If you have a Juniper device that needs to be sent to RMA or you are just putting it to some other use on your network, you will probably want to completely clear the configuration on it.
There are different ways to do it for different purposes.
If you want to securely wipe all data from the device and return it to the state it was in when you received it from the store, the following command is the right one to use:
root@RSRX> request system zeroize
This one will completely wipe your Juniper device and clear configuration together with all data from flash.
If you want to just load a clean config but you want to keep previous log files, configurations and other stuff written on device flash, you should run this one:
root@host# load factory-default
It will just load a clean config file without any user configuration in it, and you are ready to create a new configuration on your device.
Example of what the “request system zeroize” process looks like on a Juniper SRX300:
root@RSRX> request system zeroize
warning: System will be rebooted and may not boot without configuration
Erase all data, including configuration and log files? [yes,no] (no) yes
warning: zeroizing re0
Apr 13 07:25:37 init: network-security (PID 1778) terminate signal 15 sent
Apr 13 07:25:37 init: ftp-inet-process (PID 1779) terminate signal 15 sent
Apr 13 07:25:37 init: pki-service (PID 1780) terminate signal 15 sent
Apr 13 07:25:37 init: web-management (PID 1781) terminate signal 15 sent
Apr 13 07:25:37 init: application-identification (PID 1783) terminate signal 15 sent
Apr 13 07:25:37 init: application-security (PID 1784) terminate signal 15 sent
Apr 13 07:25:37 init: idp-policy (PID 1785) terminate signal 15 sent
Apr 13 07:25:37 init: security-intelligence (PID 1786) terminate signal 15 sent
Apr 13 07:25:37 init: advanced-anti-malware (PID 1787) terminate signal 15 sent
Apr 13 07:25:37 init: network-security-trace (PID 1788) terminate signal 15 sent
Apr 13 07:25:37 init: security-log (PID 1789) terminate signal 15 sent
Apr 13 07:25:37 init: utmd (PID 1790) terminate signal 15 sent
Apr 13 07:25:37 init: system-health-management (PID 1792) terminate signal 15 sent
Apr 13 07:25:37 init: simple-mail-client-service (PID 1793) terminate signal 15 sent
Apr 13 07:25:37 init: jnx-wmicd-service (PID 1794) terminate signal 15 sent
Apr 13 07:25:37 init: webapi-service (PID 1795) terminate signal 15 sent
Apr 13 07:25:37 init: license-service (PID 1796) terminate signal 15 sent
Apr 13 07:25:37 init: service-deployment (PID 1797) terminate signal 15 sent
Apr 13 07:25:41 init: jnx-wmicd-service (PID 1794) exited with status=0 Normal Exit
Apr 13 07:25:41 init: bslockd (PID 1738) exited with status=0 Normal Exit
Apr 13 07:25:41 init: watchdog (PID 1737) exited with status=0 Normal Exit
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAWaiting (max 60 seconds) for system process `vnlru' to stop...done
Waiting (max 60 seconds) for system process `vnlru_mem' to stop...done
Waiting (max 60 seconds) for system process `bufdaemon' to stop...done
Waiting (max 60 seconds) for system process `syncer' to stop...
Syncing disks, vnodes remaining...0 0 0 0 done
syncing disks... All buffers synced.
Uptime: 20m55s
Rebooting...
cpu_reset: Stopping other CPUs
SPI stage 1 bootloader (Build time: May 3 2016 - 23:48:30)
early_board_init: Board type: SRX_300
U-Boot 2013.07-JNPR-3.1 (Build time: May 03 2016 - 23:48:31)
SRX_300 board revision major:1, minor:6, serial #: CV2016AF0767
OCTEON CN7020-AAP pass 1.2, Core clock: 1200 MHz, IO clock: 600 MHz, DDR clock: 667 MHz (1334 Mhz DDR)
Base DRAM address used by u-boot: 0x10fc00000, size: 0x400000
DRAM: 4 GiB
Clearing DRAM...... done
Using default environment
SF: Detected MX25L6405D with page size 256 Bytes, erase size 64 KiB, total 8 MiB
Found valid SPI bootloader at offset: 0x90000, size: 1481840 bytes
U-Boot 2013.07-JNPR-3.1 (Build time: May 03 2016 - 23:50:19)
Using DRAM size from environment: 4096 MBytes
checkboard siege
SATA0: not available
SATA1: not available
SATA BIST STATUS = 0x0
SRX_300 board revision major:1, minor:6, serial #: CV2016AF0767
OCTEON CN7020-AAP pass 1.2, Core clock: 1200 MHz, IO clock: 600 MHz, DDR clock: 667 MHz (1334 Mhz DDR)
Base DRAM address used by u-boot: 0x10f000000, size: 0x1000000
DRAM: 4 GiB
Does “request system zeroize” delete the license on the device?
“This one will completely wipe your Juniper device and clear configuration together with all data from flash.”
Not if you’re wiping it for the sake of security. This statement is demonstrably false, and the Juniper documentation does not make any such claim. Juniper says that the “request system zeroize” command merely deletes “by unlinking the files from their directories.” All the log files and configuration files are still there, accessible through the raw eUSB device. (It’s easy to do if you boot from an external USB drive, and it’s easy to grep for logs and gzip file headers.)
Instead, Juniper has provided the “media” option for this purpose. “media—(Optional) In addition to removing all configuration and log files, the media option causes memory and the media to be scrubbed, removing all traces of any user-created files. Every storage device attached to the system is scrubbed, including disks, flash drives, removable USBs, and the like. The duration of the scrubbing process is dependent on the size of the media being erased. As a result, the request system zeroize media operation can take considerably more time than the request system zeroize operation. However, the critical security parameters are all removed at the beginning of the process.” Someone would have to desolder and read out the flash chip to get chunks of your log files from mapped out sectors.
Bottom line: if you’re selling or scrapping your router, use:
request system zeroize media
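
A check to run before a device leaves your custody, added here as an example (not code from the post, the comments or Juniper): it scans a raw storage image for the residue the comment above describes, namely gzip streams that still inflate and syslog-style lines. The image contents, the 512-byte sector layout and all function names are constructed for the example; how the image is taken from the device is assumed and not shown.

```python
import gzip
import re
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip ID1, ID2, CM=deflate
# Syslog-style line, e.g. "Apr 13 07:25:37 init: ..." as in the console output
SYSLOG_RE = re.compile(rb"[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d [\w.-]+: [ -~]{4,}")
SECTOR = 512  # assumed sector size for the constructed image


def find_gzip_members(data: bytes, probe: int = 4096) -> list:
    """Offsets where a gzip header is followed by data that really inflates."""
    hits, pos = [], data.find(GZIP_MAGIC)
    while pos != -1:
        try:
            if zlib.decompressobj(wbits=31).decompress(data[pos:pos + probe]):
                hits.append(pos)
        except zlib.error:
            pass  # magic bytes by chance, not a real stream
        pos = data.find(GZIP_MAGIC, pos + 1)
    return hits


def scan_image(data: bytes) -> dict:
    """Report residue that survives a delete-by-unlink."""
    lines = [m.group().decode("ascii") for m in SYSLOG_RE.finditer(data)]
    return {"gzip_offsets": find_gzip_members(data), "log_lines": lines}


def looks_scrubbed(report: dict) -> bool:
    return not report["gzip_offsets"] and not report["log_lines"]


def build_image(residue: bool) -> bytes:
    """Constructed 4 KiB test image: zero-filled, optionally with leftovers."""
    img = bytearray(SECTOR * 8)
    if residue:
        log = b"Apr 13 07:25:37 init: web-management (PID 1781) terminate signal 15 sent\n"
        blob = gzip.compress(b"set system host-name EXAMPLE\n", mtime=0)
        img[SECTOR:SECTOR + len(log)] = log
        img[SECTOR * 4:SECTOR * 4 + len(blob)] = blob
        img[SECTOR * 6:SECTOR * 6 + 3] = GZIP_MAGIC  # stray magic, no stream
    return bytes(img)


if __name__ == "__main__":
    for name, img in (("unlinked only", build_image(True)), ("scrubbed", build_image(False))):
        rep = scan_image(img)
        print(name, "->", "clean" if looks_scrubbed(rep) else f"residue: {rep}")
```

A clean result only covers what is readable through the block device; as the comment notes, sectors the flash controller has mapped out are not visible this way.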