
firewall-control-- Can modify firewall configuration
secret -- Can view secret statements
secret-control-- Can modify secret statements
rollback -- Can rollback to previous configurations
security -- Can view security configuration
security-control-- Can modify security configuration
access -- Can view access configuration
access-control-- Can modify access configuration
view-configuration-- Can view all configuration (not including secrets)
flow-tap -- Can view flow-tap configuration
flow-tap-control-- Can modify flow-tap configuration
idp-profiler-operation-- Can Profiler data

pgcp-session-mirroring-- Can view pgcp session mirroring configuration
pgcp-session-mirroring-control-- Can modify pgcp session mirroring configuration
storage -- Can view fibre channel storage protocol configuration
storage-control-- Can modify fibre channel storage protocol configuration
all-control -- Can modify any configuration
Individual command authorization:
Allow regular expression: none
Deny regular expression: none
Allow configuration regular expression: none
Deny configuration regular expression: none

This output summarizes the login permissions.

Related Documentation • Understanding Administrative Roles on page 24

Handling Authorization Failure

Supported Platforms SRX Series, vSRX

The security administrator can configure the number of times a user can try to log in to
the device with invalid login credentials. The device can be locked after the specified
number of unsuccessful authentication attempts. This helps to protect the device from
malicious users attempting to access the system by guessing an account’s password.
The security administrator can unlock the user account or define a time period for the
user account to remain locked.

The system lockout-period defines the amount of time the device can be locked for a
user account after a specified number of unsuccessful login attempts.

The security administrator can configure a period of time after which an inactive session
will be locked and require re-authentication to be unlocked. This helps to protect the
device from being idle for a long period before the session times out.

The system idle-timeout defines the length of time the CLI operational mode prompt remains
active before the session times out.

The security administrator can configure a banner with an advisory notice to be displayed
before the identification and authentication screen.

The system message defines the system login message. This message appears before
a user logs in.

The number of reattempts the device allows is defined by the tries-before-disconnect
option. The device allows 3 unsuccessful attempts by default or as configured by the
administrator. The device prevents locked users from performing activities that require
authentication until a security administrator manually clears the lock or the defined time
period for the device to remain locked has elapsed. However, existing locks are ignored
when the user attempts to log in from the local console.


NOTE: To clear the console during an administrator-initiated logout, the
administrator must configure the set system login message “message string”
such that the message-string contains newline (\n) characters followed by a login
banner message at the end of the \n characters.

To ensure that configuration information is cleared completely, the
administrator can enter 50 or more \n characters in the message-string of
the command set system login message “message string”.

For example, set system login message
"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Welcome to Junos!!!"

Related Documentation • Example: Configuring System Retry Options on page 34

Example: Configuring System Retry Options

Supported Platforms SRX Series, vSRX

This example shows how to configure system retry options to protect the device from
malicious users.

• Requirements on page 34
• Overview on page 34
• Configuration on page 36
• Verification on page 37

Requirements
Before you begin, you should understand “Handling Authorization Failure” on page 33.

No special configuration beyond device initialization is required before configuring this
feature.

Overview
Malicious users sometimes try to log in to a secure device by guessing an authorized user
account’s password. Locking out a user account after a number of failed authentication
attempts helps protect the device from malicious users.

Device lockout allows you to configure the number of failed attempts before the user
account is locked out of the device and configure the amount of time before the user can
attempt to log in to the device again. You can configure the amount of time in-between
failed login attempts of a user account and can manually lock and unlock user accounts.


NOTE:
This example includes the following settings:

• backoff-factor — Sets the length of delay in seconds after each failed login
attempt. When a user incorrectly logs in to the device, the user must wait
the configured amount of time before attempting to log in to the device
again. The length of delay increases by this value for each subsequent login
attempt after the value specified in the backoff-threshold statement. The
default value for this statement is five seconds, with a range of five to ten
seconds.

• backoff-threshold — Sets the threshold for the number of failed login
attempts on the device before the user experiences a delay when
attempting to reenter a password. When a user incorrectly logs in to the
device and hits the threshold of failed login attempts, the user experiences
a delay that is set in the backoff-factor statement before attempting to log
in to the device again. The default value for this statement is two, with a
range of one through three.

• lockout-period — Sets the amount of time in minutes before the user can
attempt to log in to the device after being locked out due to the number of
failed login attempts specified in the tries-before-disconnect statement.
When a user fails to correctly login after the number of allowed attempts
specified by the tries-before-disconnect statement, the user must wait the
configured amount of minutes before attempting to log in to the device
again. The lockout-period must be greater than zero. The range at which
you can configure the lockout-period is one through 43,200 minutes.

• tries-before-disconnect — Sets the maximum number of times the user is
allowed to enter a password to attempt to log in to the device through SSH
or Telnet. When the user reaches the maximum number of failed login
attempts, the user is locked out of the device. The user must wait the
configured number of minutes in the lockout-period statement before
attempting to log back in to the device. The tries-before-disconnect
statement must be set when the lockout-period statement is set; otherwise,
the lockout-period statement is meaningless. The default number of
attempts is ten, with a range of one through ten attempts.

Once a user is locked out of the device, if you are the security administrator,
you can manually remove the user from this state using the clear system login
lockout <username> command. You can also use the show system login lockout
command to view which users are currently locked out, when the lockout
period began for each user, and when the lockout period ends for each user.

If the security administrator is locked out of the device, he can log in to the
device from the console port, which ignores any user locks. This provides a
way for the administrator to remove the user lock on their own user account.


In this example the user waits for the backoff-threshold multiplied by the backoff-factor
interval, in seconds, to get the login prompt. In this example, the user must wait 5 seconds
after the first failed login attempt and 10 seconds after the second failed login attempt
to get the login prompt. The user gets disconnected after 15 seconds after the third failed
attempt because the tries-before-disconnect option is configured as 3.

The user cannot attempt another login until 120 minutes have elapsed, unless a security
administrator manually clears the lock sooner.
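To make the interplay of these four options concrete, the following Python model replays the behaviour described above. It is an added example, not Junos OS code, and does not claim to mirror the Junos implementation; it assumes the delay after the n-th consecutive failure is backoff-factor times (n - backoff-threshold + 1) once n reaches the threshold, which reproduces the 5, 10 and 15 second sequence of this example, and it uses a constructed username and timestamp.

```python
"""Model of Junos OS login retry-options (added example, not Juniper code)."""
from dataclasses import dataclass, field


@dataclass
class RetryOptions:
    backoff_factor: int = 5           # seconds of delay added per failure past the threshold
    backoff_threshold: int = 2        # number of failures at which delays begin
    tries_before_disconnect: int = 10 # failures after which the session is dropped
    lockout_period: int = 0           # minutes; 0 means no lockout (model assumption)


@dataclass
class LoginTracker:
    """Tracks consecutive failed logins per username and the active lockouts."""
    opts: RetryOptions
    failures: dict = field(default_factory=dict)  # user -> consecutive failures
    lockouts: dict = field(default_factory=dict)  # user -> (start, end) epoch seconds

    def delay_after_failure(self, n):
        """Seconds the user waits for the next prompt after the n-th consecutive
        failure: no delay below backoff-threshold, then backoff-factor more per
        failure (interpretation of the example's 5 s / 10 s / 15 s sequence)."""
        if n < self.opts.backoff_threshold:
            return 0
        return self.opts.backoff_factor * (n - self.opts.backoff_threshold + 1)

    def is_locked(self, user, now, via_console=False):
        """A lock holds until lockout-period expires or an administrator clears it;
        logins from the local console ignore existing locks, as the text states."""
        if via_console or user not in self.lockouts:
            return False
        _, end = self.lockouts[user]
        if now >= end:
            del self.lockouts[user]  # lock has expired
            return False
        return True

    def record_failure(self, user, now):
        """Register one failed attempt. Returns (delay_seconds, disconnected)."""
        n = self.failures.get(user, 0) + 1
        delay = self.delay_after_failure(n)
        if n >= self.opts.tries_before_disconnect:
            self.failures[user] = 0  # session is dropped; the count restarts
            if self.opts.lockout_period > 0:
                self.lockouts[user] = (now, now + self.opts.lockout_period * 60)
            return delay, True
        self.failures[user] = n
        return delay, False

    def clear_lockout(self, user):
        """Counterpart of 'clear system login lockout <username>'."""
        self.lockouts.pop(user, None)

    def show_lockout(self):
        """Counterpart of 'show system login lockout': user -> (start, end)."""
        return dict(self.lockouts)


def simulate_example():
    """Replay this example's settings (threshold 1, factor 5, 3 tries, 120 min)
    for a constructed username; returns the per-attempt delays, whether the
    third failure disconnected the user, and the resulting lock window."""
    tracker = LoginTracker(RetryOptions(backoff_factor=5, backoff_threshold=1,
                                        tries_before_disconnect=3, lockout_period=120))
    now = 1_000_000  # constructed epoch timestamp
    delays = []
    for _ in range(3):
        delay, disconnected = tracker.record_failure("user1", now)
        delays.append(delay)
        now += delay  # the next attempt can only happen once the delay has passed
    return delays, disconnected, tracker.show_lockout()["user1"]


if __name__ == "__main__":
    print(simulate_example())  # ([5, 10, 15], True, (1000015, 1007215))
```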

Configuration

CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

set system login retry-options backoff-factor 5
set system login retry-options backoff-threshold 1
set system login retry-options lockout-period 120
set system login retry-options tries-before-disconnect 3

Step-by-Step Procedure
To configure system retry-options:
1. Configure the backoff factor.

[edit]
user@host# set system login retry-options backoff-factor 5

2. Configure the backoff threshold.

[edit]
user@host# set system login retry-options backoff-threshold 1

3. Configure the amount of time the device gets locked after failed attempts.

[edit]
user@host# set system login retry-options lockout-period 5

4. Configure the number of unsuccessful attempts allowed before the device locks the
user out.

[edit]
user@host# set system login retry-options tries-before-disconnect 3

Results From configuration mode, confirm your configuration by entering the show system login
retry-options command. If the output does not display the intended configuration, repeat
the configuration instructions in this example to correct it.

[edit]
user@host# show system login retry-options
backoff-factor 5;
backoff-threshold 1;


lockout-period 5;
tries-before-disconnect 3;

Confirm that the configuration is working properly.

If you are done configuring the device, enter commit from configuration mode.

Verification

Displaying the Locked User Logins

Purpose Verify that the login lockout configuration is enabled.

Action Attempt three unsuccessful logins for a particular username. The device will be locked
for that username; then log in to the device with a different username. From operational
mode, enter the show system login lockout command.

Meaning When you perform three unsuccessful login attempts with a particular username, the
device is locked for that user for five minutes, as configured in the example. You can verify
that the device is locked for that user by logging in to the device with a different username
and entering the show system login lockout command.

Related Documentation • Handling Authorization Failure on page 33



CHAPTER 3

Configuring User Access Privileges

• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privilege Levels on page 43
• Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 54
• Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 56
• Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands, Configuration Statements, and Hierarchies on page 68

Example: Configuring User Permissions with Access Privilege Levels

Supported Platforms EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series, vSRX

This example shows how to view permissions for a user account and configure the user
permissions with access privileges for a login class. This enables users to execute only
those commands and configure and view only those statements for which they have
access privileges. This prevents unauthorized users from executing or configuring sensitive
commands and statements that could potentially cause damage to the network.

• Requirements on page 39
• Overview on page 40
• Configuration on page 41
• Verification on page 42

Requirements
This example uses the following hardware and software components:

• One Juniper Networks device

• One TACACS+ (or RADIUS) server

• Junos OS build running on the Juniper Networks device


Before you begin:

• Establish a connection between the device and the TACACS+ server.

For information on configuring a TACACS+ server, see “Configuring TACACS+
Authentication” on page 343.

• Configure at least one user assigned to a login class on the Juniper Networks device.
There can be more than one login class, each with varying permission configurations,
and more than one user on the device.

Overview
Each top-level command-line interface (CLI) command and each configuration statement
in Junos OS has an access privilege level associated with it. For each login class, you can
explicitly deny or allow the use of operational and configuration mode commands that
would otherwise be permitted or not allowed by a privilege level. Users can execute only
those commands and configure and view only those statements for which they have
access privileges. To configure access privilege levels, include the permissions statement
at the [edit system login class class-name] hierarchy level.

The access privileges for each login class are defined by one or more permission flags
specified in the permissions statement. Permission flags are used to grant a user access
to operational mode commands, statements, and configuration hierarchies. Permission
flags are not cumulative, so for each login class you must list all the permission flags
needed, including view to display information and configure to enter configuration mode.
By specifying a specific permission flag on the user's login class, you grant the user access
to the corresponding commands, statements, and configuration hierarchies. To grant
access to all commands and configuration statements, use the all permissions flag. The
permission flags provide read-only (“plain” form) and read and write (form that ends in
-control) capability for a permission type.

NOTE: The all login class permission bits take precedence over extended
regular expressions when a user issues a rollback command with the rollback
permission flag enabled.

To configure user access privilege levels:

1. View permissions for a user account.

You can view the permissions for a user account before configuring the access
privileges for those permissions.

To view the user permissions, enter ? at the [edit] hierarchy level:

[edit]
?

2. Configure user permissions with access privileges.


All users who can log in to a device must be in a login class. For each login class, you
can configure the access privileges that the associated users can have when they are
logged in to the device.

To configure access privilege levels for user permissions, include the permissions
statement at the [edit system login class class-name] hierarchy level, followed by the
user permission, the permissions option, and the required permission flags.

[edit system login]
user@host# set class class-name permissions user-permission permissions [permission flags];

Configuration

Configuring User Permissions with Access Privilege Levels

Step-by-Step Procedure
To configure access privileges:
1. From the device, view the list of permissions available for the user account. In this
example, the username of the user account is host.

[edit]
user@host> ?
Possible completions:
clear Clear information in the system
configure Manipulate software configuration information
file Perform file operations
help Provide help information
load Load information from file
monitor Show real-time debugging information
mtrace Trace multicast path from source to receiver
op Invoke an operation script
ping Ping remote target
quit Exit the management session
request Make system-level requests
restart Restart software process
save Save information to file
set Set CLI properties, date/time, craft interface message
show Show system information
ssh Start secure shell on another host
start Start shell
telnet Telnet to another host
test Perform diagnostic debugging
traceroute Trace route to remote host

The output lists the permissions for the user host. Customized login classes can be
created by configuring different access privileges on these user permissions.

2. Configure an access privilege class to enable user host to configure and view SNMP
parameters only. In this example, this login class is called network-management.
To customize the network-management login class, include the SNMP permission
flags to the configure user permission.

[edit system login class network-management]
user@host# set permissions configure permissions snmp
user@host# set permissions configure permissions snmp-control


Here, the configured permission flags provide both read (snmp) and read-and-write
(snmp-control) capability for SNMP, and this is the only allowed access privilege
for the network-management login class. In other words, all other access privileges
other than configuring and viewing SNMP parameters are denied.

Results

From configuration mode, confirm your configuration by entering the show system login
command. If the output does not display the intended configuration, repeat the
instructions in this example to correct the configuration.

user@host# show system login
class network-management {
permissions [ configure snmp snmp-control ];
}

Verification
Log in as the username assigned with the new login class, and confirm that the
configuration is working properly.

• Verifying SNMP Configuration on page 42
• Verifying non-SNMP Configuration on page 42

Verifying SNMP Configuration

Purpose Verify that SNMP configuration can be executed.

Action From configuration mode, execute basic SNMP commands at the [edit snmp] hierarchy
level.

[edit snmp]
user@host# set name device1
user@host# set description switch1
user@host# set location Lab1
user@host# set contact example.com
user@host# commit

Meaning The user host assigned to the network-management login class is able to configure
SNMP parameters, as the permission flags specified for this class include both snmp
(read capabilities) and snmp-control (read and write capabilities) permission bits.

Verifying non-SNMP Configuration

Purpose Verify that non-SNMP configuration is denied for the network-management login class.

Action From the configuration mode, execute any non-SNMP configuration, for example,
interfaces configuration.


[edit]
user@host# edit interfaces
Syntax error, expecting <statement> or <identifier>.

Related Documentation
• Understanding Junos OS Access Privilege Levels on page 7
• Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands,
Configuration Statements, and Hierarchies

Example: Configuring User Permissions with Access Privilege Levels

Supported Platforms EX Series, M Series, MX Series, PTX Series, QFX Series, SRX Series, T Series, vSRX

Create two access privilege classes on the router or switch, one for configuring and viewing
user accounts only and the second for configuring and viewing SNMP parameters only:

In this example, you create two custom login classes on the router or switch and assign
access privileges to each class through permission flags. The first custom login class is
called user-accounts and it only includes access privileges for configuring and viewing
user accounts. The second custom login class is called network-mgmt and only includes
access privileges for configuring SNMP parameters.

[edit]
system {
login {
class user-accounts {
permissions [ configure admin admin-control ];
}
class network-mgmt {
permissions [ configure snmp snmp-control ];
}
}
}

1. Create the user-accounts custom login class and give it control over user accounts
with the configure admin admin-control permission flag.

[edit system login]
user@router# set class user-accounts permissions configure admin admin-control

2. Create the network-mgmt custom login class and use the configure snmp snmp-control
permission flag to assign it SNMP configuration privileges.

[edit system login]
user@router# set class network-mgmt permissions configure snmp snmp-control

3. Check your configuration by using the show system login command.

user@router# show system login
class user-accounts {
permissions [ configure admin admin-control ];
}
class network-mgmt {
permissions [ configure snmp snmp-control ];
}
}
Related Documentation • Example: Configuring User Permissions with Access Privilege Levels on page 39

Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands

Supported Platforms EX Series, M Series, MX Series, OCX1100, PTX Series, QFabric System, QFX Series, SRX Series,
T Series, vSRX

This example shows how to configure custom login classes and assign access privileges
for operational mode commands. This enables users of the customized login class to
execute only those operational commands for which access privileges have been specified.
This prevents unauthorized users from executing sensitive commands that could
potentially cause damage to the network.

• Requirements on page 44
• Overview and Topology on page 44
• Configuration on page 47
• Verification on page 51

Requirements
This example uses the following hardware and software components:

• One Juniper Networks device

• One TACACS+ (or RADIUS) server

• Junos OS build running on the Juniper Networks device

Before you begin:

• Establish a TCP connection between the device and the TACACS+ server. In the case
of the RADIUS server, establish a UDP connection between the device and the RADIUS
server.

For information on configuring a TACACS+ server, see “Configuring TACACS+
Authentication” on page 343.

• Configure at least one user assigned to a login class on the Juniper Networks device.
There can be more than one login class, each with varying permission configurations,
and more than one user on the device.

Overview and Topology


Each top-level command-line interface (CLI) command and each configuration statement
in Junos OS has an access privilege level associated with it. For each login class, you can
explicitly deny or allow the use of operational and configuration mode commands that
would otherwise be permitted or not allowed by a privilege level. Users can execute only
those commands and configure and view only those statements for which they have
access privileges. To configure access privilege levels, include the permissions statement
at the [edit system login class class-name] hierarchy level.

The access privileges for each login class are defined by one or more permission flags
specified in the permissions statement. In addition to this, you can specify extended
regular expressions with the following statements:

• allow-commands and deny-commands—Allow or deny access to operational mode
commands only.

• allow-configuration and deny-configuration—Allow or deny access to a particular
configuration hierarchy only.

• allow-configuration-regexps and deny-configuration-regexps—Allow or deny access to
a particular configuration hierarchy only using strings of regular expressions.

The above statements define a user’s access privileges to individual operational mode
commands, configuration statements, and hierarchies. These statements take precedence
over a login class permissions bit set for a user.

Configuration Notes

When configuring the allow-commands and deny-commands statements with access
privileges, take the following into consideration:

• You can include one deny-commands and one allow-commands statement in each
login class.

• If the exact same command is configured under both allow-commands and
deny-commands statements, then the allow operation takes precedence over the deny
command.

For instance, with the following configuration, a user assigned to login class test is
allowed to install software using the request system software add command, although
the deny-commands statement also includes it:

[edit system login]
user@host# set class test permissions allow-commands "request system software add"
user@host# set class test permissions deny-commands "request system software add"

• If you specify a regular expression for allow-commands and deny-commands statements
with two different variants of a command, the longest match is always executed.

For instance, for the following configuration, a user assigned to test login class is allowed
to execute the commit synchronize command and not the commit command. This is
because commit-synchronize is the longest match between commit and
commit-synchronize and it is specified for allow-commands.

[edit system login class]
user@host# set class test permissions allow-commands "commit-synchronize"
user@host# set class test permissions deny-commands commit

• Regular expressions for allow-commands and deny-commands statements can also
include the commit, load, rollback, save, status, and update commands.


• If the regular expression contains any spaces, operators, or wildcard characters, enclose
the expression in quotation marks. Regular expressions are not case-sensitive, for
example, allow-commands "show interfaces";

• Modifiers, such as set, log, and count, are not supported within the regular expression
string to be matched. If a modifier is used, then nothing is matched.

Incorrect configuration:

[edit system login]
user@host# set class test permission deny-commands "set protocols"

Correct configuration:

[edit system login]
user@host# set class test permission deny-commands protocols

• Anchors are required when specifying complex regular expressions with the
allow-commands statement.

For example:

[edit system login]
user@host# set class test permissions allow-commands "(^monitor) | (^ping) | (^show) | (^exit)"

OR

user@host# set class test permissions allow-commands "^(monitor | ping | show | exit)"
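The following Python model applies the precedence rules from these notes (regexes override permission bits, longest match wins, an exact tie goes to allow, matching is case-insensitive) to the page's own patterns, including the Class1 and Class2 login classes configured later in this example. It is an added example, not Junos OS code, and does not describe how Junos implements authorization internally; it assumes a caller-supplied flag_required stands in for the permission-bit check, and it writes the second note's allow pattern the way the command is typed, commit synchronize.

```python
"""Model of allow-commands / deny-commands precedence (added example, not Juniper code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginClass:
    name: str
    permissions: frozenset       # flags from the permissions statement
    allow_commands: str = ""     # at most one allow-commands regex per class
    deny_commands: str = ""      # at most one deny-commands regex per class


def longest_match(pattern, command):
    """Length of the longest piece of `command` that `pattern` matches, 0 if none.
    Matching is case-insensitive and unanchored unless the regex anchors itself,
    which is why the notes above recommend anchors for complex expressions."""
    if not pattern:
        return 0
    matches = (len(m.group(0)) for m in re.finditer(pattern, command, re.IGNORECASE))
    return max(matches, default=0)


def authorize(cls, command, flag_required):
    """Decide whether a user of `cls` may run `command`.

    `flag_required` is the permission flag the command would need when no regex
    applies (simplification: the real flag-to-command mapping is not modelled).
    Regexes take precedence over permission bits; the longest match wins; when
    allow and deny match the same text, allow wins.
    """
    allow = longest_match(cls.allow_commands, command)
    deny = longest_match(cls.deny_commands, command)
    if allow == 0 and deny == 0:
        return flag_required in cls.permissions
    return allow >= deny


# Operator-level permission flags as used by Class1 and Class2 in this example.
OPERATOR = frozenset({"clear", "network", "reset", "trace", "view"})

# Login classes taken from the configuration notes and the topology description.
TEST_CLASS_SAME = LoginClass("test", OPERATOR,
                             allow_commands="request system software add",
                             deny_commands="request system software add")
TEST_CLASS_COMMIT = LoginClass("test", OPERATOR,
                               allow_commands="commit synchronize",
                               deny_commands="commit")
CLASS1 = LoginClass("Class1", OPERATOR, allow_commands="request system reboot")
CLASS2 = LoginClass("Class2", OPERATOR, deny_commands="set")


if __name__ == "__main__":
    # Constructed cases; "maintenance" is the flag these request commands would need.
    for cls, cmd, flag in [(TEST_CLASS_SAME, "request system software add", "maintenance"),
                           (TEST_CLASS_COMMIT, "commit", "configure"),
                           (TEST_CLASS_COMMIT, "commit synchronize", "configure"),
                           (CLASS1, "request system reboot", "maintenance"),
                           (CLASS1, "request system halt", "maintenance"),
                           (CLASS2, "set cli idle-timeout 5", "view")]:
        print(f"{cls.name:6} {cmd!r:35} -> {'allowed' if authorize(cls, cmd, flag) else 'denied'}")
```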

Topology

Figure 2: Configuring TACACS+ Server Authentication

[Figure: Router R1 connected over a TCP connection to a TACACS+ server at 10.209.1.66/24]

Figure 2 on page 46 illustrates a simple topology, where Router R1 is a Juniper Networks
device and has a TCP connection established with a TACACS+ server.

In this example, R1 is configured with three customized login classes—Class1, Class2, and
Class3—for specifying access privileges with extended regular expressions using the
allow-commands and deny-commands statements differently.

The purpose of each login class is as follows:

• Class1—Defines access privileges for the user with the allow-commands statement
only. This login class provides operator-level user permissions, and should provide
authorization for only rebooting the device.

• Class2—Defines access privileges for the user with the deny-commands statement
only. This login class provides operator-level user permissions, and should deny access
to set commands.


• Class3—Defines access privileges for the user with both the allow-commands and
deny-commands statements. This login class provides superuser-level user permissions,
and should provide authorization for accessing interfaces and viewing device
information. It should also deny access to edit and configure commands.

Router R1 has three different users, User1, User2, and User3, assigned to Class1, Class2,
and Class3 login classes, respectively.

Configuration

CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

R1
set system authentication-order tacplus
set system authentication-order radius
set system authentication-order password
set system radius-server 10.209.1.66 secret "$ABC123"
set system tacplus-server 10.209.1.66
set system radius-options enhanced-accounting
set system tacplus-options enhanced-accounting
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting traceoptions file auditlog
set system accounting traceoptions flag all
set system accounting destination tacplus server 10.209.1.66
set system login class Class1 permissions clear
set system login class Class1 permissions network
set system login class Class1 permissions reset
set system login class Class1 permissions trace
set system login class Class1 permissions view
set system login class Class1 allow-commands "request system reboot"
set system login class Class2 permissions clear
set system login class Class2 permissions network
set system login class Class2 permissions reset
set system login class Class2 permissions trace
set system login class Class2 permissions view
set system login class Class2 deny-commands set
set system login class Class3 permissions all
set system login class Class3 allow-commands configure
set system login class Class3 deny-commands .*
set system login user User1 uid 2001
set system login user User1 class Class1
set system login user User1 authentication encrypted-password "$ABC123"
set system login user User2 uid 2002
set system login user User2 class Class2
set system login user User2 authentication encrypted-password "$ABC123"
set system login user User3 uid 2003
set system login user User3 class Class3
set system login user User3 authentication encrypted-password "$ABC123"
set system syslog file messages any any


Configuring Authentication Parameters for Router R1

Step-by-Step Procedure

The following example requires that you navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure Router R1 authentication:

1. Configure the order in which authentication should take place for R1. In this example,
TACACS+ server authentication is first, followed by RADIUS server authentication,
and then the local password.

[edit system]
user@R1# set authentication-order tacplus
user@R1# set authentication-order radius
user@R1# set authentication-order password

2. Establish R1 connection with the TACACS+ server.

[edit system]
user@R1# set tacplus-server 10.209.1.66
user@R1# set tacplus-options enhanced-accounting
user@R1# set accounting destination tacplus server 10.209.1.66

3. Configure RADIUS server authentication parameters.

[edit system]
user@R1# set radius-server 10.209.1.66 secret "$ABC123"
user@R1# set radius-options enhanced-accounting

4. Configure R1 accounting configuration parameters.

[edit system]
user@R1# set accounting events login
user@R1# set accounting events change-log
user@R1# set accounting events interactive-commands
user@R1# set accounting traceoptions file auditlog
user@R1# set accounting traceoptions flag all

Configuring Access Privileges with allow-commands Statement Only (Class1)

Step-by-Step Procedure

To specify regular expressions using the allow-commands statement only:

1. Configure Class1 custom login class and assign operator-level user permissions. For
information on the predefined system login classes, see the Junos OS Login Classes
Overview.

[edit system login]
user@R1# set class Class1 permissions clear
user@R1# set class Class1 permissions network
user@R1# set class Class1 permissions reset
user@R1# set class Class1 permissions trace

Chapter 3: Configuring User Access Privileges

user@R1# set class Class1 permissions view

2. Specify the command to enable rebooting of R1 in the allow-commands statement.

[edit system login]
user@R1# set class Class1 allow-commands "request system reboot"

3. Configure the user account for the Class1 login class.

[edit system login]
user@R1# set user User1 uid 2001
user@R1# set user User1 class Class1
user@R1# set user User1 authentication encrypted-password "$ABC123"

Configuring Access Privileges with deny-commands Statement Only (Class2)

Step-by-Step Procedure

To specify regular expressions using the deny-commands statement only:

1. Configure the Class2 custom login class and assign operator-level user permissions.
For information on the predefined system login classes, see the Junos OS Login
Classes Overview.

[edit system login]
user@R1# set class Class2 permissions clear
user@R1# set class Class2 permissions network
user@R1# set class Class2 permissions reset
user@R1# set class Class2 permissions trace
user@R1# set class Class2 permissions view

2. Disable execution of any set commands in the deny-commands statement.

[edit system login]
user@R1# set class Class2 deny-commands "set"

3. Configure the user account for the Class2 login class.

[edit system login]
user@R1# set user User2 uid 2002
user@R1# set user User2 class Class2
user@R1# set user User2 authentication encrypted-password "$ABC123"

Configuring Access Privileges with Both allow-commands and deny-commands Statements (Class3)

Step-by-Step Procedure

To specify regular expressions using both the allow-commands and deny-commands statements:

1. Configure the Class3 custom login class and assign superuser-level user permissions.
For information on the predefined system login classes, see the Junos OS Login
Classes Overview.

[edit system login]

user@R1# set class Class3 permissions all

2. Specify the commands to enable only configure commands in the allow-commands statement.

[edit system login]
user@R1# set class Class3 allow-commands configure

3. Disable execution of all commands in the deny-commands statement.

[edit system login]
user@R1# set class Class3 deny-commands .*

4. Configure the user account for the Class3 login class.

[edit system login]
user@R1# set user User3 uid 2003
user@R1# set user User3 class Class3
user@R1# set user User3 authentication encrypted-password "$ABC123"

Results

From configuration mode, confirm your configuration by entering the show system
command. If the output does not display the intended configuration, repeat the
instructions in this example to correct the configuration.

user@R1# show system
authentication-order [ tacplus radius password ];
radius-server {
10.209.1.66 secret "$ABC123";
}
tacplus-server {
10.209.1.66;
}
radius-options {
enhanced-accounting;
}
tacplus-options {
enhanced-accounting;
}
accounting {
events [ login change-log interactive-commands ];
traceoptions {
file auditlog;
flag all;
}
destination {
tacplus {
server {
10.209.1.66;
}
}
}

}
login {
class Class1 {
permissions [ clear network reset trace view ];
allow-commands "request system reboot";
}
class Class2 {
permissions [ clear network reset trace view ];
deny-commands set;
}
class Class3 {
permissions all;
allow-commands configure;
deny-commands .*;
}
user User1 {
uid 2001;
class Class1;
authentication {
encrypted-password "$ABC123";
}
}
user User2 {
uid 2002;
class Class2;
authentication {
encrypted-password "$ABC123";
}
}
user User3 {
uid 2003;
class Class3;
authentication {
encrypted-password "$ABC123";
}
}
}
syslog {
file messages {
any any;
}
}

Verification
Log in as the username assigned with the new login class, and confirm that the
configuration is working properly.

• Verifying Class1 Configuration on page 52
• Verifying Class2 Configuration on page 52
• Verifying Class3 Configuration on page 53

Verifying Class1 Configuration

Purpose Verify that the permissions and commands allowed in the Class1 login class are working.

Action From operational mode, run the show system users command.

User1@R1> show system users
12:39PM up 6 days, 23 mins, 6 users, load averages: 0.00, 0.01, 0.00
USER TTY FROM LOGIN@ IDLE WHAT
User1 p0 abc.example.net 12:34AM 12:04 cli
User2 p1 abc.example.net 12:36AM 12:02 -cli (cli)
User3 p2 abc.example.net 10:41AM 11 -cli (cli)

From operational mode, check which request system commands are available.

User1@R1> request system ?
Possible completions:
reboot Reboot the system

Meaning The Class1 login class to which User1 is assigned has the operator-level user permissions,
and is allowed to execute the request system reboot command.

The predefined operator login class has the following permission flags specified:

• clear—Can clear (delete) information learned from the network that is stored in various
network databases by using the clear commands.

• network—Can access the network by using the ping, ssh, telnet, and traceroute
commands.

• reset—Can restart software processes by using the restart command and can configure
whether software processes are enabled or disabled at the [edit system processes]
hierarchy level.

• trace—Can view trace file settings and configure trace file properties.

• view—Can use various commands to display current system-wide, routing table, and
protocol-specific values and statistics. Cannot view the secret configuration.

For the Class1 login class, in addition to the above-mentioned user permissions, User1
can execute the request system reboot command. The first output displays the view
permissions as an operator, and the second output shows that the only request command
that User1 can execute as an operator is the request system reboot command.

Verifying Class2 Configuration

Purpose Verify that the permissions and commands allowed for the Class2 login class are working.

Action From the operational mode, run the ping command.

User2@R1> ping 10.209.1.66
PING 10.209.1.66 (10.209.1.66): 56 data bytes
64 bytes from 10.209.1.66: icmp_seq=0 ttl=52 time=212.521 ms
64 bytes from 10.209.1.66: icmp_seq=1 ttl=52 time=212.844 ms
64 bytes from 10.209.1.66: icmp_seq=2 ttl=52 time=211.304 ms
64 bytes from 10.209.1.66: icmp_seq=3 ttl=52 time=210.963 ms
^C
--- 10.209.1.66 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max/stddev = 210.963/211.908/212.844/0.792 ms

From the CLI prompt, check the available permissions.

User2@R1> ?
Possible completions:
clear Clear information in the system
file Perform file operations
help Provide help information
load Load information from file
monitor Show real-time debugging information
mtrace Trace multicast path from source to receiver
op Invoke an operation script
ping Ping remote target
quit Exit the management session
request Make system-level requests
restart Restart software process
save Save information to file
show Show system information
ssh Start secure shell on another host
start Start shell
telnet Telnet to another host
test Perform diagnostic debugging
traceroute Trace route to remote host

From the CLI prompt, execute any set command.

User2@R1> set
^
unknown command.

Meaning The Class2 login class to which User2 is assigned has the operator-level user permissions,
and is denied access to all set commands. This is displayed in the command outputs.

The permission flags specified for the predefined operator login class are the same as
that of Class1.

Verifying Class3 Configuration

Purpose Verify that the permissions and commands allowed for the Class3 login class are working.

Action From the CLI prompt, check the available permissions.

User3@R1> ?
Possible completions:
configure Manipulate software configuration information

From the operational mode, enter configuration mode.

User3@R1> configure
Entering configuration mode

[edit]
User3@R1#

Meaning The Class3 login class to which User3 is assigned has the superuser (all) user permissions,
but is allowed to execute the configure command only, and is denied access to all other
operational mode commands. Because the regular expressions specified in the
allow/deny-commands statements take precedence over the user permissions, User3
on R1 has access only to configuration mode, and is denied access to all other operational
mode commands.

Related Documentation

• Understanding Junos OS Access Privilege Levels on page 7
• Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands, Configuration Statements, and Hierarchies
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands, Configuration Statements, and Hierarchies on page 68

Example: Configuring User Permissions with Access Privileges for Operational Mode Commands

Supported Platforms EX Series, M Series, MX Series, OCX1100, PTX Series, QFabric System, QFX Series, SRX Series,
T Series, vSRX

Each operational mode command has an access privilege level associated with it. Access
privileges control the commands that each custom login class can execute, configure,
and view. Custom login classes are groups of users who are assigned with customized
levels of access to different commands and statements. This ensures that each group
of users can only use commands appropriate to their function, preventing unauthorized
users from executing sensitive commands that could potentially cause damage to the
network.

In this example, you create three custom login classes on the router or switch and assign
access privileges for operational mode commands through the allow-commands and
deny-commands settings. Each custom login class uses the same set of permission flags
as the default login class operator, but the login class is allowed or denied certain
operational mode commands. The first custom login class is called operator-and-boot
and it has access to the request system reboot operational mode command. The second
custom login class is called operator-no-set and it is denied access to any set commands.
The third login class is called operator-and-install-but-no-bgp and it has access to the
request system software add and show route operational mode commands, but it is denied
access to the show bgp command.

[edit]
system {
login {
class operator-and-boot {
permissions [ clear network reset trace view ];
allow-commands "request system reboot";
}
class operator-no-set {
permissions [ clear network reset trace view ];
deny-commands "set";
}
class operator-and-install-but-no-bgp {
permissions [ clear network reset trace view ];
allow-commands "(request system software add)|(show route$)";
deny-commands "show bgp";
}
}
}

1. Create the operator-and-boot custom login class, give it operator level permission
flags, and authorize it to use the request system reboot command.

[edit system login]
user@router# set class operator-and-boot permissions clear network reset trace view
user@router# set class operator-and-boot allow-commands "request system reboot"

2. Create the operator-no-set custom login class, give it operator level permission flags,
and deny it access to the set command.

[edit system login]
user@router# set class operator-no-set permissions clear network reset trace view
user@router# set class operator-no-set deny-commands set

3. Create the operator-and-install-but-no-bgp custom login class, give it operator level permission flags, authorize it to use the request system software add and show route commands, and deny it access to the show bgp command.

[edit system login]
user@router# set class operator-and-install-but-no-bgp permissions clear network reset trace view
user@router# set class operator-and-install-but-no-bgp allow-commands "(request system software add)|(show route$)"
user@router# set class operator-and-install-but-no-bgp deny-commands "show bgp"

4. Check your configuration by using the show system login command.

user@router# show system login
class operator-and-boot {
permissions [ clear network reset trace view ];
allow-commands "request system reboot";
}
class operator-no-set {
permissions [ clear network reset trace view ];
deny-commands "set";
}
class operator-and-install-but-no-bgp {
permissions [ clear network reset trace view ];
allow-commands "(request system software add)|(show route$)";
deny-commands "show bgp";
}

Related Documentation

• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44

Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies

Supported Platforms EX Series, M Series, MX Series, SRX Series, T Series, vSRX

This example shows how to configure custom login classes and assign access privileges
to portions of the configuration hierarchy. This enables users of the customized login
class to execute only those configuration statements and hierarchies for which access
privileges have been specified. This prevents unauthorized users from accessing device
configurations that could potentially cause damage to the network.

• Requirements on page 56
• Overview and Topology on page 57
• Configuration on page 63
• Verification on page 67

Requirements
This example uses the following hardware and software components:

• One Juniper Networks device

• One TACACS+ (or RADIUS) server

• Junos OS build running on the Juniper Networks device

Before you begin:

• Establish a TCP connection between the device and the TACACS+ server. In the case of the RADIUS server, establish a UDP connection between the device and the RADIUS server.

For information on configuring a TACACS+ server, see “Configuring TACACS+ Authentication” on page 343.

• Configure at least one user assigned to a login class on the Juniper Networks device.
There can be more than one login class, each with varying permission configurations,
and more than one user on the device.

Overview and Topology

Each top-level command-line interface (CLI) command and each configuration statement
in Junos OS has an access privilege level associated with it. For each login class, you can
explicitly deny or allow the use of operational and configuration mode commands that
would otherwise be permitted or not allowed by a privilege level. Users can execute only
those commands and configure and view only those statements for which they have
access privileges. To configure access privilege levels, include the permissions statement
at the [edit system login class class-name] hierarchy level.

The access privileges for each login class are defined by one or more permission flags
specified in the permissions statement. In addition to this, you can specify extended
regular expressions with the following statements:

• allow-commands and deny-commands—Allow or deny access to operational mode commands.

• allow-configuration and deny-configuration—Allow or deny access to parts of the configuration hierarchy.

These statements perform slower matching, with more flexibility, especially in wildcard
matching. However, it can take a very long time to evaluate all of the possible
statements if a great number of full-path regular expressions or wildcard expressions
are configured, possibly impacting performance.

• allow-configuration-regexps and deny-configuration-regexps—Allow or deny access to a particular configuration hierarchy using strings of regular expressions. These statements are similar to the allow-configuration and deny-configuration statements, except that with the allow/deny-configuration-regexps statements you configure sets of strings, and each string can contain spaces.

The above statements define a user’s access privileges to individual operational mode
commands, configuration statements, and hierarchies. These statements take precedence
over a login class permissions bit set for a user.

Difference between allow/deny-configuration and allow/deny-configuration-regexps statements

The allow-configuration and deny-configuration statements were introduced before Junos
OS Release 7.4. The allow-configuration-regexps and deny-configuration-regexps

statements were introduced in Junos OS Release 11.2. In Junos OS Release 11.4, the
allow-configuration and deny-configuration statements were deprecated, but because
these statements were useful in executing simple configurations, these statements were
undeprecated in Junos OS Release 11.4R6, and starting with the 11.4R6 release, both the
allow/deny-configuration and the allow/deny-configuration-regexps statements are
supported.

The allow/deny-configuration-regexps statements split up the regular expression into
tokens and match each piece against each part of the specified configuration’s full path,
whereas the allow/deny-configuration statements match against the full string. For
allow/deny-configuration-regexps statements, you configure a set of strings in which
each string is a regular expression, with spaces between the terms of the string. This
provides very fast matching, but with less flexibility. For specifying wildcard expressions
you must set up wildcards for each token of the space-delimited string you want to
match, and this makes it more tedious to use wildcard expressions for these statements.

For example:

• Regular expression matching one token using allow-configuration-regexps

This example shows that options is the only matched expression against the first token
of the statement.

[edit system]
login {
class test {
permissions configure;
allow-configuration-regexps .*options;
}
}

The above configuration matches the following statements:

• set policy-options condition condition dynamic-db

• set routing-options static route static-route next-hop next-hop

• set event-options generate-event event time-interval seconds

The above configuration does not match the following statements:

• system host-name host-options

• interfaces interface-name description options

• Regular expression matching three tokens using allow-configuration-regexps

This example shows that ssh is the only matched expression against the third token
of the statement.

[edit system]
login {
class test {
permissions configure;
allow-configuration-regexps ".* .* .*ssh";
}
}

In the above example, the three tokens are .*, .*, and .*ssh, respectively.

The above configuration matches the following statements:

• system host-name hostname-ssh

• system services ssh

• system services outbound-ssh

The above configuration does not match the following statement:

• interfaces interface-name description ssh

It is easier to restrict configuration access with the deny-configuration statement than with the deny-configuration-regexps statement. Table 7 on page 59 illustrates the use of both the deny-configuration and deny-configuration-regexps statements in different configurations to achieve the same result of restricting access to a particular configuration.

Table 7: Restricting Configuration Access Using deny-configuration and deny-configuration-regexps Statements

Configuration Denied: xnm-ssl

Using deny-configuration:

[edit system]
login {
class test {
permissions configure;
allow-configuration .*;
deny-configuration .*xnm-ssl;
}
}

Using deny-configuration-regexps:

[edit system]
login {
class test {
permissions configure;
allow-configuration .*;
deny-configuration-regexps ".* .* .*-ssl";
}
}

Result: The following configuration statement is denied:

• system services xnm-ssl

Configuration Denied: ssh

Using deny-configuration:

[edit system]
login {
class test {
permissions configure;
allow-configuration .*;
deny-configuration ".*ssh";
}
}

Using deny-configuration-regexps:

[edit system]
login {
class test {
permissions configure;
allow-configuration .*;
deny-configuration-regexps ".*ssh";
deny-configuration-regexps ".* .*ssh";
deny-configuration-regexps ".* .* .*ssh";
}
}

Result: The following configuration statements are denied:

• system host-name hostname-ssh
• system services ssh
• system services outbound-ssh
• security ssh-known-host

Although the allow/deny-configuration statements are also useful when simple
configuration is desired, the allow/deny-configuration-regexps statements provide better
performance and overcome the ambiguity that existed when combining expressions set
in the allow/deny-configuration statements.
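The two matching styles compared above and in Table 7, modelled in Python as an added example that is not Juniper's code. It reuses this page's sample statements, the Class1 and Class2 expressions from the next example, and the allow-commands expression of the operator-and-install-but-no-bgp class; it assumes that a match is anchored at the start of the string or token but not at its end, and that a regexps expression with more tokens than the path does not match.

```python
import re

# Added example, not Juniper's code: a small model of the two matching styles
# this section describes for login-class regular expressions in Junos OS.
#
#  * allow/deny-configuration (and allow/deny-commands) take one extended
#    regular expression, or several joined with "|" and each wrapped in
#    parentheses, and match it against the full statement or command string.
#  * allow/deny-configuration-regexps split each expression on spaces into
#    tokens and match every token against the corresponding token of the
#    configuration path.
#
# Assumptions not stated on the page: a match is anchored at the start of the
# string or token but not at its end (so "$" is enforced only where written),
# and a regexps expression with more tokens than the path does not match.


def full_string_match(pattern: str, text: str) -> bool:
    """allow/deny-configuration and allow/deny-commands style: one regular
    expression against the whole statement or command."""
    return re.match(pattern, text) is not None


def token_match(pattern: str, path: str) -> bool:
    """allow/deny-configuration-regexps style: token against token, leading
    tokens only, so a short expression also covers deeper statements."""
    pat_tokens = pattern.split()
    path_tokens = path.split()
    if len(pat_tokens) > len(path_tokens):
        return False  # assumption: the path is too short to be matched
    return all(re.match(p, t) is not None for p, t in zip(pat_tokens, path_tokens))


def token_match_any(patterns, path: str) -> bool:
    """The [ "expr" "expr" ] set form: any expression in the set matches."""
    return any(token_match(p, path) for p in patterns)


# Constructed sample statements, taken from the match/no-match lists and from
# Table 7 in this section (the "options" and "ssh" examples).
OPTIONS_PATHS = [
    "policy-options condition condition dynamic-db",
    "routing-options static route static-route next-hop next-hop",
    "event-options generate-event event time-interval seconds",
    "system host-name host-options",
    "interfaces interface-name description options",
]
SSH_PATHS = [
    "system host-name hostname-ssh",
    "system services ssh",
    "system services outbound-ssh",
    "security ssh-known-host",
    "interfaces interface-name description ssh",
]


def regexps_matches(pattern: str, paths) -> list:
    """Return the statements a configuration-regexps expression matches."""
    return [p for p in paths if token_match(pattern, p)]


def deny_ssh_both_ways(path: str) -> tuple:
    """Table 7: the single full-string expression ".*ssh" versus the set of
    three token expressions needed to reach the first, second and third token.
    Returns (denied by deny-configuration, denied by deny-configuration-regexps);
    the full-string form also catches "ssh" at any depth, the token set does not."""
    by_configuration = full_string_match(".*ssh", path)
    by_regexps = token_match_any([".*ssh", ".* .*ssh", ".* .* .*ssh"], path)
    return by_configuration, by_regexps


if __name__ == "__main__":
    print(regexps_matches(".*options", OPTIONS_PATHS))
    print(regexps_matches(".* .* .*ssh", SSH_PATHS))
    for p in SSH_PATHS:
        print(p, deny_ssh_both_ways(p))
    # Class1 of the next example: allow-configuration limited to the interfaces hierarchy
    print(full_string_match("interfaces .* unit .*",
                            "interfaces ge-0/0/0 unit 0 family inet address 192.0.2.1/24"))
    # Class2 of the next example: deny-configuration-regexps [ "system" "protocols" ]
    print(token_match_any(["system", "protocols"], "system services ssh"))
    # operator-and-install-but-no-bgp: "$" stops "show route" covering its sub-commands
    cmd = "(request system software add)|(show route$)"
    print(full_string_match(cmd, "show route"), full_string_match(cmd, "show route summary"))
```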

NOTE: The allow/deny-configuration and allow/deny-configuration-regexps
statements are mutually exclusive and cannot be configured together for a
login class. At a given point in time, a login class can include either the
allow/deny-configuration statement, or the allow/deny-configuration-regexps
statement. If you have existing configurations using the
allow/deny-configuration statements, using the same configuration options
with the allow/deny-configuration-regexps statements might not produce the
same results, as the search and match methods differ in the two forms of
these statements.

Configuration Notes

When configuring the allow-configuration, deny-configuration, allow-configuration-regexps,
and deny-configuration-regexps statements with access privileges, take the following
into consideration:

• You can include one deny-configuration and one allow-configuration statement in each
login class.

• The allow/deny-configuration and allow/deny-configuration-regexps statements are
mutually exclusive and cannot be configured together for a login class. At a given point
in time, a login class can include either the allow/deny-configuration statement, or the
allow/deny-configuration-regexps statement. If you have existing configurations using
the allow/deny-configuration statements, using the same configuration options with
the allow/deny-configuration-regexps statements might not produce the same results,
as the search and match methods differ in the two forms of these statements.

• Explicitly allowing configuration mode hierarchies or regular expressions using the
allow-configuration statement adds to the regular permissions set using the permissions
statement. Likewise, explicitly denying configuration mode hierarchies or regular
expressions using the deny-configuration statement removes permissions for the
specified configuration mode hierarchy, from the default permissions provided by the
permissions statement.

For example, for the following configuration, the login class user can edit the
configuration at the [edit system services] hierarchy level and issue configuration mode
commands (such as commit), in addition to just entering the configuration mode using
the configure command, which is the permission specified by the configure permission
flag:

[edit system login]
user@host# set class test permissions configure allow-configuration "system services"

Likewise, for the following configuration, the login class user can perform all operations
allowed by the all permissions flag, except issuing configuration mode commands
(such as commit) or modifying the configuration at the [edit system services] hierarchy
level:

[edit system login]
user@host# set class test permissions all deny-configuration "system services"

• To define access privileges to parts of the configuration hierarchy, specify the full paths
in the extended regular expressions with the allow-configuration and deny-configuration
statements. Use parentheses around an extended regular expression that connects
two or more expressions with the pipe (|) symbol.

For example:

[edit system login]
user@host# set class test deny-configuration "(system login class)|(system services)"

• When specifying extended regular expressions using the allow/deny-commands and
allow/deny-configuration statements, each expression separated by a pipe (|) symbol
must be a complete standalone expression, and must be enclosed in parentheses ( ).
Do not use spaces between regular expressions separated with parentheses and
connected with the pipe (|) symbol.

For example:

[edit system login]
user@host# set class test allow-commands "(ping .*)|(traceroute .*)|(show .*)|(configure .*)|(edit)|(exit)|(commit)|(rollback .*)"
user@host# set class test deny-configuration "(system login class)|(system services)"

• When specifying extended regular expressions using the allow/deny-configuration-regexps statements, each expression enclosed within quotes (") and separated by a space must be enclosed in square brackets [ ].

For example:

[edit system login]
user@host# set class test allow-configuration-regexps [ "interfaces .* description .*" "interfaces .* unit .* description .*" "interfaces .* unit .* family inet address .*" "interfaces.* disable" ]

• If the exact same command is configured under both allow-configuration and
deny-configuration statements, then the allow operation takes precedence over the
deny statement.

For instance, with the following configuration, a user assigned to login class test is
allowed to access the [edit system services] configuration hierarchy, although the
deny-configuration statement also includes it:

[edit system login]
user@host# set class test allow-configuration "system services"
user@host# set class test deny-configuration "system services"

For instance, if a command or configuration is broadly allowed, for example by the all permissions flag, you can use the deny-configuration statement to deny access to a particular hierarchy.

• Modifiers such as set, log, and count are not supported within the regular expression
string to be matched. If a modifier is used, then nothing is matched.

Incorrect configuration:

[edit system login]
user@host# set class test deny-configuration "set protocols"

Correct configuration:

[edit system login]
user@host# set class test deny-configuration protocols

• You can use the * wildcard character when denoting regular expressions. However, it
must be used as a portion of a regular expression. You cannot use [ * ] or [ .* ] alone.

• You cannot configure the allow-configuration statement with the (interfaces (description
(|.*)) regular expression, as this evaluates to allow-configuration = .* regular expression.

• You can configure as many regular expressions as needed to be allowed or denied.
Regular expressions to be denied take precedence over configurations to be allowed.

Topology

Figure 3: Configuring TACACS+ Server Authentication

[Figure 3 (image g043487): Router R1 connected over a TCP connection to a TACACS+ server at 10.209.1.66/24]

Figure 3 on page 62 illustrates a simple topology, where Router R1 is a Juniper Networks
device and has a TCP connection established with a TACACS+ server.

In this example, R1 is configured with two customized login classes—Class1 and Class2—for
specifying access privileges with extended regular expressions using the
allow-configuration, deny-configuration, allow-configuration-regexps, and
deny-configuration-regexps statements differently.

The purpose of the login classes is as follows:

• Class1—Define access privileges for the user with the allow-configuration and
deny-configuration statements. This login class should provide access to configure
interfaces hierarchy only, and deny all other access on the device. To do this, the user
permissions should include configure to provide configuration access. In addition to
this, the allow-configuration statement should allow interfaces configuration, and the
deny-configuration statement should deny access to all other configurations. Because
the allow statement takes precedence over the deny statement, the users assigned
to the Class1 login class can access only the [edit interfaces] hierarchy level.

• Class2—Define access privileges for the user with the allow-configuration-regexps and
deny-configuration-regexps statements. This login class provides superuser-level user
permissions, and in addition, explicitly allows configuration under multiple hierarchy
levels for interfaces. It also denies configuration access to the [edit system] and [edit
protocols] hierarchy levels.

Router R1 has two users, User1 and User2, assigned to the Class1 and Class2 login classes,
respectively.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

R1

set system authentication-order tacplus
set system authentication-order radius
set system authentication-order password
set system radius-server 10.209.1.66 secret "$ABC123"
set system tacplus-server 10.209.1.66
set system radius-options enhanced-accounting
set system tacplus-options enhanced-accounting
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting traceoptions file auditlog
set system accounting traceoptions flag all
set system accounting destination tacplus server 10.209.1.66
set system login class Class1 permissions configure
set system login class Class1 allow-configuration "interfaces .* unit .*"
set system login class Class1 deny-configuration .*
set system login class Class2 permissions all
set system login class Class2 allow-configuration-regexps [ "interfaces .* description .*" "interfaces .* unit .* description .*" "interfaces .* unit .* family inet address .*" "interfaces.* disable" ]
set system login class Class2 deny-configuration-regexps [ "system" "protocols" ]
set system login user User1 uid 2004
set system login user User1 class Class1
set system login user User1 authentication encrypted-password "$ABC123"
set system login user User2 uid 2006
set system login user User2 class Class2
set system login user User2 authentication encrypted-password "$ABC123"
set system syslog file messages any any

Configuring Authentication Parameters for Router R1

Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration
hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.

To configure Router R1 authentication:

1. Configure the order in which authentication should take place for R1. In this example,
TACACS+ server authentication is first, followed by RADIUS server authentication,
then the local password.

[edit system]
user@R1# set authentication-order tacplus
user@R1# set authentication-order radius
user@R1# set authentication-order password


2. Establish R1 connection with the TACACS+ server.

[edit system]
user@R1# set tacplus-server 10.209.1.66
user@R1# set tacplus-options enhanced-accounting
user@R1# set accounting destination tacplus server 10.209.1.66

3. Configure RADIUS server authentication parameters.

[edit system]
user@R1# set radius-server 10.209.1.66 secret "$ABC123"
user@R1# set radius-options enhanced-accounting

4. Configure the R1 accounting configuration parameters.

[edit system]
user@R1# set accounting events login
user@R1# set accounting events change-log
user@R1# set accounting events interactive-commands
user@R1# set accounting traceoptions file auditlog
user@R1# set accounting traceoptions flag all

Configuring Access Privileges with allow-configuration and deny-configuration
Statements (Class1)

Step-by-Step Procedure
To specify regular expressions using the allow-configuration and deny-configuration
statements:

1. Configure the Class1 custom login class and assign configuration user permissions.

[edit system login]
user@R1# set class Class1 permissions configure

2. Specify the regular expression in the allow-configuration statement to allow
configuration at the [edit interfaces] hierarchy level. To allow set commands at the
[edit interfaces] hierarchy level, the regular expression used is interfaces .* unit .*.

[edit system login]
user@R1# set class Class1 allow-configuration "interfaces .* unit .*"

3. Specify the regular expression in the deny-configuration statement to disable all
other configuration access. The regular expression used to deny all configuration access
is .*.

[edit system login]
user@R1# set class Class1 deny-configuration .*

4. Configure the user account for the Class1 login class.

[edit system login]
user@R1# set user User1 uid 2004
user@R1# set user User1 class Class1
user@R1# set user User1 authentication encrypted-password "$ABC123"


Configuring Access Privileges with allow-configuration-regexps and
deny-configuration-regexps Statements (Class2)

Step-by-Step Procedure
To specify regular expressions using the allow-configuration-regexps and
deny-configuration-regexps statements:

1. Configure the Class2 custom login class and assign superuser (all) user permissions.
For information on the predefined system login classes, see Junos OS Login Classes
Overview.

[edit system login]
user@R1# set class Class2 permissions all

2. Specify the regular expression to allow access to multiple hierarchies under the
[edit interfaces] hierarchy level.

[edit system login]
user@R1# set class Class2 allow-configuration-regexps [ "interfaces .* description .*" "interfaces .* unit .* description .*" "interfaces .* unit .* family inet address .*" "interfaces.* disable" ]

3. Specify the regular expression to deny configuration at the [edit system] and [edit
protocols] hierarchy levels.

[edit system login]
user@R1# set class Class2 deny-configuration-regexps [ "system" "protocols" ]

4. Configure the user account for the Class2 login class.

[edit system login]
user@R1# set user User2 uid 2006
user@R1# set user User2 class Class2
user@R1# set user User2 authentication encrypted-password "$ABC123"

Results

From configuration mode, confirm your configuration by entering the show system
command. If the output does not display the intended configuration, repeat the
instructions in this example to correct the configuration.

user@R1# show system
authentication-order [ tacplus radius password ];
radius-server {
10.209.1.66 secret "$ABC123";
}
tacplus-server {
10.209.1.66;
}
radius-options {
enhanced-accounting;
}
tacplus-options {


enhanced-accounting;
}
accounting {
events [ login change-log interactive-commands ];
traceoptions {
file auditlog;
flag all;
}
destination {
tacplus {
server {
10.209.1.66;
}
}
}
}
login {
class Class1 {
permissions configure;
allow-configuration "interfaces .* unit .*";
deny-configuration .*;
}
class Class2 {
permissions all;
allow-configuration-regexps [ "interfaces .* description .*" "interfaces .* unit .* description .*" "interfaces .* unit .* family inet address .*" "interfaces.* disable" ];
deny-configuration-regexps [ "system" "protocols" ];
}
user User1 {
uid 2004;
class Class1;
authentication {
encrypted-password "$ABC123";
}
}
user User2 {
uid 2006;
class Class2;
authentication {
encrypted-password "$ABC123";
}
}
}
syslog {
file messages {
any any;
}
}


Verification
Log in as the username assigned with the new login class, and confirm that the
configuration is working properly.

• Verifying Class1 Configuration on page 67
• Verifying Class2 Configuration on page 67

Verifying Class1 Configuration

Purpose: Verify that the permissions allowed in the Class1 login class are working.

Action: From the CLI prompt, check the available permissions.

User1@R1> ?
Possible completions:
clear Clear information in the system
configure Manipulate software configuration information
file Perform file operations
help Provide help information
load Load information from file
op Invoke an operation script
quit Exit the management session
request Make system-level requests
save Save information to file
set Set CLI properties, date/time, craft interface message
start Start shell
test Perform diagnostic debugging

From the configuration mode, check the available configuration permissions.

User1@R1# edit ?
Possible completions:
> interfaces Interface configuration

Meaning: User1 has the configure user permission, as seen in the first output, and the only
configuration access allowed for User1 is at the [edit interfaces] hierarchy level. All other
configuration is denied, as seen in the second output.

Verifying Class2 Configuration

Purpose: Verify that the Class2 configuration is working.

Action: From configuration mode, access the interfaces configuration.

[edit interfaces]
User2@R1# set ?
Possible completions:
<interface-name> Interface name
+ apply-groups Groups from which to inherit configuration data


+ apply-groups-except Don't inherit configuration data from these groups
ge-0/0/3 Interface name
> interface-range Interface ranges configuration
> interface-set Logical interface set configuration
> traceoptions Interface trace options

From the configuration mode, access the system and protocols configuration hierarchies.

User2@R1# edit system
               ^
Syntax error, expecting <statement> or <identifier>.

User2@R1# edit protocols
               ^
Syntax error, expecting <statement> or <identifier>.

Meaning: User2 has permission to configure the interfaces of R1, but access to the [edit system]
and [edit protocols] hierarchy levels is denied, as seen in the output.

Related Documentation
• Understanding Junos OS Access Privilege Levels on page 7

• Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands,
Configuration Statements, and Hierarchies

• Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands, Configuration Statements, and Hierarchies on page 68

Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands, Configuration Statements, and Hierarchies

Supported Platforms: EX Series, M Series, MX Series, SRX Series, T Series, vSRX

This example shows how to configure custom login classes and assign access privileges
for operational mode commands and to portions of the configuration hierarchy. This
enables users of the customized login class to execute only those commands and access
only those configuration statements and hierarchies for which access privileges have
been specified. This prevents unauthorized users from executing sensitive commands
or accessing device configurations that could potentially cause damage to the network.

• Requirements on page 69
• Overview and Topology on page 69
• Configuration on page 73
• Verification on page 76


Requirements
This example uses the following hardware and software components:

• One Juniper Networks device

• One TACACS+ (or RADIUS) server

• Junos OS build running on the Juniper Networks device

Before you begin:

• Establish a TCP connection between the device and the TACACS+ server. In the case
of the RADIUS server, establish a UDP connection between the device and the RADIUS
server.

For information on configuring a TACACS+ server, see “Configuring TACACS+
Authentication” on page 343.

• Configure at least one user assigned to a login class on the Juniper Networks device.
There can be more than one login class, each with varying permission configurations,
and more than one user on the device.

Overview and Topology

Each top-level command-line interface (CLI) command and each configuration statement
in Junos OS has an access privilege level associated with it. For each login class, you can
explicitly deny or allow the use of operational and configuration mode commands that
would otherwise be permitted or not allowed by a privilege level. Users can execute only
those commands and configure and view only those statements for which they have
access privileges. To configure access privilege levels, include the permissions statement
at the [edit system login class class-name] hierarchy level.

The access privileges for each login class are defined by one or more permission flags
specified in the permissions statement. In addition to this, you can specify extended
regular expressions with the following statements:

• allow-commands and deny-commands—Allow or deny access to operational mode
commands only.

• allow-configuration and deny-configuration—Allow or deny access to a particular
configuration hierarchy only.

• allow-configuration-regexps and deny-configuration-regexps—Allow or deny access to
a particular configuration hierarchy only using strings of regular expressions.

The above statements define a user’s access privileges to individual operational mode
commands, configuration statements, and hierarchies. These statements take precedence
over a login class permissions bit set for a user.

Configuration Notes

When configuring the allow-commands, deny-commands, allow-configuration, and
deny-configuration statements with access privileges, take the following into
consideration:

• You can include the allow/deny statement only once in each login class.

• If the exact same command is configured under both the allow-commands and
deny-commands statements, or both the allow-configuration and deny-configuration
statements, then the allow operation takes precedence over the deny statement.

For instance, with the following configuration, a user assigned to login class test is
allowed to install software using the request system software add command, although
the deny-commands statement also includes it:

[edit system login]
user@host# set class test allow-commands "request system software add"
user@host# set class test deny-commands "request system software add"

For instance, with the following configuration, a user assigned to login class test is
allowed to access the [edit system services] configuration hierarchy, although the
deny-configuration statement also includes it:

[edit system login]
user@host# set class test allow-configuration "system services"
user@host# set class test deny-configuration "system services"

• If you specify a regular expression for the allow-commands and deny-commands statements
with two different variants of a command, the longest match is always executed.

For instance, with the following configuration, a user assigned to the test login class is
allowed to execute the commit synchronize command but not the commit command. This is
because commit synchronize is the longer match of the two expressions, and it is
specified for allow-commands.

[edit system login]
user@host# set class test allow-commands "commit synchronize"
user@host# set class test deny-commands commit

• Regular expressions for the allow-commands and deny-commands statements can also
include the commit, load, rollback, save, status, and update commands.

• Explicitly allowing configuration mode hierarchies or regular expressions using the
allow-configuration statement adds to the regular permissions set using the permissions
statement. Likewise, explicitly denying configuration mode hierarchies or regular
expressions using the deny-configuration statement removes permissions for the
specified configuration mode hierarchy from the default permissions provided by the
permissions statement.

For example, for the following configuration, the login class user can edit the
configuration at the [edit system services] hierarchy level and issue configuration mode
commands (such as commit), in addition to just entering the configuration mode using
the configure command, which is the permission specified by the configure permission
flag:

[edit system login]
user@host# set class test permissions configure
user@host# set class test allow-configuration "system services"


Likewise, for the following configuration, the login class user can perform all operations
allowed by the all permissions flag, except issuing configuration mode commands
(such as commit) or modifying the configuration at the [edit system services] hierarchy
level:

[edit system login]
user@host# set class test permissions all
user@host# set class test deny-configuration "system services"

• The allow/deny-configuration and allow/deny-configuration-regexps statements are
mutually exclusive and cannot be configured together for a login class. At a given point
in time, a login class can include either the allow/deny-configuration statement or the
allow/deny-configuration-regexps statement. If you have existing configurations using
the allow/deny-configuration statements, using the same configuration options with
the allow/deny-configuration-regexps statements might not produce the same results,
as the search and match methods differ in the two forms of these statements.

• To define access privileges to parts of the configuration hierarchy, specify the full paths
in the extended regular expressions with the allow-configuration and deny-configuration
statements. Use parentheses around an extended regular expression that connects
two or more expressions with the pipe (|) symbol.

For example:

[edit system login]
user@host# set class test deny-configuration "(system login class)|(system services)"

• If the regular expression contains any spaces, operators, or wildcard characters, enclose
the expression in quotation marks. Regular expressions are not case-sensitive; for
example, allow-commands "show interfaces".

• Modifiers such as set, log, and count are not supported within the regular expression
string to be matched. If a modifier is used, then nothing is matched.

Incorrect configuration:

[edit system login]
user@host# set class test deny-commands "set protocols"

Correct configuration:

[edit system login]
user@host# set class test deny-commands protocols

• Anchors are required when specifying complex regular expressions with the
allow-commands statement.

For example:

[edit system login]
user@host# set class test allow-commands "(^monitor)|(^ping)|(^show)|(^exit)"

OR

user@host# set class test allow-commands "^(monitor|ping|show|exit)"

• When specifying extended regular expressions using the allow/deny-commands and
allow/deny-configuration statements, each expression separated by a pipe (|) symbol
must be a complete standalone expression, and must be enclosed in parentheses ( ).
Do not use spaces between regular expressions separated with parentheses and
connected with the pipe (|) symbol.

For example:

[edit system login]
user@host# set class test allow-commands "(ping .*)|(traceroute .*)|(show .*)|(configure .*)|(edit)|(exit)|(commit)|(rollback .*)"
user@host# set class test deny-configuration "(system login class)|(system services)"

• When specifying extended regular expressions using the
allow/deny-configuration-regexps statements, each expression enclosed within quotes
(") and separated by a space must be enclosed in square brackets [ ].

For example:

[edit system login]
user@host# set class test allow-configuration-regexps [ "interfaces .* description .*" "interfaces .* unit .* description .*" "interfaces .* unit .* family inet address .*" "interfaces.* disable" ]

• You can use the * wildcard character when denoting regular expressions. However, it
must be used as a portion of a regular expression. You cannot use [ * ] or [ .* ] alone.

• You cannot configure the allow-configuration statement with the (interfaces (description
(|.*))) regular expression, as this evaluates to the allow-configuration = .* regular expression.

• You can configure as many regular expressions as needed to be allowed or denied.
Regular expressions to be denied take precedence over configurations to be allowed.
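As an added example (not Juniper code), the following Python script lints login-class set commands, such as the Class1/Class2 configuration above and the class test snippets in these notes, against the rules just listed: one allow/deny statement per class, allow/deny-configuration not mixed with the -regexps form, no set/log/count modifiers, no spaces around the pipe, and no bare wildcard list. The sample configuration is constructed for the example, and the class named Bad is hypothetical.

```python
"""Lint Junos login-class 'set' commands against the configuration notes above.

Added example, not Juniper code: it checks what a login class declares, not
how the device evaluates the expressions at run time.
"""
import re
import shlex
from collections import defaultdict

REGEX_STATEMENTS = {
    "allow-commands", "deny-commands",
    "allow-configuration", "deny-configuration",
    "allow-configuration-regexps", "deny-configuration-regexps",
}
# Modifiers the notes say are not supported inside an expression (nothing matches).
UNSUPPORTED_MODIFIERS = {"set", "log", "count"}


def parse_login_classes(config_text):
    """Return {class_name: {statement: [value_list, ...]}} from 'set system login class' lines.

    A bracketed list ([ "a" "b" ]) becomes one value list; every occurrence of a
    statement is kept so that repeats can be reported.
    """
    classes = defaultdict(lambda: defaultdict(list))
    for line in config_text.splitlines():
        tokens = shlex.split(line)
        if tokens[:4] != ["set", "system", "login", "class"] or len(tokens) < 6:
            continue
        name, statement, values = tokens[4], tokens[5], tokens[6:]
        classes[name][statement].append([v for v in values if v not in ("[", "]")])
    return classes


def check_expression(expression):
    """Findings for a single regular expression."""
    messages = []
    tokens = expression.split()
    if tokens and tokens[0] in UNSUPPORTED_MODIFIERS:
        messages.append(f"leading modifier '{tokens[0]}' is not supported and matches nothing")
    if re.search(r"\s\||\|\s", expression):
        messages.append("spaces next to '|' in an alternation; write (a)|(b) without spaces")
    return messages


def lint_login_classes(classes):
    """Return a list of (class_name, finding) tuples."""
    findings = []
    for name, statements in classes.items():
        # Each allow/deny statement may be included only once per login class.
        for statement, occurrences in statements.items():
            if statement in REGEX_STATEMENTS and len(occurrences) > 1:
                findings.append((name, f"{statement} configured {len(occurrences)} times; "
                                       "only one per class is allowed"))
        # allow/deny-configuration and the -regexps form are mutually exclusive.
        present = set(statements)
        if present & {"allow-configuration", "deny-configuration"} and \
                present & {"allow-configuration-regexps", "deny-configuration-regexps"}:
            findings.append((name, "allow/deny-configuration mixed with "
                                   "allow/deny-configuration-regexps (mutually exclusive)"))
        for statement, occurrences in statements.items():
            if statement not in REGEX_STATEMENTS:
                continue
            for values in occurrences:
                # [ * ] or [ .* ] alone is not allowed; the wildcard must be part of a larger expression.
                if statement.endswith("-regexps") and values and all(v in ("*", ".*") for v in values):
                    findings.append((name, f"{statement} is a bare wildcard list"))
                for expression in values:
                    for message in check_expression(expression):
                        findings.append((name, f"{statement} {expression!r}: {message}"))
    return findings


def lint_config_text(config_text):
    """Parse and lint in one step."""
    return lint_login_classes(parse_login_classes(config_text))


# Constructed sample: Class1 and Class2 mirror the example on this page; the
# hypothetical class Bad collects the mistakes the configuration notes warn about.
SAMPLE_CONFIG = """\
set system login class Class1 permissions configure
set system login class Class1 allow-configuration "interfaces .* unit .*"
set system login class Class1 deny-configuration .*
set system login class Class2 permissions all
set system login class Class2 allow-configuration-regexps [ "interfaces .* description .*" "interfaces .* unit .* family inet address .*" ]
set system login class Class2 deny-configuration-regexps [ "system" "protocols" ]
set system login class Bad permissions view
set system login class Bad deny-commands "set protocols"
set system login class Bad allow-commands "(^monitor) | (^ping)"
set system login class Bad allow-commands "(^show)"
set system login class Bad allow-configuration "system services"
set system login class Bad deny-configuration-regexps [ .* ]
"""

if __name__ == "__main__":
    for class_name, finding in lint_config_text(SAMPLE_CONFIG):
        print(f"{class_name}: {finding}")
```

Class1 and Class2 produce no findings; every finding comes from the hypothetical class Bad.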

Topology

Figure 4: Configuring TACACS+ Server Authentication
[Figure: Router R1 connected over a TCP connection to a TACACS+ server at 10.209.1.66/24]
Figure 4 on page 72 illustrates a simple topology, where Router R1 is a Juniper Networks
device and has a TCP connection established with a TACACS+ server. In this example,
R1 has a customized login class, Class1, with an associated login user, User1.

The purpose of the Class1 login class is to provide security user permission with access
to only the configure command, and deny access to all other operational mode commands.
The login class again filters the configuration access to only group VPN configuration
under the [edit security] hierarchy, and denies access to the multi-chassis configuration
statement, which is allowed with the security user permissions.

User1 is the login user assigned to the Class1 login class.


Configuration

CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

R1
set system authentication-order tacplus
set system authentication-order radius
set system authentication-order password
set system ports console log-out-on-disconnect
set system radius-server 10.209.1.66 secret "$ABC123"
set system tacplus-server 10.209.1.66
set system radius-options enhanced-accounting
set system tacplus-options enhanced-accounting
set system accounting events login
set system accounting events change-log
set system accounting events interactive-commands
set system accounting traceoptions file auditlog
set system accounting traceoptions flag all
set system accounting destination tacplus server 10.209.1.66
set system login class Class1 permissions security
set system login class Class1 allow-commands configure
set system login class Class1 deny-commands .*
set system login class Class1 allow-configuration "security group-vpn"
set system login class Class1 deny-configuration multi-chassis
set system login user User1 uid 2005
set system login user User1 class Class1
set system login user User1 authentication encrypted-password "$ABC123"

Configuring Authentication Parameters for Router R1

Step-by-Step Procedure
The following example requires that you navigate various levels in the configuration
hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.

To configure Router R1 authentication:

1. Configure the order in which authentication should take place for R1. In this example,
TACACS+ server authentication is first, followed by RADIUS server authentication,
then the local password.

[edit system]
user@R1# set authentication-order tacplus
user@R1# set authentication-order radius
user@R1# set authentication-order password

2. Establish R1 connection with the TACACS+ server.

[edit system]
user@R1# set tacplus-server 10.209.1.66
user@R1# set tacplus-options enhanced-accounting
user@R1# set accounting destination tacplus server 10.209.1.66


3. Configure RADIUS server authentication parameters.

[edit system]
user@R1# set radius-server 10.209.1.66 secret "$ABC123"
user@R1# set radius-options enhanced-accounting

4. Configure the R1 accounting configuration parameters.

[edit system]
user@R1# set accounting events login
user@R1# set accounting events change-log
user@R1# set accounting events interactive-commands
user@R1# set accounting traceoptions file auditlog
user@R1# set accounting traceoptions flag all

Configuring Access Privileges with Regular Expressions

Step-by-Step Procedure
To specify regular expressions for user permissions with access privileges:

1. Configure the Class1 custom login class and assign security user permissions.

[edit system login]
user@R1# set class Class1 permissions security

2. Specify the regular expression in the allow-commands statement to allow entering
configuration mode.

[edit system login]
user@R1# set class Class1 allow-commands configure

3. Specify the regular expression in the deny-commands statement to disable access
to all other operational mode commands. The regular expression used to deny all
access is deny-commands .*.

[edit system login]
user@R1# set class Class1 deny-commands .*

4. Specify the regular expression in the allow-configuration statement to allow access
to the group VPN configuration at the [edit security] hierarchy level.

[edit system login]
user@R1# set class Class1 allow-configuration "security group-vpn"

5. Specify the regular expression in the deny-configuration statement to disable access
to the multi-chassis configuration statement.

[edit system login]
user@R1# set class Class1 deny-configuration multi-chassis

6. Configure the user account for the Class1 login class.

[edit system login]
user@R1# set user User1 uid 2005
user@R1# set user User1 class Class1
user@R1# set user User1 authentication encrypted-password "$ABC123"

Results

From configuration mode, confirm your configuration by entering the show system
command. If the output does not display the intended configuration, repeat the
instructions in this example to correct the configuration.

user@R1# show system
authentication-order [ tacplus radius password ];
ports {
console log-out-on-disconnect;
}
radius-server {
10.209.1.66 secret "$ABC123";
}
tacplus-server {
10.209.1.66;
}
radius-options {
enhanced-accounting;
}
tacplus-options {
enhanced-accounting;
}
accounting {
events [ login change-log interactive-commands ];
traceoptions {
file auditlog;
flag all;
}
destination {
tacplus {
server {
10.209.1.66;
}
}
}
}
login {
class Class1 {
permissions security;
allow-commands configure;
deny-commands .*;
allow-configuration "security group-vpn";
deny-configuration multi-chassis;
}
user User1 {
uid 2005;
class Class1;
authentication {
encrypted-password "$ABC123";
}


}
}

Verification
Log in as the username assigned with the new login class, and confirm that the
configuration is working properly.

• Verifying Class1 Configuration on page 76

Verifying Class1 Configuration

Purpose: Verify that the permissions and regular expressions allowed in the Class1 login class
are working.

Action: From the CLI prompt, view the allowed user permissions.

User1@R1> ?
Possible completions:
configure Manipulate software configuration information

From the configuration mode, enter the [edit security] hierarchy and view the allowed
configuration statements.

[edit security]
User1@R1# edit ?
Possible completions:
> group-vpn Group VPN configuration

From the configuration mode, enter the multi-chassis configuration statement.

User1@R1# edit multi-chassis
               ^
Syntax error, expecting <statement> or <identifier>.

Meaning: User1 has security user permissions, which allow the user to view the security
configuration in configuration mode and with the show configuration operational mode
command. However, this has been altered with the allow-commands and deny-commands
statements, where User1 is able to enter configuration mode with the configure command
in the allow-commands statement, and is denied access to all other operational mode
commands with the use of the deny-commands .* statement. As a result, even the show
configuration command, which was allowed with the security user permissions, is now
denied. This is displayed in the first output.

In the second output, the allow-configuration statement takes effect, and the only allowed
configuration under the [edit security] hierarchy level is for group VPN.

In the last output, the deny-configuration statement takes effect, and the multi-chassis
configuration statement that is allowed with the security user permissions is denied for
User1.


Related Documentation
• Understanding Junos OS Access Privilege Levels on page 7

• Regular Expressions for Allowing and Denying Junos OS Operational Mode Commands,
Configuration Statements, and Hierarchies

• Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 56



CHAPTER 4

Permissions Flags for User Access Privileges

• Access Privilege User Permission Flags Overview on page 80
• access on page 82
• access-control on page 85
• admin on page 86
• admin-control on page 90
• all-control on page 91
• clear on page 91
• configure on page 161
• control on page 161
• field on page 162
• firewall on page 162
• firewall-control on page 166
• floppy on page 167
• flow-tap on page 167
• flow-tap-control on page 171
• flow-tap-operation on page 171
• idp-profiler-operation on page 172
• interface on page 172
• interface-control on page 176
• maintenance on page 177
• network on page 185
• pgcp-session-mirroring on page 187
• pgcp-session-mirroring-control on page 191
• reset on page 191
• rollback on page 192
• secret on page 192


• secret-control on page 197
• security on page 198
• security-control on page 205
• shell on page 208
• snmp on page 208
• system on page 212
• system-control on page 217
• trace on page 219
• trace-control on page 227
• view on page 232
• view-configuration on page 334

Access Privilege User Permission Flags Overview

Supported Platforms: EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Permission flags are used to grant a user access to operational mode commands and
configuration hierarchy levels and statements. By specifying a specific permission flag
on the user's login class at the [edit system login class] hierarchy level, you grant the user
access to the corresponding commands and configuration hierarchy levels and
statements. To grant access to all commands and configuration statements, use the all
permissions flag.

For permission flags that grant access to configuration hierarchy levels and statements,
the flags grant read-only privilege to that configuration. For example, the interface
permissions flag grants read-only access to the [edit interfaces] hierarchy level. The
-control form of the flag grants read-write access to that configuration. Using the
preceding example, interface-control grants read-write access to the [edit interfaces]
hierarchy level.

The permission flags listed in "Related Documentation" grant a specific set of access
privileges. Each permission flag is listed with the operational mode commands and
configuration hierarchy levels and statements for which that flag grants access.

NOTE: Each command listed represents that command and all subcommands
with that command as a prefix. Each configuration statement listed represents
the top of the configuration hierarchy to which that flag grants access.

Related Documentation
• Understanding Junos OS Access Privilege Levels on page 7

• access on page 82

• access-control on page 85

• admin on page 86

• admin-control on page 90


• all-control on page 91

• clear on page 91

• configure on page 161

• control on page 161

• field on page 162

• firewall on page 162

• firewall-control on page 166

• floppy on page 167

• flow-tap on page 167

• flow-tap-operation on page 171

• idp-profiler-operation on page 172

• interface on page 172

• interface-control on page 176

• maintenance on page 177

• network on page 185

• pgcp-session-mirroring on page 187

• pgcp-session-mirroring-control on page 191

• reset on page 191

• rollback on page 192

• secret on page 192

• secret-control on page 197

• security on page 198

• security-control on page 205

• shell on page 208

• snmp on page 208

• system on page 212

• system-control on page 217

• trace on page 219

• trace-control on page 227

• view on page 232

• view-configuration on page 334

Copyright © 2017, Juniper Networks, Inc. 81


Administration Guide for Security Devices

access

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can view the access configuration in configuration mode.

Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>

Configuration Hierarchy Levels
[edit access]
[edit access diameter]
[edit access ppp-options]
[edit access radius]
[edit dynamic-profile]
[edit logical-systems access]
[edit logical-systems routing-instances instance system services static-subscribers access-profile]
[edit logical-systems routing-instances instance system services static-subscribers dynamic-profile]
[edit logical-systems routing-instances instance system services static-subscribers group access-profile]
[edit logical-systems routing-instances instance system services static-subscribers group dynamic-profile]
[edit logical-systems system services static-subscribers access-profile]
[edit logical-systems system services static-subscribers dynamic-profile]
[edit logical-systems system services static-subscribers group access-profile]
[edit logical-systems system services static-subscribers group dynamic-profile]
[edit routing-instances instance system services static-subscribers access-profile]
[edit routing-instances instance system services static-subscribers dynamic-profile]
[edit routing-instances instance system services static-subscribers group access-profile]
[edit routing-instances instance system services static-subscribers group dynamic-profile]
[edit system services extensible-subscriber-services access-profile]
[edit system services static-subscribers access-profile]
[edit system services static-subscribers dynamic-profile]
[edit system services static-subscribers group access-profile]
[edit system services static-subscribers group dynamic-profile]
[edit unified-edge]

Related Documentation

• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

• access-control on page 85

access-control

Supported Platforms EX Series, M Series, MX Series, SRX Series, T Series, vSRX

Can view access configuration information. Can edit access configuration at the [edit
access], [edit logical-systems], [edit routing-instances], and [edit system services] hierarchy
levels.

Configuration Hierarchy Levels
[edit access]
[edit access ppp-options]
[edit dynamic-profile]
[edit logical-systems access]
[edit logical-systems routing-instances instance system services static-subscribers access-profile]
[edit logical-systems routing-instances instance system services static-subscribers dynamic-profile]
[edit logical-systems routing-instances instance system services static-subscribers group access-profile]
[edit logical-systems routing-instances instance system services static-subscribers group dynamic-profile]
[edit logical-systems system services static-subscribers access-profile]
[edit logical-systems system services static-subscribers dynamic-profile]
[edit logical-systems system services static-subscribers group access-profile]
[edit logical-systems system services static-subscribers group dynamic-profile]
[edit routing-instances instance system services static-subscribers access-profile]
[edit routing-instances instance system services static-subscribers dynamic-profile]
[edit routing-instances instance system services static-subscribers group access-profile]
[edit routing-instances instance system services static-subscribers group dynamic-profile]
[edit system services static-subscribers access-profile]
[edit system services static-subscribers dynamic-profile]
[edit system services static-subscribers group access-profile]
[edit system services static-subscribers group dynamic-profile]

Related Documentation

• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

• access on page 82

admin

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can view user account information in configuration mode.

Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
show system audit

Configuration Hierarchy Levels
[edit protocols uplink-failure-detection]
[edit system]
[edit system accounting]
[edit system diag-port-authentication]
[edit system extensions]
[edit system login]
[edit system pic-console-authentication]
[edit system root-authentication]
[edit system services ssh authorized-keys-command]
[edit system services ssh authorized-keys-command-user]
[edit system services ssh ciphers]
[edit system services ssh client-alive-count-max]
[edit system services ssh client-alive-interval]
[edit system services ssh fingerprint-hash]
[edit system services ssh hostkey-algorithm]
[edit system services ssh key-exchange]
[edit system services ssh macs]
[edit system services ssh max-sessions-per-connection]
[edit system services ssh no-tcp-forwarding]
[edit system services ssh protocol-version]
[edit system services ssh root-login]
[edit system services ssh tcp-forwarding]
[edit unified-edge]

Related Documentation

• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

• admin-control on page 90

admin-control

Supported Platforms EX Series, M Series, MX Series, SRX Series, T Series, vSRX

Can view user account information and configure it at the [edit system] hierarchy level.

Commands show system audit

Configuration Hierarchy Levels
[edit protocols uplink-failure-detection]
[edit system]
[edit system accounting]
[edit system diag-port-authentication]
[edit system extensions]
[edit system login]
[edit system pic-console-authentication]
[edit system root-authentication]
[edit system services ssh ciphers]
[edit system services ssh hostkey-algorithm]
[edit system services ssh key-exchange]
[edit system services ssh macs]
[edit system services ssh protocol-version]
[edit system services ssh root-login]

Related Documentation

• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

• admin on page 86

all-control

Supported Platforms EX Series, M Series, MX Series, SRX Series, T Series, vSRX

Can access all operational mode commands and configuration mode commands, and can
modify the configuration at every configuration hierarchy level.

Commands All CLI commands.

Configuration Hierarchy Levels All CLI configuration hierarchy levels and statements.

Related Documentation

• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

clear

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can clear (delete) information learned from the network that is stored in various network
databases.

Commands clear
clear access-security
clear access-security router-advertisement-entries
<clear-as-router-advetisement-entry>
clear amt
clear amt statistics
<clear-amt-statistics>
clear amt tunnel
<clear-amt-tunnel>
clear amt tunnel gateway-address
<clear-amt-tunnel-gateway-address>
clear amt tunnel statistics
<clear-amt-tunnel-statistics>
clear amt tunnel statistics gateway-address
<clear-amt-tunnel-gateway-address-statistics>
clear amt tunnel statistics tunnel-interface
<clear-amt-tunnel-interface-statistics>
clear amt tunnel tunnel-interface
<clear-amt-tunnel-interface>
clear ancp
clear ancp neighbor
<clear-ancp-neighbor-connection>
clear ancp statistics
<clear-ancp-statistics>
clear ancp subscriber
<clear-ancp-subscriber-connection>
clear-appqos-counter
<clear-appqos-rate-limiters-statistics>
clear-appqos-rate-limiter-statistics
clear-appqos-rule-statistics
clear arp
<clear-arp-table>
clear auto-configuration
clear auto-configuration interfaces
<clear-auto-configuration-interfaces>
clear bfd
clear bfd adaptation
<clear-bfd-adaptation-information>
clear bfd adaptation address
<clear-bfd-adaptation-address>
clear bfd adaptation discriminator
<clear-bfd-adaptation-discriminator>
clear bfd session
<clear-bfd-session-information>
clear bfd session address
<clear-bfd-session-address>
clear bfd session discriminator
<clear-bfd-session-discriminator>
clear bgp
clear bgp damping
<clear-bgp-damping>
clear bgp neighbor
<clear-bgp-neighbor>
clear bgp table
<clear-bgp-table>
clear bridge
clear bridge evpn
clear bridge evpn arp-table
<clear-bridge-evpn-arp-table>
clear bridge evpn nd-table
<clear-bridge-evpn-nd-table>
clear bridge mac-table
<clear-bridge-mac-table>
clear bridge mac-table interface
<clear-bridge-interface-mac-table>
clear bridge recovery-timeout
<clear-bridge-recovery>
clear bridge recovery-timeout interface
<clear-bridge-recovery-interface>
clear bridge satellite
clear bridge satellite logging
<clear-satellite-control-logging>
clear bridge satellite vlan-auto-sense
<clear-satellite-control-plane-vlan-auto-sense>
clear captive-portal
clear captive-portal firewall
<clear-captive-portal-firewall>
clear captive-portal firewall interface
<clear-captive-portal-firewall-interface>
clear captive-portal interface
<clear-captive-portal-interface-session>
clear captive-portal mac-address
<clear-captive-portal-mac-session>
clear cli
clear cli logical-system
<clear-cli-logical-system>
clear database-replication
clear database-replication statistics
<clear-database-replication-statistics-information>
clear ddos-protection
clear ddos-protection protocols
clear ddos-protection protocols all-fiber-channel-enode
clear ddos-protection protocols all-fiber-channel-enode aggregate
clear ddos-protection protocols all-fiber-channel-enode aggregate culprit-flows
<clear-ddos-all-fc-enode-aggregate-flows>
clear ddos-protection protocols all-fiber-channel-enode aggregate states
<clear-ddos-all-fc-enode-aggregate-states>
clear ddos-protection protocols all-fiber-channel-enode aggregate statistics
<clear-ddos-all-fc-enode-aggregate-statistics>
clear ddos-protection protocols all-fiber-channel-enode culprit-flows
<clear-ddos-all-fc-enode-flows>
clear ddos-protection protocols all-fiber-channel-enode states
<clear-ddos-all-fc-enode-states>
clear ddos-protection protocols all-fiber-channel-enode statistics
<clear-ddos-all-fc-enode-statistics>
clear ddos-protection protocols amtv4
clear ddos-protection protocols amtv4 aggregate
clear ddos-protection protocols amtv4 aggregate culprit-flows
clear ddos-protection protocols amtv4 aggregate states
clear ddos-protection protocols amtv4 aggregate statistics
clear ddos-protection protocols amtv4 culprit-flows
clear ddos-protection protocols amtv4 states
clear ddos-protection protocols amtv4 statistics
clear ddos-protection protocols amtv6
clear ddos-protection protocols amtv6 aggregate
clear ddos-protection protocols amtv6 aggregate culprit-flows
<clear-ddos-amtv6-aggregate-flows>
clear ddos-protection protocols amtv6 aggregate states
<clear-ddos-amtv6-aggregate-states>
clear ddos-protection protocols amtv6 aggregate statistics
<clear-ddos-amtv6-aggregate-statistics>
clear ddos-protection protocols amtv6 culprit-flows
<clear-ddos-amtv6-flows>
clear ddos-protection protocols amtv6 states
<clear-ddos-amtv6-states>
clear ddos-protection protocols amtv6 statistics
<clear-ddos-amtv6-statistics>
clear ddos-protection protocols ancp
clear ddos-protection protocols ancp aggregate
clear ddos-protection protocols ancp aggregate culprit-flows
<clear-ddos-ancp-aggregate-flows>
clear ddos-protection protocols ancp aggregate states
clear ddos-protection protocols ancp aggregate statistics
<clear-ddos-ancp-aggregate-statistics>
clear ddos-protection protocols ancp culprit-flows
clear ddos-protection protocols ancp states
<clear-ddos-ancp-states>
clear ddos-protection protocols ancp statistics
<clear-ddos-ancp-statistics>
clear ddos-protection protocols ancpv6
clear ddos-protection protocols ancpv6 aggregate
clear ddos-protection protocols ancpv6 aggregate culprit-flows
clear ddos-protection protocols ancpv6 aggregate states
clear ddos-protection protocols arp aggregate culprit-flows
clear ddos-protection protocols arp aggregate statistics
<clear-ddos-arp-aggregate-statistics>
clear ddos-protection protocols arp states
<clear-ddos-arp-states>
clear ddos-protection protocols arp statistics
<clear-ddos-arp-statistics>
clear ddos-protection protocols arp-snoop
clear ddos-protection protocols arp-snoop aggregate
clear ddos-protection protocols arp-snoop aggregate culprit-flows
<clear-ddos-arp-snoop-aggregate-flows>
clear ddos-protection protocols arp-snoop aggregate states
<clear-ddos-arp-snoop-aggregate-states>
clear ddos-protection protocols arp-snoop aggregate statistics
<clear-ddos-arp-snoop-aggregate-statistics>
clear ddos-protection protocols arp-snoop culprit-flows
<clear-ddos-arp-snoop-flows>
clear ddos-protection protocols arp-snoop states
<clear-ddos-arp-snoop-states>
clear ddos-protection protocols arp-snoop statistics
<clear-ddos-arp-snoop-statistics>
clear ddos-protection protocols arp culprit-flows
clear ddos-protection protocols atm
clear ddos-protection protocols atm aggregate
clear ddos-protection protocols atm aggregate culprit-flows
clear ddos-protection protocols atm aggregate states
<clear-ddos-atm-aggregate-states>
clear ddos-protection protocols atm aggregate statistics
<clear-ddos-atm-aggregate-statistics>
clear ddos-protection protocols atm culprit-flows
clear ddos-protection protocols atm states
<clear-ddos-atm-states>
clear ddos-protection protocols atm statistics
<clear-ddos-atm-statistics>
clear ddos-protection protocols bfd
clear ddos-protection protocols bfd aggregate
clear ddos-protection protocols bfd aggregate culprit-flows
clear ddos-protection protocols bfd aggregate states
<clear-ddos-bfd-aggregate-states>
clear ddos-protection protocols bfd aggregate statistics
<clear-ddos-bfd-aggregate-statistics>
clear ddos-protection protocols bfd culprit-flows
clear ddos-protection protocols bfd states
<clear-ddos-bfd-states>
clear ddos-protection protocols bfd statistics
<clear-ddos-bfd-statistics>
clear ddos-protection protocols bfdv6
clear ddos-protection protocols bfdv6 aggregate
clear ddos-protection protocols bfdv6 aggregate states
<clear-ddos-bfdv6-aggregate-states>
clear ddos-protection protocols bfdv6 aggregate statistics
<clear-ddos-bfdv6-aggregate-statistics>
clear ddos-protection protocols bfdv6 culprit-flows
clear ddos-protection protocols bfdv6 states
<clear-ddos-bfdv6-states>
clear ddos-protection protocols bfdv6 statistics
<clear-ddos-bfdv6-statistics>
clear ddos-protection protocols bgp
clear ddos-protection protocols bgp aggregate
clear ddos-protection protocols bgp aggregate culprit-flows
clear ddos-protection protocols bgp aggregate states
clear-ddos-bgp-aggregate-states
clear ddos-protection protocols bgp aggregate statistics
clear-ddos-bgp-aggregate-statistics

Chapter 4: Permissions Flags for User Access Privileges

clear ddos-protection protocols bgp culprit-flows
clear ddos-protection protocols bgp states
clear-ddos-bgp-states
clear ddos-protection protocols bgp statistics
clear-ddos-bgp-statistics
clear ddos-protection protocols bgpv6
clear ddos-protection protocols bgpv6 aggregate
clear ddos-protection protocols bgpv6 aggregate culprit-flows
clear ddos-protection protocols bgpv6 aggregate states
clear-ddos-bgpv6-aggregate-states
clear ddos-protection protocols bgpv6 aggregate statistics
clear-ddos-bgpv6-aggregate-statistics
clear ddos-protection protocols bgpv6 states
clear-ddos-bgpv6-states
clear ddos-protection protocols bgpv6 statistics
<clear-ddos-bgpv6-statistics>
clear ddos-protection protocols bridge-control
clear ddos-protection protocols bridge-control aggregate
clear ddos-protection protocols bridge-control aggregate culprit-flows
<clear-ddos-brg-ctrl-aggregate-flows>
clear ddos-protection protocols bridge-control aggregate states
<clear-ddos-brg-ctrl-aggregate-states>
clear ddos-protection protocols bridge-control aggregate statistics
<clear-ddos-brg-ctrl-aggregate-statistics>
clear ddos-protection protocols bridge-control culprit-flows
<clear-ddos-brg-ctrl-flows>
clear ddos-protection protocols bridge-control states
<clear-ddos-brg-ctrl-states>
clear ddos-protection protocols bridge-control statistics
<clear-ddos-brg-ctrl-statistics>
clear ddos-protection protocols culprit-flows
clear ddos-protection protocols demux-autosense
clear ddos-protection protocols demux-autosense aggregate
clear ddos-protection protocols demux-autosense aggregate culprit-flows
clear ddos-protection protocols demux-autosense aggregate states
clear-ddos-demuxauto-aggregate-states
clear ddos-protection protocols demux-autosense aggregate statistics
clear-ddos-demuxauto-aggregate-statistics
clear ddos-protection protocols demux-autosense culprit-flows
clear ddos-protection protocols demux-autosense states
clear-ddos-demuxauto-states
clear ddos-protection protocols demux-autosense statistics
clear-ddos-demuxauto-statistics
clear ddos-protection protocols dhcpv4
clear ddos-protection protocols dhcpv4 ack
clear ddos-protection protocols dhcpv4 ack culprit-flows
clear ddos-protection protocols dhcpv4 ack states
clear-ddos-dhcpv4-ack-states
clear ddos-protection protocols dhcpv4 ack statistics
clear-ddos-dhcpv4-ack-statistics
clear ddos-protection protocols dhcpv4 aggregate
clear ddos-protection protocols dhcpv4 aggregate states
clear-ddos-dhcpv4-aggregate-states
clear ddos-protection protocols dhcpv4 aggregate statistics
clear-ddos-dhcpv4-aggregate-statistics
clear ddos-protection protocols dhcpv4 bad-packets
clear ddos-protection protocols dhcpv4 bad-packets states
clear-ddos-dhcpv4-bad-pack-states
clear ddos-protection protocols dhcpv4 bad-packets statistics
clear-ddos-dhcpv4-bad-pack-statistics
clear ddos-protection protocols dhcpv4 bootp
clear ddos-protection protocols dhcpv4 bootp states
clear-ddos-dhcpv4-bootp-states
clear ddos-protection protocols dhcpv4 bootp statistics
clear-ddos-dhcpv4-bootp-statistics
clear ddos-protection protocols dhcpv4 decline
clear ddos-protection protocols dhcpv4 decline culprit-flows
clear ddos-protection protocols dhcpv4 decline states
clear-ddos-dhcpv4-decline-states
clear ddos-protection protocols dhcpv4 decline statistics
clear-ddos-dhcpv4-decline-statistics
clear ddos-protection protocols dhcpv4 discover
clear ddos-protection protocols dhcpv4 discover states
clear-ddos-dhcpv4-discover-states
clear ddos-protection protocols dhcpv4 discover statistics
clear-ddos-dhcpv4-discover-statistics
clear ddos-protection protocols dhcpv4 force-renew
clear ddos-protection protocols dhcpv4 force-renew culprit-flows
clear ddos-protection protocols dhcpv4 force-renew states
clear-ddos-dhcpv4-forcerenew-states
clear ddos-protection protocols dhcpv4 force-renew statistics
clear-ddos-dhcpv4-forcerenew-statistics
clear ddos-protection protocols dhcpv4 inform
clear ddos-protection protocols dhcpv4 inform culprit-flows
clear ddos-protection protocols dhcpv4 inform states
clear ddos-protection protocols dhcpv4 unclassified culprit-flows
clear ddos-protection protocols dhcpv4 unclassified states
clear-ddos-dhcpv4-unclass-states
clear ddos-protection protocols dhcpv4 unclassified statistics
clear-ddos-dhcpv4-unclass-statistics
clear ddos-protection protocols dhcpv4v6
clear ddos-protection protocols dhcpv4v6 aggregate
clear ddos-protection protocols dhcpv4v6 aggregate culprit-flows
<clear-ddos-dhcpv4v6-aggregate-flows>
clear ddos-protection protocols dhcpv4v6 aggregate states
<clear-ddos-dhcpv4v6-aggregate-states>
clear ddos-protection protocols dhcpv4v6 aggregate statistics
<clear-ddos-dhcpv4v6-aggregate-statistics>
clear ddos-protection protocols dhcpv4v6 culprit-flows
<clear-ddos-dhcpv4v6-flows>
clear ddos-protection protocols dhcpv4v6 states
<clear-ddos-dhcpv4v6-states>
clear ddos-protection protocols dhcpv4v6 statistics
<clear-ddos-dhcpv4v6-statistics>
clear ddos-protection protocols dhcpv6
clear ddos-protection protocols dhcpv6 advertise
clear ddos-protection protocols dhcpv6 advertise culprit-flows
clear ddos-protection protocols dhcpv6 advertise states
clear-ddos-dhcpv6-advertise-states
clear ddos-protection protocols dhcpv6 advertise statistics
clear-ddos-dhcpv6-advertise-statistics
clear ddos-protection protocols dhcpv6 aggregate
clear ddos-protection protocols dhcpv6 aggregate states
clear-ddos-dhcpv6-aggregate-states
clear ddos-protection protocols dhcpv6 aggregate statistics
clear-ddos-dhcpv6-aggregate-statistics
clear ddos-protection protocols dhcpv6 confirm
clear ddos-protection protocols dhcpv6 confirm culprit-flows
clear ddos-protection protocols dhcpv6 confirm states
clear-ddos-dhcpv6-confirm-states
clear ddos-protection protocols dhcpv6 confirm statistics
clear-ddos-dhcpv6-confirm-statistics
clear ddos-protection protocols dhcpv6 decline
clear ddos-protection protocols dhcpv6 decline states
clear-ddos-dhcpv6-decline-states
clear ddos-protection protocols dhcpv6 decline statistics
clear-ddos-dhcpv6-decline-statistics
clear ddos-protection protocols dhcpv6 information-request
clear ddos-protection protocols dhcpv6 information-request states
clear-ddos-dhcpv6-info-req-states
clear ddos-protection protocols dhcpv6 information-request statistics
clear-ddos-dhcpv6-info-req-statistics
clear ddos-protection protocols dhcpv6 leasequery
clear ddos-protection protocols dhcpv6 leasequery states
clear-ddos-dhcpv6-leasequery-states
clear ddos-protection protocols dhcpv6 leasequery statistics
clear-ddos-dhcpv6-leasequery-statistics
clear ddos-protection protocols dhcpv6 leasequery-data
clear ddos-protection protocols dhcpv6 leasequery-data states
clear-ddos-dhcpv6-leaseq-da-states
clear ddos-protection protocols dhcpv6 leasequery-data statistics
clear-ddos-dhcpv6-leaseq-da-statistics
clear ddos-protection protocols dhcpv6 leasequery-done
clear ddos-protection protocols dhcpv6 leasequery-done states
clear-ddos-dhcpv6-leaseq-do-states
clear ddos-protection protocols dhcpv6 leasequery-done statistics
clear-ddos-dhcpv6-leaseq-do-statistics
clear ddos-protection protocols dhcpv6 leasequery-reply
clear ddos-protection protocols dhcpv6 leasequery-reply states
clear-ddos-dhcpv6-leaseq-re-states
clear ddos-protection protocols dhcpv6 leasequery-reply statistics
clear-ddos-dhcpv6-leaseq-re-statistics
clear ddos-protection protocols dhcpv6 rebind
clear ddos-protection protocols dhcpv6 rebind states
clear-ddos-dhcpv6-rebind-states
clear ddos-protection protocols dhcpv6 rebind statistics
clear-ddos-dhcpv6-rebind-statistics
clear ddos-protection protocols dhcpv6 reconfigure
clear ddos-protection protocols dhcpv6 reconfigure states
clear-ddos-dhcpv6-reconfig-states
clear ddos-protection protocols dhcpv6 reconfigure statistics
clear-ddos-dhcpv6-reconfig-statistics
clear ddos-protection protocols dhcpv6 relay-forward
clear ddos-protection protocols dhcpv6 relay-forward states
clear-ddos-dhcpv6-relay-for-states
clear ddos-protection protocols dhcpv6 relay-forward statistics
clear-ddos-dhcpv6-relay-for-statistics
clear ddos-protection protocols dhcpv6 relay-reply
clear ddos-protection protocols dhcpv6 relay-reply states
clear-ddos-dhcpv6-relay-rep-states
clear ddos-protection protocols dhcpv6 relay-reply statistics
clear-ddos-dhcpv6-relay-rep-statistics
clear ddos-protection protocols dhcpv6 release
clear ddos-protection protocols dhcpv6 release states
clear-ddos-dhcpv6-release-states
clear ddos-protection protocols dhcpv6 release statistics
clear-ddos-dhcpv6-release-statistics
clear ddos-protection protocols dhcpv6 renew
clear ddos-protection protocols dhcpv6 renew states
clear-ddos-dhcpv6-renew-states
clear ddos-protection protocols dhcpv6 renew statistics
clear-ddos-dhcpv6-renew-statistics
clear ddos-protection protocols dhcpv6 reply
clear ddos-protection protocols dhcpv6 reply states
clear-ddos-dhcpv6-reply-states
clear ddos-protection protocols dhcpv6 reply statistics
clear-ddos-dhcpv6-reply-statistics
clear ddos-protection protocols dhcpv6 request
clear ddos-protection protocols dhcpv6 request culprit-flows
clear ddos-protection protocols dhcpv6 request states
clear-ddos-dhcpv6-request-states
clear ddos-protection protocols dhcpv6 request statistics
clear-ddos-dhcpv6-request-statistics
clear ddos-protection protocols dhcpv6 solicit
clear ddos-protection protocols dhcpv6 solicit culprit-flows
clear ddos-protection protocols dhcpv6 solicit states
clear-ddos-dhcpv6-solicit-states
clear ddos-protection protocols dhcpv6 solicit statistics
clear-ddos-dhcpv6-solicit-statistics
clear ddos-protection protocols dhcpv6 states
clear-ddos-dhcpv6-states
clear ddos-protection protocols dhcpv6 statistics
clear-ddos-dhcpv6-statistics
clear ddos-protection protocols dhcpv6 unclassified
clear ddos-protection protocols dhcpv6 unclassified culprit-flows
clear ddos-protection protocols dhcpv6 unclassified states
clear-ddos-dhcpv6-unclass-states
clear ddos-protection protocols dhcpv6 unclassified statistics
clear-ddos-dhcpv6-unclass-statistics
clear ddos-protection protocols diameter
clear ddos-protection protocols diameter aggregate
clear ddos-protection protocols diameter aggregate culprit-flows
clear ddos-protection protocols diameter aggregate states
clear-ddos-diameter-aggregate-states
clear ddos-protection protocols diameter aggregate statistics
clear-ddos-diameter-aggregate-statistics
clear ddos-protection protocols diameter states
clear-ddos-diameter-states
clear ddos-protection protocols diameter statistics
clear-ddos-diameter-statistics
clear ddos-protection protocols garp-reply
clear ddos-protection protocols garp-reply aggregate
clear ddos-protection protocols garp-reply aggregate culprit-flows
<clear-ddos-garp-reply-aggregate-flows>
clear ddos-protection protocols garp-reply aggregate states
<clear-ddos-garp-reply-aggregate-states>
clear ddos-protection protocols garp-reply aggregate statistics
<clear-ddos-garp-reply-aggregate-statistics>
clear ddos-protection protocols garp-reply culprit-flows
<clear-ddos-garp-reply-flows>
clear ddos-protection protocols garp-reply states
<clear-ddos-garp-reply-states>
clear ddos-protection protocols garp-reply statistics
<clear-ddos-garp-reply-statistics>
clear ddos-protection protocols gre hbc
clear ddos-protection protocols gre hbc culprit-flows
<clear-ddos-gre-hbc-flows>
clear ddos-protection protocols gre hbc states
<clear-ddos-gre-hbc-states>
clear ddos-protection protocols gre hbc statistics
<clear-ddos-gre-hbc-statistics>
clear ddos-protection protocols gre punt
clear ddos-protection protocols gre punt culprit-flows
<clear-ddos-gre-punt-flows>
clear ddos-protection protocols gre punt states
<clear-ddos-gre-punt-states>
clear ddos-protection protocols gre punt statistics
<clear-ddos-gre-punt-statistics>
clear ddos-protection protocols ipmc-reserved
clear ddos-protection protocols ipmc-reserved aggregate
clear ddos-protection protocols ipmc-reserved aggregate culprit-flows
<clear-ddos-ipmc-reserved-aggregate-flows>
clear ddos-protection protocols ipmc-reserved aggregate states
<clear-ddos-ipmc-reserved-aggregate-states>
clear ddos-protection protocols ipmc-reserved aggregate statistics
<clear-ddos-ipmc-reserved-aggregate-statistics>
clear ddos-protection protocols ipmc-reserved culprit-flows
<clear-ddos-ipmc-reserved-flows>
clear ddos-protection protocols ipmc-reserved states
<clear-ddos-ipmc-reserved-states>
clear ddos-protection protocols ipmc-reserved statistics
<clear-ddos-ipmc-reserved-statistics>
clear ddos-protection protocols ipmcast-miss
clear ddos-protection protocols ipmcast-miss aggregate
clear ddos-protection protocols ipmcast-miss aggregate culprit-flows
<clear-ddos-ipmcast-miss-aggregate-flows>
clear ddos-protection protocols ipmcast-miss aggregate states
<clear-ddos-ipmcast-miss-aggregate-states>
clear ddos-protection protocols ipmcast-miss aggregate statistics
<clear-ddos-ipmcast-miss-aggregate-statistics>
clear ddos-protection protocols ipmcast-miss culprit-flows
<clear-ddos-ipmcast-miss-flows>
clear ddos-protection protocols ipmcast-miss states
<clear-ddos-ipmcast-miss-states>
clear ddos-protection protocols ipmcast-miss statistics
<clear-ddos-ipmcast-miss-statistics>
clear ddos-protection protocols l3dest-miss
clear ddos-protection protocols l3dest-miss aggregate
clear ddos-protection protocols l3dest-miss aggregate culprit-flows
<clear-ddos-l3dest-miss-aggregate-flows>
clear ddos-protection protocols l3dest-miss aggregate states
<clear-ddos-l3dest-miss-aggregate-states>
clear ddos-protection protocols l3dest-miss aggregate statistics
<clear-ddos-l3dest-miss-aggregate-statistics>
clear ddos-protection protocols l3dest-miss culprit-flows
<clear-ddos-l3dest-miss-flows>
clear ddos-protection protocols l3dest-miss states
<clear-ddos-l3dest-miss-states>
clear ddos-protection protocols l3dest-miss statistics
<clear-ddos-l3dest-miss-statistics>
clear ddos-protection protocols l3mc-sgv-hit-icl
clear ddos-protection protocols l3mc-sgv-hit-icl aggregate
clear ddos-protection protocols l3mc-sgv-hit-icl aggregate culprit-flows
<clear-ddos-l3mc-sgv-hit-icl-aggregate-flows>
clear ddos-protection protocols l3mc-sgv-hit-icl aggregate states
<clear-ddos-l3mc-sgv-hit-icl-aggregate-states>
clear ddos-protection protocols l3mc-sgv-hit-icl aggregate statistics
<clear-ddos-l3mc-sgv-hit-icl-aggregate-statistics>
clear ddos-protection protocols l3mc-sgv-hit-icl culprit-flows
<clear-ddos-l3mc-sgv-hit-icl-flows>
clear ddos-protection protocols l3mc-sgv-hit-icl states
<clear-ddos-l3mc-sgv-hit-icl-states>
clear ddos-protection protocols l3mc-sgv-hit-icl statistics
<clear-ddos-l3mc-sgv-hit-icl-statistics>
clear ddos-protection protocols l3mtu-fail
clear ddos-protection protocols l3mtu-fail aggregate
clear ddos-protection protocols l3mtu-fail aggregate culprit-flows
<clear-ddos-l3mtu-fail-aggregate-flows>
clear ddos-protection protocols l3mtu-fail aggregate states
<clear-ddos-l3mtu-fail-aggregate-states>
clear ddos-protection protocols l3mtu-fail aggregate statistics
<clear-ddos-l3mtu-fail-aggregate-statistics>
clear ddos-protection protocols l3mtu-fail culprit-flows
<clear-ddos-l3mtu-fail-flows>
clear ddos-protection protocols l3mtu-fail states
<clear-ddos-l3mtu-fail-states>
clear ddos-protection protocols l3mtu-fail statistics
<clear-ddos-l3mtu-fail-statistics>
clear ddos-protection protocols l3nhop
clear ddos-protection protocols l3nhop aggregate
clear ddos-protection protocols l3nhop aggregate culprit-flows
<clear-ddos-l3nhop-aggregate-flows>
clear ddos-protection protocols l3nhop aggregate states
<clear-ddos-l3nhop-aggregate-states>
clear ddos-protection protocols l3nhop aggregate statistics
<clear-ddos-l3nhop-aggregate-statistics>
clear ddos-protection protocols l3nhop culprit-flows
<clear-ddos-l3nhop-flows>
clear ddos-protection protocols l3nhop states
<clear-ddos-l3nhop-states>
clear ddos-protection protocols l3nhop statistics
<clear-ddos-l3nhop-statistics>
clear ddos-protection protocols localnh
clear ddos-protection protocols localnh aggregate
clear ddos-protection protocols localnh aggregate culprit-flows
<clear-ddos-localnh-aggregate-flows>
clear ddos-protection protocols localnh aggregate states
<clear-ddos-localnh-aggregate-states>
clear ddos-protection protocols localnh aggregate statistics
<clear-ddos-localnh-aggregate-statistics>
clear ddos-protection protocols localnh culprit-flows
<clear-ddos-localnh-flows>
clear ddos-protection protocols localnh states
<clear-ddos-localnh-states>
clear ddos-protection protocols localnh statistics
<clear-ddos-localnh-statistics>
clear ddos-protection protocols dns
clear ddos-protection protocols dns aggregate
clear ddos-protection protocols dns aggregate states
clear-ddos-dns-aggregate-states
clear ddos-protection protocols dns aggregate statistics
clear-ddos-dns-aggregate-statistics
clear ddos-protection protocols dns states
clear-ddos-dns-states
clear ddos-protection protocols dns statistics
clear-ddos-dns-statistics
clear ddos-protection protocols dtcp
clear ddos-protection protocols dtcp aggregate
clear ddos-protection protocols dtcp aggregate culprit-flows
clear ddos-protection protocols dtcp aggregate states
clear-ddos-dtcp-aggregate-states
clear ddos-protection protocols dtcp aggregate statistics
clear-ddos-dtcp-aggregate-statistics
clear ddos-protection protocols dtcp culprit-flows
clear ddos-protection protocols dtcp states
clear-ddos-dtcp-states
clear ddos-protection protocols dtcp statistics
clear-ddos-dtcp-statistics
clear ddos-protection protocols dynamic-vlan
clear ddos-protection protocols dynamic-vlan aggregate
clear ddos-protection protocols dynamic-vlan aggregate culprit-flows
clear ddos-protection protocols dynamic-vlan aggregate states
clear-ddos-dynvlan-aggregate-states
clear ddos-protection protocols dynamic-vlan aggregate statistics
clear-ddos-dynvlan-aggregate-statistics
clear ddos-protection protocols dynamic-vlan states
clear-ddos-dynvlan-states
clear ddos-protection protocols dynamic-vlan statistics
clear-ddos-dynvlan-statistics
clear ddos-protection protocols egpv6
clear ddos-protection protocols egpv6 aggregate
clear ddos-protection protocols egpv6 aggregate culprit-flows
clear ddos-protection protocols egpv6 aggregate states
clear-ddos-egpv6-aggregate-states
clear ddos-protection protocols egpv6 aggregate statistics
clear-ddos-egpv6-aggregate-statistics
clear ddos-protection protocols egpv6 states
clear-ddos-egpv6-states
clear ddos-protection protocols egpv6 statistics
clear-ddos-egpv6-statistics
clear ddos-protection protocols eoam
clear ddos-protection protocols eoam aggregate
clear ddos-protection protocols eoam aggregate culprit-flows
clear ddos-protection protocols eoam aggregate states
clear-ddos-eoam-aggregate-states
clear ddos-protection protocols eoam aggregate statistics
clear-ddos-eoam-aggregate-statistics
clear ddos-protection protocols eoam states
clear-ddos-eoam-states
clear ddos-protection protocols eoam statistics
clear-ddos-eoam-statistics
clear ddos-protection protocols esmc
clear ddos-protection protocols esmc aggregate
clear ddos-protection protocols esmc aggregate culprit-flows
clear ddos-protection protocols esmc aggregate states
clear-ddos-esmc-aggregate-states
clear ddos-protection protocols esmc aggregate statistics
clear-ddos-esmc-aggregate-statistics
clear ddos-protection protocols esmc culprit-flows
clear ddos-protection protocols esmc states
clear-ddos-esmc-states
clear ddos-protection protocols esmc statistics
<clear-ddos-esmc-statistics>
clear ddos-protection protocols ethernet-tcc
clear ddos-protection protocols ethernet-tcc aggregate
clear ddos-protection protocols ethernet-tcc aggregate culprit-flows
<clear-ddos-eth-tcc-aggregate-flows>
clear ddos-protection protocols ethernet-tcc aggregate states
<clear-ddos-eth-tcc-aggregate-states>
clear ddos-protection protocols ethernet-tcc aggregate statistics
<clear-ddos-eth-tcc-aggregate-statistics>
clear ddos-protection protocols ethernet-tcc culprit-flows
<clear-ddos-eth-tcc-flows>
clear ddos-protection protocols ethernet-tcc states
<clear-ddos-eth-tcc-states>
clear ddos-protection protocols ethernet-tcc statistics
<clear-ddos-eth-tcc-statistics>
clear ddos-protection protocols exceptions
clear ddos-protection protocols exceptions aggregate
clear ddos-protection protocols exceptions aggregate culprit-flows
<clear-ddos-exception-aggregate-flows>
clear ddos-protection protocols exceptions aggregate states
<clear-ddos-exception-aggregate-states>
clear ddos-protection protocols exceptions aggregate statistics
<clear-ddos-exception-aggregate-statistics>
clear ddos-protection protocols exceptions culprit-flows
<clear-ddos-exception-flows>
clear ddos-protection protocols exceptions mcast-rpf-err
clear ddos-protection protocols exceptions mcast-rpf-err culprit-flows
<clear-ddos-exception-mcast-rpf-flows>
clear ddos-protection protocols exceptions mcast-rpf-err states
<clear-ddos-exception-mcast-rpf-states>
clear ddos-protection protocols exceptions mcast-rpf-err statistics
<clear-ddos-exception-mcast-rpf-statistics>
clear ddos-protection protocols exceptions mtu-exceeded
clear ddos-protection protocols exceptions mtu-exceeded culprit-flows
<clear-ddos-exception-mtu-exceed-flows>
clear ddos-protection protocols exceptions mtu-exceeded states
<clear-ddos-exception-mtu-exceed-states>
clear ddos-protection protocols exceptions mtu-exceeded statistics
<clear-ddos-exception-mtu-exceed-statistics>
clear ddos-protection protocols exceptions states
<clear-ddos-exception-states>
clear ddos-protection protocols exceptions statistics
<clear-ddos-exception-statistics>
clear ddos-protection protocols exceptions unclassified
clear ddos-protection protocols exceptions unclassified culprit-flows
<clear-ddos-exception-unclass-flows>
clear ddos-protection protocols exceptions unclassified states
<clear-ddos-exception-unclass-states>
clear ddos-protection protocols exceptions unclassified statistics
<clear-ddos-exception-unclass-statistics>
clear ddos-protection protocols fab-probe
clear ddos-protection protocols fab-probe aggregate
clear ddos-protection protocols fab-probe aggregate states
clear ddos-protection protocols fab-probe aggregate statistics
<clear-ddos-fab-probe-aggregate-statistics>
clear ddos-protection protocols fab-probe states
<clear-ddos-fab-probe-states>
clear ddos-protection protocols fab-probe statistics
<clear-ddos-fab-probe-statistics>
clear ddos-protection protocols martian-address
clear ddos-protection protocols martian-address aggregate
clear ddos-protection protocols martian-address aggregate culprit-flows
<clear-ddos-martian-address-aggregate-flows>
clear ddos-protection protocols martian-address aggregate states
<clear-ddos-martian-address-aggregate-states>
clear ddos-protection protocols martian-address aggregate statistics
<clear-ddos-martian-address-aggregate-statistics>
clear ddos-protection protocols martian-address culprit-flows
<clear-ddos-martian-address-flows>
clear ddos-protection protocols martian-address states
<clear-ddos-martian-address-states>
clear ddos-protection protocols martian-address statistics
<clear-ddos-martian-address-statistics>
clear ddos-protection protocols firewall-host
clear ddos-protection protocols firewall-host aggregate
clear ddos-protection protocols firewall-host aggregate culprit-flows
clear ddos-protection protocols firewall-host aggregate states
clear-ddos-fw-host-aggregate-states
clear ddos-protection protocols firewall-host aggregate statistics
clear-ddos-fw-host-aggregate-statistics
clear ddos-protection protocols firewall-host states
clear-ddos-fw-host-states
clear ddos-protection protocols firewall-host statistics
<clear-ddos-fw-host-statistics>
clear ddos-protection protocols frame-relay
clear ddos-protection protocols frame-relay aggregate
clear ddos-protection protocols frame-relay aggregate culprit-flows
clear ddos-protection protocols frame-relay aggregate states
clear ddos-protection protocols frame-relay aggregate statistics
clear ddos-protection protocols frame-relay culprit-flows
clear ddos-protection protocols frame-relay frf15
clear ddos-protection protocols frame-relay frf15 culprit-flows
clear ddos-protection protocols frame-relay frf15 states
clear ddos-protection protocols frame-relay frf15 statistics
clear ddos-protection protocols frame-relay frf16
clear ddos-protection protocols frame-relay frf16 culprit-flows
clear ddos-protection protocols frame-relay frf16 states
clear ddos-protection protocols frame-relay frf16 statistics
clear ddos-protection protocols frame-relay states
clear ddos-protection protocols frame-relay statistics
clear ddos-protection protocols ftp
clear ddos-protection protocols ftp aggregate
clear ddos-protection protocols ftp aggregate culprit-flows
clear ddos-protection protocols ftp aggregate states
clear-ddos-ftp-aggregate-states
clear ddos-protection protocols ftp aggregate statistics
clear-ddos-ftp-aggregate-statistics
clear ddos-protection protocols ftp states
clear-ddos-ftp-states
clear ddos-protection protocols ftp statistics
clear-ddos-ftp-statistics
clear ddos-protection protocols ftpv6
clear ddos-protection protocols ftpv6 aggregate
clear ddos-protection protocols ftpv6 aggregate culprit-flows
clear ddos-protection protocols ftpv6 aggregate states
clear-ddos-ftpv6-aggregate-states
clear ddos-protection protocols ftpv6 aggregate statistics
clear-ddos-ftpv6-aggregate-statistics
clear ddos-protection protocols ftpv6 states
clear-ddos-ftpv6-states
clear ddos-protection protocols ftpv6 statistics
clear-ddos-ftpv6-statistics
clear ddos-protection protocols gre
clear ddos-protection protocols gre aggregate
clear ddos-protection protocols gre aggregate culprit-flows
clear ddos-protection protocols gre aggregate states
clear-ddos-gre-aggregate-states
clear ddos-protection protocols gre aggregate statistics
clear-ddos-gre-aggregate-statistics
clear ddos-protection protocols gre culprit-flows
clear ddos-protection protocols gre states
clear-ddos-gre-states
clear ddos-protection protocols gre statistics
clear-ddos-gre-statistics
clear ddos-protection protocols icmp
clear ddos-protection protocols icmp aggregate
clear ddos-protection protocols icmp aggregate states
clear-ddos-icmp-aggregate-states
clear ddos-protection protocols icmp aggregate statistics
clear-ddos-icmp-aggregate-statistics
clear ddos-protection protocols icmp states
clear-ddos-icmp-states
clear ddos-protection protocols icmp statistics
clear-ddos-icmp-statistics
clear ddos-protection protocols icmpv6
clear ddos-protection protocols icmpv6 aggregate
clear ddos-protection protocols icmpv6 aggregate culprit-flows
clear ddos-protection protocols icmpv6 aggregate states
<clear-ddos-icmpv6-aggregate-states>
clear ddos-protection protocols icmpv6 aggregate statistics
<clear-ddos-icmpv6-aggregate-statistics>
clear ddos-protection protocols icmpv6 states
<clear-ddos-icmpv6-states>
clear ddos-protection protocols icmpv6 statistics
<clear-ddos-icmpv6-statistics>
clear ddos-protection protocols igmp
clear ddos-protection protocols igmp aggregate
clear ddos-protection protocols igmp aggregate culprit-flows
clear ddos-protection protocols igmp aggregate states
clear-ddos-igmp-aggregate-states
clear ddos-protection protocols igmp aggregate statistics
clear-ddos-igmp-aggregate-statistics
clear ddos-protection protocols igmp states
clear-ddos-igmp-states
clear ddos-protection protocols igmp statistics
clear-ddos-igmp-statistics
clear ddos-protection protocols igmp-snoop
clear ddos-protection protocols igmp-snoop aggregate
clear ddos-protection protocols igmp-snoop aggregate states

Copyright © 2017, Juniper Networks, Inc. 105


Administration Guide for Security Devices

clear-ddos-igmp-snoop-aggregate-states
clear ddos-protection protocols igmp-snoop aggregate statistics
clear-ddos-igmp-snoop-aggregate-statistics
clear ddos-protection protocols igmp-snoop states
clear-ddos-igmp-snoop-states
clear ddos-protection protocols igmp-snoop statistics
clear-ddos-igmp-snoop-statistics
clear ddos-protection protocols igmpv4v6
clear ddos-protection protocols igmpv4v6 aggregate
clear ddos-protection protocols igmpv4v6 aggregate states
clear-ddos-igmpv4v6-aggregate-states
clear ddos-protection protocols igmpv4v6 aggregate statistics
clear-ddos-igmpv4v6-aggregate-statistics
clear ddos-protection protocols igmpv4v6 culprit-flows
clear ddos-protection protocols igmpv4v6 states
clear-ddos-igmpv4v6-states
clear ddos-protection protocols igmpv4v6 statistics
clear-ddos-igmpv4v6-statistics
clear ddos-protection protocols igmpv6
clear ddos-protection protocols igmpv6 aggregate
clear ddos-protection protocols igmpv6 aggregate culprit-flows
clear ddos-protection protocols igmpv6 aggregate states
clear-ddos-igmpv6-aggregate-states
clear ddos-protection protocols igmpv6 aggregate statistics
clear-ddos-igmpv6-aggregate-statistics
clear ddos-protection protocols igmpv6 states
clear-ddos-igmpv6-states
clear ddos-protection protocols igmpv6 statistics
<clear-ddos-igmpv6-statistics>
clear ddos-protection protocols inline-ka
clear ddos-protection protocols inline-ka aggregate
clear ddos-protection protocols inline-ka aggregate culprit-flows
clear ddos-protection protocols inline-ka aggregate states
clear ddos-protection protocols inline-ka aggregate statistics
clear ddos-protection protocols inline-ka culprit-flows
clear ddos-protection protocols inline-ka states
clear ddos-protection protocols inline-ka statistics
clear ddos-protection protocols inline-svcs
clear ddos-protection protocols inline-svcs aggregate
clear ddos-protection protocols inline-svcs aggregate culprit-flows
clear ddos-protection protocols inline-svcs aggregate states
clear ddos-protection protocols inline-svcs aggregate statistics
clear ddos-protection protocols inline-svcs culprit-flows
clear ddos-protection protocols inline-svcs states
clear ddos-protection protocols inline-svcs statistics
clear ddos-protection protocols ip-fragments
clear ddos-protection protocols ip-fragments aggregate
clear ddos-protection protocols ip-fragments aggregate states
clear-ddos-ip-frag-aggregate-states
clear ddos-protection protocols ip-fragments aggregate statistics
clear-ddos-ip-frag-aggregate-statistics
clear ddos-protection protocols ip-fragments culprit-flows
clear ddos-protection protocols ip-fragments first-fragment
clear ddos-protection protocols ip-fragments first-fragment states
clear-ddos-ip-frag-first-frag-states

Chapter 4: Permissions Flags for User Access Privileges

clear ddos-protection protocols ip-fragments first-fragment statistics
clear-ddos-ip-frag-first-frag-statistics
clear ddos-protection protocols ip-fragments states
clear-ddos-ip-frag-states
clear ddos-protection protocols ip-fragments statistics
clear-ddos-ip-frag-statistics
clear ddos-protection protocols ip-fragments trail-fragment
clear ddos-protection protocols ip-fragments trail-fragment culprit-flows
clear ddos-protection protocols ip-fragments trail-fragment states
clear-ddos-ip-frag-trail-frag-states
clear ddos-protection protocols ip-fragments trail-fragment statistics
clear-ddos-ip-frag-trail-frag-statistics
clear ddos-protection protocols ip-options
clear ddos-protection protocols ip-options aggregate
clear ddos-protection protocols ip-options aggregate states
clear-ddos-ip-opt-aggregate-states
clear ddos-protection protocols ip-options aggregate statistics
clear-ddos-ip-opt-aggregate-statistics
clear ddos-protection protocols ip-options non-v4v6
clear ddos-protection protocols ip-options non-v4v6 states
<clear-ddos-ip-opt-non-v4v6-states>
clear ddos-protection protocols ip-options non-v4v6 statistics
<clear-ddos-ip-opt-non-v4v6-statistics>
clear ddos-protection protocols ip-options router-alert
clear ddos-protection protocols ip-options router-alert culprit-flows
clear ddos-protection protocols ip-options router-alert states
clear-ddos-ip-opt-rt-alert-states
clear ddos-protection protocols ip-options router-alert statistics
clear-ddos-ip-opt-rt-alert-statistics
clear ddos-protection protocols ip-options states
clear-ddos-ip-opt-states
clear ddos-protection protocols ip-options statistics
clear-ddos-ip-opt-statistics
clear ddos-protection protocols ip-options unclassified
clear ddos-protection protocols ip-options unclassified culprit-flows
clear ddos-protection protocols ip-options unclassified states
clear-ddos-ip-opt-unclass-states
clear ddos-protection protocols ip-options unclassified statistics
clear-ddos-ip-opt-unclass-statistics
clear ddos-protection protocols ipv4-unclassified
clear ddos-protection protocols ipv4-unclassified aggregate
clear ddos-protection protocols ipv4-unclassified aggregate states
clear-ddos-ipv4-uncls-aggregate-states
clear ddos-protection protocols ipv4-unclassified aggregate statistics
clear-ddos-ipv4-uncls-aggregate-statistics
clear ddos-protection protocols ipv4-unclassified states
clear-ddos-ipv4-uncls-states
clear ddos-protection protocols ipv4-unclassified statistics
clear-ddos-ipv4-uncls-statistics
clear ddos-protection protocols ipv6-unclassified
clear ddos-protection protocols ipv6-unclassified aggregate
clear ddos-protection protocols ipv6-unclassified aggregate states
clear-ddos-ipv6-uncls-aggregate-states
clear ddos-protection protocols ipv6-unclassified aggregate statistics
clear-ddos-ipv6-uncls-aggregate-statistics
clear ddos-protection protocols ipv6-unclassified states
clear-ddos-ipv6-uncls-states
clear ddos-protection protocols ipv6-unclassified statistics
clear-ddos-ipv6-uncls-statistics
clear ddos-protection protocols isis
clear ddos-protection protocols isis aggregate
clear ddos-protection protocols isis aggregate culprit-flows
clear ddos-protection protocols isis aggregate states
clear-ddos-isis-aggregate-states
clear ddos-protection protocols isis aggregate statistics
<clear-ddos-isis-aggregate-statistics>
clear ddos-protection protocols isis culprit-flows
clear ddos-protection protocols isis states
clear-ddos-isis-states
clear ddos-protection protocols isis statistics
clear-ddos-isis-statistics
clear ddos-protection protocols iso-tcc
clear ddos-protection protocols iso-tcc aggregate
clear ddos-protection protocols iso-tcc aggregate culprit-flows
<clear-ddos-iso-tcc-aggregate-flows>
clear ddos-protection protocols iso-tcc aggregate states
<clear-ddos-iso-tcc-aggregate-states>
clear ddos-protection protocols iso-tcc aggregate statistics
<clear-ddos-iso-tcc-aggregate-statistics>
clear ddos-protection protocols iso-tcc culprit-flows
<clear-ddos-iso-tcc-flows>
clear ddos-protection protocols iso-tcc states
<clear-ddos-iso-tcc-states>
clear ddos-protection protocols iso-tcc statistics
<clear-ddos-iso-tcc-statistics>
clear ddos-protection protocols jfm
clear ddos-protection protocols jfm aggregate
clear ddos-protection protocols jfm aggregate culprit-flows
clear ddos-protection protocols jfm aggregate states
clear-ddos-jfm-aggregate-states
clear ddos-protection protocols jfm aggregate statistics
clear-ddos-jfm-aggregate-statistics
clear ddos-protection protocols jfm states
clear-ddos-jfm-states
clear ddos-protection protocols jfm statistics
<clear-ddos-jfm-statistics>
clear ddos-protection protocols keepalive
clear ddos-protection protocols keepalive aggregate
clear ddos-protection protocols keepalive aggregate culprit-flows
clear ddos-protection protocols keepalive aggregate states
clear ddos-protection protocols keepalive aggregate statistics
clear ddos-protection protocols keepalive culprit-flows
clear ddos-protection protocols keepalive states
clear ddos-protection protocols keepalive statistics
clear ddos-protection protocols l2pt
clear ddos-protection protocols l2pt aggregate

clear ddos-protection protocols l2pt aggregate states
clear ddos-protection protocols l2pt aggregate statistics
clear ddos-protection protocols l2pt culprit-flows
clear ddos-protection protocols l2pt states
clear ddos-protection protocols l2pt statistics
clear ddos-protection protocols l2tp
clear ddos-protection protocols l2tp aggregate
clear ddos-protection protocols l2tp aggregate culprit-flows
clear ddos-protection protocols l2tp aggregate states
clear-ddos-l2tp-aggregate-states
clear ddos-protection protocols l2tp aggregate statistics
clear-ddos-l2tp-aggregate-statistics
clear ddos-protection protocols l2tp states
clear-ddos-l2tp-states
clear ddos-protection protocols l2tp statistics
clear-ddos-l2tp-statistics
clear ddos-protection protocols lacp
clear ddos-protection protocols lacp aggregate
clear ddos-protection protocols lacp aggregate culprit-flows
clear ddos-protection protocols lacp aggregate states
clear-ddos-lacp-aggregate-states
clear ddos-protection protocols lacp aggregate statistics
clear-ddos-lacp-aggregate-statistics
clear ddos-protection protocols lacp states
clear-ddos-lacp-states
clear ddos-protection protocols lacp statistics
clear-ddos-lacp-statistics
clear ddos-protection protocols ldp
clear ddos-protection protocols ldp aggregate
clear ddos-protection protocols ldp aggregate culprit-flows
clear ddos-protection protocols ldp aggregate states
clear-ddos-ldp-aggregate-states
clear ddos-protection protocols ldp aggregate statistics
clear ddos-protection protocols ldp culprit-flows
clear ddos-protection protocols ldp states
clear ddos-protection protocols ldp statistics
clear-ddos-ldp-statistics
clear ddos-protection protocols ldpv6
clear ddos-protection protocols ldpv6 aggregate
clear ddos-protection protocols ldpv6 aggregate culprit-flows
clear ddos-protection protocols ldpv6 aggregate states
clear ddos-protection protocols ldpv6 aggregate statistics
clear-ddos-ldpv6-aggregate-statistics
clear ddos-protection protocols ldpv6 states
clear ddos-protection protocols ldpv6 statistics
clear ddos-protection protocols lldp
clear ddos-protection protocols lldp aggregate
clear ddos-protection protocols lldp aggregate culprit-flows
clear ddos-protection protocols lldp aggregate states
clear ddos-protection protocols lldp aggregate statistics
clear ddos-protection protocols lldp states
clear-ddos-lldp-states
clear ddos-protection protocols lldp statistics
clear ddos-protection protocols lmp
clear ddos-protection protocols lmp aggregate
clear ddos-protection protocols lmp aggregate culprit-flows
clear ddos-protection protocols lmp aggregate states
clear ddos-protection protocols lmp aggregate statistics
clear ddos-protection protocols lmp states
clear ddos-protection protocols lmp statistics
clear ddos-protection protocols lmpv6
clear ddos-protection protocols lmpv6 aggregate
clear ddos-protection protocols lmpv6 aggregate culprit-flows
clear ddos-protection protocols lmpv6 aggregate states
clear ddos-protection protocols lmpv6 aggregate statistics
clear ddos-protection protocols lmpv6 culprit-flows
clear ddos-protection protocols lmpv6 states
clear-ddos-lmpv6-states
clear ddos-protection protocols lmpv6 statistics
clear-ddos-lmpv6-statistics
clear ddos-protection protocols mac-host
clear ddos-protection protocols mac-host aggregate
clear ddos-protection protocols mac-host aggregate culprit-flows
clear ddos-protection protocols mac-host aggregate states
clear-ddos-mac-host-aggregate-states
clear ddos-protection protocols mac-host aggregate statistics
clear-ddos-mac-host-aggregate-statistics
clear ddos-protection protocols mac-host states
clear-ddos-mac-host-states

clear ddos-protection protocols mac-host statistics
clear ddos-protection protocols mcast-snoop
clear ddos-protection protocols mcast-snoop aggregate
clear ddos-protection protocols mcast-snoop aggregate culprit-flows
clear ddos-protection protocols mcast-snoop aggregate states
clear ddos-protection protocols mcast-snoop aggregate statistics
clear ddos-protection protocols mcast-snoop culprit-flows
clear ddos-protection protocols mcast-snoop igmp
clear ddos-protection protocols mcast-snoop igmp culprit-flows
<clear-ddos-mcast-snoop-igmp-flows>
clear ddos-protection protocols mcast-snoop igmp states
<clear-ddos-mcast-snoop-igmp-states>
clear ddos-protection protocols mcast-snoop igmp statistics
<clear-ddos-mcast-snoop-igmp-statistics>
clear ddos-protection protocols mcast-snoop mld
clear ddos-protection protocols mcast-snoop mld culprit-flows
<clear-ddos-mcast-snoop-mld-flows>
clear ddos-protection protocols mcast-snoop mld states
<clear-ddos-mcast-snoop-mld-states>
clear ddos-protection protocols mcast-snoop mld statistics
<clear-ddos-mcast-snoop-mld-statistics>
clear ddos-protection protocols mld
clear ddos-protection protocols mld aggregate
clear ddos-protection protocols mld aggregate culprit-flows
<clear-ddos-mld-aggregate-flows>
clear ddos-protection protocols mld aggregate states
<clear-ddos-mld-aggregate-states>
clear ddos-protection protocols mld aggregate statistics
<clear-ddos-mld-aggregate-statistics>
clear ddos-protection protocols mld culprit-flows
<clear-ddos-mld-flows>
clear ddos-protection protocols mld states
<clear-ddos-mld-states>
clear ddos-protection protocols mld statistics
<clear-ddos-mld-statistics>
clear ddos-protection protocols mlp
clear ddos-protection protocols mlp add
clear ddos-protection protocols mlp add culprit-flows
<clear-ddos-mlp-add-flows>
clear ddos-protection protocols mlp add states
<clear-ddos-mlp-add-states>
clear ddos-protection protocols mlp add statistics
<clear-ddos-mlp-add-statistics>
clear ddos-protection protocols mlp aggregate
clear ddos-protection protocols mlp aggregate culprit-flows
clear ddos-protection protocols mlp aggregate states
clear-ddos-mlp-aggregate-states
clear ddos-protection protocols mlp aggregate statistics
clear-ddos-mlp-aggregate-statistics
clear ddos-protection protocols mlp aging-exception
clear ddos-protection protocols mlp aging-exception culprit-flows
clear ddos-protection protocols mlp aging-exception states
clear-ddos-mlp-aging-exc-states
clear ddos-protection protocols mlp aging-exception statistics
clear-ddos-mlp-aging-exc-statistics
clear ddos-protection protocols mlp packets
clear ddos-protection protocols mlp packets states
clear-ddos-mlp-packets-states
clear ddos-protection protocols mlp packets statistics
clear-ddos-mlp-packets-statistics
clear ddos-protection protocols mlp macpin-exception

clear ddos-protection protocols mlp macpin-exception culprit-flows
<clear-ddos-mlp-mac-pinning-flows>
clear ddos-protection protocols mlp macpin-exception states
<clear-ddos-mlp-mac-pinning-states>
clear ddos-protection protocols mlp macpin-exception statistics
<clear-ddos-mlp-mac-pinning-statistics>
clear ddos-protection protocols mlp states
clear-ddos-mlp-states
clear ddos-protection protocols mlp statistics
clear-ddos-mlp-statistics
clear ddos-protection protocols mlp unclassified
clear ddos-protection protocols mlp unclassified states
clear-ddos-mlp-unclass-states
clear ddos-protection protocols mlp unclassified statistics
clear-ddos-mlp-unclass-statistics
clear ddos-protection protocols msdp
clear ddos-protection protocols msdp aggregate
clear ddos-protection protocols msdp aggregate states
clear-ddos-msdp-aggregate-states
clear ddos-protection protocols msdp aggregate statistics
clear ddos-protection protocols msdp culprit-flows
clear ddos-protection protocols msdp states
clear-ddos-msdp-states
clear ddos-protection protocols msdp statistics
clear-ddos-msdp-statistics
clear ddos-protection protocols msdpv6
clear ddos-protection protocols msdpv6 aggregate
clear ddos-protection protocols msdpv6 aggregate culprit-flows
clear ddos-protection protocols msdpv6 aggregate states
clear-ddos-msdpv6-aggregate-states
clear ddos-protection protocols msdpv6 aggregate statistics
clear-ddos-msdpv6-aggregate-statistics
clear ddos-protection protocols msdpv6 states
clear-ddos-msdpv6-states
clear ddos-protection protocols msdpv6 statistics
clear-ddos-msdpv6-statistics
clear ddos-protection protocols multicast-copy
clear ddos-protection protocols multicast-copy aggregate
clear ddos-protection protocols multicast-copy aggregate states
clear-ddos-mcast-copy-aggregate-states
clear ddos-protection protocols multicast-copy aggregate statistics
clear-ddos-mcast-copy-aggregate-statistics
clear ddos-protection protocols multicast-copy states
clear-ddos-mcast-copy-states
clear ddos-protection protocols multicast-copy statistics
clear-ddos-mcast-copy-statistics
clear ddos-protection protocols mvrp
clear ddos-protection protocols mvrp aggregate
clear ddos-protection protocols mvrp aggregate states
clear-ddos-mvrp-aggregate-states
clear ddos-protection protocols mvrp aggregate statistics
clear ddos-protection protocols mvrp culprit-flows
clear ddos-protection protocols mvrp states
clear-ddos-mvrp-states
clear ddos-protection protocols mvrp statistics
clear-ddos-mvrp-statistics
clear ddos-protection protocols ndpv6
clear ddos-protection protocols ndpv6 aggregate
clear ddos-protection protocols ndpv6 aggregate states
clear ddos-protection protocols ndpv6 aggregate statistics
clear ddos-protection protocols ndpv6 neighbor-advertisement

clear ddos-protection protocols ndpv6 neighbor-advertisement culprit-flows
<clear-ddos-ndpv6-neighb-adv-flows>
clear ddos-protection protocols ndpv6 neighbor-advertisement states
<clear-ddos-ndpv6-neighb-adv-states>
clear ddos-protection protocols ndpv6 neighbor-advertisement statistics
<clear-ddos-ndpv6-neighb-adv-statistics>
clear ddos-protection protocols ndpv6 neighbor-solicitation
clear ddos-protection protocols ndpv6 neighbor-solicitation culprit-flows
<clear-ddos-ndpv6-neighb-sol-flows>
clear ddos-protection protocols ndpv6 neighbor-solicitation states
<clear-ddos-ndpv6-neighb-sol-states>
clear ddos-protection protocols ndpv6 neighbor-solicitation statistics
<clear-ddos-ndpv6-neighb-sol-statistics>
clear ddos-protection protocols ndpv6 redirect
clear ddos-protection protocols ndpv6 redirect culprit-flows
<clear-ddos-ndpv6-redirect-flows>
clear ddos-protection protocols ndpv6 redirect states
<clear-ddos-ndpv6-redirect-states>
clear ddos-protection protocols ndpv6 redirect statistics
<clear-ddos-ndpv6-redirect-statistics>
clear ddos-protection protocols ndpv6 router-advertisement
clear ddos-protection protocols ndpv6 router-advertisement culprit-flows
<clear-ddos-ndpv6-router-adv-flows>
clear ddos-protection protocols ndpv6 router-advertisement states
<clear-ddos-ndpv6-router-adv-states>
clear ddos-protection protocols ndpv6 router-advertisement statistics
<clear-ddos-ndpv6-router-adv-statistics>
clear ddos-protection protocols ndpv6 router-solicitation
clear ddos-protection protocols ndpv6 router-solicitation culprit-flows
<clear-ddos-ndpv6-router-sol-flows>
clear ddos-protection protocols ndpv6 router-solicitation states
<clear-ddos-ndpv6-router-sol-states>
clear ddos-protection protocols ndpv6 router-solicitation statistics
<clear-ddos-ndpv6-router-sol-statistics>
clear ddos-protection protocols ndpv6 states
clear ddos-protection protocols ndpv6 statistics
clear ddos-protection protocols nonucast-switch
clear ddos-protection protocols nonucast-switch aggregate
clear ddos-protection protocols nonucast-switch aggregate culprit-flows
<clear-ddos-nonucast-switch-aggregate-flows>
clear ddos-protection protocols nonucast-switch aggregate states
<clear-ddos-nonucast-switch-aggregate-states>
clear ddos-protection protocols nonucast-switch aggregate statistics
<clear-ddos-nonucast-switch-aggregate-statistics>
clear ddos-protection protocols nonucast-switch culprit-flows
<clear-ddos-nonucast-switch-flows>
clear ddos-protection protocols nonucast-switch states
<clear-ddos-nonucast-switch-states>
clear ddos-protection protocols nonucast-switch statistics
<clear-ddos-nonucast-switch-statistics>
clear ddos-protection protocols ntp aggregate
clear ddos-protection protocols ntp aggregate states
clear-ddos-ntp-aggregate-states
clear ddos-protection protocols ntp aggregate statistics
clear ddos-protection protocols ntp culprit-flows
clear ddos-protection protocols ntp states
clear-ddos-ntp-states
clear ddos-protection protocols ntp statistics
clear-ddos-ntp-statistics
clear ddos-protection protocols oam-cfm
clear ddos-protection protocols oam-cfm aggregate

clear ddos-protection protocols oam-cfm aggregate culprit-flows
<clear-ddos-oam-cfm-aggregate-flows>
clear ddos-protection protocols oam-cfm aggregate states
<clear-ddos-oam-cfm-aggregate-states>
clear ddos-protection protocols oam-cfm aggregate statistics
<clear-ddos-oam-cfm-aggregate-statistics>
clear ddos-protection protocols oam-cfm culprit-flows
<clear-ddos-oam-cfm-flows>
clear ddos-protection protocols oam-cfm states
<clear-ddos-oam-cfm-states>
clear ddos-protection protocols oam-cfm statistics
<clear-ddos-oam-cfm-statistics>
clear ddos-protection protocols oam-lfm
clear ddos-protection protocols oam-lfm aggregate
clear ddos-protection protocols oam-lfm aggregate states
clear-ddos-oam-lfm-aggregate-states
clear ddos-protection protocols oam-lfm aggregate statistics
clear-ddos-oam-lfm-aggregate-statistics
clear ddos-protection protocols oam-lfm states
clear-ddos-oam-lfm-states
clear ddos-protection protocols oam-lfm statistics
clear-ddos-oam-lfm-statistics
clear ddos-protection protocols ospf
clear ddos-protection protocols ospf aggregate
clear ddos-protection protocols ospf aggregate culprit-flows
clear ddos-protection protocols ospf aggregate states
clear-ddos-ospf-aggregate-states
clear ddos-protection protocols ospf aggregate statistics
clear-ddos-ospf-aggregate-statistics
clear ddos-protection protocols ospf states
clear ddos-protection protocols ospf statistics
clear ddos-protection protocols ospf-hello
clear ddos-protection protocols ospf-hello aggregate
clear ddos-protection protocols ospf-hello aggregate culprit-flows
<clear-ddos-ospf-hello-aggregate-flows>
clear ddos-protection protocols ospf-hello aggregate states
<clear-ddos-ospf-hello-aggregate-states>
clear ddos-protection protocols ospf-hello aggregate statistics
<clear-ddos-ospf-hello-aggregate-statistics>
clear ddos-protection protocols ospf-hello culprit-flows
<clear-ddos-ospf-hello-flows>
clear ddos-protection protocols ospf-hello states
<clear-ddos-ospf-hello-states>
clear ddos-protection protocols ospf-hello statistics
<clear-ddos-ospf-hello-statistics>
clear ddos-protection protocols ospfv3v6
clear ddos-protection protocols ospfv3v6 aggregate
clear ddos-protection protocols ospfv3v6 aggregate culprit-flows
clear ddos-protection protocols ospfv3v6 aggregate states
clear ddos-protection protocols ospfv3v6 aggregate statistics
clear ddos-protection protocols ospfv3v6 states
clear ddos-protection protocols ospfv3v6 statistics
clear-ddos-ldp-states
clear ddos-protection protocols ldp-hello
clear ddos-protection protocols ldp-hello aggregate
clear ddos-protection protocols ldp-hello aggregate culprit-flows
<clear-ddos-ldp-hello-aggregate-flows>
clear ddos-protection protocols ldp-hello aggregate states
<clear-ddos-ldp-hello-aggregate-states>
clear ddos-protection protocols ldp-hello aggregate statistics

<clear-ddos-ldp-hello-aggregate-statistics>
clear ddos-protection protocols ldp-hello culprit-flows
<clear-ddos-ldp-hello-flows>
clear ddos-protection protocols ldp-hello states
<clear-ddos-ldp-hello-states>
clear ddos-protection protocols ldp-hello statistics
<clear-ddos-ldp-hello-statistics>
clear-ddos-ldpv6-aggregate-states
clear-ddos-ldpv6-states
clear-ddos-ldpv6-statistics
clear-ddos-lldp-aggregate-states
clear-ddos-lldp-aggregate-statistics
clear-ddos-lldp-statistics
clear-ddos-lmp-aggregate-states
clear-ddos-lmp-aggregate-statistics
clear-ddos-lmp-states
clear-ddos-lmp-statistics
clear-ddos-lmpv6-aggregate-states
clear-ddos-mac-host-statistics
clear-ddos-msdp-aggregate-statistics
clear ddos-protection protocols multihop-bfd
clear ddos-protection protocols multihop-bfd aggregate
clear ddos-protection protocols multihop-bfd aggregate culprit-flows
<clear-ddos-mhop-bfd-aggregate-flows>
clear ddos-protection protocols multihop-bfd aggregate states
<clear-ddos-mhop-bfd-aggregate-states>
clear ddos-protection protocols multihop-bfd aggregate statistics
<clear-ddos-mhop-bfd-aggregate-statistics>
clear ddos-protection protocols multihop-bfd culprit-flows
<clear-ddos-mhop-bfd-flows>
clear ddos-protection protocols multihop-bfd states
<clear-ddos-mhop-bfd-states>
clear ddos-protection protocols multihop-bfd statistics
<clear-ddos-mhop-bfd-statistics>
clear-ddos-mvrp-aggregate-statistics
clear-ddos-ntp-aggregate-statistics
clear-ddos-ospf-states
clear-ddos-ospf-statistics
clear-ddos-ospfv3v6-aggregate-states
clear-ddos-ospfv3v6-aggregate-statistics
clear-ddos-ospfv3v6-states
clear ddos-protection protocols pim-ctrl
clear ddos-protection protocols pim-ctrl aggregate
clear ddos-protection protocols pim-ctrl aggregate culprit-flows
<clear-ddos-pim-ctrl-aggregate-flows>
clear ddos-protection protocols pim-ctrl aggregate states
<clear-ddos-pim-ctrl-aggregate-states>
clear ddos-protection protocols pim-ctrl aggregate statistics
<clear-ddos-pim-ctrl-aggregate-statistics>
clear ddos-protection protocols pim-ctrl culprit-flows
<clear-ddos-pim-ctrl-flows>
clear ddos-protection protocols pim-ctrl states
<clear-ddos-pim-ctrl-states>
clear ddos-protection protocols pim-ctrl statistics
<clear-ddos-pim-ctrl-statistics>
clear ddos-protection protocols pim-data
clear ddos-protection protocols pim-data aggregate
clear ddos-protection protocols pim-data aggregate culprit-flows
<clear-ddos-pim-data-aggregate-flows>
clear ddos-protection protocols pim-data aggregate states
<clear-ddos-pim-data-aggregate-states>
clear ddos-protection protocols pim-data aggregate statistics
<clear-ddos-pim-data-aggregate-statistics>

clear ddos-protection protocols pim-data culprit-flows
<clear-ddos-pim-data-flows>
clear ddos-protection protocols pim-data states
<clear-ddos-pim-data-states>
clear ddos-protection protocols pim-data statistics
<clear-ddos-pim-data-statistics>
clear ddos-protection protocols pfe-alive
clear ddos-protection protocols pfe-alive aggregate
clear ddos-protection protocols pfe-alive aggregate states
clear-ddos-pfe-alive-aggregate-states
clear ddos-protection protocols pfe-alive aggregate statistics
clear ddos-protection protocols pfe-alive culprit-flows
clear ddos-protection protocols pfe-alive states
clear-ddos-pfe-alive-states
clear ddos-protection protocols pfe-alive statistics
clear-ddos-pfe-alive-statistics
clear ddos-protection protocols pim
clear ddos-protection protocols pim aggregate
clear ddos-protection protocols pim aggregate states
clear-ddos-pim-aggregate-states
clear ddos-protection protocols pim aggregate statistics
clear-ddos-pim-aggregate-statistics
clear ddos-protection protocols pim culprit-flows
clear ddos-protection protocols pim states
clear-ddos-pim-states
clear ddos-protection protocols pim statistics
clear-ddos-pim-statistics
clear ddos-protection protocols pimv6
clear ddos-protection protocols pimv6 aggregate
clear ddos-protection protocols pimv6 aggregate culprit-flows
clear ddos-protection protocols pimv6 aggregate states
clear ddos-protection protocols pimv6 aggregate statistics
clear ddos-protection protocols pimv6 states
clear ddos-protection protocols pimv6 statistics
clear ddos-protection protocols pkt-inject
clear ddos-protection protocols pkt-inject aggregate
clear ddos-protection protocols pkt-inject aggregate culprit-flows
<clear-ddos-pkt-inject-aggregate-flows>
clear ddos-protection protocols pkt-inject aggregate states
<clear-ddos-pkt-inject-aggregate-states>
clear ddos-protection protocols pkt-inject aggregate statistics
<clear-ddos-pkt-inject-aggregate-statistics>
clear ddos-protection protocols pkt-inject culprit-flows
<clear-ddos-pkt-inject-flows>
clear ddos-protection protocols pkt-inject states
<clear-ddos-pkt-inject-states>
clear ddos-protection protocols pkt-inject statistics
<clear-ddos-pkt-inject-statistics>
clear ddos-protection protocols pmvrp
clear ddos-protection protocols pmvrp aggregate
clear ddos-protection protocols pmvrp aggregate states
clear-ddos-pmvrp-aggregate-states
clear ddos-protection protocols pmvrp aggregate statistics
clear-ddos-pmvrp-aggregate-statistics
clear ddos-protection protocols pmvrp culprit-flows
clear ddos-protection protocols pmvrp states
clear-ddos-pmvrp-states
clear ddos-protection protocols pmvrp statistics
clear-ddos-pmvrp-statistics
clear ddos-protection protocols pos
clear ddos-protection protocols pos aggregate
clear ddos-protection protocols pos aggregate states
clear-ddos-pos-aggregate-states
clear ddos-protection protocols pos aggregate statistics
clear-ddos-pos-aggregate-statistics
clear ddos-protection protocols pos states
clear-ddos-pos-states
clear ddos-protection protocols pos statistics
clear-ddos-pos-statistics
clear ddos-protection protocols ppp
clear ddos-protection protocols ppp aggregate
clear ddos-protection protocols ppp aggregate states
clear-ddos-ppp-aggregate-states
clear ddos-protection protocols ppp aggregate statistics
clear-ddos-ppp-aggregate-statistics
clear ddos-protection protocols ppp authentication
clear ddos-protection protocols ppp authentication states
clear-ddos-ppp-auth-states
clear ddos-protection protocols ppp authentication statistics
clear-ddos-ppp-auth-statistics
clear ddos-protection protocols ppp ipcp
clear ddos-protection protocols ppp ipcp states
clear-ddos-ppp-ipcp-states
clear ddos-protection protocols ppp ipcp statistics
clear-ddos-ppp-ipcp-statistics
clear ddos-protection protocols ppp ipv6cp
clear ddos-protection protocols ppp ipv6cp states
clear-ddos-ppp-ipv6cp-states
clear ddos-protection protocols ppp ipv6cp statistics
clear-ddos-ppp-ipv6cp-statistics
clear ddos-protection protocols ppp isis
clear ddos-protection protocols ppp isis states
clear-ddos-ppp-isis-states
clear ddos-protection protocols ppp isis statistics
clear-ddos-ppp-isis-statistics
clear ddos-protection protocols ppp lcp
clear ddos-protection protocols ppp lcp states
clear-ddos-ppp-lcp-states
clear ddos-protection protocols ppp lcp statistics
clear-ddos-ppp-lcp-statistics
clear ddos-protection protocols ppp mplscp
clear ddos-protection protocols ppp mplscp states
clear-ddos-ppp-mplscp-states
clear ddos-protection protocols ppp mplscp statistics
clear-ddos-ppp-mplscp-statistics
clear ddos-protection protocols ppp states
clear-ddos-ppp-states
clear ddos-protection protocols ppp statistics
clear-ddos-ppp-statistics
clear ddos-protection protocols ppp unclassified
clear ddos-protection protocols ppp unclassified states
clear ddos-protection protocols ppp unclassified statistics
<clear-ddos-ppp-unclass-statistics>
clear ddos-protection protocols pppoe
clear ddos-protection protocols pppoe aggregate
clear ddos-protection protocols pppoe aggregate states
clear-ddos-pppoe-aggregate-states
clear ddos-protection protocols pppoe aggregate statistics
clear-ddos-pppoe-aggregate-statistics
clear ddos-protection protocols pppoe padi
clear ddos-protection protocols pppoe padi states
clear-ddos-pppoe-padi-states
clear ddos-protection protocols pppoe padi statistics
clear-ddos-pppoe-padi-statistics
clear ddos-protection protocols pppoe padm
clear ddos-protection protocols pppoe padm states
clear-ddos-pppoe-padm-states
clear ddos-protection protocols pppoe padm statistics
clear-ddos-pppoe-padm-statistics
clear ddos-protection protocols pppoe padn
clear ddos-protection protocols pppoe padn states
clear-ddos-pppoe-padn-states
clear ddos-protection protocols pppoe padn statistics
clear-ddos-pppoe-padn-statistics
clear ddos-protection protocols pppoe pado
clear ddos-protection protocols pppoe pado states
clear-ddos-pppoe-pado-states
clear ddos-protection protocols pppoe pado statistics
clear-ddos-pppoe-pado-statistics
clear ddos-protection protocols pppoe padr
clear ddos-protection protocols pppoe padr states
clear-ddos-pppoe-padr-states
clear ddos-protection protocols pppoe padr statistics
clear-ddos-pppoe-padr-statistics
clear ddos-protection protocols pppoe pads
clear ddos-protection protocols pppoe pads states
clear-ddos-pppoe-pads-states
clear ddos-protection protocols pppoe pads statistics
clear-ddos-pppoe-pads-statistics
clear ddos-protection protocols pppoe padt
clear ddos-protection protocols pppoe padt states
clear-ddos-pppoe-padt-states
clear ddos-protection protocols pppoe padt statistics
clear-ddos-pppoe-padt-statistics
clear ddos-protection protocols pppoe states
clear-ddos-pppoe-states
clear ddos-protection protocols pppoe statistics
clear-ddos-pppoe-statistics
clear ddos-protection protocols proto-802-1x
clear ddos-protection protocols proto-802-1x aggregate
clear ddos-protection protocols proto-802-1x aggregate culprit-flows
<clear-ddos-8021x-aggregate-flows>
clear ddos-protection protocols proto-802-1x aggregate states
<clear-ddos-8021x-aggregate-states>
clear ddos-protection protocols proto-802-1x aggregate statistics
<clear-ddos-8021x-aggregate-statistics>
clear ddos-protection protocols proto-802-1x culprit-flows
<clear-ddos-8021x-flows>
clear ddos-protection protocols proto-802-1x states
<clear-ddos-8021x-states>
clear ddos-protection protocols proto-802-1x statistics
<clear-ddos-8021x-statistics>
clear ddos-protection protocols ptp
clear ddos-protection protocols ptp aggregate
clear ddos-protection protocols ptp aggregate states
clear-ddos-ptp-aggregate-states
clear ddos-protection protocols ptp aggregate statistics
clear-ddos-ptp-aggregate-statistics
clear ddos-protection protocols ptp states
clear-ddos-ptp-states
clear ddos-protection protocols ptp statistics
clear-ddos-ptp-statistics
clear ddos-protection protocols ptpv6
clear ddos-protection protocols ptpv6 aggregate
clear ddos-protection protocols ptpv6 aggregate culprit-flows
<clear-ddos-ptpv6-aggregate-flows>
clear ddos-protection protocols ptpv6 aggregate states
<clear-ddos-ptpv6-aggregate-states>
clear ddos-protection protocols ptpv6 aggregate statistics
<clear-ddos-ptpv6-aggregate-statistics>
clear ddos-protection protocols ptpv6 culprit-flows
<clear-ddos-ptpv6-flows>
clear ddos-protection protocols ptpv6 states
<clear-ddos-ptpv6-states>
clear ddos-protection protocols ptpv6 statistics
<clear-ddos-ptpv6-statistics>
clear ddos-protection protocols pvstp
clear ddos-protection protocols pvstp aggregate
clear ddos-protection protocols pvstp aggregate states
clear-ddos-pvstp-aggregate-states
clear ddos-protection protocols pvstp aggregate statistics
clear-ddos-pvstp-aggregate-statistics
clear ddos-protection protocols pvstp states
clear-ddos-pvstp-states
clear ddos-protection protocols pvstp statistics
clear-ddos-pvstp-statistics
clear ddos-protection protocols radius
clear ddos-protection protocols radius accounting
clear ddos-protection protocols radius accounting states
clear-ddos-radius-account-states
clear ddos-protection protocols radius accounting statistics
clear-ddos-radius-account-statistics
clear ddos-protection protocols radius aggregate
clear ddos-protection protocols radius aggregate states
clear-ddos-radius-aggregate-states
clear ddos-protection protocols radius aggregate statistics
clear-ddos-radius-aggregate-statistics
clear ddos-protection protocols radius authorization
clear ddos-protection protocols radius authorization states
clear-ddos-radius-auth-states
clear ddos-protection protocols radius authorization statistics
clear-ddos-radius-auth-statistics
clear ddos-protection protocols radius server
clear ddos-protection protocols radius server states
clear-ddos-radius-server-states
clear ddos-protection protocols radius server statistics
clear-ddos-radius-server-statistics
clear ddos-protection protocols radius states
clear-ddos-radius-states
clear ddos-protection protocols radius statistics
clear-ddos-radius-statistics
clear ddos-protection protocols redirect
clear ddos-protection protocols redirect aggregate
clear ddos-protection protocols redirect aggregate states
clear-ddos-redirect-aggregate-states
clear ddos-protection protocols redirect aggregate statistics
clear-ddos-redirect-aggregate-statistics
clear ddos-protection protocols redirect states
clear-ddos-redirect-states
clear ddos-protection protocols redirect statistics
clear-ddos-redirect-statistics
clear ddos-protection protocols reject
clear ddos-protection protocols reject aggregate
clear ddos-protection protocols reject aggregate states
clear ddos-protection protocols reject aggregate statistics
clear ddos-protection protocols reject states
clear ddos-protection protocols reject statistics
clear ddos-protection protocols rip
clear ddos-protection protocols rip aggregate
clear ddos-protection protocols rip aggregate states
clear-ddos-rip-aggregate-states
clear ddos-protection protocols rip aggregate statistics
clear-ddos-rip-aggregate-statistics
clear ddos-protection protocols rip states
clear-ddos-rip-states
clear ddos-protection protocols rip statistics
clear-ddos-rip-statistics
clear ddos-protection protocols ripv6
clear ddos-protection protocols ripv6 aggregate
clear ddos-protection protocols ripv6 aggregate states
clear-ddos-ripv6-aggregate-states
clear ddos-protection protocols ripv6 aggregate statistics
clear-ddos-ripv6-aggregate-statistics
clear ddos-protection protocols ripv6 states
clear-ddos-ripv6-states
clear ddos-protection protocols ripv6 statistics
clear-ddos-ripv6-statistics
clear ddos-protection protocols rsvp
clear ddos-protection protocols rsvp aggregate
clear ddos-protection protocols rsvp aggregate states
clear-ddos-rsvp-aggregate-states
clear ddos-protection protocols rsvp aggregate statistics
clear-ddos-rsvp-aggregate-statistics
clear ddos-protection protocols rsvp states
clear-ddos-rsvp-states
clear ddos-protection protocols rsvp statistics
clear-ddos-rsvp-statistics
clear ddos-protection protocols rsvpv6
clear ddos-protection protocols rsvpv6 aggregate
clear ddos-protection protocols rsvpv6 aggregate states
clear-ddos-rsvpv6-aggregate-states
clear ddos-protection protocols rsvpv6 aggregate statistics
clear-ddos-rsvpv6-aggregate-statistics
clear ddos-protection protocols rsvpv6 states
clear-ddos-rsvpv6-states
clear ddos-protection protocols rsvpv6 statistics
clear-ddos-rsvpv6-statistics
clear ddos-protection protocols sample
clear ddos-protection protocols sample aggregate
clear ddos-protection protocols sample aggregate states
<clear-ddos-sample-aggregate-states>
clear ddos-protection protocols sample aggregate statistics
<clear-ddos-sample-aggregate-statistics>
clear ddos-protection protocols sample host
clear ddos-protection protocols sample host states
<clear-ddos-sample-host-states>
clear ddos-protection protocols sample host statistics
<clear-ddos-sample-host-statistics>
clear ddos-protection protocols sample pfe
clear ddos-protection protocols sample pfe culprit-flows
clear ddos-protection protocols sample pfe states
<clear-ddos-sample-pfe-states>
clear ddos-protection protocols sample pfe statistics
clear ddos-protection protocols sample sflow
clear ddos-protection protocols sample sflow culprit-flows
<clear-ddos-sample-sflow-flows>
clear ddos-protection protocols sample sflow states
<clear-ddos-sample-sflow-states>
clear ddos-protection protocols sample sflow statistics
<clear-ddos-sample-sflow-statistics>
clear ddos-protection protocols sample states
<clear-ddos-sample-states>
clear ddos-protection protocols sample statistics
<clear-ddos-sample-statistics>
clear ddos-protection protocols sample syslog
clear ddos-protection protocols sample syslog culprit-flows
clear ddos-protection protocols sample syslog states
<clear-ddos-sample-syslog-states>
clear ddos-protection protocols sample syslog statistics
<clear-ddos-sample-syslog-statistics>
clear ddos-protection protocols sample tap
clear ddos-protection protocols sample tap states
clear ddos-protection protocols sample tap statistics
<clear-ddos-sample-tap-statistics>
clear ddos-protection protocols sample-dest
clear ddos-protection protocols sample-dest aggregate
clear ddos-protection protocols sample-dest aggregate culprit-flows
<clear-ddos-sample-dest-aggregate-flows>
clear ddos-protection protocols sample-dest aggregate states
<clear-ddos-sample-dest-aggregate-states>
clear ddos-protection protocols sample-dest aggregate statistics
<clear-ddos-sample-dest-aggregate-statistics>
clear ddos-protection protocols sample-dest culprit-flows
<clear-ddos-sample-dest-flows>
clear ddos-protection protocols sample-dest states
<clear-ddos-sample-dest-states>
clear ddos-protection protocols sample-dest statistics
<clear-ddos-sample-dest-statistics>
clear ddos-protection protocols sample-source
clear ddos-protection protocols sample-source aggregate
clear ddos-protection protocols sample-source aggregate culprit-flows
<clear-ddos-sample-source-aggregate-flows>
clear ddos-protection protocols sample-source aggregate states
<clear-ddos-sample-source-aggregate-states>
clear ddos-protection protocols sample-source aggregate statistics
<clear-ddos-sample-source-aggregate-statistics>
clear ddos-protection protocols sample-source culprit-flows
<clear-ddos-sample-source-flows>
clear ddos-protection protocols sample-source states
<clear-ddos-sample-source-states>
clear ddos-protection protocols sample-source statistics
<clear-ddos-sample-source-statistics>
clear ddos-protection protocols services
clear ddos-protection protocols services aggregate
clear ddos-protection protocols services aggregate states
clear-ddos-services-aggregate-states
clear ddos-protection protocols services aggregate statistics
clear ddos-protection protocols services bsdt
clear ddos-protection protocols services bsdt culprit-flows
<clear-ddos-services-BSDT-flows>
clear ddos-protection protocols services bsdt states
<clear-ddos-services-BSDT-states>
clear ddos-protection protocols services bsdt statistics
<clear-ddos-services-BSDT-statistics>
clear ddos-protection protocols services culprit-flows
<clear-ddos-services-flows>
clear ddos-protection protocols services packet
clear ddos-protection protocols services packet culprit-flows
<clear-ddos-services-packet-flows>
clear ddos-protection protocols services packet states
<clear-ddos-services-packet-states>
clear ddos-protection protocols services packet statistics
<clear-ddos-services-packet-statistics>
clear ddos-protection protocols services states
clear-ddos-services-states
clear ddos-protection protocols services statistics
clear-ddos-services-statistics
clear ddos-protection protocols snmp
clear ddos-protection protocols snmp aggregate
clear ddos-protection protocols snmp aggregate states
clear-ddos-snmp-aggregate-states
clear ddos-protection protocols snmp aggregate statistics
clear ddos-protection protocols snmp culprit-flows
clear ddos-protection protocols snmp states
clear-ddos-snmp-states
clear ddos-protection protocols snmp statistics
clear-ddos-snmp-statistics
clear ddos-protection protocols snmpv6
clear ddos-protection protocols snmpv6 aggregate
clear ddos-protection protocols snmpv6 aggregate states
clear-ddos-snmpv6-aggregate-states
clear ddos-protection protocols snmpv6 aggregate statistics
clear-ddos-snmpv6-aggregate-statistics
clear ddos-protection protocols snmpv6 states
clear-ddos-snmpv6-states
clear ddos-protection protocols snmpv6 statistics
clear-ddos-snmpv6-statistics
clear ddos-protection protocols ssh
clear ddos-protection protocols ssh aggregate
clear ddos-protection protocols ssh aggregate states
clear-ddos-ssh-aggregate-states
clear ddos-protection protocols ssh aggregate statistics
clear-ddos-ssh-aggregate-statistics
clear ddos-protection protocols ssh states
clear-ddos-ssh-states
clear ddos-protection protocols ssh statistics
clear-ddos-ssh-statistics
clear ddos-protection protocols sshv6
clear ddos-protection protocols sshv6 aggregate
clear ddos-protection protocols sshv6 aggregate states
clear-ddos-sshv6-aggregate-states
clear ddos-protection protocols sshv6 aggregate statistics
clear ddos-protection protocols sshv6 culprit-flows
clear ddos-protection protocols sshv6 states
clear-ddos-sshv6-states
clear ddos-protection protocols sshv6 statistics
clear-ddos-sshv6-statistics
clear ddos-protection protocols states
clear-ddos-protocols-states
clear ddos-protection protocols statistics
clear-ddos-protocols-statistics
clear ddos-protection protocols stp
clear ddos-protection protocols stp aggregate
clear ddos-protection protocols stp aggregate states
clear-ddos-stp-aggregate-states
clear ddos-protection protocols stp aggregate statistics
clear-ddos-stp-aggregate-statistics
clear ddos-protection protocols stp states
clear-ddos-stp-states
clear ddos-protection protocols stp statistics
clear-ddos-stp-statistics
clear ddos-protection protocols tacacs
clear ddos-protection protocols tacacs aggregate
clear ddos-protection protocols tacacs aggregate states
clear-ddos-tacacs-aggregate-states
clear ddos-protection protocols tacacs aggregate statistics
clear-ddos-tacacs-aggregate-statistics
clear ddos-protection protocols tacacs states
clear-ddos-tacacs-states
clear ddos-protection protocols tacacs statistics
clear-ddos-tacacs-statistics
clear ddos-protection protocols tcc
clear ddos-protection protocols tcc aggregate
clear ddos-protection protocols tcc aggregate culprit-flows
<clear-ddos-tcc-aggregate-flows>
clear ddos-protection protocols tcc aggregate states
<clear-ddos-tcc-aggregate-states>
clear ddos-protection protocols tcc aggregate statistics
<clear-ddos-tcc-aggregate-statistics>
clear ddos-protection protocols tcc culprit-flows
<clear-ddos-tcc-flows>
clear ddos-protection protocols tcc ethernet-tcc
clear ddos-protection protocols tcc ethernet-tcc culprit-flows
<clear-ddos-tcc-ethernet-tcc-flows>
clear ddos-protection protocols tcc ethernet-tcc states
<clear-ddos-tcc-ethernet-tcc-states>
clear ddos-protection protocols tcc ethernet-tcc statistics
<clear-ddos-tcc-ethernet-tcc-statistics>
clear ddos-protection protocols tcc iso-tcc
clear ddos-protection protocols tcc iso-tcc culprit-flows
<clear-ddos-tcc-iso-tcc-flows>
clear ddos-protection protocols tcc iso-tcc states
<clear-ddos-tcc-iso-tcc-states>
clear ddos-protection protocols tcc iso-tcc statistics
<clear-ddos-tcc-iso-tcc-statistics>
clear ddos-protection protocols tcc states
<clear-ddos-tcc-states>
clear ddos-protection protocols tcc statistics
<clear-ddos-tcc-statistics>
clear ddos-protection protocols tcc unclassified
clear ddos-protection protocols tcc unclassified culprit-flows
<clear-ddos-tcc-unclass-flows>
clear ddos-protection protocols tcc unclassified states
<clear-ddos-tcc-unclass-states>
clear ddos-protection protocols tcc unclassified statistics
<clear-ddos-tcc-unclass-statistics>
clear ddos-protection protocols tcp-flags
clear ddos-protection protocols tcp-flags aggregate
clear ddos-protection protocols tcp-flags aggregate states
clear-ddos-tcp-flags-aggregate-states
clear ddos-protection protocols tcp-flags aggregate statistics
clear-ddos-tcp-flags-aggregate-statistics
clear ddos-protection protocols tcp-flags established
clear ddos-protection protocols tcp-flags established states
clear-ddos-tcp-flags-establish-states
clear ddos-protection protocols tcp-flags established statistics
clear-ddos-tcp-flags-establish-statistics
clear ddos-protection protocols tcp-flags initial
clear ddos-protection protocols tcp-flags initial culprit-flows
clear ddos-protection protocols tcp-flags initial states
clear-ddos-tcp-flags-initial-states
clear ddos-protection protocols tcp-flags initial statistics
clear-ddos-tcp-flags-initial-statistics
clear ddos-protection protocols tcp-flags states
clear-ddos-tcp-flags-states
clear ddos-protection protocols tcp-flags statistics
clear-ddos-tcp-flags-statistics
clear ddos-protection protocols tcp-flags unclassified
clear ddos-protection protocols tcp-flags unclassified states
clear-ddos-tcp-flags-unclass-states
clear ddos-protection protocols tcp-flags unclassified statistics
clear-ddos-tcp-flags-unclass-statistics
clear ddos-protection protocols telnet
clear ddos-protection protocols telnet aggregate
clear ddos-protection protocols telnet aggregate culprit-flows
clear ddos-protection protocols telnet aggregate states
clear-ddos-telnet-aggregate-states
clear ddos-protection protocols telnet aggregate statistics
clear-ddos-telnet-aggregate-statistics
clear ddos-protection protocols telnet states
clear-ddos-telnet-states
clear ddos-protection protocols telnet statistics
clear-ddos-telnet-statistics
clear ddos-protection protocols telnetv6
clear ddos-protection protocols telnetv6 aggregate
clear ddos-protection protocols telnetv6 aggregate states
clear-ddos-telnetv6-aggregate-states
clear ddos-protection protocols telnetv6 aggregate statistics
clear-ddos-telnetv6-aggregate-statistics
clear ddos-protection protocols telnetv6 states
clear-ddos-telnetv6-states
clear ddos-protection protocols telnetv6 statistics
clear-ddos-telnetv6-statistics
clear ddos-protection protocols ttl
clear ddos-protection protocols ttl aggregate
clear ddos-protection protocols ttl aggregate culprit-flows
clear ddos-protection protocols ttl aggregate states
clear-ddos-ttl-aggregate-states
clear ddos-protection protocols ttl aggregate statistics
clear-ddos-ttl-aggregate-statistics
clear ddos-protection protocols ttl states
clear-ddos-ttl-states
clear ddos-protection protocols ttl statistics
clear-ddos-ttl-statistics
clear ddos-protection protocols tunnel-fragment
clear ddos-protection protocols tunnel-fragment aggregate
clear ddos-protection protocols tunnel-fragment aggregate states
clear-ddos-tun-frag-aggregate-states
clear ddos-protection protocols tunnel-fragment aggregate statistics
clear-ddos-tun-frag-aggregate-statistics
clear ddos-protection protocols tunnel-fragment states
clear-ddos-tun-frag-states
clear ddos-protection protocols tunnel-fragment statistics
clear-ddos-tun-frag-statistics
clear ddos-protection protocols unclassified
clear ddos-protection protocols unclassified aggregate
clear ddos-protection protocols unclassified aggregate states
clear ddos-protection protocols unclassified aggregate statistics
clear ddos-protection protocols unclassified control-layer2
clear ddos-protection protocols unclassified control-layer2 culprit-flows
clear ddos-protection protocols unclassified control-layer2 states
clear ddos-protection protocols unclassified control-layer2 statistics
clear ddos-protection protocols unclassified control-v4
clear ddos-protection protocols unclassified control-v4 culprit-flows
clear ddos-protection protocols unclassified control-v4 states
clear ddos-protection protocols unclassified control-v4 statistics
clear ddos-protection protocols unclassified control-v6
clear ddos-protection protocols unclassified control-v6 culprit-flows
clear ddos-protection protocols unclassified control-v6 states
clear ddos-protection protocols unclassified control-v6 statistics
clear ddos-protection protocols unclassified filter-v4
clear ddos-protection protocols unclassified filter-v4 culprit-flows
clear ddos-protection protocols unclassified filter-v4 states
clear ddos-protection protocols unclassified filter-v4 statistics
clear ddos-protection protocols unclassified filter-v6
clear ddos-protection protocols unclassified filter-v6 culprit-flows
clear ddos-protection protocols unclassified filter-v6 states
clear ddos-protection protocols unclassified filter-v6 statistics
clear ddos-protection protocols unclassified fw-host
clear ddos-protection protocols unclassified fw-host culprit-flows
<clear-ddos-uncls-fw-host-flows>
clear ddos-protection protocols unclassified fw-host states
<clear-ddos-uncls-fw-host-states>
clear ddos-protection protocols unclassified fw-host statistics
<clear-ddos-uncls-fw-host-statistics>
clear ddos-protection protocols unclassified host-route-v4
clear ddos-protection protocols unclassified host-route-v4 culprit-flows
clear ddos-protection protocols unclassified host-route-v4 states
clear ddos-protection protocols unclassified host-route-v4 statistics
clear ddos-protection protocols unclassified host-route-v6
clear ddos-protection protocols unclassified host-route-v6 culprit-flows
clear ddos-protection protocols unclassified host-route-v6 states
clear ddos-protection protocols unclassified host-route-v6 statistics
clear ddos-protection protocols unclassified mcast-copy
clear ddos-protection protocols unclassified mcast-copy culprit-flows
<clear-ddos-uncls-mcast-copy-flows>
clear ddos-protection protocols unclassified mcast-copy states
<clear-ddos-uncls-mcast-copy-states>
clear ddos-protection protocols unclassified mcast-copy statistics
<clear-ddos-uncls-mcast-copy-statistics>
clear ddos-protection protocols unclassified other
clear ddos-protection protocols unclassified other culprit-flows
clear ddos-protection protocols unclassified other states
clear ddos-protection protocols unclassified other statistics
clear ddos-protection protocols unclassified resolve-v4
clear ddos-protection protocols unclassified resolve-v4 culprit-flows
clear ddos-protection protocols unclassified resolve-v4 states
clear ddos-protection protocols unclassified resolve-v4 statistics
clear ddos-protection protocols unclassified resolve-v6
clear ddos-protection protocols unclassified resolve-v6 culprit-flows
clear ddos-protection protocols unclassified resolve-v6 states
clear ddos-protection protocols unclassified resolve-v6 statistics
clear ddos-protection protocols unclassified states
clear ddos-protection protocols unclassified statistics
<clear-ddos-uncls-statistics>
clear ddos-protection protocols unknown-l2mc
clear ddos-protection protocols unknown-l2mc aggregate
clear ddos-protection protocols unknown-l2mc aggregate culprit-flows
<clear-ddos-unknown-l2mc-aggregate-flows>
clear ddos-protection protocols unknown-l2mc aggregate states
<clear-ddos-unknown-l2mc-aggregate-states>
clear ddos-protection protocols unknown-l2mc aggregate statistics
<clear-ddos-unknown-l2mc-aggregate-statistics>
clear ddos-protection protocols unknown-l2mc culprit-flows
<clear-ddos-unknown-l2mc-flows>
clear ddos-protection protocols unknown-l2mc states
<clear-ddos-unknown-l2mc-states>
clear ddos-protection protocols unknown-l2mc statistics
<clear-ddos-unknown-l2mc-statistics>
clear ddos-protection protocols urpf-fail
clear ddos-protection protocols urpf-fail aggregate
clear ddos-protection protocols urpf-fail aggregate culprit-flows
<clear-ddos-urpf-fail-aggregate-flows>
clear ddos-protection protocols urpf-fail aggregate states
<clear-ddos-urpf-fail-aggregate-states>
clear ddos-protection protocols urpf-fail aggregate statistics
<clear-ddos-urpf-fail-aggregate-statistics>
clear ddos-protection protocols urpf-fail culprit-flows
<clear-ddos-urpf-fail-flows>
clear ddos-protection protocols urpf-fail states
<clear-ddos-urpf-fail-states>
clear ddos-protection protocols urpf-fail statistics
<clear-ddos-urpf-fail-statistics>
clear ddos-protection protocols vcipc-udp
clear ddos-protection protocols vcipc-udp aggregate
clear ddos-protection protocols vcipc-udp aggregate culprit-flows
<clear-ddos-vcipc-udp-aggregate-flows>
clear ddos-protection protocols vcipc-udp aggregate states
<clear-ddos-vcipc-udp-aggregate-states>
clear ddos-protection protocols vcipc-udp aggregate statistics
<clear-ddos-vcipc-udp-aggregate-statistics>
clear ddos-protection protocols vcipc-udp culprit-flows
<clear-ddos-vcipc-udp-flows>
clear ddos-protection protocols vcipc-udp states
<clear-ddos-vcipc-udp-states>
clear ddos-protection protocols vcipc-udp statistics
<clear-ddos-vcipc-udp-statistics>
clear ddos-protection protocols virtual-chassis
clear ddos-protection protocols virtual-chassis aggregate
clear ddos-protection protocols virtual-chassis aggregate culprit-flows
clear ddos-protection protocols virtual-chassis aggregate states
clear-ddos-protocols-states
clear-ddos-protocols-statistics
clear-ddos-radius-server-states
clear-ddos-radius-server-statistics
clear-ddos-radius-states
clear-ddos-radius-statistics
clear ddos-protection protocols re-services
clear ddos-protection protocols re-services aggregate
clear ddos-protection protocols re-services aggregate culprit-flows
<clear-ddos-re-services-aggregate-flows>
clear ddos-protection protocols re-services aggregate states
<clear-ddos-re-services-aggregate-states>
clear ddos-protection protocols re-services aggregate statistics
<clear-ddos-re-services-aggregate-statistics>
clear ddos-protection protocols re-services captive-portal
clear ddos-protection protocols re-services captive-portal culprit-flows
Chapter 4: Permissions Flags for User Access Privileges

<clear-ddos-re-services-captive-portal-flows>
clear ddos-protection protocols re-services captive-portal states
<clear-ddos-re-services-captive-portal-states>
clear ddos-protection protocols re-services captive-portal statistics
<clear-ddos-re-services-captive-portal-statistics>
clear ddos-protection protocols re-services culprit-flows
<clear-ddos-re-services-flows>
clear ddos-protection protocols re-services states
<clear-ddos-re-services-states>
clear ddos-protection protocols re-services statistics
<clear-ddos-re-services-statistics>
clear ddos-protection protocols re-services-v6
clear ddos-protection protocols re-services-v6 aggregate
clear ddos-protection protocols re-services-v6 aggregate culprit-flows
<clear-ddos-re-services-v6-aggregate-flows>
clear ddos-protection protocols re-services-v6 aggregate states
<clear-ddos-re-services-v6-aggregate-states>
clear ddos-protection protocols re-services-v6 aggregate statistics
<clear-ddos-re-services-v6-aggregate-statistics>
clear ddos-protection protocols re-services-v6 captive-portal
clear ddos-protection protocols re-services-v6 captive-portal culprit-flows
<clear-ddos-re-services-v6-captive-portal-v6-flows>
clear ddos-protection protocols re-services-v6 captive-portal states
<clear-ddos-re-services-v6-captive-portal-v6-states>
clear ddos-protection protocols re-services-v6 captive-portal statistics
<clear-ddos-re-services-v6-captive-portal-v6-statistics>
clear ddos-protection protocols re-services-v6 culprit-flows
<clear-ddos-re-services-v6-flows>
clear ddos-protection protocols re-services-v6 states
<clear-ddos-re-services-v6-states>
clear ddos-protection protocols re-services-v6 statistics
<clear-ddos-re-services-v6-statistics>
clear-ddos-redirect-aggregate-states
clear-ddos-redirect-states
clear-ddos-redirect-statistics
clear-ddos-rip-aggregate-states
clear-ddos-rip-aggregate-statistics
clear-ddos-rip-states
clear-ddos-rip-statistics
clear-ddos-ripv6-aggregate-states
clear-ddos-ripv6-aggregate-statistics
clear-ddos-ripv6-states
clear-ddos-ripv6-statistics
clear-ddos-rsvp-aggregate-states
clear-ddos-rsvp-aggregate-statistics
clear-ddos-rsvp-states
clear-ddos-rsvp-statistics
clear-ddos-rsvpv6-aggregate-states
clear-ddos-rsvpv6-aggregate-statistics
clear-ddos-rsvpv6-states
clear-ddos-rsvpv6-statistics
clear-ddos-services-aggregate-states
clear-ddos-services-aggregate-statistics
clear-ddos-services-states
clear-ddos-services-statistics
clear-ddos-snmp-aggregate-states
clear-ddos-snmp-aggregate-statistics
clear-ddos-snmp-states
clear-ddos-snmp-statistics
clear-ddos-snmpv6-aggregate-states
clear-ddos-snmpv6-aggregate-statistics
clear-ddos-snmpv6-states
clear-ddos-snmpv6-statistics
clear-ddos-ssh-aggregate-states
clear-ddos-ssh-aggregate-statistics
clear-ddos-ssh-states
clear-ddos-ssh-statistics
clear-ddos-sshv6-aggregate-states
clear-ddos-sshv6-aggregate-statistics
clear-ddos-sshv6-states
clear-ddos-sshv6-statistics
clear-ddos-stp-aggregate-states
clear-ddos-stp-aggregate-statistics
clear-ddos-stp-states
clear-ddos-stp-statistics
clear ddos-protection protocols syslog
clear ddos-protection protocols syslog aggregate
clear ddos-protection protocols syslog aggregate culprit-flows
<clear-ddos-syslog-aggregate-flows>
clear ddos-protection protocols syslog aggregate states
<clear-ddos-syslog-aggregate-states>
clear ddos-protection protocols syslog aggregate statistics
<clear-ddos-syslog-aggregate-statistics>
clear ddos-protection protocols syslog culprit-flows
<clear-ddos-syslog-flows>
clear ddos-protection protocols syslog states
<clear-ddos-syslog-states>
clear ddos-protection protocols syslog statistics
<clear-ddos-syslog-statistics>
clear-ddos-tacacs-aggregate-states
clear-ddos-tacacs-aggregate-statistics
clear-ddos-tacacs-states
clear-ddos-tacacs-statistics
clear-ddos-tcp-flags-aggregate-states
clear-ddos-tcp-flags-aggregate-statistics
clear-ddos-tcp-flags-establish-states
clear-ddos-tcp-flags-establish-statistics
clear-ddos-tcp-flags-initial-states
clear-ddos-tcp-flags-initial-statistics
clear-ddos-tcp-flags-states
clear-ddos-tcp-flags-statistics
clear-ddos-tcp-flags-unclass-states
clear-ddos-tcp-flags-unclass-statistics
clear-ddos-telnet-aggregate-states
clear-ddos-telnet-aggregate-statistics
clear-ddos-telnet-states
clear-ddos-telnet-statistics
clear-ddos-telnetv6-aggregate-states
clear-ddos-telnetv6-aggregate-statistics
clear-ddos-telnetv6-states
clear-ddos-telnetv6-statistics
clear-ddos-ttl-aggregate-states
clear-ddos-ttl-aggregate-statistics
clear-ddos-ttl-states
clear-ddos-ttl-statistics
clear-ddos-tun-frag-aggregate-states
clear-ddos-tun-frag-aggregate-statistics
clear-ddos-tun-frag-states
clear-ddos-tun-frag-statistics
clear ddos-protection protocols tunnel-ka
clear ddos-protection protocols tunnel-ka aggregate
clear ddos-protection protocols tunnel-ka aggregate culprit-flows
<clear-ddos-tunnel-ka-aggregate-flows>
clear ddos-protection protocols tunnel-ka aggregate states
<clear-ddos-tunnel-ka-aggregate-states>
clear ddos-protection protocols tunnel-ka aggregate statistics
<clear-ddos-tunnel-ka-aggregate-statistics>
clear ddos-protection protocols tunnel-ka culprit-flows
<clear-ddos-tunnel-ka-flows>
clear ddos-protection protocols tunnel-ka states
<clear-ddos-tunnel-ka-states>
clear ddos-protection protocols tunnel-ka statistics
<clear-ddos-tunnel-ka-statistics>
clear-ddos-vchassis-aggregate-states
clear ddos-protection protocols virtual-chassis aggregate statistics
clear-ddos-vchassis-aggregate-statistics
clear ddos-protection protocols virtual-chassis control-high
clear ddos-protection protocols virtual-chassis control-high states
clear-ddos-vchassis-control-hi-states
clear ddos-protection protocols virtual-chassis control-high statistics
clear-ddos-vchassis-control-hi-statistics
clear ddos-protection protocols virtual-chassis control-low
clear ddos-protection protocols virtual-chassis control-low states
clear-ddos-vchassis-control-lo-states
clear ddos-protection protocols virtual-chassis control-low statistics
clear-ddos-vchassis-control-lo-statistics
clear ddos-protection protocols virtual-chassis states
clear-ddos-vchassis-states
clear ddos-protection protocols virtual-chassis statistics
clear-ddos-vchassis-statistics
clear ddos-protection protocols virtual-chassis unclassified
clear ddos-protection protocols virtual-chassis unclassified culprit-flows
clear ddos-protection protocols virtual-chassis unclassified states
clear-ddos-vchassis-unclass-states
clear ddos-protection protocols virtual-chassis unclassified statistics
clear-ddos-vchassis-unclass-statistics
clear ddos-protection protocols virtual-chassis vc-packets
clear ddos-protection protocols virtual-chassis vc-packets states
clear-ddos-vchassis-vc-packets-states
clear ddos-protection protocols virtual-chassis vc-packets statistics
clear-ddos-vchassis-vc-packets-statistics
clear ddos-protection protocols virtual-chassis vc-ttl-errors
clear ddos-protection protocols virtual-chassis vc-ttl-errors states
clear-ddos-vchassis-vc-ttl-err-states
clear ddos-protection protocols virtual-chassis vc-ttl-errors statistics
clear-ddos-vchassis-vc-ttl-err-statistics
clear ddos-protection protocols vrrp
clear ddos-protection protocols vrrp aggregate
clear ddos-protection protocols vrrp aggregate states
clear-ddos-vrrp-aggregate-states
clear ddos-protection protocols vrrp aggregate statistics
clear ddos-protection protocols vrrp culprit-flows
clear ddos-protection protocols vrrp statistics
clear-ddos-vrrp-statistics
clear ddos-protection protocols vrrpv6
clear ddos-protection protocols vrrpv6 aggregate
clear ddos-protection protocols vrrpv6 aggregate states
clear-ddos-vrrpv6-aggregate-states
clear ddos-protection protocols vrrpv6 aggregate statistics
clear-ddos-vrrpv6-aggregate-statistics
clear ddos-protection protocols vrrpv6 states
clear-ddos-vrrpv6-states
clear ddos-protection protocols vrrpv6 statistics
clear-ddos-uncls-host-rt-v4-flows
clear-ddos-vchassis-aggregate-statistics
clear-ddos-vchassis-control-hi-states
clear-ddos-vchassis-control-hi-statistics
clear-ddos-vchassis-control-lo-states
clear-ddos-vchassis-control-lo-statistics
clear-ddos-vchassis-states
clear-ddos-vchassis-statistics
clear-ddos-vchassis-unclass-states
clear-ddos-vchassis-unclass-statistics
clear-ddos-vchassis-vc-packets-states
clear-ddos-vchassis-vc-packets-statistics
clear-ddos-vchassis-vc-ttl-err-states
clear-ddos-vchassis-vc-ttl-err-statistics
clear-ddos-vrrp-aggregate-states
clear-ddos-vrrp-aggregate-statistics
clear-ddos-vrrp-states
clear-ddos-vrrp-statistics
clear-ddos-vrrpv6-aggregate-states
clear-ddos-vrrpv6-aggregate-statistics
clear-ddos-vrrpv6-states
clear-ddos-vrrpv6-statistics
clear ddos-protection protocols vxlan
clear ddos-protection protocols vxlan aggregate
clear ddos-protection protocols vxlan aggregate culprit-flows
<clear-ddos-vxlan-aggregate-flows>
clear ddos-protection protocols vxlan aggregate states
<clear-ddos-vxlan-aggregate-states>
clear ddos-protection protocols vxlan aggregate statistics
<clear-ddos-vxlan-aggregate-statistics>
clear ddos-protection protocols vxlan culprit-flows
<clear-ddos-vxlan-flows>
clear ddos-protection protocols vxlan states
<clear-ddos-vxlan-states>
clear ddos-protection protocols vxlan statistics
<clear-ddos-vxlan-statistics>
clear dhcp
clear dhcp client
clear dhcp client binding
<clear-dhcp-client-binding-information>
clear dhcp client statistics
<clear-client-statistics-information>
clear dhcp proxy-client
clear dhcp proxy-client statistics
clear dhcp relay
clear dhcp relay binding
<clear-dhcp-relay-binding-information>
clear dhcp relay binding interface
<clear-dhcp-interface-bindings>
clear dhcp relay statistics
<clear-dhcp-relay-statistics-information>
<clear-dhcp-security-binding>
<clear-dhcp-security-binding-interface>
<clear-dhcp-security-binding-ip-address>
<clear-dhcp-security-binding-statistics>
<clear-dhcp-security-binding-vlan>
clear dhcp relay statistics bulk-leasequery-connections
<clear-dhcp-relay-bulk-leasequery-conn-statistics>
clear dhcp relay statistics leasequery
<clear-dhcp-relay-leasequery-statistics>
clear dhcp server
clear dhcp server binding
<clear-dhcp-server-binding-information>
clear dhcp server binding interface
<clear-dhcp-server-binding-interface>
clear dhcp server statistics
<clear-server-statistics-information>
clear dhcp statistics
<clear-dhcp-service-statistics-information>
clear dhcp-security statistics
<clear-dhcp-security-statistics>
clear dhcpv6
clear dhcpv6 client
clear dhcpv6 client binding
<clear-dhcpv6-client-binding-information>
clear dhcpv6 client statistics
<clear-dhcpv6-client-statistics-information>
clear dhcpv6 proxy-client
clear dhcpv6 proxy-client statistics
<clear-dhcpv6-proxy-client-statistics-information>
clear dhcpv6 relay
clear dhcpv6 relay binding
clear dhcpv6 relay binding interface
clear dhcpv6 relay statistics
<clear-dhcpv6-relay-statistics-information>
clear dhcpv6 relay statistics bulk-leasequery-connections
<clear-dhcpv6-relay-bulk-leasequery-conn-statistics>
clear dhcpv6 relay statistics leasequery
<clear-dhcpv6-relay-leasequery-statistics>
clear dhcpv6 server
clear dhcpv6 server binding
<clear-dhcpv6-server-binding-information>
clear dhcpv6 server binding interface
<clear-dhcpv6-server-binding-interface>
clear dhcpv6 server statistics
<clear-dhcpv6-server-statistics-information>
clear dhcpv6 server statistics bulk-leasequery-connections
<clear-dhcpv6-server-bulk-leasequery-statistics>
clear dhcpv6 statistics
<clear-dhcpv6-service-statistics-information>
clear diameter
clear diameter function
<clear-diameter-function>
clear diameter peer
<clear-diameter-peer>
<clear-dhcp-binding-information>
<clear-dhcp-conflict-information>
<clear-dhcp-statistics-information>
clear system subscriber-management
clear system subscriber-management arp
<clear-subscriber-management-arp>
clear system subscriber-management arp address
<clear-subscriber-management-arp-address>
clear system subscriber-management arp interface
<clear-subscriber-management-arp-interface>
clear system subscriber-management ipv6-neighbors
<clear-subscriber-management-ipv6-neighbors>
clear system subscriber-management ipv6-neighbors address
<clear-subscriber-management-ipv6-neighbor-address>
clear system subscriber-management ipv6-neighbors interface
<clear-subscriber-management-ipv6-neighbor-interface>
clear system subscriber-management statistics
<clear-subscriber-management-statistics>
clear dot1x
clear dot1x eapol-block
clear dot1x eapol-block interface
<clear-dot1x-eapol-block-interface-session>
clear dot1x eapol-block mac-address
<clear-dot1x-eapol-block-mac-session>
clear dot1x firewall
<clear-dot1x-firewall>
clear dot1x firewall interface
<clear-dot1x-firewall-interface>
clear dot1x interface
<clear-dot1x-interface-session>
clear dot1x mac-address
<clear-dot1x-mac-session>
clear dot1x statistics
<clear-dot1x-statistics>
clear dot1x statistics interface
<clear-dot1x-statistics-interface>
clear error
clear error bpdu
clear error bpdu interface
<clear-bpdu-error>
clear error loop-detect
clear error loop-detect interface
<clear-loop-detect-error>
clear error mac-rewrite
clear error mac-rewrite interface
<clear-mac-rewrite-error>
clear esis
clear esis adjacency
<clear-esis-adjacency>
clear esis statistics
<clear-esis-statistics>
clear ethernet-switching
clear ethernet-switching evpn
clear ethernet-switching evpn arp-table
<clear-ethernet-switching-evpn-arp-table>
clear ethernet-switching mac-learning-log
<clear-ethernet-switching-mac-learning-log>
clear ethernet-switching recovery-timeout
<clear-ethernet-switching-recovery>
clear ethernet-switching recovery-timeout interface
<clear-ethernet-switching-recovery-interface>
clear ethernet-switching satellite
clear ethernet-switching satellite logging
<clear-satellite-control-logging>
clear ethernet-switching satellite vlan-auto-sense
<clear-satellite-control-plane-vlan-auto-sense>
clear ethernet-switching table
<clear-ethernet-switching-table>
clear ethernet-switching table interface
<clear-ethernet-switching-interface-table>
clear ethernet-switching table persistent-learning
<clear-ethernet-switching-table-persistent-learning>
clear ethernet-switching table persistent-learning interface
<clear-ethernet-switching-table-persistent-learning>
clear ethernet-switching table persistent-learning mac
<clear-ethernet-switching-table-persistent-learning-mac>
clear evpn
clear evpn arp-table
<clear-evpn-arp-table>
clear evpn mac-table
<clear-evpn-mac-table>
clear evpn mac-table interface
<clear-evpn-interface-mac-table>
clear evpn nd-table
<clear-evpn-nd-table>
clear extensible-subscriber-services
clear extensible-subscriber-services counters
<clear-extensible-subscriber-services-counters>
clear extensible-subscriber-services sessions
<clear-extensible-subscriber-services-sessions>
clear fabric
<clear-fabric>
clear fabric statistics
<clear-fabric-statistics>
clear firewall
<clear-firewall-counters>
clear firewall all
<clear-all-firewall-conters>
clear firewall log
<clear-firewall-log>
clear firewall policer
clear firewall policer counter
clear firewall policer counter all
<clear-interface-aggregate-fwd-options>
<clear-interface-aggregate-fwd-options-all>
clear helper
clear helper statistics
<clear-helper-statistics-information>
clear igmp
clear igmp membership
<clear-igmp-membership>
clear igmp snooping
clear igmp snooping membership
<clear-igmp-snooping-membership>
clear igmp snooping membership bridge-domain
<clear-igmp-snooping-bridge-domain-membership>
clear igmp snooping membership vlan
<clear-igmp-snooping-vlan-membership>
clear igmp snooping statistics
<clear-igmp-snooping-statistics>
clear igmp snooping statistics bridge-domain
<clear-igmp-snooping-bridge-domain-statistics>
clear igmp snooping statistics vlan
<clear-igmp-snooping-vlan-statistics>
clear igmp statistics
<clear-igmp-statistics>
clear ike
clear ike security-associations
<clear-ike-security-associations>
clear ike statistics
<clear-ike-statistics>
clear ilmi
clear ilmi statistics
<clear-ilmi-statistics>
clear interfaces
clear interfaces interface-set
clear interfaces interface-set statistics
<clear-interface-set-statistics>
clear interfaces interface-set statistics all
<clear-interface-set-statistics-all>
clear interfaces interval
<clear-interfaces-interval>
clear interfaces mac-database
<clear-interfaces-mac-database>
clear interfaces mac-database statistics
<clear-interface-mac-database-statistics>
clear interfaces mac-database statistics all
<clear-interface-mac-database-statistics-all>
clear interfaces statistics
<clear-interfaces-statistics>
clear interfaces statistics all
<clear-interfaces-statistics-all>
clear interfaces transport
<clear-interface-transport-information>
clear interfaces transport optics
<clear-interface-transport-optics-information>
clear interfaces transport optics interval
<clear-interface-transport-optics-interval-information>
clear ipsec
clear ipsec security-associations
<clear-ipsec-security-associations>
clear ipv6
clear ipv6 neighbors
<clear-ipv6-nd-information>
clear ipv6 neighbors all
<clear-ipv6-all-neighbors>
clear isis
clear isis adjacency
<clear-isis-adjacency-information>
clear isis database
<clear-isis-database-information>
clear isis layer2-map
<clear-isis-layer2-map-information>
clear isis overload
<clear-isis-overload-information>
clear isis statistics
<clear-isis-statistics-information>
clear ipv6 router-advertisement
clear lacp
clear lacp statistics
clear l2-learning
clear l2-learning evpn
clear l2-learning evpn arp-statistics
<clear-evpn-arp-statistics>
clear l2-learning evpn arp-statistics interface
<clear-evpn-arp-statistics-interface>
clear l2-learning evpn nd-statistics
<clear-evpn-nd-statistics>
clear l2-learning evpn nd-statistics interface
<clear-evpn-nd-statistics-interface>
clear l2-learning mac-move-buffer
<clear-l2-learning-mac-move-buffer>
clear l2-learning mac-move-buffer active
<clear-l2-learning-mac-move-buffer-active>
clear-l2-learning-redundancy-group
<clear-l2-learning-redundancy-group-statistics>
clear l2-learning remote-backbone-edge-bridges
<clear-l2-learning-remote-backbone-edge-bridges>
clear l2circuit
clear ldp
clear ldp statistics
<clear-ldp-statistics>
clear ldp statistics interface
<clear-ldp-interface-hello-statistics>
clear ldp neighbor
<clear-ldp-neighbors>
clear ldp session
<clear-ldp-sessions>
clear lldp
clear lldp neighbors
<clear-lldp-neighbors>
clear lldp neighbors interface
<clear-lldp-interface-neighbors>
clear lldp statistics
<clear-lldp-statistics>
clear lldp statistics interface
<clear-lldp-interface-statistics>
clear loop-detect
clear loop-detect statistics
clear loop-detect statistics interface
<clear-loop-detect-statistics-information>
clear mld
clear mld membership
<clear-mld-membership>
clear mld snooping
clear mld snooping membership
<clear-mld-snooping-membership>
clear mld snooping membership bridge-domain
<clear-mld-snooping-bridge-domain-membership>
clear mld snooping membership vlan
<clear-mld-snooping-vlan-membership>
clear mld snooping statistics
<clear-mld-snooping-statistics>
clear mld snooping statistics bridge-domain
<clear-mld-snooping-bridge-domain-statistics>
clear mld snooping statistics vlan
<clear-mld-snooping-vlan-statistics>
clear mld statistics
<clear-mld-statistics>
clear mobile-ip
clear mobile-ip binding
clear mobile-ip binding all
<clear-binding-all>
clear mobile-ip binding ip-address
<clear-binding-ip>
clear mobile-ip binding nai
<clear-binding-nai>
clear mobile-ip visitor
clear mobile-ip visitor all
<clear-visitor-all>
clear mobile-ip visitor ip-address
<clear-visitor-ip>
clear mobile-ip visitor nai
<clear-visitor-nai>
clear mpls
clear mpls lsp
<clear-mpls-lsp-information>
clear mpls static-lsp
<clear-mpls-static-lsp-information>
clear mpls traceroute
clear mpls traceroute database
clear mpls traceroute database ldp
<clear-mpls-traceroute-database-ldp>
clear msdp
clear msdp cache
<clear-msdp-cache>
clear msdp statistics
<clear-msdp-statistics>
clear multicast
clear multicast bandwidth-admission
<clear-multicast-bandwidth-admission>
clear multicast forwarding-cache
clear multicast scope
<clear-multicast-scope-statistics>
clear multicast sessions
<clear-multicast-sessions>
clear multicast statistics
<clear-multicast-statistics>
clear mvrp
clear mvrp statistics
<clear-mvrp-interface-statistics>
clear network-access
clear network-access aaa
clear network-access aaa statistics
<clear-aaa-statistics-table>
clear network-access aaa statistics address-assignment
clear network-access aaa statistics address-assignment client
<clear-aaa-address-assignment-client-statistics>
clear network-access aaa statistics address-assignment pool
<clear-aaa-address-assignment-pool-statistics>
clear network-access aaa subscriber
<clear-aaa-subscriber-table>
clear network-access aaa subscriber statistics
<clear-aaa-subscriber-table-specific-statistics>
clear network-access address-assignment
clear network-access address-assignment preserved
<clear-address-assignment-preserved>
clear network-access ocs
clear network-access ocs statistics
<clear-ocs-statistics-information>
clear network-access pcrf
clear network-access pcrf statistics
<clear-pcrf-statistics-information>
clear network-access pcrf subscribers
<clear-pcrf-subscribers>
clear network-access requests
clear network-access requests pending
<clear-authentication-pending-table>
clear network-access requests statistics
<clear-authentication-statistics>
clear network-access securid-node-secret-file
<clear-node-secret-file>
clear oam
clear oam ethernet
clear oam ethernet connectivity-fault-management
clear oam ethernet connectivity-fault-management continuity-measurement
<clear-cfm-continuity-measurement>
clear oam ethernet connectivity-fault-management delay-statistics
<clear-cfm-delay-statistics>
clear oam ethernet connectivity-fault-management event
<clear-cfm-action-profile-event>
clear oam ethernet connectivity-fault-management loss-statistics
<clear-cfm-loss-statistics>
clear oam ethernet connectivity-fault-management path-database
<clear-cfm-linktrace-path-database>
clear oam ethernet connectivity-fault-management policer
<clear-cfm-policer-statistics>
clear oam ethernet connectivity-fault-management sla-iterator-history
<clear-cfm-iterator-history>
clear oam ethernet connectivity-fault-management sla-iterator-statistics
<clear-cfm-iterator-statistics>
clear oam ethernet connectivity-fault-management statistics
<clear-cfm-statistics>
clear oam ethernet connectivity-fault-management synthetic-loss-statistics
<clear-cfm-slm-statistics>
clear oam ethernet link-fault-management
clear oam ethernet link-fault-management state
<clear-lfmd-state>
clear oam ethernet link-fault-management statistics
<clear-lfmd-statistics>
clear oam ethernet link-fault-management statistics action-profile
<clear-lfmd-action-profile-statistics>
clear oam ethernet lmi
clear oam ethernet lmi statistics
<clear-elmi-statistics>
clear ospf
clear ospf database
<clear-ospf-database-information>
clear ospf database-protection
<clear-ospf-database-protection>
clear ospf io-statistics
<clear-ospf-io-statistics-information>
clear ospf neighbor
<clear-ospf-neighbor-information>
clear ospf overload
<clear-ospf-overload-information>
clear ospf statistics
<clear-ospf-statistics-information>
clear ospf3
clear ospf3 database
<clear-ospf3-database-information>
clear ospf3 database-protection
<clear-ospf-database-protection>
clear ospf3 io-statistics
<clear-ospf3-io-statistics-information>
clear ospf3 neighbor
<clear-ospf3-neighbor-information>
clear ospf3 overload
<clear-ospf3-overload-information>
clear ospf3 statistics
<clear-ospf3-io-statistics-information>
clear ovsdb
clear ovsdb commit
clear ovsdb commit failures
<clear-ovsdb-commit-failure-information>
clear ovsdb statistics
clear ovsdb statistics interface
clear ovsdb statistics interface all
<clear-ovsdb-interfaces-statistics-all>
clear performance-monitoring
clear performance-monitoring mpls
clear performance-monitoring mpls lsp
<clear-pm-mpls-lsp-information>
clear pfe
clear pfe statistics
clear pfe statistics fabric
clear pfe statistics traffic detail
clear pfe statistics traffic egress-queues fpc
clear pfe statistics traffic multicast
clear pfe statistics traffic multicast fpc
clear pfe tcam-errors
clear pfe tcam-errors all-tcam-stages
<clear-pfe-tcam-errors-all-tcam-stages>
clear pfe tcam-errors app
<clear-pfe-tcam-errors-app>
clear pfe tcam-errors app bd-dtag-validate
<clear-pfe-tcam-errors-app-bd-dtag-validate>
clear pfe tcam-errors app bd-dtag-validate detail
clear pfe tcam-errors app bd-dtag-validate list-related-apps
clear pfe tcam-errors app bd-dtag-validate list-shared-apps
clear pfe tcam-errors app bd-dtag-validate shared-usage
clear pfe tcam-errors app bd-dtag-validate shared-usage detail
clear pfe tcam-errors app bd-tpid-swap
<clear-pfe-tcam-errors-app-bd-tpid-swap>
clear pfe tcam-errors app bd-tpid-swap detail
clear pfe tcam-errors app bd-tpid-swap list-related-apps
clear pfe tcam-errors app bd-tpid-swap list-shared-apps
clear pfe tcam-errors app bd-tpid-swap shared-usage
clear pfe tcam-errors app bd-tpid-swap shared-usage detail
clear pfe tcam-errors app cfm-bd-filter
<clear-pfe-tcam-errors-app-cfm-bd-filter>
clear pfe tcam-errors app cfm-bd-filter detail
clear pfe tcam-errors app cfm-bd-filter list-related-apps
clear pfe tcam-errors app cfm-bd-filter list-shared-apps
clear pfe tcam-errors app cfm-bd-filter shared-usage
clear pfe tcam-errors app cfm-bd-filter shared-usage detail
clear pfe tcam-errors app cfm-filter
<clear-pfe-tcam-errors-app-cfm-filter>
clear pfe tcam-errors app cfm-filter detail
clear pfe tcam-errors app cfm-filter list-related-apps
clear pfe tcam-errors app cfm-filter list-shared-apps
clear pfe tcam-errors app cfm-filter shared-usage
clear pfe tcam-errors app cfm-filter shared-usage detail
clear pfe tcam-errors app cfm-vpls-filter
<clear-pfe-tcam-errors-app-cfm-vpls-filter>
clear pfe tcam-errors app cfm-vpls-filter detail
clear pfe tcam-errors app cfm-vpls-filter list-related-apps
clear pfe tcam-errors app cfm-vpls-filter list-shared-apps
clear pfe tcam-errors app cfm-vpls-filter shared-usage
clear pfe tcam-errors app cfm-vpls-filter shared-usage detail
clear pfe tcam-errors app cfm-vpls-ifl-filter
<clear-pfe-tcam-errors-app-cfm-vpls-ifl-filter>
clear pfe tcam-errors app cfm-vpls-ifl-filter detail
clear pfe tcam-errors app cfm-vpls-ifl-filter list-related-apps
clear pfe tcam-errors app cfm-vpls-ifl-filter list-shared-apps
clear pfe tcam-errors app cfm-vpls-ifl-filter shared-usage
clear pfe tcam-errors app cfm-vpls-ifl-filter shared-usage detail
clear pfe tcam-errors app cos-fc
<clear-pfe-tcam-errors-app-cos-fc>
clear pfe tcam-errors app cos-fc detail
clear pfe tcam-errors app cos-fc list-related-apps
clear pfe tcam-errors app cos-fc list-shared-apps
clear pfe tcam-errors app cos-fc shared-usage
clear pfe tcam-errors app cos-fc shared-usage detail
clear pfe tcam-errors app fw-ccc-in
<clear-pfe-tcam-errors-app-fw-ccc-in>
clear pfe tcam-errors app fw-ccc-in detail
clear pfe tcam-errors app fw-ccc-in list-related-apps
clear pfe tcam-errors app fw-ccc-in list-shared-apps
clear pfe tcam-errors app fw-ccc-in shared-usage
clear pfe tcam-errors app fw-ccc-in shared-usage detail
clear pfe tcam-errors app fw-family-out
<clear-pfe-tcam-errors-app-fw-family-out>
clear pfe tcam-errors app fw-family-out detail
clear pfe tcam-errors app fw-family-out list-related-apps
clear pfe tcam-errors app fw-family-out list-shared-apps
clear pfe tcam-errors app fw-family-out shared-usage
clear pfe tcam-errors app fw-family-out shared-usage detail
clear pfe tcam-errors app fw-fbf
<clear-pfe-tcam-errors-app-fw-fbf>
clear pfe tcam-errors app fw-fbf detail
clear pfe tcam-errors app fw-fbf list-related-apps
clear pfe tcam-errors app fw-fbf list-shared-apps
clear pfe tcam-errors app fw-fbf shared-usage
clear pfe tcam-errors app fw-fbf shared-usage detail
clear pfe tcam-errors app fw-fbf-inet6
<clear-pfe-tcam-errors-app-fw-fbf-inet6>
clear pfe tcam-errors app fw-fbf-inet6 detail
clear pfe tcam-errors app fw-fbf-inet6 list-related-apps
clear pfe tcam-errors app fw-fbf-inet6 list-shared-apps
clear pfe tcam-errors app fw-fbf-inet6 shared-usage
clear pfe tcam-errors app fw-fbf-inet6 shared-usage detail
clear pfe tcam-errors app fw-ifl-in
<clear-pfe-tcam-errors-app-fw-ifl-in>
clear pfe tcam-errors app fw-ifl-in detail
clear pfe tcam-errors app fw-ifl-in list-related-apps
clear pfe tcam-errors app fw-ifl-in list-shared-apps
clear pfe tcam-errors app fw-ifl-in shared-usage
clear pfe tcam-errors app fw-ifl-in shared-usage detail
clear pfe tcam-errors app fw-ifl-out
<clear-pfe-tcam-errors-app-fw-ifl-out>
clear pfe tcam-errors app fw-ifl-out detail
clear pfe tcam-errors app fw-ifl-out list-related-apps
clear pfe tcam-errors app fw-ifl-out list-shared-apps
clear pfe tcam-errors app fw-ifl-out shared-usage
clear pfe tcam-errors app fw-ifl-out shared-usage detail
clear pfe tcam-errors app fw-inet-ftf
<clear-pfe-tcam-errors-app-fw-inet-ftf>
clear pfe tcam-errors app fw-inet-ftf detail
clear pfe tcam-errors app fw-inet-ftf list-related-apps
clear pfe tcam-errors app fw-inet-ftf list-shared-apps
clear pfe tcam-errors app fw-inet-ftf shared-usage
clear pfe tcam-errors app fw-inet-ftf shared-usage detail
clear pfe tcam-errors app fw-inet-in
<clear-pfe-tcam-errors-app-fw-inet-in>
clear pfe tcam-errors app fw-inet-in detail
clear pfe tcam-errors app fw-inet-in list-related-apps
clear pfe tcam-errors app fw-inet-in list-shared-apps
clear pfe tcam-errors app fw-inet-in shared-usage
clear pfe tcam-errors app fw-inet-in shared-usage detail
clear pfe tcam-errors app fw-inet-pm
<clear-pfe-tcam-errors-app-fw-inet-pm>
clear pfe tcam-errors app fw-inet-pm detail
clear pfe tcam-errors app fw-inet-pm list-related-apps
clear pfe tcam-errors app fw-inet-pm list-shared-apps

Copyright © 2017, Juniper Networks, Inc. 141


Administration Guide for Security Devices

clear pfe tcam-errors app fw-inet-pm shared-usage
clear pfe tcam-errors app fw-inet-pm shared-usage detail
clear pfe tcam-errors app fw-inet-rpf
<clear-pfe-tcam-errors-app-fw-inet-rpf>
clear pfe tcam-errors app fw-inet-rpf detail
clear pfe tcam-errors app fw-inet-rpf list-related-apps
clear pfe tcam-errors app fw-inet-rpf list-shared-apps
clear pfe tcam-errors app fw-inet-rpf shared-usage
clear pfe tcam-errors app fw-inet-rpf shared-usage detail
clear pfe tcam-errors app fw-inet6-family-out
<clear-pfe-tcam-errors-app-fw-inet6-family-out>
clear pfe tcam-errors app fw-inet6-family-out detail
clear pfe tcam-errors app fw-inet6-family-out list-related-apps
clear pfe tcam-errors app fw-inet6-family-out list-shared-apps
clear pfe tcam-errors app fw-inet6-family-out shared-usage
clear pfe tcam-errors app fw-inet6-family-out shared-usage detail
clear pfe tcam-errors app fw-inet6-ftf
<clear-pfe-tcam-errors-app-fw-inet6-ftf>
clear pfe tcam-errors app fw-inet6-ftf detail
clear pfe tcam-errors app fw-inet6-ftf list-related-apps
clear pfe tcam-errors app fw-inet6-ftf list-shared-apps
clear pfe tcam-errors app fw-inet6-ftf shared-usage
clear pfe tcam-errors app fw-inet6-ftf shared-usage detail
clear pfe tcam-errors app fw-inet6-in
<clear-pfe-tcam-errors-app-fw-inet6-in>
clear pfe tcam-errors app fw-inet6-in detail
clear pfe tcam-errors app fw-inet6-in list-related-apps
clear pfe tcam-errors app fw-inet6-in list-shared-apps
clear pfe tcam-errors app fw-inet6-in shared-usage
clear pfe tcam-errors app fw-inet6-in shared-usage detail
clear pfe tcam-errors app fw-inet6-rpf
<clear-pfe-tcam-errors-app-fw-inet6-rpf>
clear pfe tcam-errors app fw-inet6-rpf detail
clear pfe tcam-errors app fw-inet6-rpf list-related-apps
clear pfe tcam-errors app fw-inet6-rpf list-shared-apps
clear pfe tcam-errors app fw-inet6-rpf shared-usage
clear pfe tcam-errors app fw-inet6-rpf shared-usage detail
clear pfe tcam-errors app fw-l2-in
<clear-pfe-tcam-errors-app-fw-l2-in>
clear pfe tcam-errors app fw-l2-in detail
clear pfe tcam-errors app fw-l2-in list-related-apps
clear pfe tcam-errors app fw-l2-in list-shared-apps
clear pfe tcam-errors app fw-l2-in shared-usage
clear pfe tcam-errors app fw-l2-in shared-usage detail
clear pfe tcam-errors app fw-mpls-in
<clear-pfe-tcam-errors-app-fw-mpls-in>
clear pfe tcam-errors app fw-mpls-in detail
clear pfe tcam-errors app fw-mpls-in list-related-apps
clear pfe tcam-errors app fw-mpls-in list-shared-apps
clear pfe tcam-errors app fw-mpls-in shared-usage
clear pfe tcam-errors app fw-mpls-in shared-usage detail
clear pfe tcam-errors app fw-semantics
<clear-pfe-tcam-errors-app-fw-semantics>
clear pfe tcam-errors app fw-semantics detail

Chapter 4: Permissions Flags for User Access Privileges

clear pfe tcam-errors app fw-semantics list-related-apps
clear pfe tcam-errors app fw-semantics list-shared-apps
clear pfe tcam-errors app fw-semantics shared-usage
clear pfe tcam-errors app fw-semantics shared-usage detail
clear pfe tcam-errors app fw-vpls-in
<clear-pfe-tcam-errors-app-fw-vpls-in>
clear pfe tcam-errors app fw-vpls-in detail
clear pfe tcam-errors app fw-vpls-in list-related-apps
clear pfe tcam-errors app fw-vpls-in list-shared-apps
clear pfe tcam-errors app fw-vpls-in shared-usage
clear pfe tcam-errors app fw-vpls-in shared-usage detail
clear pfe tcam-errors app gr-ifl-stats-egr
<clear-pfe-tcam-errors-app-gr-ifl-statistics-egr>
clear pfe tcam-errors app gr-ifl-stats-egr detail
clear pfe tcam-errors app gr-ifl-stats-egr list-related-apps
clear pfe tcam-errors app gr-ifl-stats-egr list-shared-apps
clear pfe tcam-errors app gr-ifl-stats-egr shared-usage
clear pfe tcam-errors app gr-ifl-stats-egr shared-usage detail
clear pfe tcam-errors app gr-ifl-stats-ing
<clear-pfe-tcam-errors-app-gr-ifl-statistics-ing>
clear pfe tcam-errors app gr-ifl-stats-ing detail
clear pfe tcam-errors app gr-ifl-stats-ing list-related-apps
clear pfe tcam-errors app gr-ifl-stats-ing list-shared-apps
clear pfe tcam-errors app gr-ifl-stats-ing shared-usage
clear pfe tcam-errors app gr-ifl-stats-ing shared-usage detail
clear pfe tcam-errors app gr-ifl-stats-preing
<clear-pfe-tcam-errors-app-gr-ifl-statistics-preing>
clear pfe tcam-errors app gr-ifl-stats-preing detail
clear pfe tcam-errors app gr-ifl-stats-preing list-related-apps
clear pfe tcam-errors app gr-ifl-stats-preing list-shared-apps
clear pfe tcam-errors app gr-ifl-stats-preing shared-usage
clear pfe tcam-errors app gr-ifl-stats-preing shared-usage detail
clear pfe tcam-errors app ifd-src-mac-fil
<clear-pfe-tcam-errors-app-ifd-src-mac-fil>
clear pfe tcam-errors app ifd-src-mac-fil detail
clear pfe tcam-errors app ifd-src-mac-fil list-related-apps
clear pfe tcam-errors app ifd-src-mac-fil list-shared-apps
clear pfe tcam-errors app ifd-src-mac-fil shared-usage
clear pfe tcam-errors app ifd-src-mac-fil shared-usage detail
clear pfe tcam-errors app ifl-statistics-in
<clear-pfe-tcam-errors-app-ifl-statistics-in>
clear pfe tcam-errors app ifl-statistics-in detail
clear pfe tcam-errors app ifl-statistics-in list-related-apps
clear pfe tcam-errors app ifl-statistics-in list-shared-apps
clear pfe tcam-errors app ifl-statistics-in shared-usage
clear pfe tcam-errors app ifl-statistics-in shared-usage detail
clear pfe tcam-errors app ifl-statistics-out
<clear-pfe-tcam-errors-app-ifl-statistics-out>
clear pfe tcam-errors app ifl-statistics-out detail
clear pfe tcam-errors app ifl-statistics-out list-related-apps
clear pfe tcam-errors app ifl-statistics-out list-shared-apps
clear pfe tcam-errors app ifl-statistics-out shared-usage
clear pfe tcam-errors app ifl-statistics-out shared-usage detail
clear pfe tcam-errors app ing-out-iff
<clear-pfe-tcam-errors-app-ing-out-iff>
clear pfe tcam-errors app ing-out-iff detail
clear pfe tcam-errors app ing-out-iff list-related-apps
clear pfe tcam-errors app ing-out-iff list-shared-apps
clear pfe tcam-errors app ing-out-iff shared-usage
clear pfe tcam-errors app ing-out-iff shared-usage detail
clear pfe tcam-errors app ip-mac-val
<clear-pfe-tcam-errors-app-ip-mac-val>
clear pfe tcam-errors app ip-mac-val detail
clear pfe tcam-errors app ip-mac-val list-related-apps
clear pfe tcam-errors app ip-mac-val list-shared-apps
clear pfe tcam-errors app ip-mac-val shared-usage
clear pfe tcam-errors app ip-mac-val shared-usage detail
clear pfe tcam-errors app ip-mac-val-bcast
<clear-pfe-tcam-errors-app-ip-mac-val-bcast>
clear pfe tcam-errors app ip-mac-val-bcast detail
clear pfe tcam-errors app ip-mac-val-bcast list-related-apps
clear pfe tcam-errors app ip-mac-val-bcast list-shared-apps
clear pfe tcam-errors app ip-mac-val-bcast shared-usage
clear pfe tcam-errors app ip-mac-val-bcast shared-usage detail
clear pfe tcam-errors app ipsec-reverse-fil
<clear-pfe-tcam-errors-app-ipsec-reverse-fil>
clear pfe tcam-errors app ipsec-reverse-fil detail
clear pfe tcam-errors app ipsec-reverse-fil list-related-apps
clear pfe tcam-errors app ipsec-reverse-fil list-shared-apps
clear pfe tcam-errors app ipsec-reverse-fil shared-usage
clear pfe tcam-errors app ipsec-reverse-fil shared-usage detail
clear pfe tcam-errors app irb-cos-rw
<clear-pfe-tcam-errors-app-irb-cos-rw>
clear pfe tcam-errors app irb-cos-rw detail
clear pfe tcam-errors app irb-cos-rw list-related-apps
clear pfe tcam-errors app irb-cos-rw list-shared-apps
clear pfe tcam-errors app irb-cos-rw shared-usage
clear pfe tcam-errors app irb-cos-rw shared-usage detail
clear pfe tcam-errors app irb-fixed-cos
<clear-pfe-tcam-errors-app-irb-fixed-cos>
clear pfe tcam-errors app irb-fixed-cos detail
clear pfe tcam-errors app irb-fixed-cos list-related-apps
clear pfe tcam-errors app irb-fixed-cos list-shared-apps
clear pfe tcam-errors app irb-fixed-cos shared-usage
clear pfe tcam-errors app irb-fixed-cos shared-usage detail
clear pfe tcam-errors app irb-inet6-fil
<clear-pfe-tcam-errors-app-irb-inet6-fil>
clear pfe tcam-errors app irb-inet6-fil detail
clear pfe tcam-errors app irb-inet6-fil list-related-apps
clear pfe tcam-errors app irb-inet6-fil list-shared-apps
clear pfe tcam-errors app irb-inet6-fil shared-usage
clear pfe tcam-errors app irb-inet6-fil shared-usage detail
clear pfe tcam-errors app lfm-802.3ah-in
<clear-pfe-tcam-errors-app-lfm-802.3ah-in>
clear pfe tcam-errors app lfm-802.3ah-in detail
clear pfe tcam-errors app lfm-802.3ah-in list-related-apps
clear pfe tcam-errors app lfm-802.3ah-in list-shared-apps
clear pfe tcam-errors app lfm-802.3ah-in shared-usage
clear pfe tcam-errors app lfm-802.3ah-in shared-usage detail
clear pfe tcam-errors app lfm-802.3ah-out
<clear-pfe-tcam-errors-app-lfm-802.3ah-out>
clear pfe tcam-errors app lfm-802.3ah-out detail
clear pfe tcam-errors app lfm-802.3ah-out list-related-apps
clear pfe tcam-errors app lfm-802.3ah-out list-shared-apps
clear pfe tcam-errors app lfm-802.3ah-out shared-usage
clear pfe tcam-errors app lfm-802.3ah-out shared-usage detail
clear pfe tcam-errors app lo0-inet-fil
<clear-pfe-tcam-errors-app-lo0-inet-fil>
clear pfe tcam-errors app lo0-inet-fil detail
clear pfe tcam-errors app lo0-inet-fil list-related-apps
clear pfe tcam-errors app lo0-inet-fil list-shared-apps
clear pfe tcam-errors app lo0-inet-fil shared-usage
clear pfe tcam-errors app lo0-inet-fil shared-usage detail
clear pfe tcam-errors app lo0-inet6-fil
<clear-pfe-tcam-errors-app-lo0-inet6-fil>
clear pfe tcam-errors app lo0-inet6-fil detail
clear pfe tcam-errors app lo0-inet6-fil list-related-apps
clear pfe tcam-errors app lo0-inet6-fil list-shared-apps
clear pfe tcam-errors app lo0-inet6-fil shared-usage
clear pfe tcam-errors app lo0-inet6-fil shared-usage detail
clear pfe tcam-errors app mac-drop-cnt
<clear-pfe-tcam-errors-app-mac-drop-cnt>
clear pfe tcam-errors app mac-drop-cnt detail
clear pfe tcam-errors app mac-drop-cnt list-related-apps
clear pfe tcam-errors app mac-drop-cnt list-shared-apps
clear pfe tcam-errors app mac-drop-cnt shared-usage
clear pfe tcam-errors app mac-drop-cnt shared-usage detail
clear pfe tcam-errors app mrouter-port-in
<clear-pfe-tcam-errors-app-mrouter-port-in>
clear pfe tcam-errors app mrouter-port-in detail
clear pfe tcam-errors app mrouter-port-in list-related-apps
clear pfe tcam-errors app mrouter-port-in list-shared-apps
clear pfe tcam-errors app mrouter-port-in shared-usage
clear pfe tcam-errors app mrouter-port-in shared-usage detail
clear pfe tcam-errors app napt-reverse-fil
<clear-pfe-tcam-errors-app-napt-reverse-fil>
clear pfe tcam-errors app napt-reverse-fil detail
clear pfe tcam-errors app napt-reverse-fil list-related-apps
clear pfe tcam-errors app napt-reverse-fil list-shared-apps
clear pfe tcam-errors app napt-reverse-fil shared-usage
clear pfe tcam-errors app napt-reverse-fil shared-usage detail
clear pfe tcam-errors app no-local-switching
<clear-pfe-tcam-errors-app-no-local-switching>
clear pfe tcam-errors app no-local-switching detail
clear pfe tcam-errors app no-local-switching list-related-apps
clear pfe tcam-errors app no-local-switching list-shared-apps
clear pfe tcam-errors app no-local-switching shared-usage
clear pfe tcam-errors app no-local-switching shared-usage detail
clear pfe tcam-errors app ptpoe-cos-rw
<clear-pfe-tcam-errors-app-ptpoe-cos-rw>
clear pfe tcam-errors app ptpoe-cos-rw detail
clear pfe tcam-errors app ptpoe-cos-rw list-related-apps
clear pfe tcam-errors app ptpoe-cos-rw list-shared-apps
clear pfe tcam-errors app ptpoe-cos-rw shared-usage
clear pfe tcam-errors app ptpoe-cos-rw shared-usage detail
clear pfe tcam-errors app rfc2544-layer2-in
<clear-pfe-tcam-errors-app-rfc2544-layer2-in>
clear pfe tcam-errors app rfc2544-layer2-in detail
clear pfe tcam-errors app rfc2544-layer2-in list-related-apps
clear pfe tcam-errors app rfc2544-layer2-in list-shared-apps
clear pfe tcam-errors app rfc2544-layer2-in shared-usage
clear pfe tcam-errors app rfc2544-layer2-in shared-usage detail
clear pfe tcam-errors app rfc2544-layer2-out
<clear-pfe-tcam-errors-app-rfc2544-layer2-out>
clear pfe tcam-errors app rfc2544-layer2-out detail
clear pfe tcam-errors app rfc2544-layer2-out list-related-apps
clear pfe tcam-errors app rfc2544-layer2-out list-shared-apps
clear pfe tcam-errors app rfc2544-layer2-out shared-usage
clear pfe tcam-errors app rfc2544-layer2-out shared-usage detail
clear pfe tcam-errors app vpls-mesh-group-mcast
<get-upper-level-xml-name-vpls-mesh-group-mcast>
clear pfe tcam-errors app vpls-mesh-group-mcast detail
clear pfe tcam-errors app vpls-mesh-group-mcast list-related-apps
clear pfe tcam-errors app vpls-mesh-group-mcast list-shared-apps
clear pfe tcam-errors app vpls-mesh-group-mcast shared-usage
clear pfe tcam-errors app vpls-mesh-group-mcast shared-usage detail
clear pfe tcam-errors app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
clear pfe tcam-errors app vpls-mesh-group-ucast detail
clear pfe tcam-errors app vpls-mesh-group-ucast list-related-apps
clear pfe tcam-errors app vpls-mesh-group-ucast list-shared-apps
clear pfe tcam-errors app vpls-mesh-group-ucast shared-usage
clear pfe tcam-errors app vpls-mesh-group-ucast shared-usage detail
clear pfe tcam-errors tcam-stage
clear pfe tcam-errors tcam-stage egress
<clear-pfe-tcam-errors-egress-tcam-stage>
clear pfe tcam-errors tcam-stage egress app
<clear-pfe-tcam-errors-egress-app>
clear pfe tcam-errors tcam-stage egress app bd-dtag-validate
<clear-pfe-tcam-errors-egress-app-bd-dtag-validate>
clear pfe tcam-errors tcam-stage egress app bd-dtag-validate detail
clear pfe tcam-errors tcam-stage egress app bd-dtag-validate list-related-apps
clear pfe tcam-errors tcam-stage egress app bd-dtag-validate list-shared-apps
clear pfe tcam-errors tcam-stage egress app bd-dtag-validate shared-usage
clear pfe tcam-errors tcam-stage egress app bd-dtag-validate shared-usage detail
clear pfe tcam-errors tcam-stage egress app bd-tpid-swap
<clear-pfe-tcam-errors-egress-app-bd-tpid-swap>
clear pfe tcam-errors tcam-stage egress app bd-tpid-swap detail
clear pfe tcam-errors tcam-stage egress app bd-tpid-swap list-related-apps
clear pfe tcam-errors tcam-stage egress app bd-tpid-swap list-shared-apps
clear pfe tcam-errors tcam-stage egress app bd-tpid-swap shared-usage
clear pfe tcam-errors tcam-stage egress app bd-tpid-swap shared-usage detail
clear pfe tcam-errors tcam-stage egress app fw-family-out
<clear-pfe-tcam-errors-egress-app-fw-family-out>
clear pfe tcam-errors tcam-stage egress app fw-family-out detail
clear pfe tcam-errors tcam-stage egress app fw-family-out list-related-apps
clear pfe tcam-errors tcam-stage egress app fw-family-out list-shared-apps
clear pfe tcam-errors tcam-stage egress app fw-family-out shared-usage
clear pfe tcam-errors tcam-stage egress app fw-family-out shared-usage detail
clear pfe tcam-errors tcam-stage egress app fw-ifl-out
<clear-pfe-tcam-errors-egress-app-fw-ifl-out>
clear pfe tcam-errors tcam-stage egress app fw-ifl-out detail
clear pfe tcam-errors tcam-stage egress app fw-ifl-out list-related-apps
clear pfe tcam-errors tcam-stage egress app fw-ifl-out list-shared-apps
clear pfe tcam-errors tcam-stage egress app fw-ifl-out shared-usage
clear pfe tcam-errors tcam-stage egress app fw-ifl-out shared-usage detail
clear pfe tcam-errors tcam-stage egress app fw-inet6-family-out
<clear-pfe-tcam-errors-egress-app-fw-inet6-family-out>
clear pfe tcam-errors tcam-stage egress app fw-inet6-family-out detail
clear pfe tcam-errors tcam-stage egress app fw-inet6-family-out list-related-apps
clear pfe tcam-errors tcam-stage egress app fw-inet6-family-out list-shared-apps
clear pfe tcam-errors tcam-stage egress app fw-inet6-family-out shared-usage
clear pfe tcam-errors tcam-stage egress app fw-inet6-family-out shared-usage detail
clear pfe tcam-errors tcam-stage egress app ifl-statistics-out
<clear-pfe-tcam-errors-egress-app-ifl-statistics-out>
clear pfe tcam-errors tcam-stage egress app ifl-statistics-out detail
clear pfe tcam-errors tcam-stage egress app ifl-statistics-out list-related-apps
clear pfe tcam-errors tcam-stage egress app ifl-statistics-out list-shared-apps
clear pfe tcam-errors tcam-stage egress app ifl-statistics-out shared-usage
clear pfe tcam-errors tcam-stage egress app ifl-statistics-out shared-usage detail
clear pfe tcam-errors tcam-stage egress app irb-cos-rw
<clear-pfe-tcam-errors-egress-app-irb-cos-rw>
clear pfe tcam-errors tcam-stage egress app irb-cos-rw detail
clear pfe tcam-errors tcam-stage egress app irb-cos-rw list-related-apps
clear pfe tcam-errors tcam-stage egress app irb-cos-rw list-shared-apps
clear pfe tcam-errors tcam-stage egress app irb-cos-rw shared-usage
clear pfe tcam-errors tcam-stage egress app irb-cos-rw shared-usage detail
clear pfe tcam-errors tcam-stage egress app lfm-802.3ah-out
<clear-pfe-tcam-errors-egress-app-lfm-802.3ah-out>
clear pfe tcam-errors tcam-stage egress app lfm-802.3ah-out detail
clear pfe tcam-errors tcam-stage egress app lfm-802.3ah-out list-related-apps
clear pfe tcam-errors tcam-stage egress app lfm-802.3ah-out list-shared-apps
clear pfe tcam-errors tcam-stage egress app lfm-802.3ah-out shared-usage
clear pfe tcam-errors tcam-stage egress app lfm-802.3ah-out shared-usage detail
clear pfe tcam-errors tcam-stage egress app ptpoe-cos-rw
<clear-pfe-tcam-errors-egress-app-ptpoe-cos-rw>
clear pfe tcam-errors tcam-stage egress app ptpoe-cos-rw detail
clear pfe tcam-errors tcam-stage egress app ptpoe-cos-rw list-related-apps
clear pfe tcam-errors tcam-stage egress app ptpoe-cos-rw list-shared-apps
clear pfe tcam-errors tcam-stage egress app ptpoe-cos-rw shared-usage
clear pfe tcam-errors tcam-stage egress app ptpoe-cos-rw shared-usage detail
clear pfe tcam-errors tcam-stage egress app rfc2544-layer2-out
<clear-pfe-tcam-errors-egress-app-rfc2544-layer2-out>
clear pfe tcam-errors tcam-stage egress app rfc2544-layer2-out detail
clear pfe tcam-errors tcam-stage egress app rfc2544-layer2-out list-related-apps
clear pfe tcam-errors tcam-stage egress app rfc2544-layer2-out list-shared-apps
clear pfe tcam-errors tcam-stage egress app rfc2544-layer2-out shared-usage
clear pfe tcam-errors tcam-stage egress app rfc2544-layer2-out shared-usage detail
clear pfe tcam-errors tcam-stage ingress
<clear-pfe-tcam-errors-ingress-tcam-stage>
clear pfe tcam-errors tcam-stage ingress app
<clear-pfe-tcam-errors-ingress-app>
clear pfe tcam-errors tcam-stage ingress app cfm-bd-filter
<clear-pfe-tcam-errors-ingress-app-cfm-bd-filter>
clear pfe tcam-errors tcam-stage ingress app cfm-bd-filter detail
clear pfe tcam-errors tcam-stage ingress app cfm-bd-filter list-related-apps
clear pfe tcam-errors tcam-stage ingress app cfm-bd-filter list-shared-apps
clear pfe tcam-errors tcam-stage ingress app cfm-bd-filter shared-usage
clear pfe tcam-errors tcam-stage ingress app cfm-bd-filter shared-usage detail
clear pfe tcam-errors tcam-stage ingress app cfm-filter
<clear-pfe-tcam-errors-ingress-app-cfm-filter>
clear pfe tcam-errors tcam-stage ingress app cfm-filter detail
clear pfe tcam-errors tcam-stage ingress app cfm-filter list-related-apps
clear pfe tcam-errors tcam-stage ingress app cfm-filter list-shared-apps
clear pfe tcam-errors tcam-stage ingress app cfm-filter shared-usage
clear pfe tcam-errors tcam-stage ingress app cfm-filter shared-usage detail
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-filter
<clear-pfe-tcam-errors-ingress-app-cfm-vpls-filter>
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-filter detail
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-filter list-related-apps
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-filter list-shared-apps
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-filter shared-usage
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-filter shared-usage detail
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-ifl-filter
<clear-pfe-tcam-errors-ingress-app-cfm-vpls-ifl-filter>
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-ifl-filter detail
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-ifl-filter list-related-apps
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-ifl-filter list-shared-apps
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-ifl-filter shared-usage
clear pfe tcam-errors tcam-stage ingress app cfm-vpls-ifl-filter shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-ccc-in
<clear-pfe-tcam-errors-ingress-app-fw-ccc-in>
clear pfe tcam-errors tcam-stage ingress app fw-ccc-in detail
clear pfe tcam-errors tcam-stage ingress app fw-ccc-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-ccc-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-ccc-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-ccc-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-ifl-in
<clear-pfe-tcam-errors-ingress-app-fw-ifl-in>
clear pfe tcam-errors tcam-stage ingress app fw-ifl-in detail
clear pfe tcam-errors tcam-stage ingress app fw-ifl-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-ifl-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-ifl-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-ifl-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-ftf
<clear-pfe-tcam-errors-ingress-app-fw-inet-ftf>
clear pfe tcam-errors tcam-stage ingress app fw-inet-ftf detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-ftf list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-ftf list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-ftf shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet-ftf shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-in
<clear-pfe-tcam-errors-ingress-app-fw-inet-in>
clear pfe tcam-errors tcam-stage ingress app fw-inet-in detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm
<clear-pfe-tcam-errors-ingress-app-fw-inet-pm>
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet-pm shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf
<clear-pfe-tcam-errors-ingress-app-fw-inet-rpf>
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf detail
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet-rpf shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf
<clear-pfe-tcam-errors-ingress-app-fw-inet6-ftf>
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet6-ftf shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in
<clear-pfe-tcam-errors-ingress-app-fw-inet6-in>
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet6-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf
<clear-pfe-tcam-errors-ingress-app-fw-inet6-rpf>
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf detail
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-inet6-rpf shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-l2-in
<clear-pfe-tcam-errors-ingress-app-fw-l2-in>
clear pfe tcam-errors tcam-stage ingress app fw-l2-in detail
clear pfe tcam-errors tcam-stage ingress app fw-l2-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-l2-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-l2-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-l2-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in
<clear-pfe-tcam-errors-ingress-app-fw-mpls-in>
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in detail
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-mpls-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in
<clear-pfe-tcam-errors-ingress-app-fw-vpls-in>
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in detail
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in shared-usage
clear pfe tcam-errors tcam-stage ingress app fw-vpls-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr
<clear-pfe-tcam-errors-ingress-app-gr-ifl-statistics-egr>
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr list-related-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr list-shared-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr shared-usage
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-egr shared-usage detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing
<clear-pfe-tcam-errors-ingress-app-gr-ifl-statistics-ing>
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing list-related-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing list-shared-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing shared-usage
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-ing shared-usage detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing
<clear-pfe-tcam-errors-ingress-app-gr-ifl-statistics-preing>
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing detail
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing list-related-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing list-shared-apps
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing shared-usage
clear pfe tcam-errors tcam-stage ingress app gr-ifl-stats-preing shared-usage detail
clear pfe tcam-errors tcam-stage ingress app ifl-statistics-in
<clear-pfe-tcam-errors-ingress-app-ifl-statistics-in>
clear pfe tcam-errors tcam-stage ingress app ifl-statistics-in detail
clear pfe tcam-errors tcam-stage ingress app ifl-statistics-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app ifl-statistics-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app ifl-statistics-in shared-usage
clear pfe tcam-errors tcam-stage ingress app ifl-statistics-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app ipsec-reverse-fil
<clear-pfe-tcam-errors-ingress-app-ipsec-reverse-fil>
clear pfe tcam-errors tcam-stage ingress app ipsec-reverse-fil detail
clear pfe tcam-errors tcam-stage ingress app ipsec-reverse-fil list-related-apps
clear pfe tcam-errors tcam-stage ingress app ipsec-reverse-fil list-shared-apps
clear pfe tcam-errors tcam-stage ingress app ipsec-reverse-fil shared-usage
clear pfe tcam-errors tcam-stage ingress app ipsec-reverse-fil shared-usage detail
clear pfe tcam-errors tcam-stage ingress app irb-fixed-cos
<clear-pfe-tcam-errors-ingress-app-irb-fixed-cos>
clear pfe tcam-errors tcam-stage ingress app irb-fixed-cos detail
clear pfe tcam-errors tcam-stage ingress app irb-fixed-cos list-related-apps
clear pfe tcam-errors tcam-stage ingress app irb-fixed-cos list-shared-apps
clear pfe tcam-errors tcam-stage ingress app irb-fixed-cos shared-usage
clear pfe tcam-errors tcam-stage ingress app irb-fixed-cos shared-usage detail
clear pfe tcam-errors tcam-stage ingress app irb-inet6-fil
<clear-pfe-tcam-errors-ingress-app-irb-inet6-fil>
clear pfe tcam-errors tcam-stage ingress app irb-inet6-fil detail
clear pfe tcam-errors tcam-stage ingress app irb-inet6-fil list-related-apps
clear pfe tcam-errors tcam-stage ingress app irb-inet6-fil list-shared-apps
clear pfe tcam-errors tcam-stage ingress app irb-inet6-fil shared-usage
clear pfe tcam-errors tcam-stage ingress app irb-inet6-fil shared-usage detail
clear pfe tcam-errors tcam-stage ingress app lfm-802.3ah-in
<clear-pfe-tcam-errors-ingress-app-lfm-802.3ah-in>
clear pfe tcam-errors tcam-stage ingress app lfm-802.3ah-in detail
clear pfe tcam-errors tcam-stage ingress app lfm-802.3ah-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app lfm-802.3ah-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app lfm-802.3ah-in shared-usage
clear pfe tcam-errors tcam-stage ingress app lfm-802.3ah-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app lo0-inet-fil
<clear-pfe-tcam-errors-ingress-app-lo0-inet-fil>
clear pfe tcam-errors tcam-stage ingress app lo0-inet-fil detail
clear pfe tcam-errors tcam-stage ingress app lo0-inet-fil list-related-apps
clear pfe tcam-errors tcam-stage ingress app lo0-inet-fil list-shared-apps
clear pfe tcam-errors tcam-stage ingress app lo0-inet-fil shared-usage
clear pfe tcam-errors tcam-stage ingress app lo0-inet-fil shared-usage detail
clear pfe tcam-errors tcam-stage ingress app lo0-inet6-fil
<clear-pfe-tcam-errors-ingress-app-lo0-inet6-fil>
clear pfe tcam-errors tcam-stage ingress app lo0-inet6-fil detail
clear pfe tcam-errors tcam-stage ingress app lo0-inet6-fil list-related-apps
clear pfe tcam-errors tcam-stage ingress app lo0-inet6-fil list-shared-apps
clear pfe tcam-errors tcam-stage ingress app lo0-inet6-fil shared-usage
clear pfe tcam-errors tcam-stage ingress app lo0-inet6-fil shared-usage detail
clear pfe tcam-errors tcam-stage ingress app mac-drop-cnt
<clear-pfe-tcam-errors-ingress-app-mac-drop-cnt>
clear pfe tcam-errors tcam-stage ingress app mac-drop-cnt detail
clear pfe tcam-errors tcam-stage ingress app mac-drop-cnt list-related-apps
clear pfe tcam-errors tcam-stage ingress app mac-drop-cnt list-shared-apps
clear pfe tcam-errors tcam-stage ingress app mac-drop-cnt shared-usage
clear pfe tcam-errors tcam-stage ingress app mac-drop-cnt shared-usage detail
clear pfe tcam-errors tcam-stage ingress app mrouter-port-in
<clear-pfe-tcam-errors-ingress-app-mrouter-port-in>
clear pfe tcam-errors tcam-stage ingress app mrouter-port-in detail
clear pfe tcam-errors tcam-stage ingress app mrouter-port-in list-related-apps
clear pfe tcam-errors tcam-stage ingress app mrouter-port-in list-shared-apps
clear pfe tcam-errors tcam-stage ingress app mrouter-port-in shared-usage
clear pfe tcam-errors tcam-stage ingress app mrouter-port-in shared-usage detail
clear pfe tcam-errors tcam-stage ingress app napt-reverse-fil
<clear-pfe-tcam-errors-ingress-app-napt-reverse-fil>

150 Copyright © 2017, Juniper Networks, Inc.

Chapter 4: Permissions Flags for User Access Privileges

clear pfe tcam-errors tcam-stage ingress app napt-reverse-fil detail
clear pfe tcam-errors tcam-stage ingress app napt-reverse-fil list-related-apps
clear pfe tcam-errors tcam-stage ingress app napt-reverse-fil list-shared-apps
clear pfe tcam-errors tcam-stage ingress app napt-reverse-fil shared-usage
clear pfe tcam-errors tcam-stage ingress app napt-reverse-fil shared-usage detail
clear pfe tcam-errors tcam-stage ingress app no-local-switching
<clear-pfe-tcam-errors-ingress-app-no-local-switching>
clear pfe tcam-errors tcam-stage ingress app no-local-switching detail
clear pfe tcam-errors tcam-stage ingress app no-local-switching list-related-apps
clear pfe tcam-errors tcam-stage ingress app no-local-switching list-shared-apps
clear pfe tcam-errors tcam-stage ingress app no-local-switching shared-usage
clear pfe tcam-errors tcam-stage ingress app no-local-switching shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress
<clear-pfe-tcam-errors-pre-ingress-tcam-stage>
clear pfe tcam-errors tcam-stage pre-ingress app
<clear-pfe-tcam-errors-pre-ingress-app>
clear pfe tcam-errors tcam-stage pre-ingress app cos-fc
<clear-pfe-tcam-errors-pre-ingress-app-cos-fc>
clear pfe tcam-errors tcam-stage pre-ingress app cos-fc detail
clear pfe tcam-errors tcam-stage pre-ingress app cos-fc list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app cos-fc list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app cos-fc shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app cos-fc shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf
<clear-pfe-tcam-errors-pre-ingress-app-fw-fbf>
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf detail
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf-inet6
<clear-pfe-tcam-errors-pre-ingress-app-fw-fbf-inet6>
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf-inet6 detail
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf-inet6 list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf-inet6 list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf-inet6 shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app fw-fbf-inet6 shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress app fw-semantics
<clear-pfe-tcam-errors-pre-ingress-app-fw-semantics>
clear pfe tcam-errors tcam-stage pre-ingress app fw-semantics detail
clear pfe tcam-errors tcam-stage pre-ingress app fw-semantics list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app fw-semantics list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app fw-semantics shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app fw-semantics shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress app ifd-src-mac-fil
<clear-pfe-tcam-errors-pre-ingress-app-ifd-src-mac-fil>
clear pfe tcam-errors tcam-stage pre-ingress app ifd-src-mac-fil detail
clear pfe tcam-errors tcam-stage pre-ingress app ifd-src-mac-fil list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app ifd-src-mac-fil list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app ifd-src-mac-fil shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app ifd-src-mac-fil shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress app ing-out-iff
<clear-pfe-tcam-errors-pre-ingress-app-ing-out-iff>
clear pfe tcam-errors tcam-stage pre-ingress app ing-out-iff detail
clear pfe tcam-errors tcam-stage pre-ingress app ing-out-iff list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app ing-out-iff list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app ing-out-iff shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app ing-out-iff shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val
<clear-pfe-tcam-errors-pre-ingress-app-ip-mac-val>
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val detail
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val-bcast
<clear-pfe-tcam-errors-pre-ingress-app-ip-mac-val-bcast>
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val-bcast detail
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val-bcast list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val-bcast list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val-bcast shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app ip-mac-val-bcast shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress app rfc2544-layer2-in
<clear-pfe-tcam-errors-pre-ingress-app-rfc2544-layer2-in>
clear pfe tcam-errors tcam-stage pre-ingress app rfc2544-layer2-in detail
clear pfe tcam-errors tcam-stage pre-ingress app rfc2544-layer2-in list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app rfc2544-layer2-in list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app rfc2544-layer2-in shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app rfc2544-layer2-in shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-mcast
<get-upper-level-xml-name-vpls-mesh-group-mcast>
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-mcast detail
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-mcast list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-mcast list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-mcast shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-mcast shared-usage detail
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast detail
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast list-related-apps
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast list-shared-apps
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast shared-usage
clear pfe tcam-errors tcam-stage pre-ingress app vpls-mesh-group-ucast shared-usage detail
clear passive-monitoring
<clear-passive-monitoring>
clear passive-monitoring statistics
<clear-passive-monitoring-statistics>
clear pgm
clear pgm negative-acknowledgments
<clear-pgm-negative-acknowledgments>
clear pgm source-path-messages
<clear-pgm-source-path-messages>
clear pgm statistics
<clear-pgm-statistics>
clear pim
clear pim join
<clear-pim-join-state>
clear pim join-distribution
<clear-pim-join-distribution>
clear pim register
<clear-pim-register-state>
clear pim snooping
clear pim snooping join
clear pim snooping statistics
clear pim statistics
<clear-pim-statistics>
clear poe
clear poe telemetries
clear poe telemetries interface
<clear-poe-telemetries-information>
clear ppp
clear ppp statistics
<clear-ppp-statistics-information>
clear pppoe
clear pppoe lockout
<clear-pppoe-lockout-timers>
clear pppoe lockout atm-identifier
<clear-pppoe-lockout-timers-atm>
clear pppoe lockout vlan-identifier
<clear-pppoe-lockout-timers-vlan>
clear pppoe sessions
<clear-pppoe-sessions-information>
clear pppoe statistics
<clear-pppoe-statistics-information>
clear pppoe statistics interfaces
<clear-pppoe-statistics-interface-information>
clear protection-group
<clear-protection-group>
clear protection-group ethernet-ring
<clear-ethernet-ring-information>
clear protection-group ethernet-ring statistics
<clear-ethernet-ring-information>
clear r2cp
clear r2cp radio
<clear-r2cp-radio>
clear r2cp session
<clear-r2cp-session>
clear r2cp statistics
<clear-r2cp-statistics>
clear r2cp statistics radio
clear r2cp statistics session
clear rip
clear rip general-statistics
<clear-rip-general-statistics>
clear rip statistics
<clear-rip-statistics>
clear rip statistics peer
<clear-rip-peer-statistics>
clear ripng
clear ripng general-statistics
<clear-ripng-general-statistic>
clear ripng statistics
<clear-ripng-statistics>
clear rsvp
clear rsvp session
<clear-rsvp-session-information>
clear rsvp statistics
<clear-rsvp-counters-information>
clear security group-vpn
clear security group-vpn member
clear security group-vpn member group
<clear-gvpn-group-information>
clear security group-vpn member ike
clear security group-vpn member ike security-associations
<clear-group-vpn-ike-security-associations>
clear security group-vpn member ipsec
clear security group-vpn member ipsec security-associations
<clear-gvpn-ipsec-security-association>
clear security group-vpn member ipsec security-associations statistics
<clear-gvpn-ipsec-security-association-statistics>
clear security group-vpn member ipsec statistics
<clear-gvpn-ipsec-statistics>
clear services
clear services accounting flow inline-jflow
<clear-services-accounting-inline-jflow-flows>
clear services alg
clear services alg statistics
<clear-services-alg-statistics>
clear services application-aware-access-list
clear services application-aware-access-list statistics
<clear-application-aware-access-list-statistics-interface>
clear services application-aware-access-list statistics interface
<clear-application-aware-access-list-statistics-interface>
clear services application-aware-access-list statistics subscriber
<clear-application-aware-access-list-statistics-subscriber>
clear services application-identification
clear services application-identification application-system-cache
<clear-appid-application-system-cache>
clear services application-identification counter
<clear-appid-counter>
clear services application-identification counter ssl-encrypted-sessions
<clear-appid-counter-encrypted>
clear services application-identification statistics
<clear-appid-application-statistics>
clear services application-identification statistics cumulative
<clear-appid-application-statistics-cumulative>
clear services application-identification statistics interval
<clear-appid-application-statistics-interval>
clear services border-signaling-gateway
clear services border-signaling-gateway denied-messages
<clear-service-bsg-denied-messages>
clear services border-signaling-gateway name-resolution-cache
clear services border-signaling-gateway name-resolution-cache all
<clear-service-border-signaling-gateway-name-resolution-cache-all>
clear services border-signaling-gateway name-resolution-cache by-fqdn
<clear-border-signaling-gateway-name-resolution-cache-by-fqdn>
clear services border-signaling-gateway statistics
<clear-service-border-signaling-gateway-statistics>
clear services captive-portal-content-delivery
clear services captive-portal-content-delivery statistics
clear services captive-portal-content-delivery statistics interface
<clear-cpcdd-interface-statistics>
clear services cos
clear services cos statistics
<clear-services-cos-statistics>
clear services crtp
clear services crtp statistics
<clear-services-crtp-statistics>
clear services dynamic-flow-capture
clear services dynamic-flow-capture criteria
<clear-services-dynamic-flow-capture-criteria>
clear services dynamic-flow-capture sequence-number
clear services flow-collector
<clear-services-flow-collector-information>
clear services flow-collector statistics
<clear-services-flow-collector-statistics>
<clear-service-msp-flow-ipaction-table>
clear services ha
clear services ha statistics
<clear-service-ha-statistics-information>
clear services hcm
clear services hcm pic-statistics
<clear-services-hcm-pic-statistics>
clear services hcm statistics
<clear-services-hcm-statistics>
clear services ids
<clear-services-ids-tables>
clear services ids destination-table
<clear-services-ids-destination-table>
clear services ids pair-table
<clear-services-ids-pair-table>
clear services ids source-table
<clear-services-ids-source-table>
clear services inline
clear services inline nat
clear services inline nat pool
<clear-inline-nat-pool-information>
clear services inline nat statistics
<clear-inline-nat-statistics>
clear services inline softwire
clear services inline softwire statistics
<clear-inline-softwire-statistics>
clear services ipsec-vpn
clear services ipsec-vpn ipsec
clear services ipsec-vpn ipsec security-associations
<clear-services-ipsec-vpn-security-associations>
clear services ipsec-vpn ike
clear services ipsec-vpn ike security-associations
<clear-services-ike-security-associations>
clear services ipsec-vpn ike statistics
<clear-services-ike-statistics>
clear services pcp
clear services pcp epoch
clear services pcp statistics
clear services ipsec-vpn ipsec statistics
<clear-ipsec-vpn-statistics>
clear services l2tp
<clear-l2tp-destinations-information>
clear services l2tp disconnect-cause-summary
<clear-l2tp-disconnect-cause-summary>
clear services l2tp multilink
<clear-l2tp-multilink-information>
clear services l2tp session
<clear-l2tp-session-information>
clear services l2tp destination
<clear-l2tp-destinations-information>
clear services l2tp disconnect-cause-summary
<clear-l2tp-disconnect-cause-summary>
clear services l2tp tunnel
<clear-l2tp-tunnel-information>
clear services l2tp user
<clear-l2tp-user-session-information>
clear services local-policy-decision-function
clear services local-policy-decision-function statistics
clear services local-policy-decision-function statistics interface
<clear-local-policy-decision-function-statistics-interface>
clear services local-policy-decision-function statistics subscriber
<clear-local-policy-decision-function-statistics-subscriber>
clear services server-load-balance
clear services server-load-balance external-manager-statistics
<clear-external-manager-statistics>
clear services server-load-balance hash-table
<clear-hash-table-information>
clear services server-load-balance health-monitor-statistics
<clear-health-monitor-statistics>
clear services server-load-balance real-server-group-statistics
<clear-real-server-group-statistics>
clear services server-load-balance real-server-statistics
<clear-real-server-statistics>
clear services server-load-balance sticky
<clear-sticky-table>
clear services server-load-balance virtual-server-statistics
<clear-virtual-server-statistics>
clear services service-sets statistics integrity-drops
clear services service-sets statistics syslog
<clear-service-set-syslog-statistics>
clear services service-sets statistics tcp
<clear-service-tcp-tracker-statistics>
clear services stateful-firewall flow-analysis
<clear-service-flow-analysis>
clear services stateful-firewall flows
<clear-service-sfw-flow-table-information>
clear services stateful-firewall sip-call
<clear-service-sfw-sip-call-information>
clear services stateful-firewall sip-register
<clear-service-sfw-sip-register-information>
clear services stateful-firewall statistics
<clear-stateful-firewall-statistics>
clear services stateful-firewall subscriber-analysis
<clear-service-subs-analysis>
clear services subscriber
clear services subscriber sessions
<get-services-subscriber-sessions>
clear services video-monitoring
<clear-service-video-monitoring-information>
clear services video-monitoring mdi
<clear-service-video-monitoring-mdi-information>
clear services video-monitoring mdi alarm
<clear-service-video-monitoring-mdi-alarm-information>
clear services video-monitoring mdi alarm errors
<clear-services-video-monitoring-mdi-alarm-errors>
clear services video-monitoring mdi alarm stats
<clear-services-video-monitoring-mdi-alarm-statistics>
clear services video-monitoring mdi errors
<clear-service-video-monitoring-mdi-errors>
clear services video-monitoring mdi statistics
<clear-service-video-monitoring-mdi-statistics>
clear services sessions analysis
<clear-service-msp-session-analysis-information>
clear services softwire
clear services softwire statistics
<clear-services-softwire-statistics>
clear services stateful-firewall
clear services stateful-firewall flow-analysis
<clear-service-flow-analysis>
clear services stateful-firewall flows
<clear-service-sfw-flow-table-information>
clear services pgcp
clear services pgcp gates
<clear-service-pgcp-gates>
clear services pgcp gates gateway
<clear-service-pgcp-gates-gateway>
clear services pgcp statistics
<clear-service-pgcp-statistics>
clear services pgcp statistics gateway
<clear-service-pgcp-statistics-gateway>
<clear-rfc2544-information>
<clear-aborted-tests-information>
<clear-active-tests-information>
<clear-completed-tests-information>
clear sflow
clear sflow collector
clear sflow collector statistics
<clear-sflow-collector-statistics>
clear shmlog
clear shmlog all-info
<clear-shmlog-all-information>
clear shmlog entries
<clear-shmlog-entries>
clear shmlog statistics
<clear-shmlog-statistics>
clear snmp
clear snmp history
<clear-snmp-history>
<clear-health-monitor-routing-engine-history>
clear snmp statistics
<clear-snmp-statistics>
clear spanning-tree
clear spanning-tree protocol-migration
clear spanning-tree protocol-migration interface
<clear-interface-stp-protocol-migration>
clear spanning-tree statistics
<clear-stp-interface-statistics>
clear spanning-tree statistics bridge
clear spanning-tree statistics interface
clear spanning-tree statistics routing-instance
<clear-stp-routing-instance-statistics>
clear spanning-tree stp-buffer
clear spanning-tree topology-change-counter
<clear-stp-topology-change-counter>
clear synchronous-ethernet
clear synchronous-ethernet esmc
clear synchronous-ethernet esmc statistics
clear system
clear system boot-media
<clear-boot-media>
clear system login
clear system login lockout
<clear-system-login-lockout>
<clear-twamp-information>
<clear-twamp-server-information>
<clear-twamp-server-connection-information>
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear validation
clear validation database
<clear-validation-database>
clear validation session
<clear-validation-session>
clear validation statistics
<clear-validation-statistics>
clear virtual-chassis
clear virtual-chassis heartbeat
<clear-virtual-chassis-heartbeat-statistics>
clear virtual-chassis protocol
clear virtual-chassis protocol statistics
<clear-virtual-chassis-statistics>
<clear-virtual-chassis-port-statistics>
clear vpls
clear vpls mac-address
<clear-vpls-mac-address>
clear vpls mac-table
<clear-vpls-mac-table>
clear vpls mac-table interface
<clear-vpls-interface-mac-table>
request interface rebalance
request pppoe
request pppoe connect
request pppoe disconnect
request security ike debug-disable
<get-disable-ike-debug>
request security ike debug-enable
<get-enable-ike-debug>
request services rpm twamp start
request services rpm twamp start client
<twamp-test-start>
request services rpm twamp stop
request services rpm twamp stop client
<twamp-test-stop>
request snmp
<request-snmp-utility-mib-clear>
<request-snmp-utility-mib-set>
clear vpls statistics
<clear-vpls-statistics>
clear vrrp
<clear-vrrp-information>
clear vrrp interface
<clear-vrrp-interface-statistics>
request mpls
request mpls lsp
request mpls lsp adjust-autobandwidth
<request-mpls-lsp-autobandwidth-adjust>
clear services inline stateful-firewall
clear services inline stateful-firewall flows
<clear-service-inline-sfw-flow-table-information>
clear services inline stateful-firewall statistics
<clear-inline-stateful-firewall-statistics>
clear services service-sets statistics drop-flow-limit
<clear-service-set-drop-flow-statistics>
clear services service-sets statistics jflow-log
<clear-service-set-jflow-log-statistics>
request services ipsec-vpn ipsec
request services ipsec-vpn ipsec switch
request services ipsec-vpn ipsec switch tunnel
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>

Configuration Hierarchy Levels No associated CLI configuration hierarchy levels and statements.

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

configure

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can enter configuration mode.

Commands
configure
request snmp
<request-snmp-utility-mib-clear>
<request-snmp-utility-mib-set>

Configuration Hierarchy Levels No associated CLI configuration hierarchy levels and statements.

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

control

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can perform all control-level operations; can modify any configuration.

Commands
request jnu
request jnu role
request jnu schema
request jnu schema add
request jnu schema delete

Configuration Hierarchy Levels No associated CLI configuration hierarchy levels and statements.

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56
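The following is an added example, not taken from the guide, showing how the flags documented in this chapter are combined in a login class. It defines one class restricted to the clear and view flags (able to run the clear commands in the listing above and show commands, but unable to enter configuration mode) and one class that carries configure and control. The class names, user names and the deny-commands pattern are illustrative choices; clear and view are standard Junos permission flags, and allow-commands/deny-commands are the standard statements for narrowing what a flag grants.

```junos
## Added example: login classes built from permission flags.
## Class names, user names and the regular expression are assumptions.

## Operator class: "view" grants the show commands, "clear" grants the clear
## commands listed under the clear flag. Without "configure" the user cannot
## enter configuration mode at all.
set system login class noc-operator permissions [ clear view ]

## deny-commands is evaluated after the flags: although "clear" grants them,
## the VPN-related clear commands are withheld from this class because they
## tear down live security associations.
set system login class noc-operator deny-commands "(clear security group-vpn .*)|(clear services ipsec-vpn .*)"

## Change class: "configure" allows entering configuration mode; "control"
## allows modifying any configuration, so treat this class as full write
## access and assign it as sparingly as an admin account.
set system login class change-admin permissions [ configure control ]

set system login user alice class noc-operator
set system login user bob class change-admin
```

After committing, log in as each user and run show cli authorization, which prints the effective permission flags and any allow/deny regular expressions for the session. The noc-operator session should be unable to enter configuration mode and should have the denied clear commands rejected, while change-admin should be able to modify any configuration hierarchy.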

field

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can view field debug commands.

Commands No associated CLI commands.

Configuration Hierarchy Levels No associated CLI configuration hierarchy levels and statements.

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

firewall

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can view the firewall filter configuration in configuration mode.

Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>

clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control

clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
show firewall
<get-firewall-information>
show firewall counter
<get-firewall-counter-information>
show firewall filter
<get-firewall-filter-information>
show firewall filter version
<get-filter-version>

show firewall log
<get-firewall-log-information>
show firewall prefix-action-stats
<get-firewall-prefix-action-information>
show policer
<get-policer-information>

Configuration Hierarchy Levels
[edit chassis satellite-management]
[edit dynamic-profiles firewall]
[edit firewall]
[edit logical-systems firewall]
[edit unified-edge]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

• firewall-control on page 166

firewall-control

Supported Platforms EX Series, M Series, MX Series, SRX Series, T Series, vSRX

Can view and configure firewall filter information at the [edit dynamic-profiles firewall],
[edit firewall], and [edit logical-systems firewall] hierarchy levels.

Commands
show firewall
<get-firewall-information>
show firewall counter
<get-firewall-counter-information>
show firewall filter
<get-firewall-filter-information>
show firewall filter version
<get-filter-version>
show firewall log
<get-firewall-log-information>
show firewall prefix-action-stats
<get-firewall-prefix-action-information>
show policer

Configuration Hierarchy Levels
[edit dynamic-profiles firewall]
[edit firewall]
[edit logical-systems firewall]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

• firewall on page 162

floppy

Supported Platforms EX Series, M Series, MX Series, SRX Series, T Series, vSRX

Can read from and write to the removable media.

Commands No associated CLI commands.

Configuration Hierarchy Levels
No associated CLI configuration hierarchy levels and statements.

Related Documentation
• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

flow-tap

Supported Platforms M Series, MX Series, SRX Series, T Series, vSRX

Can view the flow-tap configuration in configuration mode.

Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>

clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>

clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>

Configuration Hierarchy Levels
[edit services flow-tap]
[edit services radius-flow-tap]
[edit system services flow-tap-dtcp]
[edit unified-edge]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

• flow-tap-control on page 171

flow-tap-control

Supported Platforms M Series, MX Series, SRX Series, T Series, vSRX

Can view the flow-tap configuration in configuration mode and can configure flow-tap
information at the [edit services flow-tap], [edit services radius-flow-tap], and
[edit system services flow-tap-dtcp] hierarchy levels.

Commands No associated CLI commands.

Configuration Hierarchy Levels
[edit services flow-tap]
[edit services radius-flow-tap]
[edit system services flow-tap-dtcp]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

• flow-tap on page 167

flow-tap-operation

Supported Platforms M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can make flow-tap requests to the router.

Commands No associated CLI commands.

Configuration Hierarchy Levels
No associated CLI configuration hierarchy levels and statements.

Related Documentation
• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

idp-profiler-operation

Supported Platforms M Series, MX Series, SRX Series, T Series, vSRX

Can view profiler data.

Commands No associated CLI commands.

CLI Configuration Hierarchy Levels
No associated CLI configuration hierarchy levels and statements.

interface

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can view the interface configuration in configuration mode.

Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>

clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>

request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>

Configuration Hierarchy Levels
[edit accounting-options]
[edit chassis]
[edit class-of-service]
[edit class-of-service interfaces]
[edit dynamic-profiles class-of-service]
[edit dynamic-profiles class-of-service interfaces]
[edit dynamic-profiles interfaces]
[edit dynamic-profiles routing-instances instance system services dhcp-local-server]
[edit dynamic-profiles routing-instances instance system services static-subscribers group]
[edit forwarding-options]
[edit interfaces]
[edit jnx-example]
[edit logical-systems forwarding-options]
[edit logical-systems interfaces]
[edit logical-systems routing-instances instance system services dhcp-local-server]
[edit logical-systems routing-instances instance system services static-subscribers group]
[edit logical-systems system services dhcp-local-server]
[edit logical-systems system services static-subscribers group]
[edit routing-instances instance system services dhcp-local-server]
[edit routing-instances instance system services static-subscribers group]
[edit services logging]
[edit services radius-flow-tap]
[edit services radius-flow-tap interfaces]
[edit system services dhcp-local-server]
[edit system services static-subscribers group]
[edit unified-edge]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

• interface-control on page 176

interface-control

Supported Platforms EX Series, M Series, MX Series, SRX Series, T Series, vSRX

Can view chassis, class of service (CoS), groups, forwarding options, and interfaces
configuration information. Can edit configuration at the [edit chassis], [edit
class-of-service], [edit groups], [edit forwarding-options], and [edit interfaces] hierarchy
levels.

Commands No associated CLI commands.

Configuration Hierarchy Levels
[edit accounting-options]
[edit chassis]
[edit class-of-service]
[edit class-of-service interfaces]
[edit dynamic-profiles class-of-service]
[edit dynamic-profiles class-of-service interfaces]
[edit dynamic-profiles interfaces]
[edit dynamic-profiles routing-instances instance system services dhcp-local-server]
[edit dynamic-profiles routing-instances instance system services static-subscribers group]
[edit forwarding-options]
[edit interfaces]
[edit jnx-example]
[edit logical-systems forwarding-options]
[edit logical-systems interfaces]
[edit logical-systems routing-instances instance system services dhcp-local-server]
[edit logical-systems routing-instances instance system services static-subscribers group]
[edit logical-systems system services dhcp-local-server]
[edit logical-systems system services static-subscribers group]
[edit routing-instances instance system services dhcp-local-server]
[edit routing-instances instance system services static-subscribers group]
[edit services logging]
[edit services radius-flow-tap]
[edit services radius-flow-tap interfaces]
[edit system services dhcp-local-server]
[edit system services static-subscribers group]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

• interface on page 172

maintenance

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can perform system maintenance, including starting a local shell on the router and
becoming the superuser in the shell, and can halt and reboot the router.

Commands
clear system commit synchronize-server pending-jobs
<clear-pending-commit-sync-jobs>
clear system reboot
<clear-reboot>

clear-system-services-reverse-information
file archive
<file-archive>
file change-owner
<file-change-owner>
<extract-file>
monitor traffic
request chassis afeb
request chassis beacon
<request-chassis-beacon>
request chassis cb
<request-chassis-cb>
request chassis ccg
<request-chassis-ccg>
request chassis cfeb
request chassis cfeb master
request chassis cip
request chassis fabric
request chassis fabric device
request chassis fabric guided-cabling
request chassis fabric plane
request chassis fabric upgrade-bandwidth
request chassis fabric upgrade-bandwidth fpc
request chassis fabric upgrade-bandwidth info
request chassis fan-tray
request chassis feb
<request-feb>
request chassis fpc
<request-chassis-fpc>
request chassis fpc optical-module
<request-fpc-optical-module>
request chassis fpc optical-module amplifier-chain
<request-fpc-optical-module-amplifier-chain>
request chassis fpc optical-module amplifier-chain ila
<request-fpc-optical-module-ila>
request chassis fpc optical-module amplifier-chain ila firmware-upgrade
<request-fpc-optical-module-ila-firmware-upgrade>
request chassis fpc optical-module amplifier-chain ila hard-reset
<request-fpc-optical-module-ila-hard-reset>
request chassis fpc optical-module amplifier-chain ila soft-reset
<request-fpc-optical-module-ila-soft-reset>
request chassis fpc optical-module firmware-upgrade
<request-fpc-optical-module-firmware-upgrade>
request chassis fpm

Administration Guide for Security Devices

request chassis mcs
request chassis mic
request chassis optics
request chassis pcg
request chassis pic
<request-chassis-pic>
request chassis port-led
request chassis port-led start
<request-chassis-port-led-switch-on>
request chassis port-led stop
<request-chassis-port-led-switch-off>
request chassis redundancy
request chassis redundancy feb
<request-redundancy-feb>
request chassis routing-engine
<request-chassis-routing-engine>
request chassis routing-engine hard-disk-test
request chassis routing-engine master
request chassis satellite device-mode
request chassis satellite disable
<request-chassis-satellite-disable>
request chassis satellite enable
<request-chassis-satellite-enable>
request chassis satellite file-copy
<request-chassis-satellite-file-copy>
request chassis satellite install
<request-chassis-satellite-install>
request chassis satellite interface
request chassis satellite login
<request-chassis-satellite-login>
request chassis satellite reboot
<request-chassis-satellite-reboot>
request chassis satellite restart
<request-chassis-satellite-restart>
request chassis satellite restart process
request chassis satellite shell-command
<request-chassis-satellite-shell-command>
request chassis scg
request chassis sfb
request chassis sfm
request chassis sfm master
request chassis sib
<request-chassis-sib>
request chassis sib f13
request chassis sib f2s
request chassis sib optics
request chassis spmb
<request-chassis-spmb>
request chassis ssb
request chassis ssb master
request chassis synchronization
request chassis synchronization force
request chassis synchronization force automatic-switching
request chassis synchronization force mark-failed
request chassis synchronization force unmark-failed
request chassis synchronization switch
request chassis tfeb
request chassis vcpu
request chassis vnpu
request diagnostics
request diagnostics tdr
request diagnostics tdr abort
request diagnostics tdr abort interface
<abort-tdr-interface-diagnostics>
request diagnostics tdr start
request diagnostics tdr start interface
<request-tdr-interface-diagnostics>
request extension-service
request extension-service start
<extension-service-start>
request extension-service stop
<extension-service-stop>
request l2circuit-switchover
request mpls
request mpls lsp
request mpls lsp adjust-autobandwidth
<request-mpls-lsp-autobandwidth-adjust>
request security
request security certificate
request security certificate enroll
request security datapath-debug
request security datapath-debug action-profile
request security datapath-debug action-profile reload-all
<reload-eedebug-action-profile>
request security idp
<request-idp-security-policy-load>
request security idp security-package
request security idp security-package download
<request-idp-security-package-download>
request security idp security-package download version
<request-idp-security-package-download-version>
request security idp security-package install
<request-idp-security-package-install>
request security idp security-package offline-download
<request-idp-security-package-offline-download>
request security idp ssl-inspection
request security idp ssl-inspection key
request security idp ssl-inspection key add
<request-idp-ssl-key-add>
request security idp ssl-inspection key delete
<request-idp-ssl-key-delete>
request security idp storage-cleanup
<request-idp-storage-cleanup>
request security ike
request security key-pair
request security pki
request security pki ca-certificate
request security pki ca-certificate ca-profile-group
request security pki ca-certificate ca-profile-group load
request security pki ca-certificate enroll
request security pki local-certificate export
request security pki ca-certificate load
<load-pki-ca-certificate>
request security pki ca-certificate verify
<verify-pki-ca-certificate>
request security pki crl
request security pki crl load
<load-pki-crl>
request security pki generate-certificate-request
<generate-pki-certificate-request>
request security pki generate-key-pair
<generate-pki-key-pair>
request security pki local-certificate
request security pki local-certificate enroll
request security pki local-certificate generate-self-signed
<generate-pki-self-signed-local-certificate>
request security pki local-certificate load
<load-pki-local-certificate>
request security pki local-certificate verify
<verify-pki-local-certificate>
request security pki verify-integrity-status
<verify-integrity-status>
request services fips
request services fips authorize
request services fips authorize pic
request services fips zeroize
request services fips zeroize pic
request services flow-collector
request services flow-collector change-destination
<request-services-flow-collector-destination>
request services ggsn
request services ggsn pdp
request services ggsn pdp terminate
request services ggsn pdp terminate apn
<request-ggsn-terminate-contexts-apn>
request services ggsn pdp terminate context
<request-ggsn-terminate-context>
request services ggsn pdp terminate context msisdn
<request-ggsn-terminate-msisdn-context>
request services ggsn restart
request services ggsn restart interface
<request-ggsn-restart-interface>
request services ggsn restart node
<request-ggsn-restart-node>
request services ggsn start
request services ggsn start interface
request services ggsn stop
request services ggsn stop interface
<request-ggsn-stop-interface>
request services ggsn stop node
<request-ggsn-stop-node>
request services ggsn trace
request services ggsn trace software
request services ggsn trace software update
<request-ggsn-software-update>
request services ggsn trace start
request services ggsn trace start imsi
<request-ggsn-start-imsi-trace>
request services ggsn trace start msisdn
<request-ggsn-start-msisdn-trace>
request services ggsn trace stop
request services ggsn trace stop all
<request-ggsn-stop-trace-activity>
request services ggsn trace stop imsi
<request-ggsn-stop-imsi-trace>
request services ggsn trace stop msisdn
<request-ggsn-stop-msisdn-trace>
request support
request support information
request system
request system boot-media
<request-boot-media>
request system certificate
request system certificate add
request system commit
request system commit server
request system commit server pause
<request-commit-server-pause>
request system commit server queue
request system commit server queue cleanup
<request-commit-server-cleanup>
request system commit server start
<request-commit-server-start>
request system configuration
request system configuration rescue
request system configuration rescue delete
<request-delete-rescue-configuration>
request system configuration rescue save
<request-save-rescue-configuration>
request system decrypt
<security-decrypt-password>
request system diagnostics
request system diagnostics log-archive
<request-log>
request system diagnostics transfer-control
<transfer-control>
request system firmware
request system firmware downgrade
request system firmware downgrade cb
<request-fpc-fpga-upgrade>
request system firmware downgrade cb i2c
<request-i2c-fpga-upgrade>
request system firmware downgrade feb
request system firmware downgrade fpc
request system firmware downgrade pic
request system firmware downgrade poe
request system firmware downgrade re
request system firmware downgrade scb
request system firmware downgrade sfm
request system firmware downgrade spmb
request system firmware downgrade ssb
request system firmware downgrade vcpu
request system firmware upgrade
request system firmware upgrade cb i2c
<request-i2c-fpga-upgrade>
request system firmware upgrade feb
request system firmware upgrade fpc
request system firmware upgrade fpga
request system firmware upgrade fpga cb
<request-cb-fpga-upgrade>
request system firmware upgrade fpga fpc
request system firmware upgrade fpga fpd
<request-fpd-fpga-upgrade>
request system firmware upgrade fpga ftc
<request-ftc-fpga-upgrade>
request system firmware upgrade fpga re
<request-re-fpga-upgrade>
request system firmware upgrade fpga scb
<request-scb-fpga-upgrade>
request system firmware upgrade fpga sib
<request-sib-fpga-upgrade>
request system firmware upgrade pic
request system firmware upgrade poe
request system firmware upgrade re
request system firmware upgrade re bios
request system firmware upgrade scb
request system firmware upgrade sfm
request system firmware upgrade spmb
request system firmware upgrade ssb
request system firmware upgrade vcpu
request system halt
<request-halt>
request system keep-alive
request system license
request system license add
request system license delete
<request-license-delete>
request system license revoke-licenses
<license-revoke-licenses>
request system license save
request system license update
<request-license-update>
request system logout
request system logs
<request-system-logs-copy>
request system partition
request system partition abort
request system partition compact-flash
request system partition hard-disk
request system power-off
<request-power-off>
request system power-on
<request-power-on-other-re>
request system process
request system process terminate
<request-process-terminate>
request system reboot
<request-reboot>
request system recover
request system scripts
request system scripts add
<request-scripts-package-add>
request system scripts convert
request system scripts convert slax-to-xslt
request system scripts convert xslt-to-slax
request system scripts delete
<request-scripts-package-delete>
request system scripts event-scripts
request system scripts event-scripts reload
<reload-event-scripts>
request system scripts refresh-from
<request-script-refresh-from>
request system scripts rollback
<request-scripts-package-rollback>
request system scripts synchronize
<request-scripts-synchronize>
request system snapshot
<request-snapshot>
request system software
request system software abort
request system software abort in-service-upgrade
<abort-in-service-upgrade>
request system software add
<request-package-add>
request system software delete
<request-package-delete>
request system software delete-backup
<request-package-delete-backup>
request system software in-service-upgrade
<request-package-in-service-upgrade>
request system software nonstop-upgrade
<request-package-nonstop-upgrade>
request system software recovery-package
request system software recovery-package add
request system software recovery-package delete
request system software recovery-package extract
request system software recovery-package extract ex-8200-package
request system software recovery-package extract ex-xre200-package
request system software rollback
<request-package-rollback>
request system software validate
<request-package-validate>
request system software validate in-service-upgrade
<check-in-service-upgrade>
request system storage
request system storage cleanup
<request-system-storage-cleanup>
request system storage cleanup qfabric
<remove-qfabric-repository-contents>
request system storage mount
<request-mount>
request system storage unified-edge
request system storage unified-edge charging
request system storage unified-edge charging media
request system storage unified-edge media
request system storage unified-edge media eject
request system storage unified-edge media prepare
request system storage unmount
<request-unmount>
request system subscriber-management
request system subscriber-management new-sessions-disable
<request-sm-new-sessions-disable>
request system subscriber-management new-sessions-enable
<request-sm-new-sessions-enable>
request system yang enable
<request-yang-enable>
request system yang update
<request-yang-update>
request system yang validate
<request-yang-validate>
request system zeroize
request vmhost
request vmhost cleanup
<request-vmhost-file-cleanup>
request vmhost file-copy
<request-vmhost-file-copy>
request vmhost halt
<request-vmhost-halt>
request vmhost hard-disk-test
<request-vmhost-hard-disk-test>
request vmhost power-off
<request-vmhost-poweroff>
request vmhost power-on
<request-power-on-other-re>
request vmhost reboot
<request-vmhost-reboot>
request vmhost snapshot
<request-vmhost-snapshot>
request vmhost snapshot partition
<request-vmhost-snapshot-partition>
request vmhost snapshot recovery
<request-vmhost-snapshot-recovery>
request vmhost snapshot recovery partition
<request-vmhost-snapshot-recovery-partition>
request vmhost software
request vmhost software abort
request vmhost software abort in-service-upgrade
<abort-in-service-upgrade>
request vmhost software add
<request-vmhost-package-add>
request vmhost software in-service-upgrade
<request-vmhost-package-in-service-upgrade>
request vmhost software rollback
<request-package-rollback>
request vmhost zeroize
<request-vmhost-zeroize>
request vpls-switchover
set date
set date ntp
show chassis usb
show chassis usb storage
<get-usb-storage-status>
show services fips
show system configuration database
show system configuration database usage
<get-database-usage>
start shell
start shell user
test access
test access profile
<get-radius-profile-access-test-result>
test access radius-server
<get-radius-server-access-test-result>
<get-test-services-l2tp-tunnel-result>

Configuration
Hierarchy Levels [edit event-options]
[edit security ipsec internal]
[edit security ipsec trusted-channel]
[edit services dynamic-flow-capture traceoptions]
[edit services ggsn]
[edit system fips]
[edit services ggsn rule-space]
[edit system processes daemon-process command]
[edit system scripts]
[edit system scripts commit]
[edit system scripts op]
[edit system scripts snmp]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 56

network

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can access the network by using the ping, ssh, telnet, and traceroute commands.

Commands
mtrace
mtrace from-source
mtrace monitor
mtrace to-gateway
ping
<ping>
ping atm
ping clns
ping ethernet
<request-ping-ethernet>
ping fibre-channel
ping mpls
ping mpls bgp
<request-ping-bgp-lsp>
ping mpls l2circuit
ping mpls l2circuit interface
<request-ping-l2circuit-interface>
ping mpls l2circuit virtual-circuit
<request-ping-l2circuit-virtual-circuit>
ping mpls l2vpn
ping mpls l2vpn fec129
ping mpls l2vpn fec129 interface
<request-ping-l2vpn-fec129-interface>
ping mpls l2vpn instance
<request-ping-l2vpn-instance>
ping mpls l2vpn interface
<request-ping-l2vpn-interface>
ping mpls l3vpn
<request-ping-l3vpn>
ping mpls ldp
<request-ping-ldp-lsp>
ping mpls ldp p2mp
<request-ping-ldp-p2mp-lsp>
ping mpls lsp-end-point
<request-ping-lsp-end-point>
ping mpls rsvp
<request-ping-rsvp-lsp>
ping overlay
<request-ping-overlay>
ping vpls
ping vpls instance
<request-ping-vpls-instance>
request routing-engine
request routing-engine login
<request-routing-engine-login>
request routing-engine login other-routing-engine
<request-login-to-other-routing-engine>
request services flow-collector
request services flow-collector test-file-transfer
<request-services-flow-collector-test-file-transfer>
show host
show interfaces level-extra descriptions
show multicast mrinfo
ssh
telnet
traceroute
<traceroute>
traceroute clns
traceroute ethernet
<request-traceroute-ethernet>
traceroute monitor
traceroute mpls
traceroute mpls l2vpn
<traceroute-mpls-l2vpn>
traceroute mpls l2vpn fec129
<traceroute-mpls-mspw>
traceroute mpls ldp
<traceroute-mpls-ldp>
traceroute mpls rsvp
<traceroute-mpls-rsvp>
traceroute overlay
<request-traceroute-overlay>

Configuration
Hierarchy Levels No associated CLI configuration hierarchy levels and statements.

Related Documentation
• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 56

pgcp-session-mirroring

Supported Platforms M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can view session mirroring configuration by using the pgcp command.

Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
show services pgcp gates gate-way display session-mirroring

Configuration
Hierarchy Levels [edit services pgcp gateway session-mirroring]
[edit services pgcp session-mirroring]
[edit unified-edge]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 56

• pgcp-session-mirroring-control on page 191

pgcp-session-mirroring-control

Supported Platforms M Series, MX Series, SRX Series, T Series, vSRX

Can modify the PGCP session mirroring configuration.

Commands show services pgcp gates gate-way display session-mirroring

Configuration
Hierarchy Levels [edit services pgcp gateway session-mirroring]
[edit services pgcp session-mirroring]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 56

• pgcp-session-mirroring on page 187

reset

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can restart software processes by using the restart command and can configure whether
software processes configured at the [edit system processes] hierarchy level are enabled
or disabled.

Commands
request chassis cfeb master switch
request chassis cfeb master switch no-confirm
request chassis routing-engine master acquire
request chassis routing-engine master acquire force
request chassis routing-engine master acquire force no-confirm
request chassis routing-engine master acquire no-confirm
request chassis routing-engine master release
request chassis routing-engine master release no-confirm
request chassis routing-engine master switch
request chassis routing-engine master switch no-confirm
request chassis satellite install no-confirm
request chassis sfm master switch
request chassis sfm master switch no-confirm
request chassis ssb master switch
request chassis ssb master switch no-confirm
restart
restart kernel-replication
<restart-kernel-replication>
restart-named-service
restart routing
<routing-restart>
restart services
restart services border-signaling-gateway
<restart-border-signaling-gateway-service>
restart services pgcp
<restart-pgcp-service>
restart web-management
<restart-web-management>

Configuration
Hierarchy Levels No associated CLI configuration hierarchy levels and statements.

Related Documentation
• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 56

rollback

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can roll back to previous configurations.

Commands rollback

Configuration
Hierarchy Levels [edit]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80

• Understanding Junos OS Access Privilege Levels on page 7

• Example: Configuring User Permissions with Access Privilege Levels on page 39

• Example: Configuring User Permissions with Access Privileges for Operational Mode
Commands on page 44

• Example: Configuring User Permissions with Access Privileges for Configuration
Statements and Hierarchies on page 56

secret

Supported Platforms EX Series, M Series, MX Series, SRX Series, T Series, vSRX

Can view passwords and other authentication keys in the configuration.

Commands No associated CLI commands.

clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>

Configuration Hierarchy Levels [edit access profile client chap-secret]
[edit access profile client firewall-user password]
[edit access profile client l2tp shared-secret]
[edit access profile client pap-password]
[edit access profile radius-server secret]
[edit access radius clients accounting secret]
[edit access radius snoop-segments shared-secret]
[edit access radius-disconnect preauthentication-secret]
[edit access radius-disconnect secret]
[edit access radius-server preauthentication-secret]
[edit access radius-server secret]
[edit dynamic-profiles interfaces interface ppp-options chap default-chap-secret]
[edit dynamic-profiles interfaces interface ppp-options pap default-password]
[edit dynamic-profiles interfaces interface ppp-options pap local-password]
[edit dynamic-profiles interfaces interface unit ppp-options chap default-chap-secret]
[edit dynamic-profiles interfaces interface unit ppp-options pap default-password]
[edit dynamic-profiles interfaces interface unit ppp-options pap local-password]
[edit interfaces interface ppp-options chap default-chap-secret]
[edit interfaces interface ppp-options pap default-password]
[edit interfaces interface ppp-options pap local-password]
[edit interfaces interface unit ppp-options chap default-chap-secret]
[edit interfaces interface unit ppp-options pap default-password]
[edit interfaces interface unit ppp-options pap local-password]
[edit logical-systems interfaces interface unit ppp-options chap]
[edit logical-systems interfaces interface unit ppp-options pap default-password]
[edit logical-systems interfaces interface unit ppp-options pap local-password]
[edit logical-systems routing-instances instance system services static-subscribers authentication password]
[edit logical-systems routing-instances instance system services static-subscribers group authentication password]
[edit logical-systems system services static-subscribers authentication password]
[edit logical-systems system services static-subscribers group authentication password]
[edit routing-instances instance system services static-subscribers authentication password]
[edit routing-instances instance system services static-subscribers group authentication password]
[edit services ggsn apn radius accounting server secret]
[edit services ggsn apn radius authentication server secret]
[edit services ggsn radius server secret]
[edit system accounting destination radius server preauthentication-secret]
[edit system accounting destination radius server secret]
[edit system accounting destination tacplus server secret]
[edit system radius-server preauthentication-secret]
[edit system radius-server secret]
[edit system services outbound-ssh client secret]
[edit system services packet-triggered-subscribers partition-radius accounting-shared-secret]
[edit system services static-subscribers authentication password]
[edit system services static-subscribers group authentication password]
[edit system tacplus-server secret]
[edit unified-edge]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56
• secret-control on page 197

secret-control

Supported Platforms EX Series, M Series, MX Series, SRX Series, T Series, vSRX

Can view passwords and other authentication keys in the configuration and can modify
them in configuration mode.

Commands No associated CLI commands.

Configuration Hierarchy Levels [edit access profile client chap-secret]
[edit access profile client firewall-user password]
[edit access profile client l2tp shared-secret]
[edit access profile client pap-password]
[edit access profile radius-server secret]
[edit access radius-disconnect secret]
[edit dynamic-profiles interfaces interface ppp-options chap default-chap-secret]
[edit dynamic-profiles interfaces interface ppp-options pap default-password]
[edit dynamic-profiles interfaces interface ppp-options pap local-password]
[edit dynamic-profiles interfaces interface unit ppp-options chap default-chap-secret]
[edit dynamic-profiles interfaces interface unit ppp-options pap default-password]
[edit dynamic-profiles interfaces interface unit ppp-options pap local-password]
[edit interfaces interface ppp-options chap default-chap-secret]
[edit interfaces interface ppp-options pap default-password]
[edit interfaces interface ppp-options pap local-password]
[edit interfaces interface unit ppp-options chap default-chap-secret]
[edit interfaces interface unit ppp-options pap default-password]
[edit interfaces interface unit ppp-options pap local-password]
[edit logical-systems interfaces interface unit ppp-options chap]
[edit logical-systems interfaces interface unit ppp-options pap default-password]
[edit logical-systems interfaces interface unit ppp-options pap local-password]
[edit logical-systems routing-instances instance system services static-subscribers authentication password]
[edit logical-systems routing-instances instance system services static-subscribers group authentication password]
[edit logical-systems system services static-subscribers authentication password]
[edit logical-systems system services static-subscribers group authentication password]
[edit routing-instances instance system services static-subscribers authentication password]
[edit routing-instances instance system services static-subscribers group authentication password]
[edit services ggsn apn radius accounting server secret]
[edit services ggsn apn radius authentication server secret]
[edit services ggsn radius server secret]
[edit system accounting destination radius server secret]
[edit system accounting destination tacplus server secret]
[edit system radius-server secret]
[edit system services outbound-ssh client secret]
[edit system services packet-triggered-subscribers partition-radius accounting-shared-secret]
[edit system services static-subscribers authentication password]
[edit system services static-subscribers group authentication password]
[edit system tacplus-server secret]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56
• secret on page 192

security

Supported Platforms EX Series, M Series, MX Series, SRX Series, T Series, vSRX

Can view security configuration.

Commands
clear security
clear security alarms
<clear-security-alarm-information>
clear security idp
clear security idp application-ddos
clear security idp application-ddos cache
<clear-idp-appddos-cache>
clear security idp application-identification
clear security idp application-identification application-system-cache
<clear-idp-application-system-cache>
clear security idp application-statistics
<clear-idp-applications-information>
clear security idp attack
clear security idp attack table
<clear-idp-attack-table>
clear security idp counters
<clear-idp-counters-by-counter-class>
clear security idp counters action
clear security idp counters application-ddos
clear security idp counters application-identification
clear security idp counters dfa
clear security idp counters flow
clear security idp counters http-decoder
clear security idp counters ips
clear security idp counters log
clear security idp counters memory
clear security idp counters packet
clear security idp counters packet-log
clear security idp counters pdf-decoder
clear security idp counters policy-manager
clear security idp counters ssl-inspection
clear security idp counters tcp-reassembler
clear security idp ssl-inspection
clear security idp ssl-inspection session-id-cache
<clear-idp-ssl-session-cache-information>
clear security idp status
<clear-idp-status-information>
clear security log
<clear-security-log-information>
clear security pki
clear security pki ca-certificate
<clear-pki-ca-certificate>
clear security pki certificate-request
<clear-pki-certificate-request>
clear security pki crl
<clear-pki-crl>
clear security pki key-pair
<clear-pki-key-pair>
clear security pki local-certificate
<clear-pki-local-certificate>
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request security
request security certificate
request security certificate enroll
request security datapath-debug
request security datapath-debug action-profile
request security datapath-debug action-profile reload-all
request security idp
<request-idp-policy-load>
request security idp security-package
request security idp security-package download
<request-idp-security-package-download>
request security idp security-package download version
<request-idp-security-package-download-version>
request security idp security-package install
<request-idp-security-package-install>
request security idp ssl-inspection
request security idp ssl-inspection key
request security idp ssl-inspection key add
<request-idp-ssl-key-add>
request security idp ssl-inspection key delete
<request-idp-ssl-key-delete>
request security idp storage-cleanup
<request-idp-storage-cleanup>
request security key-pair
request security pki
request security pki ca-certificate
request security pki ca-certificate verify
<verify-pki-ca-certificate>
request security pki ca-certificate enroll
request security pki ca-certificate load
<load-pki-ca-certificate>
request security pki crl
request security pki crl load
<request security pki crl load>
request security pki generate-certificate-request
<generate-pki-certificate-request>
request security pki generate-key-pair
<generate-pki-key-pair>
request security pki local-certificate
request security pki local-certificate verify
<verify-pki-local-certificate>
request security pki verify-integrity-status
<verify-integrity-status>
request security pki local-certificate enroll
request security pki local-certificate generate-self-signed
<generate-pki-self-signed-local-certificate>
request security pki local-certificate load
<load-pki-local-certificate>
request system set-encryption-key
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
show security
show security alarms
<get-security-alarm-information>
show security idp
show security idp application-ddos
show security idp application-ddos application
<get-idp-addos-application-information>
show security idp application-identification
show security idp application-identification application-system-cache
<get-idp-application-system-cache>
show security idp application-statistics
<get-idp-applications-information>
show security idp attack
show security idp attack description
<get-idp-attack-description-information>
show security idp attack detail
<get-idp-attack-detail-information>
show security idp attack table
<get-idp-attack-table-information>
show security idp counters
<get-idp-counter-information>
show security idp counters action
show security idp counters application-ddos
show security idp counters application-identification
show security idp counters dfa
show security idp counters flow
show security idp counters http-decoder
show security idp counters ips
show security idp counters log
show security idp counters memory
show security idp counters packet
show security idp counters packet-log
show security idp counters pdf-decoder
show security idp counters policy-manager
show security idp counters ssl-inspection
show security idp counters tcp-reassembler
show security idp logical-system
show security idp logical-system policy-association
show security idp memory
<get-idp-memory-information>
show security idp policies
<get-idp-subscriber-policy-list>
show security idp policy-templates-list
<get-idp-policy-template-information>
<get-idp-predefined-attack-groups>
<get-idp-predefined-attack-group-filters>
<get-idp-predefined-attacks>
<get-idp-predefined-attack-filters>
<get-idp-recent-security-package-information>
show security idp policy-commit-status
<get-idp-policy-commit-status>
<get-idp-recent-security-package-information>
show security idp security-package-version
<get-idp-security-package-information>
show security idp ssl-inspection
show security idp ssl-inspection key
<get-idp-ssl-key-information>
show security idp ssl-inspection session-id-cache
<get-idp-ssl-session-cache-information>
show security idp status
<get-idp-status-information>
show security idp status detail
<get-idp-detail-status-information>
show security keychain
<get-hakr-keychain-information>
show security log
<get-security-log-information>
show security pki
show security pki ca-certificate
<get-pki-ca-certificate>
show security pki certificate-request
<get-pki-certificate-request>
show security pki crl
<get-pki-crl>
show security pki local-certificate
<get-pki-local-certificate>

Configuration Hierarchy Levels [edit security]
[edit security alarms]
[edit security log]
[edit unified-edge]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56
• security-control on page 205

security-control

Supported Platforms EX Series, M Series, MX Series, SRX Series, T Series, vSRX

Can view and configure security information at the [edit security] hierarchy level.

Commands
clear security
clear security alarms
<clear-security-alarm-information>
clear security idp
clear security idp application-ddos
clear security idp application-ddos cache
<clear-idp-appddos-cache>
clear security idp application-identification
clear security idp application-identification application-system-cache
<clear-idp-application-system-cache>
clear security idp application-statistics
<clear-idp-applications-information>
clear security idp attack
clear security idp attack table
<clear-idp-attack-table>
clear security idp counters
<clear-idp-counters-by-counter-class>
clear security idp ssl-inspection
clear security idp ssl-inspection session-id-cache
<clear-idp-ssl-session-cache-information>
clear security idp status
<clear-idp-status-information>
clear security log
<clear-security-log-information>
clear security pki
clear security pki ca-certificate
<clear-pki-ca-certificate>
clear security pki certificate-request
<clear-pki-certificate-request>
clear security pki crl
<clear-pki-crl>
clear security pki key-pair
<clear-pki-key-pair>
clear security pki local-certificate
<clear-pki-local-certificate>
request security
request security certificate
request security certificate enroll
request security datapath-debug
request security datapath-debug action-profile
request security datapath-debug action-profile reload-all
request security idp
<request-idp-policy-load>
request security idp security-package
request security idp security-package download
<request-idp-security-package-download>
request security idp security-package download version
<request-idp-security-package-download-version>
request security idp security-package install
<request-idp-security-package-install>
request security idp security-package offline-download
<request-idp-security-package-offline-download>
request security idp ssl-inspection
request security idp ssl-inspection key
request security idp ssl-inspection key add
<request-idp-ssl-key-add>
request security idp ssl-inspection key delete
<request-idp-ssl-key-delete>
request security idp storage-cleanup
<request-idp-storage-cleanup>
request security key-pair
request security pki
request security pki ca-certificate
request security pki ca-certificate verify
<verify-pki-ca-certificate>
request security pki ca-certificate enroll
request security pki ca-certificate load
<load-pki-ca-certificate>
request security pki crl
request security pki crl load
<request security pki crl load>
request security pki generate-certificate-request
<generate-pki-certificate-request>
request security pki generate-key-pair
<generate-pki-key-pair>
request security pki local-certificate
request security pki local-certificate verify
<verify-pki-local-certificate>
request security pki local-certificate enroll
request security pki local-certificate generate-self-signed
<generate-pki-self-signed-local-certificate>
request security pki local-certificate load
<load-pki-local-certificate>
request system set-encryption-key
show security
show security alarms
<get-security-alarm-information>
show security idp
show security idp application-ddos
show security idp application-ddos application
<get-idp-addos-application-information>
show security idp application-identification
show security idp application-identification application-system-cache
<get-idp-application-system-cache>
show security idp application-statistics
<get-idp-applications-information>
show security idp attack
show security idp attack description
<get-idp-attack-description-information>
show security idp attack detail
<get-idp-attack-detail-information>
show security idp attack table
Chapter 4: Permissions Flags for User Access Privileges

<get-idp-attack-table-information>
show security idp counters
<get-idp-counter-information>
show security idp counters action
show security idp counters application-ddos
show security idp counters application-identification
show security idp counters dfa
show security idp counters flow
show security idp counters http-decoder
show security idp counters ips
show security idp counters log
show security idp counters memory
show security idp counters packet
show security idp counters packet-log
show security idp counters pdf-decoder
show security idp counters policy-manager
show security idp counters ssl-inspection
show security idp counters tcp-reassembler
show security idp logical-system
show security idp logical-system policy-association
show security idp memory
<get-idp-memory-information>
show security idp policies
<get-idp-subscriber-policy-list>
show security idp policy-templates-list
<get-idp-policy-template-information>
<get-idp-predefined-attack-groups>
<get-idp-predefined-attack-group-filters>
<get-idp-predefined-attacks>
<get-idp-predefined-attack-filters>
<get-idp-recent-security-package-information>
show security idp policy-commit-status
<get-idp-policy-commit-status>
<get-idp-recent-security-package-information>
show security idp security-package-version
<get-idp-security-package-information>
show security idp ssl-inspection
show security idp ssl-inspection key
<get-idp-ssl-key-information>
show security idp ssl-inspection session-id-cache
<get-idp-ssl-session-cache-information>
show security idp status
<get-idp-status-information>
show security idp status detail
<get-idp-detail-status-information>
show security keychain
<get-hakr-keychain-information>
show security log
<get-security-log-information>
show security pki
show security pki ca-certificate
<get-pki-ca-certificate>
show security pki certificate-request
<get-pki-certificate-request>
show security pki crl
<get-pki-crl>
show security pki local-certificate
<get-pki-local-certificate>

Configuration Hierarchy Levels
[edit security]
[edit security alarms]
[edit security log]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56
• security on page 198

shell

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can start a local shell on the router.

Commands
start shell
start shell user

Configuration Hierarchy Levels
No associated CLI configuration hierarchy levels and statements.

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

snmp

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can view Simple Network Management Protocol (SNMP) configuration.

Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>

Configuration Hierarchy Levels
[edit snmp]
[edit unified-edge]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

system

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can view system-level configuration information.

Commands
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
request chassis synchronization
request chassis synchronization force
request chassis synchronization force automatic-switching
request chassis synchronization force mark-failed
request chassis synchronization force unmark-failed
request chassis synchronization switch
request path-computation-client retry-delegation
<request-path-computation-retry-delegation>
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
request virtual-chassis
request virtual-chassis device-reachability
<get-virtual-chassis-diagnostic-information>
request virtual-chassis member-id
request virtual-chassis member-id delete
<delete-virtual-chassis-member-id>
request virtual-chassis member-id set
<set-virtual-chassis-member-id>
request virtual-chassis mode
request virtual-chassis mode mixed
<request-virtual-chassis-mode-mixed>
request virtual-chassis reactivate
<request-virtual-chassis-reactivate>
request virtual-chassis recycle
<request-virtual-chassis-recycle>
request virtual-chassis renumber
<request-virtual-chassis-renumber>
request virtual-chassis routing-engine
request virtual-chassis routing-engine master
request virtual-chassis routing-engine master switch
<switch-vc-routing-engine-protocol-master>
request virtual-chassis vc-port
request virtual-chassis vc-port delete
request virtual-chassis vc-port delete fpc-slot
<request-virtual-chassis-vc-port-delete-fpc-slot>
request virtual-chassis vc-port delete pic-slot
<request-virtual-chassis-vc-port-delete-pic-slot>
request virtual-chassis vc-port set
request virtual-chassis vc-port set fpc-slot
<request-virtual-chassis-vc-port-set-fpc-slot>
request virtual-chassis vc-port set interface
<request-virtual-chassis-vc-port-set-interface>
request virtual-chassis vc-port set pic-slot
<request-virtual-chassis-vc-port-set-pic-slot>
<set-virtual-chassis-mode>

Configuration Hierarchy Levels
[edit applications]
[edit chassis network-slices]
[edit chassis system-domains]
[edit dynamic-profiles routing-instances instance forwarding-options helpers tftp]
[edit dynamic-profiles routing-instances instance routing-options fate-sharing]
[edit ethernet-switching-options]
[edit fabric virtual-chassis]
[edit forwarding-options helpers bootp]
[edit forwarding-options helpers domain]
[edit forwarding-options helpers port]
[edit forwarding-options helpers tftp]
[edit logical-systems]
[edit logical-systems protocols uplink-failure-detection]
[edit logical-systems routing-instances instance forwarding-options helpers bootp]
[edit logical-systems routing-instances instance forwarding-options helpers domain]
[edit logical-systems routing-instances instance forwarding-options helpers port]
[edit logical-systems routing-instances instance forwarding-options helpers tftp]
[edit logical-systems routing-instances instance routing-options fate-sharing]
[edit logical-systems routing-options fate-sharing]
[edit logical-systems system]
[edit logical-systems system syslog]
[edit poe]
[edit protocols uplink-failure-detection]
[edit routing-instances instance forwarding-options helpers bootp]
[edit routing-instances instance forwarding-options helpers domain]
[edit routing-instances instance forwarding-options helpers port]
[edit routing-instances instance forwarding-options helpers tftp]
[edit routing-instances instance routing-options fate-sharing]
[edit routing-options fate-sharing]
[edit services]
[edit services ggsn charging charging-log traceoptions]
[edit system]
[edit system archival]
[edit system backup-router]
[edit system boot loader authentication]
[edit system compress-configuration-files]
[edit system default-address-selection]
[edit system domain-name]
[edit system domain-search]
[edit system encrypt-configuration-files]
[edit system host-name]
[edit system inet6-backup-router]
[edit system internet-options gre-path-mtu-discovery]
[edit system internet-options ipip-path-mtu-discovery]
[edit system internet-options ipv6-path-mtu-discovery]
[edit system internet-options ipv6-path-mtu-discovery-timeout]
[edit system internet-options ipv6-reject-zero-hop-limit]
[edit system internet-options no-tcp-reset]
[edit system internet-options no-tcp-rfc1323]
[edit system internet-options no-tcp-rfc1323-paws]
[edit system internet-options path-mtu-discovery]
[edit system internet-options source-port upper-limit]
[edit system internet-options source-quench]
[edit system internet-options tcp-drop-synfin-set]
[edit system internet-options tcp-mss]
[edit system license]
[edit system max-configuration-rollbacks]
[edit system max-configurations-on-flash]
[edit system mirror-flash-on-disk]
[edit system no-debugger-on-alt-break]
[edit system no-redirects-ipv6]
[edit system name-server]
[edit system no-hidden-commands]
[edit system no-multicast-echo]
[edit system no-neighbor-learn]
[edit system no-redirects]
[edit system ports auxiliary log-out-on-disconnect]
[edit system ports auxiliary port-type]
[edit system ports auxiliary silent-with-modem]
[edit system ports console log-out-on-disconnect]
[edit system ports console port-type]
[edit system ports console silent-with-modem]
[edit system processes]
[edit system proxy]
[edit system saved-core-context]
[edit system saved-core-files]
[edit system services]
[edit system services web-management]
[edit system static-host-mapping]
[edit system syslog]
[edit system time-zone]
[edit unified-edge]
[edit virtual-chassis]
[edit virtual-chassis locality-bias]
[edit vlans]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56
• system-control on page 217

system-control

Supported Platforms EX Series, M Series, MX Series, SRX Series, T Series, vSRX

Can view system-level configuration information and configure it at the [edit system]
hierarchy level.

Configuration Hierarchy Levels
[edit applications]
[edit chassis system-domains]
[edit dynamic-profiles routing-instances instance forwarding-options helpers tftp]
[edit dynamic-profiles routing-instances instance routing-options fate-sharing]
[edit ethernet-switching-options]
[edit forwarding-options helpers bootp]
[edit forwarding-options helpers domain]
[edit forwarding-options helpers port]
[edit forwarding-options helpers tftp]
[edit logical-systems]
[edit logical-systems routing-instances instance forwarding-options helpers bootp]
[edit logical-systems routing-instances instance forwarding-options helpers domain]
[edit logical-systems routing-instances instance forwarding-options helpers port]
[edit logical-systems routing-instances instance forwarding-options helpers tftp]
[edit logical-systems routing-instances instance routing-options fate-sharing]
[edit logical-systems routing-options fate-sharing]
[edit logical-systems system]
[edit poe]
[edit routing-instances instance forwarding-options helpers bootp]
[edit routing-instances instance forwarding-options helpers domain]
[edit routing-instances instance forwarding-options helpers port]
[edit routing-instances instance forwarding-options helpers tftp]
[edit routing-instances instance routing-options fate-sharing]
[edit routing-options fate-sharing]
[edit services]
[edit services ggsn charging charging-log traceoptions]
[edit system]
[edit system archival]
[edit system backup-router]
[edit system compress-configuration-files]
[edit system default-address-selection]
[edit system dgasp-in]
[edit system dgasp-usb]
[edit system domain-name]
[edit system domain-search]
[edit system encrypt-configuration-files]
[edit system host-name]
[edit system inet6-backup-router]
[edit system internet-options gre-path-mtu-discovery]
[edit system internet-options ipip-path-mtu-discovery]
[edit system internet-options ipv6-path-mtu-discovery]
[edit system internet-options ipv6-path-mtu-discovery-timeout]
[edit system internet-options ipv6-reject-zero-hop-limit]
[edit system internet-options no-tcp-reset]
[edit system internet-options no-tcp-rfc1323]
[edit system internet-options no-tcp-rfc1323-paws]
[edit system internet-options path-mtu-discovery]
[edit system internet-options source-port upper-limit]
[edit system internet-options source-quench]
[edit system internet-options tcp-drop-synfin-set]
[edit system internet-options tcp-mss]
[edit system license]
[edit system max-configuration-rollbacks]
[edit system max-configurations-on-flash]
[edit system mirror-flash-on-disk]
[edit system name-server]
[edit system no-multicast-echo]
[edit system no-neighbor-learn]
[edit system no-redirects]
[edit system ports auxiliary log-out-on-disconnect]
[edit system ports auxiliary port-type]
[edit system ports console log-out-on-disconnect]
[edit system ports console port-type]
[edit system processes]
[edit system saved-core-context]
[edit system saved-core-files]
[edit system services]
[edit system services web-management]
[edit system static-host-mapping]
[edit system syslog]
[edit system time-zone]
[edit virtual-chassis]
[edit vlans]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56
• system on page 212

trace

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can view trace file settings and configure trace file properties.

Commands
clear log
<clear-log>
clear log satellite
<clear-log-satellite>
clear unified-edge
clear unified-edge ggsn-pgw
clear unified-edge ggsn-pgw aaa
clear unified-edge ggsn-pgw aaa radius
clear unified-edge ggsn-pgw aaa radius statistics
<clear-mobile-gateway-aaa-radius-statistics>
clear unified-edge ggsn-pgw aaa statistics
<clear-mobile-gateway-aaa-statistics>
clear unified-edge ggsn-pgw address-assignment
clear unified-edge ggsn-pgw address-assignment pool
<clear-mobile-gateway-sm-ippool-pool-sessions>
clear unified-edge ggsn-pgw address-assignment statistics
<clear-mobile-gateway-sm-ippool-statistics>
clear unified-edge ggsn-pgw call-admission-control
clear unified-edge ggsn-pgw call-admission-control statistics
<clear-mobile-gateway-cac-statistics>
clear unified-edge ggsn-pgw charging
clear unified-edge ggsn-pgw charging cdr
<clear-mobile-gateway-charging-clear-cdr>
clear unified-edge ggsn-pgw charging cdr wfa
<clear-mobile-gateway-charging-clear-cdr-wfa>
clear unified-edge ggsn-pgw charging local-persistent-storage
clear unified-edge ggsn-pgw charging local-persistent-storage statistics
<clear-mobile-gateway-charging-clear-lps-stats>
clear unified-edge ggsn-pgw charging path
clear unified-edge ggsn-pgw charging path statistics
<clear-mobile-gateway-charging-clear-path-stats>
clear unified-edge ggsn-pgw charging transfer
clear unified-edge ggsn-pgw charging transfer statistics
<clear-mobile-gateway-charging-clear-xfer-stats>
clear unified-edge ggsn-pgw diameter
clear unified-edge ggsn-pgw diameter dcca-gy
clear unified-edge ggsn-pgw diameter dcca-gy statistics
<clear-mobile-gateway-aaa-diam-stats-gy>
clear unified-edge ggsn-pgw diameter network-element
clear unified-edge ggsn-pgw diameter network-element statistics
<clear-mobile-gateway-aaa-diam-ne-statistics>
clear unified-edge ggsn-pgw diameter pcc-gx
clear unified-edge ggsn-pgw diameter pcc-gx statistics
<clear-mobile-gateway-aaa-diam-stats-gx>
clear unified-edge ggsn-pgw diameter peer
clear unified-edge ggsn-pgw diameter peer statistics
<clear-mobile-gateway-aaa-diam-peer-statistics>
clear unified-edge ggsn-pgw gtp
clear unified-edge ggsn-pgw gtp peer
clear unified-edge ggsn-pgw gtp peer statistics
<clear-mobile-gateway-gtp-peer-statistics>
clear unified-edge ggsn-pgw gtp statistics
<clear-mobile-gateway-gtp-statistics>
clear unified-edge ggsn-pgw ip-reassembly
clear unified-edge ggsn-pgw ip-reassembly statistics
<clear-mobile-gateways-ip-reassembly-statistics>
clear unified-edge ggsn-pgw statistics
<clear-mobile-gateway-statistics>
clear unified-edge ggsn-pgw subscribers
<clear-mobile-gateway-subscribers>
clear unified-edge ggsn-pgw subscribers bearer
clear unified-edge ggsn-pgw subscribers charging
<clear-mobile-gateway-subscribers-charging>
clear unified-edge ggsn-pgw subscribers peer
<clear-mobile-gateway-subscribers-peer>
clear unified-edge sgw
clear unified-edge sgw call-admission-control
clear unified-edge sgw call-admission-control statistics
<clear-mobile-sgw-cac-statistics>
clear unified-edge sgw charging
clear unified-edge sgw charging cdr
<clear-mobile-gateway-sgw-charging-clear-cdr>
clear unified-edge sgw charging cdr wfa
<clear-mobile-gateway-sgw-charging-clear-cdr-wfa>
clear unified-edge sgw charging local-persistent-storage
clear unified-edge sgw charging local-persistent-storage statistics
<clear-mobile-gateway-sgw-charging-clear-lps-stats>
clear unified-edge sgw charging path
clear unified-edge sgw charging path statistics
<clear-mobile-gateway-sgw-charging-clear-path-stats>
clear unified-edge sgw charging transfer
clear unified-edge sgw charging transfer statistics
<clear-mobile-gateway-sgw-charging-clear-xfer-stats>
clear unified-edge sgw gtp
clear unified-edge sgw gtp peer
clear unified-edge sgw gtp peer statistics
<clear-mobile-sgw-gtp-peer-statistics>
clear unified-edge sgw gtp statistics
<clear-mobile-sgw-gtp-statistics>
clear unified-edge sgw idle-mode-buffering
clear unified-edge sgw idle-mode-buffering statistics
<clear-mobile-gw-sgw-idle-mode-buffering-statistics>
clear unified-edge sgw ip-reassembly
clear unified-edge sgw ip-reassembly statistics
<clear-mobile-gateways-sgw-ip-reassembly-statistics-sgw>
clear unified-edge sgw statistics
<clear-mobile-sgw-statistics>
clear unified-edge sgw subscribers
<clear-mobile-sgw-subscribers>
clear unified-edge sgw subscribers charging
<clear-mobile-sgw-subscribers-charging>
clear unified-edge sgw subscribers peer
<clear-mobile-sgw-subscribers-peer>
clear unified-edge tdf
clear unified-edge tdf aaa
clear unified-edge tdf aaa radius
clear unified-edge tdf aaa radius client
clear unified-edge tdf aaa radius client statistics
<clear-radius-client-statistics>
clear unified-edge tdf aaa radius network-element
clear unified-edge tdf aaa radius network-element statistics
<clear-radius-network-element-statistics>
clear unified-edge tdf aaa radius server
clear unified-edge tdf aaa radius server statistics
<clear-radius-server-statistics>
clear unified-edge tdf aaa radius snoop-segment
clear unified-edge tdf aaa radius snoop-segment statistics
<clear-radius-snoop-segment-statistics>
clear unified-edge tdf aaa statistics
<clear-tdf-gateway-aaa-statistics>
clear unified-edge tdf address-assignment
clear unified-edge tdf address-assignment pool
<clear-mobile-gateway-tdf-sm-ippool-pool-sessions>
clear unified-edge tdf address-assignment statistics
<clear-mobile-gateway-tdf-sm-ippool-statistics>
clear unified-edge tdf call-admission-control
clear unified-edge tdf call-admission-control statistics
<clear-tdf-cac-statistics>
clear unified-edge tdf diameter
clear unified-edge tdf diameter network-element
clear unified-edge tdf diameter network-element statistics
<clear-diameter-network-element-statistics>
clear unified-edge tdf diameter pcc-gx
clear unified-edge tdf diameter pcc-gx statistics
<clear-diameter-statistics-gx>
clear unified-edge tdf diameter peer
clear unified-edge tdf diameter peer statistics
<clear-diameter-peer-statistics>
clear unified-edge tdf statistics
<clear-tdf-statistics>
clear unified-edge tdf subscribers
<clear-mobile-tdf-subscribers>
clear unified-edge tdf subscribers peer
<clear-mobile-gateway-tdf-subscribers-peer>
monitor
request-monitor-ethernet-delay-measurement
<request-monitor-ethernet-loss-measurement>
monitor interface
monitor interface traffic
monitor label-switched-path
monitor list
monitor start
monitor static-lsp
monitor stop
request unified-edge
request unified-edge ggsn-pgw
request unified-edge ggsn-pgw call-trace
<monitor-mobile-gateways-call-trace-start>
request unified-edge ggsn-pgw call-trace clear
<get-mobile-gateways-call-trace-clear>
request unified-edge ggsn-pgw call-trace show
<get-mobile-gateways-call-trace-information>
request unified-edge ggsn-pgw call-trace start
<get-mobile-gateways-call-trace-start-information>
request unified-edge ggsn-pgw call-trace stop
<get-mobile-gateways-call-trace-stop-information>
request unified-edge sgw
request unified-edge sgw call-trace
request unified-edge sgw call-trace clear
<get-mobile-gateways-sgw-call-trace-clear>
request unified-edge sgw call-trace show
<get-mobile-gateways-sgw-call-trace-information>
request unified-edge sgw call-trace start
<get-mobile-gateways-sgw-call-trace-start-information>
request unified-edge sgw call-trace stop
<get-mobile-gateways-sgw-call-trace-stop-information>
request unified-edge tdf
request unified-edge tdf call-trace
request unified-edge tdf call-trace clear
<get-mobile-gateways-tdf-call-trace-clear>
request unified-edge tdf call-trace show
<get-mobile-gateways-tdf-call-trace-information>
request unified-edge tdf call-trace start
<get-mobile-gateways-tdf-call-trace-start-information>
request unified-edge tdf call-trace stop
<get-mobile-gateways-tdf-call-trace-stop-information>
show log
<get-log>
show log user
<get-syslog-events>

Configuration Hierarchy Levels
[edit unified-edge]
[edit vlans domain multicast-snooping-options traceoptions]
[edit vlans domain protocols igmp-snooping]
[edit vlans domain forwarding-options dhcp-relay traceoptions]
[edit vlans domain protocols igmp-snooping traceoptions]
[edit vlans domain forwarding-options dhcp-relay interface-traceoptions]
[edit class-of-service application-traffic-control traceoptions]
[edit demux traceoptions]
[edit dynamic-profiles protocols igmp traceoptions]
[edit dynamic-profiles protocols mld traceoptions]
[edit dynamic-profiles class-of-service application-traffic-control
traceoptions]
[edit dynamic-profiles protocols oam ethernet link-fault-management
traceoptions]
[edit dynamic-profiles protocols oam ethernet lmi]
[edit dynamic-profiles protocols router-advertisement traceoptions]
[edit dynamic-profiles protocols oam gre-tunnel traceoptions]
[edit dynamic-profiles routing-instances instance vlans domain
forwarding-options dhcp-relay traceoptions]
[edit dynamic-profiles routing-instances instance vlans domain
multicast-snooping-options traceoptions]
[edit dynamic-profiles routing-instances instance vlans domain protocols
igmp-snooping traceoptions]
[edit dynamic-profiles routing-instances instance forwarding-options dhcp-relay
traceoptions]
[edit dynamic-profiles routing-instances instance multicast-snooping-options
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp group neighbor
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp group
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp traceoptions]
[edit dynamic-profiles routing-instances instance protocols esis traceoptions]
[edit dynamic-profiles routing-instances instance protocols igmp-snooping
traceoptions]
[edit dynamic-profiles routing-instances instance protocols isis traceoptions]
[edit dynamic-profiles routing-instances instance protocols l2vpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ldp traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group peer
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp peer
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp traceoptions]
[edit dynamic-profiles routing-instances instance protocols mvpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ospf traceoptions]
[edit dynamic-profiles routing-instances instance protocols pim traceoptions]
[edit dynamic-profiles routing-instances instance protocols rip traceoptions]
[edit dynamic-profiles routing-instances instance protocols ripng traceoptions]
[edit dynamic-profiles routing-instances instance protocols router-discovery
traceoptions]
[edit dynamic-profiles routing-instances instance protocols vpls traceoptions]
[edit dynamic-profiles routing-instances instance routing-options multicast
traceoptions]
[edit dynamic-profiles routing-instances instance routing-options traceoptions]
[edit dynamic-profiles routing-instances instance services mobile-ip
traceoptions]
[edit dynamic-profiles routing-instances instance system services
dhcp-local-server traceoptions]
[edit dynamic-profiles routing-options multicast traceoptions]
[edit fabric protocols bgp group neighbor traceoptions]
[edit fabric protocols bgp group traceoptions]
[edit fabric protocols bgp traceoptions]
[edit fabric routing-instances instance routing-options traceoptions]
[edit fabric routing-options traceoptions]
[edit jnx-example traceoptions]
[edit logical-systems vlans domain forwarding-options dhcp-relay traceoptions]
[edit logical-systems vlans domain forwarding-options dhcp-relay
interface-traceoptions]
[edit logical-systems vlans domain multicast-snooping-options traceoptions]
[edit logical-systems vlans domain protocols igmp-snooping traceoptions]
[edit logical-systems forwarding-options dhcp-relay traceoptions]
[edit logical-systems protocols ancp traceoptions]
[edit logical-systems protocols bgp group neighbor traceoptions]
[edit logical-systems protocols bgp group traceoptions]
[edit logical-systems protocols bgp traceoptions]
[edit logical-systems protocols dot1x traceoptions]
[edit logical-systems protocols dvmrp traceoptions]
[edit logical-systems protocols esis traceoptions]
[edit logical-systems protocols igmp traceoptions]
[edit logical-systems protocols igmp-host traceoptions]
[edit logical-systems protocols ilmi traceoptions]
[edit logical-systems protocols isis traceoptions]
[edit logical-systems protocols l2circuit traceoptions]
[edit logical-systems protocols l2iw traceoptions]
[edit logical-systems protocols lacp traceoptions]
[edit logical-systems protocols layer2-control traceoptions]
[edit logical-systems protocols ldp traceoptions]
[edit logical-systems protocols mld traceoptions]
[edit dynamic-profiles protocols oam ethernet fnp traceoptions]
[edit logical-systems protocols mld-host traceoptions]
[edit logical-systems protocols mpls label-switched-path oam traceoptions]
[edit logical-systems protocols mpls label-switched-path primary oam
traceoptions]
[edit logical-systems protocols mpls label-switched-path secondary oam
traceoptions]
[edit logical-systems protocols mpls oam traceoptions]
[edit logical-systems protocols msdp group peer traceoptions]
[edit logical-systems protocols msdp group traceoptions]
[edit logical-systems protocols msdp peer traceoptions]
[edit logical-systems protocols msdp traceoptions]
[edit logical-systems protocols neighbor-discovery secure traceoptions]
[edit logical-systems protocols oam ethernet fnp traceoptions]
[edit logical-systems protocols oam ethernet link-fault-management traceoptions]
[edit logical-systems protocols oam ethernet lmi traceoptions]
[edit logical-systems protocols ospf traceoptions]
[edit logical-systems protocols pim traceoptions]
[edit logical-systems protocols ppp monitor-session]
[edit logical-systems protocols ppp traceoptions]
[edit logical-systems protocols ppp-service traceoptions]
[edit logical-systems protocols pppoe traceoptions]
[edit logical-systems protocols rip traceoptions]
[edit logical-systems protocols ripng traceoptions]
[edit logical-systems protocols router-advertisement traceoptions]
[edit logical-systems protocols router-discovery traceoptions]
[edit logical-systems protocols rsvp lsp-set traceoptions]
[edit logical-systems protocols rsvp traceoptions]
[edit logical-systems routing-instances instance vlans domain
multicast-snooping-options traceoptions]
[edit logical-systems routing-instances instance vlans domain protocols
igmp-snooping traceoptions]
[edit logical-systems routing-instances instance forwarding-options dhcp-relay
traceoptions]
[edit logical-systems routing-instances instance multicast-snooping-options
traceoptions]
[edit logical-systems routing-instances instance protocols bgp group neighbor
traceoptions]
[edit logical-systems routing-instances instance protocols bgp group
traceoptions]
[edit logical-systems routing-instances instance protocols bgp traceoptions]
[edit logical-systems routing-instances instance protocols esis traceoptions]
[edit logical-systems routing-instances instance protocols igmp-snooping
traceoptions]
[edit logical-systems routing-instances instance protocols isis traceoptions]
[edit logical-systems routing-instances instance protocols l2vpn traceoptions]
[edit logical-systems routing-instances instance protocols ldp traceoptions]
[edit logical-systems routing-instances instance protocols msdp group peer
traceoptions]
[edit logical-systems routing-instances instance protocols msdp group
traceoptions]
[edit logical-systems routing-instances instance protocols msdp peer
traceoptions]
[edit logical-systems routing-instances instance protocols msdp traceoptions]
[edit logical-systems routing-instances instance protocols mvpn traceoptions]
[edit logical-systems routing-instances instance protocols ospf traceoptions]
[edit logical-systems routing-instances instance protocols pim traceoptions]
[edit logical-systems routing-instances instance protocols rip traceoptions]
[edit logical-systems routing-instances instance protocols ripng traceoptions]
[edit logical-systems routing-instances instance protocols router-discovery
traceoptions]
[edit logical-systems routing-instances instance protocols vpls traceoptions]
[edit logical-systems routing-instances instance routing-options multicast
traceoptions]
[edit logical-systems routing-instances instance routing-options traceoptions]
[edit logical-systems routing-instances instance services mobile-ip
traceoptions]
[edit logical-systems routing-instances instance system services
dhcp-local-server traceoptions]
[edit logical-systems routing-instances instance system services
dhcp-local-server interface-traceoptions]
[edit logical-systems routing-options multicast traceoptions]
[edit logical-systems routing-options traceoptions]
[edit logical-systems services mobile-ip traceoptions]
[edit logical-systems system services dhcp-local-server traceoptions]
[edit logical-systems system services dhcp-local-server interface-traceoptions]
[edit multicast-snooping-options traceoptions]
[edit protocols ancp traceoptions]
[edit protocols bgp group neighbor traceoptions]
[edit protocols bgp group traceoptions]
[edit protocols bgp traceoptions]
[edit protocols dot1x traceoptions]
[edit protocols dvmrp traceoptions]
[edit protocols esis traceoptions]
[edit protocols igmp traceoptions]
[edit protocols igmp-host traceoptions]
[edit protocols ilmi traceoptions]
[edit protocols isis traceoptions]
[edit protocols l2circuit traceoptions]
[edit protocols l2iw traceoptions]
[edit protocols lacp traceoptions]
[edit protocols layer2-control traceoptions]
[edit protocols ldp traceoptions]
[edit protocols mld traceoptions]
[edit protocols mld-host traceoptions]
[edit protocols mpls label-switched-path oam traceoptions]
[edit protocols mpls label-switched-path primary oam traceoptions]
[edit protocols mpls label-switched-path secondary oam traceoptions]
[edit protocols mpls oam traceoptions]
[edit protocols msdp group peer traceoptions]
[edit protocols msdp group traceoptions]
[edit protocols msdp peer traceoptions]
[edit protocols msdp traceoptions]
[edit protocols neighbor-discovery secure traceoptions]
[edit protocols oam ethernet fnp]
[edit protocols oam ethernet connectivity-fault-management traceoptions]
[edit protocols oam ethernet link-fault-management traceoptions]
[edit protocols oam ethernet lmi traceoptions]
[edit protocols ospf traceoptions]
[edit protocols pim traceoptions]
[edit protocols ppp monitor-session]
[edit protocols ppp traceoptions]
[edit protocols ppp-service traceoptions]
[edit protocols pppoe traceoptions]
[edit protocols rip traceoptions]
[edit protocols ripng traceoptions]
[edit protocols router-advertisement traceoptions]
[edit protocols router-discovery traceoptions]
[edit protocols rsvp lsp-set traceoptions]
[edit protocols rsvp traceoptions]
[edit routing-instances instance vlans domain multicast-snooping-options
traceoptions]
[edit routing-instances instance vlans domain protocols igmp-snooping
traceoptions]
[edit routing-instances instance multicast-snooping-options traceoptions]
[edit routing-instances instance protocols bgp group neighbor traceoptions]
[edit routing-instances instance protocols bgp group traceoptions]
[edit routing-instances instance protocols bgp traceoptions]
[edit routing-instances instance protocols esis traceoptions]
[edit routing-instances instance protocols igmp-snooping traceoptions]
[edit routing-instances instance protocols isis traceoptions]
[edit routing-instances instance protocols l2vpn traceoptions]
[edit routing-instances instance protocols ldp traceoptions]
[edit routing-instances instance protocols msdp group peer traceoptions]
[edit routing-instances instance protocols msdp group traceoptions]
[edit routing-instances instance protocols msdp peer traceoptions]
[edit routing-instances instance protocols msdp traceoptions]
[edit routing-instances instance protocols mvpn traceoptions]
[edit routing-instances instance protocols ospf traceoptions]
[edit routing-instances instance protocols pim traceoptions]
[edit routing-instances instance protocols rip traceoptions]
[edit routing-instances instance protocols ripng traceoptions]
[edit routing-instances instance protocols router-discovery traceoptions]
[edit routing-instances instance protocols vpls traceoptions]
[edit routing-instances instance routing-options multicast traceoptions]
[edit routing-instances instance routing-options traceoptions]
[edit routing-options multicast traceoptions]
[edit routing-options traceoptions]
[edit security idp traceoptions]
[edit security pki traceoptions]
[edit services adaptive-services-pics traceoptions]
[edit services captive-portal-content-delivery]
[edit services l2tp traceoptions]
[edit services server-load-balance traceoptions]
[edit services logging traceoptions]
[edit services mobile-ip traceoptions]
[edit services ssl traceoptions]
[edit system accounting traceoptions]
[edit system auto-configuration traceoptions]
[edit system ddos-protection traceoptions]
[edit system license traceoptions]
[edit system processes app-engine-virtual-machine-management-service
traceoptions]
[edit system processes datapath-trace-service traceoptions]
[edit system processes dhcp-service interface-traceoptions]
[edit system processes dhcp-service traceoptions]
[edit system processes diameter-service traceoptions]
[edit system processes general-authentication-service traceoptions]
[edit system processes mac-validation traceoptions]
[edit system processes mag-service traceoptions]
[edit system processes process-monitor traceoptions]
[edit system processes resource-cleanup traceoptions]
[edit system processes sdk-service traceoptions]
[edit system processes static-subscribers traceoptions]
[edit system services database-replication traceoptions]
[edit system services dhcp traceoptions]
[edit system services local-policy-decision-function traceoptions]
[edit system services outbound-ssh traceoptions]
[edit system services service-deployment traceoptions]
[edit system services subscriber-management traceoptions]
[edit system services subscriber-management-helper traceoptions]
[edit system services web-management traceoptions]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56
• trace-control on page 227
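The trace flag above and the trace-control flag that follows differ only in view versus modify rights over the same traceoptions hierarchies, and the command list under trace shows that the flag also carries every clear log and clear unified-edge command. The login-class configuration below is added here as an illustration and is not taken from the Juniper guide: a read-only tracing class that withholds the clear commands, and an operator class that can modify traceoptions. The class and user names (trace-reader, trace-admin, noc-auditor, noc-oncall) are assumed names chosen for the example; the permission flags, commands and hierarchy levels are the ones listed on this page.

```junos
# Added example: login classes built around the trace and trace-control
# permission flags. Class and user names are assumptions for illustration.

# Read-only tracing. "view" is required for show commands in general;
# "trace" adds the commands listed under the trace flag (show log,
# monitor start/stop, clear log, clear unified-edge ...) and exposes the
# traceoptions hierarchies listed under that flag in the configuration.
set system login class trace-reader idle-timeout 15
set system login class trace-reader permissions [ view trace ]
# "trace" alone would let this class delete log and trace files with
# "clear log", which an auditor must not be able to do. Withhold those
# commands explicitly; deny-commands takes an extended regular expression
# that is matched against the operational command.
set system login class trace-reader deny-commands "^clear (log|unified-edge)"
set system login user noc-auditor class trace-reader
set system login user noc-auditor authentication plain-text-password

# Tracing operator. "trace-control" allows modifying the traceoptions
# statements at the hierarchy levels listed under that flag, for example
# [edit protocols bgp traceoptions]; "configure" is still needed to enter
# configuration mode, and statements outside the hierarchies granted by
# the class's flags stay out of reach.
set system login class trace-admin idle-timeout 15
set system login class trace-admin permissions [ view configure trace trace-control ]
set system login user noc-oncall class trace-admin
set system login user noc-oncall authentication plain-text-password

# Check the result from a session as each user with:
#   show cli authorization
# which lists the permission flags in effect and any denied commands.
```

deny-commands is used for the auditor class rather than a narrower flag because no permission flag on this page separates reading trace files from clearing them; the regular expression is the only way to keep show log and monitor while removing clear log.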

trace-control

Supported Platforms EX Series, M Series, MX Series, SRX Series, T Series, vSRX

Can modify trace file settings and configure trace file properties.

Configuration Hierarchy Levels
[edit vlans domain forwarding-options dhcp-relay interface-traceoptions]
[edit vlans domain forwarding-options dhcp-relay traceoptions]
[edit vlans domain multicast-snooping-options traceoptions]
[edit vlans domain protocols igmp-snooping traceoptions]
[edit demux traceoptions]
[edit dynamic-profiles protocols igmp traceoptions]
[edit dynamic-profiles protocols mld traceoptions]
[edit dynamic-profiles protocols oam ethernet link-fault-management
traceoptions]
[edit dynamic-profiles protocols oam ethernet lmi]
[edit dynamic-profiles protocols router-advertisement traceoptions]
[edit dynamic-profiles protocols oam gre-tunnel traceoptions]
[edit dynamic-profiles routing-instances instance vlans domain
forwarding-options dhcp-relay traceoptions]
[edit dynamic-profiles routing-instances instance vlans domain
multicast-snooping-options traceoptions]
[edit dynamic-profiles routing-instances instance vlans domain protocols
igmp-snooping traceoptions]
[edit dynamic-profiles routing-instances instance forwarding-options dhcp-relay
traceoptions]
[edit dynamic-profiles routing-instances instance multicast-snooping-options
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp group neighbor
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp group
traceoptions]
[edit dynamic-profiles routing-instances instance protocols bgp traceoptions]
[edit dynamic-profiles routing-instances instance protocols esis traceoptions]
[edit dynamic-profiles routing-instances instance protocols igmp-snooping
traceoptions]
[edit dynamic-profiles routing-instances instance protocols isis traceoptions]
[edit dynamic-profiles routing-instances instance protocols l2vpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ldp traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group peer
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp group
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp peer
traceoptions]
[edit dynamic-profiles routing-instances instance protocols msdp traceoptions]
[edit dynamic-profiles routing-instances instance protocols mvpn traceoptions]
[edit dynamic-profiles routing-instances instance protocols ospf traceoptions]
[edit dynamic-profiles routing-instances instance protocols pim traceoptions]
[edit dynamic-profiles routing-instances instance protocols rip traceoptions]
[edit dynamic-profiles routing-instances instance protocols ripng traceoptions]
[edit dynamic-profiles routing-instances instance protocols router-discovery
traceoptions]
[edit dynamic-profiles routing-instances instance protocols vpls traceoptions]
[edit dynamic-profiles routing-instances instance routing-options multicast
traceoptions]
[edit dynamic-profiles routing-instances instance routing-options traceoptions]
[edit dynamic-profiles routing-instances instance services mobile-ip
traceoptions]
[edit dynamic-profiles routing-instances instance system services
dhcp-local-server traceoptions]
[edit dynamic-profiles routing-options multicast traceoptions]
[edit fabric protocols bgp group neighbor traceoptions]
[edit fabric protocols bgp group traceoptions]
[edit fabric protocols bgp traceoptions]
[edit fabric routing-instances instance routing-options traceoptions]
[edit fabric routing-options traceoptions]
[edit forwarding-options dhcp-relay interface-traceoptions]
[edit forwarding-options dhcp-relay traceoptions]
[edit jnx-example traceoptions]
[edit logical-systems vlans domain forwarding-options dhcp-relay
interface-traceoptions]
[edit logical-systems vlans domain forwarding-options dhcp-relay traceoptions]
[edit logical-systems vlans domain multicast-snooping-options traceoptions]
[edit logical-systems vlans domain protocols igmp-snooping traceoptions]
[edit logical-systems forwarding-options dhcp-relay traceoptions]
[edit logical-systems protocols ancp traceoptions]
[edit logical-systems protocols bgp group neighbor traceoptions]
[edit logical-systems protocols bgp group traceoptions]
[edit logical-systems protocols bgp traceoptions]
[edit logical-systems protocols dot1x traceoptions]
[edit logical-systems protocols dvmrp traceoptions]
[edit logical-systems protocols esis traceoptions]
[edit logical-systems protocols igmp traceoptions]
[edit logical-systems protocols igmp-host traceoptions]
[edit logical-systems protocols ilmi traceoptions]
[edit logical-systems protocols isis traceoptions]
[edit logical-systems protocols l2circuit traceoptions]
[edit logical-systems protocols l2iw traceoptions]
[edit logical-systems protocols lacp traceoptions]
[edit logical-systems protocols layer2-control traceoptions]
[edit logical-systems protocols ldp traceoptions]
[edit logical-systems protocols mld traceoptions]
[edit logical-systems protocols mld-host traceoptions]
[edit logical-systems protocols mpls label-switched-path oam traceoptions]
[edit logical-systems protocols mpls label-switched-path primary oam
traceoptions]
[edit logical-systems protocols mpls label-switched-path secondary oam
traceoptions]
[edit logical-systems protocols mpls oam traceoptions]
[edit logical-systems protocols msdp group peer traceoptions]
[edit logical-systems protocols msdp group traceoptions]
[edit logical-systems protocols msdp peer traceoptions]
[edit logical-systems protocols msdp traceoptions]
[edit logical-systems protocols neighbor-discovery secure traceoptions]
[edit logical-systems protocols oam ethernet link-fault-management traceoptions]
[edit logical-systems protocols oam ethernet lmi traceoptions]
[edit logical-systems protocols ospf traceoptions]
[edit logical-systems protocols pim traceoptions]
[edit logical-systems protocols ppp monitor-session]
[edit logical-systems protocols ppp traceoptions]
[edit logical-systems protocols ppp-service traceoptions]
[edit logical-systems protocols pppoe traceoptions]
[edit logical-systems protocols rip traceoptions]
[edit logical-systems protocols ripng traceoptions]
[edit logical-systems protocols router-advertisement traceoptions]
[edit logical-systems protocols router-discovery traceoptions]
[edit logical-systems protocols rsvp traceoptions]
[edit logical-systems routing-instances instance vlans domain forwarding-options dhcp-relay interface-traceoptions]
[edit logical-systems routing-instances instance vlans domain forwarding-options dhcp-relay traceoptions]
[edit logical-systems routing-instances instance vlans domain multicast-snooping-options traceoptions]
[edit logical-systems routing-instances instance vlans domain protocols igmp-snooping traceoptions]
[edit logical-systems routing-instances instance forwarding-options dhcp-relay traceoptions]
[edit logical-systems routing-instances instance multicast-snooping-options traceoptions]
[edit logical-systems routing-instances instance protocols bgp group neighbor traceoptions]
[edit logical-systems routing-instances instance protocols bgp group traceoptions]
[edit logical-systems routing-instances instance protocols bgp traceoptions]
[edit logical-systems routing-instances instance protocols esis traceoptions]
[edit logical-systems routing-instances instance protocols igmp-snooping traceoptions]
[edit logical-systems routing-instances instance protocols isis traceoptions]
[edit logical-systems routing-instances instance protocols l2vpn traceoptions]
[edit logical-systems routing-instances instance protocols ldp traceoptions]
[edit logical-systems routing-instances instance protocols msdp group peer traceoptions]
[edit logical-systems routing-instances instance protocols msdp group traceoptions]
[edit logical-systems routing-instances instance protocols msdp peer traceoptions]
[edit logical-systems routing-instances instance protocols msdp traceoptions]
[edit logical-systems routing-instances instance protocols mvpn traceoptions]
[edit logical-systems routing-instances instance protocols ospf traceoptions]
[edit logical-systems routing-instances instance protocols pim traceoptions]
[edit logical-systems routing-instances instance protocols rip traceoptions]
[edit logical-systems routing-instances instance protocols ripng traceoptions]
[edit logical-systems routing-instances instance protocols router-discovery traceoptions]
[edit logical-systems routing-instances instance protocols vpls traceoptions]
[edit logical-systems routing-instances instance routing-options multicast traceoptions]
[edit logical-systems routing-instances instance routing-options traceoptions]
[edit logical-systems routing-instances instance services mobile-ip traceoptions]
[edit logical-systems routing-instances instance system services dhcp-local-server interface-traceoptions]
[edit logical-systems routing-instances instance system services dhcp-local-server traceoptions]
[edit logical-systems routing-options multicast traceoptions]
[edit logical-systems routing-options traceoptions]
[edit logical-systems services mobile-ip traceoptions]
[edit logical-systems system services dhcp-local-server interface-traceoptions]
[edit logical-systems system services dhcp-local-server traceoptions]
[edit multicast-snooping-options traceoptions]
[edit protocols ancp traceoptions]
[edit protocols bgp group neighbor traceoptions]
[edit protocols bgp group traceoptions]
[edit protocols bgp traceoptions]
[edit protocols dot1x traceoptions]
[edit protocols dvmrp traceoptions]
[edit protocols esis traceoptions]
[edit protocols igmp traceoptions]
[edit protocols igmp-host traceoptions]
[edit protocols ilmi traceoptions]
[edit protocols isis traceoptions]
[edit protocols l2circuit traceoptions]
[edit protocols l2iw traceoptions]
[edit protocols lacp traceoptions]
[edit protocols layer2-control traceoptions]
[edit protocols ldp traceoptions]
[edit protocols mld traceoptions]
[edit protocols mld-host traceoptions]
[edit protocols mpls label-switched-path oam traceoptions]
[edit protocols mpls label-switched-path primary oam traceoptions]
[edit protocols mpls label-switched-path secondary oam traceoptions]
[edit protocols mpls oam traceoptions]
[edit protocols msdp group peer traceoptions]
[edit protocols msdp group traceoptions]
[edit protocols msdp peer traceoptions]
[edit protocols msdp traceoptions]
[edit protocols neighbor-discovery secure traceoptions]
[edit protocols oam ethernet connectivity-fault-management traceoptions]
[edit protocols oam ethernet link-fault-management traceoptions]
[edit protocols oam ethernet lmi traceoptions]
[edit protocols ospf traceoptions]
[edit protocols pim traceoptions]
[edit protocols ppp monitor-session]
[edit protocols ppp traceoptions]
[edit protocols ppp-service traceoptions]
[edit protocols pppoe traceoptions]
[edit protocols rip traceoptions]
[edit protocols ripng traceoptions]
[edit protocols router-advertisement traceoptions]
[edit protocols router-discovery traceoptions]
[edit protocols rsvp traceoptions]
[edit routing-instances instance vlans domain forwarding-options dhcp-relay interface-traceoptions]
[edit routing-instances instance vlans domain forwarding-options dhcp-relay traceoptions]
[edit routing-instances instance vlans domain multicast-snooping-options traceoptions]
[edit routing-instances instance vlans domain protocols igmp-snooping traceoptions]
[edit routing-instances instance forwarding-options dhcp-relay traceoptions]
[edit routing-instances instance forwarding-options dhcp-relay interface-traceoptions]
[edit routing-instances instance multicast-snooping-options traceoptions]
[edit routing-instances instance protocols bgp group neighbor traceoptions]
[edit routing-instances instance protocols bgp group traceoptions]
[edit routing-instances instance protocols bgp traceoptions]
[edit routing-instances instance protocols esis traceoptions]
[edit routing-instances instance protocols igmp-snooping traceoptions]
[edit routing-instances instance protocols isis traceoptions]
[edit routing-instances instance protocols l2vpn traceoptions]
[edit routing-instances instance protocols ldp traceoptions]
[edit routing-instances instance protocols msdp group peer traceoptions]
[edit routing-instances instance protocols msdp group traceoptions]
[edit routing-instances instance protocols msdp peer traceoptions]
[edit routing-instances instance protocols msdp traceoptions]
[edit routing-instances instance protocols mvpn traceoptions]
[edit routing-instances instance protocols ospf traceoptions]
[edit routing-instances instance protocols pim traceoptions]
[edit routing-instances instance protocols rip traceoptions]
[edit routing-instances instance protocols ripng traceoptions]
[edit routing-instances instance protocols router-discovery traceoptions]
[edit routing-instances instance protocols vpls traceoptions]
[edit routing-instances instance routing-options multicast traceoptions]
[edit routing-instances instance routing-options traceoptions]
[edit routing-instances instance system services dhcp-local-server interface-traceoptions]
[edit routing-instances instance system services dhcp-local-server traceoptions]
[edit routing-options multicast traceoptions]
[edit routing-options traceoptions]
[edit security idp traceoptions]
[edit security pki traceoptions]
[edit services adaptive-services-pics traceoptions]
[edit services captive-portal-content-delivery]
[edit system ddos-protection traceoptions]
[edit services l2tp traceoptions]
[edit services logging traceoptions]
[edit services mobile-ip traceoptions]
[edit services server-load-balance traceoptions]
[edit services ssl traceoptions]
[edit system accounting traceoptions]
[edit system auto-configuration traceoptions]
[edit system license traceoptions]
[edit system processes datapath-trace-service traceoptions]
[edit system processes diameter-service traceoptions]
[edit system processes general-authentication-service traceoptions]
[edit system processes mac-validation traceoptions]
[edit system processes process-monitor traceoptions]
[edit system processes resource-cleanup traceoptions]
[edit system processes sdk-service traceoptions]
[edit system processes static-subscribers traceoptions]
[edit system services database-replication traceoptions]
[edit system services dhcp traceoptions]
[edit system services dhcp-local-server traceoptions]
[edit system services dhcp-local-server interface-traceoptions]
[edit system services local-policy-decision-function traceoptions]
[edit system services outbound-ssh traceoptions]
[edit system services service-deployment traceoptions]
[edit system services subscriber-management traceoptions]
[edit system services subscriber-management-helper traceoptions]
[edit unified-edge aaa traceoptions]
[edit unified-edge gateways tdf charging traceoptions]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56
• trace on page 219

view

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can view current system-wide, routing table, and protocol-specific values and statistics.

Commands
clear ipv6 router-advertisement
<clear-ipv6-router-advertisement-information>
clear l2circuit auto-sensing
<clear-l2ckt-pw-auto-sensing>
clear services redundancy-group
<clear-services-redundancy-group>
clear services redundancy-group statistics
<clear-services-redundancy-group-statistics>
<clear-services-redundancy-set>
clear services service-sets statistics ids
clear services service-sets statistics ids drops
<clear-service-set-ids-drops-statistics>
clear services traffic-load-balance
clear services traffic-load-balance statistics
<clear-service-traffic-load-balance-statistics>
<request-validation-policy>
show
show access-cac interface-set
<get-access-cac-iflset>
show access-security
show access-security router-advertisement-guard
show access-security router-advertisement-guard entries
<show-as-router-advetisement-entry>
show access-security router-advertisement-guard state
<show-as-ra-state>
show access-security router-advertisement-guard statistics
<get-as-router-advertisement-statistics>
show access-security router-advertisement-guard statistics interface
<get-as-router-advertisement-interface>
show accounting
show accounting profile
<get-accounting-profile-information>
show accounting records
<get-accounting-record-information>
show amt
show amt statistics
<get-amt-statistics>
show amt summary
<get-amt-summary>
show amt tunnel
<get-amt-tunnel-information>
show amt tunnel gateway-address
<get-amt-tunnel-gateway-address>
show amt tunnel tunnel-interface
<get-amt-tunnel-interface>
show analytics collector
<get-analytics-collector>
show ancp
show ancp cos
<get-ancp-cos-information>
show ancp cos last-update
<get-ancp-cos-last-update-information>
show ancp cos pending-update
<get-ancp-cos-pending-information>
show ancp neighbor
<get-ancp-neighbor-information>
show ancp statistics
<get-ancp-stats-information>
show ancp subscriber
<get-ancp-subscriber-information>
show ancp subscriber identifier
<get-ancp-subscriber-identifier-information>
show ancp subscriber ip-address
<get-ancp-subscriber-neighbor-information>
show ancp subscriber system-name
<get-ancp-subscriber-mac-information>
show ancp subscriber neighbor
show app-engine
show app-engine information
show app-engine packages
show app-engine packages remote
<get-virtual-machine-package-remote>
show app-engine packages system
<get-virtual-machine-package-system>
show app-engine processes
show app-engine resource-usage
show app-engine route-table
show app-engine routing-instance
show app-engine routing-instance compute-clusters
show app-engine routing-instance virtual-machines
show app-engine status
show app-engine virtual-machine package
<get-virtual-machine-package-information>
show application-monitor
<get-application-monitor-information>
show application-monitor probe
show application-monitor probe flows
<get-application-monitor-probe-flows-information>
show application-monitor probe measurements
<get-application-monitor-probe-measurements>
show application-monitor probe mirrors
<get-application-monitor-probe-mirrors>
show app-engine virtual-machine vm-instance
show aps
<get-aps-information>
show aps group
<get-aps-group-information>
show aps interface
<get-aps-interface-information>
show arp
<get-arp-table-information>
show as-path
<get-as-path>
show as-path domain
<get-as-path-domain>
show auto-configuration
show auto-configuration interfaces
show backup-selection
<get-backup-selection>
show backup-selection instance
<get-backup-selection-instance>
show bfd
show bfd session
<get-bfd-session-information>
show bfd session address
<get-bfd-session-address>
show bfd session client
<get-bfd-session-client>
show bfd session client rsvp-oam
<get-bfd-session-client-rsvp>
show bfd session client vpls-oam
<get-bfd-session-client-vpls>
show bfd session client vpls-oam instance
<get-bfd-session-client-vpls-instance>
show bfd session discriminator
<get-bfd-session-discriminator>
show bfd session prefix
<get-bfd-session-prefix>
show bfd subscriber
show bfd subscriber session
<get-bfd-subscriber-session>
show bgp
show bgp bmp
<get-bgp-monitoring-protocol-statistics>
show bgp group
<get-bgp-group-information>
show bgp group output-queues
<get-bgp-group-output-queue-information>
show bgp group rtf
<get-bgp-rtf-information>
show bgp group traffic-statistics
<get-bgp-traffic-statistics-information>
show bgp neighbor
<get-bgp-neighbor-information>
show bgp neighbor orf
<get-bgp-orf-information>
show bgp neighbor output-queue
<get-bgp-output-queue-information>
show bgp output-scheduler
show bgp replication
<get-bgp-replication-information>
show bgp summary
<get-bgp-summary-information>
show bridge
show bridge domain
<get-bridge-instance-information>
show bridge domain operational
<get-operational-bridge-instance-information>
show bridge domain satellite
<get-satellite-control-bridge-domain>
show bridge evpn
show bridge evpn arp-table
<get-bridge-evpn-arp-table>
show bridge evpn nd-table
<get-bridge-evpn-nd-table>
show bridge evpn peer-gateway-macs
<get-bridge-peer-gateway-mac>
show bridge flood
<get-bridge-flood-information>
show bridge flood event-queue
<get-bridge-domain-event-queue-information>
show bridge flood next-hops
show bridge flood next-hops satellite
<get-satellite-control-composite-next-hop>
show bridge flood route
show bridge flood route all-ce-flood
<get-show-bridge-domain-all-ce-flood-route-information>
show bridge flood route all-ve-flood
<get-show-bridge-domain-ve-flood-route-information>
show bridge flood route alt-root-flood
<get-bridge-domain-alt-root-flood-route-information>
show bridge flood route bd-flood
<get-bridge-domain-bd-flood-route-information>
show bridge flood route mlp-flood
<get-bridge-domain-mlp-flood-route-information>
show bridge flood route re-flood
<get-bridge-domain-re-flood-route-information>
show bridge flood satellite
<get-satellite-control-flood-ethernet>
show bridge interface
show bridge interface satellite
<get-satellite-control-bridge-interface>
show bridge mac-table
<get-bridge-mac-table>
show bridge mac-table interface
<get-bridge-interface-mac-table>
show bridge mac-table satellite
<get-satellite-control-bridge-mac-table>
show bridge satellite
show bridge satellite device
<get-satellite-device-db>
show bridge satellite events
<get-satellite-control-history-information>
show bridge satellite logging
<get-satellite-control-logging-information>
show bridge satellite summary
<get-satellite-control-bridge-summary>
show bridge statistics
<get-bridge-statistics-information>
show chassis
show chassis adc
show chassis alarms
<get-alarm-information>
show chassis alarms fpc
<get-fpc-alarm-information>
show chassis alarms satellite
<get-chassis-alarm-satellite-information>
show chassis beacon
<get-chassis-beacon-information>
show chassis beacon cb
<get-chassis-cb-beacon-information>
show chassis environment adc
show chassis environment ccg
<get-environment-ccg-information>
show chassis cfeb
<get-cfeb-information>
show chassis cip
show chassis craft-interface
<get-craft-information>
show chassis environment
<get-environment-information>
show chassis environment cb
<get-environment-cb-information>
show chassis environment cip
<get-environment-cip-information>
show chassis environment feb
<get-environment-feb-information>
show chassis environment fan
show chassis environment fpc
<get-environment-fpc-information>
show chassis environment fpc satellite
<get-chassis-environment-fpc-satellite-info>
show chassis environment fpm
<get-environment-fpm-information>
show chassis environment mcs
<get-environment-mcs-information>
show chassis environment pcg
<get-environment-pcg-information>
show chassis environment pdu
<get-environment-pdu-information>
show chassis environment pem
<get-environment-pem-information>
show chassis environment pem satellite
<get-chassis-environment-pem-satellite-info>
show chassis environment psm
show chassis environment psu
<get-environment-psu-information>
show chassis environment routing-engine
<get-environment-re-information>
show chassis environment routing-engine satellite
<get-chassis-environment-re-satellite-info>
show chassis environment satellite
<get-chassis-environment-satellite-information>
show chassis environment scg
<get-environment-scg-information>
show chassis environment service-node
<get-environment-service-node-information>
show chassis environment sfb
show chassis environment sfm
<get-environment-sfm-information>
show chassis environment sib
<get-environment-sib-information>
show chassis environment sib f13
show chassis environment sib f2s
show chassis ethernet-switch
show chassis ethernet-switch errors
show chassis ethernet-switch statistics
show chassis ethernet-switch temperature
show chassis fabric
show chassis fabric degraded-fabric-reachability
show chassis fabric device
<get-chassis-fabric-information-device>
show chassis fabric connectivity
<get-chassis-fabric-connectivity-information>
show chassis fabric degradation
<get-fm-degradation-information>
show chassis fabric degradation actions
<get-fm-degradation-information-details>
show chassis fabric destinations
<get-fm-fabric-destinations-state>
show chassis fabric errors
show chassis fabric errors autoheal
<get-fm-plane-autoheal-errors>
show chassis fabric errors fpc
<get-fm-fpc-errors>
show chassis fabric errors sib
<get-fm-sib-errors>
show chassis fabric errors sib f13
show chassis fabric errors sib f2s
show chassis fabric feb
show chassis fabric fpcs
<get-fm-fpc-state-information>
show chassis fabric links
<get-chassis-fabric-link-information>
show chassis fabric map
show chassis fabric plane
<get-fm-plane-state-information>
show chassis fabric plane-location
show chassis fabric reachability
<get-fm-fabric-reachability-information>
show chassis fabric sibs
<get-fm-sib-state-information>
show chassis fabric spray-weights
<get-chassis-fabric-spray-weight-information>
show chassis fabric spray-weights from
show chassis fabric spray-weights to
show chassis fabric summary
<get-fm-state-information>
show chassis fabric topology
<get-chassis-fabric-topology-information>
show chassis fabric unreachable-destinations
<get-fm-unreachable-dest-information>
show chassis fan
show chassis fan satellite
<get-chassis-fan-satellite-information>
show chassis feb
<get-feb-brief-information>
show chassis feb detail
<get-feb-information>
show chassis firmware
<get-firmware-information>
show chassis firmware detail
<get-firmware-information-detail>
show chassis firmware satellite
<get-chassis-firmware-satellite-information>
show chassis forwarding
<get-fwdd-information>
show chassis fpc
<get-fpc-information>
show chassis fpc errors
<get-fpc-error-information>
show chassis fpc optical-properties
<get-fpc-optical-information>
show chassis fpc optical-properties alarms
<get-fpc-optical-alarms-information>
show chassis fpc optical-properties amplifier-chain
show chassis fpc optical-properties amplifier-chain ila
<get-fpc-optical-amplifier-chain-information>
show chassis fpc optical-properties amplifier-chain ila alarms
<get-fpc-optical-ila-alarms-information>
show chassis fpc optical-properties amplifier-chain ila edfa
<get-fpc-optical-ila-edfa-information>
show chassis fpc optical-properties amplifier-chain ila osc
<get-fpc-optical-ila-osc-information>
show chassis fpc optical-properties amplifier-chain ila pm-current
<get-fpc-optical-ila-pm-current-information>
show chassis fpc optical-properties amplifier-chain ila pm-currentday
<get-fpc-optical-ila-pm-currentday-information>
show chassis fpc optical-properties amplifier-chain ila pm-interval
<get-fpc-optical-ila-pm-interval-information>
show chassis fpc optical-properties amplifier-chain ila pm-previousday
<get-fpc-optical-ila-pm-previousday-information>
show chassis fpc optical-properties amplifier-chain ila summary
<get-fpc-optical-ila-summary-information>
show chassis fpc optical-properties amplifier-chain ila voa
<get-fpc-optical-ila-voa-information>
show chassis fpc optical-properties amplifier-topology
<get-fpc-optical-amplifier-topology-information>
show chassis fpc optical-properties edfa
<get-fpc-optical-edfa-information>
show chassis fpc optical-properties mfg-info
<get-fpc-optical-mfg-info-information>
show chassis fpc optical-properties ocm
<get-fpc-optical-ocm-information>
show chassis fpc optical-properties pm-current
<get-fpc-optical-pm-current-information>
show chassis fpc optical-properties pm-currentday
<get-fpc-optical-pm-currentday-information>
show chassis fpc optical-properties pm-interval
<get-fpc-optical-pm-interval-information>
show chassis fpc optical-properties pm-previousday
<get-fpc-optical-pm-previousday-information>
show chassis fpc optical-properties status
<get-fpc-optical-status-information>
show chassis fpc optical-properties topology
<get-fpc-optical-topology-information>
show chassis fpc optical-properties wss
<get-fpc-optical-wss-information>
show chassis fpc pic-status
<get-pic-information>
show chassis fpc port-status
<get-fpc-port-information>
show chassis fpc-feb-connectivity
<get-fpc-feb-connectivity-information>
show chassis hardware
<get-chassis-inventory>
show chassis hardware satellite
<get-chassis-hardware-satellite-information>
show chassis hss
show chassis hss link-quality
show chassis in-service-upgrade
show chassis ioc-npc-connectivity
<get-ioc-npc-connectivity-information>
show chassis jam-test
<get-jam-test-information>
show chassis lcc-mode
<get-chassis-lcc-mode-information>
show chassis lccs
<get-fru-information>
<get-chassis-led-satellite-information>
show chassis location
<get-chassis-location>
show chassis location fpc
show chassis location interface
show chassis location interface by-name
<get-interface-location-name-information>
show chassis location interface by-slot
<get-interface-location-information>
show chassis mac-addresses
show chassis multicast-loadbalance
<get-chassis-ae-lb-information>
show chassis network-services
<network-services>
show chassis network-slices
<get-gnf-information>
show chassis nonstop-upgrade
show chassis pic
<get-pic-detail>
show chassis power
<get-power-usage-information>
show chassis power detail
<get-power-usage-information-detail>
show chassis power sequence
show chassis power upgrade
show chassis power-ratings
<get-power-management>
show chassis psd
<get-psd-information>
show chassis redundancy
show chassis redundancy feb
<get-feb-redundancy-information>
show chassis redundancy feb errors
<get-feb-redundancy-error-information>
show chassis redundancy feb redundancy-group
<get-feb-redundancy-group-information>
show chassis redundant-power-system
<get-rps-chassis-information>
show chassis routing-engine
<get-route-engine-information>
show chassis routing-engine bios
<get-bios-version-information>
show chassis routing-engine bios satellite
<get-chassis-routing-engine-bios-satellite-info>
show chassis routing-engine errors
<get-chassis-routing-engine-errors>
show chassis routing-engine satellite
<get-chassis-routing-engine-satellite-information>
show chassis satellite
<get-chassis-satellite-information>
show chassis satellite extended-port
<get-chassis-satellite-extended-port-information>
show chassis satellite interface
<get-chassis-satellite-interface-information>
show chassis satellite neighbor
<get-chassis-satellite-neighbor-information>
show chassis satellite neighbor statistics
<get-chassis-satellite-neighbor-statistics>
show chassis satellite power-budget-statistics
<get-power-budget-information>
show chassis satellite redundancy-group
<get-chassis-satellite-redundancy-group-info>
show chassis satellite redundancy-group devices
<get-chassis-satellite-redundacy-grp-devices-info>
show chassis satellite redundancy-group devices history
<get-chassis-satellite-redundancy-grp-dev-history>
show chassis satellite software
<get-satellite-management-software-information>
show chassis satellite statistics
<get-chassis-satellite-statistics>
show chassis satellite unprovision
<get-chassis-satellite-unprovision-information>
show chassis satellite upgrade-group
<get-chassis-satellite-upgrade-group-information>
show chassis satellite-cluster
<get-chassis-satellite-cluster-information>
show chassis satellite-cluster route
<get-chassis-satellite-cluster-route>
show chassis satellite-cluster statistics
<get-chassis-satellite-cluster-statistics>
show chassis scb
<get-scb-information>
show chassis service-node
<get-service-node-information>
show chassis sfm
<get-sfm-information>
show chassis sfm detail
show chassis sibs
<get-sib-information>
show chassis spmb
<get-spmb-information>
show chassis spmb errors
<get-spmb-error-information>
show chassis spmb sibs
<get-spmb-sib-information>
show chassis ssb
<get-ssb-information>
show chassis synchronization
<get-clock-synchronization-information>
show chassis synchronization backup
show chassis synchronization gnss
show chassis synchronization master
show chassis system-mode
<get-system-mode-information>
show chassis temperature-thresholds
<get-temperature-threshold-information>
show chassis temperature-thresholds satellite
<get-chassis-temp-thresholds-satellite-info>
show chassis vcpu
show chassis zones
<get-chassis-zones-information>
show class-of-service
<get-cos-information>
show class-of-service adaptive-shaper
<get-cos-adaptive-shaper-information>
show class-of-service application-traffic-control
show class-of-service application-traffic-control counter
show class-of-service application-traffic-control rate-limiters
show class-of-service application-traffic-control rate-limiters rl-all
<get-appqos-swrl-stat-all>
show class-of-service application-traffic-control rate-limiters rl-name
<get-appqos-swrl-stat-name>
show class-of-service application-traffic-control rate-limiters summary
<get-appqos-swrl-stat-summary>
show class-of-service application-traffic-control statistics
show class-of-service application-traffic-control statistics rate-limiter
show class-of-service application-traffic-control statistics rule
<get-appqos-rule-statistics>
show class-of-service bind-point
<get-cos-bind-point-feature-information>
show class-of-service bind-point interface
<get-cos-interface-feature-information>
show class-of-service bind-point interface-set
<get-cos-interface-set-feature-information>
show class-of-service bind-point routing-instance
<get-cos-routing-instance-feature-information>
show class-of-service bind-point-ownership
<get-cos-bind-point-ownership-summary>
show class-of-service classifier
<get-cos-classifier-information>
show class-of-service client
show class-of-service client internal-id
<get-cos-junos-client-information>
show class-of-service client name
<get-cos-junos-client-information>
show class-of-service client summary
<get-cos-junos-client-summary>
show class-of-service code-point-aliases
<get-cos-code-point-map-information>
show class-of-service congestion-notification
<get-cos-congestion-notification-information>
show class-of-service drop-profile
<get-cos-drop-profile-information>
show class-of-service fabric
show class-of-service fabric scheduler-map
<get-cos-fabric-scheduler-map-information>
show class-of-service fabric statistics
<get-fabric-queue-information>
show class-of-service fabric statistics detail
<get-fabric-queue-detailed-information>
show class-of-service forwarding-class
<get-cos-forwarding-class-information>
show class-of-service forwarding-class-set
<get-cos-forwarding-class-set-information>
show class-of-service forwarding-table
<get-cos-table-information>
show class-of-service forwarding-table classifier
<get-cos-classifier-table-information>
show class-of-service forwarding-table classifier mapping
<get-cos-classifier-table-map-information>
show class-of-service forwarding-table drop-profile
<get-cos-red-information>
show class-of-service forwarding-table fabric
show class-of-service forwarding-table fabric scheduler-map
<get-cos-fwtab-fabric-scheduler-map-information>
show class-of-service forwarding-table forwarding-class-map
<get-cos-forwarding-class-map-table-information>
show class-of-service forwarding-table forwarding-class-map mapping
<get-cos-forwarding-class-map-interface-table-information>
show class-of-service forwarding-table loss-priority-map
<get-cos-loss-priority-map-table-information>
show class-of-service forwarding-table loss-priority-map mapping
<get-cos-loss-priority-map-table-binding-information>
show class-of-service forwarding-table loss-priority-rewrite
<get-cos-loss-priority-rewrite-table-information>
show class-of-service forwarding-table loss-priority-rewrite mapping
<get-cos-loss-priority-rewrite-table-binding-information>
show class-of-service forwarding-table policer
<get-cos-policer-table-map-information>
show class-of-service forwarding-table policy-map
<get-cos-policy-map-table-information>
show class-of-service forwarding-table policy-map mapping
<get-cos-policy-map-table-map-information>
show class-of-service forwarding-table rewrite-rule
<get-cos-rewrite-table-information>
show class-of-service forwarding-table rewrite-rule mapping
<get-cos-rewrite-table-map-information>
show class-of-service forwarding-table scheduler-map
<get-cos-scheduler-map-table-information>
show class-of-service forwarding-table scheduler-map mapping
<get-scheduler-map-table-map-information>
show class-of-service forwarding-table shaper
<get-cos-shaper-table-map-information>
show class-of-service forwarding-table translation-table
<get-cos-translation-table-information>
show class-of-service forwarding-table translation-table mapping
<get-cos-translation-table-mapping-information>
show class-of-service fragmentation-map
<get-cos-fragmentation-map-information>
show class-of-service interface
<get-cos-interface-map-information>
show class-of-service interface-set
<get-cos-interface-set-map-information>
show class-of-service l2tp-session
<get-cos-l2tp-session-map-information>
show class-of-service loss-priority-map
<get-cos-loss-priority-map-information>
show class-of-service loss-priority-rewrite
<get-cos-loss-priority-rewrite-information>
show class-of-service multi-destination
<get-cos-multi-destination-information>
show class-of-service multi-destination classifier-binding
<get-cos-multi-destination-classifier-binding-information>
show class-of-service packet-buffer
<get-cos-packet-buffer-information>
show class-of-service packet-buffer usage
<get-cos-packet-buffer-usage-information>
show class-of-service policy-map
<get-cos-policy-map-information>
show class-of-service rewrite-rule
<get-cos-rewrite-information>
show class-of-service routing-instance
<get-cos-routing-instance-map-information>
show class-of-service scheduler-hierarchy
show class-of-service scheduler-hierarchy interface
<get-interface-scheduler-hierarchy-information>
show class-of-service scheduler-hierarchy interface-set
<get-interface-set-scheduler-hierarchy-information>
show class-of-service scheduler-map
<get-cos-scheduler-map-information>
show class-of-service traffic-control-profile
<get-cos-traffic-control-profile-information>
show class-of-service translation-table
<get-cos-translation-table-map-information>
show class-of-service virtual-channel
<get-cos-virtual-channel-information>
show class-of-service virtual-channel-group
<get-cos-virtual-channel-group-information>
show cli
show cli authorization
<get-authorization-information>
show cli commands
show cli directory
<get-current-working-directory>
show cli history
show cloud-analytics
show cloud-analytics connections
<get-cloud-analytics-connections>
show cloud-analytics discovery-service
<get-cloud-analytics-discovery-service>
show cloud-analytics linecard
<get-cloud-analytics-lc>
show cloud-analytics resources
<get-cloud-analytics-resources>
show cloud-analytics resources-sampling
<get-cloud-analytics-resources-sampling>
show cloud-analytics resources-summary
<get-cloud-analytics-resources-summary>
show cloud-analytics sensors
<sensor-information>
show cloud-analytics streaming-policies
<get-cloud-analytics-streaming-policies>

Chapter 4: Permissions Flags for User Access Privileges

show configuration
show connections
<get-ccc-information>
show database-replication
show database-replication statistics
<get-database-replication-statistics-information>
show database-replication summary
<get-database-replication-summary-information>
show ddos-protection
show ddos-protection protocols
<get-ddos-protocols-information>
show ddos-protection protocols all-fiber-channel-enode
<get-ddos-all-fc-enode-information>
show ddos-protection protocols all-fiber-channel-enode aggregate
<get-ddos-all-fc-enode-aggregate>
show ddos-protection protocols all-fiber-channel-enode aggregate culprit-flows
<get-ddos-all-fc-enode-aggregate-flows>
show ddos-protection protocols all-fiber-channel-enode culprit-flows
<get-ddos-all-fc-enode-flows>
show ddos-protection protocols all-fiber-channel-enode flow-detection
<get-ddos-all-fc-enode-flow-parameters>
show ddos-protection protocols all-fiber-channel-enode parameters
<get-ddos-all-fc-enode-parameters>
show ddos-protection protocols all-fiber-channel-enode statistics
<get-ddos-all-fc-enode-statistics>
show ddos-protection protocols all-fiber-channel-enode violations
<get-ddos-all-fc-enode-violations>
show ddos-protection protocols amtv4
show ddos-protection protocols amtv4 aggregate
show ddos-protection protocols amtv4 aggregate culprit-flows
show ddos-protection protocols amtv4 culprit-flows
show ddos-protection protocols amtv4 flow-detection
show ddos-protection protocols amtv4 parameters
show ddos-protection protocols amtv4 statistics
show ddos-protection protocols amtv4 violations
show ddos-protection protocols amtv6
show ddos-protection protocols amtv6 aggregate
show ddos-protection protocols amtv6 aggregate culprit-flows
show ddos-protection protocols amtv6 culprit-flows
show ddos-protection protocols amtv6 flow-detection
show ddos-protection protocols amtv6 statistics
show ddos-protection protocols amtv6 violations

show ddos-protection protocols ancp
<get-ddos-ancp-information>
show ddos-protection protocols ancp aggregate
<get-ddos-ancp-aggregate>
show ddos-protection protocols ancp parameters
<get-ddos-ancp-parameters>
show ddos-protection protocols ancp statistics
<get-ddos-ancp-statistics>
show ddos-protection protocols ancp violations
<get-ddos-ancp-violations>
show ddos-protection protocols ancpv6
<get-ddos-ancpv6-information>
show ddos-protection protocols ancpv6 aggregate
get-ddos-ancpv6-aggregate

show ddos-protection protocols ancpv6 parameters
get-ddos-ancpv6-parameters
show ddos-protection protocols ancpv6 statistics
get-ddos-ancpv6-statistics
show ddos-protection protocols ancpv6 violations
get-ddos-ancpv6-violations
show ddos-protection protocols arp
get-ddos-arp-information
show ddos-protection protocols arp aggregate
get-ddos-arp-aggregate
show ddos-protection protocols arp parameters
get-ddos-arp-parameters
show ddos-protection protocols arp statistics
get-ddos-arp-statistics
show ddos-protection protocols arp violations
get-ddos-arp-violations
show ddos-protection protocols arp-snoop
<get-ddos-arp-snoop-information>
show ddos-protection protocols arp-snoop aggregate
<get-ddos-arp-snoop-aggregate>
show ddos-protection protocols arp-snoop aggregate culprit-flows
<get-ddos-arp-snoop-aggregate-flows>
show ddos-protection protocols arp-snoop culprit-flows
<get-ddos-arp-snoop-flows>
show ddos-protection protocols arp-snoop flow-detection
<get-ddos-arp-snoop-flow-parameters>
show ddos-protection protocols arp-snoop parameters
<get-ddos-arp-snoop-parameters>
show ddos-protection protocols arp-snoop statistics
<get-ddos-arp-snoop-statistics>
show ddos-protection protocols arp-snoop violations
<get-ddos-arp-snoop-violations>
show ddos-protection protocols atm
get-ddos-atm-information
show ddos-protection protocols atm aggregate
get-ddos-atm-aggregate
show ddos-protection protocols atm parameters
get-ddos-atm-parameters
show ddos-protection protocols atm statistics
get-ddos-atm-statistics
show ddos-protection protocols atm violations
get-ddos-atm-violations
show ddos-protection protocols bfd
get-ddos-bfd-information
show ddos-protection protocols bfd aggregate
get-ddos-bfd-aggregate
show ddos-protection protocols bfd parameters
get-ddos-bfd-parameters
show ddos-protection protocols bfd statistics
get-ddos-bfd-statistics
show ddos-protection protocols bfd violations
get-ddos-bfd-violations
show ddos-protection protocols bfdv6
get-ddos-bfdv6-information
show ddos-protection protocols bfdv6 aggregate
get-ddos-bfdv6-aggregate
show ddos-protection protocols bfdv6 parameters
get-ddos-bfdv6-parameters
show ddos-protection protocols bfdv6 statistics
get-ddos-bfdv6-statistics
show ddos-protection protocols bfdv6 violations

get-ddos-bfdv6-violations
show ddos-protection protocols bgp
get-ddos-bgp-information
show ddos-protection protocols bgp aggregate
get-ddos-bgp-aggregate
show ddos-protection protocols bgp parameters
get-ddos-bgp-parameters
show ddos-protection protocols bgp statistics
get-ddos-bgp-statistics
show ddos-protection protocols bgp violations
get-ddos-bgp-violations
show ddos-protection protocols bgpv6
get-ddos-bgpv6-information
show ddos-protection protocols bgpv6 aggregate
get-ddos-bgpv6-aggregate
show ddos-protection protocols bgpv6 parameters
get-ddos-bgpv6-parameters
show ddos-protection protocols bgpv6 statistics
get-ddos-bgpv6-statistics
show ddos-protection protocols bgpv6 violations
get-ddos-bgpv6-violations
show ddos-protection protocols bridge-control
<get-ddos-brg-ctrl-information>
show ddos-protection protocols bridge-control aggregate
<get-ddos-brg-ctrl-aggregate>
show ddos-protection protocols bridge-control aggregate culprit-flows
<get-ddos-brg-ctrl-aggregate-flows>
show ddos-protection protocols bridge-control culprit-flows
<get-ddos-brg-ctrl-flows>
show ddos-protection protocols bridge-control flow-detection
<get-ddos-brg-ctrl-flow-parameters>
show ddos-protection protocols bridge-control parameters
<get-ddos-brg-ctrl-parameters>
show ddos-protection protocols bridge-control statistics
<get-ddos-brg-ctrl-statistics>
show ddos-protection protocols bridge-control violations
<get-ddos-brg-ctrl-violations>
show ddos-protection protocols demux-autosense
get-ddos-demuxauto-information
show ddos-protection protocols demux-autosense aggregate
get-ddos-demuxauto-aggregate
show ddos-protection protocols demux-autosense parameters
get-ddos-demuxauto-parameters
show ddos-protection protocols demux-autosense statistics
get-ddos-demuxauto-statistics
show ddos-protection protocols demux-autosense violations
get-ddos-demuxauto-violations
show ddos-protection protocols dhcpv4
get-ddos-dhcpv4-information
show ddos-protection protocols dhcpv4 ack
get-ddos-dhcpv4-ack
show ddos-protection protocols dhcpv4 aggregate
get-ddos-dhcpv4-aggregate
show ddos-protection protocols dhcpv4 bad-packets
get-ddos-dhcpv4-bad-pack
show ddos-protection protocols dhcpv4 bootp
get-ddos-dhcpv4-bootp
show ddos-protection protocols dhcpv4 decline
get-ddos-dhcpv4-decline
show ddos-protection protocols dhcpv4 discover
get-ddos-dhcpv4-discover
show ddos-protection protocols dhcpv4 force-renew

get-ddos-dhcpv4-forcerenew
show ddos-protection protocols dhcpv4 inform
get-ddos-dhcpv4-inform
show ddos-protection protocols dhcpv4 lease-active
get-ddos-dhcpv4-leaseact
show ddos-protection protocols dhcpv4 lease-query
get-ddos-dhcpv4-leasequery
show ddos-protection protocols dhcpv4 lease-unassigned
get-ddos-dhcpv4-leaseuna
show ddos-protection protocols dhcpv4 lease-unknown
get-ddos-dhcpv4-leaseunk
show ddos-protection protocols dhcpv4 nak
get-ddos-dhcpv4-nak
show ddos-protection protocols dhcpv4 no-message-type
get-ddos-dhcpv4-no-msgtype
show ddos-protection protocols dhcpv4 offer
get-ddos-dhcpv4-offer
show ddos-protection protocols dhcpv4 offer culprit-flows
show ddos-protection protocols dhcpv4 parameters
get-ddos-dhcpv4-parameters
show ddos-protection protocols dhcpv4 release
get-ddos-dhcpv4-release
show ddos-protection protocols dhcpv4 renew
get-ddos-dhcpv4-renew
show ddos-protection protocols dhcpv4 request
get-ddos-dhcpv4-request
show ddos-protection protocols dhcpv4 statistics
get-ddos-dhcpv4-statistics
show ddos-protection protocols dhcpv4 unclassified
get-ddos-dhcpv4-unclass
show ddos-protection protocols dhcpv4 violations
get-ddos-dhcpv4-violations
show ddos-protection protocols dhcpv4v6
<get-ddos-dhcpv4v6-information>
show ddos-protection protocols dhcpv4v6 aggregate
<get-ddos-dhcpv4v6-aggregate>
show ddos-protection protocols dhcpv4v6 aggregate culprit-flows
<get-ddos-dhcpv4v6-aggregate-flows>
show ddos-protection protocols dhcpv4v6 culprit-flows
<get-ddos-dhcpv4v6-flows>
show ddos-protection protocols dhcpv4v6 flow-detection
<get-ddos-dhcpv4v6-flow-parameters>
show ddos-protection protocols dhcpv4v6 parameters
<get-ddos-dhcpv4v6-parameters>
show ddos-protection protocols dhcpv4v6 statistics
<get-ddos-dhcpv4v6-statistics>
show ddos-protection protocols dhcpv4v6 violations
<get-ddos-dhcpv4v6-violations>
show ddos-protection protocols dhcpv6
get-ddos-dhcpv6-information
show ddos-protection protocols dhcpv6 advertise
get-ddos-dhcpv6-advertise
show ddos-protection protocols dhcpv6 advertise culprit-flows
show ddos-protection protocols dhcpv6 aggregate
get-ddos-dhcpv6-aggregate
show ddos-protection protocols dhcpv6 confirm
get-ddos-dhcpv6-confirm
show ddos-protection protocols dhcpv6 decline
get-ddos-dhcpv6-decline
show ddos-protection protocols dhcpv6 information-request
get-ddos-dhcpv6-info-req

show ddos-protection protocols dhcpv6 leasequery
get-ddos-dhcpv6-leasequery
show ddos-protection protocols dhcpv6 leasequery culprit-flows
show ddos-protection protocols dhcpv6 leasequery-data
get-ddos-dhcpv6-leaseq-da
show ddos-protection protocols dhcpv6 leasequery-done
get-ddos-dhcpv6-leaseq-do
show ddos-protection protocols dhcpv6 leasequery-reply
get-ddos-dhcpv6-leaseq-re
show ddos-protection protocols dhcpv6 parameters
get-ddos-dhcpv6-parameters
show ddos-protection protocols dhcpv6 rebind
get-ddos-dhcpv6-rebind
show ddos-protection protocols dhcpv6 reconfigure
get-ddos-dhcpv6-reconfig
show ddos-protection protocols dhcpv6 relay-forward
get-ddos-dhcpv6-relay-for
show ddos-protection protocols dhcpv6 relay-reply
get-ddos-dhcpv6-relay-rep
show ddos-protection protocols dhcpv6 release
get-ddos-dhcpv6-release
show ddos-protection protocols dhcpv6 renew
get-ddos-dhcpv6-renew
show ddos-protection protocols dhcpv6 reply
get-ddos-dhcpv6-reply
show ddos-protection protocols dhcpv6 request
get-ddos-dhcpv6-request
show ddos-protection protocols dhcpv6 solicit
get-ddos-dhcpv6-solicit
show ddos-protection protocols dhcpv6 statistics
get-ddos-dhcpv6-statistics
show ddos-protection protocols dhcpv6 unclassified
get-ddos-dhcpv6-unclass
show ddos-protection protocols dhcpv6 unclassified culprit-flows
show ddos-protection protocols dhcpv6 violations
get-ddos-dhcpv6-violations
show ddos-protection protocols diameter
get-ddos-diameter-information
show ddos-protection protocols diameter aggregate
get-ddos-diameter-aggregate
show ddos-protection protocols diameter parameters
get-ddos-diameter-parameters
show ddos-protection protocols diameter statistics
get-ddos-diameter-statistics
show ddos-protection protocols diameter violations
get-ddos-diameter-violations
show ddos-protection protocols dns
get-ddos-dns-information
show ddos-protection protocols dns aggregate
get-ddos-dns-aggregate
show ddos-protection protocols dns parameters
get-ddos-dns-parameters
show ddos-protection protocols dns statistics
get-ddos-dns-statistics
show ddos-protection protocols dns violations
get-ddos-dns-violations
show ddos-protection protocols dtcp
get-ddos-dtcp-information
show ddos-protection protocols dtcp aggregate
get-ddos-dtcp-aggregate
show ddos-protection protocols dtcp aggregate culprit-flows

show ddos-protection protocols dtcp parameters
get-ddos-dtcp-parameters
show ddos-protection protocols dtcp statistics
get-ddos-dtcp-statistics
show ddos-protection protocols dtcp violations
get-ddos-dtcp-violations
show ddos-protection protocols dynamic-vlan
get-ddos-dynvlan-information
show ddos-protection protocols dynamic-vlan aggregate
get-ddos-dynvlan-aggregate
show ddos-protection protocols dynamic-vlan parameters
get-ddos-dynvlan-parameters
show ddos-protection protocols dynamic-vlan statistics
get-ddos-dynvlan-statistics
show ddos-protection protocols dynamic-vlan violations
get-ddos-dynvlan-violations
show ddos-protection protocols egpv6
get-ddos-egpv6-information
show ddos-protection protocols egpv6 aggregate
get-ddos-egpv6-aggregate
show ddos-protection protocols egpv6 parameters
get-ddos-egpv6-parameters
show ddos-protection protocols egpv6 statistics
get-ddos-egpv6-statistics
show ddos-protection protocols egpv6 violations
get-ddos-egpv6-violations
show ddos-protection protocols eoam
get-ddos-eoam-information
show ddos-protection protocols eoam aggregate
get-ddos-eoam-aggregate
show ddos-protection protocols eoam parameters
get-ddos-eoam-parameters
show ddos-protection protocols eoam statistics
get-ddos-eoam-statistics
show ddos-protection protocols eoam violations
get-ddos-eoam-violations
show ddos-protection protocols esmc
get-ddos-esmc-information
show ddos-protection protocols esmc aggregate
get-ddos-esmc-aggregate
show ddos-protection protocols esmc parameters
get-ddos-esmc-parameters
show ddos-protection protocols esmc statistics
get-ddos-esmc-statistics
show ddos-protection protocols esmc violations
get-ddos-esmc-violations
show ddos-protection protocols ethernet-tcc
<get-ddos-eth-tcc-information>
show ddos-protection protocols ethernet-tcc aggregate
<get-ddos-eth-tcc-aggregate>
show ddos-protection protocols ethernet-tcc aggregate culprit-flows
<get-ddos-eth-tcc-aggregate-flows>
show ddos-protection protocols ethernet-tcc culprit-flows
<get-ddos-eth-tcc-flows>
show ddos-protection protocols ethernet-tcc flow-detection
<get-ddos-eth-tcc-flow-parameters>
show ddos-protection protocols ethernet-tcc parameters
<get-ddos-eth-tcc-parameters>
show ddos-protection protocols ethernet-tcc statistics
<get-ddos-eth-tcc-statistics>
show ddos-protection protocols ethernet-tcc violations

<get-ddos-eth-tcc-violations>
show ddos-protection protocols exceptions
<get-ddos-exception-information>
show ddos-protection protocols exceptions aggregate
<get-ddos-exception-aggregate>
show ddos-protection protocols exceptions aggregate culprit-flows
<get-ddos-exception-aggregate-flows>
show ddos-protection protocols exceptions culprit-flows
<get-ddos-exception-flows>
show ddos-protection protocols exceptions flow-detection
<get-ddos-exception-flow-parameters>
show ddos-protection protocols exceptions mcast-rpf-err
<get-ddos-exception-mcast-rpf>
show ddos-protection protocols exceptions mcast-rpf-err culprit-flows
<get-ddos-exception-mcast-rpf-flows>
show ddos-protection protocols exceptions mtu-exceeded
<get-ddos-exception-mtu-exceed>
show ddos-protection protocols exceptions mtu-exceeded culprit-flows
<get-ddos-exception-mtu-exceed-flows>
show ddos-protection protocols exceptions parameters
<get-ddos-exception-parameters>
show ddos-protection protocols exceptions statistics
<get-ddos-exception-statistics>
show ddos-protection protocols exceptions unclassified
<get-ddos-exception-unclass>
show ddos-protection protocols exceptions unclassified culprit-flows
<get-ddos-exception-unclass-flows>
show ddos-protection protocols exceptions violations
<get-ddos-exception-violations>

show ddos-protection protocols fab-probe
<get-ddos-fab-probe-information>
show ddos-protection protocols fab-probe aggregate
<get-ddos-fab-probe-aggregate>
show ddos-protection protocols fab-probe parameters
<get-ddos-fab-probe-parameters>
show ddos-protection protocols fab-probe statistics
<get-ddos-fab-probe-statistics>
show ddos-protection protocols fab-probe violations
<get-ddos-fab-probe-violations>
show ddos-protection protocols firewall-host
get-ddos-fw-host-information
show ddos-protection protocols firewall-host aggregate
get-ddos-fw-host-aggregate
show ddos-protection protocols firewall-host parameters
get-ddos-fw-host-parameters
show ddos-protection protocols firewall-host statistics
get-ddos-fw-host-statistics
show ddos-protection protocols firewall-host violations
get-ddos-fw-host-violations

show ddos-protection protocols ftp
get-ddos-ftp-information
show ddos-protection protocols ftp aggregate
get-ddos-ftp-aggregate
show ddos-protection protocols ftp parameters
get-ddos-ftp-parameters
show ddos-protection protocols ftp statistics
get-ddos-ftp-statistics
show ddos-protection protocols ftp violations

get-ddos-ftp-violations
show ddos-protection protocols ftpv6
get-ddos-ftpv6-information
show ddos-protection protocols ftpv6 aggregate
get-ddos-ftpv6-aggregate
show ddos-protection protocols ftpv6 parameters
get-ddos-ftpv6-parameters
show ddos-protection protocols ftpv6 statistics
get-ddos-ftpv6-statistics
show ddos-protection protocols ftpv6 violations
get-ddos-ftpv6-violations
show ddos-protection protocols garp-reply
<get-ddos-garp-reply-information>
show ddos-protection protocols garp-reply aggregate
<get-ddos-garp-reply-aggregate>
show ddos-protection protocols garp-reply aggregate culprit-flows
<get-ddos-garp-reply-aggregate-flows>
show ddos-protection protocols garp-reply culprit-flows
<get-ddos-garp-reply-flows>
show ddos-protection protocols garp-reply flow-detection
<get-ddos-garp-reply-flow-parameters>
show ddos-protection protocols garp-reply parameters
<get-ddos-garp-reply-parameters>
show ddos-protection protocols garp-reply statistics
<get-ddos-garp-reply-statistics>
show ddos-protection protocols garp-reply violations
<get-ddos-garp-reply-violations>
show ddos-protection protocols gre
get-ddos-gre-information
show ddos-protection protocols gre aggregate
get-ddos-gre-aggregate
show ddos-protection protocols gre hbc
<get-ddos-gre-hbc>
show ddos-protection protocols gre hbc culprit-flows
<get-ddos-gre-hbc-flows>
show ddos-protection protocols gre parameters
get-ddos-gre-parameters
show ddos-protection protocols gre punt
<get-ddos-gre-punt>
show ddos-protection protocols gre punt culprit-flows
<get-ddos-gre-punt-flows>
show ddos-protection protocols gre statistics
get-ddos-gre-statistics
show ddos-protection protocols gre violations
get-ddos-gre-violations
show ddos-protection protocols icmp
get-ddos-icmp-information
show ddos-protection protocols icmp aggregate
get-ddos-icmp-aggregate
show ddos-protection protocols icmp parameters
get-ddos-icmp-parameters
show ddos-protection protocols icmp statistics
get-ddos-icmp-statistics
show ddos-protection protocols icmp violations
get-ddos-icmp-violations
show ddos-protection protocols icmpv6
<get-ddos-icmpv6-information>
show ddos-protection protocols icmpv6 aggregate
<get-ddos-icmpv6-aggregate>
show ddos-protection protocols icmpv6 aggregate culprit-flows
<get-ddos-icmpv6-aggregate-flows>

show ddos-protection protocols icmpv6 parameters
<get-ddos-icmpv6-parameters>
show ddos-protection protocols icmpv6 statistics
<get-ddos-icmpv6-statistics>
show ddos-protection protocols icmpv6 violations
<get-ddos-icmpv6-violations>
show ddos-protection protocols igmp
get-ddos-igmp-information
show ddos-protection protocols igmp aggregate
get-ddos-igmp-aggregate
show ddos-protection protocols igmp aggregate culprit-flows
show ddos-protection protocols igmp parameters
get-ddos-igmp-parameters
show ddos-protection protocols igmp statistics
get-ddos-igmp-statistics
show ddos-protection protocols igmp violations
get-ddos-igmp-violations
show ddos-protection protocols igmp-snoop
get-ddos-igmp-snoop-information
show ddos-protection protocols igmp-snoop aggregate
get-ddos-igmp-snoop-aggregate
show ddos-protection protocols igmp-snoop parameters
get-ddos-igmp-snoop-parameters
show ddos-protection protocols igmp-snoop statistics
get-ddos-igmp-snoop-statistics
show ddos-protection protocols igmp-snoop violations
get-ddos-igmp-snoop-violations
show ddos-protection protocols igmpv4v6
get-ddos-igmpv4v6-information
show ddos-protection protocols igmpv4v6 aggregate
get-ddos-igmpv4v6-aggregate
show ddos-protection protocols igmpv4v6 aggregate culprit-flows
show ddos-protection protocols igmpv4v6 parameters
get-ddos-igmpv4v6-parameters
show ddos-protection protocols igmpv4v6 statistics
get-ddos-igmpv4v6-statistics
show ddos-protection protocols igmpv4v6 violations
get-ddos-igmpv4v6-violations
show ddos-protection protocols igmpv6
get-ddos-igmpv6-information
show ddos-protection protocols igmpv6 aggregate
get-ddos-igmpv6-aggregate
show ddos-protection protocols igmpv6 parameters
get-ddos-igmpv6-parameters
show ddos-protection protocols igmpv6 statistics
get-ddos-igmpv6-statistics
show ddos-protection protocols igmpv6 violations
get-ddos-igmpv6-violations
show ddos-protection protocols ip-fragments
get-ddos-ip-frag-information
show ddos-protection protocols ip-fragments aggregate
get-ddos-ip-frag-aggregate
show ddos-protection protocols ip-fragments first-fragment
get-ddos-ip-frag-first-frag
show ddos-protection protocols ip-fragments parameters
get-ddos-ip-frag-parameters
show ddos-protection protocols ip-fragments statistics
get-ddos-ip-frag-statistics
show ddos-protection protocols ip-fragments trail-fragment
get-ddos-ip-frag-trail-frag
show ddos-protection protocols ip-fragments violations

get-ddos-ip-frag-violations
show ddos-protection protocols ip-options
get-ddos-ip-opt-information
show ddos-protection protocols ip-options aggregate
get-ddos-ip-opt-aggregate
show ddos-protection protocols ip-options non-v4v6
<get-ddos-ip-opt-non-v4v6>
show ddos-protection protocols ip-options parameters
get-ddos-ip-opt-parameters
show ddos-protection protocols ip-options router-alert
get-ddos-ip-opt-rt-alert
show ddos-protection protocols ip-options statistics
get-ddos-ip-opt-statistics
show ddos-protection protocols ip-options unclassified
get-ddos-ip-opt-unclass
show ddos-protection protocols ipmc-reserved culprit-flows
<get-ddos-ipmc-reserved-flows>
show ddos-protection protocols ipmc-reserved flow-detection
<get-ddos-ipmc-reserved-flow-parameters>
show ddos-protection protocols ipmc-reserved parameters
<get-ddos-ipmc-reserved-parameters>
show ddos-protection protocols ipmc-reserved statistics
<get-ddos-ipmc-reserved-statistics>
show ddos-protection protocols ipmc-reserved violations
<get-ddos-ipmc-reserved-violations>
show ddos-protection protocols ipmcast-miss
<get-ddos-ipmcast-miss-information>
show ddos-protection protocols ipmcast-miss aggregate
<get-ddos-ipmcast-miss-aggregate>
show ddos-protection protocols ipmcast-miss aggregate culprit-flows
<get-ddos-ipmcast-miss-aggregate-flows>
show ddos-protection protocols ipmcast-miss culprit-flows
<get-ddos-ipmcast-miss-flows>
show ddos-protection protocols ipmcast-miss flow-detection
<get-ddos-ipmcast-miss-flow-parameters>
show ddos-protection protocols ipmcast-miss parameters
<get-ddos-ipmcast-miss-parameters>
show ddos-protection protocols ipmcast-miss statistics
<get-ddos-ipmcast-miss-statistics>
show ddos-protection protocols ipmcast-miss violations
<get-ddos-ipmcast-miss-violations>
show ddos-protection protocols ip-options violations
get-ddos-ip-opt-violations
show ddos-protection protocols ipv4-unclassified
get-ddos-ipv4-uncls-information
show ddos-protection protocols ipv4-unclassified aggregate
get-ddos-ipv4-uncls-aggregate
show ddos-protection protocols ipv4-unclassified parameters
get-ddos-ipv4-uncls-parameters
show ddos-protection protocols ipv4-unclassified statistics
get-ddos-ipv4-uncls-statistics
show ddos-protection protocols ipv4-unclassified violations
get-ddos-ipv4-uncls-violations
show ddos-protection protocols ipv6-unclassified
get-ddos-ipv6-uncls-information
show ddos-protection protocols ipv6-unclassified aggregate
get-ddos-ipv6-uncls-aggregate
show ddos-protection protocols ipv6-unclassified parameters
get-ddos-ipv6-uncls-parameters
show ddos-protection protocols ipv6-unclassified statistics
get-ddos-ipv6-uncls-statistics

show ddos-protection protocols ipv6-unclassified violations
get-ddos-ipv6-uncls-violations
show ddos-protection protocols isis
get-ddos-isis-information
show ddos-protection protocols isis aggregate
get-ddos-isis-aggregate
show ddos-protection protocols isis parameters
get-ddos-isis-parameters
show ddos-protection protocols isis statistics
get-ddos-isis-statistics
show ddos-protection protocols isis violations
get-ddos-isis-violations
show ddos-protection protocols iso-tcc
<get-ddos-iso-tcc-information>
show ddos-protection protocols iso-tcc aggregate
<get-ddos-iso-tcc-aggregate>
show ddos-protection protocols iso-tcc aggregate culprit-flows
<get-ddos-iso-tcc-aggregate-flows>
show ddos-protection protocols iso-tcc culprit-flows
<get-ddos-iso-tcc-flows>
show ddos-protection protocols iso-tcc flow-detection
<get-ddos-iso-tcc-flow-parameters>
show ddos-protection protocols iso-tcc parameters
<get-ddos-iso-tcc-parameters>
show ddos-protection protocols iso-tcc statistics
<get-ddos-iso-tcc-statistics>
show ddos-protection protocols iso-tcc violations
<get-ddos-iso-tcc-violations>
show ddos-protection protocols jfm
get-ddos-jfm-information
show ddos-protection protocols jfm aggregate
get-ddos-jfm-aggregate
show ddos-protection protocols jfm parameters
get-ddos-jfm-parameters
show ddos-protection protocols jfm statistics
get-ddos-jfm-statistics
show ddos-protection protocols jfm violations
get-ddos-jfm-violations
show ddos-protection protocols l2tp
get-ddos-l2tp-information
show ddos-protection protocols l2tp aggregate
get-ddos-l2tp-aggregate
show ddos-protection protocols l2tp parameters
get-ddos-l2tp-parameters
show ddos-protection protocols l2tp statistics
get-ddos-l2tp-statistics
show ddos-protection protocols l2tp violations
get-ddos-l2tp-violations
show ddos-protection protocols l3dest-miss
<get-ddos-l3dest-miss-information>
show ddos-protection protocols l3dest-miss aggregate
<get-ddos-l3dest-miss-aggregate>
show ddos-protection protocols l3dest-miss aggregate culprit-flows
<get-ddos-l3dest-miss-aggregate-flows>
show ddos-protection protocols l3dest-miss culprit-flows
<get-ddos-l3dest-miss-flows>
show ddos-protection protocols l3dest-miss flow-detection
<get-ddos-l3dest-miss-flow-parameters>
show ddos-protection protocols l3dest-miss parameters
<get-ddos-l3dest-miss-parameters>
show ddos-protection protocols l3dest-miss statistics

<get-ddos-l3dest-miss-statistics>
show ddos-protection protocols l3dest-miss violations
<get-ddos-l3dest-miss-violations>
show ddos-protection protocols l3mc-sgv-hit-icl
<get-ddos-l3mc-sgv-hit-icl-information>
show ddos-protection protocols l3mc-sgv-hit-icl aggregate
<get-ddos-l3mc-sgv-hit-icl-aggregate>
show ddos-protection protocols l3mc-sgv-hit-icl aggregate culprit-flows
<get-ddos-l3mc-sgv-hit-icl-aggregate-flows>
show ddos-protection protocols l3mc-sgv-hit-icl culprit-flows
<get-ddos-l3mc-sgv-hit-icl-flows>
show ddos-protection protocols l3mc-sgv-hit-icl flow-detection
<get-ddos-l3mc-sgv-hit-icl-flow-parameters>
show ddos-protection protocols l3mc-sgv-hit-icl parameters
<get-ddos-l3mc-sgv-hit-icl-parameters>
show ddos-protection protocols l3mc-sgv-hit-icl statistics
<get-ddos-l3mc-sgv-hit-icl-statistics>
show ddos-protection protocols l3mc-sgv-hit-icl violations
<get-ddos-l3mc-sgv-hit-icl-violations>
show ddos-protection protocols l3mtu-fail
<get-ddos-l3mtu-fail-information>
show ddos-protection protocols l3mtu-fail aggregate
<get-ddos-l3mtu-fail-aggregate>
show ddos-protection protocols l3mtu-fail aggregate culprit-flows
<get-ddos-l3mtu-fail-aggregate-flows>
show ddos-protection protocols l3mtu-fail culprit-flows
<get-ddos-l3mtu-fail-flows>
show ddos-protection protocols l3mtu-fail flow-detection
<get-ddos-l3mtu-fail-flow-parameters>
show ddos-protection protocols l3mtu-fail parameters
<get-ddos-l3mtu-fail-parameters>
show ddos-protection protocols l3mtu-fail statistics
<get-ddos-l3mtu-fail-statistics>
show ddos-protection protocols l3mtu-fail violations
<get-ddos-l3mtu-fail-violations>
show ddos-protection protocols l3nhop
<get-ddos-l3nhop-information>
show ddos-protection protocols l3nhop aggregate
<get-ddos-l3nhop-aggregate>
show ddos-protection protocols l3nhop aggregate culprit-flows
<get-ddos-l3nhop-aggregate-flows>
show ddos-protection protocols l3nhop culprit-flows
<get-ddos-l3nhop-flows>
show ddos-protection protocols l3nhop flow-detection
<get-ddos-l3nhop-flow-parameters>
show ddos-protection protocols l3nhop parameters
<get-ddos-l3nhop-parameters>
show ddos-protection protocols l3nhop statistics
<get-ddos-l3nhop-statistics>
show ddos-protection protocols l3nhop violations
<get-ddos-l3nhop-violations>
show ddos-protection protocols lacp
<get-ddos-lacp-information>
show ddos-protection protocols lacp aggregate
<get-ddos-lacp-aggregate>
show ddos-protection protocols lacp parameters
<get-ddos-lacp-parameters>
show ddos-protection protocols lacp statistics
<get-ddos-lacp-statistics>
show ddos-protection protocols lacp violations
<get-ddos-lacp-violations>

show ddos-protection protocols ldp
<get-ddos-ldp-information>
show ddos-protection protocols ldp aggregate
<get-ddos-ldp-aggregate>
show ddos-protection protocols ldp parameters
<get-ddos-ldp-parameters>
show ddos-protection protocols ldp statistics
<get-ddos-ldp-statistics>
show ddos-protection protocols ldp violations
<get-ddos-ldp-violations>
show ddos-protection protocols ldp-hello
<get-ddos-ldp-hello-information>
show ddos-protection protocols ldp-hello aggregate
<get-ddos-ldp-hello-aggregate>
show ddos-protection protocols ldp-hello aggregate culprit-flows
<get-ddos-ldp-hello-aggregate-flows>
show ddos-protection protocols ldp-hello culprit-flows
<get-ddos-ldp-hello-flows>
show ddos-protection protocols ldp-hello flow-detection
<get-ddos-ldp-hello-flow-parameters>
show ddos-protection protocols ldp-hello parameters
<get-ddos-ldp-hello-parameters>
show ddos-protection protocols ldp-hello statistics
<get-ddos-ldp-hello-statistics>
show ddos-protection protocols ldp-hello violations
<get-ddos-ldp-hello-violations>
show ddos-protection protocols ldpv6
<get-ddos-ldpv6-information>
show ddos-protection protocols ldpv6 aggregate
<get-ddos-ldpv6-aggregate>
show ddos-protection protocols ldpv6 parameters
<get-ddos-ldpv6-parameters>
show ddos-protection protocols ldpv6 statistics
<get-ddos-ldpv6-statistics>
show ddos-protection protocols ldpv6 violations
<get-ddos-ldpv6-violations>
show ddos-protection protocols lldp
<get-ddos-lldp-information>
show ddos-protection protocols lldp aggregate
<get-ddos-lldp-aggregate>
show ddos-protection protocols lldp parameters
<get-ddos-lldp-parameters>
show ddos-protection protocols lldp statistics
<get-ddos-lldp-statistics>
show ddos-protection protocols lldp violations
<get-ddos-lldp-violations>
show ddos-protection protocols lmp
<get-ddos-lmp-information>
show ddos-protection protocols lmp aggregate
<get-ddos-lmp-aggregate>
show ddos-protection protocols lmp parameters
<get-ddos-lmp-parameters>
show ddos-protection protocols lmp statistics
<get-ddos-lmp-statistics>
show ddos-protection protocols lmp violations
<get-ddos-lmp-violations>
show ddos-protection protocols lmpv6
<get-ddos-lmpv6-information>
show ddos-protection protocols lmpv6 aggregate
<get-ddos-lmpv6-aggregate>
Administration Guide for Security Devices

show ddos-protection protocols lmpv6 parameters
<get-ddos-lmpv6-parameters>
show ddos-protection protocols lmpv6 statistics
<get-ddos-lmpv6-statistics>
show ddos-protection protocols lmpv6 violations
<get-ddos-lmpv6-violations>
show ddos-protection protocols localnh
<get-ddos-localnh-information>
show ddos-protection protocols localnh aggregate
<get-ddos-localnh-aggregate>
show ddos-protection protocols localnh aggregate culprit-flows
<get-ddos-localnh-aggregate-flows>
show ddos-protection protocols localnh culprit-flows
<get-ddos-localnh-flows>
show ddos-protection protocols localnh flow-detection
<get-ddos-localnh-flow-parameters>
show ddos-protection protocols localnh parameters
<get-ddos-localnh-parameters>
show ddos-protection protocols localnh statistics
<get-ddos-localnh-statistics>
show ddos-protection protocols localnh violations
<get-ddos-localnh-violations>
show ddos-protection protocols mac-host
<get-ddos-mac-host-information>
show ddos-protection protocols mac-host aggregate
<get-ddos-mac-host-aggregate>
show ddos-protection protocols mac-host aggregate culprit-flows
<get-ddos-mac-host-aggregate-flows>
show ddos-protection protocols mac-host culprit-flows
<get-ddos-mac-host-flows>
show ddos-protection protocols mac-host flow-detection
<get-ddos-mac-host-flow-parameters>
show ddos-protection protocols mac-host parameters
<get-ddos-mac-host-parameters>
show ddos-protection protocols mac-host statistics
<get-ddos-mac-host-statistics>
show ddos-protection protocols mac-host violations
<get-ddos-mac-host-violations>
show ddos-protection protocols martian-address
<get-ddos-martian-address-information>
show ddos-protection protocols martian-address aggregate
<get-ddos-martian-address-aggregate>
show ddos-protection protocols martian-address aggregate culprit-flows
<get-ddos-martian-address-aggregate-flows>
show ddos-protection protocols martian-address culprit-flows
<get-ddos-martian-address-flows>
show ddos-protection protocols martian-address flow-detection
<get-ddos-martian-address-flow-parameters>
show ddos-protection protocols martian-address parameters
<get-ddos-martian-address-parameters>
show ddos-protection protocols martian-address statistics
<get-ddos-martian-address-statistics>
show ddos-protection protocols martian-address violations
<get-ddos-martian-address-violations>
show ddos-protection protocols mcast-snoop mld
<get-ddos-mcast-snoop-mld>
show ddos-protection protocols mcast-snoop mld culprit-flows
<get-ddos-mcast-snoop-mld-flows>
show ddos-protection protocols mld
<get-ddos-mld-information>
show ddos-protection protocols mld aggregate
<get-ddos-mld-aggregate>
show ddos-protection protocols mld aggregate culprit-flows
show ddos-protection protocols mld culprit-flows
<get-ddos-mld-flows>
show ddos-protection protocols mld flow-detection
<get-ddos-mld-flow-parameters>
show ddos-protection protocols mld parameters
<get-ddos-mld-parameters>
show ddos-protection protocols mld statistics
<get-ddos-mld-statistics>
show ddos-protection protocols mld violations
<get-ddos-mld-violations>
show ddos-protection protocols mlp
<get-ddos-mlp-information>
show ddos-protection protocols mlp add
<get-ddos-mlp-add>
show ddos-protection protocols mlp add culprit-flows
<get-ddos-mlp-add-flows>
show ddos-protection protocols mlp aggregate
<get-ddos-mlp-aggregate>
show ddos-protection protocols mlp aggregate culprit-flows
<get-ddos-mlp-aggregate-flows>
show ddos-protection protocols mlp culprit-flows
<get-ddos-mlp-flows>
show ddos-protection protocols mlp delete
<get-ddos-mlp-delete>
show ddos-protection protocols mlp delete culprit-flows
<get-ddos-mlp-delete-flows>
show ddos-protection protocols mlp flow-detection
<get-ddos-mlp-flow-parameters>
show ddos-protection protocols mlp lookup
<get-ddos-mlp-lookup>
show ddos-protection protocols mlp lookup culprit-flows
<get-ddos-mlp-lookup-flows>
show ddos-protection protocols mlp macpin-exception
<get-ddos-mlp-mac-pinning>
show ddos-protection protocols mlp macpin-exception culprit-flows
<get-ddos-mlp-mac-pinning-flows>
show ddos-protection protocols mlp aging-exception
<get-ddos-mlp-aging-exc>
show ddos-protection protocols mlp packets
<get-ddos-mlp-packets>
show ddos-protection protocols mlp parameters
<get-ddos-mlp-parameters>
show ddos-protection protocols mlp statistics
<get-ddos-mlp-statistics>
show ddos-protection protocols mlp unclassified
<get-ddos-mlp-unclass>
show ddos-protection protocols mlp violations
<get-ddos-mlp-violations>
show ddos-protection protocols msdp
<get-ddos-msdp-information>
show ddos-protection protocols msdp aggregate
<get-ddos-msdp-aggregate>
show ddos-protection protocols msdp parameters
<get-ddos-msdp-parameters>
show ddos-protection protocols msdp statistics
<get-ddos-msdp-statistics>
show ddos-protection protocols msdp violations
<get-ddos-msdp-violations>
show ddos-protection protocols msdpv6
<get-ddos-msdpv6-information>
show ddos-protection protocols msdpv6 aggregate
<get-ddos-msdpv6-aggregate>
show ddos-protection protocols msdpv6 parameters
<get-ddos-msdpv6-parameters>
show ddos-protection protocols msdpv6 statistics
<get-ddos-msdpv6-statistics>
show ddos-protection protocols msdpv6 violations
<get-ddos-msdpv6-violations>
show ddos-protection protocols multihop-bfd
<get-ddos-mhop-bfd-information>
show ddos-protection protocols multihop-bfd aggregate
<get-ddos-mhop-bfd-aggregate>
show ddos-protection protocols multihop-bfd aggregate culprit-flows
<get-ddos-mhop-bfd-aggregate-flows>
show ddos-protection protocols multihop-bfd culprit-flows
<get-ddos-mhop-bfd-flows>
show ddos-protection protocols multihop-bfd flow-detection
<get-ddos-mhop-bfd-flow-parameters>
show ddos-protection protocols multihop-bfd parameters
<get-ddos-mhop-bfd-parameters>
show ddos-protection protocols multihop-bfd statistics
<get-ddos-mhop-bfd-statistics>
show ddos-protection protocols multihop-bfd violations
<get-ddos-mhop-bfd-violations>
show ddos-protection protocols multicast-copy
<get-ddos-mcast-copy-information>
show ddos-protection protocols multicast-copy aggregate
<get-ddos-mcast-copy-aggregate>
show ddos-protection protocols multicast-copy parameters
<get-ddos-mcast-copy-parameters>
show ddos-protection protocols multicast-copy statistics
<get-ddos-mcast-copy-statistics>
show ddos-protection protocols multicast-copy violations
<get-ddos-mcast-copy-violations>
show ddos-protection protocols mvrp
<get-ddos-mvrp-information>
show ddos-protection protocols mvrp aggregate
<get-ddos-mvrp-aggregate>
show ddos-protection protocols mvrp parameters
<get-ddos-mvrp-parameters>
show ddos-protection protocols mvrp statistics
<get-ddos-mvrp-statistics>
show ddos-protection protocols mvrp violations
<get-ddos-mvrp-violations>
show ddos-protection protocols ndpv6
<get-ddos-ndpv6-information>
show ddos-protection protocols ndpv6 aggregate
<get-ddos-ndpv6-aggregate>
show ddos-protection protocols ndpv6 aggregate culprit-flows
<get-ddos-ndpv6-aggregate-flows>
show ddos-protection protocols ndpv6 culprit-flows
<get-ddos-ndpv6-flows>
show ddos-protection protocols ndpv6 flow-detection
<get-ddos-ndpv6-flow-parameters>
show ddos-protection protocols ndpv6 neighbor-advertisement
<get-ddos-ndpv6-neighb-adv>
show ddos-protection protocols ndpv6 neighbor-advertisement culprit-flows
<get-ddos-ndpv6-neighb-adv-flows>
show ddos-protection protocols ndpv6 neighbor-solicitation
<get-ddos-ndpv6-neighb-sol>
show ddos-protection protocols ndpv6 neighbor-solicitation culprit-flows
<get-ddos-ndpv6-neighb-sol-flows>
show ddos-protection protocols ndpv6 parameters
<get-ddos-ndpv6-parameters>
show ddos-protection protocols ndpv6 redirect
<get-ddos-ndpv6-redirect>
show ddos-protection protocols ndpv6 redirect culprit-flows
<get-ddos-ndpv6-redirect-flows>
show ddos-protection protocols ndpv6 router-advertisement
<get-ddos-ndpv6-router-adv>
show ddos-protection protocols ndpv6 router-advertisement culprit-flows
<get-ddos-ndpv6-router-adv-flows>
show ddos-protection protocols ndpv6 router-solicitation
<get-ddos-ndpv6-router-sol>
show ddos-protection protocols ndpv6 router-solicitation culprit-flows
<get-ddos-ndpv6-router-sol-flows>
show ddos-protection protocols nonucast-switch
<get-ddos-nonucast-switch-information>
show ddos-protection protocols nonucast-switch aggregate
<get-ddos-nonucast-switch-aggregate>
show ddos-protection protocols nonucast-switch aggregate culprit-flows
<get-ddos-nonucast-switch-aggregate-flows>
show ddos-protection protocols nonucast-switch culprit-flows
<get-ddos-nonucast-switch-flows>
show ddos-protection protocols nonucast-switch flow-detection
<get-ddos-nonucast-switch-flow-parameters>
show ddos-protection protocols nonucast-switch parameters
<get-ddos-nonucast-switch-parameters>
show ddos-protection protocols nonucast-switch statistics
<get-ddos-nonucast-switch-statistics>
show ddos-protection protocols nonucast-switch violations
<get-ddos-nonucast-switch-violations>
show ddos-protection protocols ntp
<get-ddos-ntp-information>
show ddos-protection protocols ntp aggregate
<get-ddos-ntp-aggregate>
show ddos-protection protocols ntp parameters
<get-ddos-ntp-parameters>
show ddos-protection protocols ntp statistics
<get-ddos-ntp-statistics>
show ddos-protection protocols ntp violations
<get-ddos-ntp-violations>
show ddos-protection protocols oam-cfm
<get-ddos-oam-cfm-information>
show ddos-protection protocols oam-cfm aggregate
<get-ddos-oam-cfm-aggregate>
show ddos-protection protocols oam-cfm aggregate culprit-flows
<get-ddos-oam-cfm-aggregate-flows>
show ddos-protection protocols oam-cfm culprit-flows
<get-ddos-oam-cfm-flows>
show ddos-protection protocols oam-cfm flow-detection
<get-ddos-oam-cfm-flow-parameters>
show ddos-protection protocols oam-cfm parameters
<get-ddos-oam-cfm-parameters>
show ddos-protection protocols oam-cfm statistics
<get-ddos-oam-cfm-statistics>
show ddos-protection protocols oam-cfm violations
<get-ddos-oam-cfm-violations>
show ddos-protection protocols oam-lfm
<get-ddos-oam-lfm-information>
show ddos-protection protocols oam-lfm aggregate
<get-ddos-oam-lfm-aggregate>
show ddos-protection protocols oam-lfm parameters
<get-ddos-oam-lfm-parameters>
show ddos-protection protocols oam-lfm statistics
<get-ddos-oam-lfm-statistics>
show ddos-protection protocols oam-lfm violations
<get-ddos-oam-lfm-violations>
show ddos-protection protocols ospf
<get-ddos-ospf-information>
show ddos-protection protocols ospf aggregate
<get-ddos-ospf-aggregate>
show ddos-protection protocols ospf parameters
<get-ddos-ospf-parameters>
show ddos-protection protocols ospf statistics
<get-ddos-ospf-statistics>
show ddos-protection protocols ospf violations
<get-ddos-ospf-violations>
show ddos-protection protocols ospf-hello
<get-ddos-ospf-hello-information>
show ddos-protection protocols ospf-hello aggregate
<get-ddos-ospf-hello-aggregate>
show ddos-protection protocols ospf-hello aggregate culprit-flows
<get-ddos-ospf-hello-aggregate-flows>
show ddos-protection protocols ospf-hello culprit-flows
<get-ddos-ospf-hello-flows>
show ddos-protection protocols ospf-hello flow-detection
<get-ddos-ospf-hello-flow-parameters>
show ddos-protection protocols ospf-hello parameters
<get-ddos-ospf-hello-parameters>
show ddos-protection protocols ospf-hello statistics
<get-ddos-ospf-hello-statistics>
show ddos-protection protocols ospf-hello violations
<get-ddos-ospf-hello-violations>
show ddos-protection protocols ospfv3v6
<get-ddos-ospfv3v6-information>
show ddos-protection protocols ospfv3v6 aggregate
<get-ddos-ospfv3v6-aggregate>
show ddos-protection protocols ospfv3v6 parameters
<get-ddos-ospfv3v6-parameters>
show ddos-protection protocols ospfv3v6 statistics
<get-ddos-ospfv3v6-statistics>
show ddos-protection protocols ospfv3v6 violations
<get-ddos-ospfv3v6-violations>
show ddos-protection protocols parameters
<get-ddos-protocols-parameters>
show ddos-protection protocols pfe-alive
<get-ddos-pfe-alive-information>
show ddos-protection protocols pfe-alive aggregate
<get-ddos-pfe-alive-aggregate>
show ddos-protection protocols pfe-alive parameters
<get-ddos-pfe-alive-parameters>
show ddos-protection protocols pfe-alive statistics
<get-ddos-pfe-alive-statistics>
show ddos-protection protocols pfe-alive violations
<get-ddos-pfe-alive-violations>
show ddos-protection protocols pim
<get-ddos-pim-information>
show ddos-protection protocols pim aggregate
<get-ddos-pim-aggregate>
show ddos-protection protocols pim aggregate culprit-flows
show ddos-protection protocols pim parameters
<get-ddos-pim-parameters>
show ddos-protection protocols pim statistics
<get-ddos-pim-statistics>
show ddos-protection protocols pim violations
<get-ddos-pim-violations>
show ddos-protection protocols pim-ctrl
<get-ddos-pim-ctrl-information>
show ddos-protection protocols pim-ctrl aggregate
<get-ddos-pim-ctrl-aggregate>
show ddos-protection protocols pim-ctrl aggregate culprit-flows
<get-ddos-pim-ctrl-aggregate-flows>
show ddos-protection protocols pim-ctrl culprit-flows
<get-ddos-pim-ctrl-flows>
show ddos-protection protocols pim-ctrl flow-detection
<get-ddos-pim-ctrl-flow-parameters>
show ddos-protection protocols pim-ctrl parameters
<get-ddos-pim-ctrl-parameters>
show ddos-protection protocols pim-ctrl statistics
<get-ddos-pim-ctrl-statistics>
show ddos-protection protocols pim-ctrl violations
<get-ddos-pim-ctrl-violations>
show ddos-protection protocols pim-data
<get-ddos-pim-data-information>
show ddos-protection protocols pim-data aggregate
<get-ddos-pim-data-aggregate>
show ddos-protection protocols pim-data aggregate culprit-flows
<get-ddos-pim-data-aggregate-flows>
show ddos-protection protocols pim-data culprit-flows
<get-ddos-pim-data-flows>
show ddos-protection protocols pim-data flow-detection
<get-ddos-pim-data-flow-parameters>
show ddos-protection protocols pim-data parameters
<get-ddos-pim-data-parameters>
show ddos-protection protocols pim-data statistics
<get-ddos-pim-data-statistics>
show ddos-protection protocols pim-data violations
<get-ddos-pim-data-violations>
show ddos-protection protocols pimv6
<get-ddos-pimv6-information>
show ddos-protection protocols pimv6 aggregate
<get-ddos-pimv6-aggregate>
show ddos-protection protocols pimv6 aggregate culprit-flows
show ddos-protection protocols pimv6 parameters
<get-ddos-pimv6-parameters>
show ddos-protection protocols pimv6 statistics
<get-ddos-pimv6-statistics>
show ddos-protection protocols pimv6 violations
<get-ddos-pimv6-violations>
show ddos-protection protocols pkt-inject
<get-ddos-pkt-inject-information>
show ddos-protection protocols pkt-inject aggregate
<get-ddos-pkt-inject-aggregate>
show ddos-protection protocols pkt-inject aggregate culprit-flows
<get-ddos-pkt-inject-aggregate-flows>
show ddos-protection protocols pkt-inject culprit-flows
<get-ddos-pkt-inject-flows>
show ddos-protection protocols pkt-inject flow-detection
<get-ddos-pkt-inject-flow-parameters>
show ddos-protection protocols pkt-inject parameters
<get-ddos-pkt-inject-parameters>
show ddos-protection protocols pkt-inject statistics
<get-ddos-pkt-inject-statistics>
show ddos-protection protocols pkt-inject violations
<get-ddos-pkt-inject-violations>
show ddos-protection protocols pmvrp
<get-ddos-pmvrp-information>
show ddos-protection protocols pmvrp aggregate
<get-ddos-pmvrp-aggregate>
show ddos-protection protocols pmvrp parameters
<get-ddos-pmvrp-parameters>
show ddos-protection protocols pmvrp statistics
<get-ddos-pmvrp-statistics>
show ddos-protection protocols pmvrp violations
<get-ddos-pmvrp-violations>
show ddos-protection protocols pos
<get-ddos-pos-information>
show ddos-protection protocols pos aggregate
<get-ddos-pos-aggregate>
show ddos-protection protocols pos aggregate culprit-flows
show ddos-protection protocols pos parameters
<get-ddos-pos-parameters>
show ddos-protection protocols pos statistics
<get-ddos-pos-statistics>
show ddos-protection protocols pos violations
<get-ddos-pos-violations>
show ddos-protection protocols ppp
<get-ddos-ppp-information>
show ddos-protection protocols ppp aggregate
<get-ddos-ppp-aggregate>
show ddos-protection protocols ppp authentication
<get-ddos-ppp-auth>
show ddos-protection protocols ppp authentication culprit-flows
show ddos-protection protocols ppp ipcp
<get-ddos-ppp-ipcp>
show ddos-protection protocols ppp ipv6cp
<get-ddos-ppp-ipv6cp>
show ddos-protection protocols ppp isis
<get-ddos-ppp-isis>
show ddos-protection protocols ppp isis culprit-flows
show ddos-protection protocols ppp lcp
<get-ddos-ppp-lcp>
show ddos-protection protocols ppp lcp culprit-flows
show ddos-protection protocols ppp mplscp
<get-ddos-ppp-mplscp>
show ddos-protection protocols ppp mplscp culprit-flows
show ddos-protection protocols ppp parameters
<get-ddos-ppp-parameters>
show ddos-protection protocols ppp statistics
<get-ddos-ppp-statistics>
show ddos-protection protocols ppp unclassified
<get-ddos-ppp-unclass>
show ddos-protection protocols ppp violations
<get-ddos-ppp-violations>
show ddos-protection protocols pppoe
<get-ddos-pppoe-information>
show ddos-protection protocols pppoe aggregate
<get-ddos-pppoe-aggregate>
show ddos-protection protocols pppoe padi
<get-ddos-pppoe-padi>
show ddos-protection protocols pppoe padm
<get-ddos-pppoe-padm>
show ddos-protection protocols pppoe padn
<get-ddos-pppoe-padn>
show ddos-protection protocols pppoe pado
<get-ddos-pppoe-pado>
show ddos-protection protocols pppoe padr
<get-ddos-pppoe-padr>
show ddos-protection protocols pppoe pads
<get-ddos-pppoe-pads>
show ddos-protection protocols pppoe padt
<get-ddos-pppoe-padt>
show ddos-protection protocols pppoe parameters
<get-ddos-pppoe-parameters>
show ddos-protection protocols pppoe statistics
<get-ddos-pppoe-statistics>
show ddos-protection protocols pppoe violations
<get-ddos-pppoe-violations>
show ddos-protection protocols proto-802-1x
<get-ddos-8021x-information>
show ddos-protection protocols proto-802-1x aggregate
<get-ddos-8021x-aggregate>
show ddos-protection protocols proto-802-1x aggregate culprit-flows
<get-ddos-8021x-aggregate-flows>
show ddos-protection protocols proto-802-1x culprit-flows
<get-ddos-8021x-flows>
show ddos-protection protocols proto-802-1x flow-detection
<get-ddos-8021x-flow-parameters>
show ddos-protection protocols proto-802-1x parameters
<get-ddos-8021x-parameters>
show ddos-protection protocols proto-802-1x statistics
<get-ddos-8021x-statistics>
show ddos-protection protocols proto-802-1x violations
<get-ddos-8021x-violations>
show ddos-protection protocols ptp
<get-ddos-ptp-information>
show ddos-protection protocols ptp aggregate
<get-ddos-ptp-aggregate>
show ddos-protection protocols ptp aggregate culprit-flows
show ddos-protection protocols ptp parameters
<get-ddos-ptp-parameters>
show ddos-protection protocols ptp statistics
<get-ddos-ptp-statistics>
show ddos-protection protocols ptp violations
<get-ddos-ptp-violations>
show ddos-protection protocols ptpv6
<get-ddos-ptpv6-information>
show ddos-protection protocols ptpv6 aggregate
<get-ddos-ptpv6-aggregate>
show ddos-protection protocols ptpv6 aggregate culprit-flows
<get-ddos-ptpv6-aggregate-flows>
show ddos-protection protocols ptpv6 culprit-flows
<get-ddos-ptpv6-flows>
show ddos-protection protocols ptpv6 flow-detection
<get-ddos-ptpv6-flow-parameters>
show ddos-protection protocols ptpv6 parameters
<get-ddos-ptpv6-parameters>
show ddos-protection protocols ptpv6 statistics
<get-ddos-ptpv6-statistics>
show ddos-protection protocols ptpv6 violations
<get-ddos-ptpv6-violations>
show ddos-protection protocols pvstp
<get-ddos-pvstp-information>
show ddos-protection protocols pvstp aggregate
<get-ddos-pvstp-aggregate>
show ddos-protection protocols pvstp parameters
<get-ddos-pvstp-parameters>
show ddos-protection protocols pvstp statistics
<get-ddos-pvstp-statistics>
show ddos-protection protocols pvstp violations
<get-ddos-pvstp-violations>
show ddos-protection protocols radius
<get-ddos-radius-information>
show ddos-protection protocols radius accounting
<get-ddos-radius-account>
show ddos-protection protocols radius aggregate
<get-ddos-radius-aggregate>
show ddos-protection protocols radius accounting culprit-flows
show ddos-protection protocols radius authorization
<get-ddos-radius-auth>
show ddos-protection protocols radius parameters
<get-ddos-radius-parameters>
show ddos-protection protocols radius server
<get-ddos-radius-server>
show ddos-protection protocols radius statistics
<get-ddos-radius-statistics>
show ddos-protection protocols radius violations
<get-ddos-radius-violations>
show ddos-protection protocols re-services
<get-ddos-re-services-information>
show ddos-protection protocols re-services aggregate
<get-ddos-re-services-aggregate>
show ddos-protection protocols re-services aggregate culprit-flows
<get-ddos-re-services-aggregate-flows>
show ddos-protection protocols re-services captive-portal
<get-ddos-re-services-captive-portal>
show ddos-protection protocols re-services captive-portal culprit-flows
<get-ddos-re-services-captive-portal-flows>
show ddos-protection protocols re-services culprit-flows
<get-ddos-re-services-flows>
show ddos-protection protocols re-services flow-detection
<get-ddos-re-services-flow-parameters>
show ddos-protection protocols re-services parameters
<get-ddos-re-services-parameters>
show ddos-protection protocols re-services statistics
<get-ddos-re-services-statistics>
show ddos-protection protocols re-services violations
<get-ddos-re-services-violations>
show ddos-protection protocols re-services-v6
<get-ddos-re-services-v6-information>
show ddos-protection protocols re-services-v6 aggregate
<get-ddos-re-services-v6-aggregate>
show ddos-protection protocols re-services-v6 aggregate culprit-flows
<get-ddos-re-services-v6-aggregate-flows>
show ddos-protection protocols re-services-v6 captive-portal
<get-ddos-re-services-v6-captive-portal-v6>
show ddos-protection protocols re-services-v6 captive-portal culprit-flows
<get-ddos-re-services-v6-captive-portal-v6-flows>
show ddos-protection protocols re-services-v6 culprit-flows
<get-ddos-re-services-v6-flows>
show ddos-protection protocols re-services-v6 flow-detection
<get-ddos-re-services-v6-flow-parameters>
show ddos-protection protocols re-services-v6 parameters
<get-ddos-re-services-v6-parameters>
show ddos-protection protocols re-services-v6 statistics
<get-ddos-re-services-v6-statistics>
show ddos-protection protocols re-services-v6 violations
<get-ddos-re-services-v6-violations>
show ddos-protection protocols redirect
<get-ddos-redirect-information>
show ddos-protection protocols redirect aggregate
<get-ddos-redirect-aggregate>
show ddos-protection protocols redirect parameters
<get-ddos-redirect-parameters>
show ddos-protection protocols redirect statistics
<get-ddos-redirect-statistics>
show ddos-protection protocols redirect violations
<get-ddos-redirect-violations>
show ddos-protection protocols reject
<get-ddos-reject-information>
show ddos-protection protocols reject aggregate
<get-ddos-reject-aggregate>
show ddos-protection protocols reject parameters
<get-ddos-reject-parameters>
show ddos-protection protocols reject statistics
<get-ddos-reject-statistics>
show ddos-protection protocols reject violations
<get-ddos-reject-violations>
show ddos-protection protocols rejectv6
show ddos-protection protocols rejectv6 aggregate
show ddos-protection protocols rejectv6 aggregate culprit-flows
show ddos-protection protocols rejectv6 flow-detection
show ddos-protection protocols rejectv6 parameters
show ddos-protection protocols rejectv6 statistics
show ddos-protection protocols rejectv6 violations
show ddos-protection protocols rip
<get-ddos-rip-information>
show ddos-protection protocols rip aggregate
<get-ddos-rip-aggregate>
show ddos-protection protocols rip aggregate culprit-flows
show ddos-protection protocols rip culprit-flows
show ddos-protection protocols rip parameters
<get-ddos-rip-parameters>
show ddos-protection protocols rip statistics
<get-ddos-rip-statistics>
show ddos-protection protocols rip violations
<get-ddos-rip-violations>
show ddos-protection protocols ripv6
<get-ddos-ripv6-information>
show ddos-protection protocols ripv6 aggregate
<get-ddos-ripv6-aggregate>
show ddos-protection protocols ripv6 aggregate culprit-flows
show ddos-protection protocols ripv6 parameters
<get-ddos-ripv6-parameters>
show ddos-protection protocols ripv6 statistics
<get-ddos-ripv6-statistics>
show ddos-protection protocols ripv6 violations
<get-ddos-ripv6-violations>
show ddos-protection protocols rsvp
<get-ddos-rsvp-information>
show ddos-protection protocols rsvp aggregate
<get-ddos-rsvp-aggregate>
show ddos-protection protocols rsvp aggregate culprit-flows
show ddos-protection protocols rsvp parameters
<get-ddos-rsvp-parameters>
show ddos-protection protocols rsvp statistics
<get-ddos-rsvp-statistics>
show ddos-protection protocols rsvp violations
<get-ddos-rsvp-violations>
show ddos-protection protocols rsvpv6
<get-ddos-rsvpv6-information>
show ddos-protection protocols rsvpv6 aggregate
<get-ddos-rsvpv6-aggregate>
show ddos-protection protocols rsvpv6 aggregate culprit-flows
show ddos-protection protocols rsvpv6 parameters
<get-ddos-rsvpv6-parameters>
show ddos-protection protocols rsvpv6 statistics
<get-ddos-rsvpv6-statistics>
show ddos-protection protocols rsvpv6 violations
<get-ddos-rsvpv6-violations>
show ddos-protection protocols sample
<get-ddos-sample-information>
show ddos-protection protocols sample aggregate
<get-ddos-sample-aggregate>
show ddos-protection protocols sample aggregate culprit-flows
show ddos-protection protocols sample host
<get-ddos-sample-host>
show ddos-protection protocols sample parameters
<get-ddos-sample-parameters>
show ddos-protection protocols sample pfe
<get-ddos-sample-pfe>
show ddos-protection protocols sample pfe culprit-flows
show ddos-protection protocols sample sflow
<get-ddos-sample-sflow>
show ddos-protection protocols sample sflow culprit-flows
<get-ddos-sample-sflow-flows>
show ddos-protection protocols sample statistics
<get-ddos-sample-statistics>
show ddos-protection protocols sample syslog
show ddos-protection protocols sample tap
<get-ddos-sample-tap>
show ddos-protection protocols sample tap culprit-flows
show ddos-protection protocols sample violations
<get-ddos-sample-violations>
show ddos-protection protocols services
<get-ddos-services-information>
show ddos-protection protocols sample-dest
<get-ddos-sample-dest-information>
show ddos-protection protocols sample-dest aggregate
<get-ddos-sample-dest-aggregate>
show ddos-protection protocols sample-dest aggregate culprit-flows
<get-ddos-sample-dest-aggregate-flows>
show ddos-protection protocols sample-dest culprit-flows
<get-ddos-sample-dest-flows>
show ddos-protection protocols sample-dest flow-detection
<get-ddos-sample-dest-flow-parameters>
show ddos-protection protocols sample-dest parameters
<get-ddos-sample-dest-parameters>
show ddos-protection protocols sample-dest statistics
<get-ddos-sample-dest-statistics>
show ddos-protection protocols sample-dest violations
<get-ddos-sample-dest-violations>
show ddos-protection protocols sample-source
<get-ddos-sample-source-information>
show ddos-protection protocols sample-source aggregate
<get-ddos-sample-source-aggregate>
show ddos-protection protocols sample-source aggregate culprit-flows
<get-ddos-sample-source-aggregate-flows>
show ddos-protection protocols sample-source culprit-flows
<get-ddos-sample-source-flows>
show ddos-protection protocols sample-source flow-detection
<get-ddos-sample-source-flow-parameters>
show ddos-protection protocols sample-source parameters
<get-ddos-sample-source-parameters>
show ddos-protection protocols sample-source statistics
<get-ddos-sample-source-statistics>
show ddos-protection protocols sample-source violations
<get-ddos-sample-source-violations>
show ddos-protection protocols services aggregate
<get-ddos-services-aggregate>
show ddos-protection protocols services parameters
<get-ddos-services-parameters>
show ddos-protection protocols services statistics
<get-ddos-services-statistics>
show ddos-protection protocols syslog
<get-ddos-syslog-information>
show ddos-protection protocols syslog aggregate
<get-ddos-syslog-aggregate>
show ddos-protection protocols syslog aggregate culprit-flows
<get-ddos-syslog-aggregate-flows>
show ddos-protection protocols syslog culprit-flows
<get-ddos-syslog-flows>
show ddos-protection protocols syslog flow-detection
<get-ddos-syslog-flow-parameters>
show ddos-protection protocols syslog parameters
<get-ddos-syslog-parameters>
show ddos-protection protocols syslog statistics
<get-ddos-syslog-statistics>
show ddos-protection protocols syslog violations
<get-ddos-syslog-violations>
show ddos-protection protocols services violations
<get-ddos-services-violations>
show ddos-protection protocols snmp
<get-ddos-snmp-information>
show ddos-protection protocols snmp aggregate
<get-ddos-snmp-aggregate>
show ddos-protection protocols snmp aggregate culprit-flows
show ddos-protection protocols snmp parameters
<get-ddos-snmp-parameters>
show ddos-protection protocols snmp statistics
<get-ddos-snmp-statistics>
show ddos-protection protocols snmp violations
<get-ddos-snmp-violations>
show ddos-protection protocols snmpv6
<get-ddos-snmpv6-information>
show ddos-protection protocols snmpv6 aggregate
<get-ddos-snmpv6-aggregate>
show ddos-protection protocols snmpv6 aggregate culprit-flows
show ddos-protection protocols snmpv6 parameters
<get-ddos-snmpv6-parameters>
show ddos-protection protocols snmpv6 statistics
<get-ddos-snmpv6-statistics>
show ddos-protection protocols snmpv6 violations
<get-ddos-snmpv6-violations>
show ddos-protection protocols ssh
<get-ddos-ssh-information>
show ddos-protection protocols ssh aggregate
<get-ddos-ssh-aggregate>
show ddos-protection protocols ssh parameters
<get-ddos-ssh-parameters>
show ddos-protection protocols ssh statistics
<get-ddos-ssh-statistics>
show ddos-protection protocols ssh violations
<get-ddos-ssh-violations>
show ddos-protection protocols sshv6
<get-ddos-sshv6-information>
show ddos-protection protocols sshv6 aggregate
<get-ddos-sshv6-aggregate>
show ddos-protection protocols sshv6 parameters
<get-ddos-sshv6-parameters>
show ddos-protection protocols sshv6 statistics
<get-ddos-sshv6-statistics>
show ddos-protection protocols sshv6 violations
<get-ddos-sshv6-violations>
show ddos-protection protocols statistics
<get-ddos-protocols-statistics>
show ddos-protection protocols stp
<get-ddos-stp-information>
show ddos-protection protocols stp aggregate
<get-ddos-stp-aggregate>
show ddos-protection protocols stp parameters
<get-ddos-stp-parameters>
show ddos-protection protocols stp statistics
<get-ddos-stp-statistics>
show ddos-protection protocols stp violations
<get-ddos-stp-violations>
show ddos-protection protocols tacacs
<get-ddos-tacacs-information>
show ddos-protection protocols tacacs aggregate
<get-ddos-tacacs-aggregate>
show ddos-protection protocols tacacs parameters
<get-ddos-tacacs-parameters>
show ddos-protection protocols tacacs statistics
<get-ddos-tacacs-statistics>
show ddos-protection protocols tacacs violations
<get-ddos-tacacs-violations>

show ddos-protection protocols tcc
<get-ddos-tcc-information>
show ddos-protection protocols tcc aggregate
<get-ddos-tcc-aggregate>
show ddos-protection protocols tcc aggregate culprit-flows
<get-ddos-tcc-aggregate-flows>
show ddos-protection protocols tcc culprit-flows
<get-ddos-tcc-flows>
show ddos-protection protocols tcc ethernet-tcc
<get-ddos-tcc-ethernet-tcc>

Chapter 4: Permissions Flags for User Access Privileges

show ddos-protection protocols tcc ethernet-tcc culprit-flows
<get-ddos-tcc-ethernet-tcc-flows>
show ddos-protection protocols tcc flow-detection
<get-ddos-tcc-flow-parameters>
show ddos-protection protocols tcc iso-tcc
<get-ddos-tcc-iso-tcc>
show ddos-protection protocols tcc iso-tcc culprit-flows
<get-ddos-tcc-iso-tcc-flows>
show ddos-protection protocols tcc parameters
<get-ddos-tcc-parameters>
show ddos-protection protocols tcc statistics
<get-ddos-tcc-statistics>
show ddos-protection protocols tcc unclassified
<get-ddos-tcc-unclass>
show ddos-protection protocols tcc unclassified culprit-flows
<get-ddos-tcc-unclass-flows>
show ddos-protection protocols tcc violations
<get-ddos-tcc-violations>
show ddos-protection protocols tcp-flags
<get-ddos-tcp-flags-information>
show ddos-protection protocols tcp-flags aggregate
<get-ddos-tcp-flags-aggregate>
show ddos-protection protocols tcp-flags established
<get-ddos-tcp-flags-establish>
show ddos-protection protocols tcp-flags initial
<get-ddos-tcp-flags-initial>
show ddos-protection protocols tcp-flags parameters
<get-ddos-tcp-flags-parameters>
show ddos-protection protocols tcp-flags statistics
<get-ddos-tcp-flags-statistics>
show ddos-protection protocols tcp-flags unclassified
<get-ddos-tcp-flags-unclass>
show ddos-protection protocols tcp-flags violations
<get-ddos-tcp-flags-violations>
show ddos-protection protocols telnet
<get-ddos-telnet-information>
show ddos-protection protocols telnet aggregate
<get-ddos-telnet-aggregate>
show ddos-protection protocols telnet aggregate culprit-flows
show ddos-protection protocols telnet parameters
<get-ddos-telnet-parameters>
show ddos-protection protocols telnet statistics
<get-ddos-telnet-statistics>
show ddos-protection protocols telnet violations
<get-ddos-telnet-violations>
show ddos-protection protocols telnetv6
<get-ddos-telnetv6-information>
show ddos-protection protocols telnetv6 aggregate
<get-ddos-telnetv6-aggregate>
show ddos-protection protocols telnetv6 aggregate culprit-flows
show ddos-protection protocols telnetv6 parameters
<get-ddos-telnetv6-parameters>
show ddos-protection protocols telnetv6 statistics
<get-ddos-telnetv6-statistics>
show ddos-protection protocols telnetv6 violations
<get-ddos-telnetv6-violations>
show ddos-protection protocols ttl
<get-ddos-ttl-information>
show ddos-protection protocols ttl aggregate
<get-ddos-ttl-aggregate>
show ddos-protection protocols ttl parameters

<get-ddos-ttl-parameters>
show ddos-protection protocols ttl statistics
<get-ddos-ttl-statistics>
show ddos-protection protocols ttl violations
<get-ddos-ttl-violations>
show ddos-protection protocols tunnel-fragment
<get-ddos-tun-frag-information>
show ddos-protection protocols tunnel-fragment aggregate
<get-ddos-tun-frag-aggregate>
show ddos-protection protocols tunnel-fragment aggregate culprit-flows
show ddos-protection protocols tunnel-fragment parameters
<get-ddos-tun-frag-parameters>
show ddos-protection protocols tunnel-fragment statistics
<get-ddos-tun-frag-statistics>
show ddos-protection protocols tunnel-fragment violations
<get-ddos-tun-frag-violations>
show ddos-protection protocols tunnel-ka
<get-ddos-tunnel-ka-information>
show ddos-protection protocols tunnel-ka aggregate
<get-ddos-tunnel-ka-aggregate>
show ddos-protection protocols tunnel-ka aggregate culprit-flows
<get-ddos-tunnel-ka-aggregate-flows>
show ddos-protection protocols tunnel-ka culprit-flows
<get-ddos-tunnel-ka-flows>
show ddos-protection protocols tunnel-ka flow-detection
<get-ddos-tunnel-ka-flow-parameters>
show ddos-protection protocols tunnel-ka parameters
<get-ddos-tunnel-ka-parameters>
show ddos-protection protocols tunnel-ka statistics
<get-ddos-tunnel-ka-statistics>
show ddos-protection protocols tunnel-ka violations
<get-ddos-tunnel-ka-violations>
show ddos-protection protocols unknown-l2mc
<get-ddos-unknown-l2mc-information>
show ddos-protection protocols unknown-l2mc aggregate
<get-ddos-unknown-l2mc-aggregate>
show ddos-protection protocols unknown-l2mc aggregate culprit-flows
<get-ddos-unknown-l2mc-aggregate-flows>
show ddos-protection protocols unknown-l2mc culprit-flows
<get-ddos-unknown-l2mc-flows>
show ddos-protection protocols unknown-l2mc flow-detection
<get-ddos-unknown-l2mc-flow-parameters>
show ddos-protection protocols unknown-l2mc parameters
<get-ddos-unknown-l2mc-parameters>
show ddos-protection protocols unknown-l2mc statistics
<get-ddos-unknown-l2mc-statistics>
show ddos-protection protocols unknown-l2mc violations
<get-ddos-unknown-l2mc-violations>
show ddos-protection protocols unclassified
<get-ddos-uncls-information>
show ddos-protection protocols unclassified aggregate
<get-ddos-uncls-aggregate>
show ddos-protection protocols unclassified parameters
<get-ddos-uncls-parameters>
show ddos-protection protocols unclassified resolve-v4
show ddos-protection protocols unclassified resolve-v4 culprit-flows
show ddos-protection protocols unclassified resolve-v6
show ddos-protection protocols unclassified resolve-v6 culprit-flows
show ddos-protection protocols unclassified statistics
<get-ddos-uncls-statistics>
show ddos-protection protocols unclassified violations

<get-ddos-uncls-violations>
show ddos-protection protocols urpf-fail
<get-ddos-urpf-fail-information>
show ddos-protection protocols urpf-fail aggregate
<get-ddos-urpf-fail-aggregate>
show ddos-protection protocols urpf-fail aggregate culprit-flows
<get-ddos-urpf-fail-aggregate-flows>
show ddos-protection protocols urpf-fail culprit-flows
<get-ddos-urpf-fail-flows>
show ddos-protection protocols urpf-fail flow-detection
<get-ddos-urpf-fail-flow-parameters>
show ddos-protection protocols urpf-fail parameters
<get-ddos-urpf-fail-parameters>
show ddos-protection protocols urpf-fail statistics
<get-ddos-urpf-fail-statistics>
show ddos-protection protocols urpf-fail violations
<get-ddos-urpf-fail-violations>
show ddos-protection protocols vcipc-udp
<get-ddos-vcipc-udp-information>
show ddos-protection protocols vcipc-udp aggregate
<get-ddos-vcipc-udp-aggregate>
show ddos-protection protocols vcipc-udp aggregate culprit-flows
<get-ddos-vcipc-udp-aggregate-flows>
show ddos-protection protocols vcipc-udp culprit-flows
<get-ddos-vcipc-udp-flows>
show ddos-protection protocols vcipc-udp flow-detection
<get-ddos-vcipc-udp-flow-parameters>
show ddos-protection protocols vcipc-udp parameters
<get-ddos-vcipc-udp-parameters>
show ddos-protection protocols vcipc-udp statistics
<get-ddos-vcipc-udp-statistics>
show ddos-protection protocols vcipc-udp violations
<get-ddos-vcipc-udp-violations>
show ddos-protection protocols violations
get-ddos-protocols-violations
show ddos-protection protocols virtual-chassis
get-ddos-vchassis-information
show ddos-protection protocols virtual-chassis aggregate
get-ddos-vchassis-aggregate
show ddos-protection protocols virtual-chassis aggregate culprit-flows
show ddos-protection protocols virtual-chassis control-high
get-ddos-vchassis-control-hi
show ddos-protection protocols virtual-chassis control-low
get-ddos-vchassis-control-lo
show ddos-protection protocols virtual-chassis parameters
get-ddos-vchassis-parameters
show ddos-protection protocols virtual-chassis statistics
get-ddos-vchassis-statistics
show ddos-protection protocols virtual-chassis unclassified
get-ddos-vchassis-unclass
show ddos-protection protocols virtual-chassis vc-packets
get-ddos-vchassis-vc-packets
show ddos-protection protocols virtual-chassis vc-ttl-errors
get-ddos-vchassis-vc-ttl-err
show ddos-protection protocols virtual-chassis violations
get-ddos-vchassis-violations
show ddos-protection protocols vrrp
get-ddos-vrrp-information
show ddos-protection protocols vrrp aggregate
get-ddos-vrrp-aggregate
show ddos-protection protocols vrrp aggregate culprit-flows

Copyright © 2017, Juniper Networks, Inc. 273


Administration Guide for Security Devices

show ddos-protection protocols vrrp parameters


get-ddos-vrrp-parameters
show ddos-protection protocols vrrp statistics
get-ddos-vrrp-statistics
show ddos-protection protocols vrrp violations
get-ddos-vrrp-violations
show ddos-protection protocols vrrpv6
get-ddos-vrrpv6-information
show ddos-protection protocols vrrpv6 aggregate
get-ddos-vrrpv6-aggregate
show ddos-protection protocols vrrpv6 aggregate culprit-flows
show ddos-protection protocols vrrpv6 parameters
get-ddos-vrrpv6-parameters
show ddos-protection protocols vrrpv6 statistics
get-ddos-vrrpv6-statistics
show ddos-protection protocols vrrpv6 violations
get-ddos-vrrpv6-violations
show ddos-protection statistics
get-ddos-statistics-information
show ddos-protection version
get-ddos-version
show ddos-protection protocols vxlan
<get-ddos-vxlan-information>
show ddos-protection protocols vxlan aggregate
<get-ddos-vxlan-aggregate>
show ddos-protection protocols vxlan aggregate culprit-flows
<get-ddos-vxlan-aggregate-flows>
show ddos-protection protocols vxlan culprit-flows
<get-ddos-vxlan-flows>
show ddos-protection protocols vxlan flow-detection
<get-ddos-vxlan-flow-parameters>
show ddos-protection protocols vxlan parameters
<get-ddos-vxlan-parameters>
show ddos-protection protocols vxlan statistics
<get-ddos-vxlan-statistics>
show ddos-protection protocols vxlan violations
<get-ddos-vxlan-violations>
show dhcp
show dhcp proxy-client
show dhcp proxy-client binding
show dhcp proxy-client servers
show dhcp proxy-client statistics
<get-proxy-dhcp-client-statistics-information>
show dhcp relay
show dhcp relay binding
<get-dhcp-relay-binding-information>

show dhcp relay binding interface
<get-dhcp-relay-interface-bindings>
show dhcp relay binding lease-time-violation
<get-dhcp-relay-binding-ltv-information>
show dhcp relay statistics
<get-dhcp-relay-statistics-information>
show dhcp relay statistics bulk-leasequery-connections
<get-dhcp-relay-bulk-leasequery-conn-statistics>
show dhcp relay statistics leasequery
<get-dhcp-relay-leasequery-statistics>

show dhcp server
show dhcp server binding
<get-dhcp-server-binding-information>
show dhcp server binding interface
<get-dhcp-relay-binding-interface>
show dhcp server binding lease-time-violation
<get-dhcp-server-binding-ltv-information>
show dhcp server statistics
<get-dhcp-server-statistics-information>
show dhcp statistics
<get-dhcp-service-statistics-information>
show dhcp-security
<get-dhcp-security-arp-inspection-statistics>
show dhcp-security binding
<get-dhcp-security-binding>
show dhcp-security binding interface
<get-dhcp-security-binding-interface>
show dhcp-security binding ip-address
<get-dhcp-security-binding-ip-address>
show dhcp-security binding ip-source-guard
<get-dhcp-security-ip-source-guard>
show dhcp-security binding statistics
<get-dhcp-security-binding-statistics>
show dhcp-security binding vlan
<get-dhcp-security-binding-vlan>
show dhcp-security ipv6
show dhcp-security ipv6 binding
<get-dhcpv6-security-binding>
show dhcp-security ipv6 binding interface
<get-dhcpv6-security-binding-interface>
show dhcp-security ipv6 binding ipv6-address
<get-dhcpv6-security-binding-ip-address>
show dhcp-security ipv6 binding vlan
<get-dhcpv6-security-binding-vlan>
show dhcp-security ipv6 statistics
<get-dhcp-ipv6-statistics>
show dhcp-security neighbor-discovery-inspection
show dhcp-security neighbor-discovery-inspection statistics
<get-dhcp-security-nd-inspection-statistics>
show dhcp-security neighbor-discovery-inspection statistics interface
<get-dhcp-security-ndi-interface>
show dhcp-security statistics
<get-dhcp-security-statistics>

show dhcpv6
show dhcpv6 client
show dhcpv6 client binding
<get-dhcpv6-client-binding-information>
show dhcpv6 client binding interface
<get-dhcpv6-client-binding-information-by-interface>
show dhcpv6 client statistics
<get-dhcpv6-client-statistics-information>
show dhcpv6 proxy-client
show dhcpv6 proxy-client binding
show dhcpv6 proxy-client statistics
<get-proxy-dhcpv6-client-statistics-information>
show dhcpv6 relay
show dhcpv6 relay binding
<get-dhcpv6-relay-binding-information>
show dhcpv6 relay binding interface
<get-dhcpv6-relay-binding-interface>
show dhcpv6 relay binding lease-time-violation
<get-dhcpv6-relay-binding-ltv-information>

show dhcpv6 relay statistics
<get-dhcpv6-relay-statistics-information>
show dhcpv6 relay statistics bulk-leasequery-connections
<get-dhcpv6-relay-bulk-leasequery-conn-statistics>
show dhcpv6 relay statistics leasequery
<get-dhcpv6-relay-leasequery-statistics>
show dhcpv6 server
show dhcpv6 server binding
<get-dhcpv6-server-binding-information>

show dhcpv6 server binding interface
<get-dhcpv6-server-binding-interface>
show dhcpv6 server binding lease-time-violation
<get-dhcpv6-server-binding-ltv-information>
show dhcpv6 server statistics
<get-dhcpv6-server-statistics-information>
show dhcpv6 server statistics bulk-leasequery-connections
<get-dhcpv6-server-bulk-leasequery-conn-statistics>
show dhcpv6 statistics
<get-dhcpv6-service-statistics-information>
show diagnostics
show diagnostics tdr
<get-tdr-interface-information>
show diagnostics tdr interface
<get-tdr-interface-status>
show diameter
<get-diameter-information>
show diameter function
<get-diameter-function-information>
show diameter function statistics
<get-diameter-function-statistics>
show diameter instance
<get-diameter-instance-information>
show diameter network-element
<get-diameter-network-element-information>
show diameter network-element map
<get-diameter-network-element-map-information>
show diameter peer
<get-diameter-peer-information>
show diameter peer map
<get-diameter-peer-map-information>
show diameter peer statistics
<get-diameter-peer-statistics>
show diameter route
<get-diameter-route-information>
show dot1x
show dot1x accounting-attributes
<get-dot1x-accounting-attributes>
show dot1x accounting-attributes interface
<get-dot1x-interface-accounting-attributes>
show dot1x authentication-failed-users
<get-dot1x-authentication-failed-users>
show dot1x interface
<get-dot1x-interface-information>
show dot1x static-mac-address
<get-dot1x-static-mac-addresess>
show dot1x static-mac-address interface
<get-dot1x-interface-mac-addresses>
show dvmrp
show dvmrp interfaces
<get-dvmrp-interfaces-information>

show dvmrp neighbors
<get-dvmrp-neighbors-information>
show dvmrp prefix
<get-dvmrp-prefix-information>
show dvmrp prunes
<get-dvmrp-prunes-information>
show dynamic-profile
<get-dynamic-profile>
show dynamic-profile session
<get-dynamic-profile-session-information>
show dynamic-tunnels
show dynamic-tunnels database
<get-dynamic-tunnels-database>
show ethernet-switching mac-learning-log
<get-ethernet-switching-log-information>
show ethernet-switching mac-notification
<get-ethernet-switching-mac-notification-information>
show ethernet-switching flood next-hops
show ethernet-switching flood next-hops satellite
<get-satellite-control-composite-next-hop>
show ethernet-switching flood satellite
<get-satellite-control-flood>
show ethernet-switching nh-learn-entity
<get-l2-learning-nh-learn-entries>
show ethernet-switching redundancy-groups
<get-ethernet-switching-redundancy-groups>
show ethernet-switching satellite
show ethernet-switching satellite device
<get-satellite-device-db>
show ethernet-switching satellite events
<get-satellite-control-history-information>
show ethernet-switching satellite logging
<get-satellite-control-logging-information>
show ethernet-switching satellite summary
<get-satellite-control-bridge-summary>
show ethernet-switching table satellite
<get-satellite-control-bridge-mac-table>
show ethernet-switching vxlan-tunnel-end-point esi
<get-ethernet-switching-vxlan-esi-info>
show ethernet-switching vxlan-tunnel-end-point remote
<get-ethernet-switching-vxlan-rvtep-info>
show ethernet-switching vxlan-tunnel-end-point remote esi
<get-ethernet-switching-vxlan-esi-info>
show ethernet-switching vxlan-tunnel-end-point remote vtep-source-interface
<get-ethernet-switching-vxlan-remote-svtep-ip-information>
show ethernet-switching vxlan-tunnel-end-point source ip
<get-ethernet-switching-vxlan-svtep-ip-information>
show ephemeral-configuration
show esis
show esis adjacency
<get-esis-adjacency-information>
show esis interface
<get-esis-interface-information>
show esis statistics
<get-esis-statistics-information>
show event-options
show event-options event-scripts
show event-options event-scripts policies
<get-event-scripts-policies>
<get-event-summary>
show evpn

show evpn arp-table
<get-evpn-arp-table>
show evpn flood
<get-evpn-flood-information>
show evpn flood event-queue
<get-evpn-event-queue-information>
show evpn flood route
show evpn flood route all-ce-flood
<get-evpn-all-ce-flood-route-information>
show evpn flood route all-flood
<get-evpn-all-flood-route-information>
show evpn flood route alt-root-flood
<get-evpn-alt-root-flood-route-information>
show evpn flood route ce-flood
<get-evpn-ce-flood-route-information>
show evpn flood route mlp-flood
<get-evpn-mlp-flood-route-information>
show evpn flood route re-flood
<get-evpn-re-flood-route-information>
show evpn instance
<get-evpn-instance-information>
show evpn ip-prefix-database
<get-evpn-ip-prefix-database-information>
show evpn l3-context
<get-evpn-l3-context-information>
show evpn mac-table
<get-evpn-mac-table>
show evpn mac-table interface
<get-evpn-interface-mac-table>
show evpn nd-table
<get-evpn-nd-table>
show evpn peer-gateway-macs
<get-evpn-peer-gateway-mac>
show evpn statistics
<get-evpn-statistics-information>
show evpn vpws-instance
<get-evpn-vpws-information>
show extensible-subscriber-services
show extensible-subscriber-services accounting
<get-extensible-subscriber-services-accounting>
show extensible-subscriber-services counters
<get-extensible-subscriber-services-counters>
show extensible-subscriber-services dictionary
<get-extensible-subscriber-services-dictionary>
show extensible-subscriber-services services
<get-extensible-subscriber-services-services>
show extensible-subscriber-services sessions
<get-extensible-subscriber-services-sessions>
show extension-provider
show extension-provider system
show extension-provider system connections
<get-mspinfo-connections>
show extension-provider system packages
<get-mspinfo-packages>
show extension-provider system processes
<get-mspinfo-processes>
show extension-provider system processes brief
<get-mspinfo-processes-brief>
show extension-provider system processes extensive
<get-mspinfo-processes-extensive>
show extension-provider system uptime
<get-mspinfo-uptime>

show extension-provider system virtual-memory
<get-mspinfo-virtual-memory>
<get-core-key-list>
<get-fabric-summary-information>
<get-key-vg-binding>
<get-mac-ip-binding-information>
<get-mc-ccpc-cache-ccpc-select>
<get-mc-ccpc-cache-root-candidates>
<get-mc-ccpc-cache-spf>
<get-mc-ccpc-src-mod-filters>
<get-mc-edge-cache-ccpc-select>
<get-mc-edge-map-to-key-binding>
<get-mc-edge-key-to-map-binding>
<get-mc-edge-vg-portmap>
<get-mc-nsf>
<get-mc-root-cache-trunk>
<get-mc-root-key-to-map-binding>
<get-layer2-group-membership-entries>
<get-layer3-group-membership-entries>
<get-layer3-multicast-pending-routes>
<get-layer3-multicast-receivers>
<get-mc-root-map-to-key-binding>
<get-mc-root-vg-pfemap>
<get-fabric-multicast-statistics>
<get-mc-vccpdf-adjacency-database>
<get-fabric-statistics>
<get-fabric-summary-information>
<get-vlan-domain-map-information>
show fabric multicast dirty-key-info
<get-mc-dirty-key-info>
show fabric multicast edge corekey-ifls-filters
<get-mc-edge-corekey-ifls-filters>
show fabric multicast edge ine-ifls-filters
<get-mc-edge-ine-ifls-filters>
show fabric multicast edge src-mod-filters
<get-mc-edge-src-mod-filters>
show fabric multicast graph
show fabric multicast graph core-tree
<get-fabric-multicast-graph>
show fabric multicast steal-key-info
<get-mc-steal-key-info>
show forwarding-options
show forwarding-options enhanced-hash-key
show forwarding-options enhanced-hash-key fpc
show forwarding-options hyper-mode
<get forwarding-options hyper-mode>
show forwarding-options load-balance
show forwarding-options next-hop-group
<get-forwarding-options-next-hop-group>
show forwarding-options port-mirroring
<get-forwarding-options-port-mirroring>
show helper
show helper statistics
<get-helper-statistics-information>
show hfrr
show hfrr profiles
show iccp
<get-inter-chassis-control-protocol-information>
show igmp
show igmp group
<get-igmp-group-information>

show igmp interface
<get-igmp-interface-information>
show igmp output-group
<get-igmp-output-group-information>
show igmp snooping
show igmp snooping interface
<get-igmp-snooping-interface-information>
show igmp snooping interface bridge-domain
<get-igmp-snooping-bridge-domain-interface>
show igmp snooping membership
<get-igmp-snooping-membership-information>
show igmp snooping membership bridge-domain
show igmp snooping options
<get-igmp-snooping-options-information>
show igmp snooping statistics
<get-igmp-snooping-statistics-information>
show igmp snooping statistics bridge-domain
<get-igmp-snooping-bridge-domain-membership>
show igmp statistics
<get-igmp-statistics-information>

show ike
show ike security-associations
<get-ike-security-associations-information>

show ilmi
<get-ilmi-information>
show ilmi interface
<get-ilmi-interface-information>
show ilmi statistics
<get-ilmi-statistics>
show ingress-replication
<get-ingress-replication-information>
show interfaces
<get-interface-information>
show interfaces anchor-group
show interfaces controller
<get-interface-controller-information>
show interfaces destination-class
<get-destination-class-statistics>

show interfaces destination-class all
<get-all-destination-class-statistics>
show interfaces diagnostics
show interfaces diagnostics optics
<get-interface-optics-diagnostics-information>
show interfaces diagnostics optics satellite
<show-interface-optics-diagnostics-satellite>
show interfaces distribution-list
<get-distribution-list-information>
show interfaces far-end-interval
<show-interfaces-far-end-interval>
show interfaces filters
<get-interface-filter-information>
show interfaces forwarding-class-counters
<get-interface-fc-counters-information>
show interfaces interface-set
<get-interface-set-information>
show interfaces interface-set queue
<get-interface-set-queue-information>
show interfaces interval
<show-interfaces-interval>
show interfaces lib-clients
<get-dcd-lib-client-data>
show interfaces load-balancing
<interface-load-balancing>
show interfaces mac-database
<get-mac-database>
show interfaces mc-ae
<get-mc-ae-interface-information>
show interfaces mc-ae revertive-info
<get-mc-ae-revertive-information>
show interfaces policers
<get-interface-policer-information>
show interfaces queue
<get-interface-queue-information>
show interfaces redundancy
<get-redundancy-status>
show interfaces redundancy detail
<get-redundancy-status-details>
show interfaces routing
show interfaces source-class
<get-source-class-statistics>
show interfaces source-class all
<get-all-source-class-statistics>
show interfaces targeting
<get-targeting-information>
show interfaces transport
<get-interface-transport-information>
show interfaces transport optics
<get-interface-transport-optics-information>
show interfaces transport optics interval
<get-interface-transport-optics-interval-information>
show interfaces voq
<get-interface-voq-information>
show ipsec
show ipsec redundancy
show ipsec redundancy interface
<get-ipsec-pic-redundancy-information>
show ipsec redundancy security-associations
<get-ipsec-tunnel-redundancy-information>
show ipsec security-associations
<get-security-associations-information>
show ipv6
show ipv6 neighbors
<get-ipv6-nd-information>
show ipv6 router-advertisement
<get-ipv6-ra-information>

show isis
show isis adjacency
<get-isis-adjacency-information>

show isis authentication
<get-isis-authentication-information>
show isis backup
show isis backup coverage
<get-isis-backup-coverage-information>
show isis backup label-switched-path
<get-isis-backup-lsp-information>
show isis backup spf
show isis backup spf results
<get-isis-backup-spf-results-information>
show isis bgp-orr
<get-isis-bgporr-information>
show isis context-identifier
<get-isis-context-identifier-information>
show isis context-identifier identifier
<get-isis-context-identifier-origin-information>
show isis database
<get-isis-database-information>
show isis hostname
<get-isis-hostname-information>
show isis interface
<get-isis-interface-information>
show isis interface-group
<get-isis-interface-group-information>
show isis layer2-map
<get-isis-layer2-map-information>
show isis overview
<get-isis-overview-information>
show isis route
<get-isis-route-information>
show isis spf
show isis spf brief
<get-isis-spf-results-brief-information>
show isis spf log
<get-isis-spf-log-information>
show isis spf results
<get-isis-spf-results-information>
show isis statistics
<get-isis-statistics-information>

show l2-learning
show l2-learning backbone-instance
<get-l2-learning-backbone-instance>
show l2-learning evpn
show l2-learning evpn arp-statistics
<get-evpn-arp-statistics>
show l2-learning evpn arp-statistics interface
<get-evpn-arp-statistics-interface>
show l2-learning evpn nd-statistics
<get-evpn-nd-statistics>
show l2-learning evpn nd-statistics interface
<get-evpn-nd-statistics-interface>
show l2-learning global-information
<get-l2-learning-global-information>
show l2-learning global-mac-count
<get-l2-learning-global-mac-count>
show l2-learning instance
<get-l2-learning-routing-instances>
show l2-learning interface
<get-l2-learning-interface-information>
show l2-learning mac-move-buffer
<get-l2-learning-mac-move-buffer-information>
show l2-learning provider-instance
<get-l2-learning-provider-instance>
show l2-learning redundancy-groups
<get-l2-learning-redundancy-groups>
show l2-learning remote-backbone-edge-bridges
<get-l2-learning-remote-backbone-edge-bridges>
show l2-learning vxlan-tunnel-end-point
show l2-learning vxlan-tunnel-end-point esi
<get-l2-learning-vxlan-esi-info>
show l2-learning vxlan-tunnel-end-point remote
<get-l2-learning-vxlan-rvtep-info>
show l2-learning vxlan-tunnel-end-point remote ip
<get-l2-learning-vxlan-rvtep-ip-information>
show l2-learning vxlan-tunnel-end-point remote mac-table
<get-l2-learning-vxlan-rvtep-mactable-information>
show l2-learning vxlan-tunnel-end-point remote vtep-source-interface
<get-l2-learning-vxlan-remote-svtep-ip-information>
show l2-learning vxlan-tunnel-end-point source
<get-l2-learning-vxlan-svtep-info>
show l2-learning vxlan-tunnel-end-point source ip
<get-l2-learning-vxlan-svtep-ip-information>
show l2circuit
show l2circuit auto-sensing
<get-l2ckt-pw-auto-sensing-information>
show l2circuit connections
<get-l2ckt-connection-information>

show l2cpd
show l2cpd task
<get-l2cpd-task-information>
show l2cpd task io
<get-l2cpd-tasks-io-statistics>
show l2cpd task memory
<get-l2cpd-task-memory>
show l2cpd task replication
<get-l2cpd-replication-information>
show l2vpn
show l2vpn connections
<get-l2vpn-connection-information>

show lacp
show lacp interfaces
<get-lacp-interface-information>
show lacp statistics
show lacp statistics interfaces
<get-lacp-interface-statistics>
show lacp timeouts
show ldp
show ldp database
<get-ldp-database-information>

show ldp fec-filters
<get-ldp-fec-filters-information>
show ldp interface
<get-ldp-interface-information>
show ldp neighbor
<get-ldp-neighbor-information>
show ldp oam
<get-ldp-oam-information>
show ldp overview
<get-ldp-overview-information>
show ldp p2mp
show ldp p2mp fec
<get-ldp-p2mp-fec-information>
show ldp p2mp path
<get-ldp-p2mp-path-information>
show ldp p2mp tunnel
<get-ldp-p2mp-tunnel-information>
show ldp path
<get-ldp-path-information>
show ldp rib-groups
<get-ldp-rib-groups-information>
show ldp route
<get-ldp-route-information>
show ldp session
<get-ldp-session-information>
show ldp statistics
<get-ldp-statistics-information>
show ldp traffic-statistics
<get-ldp-traffic-statistics-information>
show link-management
<get-lm-information>
show link-management peer
<get-lm-peer-information>
show link-management routing
<get-lm-routing-information>
show link-management routing peer
<get-lm-routing-peer-information>
show link-management routing resource
<get-lm-routing-resource-information>

show link-management routing te-link
<get-lm-routing-te-link-information>
show lldp
<get-lldp-information>
show lldp detail
<get-lldp-information-detail>
show lldp local-information
<get-lldp-local-info>
show lldp neighbors
<get-lldp-neighbors-information>
show lldp neighbors interface
<get-lldp-interface-neighbors>
show lldp remote-global-statistics
<get-lldp-remote-global-statistics>
show lldp statistics
<get-lldp-statistics-information>
show lldp statistics interface
<get-lldp-interface-statistics>
show loop-detect
show loop-detect interface
<get-loop-detect-interface-information>
show loop-detect statistics
show loop-detect statistics interface
<get-loop-detect-interface-statistics-information>
show link-management statistics
<get-lm-statistics-information>
show link-management statistics peer
<get-lm-peer-statistics>
show link-management te-link
<get-lm-te-link-information>
show mac-rewrite
show mac-rewrite interface
<get-mac-rewrite-interface-information>
show mld
show mld group
<get-mld-group-information>
show mld interface
<get-mld-interface-information>
show mld output-group
<get-mld-output-group-information>
show mld snooping
show mld snooping interface
<get-mld-snooping-interface-information>
show mld snooping interface bridge-domain
<get-mld-snooping-bridge-domain-interface>
show mld snooping interface vlan
<get-mld-snooping-vlan-interface>
show mld snooping membership
<get-mld-snooping-membership-information>
show mld snooping membership bridge-domain
<get-mld-snooping-bridge-domain-membership>
show mld snooping membership vlan
<get-mld-snooping-vlan-membership>
show mld snooping statistics
<get-mld-snooping-statistics-information>
show mld snooping statistics bridge-domain
<get-mld-snooping-bridge-domain-statistics>
show mld snooping statistics vlan
<get-mld-snooping-vlan-statistics>
show mld statistics
<get-mld-statistics-information>

show mobile-ip
show mobile-ip home-agent
show mobile-ip home-agent binding
<get-mip-binding-information>

show mobile-ip home-agent binding ip-address


<get-ip-mip-binding-information>

show mobile-ip home-agent binding nai


<get-nai-mip-binding-information>

show mobile-ip home-agent binding summary


<get-summary-mip-binding-information>

show mobile-ip home-agent interface


<get-mip-ha-interface-information>

show mobile-ip home-agent overview


<get-mip-ha-overview-information>

show mobile-ip home-agent traffic


<get-mip-ha-traffic-information>

show mobile-ip home-agent virtual-network


<get-mip-ha-virtual-network-information>

show mobile-ip tunnel


<get-mip-tunnel-information>
show mobile-ip wimax
show mobile-ip wimax release
<get-mip-wimax-release-information>

show mpls
show mpls abstract-hop-membership
<get-mpls-abstract-hop-membership-information>
show mpls admin-groups
<get-mpls-admin-group-information>

show mpls admin-groups-extended


<get-mpls-admin-group-extended-information>
show mpls association
show mpls association iif
<get-mpls-association-iif-information>
show mpls association oif
<get-mpls-association-oif-information>
show mpls association path
<get-mpls-association-path-information>
show mpls call-admission-control


<get-mpls-call-admission-control-information>

show mpls context-identifier


<get-mpls-context-identifier-information>
show mpls correlation
show mpls correlation label
<get-mpls-correlation-label-information>
show mpls correlation nexthop-id
<get-mpls-correlation-nexthop-information>

show network-access address-assignment preserved


<get-address-assignment-preserved-table>
show network-access domain-map
show network-access domain-map statistics
<get-domain-map-statistics>
show mpls cspf
<get-mpls-cspf-information>

show mpls diffserv-te


<get-mpls-diffserv-te-information>
show mpls egress-protection
show mpls interface
<get-mpls-interface-information>
show mpls label
<get mpls-label-space>
show mpls label usage
<get mpls-label-space-usage>

show mpls lsp


<get-mpls-lsp-information>
show mpls lsp abstract-computation
<get-mpls-lsp-abstract-computation>

show mpls lsp autobandwidth


<get-mpls-lsp-autobandwidth>
show mpls srlg
<get-mpls-srlg-information>
show oam ethernet fnp
show oam ethernet fnp interface
show oam ethernet fnp messages
show oam ethernet fnp status
<get-fnp-status>
show mpls lsp defaults
<get-mpls-lsp-defaults-information>

show mpls path


<get-mpls-path-information>

show mpls static-lsp


<get-mpls-static-lsp-information>
show mpls traceroute
show mpls traceroute database
show mpls traceroute database ldp
<get-mpls-traceroute-database-ldp>
show msdp
<get-msdp-information>
show msdp source
<get-msdp-source-information>

show msdp source-active
<get-msdp-source-active-information>

show msdp statistics


<get-msdp-statistics-information>
show multi-chassis
show multi-chassis mc-lag
show multi-chassis mc-lag configuration-consistency
<get-mclag-config-consistency-information>
show multi-chassis mc-lag configuration-consistency global-config
<get-mclag-global-config-consistency-information>
show multi-chassis mc-lag configuration-consistency icl-config
<get-mclag-icl-config-consistency-information>
show multi-chassis mc-lag configuration-consistency list-of-parameters
<get-mclag-config-consistency-information-params>
show multi-chassis mc-lag configuration-consistency mcae-config
<get-mclag-config-consistency-information-mcae>
show multi-chassis mc-lag configuration-consistency vlan-config
<get-mclag-vlan-config-consistency-information>
show multi-chassis mc-lag configuration-consistency vrrp-config
<get-mclag-vrrp-config-consistency-information>
show multicast
show multicast backup-pe-groups
<get-multicast-backup-pe-groups-information>

show multicast backup-pe-groups address


<get-multicast-backup-pe-address-information>

show multicast backup-pe-groups group


<get-multicast-backup-pe-group-information>
show multicast ecid-mapping
show multicast ecid-mapping satellite
<get-satellite-control-ecid>
show multicast flow-map
<get-multicast-flow-maps-information>

show multicast interface


<get-multicast-interface-information>

show multicast next-hops


<get-multicast-next-hops-information>
show multicast next-hops satellite
<get-satellite-control-next-hop>

show multicast pim-to-igmp-proxy


<get-multicast-pim-to-igmp-proxy-information>

show multicast pim-to-mld-proxy


<get-multicast-pim-to-mld-proxy-information>

show multicast route


<get-multicast-route-information>

show multicast rpf


<get-multicast-rpf-information>

show multicast scope


<get-multicast-scope-information>

show multicast sessions


<get-multicast-sessions-information>
show multicast snooping


show multicast snooping next-hops
<get-multicast-snooping-next-hops-information>

show multicast snooping next-hops satellite


<get-satellite-control-indirect-next-hop>
show multicast snooping route
<get-multicast-snooping-route-information>
show multicast snooping route satellite
<get-satellite-control-multicast>

show multicast statistics


<get-multicast-statistics-information>
show multicast statistics satellite
<get-satellite-control-statistics>
show multicast summary
show multicast summary satellite
<get-satellite-control-summary>

show multicast usage


<get-multicast-usage-information>

show mvpn
show mvpn c-multicast
<get-mvpn-c-multicasti-route>
show mvpn instance
<get-mvpn-instance-information>

show mvpn neighbor


<get-mvpn-neighbor-information>
show mvpn suppressed
<get-mvpn-suppressed-information>
show mvrp
<get-mvrp-information>

show mvrp applicant-state


<get-mvrp-applicant-information>

show mvrp dynamic-vlan-memberships


<get-mvrp-dynamic-vlan-memberships>

show mvrp interface


<get-mvrp-interface-information>

show mvrp registration-state


<get-mvrp-registration-state>

show mvrp statistics


<get-mvrp-interface-statistics>

show network-access
show network-access aaa
show network-access aaa radius-servers
<get-radius-servers-table>
show network-access aaa statistics
<get-aaa-module-statistics>

show network-access aaa statistics address-assignment


show network-access aaa statistics address-assignment client
<get-address-assignment-client-statistics>
show network-access aaa statistics address-assignment pool


<get-address-assignment-pool-statistics>
show network-access aaa subscribers
<get-aaa-subscriber-table>

show network-access aaa subscribers session-id

show network-access aaa subscribers statistics


<get-aaa-subscriber-statistics>

show network-access aaa terminate-code


<get-aaa-terminate-code>
show network-access aaa terminate-code aaa
<get-aaa-terminate-code-aaa>
show network-access aaa terminate-code dhcp
<get-aaa-terminate-code-dhcp>
show network-access aaa terminate-code l2tp
<get-aaa-terminate-code-l2tp>
show network-access aaa terminate-code ppp
<get-aaa-terminate-code-ppp>
show network-access aaa terminate-code reverse
<get-aaa-terminate-code-reverse>
show network-access aaa terminate-code reverse aaa
<get-aaa-terminate-code-reverse-aaa>
show network-access aaa terminate-code reverse dhcp
<get-aaa-terminate-code-reverse-dhcp>
show network-access aaa terminate-code reverse l2tp
<get-aaa-terminate-code-reverse-l2tp>
show network-access aaa terminate-code reverse ppp
<get-aaa-terminate-code-reverse-ppp>
show network-access address-assignment
show network-access address-assignment pool
<get-address-assignment-pool-table>
show network-access nasreq
show network-access nasreq statistics
<get-nasreq-counters>
show network-access ocs
show network-access ocs state
<get-ocs-state-information>
show network-access ocs statistics
<get-ocs-statistics-information>
show network-access pcrf
show network-access pcrf state
<get-pcrf-state-information>
show network-access pcrf statistics
<get-pcrf-statistics-information>

show network-access requests


show network-access requests pending
<get-authentication-pending-table>

show network-access requests statistics


<get-authentication-statistics>

show network-access securid-node-secret-file


<get-node-secret-file-table>

show nonstop-routing
<get-nonstop-routing-information>

show ntp
show ntp associations


show ntp status
show oam
show oam ethernet
show oam ethernet connectivity-fault-management sla-iterator-history
<get-cfm-iterator-history>
show oam ethernet connectivity-fault-management
show oam ethernet connectivity-fault-management adjacencies
<get-cfm-adjacency-information>
show oam ethernet connectivity-fault-management delay-statistics
<get-cfm-delay-statistics>

show oam ethernet connectivity-fault-management forwarding-state


show oam ethernet connectivity-fault-management forwarding-state instance
<get-cfm-forwarding-state-instance-information>

show oam ethernet connectivity-fault-management forwarding-state interface


<get-cfm-forwarding-state-interface-information>

show oam ethernet connectivity-fault-management interfaces


<get-cfm-interfaces-information>
show oam ethernet connectivity-fault-management loss-statistics
<get-cfm-loss-statistics>
show oam ethernet connectivity-fault-management mep-database
<get-cfm-mep-database>

show oam ethernet connectivity-fault-management mep-statistics


<get-cfm-mep-statistics>

show oam ethernet connectivity-fault-management mip


<get-cfm-mip-information>

show oam ethernet connectivity-fault-management path-database


<get-cfm-linktrace-path-database>

show oam ethernet connectivity-fault-management policer


<get-evc-information>

show oam ethernet connectivity-fault-management sla-iterator-statistics


<get-cfm-iterator-statistics>
show oam ethernet evc
<get-evc-infromation>
show oam ethernet link-fault-management
<get-lfmd-information>

show oam ethernet lmi


<get-elmi-information>

show oam ethernet lmi statistics


<get-elmi-statistics>

show openflow
show openflow capability
show openflow controller
show openflow filters
show openflow flows
show openflow interfaces
show openflow statistics
show openflow statistics flows
show openflow statistics interfaces
show openflow statistics packet
show openflow statistics packet in


show openflow statistics packet out
show openflow statistics queue
show openflow statistics summary
show openflow statistics tables
show openflow summary
show openflow switch

show ospf
show ospf backup
show ospf backup coverage
<get-ospf-backup-coverage-information>

show ospf backup lsp


<get-ospf-backup-lsp-information>

show ospf backup neighbor


<get-ospf-backup-neighbor-information>

show ospf backup spf


<get-ospf-backup-spf-information>
show ospf bgp-orr
<get-ospf-bgporr-information>

show ospf context-identifier


<get-ospf-context-id-information>

show ospf database


<get-ospf-database-information>

show ospf interface


<get-ospf-interface-information>

show ospf io-statistics


<get-ospf-io-statistics-information>

show ospf log


<get-ospf-log-information>

show ospf neighbor


<get-ospf-neighbor-information>

show ospf overview


<get-ospf-overview-information>

show ospf route


<get-ospf-route-information>

show ospf statistics


<get-ospf-statistics-information>

show ospf3
show ospf3 backup
show ospf3 backup coverage
<get-ospf3-backup-coverage-information>

show ospf3 backup lsp


<get-ospf3-backup-lsp-information>

show ospf3 backup neighbor


<get-ospf3-backup-neighbor-information>
show ospf3 backup spf


<get-ospf3-backup-spf-information>
show ospf3 bgp-orr
<get-ospf-bgporr-information>

show ospf3 database


<get-ospf3-database-information>

show ospf3 interface


<get-ospf3-interface-information>

show ospf3 io-statistics


<get-ospf3-io-statistics-information>

show ospf3 log


<get-ospf3-log-information>

show ospf3 neighbor


<get-ospf3-neighbor-information>

show ospf3 overview


<get-ospf3-overview-information>

show ospf3 route


<get-ospf3-route-information>

show ospf3 statistics


<get-ospf3-statistics-information>
show overlay
<get-cloud-analytics-overlay-information>
show overlay vxlan
<get-cloud-analytics-overlay-vxlan-information>
show overlay vxlan vni
<get-application-monitor-overlay-vxlan-information>
show overlay vxlan vtep
<get-application-monitor-overlay-vtep-information>
show ovsdb
show ovsdb commit
show ovsdb commit failures
<get-ovsdb-commit-failure-information>

show ovsdb tunnels


<get-ovsdb-tunnels-information>
show ovsdb virtual-tunnel-end-point
<get-ovsdb-vtep-information>
show passive-monitoring
<get-passive-monitoring-information>

show passive-monitoring error


<get-passive-monitoring-error-information>

show passive-monitoring flow


<get-passive-monitoring-flow-information>

show passive-monitoring memory


<get-passive-monitoring-memory-information>

show passive-monitoring status


<get-passive-monitoring-status-information>
show passive-monitoring usage


<get-passive-monitoring-usage-information>
show path-computation-client
show path-computation-client active-pce
show path-computation-client lsp-retry-pending
<get-path-computation-client-lsp-retry-pending>
show path-computation-client statistics
show performance-monitoring
show performance-monitoring mpls
show performance-monitoring mpls lsp
<get-pm-mpls-lsp-information>
show pfe
show pfe cfeb
show pfe data
<get-pfe-data>
show pfe feb
show pfe filter
show pfe filter hw
show pfe filter hw summary
show pfe fpc
show pfe fwdd
show pfe lcc
show pfe next-hop
show pfe pfem
show pfe pfem detail
show pfe pfem extensive
show pfe route
show pfe route clnp
show pfe route clnp table
show pfe route inet6
show pfe route inet6 hw
show pfe route inet6 hw host
show pfe route inet6 hw lpm
show pfe route inet6 hw multicast

show pfe route inet6 table


show pfe route ip
show pfe route ip table
show pfe route iso
show pfe route iso table
show pfe scb
show pfe sfm
show pfe ssb
show pfe statistics
show pfe statistics exceptions
show pfe statistics fabric
show pfe statistics ip
show pfe route ip hw
show pfe route ip hw host
show pfe route ip hw lpm
show pfe route ip hw multicast
show pfe route summary
show pfe route summary hw
show pfe statistics ip6
show pfe statistics traffic
<get-pfe-statistics>
show pfe statistics traffic bandwidth
<get-pfe-traffic-statistics-bandwidth>

show pfe statistics traffic cpu


show pfe statistics traffic cpu fpe
show pfe statistics traffic detail


<get-pfe-traffic-statistics>
show pfe statistics traffic egress-queues
show pfe statistics traffic egress-queues fpc
show pfe statistics traffic multicast
show pfe statistics traffic multicast fpc
show pfe statistics traffic protocol
show pfe tcam
show pfe tcam app
<get-pfe-tcam-app-list>
show pfe tcam app bd-dtag-validate
<get-pfe-tcam-app-list-bd-dtag-validate>
show pfe tcam app bd-dtag-validate detail
show pfe tcam app bd-dtag-validate list-related-apps
show pfe tcam app bd-dtag-validate list-shared-apps
show pfe tcam app bd-dtag-validate shared-usage
show pfe tcam app bd-dtag-validate shared-usage detail
show pfe tcam app bd-tpid-swap
<get-pfe-tcam-app-list-bd-tpid-swap>
show pfe tcam app bd-tpid-swap detail
show pfe tcam app bd-tpid-swap list-related-apps
show pfe tcam app bd-tpid-swap list-shared-apps
show pfe tcam app bd-tpid-swap shared-usage
show pfe tcam app bd-tpid-swap shared-usage detail
show pfe tcam app cfm-bd-filter
<get-pfe-tcam-app-list-cfm-bd-filter>
show pfe tcam app cfm-bd-filter detail
show pfe tcam app cfm-bd-filter list-related-apps
show pfe tcam app cfm-bd-filter list-shared-apps
show pfe tcam app cfm-bd-filter shared-usage
show pfe tcam app cfm-bd-filter shared-usage detail
show pfe tcam app cfm-filter
<get-pfe-tcam-app-list-cfm-filter>
show pfe tcam app cfm-filter list-related-apps
show pfe tcam app cfm-filter list-shared-apps
show pfe tcam app cfm-filter shared-usage
show pfe tcam app cfm-filter shared-usage detail
show pfe tcam app cfm-vpls-filter
<get-pfe-tcam-app-list-cfm-vpls-filter>
show pfe tcam app cfm-vpls-filter detail
show pfe tcam app cfm-vpls-filter list-related-apps
show pfe tcam app cfm-vpls-filter list-shared-apps
show pfe tcam app cfm-vpls-filter shared-usage
show pfe tcam app cfm-vpls-filter shared-usage detail
show pfe tcam app cfm-vpls-ifl-filter
<get-pfe-tcam-app-list-cfm-vpls-ifl-filter>
show pfe tcam app cfm-vpls-ifl-filter detail
show pfe tcam app cfm-vpls-ifl-filter list-related-apps
show pfe tcam app cfm-vpls-ifl-filter list-shared-apps
show pfe tcam app cfm-vpls-ifl-filter shared-usage
show pfe tcam app cfm-vpls-ifl-filter shared-usage detail
show pfe tcam app cos-fc
<get-pfe-tcam-app-list-cos-fc>
show pfe tcam app cos-fc detail
show pfe tcam app cos-fc list-related-apps
show pfe tcam app cos-fc list-shared-apps
show pfe tcam app cos-fc shared-usage
show pfe tcam app cos-fc shared-usage detail
show pfe tcam app fw-ccc-in
<get-pfe-tcam-app-list-fw-ccc-in>
show pfe tcam app fw-ccc-in detail
show pfe tcam app fw-ccc-in list-related-apps
show pfe tcam app fw-ccc-in list-shared-apps


show pfe tcam app fw-ccc-in shared-usage
show pfe tcam app fw-ccc-in shared-usage detail
show pfe tcam app fw-family-out
<get-pfe-tcam-app-list-fw-family-out>
show pfe tcam app fw-family-out detail
show pfe tcam app fw-family-out list-related-apps
show pfe tcam app fw-family-out list-shared-apps
show pfe tcam app fw-family-out shared-usage
show pfe tcam app fw-family-out shared-usage detail
show pfe tcam app fw-fbf
<get-pfe-tcam-app-list-fw-fbf>
show pfe tcam app fw-fbf detail
show pfe tcam app fw-fbf list-related-apps
show pfe tcam app fw-fbf list-shared-apps
show pfe tcam app fw-fbf shared-usage
show pfe tcam app fw-fbf shared-usage detail
show pfe tcam app fw-fbf-inet6
<get-pfe-tcam-app-list-fw-fbf-inet6>
show pfe tcam app fw-fbf-inet6 detail
show pfe tcam app fw-fbf-inet6 list-related-apps
show pfe tcam app fw-fbf-inet6 list-shared-apps
show pfe tcam app fw-fbf-inet6 shared-usage
show pfe tcam app fw-fbf-inet6 shared-usage detail
show pfe tcam app fw-ifl-in
<get-pfe-tcam-app-list-fw-ifl-in>
show pfe tcam app fw-ifl-in detail
show pfe tcam app fw-ifl-in list-related-apps
show pfe tcam app fw-ifl-in list-shared-apps
show pfe tcam app fw-ifl-in shared-usage
show pfe tcam app fw-ifl-in shared-usage detail
show pfe tcam app fw-ifl-out
<get-pfe-tcam-app-list-fw-ifl-out>
show pfe tcam app fw-ifl-out detail
show pfe tcam app fw-ifl-out list-related-apps
show pfe tcam app fw-ifl-out list-shared-apps
show pfe tcam app fw-ifl-out shared-usage
show pfe tcam app fw-ifl-out shared-usage detail
show pfe tcam app fw-inet-ftf
<get-pfe-tcam-app-list-fw-inet-ftf>
show pfe tcam app fw-inet-ftf detail
show pfe tcam app fw-inet-ftf list-related-apps
show pfe tcam app fw-inet-ftf list-shared-apps
show pfe tcam app fw-inet-ftf shared-usage
show pfe tcam app fw-inet-ftf shared-usage detail
show pfe tcam app fw-inet-in
<get-pfe-tcam-app-list-fw-inet-in>
show pfe tcam app fw-inet-in detail
show pfe tcam app fw-inet-in list-related-apps
show pfe tcam app fw-inet-in list-shared-apps
show pfe tcam app fw-inet-in shared-usage
show pfe tcam app fw-inet-in shared-usage detail
show pfe tcam app fw-inet-pm
<get-pfe-tcam-app-list-fw-inet-pm>
show pfe tcam app fw-inet-pm detail
show pfe tcam app fw-inet-pm list-related-apps
show pfe tcam app fw-inet-pm list-shared-apps
show pfe tcam app fw-inet-pm shared-usage
show pfe tcam app fw-inet-pm shared-usage detail
show pfe tcam app fw-inet-rpf
<get-pfe-tcam-app-list-fw-inet-rpf>
show pfe tcam app fw-inet-rpf detail


show pfe tcam app fw-inet-rpf list-related-apps
show pfe tcam app fw-inet-rpf list-shared-apps
show pfe tcam app fw-inet-rpf shared-usage
show pfe tcam app fw-inet-rpf shared-usage detail
show pfe tcam app fw-inet6-family-out
<get-pfe-tcam-app-list-fw-inet6-family-out>
show pfe tcam app fw-inet6-family-out detail
show pfe tcam app fw-inet6-family-out list-related-apps
show pfe tcam app fw-inet6-family-out list-shared-apps
show pfe tcam app fw-inet6-family-out shared-usage
show pfe tcam app fw-inet6-family-out shared-usage detail
show pfe tcam app fw-inet6-ftf
<get-pfe-tcam-app-list-fw-inet6-ftf>
show pfe tcam app fw-inet6-ftf detail
show pfe tcam app fw-inet6-ftf list-related-apps
show pfe tcam app fw-inet6-ftf list-shared-apps
show pfe tcam app fw-inet6-ftf shared-usage
show pfe tcam app fw-inet6-ftf shared-usage detail
show pfe tcam app fw-inet6-in
<get-pfe-tcam-app-list-fw-inet6-in>
show pfe tcam app fw-inet6-in detail
show pfe tcam app fw-inet6-in list-related-apps
show pfe tcam app fw-inet6-in list-shared-apps
show pfe tcam app fw-inet6-in shared-usage
show pfe tcam app fw-inet6-in shared-usage detail
show pfe tcam app fw-inet6-rpf
<get-pfe-tcam-app-list-fw-inet6-rpf>
show pfe tcam app fw-inet6-rpf detail
show pfe tcam app fw-inet6-rpf list-related-apps
show pfe tcam app fw-inet6-rpf list-shared-apps
show pfe tcam app fw-inet6-rpf shared-usage
show pfe tcam app fw-inet6-rpf shared-usage detail
show pfe tcam app fw-l2-in
<get-pfe-tcam-app-list-fw-l2-in>
show pfe tcam app fw-l2-in detail
show pfe tcam app fw-l2-in list-related-apps
show pfe tcam app fw-l2-in list-shared-apps
show pfe tcam app fw-l2-in shared-usage
show pfe tcam app fw-l2-in shared-usage detail
show pfe tcam app fw-mpls-in
<get-pfe-tcam-app-list-fw-mpls-in>
show pfe tcam app fw-mpls-in detail
show pfe tcam app fw-mpls-in list-related-apps
show pfe tcam app fw-mpls-in list-shared-apps
show pfe tcam app fw-mpls-in shared-usage
show pfe tcam app fw-mpls-in shared-usage detail
show pfe tcam app fw-semantics
<get-pfe-tcam-app-list-fw-semantics>
show pfe tcam app fw-semantics detail
show pfe tcam app fw-semantics list-related-apps
show pfe tcam app fw-semantics list-shared-apps
show pfe tcam app fw-semantics shared-usage
show pfe tcam app fw-semantics shared-usage detail
show pfe tcam app fw-vpls-in
<get-pfe-tcam-app-list-fw-vpls-in>
show pfe tcam app fw-vpls-in detail
show pfe tcam app fw-vpls-in list-related-apps
show pfe tcam app fw-vpls-in list-shared-apps
show pfe tcam app fw-vpls-in shared-usage
show pfe tcam app fw-vpls-in shared-usage detail
show pfe tcam app gr-ifl-stats-egr


<get-pfe-tcam-app-list-gr-ifl-statistics-egr>
show pfe tcam app gr-ifl-stats-egr detail
show pfe tcam app gr-ifl-stats-egr list-related-apps
show pfe tcam app gr-ifl-stats-egr list-shared-apps
show pfe tcam app gr-ifl-stats-egr shared-usage
show pfe tcam app gr-ifl-stats-egr shared-usage detail
show pfe tcam app gr-ifl-stats-ing
<get-pfe-tcam-app-list-gr-ifl-statistics-ing>
show pfe tcam app gr-ifl-stats-ing detail
show pfe tcam app gr-ifl-stats-ing list-related-apps
show pfe tcam app gr-ifl-stats-ing list-shared-apps
show pfe tcam app gr-ifl-stats-ing shared-usage
show pfe tcam app gr-ifl-stats-ing shared-usage detail
show pfe tcam app gr-ifl-stats-preing
<get-pfe-tcam-app-list-gr-ifl-statistics-preing>
show pfe tcam app gr-ifl-stats-preing detail
show pfe tcam app gr-ifl-stats-preing list-related-apps
show pfe tcam app gr-ifl-stats-preing list-shared-apps
show pfe tcam app gr-ifl-stats-preing shared-usage
show pfe tcam app gr-ifl-stats-preing shared-usage detail
show pfe tcam app ifd-src-mac-fil
<get-pfe-tcam-app-list-ifd-src-mac-fil>
show pfe tcam app ifd-src-mac-fil detail
show pfe tcam app ifd-src-mac-fil list-related-apps
show pfe tcam app ifd-src-mac-fil list-shared-apps
show pfe tcam app ifd-src-mac-fil shared-usage
show pfe tcam app ifd-src-mac-fil shared-usage detail
show pfe tcam app ifl-statistics-in
<get-pfe-tcam-app-list-ifl-statistics-in>
show pfe tcam app ifl-statistics-in detail
show pfe tcam app ifl-statistics-in list-related-apps
show pfe tcam app ifl-statistics-in list-shared-apps
show pfe tcam app ifl-statistics-in shared-usage
show pfe tcam app ifl-statistics-in shared-usage detail
show pfe tcam app ifl-statistics-out
<get-pfe-tcam-app-list-ifl-statistics-out>
show pfe tcam app ifl-statistics-out detail
show pfe tcam app ifl-statistics-out list-related-apps
show pfe tcam app ifl-statistics-out list-shared-apps
show pfe tcam app ifl-statistics-out shared-usage
show pfe tcam app ifl-statistics-out shared-usage detail
show pfe tcam app ing-out-iff
<get-pfe-tcam-app-list-ing-out-iff>
show pfe tcam app ing-out-iff detail
show pfe tcam app ing-out-iff list-related-apps
show pfe tcam app ing-out-iff list-shared-apps
show pfe tcam app ing-out-iff shared-usage
show pfe tcam app ing-out-iff shared-usage detail
show pfe tcam app ip-mac-val
<get-pfe-tcam-app-list-ip-mac-val>
show pfe tcam app ip-mac-val detail
show pfe tcam app ip-mac-val list-related-apps
show pfe tcam app ip-mac-val list-shared-apps
show pfe tcam app ip-mac-val shared-usage
show pfe tcam app ip-mac-val shared-usage detail
show pfe tcam app ip-mac-val-bcast
<get-pfe-tcam-app-list-ip-mac-val-bcast>
show pfe tcam app ip-mac-val-bcast detail
show pfe tcam app ip-mac-val-bcast list-related-apps
show pfe tcam app ip-mac-val-bcast list-shared-apps
show pfe tcam app ip-mac-val-bcast shared-usage


show pfe tcam app ip-mac-val-bcast shared-usage detail
show pfe tcam app ipsec-reverse-fil
<get-pfe-tcam-app-list-ipsec-reverse-fil>
show pfe tcam app ipsec-reverse-fil detail
show pfe tcam app ipsec-reverse-fil list-related-apps
show pfe tcam app ipsec-reverse-fil list-shared-apps
show pfe tcam app ipsec-reverse-fil shared-usage
show pfe tcam app ipsec-reverse-fil shared-usage detail
show pfe tcam app irb-cos-rw
<get-pfe-tcam-app-list-irb-cos-rw>
show pfe tcam app irb-cos-rw detail
show pfe tcam app irb-cos-rw list-related-apps
show pfe tcam app irb-cos-rw list-shared-apps
show pfe tcam app irb-cos-rw shared-usage
show pfe tcam app irb-cos-rw shared-usage detail
show pfe tcam app irb-fixed-cos
<get-pfe-tcam-app-list-irb-fixed-cos>
show pfe tcam app irb-fixed-cos detail
show pfe tcam app irb-fixed-cos list-related-apps
show pfe tcam app irb-fixed-cos list-shared-apps
show pfe tcam app irb-fixed-cos shared-usage
show pfe tcam app irb-fixed-cos shared-usage detail
show pfe tcam app irb-inet6-fil
<get-pfe-tcam-app-list-irb-inet6-fil>
show pfe tcam app irb-inet6-fil detail
show pfe tcam app irb-inet6-fil list-related-apps
show pfe tcam app irb-inet6-fil list-shared-apps
show pfe tcam app irb-inet6-fil shared-usage
show pfe tcam app irb-inet6-fil shared-usage detail
show pfe tcam app lfm-802.3ah-in
<get-pfe-tcam-app-list-lfm-802.3ah-in>
show pfe tcam app lfm-802.3ah-in detail
show pfe tcam app lfm-802.3ah-in list-related-apps
show pfe tcam app lfm-802.3ah-in list-shared-apps
show pfe tcam app lfm-802.3ah-in shared-usage
show pfe tcam app lfm-802.3ah-in shared-usage detail
show pfe tcam app lfm-802.3ah-out
<get-pfe-tcam-app-list-lfm-802.3ah-out>
show pfe tcam app lfm-802.3ah-out detail
show pfe tcam app lfm-802.3ah-out list-related-apps
show pfe tcam app lfm-802.3ah-out list-shared-apps
show pfe tcam app lfm-802.3ah-out shared-usage
show pfe tcam app lfm-802.3ah-out shared-usage detail
show pfe tcam app lo0-inet-fil
<get-pfe-tcam-app-list-lo0-inet-fil>
show pfe tcam app lo0-inet-fil detail
show pfe tcam app lo0-inet-fil list-related-apps
show pfe tcam app lo0-inet-fil list-shared-apps
show pfe tcam app lo0-inet-fil shared-usage
show pfe tcam app lo0-inet-fil shared-usage detail
show pfe tcam app lo0-inet6-fil
<get-pfe-tcam-app-list-lo0-inet6-fil>
show pfe tcam app lo0-inet6-fil detail
show pfe tcam app lo0-inet6-fil list-related-apps
show pfe tcam app lo0-inet6-fil list-shared-apps
show pfe tcam app lo0-inet6-fil shared-usage
show pfe tcam app lo0-inet6-fil shared-usage detail
show pfe tcam app mac-drop-cnt
<get-pfe-tcam-app-list-mac-drop-cnt>
show pfe tcam app mac-drop-cnt detail
show pfe tcam app mac-drop-cnt list-related-apps


show pfe tcam app mac-drop-cnt list-shared-apps
show pfe tcam app mac-drop-cnt shared-usage
show pfe tcam app mac-drop-cnt shared-usage detail
show pfe tcam app mrouter-port-in
<get-pfe-tcam-app-list-mrouter-port-in>
show pfe tcam app mrouter-port-in detail
show pfe tcam app mrouter-port-in list-related-apps
show pfe tcam app mrouter-port-in list-shared-apps
show pfe tcam app mrouter-port-in shared-usage
show pfe tcam app mrouter-port-in shared-usage detail
show pfe tcam app napt-reverse-fil
<get-pfe-tcam-app-list-napt-reverse-fil>
show pfe tcam app napt-reverse-fil detail
show pfe tcam app napt-reverse-fil list-related-apps
show pfe tcam app napt-reverse-fil list-shared-apps
show pfe tcam app napt-reverse-fil shared-usage
show pfe tcam app napt-reverse-fil shared-usage detail
show pfe tcam app no-local-switching
<get-pfe-tcam-app-list-no-local-switching>
show pfe tcam app no-local-switching detail
show pfe tcam app no-local-switching list-related-apps
show pfe tcam app no-local-switching list-shared-apps
show pfe tcam app no-local-switching shared-usage
show pfe tcam app no-local-switching shared-usage detail
show pfe tcam app ptpoe-cos-rw
<get-pfe-tcam-app-list-ptpoe-cos-rw>
show pfe tcam app ptpoe-cos-rw detail
show pfe tcam app ptpoe-cos-rw list-related-apps
show pfe tcam app ptpoe-cos-rw list-shared-apps
show pfe tcam app ptpoe-cos-rw shared-usage
show pfe tcam app ptpoe-cos-rw shared-usage detail
show pfe tcam app rfc2544-layer2-in
<get-pfe-tcam-app-list-rfc2544-layer2-in>
show pfe tcam app rfc2544-layer2-in detail
show pfe tcam app rfc2544-layer2-in list-related-apps
show pfe tcam app rfc2544-layer2-in list-shared-apps
show pfe tcam app rfc2544-layer2-in shared-usage
show pfe tcam app rfc2544-layer2-in shared-usage detail
show pfe tcam app rfc2544-layer2-out
<get-pfe-tcam-app-list-rfc2544-layer2-out>
show pfe tcam app vpls-mesh-group-mcast
<get-upper-level-xml-name-vpls-mesh-group-mcast>
show pfe tcam app vpls-mesh-group-mcast detail
show pfe tcam app vpls-mesh-group-mcast list-related-apps
show pfe tcam app vpls-mesh-group-mcast list-shared-apps
show pfe tcam app vpls-mesh-group-mcast shared-usage
show pfe tcam app vpls-mesh-group-mcast shared-usage detail
show pfe tcam app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
show pfe tcam app vpls-mesh-group-ucast detail
show pfe tcam app vpls-mesh-group-ucast list-related-apps
show pfe tcam app vpls-mesh-group-ucast list-shared-apps
show pfe tcam app vpls-mesh-group-ucast shared-usage
show pfe tcam app vpls-mesh-group-ucast shared-usage detail
show pfe tcam app cfm-filter detail
show pfe tcam errors app fw-inet-rpf
<get-pfe-tcam-errors-app-fw-inet-rpf>
show pfe tcam errors app fw-inet-rpf detail
show pfe tcam errors app fw-inet-rpf list-related-apps
show pfe tcam errors app fw-inet-rpf list-shared-apps
Chapter 4: Permissions Flags for User Access Privileges
show pfe tcam errors app fw-inet-rpf shared-usage
show pfe tcam errors app fw-inet-rpf shared-usage detail
show pfe tcam errors app fw-inet6-rpf
<get-pfe-tcam-errors-app-fw-inet6-rpf>
show pfe tcam errors app fw-inet6-rpf detail
show pfe tcam errors app fw-inet6-rpf list-related-apps
show pfe tcam errors app fw-inet6-rpf list-shared-apps
show pfe tcam errors app fw-inet6-rpf shared-usage
show pfe tcam errors app fw-inet6-rpf shared-usage detail
show pfe tcam errors app gr-ifl-stats-egr
<get-pfe-tcam-errors-app-gr-ifl-statistics-egr>
show pfe tcam errors app gr-ifl-stats-egr detail
show pfe tcam errors app gr-ifl-stats-egr list-related-apps
show pfe tcam errors app gr-ifl-stats-egr list-shared-apps
show pfe tcam errors app gr-ifl-stats-egr shared-usage
show pfe tcam errors app gr-ifl-stats-egr shared-usage detail
show pfe tcam errors app gr-ifl-stats-ing
<get-pfe-tcam-errors-app-gr-ifl-statistics-ing>
show pfe tcam errors app gr-ifl-stats-ing detail
show pfe tcam errors app gr-ifl-stats-ing list-related-apps
show pfe tcam errors app gr-ifl-stats-ing list-shared-apps
show pfe tcam errors app gr-ifl-stats-ing shared-usage
show pfe tcam errors app gr-ifl-stats-ing shared-usage detail
show pfe tcam errors app gr-ifl-stats-preing
<get-pfe-tcam-errors-app-gr-ifl-statistics-preing>
show pfe tcam errors app gr-ifl-stats-preing detail
show pfe tcam errors app gr-ifl-stats-preing list-related-apps
show pfe tcam errors app gr-ifl-stats-preing list-shared-apps
show pfe tcam errors app gr-ifl-stats-preing shared-usage
show pfe tcam errors app gr-ifl-stats-preing shared-usage detail
show pfe tcam errors app ing-out-iff
<get-pfe-tcam-errors-app-ing-out-iff>
show pfe tcam errors app ing-out-iff detail
show pfe tcam errors app ing-out-iff list-related-apps
show pfe tcam errors app ing-out-iff list-shared-apps
show pfe tcam errors app ing-out-iff shared-usage
show pfe tcam errors app ing-out-iff shared-usage detail
show pfe tcam errors app vpls-mesh-group-mcast
<get-upper-level-xml-name-vpls-mesh-group-mcast>
show pfe tcam errors app vpls-mesh-group-mcast detail
show pfe tcam errors app vpls-mesh-group-mcast list-related-apps
show pfe tcam errors app vpls-mesh-group-mcast list-shared-apps
show pfe tcam errors app vpls-mesh-group-mcast shared-usage
show pfe tcam errors app vpls-mesh-group-mcast shared-usage detail
show pfe tcam errors app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
show pfe tcam errors app vpls-mesh-group-ucast detail
show pfe tcam errors app vpls-mesh-group-ucast list-related-apps
show pfe tcam errors app vpls-mesh-group-ucast list-shared-apps
show pfe tcam errors app vpls-mesh-group-ucast shared-usage
show pfe tcam errors app vpls-mesh-group-ucast shared-usage detail
show pfe tcam errors tcam-stage ingress app fw-inet-rpf
<get-pfe-tcam-errors-ingress-tcam-stage-fw-inet-rpf>
show pfe tcam errors tcam-stage ingress app fw-inet-rpf detail
show pfe tcam errors tcam-stage ingress app fw-inet-rpf list-related-apps
show pfe tcam errors tcam-stage ingress app fw-inet-rpf list-shared-apps
show pfe tcam errors tcam-stage ingress app fw-inet-rpf shared-usage
show pfe tcam errors tcam-stage ingress app fw-inet-rpf shared-usage detail
show pfe tcam errors tcam-stage ingress app fw-inet6-rpf
<get-pfe-tcam-errors-ingress-tcam-stage-fw-inet6-rpf>
show pfe tcam errors tcam-stage ingress app fw-inet6-rpf detail
show pfe tcam errors tcam-stage ingress app fw-inet6-rpf list-related-apps
show pfe tcam errors tcam-stage ingress app fw-inet6-rpf list-shared-apps
show pfe tcam errors tcam-stage ingress app fw-inet6-rpf shared-usage
show pfe tcam errors tcam-stage ingress app fw-inet6-rpf shared-usage detail
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-egr
<get-pfe-tcam-errors-ingress-tcam-stage-gr-ifl-statistics-egr>
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-egr detail
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-egr list-related-apps
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-egr list-shared-apps
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-egr shared-usage
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-egr shared-usage detail
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-ing
<get-pfe-tcam-errors-ingress-tcam-stage-gr-ifl-statistics-ing>
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-ing detail
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-ing list-related-apps
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-ing list-shared-apps
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-ing shared-usage
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-ing shared-usage detail
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-preing
<get-pfe-tcam-errors-ingress-tcam-stage-gr-ifl-statistics-preing>
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-preing detail
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-preing list-related-apps
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-preing list-shared-apps
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-preing shared-usage
show pfe tcam errors tcam-stage ingress app gr-ifl-stats-preing shared-usage detail
show pfe tcam errors tcam-stage pre-ingress app ing-out-iff
<get-pfe-tcam-errors-pre-ingress-app-ing-out-iff>
show pfe tcam errors tcam-stage pre-ingress app ing-out-iff detail
show pfe tcam errors tcam-stage pre-ingress app ing-out-iff list-related-apps
show pfe tcam errors tcam-stage pre-ingress app ing-out-iff list-shared-apps
show pfe tcam errors tcam-stage pre-ingress app ing-out-iff shared-usage
show pfe tcam errors tcam-stage pre-ingress app ing-out-iff shared-usage detail
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-mcast
<get-upper-level-xml-name-vpls-mesh-group-mcast>
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-mcast detail
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-mcast list-related-apps
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-mcast list-shared-apps
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-mcast shared-usage
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-mcast shared-usage detail
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast detail
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast list-related-apps
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast list-shared-apps
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast shared-usage
show pfe tcam errors tcam-stage pre-ingress app vpls-mesh-group-ucast shared-usage detail
show pfe tcam usage app fw-inet-rpf
<get-pfe-tcam-usage-app-fw-inet-rpf>
show pfe tcam usage app fw-inet-rpf detail
show pfe tcam usage app fw-inet-rpf list-related-apps
show pfe tcam usage app fw-inet-rpf list-shared-apps
show pfe tcam usage app fw-inet-rpf shared-usage
show pfe tcam usage app fw-inet-rpf shared-usage detail
show pfe tcam usage app fw-inet6-rpf
<get-pfe-tcam-usage-app-fw-inet6-rpf>
show pfe tcam usage app fw-inet6-rpf detail
show pfe tcam usage app fw-inet6-rpf list-related-apps
show pfe tcam usage app fw-inet6-rpf list-shared-apps
show pfe tcam usage app fw-inet6-rpf shared-usage
show pfe tcam usage app fw-inet6-rpf shared-usage detail
show pfe tcam usage app gr-ifl-stats-egr
<get-pfe-tcam-usage-app-gr-ifl-statistics-egr>
show pfe tcam usage app gr-ifl-stats-egr detail
show pfe tcam usage app gr-ifl-stats-egr list-related-apps
show pfe tcam usage app gr-ifl-stats-egr list-shared-apps
show pfe tcam usage app gr-ifl-stats-egr shared-usage
show pfe tcam usage app gr-ifl-stats-egr shared-usage detail
show pfe tcam usage app gr-ifl-stats-ing
<get-pfe-tcam-usage-app-gr-ifl-statistics-ing>
show pfe tcam usage app gr-ifl-stats-ing detail
show pfe tcam usage app gr-ifl-stats-ing list-related-apps
show pfe tcam usage app gr-ifl-stats-ing list-shared-apps
show pfe tcam usage app gr-ifl-stats-ing shared-usage
show pfe tcam usage app gr-ifl-stats-ing shared-usage detail
show pfe tcam usage app gr-ifl-stats-preing
<get-pfe-tcam-usage-app-gr-ifl-statistics-preing>
show pfe tcam usage app gr-ifl-stats-preing detail
show pfe tcam usage app gr-ifl-stats-preing list-related-apps
show pfe tcam usage app gr-ifl-stats-preing list-shared-apps
show pfe tcam usage app gr-ifl-stats-preing shared-usage
show pfe tcam usage app gr-ifl-stats-preing shared-usage detail
show pfe tcam usage app ing-out-iff
<get-pfe-tcam-usage-app-ing-out-iff>
show pfe tcam usage app ing-out-iff detail
show pfe tcam usage app ing-out-iff list-related-apps
show pfe tcam usage app ing-out-iff list-shared-apps
show pfe tcam usage app ing-out-iff shared-usage
show pfe tcam usage app ing-out-iff shared-usage detail
show pfe tcam usage app vpls-mesh-group-mcast
<get-upper-level-xml-name-vpls-mesh-group-mcast>
show pfe tcam usage app vpls-mesh-group-mcast detail
show pfe tcam usage app vpls-mesh-group-mcast list-related-apps
show pfe tcam usage app vpls-mesh-group-mcast list-shared-apps
show pfe tcam usage app vpls-mesh-group-mcast shared-usage
show pfe tcam usage app vpls-mesh-group-mcast shared-usage detail
show pfe tcam usage app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
show pfe tcam usage app vpls-mesh-group-ucast detail
show pfe tcam usage app vpls-mesh-group-ucast list-related-apps
show pfe tcam usage app vpls-mesh-group-ucast list-shared-apps
show pfe tcam usage app vpls-mesh-group-ucast shared-usage
show pfe tcam usage app vpls-mesh-group-ucast shared-usage detail
show pfe tcam usage tcam-stage egress app rfc2544-layer2-out shared-usage detail
show pfe tcam usage tcam-stage egress detail
<get-pfe-tcam-usage-egress-tcam-stage-detail>
show pfe tcam usage tcam-stage ingress
<get-pfe-tcam-usage-ingress-tcam-stage>
show pfe tcam usage tcam-stage ingress app
<get-pfe-tcam-usage-ingress-app>
show pfe tcam usage tcam-stage ingress app cfm-bd-filter
<get-pfe-tcam-usage-ingress-app-cfm-bd-filter>
show pfe tcam usage tcam-stage ingress app cfm-bd-filter detail
show pfe tcam usage tcam-stage ingress app cfm-bd-filter list-related-apps
show pfe tcam usage tcam-stage ingress app cfm-bd-filter list-shared-apps
show pfe tcam usage tcam-stage ingress app cfm-bd-filter shared-usage
show pfe tcam usage tcam-stage ingress app cfm-bd-filter shared-usage detail
show pfe tcam usage tcam-stage ingress app cfm-filter
<get-pfe-tcam-usage-ingress-app-cfm-filter>
show pfe tcam usage tcam-stage ingress app cfm-filter detail
show pfe tcam usage tcam-stage ingress app cfm-filter list-related-apps
show pfe tcam usage tcam-stage ingress app cfm-filter list-shared-apps
show pfe tcam usage tcam-stage ingress app cfm-filter shared-usage
show pfe tcam usage tcam-stage ingress app cfm-filter shared-usage detail
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter
<get-pfe-tcam-usage-ingress-app-cfm-vpls-filter>
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter detail
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter list-related-apps
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter list-shared-apps
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter shared-usage
show pfe tcam usage tcam-stage ingress app cfm-vpls-filter shared-usage detail
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter
<get-pfe-tcam-usage-ingress-app-cfm-vpls-ifl-filter>
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter detail
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter list-related-apps
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter list-shared-apps
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter shared-usage
show pfe tcam usage tcam-stage ingress app cfm-vpls-ifl-filter shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-ccc-in
<get-pfe-tcam-usage-ingress-app-fw-ccc-in>
show pfe tcam usage tcam-stage ingress app fw-ccc-in detail
show pfe tcam usage tcam-stage ingress app fw-ccc-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-ccc-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-ccc-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-ccc-in shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-ifl-in
<get-pfe-tcam-usage-ingress-app-fw-ifl-in>
show pfe tcam usage tcam-stage ingress app fw-ifl-in detail
show pfe tcam usage tcam-stage ingress app fw-ifl-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-ifl-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-ifl-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-ifl-in shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-inet-ftf
<get-pfe-tcam-usage-ingress-app-fw-inet-ftf>
show pfe tcam usage tcam-stage ingress app fw-inet-ftf detail
show pfe tcam usage tcam-stage ingress app fw-inet-ftf list-related-apps
show pfe tcam usage tcam-stage ingress app fw-inet-ftf list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-inet-ftf shared-usage
show pfe tcam usage tcam-stage ingress app fw-inet-ftf shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-inet-in
<get-pfe-tcam-usage-ingress-app-fw-inet-in>
show pfe tcam usage tcam-stage ingress app fw-inet-in detail
show pfe tcam usage tcam-stage ingress app fw-inet-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-inet-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-inet-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-inet-in shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-inet-pm
<get-pfe-tcam-usage-ingress-app-fw-inet-pm>
show pfe tcam usage tcam-stage ingress app fw-inet-pm detail
show pfe tcam usage tcam-stage ingress app fw-inet-pm list-related-apps
show pfe tcam usage tcam-stage ingress app fw-inet-pm list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-inet-pm shared-usage
show pfe tcam usage tcam-stage ingress app fw-inet-pm shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-inet-rpf
<get-pfe-tcam-usage-ingress-app-fw-inet-rpf>
show pfe tcam usage tcam-stage ingress app fw-inet-rpf detail
show pfe tcam usage tcam-stage ingress app fw-inet-rpf list-related-apps
show pfe tcam usage tcam-stage ingress app fw-inet-rpf list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-inet-rpf shared-usage
show pfe tcam usage tcam-stage ingress app fw-inet-rpf shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-inet6-ftf
<get-pfe-tcam-usage-ingress-app-fw-inet6-ftf>
show pfe tcam usage tcam-stage ingress app fw-inet6-ftf detail
show pfe tcam usage tcam-stage ingress app fw-inet6-ftf list-related-apps
show pfe tcam usage tcam-stage ingress app fw-inet6-ftf list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-inet6-ftf shared-usage
show pfe tcam usage tcam-stage ingress app fw-inet6-ftf shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-inet6-in
<get-pfe-tcam-usage-ingress-app-fw-inet6-in>
show pfe tcam usage tcam-stage ingress app fw-inet6-in detail
show pfe tcam usage tcam-stage ingress app fw-inet6-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-inet6-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-inet6-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-inet6-in shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-inet6-rpf
<get-pfe-tcam-usage-ingress-app-fw-inet6-rpf>
show pfe tcam usage tcam-stage ingress app fw-inet6-rpf detail
show pfe tcam usage tcam-stage ingress app fw-inet6-rpf list-related-apps
show pfe tcam usage tcam-stage ingress app fw-inet6-rpf list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-inet6-rpf shared-usage
show pfe tcam usage tcam-stage ingress app fw-inet6-rpf shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-l2-in
<get-pfe-tcam-usage-ingress-app-fw-l2-in>
show pfe tcam usage tcam-stage ingress app fw-l2-in detail
show pfe tcam usage tcam-stage ingress app fw-l2-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-l2-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-l2-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-l2-in shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-mpls-in
<get-pfe-tcam-usage-ingress-app-fw-mpls-in>
show pfe tcam usage tcam-stage ingress app fw-mpls-in detail
show pfe tcam usage tcam-stage ingress app fw-mpls-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-mpls-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-mpls-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-mpls-in shared-usage detail
show pfe tcam usage tcam-stage ingress app fw-vpls-in
<get-pfe-tcam-usage-ingress-app-fw-vpls-in>
show pfe tcam usage tcam-stage ingress app fw-vpls-in detail
show pfe tcam usage tcam-stage ingress app fw-vpls-in list-related-apps
show pfe tcam usage tcam-stage ingress app fw-vpls-in list-shared-apps
show pfe tcam usage tcam-stage ingress app fw-vpls-in shared-usage
show pfe tcam usage tcam-stage ingress app fw-vpls-in shared-usage detail
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-egr
<get-pfe-tcam-usage-ingress-app-gr-ifl-statistics-egr>
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-egr detail
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-egr list-related-apps
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-egr list-shared-apps
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-egr shared-usage
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-egr shared-usage detail
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-ing
<get-pfe-tcam-usage-ingress-app-gr-ifl-statistics-ing>
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-ing detail
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-ing list-related-apps
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-ing list-shared-apps
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-ing shared-usage
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-ing shared-usage detail
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-preing
<get-pfe-tcam-usage-ingress-app-gr-ifl-statistics-preing>
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-preing detail
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-preing list-related-apps
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-preing list-shared-apps
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-preing shared-usage
show pfe tcam usage tcam-stage ingress app gr-ifl-stats-preing shared-usage detail
show pfe tcam usage tcam-stage ingress app ifl-statistics-in
<get-pfe-tcam-usage-ingress-app-ifl-statistics-in>
show pfe tcam usage tcam-stage ingress app ifl-statistics-in detail
show pfe tcam usage tcam-stage ingress app ifl-statistics-in list-related-apps
show pfe tcam usage tcam-stage ingress app ifl-statistics-in list-shared-apps
show pfe tcam usage tcam-stage ingress app ifl-statistics-in shared-usage
show pfe tcam usage tcam-stage ingress app ifl-statistics-in shared-usage detail
show pfe tcam usage tcam-stage ingress app ipsec-reverse-fil
<get-pfe-tcam-usage-ingress-app-ipsec-reverse-fil>
show pfe tcam usage tcam-stage ingress app ipsec-reverse-fil detail
show pfe tcam usage tcam-stage ingress app ipsec-reverse-fil list-related-apps
show pfe tcam usage tcam-stage ingress app ipsec-reverse-fil list-shared-apps
show pfe tcam usage tcam-stage ingress app ipsec-reverse-fil shared-usage
show pfe tcam usage tcam-stage ingress app ipsec-reverse-fil shared-usage detail
show pfe tcam usage tcam-stage ingress app irb-fixed-cos
<get-pfe-tcam-usage-ingress-app-irb-fixed-cos>
show pfe tcam usage tcam-stage ingress app irb-fixed-cos detail
show pfe tcam usage tcam-stage ingress app irb-fixed-cos list-related-apps
show pfe tcam usage tcam-stage ingress app irb-fixed-cos list-shared-apps
show pfe tcam usage tcam-stage ingress app irb-fixed-cos shared-usage
show pfe tcam usage tcam-stage ingress app irb-fixed-cos shared-usage detail
show pfe tcam usage tcam-stage ingress app irb-inet6-fil
<get-pfe-tcam-usage-ingress-app-irb-inet6-fil>
show pfe tcam usage tcam-stage ingress app irb-inet6-fil detail
show pfe tcam usage tcam-stage ingress app irb-inet6-fil list-related-apps
show pfe tcam usage tcam-stage ingress app irb-inet6-fil list-shared-apps
show pfe tcam usage tcam-stage ingress app irb-inet6-fil shared-usage
show pfe tcam usage tcam-stage ingress app irb-inet6-fil shared-usage detail
show pfe tcam usage tcam-stage ingress app lfm-802.3ah-in
<get-pfe-tcam-usage-ingress-app-lfm-802.3ah-in>
show pfe tcam usage tcam-stage ingress app lfm-802.3ah-in detail
show pfe tcam usage tcam-stage ingress app lfm-802.3ah-in list-related-apps
show pfe tcam usage tcam-stage ingress app lfm-802.3ah-in list-shared-apps
show pfe tcam usage tcam-stage ingress app lfm-802.3ah-in shared-usage
show pfe tcam usage tcam-stage ingress app lfm-802.3ah-in shared-usage detail
show pfe tcam usage tcam-stage ingress app lo0-inet-fil
<get-pfe-tcam-usage-ingress-app-lo0-inet-fil>
show pfe tcam usage tcam-stage ingress app lo0-inet-fil detail
show pfe tcam usage tcam-stage ingress app lo0-inet-fil list-related-apps
show pfe tcam usage tcam-stage ingress app lo0-inet-fil list-shared-apps
show pfe tcam usage tcam-stage ingress app lo0-inet-fil shared-usage
show pfe tcam usage tcam-stage ingress app lo0-inet-fil shared-usage detail
show pfe tcam usage tcam-stage ingress app lo0-inet6-fil
<get-pfe-tcam-usage-ingress-app-lo0-inet6-fil>
show pfe tcam usage tcam-stage ingress app lo0-inet6-fil detail
show pfe tcam usage tcam-stage ingress app lo0-inet6-fil list-related-apps
show pfe tcam usage tcam-stage ingress app lo0-inet6-fil list-shared-apps
show pfe tcam usage tcam-stage ingress app lo0-inet6-fil shared-usage
show pfe tcam usage tcam-stage ingress app lo0-inet6-fil shared-usage detail
show pfe tcam usage tcam-stage ingress app mac-drop-cnt
<get-pfe-tcam-usage-ingress-app-mac-drop-cnt>
show pfe tcam usage tcam-stage ingress app mac-drop-cnt detail
show pfe tcam usage tcam-stage ingress app mac-drop-cnt list-related-apps
show pfe tcam usage tcam-stage ingress app mac-drop-cnt list-shared-apps
show pfe tcam usage tcam-stage ingress app mac-drop-cnt shared-usage
show pfe tcam usage tcam-stage ingress app mac-drop-cnt shared-usage detail
show pfe tcam usage tcam-stage ingress app mrouter-port-in
<get-pfe-tcam-usage-ingress-app-mrouter-port-in>
show pfe tcam usage tcam-stage ingress app mrouter-port-in detail
show pfe tcam usage tcam-stage ingress app mrouter-port-in list-related-apps
show pfe tcam usage tcam-stage ingress app mrouter-port-in list-shared-apps
show pfe tcam usage tcam-stage ingress app mrouter-port-in shared-usage
show pfe tcam usage tcam-stage ingress app mrouter-port-in shared-usage detail
show pfe tcam usage tcam-stage ingress app napt-reverse-fil
<get-pfe-tcam-usage-ingress-app-napt-reverse-fil>
show pfe tcam usage tcam-stage ingress app napt-reverse-fil detail
show pfe tcam usage tcam-stage ingress app napt-reverse-fil list-related-apps
show pfe tcam usage tcam-stage ingress app napt-reverse-fil list-shared-apps
show pfe tcam usage tcam-stage ingress app napt-reverse-fil shared-usage
show pfe tcam usage tcam-stage ingress app napt-reverse-fil shared-usage detail
show pfe tcam usage tcam-stage ingress app no-local-switching
<get-pfe-tcam-usage-ingress-app-no-local-switching>
show pfe tcam usage tcam-stage ingress app no-local-switching detail
show pfe tcam usage tcam-stage ingress app no-local-switching list-related-apps
show pfe tcam usage tcam-stage ingress app no-local-switching list-shared-apps
show pfe tcam usage tcam-stage ingress app no-local-switching shared-usage
show pfe tcam usage tcam-stage ingress app no-local-switching shared-usage detail
show pfe tcam usage tcam-stage ingress detail
<get-pfe-tcam-usage-ingress-tcam-stage-detail>
show pfe tcam usage tcam-stage pre-ingress
<get-pfe-tcam-usage-pre-ingress-tcam-stage>
show pfe tcam usage tcam-stage pre-ingress app
<get-pfe-tcam-usage-pre-ingress-app>
show pfe tcam usage tcam-stage pre-ingress app cos-fc
<get-pfe-tcam-usage-pre-ingress-app-cos-fc>
show pfe tcam usage tcam-stage pre-ingress app cos-fc detail
show pfe tcam usage tcam-stage pre-ingress app cos-fc list-related-apps
show pfe tcam usage tcam-stage pre-ingress app cos-fc list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app cos-fc shared-usage
show pfe tcam usage tcam-stage pre-ingress app cos-fc shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app fw-fbf
<get-pfe-tcam-usage-pre-ingress-app-fw-fbf>
show pfe tcam usage tcam-stage pre-ingress app fw-fbf detail
show pfe tcam usage tcam-stage pre-ingress app fw-fbf list-related-apps
show pfe tcam usage tcam-stage pre-ingress app fw-fbf list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app fw-fbf shared-usage
show pfe tcam usage tcam-stage pre-ingress app fw-fbf shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app fw-fbf-inet6
<get-pfe-tcam-usage-pre-ingress-app-fw-fbf-inet6>
show pfe tcam usage tcam-stage pre-ingress app fw-fbf-inet6 detail
show pfe tcam usage tcam-stage pre-ingress app fw-fbf-inet6 list-related-apps
show pfe tcam usage tcam-stage pre-ingress app fw-fbf-inet6 list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app fw-fbf-inet6 shared-usage
show pfe tcam usage tcam-stage pre-ingress app fw-fbf-inet6 shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app fw-semantics
<get-pfe-tcam-usage-pre-ingress-app-fw-semantics>
show pfe tcam usage tcam-stage pre-ingress app fw-semantics detail
show pfe tcam usage tcam-stage pre-ingress app fw-semantics list-related-apps
show pfe tcam usage tcam-stage pre-ingress app fw-semantics list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app fw-semantics shared-usage
show pfe tcam usage tcam-stage pre-ingress app fw-semantics shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app ifd-src-mac-fil
<get-pfe-tcam-usage-pre-ingress-app-ifd-src-mac-fil>
show pfe tcam usage tcam-stage pre-ingress app ifd-src-mac-fil detail
show pfe tcam usage tcam-stage pre-ingress app ifd-src-mac-fil list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app ifd-src-mac-fil shared-usage
show pfe tcam usage tcam-stage pre-ingress app ifd-src-mac-fil shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app ing-out-iff
<get-pfe-tcam-usage-pre-ingress-app-ing-out-iff>
show pfe tcam usage tcam-stage pre-ingress app ing-out-iff detail
show pfe tcam usage tcam-stage pre-ingress app ing-out-iff list-related-apps
show pfe tcam usage tcam-stage pre-ingress app ing-out-iff list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app ing-out-iff shared-usage
show pfe tcam usage tcam-stage pre-ingress app ing-out-iff shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val
<get-pfe-tcam-usage-pre-ingress-app-ip-mac-val>
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val detail
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val list-related-apps
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val shared-usage
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val-bcast
<get-pfe-tcam-usage-pre-ingress-app-ip-mac-val-bcast>
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val-bcast detail
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val-bcast list-related-apps
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val-bcast list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val-bcast shared-usage
show pfe tcam usage tcam-stage pre-ingress app ip-mac-val-bcast shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app rfc2544-layer2-in
<get-pfe-tcam-usage-pre-ingress-app-rfc2544-layer2-in>
show pfe tcam usage tcam-stage pre-ingress app rfc2544-layer2-in detail
show pfe tcam usage tcam-stage pre-ingress app rfc2544-layer2-in list-related-apps
show pfe tcam usage tcam-stage pre-ingress app rfc2544-layer2-in list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app rfc2544-layer2-in shared-usage
show pfe tcam usage tcam-stage pre-ingress app rfc2544-layer2-in shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-mcast
<get-upper-level-xml-name-vpls-mesh-group-mcast>
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-mcast detail
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-mcast list-related-apps
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-mcast list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-mcast shared-usage
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-mcast shared-usage detail
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-ucast
<get-upper-level-xml-name-vpls-mesh-group-ucast>
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-ucast detail
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-ucast list-related-apps
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-ucast list-shared-apps
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-ucast shared-usage
show pfe tcam usage tcam-stage pre-ingress app vpls-mesh-group-ucast shared-usage detail
show pfe tcam usage tcam-stage pre-ingress detail
<get-pfe-tcam-usage-pre-ingress-tcam-stage-detail>
show pfe terse
<get-pfe-information>

show pfe version brief


show pfe version detail
show pgm
show pgm negative-acknowledgments
<get-pgm-nak>

show pgm source-path-messages


<get-pgm-source-path-messages>

show pgm statistics


<get-pgm-statistics>

show pim
show pim bidirectional
show pim bidirectional df-election
<get-pim-bidir-df-election-information>
show pim bidirectional df-election interface
<get-pim-bidir-df-election-interface-information>
show pim bootstrap
<get-pim-bootstrap-information>

show pim interfaces


<get-pim-interfaces-information>

show pim join


<get-pim-join-information>

show pim mdt


<get-pim-mdt-information>

show pim mdt data-mdt-joins


<get-pim-data-mdt-join-information>
show pim mvpn
<get-pim-mvpn-information>

show pim neighbors


<get-pim-neighbors-information>

show pim rps


<get-pim-rps-information>
show pim snooping
show pim snooping interfaces
show pim snooping join
show pim snooping neighbors
show pim snooping statistics
show pim source
<get-pim-source-information>

show pim statistics


<get-pim-statistics-information>

show policy
show policy conditions
show policy damping
show ppp
show ppp address-pool
<get-ppp-address-pool-information>

show ppp interface


<get-ppp-interface-information>

show ppp statistics


<get-ppp-statistics-information>

show ppp summary


<get-ppp-summary-information>

show pppoe
show pppoe interfaces
<get-pppoe-interface-information>
show pppoe lockout
<get-pppoe-lockout-information>
show pppoe lockout atm-identifier
<get-pppoe-lockout-atm-information>
show pppoe lockout vlan-identifier
<get-pppoe-lockout-vlan-information>

show pppoe service-name-tables


<get-pppoe-service-name-table-information>

show pppoe statistics


<get-pppoe-statistics-information>

show pppoe underlying-interfaces


<get-pppoe-underlying-interface-information>

show pppoe version


<get-pppoe-version>
show programmable-rpd
show programmable-rpd clients
<get-programmable-rpd-client-information>

show protection-group
show protection-group ethernet-aps
<show-protection-group-ethernet-aps>
show protection-group ethernet-ring
show protection-group ethernet-ring aps
<get-raps-pdu-information>
show protection-group ethernet-ring data-channel
<get-ring-data-channel-information>
show protection-group ethernet-ring interface
<get-ring-interface-information>
show protection-group ethernet-ring node-state
<get-raps-state-machine-information>
show protection-group ethernet-ring statistics
<get-ring-tatistics>
show protection-group ethernet-ring vlan
<get-ring-vlan-information>
show ptp
show ptp clock

<get-ptp-clock>
show ptp global-information
<get-ptp-global-information>
show ptp hybrid
show ptp hybrid config
<get-ptp-hybrid-mapping>
show ptp hybrid status
<get-ptp-hybrid-status>
show ptp last-tod-update
<get-last-tod-update>
show ptp lock-status
<get-ptp-lock-status>
show ptp master
<get-ptp-master>
show ptp path-trace
<get-ptp-path-trace>
show ptp port
<get-ptp-port>
show ptp quality-level-mapping
<get-ptp-quality-level-mapping>
show ptp slave
<get-ptp-slave>
show ptp stateful
<get-ptp-stateful>
show ptp statistics
<get-ptp-statistics>
show r2cp
show r2cp interfaces
<get-r2cp-interface-information>
show r2cp radio
<get-r2cp-radio-information>
show r2cp sessions
<get-r2cp-session-information>
show r2cp statistics
<get-r2cp-statistics>
show redundant-power-system
show redundant-power-system led
show redundant-power-system multi-backup
<get-rps-scale-information>
show redundant-power-system network
<get-rps-network-information>
show redundant-power-system power-supply
show redundant-power-system status
show redundant-power-system upgrade
<get-rps-upgrade-information>
show redundant-power-system version
show rip
show rip general-statistics
<get-rip-general-statistics-information>

show rip neighbor


<get-rip-neighbor-information>

show rip statistics


<get-rip-statistics-information>
show rip statistics peer
<get-rip-peer-information>
show ripng
show ripng general-statistics
<get-ripng-general-statistics-information>

show ripng neighbor


<get-ripng-neighbor-information>
show ripng statistics
<get-ripng-statistics-information>
show route
<get-route-information>

show route cumulative


<get-route-cumulative>

show route export


<get-rtexport-table-information>

show route export instance


<get-rtexport-instance-information>

show route localization


<get-fib-localization-information>
show route export vrf-target
<get-rtexport-target-information>

show route flow


show route flow validation
<get-rtflow-dep-information>

show route forwarding-table


<get-forwarding-table-information>

show route instance


<get-instance-information>

show route instance operational


<get-operational-routing-instance-information>

show route martians


<get-route-martians>
show route resolution
<get-route-resolution-information>
show route resolution summary
<get-route-resolution-summary>
show route resolution unresolved
show route rib-groups
<get-route-rib-groups>
show route snooping
<get-route-snooping-information>
show route snooping summary
<get-route-snooping-summary>
show route summary
<get-route-summary-information>

show rsvp
show rsvp interface
<get-rsvp-interface-information>

show rsvp neighbor


<get-rsvp-neighbor-information>

show rsvp route-session-id


<get-rsvp-route-session-id-information>

show rsvp session

<get-rsvp-session-information>

show rsvp statistics


<get-rsvp-statistics-information>

show rsvp version


<get-rsvp-version-information>

show sap
show sap listen
<get-sap-listen-information>
show security group-vpn member kek
show security group-vpn member kek security-associations
<get-gvpn-kek-security-associations-information>

show services
show services accounting
<get-service-accounting-information>

show services accounting aggregation


<get-service-accounting-aggregation-information>

show services accounting aggregation as


<get-service-accounting-aggregation-as-information>

show services accounting aggregation destination-prefix


<get-service-accounting-aggregation-destination-prefix-information>

show services accounting aggregation protocol-port


<get-service-accounting-aggregation-protocol-port-information>

show services accounting aggregation source-destination-prefix


<get-service-accounting-aggregation-source-destination-prefix-information>

show services accounting aggregation source-prefix


<get-service-accounting-aggregation-source-prefix-information>

show services accounting aggregation template


<get-service-accounting-aggregation-template-information>

show services accounting errors


<get-service-accounting-errors-information>

show services accounting flow


<get-service-accounting-flow-information>

show services accounting flow-detail


<get-service-accounting-flow-detail>

show services accounting memory


<get-service-accounting-memory-information>

show services accounting packet-size-distribution


<get-packet-distribution-information>

show services accounting status


<get-service-accounting-status-information>

show services accounting usage


<get-service-accounting-usage-information>

show services alg


show services alg conversations
<get-service-msp-alg-conversation-information>
show services alg sip-globals
<get-service-msp-alg-sip-globals-information>
show services alg statistics
show services application-aware-access-list
show services application-aware-access-list flows
show services application-aware-access-list flows interface
<get-application-aware-access-list-flows-interface>
show services application-aware-access-list flows subscriber
<get-application-aware-access-list-flows-subscriber>
show services application-aware-access-list statistics
show services application-aware-access-list statistics interface
<get-application-aware-access-list-statistics-interface>
show services application-aware-access-list statistics subscriber
<get-application-aware-access-list-statistics-subscriber>
show services application-identification
show services application-identification application
show services application-identification application detail
<get-appid-application-signature-detail>
show services application-identification application summary
<get-appid-application-signature-summary>
show services application-identification application-system-cache
<get-appid-application-system-cache>

show services application-identification counter


<get-appid-counter>
show services application-identification counter ssl-encrypted-sessions
<get-appid-counter-encrypted>
show services application-identification group
show services application-identification group detail

<get-appid-application-group-detail>
show services application-identification group summary
<get-appid-application-group-summary>
show services application-identification statistics
show services application-identification statistics application-groups
<get-appid-application-group-statistics>
show services application-identification statistics applications
<get-appid-application-statistics>
show services application-identification status
<get-appid-staus-information>
show services application-identification version
<get-appid-package-version>

show services border-signaling-gateway


show services border-signaling-gateway accounting
show services border-signaling-gateway accounting statistics
<get-service-border-signaling-gateway-charging-statistics>
show services border-signaling-gateway accounting status
<get-service-border-signaling-gateway-charging-status>
show services border-signaling-gateway admission-control
<get-service-border-signaling-gateway-statistics-admission-control>

show services border-signaling-gateway by-call-context-id


<get-service-bsg-information-by-call-context-id>

show services border-signaling-gateway by-contact


<get-service-border-signaling-gateway-information-by-contact>

show services border-signaling-gateway by-request-uri


<get-service-border-signaling-gateway-information-by-request-uri>

show services border-signaling-gateway calls


<get-service-border-signaling-gateway-statistics-calls>

show services border-signaling-gateway calls-duration


<get-service-border-signaling-gateway-calls-duration>

show services border-signaling-gateway calls-failed

show services border-signaling-gateway charging


show services border-signaling-gateway charging statistics
<get-service-border-signaling-gateway-charging-statistics>
show services border-signaling-gateway charging status
<get-service-border-signaling-gateway-charging-status>
show services border-signaling-gateway denied-messages
<get-service-bsg-denied-messages>

show services border-signaling-gateway embedded-spdf


<get-service-border-signaling-gateway-embedded-spdf>

show services border-signaling-gateway embedded-spdf status


<get-service-border-signaling-gateway-embedded-spdf-status>

show services border-signaling-gateway name-resolution-cache

show services border-signaling-gateway name-resolution-cache all


<get-service-border-signaling-gateway-name-resolution-cache-all>

show services border-signaling-gateway name-resolution-cache by-fqdn


<get-border-signaling-gateway-name-resolution-cache-by-fqdn>
show services border-signaling-gateway status
<get-service-bsg-status-information>
show services captive-portal-content-delivery
show services captive-portal-content-delivery pic
<get-cpcd-pic-information>
show services captive-portal-content-delivery profile
<get-cpcd-profile>
show services captive-portal-content-delivery rule
<get-cpcd-rule>
show services captive-portal-content-delivery ruleset
<get-cpcd-rule-set>
show services captive-portal-content-delivery sset
<get-cpcd-service-set>
show services captive-portal-content-delivery statistics
<get-cpcd-pic-statistics>
show services captive-portal-content-delivery statistics interface
show services capture
<get-service-capture>
show services cos
show services cos statistics
<get-service-cos-statistics-information>

show services cos statistics diffserv


<get-service-cos-diffserv-statistics>

show services cos statistics forwarding-class


<get-service-cos-forwarding-class-statistics>

show services crtp


<get-service-crtp-params-information>

show services crtp extensive


<get-service-crtp-extensive-information>

show services crtp flows


<get-service-crtp-flow-table-information>

show services dynamic-flow-capture


show services dynamic-flow-capture content-destination
<get-services-dynamic-flow-capture-content-destination-information>

show services dynamic-flow-capture control-source


<get-services-dynamic-flow-capture-control-source-information>

show services dynamic-flow-capture statistics


<get-services-dfc-statistics-information>
show extension-service
show extension-service status
<jet-application-status>
show services fips
show system commit synchronize-server pending-jobs
<get-pending-commit-sync-jobs>
show services fips pic
show services fips pic status
<get-fips-pic-status-information>

show services flow-collector


<get-services-flow-collector-information>

show services flow-collector file


<get-services-flow-collector-file-information>

show services flow-collector input


<get-services-flow-collector-input-information>

show services flow-table


show services flow-table statistics
<get-flow-table-statistics-information>

show services flows


<get-service-msp-flow-table-information>

show services ggsn


show services ggsn diagnostics
show services ggsn diagnostics pdp
<get-pdp-diagnostics-per-apn>

show services ggsn statistics


<get-ggsn-statistics>

show services ggsn statistics apn


<get-ggsn-apn-statistics-information>

show services ggsn statistics charging


<get-ggsn-charging-statistics-information>

show services ggsn statistics gtp


<get-ggsn-gtp-statistics-information>

show services ggsn statistics gtp-prime


<get-ggsn-gtp-prime-statistics-information>

show services ggsn statistics imsi


<get-ggsn-imsi-user-information>

show services ggsn statistics l2tp-tunnel


<get-ggsn-l2tp-tunnel-statistics-information>

show services ggsn statistics msisdn


show services ggsn statistics radius
<get-ggsn-radius-statistics-information>

show services ggsn statistics sgsn


<get-ggsn-sgsn-statistics-information>

show services ggsn status


<get-ggsn-interface-information>

show services ggsn trace


show services ggsn trace all
<get-ggsn-trace>

show services ggsn trace imsi


<get-ggsn-imsi-trace>

show services ggsn trace msisdn


<get-ggsn-msisdn-trace>
show services ha
<get-service-ha-info>
show services hcm
show services hcm pic-statistics
<get-service-hcm-pic-statistics-information>
show services ids
show services ids destination-table
<get-service-ids-destination-table-information>

show services ids pair-table


<get-service-ids-pair-table-information>

show services ids source-table


<get-service-ids-source-table-information>

show services inline


show services inline ip-reassembly
show services inline ip-reassembly statistics
show services inline nat
show services inline nat mappings
show services inline nat mappings nptv6
<get-inline-nat-mapping-nptv6-information>
show services inline nat pool
<get-inline-nat-pool-information>
show services inline nat statistics
<get-inline-nat-statistics-information>
show services inline softwire
show services inline softwire statistics
<get-inline-service-sw-statistics-information>
show services inline stateful-firewall
show services inline stateful-firewall flows
<get-inline-sfw-flow-table-information>
show services inline stateful-firewall statistics

<get-inline-sfw-statistics-information>
show services ipsec-vpn
show services ipsec-vpn ike
show services ipsec-vpn ike security-associations
<get-ike-services-security-associations-information>

show services ipsec-vpn ike statistics


<get-ike-services-statistics>
show services ipsec-vpn ipsec
show services ipsec-vpn ipsec security-associations
<get-services-security-associations-information>

show services ipsec-vpn ipsec statistics


<get-services-ipsec-statistics-information>

show services l2tp


show services l2tp client
<get-l2tp-client-information>
show services l2tp destination
<get-l2tp-destination-information>
show services l2tp destination lockout
<get-services-l2tp-destination-lockout>
show services l2tp disconnect-cause-summary
<get-l2tp-disconnect-cause-summary>
show services l2tp multilink
<get-l2tp-multilink-information>

show services l2tp radius


show services l2tp radius accounting
show services l2tp radius accounting servers
<get-services-l2tp-radius-accounting-servers-information>

show services l2tp radius accounting statistics


<get-services-l2tp-radius-accounting-statistics-information>

show services l2tp radius authentication


show services l2tp radius authentication servers
<get-services-l2tp-radius-authentication-servers-information>

show services l2tp radius authentication statistics


<get-services-l2tp-radius-authentication-statistics-information>

show services l2tp radius servers


<get-services-l2tp-radius-authentication-accounting-servers-information>

show services l2tp radius statistics


<get-services-l2tp-radius-authentication-accounting-statistics-information>

show services l2tp session


<get-l2tp-session-information>
show services l2tp session-limit-group
<get-l2tp-session-limit-group-information>

show services l2tp summary


<get-l2tp-summary-information>

show services l2tp tunnel


<get-l2tp-tunnel-information>
show services l2tp tunnel-group
<get-l2tp-tunnel-group-information>

show services l2tp user


<get-l2tp-user-information>
show services link-services
show services link-services cpu-usage
<get-link-services-cpu-usage>

show services local-policy-decision-function


show services local-policy-decision-function flows
show services local-policy-decision-function flows interface
<get-local-policy-decision-function-flows-interface>
show services local-policy-decision-function flows subscriber
<get-local-policy-decision-function-flows-subscriber>
show services local-policy-decision-function statistics
show services local-policy-decision-function statistics interface
<get-local-policy-decision-function-statistics-interface>
show services local-policy-decision-function statistics subscriber
<get-local-policy-decision-function-statistics-subscriber>
show services logging
show services logging history
show services logging history client
show services logging logfiles
show services match-policies
<get-services-match-policies>
show services mobile
show services mobile hcm
show services mobile hcm statistics
show services nat
show services nat ipv6-multicast-interfaces
<get-service-nat-ipv6-multicast-information>

show services nat deterministic-nat


show services nat deterministic-nat internal-host
show services nat deterministic-nat nat-port-block
show services nat mappings
<get-service-nat-mapping-address-pooling-paired>
show services nat mappings endpoint-independent
<get-service-nat-mapping-endpoint-independent>
show services nat mappings brief
<get-service-nat-mapping-brief>
show services nat mappings detail
<get-service-nat-mapping-detail>
show services nat mappings pcp
show services nat mappings summary
<get-service-nat-mapping-summary>
show services nat pool
<get-service-nat-pool-information>
show services pcp
show services pgcp
show services pgcp active-configuration
<get-pgcpd-active-configuration>

show services pgcp active-configuration gateway


<get-service-pgcp-active-configuration-gateway>

show services pgcp conversations


<get-service-pgcp-conversation-information>

show services pgcp conversations gateway

<get-service-pgcp-conversation-information-gateway>

show services pgcp flows


<get-service-pgcp-flow-table-information>

show services pgcp flows gateway


<get-service-pgcp-flow-table-information-gateway>

show services pgcp gate


<get-service-pgcp-gate>

show services pgcp gate gateway


<get-service-pgcp-gate-gateway>

show services pgcp gates


<get-service-pgcp-gates>

show services pgcp gates gateway


<get-service-pgcp-gates-gateway>

show services pgcp root-termination


<get-services-pgcpd-root-termination>

show services pgcp root-termination gateway


<get-services-pgcpd-root-termination-gateway>

show services pgcp statistics


<get-service-pgcp-statistics>

show services pgcp statistics gateway


<get-service-pgcp-statistics-gateway>

show services pgcp terminations


<get-service-pgcp-terminations>

show services pgcp terminations gateway


<get-service-pgcp-terminations-gateway>
show services redundancy-group
<get-services-redundancy-group-information>
show services redundancy-group rg-id
<get-services-redundancy-group-id-information>

show services rpm


show services rpm active-servers
<get-active-servers>

show services rpm history-results


<get-history-results>

show services rpm probe-results


<get-probe-results>

show services rpm twamp


<twamp-information>
show services rpm twamp client
<twamp-client-information>
show services rpm twamp client connection
<twamp-client-connection-information>
show services rpm twamp client history-results
<twamp-get-history-results>
show services rpm twamp client probe-results

<twamp-get-probe-results>
show services rpm twamp client session
<twamp-client-test-session>
show services rpm twamp server
<twamp-server-information>
show services rpm twamp server connection
<twamp-server-connection-information>
show services rpm twamp server session
<twamp-server-session-information>
show services server-load-balance
show services server-load-balance external-manager
show services server-load-balance external-manager information
show services server-load-balance external-manager statistics
<get-external-manager-statistics-information>
show services server-load-balance hash-table
<get-hash-table-information>
show services server-load-balance health-monitor
show services server-load-balance health-monitor information
<get-real-server-health-monitor-information>
show services server-load-balance health-monitor statistics
<get-real-server-health-monitor-statistics-information>
show services server-load-balance real-server
show services server-load-balance real-server statistics
<get-real-server-statistics-information>
show services server-load-balance real-server-group
show services server-load-balance real-server-group information
<get-real-server-group-information>
show services server-load-balance real-server-group statistics
<get-real-server-group-statistics-information>
show services server-load-balance sticky
<get-sticky-table-information>
show services server-load-balance virtual-server
show services server-load-balance virtual-server information
<get-virtual-server-information>
show services server-load-balance virtual-server statistics
<get-virtual-server-statistics-information>
show services service-identification
show services service-identification header-redirect
show services service-identification header-redirect statistics
<get-header-redirect-set-statistics-information>

show services service-identification statistics


<get-service-identification-statistics-information>

show services service-identification uri-redirect


show services service-identification uri-redirect statistics
<get-uri-redirect-set-statistics-information>

show services service-sets


show services service-sets cpu-usage
<get-service-set-cpu-statistics>

show services service-sets memory-usage


<get-service-set-memory-statistics>

show services service-sets memory-usage zone


show services service-sets plug-ins
<get-service-set-plugin-summary>

show services service-sets statistics


show services service-sets statistics drop-flow-limit

<get-service-set-drop-flow-statistics>
show services service-sets statistics ids
show services service-sets statistics ids drops
<get-service-set-ids-drops-statistics>
show services service-sets statistics jflow-log
<get-service-set-jflow-log-statistics>
show services service-sets statistics packet-drops
<get-service-set-packet-drop-statistics>

show services service-sets statistics syslog


<get-service-set-syslog-statistics>
show services service-sets statistics tcp
<get-service-set-tcp-tracker-statistics>
show services service-sets statistics tcp-mss
<get-service-set-tcp-mss-statistics>

show services service-sets summary


<get-service-set-summary-information>

show services sessions


<get-msp-session-table>
show services sessions analysis
<show-service-msp-session-analysis-information>
show services sessions count
<get-service-msp-sess-count-information>
show services sessions utilization
<get-services-sessions-utilization>

show services softwire


<get-service-softwire-table-information>

show services softwire flows


<get-service-fwnat-flow-table-information>

show services softwire statistics


<get-service-softwire-statistics-information>

show services stateful-firewall


show services stateful-firewall flow-analysis
<get-service-flow-analysis-information>
show services stateful-firewall conversations
<get-service-sfw-conversation-information>

show services stateful-firewall flows


<get-service-sfw-flow-table-information>
show services stateful-firewall redundancy-statistics
<get-service-sfw-redundancy-statistics>

show services stateful-firewall sip-call


<get-service-sfw-sip-call-information>

show services stateful-firewall sip-register


<get-service-sfw-sip-register-information>

show services stateful-firewall statistics


<get-service-sfw-statistics-information>

show services stateful-firewall statistics application-protocol


<et-sfw-application-protocol-statistics>
show services stateful-firewall subscriber-analysis

<get-service-subs-analysis-information>
show services subscriber
show services subscriber bandwidth
show services subscriber bandwidth client-id
<get-services-subscriber-bandwidth-by-session-id>
show services subscriber bandwidth interface
<get-services-subscriber-bandwidth-by-interface>
show services subscriber bandwidth ip-address
<get-services-subscriber-bandwidth-by-ip-address>
show services subscriber bandwidth service-interface
<get-services-subscriber-bandwidth-by-service-interface>
show services subscriber dynamic-policies
<get-services-subscriber-dynamic-policies>
show services subscriber flows
<get-services-subscriber-flows>
show services subscriber sessions
<get-services-subscriber-session>
show services subscriber statistics
<get-services-subscriber-statistics>
show services traffic-detection-function
show services traffic-detection-function hcm
show services traffic-detection-function hcm statistics
<get-service-tdf-hcm-sessions-stats>
show services traffic-detection-function sessions
<get-service-tdf-sessions-information>
show services traffic-load-balance
show services traffic-load-balance statistics
<get-traffic-load-balance-statistics>
show services unified-access-control
show services unified-access-control authentication-table
<get-uac-auth-table>
show services unified-access-control counters
<get-uac-counters>
show services unified-access-control policies
<get-uac-policies>
show services unified-access-control roles
<get-uac-role-entries>
show services unified-access-control status
<get-uac-status>
show services video-monitoring
<get-service-video-monitoring-information>
show services video-monitoring mdi
<get-service-video-monitoring-mdi-information>
show services video-monitoring mdi alarms
<get-services-video-monitoring-mdi-alarms-information>
show services video-monitoring mdi alarms errors
<get-services-video-monitoring-mdi-alarms-errors-information>
show services video-monitoring mdi alarms stats
<get-services-video-monitoring-mdi-alarms-stats-information>
show services video-monitoring mdi errors
<get-service-video-monitoring-mdi-errors-information>
show services video-monitoring mdi flow
<get-service-video-monitoring-mdi-flows-information>
show services video-monitoring mdi stats
<get-service-video-monitoring-mdi-stats-information>
show shmlog
show shmlog argument-mappings
<get-shmlog-argument-mappings>
show shmlog configuration
<show-shmlog-configuration>
show shmlog entries

<show-shmlog-entries>
show shmlog logs-summary
<show-shmlog-logsummary>
show shmlog statistics
<show-shmlog-statistics>
show snmp
show snmp health-monitor
<get-health-monitor-information>

show snmp health-monitor alarms


<get-health-monitor-alarm-information>

show snmp health-monitor logs


<get-health-monitor-log-information>
show snmp health-monitor routing-engine
show snmp health-monitor routing-engine history
<get-health-monitor-routing-engine-history>
show snmp health-monitor routing-engine history cpu
<get-routing-engine-cpu-history>
show snmp health-monitor routing-engine history memory
<get-routing-engine-memory-history>
show snmp health-monitor routing-engine history open-files-count
<get-routing-engine-fd-history>
show snmp health-monitor routing-engine history process-count
<get-routing-engine-pcount-history>
show snmp health-monitor routing-engine history storage
<get-routing-engine-storage-history>
show snmp health-monitor routing-engine history temperature
<get-routing-engine-temperature-history>
show snmp health-monitor routing-engine status
<get-health-monitor-routing-engine-information>
show snmp health-monitor routing-engine status detail

show snmp inform-statistics


<get-snmp-inform-statistics>

show snmp mib


show snmp mib get
<get-snmp-object>

show snmp mib get-next


<get-next-snmp-object>

show snmp mib walk


<get-walk-snmp-object>

show snmp proxy


show snmp rmon
<get-rmon-information>

show snmp rmon alarms


<get-rmon-alarm-information>

show snmp rmon events


<get-rmon-event-information>

show snmp rmon history


<get-rmon-history-information>

show snmp rmon logs


<get-rmon-log-information>

show snmp statistics
<get-snmp-information>
show snmp v3
<get-snmp-v3-information>
show snmp v3 access
<get-snmp-v3-access-information>
show snmp v3 community
<get-snmp-v3-community-information>
show snmp v3 general
<get-snmp-v3-general-information>
show snmp v3 groups
<get-snmp-v3-group-information>
show snmp v3 notify
<get-snmp-v3-notify-information>
show snmp v3 notify filter
<get-snmp-v3-notify-filter-information>
show snmp v3 target
<get-snmp-v3-target-information>
show snmp v3 target address
<get-snmp-v3-target-address-information>
show snmp v3 target parameters
<get-snmp-v3-target-parameters-information>
show snmp v3 users
<get-snmp-v3-usm-user-information>
show spanning-tree
show spanning-tree bridge
<get-stp-bridge-information>
show spanning-tree interface
<get-stp-interface-information>
show spanning-tree mstp
show spanning-tree mstp configuration
<get-mstp-configuration-information>
show spanning-tree statistics
<get-stp-interface-statistics>
show spanning-tree statistics bridge
show spanning-tree statistics interface
show spanning-tree statistics routing-instance
<get-stp-routing-instance-statistics>
show spanning-tree stp-buffer
show spanning-tree stp-buffer see-all
show ssl-certificates
<get-ssl-certificate-information>
show static-subscribers
show static-subscribers sessions
show subscribers
<get-subscribers>
show subscribers summary
<get-subscribers-summary>

Administration Guide for Security Devices

<get-syslog-filenames>
show synchronous-ethernet
show synchronous-ethernet esmc
show synchronous-ethernet esmc statistics
show synchronous-ethernet esmc transmit
show synchronous-ethernet global-information
show system
show system alarms
<get-system-alarm-information>
show system auto-snapshot
show system boot-messages
show system buffers
show system certificate
show system commit
<get-commit-information>
show system commit revision
<get-commit-revision-information>
show system commit server
<get-commit-server-information>
show system commit ephemeral
<get-ephemeral-commit-information>
show system commit server queue
<get-commit-server-queue-information>
show system commit synchronize-server
show system configuration
show system configuration archival
<get-system-archival>
show system configuration rescue
<get-rescue-information>
show system connections
show system core-dumps
<get-system-core-dumps>
show system core-dumps core-file-info
<get-core-file-information>
show system core-dumps kernel-crashinfo
show system core-dumps satellite
<get-core-file-satellite>
show system core-dumps transfer-status
show system diagnostics
show system diagnostics inventory
show system diagnostics usage
show system directory-usage
<get-directory-usage-information>
show system firmware
<get-system-firmware-information>
show system khms-stats
show system license
<get-license-summary-information>
show system license installed
<get-license-information>
show system license key-content
show system license keys
<get-license-key-information>
show system license usage
<get-license-usage-summary>
show system login
show system login lockout
<get-system-login-lockout-information>
show system memory
show system processes
show system processes brief
show system processes esc-node
show system processes extensive
show system processes health
<get-process-health-information>
show system processes providers
show system processes host-processes detail
show system processes providers
show system processes resource-limits
<get-system-process-resource-limits>
show system processes summary
show system queues
show system reboot
show system resource-cleanup
show system resource-cleanup processes
<get-system-resource-cleanup-processes-information>
<get-resource-monitor-fpc-information>
<get-resource-monitor-fpc-slot-information>
show system rollback
<get-rollback-information>
show system services
show system services dhcp
show system services dhcp binding
<get-dhcp-binding-information>
show system services dhcp conflict
<get-dhcp-conflict-information>
show system services dhcp global
<get-dhcp-global-information>
show system services dhcp pool
<get-dhcp-pool-information>
show system services dhcp statistics
<get-dhcp-statistics-information>
show system services reverse
<get-system-services-reverse-information>
show system services service-deployment
<get-service-deployment-service-information>
show system snapshot
<get-snapshot-information>
show system software
show system software backup
<get-package-backup-information>
<get-software-installation-status>
show system software recovery-package
show system software rollback
<show-package-rollback>
show system statistics
<get-statistics-information>
show system statistics bridge
<get-system-bridge-statistics>
show system statistics extended
show system statistics vpls
show system storage
<get-system-storage>
show system storage partitions
<get-system-storage-partitions>
show system storage satellite
<get-system-storage-satellite>
show system subscriber-management
show system subscriber-management arp
<get-subscriber-management-arp>
show system subscriber-management arp address
<get-subscriber-management-arp-address>
show system subscriber-management arp interface
<get-subscriber-management-arp-interface>
show system subscriber-management ipv6-neighbors
<get-subscriber-management-ipv6-neighbors>
show system subscriber-management ipv6-neighbors address
<get-subscriber-management-ipv6-neighbor-address>
show system subscriber-management ipv6-neighbors interface
<get-subscriber-management-ipv6-neighbor-interface>
show system subscriber-management route
<get-subscriber-management-route>
show system subscriber-management route next-hop
<get-subscriber-management-route-nh>
show system subscriber-management route prefix
show system subscriber-management route summary
<get-subscriber-management-route-summary>
show system subscriber-management statistics
<get-subscriber-management-statistics>
show system subscriber-management summary
show system switchover
<get-switchover-information>
show system uptime
<get-system-uptime-information>
show system users
<get-system-users-information>
show system virtual-memory
show system yang
show system yang package
<get-system-yang-packages>
show task
show task io
show task logical-system-mux
<get-lrmuxd-task-information>
show task logical-system-mux io
<get-lrmuxd-tasks-io-statistics>
show task logical-system-mux memory
<get-lrmuxd-task-memory>
show task memory
show task replication
<get-routing-task-replication-state>
show task snooping
show task snooping io
show task snooping memory
<get-snooping-task-memory-information>
show ted
show ted database
<get-ted-database-information>
show ted link
<get-ted-link-information>
show ted protocol
<get-ted-protocol-information>
show unified-edge
show unified-edge gateways
show unified-edge ggsn-pgw
show unified-edge ggsn-pgw aaa
show unified-edge ggsn-pgw aaa network-element
show unified-edge ggsn-pgw aaa network-element status
show unified-edge ggsn-pgw aaa network-element-group
show unified-edge ggsn-pgw aaa network-element-group status
show unified-edge ggsn-pgw aaa radius
show unified-edge ggsn-pgw aaa radius statistics
show unified-edge ggsn-pgw aaa statistics
show unified-edge ggsn-pgw address-assignment
show unified-edge ggsn-pgw address-assignment group
show unified-edge ggsn-pgw address-assignment pool
show unified-edge ggsn-pgw address-assignment service-mode
show unified-edge ggsn-pgw address-assignment statistics
show unified-edge ggsn-pgw apn
show unified-edge ggsn-pgw apn service-mode
show unified-edge ggsn-pgw apn statistics
show unified-edge ggsn-pgw call-rate
show unified-edge ggsn-pgw call-rate statistics
show unified-edge ggsn-pgw charging
show unified-edge ggsn-pgw charging global
show unified-edge ggsn-pgw charging global statistics
show unified-edge ggsn-pgw charging local-persistent-storage
show unified-edge ggsn-pgw charging local-persistent-storage statistics
show unified-edge ggsn-pgw charging path
show unified-edge ggsn-pgw charging path statistics
show unified-edge ggsn-pgw charging path status
show unified-edge ggsn-pgw charging service-mode
show unified-edge ggsn-pgw charging transfer
show unified-edge ggsn-pgw charging transfer statistics
show unified-edge ggsn-pgw charging transfer status
show unified-edge ggsn-pgw charging trigger-profile
show unified-edge ggsn-pgw gtp
show unified-edge ggsn-pgw gtp peer
show unified-edge ggsn-pgw gtp peer count
show unified-edge ggsn-pgw gtp peer history
show unified-edge ggsn-pgw gtp peer statistics
show unified-edge ggsn-pgw gtp statistics
show unified-edge ggsn-pgw ip-reassembly
show unified-edge ggsn-pgw ip-reassembly statistics
show unified-edge ggsn-pgw resource-manager
show unified-edge ggsn-pgw resource-manager clients

show unified-edge ggsn-pgw service-mode
show unified-edge ggsn-pgw statistics
show unified-edge ggsn-pgw statistics traffic-class
show unified-edge ggsn-pgw status
show unified-edge ggsn-pgw status gtp-peer
show unified-edge ggsn-pgw status preemption-list
show unified-edge ggsn-pgw status session-state
show unified-edge ggsn-pgw subscribers
show unified-edge ggsn-pgw subscribers charging
show unified-edge ggsn-pgw subscribers traffic-class
show unified-edge ggsn-pgw system
show unified-edge ggsn-pgw system interfaces
show unified-edge ggsn-pgw system interfaces service-mode
show unified-edge sgw
show unified-edge sgw call-rate
show unified-edge sgw call-rate statistics
show unified-edge sgw charging
show unified-edge sgw charging global
show unified-edge sgw charging global statistics
show unified-edge sgw charging local-persistent-storage
show unified-edge sgw charging local-persistent-storage statistics
show unified-edge sgw charging path
show unified-edge sgw charging path statistics
show unified-edge sgw charging path status
show unified-edge sgw charging service-mode
show unified-edge sgw charging transfer
show unified-edge sgw charging transfer statistics
show unified-edge sgw charging transfer status
show unified-edge sgw charging trigger-profile
show unified-edge sgw gtp
show unified-edge sgw gtp peer
show unified-edge sgw gtp peer count
show unified-edge sgw gtp peer history
show unified-edge sgw gtp peer statistics
show unified-edge sgw gtp statistics
show unified-edge sgw idle-mode-buffering
show unified-edge sgw idle-mode-buffering statistics
show unified-edge sgw ip-reassembly
show unified-edge sgw ip-reassembly statistics
show unified-edge sgw resource-manager
show unified-edge sgw resource-manager clients
show unified-edge sgw service-mode
show unified-edge sgw statistics
show unified-edge sgw status
show unified-edge sgw status gtp-peer
show unified-edge sgw status preemption-list
show unified-edge sgw status session-state
show unified-edge sgw subscribers
show unified-edge sgw subscribers charging
show unified-edge sgw system
show unified-edge sgw system interfaces
show unified-edge sgw system interfaces service-mode
<get-mobile-serving-gateway-interface-service-mode>
show unified-edge tdf
show unified-edge tdf aaa
show unified-edge tdf aaa radius
show unified-edge tdf aaa radius client
show unified-edge tdf aaa radius client statistics
<radius-client-statistics>
show unified-edge tdf aaa radius client status
show unified-edge tdf aaa radius network-element

show unified-edge tdf aaa radius network-element statistics
<get-aaa-radius-element-statistics>
show unified-edge tdf aaa radius network-element status
<get-aaa-radius-element-status>
show unified-edge tdf aaa radius server
show unified-edge tdf aaa radius server statistics
<radius-server-statistics>
show unified-edge tdf aaa radius server status
<get-aaa-radius-server-status>
show unified-edge tdf aaa radius snoop-segment
show unified-edge tdf aaa radius snoop-segment statistics
<radius-snoop-segment-statistics>
show unified-edge tdf aaa statistics
<get-tdf-gateway-aaa-statistics>
show unified-edge tdf address-assignment
show unified-edge tdf address-assignment pool
<get-tdf-gateway-sm-ippool-pool-information>
show unified-edge tdf address-assignment service-mode
<get-tdf-address-assign-service-mode>
show unified-edge tdf address-assignment statistics
<get-tdf-gateway-sm-ippool-statistics>
show unified-edge tdf call-admission-control
show unified-edge tdf call-admission-control statistics
<get-tdf-cac-statistics>
show unified-edge tdf call-rate
show unified-edge tdf call-rate statistics
<get-tdf-call-rate-statistics>
show unified-edge tdf diameter
show unified-edge tdf diameter network-element
show unified-edge tdf diameter network-element statistics
<get-diameter-network-element-statistics>
show unified-edge tdf diameter network-element status
<get-diamieter-network-element-status>
show unified-edge tdf diameter pcc-gx
show unified-edge tdf diameter pcc-gx statistics
<get-diameter-statistics-gx>
show unified-edge tdf diameter peer
show unified-edge tdf diameter peer statistics
<get-gateway-diameter-peer-statistics>
show unified-edge tdf diameter peer status
<get-diameter-peer-status>
show unified-edge tdf domain
show unified-edge tdf domain service-mode
<get-mobile-gateways-domain-service-mode>
show unified-edge tdf domain statistics
<get-mobile-gateways-domain-statistics>
show unified-edge tdf resource-manager
show unified-edge tdf resource-manager clients
<get-mobile-gateway-tdf-client-status-information>
show unified-edge tdf service-mode
<get-tdf-gateway-service-mode>
show unified-edge tdf statistics
<get-tdf-statistics>
show unified-edge tdf status
<get-tdf-gateway-status>
show unified-edge tdf status subscriber-state
<get-tdf-gateways-status-state>
show unified-edge tdf subscribers
<get-tdf-gateway-subscribers>
show unified-edge tdf subscribers data-plane
<get-tdf-gateway-subscriber-dataplane-statistics>

show unified-edge tdf subscribers stuck
<get-tdf-gateway-stuck-subscribers>
show unified-edge tdf system
show unified-edge tdf system interfaces
<get-tdf-interfaces-information>
show unified-edge tdf system interfaces service-mode
<get-mobile-tdf-interface-service-mode>
show version
<get-software-information>

show virtual-chassis
show virtual-chassis active-topology
<get-virtual-chassis-active-topology>
show virtual-chassis device-topology
<get-virtual-chassis-device-topology>
show virtual-chassis fast-failover
<get-virtual-chassis-fast-failover>
show virtual-chassis heartbeat
<get-virtual-chassis-heartbeat-information>
show virtual-chassis login
<get-virtual-chassis-login>
show virtual-chassis mode
<get-virtual-chassis-mode-information>
show virtual-chassis protocol
show virtual-chassis protocol adjacency
<get-virtual-chassis-adjacency-information>
show virtual-chassis protocol database
<get-virtual-chassis-database-information>
show virtual-chassis protocol interface
<get-virtual-chassis-interface-information>
show virtual-chassis protocol route
<get-virtual-chassis-route-information>
show virtual-chassis protocol statistics
<get-virtual-chassis-statistics-information>
show virtual-chassis status
<get-virtual-chassis-information>
show virtual-chassis vc-path
<get-virtual-chassis-packet-path>
show virtual-chassis vc-port
<get-virtual-chassis-port-information>
show virtual-chassis vc-port diagnostics
show virtual-chassis vc-port diagnostics optics
<get-virtual-chassis-optics-diagnostics>
show virtual-chassis vc-port lag-hash
<get-virtual-chassis-port-lag-hash-information>
show virtual-chassis vc-port statistics
<get-virtual-chassis-port-statistics>
show vlans
<get-vlan-information>
show vlans operational
<get-operational-vlan-instance-information>
show vlans satellite
<get-satellite-control-bridge-domain>
show vmhost
show vmhost bridge
<get-vmhost-bridge-information>
show vmhost crash
<get-vmhost-crash-information>
show vmhost hardware
<get-vmhost-hardware>
show vmhost information

<get-vmhost-information>
show vmhost logs
<get-vmhost-logs-information>
show vmhost management-if
<get-vmhost-management-if-info>
show vmhost netstat
<get-vmhost-netstat>
show vmhost processes
<get-vmhost-processes-information>
show vmhost resource-usage
<get-vmhost-resource-usage-information>
show vmhost snapshot
<get-vmhost-snapshot-information>
show vmhost status
<get-vmhost-staus>
show vmhost uptime
<get-vmhost-uptime>
show vmhost version
<get-vmhost-version-information>

show vpls
show vpls connections
<get-vpls-connection-information>
show vpls flood
show vpls flood event-queue
<get-vpls-event-queue-information>
show vpls flood route
show vpls flood route all-ce-flood
<get-vpls-all-ce-flood-route-information>
show vpls flood route all-flood
<get-vpls-all-flood-route-information>
show vpls flood route alt-root-flood
<get-vpls-alt-root-flood-route-information>
show vpls flood route ce-flood
<get-vpls-ce-flood-route-information>
show vpls flood route mlp-flood
<get-vpls-mlp-flood-route-information>
show vpls flood route re-flood
<get-vpls-re-flood-route-information>
show vpls mac-table
<get-vpls-mac-table>
show vpls mac-table interface
<get-vpls-interface-mac-table>
show vpls statistics
<get-vpls-statistics-information>
show vrrp
show vrrp interface
show vrrp track
test interface
test interface fdl-line-loop

test interface fdl-line-loop ansi
test interface fdl-line-loop ansi initiate
test interface fdl-line-loop ansi terminate
test interface fdl-line-loop bellcore
test interface fdl-line-loop bellcore initiate
test interface fdl-line-loop bellcore terminate
test interface fdl-payload-loop
test interface fdl-payload-loop ansi
test interface fdl-payload-loop ansi initiate
test interface fdl-payload-loop ansi terminate
test interface fdl-payload-loop bellcore
test interface fdl-payload-loop bellcore initiate
test interface fdl-payload-loop bellcore terminate
test interface inband-line-loop
test interface inband-line-loop ansi
test interface inband-line-loop ansi initiate
test interface inband-line-loop ansi terminate
test interface inband-line-loop bellcore
test interface inband-line-loop bellcore initiate
test interface inband-line-loop bellcore terminate
test interface inband-line-loop initiate
test interface inband-line-loop terminate
test interface inband-payload-loop
test interface inband-payload-loop ansi
test interface inband-payload-loop ansi initiate
test interface inband-payload-loop ansi terminate
test interface inband-payload-loop bellcore
test interface inband-payload-loop bellcore initiate
test interface inband-payload-loop bellcore terminate
test msdp
test msdp dependent-peers
test msdp rpf-peer
test policy
Configuration Hierarchy Levels
[edit dynamic-profiles routing-instances instance services mobile-ip home-agent enable-service]
[edit logical-systems routing-instances instance services mobile-ip home-agent enable-service]
[edit logical-systems services mobile-ip home-agent enable-service]
[edit routing-instances instance services mobile-ip home-agent enable-service]
[edit services mobile-ip home-agent enable-service]

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56

view-configuration

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Can view all of the configuration (not including secrets).

Commands No associated CLI commands.

Configuration Hierarchy Levels No associated CLI configuration hierarchy levels and statements.

Related Documentation
• Access Privilege User Permission Flags Overview on page 80
• Understanding Junos OS Access Privilege Levels on page 7
• Example: Configuring User Permissions with Access Privilege Levels on page 39
• Example: Configuring User Permissions with Access Privileges for Operational Mode Commands on page 44
• Example: Configuring User Permissions with Access Privileges for Configuration Statements and Hierarchies on page 56


CHAPTER 5

Configuring Authentication Methods

• Configuring RADIUS Server Authentication on page 337
• Example: Configuring a RADIUS Server for System Authentication on page 340
• Configuring TACACS+ Authentication on page 343
• Example: Configuring a TACACS+ Server for System Authentication on page 346
• Example: Configuring Authentication Order on page 349

Configuring RADIUS Server Authentication

Supported Platforms SRX Series

RADIUS authentication is a method of authenticating users who attempt to access the
router or switch.

NOTE: This feature is supported on SRX1500, SRX5400, SRX5600, and
SRX5800 devices.

The Junos OS supports two protocols for central authentication of users on multiple
routers: RADIUS and TACACS+. We recommend RADIUS because it is a multivendor
IETF standard, and its features are more widely accepted than those of TACACS+ or
other proprietary systems. In addition, we recommend using a one-time-password system
for increased security; all vendors of these systems support RADIUS.

You should use RADIUS when your priorities are interoperability and performance:

• Interoperability—RADIUS is more interoperable than TACACS+, primarily because of
the proprietary nature of TACACS+. While TACACS+ supports more protocols, RADIUS
is universally supported.

• Performance—RADIUS is much lighter on your routers and switches and for this reason,
network engineers generally prefer RADIUS over TACACS+.

To use RADIUS authentication on the device, configure information about one or more
RADIUS servers on the network by including one radius-server statement at the [edit
system] hierarchy level for each RADIUS server.

Because remote authentication is configured on multiple devices, it is commonly
configured inside of a configuration group. As such, the steps shown here are in a
configuration group called global. Using a configuration group is optional.

To configure authentication by a RADIUS server:

1. Add an IPv4 or IPv6 server address.

• Configure an IPv4 source address and server address:

[edit groups global]
user@host# set system radius-server server-address source-address source-address

For example:

[edit groups global]
user@host# set system radius-server 192.168.17.28 source-address 192.168.17.1

• Configure an IPv6 source address and server address:

[edit groups global system radius-server server-address]
user@host# set server-address secret "secretkey" source-address source-address

For example:

[edit groups global system radius-server ::17.22.22.162]
user@host# set secret $9$ABC123 source-address ::17.22.22.1

The source address is a valid IPv4 or IPv6 address configured on one of the router
or switch interfaces. This configuration sets a fixed address as the source address
for locally generated IP packets.

Server address is a unique IPv4 or IPv6 address that is assigned to a particular server
and used to route information to the server. If the Junos OS device has several
interfaces that can reach the RADIUS server, assign an IP address that Junos OS
can use for all its communication with the RADIUS server.

2. Include a shared secret password.

You must specify a password in the secret password statement. If the password
contains spaces, enclose it in quotation marks. The secret password used by the local
router or switch must match that used by the server. The secret password configures
the password that the Junos OS device uses to access the RADIUS server.

[edit groups global system radius-server server-address]
user@host# set secret password

For example:

[edit groups global system radius-server 192.168.69.162]
user@host# set secret $9$ABC123ABC123

3. If necessary, specify a port on which to contact the RADIUS server.

By default, port number 1812 is used (as specified in RFC 2865).

NOTE: You can also specify an accounting port to send accounting packets
with the accounting-port statement. The default is 1813 (as specified in
RFC 2866).

[edit groups global system radius-server server-address]
user@host# set port port-number

For example:

[edit groups global system radius-server 192.168.69.162]
user@host# set port 1845

4. Specify the order in which Junos OS attempts authentication.

You must include the authentication-order statement in your remote authentication
configuration.

The example assumes your network includes both RADIUS and TACACS+ servers. In
this example, whenever a user attempts to log in, Junos OS begins by querying the
RADIUS server for authentication. If it fails, it next attempts authentication with locally
configured user accounts. Finally the TACACS+ server is tried.

[edit groups global system]
user@host# set authentication-order [ authentication-methods ]

For example:

[edit groups global system]
user@host# set authentication-order [ radius password tacplus ]

5. Assign a login class to RADIUS-authenticated users.

You can assign different user templates and login classes to RADIUS-authenticated
users. This allows RADIUS-authenticated users to be granted different administrative
permissions on the Junos OS device. By default, RADIUS-authenticated users use the
remote user template and are assigned to the associated class, which is specified in
the remote user template, if the remote user template is configured. The username
remote is a special case in Junos OS. It acts as a template for users who are
authenticated by a remote server, but do not have a locally-configured user account
on the device. In this method, Junos OS applies the permissions of the remote template
to those authenticated users without a locally defined account. All users mapped to
the remote template are of the same login class.

In the Junos OS configuration, a user template is configured in the same way as a
regular local user account, except that no local authentication password is configured
because the authentication is remotely performed on the RADIUS server.

• To use the same permissions for all RADIUS-authenticated users:

[edit groups global system login]
user@host# set user remote class class

For example:

[edit groups global system login]
user@host# set user remote class super-user

• To have different login classes be used for different RADIUS-authenticated users,
granting them different permissions:

a. Create multiple user templates in the Junos OS configuration.

Every user template can be assigned a different login class.

For example:

[edit groups global system login]
set user RO class read-only
set user OP class operator
set user SU class super-user
set user remote full-name "default remote access user template"
set user remote class read-only

b. Have the RADIUS server specify the name of the user template to be applied to
the authenticated user.

For a RADIUS server to indicate which user template is to be applied, it needs to
include the Juniper-Local-User-Name attribute (Vendor 2636, type 1, string)
Juniper VSA (vendor-specific attribute) in the RADIUS Access-Accept message.
The string value in the Juniper-Local-User-Name must correspond to the name
of a configured user template on the device. For a list of relevant Juniper RADIUS
VSAs, see Juniper Networks Vendor-Specific RADIUS Attributes.

If the Juniper-Local-User-Name is not included in the Access-Accept message
or the string contains a user template name that does not exist on the device,
the user is assigned to the remote user template, if configured. If it is not
configured, authentication fails for the user.

After logging in, the remotely authenticated user retains the same username
that was used to log in. However, the user inherits the user class from the assigned
user template.

In a RADIUS server, users can be assigned a Juniper-Local-User-Name string,
which indicates the user template to be used in the Junos OS device. From the
previous example, the string would be RO, OP, or SU.

Configuration of the RADIUS server depends on the server being used. For
instructions for the Juniper Steel-Belted Radius server, see Steel-Belted Radius
(SBR) Enterprise. For information on using FreeRADIUS, see
http://kb.juniper.net/InfoCenter/index?page=content&id=KB19446.
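
The following Python script is an added example (not Juniper's code) that models the device side of steps 2 and 5b above: it checks an Access-Accept against the shared secret using the RFC 2865 Response Authenticator, extracts the Juniper-Local-User-Name VSA (vendor 2636, type 1), and applies the template-selection rule described above. The shared secret, Request Authenticator, packet identifiers and template table are constructed sample values for the demonstration.

```python
import hashlib
import hmac
import struct

# Values taken from the page: Juniper's vendor ID and the VSA type of Juniper-Local-User-Name.
JUNIPER_VENDOR_ID = 2636
JUNIPER_LOCAL_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 Vendor-Specific attribute
CODE_ACCESS_ACCEPT = 2

# Constructed sample data (not captured from a real server): the shared secret used in
# the page's later example, a fixed 16-byte Request Authenticator, and the user
# templates from step 5a mapped to their login classes.
SECRET = b"Radiussecret1"
REQUEST_AUTH = bytes(range(16))
TEMPLATES = {"RO": "read-only", "OP": "operator", "SU": "super-user",
             "remote": "read-only"}


def build_juniper_vsa(vendor_type, value):
    """Encode one Juniper VSA inside a Vendor-Specific (26) attribute:
    Type | Length | Vendor-Id(4) | Vendor-Type | Vendor-Length | Value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", JUNIPER_VENDOR_ID) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier, request_auth, secret, attrs):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_auth, secret):
    """Device side: trust the reply only if it was produced with the same shared secret
    and matches the Request Authenticator of the outstanding Access-Request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(attrs):
    """Yield (type, value) for each attribute TLV; reject truncated or zero-length TLVs."""
    i = 0
    while i + 2 <= len(attrs):
        attr_type, attr_len = attrs[i], attrs[i + 1]
        if attr_len < 2 or i + attr_len > len(attrs):
            raise ValueError("malformed RADIUS attribute at offset %d" % i)
        yield attr_type, attrs[i + 2:i + attr_len]
        i += attr_len


def juniper_local_user_name(attrs):
    """Return the Juniper-Local-User-Name string carried in the reply, or None if absent."""
    for attr_type, value in parse_attributes(attrs):
        if attr_type != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != JUNIPER_VENDOR_ID:
            continue
        j = 4
        while j + 2 <= len(value):
            vsa_type, vsa_len = value[j], value[j + 1]
            if vsa_len < 2 or j + vsa_len > len(value):
                break
            if vsa_type == JUNIPER_LOCAL_USER_NAME:
                return value[j + 2:j + vsa_len].decode("utf-8", "replace")
            j += vsa_len
    return None


def select_login_class(attrs, templates):
    """Template rule from the page: a VSA naming a configured template wins; otherwise
    the 'remote' template applies if configured; otherwise None (login fails)."""
    name = juniper_local_user_name(attrs)
    if name is not None and name in templates:
        return templates[name]
    return templates.get("remote")


def process_reply(packet, request_auth, secret, templates):
    """Full device-side handling: integrity check first, then login-class selection.
    A reply with a bad authenticator or malformed attributes yields None."""
    if not verify_response_authenticator(packet, request_auth, secret):
        return None
    try:
        return select_login_class(packet[20:], templates)
    except ValueError:
        return None


if __name__ == "__main__":
    reply = build_access_accept(7, REQUEST_AUTH, SECRET,
                                build_juniper_vsa(JUNIPER_LOCAL_USER_NAME, b"OP"))
    print(process_reply(reply, REQUEST_AUTH, SECRET, TEMPLATES))    # operator
    print(process_reply(reply, REQUEST_AUTH, b"wrong", TEMPLATES))  # None
```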

Example: Configuring a RADIUS Server for System Authentication

Supported Platforms SRX Series, vSRX

This example shows how to configure a RADIUS server for system authentication.

• Requirements on page 341
• Overview on page 341
• Configuration on page 341
• Verification on page 343

Requirements
Before you begin:

• Perform the initial device configuration. See the Getting Started Guide for your device.

• Configure at least one RADIUS server. For more details, see RADIUS Authentication and
Accounting Servers Configuration Overview.

Overview
In this example, you add a new RADIUS server with an IP address of 172.16.98.1 and specify
the shared secret password of the RADIUS server as Radiussecret1. The secret is stored
as an encrypted value in the configuration database. Finally, you specify the source
address to be included in the RADIUS server requests by the device. In most cases you
can use the loopback address of the device, which in this example is 10.0.0.1.

Configuration

CLI Quick Configuration To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

set system radius-server address 172.16.98.1
set system radius-server 172.16.98.1 secret Radiussecret1
set system radius-server 172.16.98.1 source-address 10.0.0.1

GUI Step-by-Step Procedure To configure a RADIUS server for system authentication:

1. In the J-Web user interface, select Configure>System Properties>User Management.

2. Click Edit. The Edit User Management dialog box appears.

3. Select the Authentication Method and Order tab.

4. In the RADIUS section, click Add. The Add Radius Server dialog box appears.

5. In the IP Address box, type the server's 32-bit IP address.

6. In the Password and Confirm Password boxes, type the secret password for the server
and verify your entry.

7. In the Server Port box, type the appropriate port.

8. In the Source Address box, type the source IP address of the server.

9. In the Retry Attempts box, specify the number of times that the server should try to
verify the user’s credentials.

10. In the Time Out box, specify the amount of time (in seconds) the device should wait
for a response from the server.

11. Click OK to check your configuration and save it as a candidate configuration.

12. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.

To configure a RADIUS server for system authentication:

1. Add a new RADIUS server, identified by its IP address.

[edit system]
user@host# set radius-server 172.16.98.1

2. Specify the shared secret (password) of the RADIUS server.

[edit system]
user@host# set radius-server 172.16.98.1 secret Radiussecret1

3. Specify the device's loopback address as the source address.

[edit system]
user@host# set radius-server 172.16.98.1 source-address 10.0.0.1

Results

From configuration mode, confirm your configuration by entering the show system radius-server command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. On the device, the secret is displayed in its obfuscated $9$ form followed by the ## SECRET-DATA marker rather than in clear text as shown here; the $9$ format is reversible obfuscation, not encryption, so treat configuration backups that contain it as sensitive.

[edit]
user@host# show system radius-server
radius-server 172.16.98.1 {
secret Radiussecret1;
source-address 10.0.0.1;
}

If you are done configuring the device, enter commit from configuration mode.

Chapter 5: Configuring Authentication Methods

NOTE: To completely set up RADIUS authentication, you must also specify a system authentication order and create the local accounts or template accounts that RADIUS-authenticated users map to. See the following tasks:

• Configure a system authentication order. See “Example: Configuring Authentication Order” on page 349.

• Configure a user. See “Example: Configuring New Users” on page 17.

• Configure local user template accounts. See “Example: Creating Template Accounts” on page 21.

Verification
Confirm that the configuration is working properly.

Verifying the RADIUS Server System Authentication Configuration

Purpose Verify that the RADIUS server has been configured for system authentication.

Action From configuration mode, enter the show system radius-server command, or from operational mode enter the show configuration system radius-server command. The output lists the server address, its (obfuscated) secret, and the source address.
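The shared secret configured above never travels on the wire; the device's RADIUS client uses it to protect each request it sends. The following script is an added example, not Juniper code and not the internal implementation of the Junos RADIUS client. It builds an Access-Request for a CLI login the way RFC 2865 and RFC 2869 specify: the PAP password is obfuscated with MD5 keyed by the secret and a random Request Authenticator, and a Message-Authenticator (HMAC-MD5 over the packet) lets the server detect a wrong or tampered secret. The user name, password and NAS address are constructed; the secret is the one from this example.

```python
"""Build and verify a RADIUS Access-Request (added example; not Juniper code).

Shows the two places the shared secret from
'set system radius-server 172.16.98.1 secret Radiussecret1' is used on the wire:
  * PAP User-Password obfuscation (RFC 2865 section 5.2)
  * Message-Authenticator HMAC-MD5 over the packet (RFC 2869 section 5.14)
A RADIUS server selects the secret by the packet's source IP address, which is
why the source-address on the device must match the client entry on the server.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to a 16-byte multiple and XOR each block with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def pap_decode(blob: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of pap_encode; the previous *cipher* block feeds the next hash."""
    out, prev = b"", authenticator
    for i in range(0, len(blob), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = blob[i:i + 16]
        out += bytes(a ^ b for a, b in zip(prev, keystream))
    return out.rstrip(b"\x00")


def attr(code: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", code, len(value) + 2) + value


def build_access_request(username, password, secret, nas_ip, ident=0, authenticator=None):
    """Assemble the packet; ident/authenticator are parameters only so results are repeatable."""
    authenticator = authenticator or os.urandom(16)  # Request Authenticator: 16 random bytes
    attrs = attr(ATTR_USER_NAME, username.encode())
    attrs += attr(ATTR_USER_PASSWORD, pap_encode(password.encode(), secret, authenticator))
    attrs += attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    # Message-Authenticator is computed with its own value zeroed, then written in place.
    attrs += attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def parse_attrs(packet: bytes) -> dict:
    """Map attribute type -> value (last occurrence wins; enough for this demo)."""
    attrs, pos = {}, 20
    while pos < len(packet):
        code, length = packet[pos], packet[pos + 1]
        attrs[code] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Server-side check: recompute HMAC-MD5 with attribute 80 zeroed. Wrong secret -> False."""
    pos = 20
    while pos < len(packet):
        code, length = packet[pos], packet[pos + 1]
        if code == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + length:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + length])
        pos += length
    return False


if __name__ == "__main__":
    secret = b"Radiussecret1"  # secret from this example
    pkt = build_access_request("alice", "s3cret", secret, "10.0.0.1", ident=7)  # constructed user
    print("packet length:", len(pkt), "authenticator ok:", verify_message_authenticator(pkt, secret))
    print("with wrong secret:", verify_message_authenticator(pkt, b"wrong"))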

Related Documentation

• Understanding User Authentication Methods on page 12

• Understanding User Accounts on page 6

• Example: Configuring a TACACS+ Server for System Authentication on page 346

• Understanding Login Classes on page 3

Configuring TACACS+ Authentication

Supported Platforms M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

TACACS+ authentication is a method of authenticating users who attempt to access the router or switch. The TACACS+ configuration tasks are:

• Configuring TACACS+ Server Details on page 343

• Specifying a Source Address for the Junos OS to Access External TACACS+ Servers on page 344

• Configuring the Same Authentication Service for Multiple TACACS+ Servers on page 345

• Configuring Juniper Networks Vendor-Specific TACACS+ Attributes on page 345

Configuring TACACS+ Server Details


To use TACACS+ authentication on the router or switch, configure information about one or more TACACS+ servers on the network by including the tacplus-server statement at the [edit system] hierarchy level:

[edit system]
tacplus-server server-address {
port port-number;
secret password;
single-connection;
timeout seconds;
}

server-address is the address of the TACACS+ server.

port-number is the TACACS+ server port number.

You must specify a secret (password) that the local router or switch shares with the TACACS+ server by including the secret statement. If the password includes spaces, enclose it in quotation marks. The secret configured on the local router or switch must match the one configured on the server. This secret is the only protection TACACS+ applies to packet bodies (an MD5-based obfuscation, not strong encryption), so use a long random value and carry the traffic over a trusted or encrypted path.

Optionally, you can specify the length of time that the local router or switch waits to
receive a response from a TACACS+ server by including the timeout statement. By default,
the router or switch waits 3 seconds. You can configure this to be a value in the range
from 1 through 90 seconds.

Optionally, you can have the software maintain one open Transmission Control Protocol
(TCP) connection to the server for multiple requests, rather than opening a connection
for each connection attempt by including the single-connection statement.

NOTE: Early versions of the TACACS+ server do not support the single-connection option. If you specify this option and the server does not support it, the Junos OS will be unable to communicate with that TACACS+ server.

To configure multiple TACACS+ servers, include multiple tacplus-server statements.

To configure a set of users that share a single account for authorization purposes, you
create a template user. To do this, include the user statement at the [edit system login]
hierarchy level, as described in Overview of Template Accounts for RADIUS and TACACS+
Authentication.

Specifying a Source Address for the Junos OS to Access External TACACS+ Servers

You can specify which source address the Junos OS uses when accessing your network
to contact an external TACACS+ server for authentication. You can also specify which
source address the Junos OS uses when contacting a TACACS+ server for sending
accounting information.


To specify a source address for a TACACS+ server for authentication, include the
source-address statement at the [edit system tacplus-server server-address] hierarchy
level:

[edit system tacplus-server server-address]
source-address source-address;

source-address is a valid IP address configured on one of the router or switch interfaces.

To specify a source address for a TACACS+ server for system accounting, include the
source-address statement at the [edit system accounting destination tacplus server
server-address] hierarchy level:

[edit system accounting destination tacplus server server-address]
source-address source-address;

source-address is a valid IP address configured on one of the router or switch interfaces.

Configuring the Same Authentication Service for Multiple TACACS+ Servers

Supported Platforms SRX Series, vSRX

To configure the same authentication service for multiple TACACS+ servers, include
statements at the [edit system tacplus-server] and [edit system tacplus-options] hierarchy
levels. For information about how to configure a TACACS+ server at the [edit system
tacplus-server] hierarchy level, see “Configuring TACACS+ Authentication” on page 343.

To assign the same authentication service to multiple TACACS+ servers, include the
service-name statement at the [edit system tacplus-options] hierarchy level:

[edit system tacplus-options]
service-name service-name;

service-name is the name of the authentication service. By default, the service name is
set to junos-exec.

The following example shows how to configure the same authentication service for
multiple TACACS+ servers:

[edit system]
tacplus-server {
10.2.2.2 secret "$ABC123"; ## SECRET-DATA
10.3.3.3 secret "$ABC123"; ## SECRET-DATA
}
tacplus-options {
service-name bob;
}

Configuring Juniper Networks Vendor-Specific TACACS+ Attributes

Supported Platforms SRX Series, vSRX

The Juniper Networks Vendor-Specific TACACS+ Attributes enable you to configure access privileges for users on a TACACS+ server. They are specified in the TACACS+ server configuration file on a per-user basis. The Junos OS retrieves these attributes through an authorization request of the TACACS+ server after authenticating a user. You do not need to configure these attributes to run the Junos OS with TACACS+.

To specify these attributes, include a service statement of the following form in the
TACACS+ server configuration file:

service = junos-exec {
local-user-name = <username-local-to-router>
allow-commands = "<allow-commands-regex>"
allow-configuration-regexps = "<allow-configuration-regex>"
deny-commands = "<deny-commands-regex>"
deny-configuration-regexps = "<deny-configuration-regex>"
}

This service statement can appear in a user or group statement. The service name (junos-exec by default) must match the service-name configured under [edit system tacplus-options] on the device, because the device names that service in its authorization request and the server returns only the attributes of the matching stanza.
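The attributes in the junos-exec stanza reach the device inside a TACACS+ authorization RESPONSE. The script below is an added example, not Juniper code and not the Junos TACACS+ client: it encodes the authorization REQUEST a device sends after authentication (service=junos-exec), builds the server's RESPONSE carrying the Juniper attributes, and parses that RESPONSE back into attribute-value pairs. Both bodies are obfuscated with the shared secret using the MD5 pseudo-pad from RFC 8907 section 4.5, and the single-connection statement from the configuration above corresponds to the TAC_PLUS_SINGLE_CONNECT header flag. The user name, port, client address, session ID and regular expressions are constructed; the secret is the one used in the next example.

```python
"""TACACS+ authorization exchange carrying the Juniper attributes (added example; not Juniper code).

Packet layout and obfuscation follow RFC 8907: a 12-byte header
(version, type, seq_no, flags, session_id, length) and a body XORed with
MD5(session_id + secret + version + seq_no [+ previous digest]).
"""
import hashlib
import struct

VERSION = 0xC0                 # major version 0xC, minor version 0
TYPE_AUTHOR = 0x02             # authorization packet
FLAG_SINGLE_CONNECT = 0x04     # set when 'single-connection' is configured
AUTHOR_STATUS_PASS_ADD = 0x01  # server accepted and is adding attributes
HEADER = struct.Struct("!BBBBII")


def pseudo_pad(session_id, secret, version, seq_no, length):
    """Keystream of RFC 8907 section 4.5; each MD5 block chains the previous digest."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + secret + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, secret, version, seq_no):
    """XOR with the pseudo-pad; applying it twice returns the original body."""
    return bytes(a ^ b for a, b in zip(body, pseudo_pad(session_id, secret, version, seq_no, len(body))))


def author_request(user, port, rem_addr, args, session_id, secret, seq_no=1, single_connection=False):
    """Device -> server. authen_method TACACSPLUS(6), priv_lvl 1, authen_type ASCII(1), service LOGIN(1)."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    args = [a.encode() for a in args]
    body = struct.pack("!8B", 6, 1, 1, 1, len(user), len(port), len(rem_addr), len(args))
    body += bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)
    flags = FLAG_SINGLE_CONNECT if single_connection else 0
    header = HEADER.pack(VERSION, TYPE_AUTHOR, seq_no, flags, session_id, len(body))
    return header + obfuscate(body, session_id, secret, VERSION, seq_no)


def author_response(status, args, session_id, secret, seq_no=2):
    """Server -> device. No server_msg or data; the attribute-value pairs are the payload."""
    args = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(args), 0, 0)
    body += bytes(len(a) for a in args) + b"".join(args)
    header = HEADER.pack(VERSION, TYPE_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, secret, VERSION, seq_no)


def parse_author_response(packet, secret):
    """Device side: remove the obfuscation and return (status, {attribute: value})."""
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack(packet[:12])
    if ptype != TYPE_AUTHOR or len(packet) != 12 + length:
        raise ValueError("malformed TACACS+ authorization packet")
    body = obfuscate(packet[12:], session_id, secret, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lengths = body[6:6 + arg_cnt]
    pos = 6 + arg_cnt + msg_len + data_len
    avpairs = {}
    for n in lengths:
        pair = body[pos:pos + n].decode("ascii")
        sep = "=" if "=" in pair else "*"  # '=' mandatory, '*' optional (RFC 8907 section 6.1)
        key, _, value = pair.partition(sep)
        avpairs[key] = value
        pos += n
    return status, avpairs


if __name__ == "__main__":
    secret, session = b"Tacacssecret1", 0x1234ABCD  # session ID is a constructed value
    req = author_request("alice", "tty0", "192.0.2.10", ["service=junos-exec"], session, secret,
                         single_connection=True)
    resp = author_response(AUTHOR_STATUS_PASS_ADD,
                           ["service=junos-exec", "local-user-name=remote-ops",
                            "allow-commands=(show|ping).*",
                            "deny-commands=request system (reboot|halt)"], session, secret)
    print(len(req), "byte request;", parse_author_response(resp, secret))
```

A response de-obfuscated with the wrong secret yields garbage that does not parse, which is the failure mode you see as an authorization timeout or a malformed-packet error when the secret on the device and the server differ.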

Related Documentation

• Example: Configuring a TACACS+ Server for System Authentication on page 346

Example: Configuring a TACACS+ Server for System Authentication

Supported Platforms SRX Series, vSRX

This example shows how to configure a TACACS+ server for system authentication.

• Requirements on page 346
• Overview on page 346
• Configuration on page 346
• Verification on page 348

Requirements
Before you begin:

• Perform the initial device configuration. See the Getting Started Guide for your device.

• Configure at least one TACACS+ server.

Overview
In this example, you set the IP address of the TACACS+ server to 172.16.98.24 and its shared secret password to Tacacssecret1. The secret is stored in the configuration database in obfuscated ($9$) form, which hides it from casual viewing but is reversible, so protect configuration backups accordingly. You then set the device's loopback address, 10.0.0.1, as the source address.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set system tacplus-server 172.16.98.24 secret Tacacssecret1
set system tacplus-server 172.16.98.24 source-address 10.0.0.1

GUI Step-by-Step Procedure

To configure a TACACS+ server for system authentication:
1. In the J-Web user interface, select Configure>System Properties>User Management.

2. Click Edit. The Edit User Management dialog box appears.

3. Select the Authentication Method and Order tab.

4. In the TACACS section, click Add. The Add TACACS Server dialog box appears.

5. In the IP Address box, type the TACACS+ server's 32-bit IPv4 address.

6. In the Password and Confirm Password boxes, type the secret password for the server
and verify your entry.

7. In the Server Port box, type the appropriate port.

8. In the Source Address box, type the locally configured interface address, which is used
as the source address for TACACS+ packets.

NOTE: The Source Address box can accept either a hostname or an IP address.

9. In the Retry Attempts box, specify the number of times the device retries a request to this server before giving up on it and moving to the next server or authentication method.

10. In the Time Out box, specify the amount of time (in seconds) the device should wait
for a response from the server.

11. Click OK to check your configuration and save it as a candidate configuration.

12. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a TACACS+ server for system authentication:

1. Add a new TACACS+ server, identified by its IP address.

[edit system]
user@host# set tacplus-server 172.16.98.24

2. Specify the shared secret (password) of the TACACS+ server.

[edit system]
user@host# set tacplus-server 172.16.98.24 secret Tacacssecret1

3. Specify the device’s loopback address as the source address.

[edit system]
user@host# set tacplus-server 172.16.98.24 source-address 10.0.0.1

Results

From configuration mode, confirm your configuration by entering the show system tacplus-server command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it. On the device, the secret is displayed in its obfuscated $9$ form followed by the ## SECRET-DATA marker rather than in clear text as shown here.

[edit]
user@host# show system tacplus-server
tacplus-server 172.16.98.24 {
secret Tacacssecret1;
source-address 10.0.0.1;
}

If you are done configuring the device, enter commit from configuration mode.

NOTE: To completely set up TACACS+ authentication, you must also specify a system authentication order and create the local accounts or template accounts that TACACS+-authenticated users map to. See the following tasks:

• Configure a system authentication order. See “Example: Configuring Authentication Order” on page 349.

• Configure a user. See “Example: Configuring New Users” on page 17.

• Configure local user template accounts. See “Example: Creating Template Accounts” on page 21.

Verification
Confirm that the configuration is working properly.

Verifying the TACACS+ Server System Authentication Configuration

Purpose Verify that the TACACS+ server has been configured for system authentication.

Action From configuration mode, enter the show system tacplus-server command, or from operational mode enter the show configuration system tacplus-server command.


Related Documentation

• Understanding User Authentication Methods on page 12
• Understanding User Accounts on page 6

• Example: Configuring a RADIUS Server for System Authentication on page 340

• Understanding Login Classes on page 3

Example: Configuring Authentication Order

Supported Platforms SRX Series, vSRX

This example shows how to configure authentication order.

• Requirements on page 349
• Overview on page 349
• Configuration on page 349
• Verification on page 351

Requirements
Before you begin, perform the initial device configuration. See the Getting Started Guide
for your device.

Overview
You can configure the authentication methods that the device uses to verify that a user can gain access. For each login attempt, the device tries the authentication methods in order, starting with the first one, until one of them accepts the credentials; if a method rejects the user, the next method is tried, and if every method rejects the user, access is denied. If you do not configure system authentication, users are verified against their configured local passwords.

If password is not included in the authentication order, the local password is consulted only when none of the configured RADIUS or TACACS+ servers responds; a rejection by a server is then final. Keep this in mind when choosing where to place password: listing it first keeps local accounts usable even while the servers are reachable, whereas listing it last or omitting it makes the central servers authoritative and leaves local accounts only as a fallback for server outages.

This example configures the device to attempt user authentication with the local password first, then with the RADIUS server, and finally with the TACACS+ server.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

insert system authentication-order radius after password
insert system authentication-order tacplus after radius

The insert command requires the method named after the keyword after (here password) to already be present in the list. If authentication-order has not been configured yet, create the whole list with a single set system authentication-order [ password radius tacplus ] statement instead.

GUI Step-by-Step Procedure

To configure authentication order:
1. In the J-Web user interface, select Configure>System Properties>User Management.

2. Click Edit. The Edit User Management dialog box appears.

3. Select the Authentication Method and Order tab.


4. Under Available Methods, select the authentication method the device should use to
authenticate users, and use the arrow button to move the item to the Selected Methods
list. Available methods include:

• RADIUS

• TACACS+

• Local Password

If you want to use multiple methods to authenticate users, repeat this step to add the
additional methods to the Selected Methods list.

5. Under Selected Methods, use the Up Arrow and Down Arrow to specify the order in
which the device should execute the authentication methods.

6. Click OK to check your configuration and save it as a candidate configuration.

7. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure authentication order:

1. Add RADIUS authentication to the authentication order.

[edit]
user@host# insert system authentication-order radius after password

2. Add TACACS+ authentication to the authentication order.

[edit]
user@host# insert system authentication-order tacplus after radius

Results

From configuration mode, confirm your configuration by entering the show system authentication-order command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show system authentication-order
authentication-order [ password radius tacplus ];

If you are done configuring the device, enter commit from configuration mode.


NOTE: To completely set up RADIUS or TACACS+ authentication, you must configure at least one RADIUS or TACACS+ server and create the user or template accounts that remote users map to. See the following tasks:

• Configure a RADIUS server. See “Example: Configuring a RADIUS Server for System Authentication” on page 340.

• Configure a TACACS+ server. See “Example: Configuring a TACACS+ Server for System Authentication” on page 346.

• Configure a user. See “Example: Configuring New Users” on page 17.

• Configure template accounts. See “Example: Creating Template Accounts” on page 21.

Verification
Confirm that the configuration is working properly.

Verifying the Authentication Order Configuration

Purpose Verify that the authentication order has been configured.

Action From configuration mode, enter the show system authentication-order command, or from operational mode enter the show configuration system authentication-order command.
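The three preceding examples (RADIUS server, TACACS+ server, authentication order) only work together when every piece is present and consistent: each server needs a secret and a source address the server's client entry recognises, and each method in authentication-order needs a configured server behind it. The script below is an added example, not Juniper code; it lints the AAA statements in the text produced by show configuration | display set before you commit. The sample configuration embedded in it is constructed for illustration and mirrors the addresses used in this chapter.

```python
"""Lint the AAA statements of a Junos configuration in 'display set' form (added example; not Juniper code).

Run it on the output of 'show configuration | display set' before committing
RADIUS, TACACS+ and authentication-order changes. SAMPLE_CONFIG is constructed.
"""
import re
import sys

SERVER_RE = re.compile(r"^set system (radius-server|tacplus-server) (\S+) (\S+)(?: (.*))?$")
ORDER_RE = re.compile(r"^set system authentication-order (?:\[ ([^\]]+) \]|(\S+))$")

SAMPLE_CONFIG = """\
set system radius-server 172.16.98.1 secret "$9$constructed"
set system radius-server 172.16.98.1 source-address 10.0.0.1
set system tacplus-server 172.16.98.24 secret "$9$constructed"
set system authentication-order radius
set system authentication-order tacplus
"""


def parse_aaa(config_text):
    """Return ({(kind, address): {statement: value}}, [authentication methods in order])."""
    servers, order = {}, []
    for line in config_text.splitlines():
        m = SERVER_RE.match(line.strip())
        if m:
            kind, addr, statement, value = m.groups()
            servers.setdefault((kind, addr), {})[statement] = value
            continue
        m = ORDER_RE.match(line.strip())
        if m:
            order.extend((m.group(1) or m.group(2)).split())
    return servers, order


def lint_aaa(config_text):
    """Return a list of findings; an empty list means every check passed."""
    servers, order = parse_aaa(config_text)
    findings = []
    kinds = {kind for kind, _ in servers}
    for (kind, addr), stmts in sorted(servers.items()):
        if "secret" not in stmts:
            findings.append(f"{kind} {addr}: secret is missing (required)")
        if "source-address" not in stmts:
            findings.append(f"{kind} {addr}: no source-address; the server's client entry must "
                            "match whichever egress address the device picks")
    for method, kind in (("radius", "radius-server"), ("tacplus", "tacplus-server")):
        if method in order and kind not in kinds:
            findings.append(f"authentication-order lists {method} but no {kind} is configured")
    if servers and not order:
        findings.append("servers are configured but authentication-order is not set; "
                        "only local passwords are used")
    if order and "password" not in order:
        findings.append("password is not in authentication-order: local accounts are consulted "
                        "only when no server responds, never after a server rejects the user")
    elif len(order) > 1 and order[0] == "password":
        findings.append("password is first in authentication-order: local accounts are checked "
                        "before the AAA servers (intended if the device must stay reachable "
                        "during server outages; otherwise list the servers first)")
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    for finding in lint_aaa(text) or ["no findings"]:
        print(finding)
```

Run it as `python aaa_lint.py config.txt` against a saved `display set` listing, or with no argument to see the two findings the sample raises (the TACACS+ server has no source-address, and password is absent from the order).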

Related Documentation

• Understanding User Authentication Methods on page 12
• Understanding User Accounts on page 6

• Understanding Login Classes on page 3



PART 2

Configuring Remote Access to an SRX Series Appliance

• Configuring Secure Web Access on page 355
• Setting up USB Modems for Remote Management on page 363
• Configuring Telnet and SSH Access to an SRX Series Appliance on page 383



CHAPTER 6

Configuring Secure Web Access

• Secure Web Access Overview on page 355
• Generating an SSL Certificate Using the openssl Command on page 356
• Generating a Self-Signed SSL Certificate on page 356
• Manually Generating Self-Signed SSL Certificates on page 357
• Configuring Device Addresses on page 358
• Enabling Access Services on page 358
• Example: Configuring Secure Web Access on page 359
• Adding, Editing, and Deleting Certificates on the Device on page 362

Secure Web Access Overview

Supported Platforms SRX Series, vSRX

You can manage a Juniper Networks device remotely through the J-Web interface. To
communicate with the device, the J-Web interface uses the Hypertext Transfer Protocol
(HTTP). HTTP allows easy Web access but no encryption. The data that is transmitted
between the Web browser and the device by means of HTTP is vulnerable to interception
and attack. To enable secure Web access, the Juniper Networks devices support HTTP
over Secure Sockets Layer (HTTPS). You can enable HTTP or HTTPS access on specific
interfaces and ports as needed.

The Juniper Networks device uses the Secure Sockets Layer (SSL) protocol to provide secure device management through the Web interface. SSL uses public-private key technology: the device holds a private key and a matching certificate, which it presents during the SSL handshake. The browser uses the certificate to authenticate the device, and the two sides then negotiate a per-session key that encrypts all subsequent traffic between the browser and the device.

An SSL certificate includes identifying information such as the device's public key, its subject name, a validity period, and a signature made either by a certificate authority (CA) or, for a self-signed certificate, by the device's own key. When you access the device through HTTPS, the SSL handshake authenticates the server to the browser (the client is not authenticated unless client certificates are deployed) and begins a secure session. If the certificate does not match the name you connected to, has expired, or is not trusted by the browser, the browser warns you or refuses the connection; with a self-signed certificate, verify the certificate's fingerprint before accepting it.

Without SSL encryption, communication between your device and the browser, including the login credentials, is sent in the open and can be intercepted. Use HTTPS on every interface used for management, and on WAN or other interfaces facing untrusted networks enable only HTTPS (or no Web access at all), never plain HTTP.

HTTP access is enabled by default on the built-in management interfaces. By default, HTTPS access is supported on any interface with an SSL server certificate.

Related Documentation

• Generating an SSL Certificate Using the openssl Command on page 356
• Generating a Self-Signed SSL Certificate on page 356

• Configuring Device Addresses on page 358

• Example: Configuring Secure Web Access on page 359

Generating an SSL Certificate Using the openssl Command

Supported Platforms SRX Series, vSRX

To generate an SSL certificate using the openssl command:

1. Enter openssl in the CLI. The openssl command generates a self-signed SSL certificate in privacy-enhanced mail (PEM) format. It writes the certificate and an unencrypted RSA private key to the specified file.

NOTE: Run this command on a Linux or UNIX host because Juniper Networks Services Gateways do not support the openssl command.

% openssl req -x509 -nodes -newkey rsa:2048 -days 365 -keyout filename.pem -out filename.pem

Replace filename with the name of a file in which you want the SSL certificate to be written; for example, new.pem. Use a key of at least 2048 bits; 1024-bit RSA keys are rejected by current browsers. The -nodes option leaves the private key unencrypted in the file so that it can be pasted into the device; restrict the file's permissions and delete it once the certificate is installed. Without -days, the certificate is valid for only 30 days.

2. When prompted, type the appropriate information in the identification form. For
example, type US for the country name.

3. Display the contents of the file new.pem.

cat new.pem

Copy the contents of this file for installing the SSL certificate.
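Before installing the file, it is worth checking what it actually contains and recording the certificate's fingerprint, since the browser will show a warning for a self-signed certificate and the fingerprint is the only way to tell the device's certificate from one presented by an interposed host. The script below is an added example, not Juniper code or part of openssl: it parses the PEM file, confirms both the certificate and the private key are present (J-Web expects both pasted together), warns when the key is stored unencrypted, and prints the SHA-256 fingerprint in the form browsers display. The sample input used in its self-check is constructed from arbitrary bytes and is not a real certificate or key.

```python
"""Check the PEM file written by the openssl command before installing it (added example; not Juniper code).

'openssl req -x509 -nodes ...' writes the unencrypted private key and the
certificate into one file. This script confirms both blocks are present,
warns when the key is unencrypted, and reports the certificate's SHA-256
fingerprint so the self-signed certificate can be recognised in the browser.
"""
import base64
import hashlib
import re
import sys

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def parse_pem(text):
    """Return [(label, header lines, DER bytes)] for every PEM block in the text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [l.strip() for l in body.splitlines() if l.strip()]
        headers = [l for l in lines if ":" in l]         # e.g. Proc-Type: 4,ENCRYPTED
        b64 = "".join(l for l in lines if ":" not in l)  # base64 never contains ':'
        blocks.append((label, headers, base64.b64decode(b64)))
    return blocks


def make_pem(label, der, headers=()):
    """PEM-encode DER bytes; used here only to construct sample input."""
    b64 = base64.b64encode(der).decode()
    lines = [f"-----BEGIN {label}-----", *headers]
    if headers:
        lines.append("")
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


def cert_fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form browsers display."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def check_pem_bundle(text):
    """Inspect a PEM bundle; returns labels, certificate fingerprints and findings."""
    blocks = parse_pem(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    findings = []
    if not certs:
        findings.append("no CERTIFICATE block: nothing for the HTTPS server to present")
    if not keys:
        findings.append("no private key block: the certificate cannot be used to serve HTTPS")
    for label, headers, _ in keys:
        encrypted = label.startswith("ENCRYPTED") or any("ENCRYPTED" in h for h in headers)
        if not encrypted:
            findings.append(f"{label} is stored unencrypted (openssl -nodes): restrict the file's "
                            "permissions and delete it once it is installed on the device")
    return {"labels": [b[0] for b in blocks],
            "fingerprints": [cert_fingerprint(der) for _, _, der in certs],
            "findings": findings}


if __name__ == "__main__":
    with open(sys.argv[1]) as f:
        result = check_pem_bundle(f.read())
    for fp in result["fingerprints"]:
        print("certificate SHA-256:", fp)
    for finding in result["findings"]:
        print("warning:", finding)
```

Run it as `python check_pem.py new.pem`; the fingerprint it prints should match the one the browser shows in the certificate details the first time you connect over HTTPS. Because the script works on the PEM framing rather than the ASN.1 inside, it does not verify the key size or expiry; use `openssl x509 -in new.pem -noout -text` for those.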

Related Documentation

• Secure Web Access Overview on page 355

Generating a Self-Signed SSL Certificate

Supported Platforms SRX Series, vSRX

To generate a self-signed SSL certificate on Juniper Networks devices:

1. Establish basic connectivity.

2. Reboot the system. The self-signed certificate is automatically generated at bootup time.

user@host> request system reboot
Reboot the system ? [yes,no] yes

3. Specify system-generated-certificate under HTTPS Web management. Because this certificate is self-signed, browsers will warn on first connection; compare the fingerprint shown by the browser with the one on the device before accepting it.

[edit]
user@host# set system services web-management https system-generated-certificate

Related Documentation

• Generating an SSL Certificate Using the openssl Command on page 356

Manually Generating Self-Signed SSL Certificates

Supported Platforms SRX Series, vSRX

To manually generate a self-signed SSL certificate on Juniper Networks devices:

1. Establish basic connectivity.

2. If you have root login access, you can manually generate the self-signed certificate by using the following commands. Generate the key pair first. Use a key of at least 2048 bits; 512-bit RSA keys can be factored with modest resources and must not be used.

root@host> request security pki generate-key-pair certificate-id certname size 2048 type rsa

Generated key pair certname, key size 2048 bits

root@host> request security pki local-certificate generate-self-signed certificate-id certname email email domain-name domain-name ip-address ip-address subject “DC=Domain-name, CN=Common-Name, OU=Organizational-Unit-name, O=Organization-Name, ST=state, C=Country”

Self-signed certificate generated and loaded successfully

NOTE: When generating the certificate, you must specify the subject, e-mail address, and either domain-name or ip-address. The CN or the ip-address should be the name or address you will type in the browser; otherwise the browser reports a name mismatch.

3. Specify local-certificate under HTTPS Web management.

[edit]
root@host# set system services web-management https local-certificate certname

Related Documentation

• Generating a Self-Signed SSL Certificate on page 356


Configuring Device Addresses

Supported Platforms SRX Series, vSRX

You can use the Management tab to configure IPv4 and loopback addresses on the
device.

To configure IPv4 and loopback addresses:

1. In the J-Web user interface, select Configure>System Properties>Management Access.

2. Click Edit. The Edit Management Access dialog box appears.

3. Select the Management tab.

4. If you want to enable a loopback address for the device, enter an address and
corresponding subnet mask in the Loopback address section.

5. If you want to enable an IPv4 address for the device, select IPv4 address and enter a
corresponding management port, subnet mask, and default gateway.

6. Click OK to save the configuration or Cancel to clear it.

Related Documentation

• Enabling Access Services on page 358

Enabling Access Services

Supported Platforms SRX Series, vSRX

You can use the Services tab to specify the type of connections that users can make to
the device. For instance, you can enable secure HTTPS sessions to the device or enable
access to the Junos XML protocol XML scripting API.

To enable access services:

1. In the J-Web user interface, select Configure>System Properties>Management Access.

2. Click Edit. The Edit Management Access dialog box appears.

3. Select the Services tab.

4. If you want to enable users to open Telnet or SSH connections to the device, select Enable Telnet or Enable SSH. Telnet carries credentials and sessions in clear text and should be left disabled unless it is required; SSH is the secure choice.


5. If you want to enable access to the Junos XML protocol XML scripting API, select
Enable Junos XML protocol over clear text or Enable Junos XML protocol over SSL. If
you enable Junos XML protocol over SSL, select the certificate you want to use for
encryption from the Junos XML protocol certificate drop-down list.

6. Select Enable HTTP if you want users to connect to device interfaces over an HTTP connection. HTTP sends the login credentials in clear text, so limit it to trusted management interfaces, if you enable it at all. Then specify the interfaces that should use the HTTP connection:

• Enable on all interfaces—Select this option if you want to enable HTTP on all device
interfaces.

• Selected interfaces—Use the arrow buttons to populate this list with individual
interfaces if you want to enable HTTP on only some of the device interfaces.

7. If you want users to connect to device interfaces over a secure HTTPS connection,
select Enable HTTPS. Then select which certificate you want to use to secure the
connection from the HTTPS certificates list and specify the interfaces that should use
the HTTPS connection:

• Enable on all interfaces—Select this option if you want to enable HTTPS on all device
interfaces.

• Selected interfaces—Use the arrow buttons to populate this list with individual
interfaces if you want to enable HTTPS on only some of the device interfaces.

8. Click OK to save the configuration or Cancel to clear it.

To verify that Web access is enabled correctly, connect to the device using one of the
following methods:

• For HTTP access—In your Web browser, type http://URL or http://IP address.

• For HTTPS access—In your Web browser, type https://URL or https://IP address.

• For SSL Junos XML protocol access—A Junos XML protocol client such as Junos Scope
is required.

Related Documentation

• Configuring Device Addresses on page 358

Example: Configuring Secure Web Access

Supported Platforms SRX Series, vSRX

This example shows how to configure secure Web access on your device.

• Requirements on page 360
• Overview on page 360
• Configuration on page 360
• Verification on page 361


Requirements
No special configuration beyond device initialization is required before configuring this
feature.

NOTE: You can enable HTTPS access on specified interfaces. If you enable
HTTPS without specifying an interface, HTTPS is enabled on all interfaces.

Overview
In this example, you import the SSL certificate and private key that you generated, in PEM format, under the certificate name new. You then enable HTTPS access and specify that certificate as the one the device presents to browsers. Finally, you specify port 8443 as the port on which HTTPS access is enabled.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set security certificates local new load-key-file /var/tmp/new.pem
set system services web-management https local-certificate new port 8443

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure secure Web access on your device:

1. Import the SSL certificate and private key.

[edit security]
user@host# set certificates local new load-key-file /var/tmp/new.pem

2. Enable HTTPS access and specify the SSL certificate and port.

[edit system]
user@host# set services web-management https local-certificate new port 8443

Results

From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show security
certificates {
local {


new {
"-----BEGIN RSA PRIVATE KEY-----\nMIICXQIBAAKBgQC/C5UI4frNqbi
qPwbTiOkJvqoDw2YgYse0Z5zzVJyErgSg954T\nEuHM67Ck8hAOrCnb0YO+SY
Y5rCXLf4+2s8k9EypLtYRw/Ts66DZoXI4viqE7HSsK\n5sQw/UDBIw7/MJ+OpA
... KYiFf4CbBBbjlMQJ0HFudW6ISVBslONkzX+FT\ni95ddka6iIRnArEb4VFCRh+
e1QBdp1UjziYf7NuzDx4Z\n -----END RSA PRIVATE KEY-----\n-----BEGIN
CERTIFICATE----- \nMIIDjDCCAvWgAwIBAgIBADANBgkqhkiG9w0BAQQ ...
FADCBkTELMAkGA1UEBhMCdXMx\nCzAJBgNVBAgTAmNhMRIwEAYDVQQHEwlzdW5ue
HB1YnMxDTALBgNVBAMTBGpucHIxJDAiBgkqhkiG\n9w0BCQEWFW5iaGFyZ2F2YUB
fLUYAnBYmsYWOH\n -----END CERTIFICATE-----\n"; ## SECRET-DATA
}
}
}

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

• Verifying an SSL Certificate Configuration on page 361
• Verifying a Secure Access Configuration on page 361

Verifying an SSL Certificate Configuration

Purpose Verify the SSL certificate configuration.

Action From configuration mode, enter the show security certificates command, or from operational mode enter the show configuration security certificates command. The private key is displayed with the ## SECRET-DATA marker; anyone who can read the configuration can read the key.

Verifying a Secure Access Configuration

Purpose Verify the secure access configuration.

Action From configuration mode, enter the show system services command (or, from operational mode, show configuration system services). The following sample output displays the sample values for secure Web access:

[edit]
user@host# show system services
web-management {
http;
https {
port 8443;
local-certificate new;
}
}

Related Documentation

• Secure Web Access Overview on page 355
• Generating an SSL Certificate Using the openssl Command on page 356

• Generating a Self-Signed SSL Certificate on page 356


• Configuring Device Addresses on page 358

Adding, Editing, and Deleting Certificates on the Device

Supported Platforms SRX Series, vSRX

You can use the Certificates tab to upload SSL certificates to the device, edit existing
certificates on the device, or delete certificates from the device. You can use the
certificates to secure HTTPS and Junos XML protocol sessions.

To add, edit, or delete a certificate:

1. In the J-Web user interface, select Configure>System Properties>Management Access.

2. Click Edit. The Edit Management Access dialog box appears.

3. Select the Certificates tab.

4. Choose one of the following options:

• If you want to add a new certificate, click Add. The Add Certificate section is
expanded.

• If you want to edit the information for an existing certificate, select it and click Edit.
The Edit Certificate section is expanded.

• If you want to delete an existing certificate, select it and click Delete. (You can skip
the remaining steps in this section.)

5. In the Certificate Name box, type a name—for example, new.

6. In the Certificate content box, paste the generated certificate and RSA private key.

7. Click Save.

8. Click OK to save the configuration or Cancel to clear it.

Related Documentation

• Generating an SSL Certificate Using the openssl Command on page 356

CHAPTER 7

Setting up USB Modems for Remote Management

• USB Modem Interface Overview on page 363
• USB Modem Configuration Overview on page 366
• Example: Configuring a USB Modem Interface on page 369
• Example: Configuring a Dialer Interface on page 372
• Example: Configuring a Dialer Interface for USB Modem Dial-In on page 376
• Configuring a Dial-Up Modem Connection Remotely on page 378
• Connecting to the Device Remotely on page 379
• Modifying USB Modem Initialization Commands on page 380
• Resetting USB Modems on page 381

USB Modem Interface Overview

Supported Platforms SRX Series

Juniper Networks SRX Series devices support the use of USB modems for remote
management. You can use Telnet or SSH to connect to the device from a remote location
through two modems over a telephone network. The USB modem is connected to the
USB port on the device, and a second modem is connected to a remote management
device such as a PC or laptop computer.

NOTE: Starting with Junos OS Release 15.1X49-D10, USB modems are no longer supported for dial backup on SRX300, SRX320, SRX340, SRX345, and SRX550HM devices.

You can configure your device to fail over to a USB modem connection when the primary
Internet connection experiences interruption.

A USB modem connects to a device through modem interfaces that you configure. The
device applies its own modem AT commands to initialize the attached modem. Modem
setup requires that you connect and configure the USB modem at the device and the
modem at the user end of the network.




You use either the J-Web configuration editor or CLI configuration editor to configure the
USB modem and its supporting dialer interfaces.

NOTE: Low-latency traffic such as VoIP traffic is not supported over USB
modem connections.

NOTE: We recommend using a US Robotics USB 56k V.92 Modem, model number USR Model 5637.

USB Modem Interfaces

You configure two types of interfaces for USB modem connectivity:

• A physical interface which uses the naming convention umd0. The device creates this
interface when a USB modem is connected to the USB port.

• A logical interface called the dialer interface. You use the dialer interface, dln, to
configure dialing properties for USB modem connections. The dialer interface can be
configured using Point-to-Point Protocol (PPP) encapsulation. You can also configure
the dialer interface to support authentication protocols—PPP Challenge Handshake
(CHAP) or Password Authentication Protocol (PAP). You can configure multiple dialer
interfaces for different functions on the device. After configuring the dialer interface,
you must configure a backup method such as a dialer backup, a dialer filter, or a dialer
watch.

The USB modem provides a dial-in remote management interface, and supports dialer interface features by sharing the same dial pool as a dialer interface. The dial pool allows the logical dialer interface and the physical interface to be bound together dynamically on a per-call basis. You can configure the USB modem to operate either as a dial-in console for management or as a dial-in WAN backup interface. Dialer pool priority has a range from 1 to 255, with 1 designating the lowest priority interfaces and 255 designating the highest priority interfaces.

Because a dial-in call reaches the device without passing through its Internet-facing interfaces, treat the dialer interface as a management interface: require CHAP on it, restrict answered calls with the incoming-map caller option, and apply the same authentication and access policy you use for other management access.

Dialer Interface Rules
The following rules apply when you configure dialer interfaces for USB modem
connections:

• The dialer interface must be configured to use PPP encapsulation. You cannot configure
Cisco High-Level Data Link Control (HDLC) or Multilink PPP (MLPPP) encapsulation
on dialer interfaces.

• The dialer interface cannot be configured as a constituent link in a multilink bundle.

• The dialer interface can perform backup, dialer filter, and dialer watch functions, but
these operations are mutually exclusive. You can configure a single dialer interface to
operate in only one of the following ways:

• As a backup interface—for one primary interface



Chapter 7: Setting up USB Modems for Remote Management

• As a dialer filter

• As a dialer watch interface

The backup dialer interfaces are activated only when the primary interface fails. USB
modem backup connectivity is supported on all interfaces except lsq-0/0/0.

The dial-on-demand routing backup method allows a USB modem connection to be activated only when network traffic configured as an "interesting packet" arrives on the network. Once the network traffic is sent, an inactivity timer is triggered and the connection is closed. You define an interesting packet using the dialer filter feature of the device. To configure dial-on-demand routing backup using a dialer filter, you first configure the dialer filter and then apply the filter to the dialer interface.

Dialer watch is a backup method that integrates backup dialing with routing capabilities
and provides reliable connectivity without relying on a dialer filter to trigger outgoing USB
modem connections. With dialer watch, the device monitors the existence of a specified
route. If the route disappears, the dialer interface initiates the USB modem connection
as a backup connection.

How the Device Initializes USB Modems
When you connect the USB modem to the USB port on the device, the device applies
the modem AT commands configured in the init-command-string command to the
initialization commands on the modem.

If you do not configure modem AT commands for the init-command-string command, the device applies the following default sequence of initialization commands to the modem: AT S7=45 S0=0 V1 X4 &C1 E0 Q0 &Q8 %C0. Table 8 on page 365 describes the commands. For more information about these commands, see the documentation for your modem.

Table 8: Default Modem Initialization Commands

Modem Command   Description

AT   Attention. Informs the modem that a command follows.

S7=45   Instructs the modem to wait 45 seconds for a telecommunications service provider (carrier) signal before terminating the call.

S0=0   Disables the auto answer feature, whereby the modem automatically answers calls.

V1   Displays result codes as words.

X4   Enables extended result codes, including dial-tone and busy-signal detection.

&C1   Makes the Data Carrier Detect (DCD) signal follow the state of the remote carrier, so the device sees the link drop when the carrier is lost.

E0   Disables the display on the local terminal of commands issued to the modem from the local terminal.

Q0   Enables the display of result codes.

&Q8   Enables Microcom Networking Protocol (MNP) error control mode.

%C0   Disables data compression.

When the device applies the modem AT commands in the init-command-string command
or the default sequence of initialization commands to the modem, it compares them to
the initialization commands already configured on the modem and makes the following
changes:

• If the commands are the same, the device overrides existing modem values that do
not match. For example, if the initialization commands on the modem include S0=0
and the device’s init-command-string command includes S0=2, the device applies
S0=2.

• If the initialization commands on the modem do not include a command in the device’s
init-command-string command, the device adds it. For example, if the
init-command-string command includes the command L2, but the modem commands
do not include it, the device adds L2 to the initialization commands configured on the
modem.
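The two merge rules above, as an added Python example (not Juniper code and not the device's actual implementation): it parses Hayes command strings into (command, value) pairs, applies the override-or-append rules to a modem that still holds the default sequence, and renders the result. The modem's starting state and the configured init-command-string are constructed inputs; the trailing \n terminator from the CLI convention is stripped before parsing.

```python
import re

# Default initialization sequence the device sends when no
# init-command-string is configured (the sequence listed in Table 8).
DEFAULT_INIT_STRING = "AT S7=45 S0=0 V1 X4 &C1 E0 Q0 &Q8 %C0"

# One Hayes command: an optional prefix (&, %, \) and a letter, followed by
# "<n>=<value>" for an S-register (S0=2) or a bare numeric parameter (V1, &C1).
_CMD_RE = re.compile(r"([&%\\]?[A-Z])(\d+)(?:=(\d+))?")


def parse_init_string(init_string):
    """Split a command string into an ordered list of (key, value) pairs.

    "S7=45" -> ("S7", "45"), "V1" -> ("V", "1"), "&C1" -> ("&C", "1").
    A leading AT, whitespace, and a literal backslash-n terminator (the
    CLI convention for ending the sequence) are ignored.
    """
    body = init_string.replace("\\n", "")      # literal \n as typed in the CLI
    body = "".join(body.split()).upper()       # drop spaces and real newlines
    if body.startswith("AT"):
        body = body[2:]
    commands, pos = [], 0
    while pos < len(body):
        match = _CMD_RE.match(body, pos)
        if match is None:
            raise ValueError("unrecognized modem command at %r" % body[pos:])
        letter, number, register_value = match.groups()
        if register_value is not None:         # S-register assignment, e.g. S0=2
            commands.append((letter + number, register_value))
        else:                                  # plain command with parameter, e.g. V1
            commands.append((letter, number))
        pos = match.end()
    return commands


def merge_init_commands(modem_commands, device_commands):
    """Apply the device's init sequence to the commands already on the modem.

    Rule 1: a command present on both sides takes the device's value.
    Rule 2: a command the modem does not have is appended.
    Commands that only the modem has are left untouched.
    """
    merged = parse_init_string(modem_commands)
    position = {key: i for i, (key, _) in enumerate(merged)}
    for key, value in parse_init_string(device_commands):
        if key in position:
            merged[position[key]] = (key, value)
        else:
            position[key] = len(merged)
            merged.append((key, value))
    return merged


def format_init_string(commands):
    """Render (key, value) pairs back into a single AT command line."""
    parts = []
    for key, value in commands:
        is_register = key[0] == "S" and key[1:].isdigit()
        parts.append("%s=%s" % (key, value) if is_register else key + value)
    return "AT " + " ".join(parts)


def effective_init_string(modem_commands, init_command_string=None):
    """What the modem ends up with after the device initializes it.

    init_command_string=None models the case where nothing is configured,
    so the device falls back to DEFAULT_INIT_STRING.
    """
    device_commands = init_command_string or DEFAULT_INIT_STRING
    return format_init_string(merge_init_commands(modem_commands, device_commands))


if __name__ == "__main__":
    # Constructed inputs: a modem still carrying the default sequence, and the
    # init-command-string from "Modifying USB Modem Initialization Commands".
    print(effective_init_string(DEFAULT_INIT_STRING, "AT S0=2 L2 \\n"))
```

Running the block shows S0=0 replaced by S0=2 while L2 is appended at the end, which is exactly the two cases the text distinguishes.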

NOTE: On SRX210 devices, the USB modem interface can handle bidirectional
traffic of up to 19 Kbps. On oversubscription of this amount (that is,
bidirectional traffic of 20 Kbps or above), keepalives do not get exchanged,
and the interface goes down. (Platform support depends on the Junos OS
release in your installation.)

Release History Table Release Description

15.1X49-D10 Starting with Junos OS Release 15.1X49-D10, USB modems are no longer
supported for dial backup on SRX300, SRX320, SRX340, SRX345,
SRX550HM devices.

Related Documentation

• USB Modem Configuration Overview on page 366

• Example: Configuring a USB Modem Interface on page 369

• Example: Configuring a Dialer Interface for USB Modem Dial-In on page 376

USB Modem Configuration Overview

Supported Platforms SRX Series




NOTE: Starting with Junos OS Release 15.1X49-D10, USB modems are no longer supported for dial backup on SRX300, SRX320, SRX340, and SRX345 devices.

Before you begin:

1. Install device hardware. For more information, see the Getting Started Guide for your
device.

2. Establish basic connectivity. For more information, see the Getting Started Guide for
your device.

3. Order a US Robotics USB 56k V.92 Modem, model number USR Model 5637
(http://www.usr.com/).

4. Order a public switched telephone network (PSTN) line from your telecommunications
service provider. Contact your service provider for more information.

5. Connect the USB modem to the device's USB port.

NOTE: When you connect the USB modem to the USB port on the device,
the USB modem is initialized with the modem initialization string
configured for the USB modem interface on the device.

a. Plug the modem into the USB port.

b. Connect the modem to your telephone network.

Suppose you have a branch office router and a head office router each with a USB modem
interface and a dialer interface. This example shows you how to establish a backup
connection between the branch office and head office routers. See Table 9 on page 368
for a summarized description of the procedure.




Table 9: Configuring Branch Office and Head Office Routers for USB Modem Backup Connectivity

Router Location: Branch Office

Configuration Requirement: Configure the logical dialer interface on the branch office router for USB modem dial backup.
Procedure: To configure the logical dialer interface, see "Example: Configuring a USB Modem Interface" on page 369.

Configuration Requirement: Configure the dialer interface dl0 on the branch office router using one of the following backup methods:
• Configure the dialer interface dl0 as the backup interface on the branch office router's primary T1 interface t1-1/0/0.
• Configure a dialer filter on the branch office router's dialer interface.
• Configure a dialer watch on the branch office router's dialer interface.
Procedure: Configure the dialer interface using one of the following backup methods:
• To configure dl0 as a backup for t1-1/0/0, see Example: Configuring Dialer Interfaces and Backup Methods for USB Modem Dial Backup.
• To configure a dialer filter on dl0, see Example: Configuring Dialer Interfaces and Backup Methods for USB Modem Dial Backup.
• To configure a dialer watch on dl0, see Example: Configuring Dialer Interfaces and Backup Methods for USB Modem Dial Backup.

Router Location: Head Office

Configuration Requirement: Configure dial-in on the dialer interface dl0 on the head office router.
Procedure: To configure dial-in on the head office router, see "Example: Configuring a Dialer Interface for USB Modem Dial-In" on page 376.

If the dialer interface is configured to accept only calls from a specific caller ID, the device matches the incoming call's caller ID against the caller IDs configured on its dialer interfaces. If an exact match is not found and the incoming call's caller ID has more digits than the configured caller IDs, the device performs a right-to-left match of the incoming call's caller ID with the configured caller IDs and accepts the incoming call if a match is found. For example, if the incoming call's caller ID is 4085321091 and the caller ID configured on a dialer interface is 5321091, the incoming call is accepted. Each dialer interface accepts calls from only callers whose caller IDs are configured on it. Caller ID is supplied by the telephone network and can be spoofed, so treat it as a filter that limits which calls are answered, not as authentication; the PPP CHAP or PAP exchange on the dialer interface is what authenticates the remote peer.

See Table 10 on page 368 for a list of available incoming map options.

Table 10: Incoming Map Options

Option   Description

accept-all   Dialer interface accepts all incoming calls.

You can configure the accept-all option for only one of the dialer interfaces associated with a USB modem physical interface. The dialer interface with the accept-all option configured is used only if the incoming call's caller ID does not match the caller IDs configured on other dialer interfaces.

caller   Dialer interface accepts calls from a specific caller ID. You can configure a maximum of 15 caller IDs per dialer interface.

The same caller ID must not be configured on different dialer interfaces. However, you can configure caller IDs with more or fewer digits on different dialer interfaces. For example, you can configure the caller IDs 14085551515, 4085551515, and 5551515 on different dialer interfaces.

You can configure dialer interfaces to support PAP. PAP is a simple method for a peer to establish its identity using a two-way handshake during initial link establishment. After the link is established, an ID and password pair is repeatedly sent by the peer to the authenticator until authentication is acknowledged or the connection is terminated. Because PAP transmits the ID and password in cleartext over the link, prefer CHAP, which the dialer interface also supports, wherever the remote peer can use it.

Release History Table Release Description

15.1X49-D10 Starting with Junos OS Release 15.1X49-D10, USB modems are no longer
supported for dial backup on SRX300, SRX320, SRX340, and SRX345
devices.

Related Documentation

• USB Modem Interface Overview on page 363

• Example: Configuring a USB Modem Interface on page 369

Example: Configuring a USB Modem Interface

Supported Platforms SRX Series

This example shows how to configure a USB modem interface for dial backup.

NOTE: Starting with Junos OS Release 15.1X49-D10, USB modems are no longer supported for dial backup on SRX300, SRX320, SRX340, and SRX345 devices.

• Requirements on page 369
• Overview on page 370
• Configuration on page 370
• Verification on page 371

Requirements
No special configuration beyond device initialization is required before configuring this
feature.




Overview

In this example, you create an interface called umd0 for USB modem connectivity and set the dialer pool priority to 25. You also configure a modem initialization string so that the modem answers automatically after a specified number of rings. The default modem initialization string is AT S7=45 S0=0 V1 X4 &C1 E0 Q0 &Q8 %C0; its S0=0 command disables autoanswer, and the configured ATS0=2 overrides it so that the modem answers on the second ring. Finally, you set the modem to act as a dial-in WAN backup interface.

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces umd0 dialer-options pool usb-modem-dialer-pool priority 25
set interfaces umd0 modem-options init-command-string "ATS0=2 \n"
set interfaces umd0 modem-options dialin routable

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a USB modem interface for dial backup:

1. Create an interface.

[edit]
user@host# edit interfaces umd0

2. Set the dialer options and priority.

[edit interfaces umd0]
user@host# set dialer-options pool usb-modem-dialer-pool priority 25

3. Specify the modem options.

[edit interfaces umd0]
user@host# set modem-options init-command-string "ATS0=2 \n"

4. Set the modem to act as a dial-in WAN backup interface.

[edit interfaces umd0]
user@host# set modem-options dialin routable

Results

From configuration mode, confirm your configuration by entering the show interfaces umd0 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show interfaces umd0




modem-options {
init-command-string "ATS0=2 \n";
dialin routable;
}
dialer-options {
pool usb-modem-dialer-pool priority 25;
}

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

Verifying the Configuration

Purpose

Verify a USB modem interface for dial backup.

Action

From operational mode, enter the show interfaces umd0 extensive command. The output shows a summary of interface information and displays the modem status.

Physical interface: umd0, Enabled, Physical link is Up
Interface index: 64, SNMP ifIndex: 33, Generation: 1
Type: Async-Serial, Link-level type: PPP-Subordinate, MTU: 1504,
Clocking: Unspecified, Speed: MODEM
Device flags : Present Running
Interface flags: Point-To-Point SNMP-Traps Internal: 0x4000
Link flags : None
Hold-times : Up 0 ms, Down 0 ms
Last flapped : Never
Statistics last cleared: Never
Traffic statistics:
Input bytes : 21672
Output bytes : 22558
Input packets: 1782
Output packets: 1832
Input errors:
Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0, Policed discards: 0,
Resource errors: 0
Output errors:
Carrier transitions: 63, Errors: 0, Drops: 0, MTU errors: 0, Resource errors: 0
MODEM status:
Modem type : LT V.92 1.0 MT5634ZBA-USB-V92 Data/Fax Modem (Dual Config) Version 2.27m
Initialization command string : ATS0=2
Initialization status : Ok
Call status : Connected to 4085551515
Call duration : 13429 seconds
Call direction : Dialin
Baud rate : 33600 bps
Most recent error code : NO CARRIER

Logical interface umd0.0 (Index 2) (SNMP ifIndex 34) (Generation 1)
Flags: Point-To-Point SNMP-Traps Encapsulation: PPP-Subordinate

Release History Table Release Description

15.1X49-D10 Starting with Junos OS Release 15.1X49-D10, USB modems are no longer
supported for dial backup on SRX300, SRX320, SRX340, and SRX345
devices.

Related Documentation

• USB Modem Configuration Overview on page 366

• USB Modem Interface Overview on page 363

• Example: Configuring a Dialer Interface for USB Modem Dial-In on page 376

Example: Configuring a Dialer Interface

Supported Platforms SRX Series, vSRX

This example shows how to configure a logical dialer interface for an SRX300, SRX320,
SRX340, or SRX345 device.

• Requirements on page 372
• Overview on page 372
• Configuration on page 373
• Verification on page 374

Requirements
Before you begin:

• Install device hardware and establish basic connectivity. See the Getting Started Guide
for your device.

• Order a US Robotics USB 56k V.92 Modem, model number USR Model 5637, from US
Robotics (http://www.usr.com/).

• Order a dial-up modem for the PC or laptop computer at the remote location from
where you want to connect to the device.

• Order a PSTN line from your telecommunications service provider. Contact your service
provider.

Overview
In this example, you configure a logical dialer interface called dl0 to establish USB connectivity. You can configure multiple dialer interfaces for different functions on the device. You add a description to differentiate among different dialer interfaces. For example, this modem is called USB-modem-remote-management. Configure PPP encapsulation and set the logical unit as 0. You then specify the name of the dialer pool as usb-modem-dialer-pool and set the source and destination IP addresses as 172.20.10.2 and 172.20.10.1, respectively.

NOTE: You cannot configure Cisco High-Level Data Link Control (HDLC) or
Multilink PPP (MLPPP) encapsulation on dialer interfaces used in USB modem
connections.

NOTE: If you configure multiple dialer interfaces, ensure that the same IP
subnet address is not configured on different dialer interfaces. Configuring
the same IP subnet address on multiple dialer interfaces can result in
inconsistency in the route and packet loss. The device might route packets
through another dialer interface with the IP subnet address instead of through
the dialer interface to which the USB modem call is mapped.
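The rules collected above (PPP encapsulation only, logical unit 0, a dialer pool on the unit, no multilink membership, and no address overlap between dialer interfaces) are easy to violate in a configuration that still looks plausible. The following Python linter is an added example, not Juniper code and not a Junos feature: it reads set-format statements for dlN interfaces and reports each violation. The two sample configurations are constructed for the example, and an address given without a prefix length is treated as a /32 host route (an assumption made for the overlap check).

```python
import ipaddress
from collections import defaultdict


def _new_dialer():
    return {"encapsulation": None, "units": set(), "pool": None,
            "addresses": [], "destinations": [], "mlppp": False}


def parse_dialer_statements(config_text):
    """Collect the statements under [edit interfaces dlN] from a set-format
    configuration. Statements for other interfaces are ignored."""
    dialers = defaultdict(_new_dialer)
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "set" or tokens[1] != "interfaces":
            continue
        name, rest = tokens[2], tokens[3:]
        if not (name.startswith("dl") and name[2:].isdigit()):
            continue
        cfg = dialers[name]
        if rest[0] == "encapsulation" and len(rest) > 1:
            cfg["encapsulation"] = rest[1]
        elif rest[0] == "unit" and len(rest) > 1:
            unit, sub = rest[1], rest[2:]
            cfg["units"].add(unit)
            if unit == "0" and sub[:2] == ["dialer-options", "pool"] and len(sub) > 2:
                cfg["pool"] = sub[2]
            if sub[:3] == ["family", "inet", "address"] and len(sub) > 3:
                cfg["addresses"].append(sub[3])
                if len(sub) > 5 and sub[4] == "destination":
                    cfg["destinations"].append(sub[5])
            if sub[:2] == ["family", "mlppp"]:
                cfg["mlppp"] = True
    return dict(dialers)


def lint_dialer_config(config_text):
    """Return a list of rule violations; an empty list means every dialer
    interface in the configuration satisfies the rules in the text."""
    dialers = parse_dialer_statements(config_text)
    problems = []
    for name, cfg in sorted(dialers.items()):
        if cfg["encapsulation"] != "ppp":
            problems.append("%s: encapsulation must be ppp, found %s"
                            % (name, cfg["encapsulation"] or "none"))
        for unit in sorted(cfg["units"] - {"0"}):
            problems.append("%s: logical unit must be 0, found unit %s" % (name, unit))
        if cfg["pool"] is None:
            problems.append("%s: unit 0 does not name a dialer pool" % name)
        if cfg["mlppp"]:
            problems.append("%s: a dialer interface cannot be a multilink bundle member" % name)
    # Address space shared by two dialer interfaces makes the route ambiguous.
    seen_networks, seen_destinations = [], {}
    for name, cfg in sorted(dialers.items()):
        for address in cfg["addresses"]:
            network = ipaddress.ip_interface(address).network   # /32 if no prefix given
            for other, other_network in seen_networks:
                if network.overlaps(other_network):
                    problems.append("%s and %s share address space (%s overlaps %s)"
                                    % (other, name, other_network, network))
            seen_networks.append((name, network))
        for destination in cfg["destinations"]:
            if destination in seen_destinations:
                problems.append("%s and %s use the same destination %s"
                                % (seen_destinations[destination], name, destination))
            else:
                seen_destinations[destination] = name
    return problems


# Constructed sample: the configuration from this example plus a second,
# non-overlapping dialer interface.
GOOD_CONFIG = """
set interfaces dl0 description USB-modem-remote-management
set interfaces dl0 encapsulation ppp
set interfaces dl0 unit 0 dialer-options pool usb-modem-dialer-pool
set interfaces dl0 unit 0 family inet address 172.20.10.2 destination 172.20.10.1
set interfaces dl1 encapsulation ppp
set interfaces dl1 unit 0 dialer-options pool usb-modem-dialer-pool
set interfaces dl1 unit 0 family inet address 172.20.11.2 destination 172.20.11.1
"""

# Constructed sample that breaks four rules: HDLC encapsulation, unit 1,
# no pool on unit 0, and a /24 that overlaps dl0.
BAD_CONFIG = """
set interfaces dl0 encapsulation ppp
set interfaces dl0 unit 0 dialer-options pool usb-modem-dialer-pool
set interfaces dl0 unit 0 family inet address 172.20.10.2/24 destination 172.20.10.1
set interfaces dl1 encapsulation cisco-hdlc
set interfaces dl1 unit 1 dialer-options pool usb-modem-dialer-pool
set interfaces dl1 unit 1 family inet address 172.20.10.6/24 destination 172.20.10.5
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint_dialer_config(text) or "OK")
```

Run it against a candidate configuration before committing; a clean result means the dialer interfaces at least obey the structural rules, not that the backup will dial successfully.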

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces dl0 description USB-modem-remote-management
set interfaces dl0 encapsulation ppp
set interfaces dl0 unit 0 dialer-options pool usb-modem-dialer-pool
set interfaces dl0 unit 0 family inet address 172.20.10.2 destination 172.20.10.1

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure a logical dialer interface for the device:

1. Create an interface.

[edit]
user@host# edit interfaces dl0

2. Add a description and configure PPP encapsulation.

[edit interfaces dl0]
user@host# set description USB-modem-remote-management
user@host# set encapsulation ppp

3. Create the logical unit.

NOTE: The logical unit number must be 0.

[edit interfaces dl0]
user@host# edit unit 0

4. Configure the name of the dialer pool to use for USB modem connectivity.

[edit interfaces dl0 unit 0]
user@host# set dialer-options pool usb-modem-dialer-pool

5. Configure source and destination IP addresses for the dialer interface.

[edit interfaces dl0 unit 0]
user@host# set family inet address 172.20.10.2 destination 172.20.10.1

Results From configuration mode, confirm your configuration by entering the show interfaces dl0
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

[edit]
user@host# show interfaces dl0
description USB-modem-remote-management;
encapsulation ppp;
unit 0 {
family inet {
address 172.20.10.2/32 {
destination 172.20.10.1;
}
}
dialer-options {
pool usb-modem-dialer-pool;
}
}

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

Verifying a Dialer Interface

Purpose

Verify that the dialer interface has been configured.

Action

From operational mode, enter the show interfaces dl0 extensive command. The output shows a summary of dialer interface information.

Physical interface: dl0, Enabled, Physical link is Up
Interface index: 128, SNMP ifIndex: 24, Generation: 129
Type: 27, Link-level type: PPP, MTU: 1504, Clocking: Unspecified, Speed: Unspecified
Device flags : Present Running
Interface flags: SNMP-Traps
Link type : Full-Duplex
Link flags : Keepalives
Physical info : Unspecified
Hold-times : Up 0 ms, Down 0 ms
Current address: Unspecified, Hardware address: Unspecified
Alternate link address: Unspecified
Last flapped : Never
Statistics last cleared: Never
Traffic statistics:
Input bytes : 13859 0 bps
Output bytes : 0 0 bps
Input packets: 317 0 pps
Output packets: 0 0 pps
Input errors:
Errors: 0, Drops: 0, Framing errors: 0, Runts: 0, Giants: 0, Policed discards: 0,
Resource errors: 0
Output errors:
Carrier transitions: 0, Errors: 0, Drops: 0, MTU errors: 0, Resource errors: 0

Logical interface dl0.0 (Index 70) (SNMP ifIndex 75) (Generation 146)
Description: USB-modem-remote-management
Flags: Point-To-Point SNMP-Traps 0x4000 LinkAddress 23-0 Encapsulation: PPP
Dialer:
State: Active, Dial pool: usb-modem-dialer-pool
Dial strings: 220
Subordinate interfaces: umd0 (Index 64)
Activation delay: 0, Deactivation delay: 0
Initial route check delay: 120
Redial delay: 3
Callback wait period: 5
Load threshold: 0, Load interval: 60
Bandwidth: 115200
Traffic statistics:
Input bytes : 24839
Output bytes : 17792
Input packets: 489
Output packets: 340
Local statistics:
Input bytes : 10980
Output bytes : 17792
Input packets: 172
Output packets: 340
Transit statistics:
Input bytes : 13859 0 bps
Output bytes : 0 0 bps
Input packets: 317 0 pps
Output packets: 0 0 pps
LCP state: Opened
NCP state: inet: Opened, inet6: Not-configured, iso: Not-configured,
mpls: Not-configured
CHAP state: Success
Protocol inet, MTU: 1500, Generation: 136, Route table: 0
Flags: None
Addresses, Flags: Is-Preferred Is-Primary
Destination: 172.20.10.1, Local: 172.20.10.2, Broadcast: Unspecified,
Generation: 134




Related Documentation

• USB Modem Interface Overview on page 363

• USB Modem Configuration Overview on page 366

• Example: Configuring a USB Modem Interface on page 369

• Example: Configuring a Dialer Interface for USB Modem Dial-In on page 376

Example: Configuring a Dialer Interface for USB Modem Dial-In

Supported Platforms SRX Series

This example shows how to configure a dialer interface for USB modem dial-in.

NOTE: Starting with Junos OS Release 15.1X49-D10, USB modems are no longer supported for dial-in to a dialer interface on SRX300, SRX320, SRX340, and SRX345 devices.

• Requirements on page 376
• Overview on page 376
• Configuration on page 377
• Verification on page 377

Requirements
No special configuration beyond device initialization is required before configuring this
feature.

Overview
To enable connections to the USB modem from a remote location, you must configure
the dialer interfaces set up for USB modem use to accept incoming calls. You can
configure a dialer interface to accept all incoming calls or accept only calls from one or
more caller IDs.

If the dialer interface is configured to accept only calls from a specific caller ID, the system
matches the incoming call's caller ID against the caller IDs configured on its dialer
interfaces. If an exact match is not found and the incoming call's caller ID has more digits
than the configured caller IDs, the system performs a right-to-left match of the incoming
call's caller ID with the configured caller IDs and accepts the incoming call if a match is
found. For example, if the incoming call's caller ID is 4085550115 and the caller ID
configured on a dialer interface is 5550115, the incoming call is accepted. Each dialer
interface accepts calls from only callers whose caller IDs are configured on it.

You can configure the following incoming map options for the dialer interface:

• accept-all—Dialer interface accepts all incoming calls.

You can configure the accept-all option for only one of the dialer interfaces associated
with a USB modem physical interface. The device uses the dialer interface with the

376 Copyright © 2017, Juniper Networks, Inc.


Chapter 7: Setting up USB Modems for Remote Management

accept-all option configured only if the incoming call's caller ID does not match the
caller IDs configured on other dialer interfaces.

• caller—Dialer interface accepts calls from a specific caller ID—for example, 4085550115.
You can configure a maximum of 15 caller IDs per dialer interface.

The same caller ID must not be configured on different dialer interfaces. However, you
can configure caller IDs with more or fewer digits on different dialer interfaces. For
example, you can configure the caller IDs 14085550115, 4085550115, and 5550115 on
different dialer interfaces.

In this example, you configure the incoming map option as caller 4085550115 for dialer
interface dl0.
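The caller-ID matching described above and in "USB Modem Configuration Overview", together with the accept-all and caller constraints from the option list, as an added Python example (not Junos code, and not how the device's dialer process is implemented): it validates a set of dialer interfaces against the constraints, then decides which interface answers a given incoming caller ID in the order the text gives (exact match, right-to-left match when the incoming ID is longer, then accept-all). Where several configured IDs are suffixes of the incoming ID the longest wins, which is an assumption the guide does not state. The three dialer interfaces are constructed for the example. Because caller ID can be spoofed by the calling side, this selection only decides which interface picks up; CHAP on the dialer interface is still what authenticates the peer.

```python
MAX_CALLERS_PER_INTERFACE = 15   # limit stated for the caller option


def validate_incoming_maps(dialers):
    """Check the incoming-map constraints across the dialer interfaces that
    share one USB modem physical interface.

    dialers: {"dl0": {"accept_all": False, "callers": ["4085550115"]}, ...}
    Returns a list of problem descriptions; an empty list means the set is valid.
    """
    problems = []
    accept_all = [name for name, cfg in dialers.items() if cfg.get("accept_all")]
    if len(accept_all) > 1:
        problems.append("accept-all configured on more than one dialer interface: %s"
                        % ", ".join(sorted(accept_all)))
    seen = {}   # caller ID -> first dialer interface it was configured on
    for name, cfg in dialers.items():
        callers = cfg.get("callers", [])
        if len(callers) > MAX_CALLERS_PER_INTERFACE:
            problems.append("%s has %d caller IDs (maximum %d)"
                            % (name, len(callers), MAX_CALLERS_PER_INTERFACE))
        for caller in callers:
            if not caller.isdigit():
                problems.append("%s: caller ID %r is not numeric" % (name, caller))
            elif caller in seen and seen[caller] != name:
                problems.append("caller ID %s configured on both %s and %s"
                                % (caller, seen[caller], name))
            else:
                seen.setdefault(caller, name)
    return problems


def select_dialer_interface(dialers, incoming_caller_id):
    """Pick the dialer interface that answers a call, or None to reject it.

    Order: exact caller-ID match; then a right-to-left (suffix) match when the
    incoming ID has more digits than a configured one; then the accept-all
    interface. Assumption: the longest matching suffix wins.
    """
    for name, cfg in dialers.items():
        if incoming_caller_id in cfg.get("callers", []):
            return name
    best = None
    for name, cfg in dialers.items():
        for caller in cfg.get("callers", []):
            if (len(incoming_caller_id) > len(caller)
                    and incoming_caller_id.endswith(caller)
                    and (best is None or len(caller) > len(best[1]))):
                best = (name, caller)
    if best is not None:
        return best[0]
    for name, cfg in dialers.items():
        if cfg.get("accept_all"):
            return name
    return None


def render_set_commands(dialers):
    """Emit the equivalent Junos set statements for the incoming maps."""
    lines = []
    for name in sorted(dialers):
        cfg = dialers[name]
        base = "set interfaces %s unit 0 dialer-options incoming-map" % name
        if cfg.get("accept_all"):
            lines.append(base + " accept-all")
        for caller in cfg.get("callers", []):
            lines.append("%s caller %s" % (base, caller))
    return lines


# Constructed example: three dialer interfaces sharing one USB modem.
EXAMPLE_DIALERS = {
    "dl0": {"accept_all": False, "callers": ["4085550115"]},
    "dl1": {"accept_all": False, "callers": ["5551515"]},
    "dl2": {"accept_all": True, "callers": []},
}

if __name__ == "__main__":
    print("problems:", validate_incoming_maps(EXAMPLE_DIALERS) or "none")
    for caller_id in ("4085550115", "14085550115", "4085551515", "2125550000"):
        print(caller_id, "->", select_dialer_interface(EXAMPLE_DIALERS, caller_id))
    print("\n".join(render_set_commands(EXAMPLE_DIALERS)))
```

With the sample set, 14085550115 lands on dl0 through the suffix match, 4085551515 on dl1, and an unknown number on the accept-all interface dl2; remove dl2 and the unknown number is rejected.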

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following command, paste it into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the command into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces dl0 unit 0 dialer-options incoming-map caller 4085550115

Step-by-Step Procedure

To configure a dialer interface for USB modem dial-in:

1. Select a dialer interface.

[edit]
user@host# edit interfaces dl0

2. Configure the incoming map options.

[edit interfaces dl0]
user@host# set unit 0 dialer-options incoming-map caller 4085550115

3. If you are done configuring the device, commit the configuration.

[edit interfaces dl0]
user@host# commit

Verification
To verify that the configuration is in place, enter the show interfaces dl0 command from configuration mode and confirm that the caller ID appears under unit 0 dialer-options incoming-map.




Release History Table Release Description

15.1X49-D10 Starting with Junos OS Release 15.1X49-D10, USB modems are no longer
supported for dial-in to a dialer interface on SRX300, SRX320, SRX340,
and SRX345 devices.

Related Documentation

• USB Modem Configuration Overview on page 366

• Example: Configuring a USB Modem Interface on page 369

Configuring a Dial-Up Modem Connection Remotely

Supported Platforms SRX Series, vSRX

To remotely connect to the USB modem connected to the USB port on the device, you
must configure a dial-up modem connection on the PC or laptop computer at your remote
location. Configure the dial-up modem connection properties to disable IP header
compression.

To configure a dial-up modem connection remotely:

1. At your remote location, connect a modem to a management device such as a PC or laptop computer.

2. Connect the modem to your telephone network.

3. On the PC or laptop computer, select Start>Settings>Control Panel>Network Connections. The Network Connections page appears.

4. Click Create a new connection. The New Connection Wizard appears.

5. Click Next. The New Connection Wizard: Network Connection Type page appears.

6. Select Connect to the network at my workplace, and then click Next.

The New Connection Wizard: Network Connection page appears.

7. Select Dial-up connection, and then click Next. The New Connection Wizard: Connection
Name page appears.

8. In the Company Name box, type the dial-up connection name, for example
USB-modem-connect. Then, click Next. The New Connection Wizard: Phone Number
to Dial page appears.

9. In the Phone number box, type the telephone number of the PSTN line connected to
the USB modem at the device end.




10. Click Next twice, and then click Finish. The Connect USB-modem-connect page
appears.

11. If CHAP is configured on the dialer interface used for the USB modem interface at the
device end, type the username and password configured in the CHAP configuration
in the User name and Password boxes.

12. Click Properties. The USB-modem-connect Properties page appears.

13. In the Networking tab, select Internet Protocol (TCP/IP), and then click Properties.
The Internet Protocol (TCP/IP) Properties page appears.

14. Click Advanced. The Advanced TCP/IP Settings page appears.

15. Clear the Use IP header compression check box.

Related Documentation

• USB Modem Interface Overview on page 363

• USB Modem Configuration Overview on page 366

• Connecting to the Device Remotely on page 379

Connecting to the Device Remotely

Supported Platforms SRX Series, vSRX

To remotely connect to the device through a USB modem connected to the USB port on
the device:

1. On the PC or laptop computer at your remote location, select Start>Settings>Control Panel>Network Connections. The Network Connections page appears.

2. Double-click the USB-modem-connect dial-up connection. The Connect USB-modem-connect page appears.

3. Click Dial to connect to the Juniper Networks device.

When the connection is complete, you can use SSH to connect to the device (or Telnet, if it is enabled; Telnet sends the login credentials in cleartext over the dial-up link, so use SSH wherever possible).

Related Documentation

• USB Modem Interface Overview on page 363

• USB Modem Configuration Overview on page 366

• Configuring a Dial-Up Modem Connection Remotely on page 378

Copyright © 2017, Juniper Networks, Inc. 379


Administration Guide for Security Devices

Modifying USB Modem Initialization Commands

Supported Platforms SRX Series

NOTE: These instructions use Hayes-compatible modem commands to
configure the modem. If your modem is not Hayes-compatible, see the
documentation for your modem and enter equivalent modem commands.
Applies to SRX300, SRX320, SRX340, SRX345 devices.

You can use the CLI configuration editor to override the value of an initialization command
configured on the USB modem or configure additional commands for initializing USB
modems.

NOTE: If you modify modem initialization commands when a call is in
progress, the new initialization sequence is applied on the modem only when
the call ends.

You can configure the following modem AT commands to initialize the USB modem:

• The command S0=2 configures the modem to automatically answer calls on the
second ring.

• The command L2 configures medium speaker volume on the modem.

You can insert spaces between commands.

When you configure modem commands in the CLI configuration editor, you must follow
these conventions:

• Use the newline character \n to indicate the end of a command sequence.

• Enclose the command string in double quotation marks.

You can override the value of the S0=0 command in the initialization sequence configured
on the modem and add the L2 command.

To modify the initialization commands on a USB modem:

1. Configure the modem AT commands to initialize the USB modem.

[edit interfaces umd0]
user@host# set modem-options init-command-string "AT S0=2 L2 \n"

2. If you are done configuring the device, enter commit from configuration mode.

Related Documentation

• USB Modem Interface Overview on page 363
• USB Modem Configuration Overview on page 366
• Resetting USB Modems on page 381

Resetting USB Modems

Supported Platforms SRX Series

For SRX300, SRX320, SRX340, and SRX345 devices, if the USB modem does not respond,
you can reset the modem.

CAUTION: If you reset the modem when a call is in progress, the call is
terminated.

To reset the USB modem, in operational mode, enter the following command:

user@host> request interface modem reset umd0

Related Documentation

• USB Modem Interface Overview on page 363
• USB Modem Configuration Overview on page 366
• Modifying USB Modem Initialization Commands on page 380


CHAPTER 8

Configuring Telnet and SSH Access to an SRX Series Appliance

• Securing the Console Port Configuration Overview on page 383
• Configuring Password Retry Limits for Telnet and SSH Access on page 384
• Example: Controlling Management Access on SRX Series Devices on page 385
• Example: Configuring a Filter to Block Telnet and SSH Access on page 389
• The telnet Command on page 394
• The ssh Command on page 396
• Configuring Outbound SSH Service on page 397

Securing the Console Port Configuration Overview

Supported Platforms SRX Series, vSRX

You can use the console port on the device to connect to the device through an RJ-45
serial cable. From the console port, you can use the CLI to configure the device. By default,
the console port is enabled. To secure the console port, you can configure the device to
take the following actions:

• Log out of the console session when you unplug the serial cable connected to the
console port.

• Disable root login connections to the console. This action prevents a non-root user
from performing a password recovery operation using the console.

• Disable the console port. We recommend disabling the console port to prevent
unauthorized access to the device, especially when the device is used as customer
premises equipment (CPE) and is forwarding sensitive traffic.

NOTE: It is not always possible to disable the console port, because console
access is important during operations such as software upgrades.

To secure the console port:

1. Do one of the following:

• Disable the console port. Enter

[edit system ports console]
user@host# set disable

• Disable root login connections to the console. Enter

[edit system ports console]
user@host# set insecure

NOTE: After configuring the console port as insecure, if a user tries to
perform a password recovery operation by booting in single-user mode,
the device will prompt for the root password. This way, the user will be
unable to log in to single-user mode for password recovery unless the
root password is known.

• Log out the console session when the serial cable connected to the console port is
unplugged. Enter

[edit system ports console]
user@host# set log-out-on-disconnect

2. If you are done configuring the device, enter commit from configuration mode.

Related Documentation

• The telnet Command on page 394
• The ssh Command on page 396
• Configuring Password Retry Limits for Telnet and SSH Access on page 384
• Configuring Reverse Telnet and Reverse SSH

Configuring Password Retry Limits for Telnet and SSH Access

Supported Platforms SRX Series, vSRX

To prevent brute force and dictionary attacks, the device performs the following actions
for Telnet or SSH sessions by default:

• Disconnects a session after a maximum of 10 consecutive password retries.

• After the second password retry, introduces a delay in multiples of 5 seconds between
subsequent password retries.

For example, the device introduces a delay of 5 seconds between the third and fourth
password retry, a delay of 10 seconds between the fourth and fifth password retry, and
so on.

• Enforces a minimum session time of 20 seconds during which a session cannot be
disconnected. Configuring the minimum session time prevents malicious users from
disconnecting sessions before the password retry delay goes into effect, and attempting
brute force and dictionary attacks with multiple logins.

You can configure the password retry limits for Telnet and SSH access. In this example,
you configure the device to take the following actions for Telnet and SSH sessions:

• Allow a maximum of four consecutive password retries before disconnecting a session.

• Introduce a delay in multiples of 5 seconds between password retries that occur after
the second password retry.

• Enforce a minimum session time of 40 seconds during which a session cannot be
disconnected.

To configure password retry limits for Telnet and SSH access:

1. Set the maximum number of consecutive password retries before a Telnet or SSH
session is disconnected. The default number is 10, but you can set a number
from 1 through 10.

[edit system login retry-options]
user@host# set tries-before-disconnect 4

2. Set the threshold number of password retries after which a delay is introduced between
two consecutive password retries. The default number is 2, but you can specify a value
from 1 through 3.

[edit system login retry-options]
user@host# set backoff-threshold 2

3. Set the delay (in seconds) between consecutive password retries after the threshold
number of password retries. The default delay is in multiples of 5 seconds, but you
can specify a value from 5 through 10 seconds.

[edit system login retry-options]
user@host# set backoff-factor 5

4. Set the minimum length of time (in seconds) during which a Telnet or SSH session
cannot be disconnected. The default is 20 seconds, but you can specify an interval
from 20 through 60 seconds.

[edit system login retry-options]
user@host# set minimum-time 40

5. If you are done configuring the device, enter commit from configuration mode.
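
The following model of the retry-options behaviour is an added example, not Junos code: it reproduces the documented rules for tries-before-disconnect, backoff-threshold, backoff-factor and minimum-time so that the wall-clock cost of a session full of wrong passwords can be computed. The back-off is read as "delay = (failures - threshold) x factor", which matches the 5 s / 10 s example in the text; the one-second cost per attempt is an assumption.

```python
# Added illustration (not Junos code) of [edit system login retry-options].
from dataclasses import dataclass


@dataclass(frozen=True)
class RetryOptions:
    """Mirror of the four retry-options statements with their documented defaults."""
    tries_before_disconnect: int = 10  # 1 through 10
    backoff_threshold: int = 2         # 1 through 3
    backoff_factor: int = 5            # 5 through 10 seconds
    minimum_time: int = 20             # 20 through 60 seconds

    def __post_init__(self):
        # Reject values outside the ranges the CLI accepts (see the steps above),
        # so a mistyped policy fails loudly instead of silently weakening limits.
        if not 1 <= self.tries_before_disconnect <= 10:
            raise ValueError("tries-before-disconnect must be 1..10")
        if not 1 <= self.backoff_threshold <= 3:
            raise ValueError("backoff-threshold must be 1..3")
        if not 5 <= self.backoff_factor <= 10:
            raise ValueError("backoff-factor must be 5..10")
        if not 20 <= self.minimum_time <= 60:
            raise ValueError("minimum-time must be 20..60")


def delay_after_failure(opts: RetryOptions, failures: int) -> int:
    """Seconds the device waits before offering the next password prompt after
    `failures` consecutive wrong passwords: nothing up to the threshold, then
    one backoff-factor per failure beyond it (3rd failure -> 5 s, 4th -> 10 s).
    This linear reading of the text is an assumption of the example."""
    if failures <= opts.backoff_threshold:
        return 0
    return (failures - opts.backoff_threshold) * opts.backoff_factor


def simulate_login(opts: RetryOptions, outcomes, typing_seconds: int = 1) -> dict:
    """Walk one Telnet/SSH session. `outcomes` holds one bool per password
    attempt (True = correct). Each attempt is assumed to cost `typing_seconds`
    of wall-clock time; back-off delays are added after each failure and the
    session is not released before minimum-time has elapsed."""
    elapsed = 0
    failures = 0
    for attempt, correct in enumerate(outcomes, start=1):
        elapsed += typing_seconds
        if correct:
            return {"result": "authenticated", "attempts": attempt, "elapsed": elapsed}
        failures += 1
        if failures >= opts.tries_before_disconnect:
            # Disconnect, but the session lingers until minimum-time is reached,
            # which is what stops a client from reconnecting to dodge the delays.
            return {"result": "disconnected", "attempts": attempt,
                    "elapsed": max(elapsed, opts.minimum_time)}
        elapsed += delay_after_failure(opts, failures)
    return {"result": "open", "attempts": len(outcomes), "elapsed": elapsed}


def max_guesses_per_hour(opts: RetryOptions, typing_seconds: int = 1) -> float:
    """Upper bound on password guesses per hour for a client that fills every
    session with wrong passwords and reconnects the instant it is released."""
    session = simulate_login(opts, [False] * opts.tries_before_disconnect, typing_seconds)
    return opts.tries_before_disconnect * 3600 / session["elapsed"]


if __name__ == "__main__":
    default = RetryOptions()
    example = RetryOptions(tries_before_disconnect=4, backoff_threshold=2,
                           backoff_factor=5, minimum_time=40)
    for name, opts in (("defaults", default), ("values from this example", example)):
        print(f"{name}: at most {max_guesses_per_hour(opts):.0f} guesses per hour")
```

With the values in this example the bound works out to 360 guesses per hour against 240 with the defaults, because for a four-try session the 40-second minimum-time floor, not the back-off, is what determines the session length.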

Related Documentation

• The telnet Command on page 394
• The ssh Command on page 396
• Configuring Reverse Telnet and Reverse SSH

Example: Controlling Management Access on SRX Series Devices

Supported Platforms SRX Series, vSRX

This example shows how to control management access on SRX Series devices.

• Requirements on page 386
• Overview on page 386
• Configuration on page 386
• Verification on page 388

Requirements
No special configuration beyond device initialization is required before configuring this
feature.

Overview
By default, any host on the trusted interface can manage a security device. To limit the
IP addresses that can manage a device, you can configure a firewall filter to deny all,
with the exception of the IP address or addresses to which you want to grant management
access. This example shows how to limit management access to specific IP addresses
so that only those addresses can manage SRX Series devices.

Configuration
• Configuring an IP Address List to Restrict Management Access to a Device on page 386

Configuring an IP Address List to Restrict Management Access to a Device

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

set policy-options prefix-list manager-ip 192.168.4.254/32
set policy-options prefix-list manager-ip 10.0.0.0/8
set firewall filter manager-ip term block_non_manager from source-address 0.0.0.0/0
set firewall filter manager-ip term block_non_manager from source-prefix-list manager-ip except
set firewall filter manager-ip term block_non_manager from protocol tcp
set firewall filter manager-ip term block_non_manager from destination-port ssh
set firewall filter manager-ip term block_non_manager from destination-port https
set firewall filter manager-ip term block_non_manager from destination-port telnet
set firewall filter manager-ip term block_non_manager from destination-port http
set firewall filter manager-ip term block_non_manager then discard
set firewall filter manager-ip term accept_everything_else then accept
set interfaces lo0 unit 0 family inet filter input manager-ip

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.

1. Define a set of host addresses, called "manager-ip", that are allowed to manage
the device.

[edit policy-options]
user@host# set prefix-list manager-ip 192.168.4.254/32
user@host# set prefix-list manager-ip 10.0.0.0/8

NOTE: The configured list is referenced in the actual filter, where you
can change your defined set of addresses.

2. Configure a firewall filter to deny traffic from all IP addresses except the IP addresses
defined in the "manager-ip" list. Management traffic to any of the listed destination
ports is discarded unless it comes from an address in the list.

[edit firewall filter]
user@host# set manager-ip term block_non_manager from source-address 0.0.0.0/0
user@host# set manager-ip term block_non_manager from source-prefix-list manager-ip except
user@host# set manager-ip term block_non_manager from protocol tcp
user@host# set manager-ip term block_non_manager from destination-port ssh
user@host# set manager-ip term block_non_manager from destination-port https
user@host# set manager-ip term block_non_manager from destination-port telnet
user@host# set manager-ip term block_non_manager from destination-port http
user@host# set manager-ip term block_non_manager then discard
user@host# set manager-ip term accept_everything_else then accept

3. Apply stateless firewall filters to the loopback interface to filter the packets
originating from the hosts to which you are granting management access.

[edit interfaces lo0 unit 0]
user@host# set family inet filter input manager-ip

NOTE: This configuration applies to traffic that terminates at the device.
For traffic that terminates at the device interface (such as IPsec, OSPF,
RIP, or BGP), you must also include the management IP addresses in
the manager-ip prefix-list.

Results

From configuration mode, confirm your configuration by entering the show configuration
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

user@host# show configuration policy-options
prefix-list manager-ip {
    10.0.0.0/8;
    192.168.4.254/32;
}

user@host# show configuration firewall
filter manager-ip {
    term block_non_manager {
        from {
            source-address {
                0.0.0.0/0;
            }
            source-prefix-list {
                manager-ip except;
            }
            protocol tcp;
            destination-port [ ssh https telnet http ];
        }
        then {
            discard;
        }
    }
    term accept_everything_else {
        then accept;
    }
}

user@host# show configuration interfaces
lo0 {
    unit 0 {
        family inet {
            filter {
                input manager-ip;
            }
        }
    }
}

user@host# show configuration interfaces lo0
unit 0 {
    family inet {
        filter {
            input manager-ip;
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Interfaces

Purpose

Verify that the interfaces are configured correctly.

Action

From operational mode, enter the following commands:

• show policy-options
• show firewall
• show interfaces

Related Documentation

• Securing the Console Port Configuration Overview on page 383

Example: Configuring a Filter to Block Telnet and SSH Access

Supported Platforms SRX Series, vSRX

• Requirements on page 389
• Overview on page 389
• Configuration on page 389
• Verification on page 392

Requirements
You must have access to a remote host that has network connectivity with this device.

Overview
In this example, you create an IPv4 stateless firewall filter that logs and rejects Telnet
or SSH access packets unless the packet is destined for or originates from the
192.168.1.0/24 subnet.

• To match packets destined for or originating from the 192.168.1.0/24 subnet,
you use the source-address 192.168.1.0/24 IPv4 match condition.

• To match TCP packets destined for or originating from the Telnet port or the SSH port,
you use the protocol tcp, port telnet, and port ssh IPv4 match conditions.

Configuration
The following example requires you to navigate various levels in the configuration
hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration
Mode.

To configure this example, perform the following tasks:

• Configure the Stateless Firewall Filter on page 390
• Apply the Firewall Filter to the Loopback Interface on page 390
• Confirm and Commit Your Candidate Configuration on page 391

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

set firewall family inet filter local_acl term terminal_access from source-address 192.168.1.0/24
set firewall family inet filter local_acl term terminal_access from protocol tcp
set firewall family inet filter local_acl term terminal_access from port ssh
set firewall family inet filter local_acl term terminal_access from port telnet
set firewall family inet filter local_acl term terminal_access then accept
set firewall family inet filter local_acl term terminal_access_denied from protocol tcp
set firewall family inet filter local_acl term terminal_access_denied from port ssh
set firewall family inet filter local_acl term terminal_access_denied from port telnet
set firewall family inet filter local_acl term terminal_access_denied then log
set firewall family inet filter local_acl term terminal_access_denied then reject
set firewall family inet filter local_acl term default-term then accept
set interfaces lo0 unit 0 family inet filter input local_acl
set interfaces lo0 unit 0 family inet address 127.0.0.1/32

Configure the Stateless Firewall Filter

Step-by-Step Procedure

To configure the stateless firewall filter that selectively blocks Telnet and SSH access:

1. Create the stateless firewall filter local_acl.

[edit]
user@myhost# edit firewall family inet filter local_acl

2. Define the filter term terminal_access.

[edit firewall family inet filter local_acl]
user@myhost# set term terminal_access from source-address 192.168.1.0/24
user@myhost# set term terminal_access from protocol tcp
user@myhost# set term terminal_access from port ssh
user@myhost# set term terminal_access from port telnet
user@myhost# set term terminal_access then accept

3. Define the filter term terminal_access_denied.

[edit firewall family inet filter local_acl]
user@myhost# set term terminal_access_denied from protocol tcp
user@myhost# set term terminal_access_denied from port ssh
user@myhost# set term terminal_access_denied from port telnet
user@myhost# set term terminal_access_denied then log
user@myhost# set term terminal_access_denied then reject
user@myhost# set term default-term then accept

Apply the Firewall Filter to the Loopback Interface

Step-by-Step Procedure

• To apply the firewall filter to the loopback interface:

[edit]
user@myhost# set interfaces lo0 unit 0 family inet filter input local_acl
user@myhost# set interfaces lo0 unit 0 family inet address 127.0.0.1/32

Confirm and Commit Your Candidate Configuration

Step-by-Step Procedure

To confirm and then commit your candidate configuration:

1. Confirm the configuration of the stateless firewall filter by entering the show firewall
configuration mode command. If the command output does not display the intended
configuration, repeat the instructions in this example to correct the configuration.

[edit]
user@myhost# show firewall
family inet {
    filter local_acl {
        term terminal_access {
            from {
                source-address {
                    192.168.1.0/24;
                }
                protocol tcp;
                port [ ssh telnet ];
            }
            then accept;
        }
        term terminal_access_denied {
            from {
                protocol tcp;
                port [ ssh telnet ];
            }
            then {
                log;
                reject;
            }
        }
        term default-term {
            then accept;
        }
    }
}

2. Confirm the configuration of the interface by entering the show interfaces
configuration mode command. If the command output does not display the intended
configuration, repeat the instructions in this example to correct the configuration.

[edit]
user@myhost# show interfaces
lo0 {
    unit 0 {
        family inet {
            filter {
                input local_acl;
            }
            address 127.0.0.1/32;
        }
    }
}


3. If you are done configuring the device, commit your candidate configuration.

[edit]
user@myhost# commit

Verification

Confirm that the configuration is working properly.

• Verifying Accepted Packets on page 392
• Verifying Logged and Rejected Packets on page 393

Verifying Accepted Packets

Purpose

Verify that the actions of the firewall filter terms are taken.

Action

1. Clear the firewall log on your router or switch.

user@myhost> clear firewall log

2. From a host at an IP address within the 192.168.1.0/24 subnet, use the ssh hostname
command to verify that you can log in to the device using only SSH. This packet should
be accepted, and the packet header information for this packet should not be logged
in the firewall filter log buffer in the Packet Forwarding Engine.

user@host-A> ssh myhost
user@myhosts’s password:
--- JUNOS 11.1-20101102.0 built 2010-11-02 04:48:46 UTC

% cli
user@myhost>

3. From a host at an IP address within the 192.168.1.0/24 subnet, use the telnet hostname
command to verify that you can log in to your router or switch using only Telnet. This
packet should be accepted, and the packet header information for this packet
should not be logged in the firewall filter log buffer in the Packet Forwarding Engine.

user@host-A> telnet myhost
Trying 192.168.249.71...
Connected to myhost-fxp0.example.net.
Escape character is '^]'.

host (ttyp0)

login: user
Password:

--- JUNOS 11.1-20101102.0 built 2010-11-02 04:48:46 UTC

% cli
user@myhost>

4. Use the show firewall log command to verify that the firewall log on the device does
not contain any entries with a source address in the 192.168.1.0/24 subnet.

user@myhost> show firewall log

Verifying Logged and Rejected Packets

Purpose

Verify that the actions of the firewall filter terms are taken.

Action

1. Clear the firewall log on your router or switch.

user@myhost> clear firewall log

2. From a host at an IP address outside of the 192.168.1.0/24 subnet, use the ssh hostname
command to verify that you cannot log in to the device using only SSH. This packet
should be rejected, and the packet header information for this packet should be logged
in the firewall filter log buffer in the Packet Forwarding Engine.

user@host-B> ssh myhost
ssh: connect to host sugar port 22: Connection refused
--- JUNOS 11.1-20101102.0 built 2010-11-02 04:48:46 UTC
%

3. From a host at an IP address outside of the 192.168.1.0/24 subnet, use the telnet
hostname command to verify that you cannot log in to the device using only Telnet. This
packet should be rejected, and the packet header information for this packet should
be logged in the firewall filter log buffer in the Packet Forwarding Engine.

user@host-B> telnet myhost
Trying 192.168.249.71...
telnet: connect to address 192.168.187.3: Connection refused
telnet: Unable to connect to remote host
%

4. Use the show firewall log command to verify that the firewall log on the device does
not contain any entries with a source address in the 192.168.1.0/24 subnet.

user@myhost> show firewall log

Time      Filter     Action  Interface  Protocol  Src Addr       Dest Addr
18:41:25  local_acl  R       fxp0.0     TCP       192.168.187.5  192.168.187.1
18:41:25  local_acl  R       fxp0.0     TCP       192.168.187.5  192.168.187.1
18:41:25  local_acl  R       fxp0.0     TCP       192.168.187.5  192.168.187.1
...
18:43:06  local_acl  R       fxp0.0     TCP       192.168.187.5  192.168.187.1
18:43:06  local_acl  R       fxp0.0     TCP       192.168.187.5  192.168.187.1
18:43:06  local_acl  R       fxp0.0     TCP       192.168.187.5  192.168.187.1
...
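
The following evaluator is an added example, not Junos code, serving both the manager-ip example and the local_acl example above: it walks a stateless filter term by term the way the text describes (first matching term wins, a term matches only when every from condition holds, and a packet matching no term falls to the implicit final discard) and emits log lines in the layout of the show firewall log output above. The service-name table, the packet headers, the interface name and the timestamp are constructed for the example.

```python
# Added illustration (not Junos code) of stateless firewall filter evaluation
# for the two filters on this page. Simplified model: no counters, no policers,
# IPv4 only, and only the match conditions the examples use.
import ipaddress

# Service names used in the port/destination-port statements on this page.
SERVICES = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}


def _in_any(addr: str, prefixes) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def term_matches(cond: dict, pkt: dict) -> bool:
    """Every `from` condition present must hold; a term with no `from` matches all."""
    if "source-address" in cond and not _in_any(pkt["src"], cond["source-address"]):
        return False
    # `source-prefix-list <name> except` matches only sources NOT in the list.
    if "source-prefix-list-except" in cond and _in_any(pkt["src"], cond["source-prefix-list-except"]):
        return False
    if "protocol" in cond and pkt["proto"] != cond["protocol"]:
        return False
    if "destination-port" in cond:
        if pkt["dport"] not in {SERVICES[s] for s in cond["destination-port"]}:
            return False
    if "port" in cond:  # `port` matches either the source or the destination port
        ports = {SERVICES[s] for s in cond["port"]}
        if pkt["sport"] not in ports and pkt["dport"] not in ports:
            return False
    return True


def apply_filter(name: str, terms, pkt: dict, iface="fxp0.0", when="18:41:25"):
    """Return (verdict, log_line). verdict is accept, discard or reject; log_line
    follows the `show firewall log` layout above, or is None if no term logged."""
    for term_name, term in terms:
        if not term_matches(term.get("from", {}), pkt):
            continue
        actions = term["then"]
        verdict = next(a for a in actions if a in ("accept", "discard", "reject"))
        log_line = None
        if "log" in actions:
            letter = {"accept": "A", "discard": "D", "reject": "R"}[verdict]
            log_line = f"{when} {name} {letter} {iface} {pkt['proto'].upper()} {pkt['src']} {pkt['dst']}"
        return verdict, log_line
    return "discard", None  # implicit discard when no term matches


# Transcription of the manager-ip filter from the first example.
MANAGER_IP = [
    ("block_non_manager", {
        "from": {"source-address": ["0.0.0.0/0"],
                 "source-prefix-list-except": ["192.168.4.254/32", "10.0.0.0/8"],
                 "protocol": "tcp",
                 "destination-port": ["ssh", "https", "telnet", "http"]},
        "then": ["discard"]}),
    ("accept_everything_else", {"then": ["accept"]}),
]

# Transcription of the local_acl filter from the second example.
LOCAL_ACL = [
    ("terminal_access", {
        "from": {"source-address": ["192.168.1.0/24"], "protocol": "tcp", "port": ["ssh", "telnet"]},
        "then": ["accept"]}),
    ("terminal_access_denied", {
        "from": {"protocol": "tcp", "port": ["ssh", "telnet"]},
        "then": ["log", "reject"]}),
    ("default-term", {"then": ["accept"]}),
]


def tcp(src, dst, dport, sport=51234, proto="tcp"):
    """Build a constructed packet header (addresses are test values)."""
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


if __name__ == "__main__":
    for pkt in (tcp("10.1.2.3", "192.168.4.1", 22), tcp("203.0.113.9", "192.168.4.1", 22),
                tcp("203.0.113.9", "192.168.4.1", 179)):
        print("manager-ip", pkt["src"], pkt["dport"], apply_filter("manager-ip", MANAGER_IP, pkt))
    for pkt in (tcp("192.168.1.10", "192.168.187.1", 22), tcp("192.168.187.5", "192.168.187.1", 22)):
        print("local_acl", pkt["src"], pkt["dport"], apply_filter("local_acl", LOCAL_ACL, pkt))
```

Running it shows the difference between the two designs: manager-ip silently discards non-listed sources only on the four management ports and accepts everything else, while local_acl logs and rejects every Telnet or SSH packet that is not from 192.168.1.0/24, so unexpected sources show up in the firewall log.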

The telnet Command

Supported Platforms SRX Series, vSRX

You can use the CLI telnet command to open a Telnet session to a remote device:

user@host> telnet host <8bit> <bypass-routing> <inet> <interface interface-name>
<no-resolve> <port port> <routing-instance routing-instance-name> <source address>

NOTE: On SRX100, SRX210, SRX220, SRX240, SRX300, SRX320, SRX340,
SRX345, and SRX1500 devices, the maximum number of concurrent Telnet
sessions is indicated in the following table. Platform support depends on the
Junos OS release in your installation.

Platform                  Maximum concurrent Telnet sessions
SRX100                    3
SRX210, SRX220            3
SRX240                    5
SRX300, SRX320, SRX340    3
SRX345                    5
SRX1500                   5

To exit the Telnet session and return to the Telnet command prompt, press Ctrl-].

To exit the Telnet session and return to the CLI command prompt, enter quit.

Table 11 on page 395 describes the telnet command options.

Table 11: CLI telnet Command Options

Option                                  Description
8bit                                    Use an 8-bit data path.
bypass-routing                          Bypass the routing tables and open a Telnet session only to hosts on directly attached
                                        interfaces. If the host is not on a directly attached interface, an error message is returned.
host                                    Open a Telnet session to the specified hostname or IP address.
inet                                    Force the Telnet session to an IPv4 destination.
interface source-interface              Open a Telnet session to a host on the specified interface. If you do not include this
                                        option, all interfaces are used.
no-resolve                              Suppress the display of symbolic names.
port port                               Specify the port number or service name on the host.
routing-instance routing-instance-name  Use the specified routing instance for the Telnet session.
source address                          Use the specified source address for the Telnet session.

Related Documentation

• The ssh Command on page 396
• Configuring Password Retry Limits for Telnet and SSH Access on page 384
• Configuring Reverse Telnet and Reverse SSH

The ssh Command

Supported Platforms SRX Series, vSRX

You can use the CLI ssh command to use the secure shell (SSH) program to open a
connection to a remote device:

user@host> ssh host <bypass-routing> <inet> <interface interface-name>
<routing-instance routing-instance-name> <source address> <v1> <v2>

NOTE: On SRX100, SRX210, SRX220, SRX240, SRX300, SRX320, SRX340,
SRX345, and SRX1500 devices, the maximum number of concurrent SSH
sessions is indicated in the following table. Platform support depends on the
Junos OS release in your installation.

Platform                  Maximum concurrent SSH sessions
SRX100                    3
SRX210, SRX220            3
SRX240                    5
SRX300, SRX320, SRX340    3
SRX345                    5
SRX1500                   5

Table 12 on page 396 describes the ssh command options.

Table 12: CLI ssh Command Options

Option                                  Description
bypass-routing                          Bypass the routing tables and open an SSH connection only to hosts on directly attached
                                        interfaces. If the host is not on a directly attached interface, an error message is returned.
host                                    Open an SSH connection to the specified hostname or IP address.
inet                                    Force the SSH connection to an IPv4 destination.
interface source-interface              Open an SSH connection to a host on the specified interface. If you do not include this
                                        option, all interfaces are used.
routing-instance routing-instance-name  Use the specified routing instance for the SSH connection.
source address                          Use the specified source address for the SSH connection.
v1                                      Force SSH to use version 1 for the connection.
v2                                      Force SSH to use version 2 for the connection.

Related Documentation

• The telnet Command on page 394
• Configuring Password Retry Limits for Telnet and SSH Access on page 384
• Configuring Reverse Telnet and Reverse SSH

Configuring Outbound SSH Service

Supported Platforms SRX Series

You can configure a device running the Junos OS to initiate a TCP/IP connection with a
client management application that would be blocked if the client attempted to initiate
the connection (for example, if the device is behind a firewall). The outbound-ssh
command instructs the device to create a TCP/IP connection with the client management
application and to forward the identity of the device. Once the connection is established,
the management application acts as the client and initiates the SSH sequence, and the
device acts as the server and authenticates the client.

NOTE: There is no initiation command with outbound SSH. Once outbound
SSH is configured and committed, the device begins to initiate an outbound
SSH connection based on the committed configuration. The device repeatedly
attempts to create this connection until successful. If the connection between
the device and the client management application is dropped, the device
again attempts to create a new outbound SSH connection until successful.
This connection is maintained until the outbound SSH stanza is removed
from the configuration.

To configure the device for outbound SSH connections, include the outbound-ssh
statement at the [edit system services] hierarchy level:

[edit system services outbound-ssh]

The following topics describe the tasks for configuring the outbound SSH service:

• Configuring the Device Identifier for Outbound SSH Connections on page 397
• Sending the Public SSH Host Key to the Outbound SSH Client on page 398
• Configuring Keepalive Messages for Outbound SSH Connections on page 399
• Configuring a New Outbound SSH Connection on page 399
• Configuring the Outbound SSH Client to Accept NETCONF as an Available
Service on page 399
• Configuring Outbound SSH Clients on page 400

Configuring the Device Identifier for Outbound SSH Connections


Each time the device establishes an outbound SSH connection, it first sends an initiation
sequence to the management client. This sequence identifies the device to the
management client. Within this transmission is the value of device-id.

To configure the device identifier of the device, include the device-id statement at the
[edit system services outbound-ssh client client-id] hierarchy level:

[edit system services outbound-ssh client client-id]
device-id device-id;

The initiation sequence when secret is not configured:

MSG-ID: DEVICE-CONN-INFO\r\n
MSG-VER: V1\r\n
DEVICE-ID: <device-id>\r\n

Sending the Public SSH Host Key to the Outbound SSH Client

During the initialization of an SSH connection, the client authenticates the identity of the
device using the public SSH host key of the device. Therefore, before the client can initiate
the SSH sequence, it needs the public SSH key of the device. When you configure the
secret statement, the device passes its public SSH key as part of the outbound SSH
connection initiation sequence.

When the secret statement is set and the device establishes an outbound SSH connection,
the device communicates its device ID, its public SSH key, and an SHA1 hash derived in
part from the secret statement. The value of the secret statement is shared between the
device and the management client. The client uses the shared secret to authenticate
the public SSH host key it is receiving to determine whether the public key is from the
device identified by the device-id statement.

Using the secret statement to transport the public SSH host key is optional. You can
manually transport and install the public key onto the client system.

NOTE: Including the secret statement means that the device sends its public
SSH host key every time it establishes a connection to the client. It is then up
to the client to decide what to do with the SSH host key if it already has one
for that device. We recommend that you replace the client’s copy with the
new key. Host keys can change for various reasons and by replacing the key
each time a connection is established, you ensure that the client has the
latest key.

398 Copyright © 2017, Juniper Networks, Inc.


Chapter 8: Configuring Telnet and SSH Access to an SRX Series Appliance

To send the router’s or switch’s public SSH host key when the device connects to the
client, include the secret statement at the [edit system services outbound-ssh client
client-id] hierarchy level:

[edit system services outbound-ssh client client-id]
secret password;

The following message is sent by the device when the secret attribute is configured:

MSG-ID: DEVICE-CONN-INFO\r\n
MSG-VER: V1\r\n
DEVICE-ID: <device-id>\r\n
HOST-KEY: <public-host-key>\r\n
HMAC: <HMAC(pub-SSH-host-key, <secret>)>\r\n
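
The check a management client applies to this message, as an added example that is not Juniper code: it parses the DEVICE-CONN-INFO fields, recomputes the digest over the received host key with the shared secret, and only then accepts and stores the key. The guide describes the digest as SHA1-based and writes it as HMAC(pub-SSH-host-key, <secret>); the exact construction used here (HMAC-SHA1 keyed with the secret over the host-key text, hex-encoded) and all device IDs, keys and secrets are assumptions, not values from the guide.

```python
"""Client-side handling of the outbound SSH initiation message (added example).

Assumed digest construction: HMAC-SHA1(key=shared secret, msg=host-key text), hex.
All device IDs, host keys and secrets below are constructed sample values.
"""
import hashlib
import hmac


def host_key_hmac(host_key: str, secret: str) -> str:
    """Assumed construction of the HMAC field: HMAC-SHA1 keyed with the secret."""
    return hmac.new(secret.encode("ascii"), host_key.encode("ascii"), hashlib.sha1).hexdigest()


def build_conn_info(device_id: str, host_key: str = None, secret: str = None) -> bytes:
    """Device side: the two message forms from the guide (secret configured or not)."""
    lines = ["MSG-ID: DEVICE-CONN-INFO", "MSG-VER: V1", f"DEVICE-ID: {device_id}"]
    if secret is not None:
        lines.append(f"HOST-KEY: {host_key}")
        lines.append(f"HMAC:{host_key_hmac(host_key, secret)}")
    return ("\r\n".join(lines) + "\r\n").encode("ascii")


def parse_conn_info(raw: bytes) -> dict:
    """Client side: split the CRLF-terminated NAME: value lines; reject other message kinds."""
    fields = {}
    for line in raw.decode("ascii").split("\r\n"):
        if line:
            name, _, value = line.partition(":")
            fields[name.strip()] = value.strip()
    if fields.get("MSG-ID") != "DEVICE-CONN-INFO" or fields.get("MSG-VER") != "V1":
        raise ValueError("not a V1 DEVICE-CONN-INFO message")
    if "DEVICE-ID" not in fields:
        raise ValueError("DEVICE-ID missing")
    return fields


def trusted_host_key(fields: dict, secrets: dict, known_keys: dict) -> str:
    """Return the host key to verify the device against in the SSH handshake.

    secrets:    device-id -> shared secret configured for that device on the client
    known_keys: device-id -> host key installed out of band (replaced on success,
                as the guide recommends)
    Raises ValueError when the key cannot be trusted.
    """
    device = fields["DEVICE-ID"]
    if "HOST-KEY" in fields:
        secret = secrets.get(device)
        if secret is None or "HMAC" not in fields:
            raise ValueError(f"{device}: host key sent without a verifiable HMAC")
        expected = host_key_hmac(fields["HOST-KEY"], secret)
        if not hmac.compare_digest(expected, fields["HMAC"]):
            raise ValueError(f"{device}: HMAC mismatch, host key rejected")
        known_keys[device] = fields["HOST-KEY"]   # replace any stored copy with the verified key
        return fields["HOST-KEY"]
    # No secret on the device: the key must already have been installed on the client.
    if device not in known_keys:
        raise ValueError(f"{device}: no host key on file and none sent")
    return known_keys[device]
```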

Once the client application has the router’s or switch’s public SSH host key, it can then
initiate the SSH sequence as if it had created the TCP/IP connection and can authenticate
the device using its copy of the router’s or switch’s public SSH host key as part of that
sequence. The device authenticates the client user through the mechanisms supported
in the Junos OS (RSA/DSA public string or password authentication).

Configuring Keepalive Messages for Outbound SSH Connections

To enable the device to send SSH protocol keepalive messages to the client application,
configure the keep-alive statement at the [edit system services outbound-ssh client
client-id] hierarchy level:

[edit system services outbound-ssh client client-id]
keep-alive {
  retry number;
  timeout seconds;
}

Configuring a New Outbound SSH Connection

When disconnected, the device begins to initiate a new outbound SSH connection. To
specify how the device reconnects to the server after a connection is dropped, include
the reconnect-strategy statement at the [edit system services outbound-ssh client client-id]
hierarchy level:

[edit system services outbound-ssh client client-id]
reconnect-strategy (sticky | in-order);

You can also specify the number of retry attempts and set the amount of time before
the reconnection attempts stop. See “Configuring Keepalive Messages for Outbound
SSH Connections” on page 399.

Configuring the Outbound SSH Client to Accept NETCONF as an Available Service

To configure the application to accept NETCONF as an available service, include the
services netconf statement at the [edit system services outbound-ssh client client-id]
hierarchy level:

[edit system services outbound-ssh client client-id]
services {
  netconf;
}

Administration Guide for Security Devices

Configuring Outbound SSH Clients

To configure the clients available for this outbound SSH connection, list each client with
a separate address statement at the [edit system services outbound-ssh client client-id]
hierarchy level:

[edit system services outbound-ssh client client-id]
address address {
  retry number;
  timeout seconds;
  port port-number;
}

NOTE: Outbound SSH connections support IPv4 and IPv6 address formats.

PART 3

Configuring DNS
• Configuring DNS Server Caching, DNSSEC, and DNS Proxy on page 403

CHAPTER 9

Configuring DNS Server Caching, DNSSEC, and DNS Proxy

• DNS Overview on page 403
• Example: Configuring the TTL Value for DNS Server Caching on page 404
• DNSSEC Overview on page 405
• Example: Configuring DNSSEC on page 405
• Example: Configuring Keys for DNSSEC on page 406
• Example: Configuring Secure Domains and Trusted Keys for DNSSEC on page 406
• DNS Proxy Overview on page 408
• Configuring the Device as a DNS Proxy on page 413

DNS Overview

Supported Platforms SRX Series, vSRX

A Domain Name System (DNS) is a distributed hierarchical system that converts
hostnames to IP addresses. The DNS is divided into sections called zones. Each zone has
name servers that respond to the queries belonging to their zones.

This topic includes the following sections:

• DNS Components on page 403
• DNS Server Caching on page 404

DNS Components
DNS includes three main components:

• DNS resolver — Resides on the client side of the DNS. When a user sends a hostname
request, the resolver sends a DNS query request to the name servers to request the
hostname's IP address.

• Name servers — Process the DNS query requests received from the DNS resolver
and return the IP address to the resolver.

• Resource records — Data elements that define the basic structure and content of the
DNS.

DNS Server Caching

DNS name servers are responsible for providing the hostname IP address to users. The
TTL field in the resource record defines the period for which DNS query results are cached.
When the TTL value expires, the name server sends a fresh DNS query and updates the
cache.

Related Documentation
• Example: Configuring the TTL Value for DNS Server Caching on page 404
• DNSSEC Overview on page 405

Example: Configuring the TTL Value for DNS Server Caching

Supported Platforms SRX Series, vSRX

This example shows how to configure the TTL value for a DNS server cache to define
the period for which DNS query results are cached.

• Requirements on page 404
• Overview on page 404
• Configuration on page 404
• Verification on page 405

Requirements
No special configuration beyond device initialization is required before performing this
task.

Overview
The DNS name server stores DNS query responses in its cache for the TTL period specified
in the TTL field of the resource record. When the TTL value expires, the name server
sends a fresh DNS query and updates the cache. You can configure the TTL value from
0 to 604,800 seconds. You can also configure the TTL value for cached negative
responses. Negative caching is the storing of the record that a value does not exist. In
this example, you set the maximum TTL value for cached (and negative cached)
responses to 86,400 seconds.

Configuration

Step-by-Step Procedure
To configure the TTL value for a DNS server cache:

1. Specify the maximum TTL value for cached responses, in seconds.

[edit]
user@host# set system services dns max-cache-ttl 86400

2. Specify the maximum TTL value for negative cached responses, in seconds.

[edit]
user@host# set system services dns max-ncache-ttl 86400

3. If you are done configuring the device, commit the configuration.

[edit]
user@host# commit

Verification
To verify the configuration is working properly, enter the show system services command.

Related Documentation
• DNS Overview on page 403

DNSSEC Overview

Supported Platforms SRX Series, vSRX

Junos OS devices support the domain name service security extensions (DNSSEC)
standard. DNSSEC is an extension of DNS that provides authentication and integrity
verification of data by using public-key based signatures.

In DNSSEC, all the resource records in a DNS zone are signed with the private key of the zone
owner, and the DNS resolver uses the public key of the owner to validate the signature. The
zone owner uses its private key to encrypt the hash of a set of resource records; the
encrypted hash (the signature) is stored in the RRSIG record. The corresponding public key
is stored in the DNSKEY record. The resolver uses the public key to decrypt the RRSIG and
compares the result with the hash of the resource record set to verify that it has not been
altered.

Similarly, the hash of the public DNSKEY is stored in a DS record in the parent zone. The
zone owner uses a private key to encrypt the hash of the public key, and the encrypted
hash is stored in the RRSIG record for the DS record. The resolver retrieves the DS record,
its corresponding RRSIG record, and the public key. Using the public key, the resolver
decrypts the RRSIG record and compares the result with the hash of the public DNSKEY
to verify that it has not been altered. This establishes a chain of trust between the
resolver and the name servers.

Related Documentation
• DNS Overview on page 403
• Example: Configuring Keys for DNSSEC on page 406
• Example: Configuring Secure Domains and Trusted Keys for DNSSEC on page 406

Example: Configuring DNSSEC

Supported Platforms SRX Series, vSRX

DNS-enabled devices run a DNS resolver (proxy) that listens on loopback address 127.0.0.1
or ::1. The DNS resolver performs hostname resolution for DNSSEC. You need to set the
name server IP address to 127.0.0.1 or ::1 so that the DNS resolver forwards all DNS queries
to DNSSEC instead of to DNS. If the name server IP address is not set, DNS handles all
queries instead of DNSSEC.

The following example shows how to set the server IP address to 127.0.0.1:

[edit]
user@host# set system name-server 127.0.0.1

The DNSSEC feature is enabled by default. You can disable DNSSEC in the server by
using the following CLI command:

[edit]
set system services dns dnssec disable

Related Documentation
• DNSSEC Overview on page 405

Example: Configuring Keys for DNSSEC

Supported Platforms SRX Series, vSRX

You can load a public key from a file or you can copy and paste the key file from a terminal.
In both cases, you must save the keys to the configuration instead of to a file. The following
example shows how to load a key from a file:

[edit system services dns dnssec trusted-keys]
# load-key filename

The following example shows how to load the key from a terminal:

[edit system services dns dnssec trusted-keys]
# set key "...pasted-text..."

When you are done loading the keys from the file or terminal, enter commit in the CLI.

Related Documentation
• DNSSEC Overview on page 405
• Example: Configuring Secure Domains and Trusted Keys for DNSSEC on page 406

Example: Configuring Secure Domains and Trusted Keys for DNSSEC

Supported Platforms SRX Series, vSRX

This example shows how to configure secure domains and trusted keys for DNSSEC.

• Requirements on page 406
• Overview on page 406
• Configuration on page 407

Requirements
Set the name server IP address so the DNS resolver forwards all DNS queries to DNSSEC
instead of DNS. See “Example: Configuring DNSSEC” on page 405 for more information.

Overview
You can configure secure domains and assign trusted keys to the domains. Both signed
and unsigned responses can be validated when DNSSEC is enabled.

When you configure a domain as a secure domain and if DNSSEC is enabled, all unsigned
responses to that domain are ignored and the server returns a SERVFAIL error code to
the client for the unsigned responses. If the domain is not configured as a secure domain,
unsigned responses will be accepted.

When the server receives a signed response, it checks if the DNSKEY in the response
matches any of the trusted keys that are configured. If it finds a match, the server accepts
the signed response.

You can also attach a DNS root zone as a trusted anchor to a secure domain to validate
the signed responses. When the server receives a signed response, it queries the DNS
root zone for a DS record. When it receives the DS record, it checks if the DNSKEY in the
DS record matches the DNSKEY in the signed response. If it finds a match, the server
accepts the signed response.
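
The two checks described in the DNSSEC Overview and in the overview above, as an added example (Python, not Juniper code): the DS-record digest of a DNSKEY, which is how the trust anchor ties the child key to the parent zone, and the secure-domain decision (SERVFAIL for an unsigned answer to a secure domain; a signed answer accepted when its DNSKEY matches a configured trusted key or the DS record). It assumes the RFC 4034/4509 DS digest and key-tag formulas; the subdomain matching, the failure result for signed-but-unverifiable answers, and all keys and names are constructed assumptions.

```python
"""DNSKEY-to-DS check and secure-domain policy (added example, not Junos code).

Assumptions: DS digest = hash(owner name in wire form || DNSKEY RDATA) and the
key-tag checksum follow RFC 4034/4509; all keys and names are constructed samples.
"""
import hashlib
import hmac


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed lowercase labels, then the root label."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA layout: 2-byte flags, protocol (3), algorithm number, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: the 16-bit value a DS record uses to name its DNSKEY."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> bytes:
    """DS digest over owner name (wire form) plus DNSKEY RDATA; 1 = SHA-1, 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """What the parent zone publishes for a child DNSKEY (the record the resolver fetches)."""
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": ds_digest(owner, rdata, digest_type)}


def dnskey_matches_ds(rdata: bytes, ds: dict) -> bool:
    """Resolver-side check: hash the DNSKEY from the signed answer and compare it to the DS."""
    if key_tag(rdata) != ds["key_tag"] or rdata[3] != ds["algorithm"]:
        return False
    return hmac.compare_digest(ds_digest(ds["owner"], rdata, ds["digest_type"]), ds["digest"])


def validate(domain: str, signed: bool, rdata, secure_domains: set,
             trusted_keys: set, ds: dict = None) -> str:
    """Secure-domain policy: returns 'ACCEPT' or 'SERVFAIL' for one response.

    secure_domains: names configured under dnssec secure-domains (subdomains count; assumed)
    trusted_keys:   DNSKEY RDATA values configured under dnssec trusted-keys
    ds:             DS record obtained from the attached trust anchor, if any
    """
    name = domain.lower().rstrip(".")
    secure = any(name == s or name.endswith("." + s) for s in secure_domains)
    if not signed:
        return "SERVFAIL" if secure else "ACCEPT"   # unsigned answers pass only for non-secure domains
    if rdata in trusted_keys:                        # DNSKEY matches a configured trusted key
        return "ACCEPT"
    if ds is not None and dnskey_matches_ds(rdata, ds):   # DNSKEY verified through the DS chain
        return "ACCEPT"
    return "SERVFAIL"                                # signed but unverifiable: treated as failure (assumed)
```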

Configuration

CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

set system services dns dnssec secure-domains domain1.net
set system services dns dnssec secure-domains domain2.net
set system services dns dnssec trusted-keys key domain1.net.ABC123ABCh
set system services dns dnssec dlv domain domain2.net trusted-anchor dlv.isc.org

Step-by-Step Procedure
To configure secure domains and trusted keys for DNSSEC:

1. Configure domain1.net and domain2.net as secure domains.

[edit]
user@host# set system services dns dnssec secure-domains domain1.net
user@host# set system services dns dnssec secure-domains domain2.net

2. Configure trusted keys to domain1.net.

[edit]
user@host# set system services dns dnssec trusted-keys key
"domain1.net.ABC123ABCh"

3. Attach the root zone dlv.isc.org as a trusted anchor to a secure domain.

[edit]
user@host# set system services dns dnssec dlv domain domain2.net trusted-anchor
dlv.isc.org

Results
From configuration mode, confirm your configuration by entering the show system services
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

dns {
  dnssec {
    trusted-keys {
      key domain1.net.ABC123ABCh; ## SECRET-DATA
    }
    dlv {
      domain domain2.net trusted-anchor dlv.isc.org;
    }
    secure-domains {
      domain1.net;
      domain2.net;
    }
  }
}

If you are done configuring the device, enter commit from configuration mode.

Related Documentation
• DNSSEC Overview on page 405
• Example: Configuring Keys for DNSSEC on page 406

DNS Proxy Overview

Supported Platforms SRX Series, vSRX

A domain name system (DNS) proxy allows clients to use an SRX300, SRX320, SRX340,
SRX345, SRX550M, or SRX1500 device as a DNS proxy server. A DNS proxy improves
domain lookup performance by caching previous lookups. A typical DNS proxy processes
DNS queries by issuing a new DNS resolution query to each name server that it has
detected until the hostname is resolved.

• DNS Proxy Cache on page 408
• DNS Proxy with Split DNS on page 409
• Dynamic Domain Name System Client on page 411

DNS Proxy Cache

When a DNS query is resolved by a DNS proxy, the result is stored in the device's DNS
cache. This stored cache helps the device to resolve subsequent queries from the same
domain and avoid network latency delay.

NOTE: If the proxy cache is not available, the device sends the query to the
configured DNS server, which results in network latency delays.

DNS proxy maintains a cache entry for each resolved DNS query. Each entry has a
time-to-live (TTL) timer, and the device purges an entry from the cache when its TTL
expires. You can clear the cache by using the clear cache command, or let each entry
expire automatically when its TTL reaches zero.

DNS Proxy with Split DNS

The split DNS proxy feature allows you to configure your proxy server to split the DNS
query based on both the interface and the domain name. You can also configure a set
of name servers and associate them with a given domain name. When you query that
domain name, the device sends the DNS queries only to those name servers that are
configured for that domain name, which keeps DNS queries localized.

You can configure the transport method used to resolve a given domain name—for
example, when the device connects to the corporate network through an IPsec VPN or
any other secure tunnel. When you configure a secure VPN tunnel to transport the domain
names belonging to the corporate network, the DNS resolution queries are not leaked to
the ISP DNS server and are contained within the corporate network.

You can also configure a default domain (*) and a set of name servers under the default
domain to resolve DNS queries for domains that have no name server configured.

Each DNS proxy must be associated with an interface. If an interface has no DNS proxy
configuration, all the DNS queries received on that interface are dropped.

Figure 5 on page 410 shows how the split DNS proxy works in a corporate network.

Figure 5: DNS Proxy with Split DNS

In the corporate network shown in Figure 5 on page 410, a PC client that points to the SRX
Series device as its DNS server makes two queries: one to www.your-isp.com and one to
www.intranet.com. The DNS proxy redirects the www.intranet.com query to the
www.intranet.com DNS server (203.0.113.253), while the www.your-isp.com query is
redirected to the ISP DNS server (209.100.3.130). Although the query for
www.your-isp.com is sent to the ISP DNS server as a regular DNS query using clear text
protocols (TCP/UDP), the query for the www.intranet.com domain goes to the intranet’s
DNS servers over a secure VPN tunnel.

A split DNS proxy has the following advantages:

• Domain lookups are usually more efficient. For example, DNS queries meant for a
corporate domain (such as acme.com) can go to the corporate DNS server exclusively,
while all others go to the ISP DNS server. Splitting DNS lookups reduces the load on
the corporate server and can also prevent corporate domain information from leaking
onto the Internet.

• A DNS proxy allows you to transmit selected DNS queries through a tunnel interface,
which prevents malicious users from learning about the internal configuration of a
network. For example, DNS queries bound for the corporate server can pass through
a tunnel interface to use security features such as authentication and encryption.

Dynamic Domain Name System Client

Dynamic DNS (DDNS) allows clients to dynamically update IP addresses for registered
domain names. This feature is useful when an ISP uses Point-to-Point Protocol (PPP),
Dynamic Host Configuration Protocol (DHCP), or external authentication (XAuth) to
dynamically change the IP address for a customer premises equipment (CPE) router
(such as a security device) that protects a Web server. Internet clients can reach the Web
server by using a domain name even if the IP address of the security device has previously
changed dynamically.

A DDNS server maintains a list of the dynamically changed addresses and their associated
domain names. The device updates these DDNS servers with this information periodically
or in response to IP address changes. The Junos OS DDNS client supports popular DDNS
servers such as dyndns.org and ddo.jp.

Figure 6 on page 412 illustrates how the DDNS client works.

Figure 6: Dynamic DNS

The IP address of the internal Web server is translated by Network Address Translation
(NAT) to the IP address of the untrust zone interface on the device. The hostname
abc-host.com is registered with the DDNS server and is associated with the IP address
of the device’s untrust zone interface, which is monitored by the DDNS client on the
device. When the IP address of abc-host.com is changed, the DDNS server is informed
of the new address.

If a client in the network shown in Figure 6 on page 412 needs to access abc-host.com,
the client queries the DNS servers on the Internet. When the query reaches the DDNS
server, it resolves the request and provides the client with the latest IP address of
abc-host.com.

Related Documentation
• Configuring the Device as a DNS Proxy on page 413

Configuring the Device as a DNS Proxy

Supported Platforms SRX Series, vSRX

The Junos operating system (Junos OS) incorporates domain name system (DNS)
support, which allows you to use domain names as well as IP addresses for identifying
locations. A DNS server keeps a table of the IP addresses associated with domain names.
Using DNS enables an SRX300, SRX320, SRX340, SRX345, SRX550M, or SRX1500
device to reference locations by domain name (such as www.example.net) in addition
to using the routable IP address.

DNS features include:

• DNS proxy cache—The device proxies hostname resolution requests on behalf of the
clients behind the SRX Series device. DNS proxy improves domain lookup performance
by using caching.

• Split DNS—The device redirects DNS queries over a secure connection to a specified
DNS server in the private network. Split DNS prevents malicious users from learning
the network configuration, and thus also prevents domain information leaks. Once
configured, split DNS operates transparently.

• Dynamic DNS (DDNS) client—Servers protected by the device remain accessible
despite dynamic IP address changes. For example, a protected Web server continues
to be accessible with the same hostname, even after the dynamic IP address is changed
because of address reassignment by the Dynamic Host Configuration Protocol (DHCP)
or Point-to-Point Protocol (PPP) by Internet service provider (ISP).

To configure the device as a DNS proxy, you enable DNS on a logical interface and
configure DNS proxy servers. Configuring a static cache enables branch office and
corporate devices to use hostnames to communicate. Configuring dynamic DNS (DDNS)
clients allows IP address changes.

Perform the following procedure to configure the device as a DNS proxy server by enabling
DNS proxy on a logical interface—for example, ge-2/0/0.0—and configuring a set of
name servers that are to be used for resolving the specified domain names. You can
specify a default domain name by using an asterisk (*) and then configure a set of name
servers for resolution. Use this approach when you need global name servers to resolve
domain name entries that do not have a specific name server configured.

1. DNS proxy with split dns configuration

• Enable DNS proxy on a logical interface.

[edit system services]
user@host# set dns dns-proxy interface ge-2/0/0.0

• Configure a view for split DNS by specifying the internal client subnet whose DNS
queries this view handles.

[edit system services]
user@host# set dns dns-proxy view internal match-clients 1.1.1.0/24

• Specify the internal domain names and the name servers (forwarders) to which queries
for those domains are sent.

[edit system services]
user@host# set dns dns-proxy view internal domain aa.internal.com forwarders 1.1.1.1
user@host# set dns dns-proxy view internal domain bb.internal.com forwarders 2.2.2.2

• Configure a view for split DNS by specifying the external client subnet whose DNS
queries this view handles.

[edit system services]
user@host# set dns dns-proxy view external match-clients 11.1.1.0/24

• Specify the external domain names and the name servers (forwarders) to which queries
for those domains are sent.

[edit system services]
user@host# set dns dns-proxy view external domain aa.external.com forwarders 3.3.3.3
user@host# set dns dns-proxy view external domain bb.external.com forwarders 4.4.4.4

• If you are done configuring the device, commit the configuration.

[edit]
user@host# commit

To verify if the configuration is working properly, execute the show command.

user@host> show system services dns dns-proxy

2. DNS proxy cache configuration

• Configure the DNS proxy static cache entries to specify each host's IPv4 address.

[edit system services]
user@host# set dns dns-proxy cache aa.example.net inet 10.10.10.10
user@host# set dns dns-proxy cache bb.example.net inet 20.20.20.20

• If you are done configuring the device, commit the configuration.

[edit]
user@host# commit

To verify if the configuration is working properly, execute the show command.

user@host> show system services dns dns-proxy

3. Dynamic DNS proxy configuration

• Enable the dynamic DNS client.

[edit system services]
user@host# set dynamic-dns client abc.com agent juniper interface ge-2/0/0.0 username test password test123

• If you are done configuring the device, commit the configuration.

[edit]
user@host# commit

To verify that the configuration is working properly, execute the show command.

user@host> show system services dynamic-dns
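
A model of the decision path that the procedure above configures, as an added example (Python, not Junos code): a query on an interface without dns-proxy is dropped, static cache entries answer before anything is forwarded, the client subnet selects the view, and the most specific domain in that view picks the forwarders, with a "*" default domain as fallback. The interface, views, subnets, domains, forwarders and cache entries are the values from the steps above; the "*" forwarder 192.0.2.53, the "refuse" outcome and the exact matching rules are assumptions.

```python
"""Split DNS proxy decision model (added example, not Junos code).

The configuration below mirrors the CLI steps above; the "*" default domain and
its forwarder 192.0.2.53 are added as an assumption.
"""
import ipaddress

DNS_PROXY_INTERFACES = {"ge-2/0/0.0"}
VIEWS = {
    "internal": {
        "match-clients": "1.1.1.0/24",
        "domains": {"aa.internal.com": ["1.1.1.1"], "bb.internal.com": ["2.2.2.2"]},
    },
    "external": {
        "match-clients": "11.1.1.0/24",
        "domains": {"aa.external.com": ["3.3.3.3"], "bb.external.com": ["4.4.4.4"],
                    "*": ["192.0.2.53"]},
    },
}
STATIC_CACHE = {"aa.example.net": "10.10.10.10", "bb.example.net": "20.20.20.20"}


def normalize(name: str) -> str:
    """DNS names are case-insensitive; drop any trailing dot."""
    return name.lower().rstrip(".")


def select_view(client_ip: str):
    """Return the first view whose match-clients prefix contains the client, or None."""
    addr = ipaddress.ip_address(client_ip)
    for view_name, view in VIEWS.items():
        if addr in ipaddress.ip_network(view["match-clients"]):
            return view_name
    return None


def forwarders_for(view_name: str, qname: str):
    """Most specific configured domain wins; "*" catches the rest (assumed rule)."""
    domains = VIEWS[view_name]["domains"]
    qname = normalize(qname)
    best = None
    for domain in domains:
        if domain == "*":
            continue
        d = normalize(domain)
        if (qname == d or qname.endswith("." + d)) and (best is None or len(d) > len(best)):
            best = d
    if best is not None:
        return domains[best]
    return domains.get("*")


def resolve_decision(interface: str, client_ip: str, qname: str):
    """Decide what the proxy does with one query:
    ('drop', None)        ingress interface has no dns-proxy configuration
    ('cache', address)    answered from the static cache; nothing leaves the device
    ('forward', servers)  sent only to the name servers configured for that domain
    ('refuse', None)      no domain or default matched in the client's view (assumed)
    """
    if interface not in DNS_PROXY_INTERFACES:
        return ("drop", None)
    name = normalize(qname)
    if name in STATIC_CACHE:
        return ("cache", STATIC_CACHE[name])
    view = select_view(client_ip)
    if view is None:
        return ("refuse", None)
    servers = forwarders_for(view, name)
    if servers is None:
        return ("refuse", None)
    return ("forward", servers)
```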

Related Documentation
• Configuring the Device as a DNS Proxy on page 413

PART 4

Configuring DHCP Access Service for IP Address Management

• Understanding DHCP Services on page 419
• Configuring a DHCP Local Server on page 447
• Configuring a DHCP Client on page 461
• Configuring a DHCP Relay Agent on page 471
• Configuring a DHCPv6 Local Server on page 479
• Configuring a DHCPv6 Client on page 491
• Configuring DHCP in Cluster Mode on page 501

CHAPTER 10

Understanding DHCP Services

• DHCP Overview on page 419
• DHCP Server, Client, and Relay Agent Overview on page 423
• DHCP Settings and Restrictions Overview on page 424
• Understanding Cascaded DHCPv6 Prefix Delegating on page 425
• Example - Configuring DHCPv6 Prefix Delegation (PD) over Point-to-Point Protocol
over Ethernet (PPPoE) on page 426

DHCP Overview

Supported Platforms SRX Series, vSRX

A device running the Dynamic Host Configuration Protocol (DHCP) can serve as a DHCP
local server, a DHCP client, or a DHCP relay agent.

DHCP Local Server

You can enable an SRX Series device to function as a DHCP local server, and then
configure its options on the device. The DHCP local server provides an IP address and
other configuration information in response to a client request.

To configure the DHCP local server on the device, include the dhcp-local-server statement
at the [edit system services] hierarchy level.

NOTE: You cannot configure the DHCP local server and the DHCP relay agent
on the same interface.

DHCP Client, DHCP Local Server, and Address-Assignment Pool Interaction

In a typical branch network configuration, the DHCP client is on the subscriber’s computer,
and the DHCP local server is configured on the device. The following steps provide a
high-level description of the interaction among the DHCP client, DHCP local server, and
address-assignment pools.

1. The DHCP client sends a discover packet to one or more DHCP local servers in the
network to obtain configuration parameters and an IP address for the subscriber.

2. Each DHCP local server that receives the discover packet then searches its
address-assignment pool for the client address and configuration options. Each local
server creates an entry in its internal client table to keep track of the client state, then
sends a DHCP offer packet to the client.

3. On receipt of the offer packet, the DHCP client selects the DHCP local server from
which to obtain configuration information and sends a request packet indicating the
DHCP local server selected to grant the address and configuration information.

4. The selected DHCP local server sends an acknowledgement packet to the client that
contains the client address lease and configuration parameters. The server and client
install the host route and ARP entry, and then monitor the lease state.

DHCP Local Server and Address-Assignment Pools

In a DHCP local server operation, the client address and configuration information reside
in centralized address-assignment pools that are managed independently of the DHCP
local server and can be shared by different client applications.

Configuring a DHCP environment that includes a DHCP local server requires two
independent configuration operations, which you can complete in any order. In one
operation, you configure the DHCP local server on the device and specify how the DHCP
local server determines which address-assignment pool to use. In the other operation,
you configure the address-assignment pools used by the DHCP local server. The
address-assignment pools contain the IP addresses, named address ranges, and
configuration information for DHCP clients.

NOTE: The DHCP local server and the address-assignment pools used by
the server must be configured in the same routing instance.

DHCP Client
DHCP configuration consists of configuring DHCP clients and a DHCP local server. A
client configuration determines how clients send a message requesting an IP address,
while a server configuration enables the server to send an IP address back to the client.

For the device to operate as a DHCP client, you configure a logical interface on the device
to obtain an IP address from the DHCP local server in the network. You set the vendor
class ID, lease time, DHCP server address, retransmission attempts, and retry interval.

DHCP Relay Agent

You can configure DHCP relay options on the device and enable the device to function
as a DHCP relay agent. A DHCP relay agent forwards DHCP request and reply packets
between a DHCP client and a DHCP local server.

To configure the DHCP relay agent on the router, include the dhcp-relay statement at
the [edit forwarding-options] hierarchy level.

You can also include the dhcp-relay statement at the following hierarchy level:

[edit routing-instances routing-instance-name forwarding-options]

DHCP Client, DHCP Relay Agent, and DHCP Local Servers

In a typical branch network configuration, the DHCP client is on the subscriber’s computer,
and the DHCP relay agent is configured on the device between the DHCP client and one
or more DHCP local servers.

The following steps describe, at a high level, how the DHCP client, DHCP relay agent,
and DHCP local server interact in a configuration that includes two DHCP local servers.

1. The DHCP client sends a discover packet to find a DHCP local server in the network
from which to obtain configuration parameters for the subscriber, including an IP
address.

2. The DHCP relay agent receives the discover packet and forwards copies to each of
the two DHCP local servers. The DHCP relay agent then creates an entry in its internal
client table to keep track of the client’s state.

3. In response to receiving the discover packet, each DHCP local server sends an offer
packet to the client. The DHCP relay agent receives the offer packets and forwards
them to the DHCP client.

4. On receipt of the offer packets, the DHCP client selects the DHCP local server from
which to obtain configuration information. Typically, the client selects the server that
offers the longest lease time on the IP address.

5. The DHCP client sends a request packet that specifies the DHCP local server from
which to obtain configuration information.

6. The DHCP local server requested by the client sends an acknowledgement (ACK)
packet that contains the client’s configuration parameters.

7. The DHCP relay agent receives the ACK packet and forwards it to the client.

8. The DHCP client receives the ACK packet and stores the configuration information.

9. If configured to do so, the DHCP relay agent installs a host route and Address
Resolution Protocol (ARP) entry for this client.

10. After establishing the initial lease on the IP address, the DHCP client and the DHCP
local server use unicast transmission to negotiate lease renewal or release.

Considerations
The following considerations apply when you enable a DHCP local server, DHCP relay
agent, or DHCP client in a routing instance:

• The DHCP local server, DHCP relay agent, and DHCP client can be configured in one
routing instance, but the functionality is mutually exclusive on one interface. If the
DHCP client is enabled on one interface, the DHCP local server or the DHCP relay agent
cannot be enabled on that interface.

• The DHCP client, DHCP relay agent and DHCP local server services act independently
in their respective routing instance. The following features can function simultaneously
on a device:

• DHCP client and DHCP local server

• DHCP client and DHCP relay agent

• Multiple routing instances. Each instance can have a DHCP local server, DHCP relay
agent, or DHCP client, or each routing instance can have a DHCP client and DHCP
local server or a DHCP client and DHCP relay agent.

• In Junos Release 12.1X46, autoinstallation is not compatible with jDHCPd:

version 12.1X46-D40.2;
system {
    /* not compatible with jDHCPd */ <<<<<<
    autoinstallation {
        usb {
            disable;
        }
    }
}

NOTE: Before you enable DHCP services in a routing instance, you must
remove all the configuration related to DHCP services that does not include
routing instance support. If you do not do this, the old default routing instance
configuration will override the new routing instance configuration.

NOTE: On all SRX Series devices, logical systems and routing instances are
not supported for a DHCP client in chassis cluster mode.

Related Documentation
• Understanding DHCP Server Operation on page 447
• Understanding DHCP Client Operation on page 461
• Understanding DHCP Relay Agent Operation on page 471

DHCP Server, Client, and Relay Agent Overview

Supported Platforms SRX Series, vSRX

A Dynamic Host Configuration Protocol (DHCP) server can automatically allocate IP
addresses and also deliver configuration settings to client hosts on a subnet. DHCP lets
network administrators centrally manage a pool of IP addresses among hosts and
automate the assignment of IP addresses in a network. An IP address can be leased to
a host for a limited period of time, allowing the DHCP server to share a limited number
of IP addresses among a group of hosts that do not need permanent IP addresses.

The Juniper Networks device acts as the DHCP server, providing IP addresses and settings
to hosts, such as PCs, that are connected to device interfaces. The DHCP server is
compatible with the DHCP servers of other vendors on the network.

The device can also operate as a DHCP client and DHCP relay agent.

DHCP is based on BOOTP, a bootstrap protocol that allows a client to discover its own
IP address, the IP address of a server host, and the name of a bootstrap file. DHCP servers
can handle requests from BOOTP clients, but provide additional capabilities beyond
BOOTP, such as the automatic allocation of reusable IP addresses and additional
configuration options.

NOTE: Although a Juniper Networks device can act as a DHCP server, a DHCP
client, or DHCP relay agent at the same time, you cannot configure more than
one DHCP role on a single interface.

DHCP provides two primary functions:

• Allocate temporary or permanent IP addresses to clients.

• Store, manage, and provide client configuration parameters.

NOTE: On all SRX Series devices, DHCPv4 is supported only in Layer 3 mode;
the DHCP server and DHCP client are not supported in Layer 2 transparent
mode.

Related Documentation
• DHCP Server Configuration Overview on page 448
• Understanding DHCP Server Operation on page 447
• Understanding DHCP Client Operation on page 461
• Understanding DHCP Relay Agent Operation on page 471
• DHCP Settings and Restrictions Overview on page 424

DHCP Settings and Restrictions Overview

Supported Platforms SRX Series, vSRX

This section contains the following topics:

• Propagation of TCP/IP Settings for DHCP on page 424
• DHCP Conflict Detection and Resolution on page 424
• DHCP Interface Restrictions on page 424

Propagation of TCP/IP Settings for DHCP


The Juniper Networks device can operate simultaneously as a client of the DHCP server
in the untrust zone and a DHCP server to the clients in the trust zone. The device takes
the TCP/IP settings that it receives as a DHCP client and forwards them as a DHCP server
to the clients in the trust zone. The device interface in the untrust zone operates as the
DHCP client, receiving IP addresses dynamically from an Internet service provider (ISP)
on the external network.

During the DHCP protocol exchange, the device receives TCP/IP settings from the external
network on its DHCP client interface. Settings include the address of the ISP's DHCP
name server and other server addresses. These settings are propagated to the DHCP
server pools configured on the device to fulfill host requests for IP addresses on the
device's internal network.

DHCP Conflict Detection and Resolution


A client that receives an IP address from the device operating as a DHCP server performs
a series of Address Resolution Protocol (ARP) tests to verify that the address is available
and no conflicts exist. If the client detects an address conflict, it informs the DHCP server
about the conflict and can request another IP address from the DHCP server.

The device maintains a log of all client-detected conflicts and removes addresses with
conflicts from the DHCP address pool. To display the conflicts list, you use the show
system services dhcp conflict command. The addresses in the conflicts list remain excluded
until you use the clear system services dhcp conflict command to manually clear the list.

DHCP Interface Restrictions


The device supports DHCP client requests received on any Ethernet interface. DHCP
requests received from a relay agent are supported on all interface types.

DHCP is not supported on interfaces that are part of a virtual private network (VPN).

Related Documentation
• DHCP Server, Client, and Relay Agent Overview on page 423
• Understanding DHCP Server Operation on page 447
• Understanding DHCP Client Operation on page 461
• Understanding DHCP Relay Agent Operation on page 471

Understanding Cascaded DHCPv6 Prefix Delegating

Supported Platforms SRX Series

You can use DHCPv6 client prefix delegation to automate the delegation of IPv6 prefixes
to the customer premises equipment (CPE). With prefix delegation, a delegating device
delegates IPv6 prefixes to a requesting device. The requesting device then uses the
prefixes to assign global IPv6 addresses to the devices on the subscriber LAN. The
requesting device can also assign subnet addresses to subnets on the LAN.

With cascaded prefix delegation, the IPv6 address block is delegated to a DHCPv6 client
that is running on the WAN interface of a customer edge (CE) device. The identity association
(IA) for the client is used as the identity association for prefix delegation (IA_PD). The
CE device also requests, through DHCPv6, an IPv6 address with the IA type of nontemporary
addresses (IA_NA). Both IA_PD and IA_NA are requested in the same DHCPv6 exchange.

Figure 7: IPv6 Prefix Delegation

[Figure: ISP edge router (PE) connected over a point-to-point link to the customer router (CPE), which serves two customer networks.]

The topology in Figure 7 on page 425 shows an SRX Series device acting as the CPE. The
WAN interface links to the provider edge (PE) device and the LAN interfaces link to the
customer networks. The service provider delegates a prefix (delegated-prefix) and an
IPv6 address (cpe-wan-ipv6-address) to a DHCPv6 client. When a requesting device
receives that IPv6 address through the DHCPv6 client, the device must install the IPv6
address on its WAN interface. The DHCPv6 client then divides the delegated prefix into
sub-prefixes and subsequently assigns them to the connected LAN interfaces of the CPE
device, making some subset of the remaining space available for sub-prefix delegation.

A CPE assigns sub-prefixes to its LAN interfaces and broadcasts the sub-prefixes through
device advertisement. In this scenario, the CPE acts as a sub-PE and delegates
sub-prefixes and assigns them to sub-CPEs.

NOTE: The requirements of sub-prefix delegation are the same as for the
prefix delegation defined in RFC 3769.

Figure 8: Sub-prefix Delegation

[Figure: ISP edge router (PE) connected over a point-to-point link to the customer router (CPE), which delegates sub-prefixes to two sub-CPEs, each serving a customer network.]

There can be multiple levels of sub-prefix delegation, as shown in Figure 8 on page 426. The
top-level CPE receives a delegated prefix from the PE and delegates sub-prefixes to the
second-level sub-CPEs, which delegate to the third-level sub-CPEs, and so on down to the
end level. The end-level sub-CPEs assign IPv6 addresses to end hosts through SLAAC,
stateless DHCPv6, or stateful DHCPv6. This is called cascaded prefix delegation.
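The carving described above, worked through in Python as an added example (not Juniper's code): a CPE holding the page's delegated prefix 2001:1:1::/48 numbers its own LAN links with /64s, delegates aligned sub-prefixes to sub-CPEs, which repeat the process one level down, and an end-level /64 is turned into a host address by SLAAC. The sub-prefix sizes, interface names, first-fit allocation order and the host MAC address are assumptions chosen for illustration.

```python
"""Cascaded DHCPv6 prefix delegation modelled in Python (added example)."""
import ipaddress
from typing import Dict, List

# SLAAC (RFC 4862) and stateless DHCPv6 need exactly a /64 on each link.
LINK_PREFIX_LEN = 64


class Cpe:
    """A requesting router holding one delegated prefix (its IA_PD)."""

    def __init__(self, name: str, delegated: str, lan_interfaces: List[str]):
        self.name = name
        self.delegated = ipaddress.IPv6Network(delegated)
        if self.delegated.prefixlen > LINK_PREFIX_LEN:
            raise ValueError(f"{delegated} is too small to number even one link")
        self.assigned: List[ipaddress.IPv6Network] = []   # LAN /64s and sub-delegations
        self.lan: Dict[str, ipaddress.IPv6Network] = {}
        self.children: Dict[str, "Cpe"] = {}
        # Number the CPE's own LAN interfaces before delegating anything onward.
        for ifname in lan_interfaces:
            self.lan[ifname] = self._carve(LINK_PREFIX_LEN)

    def _carve(self, prefix_len: int) -> ipaddress.IPv6Network:
        """First fit (an assumption): lowest aligned sub-prefix overlapping nothing assigned."""
        if not self.delegated.prefixlen <= prefix_len <= LINK_PREFIX_LEN:
            raise ValueError(f"/{prefix_len} cannot be carved from {self.delegated}")
        for cand in self.delegated.subnets(new_prefix=prefix_len):
            if not any(cand.overlaps(used) for used in self.assigned):
                self.assigned.append(cand)
                return cand
        raise RuntimeError(f"{self.name}: {self.delegated} is exhausted")

    def delegate(self, child: str, prefix_len: int, lan_interfaces: List[str]) -> "Cpe":
        """Act as a sub-PE: hand an aligned sub-prefix to a sub-CPE one level down."""
        sub = Cpe(child, str(self._carve(prefix_len)), lan_interfaces)
        self.children[child] = sub
        return sub

    def links(self) -> Dict[str, ipaddress.IPv6Network]:
        """Every 'device:interface' -> /64 across this CPE and all sub-CPEs below it."""
        out = {f"{self.name}:{ifn}": net for ifn, net in self.lan.items()}
        for sub in self.children.values():
            out.update(sub.links())
        return out


def all_disjoint(cpe: Cpe) -> bool:
    """True when no two links anywhere in the cascade share address space."""
    nets = list(cpe.links().values())
    return all(not a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def slaac_address(link_prefix: str, mac: str) -> str:
    """Modified EUI-64 (RFC 4291 App. A): the address a host forms on this /64."""
    net = ipaddress.IPv6Network(link_prefix)
    if net.prefixlen != LINK_PREFIX_LEN:
        raise ValueError("SLAAC requires a /64 on the link")
    octets = bytes(int(b, 16) for b in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])   # insert ff:fe in the middle
    eui[0] ^= 0x02                                           # flip the universal/local bit
    iid = int.from_bytes(eui, "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def build_example() -> Cpe:
    """The page's scenario: the PE delegates 2001:1:1::/48 to the top-level CPE."""
    cpe = Cpe("cpe", "2001:1:1::/48", ["ge-0/0/2"])              # LAN gets 2001:1:1::/64
    branch = cpe.delegate("sub-cpe-1", 56, ["ge-0/0/1"])         # second level: a /56
    branch.delegate("sub-cpe-1a", 60, ["ge-0/0/3", "ge-0/0/4"])  # third level: a /60
    cpe.delegate("sub-cpe-2", 56, ["ge-0/0/1"])
    return cpe


if __name__ == "__main__":
    top = build_example()
    for link, net in sorted(top.links().items()):
        print(f"{link:22} {net}")
    # Constructed MAC whose EUI-64 reproduces the ia-na host address in Figure 9.
    print("SLAAC host address:", slaac_address("2001:1:1:1::/64", "00:26:88:38:b5:00"))
```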

Related Documentation

Example - Configuring DHCPv6 Prefix Delegation (PD) over Point-to-Point Protocol over Ethernet (PPPoE)

Supported Platforms SRX300, SRX320, SRX340, SRX345, SRX550M

This example shows how to configure DHCPv6 PD over PPPoE on SRX Series devices.

• Requirements on page 426
• Overview on page 426
• Configuration on page 427
• Verification on page 441

Requirements
No special configuration beyond the device initialization is required before configuring
this feature.

Overview
The example uses SRX550M devices to configure DHCPv6 PD over PPPoE. Before you begin,
configure the DHCPv6 server to permit DHCPv6 in host-inbound traffic so that it can receive
DHCPv6 packets. Provide a host name to establish the PPPoE session. To enable IPv6, a
chassis reboot is required.

Configuring DHCPv6 PD over PPPoE involves the following configurations:

• Configuring DHCPv6 Server

• DHCPv6 Client (PD)

• DHCPv6 Client (Auto)


Topology

The following illustration shows the DHCPv6 PD over PPPoE topology configured in this
example using SRX Series devices.

Figure 9 on page 427 shows the topology used in this example.

Figure 9: Configuring SRX Series Devices for DHCPv6 PD over PPPoE

[Figure: three SRX550M devices in a row. The DHCPv6 server terminates PPPoE on pp0 (over ge-0/0/1) with address 3000::1/64. The DHCPv6 client (PD) terminates PPPoE on pp0 (over ge-0/0/1) with a link-local address and holds 2001:1:1:1::1/64 (ia-pd) on ge-0/0/2, which serves the 2001:1:1:1::/64 LAN. The DHCPv6 client (autoconfig) holds 2001:1:1:226:88ff:fe38:b500/64 (ia-na) on ge-0/0/0.]

Configuration

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

Quick configuration for DHCPv6 Server:

• DHCPv6 server configuration

set interfaces ge-0/0/2 unit 0 family inet6
set system services dhcp-local-server dhcpv6 overrides interface-client-limit 100
set system services dhcp-local-server dhcpv6 group my-group overrides interface-client-limit 200
set system services dhcp-local-server dhcpv6 group my-group overrides delegated-pool v6-pd-pool
set system services dhcp-local-server dhcpv6 group my-group interface pp0.0

• PPPoE configuration

set system host-name SRX550M
set interfaces ge-0/0/1 unit 0 encapsulation ppp-over-ether
set interfaces pp0 unit 0 ppp-options chap access-profile prof-ge001
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/1.0
set interfaces pp0 unit 0 pppoe-options server
set interfaces pp0 unit 0 family inet6 address 3000::1/64

• Router advertisement configuration

set protocols router-advertisement interface pp0.0 max-advertisement-interval 20
set protocols router-advertisement interface pp0.0 min-advertisement-interval 10
set protocols router-advertisement interface pp0.0 managed-configuration
set protocols router-advertisement interface pp0.0 other-stateful-configuration
set protocols router-advertisement interface pp0.0 prefix 3000::1/64

• Enable IPv6

set security forwarding-options family inet6 mode flow-based

• PPPoE profile configuration

set access profile prof-ge001 client test_user chap-secret test

• PD address pool configuration

set access address-assignment pool v6-pd-pool family inet6 prefix 2001:1:1::/48
set access address-assignment pool v6-pd-pool family inet6 range vp-pd prefix-length 48
set access address-assignment pool v6-pd-pool family inet6 dhcp-attributes dns-server 3000::1

• Security zone configuration

set security zones security-zone trust interface pp0.0 host-inbound-traffic system-services dhcpv6

Quick configuration for DHCPv6 Client (PD):

• DHCPv6 server configuration for autoconfig device

set interfaces ge-0/0/2 unit 0 family inet6
set system services dhcp-local-server dhcpv6 overrides interface-client-limit 10
set system services dhcp-local-server dhcpv6 overrides process-inform pool p1
set system services dhcp-local-server dhcpv6 group ipv6 interface ge-0/0/2.0

• PPPoE configuration

set system host-name SRX550M
set interfaces ge-0/0/1 unit 0 encapsulation ppp-over-ether
set interfaces pp0 unit 0 ppp-options chap default-chap-secret test
set interfaces pp0 unit 0 ppp-options chap local-name test_user
set interfaces pp0 unit 0 ppp-options chap passive
set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/1.0
set interfaces pp0 unit 0 pppoe-options client

• DHCPv6 client configuration

set interfaces pp0 unit 0 family inet6 dhcpv6-client client-type statefull
set interfaces pp0 unit 0 family inet6 dhcpv6-client client-ia-type ia-pd
set interfaces pp0 unit 0 family inet6 dhcpv6-client update-router-advertisement interface ge-0/0/2.0 other-stateful-configuration
set interfaces pp0 unit 0 family inet6 dhcpv6-client update-router-advertisement interface ge-0/0/2.0 max-advertisement-interval 10
set interfaces pp0 unit 0 family inet6 dhcpv6-client update-router-advertisement interface ge-0/0/2.0 min-advertisement-interval 5
set interfaces pp0 unit 0 family inet6 dhcpv6-client client-identifier duid-type duid-ll
set interfaces pp0 unit 0 family inet6 dhcpv6-client req-option dns-server
set interfaces pp0 unit 0 family inet6 dhcpv6-client update-server
set protocols router-advertisement interface pp0.0

• Enable IPv6

set security forwarding-options family inet6 mode flow-based

• DHCPv6 server propagate configuration

set access address-assignment pool p1 family inet6 prefix 2001::/16
set access address-assignment pool p1 family inet6 dhcp-attributes propagate-settings pp0.0

• Security zone configuration

set security zones security-zone untrust interface pp0.0 host-inbound-traffic system-services dhcpv6
set security zones security-zone trust interface ge-0/0/2.0 host-inbound-traffic system-services dhcpv6

Quick configuration for DHCPv6 Client (Auto):

• DHCPv6 client configuration

set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-type autoconfig
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-na
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-identifier duid-type duid-ll
set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client req-option dns-server

• Router advertisement configuration

set protocols router-advertisement interface fe-0/0/0.0

• Enable IPv6

set security forwarding-options family inet6 mode flow-based

• Security zone configuration

set security zones security-zone trust interface fe-0/0/0.0 host-inbound-traffic system-services dhcpv6

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.

1. To configure DHCPv6 server on SRX550M device:

a. Set the interface.

[edit]
user@host# set interfaces ge-0/0/2 unit 0 family inet6

b. Configure a DHCP local server.

[edit]
user@host# set system services dhcp-local-server dhcpv6

c. Set a default limit for all DHCPv6 groups.

[edit system services dhcp-local-server dhcpv6]
user@host# set overrides interface-client-limit 100

d. Set a custom client limit for the group.

[edit system services dhcp-local-server dhcpv6]
user@host# set group my-group overrides interface-client-limit 200

e. Specify the delegated pool name.

[edit system services dhcp-local-server dhcpv6]
user@host# set group my-group overrides delegated-pool v6-pd-pool

f. Create a group called my-group that contains the pp0 interface.

[edit system services dhcp-local-server dhcpv6]
user@host# set group my-group interface pp0.0

2. Configuring PPPoE:

a. Set interface to encapsulate PPPoE.

[edit]
user@host# set interfaces ge-0/0/1 unit 0 encapsulation ppp-over-ether

b. Set the CHAP access profile.

[edit]
user@host# set interfaces pp0 unit 0 ppp-options chap access-profile prof-ge001

c. Set the underlying interface name.

[edit]
user@host# set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/1.0

d. Configure pp0 as the PPPoE server.

[edit]
user@host# set interfaces pp0 unit 0 pppoe-options server

e. Set the family name and address.

[edit]
user@host# set interfaces pp0 unit 0 family inet6 address 3000::1/64


3. Configuring Router advertisement:

a. Set the maximum advertisement interval.

[edit]
user@host# set protocols router-advertisement interface pp0.0 max-advertisement-interval 20

b. Set the minimum advertisement interval.

[edit]
user@host# set protocols router-advertisement interface pp0.0 min-advertisement-interval 10

c. Set the managed-configuration flag.

[edit]
user@host# set protocols router-advertisement interface pp0.0 managed-configuration

d. Set the other-stateful-configuration flag.

[edit]
user@host# set protocols router-advertisement interface pp0.0 other-stateful-configuration

e. Set the prefix value.

[edit]
user@host# set protocols router-advertisement interface pp0.0 prefix 3000::1/64

4. Enable IPv6:

a. Set the family name and mode to enable IPv6.

[edit]
user@host# set security forwarding-options family inet6 mode flow-based

5. Configuring PPPoE profile:

a. Set access profile name, client name and chap secret.

[edit]
user@host# set access profile prof-ge001 client test_user chap-secret test

6. Configuring PD address pool:

a. Set address-assignment pool name, family name and prefix.

[edit]
user@host# set access address-assignment pool v6-pd-pool family inet6 prefix
2001:1:1::/48

b. Set range and prefix length.

[edit]
user@host# set access address-assignment pool v6-pd-pool family inet6 range
vp-pd prefix-length 48

c. Set dhcp attributes with dns server value.

[edit]
user@host# set access address-assignment pool v6-pd-pool family inet6 dhcp-attributes dns-server 3000::1

7. Configuring Security zone:

a. Set the zone name, interface and host-inbound-traffic system-services.

[edit]
user@host# set security zones security-zone trust interface pp0.0
host-inbound-traffic system-services dhcpv6

Step-by-Step Procedure

1. To configure DHCPv6 client (PD) on SRX550M device:

a. Set the interface.

[edit]
user@host# set interfaces ge-0/0/2 unit 0 family inet6

b. Set DHCPv6 local server to override the interface client limit.

[edit]
user@host# set system services dhcp-local-server dhcpv6 overrides
interface-client-limit 10

c. Set the process-inform pool name.

[edit]
user@host# set system services dhcp-local-server dhcpv6 overrides
process-inform pool p1

d. Set group name and interface.

[edit]
user@host# set system services dhcp-local-server dhcpv6 group ipv6 interface
ge-0/0/2.0

2. Configuring PPPoE:

a. Set the interface to encapsulate PPP over Ethernet.

[edit]
user@host# set interfaces ge-0/0/1 unit 0 encapsulation ppp-over-ether

b. Set the default CHAP secret.

[edit]
user@host# set interfaces pp0 unit 0 ppp-options chap default-chap-secret test

c. Set the CHAP local name.

[edit]
user@host# set interfaces pp0 unit 0 ppp-options chap local-name test_user

d. Set CHAP to passive.

[edit]
user@host# set interfaces pp0 unit 0 ppp-options chap passive

e. Set the underlying interface.

[edit]
user@host# set interfaces pp0 unit 0 pppoe-options underlying-interface ge-0/0/1.0

f. Configure pp0 as the PPPoE client.

[edit]
user@host# set interfaces pp0 unit 0 pppoe-options client

3. Configuring DHCPv6 client:

a. Set the family name and dhcpv6 client type.

[edit]
user@host# set interfaces pp0 unit 0 family inet6 dhcpv6-client client-type
statefull

b. Set the dhcpv6 client identity association type.

[edit]
user@host# set interfaces pp0 unit 0 family inet6 dhcpv6-client client-ia-type
ia-pd

c. Set update-router-advertisement interface and other stateful-configuration.

[edit]
user@host# set interfaces pp0 unit 0 family inet6 dhcpv6-client
update-router-advertisement interface ge-0/0/2.0 other-stateful-configuration

d. Set maximum advertisement interval value.

[edit]
user@host# set interfaces pp0 unit 0 family inet6 dhcpv6-client
update-router-advertisement interface ge-0/0/2.0 max-advertisement-interval
10

e. Set minimum advertisement interval value.

[edit]
user@host# set interfaces pp0 unit 0 family inet6 dhcpv6-client
update-router-advertisement interface ge-0/0/2.0 min-advertisement-interval
5

f. Set client-identifier duid type.

[edit]
user@host# set interfaces pp0 unit 0 family inet6 dhcpv6-client client-identifier duid-type duid-ll

g. Set requested option for DHCPv6 client.

[edit]
user@host# set interfaces pp0 unit 0 family inet6 dhcpv6-client req-option
dns-server

h. Update the server.

[edit]
user@host# set interfaces pp0 unit 0 family inet6 dhcpv6-client update-server

i. Set the protocols and the interface.

[edit]
user@host# set protocols router-advertisement interface pp0.0


4. Enable IPv6

a. Set the family name and mode to enable IPv6.

[edit]
user@host# set security forwarding-options family inet6 mode flow-based

5. Configuring DHCPv6 server to propagate DNS server information to end device:

a. Set address assignment pool name, family name and prefix.

[edit]
user@host# set access address-assignment pool p1 family inet6 prefix 2001::/16

b. Set the interface name for propagating TCP/IP settings to pool.

[edit]
user@host# set access address-assignment pool p1 family inet6 dhcp-attributes
propagate-settings pp0.0

6. Configuring security zone:

a. Set the zone name, untrust interface and system services.

[edit]
user@host# set security zones security-zone untrust interface pp0.0 host-inbound-traffic system-services dhcpv6

b. Set the trust interface.

[edit]
user@host# set security zones security-zone trust interface ge-0/0/2.0
host-inbound-traffic system-services dhcpv6

Step-by-Step Procedure

1. To configure DHCPv6 client (Auto) on SRX550M device:

a. Set the interface, unit value, family name and DHCPv6 client type.

[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-type autoconfig

b. Set the DHCPv6 client identity association type.

[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-ia-type ia-na

c. Set the client-identifier type.

[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client client-identifier duid-type duid-ll

d. Set the DHCPv6 client requested option.

[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client req-option dns-server

2. Configuring router advertisement:

a. Set the protocol and interface.


[edit]
user@host# set protocols router-advertisement interface fe-0/0/0.0

3. Enable IPv6.

a. Set family name and mode.

[edit]
user@host# set security forwarding-options family inet6 mode flow-based

4. Configuring security zone:

a. Set the zone name, trust interface and system services.

[edit]
user@host# set security zones security-zone trust interface fe-0/0/0.0 host-inbound-traffic system-services dhcpv6

Results

• Result for DHCPv6 Server:

From configuration mode, confirm your configuration by entering the show system services
dhcp-local-server, show interfaces, show protocols, show security forwarding-options,
show access profile prof-ge001, show access address-assignment pool, and show security
zones commands. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

[edit]
user@host# show system services dhcp-local-server
dhcpv6 {
overrides {
interface-client-limit 100;
}
group my-group {
overrides {
interface-client-limit 200;
delegated-pool v6-pd-pool;
}
interface pp0.0;
}
}
...
[edit]
user@host# show interfaces
ge-0/0/1 {
unit 0 {
encapsulation ppp-over-ether;
}
}
pt-1/0/0 {
vdsl-options {
vdsl-profile auto;
}

}
pp0 {
unit 0 {
ppp-options {
chap {
default-chap-secret "$ABC123"; ## SECRET-DATA
}
}
}
}
...
[edit]
user@host# show protocols
router-advertisement {
interface pp0.0 {
max-advertisement-interval 20;
min-advertisement-interval 10;
managed-configuration;
other-stateful-configuration;
prefix 3000::1/64;
}
}
...
[edit]
user@host# show security forwarding-options
family {
inet6 {
mode flow-based;
}
}
...
[edit]
user@host# show access address-assignment
pool v6-pd-pool {
family inet6 {
prefix 2001:1:1::/48;
range vp-pd prefix-length 48;
dhcp-attributes {
dns-server {
3000::1;
}
}
}
}
...
[edit]
user@host# show security zones
security-zone Host {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/0.0;
}
}
security-zone trust {
interfaces {
pp0.0 {
host-inbound-traffic {
system-services {
dhcpv6;
}
}
}
}
}

• Result for DHCPv6 Client (PD):

[edit]
user@host# show system services dhcp-local-server
dhcpv6 {
overrides {
interface-client-limit 10;
process-inform {
pool p1;
}
}
group my-group {
overrides {
interface-client-limit 200;
delegated-pool v6-pd-pool;
}
interface pp0.0;
}
group ipv6 {
interface ge-0/0/2.0;
}
}
...
[edit]
user@host# show interfaces
ge-0/0/1 {
unit 0 {
encapsulation ppp-over-ether;
}
}
pt-1/0/0 {
vdsl-options {
vdsl-profile auto;
}
}
pp0 {
unit 0 {
ppp-options {
chap {
default-chap-secret "$ABC123"; ## SECRET-DATA
local-name test_user;
passive;
}
}
pppoe-options {
underlying-interface ge-0/0/1.0;
client;
}
}
}
...
[edit]
user@host# show interfaces pp0
unit 0 {
ppp-options {
chap {
default-chap-secret "$ABC123"; ## SECRET-DATA
local-name test_user;
passive;
}
}
pppoe-options {
underlying-interface ge-0/0/1.0;
client;
}
family inet6 {
dhcpv6-client {
client-type statefull;
client-ia-type ia-pd;
update-router-advertisement {
interface ge-0/0/2.0 {
other-stateful-configuration;
max-advertisement-interval 10;
min-advertisement-interval 5;
}
}
client-identifier duid-type duid-ll;
req-option dns-server;
}
}
}
...
[edit]
user@host# show security forwarding-options
family {
inet6 {
mode flow-based;
}
}
...
[edit]
user@host# show access address-assignment
pool v6-pd-pool {
family inet6 {
prefix 2001:1:1::/48;
range vp-pd prefix-length 48;
dhcp-attributes {
dns-server {
3000::1;
}
}
}
}
pool p1 {
family inet6 {
prefix 2001::/16;
dhcp-attributes {
propagate-settings pp0.0;
}
}
}
...
[edit]
user@host# show security zones
security-zone Host {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/0.0;
}
}
security-zone trust {
interfaces {
pp0.0 {
host-inbound-traffic {
system-services {
dhcpv6;
}
}
}
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
dhcpv6;
}
}
}
}
}
security-zone untrust {
interfaces {
pp0.0 {
host-inbound-traffic {
system-services {
dhcpv6;
}
}
}
}
}

• Result for DHCPv6 Client (Auto):

[edit]
user@host# show interfaces ge-0/0/0
unit 0 {
family inet6 {
dhcpv6-client {
client-type autoconfig;
client-ia-type ia-na;
req-option dns-server;
}
}
}
...
[edit]
user@host# show protocols
router-advertisement {
interface pp0.0 {
max-advertisement-interval 20;
min-advertisement-interval 10;
managed-configuration;
other-stateful-configuration;
prefix 3000::1/64;
}
interface fe-0/0/0.0;
}
...
[edit]
user@host# show security forwarding-options
family {
inet6 {
mode flow-based;
}
}
...
[edit]
user@host# show security zones
security-zone Host {
host-inbound-traffic {
system-services {
all;
}
}
interfaces {
ge-0/0/0.0;
}
}
security-zone trust {
interfaces {
pp0.0 {
host-inbound-traffic {
system-services {
dhcpv6;
}
}
}
ge-0/0/2.0 {
host-inbound-traffic {
system-services {
dhcpv6;
}
}
}
fe-0/0/0.0 {
host-inbound-traffic {
system-services {
dhcpv6;
}
}
}
}
}
security-zone untrust {
interfaces {
pp0.0 {
host-inbound-traffic {
system-services {
dhcpv6;
}
}
}
}
}

Verification
Confirm that the configuration is working properly.

Verifying DHCPv6 Server Configuration

Purpose Verify that the DHCPv6 Server has been configured.

Action • From operational mode, enter the show dhcpv6 server binding detail command.

The following output shows the options for the show dhcpv6 server binding detail command.

user@host> show dhcpv6 server binding detail
Session Id: 75
Client IPv6 Prefix: 2001:1:1::/48
Client DUID: LL0x1-3c:94:d5:98:90:01
State: BOUND(DHCPV6_LOCAL_SERVER_STATE_BOUND)
Lease Expires: 2016-03-26 10:12:37 JST
Lease Expires in: 86213 seconds
Lease Start: 2016-03-25 10:12:37 JST
Last Packet Received: 2016-03-25 10:12:50 JST
Incoming Client Interface: pp0.0
Server Ip Address: 0.0.0.0
Client Prefix Pool Name: v6-pd-pool
Client Id Length: 10
Client Id: /0x00030001/0x3c94d598/0x9001

• From operational mode, enter the show route table inet6.0 command.

The following output shows the options for the show route table inet6.0 command.

user@host> show route table inet6.0
inet6.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2001:1:1::/48      *[Access/13] 00:03:45   <<<<<< Route for end device will be automatically generated
                    > to fe80::3e94:d50f:fc98:8600 via pp0.0
3000::/64          *[Direct/0] 00:04:04
                    > via pp0.0
3000::1/128        *[Local/0] 19:53:18
                      Local via pp0.0
fe80::b2c6:9a0f:fc7d:6900/128
                   *[Local/0] 19:53:18
                      Local via pp0.0

• From operational mode, enter the show interfaces pp0.0 terse command.

The following output shows the options for the show interfaces pp0.0 terse command.

user@host> show interfaces pp0.0 terse
Interface               Admin Link Proto    Local                 Remote
pp0.0                   up    up   inet6    3000::1/64
                                            fe80::b2c6:9a0f:fc7d:6900/64
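The binding and route outputs above can be checked mechanically. The following is an added example, not part of the guide or of Junos: it parses the two outputs (embedded as constructed samples copied from the verification output above) and confirms that the delegated prefix came from v6-pd-pool, lies inside that pool's 2001:1:1::/48, is in the BOUND state, and has its Access route installed toward the CPE.

```python
"""Audit a DHCPv6 server binding against the delegated pool and the route table (added example)."""
import ipaddress
import re
from typing import Dict, List

# Constructed sample: the 'show dhcpv6 server binding detail' output from the verification above.
BINDING_DETAIL = """\
Session Id: 75
Client IPv6 Prefix: 2001:1:1::/48
Client DUID: LL0x1-3c:94:d5:98:90:01
State:
BOUND(DHCPV6_LOCAL_SERVER_STATE_BOUND)
Lease Expires: 2016-03-26 10:12:37 JST
Lease Expires in: 86213 seconds
Lease Start: 2016-03-25 10:12:37 JST
Last Packet Received: 2016-03-25 10:12:50 JST
Incoming Client Interface: pp0.0
Server Ip Address: 0.0.0.0
Client Prefix Pool Name: v6-pd-pool
Client Id Length: 10
Client Id: /0x00030001/0x3c94d598/0x9001
"""

# Constructed sample: the 'show route table inet6.0' output from the verification above.
ROUTE_TABLE = """\
inet6.0: 4 destinations, 4 routes (4 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

2001:1:1::/48      *[Access/13] 00:03:45
                    > to fe80::3e94:d50f:fc98:8600 via pp0.0
3000::/64          *[Direct/0] 00:04:04
                    > via pp0.0
3000::1/128        *[Local/0] 19:53:18
                      Local via pp0.0
fe80::b2c6:9a0f:fc7d:6900/128 *[Local/0] 19:53:18
                      Local via pp0.0
"""

# Mirrors: set access address-assignment pool v6-pd-pool family inet6 prefix 2001:1:1::/48
POOLS = {"v6-pd-pool": ipaddress.IPv6Network("2001:1:1::/48")}

# Active route line: destination, then *[Protocol/preference]
ROUTE_RE = re.compile(r"^(\S+)\s+\*\[([\w-]+)/\d+\]")


def parse_bindings(text: str) -> List[Dict[str, str]]:
    """One dict per session from 'show dhcpv6 server binding detail' output."""
    bindings: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    pending = None  # key whose value wrapped onto the next line (e.g. 'State:')
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ":" not in line:
            if pending:
                current[pending] = line
                pending = None
            continue
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "Session Id" and current:  # a new session starts
            bindings.append(current)
            current = {}
        current[key] = value
        pending = key if not value else None
    if current:
        bindings.append(current)
    return bindings


def active_routes(text: str) -> Dict[str, str]:
    """Destination prefix -> protocol name for the active routes in 'show route' output."""
    return {m.group(1): m.group(2) for m in map(ROUTE_RE.match, text.splitlines()) if m}


def check_binding(binding: Dict[str, str], pools, routes: Dict[str, str]) -> List[str]:
    """Problems found for one binding; an empty list means the delegation is healthy."""
    problems: List[str] = []
    prefix = ipaddress.IPv6Network(binding["Client IPv6 Prefix"])
    pool = pools.get(binding.get("Client Prefix Pool Name", ""))
    if pool is None:
        problems.append("bound from an unknown pool")
    elif not prefix.subnet_of(pool):
        problems.append(f"{prefix} is outside pool {pool}")
    if not binding.get("State", "").startswith("BOUND"):
        problems.append(f"state is {binding.get('State')!r}")
    if routes.get(str(prefix)) != "Access":  # the route the server installs toward the CPE
        problems.append(f"no Access route for {prefix} (end devices unreachable)")
    if int(binding.get("Lease Expires in", "0 seconds").split()[0]) < 3600:
        problems.append("lease expires within the hour")
    return problems


def audit(binding_text=BINDING_DETAIL, route_text=ROUTE_TABLE, pools=POOLS) -> Dict[str, List[str]]:
    """Session Id -> list of problems for every binding in the output."""
    routes = active_routes(route_text)
    return {b["Session Id"]: check_binding(b, pools, routes) for b in parse_bindings(binding_text)}


if __name__ == "__main__":
    for session, problems in audit().items():
        print(session, "OK" if not problems else "; ".join(problems))
```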

Verifying DHCPv6 Client (PD) Configuration

Purpose Verify that the DHCPv6 Client (PD) has been configured.

Action • From operational mode, enter the show dhcpv6 client binding detail command.

The following output shows the options for the show dhcpv6 client binding detail command.

user@host> show dhcpv6 client binding detail
Client Interface: pp0.0
Hardware Address: 3c:94:d5:98:86:01
State: BOUND(DHCPV6_CLIENT_STATE_BOUND)   <<<<< SRX is bound to prefix via pp0.0
ClientType: STATEFUL
Lease Expires: 2016-03-26 10:12:50 JST
Lease Expires in: 86232 seconds
Lease Start: 2016-03-25 10:12:50 JST
Bind Type: IA_PD
Client DUID: LL0x29-3c:94:d5:98:86:01
Rapid Commit: Off
Server Ip Address: fe80::b2c6:9a0f:fc7d:6900
Update Server Yes
Client IP Prefix: 2001:1:1::/48
DHCP options:
Name: server-identifier, Value: VENDOR0x00000583-0x41453530
Name: dns-recursive-server, Value: 3000::1

• From operational mode, enter the show dhcpv6 server binding detail command.

The following output shows the options for the show dhcpv6 server binding detail command.

[edit]
user@host>show dhcpv6 server binding detail
Session Id: 75
Client IPv6 Prefix: 2001:1:1::/48
Client DUID: LL0x1-3c:94:d5:98:90:01
State: BOUND(DHCPV6_LOCAL_SERVER_STATE_BOUND)
Lease Expires: 2016-03-26 10:12:37 JST
Lease Expires in: 86213 seconds
Lease Start: 2016-03-25 10:12:37 JST
Last Packet Received: 2016-03-25 10:12:50 JST
Incoming Client Interface: pp0.0
Server Ip Address: 0.0.0.0
Client Prefix Pool Name: v6-pd-pool
Client Id Length: 10
Client Id: /0x00030001/0x3c94d598/0x9001

• From operational mode, enter the show route table inet6.0 command.

The following output shows the options for the show route table inet6.0 command.

[edit]
user@host>show route table inet6.0
inet6.0: 7 destinations, 7 routes (7 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

::/0 *[Access-internal/12] 00:03:35
> to fe80::b2c6:9a0f:fc7d:6900 via pp0.0
2001:1:1:1::/64 *[Direct/0] 00:03:48
> via ge-0/0/2.0
2001:1:1:1::1/128 *[Local/0] 00:03:48 <<<<<< IPv6 address allocated by Prefix delegation
Local via ge-0/0/2.0
3000::/64 *[Access-internal/12] 00:03:35
> to fe80::b2c6:9a0f:fc7d:6900 via pp0.0
fe80::/64 *[Direct/0] 00:03:48
> via ge-0/0/2.0
fe80::3e94:d50f:fc98:8600/128
*[Local/0] 19:05:19
Local via pp0.0
fe80::3e94:d5ff:fe98:8602/128
*[Local/0] 00:03:48
Local via ge-0/0/2.0

• From operational mode, enter the show interfaces pp0.0 terse command.

The following output shows the options for the show interfaces pp0.0 terse command.

[edit]
user@host>show interfaces pp0.0 terse
Interface Admin Link Proto Local Remote
pp0.0 up up inet6 fe80::3e94:d50f:fc98:8600/64

• From operational mode, enter the show interfaces ge-0/0/2.0 terse command.

The following output shows the options for the show interfaces ge-0/0/2.0 terse command.

[edit]
user@host>show interfaces ge-0/0/2.0 terse
Interface Admin Link Proto Local Remote
ge-0/0/2.0 up up inet6 2000:1:1:1::1/64
fe80::3e94:d5ff:fe98:8602/64

• From operational mode, enter the show ipv6 router-advertisement command.

The following output shows the options for the show ipv6 router-advertisement command.

[edit]
user@host>show ipv6 router-advertisement
Interface: pp0.0
Advertisements sent: 3, last sent 00:01:56 ago
Solicits received: 0
Advertisements received: 10
Advertisement from fe80::b2c6:9a0f:fc7d:6900, heard 00:00:08 ago
Managed: 1 [0]
Other configuration: 1 [0]
Reachable time: 0 ms
Default lifetime: 60 sec [1800 sec]
Retransmit timer: 0 ms
Current hop limit: 64
Prefix: 3000::/64
Valid lifetime: 2592000 sec
Preferred lifetime: 604800 sec
On link: 1
Autonomous: 1
Interface: ge-0/0/2.0
Advertisements sent: 24, last sent 00:00:03 ago
Solicits received: 0
Advertisements received: 0

Verifying DHCPv6 client (Auto) Configuration

Purpose Verify that the DHCPv6 client (Auto) has been configured.

Action • From operational mode, enter the show dhcpv6 client binding detail command.

The following output shows the options for the show dhcpv6 client binding detail command.

[edit]
user@host>show dhcpv6 client binding detail
Client Interface: fe-0/0/0.0
Hardware Address: 00:26:88:38:b5:00
State: BOUND(DHCPV6_CLIENT_STATE_BOUND)
ClientType: AUTO
Lease Expires: 2016-03-26 10:15:35 JST
Lease Expires in: 86395 seconds
Lease Start: 2016-03-25 10:15:35 JST
Bind Type: IA_NA
Client DUID: LL0x3-00:26:88:38:b5:00
Rapid Commit: Off
Server Ip Address: fe80::3e94:d5ff:fe98:8602
Client IP Address: 2001:1:1:1:226:88ff:fe38:b500/128
Client IP Prefix: 2001:1:1:1::/64

DHCP options:
Name: server-identifier, Value: VENDOR0x00000583-0x414c3131

• From operational mode, enter the show route table inet6.0 command.

The following output shows the options for the show route table inet6.0 command.

[edit]
user@host>show route table inet6.0
inet6.0: 5 destinations, 6 routes (5 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

::/0 *[Access-internal/12] 00:02:36
> to fe80::3e94:d5ff:fe98:8602 via fe-0/0/0.0
2001:1:1:1::/64 *[Access-internal/12] 00:02:36
> to fe80::3e94:d5ff:fe98:8602 via fe-0/0/0.0
2001:1:1:1:226:88ff:fe38:b500/128
*[Direct/0] 00:02:36
> via fe-0/0/0.0
[Local/0] 00:02:36
Local via fe-0/0/0.0
fe80::/64 *[Direct/0] 1w3d 15:51:19
> via fe-0/0/0.0
fe80::226:88ff:fe38:b500/128
*[Local/0] 1w3d 15:51:19
Local via fe-0/0/0.0

• From operational mode, enter the show ipv6 router-advertisement command.

The following output shows the options for the show ipv6 router-advertisement command.

[edit]
user@host>show ipv6 router-advertisement
Interface: fe-0/0/0.0
Advertisements sent: 1, last sent 00:02:45 ago
Solicits received: 0
Advertisements received: 8
Advertisement from fe80::3e94:d5ff:fe98:8602, heard 00:00:02 ago
Managed: 0
Other configuration: 1 [0]
Reachable time: 0 ms
Default lifetime: 30 sec [1800 sec]
Retransmit timer: 0 ms
Current hop limit: 64
Prefix: 2001:1:1:1::/64
Valid lifetime: 86400 sec
Preferred lifetime: 86400 sec
On link: 1
Autonomous: 1
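The outputs above are meant to be read by eye. The following Python script, an added example that is not part of the Juniper guide, parses the key/value layout of show dhcpv6 client binding detail and flags bindings that are not BOUND, that expire within a threshold, or whose IA_PD/IA_NA bind type lacks the matching delegated prefix or address. The first sample binding is copied from the PD output above; the second is constructed, with an invented state string, to exercise the checks.

```python
"""Health check over `show dhcpv6 client binding detail` output (added example)."""
import re
from typing import Dict, List

# Constructed sample: binding 1 copies the PD output above; binding 2 is invented.
SAMPLE_OUTPUT = """\
Client Interface: pp0.0
Hardware Address: 3c:94:d5:98:86:01
State: BOUND(DHCPV6_CLIENT_STATE_BOUND)
Lease Expires: 2016-03-26 10:12:50 JST
Lease Expires in: 86232 seconds
Bind Type: IA_PD
Server Ip Address: fe80::b2c6:9a0f:fc7d:6900
Update Server Yes
Client IP Prefix: 2001:1:1::/48
DHCP options:
Name: server-identifier, Value: VENDOR0x00000583-0x41453530
Name: dns-recursive-server, Value: 3000::1

Client Interface: fe-0/0/0.0
State: REQUESTING(CONSTRUCTED_NOT_BOUND_STATE)
Lease Expires in: 120 seconds
Bind Type: IA_NA
Client IP Address: 2001:1:1:1:226:88ff:fe38:b500/128
DHCP options:
Name: server-identifier, Value: VENDOR0x00000583-0x414c3131
"""

Record = Dict[str, object]
OPTION_RE = re.compile(r"^Name:\s*(\S+),\s*Value:\s*(.*)$")
KV_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$")


def parse_bindings(text: str) -> List[Record]:
    """One dict per binding; a binding starts at each 'Client Interface:' line.
    DHCP options are gathered under rec['options'] as {name: value}."""
    records: List[Record] = []
    rec: Record = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Client Interface:"):
            if rec:
                records.append(rec)
            rec = {"options": {}}
        opt, kv = OPTION_RE.match(line), KV_RE.match(line)
        if opt:
            rec.setdefault("options", {})[opt.group(1)] = opt.group(2).strip()
        elif kv:
            if kv.group(2):                    # skip bare headers ('DHCP options:')
                rec[kv.group(1)] = kv.group(2)
        else:                                  # 'Update Server Yes' has no colon
            head, _, tail = line.rpartition(" ")
            if head:
                rec[head] = tail
    if rec:
        records.append(rec)
    return records


def lease_remaining(rec: Record) -> int:
    """Seconds left from 'Lease Expires in: N seconds'; -1 if the field is absent."""
    m = re.match(r"(\d+)", str(rec.get("Lease Expires in", "")))
    return int(m.group(1)) if m else -1


def check_binding(rec: Record, min_remaining: int = 3600) -> List[str]:
    """Problems for one binding; an empty list means it looks healthy."""
    iface = rec.get("Client Interface", "?")
    state = str(rec.get("State", ""))
    problems: List[str] = []
    if not state.startswith("BOUND"):
        problems.append(f"{iface}: not BOUND (state: {state or 'missing'})")
    left = lease_remaining(rec)
    if 0 <= left < min_remaining:
        problems.append(f"{iface}: lease expires in {left}s (< {min_remaining}s)")
    bind_type = rec.get("Bind Type")
    if bind_type == "IA_PD" and "Client IP Prefix" not in rec:
        problems.append(f"{iface}: IA_PD binding without a delegated prefix")
    if bind_type == "IA_NA" and "Client IP Address" not in rec:
        problems.append(f"{iface}: IA_NA binding without an address")
    return problems


def report(text: str, min_remaining: int = 3600) -> Dict[str, List[str]]:
    out: Dict[str, List[str]] = {}          # interface -> problems (only if any)
    for rec in parse_bindings(text):
        problems = check_binding(rec, min_remaining)
        if problems:
            out[str(rec.get("Client Interface", "?"))] = problems
    return out


if __name__ == "__main__":
    for iface, problems in report(SAMPLE_OUTPUT, min_remaining=300).items():
        print(iface, *problems, sep="\n  ")
```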

CHAPTER 11

Configuring a DHCP Local Server

• Understanding DHCP Server Operation on page 447
• DHCP Server Configuration Overview on page 448
• Minimum DHCP Local Server Configuration on page 449
• Configuring Address-Assignment Pools on page 450
• Configuring an Address-Assignment Pool Name and Addresses on page 451
• Configuring a Named Address Range for Dynamic Address Assignment on page 451
• Configuring Static Address Assignments on page 452
• Enabling TCP/IP Propagation on a DHCP Local Server on page 453
• Verifying and Managing DHCP Local Server Configuration on page 454
• Example: Configuring the Device as a DHCP Server on page 454

Understanding DHCP Server Operation

Supported Platforms SRX Series, vSRX

As a DHCP server, a Juniper Networks device can provide temporary IP addresses from
an IP address pool to all clients on a specified subnet, a process known as dynamic
binding. Juniper Networks devices can also perform static binding, assigning permanent
IP addresses to specific clients based on their media access control (MAC) addresses.
Static bindings take precedence over dynamic bindings.

This section contains the following topics:

• DHCP Options on page 447
• Compatibility with Autoinstallation on page 448
• Chassis Cluster Support on page 448

DHCP Options
In addition to its primary DHCP server functions, you can also configure the device to
send configuration settings like the following to clients through DHCP:

• IP address of the DHCP server (Juniper Networks device)

• List of Domain Name System (DNS) and NetBIOS servers

• List of gateway routers

• IP address of the boot server and the filename of the boot file to use

• DHCP options defined in RFC 2132, DHCP Options and BOOTP Vendor Extensions

Compatibility with Autoinstallation

The functions of a Juniper Networks device acting as a DHCP server are compatible with
the autoinstallation feature. The DHCP server automatically checks any autoinstallation
settings for conflicts and gives the autoinstallation settings priority over corresponding
DHCP settings. For example, an IP address set by autoinstallation takes precedence over
an IP address set by the DHCP server.

Chassis Cluster Support

DHCP server operations are supported on all SRX Series devices in chassis cluster mode.

Related Documentation

• DHCP Server, Client, and Relay Agent Overview on page 423
• Example: Configuring the Device as a DHCP Server on page 454
• Understanding DHCP Client Operation on page 461
• Understanding DHCP Relay Agent Operation on page 471

DHCP Server Configuration Overview

Supported Platforms SRX Series, vSRX

A typical DHCP server configuration provides the following configuration settings for a
particular subnet on a device interface:

• An IP address pool, with one address excluded from the pool.

• Default and maximum lease times.

• Domain search suffixes. These suffixes specify the domain search list used by a client
when resolving hostnames with DNS.

• A DNS name server.

• Device solicitation address option (option 32). The IP address excluded from the IP
address pool is reserved for this option.

In addition, the DHCP server might assign a static address to at least one client on the
subnet. Table 13 on page 448 provides the settings and values for the sample DHCP server
configuration.

Table 13: Sample DHCP Server Configuration Settings

Setting                                                    Sample Value

DHCP Subnet Configuration

  Address pool subnet address                              192.168.2.0/24
  High address in the pool range                           192.168.2.254
  Low address in the pool range                            192.168.2.2
  Address pool default lease time, in seconds              1,209,600 (14 days)
  Address pool maximum lease time, in seconds              2,419,200 (28 days)
  Domain search suffixes                                   mycompany.net
                                                           mylab.net
  Address to exclude from the pool                         192.168.2.33
  DNS server address                                       192.168.10.2
  Identifier code for router solicitation address option   32
  Type choice for router solicitation address option       IP address
  IP address for router solicitation address option        192.168.2.33

DHCP MAC Address Configuration

  Static binding MAC address                               01:03:05:07:09:0B
  Fixed address                                            192.168.2.50
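The following Python model, an added example rather than Junos code, encodes the pool rules this overview states, using the Table 13 values: dynamic assignment from the low/high range, the excluded address kept out of circulation, and the static MAC binding taking precedence over dynamic assignment. How the two lease times interact (a requested lease is capped at the pool maximum, the default applies when the client requests none) is this example's assumption.

```python
"""Model of the address-assignment pool rules described above (added example;
not Juniper's implementation). Static bindings win over dynamic assignment,
the excluded address is never handed out, dynamic addresses come from the
named low/high range, and lease requests are clamped to the pool maximum
(the clamping rule is this example's assumption)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

Addr = ipaddress.IPv4Address


@dataclass
class Pool:
    network: ipaddress.IPv4Network
    range_low: Addr
    range_high: Addr
    default_lease: int
    maximum_lease: int
    excluded: Set[Addr] = field(default_factory=set)
    static: Dict[str, Addr] = field(default_factory=dict)   # MAC -> fixed address
    leases: Dict[str, Addr] = field(default_factory=dict)   # MAC -> current address

    def __post_init__(self) -> None:
        for a in (self.range_low, self.range_high, *self.static.values()):
            if a not in self.network:
                raise ValueError(f"{a} is outside {self.network}")
        if self.range_low > self.range_high:
            raise ValueError("range low must not exceed range high")

    def lease_time(self, requested: Optional[int]) -> int:
        """Default when the client asks for nothing, else clamp to the maximum."""
        if requested is None:
            return self.default_lease
        return min(requested, self.maximum_lease)

    def allocate(self, mac: str, requested: Optional[int] = None) -> Tuple[Optional[Addr], int]:
        """Return (address, lease_seconds); (None, 0) when no address is free."""
        mac = mac.lower()
        lease = self.lease_time(requested)
        if mac in self.static:                  # static binding takes precedence
            self.leases[mac] = self.static[mac]
            return self.static[mac], lease
        if mac in self.leases:                  # renewal keeps the same address
            return self.leases[mac], lease
        # Static and excluded addresses are removed from the dynamic pool.
        busy = set(self.leases.values()) | set(self.static.values()) | self.excluded
        addr = self.range_low
        while addr <= self.range_high:
            if addr not in busy:
                self.leases[mac] = addr
                return addr, lease
            addr += 1
        return None, 0

    def release(self, mac: str) -> None:
        self.leases.pop(mac.lower(), None)


def make_pool(network, low, high, default_lease, maximum_lease,
              excluded=(), static=None) -> Pool:
    """Build a Pool from plain strings (MACs are normalised to lower case)."""
    return Pool(
        network=ipaddress.IPv4Network(network),
        range_low=Addr(low),
        range_high=Addr(high),
        default_lease=default_lease,
        maximum_lease=maximum_lease,
        excluded={Addr(a) for a in excluded},
        static={m.lower(): Addr(a) for m, a in (static or {}).items()},
    )


def table13_pool() -> Pool:
    """The sample values from Table 13."""
    return make_pool("192.168.2.0/24", "192.168.2.2", "192.168.2.254",
                     default_lease=1209600, maximum_lease=2419200,
                     excluded=["192.168.2.33"],
                     static={"01:03:05:07:09:0B": "192.168.2.50"})


if __name__ == "__main__":
    pool = table13_pool()
    print(pool.allocate("01:03:05:07:09:0B"))        # static binding: 192.168.2.50
    print(pool.allocate("aa:bb:cc:dd:ee:01", 10**9))  # dynamic: .2, lease clamped
```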

Related Documentation

• DHCP Server, Client, and Relay Agent Overview on page 423
• Understanding DHCP Server Operation on page 447
• Understanding DHCP Client Operation on page 461
• Understanding DHCP Relay Agent Operation on page 471
• RFC 3397, Dynamic Host Configuration Protocol (DHCP) Domain Search Option

Minimum DHCP Local Server Configuration

Supported Platforms SRX Series, vSRX

The following sample output shows the minimum configuration you must use to configure
an SRX300, SRX320, SRX340, SRX345, SRX550M, or SRX1500 device as a DHCP local
server. In this output, the server group is named mobileusers, and the DHCP local server
is enabled on interface ge-1/0/1.0 within the group.

[edit access]
address-assignment {
    pool acmenetwork family inet {
        network 192.168.1.0/24;
    }
}

[edit system services]
dhcp-local-server {
    group mobileusers {
        interface ge-1/0/1.0;
    }
}

[edit interfaces ge-1/0/1 unit 0]
family {
    inet {
        address 192.168.1.1/24;
    }
}

NOTE: You can configure the DHCP local server in a routing instance by using the dhcp-local-server, interface, and address-assignment statements at the [edit routing-instances] hierarchy level.

Related Documentation

• Configuring Address-Assignment Pools on page 450

Configuring Address-Assignment Pools

Supported Platforms SRX Series, vSRX

The address-assignment pool feature for SRX300, SRX320, SRX340, SRX345, SRX550M,
and SRX1500 devices enables you to create address pools that can be shared by different
client applications such as DHCPv4 or DHCPv6.

To configure an address-assignment pool:

1. Configure the address-assignment pool name and specify the addresses for the pool.

See “Configuring an Address-Assignment Pool Name and Addresses” on page 451.

2. (Optional) Configure named ranges (subsets) of addresses.

See “Configuring a Named Address Range for Dynamic Address Assignment” on page 451.

3. (Optional; IPv4 only) Create static address bindings.

See “Configuring Static Address Assignments” on page 452.

4. (Optional) Configure attributes for DHCP clients.

See “Configuring DHCP Client-Specific Attributes for Address-Assignment Pools” on page 462.

Related Documentation

• Configuring an Address-Assignment Pool Name and Addresses on page 451

Configuring an Address-Assignment Pool Name and Addresses

Supported Platforms SRX Series, vSRX

When configuring an address-assignment pool on SRX300, SRX320, SRX340, SRX345, SRX1500, and SRX550M devices, you must specify the name of the pool and its addresses.

To configure an IPv4 address-assignment pool:

1. Configure the name of the pool and specify the IPv4 family.

[edit access]
user@host# edit address-assignment pool blr-pool family inet

2. Configure the network address and the prefix length of the addresses in the pool.

[edit access address-assignment pool blr-pool family inet]
user@host# set network 192.168.0.0/16

NOTE: You can configure an IPv4 address-assignment pool in a routing instance by configuring the address-assignment statements at the [edit routing-instances] hierarchy level.

Related Documentation

• Configuring Address-Assignment Pools on page 450

Configuring a Named Address Range for Dynamic Address Assignment

Supported Platforms SRX Series, vSRX

You can optionally configure multiple named ranges, or subsets, of addresses within an
address-assignment pool. During a dynamic address assignment, a client can be assigned
an address from a specific named range. To create a named range, you specify a name
for the range and define the address range.

NOTE: Supported only on SRX300, SRX320, SRX340, SRX345, SRX1500, and SRX550M devices.

To create a named range within an IPv4 address-assignment pool:

1. Specify the name of the address-assignment pool.

[edit access]
user@host# edit address-assignment pool blr-pool family inet

2. Configure the name of the range and the lower and upper boundaries of the addresses
in the range.

[edit access address-assignment pool blr-pool family inet]
user@host# set range southeast low 192.168.102.2 high 192.168.102.254

NOTE: To configure named address ranges in a routing instance, configure the address-assignment statements at the [edit routing-instances] hierarchy level.

Related Documentation

• Configuring Address-Assignment Pools on page 450

Configuring Static Address Assignments

Supported Platforms SRX Series, vSRX

You can optionally create a static IPv4 address binding by reserving a specific address
for a particular client. The address is removed from the address-assignment pool so that
it is not assigned to another client. When you reserve an address, you identify the client
host and create a binding between the client MAC address and the assigned IP address.

NOTE: This feature is supported on SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices.

To configure a static IPv4 address binding:

1. Specify the name of the IPv4 address-assignment pool containing the IP address you
want to reserve for the client.

[edit access]
user@host# edit address-assignment pool blr-pool family inet

2. Specify the name of the client for the static binding, the client MAC address, and the
IP address to reserve for the client. This configuration specifies that the client with
MAC address 01:03:05:07:09:0b is always assigned IP address 192.168.10.2.

[edit access address-assignment pool blr-pool family inet]
user@host# set host svale6_boston_net hardware-address 01:03:05:07:09:0b ip-address 192.168.10.2

NOTE: To configure static binding for an IPv4 address in a routing instance, configure the address-assignment statements in the [edit routing-instances] hierarchy.

Related Documentation

• Configuring Address-Assignment Pools on page 450

Enabling TCP/IP Propagation on a DHCP Local Server

Supported Platforms SRX Series, vSRX

This topic describes how to configure TCP/IP settings on a DHCP local server, which
includes a DHCP client and a DHCP local server.

NOTE: This feature is supported on SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices.

To enable TCP/IP setting propagation on a DHCP local server:

1. Configure the update-server option on the DHCP client.

[edit interfaces ge-0/0/1 unit 0 family inet]
dhcp-client {
    update-server;
}

2. Configure the address pool to specify the interface (where update-server is configured)
from which TCP/IP settings can be propagated.

[edit access]
address-assignment {
pool sprint family inet {
network 192.168.2.0/24;
dhcp-attributes {
propagate-settings ge-0/0/1.0;
}
}
}

3. Configure the DHCP local server.

[edit system services]
dhcp-local-server {
    group bob {
        interface ge-1/0/1.0;
    }
}

Related Documentation

• Minimum DHCP Local Server Configuration on page 449

Verifying and Managing DHCP Local Server Configuration

Supported Platforms SRX Series, vSRX

Purpose View or clear information about client address bindings and statistics for the DHCP local
server.

NOTE: This feature is supported on SRX300, SRX320, SRX340, SRX345, SRX550M, and SRX1500 devices.

Action • To display the address bindings in the client table on the DHCP local server:

user@host> show dhcp server binding

• To display DHCP local server statistics:

user@host> show dhcp server statistics

• To clear the binding state of a DHCP client from the client table on the DHCP local
server:

user@host> clear dhcp server binding

• To clear all DHCP local server statistics:

user@host> clear dhcp server statistics

NOTE: To clear or view information about client bindings and statistics in a routing instance, run the following commands:

• show dhcp server binding routing-instance <routing-instance-name>
• show dhcp server statistics routing-instance <routing-instance-name>
• clear dhcp server binding routing-instance <routing-instance-name>
• clear dhcp server statistics routing-instance <routing-instance-name>

Related Documentation

• Minimum DHCP Local Server Configuration on page 449

Example: Configuring the Device as a DHCP Server

Supported Platforms SRX Series, vSRX

This example shows how to configure the device as a DHCP server.

For information on how to configure JDHCP in a routing instance, see
https://kb.juniper.net/InfoCenter/index?page=content=KB26897=search=true.

• Requirements on page 455
• Overview on page 455
• Configuration on page 455
• Verification on page 458

Requirements
Before you begin:

• Determine the IP address pools and the lease durations to use for each subnet.

• Obtain the MAC addresses of the clients that require permanent IP addresses. Determine
the IP addresses to use for these clients.

• List the IP addresses that are available for the servers and devices on your network;
for example, DNS, NetBIOS servers, boot servers, and gateway devices. See the
Understanding Management Predefined Policy Applications.

• Determine the DHCP options required by the subnets and clients in your network.

Overview
In this example, you configure the device as a DHCP server. You specify the IP address
pool as 192.168.2.0/24 and from a low range of 192.168.2.2 to a high range of 192.168.2.254.
You set the maximum-lease-time to 2,419,200. Then you specify the DNS server IP
address as 192.168.10.2.

WARNING: Starting with Junos OS Release 15.1X49-D60, the legacy DHCPD (DHCP daemon) configuration on all SRX Series devices is being deprecated, and only the new JDHCP CLI is supported. When you upgrade to Junos OS Release 15.1X49-D60 or a later release on a device that already has a DHCPD configuration, the following warning messages are displayed:

WARNING: The DHCP configuration command used will be deprecated in future Junos releases.

WARNING: Please see documentation for updated commands.

Configuration

CLI Quick Configuration: To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.1/24
set system services dhcp-local-server group g1 interface ge-0/0/2.0
set access address-assignment pool p1 family inet network 192.168.2.0/24
set access address-assignment pool p1 family inet range r1 low 192.168.2.2
set access address-assignment pool p1 family inet range r1 high 192.168.2.254
set access address-assignment pool p1 family inet dhcp-attributes maximum-lease-time 2419200
set access address-assignment pool p1 family inet dhcp-attributes name-server 192.168.10.2

GUI Step-by-Step Procedure: To configure the device as a DHCP server, specify the DHCP pool information, server information, lease time, and option information:

1. In the J-Web interface, select Configure > DHCP > DHCP Services.

2. Select DHCP Pools. Click Add.

3. Specify the IP address that is used as the source address the DHCP server includes
in IP packets when communicating with clients. The address is included in the DHCP
packet in option 54.

4. Specify the subnet information for the IPv4 address-assignment pool. Type
192.168.2.0/24.

5. In the Address Range Low, type 192.168.2.2.

6. In the Address Range High, type 192.168.2.254.

7. In the Exclude Addresses box, type the addresses you want excluded from the DHCP address pool. Type 192.168.0.20.

8. Specify the server identifier to assign to any DHCP clients in this address pool. The
identifier can be used to identify a DHCP server in a DHCP message.

9. Specify the domain name to assign to any DHCP clients in this address pool.

10. Specify the next server that DHCP clients need to contact. Type 192.168.10.2.

11. Define the maximum amount of time (in seconds) that DHCP should lease an address.
Type 2419200.

12. Define DHCP option 32, the device solicitation address option. You must enter a
numeric value for option code. Select the option type from the list that corresponds
to the option code.

13. Click OK.

14. If you are done configuring the device, click Commit > Commit.

Step-by-Step Procedure: The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the device as a DHCP server:

1. Configure an interface with an IP address on which the DHCP server will be reachable.

[edit]
user@host# set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.1/24

2. Configure the DHCP server.

[edit]
user@host# set system services dhcp-local-server group g1 interface ge-0/0/2.0

3. Create an address pool for IPv4 addresses that can be assigned to clients. The
addresses in the pool must be on the subnet in which the DHCP clients reside. Do
not include addresses that are already in use on the network.

[edit]
user@host# set access address-assignment pool p1 family inet network 192.168.2.0/24

4. (Optional) Specify the IP address pool range. Define a range of addresses in the
address-assignment pool. The range is a subset of addresses within the pool that
can be assigned to clients. If no range is specified, then all addresses within the pool
are available for assignment. Configure the name of the range and the lower and
upper boundaries of the addresses in the range.

[edit]
user@host# set access address-assignment pool p1 family inet range r1 low 192.168.2.2 high 192.168.2.254

5. (Optional) Configure one or more routers as the default gateway on the client’s
subnet.

[edit]
user@host# set access address-assignment pool p1 family inet dhcp-attributes router 192.168.10.3

6. (Optional) Configure the IP address that is used as the source address for the DHCP
server in messages exchanged with the client. Clients use this information to
distinguish between lease offers.

[edit]
user@host# set access address-assignment pool p1 family inet dhcp-attributes server-identifier 192.168.10.1

7. (Optional) Specify the maximum time period, in seconds, that a client holds the
lease for an assigned IP address if the client does not renew the lease.

[edit]
user@host# set access address-assignment pool p1 family inet dhcp-attributes maximum-lease-time 2419200

8. (Optional) Specify user-defined options to be included in DHCP packets.

[edit]
user@host# set access address-assignment pool p1 family inet dhcp-attributes option 98 string test98

9. Assign a fixed IP address with the MAC address of the client.

[edit]
user@host# set system services dhcp static-binding 01:03:05:07:09:0B fixed-address 192.168.2.50

Results From configuration mode, confirm your configuration by entering the show system services
dhcp-local-server command. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.

[edit]
user@host# show system services dhcp-local-server
pool 192.168.2.0/24 {
    address-range low 192.168.2.2 high 192.168.2.254;
    maximum-lease-time 2419200;
    name-server {
        192.168.10.2;
    }
    option 32 ip-address 192.168.2.33;
}
static-binding 01:03:05:07:09:0B {
    fixed-address {
        192.168.2.50;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

• Verifying the DHCP Binding Database on page 459
• Verifying DHCP Server Operation on page 459

Verifying the DHCP Binding Database

Purpose Verify that the DHCP binding database reflects the DHCP server configuration.

Action From operational mode, enter these commands:

• show dhcp server binding command to display all active bindings in the database.

• show dhcp server binding address detail command (where address is the IP address of
the client) to display more information about a client.

These commands produce the following sample output:

user@host> show dhcp server binding

IP Address    Hardware Address     Type      Lease expires at
30.1.1.20     00:12:1e:a9:7b:81    dynamic   2007-05-11 11:14:43 PDT

user@host> show dhcp server binding address detail

IP address 192.0.2.2
Hardware address 00:a0:12:00:13:02
Pool 192.0.2.0/24
Interface fe-0/0/0, relayed by 192.0.2.200

Lease information:
Type DHCP
Obtained at 2004-05-02 13:01:42 PDT
Expires at 2004-05-03 13:01:42 PDT
State active

DHCP options:
Name: name-server, Value: { 6.6.6.6, 6.6.6.7 }
Name: domain-name, Value: mydomain.tld
Code: 32, Type: ip-address, Value: 192.0.2.33

Verifying DHCP Server Operation

Purpose Verify that the DHCP server operation has been configured.

Action From operational mode, enter the following command:

• show dhcp server statistics command to verify the DHCP server statistics.

user@host> show dhcp server statistics

Packets dropped:
Total 0

Messages received:
BOOTREQUEST 45
DHCPDECLINE 0
DHCPDISCOVER 1
DHCPINFORM 39
DHCPRELEASE 0
DHCPREQUEST 5
DHCPLEASEQUERY 0
DHCPBULKLEASEQUERY 0

Messages sent:
BOOTREPLY 6
DHCPOFFER 1
DHCPACK 3
DHCPNAK 2
DHCPFORCERENEW 0
DHCPLEASEUNASSIGNED 0
DHCPLEASEUNKNOWN 0
DHCPLEASEACTIVE 0
DHCPLEASEQUERYDONE 0
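As an added example (not a Juniper tool), the following Python script parses the show dhcp server statistics layout shown above and applies operator heuristics to the counters: DHCPDECLINE means clients found an offered address already in use, a high DHCPNAK-to-DHCPREQUEST ratio suggests leases issued by another server or a subnet mismatch, and DISCOVERs without OFFERs point to an exhausted pool. The second sample and all thresholds are constructed assumptions.

```python
"""Triage of `show dhcp server statistics` counters (added example; not a
Juniper tool). Thresholds are this example's assumptions, not Junos defaults.
Counters accumulate until `clear dhcp server statistics`, so compare two
snapshots over time before acting on a single reading."""
import re
from typing import Dict, List, Tuple

# Copied from the sample output above (trailing zero counters omitted).
SAMPLE_STATS = """\
Packets dropped:
    Total                      0

Messages received:
    BOOTREQUEST               45
    DHCPDECLINE                0
    DHCPDISCOVER               1
    DHCPINFORM                39
    DHCPRELEASE                0
    DHCPREQUEST                5
    DHCPLEASEQUERY             0
    DHCPBULKLEASEQUERY         0

Messages sent:
    BOOTREPLY                  6
    DHCPOFFER                  1
    DHCPACK                    3
    DHCPNAK                    2
    DHCPFORCERENEW             0
"""

# Constructed: what a server competing with another DHCP server on the same
# subnet might show (declines, many NAKs, unanswered discovers, drops).
SAMPLE_STATS_CONFLICT = """\
Packets dropped:
    Total                      4

Messages received:
    BOOTREQUEST               60
    DHCPDECLINE                3
    DHCPDISCOVER              30
    DHCPREQUEST               10

Messages sent:
    BOOTREPLY                 10
    DHCPOFFER                  2
    DHCPACK                    2
    DHCPNAK                    8
"""

SECTION_RE = re.compile(r"^([A-Za-z ]+):\s*$")
COUNTER_RE = re.compile(r"^(\S+)\s+(\d+)$")


def parse_statistics(text: str) -> Dict[str, Dict[str, int]]:
    """{'Messages received': {'DHCPDISCOVER': 1, ...}, ...}"""
    stats: Dict[str, Dict[str, int]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            stats[section] = {}
            continue
        cnt = COUNTER_RE.match(line)
        if cnt and section is not None:
            stats[section][cnt.group(1)] = int(cnt.group(2))
    return stats


def assess(stats: Dict[str, Dict[str, int]], nak_ratio: float = 0.5,
           unanswered: int = 10) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing stands out."""
    recv = stats.get("Messages received", {})
    sent = stats.get("Messages sent", {})
    findings: List[Tuple[str, str]] = []
    dropped = stats.get("Packets dropped", {}).get("Total", 0)
    if dropped:
        findings.append(("dropped", f"{dropped} packets dropped: confirm the receiving "
                         "interface is listed in a dhcp-local-server group"))
    declines = recv.get("DHCPDECLINE", 0)
    if declines:
        findings.append(("decline", f"{declines} DHCPDECLINE: clients saw the offered "
                         "address already in use (overlapping pool, static host, or a second server)"))
    req, nak = recv.get("DHCPREQUEST", 0), sent.get("DHCPNAK", 0)
    if req and nak / req > nak_ratio:
        findings.append(("nak", f"DHCPNAK/DHCPREQUEST = {nak}/{req}: requests rejected; "
                         "typical of leases issued by another server or a subnet mismatch"))
    disc, offer = recv.get("DHCPDISCOVER", 0), sent.get("DHCPOFFER", 0)
    if disc - offer >= unanswered:
        findings.append(("unanswered", f"{disc - offer} DISCOVERs without an OFFER: "
                         "pool exhausted or range does not cover the client subnet"))
    return findings


if __name__ == "__main__":
    for code, message in assess(parse_statistics(SAMPLE_STATS_CONFLICT)):
        print(f"[{code}] {message}")
```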

Release History Table

Release      Description

15.1X49-D60  Starting with Junos OS Release 15.1X49-D60, the legacy DHCPD (DHCP daemon) configuration on all SRX Series devices is being deprecated, and only the new JDHCP CLI is supported.

Related Documentation

• DHCP Server, Client, and Relay Agent Overview on page 423
• Understanding DHCP Server Operation on page 447
• Understanding DHCP Relay Agent Operation on page 471
• DHCP Settings and Restrictions Overview on page 424

CHAPTER 12

Configuring a DHCP Client

• Understanding DHCP Client Operation on page 461
• Minimum DHCP Client Configuration on page 461
• Configuring DHCP Client-Specific Attributes for Address-Assignment Pools on page 462
• Configuring Optional DHCP Client Attributes on page 463
• Verifying and Managing DHCP Client Configuration on page 464
• Example: Configuring the Device as a DHCP Client on page 465

Understanding DHCP Client Operation

Supported Platforms SRX Series, vSRX

A Juniper Networks device can act as a DHCP client, receiving its TCP/IP settings and
the IP address for any physical interface in any security zone from an external DHCP
server. The device can also act as a DHCP server, providing TCP/IP settings and IP
addresses to clients in any zone. When the device operates as a DHCP client and a DHCP
server simultaneously, it can transfer the TCP/IP settings learned through its DHCP client
module to its default DHCP server module. For the device to operate as a DHCP client,
you configure a logical interface on the device to obtain an IP address from the DHCP
server in the network. You set the vendor class ID, lease time, DHCP server address,
retransmission attempts, and retry interval. You can renew DHCP client leases.

DHCP client operations are supported on all SRX Series devices in chassis cluster mode.

Related Documentation

• DHCP Server, Client, and Relay Agent Overview on page 423
• Understanding DHCP Relay Agent Operation on page 471
• DHCP Settings and Restrictions Overview on page 424

Minimum DHCP Client Configuration

Supported Platforms SRX Series, vSRX

The following sample output shows the minimum configuration you must use to configure
an SRX300, SRX320, SRX340, SRX345, SRX550M, or SRX1500 device as a DHCP client.
In this output, the interface is ge-0/0/0 and the logical unit is 0.

[edit interfaces]
ge-0/0/0 {
    unit 0 {
        family inet {
            dhcp-client;
        }
    }
}

NOTE: To configure a DHCP client in a routing instance, add the interface to a routing instance using the [edit routing-instances] hierarchy.

Related Documentation

• Configuring Optional DHCP Client Attributes on page 463

Configuring DHCP Client-Specific Attributes for Address-Assignment Pools

Supported Platforms SRX Series, vSRX

You use the address-assignment pool feature to include application-specific attributes when clients obtain an address. The client application, such as DHCP, uses the attributes
to determine how addresses are assigned and to provide optional application-specific
characteristics to the client. For example, the DHCP application might specify that a
client that matches certain prerequisite information is dynamically assigned an address
from a particular named range. Based on which named range is used, DHCP specifies
additional DHCP attributes such as the boot file that the client uses, the DNS server, and
the maximum lease time.

NOTE: This feature is supported on SRX300, SRX320, SRX340, SRX345, SRX550M, and
SRX1500 devices.

You use the dhcp-attributes statement to configure DHCP client-specific attributes for
address-assignment pools.

To configure address-assignment pool attributes for DHCP clients:

1. Specify the name of the address-assignment pool.

[edit access]
user@host# edit address-assignment pool blr-pool family inet

2. Configure optional DHCP client attributes.

[edit access address-assignment pool blr-pool family inet]
user@host# set dhcp-attributes maximum-lease-time 2419200


Chapter 12: Configuring a DHCP Client

user@host# set dhcp-attributes name-server 192.168.10.2
user@host# set dhcp-attributes boot-file boot-file.txt
user@host# set dhcp-attributes boot-server example.com

NOTE: To configure DHCP client-specific attributes in a routing instance, configure the
dhcp-attributes statements in the [edit routing-instances] hierarchy.

Related Documentation
• Configuring Address-Assignment Pools on page 450

Configuring Optional DHCP Client Attributes

Supported Platforms SRX Series, vSRX

For the device to operate as a DHCP client, you configure a logical interface on the device
to obtain an IP address from the DHCP local server in the network. You can then set the
client-identifier, options no-hostname, lease time, retransmission attempts, retry interval,
preferred DHCP local server address, and vendor class ID.

To configure optional DHCP client attributes on SRX300, SRX320, SRX340, SRX550M,
and SRX1500 devices:

1. Configure the DHCP client identifier prefix as the hostname.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set client-identifier prefix host-name

2. Configure options no-hostname if you do not want the client to send its hostname
(DHCP option 12) in the packets.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set options no-hostname

3. Set the DHCP lease time.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set lease-time 86400

4. Set the number of attempts allowed to retransmit a DHCP packet.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set retransmission-attempt 6

5. Set the interval (in seconds) allowed between retransmission attempts. The range
is 4 through 64. The default is 4 seconds.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set retransmission-interval 5


6. Set the IPv4 address of the preferred DHCP local server.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set server-address 10.1.1.1

7. Set the vendor class ID for the DHCP client.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set vendor-id ether

NOTE: To configure the DHCP client in a routing instance, configure the interface in the
[edit routing-instances] hierarchy.

Related Documentation
• Minimum DHCP Client Configuration on page 461

Verifying and Managing DHCP Client Configuration

Supported Platforms SRX Series, vSRX

Purpose View or clear information about client address bindings and statistics for the DHCP client
on SRX300, SRX320, SRX340, SRX550M, and SRX1500 devices.

Action • To display the address bindings in the client table on the DHCP client:

user@host> show dhcp client binding

• To display DHCP client statistics:

user@host> show dhcp client statistics

• To clear the binding state of a DHCP client from the client table on the DHCP client:

user@host> clear dhcp client binding

• To clear all DHCP client statistics:

user@host> clear dhcp client statistics

NOTE: To clear or view information about client bindings and statistics in a routing
instance, run the following commands:

• show dhcp client binding routing-instance <routing-instance-name>
• show dhcp client statistics routing-instance <routing-instance-name>
• clear dhcp client binding routing-instance <routing-instance-name>
• clear dhcp client statistics routing-instance <routing-instance-name>


Related Documentation
• Example: Configuring the Device as a DHCP Client on page 465

Example: Configuring the Device as a DHCP Client

Supported Platforms SRX Series, vSRX

This example shows how to configure the device as a DHCP client.

• Requirements on page 465
• Overview on page 465
• Configuration on page 466
• Verification on page 468

Requirements
Before you begin:

• Determine the IP address pools and the lease durations to use for each subnet. You
can use the show system services dhcp pool CLI command to view information on DHCP
address pools.

• Obtain the MAC addresses of the clients that require permanent IP addresses. Determine
the IP addresses to use for these clients.

• List the IP addresses that are available for the servers and devices on your network;
for example, DNS, NetBIOS servers, boot servers, and gateway devices. See
Understanding Management Predefined Policy Applications.

• Determine the DHCP options required by the subnets and clients in your network. See
Creating User-Defined DHCP Options Not Included in the Default Junos Implementation
of the DHCP Server.

Overview
In this example, you configure the device as a DHCP client. You specify the interface as
ge-0/0/2, set the logical unit as 0, and create a DHCP inet family. You then specify the
DHCP client identifier as 00:0a:12:00:12:12 in hexadecimal. You use hexadecimal if the
client identifier is a MAC address. You set the options no-hostname if you do not want
the DHCP client to send the hostname with the packets. You set the DHCP lease time
as 86,400 seconds. The range is from 60 through 2,147,483,647 seconds.

Then you set the number of retransmission attempts to 6. The range is from 0 through
6, and the default is 4. You set the retransmission interval to 5 seconds. The range is from
4 through 64, and the default is 4 seconds. Finally, you set the IPv4 address of the
preferred DHCP server to 10.1.1.1 and the vendor class ID to ether.

WARNING: Starting with Junos OS Release 15.1X49-D60, the legacy DHCPD (DHCP daemon)
configuration on all SRX Series devices is being deprecated and only the new JDHCP
CLI is supported. When you upgrade to Junos OS Release 15.1X49-D60 or a later release
on a device that already has the DHCPD configuration, the following warning messages
are displayed:

WARNING: The DHCP configuration command used will be deprecated in future Junos releases.
WARNING: Please see documentation for updated commands.

Configuration

CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

set interfaces ge-0/0/2 unit 0 family inet dhcp-client client-identifier hexadecimal 00:0a:12:00:12:12
set interfaces ge-0/0/2 unit 0 family inet dhcp-client lease-time 86400
set interfaces ge-0/0/2 unit 0 family inet dhcp-client retransmission-attempt 6
set interfaces ge-0/0/2 unit 0 family inet dhcp-client retransmission-interval 5
set interfaces ge-0/0/2 unit 0 family inet dhcp-client server-address 192.168.2.1
set interfaces ge-0/0/2 unit 0 family inet dhcp-client vendor-id ether
set interfaces ge-0/0/2 unit 0 family inet dhcp-client options no-hostname

GUI Step-by-Step Procedure
To configure the device as a DHCP client:
1. In the J-Web interface, select Configure > Services > DHCP > DHCP Client.

2. Under Interfaces, add ge-0/0/2.0.

3. Configure the DHCP client identifier as either an ASCII or hexadecimal value.

4. From the Client identifier choice list, select hexadecimal.

5. In the Hexadecimal box, type the client identifier—00:0a:12:00:12:12.

6. Set the DHCP lease time in seconds. This is the lease time in seconds requested in a
DHCP client protocol packet; the range is 60 through 2,147,483,647. Type 86400.

7. Set the retransmission number of attempts to 6. This is the number of attempts to
retransmit the DHCP client protocol packet. The range is 0 through 6.

8. Set the retransmission interval in seconds to 5. This is the number of seconds between
successive transmissions. The range is 4 through 64. The default is 4 seconds.

9. Set the IPv4 address of the preferred DHCP server. Type 192.168.2.1.


10. Set the vendor class ID. This is the vendor class identification for the DHCP client.
Type ether.

11. Configure options no-hostname if you do not want the client to send hostname in the
packets (RFC option code 12).

12. Click OK.

13. If you are done configuring the device, click Commit >.

Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.

To configure the device as a DHCP client:

1. Specify the DHCP client interface.

[edit]
user@host# edit interfaces ge-0/0/2 unit 0 family inet dhcp-client

2. Configure the DHCP client identifier as a hexadecimal value (here, the client's MAC
address).

[edit interfaces ge-0/0/2 unit 0 family inet dhcp-client]
user@host# set client-identifier hexadecimal 00:0a:12:00:12:12

3. Set the DHCP lease time.

[edit interfaces ge-0/0/2 unit 0 family inet dhcp-client]
user@host# set lease-time 86400

4. Set the number of attempts allowed to retransmit a DHCP packet.

[edit interfaces ge-0/0/2 unit 0 family inet dhcp-client]
user@host# set retransmission-attempt 6

5. Set the interval (in seconds) allowed between retransmission attempts. The range
is 4 through 64. The default is 4 seconds.

[edit interfaces ge-0/0/2 unit 0 family inet dhcp-client]
user@host# set retransmission-interval 5

6. Set the IPv4 address of the preferred DHCP server.

[edit interfaces ge-0/0/2 unit 0 family inet dhcp-client]
user@host# set server-address 192.168.2.1

7. Set the vendor class ID for the DHCP client.

[edit interfaces ge-0/0/2 unit 0 family inet dhcp-client]
user@host# set vendor-id ether

8. Configure options no-hostname if you do not want the client to send the hostname
in packets.

[edit interfaces ge-0/0/2 unit 0 family inet dhcp-client]
user@host# set options no-hostname

Results From configuration mode, confirm your configuration by entering the show interfaces
ge-0/0/2 unit 0 family inet command. If the output does not display the intended
configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show interfaces ge-0/0/2 unit 0 family inet
dhcp-client {
client-identifier hexadecimal 00:0a:12:00:12:12;
options no-hostname;
lease-time 86400;
retransmission-attempt 6;
retransmission-interval 5;
server-address 192.168.2.1;
update-server;
vendor-id ether;
}

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

• Verifying the DHCP Client on page 468

Verifying the DHCP Client

Purpose Verify that the DHCP client has obtained an address binding and is exchanging
messages with the server.

Action From operational mode, enter these commands:

• show dhcp client binding, to display the binding state of the Dynamic Host
Configuration Protocol (DHCP) client.

• show dhcp client statistics, to display client statistics.

These commands produce the following sample output:

user@host> show dhcp client binding

IP address        Hardware address    Expires     State    Interface
192.168.2.2       88:a2:5e:0a:d6:03   2419093     BOUND    ge-0/0/2.


user@host> show dhcp client statistics

Packets dropped:
Total 2
Send error 2

Messages received:
BOOTREPLY 6
DHCPOFFER 4
DHCPACK 2
DHCPNAK 0
DHCPFORCERENEW 0

Messages sent:
BOOTREQUEST 39
DHCPDECLINE 0
DHCPDISCOVER 23
DHCPREQUEST 16
DHCPINFORM 0
DHCPRELEASE 0
DHCPRENEW 0
DHCPREBIND 0
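The binding and statistics output above is what an operator reads by hand. The following Python script, added here as an example and not part of the Juniper documentation or of Junos OS, parses both outputs and flags the conditions a NOC or SOC would want to alert on: a client that is not BOUND or whose lease is about to expire, DHCPNAK or DHCPFORCERENEW from the server, send errors, and an OFFER-to-ACK or DISCOVER-to-OFFER ratio that suggests a second (possibly rogue) DHCP server or an unreachable one. The sample outputs are constructed from the page's own example (the interface name is completed as ge-0/0/2.0), and the ratio thresholds are assumptions.

```python
"""Parse 'show dhcp client binding' and 'show dhcp client statistics' output
and report anomalies.  Added example; not Juniper code.  The sample outputs
below are constructed from the page's example (interface completed as
ge-0/0/2.0, which is an assumption)."""
import re

BINDING_OUTPUT = """\
IP address        Hardware address   Expires     State    Interface
192.168.2.2       88:a2:5e:0a:d6:03  2419093     BOUND    ge-0/0/2.0
"""

STATS_OUTPUT = """\
Packets dropped:
    Total                      2
    Send error                 2

Messages received:
    BOOTREPLY                  6
    DHCPOFFER                  4
    DHCPACK                    2
    DHCPNAK                    0
    DHCPFORCERENEW             0

Messages sent:
    BOOTREQUEST               39
    DHCPDECLINE                0
    DHCPDISCOVER              23
    DHCPREQUEST               16
    DHCPINFORM                 0
    DHCPRELEASE                0
    DHCPRENEW                  0
    DHCPREBIND                 0
"""


def parse_bindings(text):
    """Rows of 'show dhcp client binding' as dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) != 5:
            continue
        ip, mac, expires, state, ifname = parts
        rows.append({"ip": ip, "mac": mac.lower(), "expires": int(expires),
                     "state": state, "interface": ifname})
    return rows


def parse_stats(text):
    """Counter name -> value for every 'name   N' line; section headers have no count."""
    stats = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s+(\d+)\s*$", line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def check(bindings, stats, expiry_warn=3600):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    if not bindings:
        findings.append("no DHCP client binding present")
    for b in bindings:
        if b["state"] != "BOUND":
            findings.append(f"{b['interface']}: state is {b['state']}, not BOUND")
        elif b["expires"] < expiry_warn:
            findings.append(f"{b['interface']}: lease expires in {b['expires']} s")
    nak = stats.get("DHCPNAK", 0)
    if nak:
        findings.append(f"server rejected {nak} request(s) with DHCPNAK")
    if stats.get("DHCPFORCERENEW", 0):
        findings.append("DHCPFORCERENEW received: a server is forcing renewals")
    send_err = stats.get("Send error", 0)
    if send_err:
        findings.append(f"{send_err} packet(s) dropped with send error")
    offers, acks = stats.get("DHCPOFFER", 0), stats.get("DHCPACK", 0)
    if offers > acks + 1:
        # Heuristic (assumed threshold): several OFFERs per completed lease can
        # mean more than one server, possibly a rogue one, answers on the segment.
        findings.append(f"{offers} OFFERs for {acks} ACKs: check for a second DHCP server")
    discovers = stats.get("DHCPDISCOVER", 0)
    if discovers > 3 * max(offers, 1):
        # Heuristic (assumed threshold): many unanswered DISCOVERs.
        findings.append(f"{discovers} DISCOVERs for {offers} OFFERs: server unreachable or slow")
    return findings


if __name__ == "__main__":
    for finding in check(parse_bindings(BINDING_OUTPUT), parse_stats(STATS_OUTPUT)):
        print("WARN", finding)
```

On the page's own sample output the script reports the two send errors, four OFFERs against two ACKs, and 23 DISCOVERs against four OFFERs; the counters are cumulative, so run it against the delta between two samples (or after clear dhcp client statistics) rather than on lifetime totals.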

Release History Table
Release: 15.1X49-D60
Description: Starting with Junos OS Release 15.1X49-D60, the legacy DHCPD (DHCP daemon)
configuration on all SRX Series devices is being deprecated and only the new JDHCP CLI
is supported.

Related Documentation
• DHCP Server, Client, and Relay Agent Overview on page 423
• Understanding DHCP Server Operation on page 447
• Understanding DHCP Client Operation on page 461
• DHCP Settings and Restrictions Overview on page 424



CHAPTER 13

Configuring a DHCP Relay Agent

• Understanding DHCP Relay Agent Operation on page 471
• Minimum DHCP Relay Agent Configuration on page 471
• Verifying and Managing DHCP Relay Configuration on page 472
• Example: Configuring the Device as a BOOTP or DHCP Relay Agent on page 473

Understanding DHCP Relay Agent Operation

Supported Platforms SRX Series, vSRX

A Juniper Networks device operating as a DHCP relay agent forwards incoming requests
from BOOTP and DHCP clients to a specified BOOTP or DHCP server. Client requests
can pass through virtual private network (VPN) tunnels.

You cannot configure a single device interface to operate as both a DHCP client and a
DHCP relay.

NOTE: The DHCP requests received on an interface are associated with a DHCP pool that
is in the same subnet as the primary IP address/subnet on the interface. If an interface
is associated with multiple IP addresses/subnets, the device uses the numerically lowest
IP address as the primary IP address/subnet for the interface. To change the address
that is listed as the primary address on an interface, use the
set interfaces <interface-name> unit 0 family inet address <address/prefix-length> primary
command and commit the change.

Related Documentation
• DHCP Server, Client, and Relay Agent Overview on page 423
• Understanding DHCP Server Operation on page 447
• DHCP Settings and Restrictions Overview on page 424

Minimum DHCP Relay Agent Configuration

Supported Platforms SRX Series, vSRX


The following sample output shows the minimum configuration you must use to configure
an SRX Series device as a DHCP relay agent. In this output, the active server group is
named server-1 and its IP address is 203.0.113.1. The DHCP relay agent configuration is
applied to a group named bob. Within this group, the DHCP relay agent is enabled on
interface ge-1/0/1.0.

[edit forwarding-options]
dhcp-relay {
server-group {
server-1 {
203.0.113.1;
}
}
active-server-group server-1;
group bob {
interface ge-1/0/1.0;
}
}

NOTE: To configure the DHCP relay agent in a routing instance, configure the dhcp-relay
statements at the [edit routing-instances] hierarchy level.

Related Documentation
• Verifying and Managing DHCP Relay Configuration on page 472

Verifying and Managing DHCP Relay Configuration

Supported Platforms SRX Series, vSRX

Purpose View or clear address bindings or statistics for DHCP relay agent clients.

Action • To display the address bindings for DHCP relay agent clients:

user@host> show dhcp relay binding

• To display DHCP relay agent statistics:

user@host> show dhcp relay statistics

• To clear the binding state of DHCP relay agent clients:

user@host> clear dhcp relay binding

• To clear all DHCP relay agent statistics:

user@host> clear dhcp relay statistics

To clear or view information about client bindings and statistics in a routing instance, run
the following commands:

• show dhcp relay binding routing-instance <routing-instance-name>
• show dhcp relay statistics routing-instance <routing-instance-name>
• clear dhcp relay binding routing-instance <routing-instance-name>
• clear dhcp relay statistics routing-instance <routing-instance-name>

NOTE: On all SRX Series devices, DHCP relay is unable to update the binding
status based on DHCP_RENEW and DHCP_RELEASE messages.

Related Documentation
• Minimum DHCP Relay Agent Configuration on page 471

Example: Configuring the Device as a BOOTP or DHCP Relay Agent

Supported Platforms SRX Series, vSRX

This example shows how to configure the device as a BOOTP or DHCP relay agent.

• Requirements on page 473
• Overview on page 473
• Configuration on page 474
• Verification on page 478

Requirements
No special configuration beyond device initialization is required before configuring this
feature.

Overview
In this example, you enable the DHCP relay agent to relay BOOTP or DHCP messages to
a BOOTP server. You enable the vpn option to allow client requests to pass through the
VPN tunnel. You specify the IP time-to-live value to be set in responses to the client as
20. The range is from 1 through 255. You then set the maximum number of hops allowed
per packet to 10. The range is from 4 through 16.

Then you specify the minimum number of seconds before requests are forwarded as
300. The range is from 0 through 30,000 seconds. You set the description of the server
(a text string), and you specify the server to which requests are forwarded by name or
IPv4 address. You define the routing instance, whose name is a nonreserved text string
of 128 or fewer characters. You then specify the interface on which incoming BOOTP or
DHCP requests are received as ge-0/0/0. You enable the broadcast option if the Layer 2
interface is unknown.

For that interface, you then specify the IP time-to-live value to be set in responses to
the client as 30 (the range is from 1 through 255), set the description as text, and enable
DHCP option 82. You set the maximum number of hops allowed per packet to 20 and
the minimum number of seconds before requests are forwarded to 400. You enable the
no-listen option. Finally, you enable the vpn option on the interface to allow client
requests to pass through the VPN tunnel.

WARNING: Starting with Junos OS Release 15.1X49-D60, the legacy DHCPD (DHCP daemon)
configuration on all SRX Series devices is being deprecated and only the new JDHCP
CLI is supported. When you upgrade to Junos OS Release 15.1X49-D60 or a later release
on a device that already has the DHCPD configuration, the following warning messages
are displayed:

WARNING: The DHCP configuration command used will be deprecated in future Junos releases.
WARNING: Please see documentation for updated commands.

Configuration

CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

set forwarding-options helpers bootp relay-agent-option
set forwarding-options helpers bootp vpn
set forwarding-options helpers bootp client-response-ttl 20
set forwarding-options helpers bootp maximum-hop-count 10
set forwarding-options helpers bootp minimum-wait-time 300
set forwarding-options helpers bootp description text
set forwarding-options helpers bootp server 198.51.110.2
set forwarding-options helpers bootp server 198.51.110.2 routing-instance rt-i-1
set forwarding-options helpers bootp interface ge-0/0/0
set forwarding-options helpers bootp interface ge-0/0/0 broadcast
set forwarding-options helpers bootp interface ge-0/0/0 client-response-ttl 30
set forwarding-options helpers bootp interface ge-0/0/0 description text
set forwarding-options helpers bootp interface ge-0/0/0 dhcp-option82
set forwarding-options helpers bootp interface ge-0/0/0 maximum-hop-count 20
set forwarding-options helpers bootp interface ge-0/0/0 minimum-wait-time 400
set forwarding-options helpers bootp interface ge-0/0/0 no-listen
set forwarding-options helpers bootp interface ge-0/0/0 vpn

GUI Step-by-Step Procedure
To configure the device as a BOOTP/DHCP relay agent:
1. In the J-Web user interface, select Configure>Services>DHCP>Boot DHCP Relay.

2. Select the DHCP relay agent check box to enable the BOOTP/DHCP relay agent.

3. Select the VPN encryption check box.

4. In the Client response TTL box, type 20.


5. In the Maximum hop count box, type 10.

6. In the Minimum wait time box, type 300.

7. In the Description box, type the description of the server.

8. Add a new server. Next to Server, click Add new Entry.

9. Next to the Name box, type 198.51.110.2.

10. Define the routing instance. Next to Routing instance, click Add new entry.

11. In the Name box, type rt-i-1 and click OK. A routing instance is optional.

12. Add a new interface. Next to Interface, click Add new entry.

13. In the Interface name box, type the interface name. For example, type ge-0/0/0.

14. In the Client response TTL box, type 30.

15. In the Description box, type the description of the server.

16. Select the Dhcp option 82 check box.

17. In the Maximum hop count box, type 20.

18. In the Minimum wait time box, type 400.

19. Select the No listen check box.

20. Select the VPN encryption check box.

21. Click OK until you return to the Configuration page.

22. Click OK to check your configuration and save it as a candidate configuration.

23. If you are done configuring the device, click Commit Options>Commit.


Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.

To configure the device as a BOOTP or DHCP relay agent:

1. Enable the DHCP relay agent.

[edit]
user@host# edit forwarding-options helpers bootp
user@host# set relay-agent-option

2. Enable VPN encryption to allow client requests to pass through VPN tunnel.

[edit forwarding-options helpers bootp]
user@host# set vpn

3. Set the IP time-to-live value for responses to the client.

[edit forwarding-options helpers bootp]
user@host# set client-response-ttl 20

4. Set the maximum number of hops allowed per packet.

[edit forwarding-options helpers bootp]
user@host# set maximum-hop-count 10

5. Set the minimum wait time in seconds.

[edit forwarding-options helpers bootp]
user@host# set minimum-wait-time 300

6. Specify the description of the server.

[edit forwarding-options helpers bootp]
user@host# set description text

7. Add a new server.

[edit forwarding-options helpers bootp]
user@host# set server 198.51.110.2

8. Define the routing instance.

[edit forwarding-options helpers bootp]
user@host# set server 198.51.110.2 routing-instance rt-i-1

9. Define the incoming BootP request forwarding interface.

[edit forwarding-options helpers bootp]
user@host# set interface ge-0/0/0

10. Enable the broadcast option.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set broadcast

11. Define the IP time-to-live value.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set client-response-ttl 30

12. Specify the description of the server.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set description text

13. Set the DHCP option 82.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set dhcp-option82

14. Specify the maximum number of hops allowed per packet.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set maximum-hop-count 20

15. Set the minimum wait time.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set minimum-wait-time 400

16. Set the no listen option.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set no-listen

17. Enable VPN encryption to allow client requests to pass through the VPN tunnel.

[edit forwarding-options helpers bootp interface ge-0/0/0]
user@host# set vpn

Results From configuration mode, confirm your configuration by entering the show
forwarding-options command. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.

[edit]
user@host# show forwarding-options
helpers {
bootp {
relay-agent-option;
description text;
server 198.51.110.2 routing-instance rt-i-1;
maximum-hop-count 10;
minimum-wait-time 300;


client-response-ttl 20;
vpn;
interface {
ge-0/0/0 {
no-listen;
broadcast;
description text;
maximum-hop-count 20;
minimum-wait-time 400;
client-response-ttl 30;
vpn;
dhcp-option82;
}
}
}
}

If you are done configuring the device, enter commit from configuration mode.
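To show what the maximum-hop-count, minimum-wait-time, dhcp-option82, no-listen and client-response-ttl settings in this example actually decide for an incoming request, here is a small Python model of a relay agent. It is an added example, not the Junos OS implementation, and it builds and parses the RFC 3046 relay agent information option (option 82) by hand. The interface values are the ones configured above (hop count 20, wait time 400, TTL 30); the relay address 10.0.0.1, the use of the interface name as circuit-id and the routing-instance name as remote-id, and the "wait" outcome for a request whose secs field is below minimum-wait-time are assumptions of the model.

```python
"""Model of the relay-agent decisions controlled by the options in this example,
with RFC 3046 option 82 built and parsed by hand.  Added example; not Juniper's
implementation.  Relay address, circuit-id/remote-id contents and the 'wait'
outcome are assumptions of this model."""
from dataclasses import dataclass

OPT_MESSAGE_TYPE = 53
OPT_RELAY_AGENT = 82          # RFC 3046 relay agent information option
SUB_CIRCUIT_ID, SUB_REMOTE_ID = 1, 2
OPT_PAD, OPT_END = 0, 255


@dataclass
class BootpRequest:
    hops: int       # BOOTP 'hops' field, incremented by every relay
    secs: int       # seconds since the client started acquiring an address
    giaddr: str     # gateway address; 0.0.0.0 when the client sent the packet
    options: bytes  # DHCP options after the magic cookie, ending in 0xff


@dataclass
class RelayInterface:
    name: str
    address: str
    maximum_hop_count: int
    minimum_wait_time: int
    dhcp_option82: bool
    no_listen: bool
    client_response_ttl: int


def build_option82(circuit_id: bytes, remote_id: bytes) -> bytes:
    body = (bytes([SUB_CIRCUIT_ID, len(circuit_id)]) + circuit_id
            + bytes([SUB_REMOTE_ID, len(remote_id)]) + remote_id)
    return bytes([OPT_RELAY_AGENT, len(body)]) + body


def parse_tlvs(raw: bytes, dhcp_level: bool = True) -> dict:
    """code -> value.  At DHCP level, pad (0) and end (255) are special; inside
    option 82 every sub-option is a plain code/length/value triple."""
    out, i = {}, 0
    while i < len(raw):
        code = raw[i]
        if dhcp_level and code == OPT_END:
            break
        if dhcp_level and code == OPT_PAD:
            i += 1
            continue
        length = raw[i + 1]
        out[code] = raw[i + 2:i + 2 + length]
        i += 2 + length
    return out


def relay(req: BootpRequest, iface: RelayInterface, remote_id: bytes = b""):
    """Return (action, reason, packet) for a request arriving on iface."""
    if iface.no_listen:
        return "drop", f"no-listen is set on {iface.name}", req
    if req.hops + 1 > iface.maximum_hop_count:
        return "drop", f"hops {req.hops} would exceed maximum-hop-count {iface.maximum_hop_count}", req
    if req.secs < iface.minimum_wait_time:
        return "wait", f"secs {req.secs} < minimum-wait-time {iface.minimum_wait_time}", req
    opts = parse_tlvs(req.options)
    end = req.options.rfind(bytes([OPT_END]))
    body = req.options if end < 0 else req.options[:end]
    first_hop = req.giaddr == "0.0.0.0"
    # RFC 3046: only the relay closest to the client adds option 82, and never twice.
    if iface.dhcp_option82 and first_hop and OPT_RELAY_AGENT not in opts:
        body += build_option82(iface.name.encode(), remote_id)
    fwd = BootpRequest(hops=req.hops + 1, secs=req.secs,
                       giaddr=iface.address if first_hop else req.giaddr,
                       options=body + bytes([OPT_END]))
    return "forward", f"giaddr={fwd.giaddr} hops={fwd.hops} reply-ttl={iface.client_response_ttl}", fwd


if __name__ == "__main__":
    ge000 = RelayInterface("ge-0/0/0", "10.0.0.1", 20, 400, True, False, 30)
    discover = BootpRequest(0, 500, "0.0.0.0", bytes([OPT_MESSAGE_TYPE, 1, 1, OPT_END]))
    action, why, pkt = relay(discover, ge000, b"rt-i-1")
    subs = parse_tlvs(parse_tlvs(pkt.options)[OPT_RELAY_AGENT], dhcp_level=False)
    print(action, why, subs)
```

The demonstration interface deliberately leaves no-listen off: the page's example sets it on ge-0/0/0, and a relay does not process requests received on an interface with no-listen, so in this model every request arriving there is dropped. If your relay counts every received packet as dropped "Due to missing interface in relay database", one thing to check is that the receiving interface is configured under helpers bootp and is not set to no-listen.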

Verification
Confirm that the configuration is working properly.

Verifying DHCP Relay Statistics

Purpose Verify that the DHCP relay agent is receiving and forwarding requests.

Action From operational mode, enter the show system services dhcp relay-statistics command.

user@host> show system services dhcp relay-statistics

Received Packets: 4
Forwarded Packets: 4
Dropped Packets: 4
  Due to missing interface in relay database: 4
  Due to missing matching routing instance: 0
  Due to an error during packet read: 0
  Due to an error during packet send: 0
  Due to invalid server address: 0
  Due to missing valid local address: 0
  Due to missing route to server/client: 0

Release History Table
Release: 15.1X49-D60
Description: Starting with Junos OS Release 15.1X49-D60, the legacy DHCPD (DHCP daemon)
configuration on all SRX Series devices is being deprecated and only the new JDHCP CLI
is supported.

Related Documentation
• DHCP Server, Client, and Relay Agent Overview on page 423
• Understanding DHCP Relay Agent Operation on page 471
• DHCP Settings and Restrictions Overview on page 424

CHAPTER 14

Configuring a DHCPv6 Local Server

• DHCPv6 Server Overview on page 479
• Creating a Security Policy for DHCPv6 on page 480
• Example: Configuring DHCPv6 Server Options on page 481
• Example: Configuring an Address-Assignment Pool on page 484
• Configuring a Named Address Range for Dynamic Address Assignment on page 486
• Configuring Address-Assignment Pool Linking on page 487
• Configuring DHCP Client-Specific Attributes on page 488
• Configuring an Address-Assignment Pool for Router Advertisement on page 489
• Understanding DHCPv6 Client and Server Identification on page 489

DHCPv6 Server Overview

Supported Platforms SRX Series

A Dynamic Host Configuration Protocol version 6 (DHCPv6) server can automatically
allocate IP addresses to IP version 6 (IPv6) clients and deliver configuration settings to
client hosts on a subnet or to requesting devices that need an IPv6 prefix. A DHCPv6
server lets network administrators centrally manage a pool of IP addresses among hosts
and automate the assignment of IP addresses in a network. This feature is supported on
SRX1500, SRX5400, SRX5600, and SRX5800 devices only.

NOTE: SRX Series devices do not support DHCP client authentication. In a DHCPv6
deployment, security policies control access through the device for any DHCP client
that has received an address and other attributes from the DHCPv6 server.

Some features include:

• Configuration for a specific interface or a group of interfaces

• Stateless address autoconfiguration (SLAAC)

• Prefix delegation, including access-internal route installation

• DHCPv6 server groups


The DHCPv6 server configuration usually consists of DHCPv6 options for clients, an IPv6
prefix, an address pool that contains IPv6 address ranges and options, and a security
policy to allow DHCPv6 traffic. In a typical setup the provider Juniper Networks device is
configured as an IPv6 prefix delegation server that assigns addresses to the customer
edge device. The customer’s edge router then provides addresses to internal devices.

To configure a DHCPv6 local server on a device, you include the dhcpv6 statement at the
[edit system services dhcp-local-server] hierarchy level. You then create an
address-assignment pool for DHCPv6 at the [edit access address-assignment pool]
hierarchy level using the family inet6 statement.

You can also include the dhcpv6 statement at the [edit routing-instances
routing-instance-name system services dhcp-local-server] hierarchy.

NOTE: Existing DHCPv4 configurations in the [edit system services dhcp] hierarchy are
not affected when you upgrade to Junos OS Release 10.4 from an earlier version or enable
the DHCPv6 server.

Related Documentation
• Example: Configuring DHCPv6 Server Options on page 481
• Example: Configuring an Address-Assignment Pool on page 484
• Configuring a Named Address Range for Dynamic Address Assignment on page 486
• Creating a Security Policy for DHCPv6 on page 480

Creating a Security Policy for DHCPv6

Supported Platforms SRX Series

For the DHCPv6 server to allow DHCPv6 requests, you must create a security policy to
enable DHCPv6 traffic. In this example, the zone my-zone allows DHCPv6 traffic from
the zone untrust, and the ge-0/0/3.0 interface is configured with the IPv6 address
2001:db8:3001::1.

To create a security zone policy to allow DHCPv6 on SRX1500, SRX5400, SRX5600,
and SRX5800 devices:

1. Create the zone and add an interface to that zone.

[edit security zones]
user@host# edit security-zone my-zone interfaces ge-0/0/3.0

2. Configure host inbound traffic system services to allow DHCPv6.

[edit security zones security-zone my-zone interfaces ge-0/0/3.0]
user@host# set host-inbound-traffic system-services dhcpv6

3. If you are done configuring the device, enter commit from configuration mode.


Related Documentation
• DHCPv6 Server Overview on page 479
• Example: Configuring DHCPv6 Server Options on page 481
• Example: Configuring an Address-Assignment Pool on page 484

Example: Configuring DHCPv6 Server Options

Supported Platforms SRX Series

This example shows how to configure DHCPv6 server options on SRX1500, SRX5400,
SRX5600, and SRX5800 devices.

• Requirements on page 481
• Overview on page 481
• Configuration on page 481
• Verification on page 483

Requirements
Before you begin:

• Determine the IPv6 address pool range.

• Determine the IPv6 prefix. See the Understanding Address Books.

• Determine the grace period, maximum lease time, or any custom options that should
be applied to clients.

• List the IP addresses that are available for the devices on your network; for example,
DNS and SIP servers.

Overview
In this example, you set a default client limit of 100 for all DHCPv6 groups. You then
create a group called my-group that contains at least one interface. In this case, the
interface is ge-0/0/3.0. You set a range of interfaces using the upto option and set
a custom client limit of 200 for group my-group that overrides the default limit. Finally,
you configure interface ge-0/0/3.0 with the IPv6 address 2001:db8:3000::1/64 and enable
router advertisement of the 2001:db8:3000::/64 prefix on interface ge-0/0/3.0. Starting
with Junos OS Release 15.1X49-D70, you can add the dynamic-server option so that the
server dynamically supports a prefix and attributes that are updated by the WAN server.

NOTE: A DHCPv6 group must contain at least one interface.

Configuration

CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

set system services dhcp-local-server dhcpv6 overrides interface-client-limit 100
set system services dhcp-local-server dhcpv6 dynamic-server
set system services dhcp-local-server dhcpv6 group my-group interface ge-0/0/3.0
set system services dhcp-local-server dhcpv6 group my-group interface ge-0/0/3.0 upto ge-0/0/6.0
set system services dhcp-local-server dhcpv6 group my-group overrides interface-client-limit 200
set interfaces ge-0/0/3 unit 0 family inet6 address 2001:db8:3000::1/64
set protocols router-advertisement interface ge-0/0/3.0 prefix 2001:db8:3000::/64

Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.

To configure DHCPv6 server options:

1. Configure a DHCP local server.

[edit]
user@host# edit system services dhcp-local-server dhcpv6

2. Set a default limit for all DHCPv6 groups.

[edit system services dhcp-local-server dhcpv6]
user@host# set overrides interface-client-limit 100

3. Add a dynamic server that automatically adds prefix and attributes that are updated
by the WAN server.

[edit]
user@host# edit system services dhcp-local-server dhcpv6 dynamic-server

4. Specify a group name and interface.

[edit system services dhcp-local-server dhcpv6]
user@host# set group my-group interface ge-0/0/3.0

5. Set a range of interfaces.

[edit system services dhcp-local-server dhcpv6]
user@host# set group my-group interface ge-0/0/3.0 upto ge-0/0/6.0

6. Set a custom client limit for the group.

[edit system services dhcp-local-server dhcpv6]
user@host# set group my-group overrides interface-client-limit 200

7. Configure an interface with an IPv6 address.

[edit interfaces]
user@host# set ge-0/0/3 unit 0 family inet6 address 2001:db8:3000::1/64


8. Set router advertisement for the interface.

[edit protocols]
user@host# set router-advertisement interface ge-0/0/3.0 prefix 2001:db8:3000::/64

Results
From configuration mode, confirm your configuration by entering the show system services
dhcp-local-server, show interfaces ge-0/0/3, and show protocols commands. If the output
does not display the intended configuration, repeat the configuration instructions in this
example to correct it.

[edit]
user@host# show system services dhcp-local-server
dhcpv6 {
    dynamic-server
    overrides {
        interface-client-limit 100;
    }
    group my-group {
        overrides {
            interface-client-limit 200;
        }
        interface ge-0/0/3.0 {
            upto ge-0/0/6.0;
        }
    }
}
[edit]
user@host# show interfaces ge-0/0/3
unit 0 {
    family inet6 {
        address 2001:db8:3000::1/64;
    }
}
[edit]
user@host# show protocols
router-advertisement {
    interface ge-0/0/3.0 {
        prefix 2001:db8:3000::1/64;
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

Verifying DHCPv6 Local Server Configuration

Purpose
Verify that the client address bindings and statistics for the DHCPv6 local server have
been configured.

Action
From operational mode, enter these commands:

• show dhcpv6 server binding command to display the address bindings in the client
table on the DHCPv6 local server.

• show dhcpv6 server statistics command to display the DHCPv6 local server statistics.

• clear dhcpv6 server bindings all command to clear all DHCPv6 local server bindings.
You can clear all bindings, or clear only the bindings for a specific interface or routing
instance.

• clear dhcpv6 server statistics command to clear all DHCPv6 local server statistics.

Release History Table

Release       Description
15.1X49-D70   Starting with Junos OS Release 15.1X49-D70, you can add the option
              dynamic-server to dynamically support prefix and attributes that are
              updated by the WAN server.

Related Documentation
• DHCPv6 Server Overview on page 479
• Example: Configuring an Address-Assignment Pool on page 484
• Configuring a Named Address Range for Dynamic Address Assignment on page 486
• Creating a Security Policy for DHCPv6 on page 480

Example: Configuring an Address-Assignment Pool

Supported Platforms SRX Series

This example shows how to configure an address-assignment pool on SRX1500,
SRX5400, SRX5600, and SRX5800 devices.

• Requirements on page 484
• Overview on page 484
• Configuration on page 485
• Verification on page 486

Requirements
Before you begin:

• Specify the name of the address-assignment pool and configure addresses for the
pool.

• Set DHCPv6 attributes for the address-assignment pool.

Overview
In this example, you configure an address-pool called my-pool and specify the IPv6 family
as inet6. You configure the IPv6 prefix as 2001:db8:3000:1::/64, the range name as range1,
and the IPv6 range for DHCPv6 clients from a low of 2001:db8:3000:1::/64 to a high of
2001:db8:3000:200::/64. You can define the range based on the lower and upper
boundaries of the prefixes in the range or based on the length of the prefixes in the range.
Finally, you specify the DHCPv6 attribute for the DNS server as 2001:db8:3001::1, the
grace period as 3600, and the maximum lease time as 120.

Configuration

CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text
file, remove any line breaks, change any details necessary to match your network
configuration, copy and paste the commands into the CLI at the [edit] hierarchy level,
and then enter commit from configuration mode.

set access address-assignment pool my-pool family inet6 prefix 2001:db8:3000:1::/64
set access address-assignment pool my-pool family inet6 range range1 low 2001:db8:3000:1::/64 high 2001:db8:3000:200::/64
set access address-assignment pool my-pool family inet6 dhcp-attributes dns-server 2001:db8:3001::1
set access address-assignment pool my-pool family inet6 dhcp-attributes grace-period 3600
set access address-assignment pool my-pool family inet6 dhcp-attributes maximum-lease-time 120

Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration
hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration
Mode in the CLI User Guide.

1. Configure an address-pool and specify the IPv6 family.

[edit access]
user@host# edit address-assignment pool my-pool family inet6

2. Configure the IPv6 prefix, the range name, and IPv6 range for DHCPv6 clients.

[edit access address-assignment pool my-pool family inet6]
user@host# set prefix 2001:db8:3000:1::/64
user@host# set range range1 low 2001:db8:3000:1::/64 high 2001:db8:3000:200::/64

3. Configure the DHCPv6 attribute for the DNS server for the address pool.

[edit access address-assignment pool my-pool family inet6]
user@host# set dhcp-attributes dns-server 2001:db8:3001::1

4. Configure the DHCPv6 attribute for the grace period.

[edit access address-assignment pool my-pool family inet6]
user@host# set dhcp-attributes grace-period 3600

5. Configure the DHCPv6 attribute for the maximum lease time.

[edit access address-assignment pool my-pool family inet6]
user@host# set dhcp-attributes maximum-lease-time 120

Results
From configuration mode, confirm your configuration by entering the show access
address-assignment command. If the output does not display the intended configuration,
repeat the configuration instructions in this example to correct it.

[edit]
user@host# show access address-assignment
pool my-pool {
    family inet6 {
        prefix 2001:db8:3000:1::/64;
        range range1 {
            low 2001:db8:3000:1::/64;
            high 2001:db8:3000:200::/64;
        }
        dhcp-attributes {
            maximum-lease-time 120;
            grace-period 3600;
            dns-server {
                2001:db8:3001::1;
            }
        }
    }
}

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

Verifying Configuration

Purpose
Verify that the address-assignment pool has been configured.

Action
From operational mode, enter the show access address-assignment command.

Related Documentation
• DHCPv6 Server Overview on page 479
• Example: Configuring DHCPv6 Server Options on page 481
• Configuring a Named Address Range for Dynamic Address Assignment on page 486
• Creating a Security Policy for DHCPv6 on page 480

Configuring a Named Address Range for Dynamic Address Assignment

Supported Platforms SRX Series

You can optionally configure multiple named ranges, or subsets of addresses, within an
address-assignment pool. During dynamic address assignment, a client can be assigned
an address from a specific named range. To create a named range, you specify a name
for the range and define the address range and DHCPv6 attributes.

NOTE: Supported only on SRX1500, SRX5400, SRX5600, and SRX5800 devices.

To configure a named address range for dynamic address assignment:

1. Specify the name of the address-assignment pool and the IPv6 family.

[edit access]
user@host# edit address-assignment pool my-pool2 family inet6

2. Configure the IPv6 prefix and then define the range name and IPv6 range for DHCPv6
clients. You can define the range based on the lower and upper boundaries of the
prefixes in the range, or based on the length of the prefixes in the range.

[edit access address-assignment pool my-pool2 family inet6]
user@host# set prefix 2001:db8:3000:5::/64
user@host# set range range2 low 2001:db8:3000:2::/64 high 2001:db8:3000:300::/64

3. Configure DHCPv6 attributes for the address pool.

[edit access address-assignment pool my-pool2 family inet6]
user@host# set dhcp-attributes dns-server 2001:db8:18:: grace-period 3600 maximum-lease-time 120

4. If you are done configuring the device, enter commit from configuration mode.

Related Documentation
• Configuring Address-Assignment Pool Linking on page 487

Configuring Address-Assignment Pool Linking

Supported Platforms SRX Series

Address-assignment pool linking enables you to specify a secondary address pool for
the device to use when the primary address-assignment pool is fully allocated. When
the primary pool has no available addresses remaining, the device automatically switches
over to the linked secondary pool and begins allocating addresses from that pool. The
device uses a secondary pool only when the primary address-assignment pool is fully
allocated.

You can create a chain of multiple linked pools. For example, you can link pool A to pool
B, and link pool B to pool C. When pool A has no available addresses, the device switches
to pool B for addresses. When pool B is exhausted, the device switches to pool C. There
is no limit to the number of linked pools in a chain. However, you cannot create multiple
links to or from the same pool—a pool can be linked to only one secondary pool, and a
secondary pool can be linked from only one primary pool.

To link a primary address-assignment pool named pool1 to a secondary pool named
pool2 on SRX1500, SRX5400, SRX5600, or SRX5800 devices:

[edit access address-assignment]
user@host# set pool pool1 link pool2

Related Documentation
• Configuring a Named Address Range for Dynamic Address Assignment on page 486

Configuring DHCP Client-Specific Attributes

Supported Platforms SRX Series

You use the address-assignment pool feature to include application-specific attributes
when clients obtain an address. A client application, such as DHCPv6, uses the attributes
to determine how addresses are assigned and to provide optional application-specific
characteristics to the client. For example, the DHCPv6 application might specify that a
client that matches certain prerequisite information is dynamically assigned an address
from a particular named range. Based on which named range is used, DHCPv6 specifies
additional DHCPv6 attributes such as the DNS server or the maximum lease time for
clients.

NOTE: For SRX1500, SRX5400, SRX5600, and SRX5800 devices only.

You use the dhcp-attributes statement to configure DHCPv6 client-specific attributes
for address-assignment pools at the [edit access address-assignment pool pool-name
family inet6] hierarchy.

Table 14 on page 488 describes the DHCPv6 client attributes for configuring IPv6
address-assignment pools.

Table 14: DHCPv6 Attributes

Attribute               Description                                                DHCPv6 Option
dns-server              IPv6 address of DNS server to which clients can send       23
                        DNS queries
grace-period            Grace period offered with the lease                        –
maximum-lease-time      Maximum lease time allowed by the DHCPv6 server            –
option                  User-defined options                                       –
sip-server-address      IPv6 address of SIP outbound proxy server                  22
sip-server-domain-name  Domain name of the SIP outbound proxy server               21

Related Documentation
• Configuring a Named Address Range for Dynamic Address Assignment on page 486

Configuring an Address-Assignment Pool for Router Advertisement

Supported Platforms SRX Series

For SRX1500, SRX5400, SRX5600, and SRX5800 devices, you can create an
address-assignment pool that is explicitly used for router advertisement address
assignment. You populate the address-assignment pool using the standard procedure,
but you additionally specify that the pool is used for router advertisement.

To configure an address-assignment pool that is used for router advertisement:

1. Create the IPv6 address-assignment pool.

2. Specify that the address-assignment pool is used for router advertisement.

[edit access address-assignment]
user@host# set neighbor-discovery-router-advertisement router1

3. If you are done configuring the device, enter commit from configuration mode.

Related Documentation
• Configuring a Named Address Range for Dynamic Address Assignment on page 486

Understanding DHCPv6 Client and Server Identification

Supported Platforms SRX Series

Each DHCPv6 client and server is identified by a DHCP unique identifier (DUID). The DUID
is unique across all DHCPv6 clients and servers, and it is stable for any specific client or
server. DHCPv6 clients use DUIDs to identify a server in messages where a server needs
to be identified. DHCPv6 servers use DUIDs to determine the configuration parameters
to be used for clients and in the association of addresses with clients.

NOTE: This feature is supported on SRX300, SRX320, SRX340, SRX550M, and SRX1500
devices.

The DUID is a 2-octet type code represented in network byte order, followed by a variable
number of octets that make up the actual identifier; for example,
00:02:00:01:02:03:04:05:07:a0. A DUID can be up to 128 octets in length (excluding the
type code). The following types are currently defined for the DUID parameter:

• Type 1—Link Layer address plus time (duid-llt)

• Type 2—Vendor-assigned unique ID based on enterprise number (vendor)

• Type 3—Link Layer address (duid-ll)

The duid-llt DUID consists of a 2-octet type field that contains the value 1, a 2-octet
hardware type code, 4 octets that signify a time value, followed by the Link Layer address
of any one network interface that is connected to the DHCP device at the time that the
DUID is generated.

The vendor DUID is assigned by the vendor to the device and contains the vendor's
registered private enterprise number, as maintained by the Internet Assigned Numbers
Authority (IANA), followed by a unique identifier assigned by the vendor.

The duid-ll DUID contains a 2-octet type field that stores the value 3, and a 2-octet
network hardware type code, followed by the Link Layer address of any one network
interface that is permanently connected to the client or server device.
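The three DUID layouts described above, decoded by an added Python parser that is not Junos code: it takes the colon-separated hex form shown in the text, enforces the 128-octet identifier limit, and reads the enterprise number as the 4-octet field RFC 3315 defines. The two DUIDs other than the text's own example are constructed.

```python
"""Decode DHCPv6 DUIDs of types 1, 2 and 3 from the colon-separated hex form
Junos shows. Added example, not Junos code; the sample duid-llt and duid-ll
values are constructed."""
from datetime import datetime, timedelta, timezone

DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3   # type codes for duid-llt, vendor, duid-ll
MAX_IDENTIFIER_OCTETS = 128            # limit on the octets after the 2-octet type code
# The DUID-LLT time field counts seconds from 2000-01-01 00:00:00 UTC (RFC 3315).
DUID_LLT_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)


def _octets(text):
    """Turn '00:02:0a' into three octets; anything not colon-separated hex is rejected."""
    try:
        return bytes(int(part, 16) for part in text.strip().split(":"))
    except ValueError as exc:
        raise ValueError(f"malformed DUID text: {text!r}") from exc


def _hexstr(octets):
    return ":".join(f"{b:02x}" for b in octets)


def parse_duid(text):
    """Return a dict describing the DUID, or raise ValueError if it is malformed."""
    raw = _octets(text)
    if len(raw) < 2:
        raise ValueError("DUID needs a 2-octet type code")
    duid_type, body = int.from_bytes(raw[:2], "big"), raw[2:]
    if len(body) > MAX_IDENTIFIER_OCTETS:
        raise ValueError(f"identifier is {len(body)} octets, limit is {MAX_IDENTIFIER_OCTETS}")
    if duid_type == DUID_LLT:
        # 2-octet hardware type, 4-octet time, then the link-layer address.
        if len(body) < 7:
            raise ValueError("duid-llt needs hardware type, time and a link-layer address")
        seconds = int.from_bytes(body[2:6], "big")
        return {"type": "duid-llt",
                "hardware_type": int.from_bytes(body[:2], "big"),
                "time": seconds,
                "generated_at": (DUID_LLT_EPOCH + timedelta(seconds=seconds)).isoformat(),
                "link_layer_address": _hexstr(body[6:])}
    if duid_type == DUID_EN:
        # 4-octet IANA private enterprise number, then a vendor-assigned identifier.
        if len(body) < 5:
            raise ValueError("vendor DUID needs an enterprise number and an identifier")
        return {"type": "vendor",
                "enterprise_number": int.from_bytes(body[:4], "big"),
                "identifier": _hexstr(body[4:])}
    if duid_type == DUID_LL:
        # 2-octet hardware type, then the link-layer address.
        if len(body) < 3:
            raise ValueError("duid-ll needs hardware type and a link-layer address")
        return {"type": "duid-ll",
                "hardware_type": int.from_bytes(body[:2], "big"),
                "link_layer_address": _hexstr(body[2:])}
    raise ValueError(f"unsupported DUID type {duid_type}")


if __name__ == "__main__":
    # The text's own example DUID plus two constructed ones.
    for sample in ("00:02:00:01:02:03:04:05:07:a0",
                   "00:01:00:01:1f:2a:3b:4c:00:00:5e:00:53:01",
                   "00:03:00:01:00:00:5e:00:53:01"):
        print(sample, "->", parse_duid(sample))
```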

Related Documentation
• DHCPv6 Client Overview on page 491

CHAPTER 15

Configuring a DHCPv6 Client

• DHCPv6 Client Overview on page 491
• Minimum DHCPv6 Client Configuration on page 492
• Configuring Optional DHCPv6 Client Attributes on page 494
• Configuring Nontemporary Address Assignment on page 495
• Configuring Identity Associations for Nontemporary Addresses and Prefix
Delegation on page 496
• Configuring Auto-Prefix Delegation on page 496
• Configuring the DHCPv6 Client Rapid Commit Option on page 497
• Configuring a DHCPv6 Client in Autoconfig Mode on page 498
• Configuring TCP/IP Propagation on a DHCPv6 Client on page 499

DHCPv6 Client Overview

Supported Platforms SRX Series

A Juniper Networks device can act as a Dynamic Host Configuration Protocol version 6
(DHCPv6) client, receiving its TCP/IP settings and the IPv6 address for any physical
interface in any security zone from an external DHCPv6 server. When the device operates
as a DHCPv6 client and a DHCPv6 server simultaneously, it can transfer the TCP/IP
settings learned through its DHCPv6 client module to its default DHCPv6 server module.
For the device to operate as a DHCPv6 client, you configure a logical interface on the
device to obtain an IPv6 address from the DHCPv6 server in the network.

DHCPv6 client support for Juniper Networks devices includes the following features:

• Identity association for nontemporary addresses (IA_NA)

• Identity association for prefix delegation (IA_PD)

• Rapid commit

• TCP/IP propagation

• Auto-prefix delegation

• Autoconfig mode (stateful and stateless)

To configure the DHCPv6 client on the device, include the dhcpv6-client statement at
the [edit interfaces] hierarchy level.

NOTE: To configure a DHCPv6 client in a routing instance, add the interface
in a routing instance using the [edit routing-instances] hierarchy.

NOTE: On all SRX Series devices, DHCPv6 client authentication is not
supported.

NOTE: On SRX300, SRX320, SRX340, SRX345, and SRX550M devices,
DHCPv6 client does not support:

• Temporary addresses

• Reconfigure messages

• Multiple identity association for nontemporary addresses (IA_NA)

• Multiple prefixes in a single identity association for prefix delegation (IA_PD)

• Multiple prefixes in a single router advertisement

Related Documentation
• Minimum DHCPv6 Client Configuration on page 492

Minimum DHCPv6 Client Configuration

Supported Platforms SRX Series


This topic describes the minimum configuration you must use to configure an SRX300,
SRX320, SRX340, SRX345, SRX550M, or SRX1500 device as a DHCPv6 client.

To configure the device as a DHCPv6 client:

1. Specify the DHCPv6 client interface.

[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client

2. Configure the DHCPv6 client type. The client type can be autoconfig or statefull.

• To enable DHCPv6 auto configuration mode, configure the client type as autoconfig.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-type autoconfig

• For stateful address assignment, configure the client type as statefull.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-type statefull

3. Specify the identity association type.

• To configure identity association for nontemporary address (IA_NA) assignment,
specify the client-ia-type as ia-na.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-na

• To configure identity association for prefix delegation (IA_PD), specify the
client-ia-type as ia-pd.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-pd

4. Configure the DHCPv6 client identifier by specifying the DHCP unique identifier (DUID)
type. The following DUID types are supported:

• Link Layer address (duid-ll)

• Link Layer address plus time (duid-llt)

• Vendor-assigned unique ID based on enterprise number (vendor)

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-identifier duid-type duid-ll

NOTE: To configure a DHCPv6 client in a routing instance, add the interface
to a routing instance using the [edit routing-instances] hierarchy.

Related Documentation
• DHCPv6 Client Overview on page 491

Configuring Optional DHCPv6 Client Attributes

Supported Platforms SRX Series

To enable a device to operate as a DHCPv6 client, you configure a logical interface on
the device to obtain an IPv6 address from the DHCPv6 local server in the network. You
can then specify the retransmission attempts, client requested configuration options,
interface used to delegate prefixes, rapid commit, and update server options.

To configure optional DHCPv6 client attributes:

1. Specify one of the following DHCPv6 client requested configuration options:

• dns-server

• domain

• ntp-server

• sip-domain

• sip-server

For example, to specify the DHCPv6 client requested option as dns-server:

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set req-option dns-server

2. Set the number of attempts allowed to retransmit a DHCPv6 client protocol packet.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set retransmission-attempt 6

3. Configure the update-server option on the DHCPv6 client.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set update-server

4. Specify the interface used to delegate prefixes.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set update-router-advertisement interface ge-0/0/0

5. Configure the two-message (rapid commit) exchange option for address assignment.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set rapid-commit

NOTE: To configure a DHCPv6 client in a routing instance, add the interface
to a routing instance using the [edit routing-instances] hierarchy.

NOTE: On all SRX Series devices, DHCPv6 client authentication is not
supported.

NOTE: On SRX300, SRX320, SRX340, SRX345, and SRX550M devices,
DHCPv6 client does not support:

• Temporary addresses

• Reconfigure messages

• Multiple identity association for nontemporary addresses (IA_NA)

• Multiple prefixes in a single identity association for prefix delegation (IA_PD)

• Multiple prefixes in a single router advertisement

Related Documentation
• Minimum DHCPv6 Client Configuration on page 492

Configuring Nontemporary Address Assignment

Supported Platforms SRX Series

Nontemporary address assignment is also known as stateful address assignment. In the
stateful address assignment mode, the DHCPv6 client requests global addresses from
the DHCPv6 server. Based on the DHCPv6 server’s response, the DHCPv6 client assigns
the global addresses to interfaces and sets a lease time for all valid responses. When
the lease time expires, the DHCPv6 client renews the lease from the DHCPv6 server.

NOTE: This feature is supported on SRX300, SRX320, SRX340, SRX550M, and SRX1500
devices.

To configure nontemporary (stateful) address assignment:

1. Specify the DHCPv6 client interface.

[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client

2. Configure the client type as statefull.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-type statefull

3. Specify the IA_NA assignment.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-na

Related Documentation
• Minimum DHCPv6 Client Configuration on page 492

Configuring Identity Associations for Nontemporary Addresses and Prefix Delegation

Supported Platforms SRX Series

The DHCPv6 client requests IPv6 addresses and prefixes from the DHCPv6 server. Based
on the DHCPv6 server’s response, the DHCPv6 client assigns the IPv6 addresses to
interfaces and sets a lease time for all valid responses. When the lease time expires, the
DHCPv6 client renews the lease from the DHCPv6 server.

To configure identity association for nontemporary addresses (IA_NA) and identity
association for prefix delegation (IA_PD) on SRX300, SRX320, SRX340, SRX550M, and
SRX1500 devices:

1. Specify the DHCPv6 client interface.

[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client

2. Configure the client type as statefull.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-type statefull

3. Specify the IA_NA.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-na

4. Specify the IA_PD.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-pd

Related Documentation
• Minimum DHCPv6 Client Configuration on page 492

Configuring Auto-Prefix Delegation

Supported Platforms SRX Series

You can use DHCPv6 client prefix delegation to automate the delegation of IPv6 prefixes
to the customer premises equipment (CPE). With prefix delegation, a delegating router
delegates IPv6 prefixes to a requesting router. The requesting router then uses the prefixes
to assign global IPv6 addresses to the devices on the subscriber LAN. The requesting
router can also assign subnet addresses to subnets on the LAN.

To configure auto-prefix delegation for SRX300, SRX320, SRX340, SRX345, SRX550M,
and SRX1500 devices:

1. Configure the DHCPv6 client type as statefull.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-type statefull

2. Specify the identity association type as ia-na for nontemporary addresses.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-na

3. Specify the identity association type as ia-pd for prefix delegation.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-pd

4. Configure the DHCPv6 client identifier by specifying the DUID type.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-identifier duid-type duid-ll

5. Specify the interface used to delegate prefixes.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set update-router-advertisement interface ge-0/0/0

Related Documentation
• Minimum DHCPv6 Client Configuration on page 492
• Configuring Optional DHCPv6 Client Attributes on page 494

Configuring the DHCPv6 Client Rapid Commit Option

Supported Platforms SRX Series

The DHCPv6 client can obtain configuration parameters from a DHCPv6 server through
a rapid two-message exchange (solicit and reply). When the rapid commit option is
enabled by both the DHCPv6 client and the DHCPv6 server, the two-message exchange
is used, rather than the default four-message exchange (solicit, advertise, request, and
reply). The two-message exchange provides faster client configuration and is beneficial
in environments in which networks are under a heavy load.

To configure the DHCPv6 client to support the DHCPv6 rapid commit option on SRX300,
SRX320, SRX340, SRX550M, and SRX1500 devices:

1. Specify the DHCPv6 client interface.

[edit]
user@host# set interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client

2. Configure the two-message exchange option for address assignment.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set rapid-commit

Related Documentation
• DHCPv6 Client Overview on page 491

Configuring a DHCPv6 Client in Autoconfig Mode

Supported Platforms SRX Series

A DHCPv6 client configured in autoconfig mode acts as a stateful client, a stateless client
(DHCPv6 server is required for TCP/IP configuration), and stateless–no DHCP client,
based on the managed (M) and other configuration (O) bits in the received router
advertisement messages.

If the managed bit is 1 and the other configuration bit is 0, the DHCPv6 client acts as a
stateful client. In stateful mode, the client receives IPv6 addresses from the DHCPv6
server, based on the identity association for nontemporary addresses (IA_NA) assignment.

If the managed bit is 0 and the other configuration bit is 1, the DHCPv6 client acts as a
stateless client. In stateless mode, the addresses are automatically configured, based
on the prefixes in the router advertisement messages received from the router. The
stateless client receives configuration parameters from the DHCPv6 server.

If the managed bit is 0 and the other configuration bit is also 0, the DHCPv6 client acts
as a stateless–no DHCP client. In the stateless–no DHCP mode, the client receives IPv6
addresses from the router advertisement messages.
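The M/O decision described above, as an added Python example that is not Junos code: it parses a constructed ICMPv6 Router Advertisement, rejects the malformed cases RFC 4861 says to discard, and maps the flags to the three autoconfig behaviours. Treating M=1 together with O=1 as stateful follows RFC 4861 (O is redundant when M is set), which goes beyond the three combinations the text lists.

```python
"""Parse an ICMPv6 Router Advertisement (RFC 4861) and derive the mode a DHCPv6
client configured with client-type autoconfig falls into from its M and O bits.
Added example, not Junos code; the RA built below is constructed, not captured."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
RA_FLAG_MANAGED = 0x80        # M bit: addresses come from DHCPv6 (IA_NA)
RA_FLAG_OTHER = 0x40          # O bit: other configuration comes from DHCPv6
PIO_FLAG_ON_LINK = 0x80       # L bit of the prefix information option
PIO_FLAG_AUTONOMOUS = 0x40    # A bit: prefix may be used for address autoconfiguration


def parse_router_advertisement(payload):
    """Return ({'managed': .., 'other': ..}, [prefix information options]) from an
    RA payload that starts at the ICMPv6 header. The checksum is not verified here."""
    if len(payload) < 16:
        raise ValueError("RA shorter than the 16-byte fixed header")
    msg_type, code, _csum, _hops, flags, _lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError(f"not a Router Advertisement: type={msg_type} code={code}")
    prefixes, offset = [], 16
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            # RFC 4861 requires the whole packet to be discarded in this case.
            raise ValueError("option with zero length")
        size = opt_len * 8
        if offset + size > len(payload):
            raise ValueError("option runs past the end of the message")
        if opt_type == OPT_PREFIX_INFORMATION:
            if size != 32:
                raise ValueError("prefix information option must be 32 bytes")
            plen, pflags, valid, preferred, _rsvd = struct.unpack(
                "!BBIII", payload[offset + 2:offset + 16])
            addr = ipaddress.IPv6Address(payload[offset + 16:offset + 32])
            prefixes.append({
                "prefix": str(ipaddress.IPv6Network((addr, plen), strict=False)),
                "on_link": bool(pflags & PIO_FLAG_ON_LINK),
                "autonomous": bool(pflags & PIO_FLAG_AUTONOMOUS),
                "valid_lifetime": valid, "preferred_lifetime": preferred})
        offset += size   # unknown option types are skipped, as RFC 4861 requires
    return {"managed": bool(flags & RA_FLAG_MANAGED),
            "other": bool(flags & RA_FLAG_OTHER)}, prefixes


def autoconfig_mode(flags):
    """Map the M/O bits to the behaviour the text describes for client-type autoconfig."""
    if flags["managed"]:
        # M=1, O=0 is the stateful case in the text; with M set, O is redundant
        # (RFC 4861, section 4.2), so M=1, O=1 is treated as stateful too.
        return "stateful"
    if flags["other"]:
        return "stateless"
    return "stateless-no-dhcp"


def build_router_advertisement(managed, other, prefix="2001:db8:3000::/64"):
    """Constructed RA with one prefix information option; checksum left at zero."""
    net = ipaddress.IPv6Network(prefix)
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags,
                         1800, 0, 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen,
                      PIO_FLAG_ON_LINK | PIO_FLAG_AUTONOMOUS, 2592000, 604800, 0)
    return header + pio + net.network_address.packed


if __name__ == "__main__":
    for m, o in ((1, 0), (0, 1), (0, 0)):
        ra_flags, pios = parse_router_advertisement(build_router_advertisement(m, o))
        print(f"M={m} O={o} -> {autoconfig_mode(ra_flags)} "
              f"prefixes={[p['prefix'] for p in pios]}")
```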

To configure DHCPv6 client in autoconfig mode on SRX300, SRX320, SRX340, SRX550M,
and SRX1500 devices:

1. Configure the DHCPv6 client type as autoconfig.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-type autoconfig


2. Specify the identity association type as ia-na for nontemporary addresses.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set client-ia-type ia-na

3. Specify the interface on which to configure router advertisement.

[edit protocols router-advertisement]
user@host# set interface ge-0/0/1.0

Related Documentation
• Minimum DHCPv6 Client Configuration on page 492
• Configuring Optional DHCPv6 Client Attributes on page 494

Configuring TCP/IP Propagation on a DHCPv6 Client

Supported Platforms SRX Series

You can enable or disable the propagation of TCP/IP settings received on the device
acting as a DHCPv6 client. The settings can be propagated to the server pool running on
the device. This topic describes how to configure TCP/IP settings on a DHCPv6 client,
where both the DHCPv6 client and DHCPv6 server are on the same device.

NOTE: This feature is supported on SRX300, SRX320, SRX340, SRX550M, and SRX1500
devices.

To configure TCP/IP setting propagation on a DHCPv6 client:

1. Configure the update-server option on the DHCPv6 client.

[edit interfaces ge-0/0/0 unit 0 family inet6 dhcpv6-client]
user@host# set update-server

2. Configure the address pool to specify the interface (where update-server is configured)
from which TCP/IP settings can be propagated.

[edit access]
user@host# set address-assignment pool 2 family inet6 dhcp-attributes
propagate-settings ge-0/0/0

Related • DHCPv6 Client Overview on page 491


Documentation
• Minimum DHCPv6 Client Configuration on page 492

Administration Guide for Security Devices


CHAPTER 16

Configuring DHCP in Cluster Mode

• Example: Configuring the Device as a DHCP Server in Chassis Cluster Mode on page 501
• Example: Configuring the Device as a DHCP Client in Chassis Cluster Mode on page 507

Example: Configuring the Device as a DHCP Server in Chassis Cluster Mode

Supported Platforms SRX Series, vSRX

This example shows how to configure a DHCP server in chassis cluster mode.

• Requirements on page 501
• Overview on page 501
• Configuration on page 502
• Verification on page 506

Requirements
This example uses the following hardware and software components:

• Two SRX Series devices as DHCP servers

• One SRX Series device as DHCP client

• Junos OS Release 12.1X47-D10 or later for SRX Series Services Gateways

Before you begin:

• Determine the IP address pools and the lease durations to use for each subnet.

• Obtain the MAC addresses of the clients that require permanent IP addresses. Determine
the IP addresses to use for these clients.

• List the IP addresses that are available for the servers and devices on your network;
for example, DNS, NetBIOS servers, boot servers, and gateway devices.

• Determine the DHCP options required by the subnets and clients in your network.

Overview
In this example, you configure two SRX Series devices as DHCP servers and a third SRX
Series device as a DHCP client. Configure the two DHCP servers in chassis cluster mode.

For the DHCP server, configure the SRX Series device as a DHCP local server with minimum
DHCP local server configurations. You specify the server group as g1 and enable the DHCP
local server on interface reth1.

For the DHCP client, you specify the interface as ge-0/0/1, set the logical unit as 0, and
create a DHCP inet family. You then specify the DHCP client identifier as 00:0a:12:00:12:12
in hexadecimal. You use hexadecimal if the client identifier is a MAC address. You set
the DHCP lease time as 86,400 seconds. The range is from 60 through 2,147,483,647
seconds.

You set the number of retransmission attempts to 6. The range is from 0 through 6, and
the default is 4. You set the retransmission interval to 5 seconds. The range is from 4
through 64, and the default is 4 seconds. Finally, you set the IPv4 address of the preferred
DHCP server to 10.1.1.1 and the vendor class ID to ether.

WARNING: Starting with Junos OS Release 15.1X49-D60, the legacy DHCPD (DHCP daemon) configuration on all SRX Series devices has been deprecated and only the new DHCP CLI is supported. When you upgrade to Junos OS Release 15.1X49-D60 and later releases on a device that already has the DHCPD configuration, the following warning messages are displayed:

WARNING: The DHCP configuration command used will be deprecated in future Junos releases.
WARNING: Please see documentation for updated commands.

Configuration

CLI Quick Configuration: To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configure DHCP Server 1 and Server 2:

set system services dhcp-local-server group g1 interface reth1
set access address-assignment pool p1 family inet network 203.0.113.1/10
set access address-assignment pool p1 family inet range r1 low 203.0.113.5
set access address-assignment pool p1 family inet range r1 high 203.0.113.20

Configure chassis cluster on DHCP Server 1 and DHCP Server 2:

set chassis cluster reth-count 4
set chassis cluster control-link-recovery
set chassis cluster heartbeat-interval 2000
set chassis cluster redundancy-group 0 node 0 priority 200
set chassis cluster redundancy-group 0 node 1 priority 1
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-6/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1
set interfaces reth1 unit 0 family inet address 10.1.1.1/24

Configure the DHCP client:

set interfaces ge-0/0/1 unit 0 family inet dhcp-client
set interfaces ge-0/0/1 unit 0 family inet dhcp-client client-identifier user-id ascii 00:0a:12:00:12:12
set interfaces ge-0/0/1 unit 0 family inet dhcp-client lease-time 86400
set interfaces ge-0/0/1 unit 0 family inet dhcp-client retransmission-attempt 6
set interfaces ge-0/0/1 unit 0 family inet dhcp-client retransmission-interval 5
set interfaces ge-0/0/1 unit 0 family inet dhcp-client server-address 10.1.1.1
set interfaces ge-0/0/1 unit 0 family inet dhcp-client vendor-id ether

Step-by-Step Procedure: The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the devices as DHCP servers:

1. Configure the DHCP local server.

[edit system services]
user@host# set dhcp-local-server group g1 interface reth1

2. Configure an address pool.

[edit access]
user@host# set address-assignment pool p1 family inet network 203.0.113.1/10
user@host# set address-assignment pool p1 family inet range r1 low 203.0.113.5
user@host# set address-assignment pool p1 family inet range r1 high 203.0.113.20

Step-by-Step Procedure: To configure the DHCP servers in chassis cluster mode:
1. Specify the number of redundant Ethernet interfaces for the chassis cluster.

{primary:node0}[edit]
user@host# set chassis cluster reth-count 4

2. Enable control link recovery.

{primary:node0}[edit]
user@host# set chassis cluster control-link-recovery

3. Configure heartbeat settings.

{primary:node0}[edit]
user@host# set chassis cluster heartbeat-interval 2000

4. Configure the redundancy groups.

{primary:node0}[edit]
user@host# set chassis cluster redundancy-group 0 node 0 priority 200
user@host# set chassis cluster redundancy-group 0 node 1 priority 1

5. Configure redundant Ethernet interfaces.

{primary:node0}[edit]
user@host# set interfaces ge-0/0/1 gigether-options redundant-parent reth1
user@host# set interfaces ge-6/0/1 gigether-options redundant-parent reth1
user@host# set interfaces reth1 redundant-ether-options redundancy-group 1
user@host# set interfaces reth1 unit 0 family inet address 10.1.1.1/24

Step-by-Step Procedure: To configure the device as a DHCP client:
1. Specify the DHCP client interface.

[edit]
user@host# edit interfaces ge-0/0/1 unit 0 family inet dhcp-client

2. Configure the DHCP client identifier as a hexadecimal value.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set client-identifier user-id ascii 00:0a:12:00:12:12

3. Set the DHCP lease time.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set lease-time 86400

4. Set the number of attempts allowed to retransmit a DHCP packet.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set retransmission-attempt 6

5. Set the interval (in seconds) allowed between retransmission attempts. The range
is 4 through 64. The default is 4 seconds.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set retransmission-interval 5

6. Set the IPv4 address of the preferred DHCP server.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set server-address 10.1.1.1

7. Set the vendor class ID for the DHCP client.

[edit interfaces ge-0/0/1 unit 0 family inet dhcp-client]
user@host# set vendor-id ether

Results: From configuration mode, confirm your configuration by entering the show commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show system services
dhcp-local-server {
group g1 {
interface reth1.0;
}
}

[edit]
user@host# show access address-assignment
pool p1 {
family inet {
network 203.0.113.1/10;
range r1 {
low 203.0.113.5;
high 203.0.113.20;
}
}
}

[edit]
user@host# show chassis cluster
control-link-recovery;
reth-count 4;
heartbeat-interval 2000;
redundancy-group 0 {
node 0 priority 200;
node 1 priority 1;
}

[edit]
user@host# show interfaces reth1
redundant-ether-options {
redundancy-group 1;
}
unit 0 {
family inet {
address 10.1.1.1/24;
}
}

[edit]
user@host# show interfaces ge-0/0/1 unit 0 family inet
dhcp-client {
client-identifier user-id ascii 00:0a:12:00:12:12;
lease-time 86400;
retransmission-attempt 6;
retransmission-interval 5;
server-address 10.1.1.1;
vendor-id ether;
}

If you are done configuring the device, enter commit from configuration mode.

Verification

Verifying the DHCP Server in Chassis Cluster Mode

Purpose: Verify that the DHCP server is working in chassis cluster mode.

Action: From operational mode, enter the show dhcp server binding and show dhcp server statistics commands.

user@host> show dhcp server binding

IP address Session Id Hardware address Expires State Interface
10.1.1.1 1 64:87:88:79:a3:81 81855 BOUND reth1

user@host> show dhcp server statistics

Packets dropped:
Total 0
dhcp-service total 0

Messages received:
BOOTREQUEST 2
DHCPDECLINE 0
DHCPDISCOVER 1
DHCPINFORM 0
DHCPRELEASE 0
DHCPREQUEST 1

Messages sent:
BOOTREPLY 2
DHCPOFFER 1
DHCPACK 0
DHCPNAK 0
DHCPFORCERENEW 0

Meaning: The sample output shows that the DHCP servers configured in the example work in a chassis cluster.

Release History Table

Release: 15.1X49-D60
Description: Starting with Junos OS Release 15.1X49-D60, the legacy DHCPD (DHCP daemon) configuration on all SRX Series devices has been deprecated and only the new DHCP CLI is supported.

Related Documentation
• Understanding DHCP Server Operation on page 447

Example: Configuring the Device as a DHCP Client in Chassis Cluster Mode

Supported Platforms SRX Series, vSRX

This example shows how to configure the device as a DHCP client in chassis cluster
mode.

• Requirements on page 507
• Overview on page 507
• Configuration on page 508
• Verification on page 511

Requirements
This example uses the following hardware and software components:

• Two SRX Series devices as DHCP client

• One SRX Series device as DHCP server

• Junos OS Release 12.1X47-D10 or later for SRX Series Services Gateways

Before you begin:

• Determine the IP address pools and the lease durations to use for each subnet.

• Obtain the MAC addresses of the clients that require permanent IP addresses. Determine
the IP addresses to use for these clients.

• List the IP addresses that are available for the servers and devices on your network;
for example, DNS, NetBIOS servers, boot servers, and gateway devices.

• Determine the DHCP options required by the subnets and clients in your network.

Overview
In this example, you configure two SRX Series devices as DHCP clients and a third SRX
Series device as a DHCP server. Configure the two DHCP clients in chassis cluster mode.

For DHCP clients, you specify the interface as reth1, set the logical unit as 0, and create
a DHCP inet family. You then specify the DHCP client identifier as 00:0a:12:00:12:12 in
hexadecimal. You use hexadecimal if the client identifier is a MAC address. You set the
options no-hostname if you do not want the DHCP client to send the hostname with the
packets. You set the DHCP lease time as 86,400 seconds. The range is from 60 through
2,147,483,647 seconds. You set the number of retransmission attempts to 6. The range
is from 0 through 6, and the default is 4. You set the retransmission interval to 5 seconds.
The range is from 4 through 64, and the default is 4 seconds. Finally, you set the IPv4
address of the preferred DHCP server to 203.0.113.1 and the vendor class ID to ether.

For the DHCP server, configure the SRX Series device as a DHCP local server with minimum
DHCP local server configurations. You specify the server group as g1 and enable the DHCP
local server on interface ge-0/0/2.0.

Configuration

CLI Quick Configuration: To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Configure DHCP Client 1 and Client 2:

set interfaces reth1 unit 0 family inet dhcp-client
set interfaces reth1 unit 0 family inet dhcp-client client-identifier user-id ascii 00:0a:12:00:12:12
set interfaces reth1 unit 0 family inet dhcp-client options no-hostname
set interfaces reth1 unit 0 family inet dhcp-client lease-time 86400
set interfaces reth1 unit 0 family inet dhcp-client retransmission-attempt 6
set interfaces reth1 unit 0 family inet dhcp-client retransmission-interval 5
set interfaces reth1 unit 0 family inet dhcp-client server-address 203.0.113.1
set interfaces reth1 unit 0 family inet dhcp-client vendor-id ether

Configure chassis cluster on Client 1 and Client 2:

set chassis cluster reth-count 2
set chassis cluster control-link-recovery
set chassis cluster heartbeat-interval 1000
set chassis cluster redundancy-group 1 node 0 priority 100
set chassis cluster redundancy-group 1 node 1 priority 1
set chassis cluster redundancy-group 0 node 0 priority 100
set chassis cluster redundancy-group 0 node 1 priority 1
set interfaces ge-0/0/1 gigether-options redundant-parent reth1
set interfaces ge-4/0/1 gigether-options redundant-parent reth1
set interfaces reth1 redundant-ether-options redundancy-group 1

Configure the DHCP server:

set system services dhcp-local-server group g1 interface ge-0/0/2.0
set interfaces ge-0/0/2 unit 0 family inet address 203.0.113.1/24
set access address-assignment pool p1 family inet network 203.0.113.0/24
set access address-assignment pool p1 family inet range r1 low 203.0.113.5
set access address-assignment pool p1 family inet range r1 high 203.0.113.20

Step-by-Step Procedure: The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.

To configure the devices as DHCP clients:

1. Specify the DHCP client interface.

[edit]
user@host# edit interfaces reth1 unit 0 family inet dhcp-client

2. Configure the DHCP client identifier as a hexadecimal value.

[edit interfaces reth1 unit 0 family inet dhcp-client]
user@host# set client-identifier user-id ascii 00:0a:12:00:12:12

3. Set the no-hostname option if you do not want the DHCP client to send the hostname in its packets (DHCP option code 12).

[edit interfaces reth1 unit 0 family inet dhcp-client]
user@host# set options no-hostname

4. Set the DHCP lease time.

[edit interfaces reth1 unit 0 family inet dhcp-client]
user@host# set lease-time 86400

5. Set the number of attempts allowed to retransmit a DHCP packet.

[edit interfaces reth1 unit 0 family inet dhcp-client]
user@host# set retransmission-attempt 6

6. Set the interval (in seconds) allowed between retransmission attempts. The range
is 4 through 64. The default is 4 seconds.

[edit interfaces reth1 unit 0 family inet dhcp-client]
user@host# set retransmission-interval 5

7. Set the IPv4 address of the preferred DHCP server.

[edit interfaces reth1 unit 0 family inet dhcp-client]
user@host# set server-address 203.0.113.1

8. Set the vendor class ID for the DHCP client.

[edit interfaces reth1 unit 0 family inet dhcp-client]
user@host# set vendor-id ether

Step-by-Step Procedure: To configure the DHCP clients in chassis cluster mode:
1. Specify the number of redundant Ethernet interfaces for the chassis cluster.

{primary:node0}[edit]
user@host# set chassis cluster reth-count 2

2. Enable control link recovery.

{primary:node0}[edit]
user@host# set chassis cluster control-link-recovery

3. Configure heartbeat settings.

{primary:node0}[edit]
user@host# set chassis cluster heartbeat-interval 1000

4. Configure the redundancy groups.

{primary:node0}[edit]
user@host# set chassis cluster redundancy-group 1 node 0 priority 100
user@host# set chassis cluster redundancy-group 1 node 1 priority 1
user@host# set chassis cluster redundancy-group 0 node 0 priority 100
user@host# set chassis cluster redundancy-group 0 node 1 priority 1

5. Configure redundant Ethernet interfaces.

{primary:node0}[edit]
user@host# set interfaces ge-0/0/1 gigether-options redundant-parent reth1
user@host# set interfaces reth1 redundant-ether-options redundancy-group 1

Step-by-Step Procedure: To configure the device as a DHCP server:
1. Configure the DHCP local server.

[edit system services]
user@host# set dhcp-local-server group g1 interface ge-0/0/2.0

2. Configure the IP address of the server interface.

[edit]
user@host# set interfaces ge-0/0/2 unit 0 family inet address 203.0.113.1/24

3. Configure an address pool.

[edit access]
user@host# set address-assignment pool p1 family inet network 203.0.113.0/24
user@host# set address-assignment pool p1 family inet range r1 low 203.0.113.5
user@host# set address-assignment pool p1 family inet range r1 high 203.0.113.20

Results: From configuration mode, confirm your configuration by entering the show commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

[edit]
user@host# show interfaces reth1 unit 0 family inet
dhcp-client {
client-identifier user-id ascii 00:0a:12:00:12:12;
options no-hostname;
lease-time 86400;
retransmission-attempt 6;
retransmission-interval 5;
server-address 203.0.113.1;
vendor-id ether;
}

[edit]
user@host# show chassis cluster
control-link-recovery;
reth-count 2;
heartbeat-interval 1000;
redundancy-group 0 {
node 0 priority 100;
node 1 priority 1;
}
redundancy-group 1 {
node 0 priority 100;
node 1 priority 1;
}

[edit]
user@host# show interfaces reth1
redundant-ether-options {
redundancy-group 1;
}

[edit]
user@host# show access address-assignment
pool p1 {
family inet {
network 203.0.113.0/24;
range r1 {
low 203.0.113.5;
high 203.0.113.20;
}
}
}

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

Verifying the DHCP Client in Chassis Cluster Mode

Purpose: Verify that the DHCP client is working in chassis cluster mode.

Action: From operational mode, enter the show dhcp client binding, show dhcp client statistics, and show dhcp client binding interface reth1 detail commands.

user@host> show dhcp client binding

IP address Hardware address Expires State Interface
203.0.113.14 00:1f:12:e3:34:01 84587 BOUND reth1.0

user@host> show dhcp client statistics

Packets dropped:
Total 4
Send error 4

Messages received:
BOOTREPLY 3
DHCPOFFER 1
DHCPACK 2
DHCPNAK 0
DHCPFORCERENEW 0

Messages sent:
BOOTREQUEST 0
DHCPDECLINE 0
DHCPDISCOVER 5
DHCPREQUEST 8
DHCPINFORM 0
DHCPRELEASE 1
DHCPRENEW 0
DHCPREBIND 0

user@host> show dhcp client binding interface reth1 detail

Client Interface: reth1.0
Hardware Address: 00:10:db:ff:10:01
State: BOUND(LOCAL_CLIENT_STATE_BOUND)
Lease Expires: 2013-12-18 10:15:36 CST
Lease Expires in: 30 seconds
Lease Start: 2013-12-17 10:15:36 CST
Server Identifier: 203.0.113.1
Client IP Address: 10.1.1.14
Update Server No

DHCP options:
Name: dhcp-lease-time, Value: 1 day
Name: server-identifier, Value: 10.1.1.1
Name: subnet-mask, Value: 255.255.255.0

Meaning: The sample output shows that the DHCP clients configured in the example work in a chassis cluster.
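As an added check that is not part of the original example, the following Python script parses the show dhcp client binding interface reth1 detail and show dhcp client statistics output shown above and reports the conditions an operator verifying the cluster would want flagged: a client that is not BOUND, a lease about to expire, a binding to a server other than the configured server-address, dropped packets, or DHCPNAKs. The sample strings are constructed from the output above; the column layout the parser assumes and the 300-second lease threshold are choices made here, not Junos behaviour.

```python
import re

# Sample output constructed from the "show dhcp client ..." output shown above.
BINDING_DETAIL = """\
Client Interface: reth1.0
Hardware Address: 00:10:db:ff:10:01
State: BOUND(LOCAL_CLIENT_STATE_BOUND)
Lease Expires: 2013-12-18 10:15:36 CST
Lease Expires in: 30 seconds
Lease Start: 2013-12-17 10:15:36 CST
Server Identifier: 203.0.113.1
Client IP Address: 10.1.1.14
Update Server No

DHCP options:
    Name: dhcp-lease-time, Value: 1 day
    Name: server-identifier, Value: 10.1.1.1
    Name: subnet-mask, Value: 255.255.255.0
"""

STATISTICS = """\
Packets dropped:
    Total 4
    Send error 4

Messages received:
    BOOTREPLY 3
    DHCPOFFER 1
    DHCPACK 2
    DHCPNAK 0
    DHCPFORCERENEW 0

Messages sent:
    BOOTREQUEST 0
    DHCPDECLINE 0
    DHCPDISCOVER 5
    DHCPREQUEST 8
    DHCPINFORM 0
    DHCPRELEASE 1
    DHCPRENEW 0
    DHCPREBIND 0
"""


def parse_binding_detail(text):
    """Split 'show dhcp client binding interface <if> detail' output into
    (fields, options): the 'Key: Value' lines and the DHCP options list."""
    fields, options = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "DHCP options:":
            continue
        opt = re.match(r"Name: (\S+), Value: (.+)", line)
        if opt:
            options[opt.group(1)] = opt.group(2).strip()
            continue
        key, sep, value = line.partition(":")
        if not sep:  # "Update Server No" is printed without a colon
            key, _, value = line.rpartition(" ")
        fields[key.strip()] = value.strip()
    return fields, options


def parse_statistics(text):
    """Return {section: {counter: int}} from 'show dhcp client statistics'."""
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # "Packets dropped:", "Messages sent:"
            section = line[:-1]
            stats[section] = {}
            continue
        name, _, count = line.rpartition(" ")
        stats[section][name] = int(count)
    return stats


def check_client(detail_text, stats_text, expected_server, min_lease_seconds=300):
    """Return a list of findings; an empty list means the client looks healthy.
    expected_server is the server-address configured on the client."""
    fields, _options = parse_binding_detail(detail_text)
    stats = parse_statistics(stats_text)
    findings = []
    state = fields.get("State", "unknown")
    if not state.startswith("BOUND"):
        findings.append(f"client state is {state}, not BOUND")
    left = re.match(r"(\d+) seconds", fields.get("Lease Expires in", ""))
    if left and int(left.group(1)) < min_lease_seconds:
        findings.append(f"lease expires in {left.group(1)} seconds")
    server = fields.get("Server Identifier")
    if server != expected_server:
        findings.append(f"bound to server {server}, expected {expected_server}")
    dropped = stats.get("Packets dropped", {}).get("Total", 0)
    if dropped:
        findings.append(f"{dropped} packets dropped")
    naks = stats.get("Messages received", {}).get("DHCPNAK", 0)
    if naks:
        findings.append(f"{naks} DHCPNAK received")
    return findings


if __name__ == "__main__":
    for finding in check_client(BINDING_DETAIL, STATISTICS, "203.0.113.1"):
        print("finding:", finding)
```

Run against the sample above it reports the 30-second remaining lease and the four dropped packets; in production the two strings would come from the device output instead.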

Related Documentation
• Understanding DHCP Client Operation on page 461

PART 5

Managing System Files


• Performing File Management Tasks on page 515

CHAPTER 17

Performing File Management Tasks

• File Management Overview on page 515
• Decrypting Configuration Files on page 516
• Encrypting Configuration Files on page 516
• Modifying the Encryption Key on page 518
• Cleaning Up Files in J-Web on page 518
• Cleaning Up Files with the CLI on page 519
• Deleting Files on page 520
• Deleting the Backup Software Image on page 521
• Downloading Files on page 522
• Configuring RADIUS System Accounting on page 523
• Managing Accounting Files on page 526

File Management Overview

Supported Platforms SRX Series, vSRX

You can use the J-Web user interface and the CLI to perform routine file management
operations such as archiving log files and deleting unused log files, cleaning up temporary
files and crash files, and downloading log files from the routing platform to your computer.
You can also encrypt the configuration files with the CLI to prevent unauthorized users
from viewing sensitive configuration information.

Before you perform any file management tasks, you must perform the initial device
configuration described in the Getting Started Guide for your device.

Related Documentation
• Cleaning Up Files in J-Web on page 518
• Cleaning Up Files with the CLI on page 519

• Managing Accounting Files on page 526

• Encrypting Configuration Files on page 516

• Decrypting Configuration Files on page 516

Decrypting Configuration Files

Supported Platforms SRX Series, vSRX

To disable the encryption of configuration files on a device and make them readable to
all:

1. Enter operational mode in the CLI.

2. Verify your permission to decrypt configuration files on this device by entering the
encryption key for the device.

user@host> request system set-encryption-key
Enter EEPROM stored encryption key:
Verifying EEPROM stored encryption key:

3. At the second prompt, reenter the encryption key.

4. Enter configuration mode in the CLI.

5. Enable configuration file decryption.

[edit]
user@host# edit system
user@host# set no-encrypt-configuration-files

6. Begin the decryption process by committing the configuration.

[edit]
user@host# commit
commit complete

Related Documentation
• Encrypting Configuration Files on page 516

Encrypting Configuration Files

Supported Platforms SRX Series, vSRX

To configure an encryption key in EEPROM and determine the encryption process, enter
one of the request system set-encryption-key commands in operational mode described
in Table 15 on page 517.

NOTE: The request system set-encryption-key command is not supported on SRX5400, SRX5600, and SRX5800 devices; therefore, this task does not apply to such devices.

Table 15: request system set-encryption-key Commands

CLI Command: request system set-encryption-key
Description: Sets the encryption key and enables default configuration file encryption:
• AES encryption for the Canada and U.S. version of Junos OS
• DES encryption for the international version of Junos OS

CLI Command: request system set-encryption-key algorithm des
Description: Sets the encryption key and specifies configuration file encryption by DES.

CLI Command: request system set-encryption-key unique
Description: Sets the encryption key and enables default configuration file encryption with a unique encryption key that includes the chassis serial number of the device. Configuration files encrypted with the unique key can be decrypted only on the current device. You cannot copy such configuration files to another device and decrypt them.

CLI Command: request system set-encryption-key des unique
Description: Sets the encryption key and specifies configuration file encryption by DES with a unique encryption key.

To encrypt configuration files on a device:

1. Enter operational mode in the CLI.

2. Configure an encryption key in EEPROM and determine the encryption process; for
example, enter the request system set-encryption-key command.

user@host> request system set-encryption-key
Enter EEPROM stored encryption key:

3. At the prompt, enter the encryption key. The encryption key must have at least six
characters.

Enter EEPROM stored encryption key:juniper1
Verifying EEPROM stored encryption key:

4. At the second prompt, reenter the encryption key.

5. Enter configuration mode in the CLI.

6. Enable configuration file encryption to take place.

[edit]
user@host# edit system
user@host# set encrypt-configuration-files

7. Begin the encryption process by committing the configuration.

[edit]
user@host# commit
commit complete

Related Documentation
• Managing Accounting Files on page 526
• Decrypting Configuration Files on page 516

Modifying the Encryption Key

Supported Platforms SRX Series, vSRX

When you modify the encryption key, the configuration files are decrypted and then
reencrypted with the new encryption key.

To modify the encryption key:

1. Enter operational mode in the CLI.

2. Configure a new encryption key in EEPROM and determine the encryption process;
for example, enter the request system set-encryption-key command.

user@host> request system set-encryption-key
Enter EEPROM stored encryption key:

3. At the prompt, enter the new encryption key. The encryption key must have at least
six characters.

Enter EEPROM stored encryption key:juniperone
Verifying EEPROM stored encryption key:

4. At the second prompt, reenter the new encryption key.

Related Documentation
• Managing Accounting Files on page 526
• Encrypting Configuration Files on page 516

• Decrypting Configuration Files on page 516

Cleaning Up Files in J-Web

Supported Platforms SRX Series, vSRX

You can use the J-Web user interface to rotate log files and delete unnecessary files on
the device. If you are running low on storage space, the file cleanup procedure quickly
identifies files that can be deleted.

The file cleanup procedure performs the following tasks:

• Rotates log files—Archives all information in the current log files and creates fresh log
files.

• Deletes log files in /var/log—Deletes any files that are not currently being written to.

• Deletes temporary files in /var/tmp—Deletes any files that have not been accessed
within two days.

• Deletes all crash files in /var/crash—Deletes any core files that the device has written
during an error.

• Deletes all software images (*.tgz files) in /var/sw/pkg—Deletes any software images
copied to this directory during software upgrades.

To rotate log files and delete unnecessary files with the J-Web user interface:

1. In the J-Web user interface, select Maintain>Files.

2. In the Clean Up Files section, click Clean Up Files. The device rotates log files and
identifies the files that can be safely deleted.

The J-Web user interface displays the files that you can delete and the amount of
space that will be freed on the file system.

3. Click one of the following buttons on the confirmation page:

• To delete the files and return to the Files page, click OK.

• To cancel your entries and return to the list of files in the directory, click Cancel.

Related Documentation
• Managing Accounting Files on page 526
• Encrypting Configuration Files on page 516

• Decrypting Configuration Files on page 516

• Cleaning Up Files with the CLI on page 519

Cleaning Up Files with the CLI

Supported Platforms SRX Series, vSRX

You can use the CLI request system storage cleanup command to rotate log files and
delete unnecessary files on the device. If you are running low on storage space, the file
cleanup procedure quickly identifies files that can be deleted.

The file cleanup procedure performs the following tasks:

• Rotates log files—Archives all information in the current log files, deletes old archives,
and creates fresh log files.

• Deletes log files in /var/log—Deletes any files that are not currently being written to.

• Deletes temporary files in /var/tmp—Deletes any files that have not been accessed
within two days.

• Deletes all crash files in /var/crash—Deletes any core files that the device has written
during an error.

• Deletes all software images (*.tgz files) in /var/sw/pkg—Deletes any software images
copied to this directory during software upgrades.

To rotate log files and delete unnecessary files with the CLI:

1. Enter operational mode in the CLI.

2. Rotate log files and identify the files that can be safely deleted.

user@host> request system storage cleanup

The device rotates log files and displays the files that you can delete.

3. Enter yes at the prompt to delete the files.

NOTE: You can issue the request system storage cleanup dry-run command
to review the list of files that can be deleted with the request system storage
cleanup command, without actually deleting the files.

NOTE:
On SRX Series devices, the /var hierarchy is hosted in a separate partition
(instead of the root partition). If Junos OS installation fails as a result of
insufficient space:

• Use the request system storage cleanup command to delete temporary files.

• Delete any user-created files in both the root partition and under the /var
hierarchy.
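To see what the cleanup rules above select before running them on a device, here is an added Python dry-run planner that is not part of Junos OS or this guide. It applies the rules listed above (log files not being written to, /var/tmp files not accessed within two days, all /var/crash core files, *.tgz images under /var/sw/pkg) to a directory tree that mirrors /var, such as an offline copy; the sample tree it builds is constructed for the demonstration, and log rotation is not modelled.

```python
import os
import tempfile
import time

TWO_DAYS = 2 * 24 * 60 * 60  # /var/tmp files not accessed this long are candidates


def plan_cleanup(var_root, now=None, open_logs=()):
    """Return [(category, relative_path)] for the files the cleanup described
    above would delete under var_root, a directory that mirrors /var.
    Nothing is deleted: this is the dry-run view. open_logs names log files
    still being written to, which are skipped."""
    now = time.time() if now is None else now

    def files_in(sub):
        directory = os.path.join(var_root, sub)
        if not os.path.isdir(directory):
            return []
        return [os.path.join(directory, n) for n in sorted(os.listdir(directory))
                if os.path.isfile(os.path.join(directory, n))]

    def rel(path):
        return os.path.relpath(path, var_root).replace(os.sep, "/")

    plan = []
    for path in files_in("log"):        # /var/log: files not currently written to
        if os.path.basename(path) not in open_logs:
            plan.append(("log", rel(path)))
    for path in files_in("tmp"):        # /var/tmp: not accessed within two days
        if now - os.stat(path).st_atime > TWO_DAYS:
            plan.append(("tmp", rel(path)))
    for path in files_in("crash"):      # /var/crash: every core file
        plan.append(("crash", rel(path)))
    for path in files_in("sw/pkg"):     # /var/sw/pkg: software images only
        if path.endswith(".tgz"):
            plan.append(("sw/pkg", rel(path)))
    return plan


def apply_plan(var_root, plan, dry_run=True):
    """Delete the planned files, or with dry_run=True only report them.
    Returns the number of files actually removed."""
    removed = 0
    for category, relpath in plan:
        path = os.path.join(var_root, relpath)
        print(f"{'would delete' if dry_run else 'deleting'} [{category}] {path}")
        if not dry_run:
            os.remove(path)
            removed += 1
    return removed


def build_sample_tree(root, now):
    """Create a constructed /var-like tree (not real device files) for a demo."""
    stale = now - 3 * 24 * 60 * 60
    sample = {
        "log/messages": now, "log/messages.0.gz": now,
        "tmp/stale.tmp": stale, "tmp/fresh.tmp": now,
        "crash/flowd.core.0": now,
        "sw/pkg/junos-old.tgz": now, "sw/pkg/README": now,
    }
    for relpath, atime in sample.items():
        path = os.path.join(root, relpath)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.utime(path, (atime, atime))   # set the access time the rule looks at


def demo():
    """Build the sample tree in a temporary directory; return (root, plan)."""
    root = tempfile.mkdtemp()
    now = time.time()
    build_sample_tree(root, now)
    return root, plan_cleanup(root, now, open_logs=("messages",))


if __name__ == "__main__":
    root, plan = demo()
    apply_plan(root, plan)  # dry run: lists the four candidate files
```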

Related Documentation
• Cleaning Up Files in J-Web on page 518
• Managing Accounting Files on page 526

• Encrypting Configuration Files on page 516

• Decrypting Configuration Files on page 516

Deleting Files

Supported Platforms SRX Series, vSRX

You can use the J-Web user interface to delete an individual file from the device. When
you delete the file, it is permanently removed from the file system.

CAUTION: If you are unsure whether to delete a file from the device, we
recommend using the Cleanup Files tool. This tool determines which files can
be safely deleted from the file system.

To delete files with the J-Web user interface:

1. In the J-Web user interface, select Maintain>Files.

2. In the Download and Delete Files section, click one of the following file types:

• Log Files—Lists the log files located in the /var/log directory on the device.

• Temporary Files—Lists the temporary files located in the /var/tmp directory on the
device.

• Old Junos OS—Lists the software images (*.tgz files) in the /var/sw/pkg directory on the device.

• Crash (Core) Files—Lists the core files located in the /var/crash directory on the
device.

The J-Web user interface displays the files located in the directory.

3. Check the box next to each file you plan to delete.

4. Click Delete.

The J-Web user interface displays the files you can delete and the amount of space
that will be freed on the file system.

5. Click one of the following buttons on the confirmation page:

• To delete the files and return to the Files page, click OK.

• To cancel your entries and return to the list of files in the directory, click Cancel.

Related Documentation

• Managing Accounting Files on page 526

Deleting the Backup Software Image

Supported Platforms SRX Series, vSRX

Junos OS keeps a backup image of the software that was previously installed so that
you can downgrade to that version of the software if necessary. You can use the J-Web
user interface to delete this backup image. If you delete this image, you cannot downgrade
to this particular version of the software.



Administration Guide for Security Devices

To delete the backup software image:

1. In the J-Web user interface, select Maintain>Files.

2. Review the backup image information listed in the Delete Backup Junos Package
section.

3. Click the Delete backup Junos package link to delete the backup image.

4. Click one of the following buttons on the confirmation page:

• To delete the backup image and return to the Files page, click OK.

• To cancel the deletion of the backup image and return to the Files page, click Cancel.

Related Documentation

• Deleting Files on page 520

Downloading Files

Supported Platforms SRX Series, vSRX

You can use the J-Web user interface to download a copy of an individual file from the
device. When you download a file, it is not deleted from the file system.

To download files with the J-Web user interface:

1. In the J-Web user interface, select Maintain>Files.

2. In the Download and Delete Files section, click one of the following file types:

• Log Files—Lists the log files located in the /var/log directory on the device.

• Temporary Files—Lists the temporary files located in the /var/tmp directory on the
device.

• Old Junos OS—Lists the software images (*.tgz files) located in the /var/sw/pkg
directory on the device.

• Crash (Core) Files—Lists the core files located in the /var/crash directory on the
device.

The J-Web user interface displays the files located in the directory.

3. Click Download to download an individual file.

4. Choose a location for the browser to save the file.

The file is downloaded.

Related Documentation

• Managing Accounting Files on page 526


Configuring RADIUS System Accounting

Supported Platforms EX Series, M Series, MX Series, OCX1100, PTX Series, QFX Series, SRX Series, T Series

With RADIUS accounting enabled, Juniper Networks routers or switches, acting as RADIUS
clients, can notify the RADIUS server about user activities such as software logins,
configuration changes, and interactive commands. The framework for RADIUS accounting
is described in RFC 2866.

NOTE: Supported on SRX1500, SRX5400, SRX5600, and SRX5800 devices only.

Tasks for configuring RADIUS system accounting are:

1. Configuring Auditing of User Events on a RADIUS Server on page 523

2. Specifying RADIUS Server Accounting and Auditing Events on page 523

3. Configuring RADIUS Server Accounting on page 524

Configuring Auditing of User Events on a RADIUS Server

To audit user events, include the following statements at the [edit system accounting]
hierarchy level:

[edit system accounting]
events [ events ];
destination {
  radius {
    server {
      server-address {
        accounting-port port-number;
        secret password;
        source-address address;
        retry number;
        timeout seconds;
      }
    }
  }
}

Specifying RADIUS Server Accounting and Auditing Events

To specify the events you want to audit when using a RADIUS server for authentication,
include the events statement at the [edit system accounting] hierarchy level:

[edit system accounting]
events [ events ];

events is one or more of the following:

• login—Audit logins

• change-log—Audit configuration changes


• interactive-commands—Audit interactive commands (any command-line input)

Configuring RADIUS Server Accounting

To configure RADIUS server accounting, include the server statement at the [edit system
accounting destination radius] hierarchy level:

server {
  server-address {
    accounting-port port-number;
    secret password;
    source-address address;
    retry number;
    timeout seconds;
  }
}

server-address specifies the address of the RADIUS server. To configure multiple RADIUS
servers, include multiple server statements.

NOTE: If no RADIUS servers are configured at the [edit system accounting
destination radius] statement hierarchy level, the Junos OS uses the RADIUS
servers configured at the [edit system radius-server] hierarchy level.

accounting-port port-number specifies the RADIUS server accounting port number.

The default port number is 1813.

NOTE: If you enable RADIUS accounting at the [edit access profile profile-name
accounting-order] hierarchy level, accounting is triggered on the default port
of 1813 even if you do not specify a value for the accounting-port statement.

You must specify a secret (password) that the local router or switch passes to the RADIUS
client by including the secret statement. If the password contains spaces, enclose the
entire password in quotation marks (" ").

In the source-address statement, specify a source address for the RADIUS server. Each
RADIUS request sent to a RADIUS server uses the specified source address. The source
address is a valid IPv4 address (if the radius-server address is IPv4) or IPv6 address
(if the radius-server address is IPv6) configured on one of the router or switch
interfaces.

Optionally, you can specify the number of times that the router or switch attempts to
contact a RADIUS authentication server by including the retry statement. By default, the
router or switch retries three times. You can configure the router or switch to retry from
1 through 10 times.

Optionally, you can specify the length of time that the local router or switch waits to
receive a response from a RADIUS server by including the timeout statement. By default,
the router or switch waits 3 seconds. You can configure the timeout to be from 1 through
90 seconds.

Starting with Junos OS Release 14.1, you can configure the enhanced-accounting statement
to view the attribute values of a logged in user. If you use the enhanced-accounting
statement at the [edit system radius-options] hierarchy level, the RADIUS attributes such
as access method, remote port, and access privileges can be audited. You can limit the
number of attribute values to be displayed for auditing by using the enhanced-avs-max
<number> statement at the [edit system accounting] hierarchy level.

[edit system radius-options]
enhanced-accounting;

[edit system accounting]
enhanced-avs-max <number>;

When a Juniper Networks router or switch is configured with RADIUS accounting, it sends
Accounting-Start and Accounting-Stop messages to the RADIUS server. These messages
contain information about user activities such as software logins, configuration changes,
and interactive commands. This information is typically used for monitoring a network,
collecting usage statistics, and ensuring that users are billed properly.
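The Accounting-Start and Accounting-Stop messages described above are RFC 2866 Accounting-Request packets, and the secret configured under the server statement is what lets the RADIUS server tell genuine records from forged ones: each request carries a Request Authenticator computed over the packet and the shared secret, and the server's Accounting-Response carries a Response Authenticator bound to that request in the same way. The following Python is an added example, not Junos or Juniper code; it builds, verifies, and answers such a packet so the check on each side is explicit. The user name, session ID, and packet identifier are constructed values; the secret $ABC123 and the NAS address 10.1.1.1 are taken from the configuration example in this section.

```python
"""RFC 2866 accounting exchange: build, verify and answer an Accounting-Request."""
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

CODE_ACCOUNTING_REQUEST = 4     # RFC 2866 packet codes
CODE_ACCOUNTING_RESPONSE = 5
ATTR_USER_NAME = 1              # RFC 2865/2866 attribute types
ATTR_NAS_IP_ADDRESS = 4
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
ACCT_STATUS_START = 1           # Acct-Status-Type values: 1 = Start, 2 = Stop
HEADER_LEN = 20                 # code(1) + identifier(1) + length(2) + authenticator(16)


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """One Type-Length-Value attribute; Length counts its own 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_attributes(payload: bytes) -> List[Tuple[int, bytes]]:
    """Walk the attribute list, rejecting truncated or zero-length TLVs."""
    attrs, offset = [], 0
    while offset < len(payload):
        if offset + 2 > len(payload):
            raise ValueError("truncated attribute header")
        attr_type, length = struct.unpack("!BB", payload[offset:offset + 2])
        if length < 2 or offset + length > len(payload):
            raise ValueError("bad attribute length")
        attrs.append((attr_type, payload[offset + 2:offset + length]))
        offset += length
    return attrs


def build_accounting_request(identifier: int, secret: bytes, user: str, nas_ip: str,
                             status: int, session_id: str) -> bytes:
    """Device side. Request Authenticator = MD5(header || 16 zero octets || attrs || secret)."""
    attrs = b"".join([
        encode_attribute(ATTR_USER_NAME, user.encode()),
        encode_attribute(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
        encode_attribute(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status)),
        encode_attribute(ATTR_ACCT_SESSION_ID, session_id.encode()),
    ])
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(attrs))
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server side. Recompute the Request Authenticator; anything else is not a valid record."""
    if len(packet) < HEADER_LEN:
        return False
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != CODE_ACCOUNTING_REQUEST or length != len(packet):
        return False
    attrs = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(packet[4:HEADER_LEN], expected)


def build_accounting_response(request: bytes, secret: bytes) -> bytes:
    """Server side. Response Authenticator = MD5(header || request authenticator || attrs || secret)."""
    header = struct.pack("!BBH", CODE_ACCOUNTING_RESPONSE, request[1], HEADER_LEN)
    authenticator = hashlib.md5(header + request[4:HEADER_LEN] + secret).digest()
    return header + authenticator


def verify_accounting_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Device side. Only a holder of the secret can answer the request it is bound to."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    code, _ident, length = struct.unpack("!BBH", response[:4])
    if code != CODE_ACCOUNTING_RESPONSE or length != len(response):
        return False
    attrs = response[HEADER_LEN:]
    expected = hashlib.md5(response[:4] + request[4:HEADER_LEN] + attrs + secret).digest()
    return hmac.compare_digest(response[4:HEADER_LEN], expected)


def accounting_summary(packet: bytes) -> Dict[str, str]:
    """Fields a log pipeline would index from a request that already passed verification."""
    out: Dict[str, str] = {}
    for attr_type, value in decode_attributes(packet[HEADER_LEN:]):
        if attr_type == ATTR_USER_NAME:
            out["user"] = value.decode(errors="replace")
        elif attr_type == ATTR_NAS_IP_ADDRESS:
            out["nas_ip"] = ".".join(str(b) for b in value)
        elif attr_type == ATTR_ACCT_STATUS_TYPE:
            out["status"] = {1: "Start", 2: "Stop"}.get(struct.unpack("!I", value)[0], "Other")
        elif attr_type == ATTR_ACCT_SESSION_ID:
            out["session_id"] = value.decode(errors="replace")
    return out


def demo(secret: bytes = b"$ABC123") -> dict:
    """Round trip with constructed values; secret and NAS address follow the guide's example."""
    req = build_accounting_request(7, secret, "admin", "10.1.1.1", ACCT_STATUS_START, "0001")
    resp = build_accounting_response(req, secret)
    return {
        "length": len(req),
        "request_ok": verify_accounting_request(req, secret),
        "request_wrong_secret": verify_accounting_request(req, b"not-the-secret"),
        "request_truncated": verify_accounting_request(req[:-1], secret),
        "response_ok": verify_accounting_response(resp, req, secret),
        "summary": accounting_summary(req),
    }
```

On the collector side, a request that fails verify_accounting_request should be dropped and logged rather than written to the accounting store, since any host that can reach UDP port 1813 can send one; on the device side, the response check is what the retry and timeout settings described above are waiting on.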

The following example shows three servers (10.5.5.5, 10.6.6.6, and 10.7.7.7) configured
for RADIUS accounting:

system {
  accounting {
    events [ login change-log interactive-commands ];
    destination {
      radius {
        server {
          10.5.5.5 {
            accounting-port 3333;
            secret $ABC123;
            source-address 10.1.1.1;
            retry 3;
            timeout 3;
          }
          10.6.6.6 secret $ABC123;
          10.7.7.7 secret $ABC123;
        }
      }
    }
  }
}


Release History Table

Release   Description
14.1      Starting with Junos OS Release 14.1, you can configure the
          enhanced-accounting statement to view the attribute values of a logged
          in user.

Managing Accounting Files

Supported Platforms SRX Series, vSRX

If you configure your SRX300, SRX320, SRX340, SRX345, SRX550M, or SRX1500 devices
to capture accounting data in log files, set the location for your accounting files to the
DRAM.

The default location for accounting files is the cfs/var/log directory on the CompactFlash
(CF) card. The nonpersistent option minimizes the read/write traffic to your CF card. We
recommend that you use the nonpersistent option for all accounting files configured on
your system.

To store accounting log files in DRAM instead of the CF card:

1. Enter configuration mode in the CLI.

2. Create an accounting data log file in DRAM and replace filename with the name of
the file.

[edit]
user@host# edit accounting-options file filename

3. Store accounting log files in the DRAM file.

[edit]
user@host# set file filename nonpersistent

CAUTION: If log files for accounting data are stored on DRAM, these files are
lost when the device reboots. Therefore, we recommend that you back up
these files periodically.

Related Documentation

• Accounting Options Overview



PART 6

Working with Junos OS Licenses


• Managing Junos OS Licenses on page 529



CHAPTER 18

Managing Junos OS Licenses

• Junos OS Feature License Keys on page 529
• Software Feature Licenses for SRX Series Devices on page 531
• Displaying License Keys in J-Web on page 531
• Downloading License Keys on page 532
• Generating a License Key on page 532
• Saving License Keys on page 533
• Updating License Keys on page 533
• Example: Adding a New License Key on page 534
• Example: Deleting a License Key on page 537

Junos OS Feature License Keys

Supported Platforms SRX Series, vSRX

This section contains the following topics:

• License Key Components on page 529
• License Management Fields Summary on page 530

License Key Components

A license key consists of two parts:

• License ID—Alphanumeric string that uniquely identifies the license key. When a license
is generated, it is given a license ID.

• License data—Block of binary data that defines and stores all license key objects.

For example, in the following typical license key, the string XXXXXXXXXX is the license
ID, and the trailing block of data is the license data:

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxx


The license data defines the device ID for which the license is valid and the version of the
license.

License Management Fields Summary

The Licenses page displays a summary of licensed features that are configured on the
device and a list of licenses that are installed on the device. The information on the license
management page is summarized in Table 16 on page 530.

Table 16: Summary of License Management Fields

Field Name            Definition

Feature Summary

Feature               Name of the licensed feature:
                      • Features—Software feature licenses.
                      • All features—All-inclusive licenses.

Licenses Used         Number of licenses currently being used on the device. Usage is determined
                      by the configuration on the device. If a feature license exists and that
                      feature is configured, the license is considered used.

Licenses Installed    Number of licenses installed on the device for the particular feature.

Licenses Needed       Number of licenses required for legal use of the feature. Usage is determined
                      by the configuration on the device: if a feature is configured and the license
                      for that feature is not installed, a single license is needed.

Installed Licenses

ID                    Unique alphanumeric ID of the license.

State                 Valid—The installed license key is valid.
                      Invalid—The installed license key is not valid.

Version               Numeric version number of the license key.

Group                 If the license defines a group license, this field displays the group definition.
                      If the license requires a group license, this field displays the required group
                      definition.
                      NOTE: Because group licenses are currently unsupported, this field is always blank.

Enabled Features      Name of the feature that is enabled with the particular license.

Expiry                Verify that the expiration information for the license is correct.
                      For Junos OS, only permanent licenses are supported. If a license has expired,
                      it is shown as invalid.

Related Documentation

• Generating a License Key on page 532

• Updating License Keys on page 533

• Saving License Keys on page 533

• Downloading License Keys on page 532

Software Feature Licenses for SRX Series Devices

Supported Platforms SRX Series, vSRX

For information about how to purchase a software license, contact your Juniper Networks
sales representative at http://www.juniper.net/in/en/contact-us/. Platform support
depends on the Junos OS release in your installation.

Each feature license is tied to exactly one software feature, and that license is valid for
exactly one device.

NOTE: For the most up-to-date license models available, contact your Juniper
account team.

Related Documentation

• License Enforcement

• Junos OS Feature License Keys on page 529

Displaying License Keys in J-Web

Supported Platforms SRX Series, vSRX

To display license keys installed on the device:

1. In the J-Web interface, select Maintain>Licenses.

2. Under Installed Licenses, click Display Keys to display all the license keys installed on
the device.

A screen displaying the license keys in text format appears. Multiple licenses are
separated by a blank line.

Related Documentation

• Junos OS Feature License Keys on page 529

• Generating a License Key on page 532

• Example: Adding a New License Key on page 534

• Example: Deleting a License Key on page 537

• Downloading License Keys on page 532


Downloading License Keys

Supported Platforms SRX Series, vSRX

To download license keys installed on the device:

1. In the J-Web interface, select Maintain>Licenses.

2. Under Installed Licenses, click Download Keys to download all the license keys installed
on the device to a single file.

3. Select Save it to disk and specify the file to which the license keys are to be written.

Related Documentation

• Junos OS Feature License Keys on page 529

• Generating a License Key on page 532

• Example: Adding a New License Key on page 534

• Example: Deleting a License Key on page 537

Generating a License Key

Supported Platforms SRX Series, vSRX

To generate a license key:

1. Gather the authorization code that you received when you purchased your license as
well as your device serial number.

2. Go to the Juniper Networks licensing page at:

https://www.juniper.net/lcrs/generateLicense.do

3. Enter the device serial number and authorization code in the webpage and click
Generate. Depending on the type of license you purchased, you will receive one of the
following responses:

• License key—If you purchased a perpetual license, you will receive a license key
from the licensing management system. You can enter this key directly into the
system to activate the feature on your device.

• License key entitlement—If you purchased a subscription-based license, you will


receive a license key entitlement from the licensing management system. You can
use this entitlement to validate your license on the Juniper Networks licensing server
and download the feature license from the server to your device.

Related Documentation

• Example: Adding a New License Key on page 534

• Example: Deleting a License Key on page 537

• Updating License Keys on page 533

• Downloading License Keys on page 532

Saving License Keys

Supported Platforms SRX Series, vSRX

To save license keys installed on the device:

1. From operational mode, save the installed license keys to a file or URL.

user@host> request system license save (filename | url)

For example, the following command saves the installed license keys to a file named
license.conf:

request system license save ftp://user@host/license.conf

Related Documentation

• Junos OS Feature License Keys on page 529

• Generating a License Key on page 532

• Example: Adding a New License Key on page 534

• Example: Deleting a License Key on page 537

• Downloading License Keys on page 532

Updating License Keys

Supported Platforms SRX Series, vSRX


To update a license key from the device:

1. From operational mode, do one of the following tasks:

• Update the license keys automatically.

user@host> request system license update

NOTE: The request system license update command always uses the
default Juniper license server https://ae1.juniper.net.

You can only use this command to update subscription-based licenses (such as
UTM).

• Update the trial license keys automatically.

user@host> request system license update trial

Related Documentation

• Junos OS Feature License Keys on page 529

• Generating a License Key on page 532

• Example: Adding a New License Key on page 534

• Example: Deleting a License Key on page 537

• Downloading License Keys on page 532

Example: Adding a New License Key

Supported Platforms SRX Series, vSRX

This example shows how to add a new license key.

• Requirements on page 534
• Overview on page 534
• Configuration on page 535
• Verification on page 536

Requirements
Before you begin, confirm that your Junos OS feature requires you to purchase, install,
and manage a separate software license.

Overview
You can add a license key from a file or URL, from a terminal, or from the J-Web user
interface. Use the filename option to activate a perpetual license directly on the device.
(Most feature licenses are perpetual.) Use the url to send a subscription-based license
key entitlement (such as UTM) to the Juniper Networks licensing server for authorization.
If authorized, the server downloads the license to the device and activates it.


In this example, the file name is bgp-reflection.

Configuration

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste
them into a text file, remove any line breaks, change any details necessary to match your
network configuration, copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.

From operational mode, you can add a license key in either way:

• From a file or URL:

user@hostname> request system license add bgp-reflection

• From the terminal:

user@hostname> request system license add terminal

GUI Step-by-Step Procedure

To add a new license key:

1. In the J-Web user interface, select Maintain>Licenses.

2. Under Installed Licenses, click Add to add a new license key.

3. Do one of the following, using a blank line to separate multiple license keys:

• In the License File URL box, type the full URL to the destination file containing the
license key to be added.

• In the License Key Text box, paste the license key text, in plain-text format, for the
license to be added.

4. Click OK to add the license key.

NOTE: If you added the SRX100 Memory Upgrade license, the device
reboots immediately and comes back up as a high-memory device.

5. Click OK to check your configuration and save it as a candidate configuration.

6. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure

To add a new license key:

1. From operational mode, add a license key in either way:

• From a file or URL:

user@host> request system license add bgp-reflection


• From the terminal:

user@host> request system license add terminal

2. When prompted, enter the license key, separating multiple license keys with a blank
line. If the license key you enter is invalid, an error is generated when you press Ctrl-D
to exit license entry mode.

NOTE: If you added the SRX100 Memory Upgrade license, the device
reboots immediately and comes back up as a high-memory device.

Results

From operational mode, confirm your configuration by entering the show system license
command. If the output does not display the intended configuration, repeat the
configuration instructions in this example to correct it.

user@hostname> show system license

License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  bgp-reflection                        0            1           0    permanent

Licenses installed:
  License identifier: G0300000xxxx
  License version: 2
  Valid for device: JN001875AB
  Features:
    bgp-reflection - Border Gateway Protocol route reflection
      permanent

  License identifier: G0300000xxxx
  License version: 2
  Valid for device: JN001875AB

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

Verifying Installed Licenses

Purpose Verify that the expected licenses have been installed and are active on the device.

Action From operational mode, enter the show system license command.

The output shows a list of the licenses used and a list of the licenses installed on the
device and when they expire.


Verifying License Usage

Purpose Verify that the licenses fully cover the feature configuration on the device.

Action From operational mode, enter the show system license usage command.

user@hostname> show system license usage

                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  bgp-reflection                        1            1           0    permanent

The output shows a list of the licenses installed on the device and how they are used.
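The show system license usage output above is what an operator, or an audit script, reads to confirm that every configured feature is covered by an installed, valid license. The following Python is an added example and not Junos or Juniper code; it parses that output layout and flags features whose Licenses needed count is nonzero, whose expiry is shown as invalid, or whose license is not permanent. The sample output it embeds is constructed to match the column layout shown in this example; the idp-sig and av_key_sophos_engine rows and their values are invented to exercise the checks and are not from the page.

```python
"""Parse `show system license usage` output and flag coverage gaps (added example)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample laid out like the output in this example; the idp-sig and
# av_key_sophos_engine rows are invented to exercise the shortfall and expiry checks.
SAMPLE_OUTPUT = """\
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  bgp-reflection                        1            1           0    permanent
  idp-sig                               1            0           1    invalid
  av_key_sophos_engine                  1            1           0    2018-03-01 00:00:00 UTC
"""

# feature, used, installed, needed, expiry (the expiry column may contain spaces);
# header lines have no numeric columns and therefore never match
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")


@dataclass
class LicenseUsage:
    feature: str
    used: int
    installed: int
    needed: int
    expiry: str


def parse_license_usage(text: str) -> List[LicenseUsage]:
    """Return one record per feature row, skipping header and blank lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append(LicenseUsage(m.group(1), int(m.group(2)), int(m.group(3)),
                                     int(m.group(4)), m.group(5)))
    return rows


def find_shortfalls(rows: List[LicenseUsage]) -> List[str]:
    """Features configured without an installed, valid license (needed > 0 or expiry invalid)."""
    return [r.feature for r in rows if r.needed > 0 or r.expiry == "invalid"]


def find_non_permanent(rows: List[LicenseUsage]) -> List[str]:
    """Features whose license is not permanent: subscription-based or already expired."""
    return [r.feature for r in rows if r.expiry != "permanent"]


def audit(text: str) -> dict:
    """Single entry point for a monitoring job: feature list plus both finding lists."""
    rows = parse_license_usage(text)
    return {"features": [r.feature for r in rows],
            "shortfalls": find_shortfalls(rows),
            "non_permanent": find_non_permanent(rows)}
```

Run audit() over the captured command output; a nonempty shortfalls list means a feature is in use on the device without the license that covers it, which is the condition the Licenses Needed column in Table 16 describes.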

Verifying Installed License Keys

Purpose Verify that the license keys were installed on the device.

Action From operational mode, enter the show system license keys command.

user@hostname> show system license keys

XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx

The output shows a list of the license keys installed on the device. Verify that each
expected license key is present.

Related Documentation

• Junos OS Feature License Keys on page 529

• Generating a License Key on page 532

• Example: Deleting a License Key on page 537

• Updating License Keys on page 533

• Downloading License Keys on page 532

Example: Deleting a License Key

Supported Platforms SRX Series, vSRX


This example shows how to delete a license key.

• Requirements on page 538
• Overview on page 538
• Configuration on page 538
• Verification on page 539

Requirements
Before you delete a license key, confirm that it is no longer needed.

Overview
You can delete a license key from the CLI or J-Web user interface. In this example, the
license ID is G0300000xxxx.

Configuration

CLI Quick Configuration

To quickly configure this section of the example, copy the following commands, paste
them into a text file, remove any line breaks, change any details necessary to match your
network configuration, copy and paste the commands into the CLI at the [edit] hierarchy
level, and then enter commit from configuration mode.

user@host> request system license delete G0300000xxxx

GUI Step-by-Step Procedure

To delete a license key:

1. In the J-Web user interface, select Maintain>Licenses.

2. Select the check box of the license or licenses you want to delete.

3. Click Delete.

NOTE: If you deleted the SRX100 Memory Upgrade license, the device
reboots immediately and comes back up as a low-memory device.

4. Click OK to check your configuration and save it as a candidate configuration.

5. If you are done configuring the device, click Commit Options>Commit.

Step-by-Step Procedure

To delete a license key:

1. From operational mode, for each license, enter the following command and specify
the license ID. You can delete only one license at a time.

user@host> request system license delete G0300000xxxx


NOTE: If you deleted the SRX100 Memory Upgrade license, the device
reboots immediately and comes back up as a low-memory device.

Results From configuration mode, confirm your deletion by entering the show system license
command. The license key you deleted will be removed. If the output does not display
the intended configuration, repeat the configuration instructions in this example to correct
it.

If you are done configuring the device, enter commit from configuration mode.

Verification
Confirm that the configuration is working properly.

• Verifying Installed Licenses on page 539

Verifying Installed Licenses

Purpose Verify that the expected licenses have been removed from the device.

Action From operational mode, enter the show system license command.

Related Documentation

• Generating a License Key on page 532

• Example: Adding a New License Key on page 534

• Updating License Keys on page 533

• Downloading License Keys on page 532



PART 7

Configuration Statements and Operational Commands

• Configuration Statements on page 543
• Operational Commands on page 655



CHAPTER 19

Configuration Statements

• address-assignment (Access) on page 546
• address-pool (Access) on page 549
• allow-configuration on page 550
• allow-configuration-regexps on page 551
• authentication-key on page 552
• authentication-order on page 553
• boot-server (NTP) on page 554
• broadcast on page 555
• broadcast-client on page 556
• ciphers on page 557
• connection-limit on page 558
• client-ia-type on page 559
• client-identifier (dhcp-client) on page 560
• client-identifier (dhcpv6-client) on page 561
• client-list-name (SNMP) on page 562
• client-type on page 562
• deny-configuration on page 563
• deny-configuration-regexps on page 564
• destination (Accounting) on page 565
• dhcp-attributes (Access IPv4 Address Pools) on page 566
• dhcp-attributes (Access IPv6 Address Pools) on page 568
• dhcp-client on page 570
• dhcp-local-server (System Services) on page 571
• dhcpv6 (System Services) on page 575
• dhcpv6-client on page 579
• disable (System Services) on page 580
• dlv on page 581
• dynamic-pool on page 582


• dynamic-server on page 583
• family (Security Forwarding Options) on page 584
• file (System Logging) on page 585
• forwarding-options (Security) on page 588
• group (System Services DHCP) on page 589
• host (SSH Known Hosts) on page 592
• hostkey-algorithm on page 593
• idle-timeout (System) on page 594
• interface (System Services DHCP) on page 595
• interfaces (ARP) on page 596
• interfaces (Security Zones) on page 597
• interface-traceoptions (System Services DHCP) on page 598
• internet-options on page 600
• kernel-replication (System) on page 601
• lease-time (dhcp-client) on page 602
• location on page 603
• lockout-period on page 604
• macs on page 605
• max-pre-authentication-packets on page 606
• multicast-client on page 607
• name-server (Access) on page 607
• neighbor-discovery-router-advertisement (Access) on page 608
• ntp on page 609
• outbound-ssh on page 610
• overrides (System Services DHCP) on page 612
• peer (NTP) on page 613
• prefix on page 614
• profilerd on page 615
• proxy on page 616
• radius-options on page 617
• radius-server on page 618
• rapid-commit on page 619
• reconfigure (System Services DHCP) on page 620
• req-option on page 622
• retransmission-attempt (dhcp-client) on page 623
• retransmission-attempt (dhcpv6-client) on page 624
• retransmission-interval (dhcp-client) on page 625


• root-authentication on page 626
• single-connection on page 627
• server (NTP) on page 628
• server-address (dhcp-client) on page 629
• source-address (NTP, RADIUS, System Logging, or TACACS+) on page 630
• ssh-known-hosts on page 631
• static-subscribers on page 632
• statistics-service on page 632
• subscriber-management on page 633
• subscriber-management-helper on page 634
• system master password on page 635
• tacplus on page 636
• tacplus-options on page 637
• tacplus-server on page 639
• traceoptions (Outbound SSH) on page 641
• trusted-key on page 642
• uac-service on page 643
• update-router-advertisement on page 644
• update-server (dhcp-client) on page 644
• update-server (dhcpv6-client) on page 645
• usb-control on page 645
• use-interface on page 646
• user-id on page 646
• vendor-id on page 647
• vpn (Forwarding Options) on page 647
• watchdog on page 648
• web-management on page 649
• web-management (System Services) on page 650


address-assignment (Access)

Supported Platforms SRX Series

Syntax address-assignment {
abated-utilization percentage;
abated-utilization-v6 percentage;
high-utilization percentage;
high-utilization-v6 percentage;
neighbor-discovery-router-advertisement ndra-name;
pool pool-name {
family {
inet {
dhcp-attributes {
boot-file boot-file-name;
boot-server boot-server-name;
domain-name domain-name;
grace-period seconds;
maximum-lease-time (seconds | infinite);
name-server ipv4-address;
netbios-node-type (b-node | h-node | m-node | p-node);
next-server next-server-name;
option dhcp-option-identifier-code {
array {
byte [8-bit-value];
flag [ false| off |on |true];
integer [32-bit-numeric-values];
ip-address [ip-address];
short [signed-16-bit-numeric-value];
string [character string value];
unsigned-integer [unsigned-32-bit-numeric-value];
unsigned-short [16-bit-numeric-value];
}
byte 8-bit-value;
flag (false | off | on | true);
integer 32-bit-numeric-values;
ip-address ip-address;
short signed-16-bit-numeric-value;
string character string value;
unsigned-integer unsigned-32-bit-numeric-value;
unsigned-short 16-bit-numeric-value;
}
option-match {
option-82 {
circuit-id match-value {
range range-name;
}
remote-id match-value;
range range-name;
}
}
}
propagate-ppp-settings [interface-name];
propagate-settings interface-name;

546 Copyright © 2017, Juniper Networks, Inc.


Chapter 19: Configuration Statements

router ipv4-address;
server-identifier ip-address;
sip-server {
ip-address ipv4-address;
name sip-server-name;
}
tftp-server server-name;
wins-server ipv4-address;
}
host hostname {
hardware-address mac-address;
ip-address reserved-address;
}
network network address;
range range-name {
high upper-limit;
low lower-limit;
}
excluded-range range-name
high upper-limit;
low lower-limit;
}
xauth-attributes {
primary-dns ip-address;
primary-wins ip-address;
secondary-dns ip-address;
secondary-wins ip-address;
}
}
inet6 {
dhcp-attributes {
dns-server ipv6-address;
grace-period seconds;
maximum-lease-time (seconds | infinite);
option dhcp-option-identifier-code {
array {
byte [8-bit-value];
flag [ false| off |on |true];
integer [32-bit-numeric-values];
ip-address [ip-address];
short [signed-16-bit-numeric-value];
string [character string value];
unsigned-integer [unsigned-32-bit-numeric-value];
unsigned-short [16-bit-numeric-value];
}
byte 8-bit-value;
flag (false | off | on | true);
integer 32-bit-numeric-values;
ip-address ip-address;
short signed-16-bit-numeric-value;
string character string value;
unsigned-integer unsigned-32-bit-numeric-value;
unsigned-short 16-bit-numeric-value;
}
propagate-ppp-settings [interface-name];
sip-server-address ipv6-address;
Administration Guide for Security Devices

sip-server-domain-name domain-name;
}
prefix ipv6-network-prefix;
range range-name {
high upper-limit;
low lower-limit;
prefix-length delegated-prefix-length;
}
excluded-range range-name {
high upper-limit;
low lower-limit;
}
}
link pool-name;
}
}

Hierarchy Level [edit access]

Release Information Statement introduced in Junos OS Release 10.4 for SRX300, SRX320, SRX340, SRX345,
SRX550HM devices.

Description The address-assignment pool feature enables you to create IPv4 and IPv6 address pools
that different client applications can share. For example, multiple client applications,
such as DHCPv4 or DHCPv6, can use an address-assignment pool to provide addresses
for their particular clients.

Required Privilege Level access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation • Dynamic VPN Overview

address-pool (Access)

Supported Platforms M Series, MX Series, SRX Series, T Series

Syntax address-pool pool-name {
address address or address prefix;
address-range {
high upper-limit;
low lower-limit;
mask network-mask;
}
primary-dns IP address;
primary-wins IP address;
secondary-dns IP address;
secondary-wins IP address;
}

Hierarchy Level [edit access]

Release Information Statement introduced in Junos OS Release 10.4.

Description Create an address-pool for L2TP clients.

Options • pool-name—Name assigned to the address-pool.

• address—Configure subnet information for the address-pool.

• address-range—Defines the address range available for clients.

• primary-dns—Specify the primary-dns IP address.

• secondary-dns—Specify the secondary-dns IP address.

• primary-wins—Specify the primary-wins IP address.

• secondary-wins—Specify the secondary-wins IP address.

Required Privilege Level access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation • access-control on page 85

allow-configuration

Supported Platforms SRX Series

Syntax allow-configuration "regular-expression";

Hierarchy Level [edit system login class class-name]

Release Information Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 11.2 for SRX Series devices.

Description Explicitly allow configuration access to the specified levels in the hierarchy even if the
permissions set with the permissions statement do not grant such access by default.

Default If you omit this statement and the deny-configuration statement, users can edit only
those commands for which they have access privileges through the permissions statement.

Options regular-expression—Extended (modern) regular expression as defined in POSIX 1003.2.
If the regular expression contains any spaces, operators, or wildcard characters,
enclose it in quotation marks.

Required Privilege Level admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

allow-configuration-regexps

Supported Platforms SRX Series

Syntax allow-configuration-regexps "regular expression 1" "regular expression 2";

Hierarchy Level [edit system login class class-name]

Release Information Statement introduced in Junos OS Release 11.2.

Description Explicitly allow configuration access to specified hierarchies using regular expressions
even if the permissions set with the permissions statement do not grant that access.

The statement deny-configuration-regexps takes precedence if it is used in the same
login class definition.

Default If you do not configure this statement or the deny-configuration-regexps statement, users
can edit only those commands for which they have access privileges set with the
permissions statement.

Options regular expression—Extended (modern) regular expression as defined in POSIX 1003.2.
If the regular expression contains any spaces, operators, or wildcard characters,
enclose it in quotation marks.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

authentication-key

Supported Platforms SRX Series

Syntax authentication-key key-number type md5 value <password>;

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description Configure Network Time Protocol (NTP) authentication keys so that the SRX Series
device can send authenticated packets. If you configure the SRX Series device to operate
in authenticated mode, you must configure a key.

Both the keys and the authentication scheme (MD5) must be identical between a set of
peers sharing the same key number.

Options key-number—Positive integer that identifies the key.

type md5—Authentication type. It can only be md5.

value password—The key itself, which can be from 1 through 8 ASCII characters. If the key
contains spaces, enclose it in quotation marks.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 609
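The authentication-key statement above configures an MD5 key that a set of NTP peers share. The following Python example, added here and not part of the Juniper documentation or of Junos OS, shows what that key does on the wire: the sender appends a 32-bit key number and an MD5 digest computed over the key followed by the 48-byte NTP header (the symmetric-key scheme of RFC 5905), and the receiver looks up the key number in its own authentication-key table, recomputes the digest and compares it in constant time. The 1 through 8 ASCII character limit from the statement is enforced in key_is_valid. The function names, the minimal header builder and the sample key are this example's own; only the digest layout follows RFC 5905.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48   # fixed NTP header, RFC 5905
KEY_ID_LEN = 4        # key-number field appended after the header
DIGEST_LEN = 16       # MD5 digest length


def key_is_valid(key):
    """The constraint from the authentication-key statement: 1 through 8 ASCII characters."""
    return isinstance(key, str) and 1 <= len(key) <= 8 and key.isascii()


def _key_bytes(key):
    if not key_is_valid(key):
        raise ValueError("NTP MD5 key must be 1 through 8 ASCII characters")
    return key.encode("ascii")


def build_header(version=4, mode=3):
    """Constructed minimal header: LI 0, the given version (1 through 4, as the broadcast
    statement allows), mode 3 = client; stratum, poll, precision and all timestamps zero."""
    if not 1 <= version <= 4:
        raise ValueError("NTP version must be 1 through 4")
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBbb", li_vn_mode, 0, 0, 0) + b"\x00" * 44


def md5_mac(key, header):
    """RFC 5905 symmetric-key MAC: MD5 over the key bytes followed by the 48-byte header."""
    return hashlib.md5(_key_bytes(key) + header[:NTP_HEADER_LEN]).digest()


def authenticate(header, key_number, key):
    """Sender side: append the key number and the digest, as a device with
    authentication-key configured does for authenticated packets."""
    return header + struct.pack("!I", key_number) + md5_mac(key, header)


def verify(packet, trusted_keys):
    """Receiver side: look up the key number in the peer's authentication-key table
    (a dict of key-number -> key) and recompute the digest. Returns (ok, key_number);
    key_number is None when the packet is not even the right length to carry a MAC."""
    if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
        return False, None
    header = packet[:NTP_HEADER_LEN]
    (key_number,) = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])
    received = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
    key = trusted_keys.get(key_number)
    if key is None:
        return False, key_number          # unknown key number: the packet is dropped
    return hmac.compare_digest(received, md5_mac(key, header)), key_number


if __name__ == "__main__":
    pkt = authenticate(build_header(), 1, "s3cret")   # constructed sample key number and key
    print(verify(pkt, {1: "s3cret"}))                 # (True, 1)
```

A packet that carries an unknown key number, that fails to recompute, or whose header was altered after signing is rejected by verify. Note what the statement's limits imply for a reviewer: the key is at most 8 ASCII characters and md5 is the only type the statement accepts, so this protects against casual spoofing of time sources rather than providing strong authentication.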

authentication-order

Supported Platforms EX Series, M Series, SRX Series, T Series

Syntax authentication-order [method1 method2...];

Hierarchy Level [edit system]

Release Information Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.

Description Configure the order in which the software tries different user authentication methods
when attempting to authenticate a user. For each login attempt, the software tries the
authentication methods in order, starting with the first one, until the password matches.

Default If you do not include the authentication-order statement, users are verified based on their
configured passwords.

Options One or more of the following authentication methods listed in the order in which they
must be tried:

• password—Use the password configured for the user with the authentication statement
at the [edit system login user] hierarchy level.

• radius—Use RADIUS authentication services.

• tacplus—Use TACACS+ authentication services.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Understanding User Authentication Methods on page 12

boot-server (NTP)

Supported Platforms SRX Series

Syntax boot-server (address | hostname);

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description Configure the server that NTP queries when the SRX Series device boots to determine
the local date and time.

When you boot the SRX Series device, it issues an ntpdate request, which polls a network
server to determine the local date and time. You need to configure a server that the SRX
Series device uses to determine the time when the SRX Series device boots. You can
configure either an IP address or a hostname for the boot server. If you configure a
hostname instead of an IP address, the ntpdate request resolves the hostname to an IP
address when the SRX Series device boots up.

If you configure an NTP boot server, then when the SRX Series device boots, it immediately
synchronizes with the boot server even if the NTP process is explicitly disabled or if the
time difference between the client and the boot server exceeds the threshold value of
1000 seconds.

Options • address—The IP address of an NTP boot server.

• hostname—The hostname of an NTP boot server.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 609

broadcast

Supported Platforms SRX Series

Syntax broadcast address <key key-number> <routing-instance-name routing-instance-name> <ttl value> <version value>;

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description Configure the SRX Series device to operate in broadcast mode with the remote system
at the specified address. In this mode, the SRX Series device sends periodic broadcast
messages to a client population at the specified broadcast or multicast address. Normally,
you include this statement only when the SRX Series device is operating as a transmitter.

Options address—The broadcast address on one of the local networks or a multicast address
assigned to NTP. You must specify an address, not a hostname. If the multicast
address is used, it must be 224.0.1.1.

key key-number—(Optional) All packets sent to the address include authentication fields
that are encrypted using the specified key number.
Range: Any unsigned 32-bit integer

routing-instance-name routing-instance-name—(Optional) The routing instance name in
which the interface has an address in the broadcast subnet.
Default: The default routing instance is used to broadcast packets.

ttl value—(Optional) Time-to-live (TTL) value to use.
Range: 1 through 255
Default: 1

version value—(Optional) Specify the version number to be used in outgoing NTP packets.
Range: 1 through 4
Default: 4

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 609

broadcast-client

Supported Platforms SRX Series

Syntax broadcast-client;

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description Configure the SRX Series device to listen for broadcast messages on the local network
to discover other servers on the same subnet.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 609

ciphers

Supported Platforms MX Series, PTX Series, SRX Series, vSRX

Syntax ciphers [ cipher-1 cipher-2 cipher-3 ... ];

Hierarchy Level [edit system services ssh]

Release Information Statement introduced in Junos OS Release 11.2.

Description Specify the set of ciphers the SSH server can use to perform encryption and decryption
functions.

Options • 3des-cbc—Triple Data Encryption Standard (DES) in Cipher Block Chaining (CBC)
mode.

• aes128-cbc—128-bit Advanced Encryption Standard (AES) in CBC mode.

• aes128-ctr—128-bit AES in counter mode.

• aes128-gcm@openssh.com—128-bit AES in Galois/Counter Mode.

• aes192-cbc—192-bit AES in CBC mode.

• aes192-ctr—192-bit AES in counter mode.

• aes256-cbc—256-bit AES in CBC mode.

• aes256-ctr—256-bit AES in counter mode.

• aes256-gcm@openssh.com—256-bit AES in Galois/Counter Mode.

• arcfour—128-bit RC4 stream cipher.

• arcfour128—128-bit RC4 stream cipher.

• arcfour256—256-bit RC4 stream cipher.

• blowfish-cbc—128-bit Blowfish symmetric block cipher in CBC mode.

• cast128-cbc—128-bit CAST-128 in CBC mode.

• chacha20-poly1305@openssh.com—ChaCha20 stream cipher and Poly1305 MAC.

NOTE: Ciphers represent a set. To configure SSH ciphers, use the set command
as shown in the following example:

user@host# set system services ssh ciphers [ aes256-cbc aes192-cbc ]

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Configuring SSH Service for Remote Access to the Router or Switch

• key-exchange

• macs on page 605
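The NOTE above shows the set-command form of the ciphers statement. The following Python example is added here as a configuration-review aid; it is not Juniper code and not part of Junos OS. It parses that form out of a configuration shown in set form, classifies every name from the option list above into AEAD, counter-mode, CBC-mode or RC4 (the grouping is this example's own, not a Juniper list), reports the weak ones, and rebuilds the statement with only the acceptable ciphers. The sample configuration lines are constructed.

```python
import re

# Cipher names the Junos `ciphers` statement accepts, taken from the option list above and
# grouped by the property a configuration reviewer cares about (this example's grouping).
AEAD_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
                "chacha20-poly1305@openssh.com"}
CTR_CIPHERS = {"aes128-ctr", "aes192-ctr", "aes256-ctr"}
CBC_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
               "blowfish-cbc", "cast128-cbc"}
RC4_CIPHERS = {"arcfour", "arcfour128", "arcfour256"}

# Matches the set-command form from the NOTE, with or without a "user@host#" prompt,
# as either a bracketed set or a single bare cipher name.
_CIPHERS_RE = re.compile(r"^(?:\S+#\s*)?set system services ssh ciphers\s+(.+?)\s*;?\s*$")


def parse_ciphers_statement(line):
    """Return the cipher names from a `set system services ssh ciphers ...` line
    (an empty list for any other line)."""
    m = _CIPHERS_RE.match(line.strip())
    if not m:
        return []
    body = m.group(1).strip()
    if body.startswith("[") and body.endswith("]"):
        body = body[1:-1]
    return body.split()


def classify(name):
    """Label one cipher: ok-aead, ok-ctr, weak-cbc, weak-rc4, or unknown."""
    if name in AEAD_CIPHERS:
        return "ok-aead"
    if name in CTR_CIPHERS:
        return "ok-ctr"
    if name in CBC_CIPHERS:
        return "weak-cbc"   # CBC mode; 3des-cbc additionally has a 64-bit block
    if name in RC4_CIPHERS:
        return "weak-rc4"   # RC4 keystream biases
    return "unknown"


def audit(config_lines):
    """Map every cipher named in the configuration to its classification, in configured order."""
    findings = {}
    for line in config_lines:
        for name in parse_ciphers_statement(line):
            findings[name] = classify(name)
    return findings


def weak_ciphers(findings):
    return sorted(n for n, c in findings.items() if c.startswith("weak"))


def hardened_statement(findings):
    """Rebuild the set command keeping only the acceptable ciphers, in the original order."""
    keep = [n for n, c in findings.items() if c.startswith("ok")]
    return "set system services ssh ciphers [ " + " ".join(keep) + " ]"


# Constructed sample configuration in set form.
SAMPLE_CONFIG = [
    "set system services ssh connection-limit 5",
    "set system services ssh ciphers [ aes256-gcm@openssh.com aes256-ctr 3des-cbc arcfour ]",
]

if __name__ == "__main__":
    found = audit(SAMPLE_CONFIG)
    print("weak ciphers:", weak_ciphers(found))
    print(hardened_statement(found))
```

Because ciphers represent a set, the rebuilt statement replaces the whole set when committed; a name in the unknown category usually means a typo or a cipher the running release does not recognise, which the commit itself will reject.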

connection-limit

Supported Platforms SRX Series, vSRX

Syntax connection-limit limit;

Hierarchy Level [edit system services finger]
[edit system services ftp]
[edit system services netconf ssh]
[edit system services ssh]
[edit system services telnet]
[edit system services xnm-clear-text]
[edit system services xnm-ssl]

Release Information Statement introduced in Junos OS Release 11.4.

Description Configure the maximum number of connection sessions for each type of system services
(finger, ftp, ssh, telnet, xnm-clear-text, or xnm-ssl) per protocol (either IPv6 or IPv4).

Options limit—Maximum number of established connections per protocol (either IPv6 or IPv4).

On SRX5400, SRX5600, and SRX5800 devices, the range and default value are as
follows:
Range: 1 through 250
Default: 75

On SRX300, SRX320, SRX340, SRX345, and SRX550M devices, the range is as
follows:
Range: 1 through 5

NOTE: The actual number of maximum connections depends on the
availability of system resources, and might be fewer than the configured
connection-limit value if the system resources are limited.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

client-ia-type

Supported Platforms SRX Series, vSRX

Syntax client-ia-type {
ia-na;
ia-pd;
}

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family inet6 dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10 for SRX300, SRX320, SRX340,
SRX550M, and SRX1500 devices.

Description Configure the DHCPv6 client identity association type.

Options ia-na—Identity association for nontemporary address

ia-pd—Identity association for prefix delegation

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • DHCPv6 Client Overview on page 491

client-identifier (dhcp-client)

Supported Platforms SRX Series, vSRX

Syntax client-identifier {
user-id (ascii ascii | hexadecimal hexadecimal);
use-interface-description (logical | device);
prefix [host-name routing-instance-name];
}

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client]

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description The DHCP server identifies a client by a client-identifier value.

Options The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • DHCPv6 Client Overview on page 491

client-identifier (dhcpv6-client)

Supported Platforms SRX Series

Syntax client-identifier duid-type (duid-ll | duid-llt | vendor);

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description The DHCPv6 server identifies a client by a client-identifier value.

Options duid-type—The DHCPv6 client is identified by a DHCP unique identifier (DUID).

duid-ll—Link Layer address.

duid-llt—Link Layer address plus time.

vendor—Vendor-assigned unique ID based on the enterprise number.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • DHCPv6 Client Overview on page 491
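The duid-type option above selects how the DHCPv6 client identifies itself to the server. The following Python example, added here and not part of the Juniper documentation or of Junos OS, builds and parses the DUID layouts from RFC 8415 that correspond to those choices: duid-ll (DUID type 3, hardware type plus link-layer address), duid-llt (DUID type 1, which also embeds seconds since 2000-01-01 UTC), and the vendor form as DUID-EN (DUID type 2, enterprise number plus a vendor-assigned identifier). Reading the page's vendor option as DUID-EN is this example's interpretation. The sample MAC address, timestamp and identifier are constructed; 2636 is the IANA private enterprise number registered to Juniper Networks.

```python
import struct
from datetime import datetime, timedelta, timezone

# DUID type codes from RFC 8415 and the ARP hardware type for Ethernet.
DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3
HW_TYPE_ETHERNET = 1
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)   # DUID-LLT time base

# Constructed sample inputs.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE_TIME = datetime(2017, 4, 5, tzinfo=timezone.utc)
JUNIPER_ENTERPRISE_NUMBER = 2636


def _mac_bytes(mac):
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError("expected a colon-separated 48-bit MAC address")
    return bytes(int(p, 16) for p in parts)


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def duid_ll(mac):
    """duid-ll: type, hardware type, link-layer address."""
    return struct.pack("!HH", DUID_LL, HW_TYPE_ETHERNET) + _mac_bytes(mac)


def duid_llt(mac, when):
    """duid-llt: type, hardware type, seconds since 2000-01-01 UTC (mod 2^32), link-layer address."""
    secs = int((when - DUID_EPOCH).total_seconds()) & 0xFFFFFFFF
    return struct.pack("!HHI", DUID_LLT, HW_TYPE_ETHERNET, secs) + _mac_bytes(mac)


def duid_en(enterprise_number, identifier):
    """DUID-EN: type, IANA enterprise number, vendor-assigned identifier bytes."""
    return struct.pack("!HI", DUID_EN, enterprise_number) + identifier


def llt_timestamp(secs):
    """Turn the time field of a duid-llt back into a datetime (useful when reading bindings)."""
    return DUID_EPOCH + timedelta(seconds=secs)


def parse_duid(raw):
    """Decode a DUID from a DHCPv6 Client Identifier option into a dict; short or
    unknown DUIDs raise rather than being half-interpreted."""
    if len(raw) < 2:
        raise ValueError("DUID too short")
    (dtype,) = struct.unpack("!H", raw[:2])
    if dtype == DUID_LL and len(raw) > 4:
        (hw,) = struct.unpack("!H", raw[2:4])
        return {"type": "duid-ll", "hw_type": hw, "mac": _mac_str(raw[4:])}
    if dtype == DUID_LLT and len(raw) > 8:
        hw, secs = struct.unpack("!HI", raw[2:8])
        return {"type": "duid-llt", "hw_type": hw, "time": secs, "mac": _mac_str(raw[8:])}
    if dtype == DUID_EN and len(raw) > 6:
        (ent,) = struct.unpack("!I", raw[2:6])
        return {"type": "duid-en", "enterprise": ent, "identifier": raw[6:]}
    raise ValueError(f"unsupported or truncated DUID (type {dtype})")


if __name__ == "__main__":
    print(duid_llt(SAMPLE_MAC, SAMPLE_TIME).hex())
    print(parse_duid(duid_ll(SAMPLE_MAC)))
```

When correlating server bindings with client hosts, the parsed form shows what each DUID type leaks: duid-ll and duid-llt carry the client's MAC address, and duid-llt also records when the identifier was first generated.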

client-list-name (SNMP)

Syntax client-list-name client-list-name;

Hierarchy Level [edit snmp community community-name]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the name of the list of SNMP network management system (NMS) clients that
are authorized to collect information about network operations. You cannot use an SNMP
client list and individually configured SNMP clients in the same configuration.

Options client-list-name—Name of the client list. The client list is the list of IP address prefixes defined
with the prefix-list statement in the policy-options hierarchy.

Required Privilege Level snmp—To view this statement in the configuration.
snmp-control—To add this statement to the configuration.

Related Documentation • Understanding the SNMP Implementation in Junos OS

• Standard SNMP MIBs Supported by Junos OS

client-type

Supported Platforms SRX Series, vSRX

Syntax client-type (autoconfig | statefull);

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family inet6 dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10 for SRX300, SRX320, SRX340,
SRX550M, and SRX1500 devices.

Description The type of DHCPv6 client.

Options • autoconfig—Autoconfig client type for router advertisement

• statefull—Stateful client type for address assignment

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • DHCPv6 Client Overview on page 491

deny-configuration

Supported Platforms SRX Series

Syntax deny-configuration "regular-expression";

Hierarchy Level [edit system login class]

Release Information Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 11.2 for SRX Series devices.

Description Explicitly deny configuration access to the specified levels in the hierarchy even if the
permissions set with the permissions statement grant such access by default.

Default If you omit this statement and the allow-configuration statement, users can edit those
levels in the configuration hierarchy for which they have access privileges through the
permissions statement.

Options regular-expression—Extended (modern) regular expression as defined in POSIX 1003.2.
If the regular expression contains any spaces, operators, or wildcard characters,
enclose it in quotation marks.

Required Privilege Level admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

deny-configuration-regexps

Supported Platforms SRX Series

Syntax deny-configuration-regexps "regular expression 1" "regular expression 2";

Hierarchy Level [edit system login class class-name]

Release Information Statement introduced in Junos OS Release 11.2.
Statement introduced in Junos OS Release 11.2 for SRX Series devices.

Description Explicitly deny configuration access to specified hierarchies using regular expressions
even if the permissions set with the permissions statement allow that access.

Expressions configured with this statement take precedence over
allow-configuration-regexps if the two statements are used in the same login class
definition.

Default If you do not configure this statement or the allow-configuration-regexps statement, users
can edit only those commands for which they have access privileges set with the
permissions statement.

Options regular expression—Extended (modern) regular expression as defined in POSIX 1003.2.
If the regular expression contains any spaces, operators, or wildcard characters,
enclose it in quotation marks.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
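The allow-configuration, deny-configuration, allow-configuration-regexps and deny-configuration-regexps statements above decide configuration access by regular expression, and the page states that deny-configuration-regexps takes precedence over allow-configuration-regexps in the same login class. The following Python example, added here and not Juniper code, models that decision for one login class: a deny expression that matches the hierarchy path refuses access, otherwise an allow expression grants it even without the corresponding permission, otherwise the permissions statement decides. Assumptions that are this example's and not the page's: Python's re module stands in for POSIX 1003.2 extended regular expressions, an expression is matched from the start of the space-separated hierarchy path, the same deny-first order is applied to the older single-expression statements, and the HIERARCHY_TO_PERMISSION table and the sample class are constructed.

```python
import re
from dataclasses import dataclass, field


@dataclass
class LoginClass:
    """The parts of [edit system login class <name>] that decide configuration access."""
    name: str
    permissions: set = field(default_factory=set)
    allow_configuration_regexps: list = field(default_factory=list)
    deny_configuration_regexps: list = field(default_factory=list)

    def __post_init__(self):
        # Refuse a class whose expressions do not compile, the way commit would.
        for pattern in self.allow_configuration_regexps + self.deny_configuration_regexps:
            re.compile(pattern)


# Assumed mapping from a top-level hierarchy to the -control permission that grants
# write access there (only the entries the sample needs; the real table is larger).
HIERARCHY_TO_PERMISSION = {
    "interfaces": "interface-control",
    "system": "system-control",
    "access": "access-control",
    "snmp": "snmp-control",
}


def _matches(patterns, path):
    # Assumption: an expression applies when it matches from the start of the path.
    return any(re.match(p, path) for p in patterns)


def can_edit(login_class, path):
    """Decide whether a user in login_class may edit the statement at `path`, a
    space-separated hierarchy such as "interfaces ge-0/0/0 description uplink".
    Returns (decision, which rule decided it)."""
    parts = path.split()
    if not parts:
        return False, "empty path"
    if _matches(login_class.deny_configuration_regexps, path):
        return False, "deny-configuration-regexps"     # deny takes precedence over allow
    if _matches(login_class.allow_configuration_regexps, path):
        return True, "allow-configuration-regexps"     # allowed even without the permission
    needed = HIERARCHY_TO_PERMISSION.get(parts[0])
    return (needed is not None and needed in login_class.permissions), "permissions"


# Constructed sample: an operator class that may edit interfaces, may additionally manage
# the SSH service, but may never disable an interface or change the SSH cipher set.
SAMPLE_CLASS = LoginClass(
    name="noc-operator",
    permissions={"view", "interface-control"},
    allow_configuration_regexps=["system services ssh"],
    deny_configuration_regexps=["interfaces .* disable", "system services ssh ciphers"],
)

if __name__ == "__main__":
    for p in ("interfaces ge-0/0/0 description uplink", "interfaces ge-0/0/0 disable",
              "system services ssh connection-limit 5", "system services ssh ciphers [ 3des-cbc ]"):
        print(p, "->", can_edit(SAMPLE_CLASS, p))
```

Reviewing a class this way makes the interaction visible before commit: an allow expression broad enough to cover "system services ssh" also admits every statement beneath it, which is why the sample pins the cipher set down with a narrower deny expression that wins regardless of the allow.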

destination (Accounting)

Supported Platforms SRX Series

Syntax destination {
radius {
server {
server-address {
accounting-port port-number;
max-outstanding-requests value;
port port-number;
retry value;
secret password;
source-address source-address;
timeout seconds;
}
}
}
tacplus {
server {
server-address {
port port-number;
secret password;
single-connection;
timeout seconds;
}
}
}
}

Hierarchy Level [edit system accounting]

Release Information Statement introduced before Junos OS Release 7.4.
radius statement added in Junos OS Release 7.4. Support for IPv6 source address added
in Junos OS Release 12.1X47-D15 for SRX1500, SRX5400, SRX5600, and SRX5800
devices.

Description Configure the authentication server.

Options The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

dhcp-attributes (Access IPv4 Address Pools)

Supported Platforms SRX Series, vSRX

Syntax dhcp-attributes {
boot-file boot-file-name;
boot-server boot-server-name;
domain-name domain-name;
grace-period seconds;
maximum-lease-time (seconds | infinite);
name-server ipv4-address;
netbios-node-type (b-node | h-node | m-node | p-node);
next-server next-server-name;
option dhcp-option-identifier-code {
array {
byte [8-bit-value];
flag [ false | off | on | true ];
integer [32-bit-numeric-values];
ip-address [ip-address];
short [signed-16-bit-numeric-value];
string [character string value];
unsigned-integer [unsigned-32-bit-numeric-value];
unsigned-short [16-bit-numeric-value];
}
byte 8-bit-value;
flag (false | off | on | true);
integer 32-bit-numeric-values;
ip-address ip-address;
short signed-16-bit-numeric-value;
string character string value;
unsigned-integer unsigned-32-bit-numeric-value;
unsigned-short 16-bit-numeric-value;
}
option-match {
option-82 {
circuit-id match-value {
range range-name;
}
remote-id match-value;
range range-name;
}
}
}
propagate-ppp-settings [interface-name];
propagate-settings interface-name;
router ipv4-address;
server-identifier ip-address;
sip-server {
ip-address ipv4-address;
name sip-server-name;
}
tftp-server server-name;
wins-server ipv4-address;
}

Hierarchy Level [edit access address-assignment pool pool-name family inet]

Release Information Statement introduced in Junos OS Release 10.4.

Description Configure attributes for IPv4 address pools that can be used by different clients. The
DHCP attributes for this statement use standard IPv4 DHCP options.

Required Privilege Level access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423
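The option statement in the dhcp-attributes syntax above (and in the address-assignment syntax earlier in this chapter) takes an option identifier code and a value typed as byte, flag, integer, ip-address, short, string, unsigned-integer or unsigned-short, singly or as an array. The following Python example, added here and not Juniper code, encodes those Junos option types into the DHCPv4 option wire format (one-byte code, one-byte length, data) that the server emits, and parses the result back, refusing options that do not fit the one-byte length field or that arrive truncated. The option codes named as constants are from RFC 2132; the sample values are constructed.

```python
import ipaddress
import struct

# DHCPv4 option codes used in the sample (RFC 2132). The Junos option statement takes
# the code as a number; the names are only for readability here.
OPT_TIME_OFFSET = 2            # integer (signed 32-bit)
OPT_IP_FORWARDING = 19         # flag
OPT_MAX_DGRAM_SIZE = 22        # unsigned-short
OPT_NTP_SERVERS = 42           # array of ip-address
OPT_TFTP_SERVER_NAME = 66      # string
OPT_PAD, OPT_END = 0, 255


def _encode_scalar(otype, value):
    """Encode one value according to the Junos option type vocabulary."""
    if otype == "byte":
        return struct.pack("!B", value)
    if otype == "flag":
        if isinstance(value, str):
            value = value.lower() in ("true", "on")   # the statement accepts false|off|on|true
        return struct.pack("!B", 1 if value else 0)
    if otype == "integer":
        return struct.pack("!i", value)
    if otype == "unsigned-integer":
        return struct.pack("!I", value)
    if otype == "short":
        return struct.pack("!h", value)
    if otype == "unsigned-short":
        return struct.pack("!H", value)
    if otype == "ip-address":
        return ipaddress.IPv4Address(value).packed
    if otype == "string":
        return value.encode("ascii")
    raise ValueError(f"unknown option type {otype!r}")


def encode_option(code, otype, value, array=False):
    """Build one option as code, length, data. array=True corresponds to the
    statement's array { ... } form and takes a list of values."""
    if not OPT_PAD < code < OPT_END:
        raise ValueError("codes 0 (pad) and 255 (end) are reserved")
    values = value if array else [value]
    data = b"".join(_encode_scalar(otype, v) for v in values)
    if len(data) > 255:
        raise ValueError("option data exceeds the one-byte length field")
    return struct.pack("!BB", code, len(data)) + data


def encode_options(specs):
    """Concatenate (code, type, value, array) specs and terminate with END."""
    return b"".join(encode_option(*s) for s in specs) + bytes([OPT_END])


def decode_options(blob):
    """Parse back into (code, data) pairs; skips PAD, stops at END, rejects truncation."""
    out, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        out.append((code, data))
        i += 2 + length
    return out


def is_wellformed(blob):
    try:
        decode_options(blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: two NTP servers as an ip-address array plus a string option.
    print(encode_options([(OPT_NTP_SERVERS, "ip-address", ["192.0.2.10", "192.0.2.11"], True),
                          (OPT_TFTP_SERVER_NAME, "string", "boot.example.net", False)]).hex())
```

A value outside the range of its declared type (for example 300 declared as byte) surfaces as a struct.error at encode time rather than being silently truncated, which is the behaviour a reviewer wants when checking a pool's option block.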

dhcp-attributes (Access IPv6 Address Pools)

Supported Platforms SRX Series, vSRX

Syntax dhcp-attributes {
dns-server ipv6-address;
grace-period seconds;
maximum-lease-time (seconds | infinite);
option dhcp-option-identifier-code {
array {
byte [8-bit-value];
flag [ false | off | on | true ];
integer [32-bit-numeric-values];
ip-address [ip-address];
short [signed-16-bit-numeric-value];
string [character string value];
unsigned-integer [unsigned-32-bit-numeric-value];
unsigned-short [16-bit-numeric-value];
}
byte 8-bit-value;
flag (false | off | on | true);
integer 32-bit-numeric-values;
ip-address ip-address;
short signed-16-bit-numeric-value;
string character string value;
unsigned-integer unsigned-32-bit-numeric-value;
unsigned-short 16-bit-numeric-value;
}
propagate-ppp-settings [interface-name];
sip-server-address ipv6-address;
sip-server-domain-name domain-name;
}

Hierarchy Level [edit access address-assignment pool pool-name family inet6]

Release Information Statement introduced in Junos OS Release 10.4.

Description Configure attributes for address pools that can be used by different clients.

Options • dns-server IPv6-address—Specify a DNS server to which clients can send DNS queries.

• grace-period seconds—Specify the grace period offered with the lease.
Range: 0 through 4,294,967,295 seconds
Default: 0 (no grace period)

• maximum-lease-time seconds—Specify the maximum length of time in seconds for
which a client can request and hold a lease on a DHCP server.
Range: 30 through 4,294,967,295 seconds
Default: 86,400 seconds (24 hours)

• option dhcp-option-identifier-code—Specify the DHCP option identifier code.

• propagate-ppp-settings [interface-name]—Specify the PPP interface name for propagating
DNS or WINS settings.

• sip-server-address IPv6-address—Specify the IPv6 address of the SIP outbound proxy
server.

• sip-server-domain-name domain-name—Specify the domain name of the SIP outbound
proxy server.

Required Privilege Level access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423

dhcp-client

Supported Platforms SRX Series, vSRX

Syntax dhcp-client {
client-identifier {
prefix {
host-name;
logical-system-name;
routing-instance-name;
}
use-interface-description (device | logical);
user-id (ascii string| hexadecimal string);
}
lease-time (length | infinite);
retransmission-attempt value;
retransmission-interval seconds;
server-address server-address;
update-server;
vendor-id vendor-id;
}

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family]

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Configure the Dynamic Host Configuration Protocol (DHCP) client.

Options The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423

dhcp-local-server (System Services)

Supported Platforms SRX Series

Syntax dhcp-local-server {
dhcpv6 {
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter-character;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
group group-name {
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter-character;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}

junos-default-profile;
use-primary dynamic-profile;
}
interface interface-name {
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
exclude;
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
service-profile service-profile-name;
trace;
upto interface-name;
}
liveness-detection {
failure-action {
clear-binding;
clear-binding-if-interface-up;
log-only;
}
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval interval;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}

rapid-commit;
}
reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}
service-profile service-profile-name;
}
liveness-detection {
failure-action {
clear-binding;
clear-binding-if-interface-up;
log-only;
}
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval interval;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}

service-profile service-profile-name;
}
group group-name {
interface interface-name {
exclude;
upto upto-interface-name;
}
}
}

Hierarchy Level [edit system services]

Release Information Statement introduced in Junos OS Release 10.4.

Description Configure DHCP Local Server for DHCPv6, forwarding snoop (unicast) packets, and
setting traceoptions.

NOTE: SRX Series devices do not support client authentication.

Options The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423

dhcpv6 (System Services)

Supported Platforms SRX Series

Syntax dhcpv6 {
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter-character;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
group group-name {
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter-character;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
interface interface-name {
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
exclude;
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
service-profile service-profile-name;
trace;
upto interface-name;
}
liveness-detection {
failure-action {
clear-binding;
clear-binding-if-interface-up;
log-only;
}
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval interval;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
}
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}
service-profile service-profile-name;
}
liveness-detection {
failure-action {
clear-binding;
clear-binding-if-interface-up;
log-only;
}
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval interval;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
}
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}
service-profile service-profile-name;
}

Hierarchy Level [edit system services]

Release Information Statement introduced in Junos OS Release 10.4.

Description Configure DHCPv6 server to provide IPv6 addresses to clients.

NOTE: SRX Series devices do not support client authentication.

Options • duplicate-clients-on-interface—Allow duplicate clients on different interfaces in a subnet.

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423

dhcpv6-client

Supported Platforms SRX Series, vSRX

Syntax dhcpv6-client {
client-ia-type {
ia-na;
ia-pd;
}
client-identifier duid-type (duid-ll | duid-llt | vendor);
client-type (autoconfig | statefull);
rapid-commit;
req-option (dns-server | domain | fqdn | nis-domain | nis-server | ntp-server | sip-domain
| sip-server |time-zone | vendor-spec);
retransmission-attempt number;
update-router-advertisement {
interface interface-name;
}
update-server;
}

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family inet6]

Release Information Statement introduced in Junos OS Release 12.1X45-D10 for SRX300, SRX320, SRX340,
SRX550M, and SRX1500 devices.

Description Configure the Dynamic Host Configuration Protocol version 6 (DHCPv6) client.

Options client-ia-type—Identity association type for the DHCPv6 client. This statement is mandatory.

client-identifier duid-type—Identify a client by a client-identifier value. This statement is mandatory.

client-type—Identify the type of DHCPv6 client. This statement is mandatory.

rapid-commit—Use the two-message exchange for address assignment.

req-option—Specify options requested by the DHCPv6 client.

retransmission-attempt number—Specify the number of times the device retransmits a DHCPv6 client packet if a DHCPv6 server fails to respond. After the specified number of attempts, no further attempts at reaching a server are made.

update-router-advertisement—Specify the interface used to delegate prefixes.

update-server—Propagate TCP/IP settings to the DHCPv6 server.

For detailed information about these commands, see CLI Explorer.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423
• Minimum DHCPv6 Client Configuration on page 492

disable (System Services)

Supported Platforms SRX Series, vSRX

Syntax disable;

Hierarchy Level [edit system services dns dnssec]

Release Information Statement introduced in Junos OS Release 10.2.

Description Disables DNSSEC in the DNS server.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423

dlv

Supported Platforms SRX Series, vSRX

Syntax dlv {
domain-name domain-name trusted-anchor trusted-anchor;
}

Hierarchy Level [edit system services dns dnssec]

Release Information Statement introduced in Junos OS Release 10.2.

Description Configure DNSSEC Lookaside Validation (DLV).

Options • domain-name domain-name—Specify the secure domain server name.

• trusted-anchor trusted-anchor—Specify the trusted DLV anchor.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423

dynamic-pool

Supported Platforms SRX Series

Syntax address-assignment {
dynamic-pool <dynamic-pool>{
family {
inet6 {
from-interface <interface>;
delegated-prefix-length <network-prefix-length>;
range <range-name> {
masked-low <masked-low>;
masked-high <masked-high>;
prefix-length <prefix-length>;
}
dhcp-attributes {
dns-server <address>;
t1-percentage <t1-percentage>;
t2-percentage <t2-percentage>;
preferred-lifetime <preferred-lifetime>;
valid-lifetime <valid-lifetime>;
}
}
}
}
}

Hierarchy Level [edit access]

Release Information Statement introduced in Junos OS Release 15.1X49-D70.

Description Configure the dynamic pool updated by the client running on the WAN interface.

Options The remaining statements are explained separately.

Required Privilege Level access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation • Configuring Address-Assignment Pools on page 450
• address-assignment (Access) on page 546

dynamic-server

Supported Platforms SRX Series

Syntax dhcpv6 {
dynamic-server {
group <group> {
neighbor-discovery-router-advertisement <ndra-pool>;
interface <interface> {
overrides {
delegated-pool <delegated-pool>;
ia-na-pool <ia-na-pool>;
process-inform {
pool <pool>;
}
}
}
}
}
}

Hierarchy Level [edit system services]

Release Information Statement introduced in Junos OS Release 15.1X49-D70.

Description Configure the server running on a LAN interface.

Options The remaining statements are explained separately.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • dhcp-local-server (System Services) on page 571
• dhcp-client on page 570
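The dhcpv6-client, dynamic-pool, and dynamic-server statements described above form one chain on an SRX Series device: the WAN-side client obtains a delegated prefix, the dynamic pool is populated from that prefix, and the LAN-side server hands addresses and prefixes out of the pool. The configuration below is an added example, not taken from this guide or from Juniper. The interface names (ge-0/0/0.0 as WAN, ge-0/0/1.0 as LAN), the pool and group names, the DNS server address, and the lifetimes are assumptions; the optional range statement is left out because its masked-low and masked-high bounds depend on the length of the prefix the provider actually delegates.

```junos
/* Added example, not from the Juniper guide. Interface names, pool name,
   group name, DNS address and lifetimes are assumptions. */
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet6 {
                /* WAN side: stateful client asking for an address (IA_NA)
                   and a delegated prefix (IA_PD). */
                dhcpv6-client {
                    client-type statefull;
                    client-ia-type {
                        ia-na;
                        ia-pd;
                    }
                    client-identifier duid-type duid-ll;
                    req-option dns-server;
                    req-option domain;
                    /* Stop retrying after six unanswered transmissions. */
                    retransmission-attempt 6;
                    /* Advertise the delegated prefix on the LAN interface. */
                    update-router-advertisement {
                        interface ge-0/0/1.0;
                    }
                }
            }
        }
    }
}
access {
    address-assignment {
        /* Pool contents are derived from the prefix the WAN client receives. */
        dynamic-pool lan-v6-pool {
            family {
                inet6 {
                    from-interface ge-0/0/0.0;
                    delegated-prefix-length 64;
                    dhcp-attributes {
                        dns-server 2001:db8::53;   /* constructed value */
                        preferred-lifetime 3600;
                        valid-lifetime 7200;
                    }
                }
            }
        }
    }
}
system {
    services {
        dhcpv6 {
            /* LAN side: serve addresses and prefixes out of the dynamic pool. */
            dynamic-server {
                group lan {
                    interface ge-0/0/1.0 {
                        overrides {
                            ia-na-pool lan-v6-pool;
                            delegated-pool lan-v6-pool;
                        }
                    }
                }
            }
        }
    }
}
```

The client and server halves can be verified independently: if the WAN client never completes its exchange, the dynamic pool stays empty and the LAN server has nothing to allocate, so a failure on the LAN is checked first on the WAN binding. The retransmission-attempt value bounds how long the device keeps soliciting an unresponsive upstream server before giving up.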

family (Security Forwarding Options)

Supported Platforms SRX Series, vSRX

Syntax family {
inet6 {
mode (drop | flow-based | packet-based);
}
iso {
mode packet-based;
}
mpls {
mode packet-based;
}
}

Hierarchy Level [edit security forwarding-options]

Release Information Statement introduced in Junos OS Release 8.5.

Description Determine the protocol family to be used for packet forwarding.

NOTE: Packet-based processing is not supported on the following SRX Series devices: SRX5400, SRX5600, and SRX5800.

Options The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation • MPLS Overview

file (System Logging)

Supported Platforms M Series, MX Series, SRX Series, T Series

Syntax file filename {
allow-duplicates;
any (alert | any | critical | emergency | error | info | none | notice | warning);
archive {
archive-sites {
url password;
}
(binary-data | no-binary-data);
files number;
size size;
start-time start-time;
transfer-interval transfer-interval;
(world-readable | no-world-readable);
}
authorization (alert | any | critical | emergency | error | info | none | notice | warning);
change-log (alert | any | critical | emergency | error | info | none | notice | warning);
conflict-log (alert | any | critical | emergency | error | info | none | notice | warning);
daemon (alert | any | critical | emergency | error | info | none | notice | warning);
dfc (alert | any | critical | emergency | error | info | none | notice | warning);
explicit-priority;
external (alert | any | critical | emergency | error | info | none | notice | warning);
firewall (alert | any | critical | emergency | error | info | none | notice | warning);
ftp (alert | any | critical | emergency | error | info | none | notice | warning);
interactive-commands (alert | any | critical | emergency | error | info | none | notice | warning);
kernel (alert | any | critical | emergency | error | info | none | notice | warning);
match "regular-expression";
ntp (alert | any | critical | emergency | error | info | none | notice | warning);
pfe (alert | any | critical | emergency | error | info | none | notice | warning);
security (alert | any | critical | emergency | error | info | none | notice | warning);
structured-data {
brief;
}
user (alert | any | critical | emergency | error | info | none | notice | warning);
}

Hierarchy Level [edit system syslog]

Release Information Statement introduced before Junos OS Release 12.1X47 for SRX Series.

Description Specify the file in which to log data.

Options • filename—Specify the name of the file in which to log data.

• allow-duplicates—Do not suppress the repeated messages.

• any—Specify all facilities information.

• alert—Specify the conditions that should be corrected immediately.

• critical—Specify the critical conditions.

• emergency—Specify the conditions that cause security functions to stop.

• error—Specify the general error conditions.

• info—Specify the information about normal security operations.

• none—Do not specify any messages.

• notice—Specify the conditions that should be handled specifically.

• warning—Specify the general warning conditions.

• archive—Specify the archive file information.

• archive-sites—Specify a list of destination URLs for the archived log files.

• url—Specify the primary and failover URLs to receive archive files.

• binary-data—Mark file such that it contains binary data.

• no-binary-data—Do not mark the file such that it contains binary data.

• files—Specify the number of files to be archived. Range: 1 through 1000 files.

• size—Specify the size of files to be archived. Range: 65,536 through 1,073,741,824 bytes.

• world-readable—Allow any user to read the log file.

• no-world-readable—Do not allow any user to read the log file.

• start-time—Specify the start time for file transmission. Enter the start time in the
yyyy-mm-dd.hh:mm format.

• transfer-interval—Specify the frequency at which to transfer the files to archive sites.

• authorization—Specify the authorization system.

• change-log—Specify the configuration change log.

• conflict-log—Specify the configuration conflict log.

• daemon—Specify the various system processes.

• dfc—Specify the dynamic flow capture.

• explicit-priority—Include the priority and facility in messages.

• external—Specify the local external applications.

• firewall—Specify the firewall filtering system.

• ftp—Specify the FTP process.

• interactive-commands—Specify the commands executed by the UI.

• kernel—Specify the kernel information.

• match—Specify the regular expression for lines to be logged.

• ntp—Specify the NTP process.

• pfe—Specify the Packet Forwarding Engine.

• security—Specify the security-related information.

• structured-data—Log the messages in structured log format.

• brief—Omit English language text from the end of the logged message.

• user—Specify the user processes.

• info—Specify the informational messages.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
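As an added example (not from this guide or from Juniper) of the file statement and its archive block, the configuration below keeps an audit trail of logins, commands and configuration changes in a file that only root can read and that is copied off the device, plus a second file of security events filtered by regular expression. The file names, the archive URL and its password, the rotation counts and the transfer interval are assumptions; the RT_FLOW_SESSION_DENY pattern given to match is a constructed filter.

```junos
/* Added example, not from the Juniper guide. File names, archive URL,
   password and rotation numbers are assumptions. */
system {
    syslog {
        /* Audit trail: who logged in, what they typed, what they committed.
           Kept unreadable to non-root users and archived off-box so that
           wiping the local file set loses little. */
        file audit-log {
            authorization info;
            interactive-commands info;
            change-log info;
            /* Structured (key=value) output is easier for a SIEM to parse. */
            structured-data;
            archive {
                files 10;
                size 5m;
                no-world-readable;
                archive-sites {
                    "scp://archive@logs.example.net/var/archive/srx" password "$9$PLACEHOLDER";
                }
                transfer-interval 60;
            }
        }
        /* Security events only, restricted to lines matching the regular
           expression; repeated messages are kept rather than collapsed so
           counts stay accurate. */
        file security-events {
            security notice;
            firewall warning;
            explicit-priority;
            match "RT_FLOW_SESSION_DENY|RT_SCREEN";
            allow-duplicates;
        }
    }
}
```

The two files separate concerns on purpose: the audit file is the evidence of what administrators did and must be complete and off-box, while the security-events file is a working view for triage and can be tuned with match without touching the audit trail. The size and files values must be set together, as the Options list above notes.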

forwarding-options (Security)

Supported Platforms SRX Series, vSRX

Syntax forwarding-options {
family {
inet6 {
mode (drop | flow-based | packet-based);
}
iso {
mode packet-based;
}
mpls {
mode packet-based;
}
}
}

Hierarchy Level [edit security]

Release Information Statement introduced in Junos OS Release 8.5.

Description Determine how the inet6, iso, and mpls protocol families manage security forwarding
options.

NOTE:
• Packet-based processing is not supported on the following SRX Series
devices: SRX5400, SRX5600, and SRX5800.

• On SRX Series devices, the default mode for processing traffic is flow mode.
To configure an SRX Series device as a border router, you must change the
mode from flow-based processing to packet-based processing. Use the
set security forwarding-options family mpls mode packet-based statement
to configure the SRX device to packet mode. You must reboot the device
for the configuration to take effect.

Options The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation • MPLS Overview
• Understanding Packet-Based Processing
• Juniper Networks Devices Processing Overview

group (System Services DHCP)

Supported Platforms SRX Series, vSRX

Syntax group group-name {
authentication {
password password;
username-include {
circuit-type;
client-id;
delimiter delimiter-character;
domain-name domain-name;
interface-name;
logical-system-name;
relay-agent-interface-id;
relay-agent-remote-id;
relay-agent-subscriber-id;
routing-instance-name;
user-prefix user-prefix;
}
}
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
interface interface-name {
dynamic-profile {
profile-name;
aggregate-clients {
merge;
replace;
}
junos-default-profile;
use-primary dynamic-profile-name;
}
exclude;
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
service-profile service-profile-name;
trace;
upto interface-name;
}
liveness-detection {
failure-action {
clear-binding;
clear-binding-if-interface-up;
log-only;
}
method {
bfd {
detection-time {
threshold milliseconds;
}
holddown-interval interval;
minimum-interval milliseconds;
minimum-receive-interval milliseconds;
multiplier number;
no-adaptation;
session-mode (automatic | multihop | single-hop);
transmit-interval {
minimum-interval milliseconds;
threshold milliseconds;
}
version (0 | 1 | automatic);
}
}
}
overrides {
delegated-pool pool-name;
interface-client-limit number;
process-inform {
pool pool-name;
}
rapid-commit;
}
reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}
service-profile service-profile-name;
}

Hierarchy Level [edit system services dhcp-local-server dhcpv6]

Release Information Statement introduced in Junos OS Release 10.4.

Description Configure a group of interfaces that have a common configuration.

Options • group-name—Name of the group.

NOTE: SRX Series devices do not support DHCP client authentication.

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423
• DHCP Server Configuration Overview on page 448

host (SSH Known Hosts)

Supported Platforms SRX Series, vSRX

Syntax host hostname {
dsa-key dsa-key;
ecdsa-sha2-nistp256-key ecdsa-sha2-nistp256-key;
ecdsa-sha2-nistp384-key ecdsa-sha2-nistp384-key;
ecdsa-sha2-nistp521-key ecdsa-sha2-nistp521-key;
rsa-key rsa-key;
rsa1-key rsa1-key;
}

Hierarchy Level [edit security ssh-known-hosts]

Release Information Statement modified in Junos OS Release 8.5.

Description Configure the type of base-64 encoded host key.

Options • hostname—Name of the SSH known host.

• dsa-key dsa-key—Digital Signature Algorithm (DSA) for SSH version 2

• ecdsa-sha2-nistp256-key ecdsa-sha2-nistp256-key—Elliptic Curve Digital Signature Algorithm (ECDSA)

• ecdsa-sha2-nistp384-key ecdsa-sha2-nistp384-key—Elliptic Curve Digital Signature Algorithm (ECDSA)

• ecdsa-sha2-nistp521-key ecdsa-sha2-nistp521-key—Elliptic Curve Digital Signature Algorithm (ECDSA)

• rsa-key rsa-key—RSA public key algorithm, which supports encryption and digital signatures for SSH version 1 and SSH version 2

• rsa1-key rsa1-key—RSA public key algorithm, which supports encryption and digital signatures for SSH version 1

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation • Generating an SSL Certificate Using the openssl Command on page 356
• Generating a Self-Signed SSL Certificate on page 356

hostkey-algorithm

Supported Platforms M Series, MX Series, SRX Series, vSRX

Syntax hostkey-algorithm (algorithm | no-algorithm);

Hierarchy Level [edit system services ssh]

Release Information Statement introduced in Junos OS Release 11.2.
(algorithm | no-algorithm) statements introduced in Junos OS Release 12.2.

Description Allow or disallow a host-key signature algorithm for the SSH host to use to authenticate
another host.

Options algorithm—Allow the following host-key signature algorithms:

• ssh-ecdsa—Allow generation of an ECDSA host-key.

• ssh-dss—Allow generation of a 1024-bit DSA host-key.

NOTE: DSA keys are not supported in FIPS, so the ssh-dss option is not
available on systems operating in FIPS mode.

• ssh-rsa—Allow generation of an RSA host-key.

no-algorithm—Do not allow the following host-key signature algorithms:

• no-ssh-dss—Do not allow generation of a 1024-bit Digital Signature Algorithm (DSA) host-key.

• no-ssh-ecdsa—Do not allow generation of an Elliptic Curve Digital Signature Algorithm (ECDSA) host-key.

• no-ssh-rsa—Do not allow generation of an RSA host-key.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Generating an SSL Certificate Using the openssl Command on page 356
• Generating a Self-Signed SSL Certificate on page 356
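The host (SSH Known Hosts) statement and the hostkey-algorithm statement above cover the two directions of SSH host authentication: which host-key algorithms this device will use, and which remote host keys it will trust when it is the client (for example when copying an archive or a configuration to another host). The configuration below is an added example, not from this guide or from Juniper. The host name backup.example.net and the key string are placeholders; the real base64 key is taken from the peer over a trusted channel. The hmac-sha2-256 and hmac-sha2-512 values for the macs statement are known Junos options but are not listed on this page.

```junos
/* Added example, not from the Juniper guide. Host name and key value are
   placeholders; macs values are from Junos, not from this page. */
system {
    services {
        ssh {
            /* Refuse the 1024-bit DSA host key; offer ECDSA and RSA only.
               (ssh-dss is unavailable in FIPS mode in any case.) */
            hostkey-algorithm no-ssh-dss;
            hostkey-algorithm ssh-ecdsa;
            hostkey-algorithm ssh-rsa;
            /* SHA-2 based MACs only (options introduced in Release 12.1). */
            macs [ hmac-sha2-256 hmac-sha2-512 ];
        }
    }
}
security {
    /* Pin the peer's host key so that scripted SSH or SCP sessions from
       this device fail rather than silently accept an unknown key. */
    ssh-known-hosts {
        host backup.example.net {
            ecdsa-sha2-nistp256-key AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPLACEHOLDER;
        }
    }
}
```

Pinning matters most for unattended transfers such as the syslog archive-sites copy, where no operator is present to notice a changed fingerprint. Rotating the peer's host key then requires updating this entry, which is the intended cost.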

idle-timeout (System)

Supported Platforms SRX Series, vSRX

Syntax idle-timeout idle-timeout;

Hierarchy Level [edit system login]

Release Information Statement introduced in Junos OS Release 16.1 for the M Series, MX Series, and PTX
Series.
Statement introduced in Junos OS Release 15.1X49-D70 for the vSRX, SRX4100, SRX4200
and SRX1500 devices.

Description Configure the maximum time for which the C shell or CLI console session can be idle.
The user (including the root user) is logged out after the expiry of idle-timeout.

Options idle-timeout—Maximum idle time before logout.
Range: 1 through 60 minutes

Required Privilege Level admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

interface (System Services DHCP)

Supported Platforms SRX Series, vSRX

Syntax interface interface-name {
exclude;
overrides {
interface-client-limit number;
}
trace;
upto upto-interface-name;
}

Hierarchy Level [edit system services dhcp-local-server dhcpv6 group group-name]

Release Information Statement introduced in Junos OS Release 10.4.

Description Specify one or more interfaces, or a range of interfaces, that are within a specified group
on which the DHCP local server is enabled. You can repeat the interface interface-name
statement to specify multiple interfaces within a group, but you cannot specify the same
interface in more than one group.

Options • interface-name—Name of the interface.

• trace—Enable tracing of the interface specified by the interface-name argument.

• upto upto-interface-name—The upper end of the range of interfaces; the lower end of
the range is the interface-name entry. The interface device name of the
upto-interface-name must be the same as the device name of the interface-name.

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423
• DHCP Server Configuration Overview on page 448
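The dhcp-local-server, dhcpv6 (System Services), group, and interface statements documented above describe one hierarchy; the configuration below is an added example (not from this guide or from Juniper) that puts them together for a DHCPv6 local server on a range of logical interfaces. The interface units (ge-0/0/1.100 through ge-0/0/1.199, with ge-0/0/1.150 excluded), the group name, the pool name lan-pd-pool, and the BFD timer values are assumptions. The range uses logical units of one physical interface because, as the interface statement's Options note, the upto interface must share the device name of the starting interface.

```junos
/* Added example, not from the Juniper guide. Interface units, group name,
   pool name and timer values are assumptions. */
system {
    services {
        dhcp-local-server {
            dhcpv6 {
                /* One group per trust boundary; an interface may belong
                   to only one group. */
                group lan-v6 {
                    /* Serve units .100 through .199 of ge-0/0/1 ... */
                    interface ge-0/0/1.100 {
                        upto ge-0/0/1.199;
                    }
                    /* ... but not .150, which is reserved for static hosts. */
                    interface ge-0/0/1.150 {
                        exclude;
                    }
                    overrides {
                        /* Prefixes come from this address-assignment pool. */
                        delegated-pool lan-pd-pool;
                        /* Cap bindings per interface so one port cannot
                           exhaust the pool for the others. */
                        interface-client-limit 50;
                        /* Two-message exchange for faster assignment. */
                        rapid-commit;
                    }
                    /* Release the lease when the client stops answering BFD,
                       so stale bindings do not pin addresses. */
                    liveness-detection {
                        failure-action clear-binding;
                        method {
                            bfd {
                                version automatic;
                                session-mode single-hop;
                                minimum-interval 1000;
                                multiplier 3;
                            }
                        }
                    }
                }
            }
        }
    }
}
```

The interface-client-limit and liveness-detection settings are the two resource controls in this hierarchy: the first bounds how much of the pool any single interface can consume, the second reclaims what disconnected clients leave behind. Both are per-group here, but the syntax also allows overrides on an individual interface.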

interfaces (ARP)

Supported Platforms SRX Series, vSRX

Syntax interfaces {
interface-name {
aging-timer minutes;
}
}

Hierarchy Level [edit system arp]

Release Information Statement introduced before Junos OS Release 9.4.

Description Specify the Address Resolution Protocol (ARP) aging timer in minutes for a logical
interface.

Options aging-timer minutes—Time between ARP updates, in minutes.

Range: 1 through 240

Default: 20

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423
• DHCP Server Configuration Overview on page 448

interfaces (Security Zones)

Supported Platforms SRX Series, vSRX

Syntax interfaces interface-name {
host-inbound-traffic {
protocols protocol-name {
except;
}
system-services service-name {
except;
}
}
}

Hierarchy Level [edit security zones functional-zone management],
[edit security zones security-zone zone-name]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the set of interfaces that are part of the zone.

Options interface-name—Name of the interface.

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.

Related Documentation • Understanding Security Zones
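The interfaces (Security Zones) statement above is where the device's own listening services are exposed or withheld per interface. The configuration below is an added example (not from this guide or from Juniper) that applies least privilege to host-inbound traffic: management services only on the management interface, only DHCPv6 on the WAN, and a zone-wide allowance on the LAN that a guest interface narrows with except. The zone names, the interface names (fxp0.0, ge-0/0/0.0, ge-0/0/1.100, ge-0/0/1.101) and the choice of services are assumptions; the zone-level host-inbound-traffic block that the per-interface except statements narrow is Junos syntax not shown on this page.

```junos
/* Added example, not from the Juniper guide. Zone and interface names and
   the chosen services are assumptions. */
security {
    zones {
        /* Management interface: SSH and ping, nothing else. */
        functional-zone management {
            interfaces {
                fxp0.0 {
                    host-inbound-traffic {
                        system-services {
                            ssh;
                            ping;
                        }
                    }
                }
            }
        }
        /* WAN: the only thing the device itself needs to accept here is
           DHCPv6 for its own client; no management, no routing protocols. */
        security-zone untrust {
            interfaces {
                ge-0/0/0.0 {
                    host-inbound-traffic {
                        system-services {
                            dhcpv6;
                        }
                    }
                }
            }
        }
        security-zone trust {
            /* Zone-wide allowance (zone-level block, not on this page). */
            host-inbound-traffic {
                system-services {
                    ssh;
                    ping;
                    dhcpv6;
                }
                protocols {
                    ospf3;
                }
            }
            interfaces {
                /* Staff segment inherits the zone allowance unchanged. */
                ge-0/0/1.100;
                /* Guest segment: no SSH to the firewall, no OSPFv3 adjacency. */
                ge-0/0/1.101 {
                    host-inbound-traffic {
                        system-services {
                            ssh {
                                except;
                            }
                        }
                        protocols {
                            ospf3 {
                                except;
                            }
                        }
                    }
                }
            }
        }
    }
}
```

The except keyword only subtracts from what the zone already permits, so the safest pattern is a minimal zone-level list with per-interface exceptions for segments that deserve even less, rather than a permissive zone trimmed interface by interface.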

interface-traceoptions (System Services DHCP)

Supported Platforms SRX Series, vSRX

Syntax interface-traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
level (all | error | info | notice | verbose | warning);
no-remote-trace;
}

Hierarchy Level [edit routing-instances routing-instance-name system services dhcp-local-server],
[edit system services dhcp-local-server]

Release Information Statement introduced in Junos OS Release 10.4.

Description Configure extended DHCP local server tracing operations that can be enabled on a specific
interface or group of interfaces. You use the interface interface-name trace statement at
the [edit system services group group-name] hierarchy level to enable the tracing operation
on the specific interfaces.

Options file-name—Name of the file to receive the output of the tracing operation. Enclose the
name in quotation marks (“ ”). All files are placed in a file named jdhcpd in the
directory /var/log. If you include the file statement, you must specify a filename.

files number—(Optional) Maximum number of trace files. When a trace file named
trace-file reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and
so on, until the maximum number of trace files is reached. Then the oldest trace file
is overwritten. If you specify a maximum number of files, you also must specify a
maximum file size with the size option.
Range: 2 through 1000
Default: 3 files

flag flag—Tracing operation to perform. To specify more than one tracing operation,
include multiple flag statements. You can include the following flags:

• all—Trace all events

• dhcpv6-packet—Trace DHCPv6 packet decoding operations.

• dhcpv6-packet-option—Trace DHCPv6 option decoding operations.

• dhcpv6-state—Trace changes in state for DHCPv6 operations.

• packet—Trace packet decoding operations

• packet-option—Trace DHCP option decoding operations

• state—Trace changes in state

match regular-expression—(Optional) Refine the output to include lines that contain the
regular expression.

no-remote-trace—Disable remote tracing.

no-world-readable—(Optional) Disable unrestricted file access.

size size—(Optional) Maximum size of each trace file, in kilobytes (KB), megabytes (MB),
or gigabytes (GB). If you specify a maximum file size, you also must specify a
maximum number of trace files with the files option.
Syntax: xk to specify KB, xm to specify MB, or xg to specify GB
Range: 10 KB through 1 GB
Default: 128 KB

world-readable—(Optional) Enable unrestricted file access.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423
• DHCP Server Configuration Overview on page 448
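The interface-traceoptions statement above only defines what is traced and where; tracing is switched on per interface with the trace statement in the group. The configuration below is an added example (not from this guide or from Juniper) that bounds the trace output, keeps it unreadable to non-root users, and arms it on a single interface. The file name, the interface unit ge-0/0/1.100, the group name and the size and file counts are assumptions.

```junos
/* Added example, not from the Juniper guide. File name, group name,
   interface unit and rotation numbers are assumptions. */
system {
    services {
        dhcp-local-server {
            interface-traceoptions {
                file {
                    filename jdhcpd-v6-trace;
                    /* Rotate at 1 MB, keep 5 files: bounded disk use. Both
                       size and files must be given together. */
                    size 1m;
                    files 5;
                    /* Trace files hold client identifiers; keep them root-only. */
                    no-world-readable;
                    /* Only lines mentioning the interface under investigation. */
                    match "ge-0/0/1.100";
                }
                /* Trace DHCPv6 state changes and packet decoding, not everything. */
                flag dhcpv6-state;
                flag dhcpv6-packet;
                level info;
                no-remote-trace;
            }
            dhcpv6 {
                group lan-v6 {
                    /* Tracing is enabled here, for this one interface only. */
                    interface ge-0/0/1.100 {
                        trace;
                    }
                }
            }
        }
    }
}
```

Selecting specific flags and a single interface keeps the trace small enough to read and avoids logging every client on the device while one is being debugged; the trace statement is removed again once the investigation is over.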

internet-options

Supported Platforms SRX Series, vSRX

Syntax internet-options {
icmpv4-rate-limit {
bucket-size seconds;
packet-rate packet-rate;
}
icmpv6-rate-limit {
bucket-size seconds;
packet-rate packet-rate;
}
ipv6-duplicate-addr-detection-transmits number;
no-path-mtu-discovery;
no-source-quench;
no-tcp-reset;
no-tcp-rfc1323;
no-tcp-rfc1323-paws;
path-mtu-discovery;
source-port {
upper-limit range;
}
source-quench;
tcp-drop-synfin-set;
}

Hierarchy Level [edit system]

Release Information Statement introduced in Junos OS Release 11.1.

Description Configure tunable options for Internet operations.

Options • icmpv4-rate-limit—Configure rate-limiting parameters for Internet Control Message Protocol version 4 (ICMPv4) messages.

• bucket-size seconds—Set ICMP rate-limiting maximum bucket size in seconds.

• packet-rate packet-rate—Set ICMP rate-limiting packets earned per second.

• icmpv6-rate-limit—Configure rate-limiting parameters for Internet Control Message Protocol version 6 (ICMPv6) messages.

• bucket-size seconds—Set ICMP rate-limiting maximum bucket size in seconds.

• packet-rate packet-rate—Set ICMP rate-limiting packets earned per second.

• ipv6-duplicate-addr-detection-transmits number—Control the number of attempts for IPv6 duplicate address detection.

• no-path-mtu-discovery—Do not enable path maximum transmission unit (MTU) discovery on TCP connections.

• no-source-quench—Do not react to incoming ICMP source quench messages.

• no-tcp-reset—Do not send RST TCP packets for packets sent to non-listening ports.

• no-tcp-rfc1323—Disable RFC 1323 TCP extensions.

• no-tcp-rfc1323-paws—Disable RFC 1323 Protection Against Wrapped Sequence Number extension.

• path-mtu-discovery—Enable path MTU discovery on TCP connections.

• source-port—Configure source port selection parameters.

• upper-limit range—Specify upper limit of source port selection range.

• source-quench—React to incoming ICMP source quench messages.

• tcp-drop-synfin-set—Drop TCP packets that have both SYN and FIN flags.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.
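The internet-options statement above collects the host stack's protocol tunables. The configuration below is an added example (not from this guide or from Juniper) of the subset that hardens the device's own control plane: rate-limited ICMP, rejection of SYN+FIN packets, silence toward closed ports, and no reaction to source quench. The numeric values are illustrative choices, not recommendations from the guide.

```junos
/* Added example, not from the Juniper guide. All values are illustrative. */
system {
    internet-options {
        /* Bound how fast the control plane answers ICMP: a 5-second bucket
           earning 50 packets per second, for both address families. */
        icmpv4-rate-limit {
            bucket-size 5;
            packet-rate 50;
        }
        icmpv6-rate-limit {
            bucket-size 5;
            packet-rate 50;
        }
        /* A segment with both SYN and FIN set is never produced by a
           conforming TCP stack; drop it rather than guess at its intent. */
        tcp-drop-synfin-set;
        /* Do not answer unsolicited segments to closed ports with RST.
           Caveat: this also slows down legitimate clients that would
           otherwise learn immediately that a port is closed. */
        no-tcp-reset;
        /* ICMP source quench is deprecated and trivially spoofed. */
        no-source-quench;
        /* Use the full upper range for ephemeral source ports. */
        source-port {
            upper-limit 65535;
        }
        /* One DAD probe per new IPv6 address is enough on a stable link. */
        ipv6-duplicate-addr-detection-transmits 1;
    }
}
```

Two of these settings trade diagnosability for exposure: no-tcp-reset hides closed ports but also makes connection failures take longer to surface, and the ICMP limits will show up as dropped pings during a flood. Both are worth noting in the runbook so that the behaviour is not mistaken for a fault.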

kernel-replication (System)

Supported Platforms SRX Series, vSRX

Syntax kernel-replication;

Hierarchy Level [edit system]

Release Information Statement introduced in Junos OS Release 11.1.

Description Configure kernel replication.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

lease-time (dhcp-client)

Supported Platforms SRX Series, vSRX

Syntax lease-time seconds;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client]

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Specify the time to negotiate and exchange Dynamic Host Configuration Protocol (DHCP)
information.

Options seconds—Request time to negotiate and exchange information.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423

location

Supported Platforms SRX Series, vSRX

Syntax location {
altitude feet;
building name;
country-code code;
floor number;
hcoord horizontal-coordinate;
lata service-area;
latitude degrees;
longitude degrees;
npa-nxx number;
postal-code postal-code;
rack number;
vcoord vertical-coordinate;
}

Hierarchy Level [edit system]

Release Information Statement introduced in Junos OS Release 8.5.

Description Configure the physical location of the device.

Options • altitude feet—Number of feet above sea level.

• building name—Name of building. The name of the building can be 1 to 28 characters in length. If the string contains spaces, enclose it in quotation marks (" ").

• country-code code—Two-letter country code.

• floor number—Floor number in the building.

• hcoord horizontal-coordinate—Bellcore Horizontal Coordinate.

• lata service-area—Long-distance service area.

• latitude degrees—Latitude in degree format.

• longitude degrees—Longitude in degree format.

• npa-nxx number—First six digits of the phone number (area code and exchange).

• postal-code postal-code—Zip code or Postal code.

• rack number—Rack number.

• vcoord vertical-coordinate—Bellcore Vertical Coordinate.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.


lockout-period

Supported Platforms M Series, MX Series, SRX Series, T Series

Syntax lockout-period minutes;

Hierarchy Level [edit system login retry-options]

Release Information Statement introduced in Junos OS Release 11.2.

Description Configure the amount of time before the user can attempt to log in to the router after
being locked out due to the number of failed login attempts specified in the
tries-before-disconnect statement.

Options minutes—Amount of time before the user can attempt to log in after being locked out.
Default: Off
Range: 1 through 43200

Required Privilege Level admin—To view this statement in the configuration.
admin-control—To add this statement to the configuration.

Related Documentation • Limiting the Number of User Login Attempts for SSH and Telnet Sessions
• Handling Authorization Failure on page 33

• Example: Configuring System Retry Options on page 34

• retry-options

• clear system login lockout on page 669

• show system login lockout on page 757


macs

Supported Platforms MX Series, PTX Series, SRX Series, vSRX

Syntax macs [algorithm1 algorithm2...]

Hierarchy Level [edit system services ssh]

Release Information Statement introduced in Junos OS Release 11.2. SHA-2 options introduced in Junos OS
Release 12.1.

Description Specify the set of message authentication code (MAC) algorithms that the SSH server
can use to authenticate messages.

Options Specify one or more of the following MAC algorithms to authenticate messages:

• hmac-md5—Hash-based MAC using Message-Digest 5 (MD5)

• hmac-md5-96—96-bit hash-based MAC using MD5

• hmac-md5-96-etm@openssh.com—96-bit hash-based Encrypt-then-MAC using MD5

• hmac-md5-etm@openssh.com—Hash-based Encrypt-then-MAC using MD5

• hmac-ripemd160—Hash-based MAC using RIPEMD

• hmac-ripemd160-etm@openssh.com—Hash-based Encrypt-then-MAC using RIPEMD

• hmac-sha1—Hash-based MAC using Secure Hash Algorithm 1 (SHA-1)

• hmac-sha1-96—96-bit hash-based MAC using SHA-1

• hmac-sha1-96-etm@openssh.com—96-bit hash-based Encrypt-then-MAC using SHA-1

• hmac-sha1-etm@openssh.com—Hash-based Encrypt-then-MAC using SHA-1

• hmac-sha2-256—256-bit hash-based MAC using Secure Hash Algorithm 2 (SHA-2)

• hmac-sha2-256-etm@openssh.com—Hash-based Encrypt-then-MAC using SHA-2

• hmac-sha2-512—512-bit hash-based MAC using SHA-2

• hmac-sha2-512-etm@openssh.com—Hash-based Encrypt-then-MAC using SHA-2

• umac-128-etm@openssh.com—Encrypt-then-MAC using the UMAC-128 algorithm specified
in RFC 4418

• umac-128@openssh.com—UMAC-128 algorithm specified in RFC 4418

• umac-64-etm@openssh.com—Encrypt-then-MAC using the UMAC-64 algorithm specified
in RFC 4418

• umac-64@openssh.com—UMAC-64 algorithm specified in RFC 4418


NOTE: The macs configuration statement represents a set. Therefore, it must
be configured as shown in the following example.

user@host# set system services ssh macs [hmac-md5 hmac-sha1]

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • key-exchange
• ciphers on page 557
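Because macs is a set, a configuration review has to look at the whole bracketed list rather than one line. The following Python audit is an added example, not code from Juniper's documentation: it parses the macs statement out of a set-style Junos configuration (the sample configuration and the review policy that treats MD5, RIPEMD-160, SHA-1 and truncated-tag MACs as legacy are constructed assumptions of this example) and proposes a replacement set line built only from the algorithm names listed above.

```python
import re
from typing import Dict, List

# Constructed sample of a set-style Junos configuration (not from the page).
SAMPLE_CONFIG = """\
set system services ssh root-login deny
set system services ssh protocol-version v2
set system services ssh macs [ hmac-md5 hmac-sha1-96 hmac-sha2-256-etm@openssh.com hmac-sha2-512 ]
set system services ssh max-pre-authentication-packets 128
"""

# MAC algorithm names exactly as the macs statement documents them.
ALL_MACS = {
    "hmac-md5", "hmac-md5-96", "hmac-md5-96-etm@openssh.com", "hmac-md5-etm@openssh.com",
    "hmac-ripemd160", "hmac-ripemd160-etm@openssh.com",
    "hmac-sha1", "hmac-sha1-96", "hmac-sha1-96-etm@openssh.com", "hmac-sha1-etm@openssh.com",
    "hmac-sha2-256", "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512", "hmac-sha2-512-etm@openssh.com",
    "umac-128-etm@openssh.com", "umac-128@openssh.com",
    "umac-64-etm@openssh.com", "umac-64@openssh.com",
}

# Review policy assumed by this example (not a Juniper recommendation): prefer
# SHA-2 and UMAC-128 in Encrypt-then-MAC form, treat MD5/RIPEMD/SHA-1 based
# MACs and 64-bit truncated tags as legacy entries a reviewer should question.
PREFERRED = {
    "hmac-sha2-256-etm@openssh.com",
    "hmac-sha2-512-etm@openssh.com",
    "umac-128-etm@openssh.com",
}

MACS_RE = re.compile(r"^set system services ssh macs\s+(.+?)\s*$", re.M)


def parse_macs(config: str) -> List[str]:
    """Return the configured MAC names from a set-style Junos configuration.

    Junos renders a set-valued statement either as `macs name` (one value) or
    as `macs [ name1 name2 ]`, so both forms are accepted.
    """
    match = MACS_RE.search(config)
    if not match:
        return []
    value = match.group(1).strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return value.split()


def is_legacy(mac: str) -> bool:
    """True for MD5, RIPEMD-160 and SHA-1 based MACs and for UMAC-64 tags."""
    return mac.startswith(("hmac-md5", "hmac-ripemd160", "hmac-sha1", "umac-64"))


def audit_macs(config: str) -> Dict[str, object]:
    """Classify the configured MACs and build a replacement set line."""
    macs = parse_macs(config)
    unknown = [m for m in macs if m not in ALL_MACS]
    legacy = [m for m in macs if m in ALL_MACS and is_legacy(m)]
    keep = [m for m in macs if m in ALL_MACS and not is_legacy(m)]
    # With no macs statement the SSH server's built-in list applies, which a
    # configuration-only review cannot see; report it rather than guess.
    if not macs:
        status = "default"
    elif legacy or unknown:
        status = "review"
    else:
        status = "ok"
    proposed = sorted(set(keep) | PREFERRED)
    return {
        "status": status,
        "configured": macs,
        "legacy": legacy,
        "unknown": unknown,
        "proposed_set": "set system services ssh macs [ " + " ".join(proposed) + " ]",
    }


if __name__ == "__main__":
    for key, value in audit_macs(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```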

max-pre-authentication-packets

Supported Platforms SRX Series, vSRX

Syntax max-pre-authentication-packets value;

Hierarchy Level [edit system services ssh]

Release Information Statement introduced in Junos OS Release 12.3X48-D10.

Description Define the number of pre-authentication SSH packets that the SSH server will accept
prior to user authentication.

Options value—Maximum number of pre-authentication SSH packets that the server will accept.
Range: 20 through 2147483647.
Default: 128

Required Privilege Level admin-control—To add this statement to the configuration.

Related Documentation • The ssh Command on page 396


multicast-client

Supported Platforms SRX Series

Syntax multicast-client <address>;

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description For NTP, configure the SRX Series device to listen for multicast messages on the local
network to discover other servers on the same subnet.

Options address—(Optional) One or more IP addresses. If you specify addresses, the SRX Series
device joins those multicast groups.
Default: 224.0.1.1.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 609

name-server (Access)

Syntax name-server address;

Hierarchy Level [edit access address-assignment pool <name> family (inet | inet6) xauth-attributes]

Release Information Statement introduced in Junos OS Release 10.4.

Description Specify the DNS server IP address for an address-assignment pool.

Required Privilege Level access—To view this statement in the configuration.
access-control—To add this statement to the configuration.

Related Documentation • address-assignment (Access) on page 546


neighbor-discovery-router-advertisement (Access)

Supported Platforms SRX Series, vSRX

Syntax neighbor-discovery-router-advertisement ndra-pool-name;

Hierarchy Level [edit access address-assignment]

Release Information Statement introduced in Junos OS Release 10.4.

Description Configure the name of the address-assignment pool used to assign the router
advertisement prefix.

Options ndra-pool-name—Name of the address assignment pool.

Required Privilege Level access—To view this statement in the configuration.
access-control—To add this statement to the configuration.



ntp

Supported Platforms SRX Series

Syntax ntp {
authentication-key key-number type md5 value <password>;
boot-server <address>;
broadcast <address> <key key-number> <routing-instance routing-instance-name> <version
value> <ttl value>;
broadcast-client;
multicast-client <address>;
peer address <key key-number> <version value> <prefer>;
server address <key key-number> <version value> <prefer>;
source-address source-address <routing-instance routing-instance-name>;
trusted-key [key-numbers];
}

Hierarchy Level [edit system]

Release Information Statement introduced before Junos OS Release 7.4.

Description Configure Network Time Protocol (NTP) on the SRX Series device.

The remaining statements are explained separately.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.


outbound-ssh

Supported Platforms SRX Series, vSRX

Syntax outbound-ssh {
client client-id {
address address {
port port-number;
retry number;
timeout seconds;
}
device-id device-id;
keep-alive {
retry number;
timeout seconds;
}
reconnect-strategy (in-order | sticky);
secret password;
services netconf;
}
traceoptions {
file filename <files number> <match regex> <size size> <world-readable |
no-world-readable>;
flag flag;
no-remote-trace;
}
}

Hierarchy Level [edit system services]

Release Information Statement introduced in Junos OS Release 10.4. Support for IPv6 address added in Junos
OS Release 12.1X47-D15.

Description Initiate outbound SSH connections.

Options client client-id—Defines a device-initiated connection. This value serves to uniquely identify
the outbound-ssh configuration stanza. Each outbound-ssh stanza represents a
single outbound SSH connection. Thus, the administrator is free to assign the client-id
any meaningful unique value.

address address—Specifies the IPv4 or IPv6 address or hostname of the client.

port port-number—Specifies the port at which a server listens for outbound SSH connection
requests.

retry number—Specifies the maximum number of connection attempts a device can make
to the specified IP address. The default is three attempts.

timeout seconds—Specifies how long the application waits between attempts to reconnect
to the specified IP address, in seconds. The default is 15 seconds.


device-id device-id—Identifies the device to the management client. Each time the device
establishes an outbound SSH connection, it first sends an initiation sequence
(device-id) to the management client.

keep-alive—Enables the device to send SSH protocol keepalive messages to the client
application. The timeout statement specifies how long the device waits to receive
data before sending a request for acknowledgment from the application. The default
is 15 seconds. The retry statement specifies how many keepalive messages the router
sends without receiving a response from the client. When that number is exceeded,
the device disconnects from the application, ending the outbound SSH connection.
The default is three retries.

reconnect-strategy (in-order | sticky)—Specifies how the device reconnects to the server
after a connection is dropped.
in-order—Configures the device to reconnect to the first configured server. If this
server is unavailable, the device tries to connect to the next configured server. This
process repeats until a connection is completed.

sticky—Configures the device to reconnect to the server from which it disconnected.

secret password—Sends the device’s public SSH host key when the device connects to
the client.

services netconf—Configures the application to accept NETCONF as an available service.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • traceoptions (Outbound SSH) on page 641
• Configuring Outbound SSH Service on page 397


overrides (System Services DHCP)

Supported Platforms SRX Series, vSRX

Syntax overrides {
interface-client-limit number;
}

Hierarchy Level [edit system services dhcp-local-server dhcpv6]
[edit system services dhcp-local-server dhcpv6 group group-name]
[edit system services dhcp-local-server dhcpv6 group group-name interface interface-name]

Release Information Statement introduced in Junos OS Release 10.4.

Description Override the default configuration settings for the extended DHCP local server. Specifying
the overrides statement with no subordinate statements removes all DHCP local server
overrides at that hierarchy level.

• To override global DHCP local server configuration options, include the overrides
statement and its subordinate statements at the [edit system services dhcp-local-server]
hierarchy level.

• To override configuration options for a named group of interfaces, include the
statements at the [edit system services dhcp-local-server dhcpv6 group group-name]
hierarchy level.

• To override configuration options for a specific interface within a named group of
interfaces, include the statements at the [edit system services dhcp-local-server dhcpv6
group group-name interface interface-name] hierarchy level.

• Use the DHCPv6 hierarchy levels to override DHCPv6 configuration options.

Options interface-client-limit number—Sets the maximum number of DHCP clients per interface
allowed for a specific group or for all groups. A group specification takes precedence
over a global specification for the members of that group.
Range: 1 through 500,000
Default: No limit

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423


peer (NTP)

Supported Platforms SRX Series

Syntax peer address <key key-number> <version value> <prefer>;

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description For NTP, configure the SRX Series device to operate in symmetric active mode with the
remote system at the specified address. In this mode, the SRX Series device and the
remote system can synchronize with each other. This configuration is useful in a network
in which either the SRX Series device or the remote system might be a better source of
time.

Options address—Address of the remote system. You must specify an address, not a hostname.

key key-number—(Optional) All packets sent to the address include authentication fields
that are encrypted using the specified key number.
Range: Any unsigned 32-bit integer

prefer—(Optional) Mark the remote system as the preferred host, which means that if
all other factors are equal, this remote system is chosen for synchronization among
a set of correctly operating systems.

version value—(Optional) Specify the NTP version number to be used in outgoing NTP
packets.
Range: 1 through 4
Default: 4

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 609


prefix

Supported Platforms SRX Series, vSRX

Syntax prefix {
host-name;
logical-system-name;
routing-instance-name;
}

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client
client-identifier]

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Specify a prefix as a client identifier.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.



profilerd

Supported Platforms SRX Series, vSRX

Syntax profilerd {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the profiler process.

Options • command binary-file-path—Path to binary for process.

• disable—Disable the profiler process.

• failover—Configure the device to reboot if the software process fails four times within
30 seconds, and specify the software to use during the reboot.

• alternate-media—Configure the device to switch to backup media that contains a
version of the system if a software process fails repeatedly.

• other-routing-engine—Instruct the secondary Routing Engine to take mastership if
a software process fails. If this statement is configured for a process, and that process
fails four times within 30 seconds, then the device reboots from the secondary
Routing Engine.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.


proxy

Supported Platforms SRX Series, vSRX

Syntax proxy {
password password;
port port-number;
server url;
username user-name;
}

Hierarchy Level [edit system]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the proxy information for the router.

Options • password password—Password configured on the proxy server.

• port port-number—Proxy server port number.
Range: 0 through 65,535

• server url—URL or IP address of the proxy server host.

• username user-name—Username configured on the proxy server.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.


radius-options

Supported Platforms SRX Series

Syntax radius-options {
attributes {
nas-ip-address nas-ip-address;
}
password-protocol mschap-v2;
}

Hierarchy Level [edit system]

Release Information Statement introduced in Junos OS Release 8.5. Support for network access server (NAS)
IPv6 address added in Junos OS Release 12.1X47-D15 for SRX1500, SRX5400, SRX5600,
and SRX5800 devices.

Description Configure RADIUS options for the NAS-IP address for outgoing RADIUS packets and
password protocol used in RADIUS packets.

Options • attributes—Configure RADIUS attributes.

• nas-ip-address nas-ip-address—Valid IPv4 or IPv6 address of the NAS requesting
user authentication.

• password-protocol mschap-v2—Protocol MS-CHAPv2, used for password authentication
and password changing.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • radius-server on page 618


radius-server

Supported Platforms SRX Series

Syntax radius-server server-address {
accounting-port port-number;
max-outstanding-requests value;
port port-number;
retry value;
secret password;
source-address source-address;
timeout seconds;
}

Hierarchy Level [edit system]

Release Information Statement introduced in Junos OS Release 8.5. Support for IPv6 source address added
in Junos OS Release 12.1X47-D15 for SRX1500, SRX5400, SRX5600, and SRX5800
devices.

Description Configure the RADIUS server address for subscriber access management, Layer 2 Tunneling
Protocol (L2TP), or Point-to-Point Protocol (PPP).

To configure multiple RADIUS servers, include multiple radius-server statements. The
servers are tried in order and in a round-robin fashion until a valid response is received
from one of the servers or until all the configured retry limits are reached.

Options • server-address—Address of the RADIUS server.

• accounting-port port-number—RADIUS server accounting port number.
Range: 1 through 65,535
Default: 1813

• port port-number—RADIUS server authentication port number.
Range: 1 through 65,535
Default: 1812

• retry value—Number of times that the router is allowed to attempt to contact a RADIUS
server.
Range: 1 through 10
Default: 3

• secret password—Password to use; it can include spaces if the character string is
enclosed in quotation marks.

• max-outstanding-requests value—Maximum number of outstanding requests in flight
to the server.


Range: 1 through 65,535

• source-address source-address—Valid IPv4 or IPv6 address configured on one of the
router or switch interfaces.

• timeout seconds—Amount of time to wait for a response from the RADIUS server.
Range: 1 through 90 seconds
Default: 3 seconds

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

rapid-commit

Supported Platforms SRX Series, vSRX

Syntax rapid-commit;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10 for SRX300, SRX320, SRX340,
SRX550M, and SRX1500 devices.

Description Used to signal the use of the two-message exchange for address assignment.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • DHCPv6 Client Overview on page 491
• Understanding DHCPv6 Client and Server Identification on page 489


reconfigure (System Services DHCP)

Supported Platforms SRX Series, vSRX

Syntax reconfigure {
attempts number;
clear-on-abort;
strict;
timeout number;
token token-name;
trigger {
radius-disconnect;
}
}

Hierarchy Level [edit system services dhcp-local-server dhcpv6]
[edit system services dhcp-local-server group group-name]
[edit system services dhcp-local-server dhcpv6 group group-name]

Release Information Statement introduced in Junos OS Release 10.4.

Description Enable dynamic reconfiguration triggered by the DHCP local server of all DHCP clients
or only the DHCP clients serviced by the specified group of interfaces. A group
configuration takes precedence over a DHCP local server configuration.

Options attempts number—Configure the maximum number of attempts to reconfigure all DHCP
clients or only the DHCP clients serviced by the specified group of interfaces before
reconfiguration is considered to have failed. A group configuration takes precedence
over a DHCP local server configuration.
Range: 1 through 10 attempts
Default: 8 attempts

clear-on-abort—Delete all DHCP clients or only the DHCP clients serviced by the specified
group of interfaces when reconfiguration fails; that is, when the maximum number
of retry attempts have been made without success. A group configuration takes
precedence over a DHCP local server configuration.

strict—Configure the system to only allow packets that contain the reconfigure accept
option.

timeout seconds—Configure the initial value in seconds between attempts to reconfigure
all DHCP clients or only the DHCP clients serviced by the specified group of interfaces.
Each successive attempt doubles the interval between attempts. For example, if
the first value is 2, the first retry is attempted 2 seconds after the first attempt fails.
The second retry is attempted 4 seconds after the first retry fails. The third retry is
attempted 8 seconds after the second retry fails, and so on. A group configuration
takes precedence over a DHCP local server configuration.
Range: 1 through 10 seconds


Default: 2 seconds

token token-name—Configure a plain-text token for all DHCP clients or only the DHCP
clients serviced by the specified group of interfaces. The default is null (empty string).

trigger—Specify the DHCP reconfigure trigger.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423
• DHCP Server Configuration Overview on page 448


req-option

Supported Platforms SRX Series, vSRX

Syntax req-option (dns-server | domain | fqdn | nis-domain | nis-server | ntp-server | sip-domain |
sip-server | time-zone | vendor-spec);

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10 for SRX300, SRX320, SRX340,
SRX550M, and SRX1500 devices.

Description The configuration options requested by the DHCPv6 client.

Options dns-server—Specify a DNS server.

domain—Specify a domain name.

fqdn—Specify a fully qualified domain name.

nis-domain—Specify a Network Information Service (NIS) domain.

nis-server—Specify a Network Information Service (NIS) server.

ntp-server—Specify a Network Time Protocol (NTP) server.

sip-domain—Specify a Session Initiation Protocol (SIP) domain.

sip-server—Specify a Session Initiation Protocol (SIP) server.

time-zone—Specify a time zone.

vendor-spec—Specify vendor specification.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.


retransmission-attempt (dhcp-client)

Supported Platforms SRX Series, vSRX

Syntax retransmission-attempt number;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client]

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Specify the number of times the device attempts to retransmit a Dynamic Host
Configuration Protocol (DHCP) packet.

Options number—Number of attempts to retransmit the packet.

Range: 0 through 6

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Understanding DHCP Client Operation on page 461
• Minimum DHCP Client Configuration on page 461


retransmission-attempt (dhcpv6-client)

Supported Platforms SRX Series

Syntax retransmission-attempt number;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10 for SRX300, SRX320, SRX340,
SRX550M, and SRX1500 devices.

Description Specify the number of times the device retransmits a DHCPv6 client packet if a DHCPv6
server fails to respond. After the specified number of attempts, no further attempts at
reaching a server are made.

Options number—Number of retransmit attempts

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.



retransmission-interval (dhcp-client)

Supported Platforms SRX Series, vSRX

Syntax retransmission-interval seconds;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client]

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Specify the initial retransmission interval. Successive retransmission intervals are doubled
as described in RFC 2131.

NOTE: Although SRX Series devices implement the exponential backoff described
in RFC 2131, retransmission does not stop when the retransmission interval
reaches 64 seconds. The packet is retransmitted until the configured number of
retransmission attempts is reached. For example, if you configure
retransmission-attempt to 5 and retransmission-interval to 20, the sequence
of retransmission intervals is 20, 40, 80, 160, 320.

Options seconds—Number of seconds before initial retransmission.

Range: 4 through 64 seconds
Default: 4 seconds

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.

Related Documentation • Understanding DHCPv6 Client and Server Identification on page 489
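The doubling schedules described for the dhcp-client retransmission-interval NOTE above and for the reconfigure timeout statement are the same arithmetic, and what a practitioner usually needs from them is the worst-case time until a client gives up. The following Python helper is an added example, not code from Juniper's documentation: it reproduces the page's 20, 40, 80, 160, 320 sequence with no 64-second ceiling (as the NOTE states), shows the RFC 2131 capped schedule beside it for comparison, and enforces the documented CLI ranges so that planning numbers cannot exceed what the device accepts; the function names are this example's own.

```python
from typing import List, Optional, Tuple

# Documented CLI ranges for the dhcp-client statements on this page.
ATTEMPT_RANGE: Tuple[int, int] = (0, 6)     # retransmission-attempt
INTERVAL_RANGE: Tuple[int, int] = (4, 64)   # retransmission-interval, seconds
RECONFIGURE_TIMEOUT_RANGE: Tuple[int, int] = (1, 10)  # reconfigure timeout, seconds
RFC2131_CAP = 64  # RFC 2131 backoff ceiling, which the SRX dhcp-client does not apply


def _check_range(name: str, value: int, bounds: Tuple[int, int]) -> None:
    """Reject values outside the documented range, as the CLI itself would."""
    low, high = bounds
    if not low <= value <= high:
        raise ValueError(f"{name} must be {low} through {high}, got {value}")


def doubling_schedule(initial: int, count: int, cap: Optional[int] = None) -> List[int]:
    """Waits before each successive retry: initial, 2*initial, 4*initial, ...

    When `cap` is given, every wait is clamped to that many seconds.
    """
    waits = []
    for i in range(count):
        wait = initial * (2 ** i)
        waits.append(min(wait, cap) if cap is not None else wait)
    return waits


def srx_dhcp_client_retransmits(attempts: int, interval: int) -> List[int]:
    """Retransmission waits of an SRX dhcp-client: doubling with no ceiling."""
    _check_range("retransmission-attempt", attempts, ATTEMPT_RANGE)
    _check_range("retransmission-interval", interval, INTERVAL_RANGE)
    return doubling_schedule(interval, attempts)


def rfc2131_retransmits(attempts: int, interval: int) -> List[int]:
    """The same schedule with the RFC 2131 ceiling, for comparison only."""
    _check_range("retransmission-attempt", attempts, ATTEMPT_RANGE)
    _check_range("retransmission-interval", interval, INTERVAL_RANGE)
    return doubling_schedule(interval, attempts, cap=RFC2131_CAP)


def reconfigure_retry_waits(retries: int, timeout: int) -> List[int]:
    """Waits between DHCP local server reconfigure retries (reconfigure timeout):
    the initial timeout doubles after every failed attempt."""
    _check_range("reconfigure timeout", timeout, RECONFIGURE_TIMEOUT_RANGE)
    return doubling_schedule(timeout, retries)


def seconds_until_give_up(waits: List[int]) -> int:
    """Worst-case time from the first failed attempt until the last retry fires."""
    return sum(waits)


if __name__ == "__main__":
    srx = srx_dhcp_client_retransmits(5, 20)
    rfc = rfc2131_retransmits(5, 20)
    print("SRX dhcp-client :", srx, "total", seconds_until_give_up(srx), "s")
    print("RFC 2131 capped :", rfc, "total", seconds_until_give_up(rfc), "s")
    print("reconfigure, timeout 2, three retries:", reconfigure_retry_waits(3, 2))
```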


root-authentication

Supported Platforms SRX Series, vSRX

Syntax root-authentication {
encrypted-password password;
load-key-file URL;
plain-text-password;
ssh-dsa public-key {
<from pattern-list>;
}
ssh-rsa public-key {
<from pattern-list>;
}
}

Hierarchy Level [edit system]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify authentication information for the root login.

Options • encrypted-password password—Specify the encrypted authentication password. You
must configure a password of 1 through 128 characters and enclose the password in
quotation marks.

• plain-text-password—The CLI prompts you for a password, encrypts it, and stores the
encrypted version in its user database.

• load-key-file URL—File URL containing one or more SSH keys.

• ssh-dsa public-key—SSH DSA public key string.

• from pattern-list—Pattern list of allowed hosts.

• ssh-rsa public-key—SSH RSA public key string.

• from pattern-list—Pattern list of allowed hosts.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.


single-connection

Supported Platforms SRX Series, vSRX

Syntax single-connection;

Hierarchy Level [edit system accounting destination tacplus server server-address]
[edit system tacplus-server server-address]

Release Information Statement introduced in Junos OS Release 8.5.

Description Optimize the attempt to connect to a TACACS+ server. Junos OS maintains one open
TCP connection to the server for multiple requests rather than opening a connection for
each connection attempt.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.


server (NTP)

Supported Platforms SRX Series

Syntax server address <key key-number> <version value> <prefer>;

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description For NTP, configure the SRX Series device to operate in client mode with the remote
system at the specified address. In this mode, the SRX Series device can be synchronized
with the remote system, but the remote system can never be synchronized with the SRX
Series device.

If the NTP client time drifts so that the difference in time from the NTP server exceeds
128 milliseconds, the client is automatically stepped back into synchronization. If the
offset between the NTP client and server exceeds the 1000-second threshold, the client
still synchronizes with the server, but it also generates a system log message noting that
the threshold was exceeded.

Options address—Address of the remote system. You must specify an address, not a hostname.

key key-number—(Optional) Use the specified key number to encrypt authentication
fields in all packets sent to the specified address.
Range: Any unsigned 32-bit integer

prefer—(Optional) Mark the remote system as the preferred host, which means that if
all other things are equal, this remote system is chosen for synchronization among
a set of correctly operating systems.

version value—(Optional) Specify the version number to be used in outgoing NTP packets.
Range: 1 through 4
Default: 4

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 609


server-address (dhcp-client)

Supported Platforms SRX Series, vSRX

Syntax server-address ip-address;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client]

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Specify the preferred DHCP server address that is sent to DHCP clients.

Options ip-address—DHCP server address.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.




Administration Guide for Security Devices

source-address (NTP, RADIUS, System Logging, or TACACS+)

Supported Platforms SRX Series

Syntax source-address source-address <routing-instance routing-instance-name>;

Hierarchy Level [edit system accounting destination radius server server-address],
[edit system accounting destination tacplus server server-address],
[edit system ntp],
[edit system radius-server server-address],
[edit system syslog],
[edit system tacplus-server server-address]

Release Information Statement introduced before Junos OS Release 7.4.

Description Specify a source address for each configured TACACS+ server, RADIUS server, or NTP
server, or the source address to record in system log messages that are directed to a
remote machine.

Options source-address—A valid IP address configured on one of the SRX Series devices. For
system logging, the address is recorded as the message source in messages sent to
the remote machines specified in all host hostname statements at the [edit system
syslog] hierarchy level, but not for messages directed to the other Routing Engine.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 609


ssh-known-hosts

Supported Platforms SRX Series, vSRX

Syntax ssh-known-hosts {
fetch-from-server server-name;
host hostname {
dsa-key dsa-key;
ecdsa-sha2-nistp256-key ecdsa-sha2-nistp256-key;
ecdsa-sha2-nistp384-key ecdsa-sha2-nistp384-key;
ecdsa-sha2-nistp521-key ecdsa-sha2-nistp521-key;
rsa-key rsa-key;
rsa1-key rsa1-key;
}
load-key-file key-file;
}

Hierarchy Level [edit security]

Release Information Statement modified in Junos OS Release 8.5.

Description Configure SSH support for known hosts and for administering SSH host key updates.

Options • fetch-from-server server-name—Retrieve SSH public host key information from a
specified server.

• load-key-file key-file—Import SSH host-key information from the specified
/var/tmp/ssh-known-hosts file.

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level security—To view this statement in the configuration.
security-control—To add this statement to the configuration.



static-subscribers

Supported Platforms SRX Series, vSRX

Syntax static-subscribers {
disable;
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Associate subscribers with statically configured interfaces, and provide dynamic service
activation for these subscribers.

Options disable—Disable the static subscribers process.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

statistics-service

Supported Platforms SRX Series, vSRX

Syntax statistics-service {
command binary-file-path;
disable;
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the Packet Forwarding Engine (PFE) statistics service management process.

Options • command binary-file-path—Path to the binary process.

• disable—Disable the Packet Forwarding Engine (PFE) statistics service management
process.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.


subscriber-management

Supported Platforms SRX Series, vSRX

Syntax subscriber-management {
command binary-file-path;
disable;
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the subscriber management process.

Options • command binary-file-path—Path to the binary process.

• disable—Disable the subscriber management process.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.


subscriber-management-helper

Supported Platforms SRX Series, vSRX

Syntax subscriber-management-helper {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the subscriber management helper process.

Options • command binary-file-path—Path to the binary process.

• disable—Disable the subscriber management helper process.

• failover—Configure the device to reboot if the software process fails four times within
30 seconds, and specify the software to use during the reboot.

• alternate-media—Configure the device to switch to backup media that contains a
version of the system if a software process fails repeatedly.

• other-routing-engine—Instruct the secondary Routing Engine to take mastership if
a software process fails. If this statement is configured for a process, and that process
fails four times within 30 seconds, then the device reboots from the secondary
Routing Engine.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.


system master password

Supported Platforms SRX Series

Syntax set system master-password plain-text-password
Master password: ***
Repeat master password: ***

Hierarchy Level system

Release Information Statement introduced in Junos OS Release 15.1X49-D50.

Description Use to set a master password in a hidden configuration within the Junos OS configuration
database.

Options set system master-password iteration-count—(Optional) The number of iterations to use
for the PBKDF2 hash function. The range is 10 through 10000. Default value is 100.
High iteration counts can impact system performance on systems with many secrets.

set system master-password pseudorandom-function (hmac-sha1 | hmac-sha2-256 |
hmac-sha2-512); default hmac-sha2-256—(Optional) Hash (PRF) algorithm to be used
for the PBKDF2 key derivation.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • request system decrypt password


tacplus

Supported Platforms SRX Series, vSRX

Syntax tacplus {
server server-address {
port port-number;
secret password;
single-connection;
source-address source-address;
timeout seconds;
}
}

Hierarchy Level [edit system accounting destination]

Release Information Statement introduced before Junos OS Release 7.4.

Description Configure the TACACS+ accounting server.

Options • server-address—Specify the address of the TACACS+ authentication server.

• port number—Configure the port number on which to contact the TACACS+ server.

• single-connection—Optimize attempts to connect to a TACACS+ server. The software
maintains one open TCP connection to the server for multiple requests rather than
opening a connection for each connection attempt.

• source-address address—Configure a source address for each configured TACACS+
server.

• timeout seconds—Configure the amount of time that the local device waits to receive
a response from a TACACS+ server.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Example: Configuring a TACACS+ Server for System Authentication on page 346


tacplus-options

Supported Platforms EX Series, M Series, MX Series, OCX1100, PTX Series, QFabric System, QFX Series, SRX Series,
T Series

Syntax tacplus-options {
(exclude-cmd-attribute | no-cmd-attribute-value);
enhanced-accounting;
service-name service-name;
timestamp-and-timezone;
}

Hierarchy Level [edit system]

Release Information Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.
no-cmd-attribute-value and exclude-cmd-attribute options introduced in Junos OS
Release 9.3.
Statement introduced in Junos OS Release 11.1 for QFX Series.
timestamp-and-timezone option introduced in Junos OS Release 12.2.
enhanced-accounting option introduced in Junos OS Release 14.1.
Statement introduced in Junos OS Release 14.1X53-D20 for OCX Series switches.

Description Configure TACACS+ options for authentication and accounting.

Options enhanced-accounting—View the attribute values of a logged in user.

exclude-cmd-attribute—Exclude the cmd attribute value completely from start and stop
accounting records to enable logging of accounting records in the correct log file on
a TACACS+ server.

no-cmd-attribute-value—Set the cmd attribute value to an empty string in the TACACS+
accounting start and stop requests to enable logging of accounting records in the
correct log file on a TACACS+ server.

service-name service-name—Name of the authentication service used when you configure
multiple TACACS+ servers to use the same authentication service.
Default: junos-exec

timestamp-and-timezone—Include this statement if you want start time, stop time, and
timezone attributes included in start/stop accounting records.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Configuring the Same Authentication Service for Multiple TACACS+ Servers on page 345
• Configuring TACACS+ System Accounting


• Junos OS Authentication Order for RADIUS, TACACS+, and Password Authentication

• enhanced-accounting


tacplus-server

Supported Platforms EX Series, M Series, PTX Series, SRX Series, T Series, vSRX

Syntax tacplus-server server-address {
port port-number;
secret password;
single-connection;
source-address source-address;
timeout seconds;
}

Hierarchy Level [edit system]

Release Information Statement introduced before Junos OS Release 7.4.
Statement introduced in Junos OS Release 9.0 for EX Series switches.

Description Configure the TACACS+ server.

Options • server-address—Address of the TACACS+ authentication server.

NOTE: Wildcard characters cannot be used in the TACACS server address
or source address. This is because the TACACS server and source can
accept both IPv4 and IPv6 addresses and, if you use wildcard characters
for these addresses, Junos OS cannot validate mismatching server and
source address families.

• port—Port number of TACACS+ authentication server.

• secret—Password to use with the RADIUS or TACACS+ server. The secret password
used by the local router or switch must match that used by the server. The password
can include spaces if it is enclosed in quotation marks.

• single-connection—Optimize attempts to connect to a TACACS+ server. The software
maintains one open TCP connection to the server for multiple requests rather than
opening a connection for each connection attempt.

• source-address—Source address for each configured TACACS+ server, RADIUS server,
NTP server, or the source address to record in system log messages that are directed
to a remote machine. Configure a valid IP address on one of the device interfaces. For
system logging, the address is recorded as the message source in messages sent to
the remote machines specified in all host hostname statements at the
[edit system syslog] hierarchy level.

• timeout—The amount of time that the local device waits to receive a response from a
RADIUS or TACACS+ server. The timeout range is 1 through 90 seconds. The default
is 3 seconds.
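An added example, not from the guide, that puts the tacplus-server statement above together with tacplus-options and the accounting destination described under tacplus. Addresses and secrets are placeholders; authentication-order and accounting events are [edit system] statements that are not documented on this page.

```junos
system {
    /* TACACS+ is consulted first. Because "password" is also listed, local passwords are
       tried when the servers reject the login or do not answer; omit "password" to fall back
       to local accounts only when no server is reachable. */
    authentication-order [ tacplus password ];
    tacplus-server {
        /* Literal addresses only: wildcards are rejected, as noted above. */
        192.0.2.20 {
            secret "REPLACE-WITH-SHARED-SECRET";  /* placeholder; must match the server's key */
            single-connection;                     /* one TCP session reused across requests */
            source-address 198.51.100.1;           /* the address the server sees and can restrict */
            timeout 5;                             /* seconds; range 1 through 90, default 3 */
        }
        192.0.2.21 {
            secret "REPLACE-WITH-SHARED-SECRET";
            source-address 198.51.100.1;
            timeout 5;
        }
    }
    tacplus-options {
        service-name junos-exec;    /* same service name for both servers */
        timestamp-and-timezone;     /* start/stop records carry time and zone */
        enhanced-accounting;
    }
    accounting {
        /* Record logins, configuration changes and every interactive command. */
        events [ login change-log interactive-commands ];
        destination {
            tacplus {
                server {
                    192.0.2.20 {
                        secret "REPLACE-WITH-SHARED-SECRET";
                        single-connection;
                        source-address 198.51.100.1;
                        timeout 5;
                    }
                }
            }
        }
    }
}
```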


Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Example: Configuring a TACACS+ Server for System Authentication on page 346


traceoptions (Outbound SSH)

Supported Platforms SRX Series, vSRX

Syntax traceoptions {
file {
filename ;
files number;
match regular-expression;
size maximum-file-size;
(world-readable | no-world-readable);
}
flag flag;
no-remote-trace;
}

Hierarchy Level [edit system services outbound-ssh]

Release Information Statement introduced in Junos OS Release 10.4.

Description Set the trace options.

Options • file—Configure the trace file information.

• filename—Name of the file to receive the output of the tracing operation. Enclose
the name within quotation marks. All files are placed in the directory /var/log. By
default, the name of the file is the name of the process being traced.

• files number—Maximum number of trace files. When a trace file named trace-file
reaches its maximum size, it is renamed to trace-file.0, then trace-file.1, and so on,
until the maximum number of trace files is reached. The oldest archived file is
overwritten.

If you specify a maximum number of files, you also must specify a maximum file size
with the size option and a filename.

Range: 2 through 1000 files

Default: 10 files

• match regular-expression—Refine the output to include lines that contain the regular
expression.

• size maximum-file-size—Maximum size of each trace file, in kilobytes (KB), megabytes
(MB), or gigabytes (GB). When a trace file named trace-file reaches this size, it is
renamed trace-file.0. When trace-file again reaches its maximum size, trace-file.0 is
renamed trace-file.1 and trace-file is renamed trace-file.0. This renaming scheme
continues until the maximum number of trace files is reached. Then the oldest trace
file is overwritten.

If you specify a maximum number of files, you also must specify a maximum file size
with the size option and a filename.


Syntax: x K to specify KB, x m to specify MB, or x g to specify GB

Range: 10 KB through 1 GB

Default: 128 KB

• world-readable | no-world-readable—By default, log files can be accessed only by
the user who configures the tracing operation. The world-readable option enables
any user to read the file. To explicitly set the default behavior, use the
no-world-readable option.

• flag—Specify the tracing operation to perform. To specify more than one tracing
operation, include multiple flag statements. You can include the following flags.

• all—Trace all events.

• configuration—Trace configuration events.

• connectivity—Trace TCP connection handling.

• no-remote-trace—Disable remote tracing.

Required Privilege Level trace—To view this statement in the configuration.
trace-control—To add this statement to the configuration.

Related Documentation • Displaying Log and Trace Files

trusted-key

Supported Platforms SRX Series

Syntax trusted-key [key-numbers];

Hierarchy Level [edit system ntp]

Release Information Statement introduced before Junos OS Release 7.4.

Description For NTP, configure the keys you are allowed to use when you configure the SRX Series
device to synchronize its time with other systems on the network.

Options key-numbers—One or more key numbers. Each key can be any 32-bit unsigned integer
except 0.
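An added example, not from the guide, that combines the trusted-key statement here with the server and source-address statements documented earlier in this chapter: Fragment 1 polls a server without authentication, Fragment 2 accepts time only from servers that share a trusted key. Addresses, the key number and the key value are placeholders; authentication-key and boot-server are statements at the same [edit system ntp] level that are not documented on this page.

```junos
/* Fragment 1 (weak): unauthenticated client mode. Any host that can answer as
   192.0.2.10 can steer the clock, and with it log timestamps and certificate checks. */
system {
    ntp {
        server 192.0.2.10;
    }
}

/* Fragment 2 (hardened): authenticated client mode with a fixed source address. */
system {
    ntp {
        /* Shared key 1; the value is a placeholder and must match the server's key. */
        authentication-key 1 type md5 value "REPLACE-WITH-SHARED-KEY";
        /* Only packets carrying a key listed here are accepted for synchronization. */
        trusted-key 1;
        /* Both servers use key 1; the first is chosen when all else is equal. */
        server 192.0.2.10 key 1 prefer version 4;
        server 192.0.2.11 key 1 version 4;
        /* Set the clock once at boot, so the client starts near the right time instead
           of relying on the large-offset step described under the server statement. */
        boot-server 192.0.2.10;
        /* One predictable client address for the servers and any filters in front of them. */
        source-address 198.51.100.1;
    }
}
```

After the commit, show ntp associations lists the configured servers and marks the selected one with an asterisk, and show ntp status reports whether the client is synchronized.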

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • ntp on page 609


uac-service

Supported Platforms SRX Series, vSRX

Syntax uac-service {
command binary-file-path;
disable;
failover (alternate-media | other-routing-engine);
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the unified access control daemon process.

Options • command binary-file-path—Path to the binary process.

• disable—Disable the unified access control daemon process.

• failover—Configure the device to reboot if the software process fails four times within
30 seconds, and specify the software to use during the reboot.

• alternate-media—Configure the device to switch to backup media that contains a
version of the system if a software process fails repeatedly.

• other-routing-engine—Instruct the secondary Routing Engine to take mastership if
a software process fails. If this statement is configured for a process, and that process
fails four times within 30 seconds, then the device reboots from the secondary
Routing Engine.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Firewall User Authentication Overview


update-router-advertisement

Supported Platforms SRX Series

Syntax update-router-advertisement (interface interface-name);

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10 for SRX300, SRX320, SRX340,
SRX550M, and SRX1500 devices.

Description Specify the interface used to delegate prefixes.

Options interface interface-name—Interface on which to delegate prefixes

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.


update-server (dhcp-client)

Supported Platforms SRX Series, vSRX

Syntax update-server;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client]

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Propagate DHCP options to a local DHCP server.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.



update-server (dhcpv6-client)

Supported Platforms SRX Series

Syntax update-server;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcpv6-client]

Release Information Statement introduced in Junos OS Release 12.1X45-D10 for SRX300, SRX320, SRX340,
SRX550M, and SRX1500 devices.

Description Propagate TCP/IP settings to the DHCPv6 server.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.


usb-control

Supported Platforms SRX Series, vSRX

Syntax usb-control {
command binary-file-path;
disable;
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5 for SRX300, SRX320, SRX340, SRX345,
and SRX550M devices.

Description Specify the universal serial bus (USB) supervise process.

Options • command binary-file-path—Path to the binary process.

• disable—Disable the universal serial bus (USB) supervise process.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.


use-interface

Supported Platforms SRX Series, vSRX

Syntax use-interface-description {logical |device};

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client
client-identifier]

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description The description configured at the physical or logical interface level is used for client
identification.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.


user-id

Supported Platforms SRX Series, vSRX

Syntax user-id {ascii ascii hexadecimal hexadecimal};

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client
client-identifier]

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Specify an ASCII or hexadecimal user ID for the Dynamic Host Configuration Protocol
(DHCP) client.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.



vendor-id

Supported Platforms SRX Series, vSRX

Syntax vendor-id vendor-id;

Hierarchy Level [edit interfaces interface-name unit logical-unit-number family family dhcp-client]

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Configure a vendor class ID for the Dynamic Host Configuration Protocol (DHCP) client.

Options vendor-id—Vendor class ID.

Required Privilege Level interface—To view this statement in the configuration.
interface-control—To add this statement to the configuration.


vpn (Forwarding Options)

Syntax vpn;

Hierarchy Level [edit forwarding-options helpers bootp]

Release Information Statement introduced in Junos OS Release 9.0.

Description For Dynamic Host Configuration Protocol (DHCP) or BOOTP client request forwarding,
enable virtual private network (VPN) encryption for a client request to pass through a
VPN tunnel.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • DHCP Server, Client, and Relay Agent Overview on page 423


watchdog

Supported Platforms SRX Series, vSRX

Syntax watchdog {
disable;
enable;
timeout value;
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Enable or disable the watchdog timer when Junos OS encounters a problem.

Options • disable—Disable the watchdog timer.

• enable—Enable the watchdog timer.

• timeout value—Specify amount of time to wait in seconds.

Range: 1 through 3600 seconds.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.


web-management

Supported Platforms SRX Series, vSRX

Syntax web-management {
disable;
failover (alternate-media | other-routing-engine);
}

Hierarchy Level [edit system processes]

Release Information Statement introduced in Junos OS Release 8.5.

Description Specify the Web management process.

Options • disable—Disable the Web management process.

• failover—Configure the device to reboot if the software process fails four times within
30 seconds, and specify the software to use during the reboot.

• alternate-media—Configure the device to switch to backup media that contains a
version of the system if a software process fails repeatedly.

• other-routing-engine—Instruct the secondary Routing Engine to take mastership if
a software process fails. If this statement is configured for a process, and that process
fails four times within 30 seconds, then the device reboots from the secondary
Routing Engine.

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.


web-management (System Services)

Supported Platforms SRX Series, vSRX

Syntax web-management {
http {
interfaces interface-names ;
port port;
}
https {
interfaces interface-names;
local-certificate name;
pki-local-certificate name;
system-generated-certificate name;
port port;
}
management url management url;
session {
idle-timeout minutes;
session-limit number;
}
traceoptions {
file {
filename;
files number;
match regular-expression;
size maximum-file-size;
(no-world-readable | world-readable);
}
flag flag;
level level;
no-remote-trace;
}
}

Hierarchy Level [edit system services]

Release Information Statement introduced in Junos OS Release 9.0.
Support for https introduced for SRX5400, SRX5600, and SRX5800 devices starting
from Junos OS Release 12.1X44-D10 and on vSRX, SRX300, SRX320, SRX340, SRX345,
SRX550M, and SRX1500 devices starting from Junos OS Release 15.1X49-D40.

Description Configure settings for HTTP or HTTPS access. HTTP access allows management of the
device using the J-Web interface. HTTPS access allows secure management of the device
using the J-Web interface. With HTTPS access, communication is encrypted between
your browser and the webserver for your device.

NOTE: On SRX340 and SRX345 devices, the factory-default configuration
has a generic HTTP configuration. To use ge and fxp0 ports as management
ports, you must use the set system services web-management http command.


The Web management HTTP and HTTPS interfaces are changed to fxp0.0
and from ge-0/0/1.0 through ge-0/0/7.0.


Options control—Disable the SBC process.

• max-threads—Maximum simultaneous threads to handle requests.

Range: 0 through 16

http—Configure HTTP.

• interface [value]—Interface value that accepts HTTP access.

• port number—TCP port for incoming HTTP connections.

Range: 1 through 65,535

https—Configure HTTPS.

• interface [value]—Interface value that accepts HTTPS access.

• port number—TCP port for incoming HTTPS connections.

Range: 1 through 65,535

• local-certificate—X.509 certificate to use from the configuration.

• pki-local-certificate—X.509 certificate to use from the PKI local store.

• system-generated-certificate—X.509 certificate generated automatically by the
system.

management url management url—URL path for Web management access.

session—Configure the Web-management session.

• idle-timeout minutes—Default timeout of Web-management sessions in minutes.

• session-limit number—Maximum number of Web-management sessions to allow.

traceoptions—Set the trace options.

• file—Configure the trace file information.

• filename—Name of the file to receive the output of the tracing operation. Enclose
the name in quotation marks. All files are placed in the directory /var/log. By
default, the name of the file is the name of the process being traced.

• files number—Maximum number of trace files. When a trace file named trace-file
reaches its maximum size, it is renamed trace-file.0, then trace-file.1, and so on,
until the maximum number of trace files is reached. Then the oldest trace file
is overwritten.

If you specify a maximum number of files, you also must specify a maximum
file size with the size maximum file-size option.

Range: 2 through 1000 files

Default: 10 files

• match regular-expression—Refine the output to include lines that contain the regular
expression.


• size maximum-file-size—Maximum size of each trace file, in kilobytes (KB),
megabytes (MB), or gigabytes (GB).

Range: 10 KB through 1 GB

Default: 128 KB

If you specify a maximum file size, you also must specify a maximum number of
trace files with the files number option.

• (world-readable | no-world-readable)—By default, log files can be accessed only
by the user who configures the tracing operation. The world-readable option enables
any user to read the file. To explicitly set the default behavior, use the
no-world-readable option.

• flag flag—Specify which tracing operation to perform. To specify more than one
tracing operation, include multiple flag statements. You can include the following
flags.

• all—Trace all areas.

• configuration—Trace configuration.

• dynamic-vpn—Trace dynamic VPN events.

• init—Trace the daemon init process.

• mgd—Trace MGD requests.

• webauth—Trace Web authentication requests.

• level level —Specify the level of debugging output.

• all—Match all levels.

• error—Match error conditions.

• info—Match informational messages.

• notice—Match conditions that should be handled specially.

• verbose—Match verbose messages.

• warning—Match warning messages.

• no-remote-trace—Disable remote tracing.
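An added example, not from the guide, that shows a factory-style plaintext HTTP configuration beside a hardened HTTPS-only configuration built from the statements above. Interface names, the certificate name and the trace file name are placeholders; the certificate is assumed to already be loaded in the PKI local store.

```junos
/* Fragment 1 (factory-style, weak): J-Web over plaintext HTTP on the management and
   revenue ports. Login credentials and session cookies cross the wire unencrypted. */
system {
    services {
        web-management {
            http {
                interfaces [ fxp0.0 ge-0/0/1.0 ge-0/0/2.0 ];
            }
        }
    }
}

/* Fragment 2 (hardened): TLS only, management port only, bounded sessions,
   trace file readable only by the configuring user. No http stanza, so nothing
   listens for plaintext requests. */
system {
    services {
        web-management {
            https {
                port 443;
                interfaces fxp0.0;                 /* dedicated management interface only */
                pki-local-certificate JWEB-CERT;   /* placeholder name of a certificate in the PKI store */
            }
            session {
                idle-timeout 10;                   /* minutes of inactivity before logout */
                session-limit 3;                   /* cap concurrent J-Web sessions */
            }
            traceoptions {
                /* 5 rotated files of 1 MB, not world-readable, in /var/log */
                file web-mgmt.log size 1m files 5 no-world-readable;
                flag webauth;                      /* record Web authentication requests */
                level notice;
            }
        }
    }
}
```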

Required Privilege Level system—To view this statement in the configuration.
system-control—To add this statement to the configuration.

Related Documentation • Firewall User Authentication Overview
• Dynamic VPN Overview



CHAPTER 20

Operational Commands

• clear dhcp client binding
• clear dhcp client statistics
• clear dhcp relay binding
• clear dhcp relay statistics
• clear dhcp server binding
• clear dhcp server statistics
• clear dhcpv6 client binding
• clear dhcpv6 client statistics
• clear dhcpv6 server binding (Local Server)
• clear dhcpv6 server statistics (Local Server)
• clear security ssh key-pair-identity
• clear system login lockout
• file archive
• file checksum md5
• file checksum sha1
• file checksum sha-256
• file compare
• file copy
• file delete
• file list
• file rename
• file show
• request dhcp client renew
• request dhcpv6 client renew
• request security ssh key-pair-identity generate
• request security tpm master-encryption-password set
• request system autorecovery state
• request system decrypt password


• request system download abort
• request system download clear
• request system download pause
• request system download resume
• request system download start
• request system firmware upgrade
• request system license update
• request system power-off fpc
• request system services dhcp
• request system snapshot (Maintenance)
• request system software abort in-service-upgrade (ICU)
• request system software add (Maintenance)
• request system reboot
• request system software rollback (SRX Series)
• request system zeroize
• restart (Reset)
• Restart Commands Overview on page 714
• show chassis routing-engine (View)
• show cli authorization
• show dhcp client binding
• show dhcp client statistics
• show dhcp relay binding
• show dhcp relay statistics
• show dhcp server binding
• show dhcp server statistics
• show dhcpv6 client binding
• show dhcpv6 client statistics
• show dhcpv6 server binding (View)
• show dhcpv6 server statistics (View)
• show firewall (View)
• show security ssh key-pair-identity
• show security tpm status
• show system autorecovery state
• show system download
• show system license (View)
• show system login lockout
• show system services dhcp client

Chapter 20: Operational Commands

• show system services dhcp relay-statistics
• show system snapshot media
• show system storage partitions (View SRX Series)


clear dhcp client binding

Supported Platforms SRX Series, vSRX

Syntax clear dhcp client binding
[all|interface <interface-name>]
[routing-instance <routing-instance-name>]

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Clear the binding state of a Dynamic Host Configuration Protocol (DHCP) client from
the DHCP client table.

Options all—(Optional) Clear the binding state for all DHCP clients.

interface <interface-name>—(Optional) Clear the binding state for DHCP clients on the
specified interface.

routing-instance <routing-instance-name>—(Optional) Clear the binding state for DHCP
clients on the specified routing instance. If you do not specify a routing instance, the
binding state is cleared for DHCP clients on the default routing instance.

Required Privilege Level clear

Related Documentation • show dhcp client binding on page 720

Output Fields This command produces no output.


clear dhcp client statistics

Supported Platforms SRX Series, vSRX

Syntax clear dhcp client statistics
<all>
<interface>
<routing-instance>

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Clear all Dynamic Host Configuration Protocol (DHCP) client statistics.

Options all—(Optional) Clear all the DHCP client statistics.

interface—(Optional) Clear the statistics for DHCP clients on the specified interface.

routing-instance—(Optional) Clear the statistics for DHCP clients on the specified routing
instance. If you do not specify a routing instance, statistics are cleared for the default
routing instance.

Required Privilege Level clear

Related Documentation • show dhcp client statistics on page 723

Output Fields This command produces no output.


clear dhcp relay binding

Supported Platforms SRX Series, vSRX

Syntax clear dhcp relay binding
<all | ip-address | mac-address>
<interface interface-name>
<routing-instance routing-instance-name>

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Clear the binding state of a Dynamic Host Configuration Protocol (DHCP) client from
the client table.

Options all—(Optional) Clear the binding state for all DHCP clients.

ip-address—(Optional) Clear the binding state for the DHCP client, using the specified
IP address.

mac-address—(Optional) Clear the binding state for the DHCP client, using the specified
MAC address.

interface interface-name—(Optional) Clear the binding state for DHCP clients on the
specified interface.

routing-instance routing-instance-name—(Optional) Clear the binding state for DHCP
clients on the specified routing instance. If you do not specify a routing instance, the
binding state is cleared for the default routing instance.

Required Privilege Level clear

Related Documentation • show dhcp relay binding on page 725

Output Fields This command produces no output.


clear dhcp relay statistics

Supported Platforms SRX Series, vSRX

Syntax clear dhcp relay statistics
<routing-instance routing-instance-name>

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Clear all Dynamic Host Configuration Protocol (DHCP) relay statistics.

Options routing-instance routing-instance-name—(Optional) Clear the DHCP relay statistics on
the specified routing instance. If you do not specify a routing instance name, statistics
are cleared for the default routing instance.

Required Privilege Level clear

Related Documentation • show dhcp relay statistics on page 728

Output Fields This command produces no output.


clear dhcp server binding

Supported Platforms SRX Series, vSRX

Syntax clear dhcp server binding
<all | ip-address | mac-address>
<interface interface-name>
<routing-instance routing-instance-name>

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Clear the binding state of a Dynamic Host Configuration Protocol (DHCP) client from
the client table on the DHCP local server.

Options all—(Optional) Clear the binding state for all DHCP clients.

ip-address—(Optional) Clear the binding state for the DHCP client, using the specified
IP address.

mac-address—(Optional) Clear the binding state for the DHCP client, using the specified
MAC address.

interface interface-name—(Optional) Clear the binding state for DHCP clients on the
specified interface.

routing-instance routing-instance-name—(Optional) Clear the binding state for DHCP
clients on the specified routing instance.

Required Privilege Level clear

Related Documentation • show dhcp server binding on page 730

Output Fields This command produces no output.


clear dhcp server statistics

Supported Platforms SRX Series, vSRX

Syntax clear dhcp server statistics
<routing-instance routing-instance-name>

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Clear all Dynamic Host Configuration Protocol (DHCP) local server statistics.

Options routing-instance routing-instance-name—(Optional) Clear the statistics for DHCP clients
on the specified routing instance. If you do not specify a routing instance, statistics
are cleared for the default routing instance.

Required Privilege Level clear

Related Documentation • show dhcp server statistics on page 732

Output Fields This command produces no output.


clear dhcpv6 client binding

Supported Platforms SRX Series

Syntax clear dhcpv6 client binding
[all | interface interface-name]
[routing-instance routing-instance-name]

Release Information Statement introduced in Junos OS Release 12.1X45-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Clear the binding state of a Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
client from the DHCPv6 client table.

Options all—(Optional) Clear the binding state for all DHCPv6 clients.

interface interface-name—(Optional) Clear the binding state for DHCPv6 clients on the
specified interface.

routing-instance routing-instance-name—(Optional) Clear the binding state for DHCPv6
clients on the specified routing instance. If you do not specify a routing instance, the
binding state is cleared for DHCPv6 clients on the default routing instance.

Required Privilege Level clear

Related Documentation • show dhcpv6 client binding on page 734

Output Fields This command produces no output.


clear dhcpv6 client statistics

Supported Platforms SRX Series

Syntax clear dhcpv6 client statistics
routing-instance routing-instance-name

Release Information Statement introduced in Junos OS Release 12.1X45-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Clear all DHCPv6 client statistics.

Options routing-instance routing-instance-name—(Optional) Clear the statistics for DHCPv6 clients
on the specified routing instance. If you do not specify a routing instance, statistics
are cleared for the default routing instance.

Required Privilege Level clear

Related Documentation • show dhcpv6 client statistics on page 736

Output Fields This command produces no output.


clear dhcpv6 server binding (Local Server)

Supported Platforms SRX Series

Syntax clear dhcpv6 server binding
<all | client-id | ip-address | session-id>
<interface interface-name>
<routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 10.4.

Description Clear the binding state of a DHCPv6 client from the client table on the DHCPv6 local
server.

Options • all—(Optional) Clear the binding state for all DHCPv6 clients.

• client-id—(Optional) Clear the binding state for the DHCPv6 client with the specified
client ID (option 1).

• ip-address—(Optional) Clear the binding state for the DHCPv6 client with the specified
address.

• session-id—(Optional) Clear the binding state for the DHCPv6 client with the specified
session ID.

• interface interface-name—(Optional) Clear the binding state for DHCPv6 clients on
the specified interface.

• routing-instance routing-instance-name—(Optional) Clear the binding state for DHCPv6
clients on the specified routing instance.

Required Privilege Level clear

Related Documentation • show dhcpv6 server binding (View) on page 738


clear dhcpv6 server statistics (Local Server)

Supported Platforms SRX Series

Syntax clear dhcpv6 server statistics
<logical-system logical-system-name>
<routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 10.4.

Description Clear all DHCPv6 local server statistics.

Options logical-system logical-system-name—(Optional) Clear the statistics for DHCPv6 clients
on the specified logical system. If you do not specify a logical system, statistics are
cleared for the default logical system.

routing-instance routing-instance-name—(Optional) Clear the statistics for DHCPv6 clients
on the specified routing instance. If you do not specify a routing instance, statistics
are cleared for the default routing instance.

Required Privilege Level clear

Related Documentation • show dhcpv6 server statistics (View) on page 743


clear security ssh key-pair-identity

Supported Platforms SRX Series, vSRX

Syntax clear security ssh key-pair-identity <identity-name> | all

Release Information Command introduced in Junos OS Release 15.1X49-D70.

Description Clear the private and public SSH key pair files for the specified identity, or for all identities.

Options • identity-name—Identity name.

• all—Clear all the key-pair files.

Required Privilege Level clear

Related Documentation • request security ssh key-pair-identity generate on page 686
• show security ssh key-pair-identity on page 748

List of Sample Output clear security ssh key-pair-identity sample on page 668

Sample Output

clear security ssh key-pair-identity sample

user@host> clear security ssh key-pair-identity sample
SSH key sample was removed


clear system login lockout

Supported Platforms EX Series, M Series, MX Series, PTX Series, T Series

Syntax clear system login lockout
<all>
<user username>

Release Information Command introduced in Junos OS Release 11.2.

Description Unlock a user account that was locked as a result of invalid login attempts.

Options all—Clear all locked user accounts.

user username—Clear the specified locked user account.

Required Privilege Level clear

Related Documentation • lockout-period on page 604
• show system login lockout on page 757

Output Fields This command produces no output.


file archive

Supported Platforms SRX Series

Syntax file archive destination destination source source
<compress>

Release Information Command introduced before Junos OS Release 7.4.

Description Archive, and optionally compress, one or multiple local system files as a single file, locally
or at a remote location.

Options destination destination—Name of the created archive. Specify the destination as a URL
or filename.

source source—Path of the directory to archive.

compress—(Optional) Compress the archived file with the GNU zip (gzip) compression
utility. The compressed files have the suffix .tgz.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices

List of Sample Output file archive (Multiple Files) on page 670
file archive (Single File) on page 670
file archive (with Compression) on page 671

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

file archive (Multiple Files)

The following sample command archives all message files matching /var/log/messages*
as the single file /var/log/messages-archive.tar.

user@host> file archive source /var/log/messages* destination /var/log/messages-archive.tar
/usr/bin/tar: Removing leading / from absolute path names in the archive.

file archive (Single File)

The following sample command archives the one message file /var/log/messages
as the single file /var/log/messages-archive.tar.

user@host> file archive source /var/log/messages destination /var/log/messages-archive.tar
/usr/bin/tar: Removing leading / from absolute path names in the archive.
user@host

file archive (with Compression)

The following sample command archives and compresses all message files matching
/var/log/messages* as the single file /var/log/messages-archive.tgz.

user@host> file archive compress source /var/log/messages* destination /var/log/messages-archive.tgz
/usr/bin/tar: Removing leading / from absolute path names in the archive.


file checksum md5

Supported Platforms SRX Series

Syntax file checksum md5 path

Release Information Command introduced before Junos OS Release 7.4.

Description Calculate the Message Digest 5 (MD5) checksum of a file.

Options path—(Optional) Path to a filename.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices
• file checksum sha1 on page 673
• file checksum sha-256 on page 674

List of Sample Output file checksum md5 on page 672

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

file checksum md5

user@host> file checksum md5 jbundle-5.3R2.4-export-signed.tgz
MD5 (jbundle-5.3R2.4-export-signed.tgz) = 2a3b69e43f9bd4893729cc16f505a0f5


file checksum sha1

Supported Platforms SRX Series

Syntax file checksum sha1 path

Release Information Command introduced in Junos OS Release 9.5.

Description Calculate the Secure Hash Algorithm (SHA-1) checksum of a file.

Options path—(Optional) Path to a filename.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices
• file checksum md5 on page 672
• file checksum sha-256 on page 674

List of Sample Output file checksum sha1 on page 673

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

file checksum sha1

user@host> file checksum sha1 /var/db/scripts/opscript.slax
SHA1 (/var/db/scripts/commitscript.slax) = ba9e47120c7ce55cff29afd73eacd370e162c676


file checksum sha-256

Supported Platforms SRX Series

Syntax file checksum sha-256 path

Release Information Command introduced in Junos OS Release 9.5.

Description Calculate the Secure Hash Algorithm 2 family (SHA-256) checksum of a file.

Options path—(Optional) Path to a filename.

Required Privilege Level maintenance
view
view-configuration

Related Documentation • Administration Guide for Security Devices
• file checksum sha1 on page 673
• file checksum md5 on page 672

List of Sample Output file checksum sha-256 on page 674

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

file checksum sha-256

user@host> file checksum sha-256 /var/db/scripts/commitscript.slax
SHA256 (/var/db/scripts/commitscript.slax) =
94c2b061fb55399e15babd2529453815601a602b5c98e5c12ed929c9d343dd71
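The three file checksum commands above (md5, sha1, sha-256) all print a line of the form ALGO (path) = hexdigest. The usual operational task is to compare that line, or a digest published alongside a software image, with a digest computed off the box. The following added example is not Juniper code: it parses a file checksum output line in the layout shown in the samples, recomputes the digest locally, compares in constant time, and reports separately whether the algorithm is one a practitioner should trust for image integrity (MD5 and SHA-1 are collision-prone, so a matching MD5 or SHA-1 digest alone is weak evidence). The sample file written by write_sample() is constructed for the demonstration.

```python
"""Verify a local file against the digest line that `file checksum` prints,
for example:
    SHA256 (/var/db/scripts/commitscript.slax) = 94c2...dd71

Added example, not Juniper code. The output-line layout follows the samples
on this page; write_sample() produces constructed content for testing.
"""
import hashlib
import hmac
import os
import re
import tempfile

# "<ALGO> (<path>) = <hex>" as the md5, sha1 and sha-256 commands print it
_LINE = re.compile(r'^(MD5|SHA1|SHA256)\s+\((.+)\)\s*=\s*([0-9A-Fa-f]+)$')

# Junos label -> hashlib algorithm name
_HASHLIB_NAME = {'MD5': 'md5', 'SHA1': 'sha1', 'SHA256': 'sha256'}
# Only SHA-256 is collision-resistant enough to stand alone as evidence
# that a software image has not been altered.
_STRONG = {'SHA256'}


def parse_checksum_line(line):
    """Split a `file checksum` output line into (algorithm, path, lowercase hex)."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError('not a file checksum output line: %r' % line)
    return m.group(1), m.group(2), m.group(3).lower()


def file_digest(path, algo, chunk_size=1 << 20):
    """Hex digest of the file at path, read in chunks so large images fit in memory."""
    h = hashlib.new(_HASHLIB_NAME[algo])
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(chunk_size), b''):
            h.update(chunk)
    return h.hexdigest()


def verify(path, published_line):
    """Compare the local file against a published digest line.

    Returns (matches, strong). matches is the constant-time comparison
    result; strong is False when the published digest is MD5 or SHA-1, in
    which case a match must not be taken as proof of integrity.
    """
    algo, _, expected = parse_checksum_line(published_line)
    actual = file_digest(path, algo)
    return hmac.compare_digest(actual, expected), algo in _STRONG


def write_sample(data=b'abc'):
    """Write constructed sample content to a temporary file; return its path."""
    fd, path = tempfile.mkstemp(suffix='.tgz')
    with os.fdopen(fd, 'wb') as f:
        f.write(data)
    return path


if __name__ == '__main__':
    p = write_sample()
    line = 'SHA256 (%s) = %s' % (p, file_digest(p, 'SHA256'))
    print(line)
    print(verify(p, line))   # (True, True)
    os.unlink(p)
```

In practice the published line comes from the vendor download page or the device itself, and the file is the image you are about to install; a (True, False) result means the digests agree but only under MD5 or SHA-1, so obtain and check the SHA-256 value as well before trusting the image.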


file compare

Supported Platforms SRX Series, vSRX

Syntax file compare (files from-file to-file) <context | unified> <ignore-white-space>

Release Information Command introduced before Junos OS Release 7.4.

Description Compare two local files and describe the differences between them in default, context,
or unified output styles:

• default—In the first line of output, c means lines were changed between the two files,
d means lines were deleted, and a means lines were added. The line numbers preceding
the letter refer to the first file, and the line numbers following it refer to the second
file. A left angle bracket (<) in front of an output line marks a line from the first file;
a right angle bracket (>) marks a line from the second file.

• context—The display is divided into two parts. The first part is the first file; the second
part is the second file. Output lines preceded by an exclamation point (!) have changed.
Additions are marked with a plus sign (+), and deletions are marked with a
minus sign (-).

• unified—Each hunk is preceded by the line ranges from the first and the second file
(@@ -xx,x +xx,x @@). Within the hunk, additions are marked with a plus sign (+) and
deletions with a minus sign (-) in the first column. The body of the output contains
the affected lines. Changes are shown as deletions followed by additions.

Options files from-file—Name of the file to compare.

files to-file—Name of the file to compare against.

context—(Optional) Display output in context format.

ignore-white-space—(Optional) Ignore changes in the amount of white space.

unified—(Optional) Display output in unified format.

Required Privilege Level none

Related Documentation • Administration Guide for Security Devices

List of Sample Output file compare files on page 676
file compare files context on page 676
file compare files unified on page 676
file compare files unified ignore-white-space on page 677

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

file compare files

user@host> file compare files /tmp/one /tmp/two
100c100
< full-name "File 1";
---
> full-name "File 2";
102c102
< class foo; # 'foo' is not defined
---
> class super-user;

file compare files context

user@host> file compare files /tmp/one /tmp/two context
*** /tmp/one Wed Dec 3 17:12:50 2003
--- /tmp/two Wed Dec 3 09:13:14 2003
***************
*** 97,104 ****
}
}
user bill {
! full-name "Bill Smith";
! class foo; # 'foo' is not defined
authentication {
encrypted-password SECRET;
}
--- 97,105 ----
}
}
user bill {
! full-name "Bill Smith";
! uid 1089;
! class super-user;
authentication {
encrypted-password SECRET;
}

file compare files unified

user@host> file compare files /tmp/one /tmp/two unified
--- /tmp/one Wed Dec 3 17:12:50 2003
+++ /tmp/two Wed Dec 3 09:13:14 2003
@@ -97,8 +97,9 @@
}
}
user bill {
- full-name "Bill Smith";
- class foo; # 'foo' is not defined
+ full-name "Bill Smith";
+ uid 1089;
+ class super-user;
authentication {
encrypted-password SECRET;
}

file compare files unified ignore-white-space


user@host> file compare files /tmp/one /tmp/two unified ignore-white-space
--- /tmp/one Wed Dec 3 09:13:10 2003
+++ /tmp/two Wed Dec 3 09:13:14 2003
@@ -99,7 +99,7 @@
user bill {
full-name "Bill Smith";
uid 1089;
- class foo; # 'foo' is not defined
+ class super-user;
authentication {
encrypted-password <SECRET>; # SECRET-DATA
}
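The default and unified output styles described above are easy to consume programmatically, which is how file compare is typically used in practice: diff a saved configuration against the running one and review what changed. The following added example is not Juniper code. It parses both styles into hunks (the a/c/d letter and the < / > prefixes of the default style, and the @@ -a,b +c,d @@ headers with - / + prefixes of the unified style) and then flags added lines that touch privilege or credential statements, such as the class super-user and uid changes in the samples. The two sample diffs are constructed to match the page's sample output, and the SENSITIVE pattern list is an assumption chosen for the demonstration.

```python
"""Parse `file compare` output (default and unified styles) and flag changes
to security-sensitive configuration statements.

Added example, not Juniper code. The input layout follows the sample output
shown for `file compare`; the sample diffs below are constructed to match it.
"""
import re
from dataclasses import dataclass, field

# Default style hunk header, e.g. "100c100", "97,104c97,105", "5a6,7", "12,14d11"
_DEFAULT_HDR = re.compile(r'^(\d+)(?:,(\d+))?([acd])(\d+)(?:,(\d+))?$')
# Unified style hunk header, e.g. "@@ -97,8 +97,9 @@"
_UNIFIED_HDR = re.compile(r'^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@')

# Statements whose appearance in the to-file deserves review (privilege class,
# numeric uid, credential material). Constructed list for this example.
SENSITIVE = (
    re.compile(r'\bclass\s+super-user\b'),
    re.compile(r'\buid\s+\d+'),
    re.compile(r'encrypted-password'),
)


@dataclass
class Hunk:
    kind: str                  # 'a' added, 'd' deleted, 'c' changed
    old_range: tuple           # (first, last) line numbers in the from-file
    new_range: tuple           # (first, last) line numbers in the to-file
    removed: list = field(default_factory=list)   # lines only in the from-file
    added: list = field(default_factory=list)     # lines only in the to-file


def _span(first, last):
    a = int(first)
    return (a, int(last) if last else a)


def parse_default(text):
    """Default style: '<' lines come from the first file, '>' lines from the
    second, and '---' separates the two halves of a change."""
    hunks, cur = [], None
    for line in text.splitlines():
        m = _DEFAULT_HDR.match(line)
        if m:
            cur = Hunk(m.group(3), _span(m.group(1), m.group(2)),
                       _span(m.group(4), m.group(5)))
            hunks.append(cur)
        elif cur is None or line == '---':
            continue
        elif line.startswith('< '):
            cur.removed.append(line[2:].strip())
        elif line.startswith('> '):
            cur.added.append(line[2:].strip())
    return hunks


def parse_unified(text):
    """Unified style: hunks carry no a/c/d letter, so the kind is derived from
    which sides contributed lines. Leading '--- '/'+++ ' file headers are skipped."""
    hunks, cur = [], None
    for line in text.splitlines():
        if cur is None and (line.startswith('--- ') or line.startswith('+++ ')):
            continue
        m = _UNIFIED_HDR.match(line)
        if m:
            old = (int(m.group(1)), int(m.group(1)) + int(m.group(2) or 1) - 1)
            new = (int(m.group(3)), int(m.group(3)) + int(m.group(4) or 1) - 1)
            cur = Hunk('?', old, new)
            hunks.append(cur)
        elif cur is None:
            continue
        elif line.startswith('-'):
            cur.removed.append(line[1:].strip())
        elif line.startswith('+'):
            cur.added.append(line[1:].strip())
    for h in hunks:
        h.kind = 'c' if h.removed and h.added else ('a' if h.added else 'd')
    return hunks


def sensitive_additions(hunks):
    """Lines added to the second file that match a SENSITIVE pattern."""
    return [ln for h in hunks for ln in h.added
            if any(p.search(ln) for p in SENSITIVE)]


# Constructed sample modeled on the page's `file compare files` output.
SAMPLE_DEFAULT = """\
100c100
<     full-name "File 1";
---
>     full-name "File 2";
102c102
<     class foo; # 'foo' is not defined
---
>     class super-user;
"""

# Constructed sample modeled on the page's `file compare files unified` output.
SAMPLE_UNIFIED = """\
--- /tmp/one Wed Dec 3 17:12:50 2003
+++ /tmp/two Wed Dec 3 09:13:14 2003
@@ -97,8 +97,9 @@
     }
 }
 user bill {
-    full-name "Bill Smith";
-    class foo; # 'foo' is not defined
+    full-name "Bill Smith";
+    uid 1089;
+    class super-user;
     authentication {
         encrypted-password SECRET;
 }
"""

if __name__ == '__main__':
    for label, hunks in (('default', parse_default(SAMPLE_DEFAULT)),
                         ('unified', parse_unified(SAMPLE_UNIFIED))):
        print(label, [(h.kind, h.old_range, h.new_range) for h in hunks])
        print('  review:', sensitive_additions(hunks))
```

Feed the text captured from file compare files old new unified to parse_unified(); the design keeps hunk line ranges so a reviewer can jump to the exact statements in the to-file, and it treats a changed line as a deletion plus an addition, which is how the unified style presents it.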


file copy

Supported Platforms SRX Series

Syntax file copy source destination
<source-address source-address>

Release Information Command introduced before Junos OS Release 7.4.

Description Copy files from one location to another location on the local device or to a location on a
remote device that is reachable by the local device.

WARNING: The sslv3-support option is not available for configuration with
the set system services xnm-ssl and file copy commands. SSLv3 is no longer
supported or available.

You can use the set system services xnm-ssl sslv3-support command to enable
SSLv3 for a Junos XML protocol client application to use as the protocol to
connect to the Junos XML protocol server on a device, and you can use the
file copy source destination sslv3-support command to enable the copying of
files from an SSLv3 URL.

Using SSLv3 presents a potential security vulnerability, and we recommend
that you not use SSLv3. For more details about this security vulnerability, go
to http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10656.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices

List of Sample Output Copy a File from the Local Device to a Personal Computer on page 678
Copy a Configuration File Between Routing Engines on page 679
Copy a Log File Between Routing Engines on page 679
Copy a File Using FTP on page 679
Copy a File Using FTP and Requiring a Password on page 679
Copy a File Using Secure Copy on page 679

Sample Output
The following are examples of a variety of file copy scenarios.

Copy a File from the Local Device to a Personal Computer

user@host> file copy /var/tmp/rpd.core.4 mypc:/c/junipero/tmp


...transferring.file...... | 0 KB | 0.3 kB/s | ETA: 00:00:00 | 100%

Copy a Configuration File Between Routing Engines

The following sample command copies a configuration file from Routing Engine 0 to
Routing Engine 1:

user@host> file copy /config/juniper.conf re1:/var/tmp/copied-juniper.conf

Copy a Log File Between Routing Engines

The following sample command copies a log file from Routing Engine 0 to Routing Engine
1:

user@host> file copy lcc0-re0:/var/log/chassisd lcc0-re1:/var/tmp

Copy a File Using FTP

To use anonymous FTP to copy a local file to a remote system:

user@host> file copy filename ftp://hostname/filename

In the following example, /config/juniper.conf is the local file and hostname is the FTP
server:

user@host> file copy /config/juniper.conf ftp://hostname/juniper.conf
Receiving ftp://hostname/juniper.conf (2198 bytes): 100%
2198 bytes transferred in 0.0 seconds (2.69 MBps)

Copy a File Using FTP and Requiring a Password

To use FTP where you require more privacy and are prompted for a password:

root@host> file copy filename ftp://user@hostname/filename

In the following example, /config/juniper.conf is the local file and hostname is the FTP
server:

root@host> file copy /config/juniper.conf ftp://user@hostname/juniper.conf
Password for user@hostname: ******
Receiving ftp://user@hostname/juniper.conf (2198 bytes): 100%
2198 bytes transferred in 0.0 seconds (2.69 MBps)

Copy a File Using Secure Copy

To use scp to copy a local file to a remote system:

root@host> file copy filename scp://user@hostname/path/filename


In the following example, /config/juniper.conf is the local file, user is the username, and
ssh-host is the scp server:

root@host> file copy /config/juniper.conf scp://user@ssh-host/tmp/juniper.conf


user@ssh-host's password: ******
juniper.conf 100%
|*********************************************************************************|
2198 00:00


file delete

Supported Platforms SRX Series

Syntax file delete path
<purge>

Release Information Command introduced before Junos OS Release 7.4.

Description Delete a path on the device.

Options path—Name of the path to delete.

purge—(Optional) Overwrite regular files before deleting them.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices

List of Sample Output file delete on page 680

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

file delete

user@host> file list /var/tmp
dcd.core
rpd.core
snmpd.core

user@host> file delete /var/tmp/snmpd.core

user@host> file list /var/tmp
dcd.core
rpd.core


file list

Supported Platforms SRX Series

Syntax file list path
<detail | recursive>

Release Information Command introduced before Junos OS Release 7.4.

Description Display a list of paths on the device.

Options path—(Optional) Display a list of paths.

detail | recursive—(Optional) Display detailed output or descend recursively through the
directory hierarchy, respectively.

Additional Information The default directory is the home directory of the user logged in to the device. To view
available directories, enter a space and then a slash (/) after the file list command. To
view files within a specific directory, include a slash followed by the directory and,
optionally, subdirectory name after the file list command.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices

List of Sample Output file list on page 681

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

file list

user@host> file list /var/tmp
dcd.core
rpd.core
snmpd.core


file rename

Supported Platforms SRX Series

Syntax file rename source destination

Release Information Command introduced before Junos OS Release 7.4.

Description Rename a file on the device.

Options destination—New name for the file.

source—Original name of the file.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices

List of Sample Output file rename on page 682

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

file rename

The following example lists the files in /var/tmp, renames one of the files, and then
displays the list of files again to reveal the newly named file.

user@host> file list /var/tmp
dcd.core
rpd.core
snmpd.core

user@host> file rename /var/tmp/dcd.core /var/tmp/dcd.core.990413

user@host> file list /var/tmp
dcd.core.990413
rpd.core
snmpd.core


file show

Supported Platforms SRX Series

Syntax file show filename
<encoding (base64 | raw)>

Release Information Command introduced before Junos OS Release 7.4.

Description Display the contents of a file.

Options filename—Name of a file.

encoding (base64 | raw)—(Optional) Encode file contents with base64 encoding or show
raw text.

Required Privilege Level maintenance

Related Documentation • Administration Guide for Security Devices

List of Sample Output file show on page 683

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

file show

user@host> file show /var/log/messages
Apr 13 21:00:08 romney /kernel: so-1/1/2: loopback suspected; going to standby.
Apr 13 21:00:40 romney /kernel: so-1/1/2: loopback suspected; going to standby.
Apr 13 21:02:48 romney last message repeated 4 times
Apr 13 21:07:04 romney last message repeated 8 times
Apr 13 21:07:13 romney /kernel: so-1/1/0: Clearing SONET alarm(s) RDI-P
Apr 13 21:07:29 romney /kernel: so-1/1/0: Asserting SONET alarm(s) RDI-P
...


request dhcp client renew

Supported Platforms SRX Series, vSRX

Syntax request dhcp client renew
[all|interface <interface-name>]
routing-instance <routing-instance-name>

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Initiate a renew request for the specified DHCP clients if they are in the bound state.

Options all—Initiate renew requests for all DHCP clients. If you specify a routing instance, renew
requests are initiated for all DHCP clients within that routing instance.

interface <interface-name>—Initiate renew requests for DHCP clients on the specified
interface.

routing-instance <routing-instance-name>—Initiate renew requests for DHCP clients in
the specified routing instance. If you do not specify a routing instance, renew requests
are initiated on the default routing instance.

Required Privilege Level view

Related Documentation • request dhcpv6 client renew on page 685

Output Fields This command produces no output.


request dhcpv6 client renew

Supported Platforms SRX Series

Syntax request dhcpv6 client renew
[all | interface interface-name]
routing-instance <routing-instance-name>

Release Information Statement introduced in Junos OS Release 12.1X45-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Initiate a renew request for the specified DHCPv6 clients if they are in the bound state.

Options all—Initiate renew requests for all DHCPv6 clients. If you specify a routing instance, renew
requests are initiated for all DHCPv6 clients within that routing instance.

interface interface-name—Initiate renew requests for DHCPv6 clients on the specified
interface.

routing-instance routing-instance-name—Initiate renew requests for DHCPv6 clients in
the specified routing instance. If you do not specify a routing instance, renew requests
are initiated on the default routing instance.

Required Privilege Level view

Output Fields This command produces no output.


request security ssh key-pair-identity generate

Supported Platforms SRX Series, vSRX

Syntax request security ssh key-pair-identity generate <identity-name>


passphrase

Release Information Command introduced in Junos OS Release 15.1X49-D70.

Description Generate the SSH private and public key pair for a specified identity. The private and
public key files are stored in the /var/db directory, which is accessible through root only.
Filenames are based on the identity-name with extensions. The files are similar to the
certificate files that are stored in Junos OS.

Options • passphrase—Generate the SSH identity with a passphrase. The passphrase protects the private key file stored in the file system. This option does not allow the user to enter a weak passphrase, which ensures stronger security. A private key is used to connect to a remote server and is never displayed or transferred between servers, even if the system is compromised. The private key cannot be used to connect to a remote server if the passphrase is not known.

NOTE: By default, the passphrase protects the private key with Advanced Encryption Standard (AES) 128 in cipher block chaining (CBC) mode. All generated keys are stored in the /var/db/ssh_key directory.

• identity-name—Identity name.

Required Privilege Level maintenance

Related Documentation • show security ssh key-pair-identity on page 748

• clear security ssh key-pair-identity on page 668

List of Sample Output request security ssh key-pair-identity generate on page 686

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

request security ssh key-pair-identity generate


user@host> request security ssh key-pair-identity generate sample passphrase identity-name
Created SSH key sample



Chapter 20: Operational Commands

request security tpm master-encryption-password set

Supported Platforms SRX300, SRX320, SRX340, SRX345

Syntax request security tpm master-encryption-password set plain-text-password

Release Information Command introduced in Junos OS Release 15.1X49-D80.

Description Use this command to set or replace the password (in plain text).

Options plain-text-password—Set or replace the password (in plain text).

Required Privilege Level maintenance

Related Documentation • show security tpm status on page 749

List of Sample Output request security tpm master-encryption-password set on page 687

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

request security tpm master-encryption-password set


user@host> request security tpm master-encryption-password set plain-text-password
Enter new master encryption password:
Repeat new master encryption password:
Binding password with TPM
Master encryption password is binded to TPM
Encoding master password ..
Successfully encoded master password
Encrypted key-pair files


request system autorecovery state

Supported Platforms SRX Series, vSRX

Syntax request system autorecovery state (save | recover | clear)

Release Information Command introduced in Junos OS Release 11.2 for SRX300, SRX320, SRX345, and
SRX550M devices.

Description Prepare the system for autorecovery of configuration, licenses, and disk information.

Options save—Save the current state of the disk partitioning, configuration, and licenses for
autorecovery.
The active Junos OS configuration is saved as the Junos rescue configuration, after
which the rescue configuration, licenses, and disk partitioning information is saved
for autorecovery. Autorecovery information must be initially saved using this
command for the autorecovery feature to verify integrity of data on every bootup.

NOTE:
• Any recovery performed at a later stage will restore the data to the
same state as it was when the save command was executed.

• A fresh rescue configuration is generated when the command is executed. Any existing rescue configuration will be overwritten.

recover—Recover the disk partitioning, configuration, and licenses.
After autorecovery data has been saved, the integrity of the saved items is checked automatically on every bootup. The recover option lets you forcibly rerun these checks at any time.

clear—Clear all saved autorecovery information.
Only the autorecovery information is deleted; the original copies of the data used by the router are not affected. Clearing the autorecovery information also disables all autorecovery integrity checks performed during bootup.

Required Privilege Level maintenance

Related Documentation • show system autorecovery state on page 750

List of Sample Output request system autorecovery state save on page 689
request system autorecovery state recover on page 689
request system autorecovery state clear on page 689


Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

request system autorecovery state save


user@host> request system autorecovery state save
Saving config recovery information
Saving license recovery information
Saving bsdlabel recovery information

Sample Output

request system autorecovery state recover


user@host> request system autorecovery state recover

Configuration:
File             Recovery Information  Integrity Check  Action / Status
rescue.conf.gz   Saved                 Passed           None
Licenses:
File             Recovery Information  Integrity Check  Action / Status
JUNOS282736.lic  Saved                 Passed           None
JUNOS282737.lic  Saved                 Failed           Recovered
BSD Labels:
Slice            Recovery Information  Integrity Check  Action / Status
s1               Saved                 Passed           None
s2               Saved                 Passed           None
s3               Saved                 Passed           None
s4               Saved                 Passed           None

Sample Output

request system autorecovery state clear


user@host> request system autorecovery state clear
Clearing config recovery information
Clearing license recovery information
Clearing bsdlabel recovery information
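The recover output above is the only place the bootup integrity checks report what they found, so it is worth parsing it rather than eyeballing it. The following is an added example, not Juniper code: it parses that table layout (name, recovery information, integrity check, action) and flags rows whose saved copy no longer matched the on-disk item; the parsing rules and the sample text are assumptions based on the output shown in this guide.

```python
"""Parse 'request system autorecovery state recover' output and flag
integrity failures. The row layout (name, recovery information, integrity
check, action) is assumed from the sample output in this guide."""
from typing import Dict, List, NamedTuple, Tuple


class RecoveryRow(NamedTuple):
    section: str   # "Configuration", "Licenses" or "BSD Labels"
    name: str      # file name or slice name
    saved: str     # "Recovery Information" column
    check: str     # "Integrity Check" column: Passed / Failed
    action: str    # "Action / Status" column: None / Recovered


# Constructed copy of the sample output shown in the guide (unaligned, as printed).
SAMPLE_RECOVER_OUTPUT = """\
Configuration:
File Recovery Information Integrity Check Action / Status
rescue.conf.gz Saved Passed None
Licenses:
File Recovery Information Integrity Check Action / Status
JUNOS282736.lic Saved Passed None
JUNOS282737.lic Saved Failed Recovered
BSD Labels:
Slice Recovery Information Integrity Check Action / Status
s1 Saved Passed None
s2 Saved Passed None
s3 Saved Passed None
s4 Saved Passed None
"""


def parse_recover_output(text: str) -> List[RecoveryRow]:
    """Turn the three-section table into a flat list of rows."""
    rows: List[RecoveryRow] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):
            section = line[:-1]        # "Configuration:", "Licenses:", "BSD Labels:"
            continue
        if "Integrity Check" in line:
            continue                   # column header line
        parts = line.split()
        if len(parts) < 4 or not section:
            continue                   # not a table row we understand
        # Name is the first token, integrity check and action the last two;
        # whatever lies between is the recovery-information column.
        rows.append(RecoveryRow(section, parts[0], " ".join(parts[1:-2]),
                                parts[-2], parts[-1]))
    return rows


def integrity_failures(rows: List[RecoveryRow]) -> List[RecoveryRow]:
    """Rows whose on-disk item did not match the saved copy at check time.
    'Recovered' means autorecovery silently replaced the item; whether that
    was media corruption or tampering with the file should be investigated."""
    return [r for r in rows if r.check != "Passed"]


def summarize(rows: List[RecoveryRow]) -> Dict[str, Tuple[int, int]]:
    """Per-section (rows, failures) counts, suitable for a monitoring check."""
    out: Dict[str, Tuple[int, int]] = {}
    for r in rows:
        total, failed = out.get(r.section, (0, 0))
        out[r.section] = (total + 1, failed + int(r.check != "Passed"))
    return out


if __name__ == "__main__":
    parsed = parse_recover_output(SAMPLE_RECOVER_OUTPUT)
    for row in integrity_failures(parsed):
        print(f"integrity failure: {row.section} {row.name} -> {row.action}")
    print(summarize(parsed))
```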


request system decrypt password

Supported Platforms SRX Series

Syntax request system decrypt password

Release Information Statement introduced in Junos OS Release 15.1X49-D50.

Description Use this command to display plain-text versions of obfuscated ($9$) or encrypted ($8$) passwords. If
the password was encrypted using the newer $8$ method, you are prompted for the master
password.

Options • decrypt—Decrypt a $8$-encrypted or $9$-encrypted password.

Required Privilege Level system

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output
// Decrypting a $9 password
user@host> request system decrypt password $9$ABC123
Plaintext password: mysecret

Sample Output
// Decrypting a $8 password
user@host> request system decrypt password $8$ABC123
Master password:
Plaintext password: mysecret
(Simple passwords like "mysecret" are discouraged. This is an example only.)
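The $9$ versus $8$ distinction matters for anyone who can read the configuration (backups, exported files, show configuration output): a $9$ value is recoverable without the master password, an $8$ value is not. The following is an added example, not Juniper code, that scans configuration text and reports which secrets are only $9$-obfuscated or plaintext and so are candidates for master-password ($8$) encryption. The keyword list, the constructed configuration excerpt and the treatment of $1$/$5$/$6$ login hashes are assumptions of the example.

```python
"""Classify secrets in Junos configuration text by how they are protected.

$9$ values are reversibly obfuscated (the device shows the plaintext with
'request system decrypt password' and no master password), $8$ values are
encrypted under the configured master password, and $1$/$5$/$6$ values are
one-way crypt hashes used only for login authentication (assumed here)."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    keyword: str
    kind: str      # "obfuscated", "encrypted", "hashed" or "plaintext"
    preview: str   # prefix only; a report must never echo the full secret


# Configuration keywords followed by a quoted secret (assumed list; extend as needed).
SECRET_RE = re.compile(
    r'\b(encrypted-password|pre-shared-key ascii-text|authentication-key|secret|password)'
    r'\s+"([^"]*)"'
)

# Constructed configuration excerpt; the values are placeholders, not real $9$/$8$ strings.
SAMPLE_CONFIG = """\
system {
    root-authentication {
        encrypted-password "$6$constructedhash"; ## SECRET-DATA
    }
    radius-server 192.0.2.10 secret "$9$constructed9value"; ## SECRET-DATA
    tacplus-server 192.0.2.11 secret "$8$constructed8value"; ## SECRET-DATA
}
security {
    ike {
        policy ike-pol {
            pre-shared-key ascii-text "$9$constructed9psk"; ## SECRET-DATA
        }
    }
}
protocols {
    bgp {
        group peers {
            authentication-key "template-value-not-yet-committed";
        }
    }
}
"""


def classify_secret(value: str) -> str:
    """Map a Junos secret value to its protection class by prefix."""
    if value.startswith("$9$"):
        return "obfuscated"
    if value.startswith("$8$"):
        return "encrypted"
    if re.match(r"^\$(1|5|6)\$", value):
        return "hashed"
    return "plaintext"


def audit_config(text: str) -> List[Finding]:
    """Find every quoted secret after a known keyword and classify it."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SECRET_RE.finditer(line):
            keyword, value = m.group(1), m.group(2)
            # Keep only the 3-character prefix so the report itself is not a secret leak.
            findings.append(Finding(line_no, keyword, classify_secret(value), value[:3] + "..."))
    return findings


def needs_master_password(findings: List[Finding]) -> List[Finding]:
    """Secrets that are recoverable by anyone who can read the configuration."""
    return [f for f in findings if f.kind in ("obfuscated", "plaintext")]


if __name__ == "__main__":
    for f in needs_master_password(audit_config(SAMPLE_CONFIG)):
        print(f"line {f.line_no}: {f.keyword} {f.preview} is {f.kind}; consider $8$ encryption")
```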


request system download abort

Supported Platforms EX Series, SRX Series, vSRX

Syntax request system download abort <download-id>

Release Information Command introduced in Junos OS Release 11.2 for SRX300, SRX320, SRX340, SRX345,
and SRX550M devices.
Command introduced in Junos OS Release 13.2X50-D15 for EX Series switches.

Description Abort a download. The download instance is stopped and cannot be resumed. Any
partially downloaded file is automatically deleted to free disk space. Information regarding
the download is retained and can be displayed with the show system download command
until a request system download clear operation is performed.

NOTE: Only downloads in the active, paused, and error states can be aborted.

Options download-id—(Required) The ID number of the download to be aborted.

Required Privilege Level maintenance

Related Documentation • request system download start on page 695

• request system download pause on page 693

• request system download resume on page 694

• request system download clear on page 692

List of Sample Output request system download abort on page 691

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

request system download abort


user@host> request system download abort 1
Aborted download #1


request system download clear

Supported Platforms EX Series, SRX Series, vSRX

Syntax request system download clear

Release Information Command introduced in Junos OS Release 11.2 for SRX300, SRX320, SRX340, SRX345,
and SRX550M devices.
Command introduced in Junos OS Release 13.2X50-D15 for EX Series switches.

Description Delete the history of completed and aborted downloads.

Required Privilege Level maintenance

Related Documentation • request system download start on page 695

• request system download pause on page 693

• request system download resume on page 694

• request system download abort on page 691

List of Sample Output request system download clear on page 692

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

request system download clear


user@host> request system download clear
Cleared information on completed and aborted downloads


request system download pause

Supported Platforms EX Series, SRX Series, vSRX

Syntax request system download pause <download-id>

Release Information Command introduced in Junos OS Release 11.2 for SRX300, SRX320, SRX340, SRX345,
and SRX550M devices.
Command introduced in Junos OS Release 13.2X50-D15 for EX Series switches.

Description Suspend a particular download instance.

NOTE: Only downloads in the active state can be paused.

Options download-id—(Required) The ID number of the download to be paused.

Required Privilege Level maintenance

Related Documentation • request system download start on page 695

• request system download resume on page 694

• request system download abort on page 691

• request system download clear on page 692

List of Sample Output request system download pause on page 693

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

request system download pause


user@host> request system download pause 1
Paused download #1


request system download resume

Supported Platforms EX Series, LN Series, SRX Series

Syntax request system download resume download-id <max-rate>

Release Information Command introduced in Junos OS Release 11.2 for SRX300, SRX320, SRX340, SRX345,
and SRX550M devices.
Command introduced in Junos OS Release 13.2X50-D15 for EX Series switches.

Description Resume a download that has been paused. Download instances that are not in progress
because of an error or that have been explicitly paused by the user can be resumed by
the user. The file will continue downloading from the point where it paused. By default,
the download resumes with the same bandwidth specified with the request system
download start command. The user can optionally specify a new (maximum) bandwidth
with the request system download resume command.

NOTE: Only downloads in the paused and error states can be resumed.

Options download-id—(Required) The ID number of the download to be resumed.

max-rate—(Optional) The maximum bandwidth for the download.

Required Privilege Level maintenance

Related Documentation • request system download start on page 695

• request system download pause on page 693

• request system download abort on page 691

• request system download clear on page 692

List of Sample Output request system download resume on page 694

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

request system download resume


user@host> request system download resume 1
Resumed download #1


request system download start

Supported Platforms EX Series, LN Series, SRX Series, vSRX

Syntax request system download start (sftp-url | delay | identity-file | login | max-rate | passphrase | save as)

Release Information Command introduced in Junos OS Release 11.2 for SRX300, SRX320, SRX340, SRX345,
and SRX550M devices.
Command introduced in Junos OS Release 13.2X50-D15 for EX Series switches.

Description Create a download instance and identify it with a unique integer called the download ID.

Options sftp-url—(Required) The FTP or HTTP URL location of the file to be downloaded securely.

delay—(Optional) The number of hours after which the download should start (range
from 1 through 48 hours).

identity-file—(Required) The name of the identity (key) file used to authenticate the Secure FTP (SFTP) download.
SFTP in smart download uses public key authentication to authenticate a download request:
generate a public/private key pair before starting a download, and upload the public key
to the SFTP server.

login—(Optional) The username and password for the server in the format
username:password.

max-rate—(Optional) The maximum average bandwidth for the download. Numbers with the suffix k or K, m or M, and g or G are interpreted as Kbps, Mbps, or Gbps, respectively.

passphrase—(Required) The passphrase to protect the private key file stored on the file
system. This option does not allow the user to enter a weak passphrase, which ensures
stronger security.

save-as—(Optional) The filename to be used for saving the file in the /var/tmp location.

Required Privilege Level maintenance

Related Documentation • request system download pause on page 693

• request system download resume on page 694

• request system download abort on page 691

• request system download clear on page 692

List of Sample Output request system download start on page 696


Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

request system download start


user@host> request system download start identity-file mytestkey
sftp://mysftpserver/homes/kelly/test.tgz max-rate 200 save as newfile.tgz
Starting download #8


request system firmware upgrade

Supported Platforms SRX Series, vSRX

Syntax request system firmware upgrade

Release Information Command introduced in Junos OS Release 10.2.

Description Upgrade firmware on a system.

Options fpc—Upgrade FPC ROM monitor.

pic—Upgrade PIC firmware.

re—Upgrade baseboard BIOS/FPGA. There is an active BIOS image and a backup BIOS
image.

vcpu—Upgrade VCPU ROM monitor.

Required Privilege Level maintenance

Related Documentation • request system license update on page 698

List of Sample Output request system firmware upgrade on page 697

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

request system firmware upgrade


user@host> request system firmware upgrade re bios
Part              Type            Tag  Current  Available  Status
                                       version  version
Routing Engine 0  RE BIOS         0    1.5      1.9        OK
Routing Engine 0  RE BIOS Backup  1    1.7      1.9        OK
Perform indicated firmware upgrade ? [yes,no] (no) yes

user@host> request system firmware upgrade re bios backup
Part              Type            Tag  Current  Available  Status
                                       version  version
Routing Engine 0  RE BIOS         0    1.5      1.9        OK
Routing Engine 0  RE BIOS Backup  1    1.7      1.9        OK
Perform indicated firmware upgrade ? [yes,no] (no) yes


request system license update

Supported Platforms SRX Series, vSRX

Syntax request system license update

Release Information Command introduced in Junos OS Release 9.5.

Description Start autoupdating license keys from the LMS server.

Options trial—Starts autoupdating trial license keys from the LMS server.

Required Privilege Level maintenance

Related Documentation • show system license (View) on page 754

List of Sample Output request system license update on page 698
request system license update trial on page 698

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

request system license update


user@host> request system license update

Trying to update license keys from https://ae1.juniper.net has been sent, use
show system license to check status.

request system license update trial


user@host> request system license update trial

Request to automatically update trial license keys from https://ae1.juniper.net
has been sent, use show system license to check status.


request system power-off fpc

Supported Platforms SRX Series

Syntax request system (halt | power-off | reboot) power-off fpc

Release Information Command introduced in Junos OS Release 11.4.

Description Bring Flexible PIC Concentrators (FPCs) offline before Routing Engines are shut down.

Options • halt—Bring FPC offline and then halt the system.

• power-off—Bring FPC offline and then power off the system.

• reboot—Bring FPC offline and then reboot the system.

Required Privilege Level maintenance

Related Documentation • request system reboot on page 706

List of Sample Output request system halt power-off fpc on page 699
request system power-off power-off fpc on page 699
request system reboot power-off fpc on page 699

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

request system halt power-off fpc


user@host> request system halt power-off fpc
Halt the system ? [yes,no] (no) yes

Offline fpc slot 0

request system power-off power-off fpc


user@host> request system power-off power-off fpc
Power off the system ? [yes,no] (no) yes

Offline fpc slot 0

request system reboot power-off fpc


user@host> request system reboot power-off fpc
Reboot the system ? [yes,no] (no) yes

Offline fpc slot 0


request system services dhcp

Supported Platforms SRX Series, vSRX

Syntax request system services dhcp (release interface-name | renew interface-name)

Release Information Command introduced in Junos OS Release 8.5.

Description Release or renew the acquired IP address for a specific interface.

To view the status of the Dynamic Host Configuration Protocol (DHCP) clients on the
specified interfaces, enter the show system services dhcp client interface-name command.

Options • release interface-name —Clears other resources received earlier from the server, and
reinitializes the client state to INIT for the particular interface.

• renew interface-name —Reacquires an IP address from the server for the interface.
When you use this option, the command sends a discover message if the client state
is INIT and a renew request message if the client state is BOUND. For all other states
it performs no action.

Required Privilege Level maintenance

Related Documentation • dhcp

• show system services dhcp client on page 758

Output Fields This command produces no output.


request system snapshot (Maintenance)

Supported Platforms SRX Series, vSRX

Syntax request system snapshot
<factory>
<media (compact-flash | hard-disk | internal | usb)>
<node (all | local | node-id | primary)>
<partition>
<slice (alternate)>

Release Information Command introduced in Junos OS Release 10.2.

Description Back up the currently running and active file system partitions on the device.

Options • factory— (Optional) Specifies that only the files shipped from the factory are included
in the snapshot.

• media—(Optional) Specify the media to be included in the snapshot:

• compact-flash—Copy the snapshot to the CompactFlash card.

• hard-disk— Copy the snapshot to the hard disk.

• usb— Copy the snapshot to the USB storage device.

• internal— Copies the snapshot to internal media. This is the default.

NOTE: USB option is available on all SRX series devices; hard disk and
compact-flash options are available only on SRX5800, SRX5600, and
SRX5400 devices; media internal option is available only on SRX300,
SRX320, SRX340, SRX345, and SRX550M devices.

• external— Copies the snapshot to an external storage device. This option is available
for the compact flash on the SRX650 Services Gateway.

• node—(Optional) Specify the archive data and executable areas of a specific node.

• node-id—Specify for node (0, 1).

• all—Specify for all nodes.

• local—Specify for local nodes.

• primary—Specify for primary nodes.

• partition—(Default) Specify that the target media should be repartitioned before the
backup is saved to it.


NOTE: The target media is partitioned whether or not it is specified in the command, because this is a mandatory option.

Example: request system snapshot media usb partition

Example: request system snapshot media usb partition factory

• slice—(Optional) Take a snapshot of the root partition the system has currently booted
from to another slice in the same media.

• alternate—(Optional) Store the snapshot on the other root partition in the system.

NOTE: The slice option cannot be used along with the other request system
snapshot options, because the options are mutually exclusive. If you use
the factory, media, or partition option, you cannot use the slice option; if
you use the slice option, you cannot use any of the other options.

Required Privilege Level maintenance

Related Documentation • Backing Up the Current Installation (SRX Series Devices)

List of Sample Output request system snapshot media hard-disk on page 702
request system snapshot media usb (when usb device is missing) on page 702
request system snapshot media compact-flash on page 703
request system snapshot partition on page 703

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

request system snapshot media hard-disk


user@host> request system snapshot media hard-disk
Verifying compatibility of destination media partitions...
Running newfs (880MB) on hard-disk media / partition (ad2s1a)...
Running newfs (98MB) on hard-disk media /config partition (ad2s1e)...
Copying '/dev/ad0s1a' to '/dev/ad2s1a' .. (this may take a few minutes)
...

request system snapshot media usb (when usb device is missing)


user@host> request system snapshot media usb
Verifying compatibility of destination media partitions...
Running newfs (254MB) on usb media / partition (da1s1a)...
Running newfs (47MB) on usb media /config partition (da1s1e)...


Copying '/dev/da0s2a' to '/dev/da1s1a' .. (this may take a few minutes)
Copying '/dev/da0s2e' to '/dev/da1s1e' .. (this may take a few minutes)
The following filesystems were archived: / /config

request system snapshot media compact-flash


user@host> request system snapshot media compact-flash
error: cannot snapshot to current boot device

request system snapshot partition


user@host> request system snapshot partition
Verifying compatibility of destination media partitions...
Running newfs (439MB) on internal media / partition (da0s1a)...
Running newfs (46MB) on internal media /config partition (da0s1e)...
Copying '/dev/da1s1a' to '/dev/da0s1a' .. (this may take a few minutes)
Copying '/dev/da1s1e' to '/dev/da0s1e' .. (this may take a few minutes)
The following filesystems were archived: / /config


request system software abort in-service-upgrade (ICU)

Supported Platforms SRX Series, vSRX

Syntax request system software abort in-service-upgrade

Release Information Command introduced in Junos OS Release 11.2 for SRX300, SRX320, SRX340, SRX345,
and SRX550M devices.

Description Abort an in-band cluster upgrade (ICU). This command must be issued from a router
session other than the one on which you issued the request system in-service-upgrade
command that launched the ICU. If an ICU is in progress, this command aborts it. If the
node is being upgraded, this command will cancel the upgrade. The command is also
helpful in recovering the node in case of a failed ICU.

Options This command has no options.

Required Privilege Level view

Related Documentation • request system software in-service-upgrade (Maintenance)

List of Sample Output request system software abort in-service-upgrade on page 704

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

request system software abort in-service-upgrade


user@host> request system software abort in-service-upgrade
In-Service-Upgrade aborted


request system software add (Maintenance)

Supported Platforms SRX Series, vSRX

Syntax request system software add package-name

Release Information Partition option introduced in the command in Junos OS Release 10.1.

Description Install the new software package on the device, for example: request system software
add junos-srxsme-10.0R2-domestic.tgz no-copy no-validate partition reboot.

Options • delay-restart—Install the software package but do not restart the software process.

• best-effort-load—Activate a partial load and treat parsing errors as warnings instead of errors.

• no-copy—Install the software package but do not save copies of the package files.

• no-validate—Do not check compatibility with the current configuration before installation starts.

• partition—Format and re-partition the media before installation.

• reboot—Reboot the device after installation is completed.

• unlink—Remove the software package after successful installation.

• validate—Check compatibility with the current configuration before installation starts.

Required Privilege Level maintenance

Related Documentation • request system reboot on page 706


request system reboot

Supported Platforms SRX Series, vSRX

Syntax request system reboot <at time> <in minutes> <media> <message "text">

Release Information Command introduced in Junos OS Release 10.1.
Command hypervisor option introduced in Junos OS Release 15.1X49-D10 for vSRX.
Command introduced in Junos OS Release 15.1X49-D50 for SRX1500 devices.

Description Reboot the software.

Options • at time—(Optional) Specify the time at which to reboot the device. You can specify time in one of the following ways:

• now— Reboot the device immediately. This is the default.

• +minutes— Reboot the device in the number of minutes from now that you specify.

• yymmddhhmm— Reboot the device at the absolute time on the date you specify.
Enter the year, month, day, hour (in 24-hour format), and minute.

• hh:mm— Reboot the device at the absolute time you specify, on the current day.
Enter the time in 24-hour format, using a colon (:) to separate hours from minutes.

• in minutes—(Optional) Specify the number of minutes from now to reboot the device. This option is a synonym for the at +minutes option.

• media type—(Optional) Specify the boot device to boot the device from:

• disk/internal— Reboot from the internal media. This is the default.

• usb— Reboot from the USB storage device.

• compact flash— Reboot from the external CompactFlash card.

NOTE: The media command option is not available on vSRX.

• message "text"—(Optional) Provide a message to display to all system users before the device reboots.

Example: request system reboot at 5 in 50 media internal message stop

Required Privilege Level maintenance

Related Documentation • request system software rollback (SRX Series) on page 707


request system software rollback (SRX Series)

Supported Platforms SRX Series, vSRX

Syntax request system software rollback <node-id>

Release Information Command introduced in Junos OS Release 10.1.
Command introduced in Junos OS Release 15.1X49-D50 for SRX1500 devices.

Description Revert to the software that was loaded by the last successful request system software
add command.

Options node-id—Identification number of the chassis cluster node. It can be 0 or 1.

Required Privilege Level maintenance

Related Documentation • request system reboot on page 706


request system zeroize

Supported Platforms SRX Series

Syntax request system zeroize <media>

Description Erases all configuration information and resets all key values. The command removes
all data files, including customized configuration and log files, by unlinking the files from
their directories.

The command removes all user-created files from the system including all plain-text
passwords, secrets, and private keys for SSH, local encryption, local authentication,
IPsec, RADIUS, TACACS+, and SNMP.

This command reboots the device and sets it to the factory default configuration. After
the reboot, you cannot access the device through the management Ethernet interface.
Log in through the console as root and start the Junos OS CLI by typing cli at the prompt.

Options media—(Optional) In addition to removing all configuration and log files, the media option
causes memory and the media to be scrubbed, removing all traces of any user-created
files. Every storage device attached to the system is scrubbed, including disks, flash
drives, removable USBs, and the like. The duration of the scrubbing process is
dependent on the size of the media being erased. As a result, the request system
zeroize media operation can take considerably more time than the request system
zeroize operation. However, the critical security parameters are all removed at the
beginning of the process.

NOTE: The media option is not supported on SRX5000 line devices.

Required Privilege Level Not applicable.

Related Documentation • request system reboot on page 706

• request system software rollback (SRX Series) on page 707

List of Sample Output request system zeroize on page 708

Sample Output

request system zeroize


user@host> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes


warning: zeroizing re0

Loading /boot/loader Consoles: serial port
BIOS driver C: is disk0
BIOS 607kB/2087552kB available memory

FreeBSD/i386 bootstrap loader, Revision 1.1
(builder@youcompany.com, Mon Mar 28 20:49:26 UTC 2011)
Loading /boot/defaults/loader.confg
/kernel text-0x837a60 data=0x46a78+0x9d44c syms=[0x4+0x8f38+0x4+0xca1ee]

Hit [Enter] to boot immediately, or space bar for command prompt.
Booting [/kernel]...
platform_early_bootinit: MAG Series Early Boot Initilaization
GDB: debug ports: sio
GDB: current port: sio
KDB: debugger backends: ddb gdb
KDB: current backend: ddb
Copyright (c) 1996-2011, Juniper Networks, Inc.
All rights resrved.
Copyright (c) 1992-2006 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
The Regents of the University of California. All rights reserved.
...
output truncated


restart (Reset)

Supported Platforms SRX Series, vSRX

Syntax restart
<application-identification |application-security |audit-process |commitd-service
|chassis-control | class-of-service |database-replication |datapath-trace-service |ddns
|dhcp |dhcp-service |dynamic-flow-capture |disk-monitoring |event-processing |
ethernet-connectivity-fault-management |ethernet-link-fault-management
|extensible-subscriber-services |fipsd |firewall |firewall-authentication-service
|general-authentication-service |gracefully |gprs-process |idp-policy |immediately
|interface-control | ipmi |ipsec-key-management |jflow-service |jnu-management
|jnx-wmicd-service |jsrp-service |kernel-replication |l2-learning |l2cpd-service |lacp
|license-service |logical-system-service |mib-process |mountd-service |named-service
|network-security |network-security-trace |nfsd-service |ntpd-service |pgm
|pic-services-logging |profilerd |pki-service |remote-operations |rest-api |routing |sampling
|sampling-route-record |scc-chassisd |secure-neighbor-discovery |security-intelligence
|security-log |services |service-deployment |simple-mail-client-service |soft |snmp
|static-routed |statistics-service |subscriber-management |subscriber-management-helper
|system-log-vital |tunnel-oamd |uac-service |user-ad-authentication |vrrp
|web-management >

Release Information Command introduced before Junos OS Release 9.2

Description Restart a Junos OS process.

CAUTION: Never restart a software process unless instructed to do so by a
customer support engineer. A restart might cause the router to drop calls
and interrupt transmission, resulting in possible loss of data.

Options • application-identification—(Optional) Restart the process that identifies an application
using intrusion detection and prevention (IDP) to allow or deny traffic based on
applications running on standard or nonstandard ports.

• application-security—(Optional) Restart the application security process.

• audit-process—(Optional) Restart the RADIUS accounting process that gathers
statistical data that can be used for general network monitoring, for analyzing and
tracking usage patterns, and for billing a user based upon the amount of time used or
the type of services accessed.

• chassis-control—(Optional) Restart the chassis management process.

• class-of-service—(Optional) Restart the class-of-service (CoS) process, which controls
the router's or switch's CoS configuration.

• commitd-service—(Optional) Restart the commit daemon (commitd) service.

• database-replication—(Optional) Restart the database replication process.

• datapath-trace-service—(Optional) Restart the packet path tracing process.

• ddns—(Optional) Restart the dynamic domain name system, which dynamically
updates IP addresses for registered domain names.

• dhcp—(Optional) Restart the software process for a Dynamic Host Configuration
Protocol (DHCP) server. A DHCP server allocates network IP addresses and delivers
configuration settings to client hosts without user intervention.

• dhcp-service—(Optional) Restart the Dynamic Host Configuration Protocol process.

• disk-monitoring—(Optional) Restart disk monitoring, which checks the health of the
hard disk drive on the Routing Engine.

• dynamic-flow-capture—(Optional) Restart the dynamic flow capture (DFC) process,
which controls DFC configurations on PIC3 monitoring services cards.

• ethernet-connectivity-fault-management—(Optional) Restart the process that provides
IEEE 802.1ag Operation, Administration, and Maintenance (OAM) connectivity fault
management (CFM) database information for CFM maintenance association end
points (MEPs) in a CFM session.

• ethernet-link-fault-management—(Optional) Restart the process that provides the
OAM link fault management (LFM) information for Ethernet interfaces.

• event-processing—(Optional) Restart the event process (eventd).

• extensible-subscriber-services—(Optional) Restart the extensible subscriber services
process.

• fipsd—(Optional) Restart the fipsd services.

• firewall—(Optional) Restart the firewall management process, which manages the
firewall configuration and accepts or rejects packets that are transiting an interface
on a router or switch.

• firewall-authentication-service—(Optional) Restart the firewall authentication service
process.

• general-authentication-service—(Optional) Restart the general authentication process.

• gprs-process—(Optional) Restart the General Packet Radio Service (GPRS) process.

• gracefully—(Optional) Restart the software process gracefully. This is the default
when neither immediately nor soft is specified.

• idp-policy—(Optional) Restart the intrusion detection and prevention (IDP) protocol
process.

• immediately—(Optional) Immediately restart the software process.

• interface-control—(Optional) Restart the interface process, which controls the router's
or switch's physical interface devices and logical interfaces.

• ipmi—(Optional) Restart the intelligent platform management interface process.

• ipsec-key-management—(Optional) Restart the IPsec key management process.

• jflow-service—(Optional) Restart jflow service process.

• jnu-management—(Optional) Restart jnu management process.


• jnx-wmicd-service—(Optional) Restart jnx wmicd service process.

• jsrp-service—(Optional) Restart the Juniper Services Redundancy Protocol (jsrpd)
process, which controls chassis clustering.

• kernel-replication—(Optional) Restart the kernel replication process, which replicates
the state of the backup Routing Engine when graceful Routing Engine switchover
(GRES) is configured.

• lacp—(Optional) Restart the Link Aggregation Control Protocol (LACP) process. LACP
provides a standardized means for exchanging information between partner systems
on a link. The LACP process allows link aggregation control instances to reach
agreement on the identity of the LAG to which a link belongs, moves the link to that
LAG, and enables the transmission and reception processes for the link to function in
an orderly manner.

• l2cpd-service—(SRX5400, SRX5600, and SRX5800 devices only) (Optional) Restart
the Layer 2 Control Protocol (L2CP) process, which enables features such as L2 protocol
tunneling and nonstop bridging.

• l2-learning—(Optional) Restart the Layer 2 (L2) address flooding and learning process.

• license-service—(Optional) Restart the feature license management process.

• logical-system-service—(Optional) Restart the logical system service process.

• mib-process—(Optional) Restart the MIB version II process, which provides the router's
MIB II agent.

• mountd-service—(Optional) Restart the service for Network File System (NFS) mount
requests.

• named-service—(Optional) Restart the DNS Server process, which is used by a router
or a switch to resolve hostnames into addresses.

• network-security—(Optional) Restart the network security process.

• network-security-trace—(Optional) Restart the network security trace process.

• nfsd-service—(Optional) Restart the remote NFS server process, which provides remote
file access for applications that need NFS-based transport.

• ntpd-service—(Optional) Restart the Network Time Protocol (NTP) process.

• pgm—(Optional) Restart the process that implements the Pragmatic General Multicast
(PGM) protocol for assisting in the reliable delivery of multicast packets.

• pic-services-logging—(Optional) Restart the logging process for some PICs. With this
process, also known as fsad (the file system access daemon), PICs send special logging
information to the Routing Engine for archiving on the hard disk.

• pki-service—(Optional) Restart the public key infrastructure (PKI) service process.

• profilerd—(Optional) Restart the profiler process.

• remote-operations—(Optional) Restart the remote operations process, which provides
the ping and traceroute MIBs.

• rest-api—(Optional) Restart the REST API process.


• routing—(Optional) Restart the routing protocol process (rpd).

• sampling—(Optional) Restart the sampling process, which performs packet sampling
based on particular input interfaces and various fields in the packet header.

• sampling-route-record—(Optional) Restart the sampling route record process.

• scc-chassisd—(Optional) Restart the scc chassisd process.

• secure-neighbor-discovery—(Optional) Restart the secure Neighbor Discovery Protocol
(NDP) process, which provides support for protecting NDP messages.

• security-intelligence—(Optional) Restart security intelligence process.

• security-log—(Optional) Restart the security log process.

• service-deployment—(Optional) Restart the service deployment process, which enables
Junos OS to work with the Session and Resource Control (SRC) software.

• services—(Optional) Restart a service.

• simple-mail-client-service—(Optional) Restart the simple mail client service process.

• snmp—(Optional) Restart the SNMP process, which enables the monitoring of network
devices from a central location and provides the router's or switch’s SNMP master
agent.

• static-routed—(Optional) Restart the static routed process.

• soft—(Optional) Reread and reactivate the configuration without completely restarting
the software processes. For example, BGP peers stay up and the routing table stays
constant. Omitting this option results in a graceful restart of the software process.

• statistics-service—(Optional) Restart the process that manages the Packet Forwarding
Engine statistics.

• subscriber-management—(Optional) Restart the subscriber management process.

• subscriber-management-helper—(Optional) Restart the subscriber management
helper process.

• system-log-vital—(Optional) Restart system log vital process.

• tunnel-oamd—(Optional) Restart the tunnel OAM process for L2 tunneled networks.

• uac-service—(Optional) Restart the Unified Access Control (UAC) process.

• user-ad-authentication—(Optional) Restart the user Active Directory (AD) authentication
process.

• vrrp—(Optional) Restart the Virtual Router Redundancy Protocol (VRRP) process,
which enables hosts on a LAN to make use of redundant routing platforms on that
LAN without requiring more than the static configuration of a single default route on
the hosts.

• web-management—(Optional) Restart the Web management process.

Required Privilege Level reset


Related Documentation • Restart Commands Overview on page 714

List of Sample Output restart interfaces on page 714

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

restart interfaces
user@host> restart interfaces
interfaces process terminated
interfaces process restarted

Restart Commands Overview

Supported Platforms SRX Series, vSRX

Use the restart operational commands to restart software processes on the device.
Operational commands are organized alphabetically.

Related Documentation • restart


show chassis routing-engine (View)

Supported Platforms SRX Series, vSRX

Syntax show chassis routing-engine

Release Information Command introduced in Junos OS Release 9.5.

Description Display the Routing Engine status of the chassis cluster.

Required Privilege Level view

Related Documentation • cluster (Chassis)
• request system snapshot (Maintenance) on page 701

List of Sample Output show chassis routing-engine (Sample 1 - SRX550M) on page 716
show chassis routing-engine (Sample 2 - vSRX) on page 716

Output Fields Table 17 on page 715 lists the output fields for the show chassis routing-engine command.
Output fields are listed in the approximate order in which they appear.

Table 17: show chassis routing-engine Output Fields


Field Name Field Description

Temperature Routing Engine temperature. (Not available for vSRX deployments.)

CPU temperature CPU temperature. (Not available for vSRX deployments.)

Total memory Total memory available on the system.

NOTE: Starting with Junos OS Release 15.1X49-D70, the method for calculating memory
utilization by a Routing Engine changed: inactive memory is now subtracted from the
total available memory and counted as free. The reported value for used memory is
therefore lower than in earlier releases.

Control plane memory Memory available for the control plane.

Data plane memory Memory reserved for data plane processing.

CPU utilization Current CPU utilization statistics on the control plane core.

User Current CPU utilization in user mode on the control plane core.

Background Current CPU utilization in nice mode on the control plane core.

Kernel Current CPU utilization in kernel mode on the control plane core.


Table 17: show chassis routing-engine Output Fields (continued)


Field Name Field Description

Interrupt Current CPU utilization in interrupt mode on the control plane core.

Idle Current CPU utilization in idle mode on the control plane core.

Model Routing Engine model.

Start time Routing Engine start time.

Uptime Length of time the Routing Engine has been up (running) since the last start.

Last reboot reason Reason for the last reboot of the Routing Engine.

Load averages The average number of threads waiting in the run queue or currently executing over 1-,
5-, and 15-minute periods.

Sample Output

show chassis routing-engine (Sample 1 - SRX550M)


user@host> show chassis routing-engine
Routing Engine status:
    Temperature                 38 degrees C / 100 degrees F
    CPU temperature             36 degrees C / 96 degrees F
    Total memory               512 MB Max   435 MB used ( 85 percent)
    Control plane memory       344 MB Max   296 MB used ( 86 percent)
    Data plane memory          168 MB Max   138 MB used ( 82 percent)
    CPU utilization:
      User                       8 percent
      Background                 0 percent
      Kernel                     4 percent
      Interrupt                  0 percent
      Idle                      88 percent
    Model                          RE-SRX5500-LOWMEM
    Serial ID                      AAAP8652
    Start time                     2009-09-21 00:04:54 PDT
    Uptime                         52 minutes, 47 seconds
    Last reboot reason             0x200:chassis control reset
    Load averages:                 1 minute   5 minute  15 minute
                                       0.12       0.15       0.10

Sample Output

show chassis routing-engine (Sample 2 - vSRX)


user@host> show chassis routing-engine
Routing Engine status:
    Total memory              1024 MB Max   358 MB used ( 35 percent)
    Control plane memory      1024 MB Max   358 MB used ( 35 percent)
    5 sec CPU utilization:
      User                       2 percent
      Background                 0 percent
      Kernel                     4 percent
      Interrupt                  6 percent
      Idle                      88 percent
    Model                          VSRX RE
    Start time                     2015-03-03 07:04:18 UTC
    Uptime                         2 days, 11 hours, 51 minutes, 11 seconds
    Last reboot reason             Router rebooted after a normal shutdown.
    Load averages:                 1 minute   5 minute  15 minute
                                       0.07       0.04       0.06
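The two samples above are easier to act on when a script parses them than when an operator reads them by eye. The following is an added example, not code from the guide: it turns the output into a dictionary and applies simple health thresholds. The threshold values (85 percent memory, 20 percent idle CPU, a 1-minute load average of 2.0) are assumptions chosen for illustration, and the sample text is copied from this page. One caveat follows from the NOTE in the table above: because Junos OS Release 15.1X49-D70 changed how used memory is computed, memory thresholds tuned on an earlier release should be re-baselined after upgrading.

```python
import re

# Constructed sample input, copied from the SRX550M output shown on this page.
SAMPLE_SRX550M = """\
Routing Engine status:
    Temperature                 38 degrees C / 100 degrees F
    CPU temperature             36 degrees C / 96 degrees F
    Total memory               512 MB Max   435 MB used ( 85 percent)
    Control plane memory       344 MB Max   296 MB used ( 86 percent)
    Data plane memory          168 MB Max   138 MB used ( 82 percent)
    CPU utilization:
      User                       8 percent
      Background                 0 percent
      Kernel                     4 percent
      Interrupt                  0 percent
      Idle                      88 percent
    Model                          RE-SRX5500-LOWMEM
    Serial ID                      AAAP8652
    Start time                     2009-09-21 00:04:54 PDT
    Uptime                         52 minutes, 47 seconds
    Last reboot reason             0x200:chassis control reset
    Load averages:                 1 minute   5 minute  15 minute
                                       0.12       0.15       0.10
"""

# Constructed sample input, copied from the vSRX output shown on this page.
SAMPLE_VSRX = """\
Routing Engine status:
    Total memory              1024 MB Max   358 MB used ( 35 percent)
    Control plane memory      1024 MB Max   358 MB used ( 35 percent)
    5 sec CPU utilization:
      User                       2 percent
      Background                 0 percent
      Kernel                     4 percent
      Interrupt                  6 percent
      Idle                      88 percent
    Model                          VSRX RE
    Start time                     2015-03-03 07:04:18 UTC
    Uptime                         2 days, 11 hours, 51 minutes, 11 seconds
    Last reboot reason             Router rebooted after a normal shutdown.
    Load averages:                 1 minute   5 minute  15 minute
                                       0.07       0.04       0.06
"""

MEM_RE = re.compile(r"^\s*(Total|Control plane|Data plane) memory\s+(\d+) MB Max\s+(\d+) MB used \(\s*(\d+) percent\)")
CPU_RE = re.compile(r"^\s*(User|Background|Kernel|Interrupt|Idle)\s+(\d+) percent\s*$")
LOAD_RE = re.compile(r"^\s*(\d+\.\d+)\s+(\d+\.\d+)\s+(\d+\.\d+)\s*$")
TEXT_RE = re.compile(r"^\s*(Model|Start time|Uptime|Last reboot reason)\s{2,}(.+?)\s*$")


def parse_routing_engine(text):
    """Turn 'show chassis routing-engine' output into a dictionary.
    Fields absent from the output (for example, temperatures on vSRX) are simply missing."""
    info = {"memory": {}, "cpu": {}, "load": None}
    for line in text.splitlines():
        m = MEM_RE.match(line)
        if m:
            region, total, used, pct = m.groups()
            info["memory"][region] = {"total_mb": int(total), "used_mb": int(used), "used_pct": int(pct)}
            continue
        m = CPU_RE.match(line)
        if m:
            info["cpu"][m.group(1)] = int(m.group(2))
            continue
        m = LOAD_RE.match(line)
        if m:
            info["load"] = tuple(float(v) for v in m.groups())
            continue
        m = TEXT_RE.match(line)
        if m:
            info[m.group(1)] = m.group(2)
    return info


def health_findings(info, mem_pct_max=85, idle_pct_min=20, load1_max=2.0):
    """Apply threshold checks; the threshold values are illustrative assumptions."""
    findings = []
    for region, mem in info["memory"].items():
        if mem["used_pct"] >= mem_pct_max:
            findings.append(f"{region} memory at {mem['used_pct']} percent (threshold {mem_pct_max})")
    idle = info["cpu"].get("Idle")
    if idle is not None and idle < idle_pct_min:
        findings.append(f"control plane CPU idle only {idle} percent")
    if info["load"] and info["load"][0] > load1_max:
        findings.append(f"1-minute load average {info['load'][0]} above {load1_max}")
    reason = info.get("Last reboot reason", "")
    if reason and "normal shutdown" not in reason:
        # A reset that was not an orderly shutdown deserves a look at the logs.
        findings.append(f"last reboot was not a normal shutdown: {reason}")
    return findings


if __name__ == "__main__":
    for name, sample in (("SRX550M", SAMPLE_SRX550M), ("vSRX", SAMPLE_VSRX)):
        print(name, health_findings(parse_routing_engine(sample)) or ["ok"])
```

Run against the two samples, the vSRX output produces no findings, while the SRX550M output trips the memory threshold on both the total and the control plane and reports the chassis control reset as a reboot that was not a normal shutdown.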


show cli authorization

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series, vSRX

Syntax show cli authorization

Release Information Command introduced before Junos OS Release 7.4.

Description Display the permissions for the current user.

user@host> show cli authorization
Current user: 'root' login: 'boojum' class '(root)'
Permissions:
admin -- Can view user accounts
admin-control-- Can modify user accounts
clear -- Can clear learned network info
configure -- Can enter configuration mode
control -- Can modify any config
edit -- Can edit full files
field -- Can use field debug commands
floppy -- Can read and write the floppy
interface -- Can view interface configuration
interface-control-- Can modify interface configuration
network -- Can access the network
reset -- Can reset/restart interfaces and daemons
routing -- Can view routing configuration
routing-control-- Can modify routing configuration
shell -- Can start a local shell
snmp -- Can view SNMP configuration
snmp-control-- Can modify SNMP configuration
system -- Can view system configuration
system-control-- Can modify system configuration
trace -- Can view trace file settings
trace-control-- Can modify trace file settings
view -- Can view current values and statistics
maintenance -- Can become the super-user
firewall -- Can view firewall configuration
firewall-control-- Can modify firewall configuration
secret -- Can view secret statements
secret-control-- Can modify secret statements
rollback -- Can rollback to previous configurations
security -- Can view security configuration
security-control-- Can modify security configuration
access -- Can view access configuration
access-control-- Can modify access configuration
view-configuration-- Can view all configuration (not including secrets)
flow-tap -- Can view flow-tap configuration
flow-tap-control-- Can modify flow-tap configuration
idp-profiler-operation-- Can Profiler data
pgcp-session-mirroring-- Can view pgcp session mirroring configuration
pgcp-session-mirroring-control-- Can modify pgcp session mirroring configuration
storage -- Can view fibre channel storage protocol configuration
storage-control-- Can modify fibre channel storage protocol configuration
all-control -- Can modify any configuration


Required Privilege Level view
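The permission flags printed by show cli authorization are what decide whether a login can read secrets, open a shell or rewrite the configuration, so they are worth auditing rather than just reading. The following is an added example, not code from the guide: it parses the listing above and compares the granted flags with the set a role is expected to hold. The flag list is copied from the sample output; the READ_ONLY_OPERATOR role and the HIGH_RISK reasons are assumptions made for illustration. The security point is that maintenance, shell, secret, secret-control, control, all-control and admin-control each amount to full control of the device, so any of them on an account that should only monitor is a finding.

```python
import re

# Constructed sample input: the listing printed above for a root-class user.
SAMPLE_AUTHORIZATION = """\
Current user: 'root' login: 'boojum' class '(root)'
Permissions:
    admin       -- Can view user accounts
    admin-control-- Can modify user accounts
    clear       -- Can clear learned network info
    configure   -- Can enter configuration mode
    control     -- Can modify any config
    edit        -- Can edit full files
    field       -- Can use field debug commands
    floppy      -- Can read and write the floppy
    interface   -- Can view interface configuration
    interface-control-- Can modify interface configuration
    network     -- Can access the network
    reset       -- Can reset/restart interfaces and daemons
    routing     -- Can view routing configuration
    routing-control-- Can modify routing configuration
    shell       -- Can start a local shell
    snmp        -- Can view SNMP configuration
    snmp-control-- Can modify SNMP configuration
    system      -- Can view system configuration
    system-control-- Can modify system configuration
    trace       -- Can view trace file settings
    trace-control-- Can modify trace file settings
    view        -- Can view current values and statistics
    maintenance -- Can become the super-user
    firewall    -- Can view firewall configuration
    firewall-control-- Can modify firewall configuration
    secret      -- Can view secret statements
    secret-control-- Can modify secret statements
    rollback    -- Can rollback to previous configurations
    security    -- Can view security configuration
    security-control-- Can modify security configuration
    access      -- Can view access configuration
    access-control-- Can modify access configuration
    view-configuration-- Can view all configuration (not including secrets)
    flow-tap    -- Can view flow-tap configuration
    flow-tap-control-- Can modify flow-tap configuration
    all-control -- Can modify any configuration
"""

HEADER_RE = re.compile(r"Current user: '(?P<user>[^']*)' login: '(?P<login>[^']*)' class '(?P<cls>[^']*)'")
PERM_RE = re.compile(r"^\s*(?P<flag>[a-z][a-z0-9-]*?)\s*--\s+(?P<desc>.+?)\s*$")

# Flags whose presence means the account can take over the device or read its
# secrets. The reasons paraphrase the descriptions in the listing above.
HIGH_RISK = {
    "maintenance": "can become the super-user",
    "shell": "can start a local shell and bypass CLI restrictions",
    "secret": "can view secret statements (keys, password hashes)",
    "secret-control": "can modify secret statements",
    "control": "can modify any configuration",
    "all-control": "can modify any configuration",
    "admin-control": "can modify user accounts",
}

# Assumed role definition: what a monitoring-only login class should carry.
READ_ONLY_OPERATOR = {"view", "view-configuration", "interface", "routing", "system",
                      "firewall", "security", "snmp", "trace", "access", "network"}


def parse_authorization(text):
    """Return (header dict, {flag: description}) from 'show cli authorization' output."""
    header, perms = {}, {}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            header = m.groupdict()
            continue
        m = PERM_RE.match(line)
        if m:
            perms[m.group("flag")] = m.group("desc")
    return header, perms


def audit_permissions(perms, expected):
    """Compare granted flags with the expected set for the role.
    Returns (high-risk extras with reasons, other extras, expected flags that are missing)."""
    granted = set(perms)
    extra = granted - expected
    high_risk = {f: HIGH_RISK[f] for f in sorted(extra) if f in HIGH_RISK}
    other = sorted(f for f in extra if f not in HIGH_RISK)
    missing = sorted(expected - granted)
    return high_risk, other, missing


if __name__ == "__main__":
    header, perms = parse_authorization(SAMPLE_AUTHORIZATION)
    high_risk, other, missing = audit_permissions(perms, READ_ONLY_OPERATOR)
    print(f"user {header['user']} class {header['cls']}: {len(perms)} flags")
    for flag, why in high_risk.items():
        print(f"  HIGH RISK {flag}: {why}")
    print("  other extras:", ", ".join(other) or "none")
    print("  missing:", ", ".join(missing) or "none")
```

Against the root listing the audit reports every high-risk flag as an unexpected extra, which is correct for root; the check earns its keep when run under a custom login class, where the same output shows whether the class grants more than its purpose requires.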


show dhcp client binding

Supported Platforms SRX Series, vSRX

Syntax show dhcp client binding
[<address> | interface <interface-name>]
routing-instance <routing-instance name>
[brief | detail | summary]

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Display the address bindings in the Dynamic Host Configuration Protocol (DHCP) client
table.

Options address—(Optional) Display DHCP binding information for a specific client identified by
one of the following entries:
• ip-address—The specified IP address.

• mac-address—The specified MAC address.

routing-instance <routing-instance name>—(Optional) Display DHCP binding information
for DHCP clients on the specified routing instance.

interface <interface-name>—(Optional) Perform this operation on the specified interface.

brief—(Optional) Display brief information about the active client bindings.

detail—(Optional) Display detailed client binding information.

summary—(Optional) Display a summary of DHCP client information.

Required Privilege Level view

Related Documentation • clear dhcp client binding on page 658

List of Sample Output show dhcp client binding on page 721

Output Fields Table 18 on page 720 lists the output fields for the show dhcp client binding command.
Output fields are listed in the approximate order in which they appear.

Table 18: show dhcp client binding Output Fields


Field Name Field Description

IP address IP address of the DHCP client.


Table 18: show dhcp client binding Output Fields (continued)


Field Name Field Description

Hardware address Hardware address of the DHCP client.

Server IP address of the DHCP server.

Expires Number of seconds in which the lease expires.

State State of the address binding table on the DHCP local server.

Interface Interface on which the request was received.

Lease Expires Date and time at which the client’s IP address lease expires.

Lease Expires in Number of seconds in which the lease expires.

Lease Start Date and time at which the client’s IP address lease started.

Vendor Identifier Vendor identifier.

Server Identifier IP address of the DHCP server.

Client IP Address IP address of the DHCP client.

Sample Output

show dhcp client binding


user@host> show dhcp client binding
2 clients, (2 bound, 0 init, 0 discover, 0 renew, 0 rebind)

IP address        Hardware address   Server          Expires     State      Interface
10.1.1.89         00:0a:12:00:12:12  10.1.1.1        348         BOUND      fe-0/0/1.0
20.1.1.90         00:0a:12:00:12:34  20.1.1.1        568         BOUND      fe-0/0/2.0

user@host> show dhcp client binding interface fe-0/0/1.0 detail
Client Interface: fe-0/0/1.0
Hardware address: 00:0a:12:00:12:12
State: BOUND
Lease Expires: 2010-09-16 14:45:41 UTC
Lease Expires in: 528 seconds
Lease Start: 2010-09-16 14:35:41 UTC
Vendor Identifier: ether
Server Identifier: 10.1.1.1
Client IP Address: 10.1.1.89
update server enabled

DHCP Options :
Name: name-server, Value: [ 10.209.194.131, 198.51.110.2, 192.0.2.3 ]
Name: server-identifier, Value: 10.1.1.1
Name: router, Value: [ 10.1.1.80 ]
Name: domain-name, Value: example-50

user@host> show dhcp client binding 10.1.1.89
IP address        Hardware address   Server          Expires     State      Interface
10.1.1.89         00:0a:12:00:12:12  10.1.1.1        348         BOUND      fe-0/0/1.0


show dhcp client statistics

Supported Platforms SRX Series, vSRX

Syntax show dhcp client statistics
<routing-instance routing-instance-name>

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Display Dynamic Host Configuration Protocol (DHCP) client statistics.

Options routing-instance routing-instance-name—(Optional) Display the statistics for DHCP clients
on the specified routing instance.

Required Privilege Level view

Related Documentation • clear dhcp client statistics on page 659

List of Sample Output show dhcp client statistics on page 724

Output Fields Table 19 on page 723 lists the output fields for the show dhcp client statistics command.
Output fields are listed in the approximate order in which they appear.

Table 19: show dhcp client statistics


Field Name Field Description

Packets dropped Number of packets discarded by the DHCP local server because
of errors. Only nonzero statistics appear in the Packets dropped
output. When all of the Packets dropped statistics are 0 (zero),
only the Total field appears.

Messages received Number of DHCP messages received.

• BOOTREPLY—Number of BOOTP protocol data units (PDUs) received
• DHCPOFFER—Number of DHCP PDUs of type OFFER received
• DHCPACK—Number of DHCP PDUs of type ACK received
• DHCPNAK—Number of DHCP PDUs of type NAK received
• DHCPFORCERENEW—Number of DHCP PDUs of type FORCERENEW received


Table 19: show dhcp client statistics (continued)


Field Name Field Description

Messages sent Number of DHCP messages sent.

• BOOTREQUEST—Number of BOOTP protocol data units (PDUs) transmitted
• DHCPDECLINE—Number of DHCP PDUs of type DECLINE transmitted
• DHCPDISCOVER—Number of DHCP PDUs of type DISCOVER transmitted
• DHCPREQUEST—Number of DHCP PDUs of type REQUEST transmitted
• DHCPINFORM—Number of DHCP PDUs of type INFORM transmitted
• DHCPRELEASE—Number of DHCP PDUs of type RELEASE transmitted
• DHCPRENEW—Number of DHCP PDUs of type RENEW transmitted
• DHCPREBIND—Number of DHCP PDUs of type REBIND transmitted

Sample Output

show dhcp client statistics


user@host> show dhcp client statistics
Packets dropped:
Total 0
Messages received:
BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0
DHCPFORCERENEW 0
Messages sent:
BOOTREQUEST 0
DHCPDECLINE 0
DHCPDISCOVER 0
DHCPREQUEST 0
DHCPINFORM 0
DHCPRELEASE 0
DHCPRENEW 0
DHCPREBIND 0


show dhcp relay binding

Supported Platforms SRX Series, vSRX

Syntax show dhcp relay binding
[<address> | interface <interface-name>]
routing-instance <routing-instance name>
[brief | detail | summary]

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Display the address bindings in the Dynamic Host Configuration Protocol (DHCP) relay
client table.

Options address—(Optional) Display DHCP binding information for a specific client identified by
one of the following entries:
• ip-address—The specified IP address.

• mac-address—The specified MAC address.

routing-instance <routing-instance name>—(Optional) Display DHCP binding information
on the specified routing instance.

interface <interface-name>—(Optional) Perform this operation on the specified interface.

brief—(Optional) Display brief information about the active client bindings.

detail—(Optional) Display detailed client binding information.

summary—(Optional) Display a summary of DHCP client information.

Required Privilege Level view

Related Documentation • clear dhcp relay binding on page 660

List of Sample Output show dhcp relay binding on page 726

Output Fields Table 20 on page 725 lists the output fields for the show dhcp relay binding command.
Output fields are listed in the approximate order in which they appear.

Table 20: show dhcp relay binding Output Fields


Field Name Field Description

IP address IP address of the DHCP client.


Table 20: show dhcp relay binding Output Fields (continued)


Field Name Field Description

Hardware address Hardware address of the DHCP client.

Request received on Interface on which the request was received.

Type Type of DHCP packet processing performed on the device.

Obtained at Date and time at which the client’s IP address lease started.

Expires at Date and time at which the client’s IP address lease expires.

State State of the address binding table on the DHCP local server.

Sample Output

show dhcp relay binding


user@host> show dhcp relay binding detail
IP address        Hardware address   Type    Lease expires             State
100.20.32.1       90:00:00:01:00:01  active  2007-01-17 11:38:47 PST   rebind
100.20.32.3       90:00:00:02:00:01  active  2007-01-17 11:38:41 PST   rebind
100.20.32.4       90:00:00:03:00:01  active  2007-01-17 11:38:01 PST   rebind
100.20.32.5       90:00:00:04:00:01  active  2007-01-17 11:38:07 PST   rebind
100.20.32.6       90:00:00:05:00:01  active  2007-01-17 11:38:47 PST   rebind

user@host> show dhcp relay binding 100.20.32.1
Active binding information:
IP address 100.20.32.1
Hardware address 90:00:00:01:00:01

Lease information:
Type DHCP
Obtained at 2007-01-17 11:28:47 PST
Expires at 2007-01-17 11:38:47 PST

user@host> show dhcp relay binding 100.20.32.1 detail
Active binding information:
IP address 100.20.32.1
Hardware address 90:00:00:01:00:01
Request received on fe-0/0/2.0, relayed by 100.20.32.2

Lease information:
Type DHCP
Obtained at 2007-01-17 11:28:47 PST
Expires at 2007-01-17 11:38:47 PST
State rebind


show dhcp relay statistics

Supported Platforms SRX Series, vSRX

Syntax show dhcp relay statistics
[<routing-instance>]

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Display Dynamic Host Configuration Protocol (DHCP) relay statistics.

Options routing-instance—(Optional) Display the DHCP relay statistics on the specified routing
instance.

Required Privilege Level view

Related Documentation • clear dhcp relay statistics on page 661

List of Sample Output show dhcp relay statistics on page 729

Output Fields Table 21 on page 728 lists the output fields for the show dhcp relay statistics command.
Output fields are listed in the approximate order in which they appear.

Table 21: show dhcp relay statistics


Field Name Field Description

Messages received Number of DHCP messages received.

• BOOTREQUEST—Number of BOOTP protocol data units (PDUs) received
• DHCPDECLINE—Number of DHCP PDUs of type DECLINE received
• DHCPDISCOVER—Number of DHCP PDUs of type DISCOVER received
• DHCPREQUEST—Number of DHCP PDUs of type REQUEST received
• DHCPINFORM—Number of DHCP PDUs of type INFORM received
• DHCPRELEASE—Number of DHCP PDUs of type RELEASE received

Messages sent Number of DHCP messages sent.

• BOOTREPLY—Number of BOOTP PDUs transmitted
• DHCPOFFER—Number of DHCP PDUs of type OFFER transmitted
• DHCPACK—Number of DHCP PDUs of type ACK transmitted
• DHCPNAK—Number of DHCP PDUs of type NAK transmitted
• DHCPFORCERENEW—Number of DHCP PDUs of type FORCERENEW transmitted


Sample Output

show dhcp relay statistics


user@host> show dhcp relay statistics
Messages received:
BOOTREQUEST 0
DHCPDECLINE 0
DHCPDISCOVER 0
DHCPINFORM 0
DHCPRELEASE 0
DHCPREQUEST 0

Messages sent:
BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0
DHCPFORCERENEW 0


show dhcp server binding

Supported Platforms SRX Series, vSRX

Syntax show dhcp server binding
[interface <interface name>]
<brief | detail | summary | verbose>
<ip-address | MAC address>
<routing-instance routing-instance-name>

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Display the address bindings in the client table on the Dynamic Host Configuration
Protocol (DHCP) local server.

Options interface <interface name>—(Optional) Display information about active client bindings
on the specified interface.

brief | detail | summary—(Optional) Display the specified level of output about active
client bindings. The default is brief, which produces the same output as show dhcp
server binding.

ip-address—Display DHCP binding information for a specific client identified by the
specified IP address.

MAC address—Display DHCP binding information for a specific client identified by the
specified MAC address.

routing-instance routing-instance-name—(Optional) Display information about active
client bindings for DHCP clients on the specified routing instance.

Required Privilege Level view

Related Documentation • clear dhcp server binding on page 662

List of Sample Output show dhcp server binding on page 731

Output Fields Table 22 on page 730 lists the output fields for the show dhcp server binding command.
Output fields are listed in the approximate order in which they appear.

Table 22: show dhcp server binding Output Fields


Field Name Field Description

IP address IP address of the DHCP client.


Table 22: show dhcp server binding Output Fields (continued)


Field Name Field Description

Hardware address Hardware address of the DHCP client.

Request received on Interface on which the request was received.

Type Type of DHCP packet processing performed on the device.

Obtained at Date and time at which the client’s IP address lease started.

Expires at Date and time at which the client’s IP address lease expires.

State State of the address binding table on the DHCP local server.

Sample Output

show dhcp server binding


user@host> show dhcp server binding 100.20.32.1 detail
Active binding information:
IP address 100.20.32.1
Hardware address 90:00:00:01:00:01
Request received on fe-0/0/2.0, relayed by 100.20.32.2

Lease information:
Type DHCP
Obtained at 2007-01-17 11:28:47 PST
Expires at 2007-01-17 11:38:47 PST
State rebind
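The binding tables printed by show dhcp client binding, show dhcp relay binding and show dhcp server binding share enough structure that one script can check all three. The following is an added example, not code from the guide. It runs two checks a security engineer would want from this data: on the client side, whether each lease came from a server in the trusted set (a lease from any other address means some other host answered the DISCOVER, which is how a rogue DHCP server shows up); on the relay and server side, whether each hardware address is known and whether the lease is about to expire. The rows are copied from the samples on this page; the trusted-server set, the known-MAC set, the reference time and the expiry window are assumptions. The CLI prints lease times in the device's local zone with only a zone abbreviation, so the reference time is passed as a plain timestamp string in that same zone rather than converted.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input: the brief listing from 'show dhcp client binding' on this page.
CLIENT_BINDINGS = """\
2 clients, (2 bound, 0 init, 0 discover, 0 renew, 0 rebind)

IP address        Hardware address   Server          Expires     State      Interface
10.1.1.89         00:0a:12:00:12:12  10.1.1.1        348         BOUND      fe-0/0/1.0
20.1.1.90         00:0a:12:00:12:34  20.1.1.1        568         BOUND      fe-0/0/2.0
"""

# Constructed sample input: the listing from 'show dhcp relay binding detail' on this page
# ('show dhcp server binding' prints the same columns).
SERVER_BINDINGS = """\
IP address        Hardware address   Type    Lease expires             State
100.20.32.1       90:00:00:01:00:01  active  2007-01-17 11:38:47 PST   rebind
100.20.32.3       90:00:00:02:00:01  active  2007-01-17 11:38:41 PST   rebind
100.20.32.4       90:00:00:03:00:01  active  2007-01-17 11:38:01 PST   rebind
100.20.32.5       90:00:00:04:00:01  active  2007-01-17 11:38:07 PST   rebind
100.20.32.6       90:00:00:05:00:01  active  2007-01-17 11:38:47 PST   rebind
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"

# Row of the client table: IP, MAC, server, seconds to expiry, state, interface.
CLIENT_ROW = re.compile(
    r"^\s*(?P<ip>" + IPV4 + r")\s+(?P<mac>" + MAC + r")\s+(?P<server>" + IPV4 + r")"
    r"\s+(?P<expires>\d+)\s+(?P<state>\S+)\s+(?P<ifname>\S+)\s*$")
# Row of the relay/server table: IP, MAC, type, lease expiry timestamp with zone, state.
SERVER_ROW = re.compile(
    r"^\s*(?P<ip>" + IPV4 + r")\s+(?P<mac>" + MAC + r")\s+(?P<type>\S+)"
    r"\s+(?P<expires>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<tz>\S+)\s+(?P<state>\S+)\s*$")


def parse_bindings(text):
    """Return one dict per binding row; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = CLIENT_ROW.match(line) or SERVER_ROW.match(line)
        if m:
            row = m.groupdict()
            row["mac"] = row["mac"].lower()
            rows.append(row)
    return rows


def leases_from_untrusted_servers(rows, trusted_servers):
    """Client-side check: a lease whose Server column is not a trusted address
    means another host answered the DISCOVER, i.e. a rogue DHCP server."""
    return [r for r in rows if r["server"] not in trusted_servers]


def review_server_bindings(rows, known_macs, now, window_seconds=300):
    """Relay/server-side check: unknown hardware addresses, and leases that expire
    within window_seconds of 'now' ('YYYY-MM-DD HH:MM:SS' in the device's local zone)."""
    known = {m.lower() for m in known_macs}
    now_dt = datetime.strptime(now, TIME_FMT)
    window = timedelta(seconds=window_seconds)
    unknown = [r for r in rows if r["mac"] not in known]
    expiring = [r for r in rows
                if datetime.strptime(r["expires"], TIME_FMT) - now_dt <= window]
    return unknown, expiring


if __name__ == "__main__":
    clients = parse_bindings(CLIENT_BINDINGS)
    for r in leases_from_untrusted_servers(clients, {"10.1.1.1"}):
        print(f"ROGUE SERVER? {r['ifname']}: lease {r['ip']} granted by {r['server']}")
    servers = parse_bindings(SERVER_BINDINGS)
    unknown, expiring = review_server_bindings(
        servers, {"90:00:00:01:00:01", "90:00:00:02:00:01"}, "2007-01-17 11:33:30")
    for r in unknown:
        print(f"UNKNOWN CLIENT {r['mac']} holds {r['ip']} (state {r['state']})")
    for r in expiring:
        print(f"EXPIRING {r['ip']} at {r['expires']} {r['tz']}")
```

With the trusted-server set limited to 10.1.1.1, the lease on fe-0/0/2.0 from 20.1.1.1 is reported; with only the first two hardware addresses known, the other three clients are reported as unknown. All five relay rows are in state rebind, meaning the clients could not reach the server that granted the lease, which is itself worth noticing alongside the expiry check.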


show dhcp server statistics

Supported Platforms SRX Series, vSRX

Syntax show dhcp server statistics
<routing-instance>

Release Information Statement introduced in Junos OS Release 12.1X44-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Display Dynamic Host Configuration Protocol (DHCP) local server statistics.

Options routing-instance—(Optional) Display information about DHCP local server statistics on
the specified routing instance. If you do not specify a routing instance, statistics are
displayed for the default routing instance.

Required Privilege Level view

Related Documentation • clear dhcp server statistics on page 663

List of Sample Output show dhcp server statistics on page 733

Output Fields Table 23 on page 732 lists the output fields for the show dhcp server statistics command.
Output fields are listed in the approximate order in which they appear.

Table 23: show dhcp server statistics


Field Name Field Description

Packets dropped Number of packets discarded by the DHCP local server because of errors. Only nonzero statistics
appear in the Packets dropped output. When all of the Packets dropped statistics are 0 (zero), only
the Total field appears.

Messages received Number of DHCP messages received.

• BOOTREQUEST—Number of BOOTP protocol data units (PDUs) received
• DHCPDECLINE—Number of DHCP PDUs of type DECLINE received
• DHCPDISCOVER—Number of DHCP PDUs of type DISCOVER received
• DHCPREQUEST—Number of DHCP PDUs of type REQUEST received
• DHCPINFORM—Number of DHCP PDUs of type INFORM received
• DHCPRELEASE—Number of DHCP PDUs of type RELEASE received


Table 23: show dhcp server statistics (continued)


Field Name Field Description

Messages sent Number of DHCP messages sent.

• BOOTREPLY—Number of BOOTP PDUs transmitted
• DHCPOFFER—Number of DHCP PDUs of type OFFER transmitted
• DHCPACK—Number of DHCP PDUs of type ACK transmitted
• DHCPNAK—Number of DHCP PDUs of type NAK transmitted
• DHCPFORCERENEW—Number of DHCP PDUs of type FORCERENEW transmitted

Sample Output

show dhcp server statistics


user@host> show dhcp server statistics
Packets dropped:
Total 0

Messages received:
BOOTREQUEST 0
DHCPDECLINE 0
DHCPDISCOVER 0
DHCPINFORM 0
DHCPRELEASE 0
DHCPREQUEST 0

Messages sent:
BOOTREPLY 0
DHCPOFFER 0
DHCPACK 0
DHCPNAK 0
DHCPFORCERENEW 0


show dhcpv6 client binding

Supported Platforms SRX Series

Syntax show dhcpv6 client binding
<interface interface-name>
<routing-instance routing-instance-name>
<brief | detail | summary>

Release Information Statement introduced in Junos OS Release 12.1X45-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Display the address bindings in the Dynamic Host Configuration Protocol version 6
(DHCPv6) client table.

Options interface interface-name—(Optional) Perform this operation on the specified interface.

routing-instance routing-instance-name—(Optional) Display DHCPv6 binding information
for DHCPv6 clients on the specified routing instance.

brief—(Optional) Display brief information about the active client bindings.

detail—(Optional) Display detailed client binding information.

summary—(Optional) Display a summary of DHCPv6 client information.

Required Privilege Level view

Related Documentation • clear dhcpv6 client binding on page 664

List of Sample Output show dhcpv6 client binding on page 735

Output Fields Table 24 on page 734 lists the output fields for the show dhcpv6 client binding command.
Output fields are listed in the approximate order in which they appear.

Table 24: show dhcpv6 client binding Output Fields


Field Name Field Description

Hardware Address Hardware address of the DHCPv6 client.

State State of the DHCPv6 client’s address binding (for example, BOUND).

Lease Expires Date and time at which the client’s IP address lease expires.

Lease Expires in Number of seconds until the lease expires.


Table 24: show dhcpv6 client binding Output Fields (continued)


Field Name Field Description

Lease Start Date and time at which the client’s IP address lease started.

Client DUID The DHCPv6 client’s unique identifier.

Bind type The bind type.

Client Type The type of DHCPv6 client. The client type can be autoconfig or stateful.

Rapid Commit Whether the Rapid Commit two-message exchange option is used for address assignment (On or Off).

Server IP Address IP address of the DHCPv6 server.

Client IP Address IP address of the DHCPv6 client.

Sample Output

show dhcpv6 client binding


user@host> show dhcpv6 client binding
IP prefix Expires ClientType State Interface Client DUID
2001:db8::b2b7:8631:d968:8d5e/128 96 STATEFUL BOUND ge-0/0/1.0
LL_TIME0x3-0x0-2c:6b:f5:62:39:c1

user@host> show dhcpv6 client binding detail


Client Interface: ge-0/0/1.0
Hardware Address: 2c:6b:f5:62:39:c1
State: BOUND(DHCPV6_CLIENT_STATE_BOUND)
Lease Expires: 2012-08-07 15:52:19 UTC
Lease Expires in: 116 seconds
Lease Start: 2012-08-07 15:50:19 UTC
Client DUID VENDOR0x00000583-0x3000103f
Bind Type: IA_NA
ClientType : STATEFUL
Rapid Commit Off
Server Ip Address: fe80::230:48ff:fe5d:5bf7
Client IP Address: 2001:db8::655b:3c80:2deb:1a3/128

DHCP options:
Name: server-identifier, Value: LL_TIME0x1-0x17acddab-00:30:48:5d:5b:f7
Name: vendor-opts, Value: 000005830002aaaa
Name: sip-server-list, Value: 2000::300 2000::302 2000::303 2000::304
Name: dns-recursive-server, Value: 2000::ff 2000::fe
Name: domain-search-list, Value: 076578616d706c6503636f6d00


show dhcpv6 client statistics

Supported Platforms SRX Series

Syntax show dhcpv6 client statistics
<routing-instance routing-instance-name>

Release Information Statement introduced in Junos OS Release 12.1X45-D10 for SRX300, SRX320, SRX340,
SRX345, SRX550M, and SRX1500 devices.

Description Display Dynamic Host Configuration Protocol version 6 (DHCPv6) client statistics.

Options routing-instance routing-instance-name—(Optional) Display the statistics for DHCPv6
clients on the specified routing instance.

Required Privilege Level view

Related Documentation • clear dhcpv6 client statistics on page 665

List of Sample Output show dhcpv6 client statistics on page 737

Output Fields Table 25 on page 736 lists the output fields for the show dhcpv6 client statistics command.
Output fields are listed in the approximate order in which they appear.

Table 25: show dhcpv6 client statistics Output Fields


Field Name Field Description

Dhcpv6 Packets dropped Number of packets discarded by the DHCPv6 client because of errors.
Only nonzero statistics appear in the Dhcpv6 Packets dropped output. When all of the
Packets dropped statistics are 0 (zero), only the Total field appears.


Table 25: show dhcpv6 client statistics Output Fields (continued)


Field Name Field Description

Messages sent Number of DHCPv6 messages sent.

• DHCPV6_DECLINE—Number of DHCPv6 PDUs of type DECLINE transmitted
• DHCPV6_SOLICIT—Number of DHCPv6 PDUs of type SOLICIT transmitted
• DHCPV6_INFORMATION_REQUEST—Number of DHCPv6 PDUs of type INFORMATION-REQUEST transmitted
• DHCPV6_RELEASE—Number of DHCPv6 PDUs of type RELEASE transmitted
• DHCPV6_REQUEST—Number of DHCPv6 PDUs of type REQUEST transmitted
• DHCPV6_CONFIRM—Number of DHCPv6 PDUs of type CONFIRM transmitted
• DHCPV6_RENEW—Number of DHCPv6 PDUs of type RENEW transmitted
• DHCPV6_REBIND—Number of DHCPv6 PDUs of type REBIND transmitted

Messages received Number of DHCPv6 messages received.

• DHCPV6_ADVERTISE—Number of DHCPv6 PDUs of type ADVERTISE received
• DHCPV6_REPLY—Number of DHCPv6 PDUs of type REPLY received
• DHCPV6_RECONFIGURE—Number of DHCPv6 PDUs of type RECONFIGURE received

Sample Output

show dhcpv6 client statistics


user@host> show dhcpv6 client statistics
Dhcpv6 Packets dropped:
Total 0

Messages sent:
DHCPV6_DECLINE 0
DHCPV6_SOLICIT 3
DHCPV6_INFORMATION_REQUEST 6
DHCPV6_RELEASE 1
DHCPV6_REQUEST 2
DHCPV6_CONFIRM 0
DHCPV6_RENEW 0
DHCPV6_REBIND 0

Messages received:
DHCPV6_ADVERTISE 3
DHCPV6_REPLY 3
DHCPV6_RECONFIGURE 0


show dhcpv6 server binding (View)

Supported Platforms SRX Series

Syntax show dhcpv6 server binding
<brief | detail | summary>
<interface interface-name>
<routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 10.4.

Description Display the address bindings in the client table for the DHCPv6 local server.

Options • brief | detail | summary—(Optional) Display the specified level of output about active
client bindings. The default is brief, which produces the same output as show dhcpv6
server binding.

• interface interface-name—(Optional) Display information about active client bindings
on the specified interface.

• routing-instance routing-instance-name—(Optional) Display information about active
client bindings for DHCPv6 clients on the specified routing instance.

Required Privilege Level view

Related Documentation • clear dhcpv6 server binding (Local Server) on page 666

List of Sample Output show dhcpv6 server binding on page 740
show dhcpv6 server binding detail on page 740
show dhcpv6 server binding interface on page 741
show dhcpv6 server binding interface detail on page 741
show dhcpv6 server binding prefix on page 741
show dhcpv6 server binding session-id on page 741
show dhcpv6 server binding summary on page 741

Output Fields Table 26 on page 739 lists the output fields for the show dhcpv6 server binding command.
Output fields are listed in the approximate order in which they appear.


Table 26: show dhcpv6 server binding Output Fields

Field Name Field Description Level of Output

number clients, (number init, number bound, number selecting, number requesting, number renewing, number releasing) Summary counts of the total number of DHCPv6 clients and the number of DHCPv6 clients in each state. summary

Prefix Client’s DHCPv6 prefix. brief, detail

Session Id Session ID of the subscriber session. brief, detail

Expires Number of seconds in which the lease expires. brief, detail

State State of the address binding table on the DHCPv6 local server: brief, detail
• BOUND—Client has an active IP address lease.
• INIT—Initial state.
• RELEASE—Client is releasing its IP address lease.
• RECONFIGURE—Client has received a reconfigure message from the server.
• RENEWING—Client is sending a request to renew its IP address lease.
• REQUESTING—Client is requesting an address from a DHCPv6 server.
• SELECTING—Client is receiving offers from DHCPv6 servers.

Interface Interface on which the DHCPv6 request was received. brief

Client DUID Client’s DHCP Unique Identifier (DUID). brief

Lease expires Date and time at which the client’s IP address lease expires. detail

Lease expires in Number of seconds in which the lease expires. detail

Lease Start Date and time at which the client’s address lease was obtained. detail

Incoming Client Interface Client’s incoming interface. detail

Server IP Address IP address of the DHCPv6 server. detail

Server Interface Interface of the DHCPv6 server. detail

Client Id length Length of the DHCPv6 client ID, in bytes. detail

Client Id ID of the DHCPv6 client. detail


Table 26: show dhcpv6 server binding Output Fields (continued)


Field Name Field Description Level of Output

Server Id ID type and ID of the DHCPv6 server. detail

Sample Output

show dhcpv6 server binding


user@host> show dhcpv6 server binding

Prefix Session Id Expires State Interface Client DUID


2001:bd8:1111:2222::/64 6 86321 BOUND ge-1/0/0.0
LL_TIME0x1-0x2e159c0-00:10:94:00:00:01
2001:bd8:1111:2222::/64 7 86321 BOUND ge-1/0/0.0
LL_TIME0x1-0x2e159c0-00:10:94:00:00:02
2001:bd8:1111:2222::/64 8 86321 BOUND ge-1/0/0.0
LL_TIME0x1-0x2e159c0-00:10:94:00:00:03
2001:bd8:1111:2222::/64 9 86321 BOUND ge-1/0/0.0
LL_TIME0x1-0x2e159c1-00:10:94:00:00:04
2001:bd8:1111:2222::/64 10 86321 BOUND ge-1/0/0.0
LL_TIME0x1-0x2e159c1-00:10:94:00:00:05

show dhcpv6 server binding detail


user@host> show dhcpv6 server binding detail
Session Id: 6
Client IPv6 Prefix: 2001:bd8:1111:2222::/64
Client DUID: LL_TIME0x1-0x2e159c0-00:10:94:00:00:01

State: BOUND(bound)
Lease Expires: 2009-07-21 10:41:15 PDT
Lease Expires in: 86308 seconds
Lease Start: 2009-07-20 10:41:15 PDT
Incoming Client Interface: ge-1/0/0.0
Server Ip Address: 0.0.0.0
Server Interface: none
Client Id Length: 14
Client Id:
/0x00010001/0x02e159c0/0x00109400/0x0001
Server Id:
<VENDOR 2198142976/4a4e313132414343374146430000000000000000>

Session Id: 7
Client IPv6 Prefix: 2001:bd8:1111:2222::/64
Client DUID: LL_TIME0x1-0x2e159c0-00:10:94:00:00:02

State: BOUND(bound)
Lease Expires: 2009-07-21 10:41:15 PDT
Lease Expires in: 86308 seconds
Lease Start: 2009-07-20 10:41:15 PDT
Incoming Client Interface: ge-1/0/0.0
Server Ip Address: 0.0.0.0
Server Interface: none
Client Id Length: 14
Client Id:
/0x00010001/0x02e159c0/0x00109400/0x0002
Server Id:
<VENDOR 2198142976/4a4e313132414343374146430000000000000000>

show dhcpv6 server binding interface


user@host> show dhcpv6 server binding interface ge-1/0/0:10-101
Prefix Session Id Expires State Interface Client DUID
2001:bd8:1111:2222::/64 1 86055 BOUND ge-1/0/0.100
LL_TIME0x1-0x4b0a53b9-00:10:94:00:00:01

show dhcpv6 server binding interface detail


user@host> show dhcpv6 server binding interface ge-1/0/0:10-101 detail
Session Id: 7
Client IPv6 Prefix: 2001:bd8:1111:2222::/64
Client DUID: LL_TIME0x1-0x2e159c0-00:10:94:00:00:02

State: BOUND(bound)
Lease Expires: 2009-07-21 10:41:15 PDT
Lease Expires in: 86136 seconds
Lease Start: 2009-07-20 10:41:15 PDT
Incoming Client Interface: ge-1/0/0.0
Server Ip Address: 0.0.0.0
Server Interface: none
Client Id Length: 14
Client Id:
/0x00010001/0x02e159c0/0x00109400/0x0002
Server Id:
<VENDOR 2198142976/4a4e313132414343374146430000000000000000>

show dhcpv6 server binding prefix


user@host> show dhcpv6 server binding 14/0x00010001/0x02b3be8f/0x00109400/0x0005 detail
Session Id: 7
Client IPv6 Prefix: 2001:bd8:1111:2222::/64
Client DUID: LL_TIME0x1-0x2e159c0-00:10:94:00:00:02

State: BOUND(bound)
Lease Expires: 2009-07-21 10:41:15 PDT
Lease Expires in: 86136 seconds
Lease Start: 2009-07-20 10:41:15 PDT
Incoming Client Interface: ge-1/0/0.0
Server Ip Address: 0.0.0.0
Server Interface: none
Client Id Length: 14
Client Id:
/0x00010001/0x02e159c0/0x00109400/0x0002

show dhcpv6 server binding session-id


user@host> show dhcpv6 server binding 8
Prefix Session Id Expires State Interface Client DUID
2001:bd8:1111:2222::/64 8 86235 BOUND ge-1/0/0.0
LL_TIME0x1-0x2e159c0-00:10:94:00:00:03

show dhcpv6 server binding summary


user@host> show dhcpv6 server binding summary
5 clients, (0 init, 5 bound, 0 selecting, 0 requesting, 0 renewing, 0 releasing)
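The Client Id in the detail output above is the raw DUID as 14 bytes, and the Client DUID line is the same value pretty-printed; the show dhcpv6 client binding sample earlier on this page also shows a domain-search-list option as DNS wire-format hex. The following Python is an added example, not Junos code: it converts the Junos /0x... display form (with or without the leading byte count that the show dhcpv6 server binding argument carries) to bytes, decodes DUID-LLT, DUID-EN and DUID-LL as defined in RFC 8415 section 11, and decodes the domain list. The DUID-EN and DUID-LL byte strings used in testing are constructed from the page's VENDOR... and LL_TIME0x3... strings and are assumptions about their raw encoding.

```python
"""Decode DHCPv6 DUIDs and a domain-search-list from Junos show-output text.

Added example, not Junos code. Handles the three DUID forms of RFC 8415
section 11 that Junos renders as LL_TIME... and VENDOR... strings.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# DUID-LLT time is seconds since 2000-01-01 00:00:00 UTC, modulo 2**32.
DUID_EPOCH = datetime(2000, 1, 1, tzinfo=timezone.utc)


@dataclass
class Duid:
    duid_type: int                      # 1 = DUID-LLT, 2 = DUID-EN, 3 = DUID-LL
    hw_type: Optional[int] = None       # IANA hardware type (1 = Ethernet); LLT and LL
    llt_time: Optional[int] = None      # raw 32-bit time field; LLT only
    link_layer: Optional[str] = None    # colon-separated address; LLT and LL
    enterprise: Optional[int] = None    # IANA enterprise number; EN only
    identifier: Optional[bytes] = None  # vendor-assigned identifier; EN only

    def llt_timestamp(self) -> Optional[datetime]:
        """Wall-clock time at which a DUID-LLT was generated (None for other types)."""
        if self.llt_time is None:
            return None
        return DUID_EPOCH + timedelta(seconds=self.llt_time)


def client_id_to_bytes(text: str) -> bytes:
    """Convert the Junos display form '/0x00010001/0x02e159c0/0x00109400/0x0001',
    optionally prefixed with the byte count as in the command argument
    '14/0x00010001/0x02b3be8f/0x00109400/0x0005', to raw bytes."""
    m = re.fullmatch(r"\s*(\d+)?((?:/0x[0-9a-fA-F]+)+)\s*", text)
    if not m:
        raise ValueError(f"not a Junos client-id string: {text!r}")
    chunks = m.group(2).split("/")[1:]   # drop the empty string before the first '/'
    raw = b"".join(bytes.fromhex(c[2:]) for c in chunks)
    if m.group(1) is not None and int(m.group(1)) != len(raw):
        raise ValueError(f"declared length {m.group(1)} != actual {len(raw)} bytes")
    return raw


def _mac(b: bytes) -> str:
    if not b:
        raise ValueError("DUID has an empty link-layer address")
    return ":".join(f"{x:02x}" for x in b)


def decode_duid(raw: bytes) -> Duid:
    """Parse a raw DUID. Raises ValueError on truncated or unsupported input."""
    if len(raw) < 2:
        raise ValueError("DUID shorter than its 2-byte type field")
    duid_type = int.from_bytes(raw[:2], "big")
    if duid_type == 1:        # type(2) hw-type(2) time(4) link-layer(n)
        if len(raw) < 9:
            raise ValueError("DUID-LLT truncated")
        return Duid(1, hw_type=int.from_bytes(raw[2:4], "big"),
                    llt_time=int.from_bytes(raw[4:8], "big"), link_layer=_mac(raw[8:]))
    if duid_type == 2:        # type(2) enterprise-number(4) identifier(n)
        if len(raw) < 7:
            raise ValueError("DUID-EN truncated")
        return Duid(2, enterprise=int.from_bytes(raw[2:6], "big"), identifier=raw[6:])
    if duid_type == 3:        # type(2) hw-type(2) link-layer(n)
        if len(raw) < 5:
            raise ValueError("DUID-LL truncated")
        return Duid(3, hw_type=int.from_bytes(raw[2:4], "big"), link_layer=_mac(raw[4:]))
    raise ValueError(f"unsupported DUID type {duid_type}")


def decode_domain_list(hexstr: str) -> List[str]:
    """Decode the RFC 8415 section 10 domain-list encoding (uncompressed DNS
    wire-format labels) that Junos shows for domain-search-list."""
    data = bytes.fromhex(hexstr)
    names: List[str] = []
    labels: List[str] = []
    i = 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0:                       # end of one name
            names.append(".".join(labels))
            labels = []
            continue
        if n > 63:                       # 0xC0 pointers are forbidden here; 0x40/0x80 are reserved
            raise ValueError(f"invalid label length {n:#x} at offset {i - 1}")
        if i + n > len(data):
            raise ValueError("label runs past the end of the option data")
        labels.append(data[i:i + n].decode("ascii"))
        i += n
    if labels:
        raise ValueError("unterminated domain name")
    return names


if __name__ == "__main__":
    # Values copied from the sample output on this page.
    d = decode_duid(client_id_to_bytes("/0x00010001/0x02e159c0/0x00109400/0x0001"))
    print(d, d.llt_timestamp())
    print(decode_domain_list("076578616d706c6503636f6d00"))
```

Decoding the DUID is what lets you correlate a binding with the host behind it: a DUID-LLT carries the MAC of the interface the client had when it first generated its identifier, plus a timestamp, so a DUID whose MAC does not match the Hardware Address field, or whose timestamp is in the future, is worth a second look.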


show dhcpv6 server statistics (View)

Supported Platforms SRX Series

Syntax show dhcpv6 server statistics
<logical-system logical-system-name>
<routing-instance routing-instance-name>

Release Information Command introduced in Junos OS Release 10.4.

Description Display DHCPv6 local server statistics.

Options logical-system logical-system-name—(Optional) Display information about extended
DHCPv6 local server statistics on the specified logical system. If you do not specify
a logical system, statistics are displayed for the default logical system.

routing-instance routing-instance-name—(Optional) Display information about DHCPv6
local server statistics on the specified routing instance. If you do not specify a routing
instance, statistics are displayed for the default routing instance.

Required Privilege Level view

Related Documentation • clear dhcpv6 server statistics (Local Server) on page 667

List of Sample Output show dhcpv6 server statistics on page 745

Output Fields Table 27 on page 744 lists the output fields for the show dhcpv6 server statistics command.
Output fields are listed in the approximate order in which they appear.


Table 27: show dhcpv6 server statistics Output Fields


Field Name Field Description

Dhcpv6 Packets dropped Number of packets discarded by the DHCPv6 local server because of errors. Only nonzero statistics
appear in the Packets dropped output. When all of the Packets dropped statistics are 0 (zero), only
the Total field appears.

• Total—Total number of packets discarded by the DHCPv6 local server
• Strict Reconfigure—Number of solicit messages discarded because the client does not support
reconfiguration
• Bad hardware address—Number of packets discarded because an invalid hardware address was
specified
• Bad opcode—Number of packets discarded because an invalid operation code was specified
• Bad options—Number of packets discarded because invalid options were specified
• Invalid server address—Number of packets discarded because an invalid server address was specified
• No available addresses—Number of packets discarded because there were no addresses available
for assignment
• No interface match—Number of packets discarded because they did not belong to a configured
interface
• No routing instance match—Number of packets discarded because they did not belong to a configured
routing instance
• No valid local address—Number of packets discarded because there was no valid local address
• Packet too short—Number of packets discarded because they were too short
• Read error—Number of packets discarded because of a system read error
• Send error—Number of packets that the DHCPv6 local server could not send

Messages received Number of DHCPv6 messages received.

• DHCPV6_CONFIRM—Number of DHCPv6 CONFIRM PDUs received.
• DHCPV6_DECLINE—Number of DHCPv6 DECLINE PDUs received.
• DHCPV6_INFORMATION_REQUEST—Number of DHCPv6 INFORMATION-REQUEST PDUs received.
• DHCPV6_REBIND—Number of DHCPv6 REBIND PDUs received.
• DHCPV6_RELAY_FORW—Number of DHCPv6 RELAY-FORW PDUs received from a relay by the
DHCPv6 server.
• DHCPV6_RELEASE—Number of DHCPv6 RELEASE PDUs received.
• DHCPV6_RENEW—Number of DHCPv6 RENEW PDUs received.
• DHCPV6_REQUEST—Number of DHCPv6 REQUEST PDUs received.
• DHCPV6_SOLICIT—Number of DHCPv6 SOLICIT PDUs received.

Messages sent Number of DHCPv6 messages sent.

• DHCPV6_ADVERTISE—Number of DHCPv6 ADVERTISE PDUs transmitted.
• DHCPV6_REPLY—Number of DHCPv6 REPLY PDUs transmitted.
• DHCPV6_RECONFIGURE—Number of DHCPv6 RECONFIGURE PDUs transmitted.
• DHCPV6_RELAY_REPL—Number of DHCPv6 RELAY-REPL PDUs sent from the DHCPv6 server to a
DHCPv6 relay.


Sample Output

show dhcpv6 server statistics


user@host> show dhcpv6 server statistics
Dhcpv6 Packets dropped:
Total 0

Messages received:
DHCPV6_DECLINE 0
DHCPV6_SOLICIT 9
DHCPV6_INFORMATION_REQUEST 0
DHCPV6_RELEASE 0
DHCPV6_REQUEST 5
DHCPV6_CONFIRM 0
DHCPV6_RENEW 0
DHCPV6_REBIND 0
DHCPV6_RELAY_FORW 0

Messages sent:
DHCPV6_ADVERTISE 9
DHCPV6_REPLY 5
DHCPV6_RECONFIGURE 0
DHCPV6_RELAY_REPL 0
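The statistics tables above, for both show dhcp server statistics and show dhcpv6 server statistics, are where an address pool being drained shows up first, whether by a misbehaving client or a deliberate starvation attack: drops counted under No available addresses, or a run of SOLICIT (or DISCOVER) messages that never receive an ADVERTISE (or OFFER). The Python below is an added example, not Junos code: it parses the text format shown in the samples on this page into a dictionary and flags those two indicators for either protocol version. The healthy snapshot is the page's own DHCPv6 sample; the exhausted snapshot is constructed, and the 50% unanswered-ratio threshold is a tuning assumption.

```python
"""Parse `show dhcp server statistics` / `show dhcpv6 server statistics` output
and flag address-pool exhaustion. Added example, not Junos code."""
import re
from typing import Dict, List

Stats = Dict[str, Dict[str, int]]

# Copied from the `show dhcpv6 server statistics` sample output on this page.
SAMPLE_V6_HEALTHY = """\
Dhcpv6 Packets dropped:
Total 0

Messages received:
DHCPV6_DECLINE 0
DHCPV6_SOLICIT 9
DHCPV6_INFORMATION_REQUEST 0
DHCPV6_RELEASE 0
DHCPV6_REQUEST 5
DHCPV6_CONFIRM 0
DHCPV6_RENEW 0
DHCPV6_REBIND 0
DHCPV6_RELAY_FORW 0

Messages sent:
DHCPV6_ADVERTISE 9
DHCPV6_REPLY 5
DHCPV6_RECONFIGURE 0
DHCPV6_RELAY_REPL 0
"""

# Constructed snapshot (not from the page): a pool that has run dry, so most
# SOLICITs go unanswered and drops accumulate under No available addresses.
SAMPLE_V6_EXHAUSTED = """\
Dhcpv6 Packets dropped:
Total 117
No available addresses 117

Messages received:
DHCPV6_SOLICIT 120
DHCPV6_REQUEST 3

Messages sent:
DHCPV6_ADVERTISE 3
DHCPV6_REPLY 3
"""


def parse_stats(text: str) -> Stats:
    """Return {section: {counter: value}}. A line ending in ':' opens a section;
    every other non-blank line is '<counter name> <integer>'."""
    sections: Stats = {}
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if line.endswith(":"):
            current = line[:-1]
            sections[current] = {}
            continue
        m = re.fullmatch(r"(.+?)\s+(\d+)", line)
        if m is None or current is None:
            raise ValueError(f"line {lineno}: unexpected {line!r}")
        sections[current][m.group(1)] = int(m.group(2))
    return sections


def pool_exhaustion_findings(stats: Stats, unanswered_ratio: float = 0.5) -> List[str]:
    """Findings that suggest the pool is empty or under a starvation attack."""
    findings: List[str] = []
    # The section is 'Packets dropped' for DHCPv4 and 'Dhcpv6 Packets dropped' for DHCPv6.
    dropped = next((v for k, v in stats.items() if k.endswith("Packets dropped")), {})
    n = dropped.get("No available addresses", 0)
    if n:
        findings.append(f"{n} packets dropped with no available addresses")
    rx = stats.get("Messages received", {})
    tx = stats.get("Messages sent", {})
    for req, resp in (("DHCPDISCOVER", "DHCPOFFER"), ("DHCPV6_SOLICIT", "DHCPV6_ADVERTISE")):
        asked = rx.get(req, 0)
        answered = tx.get(resp, 0)
        if asked and (asked - answered) / asked > unanswered_ratio:
            findings.append(f"{asked - answered} of {asked} {req} got no {resp}")
    return findings


if __name__ == "__main__":
    for name, text in (("healthy", SAMPLE_V6_HEALTHY), ("exhausted", SAMPLE_V6_EXHAUSTED)):
        print(name, pool_exhaustion_findings(parse_stats(text)) or ["no findings"])
```

Because the counters are cumulative since the last clear, run this on the difference between two snapshots taken a few minutes apart rather than on a single reading; a server that was starved once last month will otherwise keep tripping the check.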


show firewall (View)

Supported Platforms SRX Series, vSRX

Syntax show firewall
<filter filter-name>
<counter counter-name>
<log>
<prefix-action-stats>
<terse>

Release Information Command introduced before Junos OS Release 10.0.

Description Display statistics about configured firewall filters.

Options none—Display statistics about configured firewall filters.

filter filter-name—Name of a configured filter.

counter counter-name—Name of a filter counter.

log—Display log entries for firewall filters.

prefix-action-stats—Display prefix action statistics for firewall filters.

terse—Display firewall filter names only.

Required Privilege Level view

Related Documentation • firewall on page 162

List of Sample Output show firewall on page 747

Output Fields Table 28 on page 746 lists the output fields for the show firewall command. Output fields
are listed in the approximate order in which they appear.

Table 28: show firewall Output Fields


Field Name Field Description

Filter Name of a filter that has been configured with the filter statement at the [edit firewall] hierarchy level.

When an interface-specific filter is displayed, the name of the filter is followed by the full interface
name and by either -i for an input filter or -o for an output filter.

When dynamic filters are displayed, the name of the filter is followed by the full interface name and
by either -in for an input filter or -out for an output filter. When a logical system–specific filter is
displayed, the name of the filter is prefixed with two underscore (__) characters and the name of the
logical system (for example, __ls1/filter1).


Table 28: show firewall Output Fields (continued)


Field Name Field Description

Counters Display filter counter information:

• Name—Name of a filter counter that has been configured with the counter firewall filter action.
• Bytes—Number of bytes that match the filter term under which the counter action is specified.
• Packets—Number of packets that matched the filter term under which the counter action is specified.

Policers Display policer information:

• Name—Name of the policer.
• Bytes—Number of bytes that match the filter term under which the policer action is specified. This
counts only out-of-specification (out-of-spec) bytes, not all the bytes in all packets policed by
the policer.
• Packets—Number of packets that matched the filter term under which the policer action is specified.
This counts only out-of-specification (out-of-spec) packets, not all packets policed by the policer.

Sample Output

show firewall
user@host> show firewall
Filter: ef_path
Counters:
Name Bytes Packets
def-count 0 0
video-count 0 0
voice-count 0 0

Filter: __default_bpdu_filter__

Filter: deep
Counters:
Name Bytes Packets
deep2 302076 5031

Filter: deep-flood
Counters:
Name Bytes Packets
deep_flood_def 302136 5032
deep1 0 0
Policers:
Name Packets
deep-pol-op-first 0
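Filter counters and policer out-of-spec counts are only meaningful as rates, so operators snapshot show firewall periodically and diff the results. The Python below is an added example, not Junos code: it parses the layout shown above (filters with no counters, Counters blocks with Bytes and Packets columns, Policers blocks with only a Packets column) and reports every counter or policer whose packet count grew by at least a threshold between two snapshots. The first snapshot is the page's own sample; the second snapshot and the threshold are constructed assumptions.

```python
"""Parse `show firewall` output and report fast-growing counters and policers.
Added example, not Junos code."""
from typing import Dict, List, Tuple

# {filter: {"counters": {name: {"bytes": n, "packets": n}},
#           "policers": {name: {"packets": n}}}}
FilterStats = Dict[str, Dict[str, Dict[str, Dict[str, int]]]]

# Copied from the `show firewall` sample output on this page.
SNAPSHOT_BEFORE = """\
Filter: ef_path
Counters:
Name Bytes Packets
def-count 0 0
video-count 0 0
voice-count 0 0

Filter: __default_bpdu_filter__

Filter: deep
Counters:
Name Bytes Packets
deep2 302076 5031

Filter: deep-flood
Counters:
Name Bytes Packets
deep_flood_def 302136 5032
deep1 0 0
Policers:
Name Packets
deep-pol-op-first 0
"""

# Constructed (not from the page): the same device a little later, with the deep1
# term now matching heavily and the policer discarding out-of-spec packets.
SNAPSHOT_AFTER = """\
Filter: ef_path
Counters:
Name Bytes Packets
def-count 0 0
video-count 0 0
voice-count 0 0
Filter: __default_bpdu_filter__
Filter: deep
Counters:
Name Bytes Packets
deep2 302136 5032
Filter: deep-flood
Counters:
Name Bytes Packets
deep_flood_def 302196 5033
deep1 76800 1200
Policers:
Name Packets
deep-pol-op-first 250
"""


def parse_show_firewall(text: str) -> FilterStats:
    filters: FilterStats = {}
    current = section = None
    columns: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Filter:"):
            current = line.split(":", 1)[1].strip()
            filters[current] = {"counters": {}, "policers": {}}
            section = None
            continue
        if current is None:
            raise ValueError(f"line {lineno}: data before any 'Filter:' header")
        if line in ("Counters:", "Policers:"):
            section = line[:-1].lower()
            columns = []
            continue
        parts = line.split()
        if parts[0] == "Name":            # column header; the remaining words are numeric columns
            columns = [c.lower() for c in parts[1:]]
            continue
        if section is None or not columns or len(parts) != len(columns) + 1:
            raise ValueError(f"line {lineno}: unexpected row {line!r}")
        filters[current][section][parts[0]] = dict(zip(columns, map(int, parts[1:])))
    return filters


def hot_counters(before: FilterStats, after: FilterStats,
                 min_packets: int) -> List[Tuple[str, str, str, int]]:
    """(filter, section, name, packet delta), largest first, for every counter or
    policer whose packet count grew by at least min_packets. Policer counts are
    out-of-spec packets only (see the Policers field description above). Counters
    that went backwards (cleared or reset between snapshots) are skipped."""
    hot: List[Tuple[str, str, str, int]] = []
    for fname, sections in after.items():
        for section, rows in sections.items():
            for name, vals in rows.items():
                old = before.get(fname, {}).get(section, {}).get(name, {}).get("packets", 0)
                delta = vals["packets"] - old
                if delta >= 0 and delta >= min_packets:
                    hot.append((fname, section, name, delta))
    return sorted(hot, key=lambda row: -row[3])


if __name__ == "__main__":
    for row in hot_counters(parse_show_firewall(SNAPSHOT_BEFORE),
                            parse_show_firewall(SNAPSHOT_AFTER), 100):
        print("%-12s %-9s %-18s +%d packets" % row)
```

A filter named deep-flood with a policer whose out-of-spec count jumps from 0 to 250 is exactly the kind of change worth alerting on; the same diff over the Bytes column, where present, distinguishes many small packets from a few large ones.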


show security ssh key-pair-identity

Supported Platforms SRX Series, vSRX

Syntax show security ssh key-pair-identity
brief <identity-name>
public <identity-name>

Release Information Command introduced in Junos OS Release 15.1X49-D70.

Description Display the SSH key pair identity information.

Options • brief identity-name—Display the brief information for a specified identity. If an identity
is not specified, the command will list brief information of all identities.

• public identity-name —Display the public key for a specified identity.

Required Privilege Level view

Related Documentation • request security ssh key-pair-identity generate on page 686
• clear security ssh key-pair-identity on page 668

List of Sample Output show security ssh key-pair-identity brief on page 748
show security ssh key-pair-identity brief sample on page 748

Output Fields When you enter this command, you are provided feedback on the status of your request.

Sample Output

show security ssh key-pair-identity brief


user@host> show security ssh key-pair-identity brief
SSH Key Pair Identity Information:
Name Create Time Encrypted
sample Dec 28, 17:40 yes
identity-name Dec 28, 17:26 yes

show security ssh key-pair-identity brief sample


user@host> show security ssh key-pair-identity brief sample
SSH Key Pair Identity Information:
Name Create Time Encrypted
sample Dec 28, 17:34 yes


show security tpm status

Supported Platforms SRX300, SRX320, SRX340, SRX345

Syntax show security tpm status

Release Information Command introduced in Junos OS Release 15.1X49-D80.

Description Display the current status of the Trusted Platform Module (TPM), including:

• TPM enabled/disabled

• TPM ownership

• TPM’s Master Binding Key status (created or not created)

• Master Encryption Password status (set or not set)

Options This command has no options.

Required Privilege Level security

Related Documentation • Using Trusted Platform Module to Bind Secrets on SRX Series Devices on page 14
• request security tpm master-encryption-password set on page 687

List of Sample Output show security tpm status on page 749

Sample Output

show security tpm status


user@host> show security tpm status
TPM Status:
Enabled: yes
Owned: yes
Master Binding Key: not-created
Master Encryption Key: not-configured


show system autorecovery state

Supported Platforms SRX Series

Syntax show system autorecovery state

Release Information Command introduced in Junos OS Release 11.2 for SRX300, SRX320, SRX340, SRX345,
and SRX550M devices.

Description Perform checks and show status of all autorecovered items.

Required Privilege Level view

Related Documentation • request system autorecovery state on page 688

List of Sample Output show system autorecovery state on page 750

Output Fields Table 29 on page 750 lists the output fields for the show system autorecovery state
command. Output fields are listed in the approximate order in which they appear.

Table 29: show system autorecovery state Output Fields


Field Name Field Description

File The name of the file on which autorecovery checks are performed.

Slice The disk partition on which autorecovery checks are performed.

Recovery Information Indicates whether autorecovery information for the file or slice has been saved.

Integrity Check Displays the status of the file's integrity check (passed or failed).

Action / Status Displays the status of the item, or the action required to be taken for that item.

Sample Output

show system autorecovery state


user@host> show system autorecovery state

Configuration:
File Recovery Information Integrity Check Action / Status
rescue.conf.gz Saved Passed None
Licenses:
File Recovery Information Integrity Check Action / Status
JUNOS282736.lic Saved Passed None
JUNOS282737.lic Not Saved Not checked Requires save
BSD Labels:
Slice Recovery Information Integrity Check Action / Status
s1 Saved Passed None
s2 Saved Passed None
s3 Saved Passed None
s4 Saved Passed None


show system download

Supported Platforms LN Series, SRX Series, vSRX

Syntax show system download <download-id>

Release Information Command introduced in Junos OS Release 11.2 for SRX300, SRX320, SRX340, SRX345,
and SRX550M devices.

Description Display a brief summary of all the download instances along with their current state and
extent of progress. If a download-id is provided, the command displays a detailed report
of the particular download instance.

Options • download-id—(Optional) The ID number of the download instance.

Required Privilege Level view

Related Documentation • request system download start on page 695
• Understanding Download Manager for SRX Series Devices

List of Sample Output show system download on page 752
show system download 1 on page 753

Output Fields Table 30 on page 752 lists the output fields for the show system download command.
Output fields are listed in the approximate order in which they appear.

Table 30: show system download Output Fields


Field Name Field Description

ID Displays the download identification number.

Status Displays the state of a particular download.

Start Time Displays the start time of a particular download.

Progress Displays the percentage of a download that has been completed.

URL Displays the URL from which the file was downloaded.

Sample Output

show system download


user@host> show system download

Download Status Information:
ID Status Start Time Progress URL
1 Active May 4 06:28:36 5% ftp://ftp-server//tftpboot/1m_file
2 Active May 4 06:29:07 3% ftp://ftp-server//tftpboot/5m_file
3 Error May 4 06:29:22 Unknown ftp://ftp-server//tftpboot/badfile
4 Completed May 4 06:29:40 100% ftp://ftp-server//tftpboot/smallfile

show system download 1


user@host> show system download 1

Download ID : 1
Status : Active
Progress : 6%
URL : ftp://ftp-server//tftpboot/1m_file
Local Path : /var/tmp/1m_file
Maximum Rate : 1k
Creation Time : May 4 06:28:36
Scheduled Time : May 4 06:28:36
Start Time : May 4 06:28:37
Error Count : 0


show system license (View)

Supported Platforms SRX Series, vSRX

Syntax show system license
<installed | keys | status | usage>

Release Information Command introduced in Junos OS Release 9.5. Logical system status option added in
Junos OS Release 11.2.

Description Display licenses and information about how licenses are used.

Options none—Display all license information.

installed—(Optional) Display installed licenses only.

keys—(Optional) Display a list of license keys. Use this information to verify that each
expected license key is present.

status—(Optional) Display license status for a specified logical system or for all logical
systems.

usage—(Optional) Display the state of licensed features.

Required Privilege Level view

Related Documentation • Adding New Licenses (CLI Procedure)

List of Sample Output show system license on page 755
show system license installed on page 755
show system license keys on page 756
show system license usage on page 756
show system license status logical-system all on page 756

Output Fields Table 31 on page 754 lists the output fields for the show system license command. Output
fields are listed in the approximate order in which they appear.

Table 31: show system license Output Fields


Field Name Field Description

Feature name Name assigned to the configured feature. You use this information to verify that all the features for
which you installed licenses are present.

Licenses used Number of licenses used by the device. You use this information to verify that the number of licenses
used matches the number configured. If a licensed feature is configured, the feature is considered
used.


Table 31: show system license Output Fields (continued)


Field Name Field Description

Licenses installed Information about the installed license key:

• License identifier—Identifier associated with a license key.


• License version—Version of a license. The version indicates how the license is validated, the type
of signature, and the signer of the license key.
• Valid for device—Device that can use a license key.
• Features—Feature associated with a license.

Licenses needed Number of licenses required for features being used but not yet properly licensed.

Expiry Time remaining in the grace period before a license is required for a feature being used.

Logical system license Displays whether a license is enabled for a logical system.
status

Sample Output

show system license


user@host> show system license

License usage:
Licenses Licenses Licenses Expiry
Feature name used installed needed
av_key_kaspersky_engine 1 1 0 2012-03-30 01:00:00 IST
wf_key_surfcontrol_cpa 0 1 0 2012-03-30 01:00:00 IST
dynamic-vpn 0 1 0 permanent
ax411-wlan-ap 0 2 0 permanent

Licenses installed:
License identifier: JUNOS301998
License version: 2
Valid for device: AG4909AA0080
Features:
av_key_kaspersky_engine - Kaspersky AV
date-based, 2011-03-30 01:00:00 IST - 2012-03-30 01:00:00 IST

License identifier: JUNOS302000
License version: 2
Valid for device: AG4909AA0080
Features:
wf_key_surfcontrol_cpa - Web Filtering
date-based, 2011-03-30 01:00:00 IST - 2012-03-30 01:00:00 IST

show system license installed


user@host> show system license installed

License identifier: JUNOS301998
License version: 2
Valid for device: AG4909AA0080
Features:
av_key_kaspersky_engine - Kaspersky AV
date-based, 2011-03-30 01:00:00 IST - 2012-03-30 01:00:00 IST

License identifier: JUNOS302000
License version: 2
Valid for device: AG4909AA0080
Features:
wf_key_surfcontrol_cpa - Web Filtering
date-based, 2011-03-30 01:00:00 IST - 2012-03-30 01:00:00 IST

show system license keys


user@host> show system license keys
XXXXXXXXXX xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx xxxxxx
xxxxxx xxxxxx xxx

show system license usage


user@host> show system license usage
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  av_key_kaspersky_engine               1            1           0    2012-03-30 01:00:00 IST
  wf_key_surfcontrol_cpa                0            1           0    2012-03-30 01:00:00 IST
  dynamic-vpn                           0            1           0    permanent
  ax411-wlan-ap                         0            2           0    permanent

show system license status logical-system all


user@host> show system license status logical-system all
Logical system license status:
  logical system name          license status
  root-logical-system          enabled
  LSYS0                        enabled
  LSYS1                        enabled
  LSYS2                        enabled

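As an added example (not from this guide or from Juniper), the Python below parses the table printed by show system license usage and flags features that are in use without a license (Licenses needed greater than 0, that is, running on the grace period) and date-based licenses that are expired or about to expire. The sample text is constructed from the output shown above with the wrapped Expiry column rejoined; the IST zone label is dropped, so timestamps are compared as naive device-local times.

```python
import re
from datetime import datetime, timedelta

# Constructed to match the page's 'show system license usage' sample,
# with the wrapped Expiry column re-joined onto each row.
SAMPLE = """\
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  av_key_kaspersky_engine               1            1           0    2012-03-30 01:00:00 IST
  wf_key_surfcontrol_cpa                0            1           0    2012-03-30 01:00:00 IST
  dynamic-vpn                           0            1           0    permanent
  ax411-wlan-ap                         0            2           0    permanent
"""
ROW = re.compile(r"^\s*(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
DATE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

def parse_ts(s):
    """'2012-03-30 01:00:00 IST' -> naive datetime (zone label dropped);
    None for 'permanent' or anything without a timestamp."""
    m = DATE.search(s)
    return datetime.strptime(m.group(0), "%Y-%m-%d %H:%M:%S") if m else None

def parse_usage(text):
    """Return {feature: {used, installed, needed, expiry}} from the table;
    header lines have no numeric columns and are skipped by ROW."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            name, used, installed, needed, expiry = m.groups()
            rows[name] = {"used": int(used), "installed": int(installed),
                          "needed": int(needed), "expiry": parse_ts(expiry)}
    return rows

def license_findings(rows, now, warn_days=30):
    """Flag features in use without a license ('Licenses needed' > 0, i.e.
    running on the grace period) and date-based licenses already expired or
    expiring within warn_days. Returns (feature, status) pairs, sorted."""
    findings = []
    for name, r in sorted(rows.items()):
        if r["needed"] > 0:
            findings.append((name, "unlicensed-use"))
        if r["expiry"] is not None:
            if r["expiry"] <= now:
                findings.append((name, "expired"))
            elif r["expiry"] - now <= timedelta(days=warn_days):
                findings.append((name, "expiring"))
    return findings
```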

show system login lockout

Supported Platforms EX Series, M Series, MX Series, PTX Series, SRX Series, T Series

Syntax show system login lockout

Release Information Command introduced in Junos OS Release 11.2.

Description Display the usernames locked after unsuccessful login attempts.

Required Privilege Level view and system

Related Documentation • lockout-period on page 604
• clear system login lockout on page 669

List of Sample Output show system login lockout on page 757

Output Fields Table 32 on page 757 lists the output fields for the show system login lockout command.
Output fields are listed in the approximate order in which they appear.

Table 32: show system login lockout

Field Name Field Description Level of Output

User Username All levels

Lockout start Date and time the username was locked All levels

Lockout end Date and time the username was unlocked All levels

Sample Output

show system login lockout


user@host> show system login lockout
User                 Lockout start              Lockout end
root                 2011-05-11 09:11:15 UTC    2011-05-11 09:13:15 UTC


show system services dhcp client

Supported Platforms EX Series, LN Series, SRX Series

Syntax show system services dhcp client
<interface-name>
<statistics>

Release Information Command introduced in Junos OS Release 8.5.
Command introduced in Junos OS Release 9.0 for EX Series switches.

Description Display information about DHCP clients.

Options • none—Display DHCP information for all interfaces.

• interface-name—(Optional) Display DHCP information for the specified interface.

• statistics—(Optional) Display DHCP client statistics.

Required Privilege Level view and system

Related Documentation • dhcp (Interfaces)
• request system services dhcp on page 700
• Administration Guide for Security Devices

List of Sample Output show system services dhcp client on page 759
show system services dhcp client ge-0/0/34.0 on page 760
show system services dhcp client statistics on page 760

Output Fields Table 33 on page 758 lists the output fields for the show system services dhcp client
command. Output fields are listed in the approximate order in which they appear.

Table 33: show system services dhcp client Output Fields

Field Name Field Description

Logical Interface Name Name of the logical interface.

Client Status State of the client binding.

Vendor Identifier Vendor ID.

Server Address IP address of the DHCP server.

Address obtained IP address obtained from the DHCP server.


Table 33: show system services dhcp client Output Fields (continued)
Field Name Field Description

Lease Obtained at Date and time the lease was obtained.

Lease Expires in (EX Series switches only) Time the current lease expires in (seconds).

Lease Expires at Date and time the lease expires.

DHCP Options • Name: server-identifier, Value: IP address of the name server.
• Name: device, Value: IP address of the name device.
• Name: domain-name, Value: Name of the domain.

Packets dropped Total packets dropped.

Messages received Number of the following DHCP messages received:
• DHCPOFFER—First packet received on a logical interface when DHCP is enabled.
• DHCPACK—When received from the server, the client sends an ARP request for that address, adds an ARP-response timer of 4 seconds, and stops the earlier timer added for DHCPACK.
• DHCPNAK—When a DHCPNAK is received instead of a DHCPACK, the logical interface sends a DHCPDISCOVER packet.

Messages sent Number of the following DHCP messages sent:
• DHCPDECLINE—Packet sent when an ARP response is received and there is a conflict. The logical interface sends a new DHCPDISCOVER packet.
• DHCPDISCOVER—Packet sent on the interface for which the DHCP client is enabled.
• DHCPREQUEST—Packet sent to the DHCP server after accepting the DHCPOFFER. After sending the DHCPREQUEST, the device adds a retransmission-interval timer.
• DHCPINFORM—Packet sent to the DHCP server for local configuration parameters.
• DHCPRELEASE—Packet sent to the DHCP server to relinquish the network address and cancel the remaining lease.
• DHCPRENEW—Packet sent to the DHCP server to renew the address. The next message to be sent will be a DHCPREQUEST message, which will be unicast directly to the server.
• DHCPREBIND—Packet sent to any server to renew the address. The next message to be sent will be a DHCPREQUEST message, which will be broadcast.

Sample Output

show system services dhcp client


user@host> show system services dhcp client
Logical Interface name ge-0/0/34.0
Hardware address 00:1f:12:38:5f:e5
Client status bound
Address obtained 10.0.0.2
Update server disabled
Lease obtained at 2013-12-23 08:11:40 UTC
Lease expires in 93
Lease expires at 2013-12-23 08:13:20 UTC

DHCP options:
Name: server-identifier, Value: 10.0.0.1
Code: 1, Type: ip-address, Value: 255.255.255.0

Sample Output

show system services dhcp client ge-0/0/34.0


user@host> show system services dhcp client ge-0/0/34.0
Logical Interface name ge-0/0/34.0
Hardware address 00:1f:12:38:5f:e5
Client status bound
Address obtained 10.0.0.2
Update server disabled
Lease obtained at 2013-12-23 08:11:40 UTC
Lease expires in 87
Lease expires at 2013-12-23 08:13:20 UTC

DHCP options:
Name: server-identifier, Value: 10.0.0.1
Code: 1, Type: ip-address, Value: 255.255.255.0

Sample Output

show system services dhcp client statistics


user@host> show system services dhcp client statistics
Packets dropped:
Total 0
Messages received:
DHCPOFFER 0
DHCPACK 8
DHCPNAK 0
Messages sent:
DHCPDECLINE 0
DHCPDISCOVER 0
DHCPREQUEST 1
DHCPINFORM 0
DHCPRELEASE 0
DHCPRENEW 7
DHCPREBIND 0


show system services dhcp relay-statistics

Supported Platforms SRX Series, vSRX

Syntax show system services dhcp relay-statistics

Release Information Command introduced in Junos OS Release 8.5.

Description Display information about the DHCP relay.

Required Privilege Level view and system

Related Documentation • dhcp

List of Sample Output show system services dhcp relay-statistics on page 762

Output Fields Table 34 on page 761 lists the output fields for the show system services dhcp
relay-statistics command. Output fields are listed in the approximate order in which they
appear.

Table 34: show system services dhcp relay-statistics Output Fields

Field Name Field Description

Received packets Total DHCP packets received.

Forwarded packets Total DHCP packets forwarded.

Dropped packets Total DHCP packets dropped for the following reasons:
• Due to a missing interface in the relay database—Number of packets discarded because they did not belong to a configured interface.
• Due to a missing matching routing instance—Number of packets discarded because they did not belong to a configured routing instance.
• Due to an error during packet read—Number of packets discarded because of a system read error.
• Due to an error during packet send—Number of packets that the DHCP relay application could not send.
• Due to an invalid server address—Number of packets discarded because an invalid server address was specified.
• Due to a missing valid local address—Number of packets discarded because there was no valid local address.
• Due to a missing route to the server or client—Number of packets discarded because there were no addresses available for assignment.


Sample Output

show system services dhcp relay-statistics


user@host> show system services dhcp relay-statistics
Received packets: 4
Forwarded packets: 4
Dropped packets: 4
Due to missing interface in relay database: 4
Due to missing matching routing instance: 0
Due to an error during packet read: 0
Due to an error during packet send: 0
Due to invalid server address: 0
Due to missing valid local address: 0
Due to missing route to server/client: 0

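The message semantics in the DHCP client field table (Table 33) and the drop reasons in Table 34 each imply a few health checks an operator would want automated. As an added example (not Juniper code), the Python below parses both counter blocks, using inputs constructed from the abridged sample output on this page, and derives those checks.

```python
import re

# Constructed inputs shaped like this page's sample output (abridged).
CLIENT_STATS = """\
Packets dropped:
    Total 0
Messages received:
    DHCPOFFER 0
    DHCPACK 8
    DHCPNAK 0
Messages sent:
    DHCPDECLINE 0
    DHCPDISCOVER 0
    DHCPREQUEST 1
    DHCPRENEW 7
    DHCPREBIND 0
"""
RELAY_STATS = """\
Received packets: 4
Forwarded packets: 4
Dropped packets: 4
    Due to missing interface in relay database: 4
    Due to missing matching routing instance: 0
    Due to invalid server address: 0
    Due to missing route to server/client: 0
"""
# 'name value' or 'name: value'; section headers with no value never match
COUNTER = re.compile(r"^\s*(.+?):?\s+(\d+)\s*$")
def parse_counters(text):
    """Flatten an indented Junos counter block into {name: int}."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters

def client_findings(c):
    """Conditions implied by the message semantics in the field table above."""
    notes = {
        "DHCPDECLINE": "address conflict: an ARP reply arrived for the offered address",
        "DHCPNAK": "server rejected the client; it restarted with DHCPDISCOVER",
        "DHCPREBIND": "unicast renewal failed; client broadcast to any server",
        "Total": "client dropped packets",
    }
    return [msg for key, msg in notes.items() if c.get(key, 0) > 0]
def relay_findings(c):
    """Non-zero drop reasons; each points at a relay configuration gap."""
    return [(k, v) for k, v in c.items() if k.startswith("Due to") and v > 0]
```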

show system snapshot media

Supported Platforms SRX Series, vSRX

Syntax show system snapshot media media-type

Release Information Command introduced in Junos OS Release 10.2.

Description Display the snapshot information for both root partitions on SRX Series devices.

Options • internal—Show snapshot information from internal media.
• usb—Show snapshot information from the device connected to the USB port.
• external—Show snapshot information from the external CompactFlash card.

Required Privilege Level view

Related Documentation • Example: Creating a Snapshot and Using It to Boot an SRX Series Device

List of Sample Output show system snapshot media internal on page 763
show system snapshot media usb on page 763

Sample Output

show system snapshot media internal

show system snapshot media internal
Information for snapshot on internal (/dev/da0s1a) (primary)
Creation date: Jan 15 10:43:26 2010
JUNOS version on snapshot:
junos : 10.1B3-domestic
Information for snapshot on internal (/dev/da0s2a) (backup)
Creation date: Jan 15 10:15:32 2010
JUNOS version on snapshot:
junos : 10.2-20100112.0-domestic

show system snapshot media usb

show system snapshot media usb
Information for snapshot on usb (/dev/da1s1a) (primary)
Creation date: Jul 24 16:16:01 2009
JUNOS version on snapshot:
junos : 10.0I20090723_1017-domestic
Information for snapshot on usb (/dev/da1s2a) (backup)
Creation date: Jul 24 16:17:13 2009
JUNOS version on snapshot:
junos : 10.0I20090724_0719-domestic


show system storage partitions (View SRX Series)

Supported Platforms SRX Series, vSRX

Syntax show system storage partitions

Release Information Command introduced in Junos OS Release 10.2.

Description Display the partitioning scheme details on SRX300, SRX320, SRX340, SRX345, and
SRX550HM devices.

Required Privilege Level view

Related Documentation • Example: Installing Junos OS on SRX Series Devices Using the Partition Option

List of Sample Output show system storage partitions (single root partitioning) on page 764
show system storage partitions (USB) on page 764

Sample Output

show system storage partitions (dual root partitioning)

show system storage partitions
Boot Media: internal (da0)
Active Partition: da0s2a
Backup Partition: da0s1a
Currently booted from: active (da0s2a)

Partitions Information:
Partition Size Mountpoint
s1a 293M altroot
s2a 293M /
s3e 24M /config
s3f 342M /var
s4a 30M recovery

show system storage partitions (single root partitioning)

show system storage partitions
Boot Media: internal (da0)
Partitions Information:
Partition Size Mountpoint
s1a 898M /
s1e 24M /config
s1f 61M /var

show system storage partitions (USB)

show system storage partitions
Boot Media: usb (da1)
Active Partition: da1s1a
Backup Partition: da1s2a
Currently booted from: active (da1s1a)


Partitions Information:
Partition Size Mountpoint
s1a 293M /
s2a 293M altroot
s3e 24M /config
s3f 342M /var
s4a 30M recovery
