Archive for the ‘Juniper ScreenOS’ Category

It may be necessary to fail over a high availability firewall pair for troubleshooting or maintenance purposes. To do this on a Juniper SSG, log in to the master firewall through SSH and issue the following command:
exec nsrp vsd-group 0 mode backup

To confirm this was successful, check the logs on the new master firewall. There should be an entry that looks similar to this:
Peer device 5303936 in the Virtual Security Device group 0 changed state from primary backup to master.
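Assuming that log message text is stable, the following is an added shell example (not from the original post) that pulls every NSRP state change out of a log feed and flags any promotion to master, so an unplanned failover is noticed for review rather than found by reading the log by eye. The timestamps, the non-matching line and the second device id 5303937 are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: parse the ScreenOS NSRP
# "changed state" message quoted above and report each transition.
# Device id 5303937, the timestamps and the filler line are constructed.

# Print "device=... group=... from=... to=..." for every NSRP state-change line on stdin.
nsrp_transitions() {
    sed -n 's/.*Peer device \([0-9][0-9]*\) in the Virtual Security Device group \([0-9][0-9]*\) changed state from \(.*\) to \(.*\)\.$/device=\1 group=\2 from="\3" to="\4"/p'
}

# Count how many transitions ended with a peer becoming master (one per failover).
# grep -c exits 1 when the count is 0, so the count is still printed and we return 0.
count_new_masters() {
    nsrp_transitions | grep -c 'to="master"$' || true
}

# Constructed sample in the style of "get log event" output (not a real capture).
SAMPLE_LOG='2024-01-10 03:12:05 Peer device 5303936 in the Virtual Security Device group 0 changed state from primary backup to master.
2024-01-10 03:12:05 System configuration saved by admin.
2024-01-10 03:12:06 Peer device 5303937 in the Virtual Security Device group 0 changed state from master to primary backup.'

# Stand-alone run: list the transitions, then alert if any peer was promoted to master.
printf '%s\n' "$SAMPLE_LOG" | nsrp_transitions
n=$(printf '%s\n' "$SAMPLE_LOG" | count_new_masters)
if [ "$n" -gt 0 ]; then
    echo "ALERT: $n NSRP failover(s) to master seen; confirm this was planned."
fi
```

Feed the script real output (for example a syslog file that the firewalls forward to) in place of SAMPLE_LOG to use it outside the demo.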

It may be necessary to adjust the ARP cache timeout in your Juniper firewall, otherwise known as the ARP age. Log in through SSH and search the config to see if an ARP age is already set:

get config | inc arp

If nothing is returned, then the ARP age is set to the default of 20 minutes. To set this timeout value, use the “set arp age” command followed by the number of seconds. For example, the following command will set the ARP cache timeout to 60 seconds:

set arp age 60

Make sure to save this change using the “save” command, or else it will be reverted the next time the firewall is rebooted:

save