Juniper Firewall Routine Maintenance



Juniper Firewall Routine Maintenance Manual

(v 20131112)

Author: Su Yi (苏毅)
Reviewer:
Category: Guidance manual
Subcategory: Other
Keywords: Juniper, NetScreen, firewall, routine maintenance, ScreenOS, JunOS, NS, ISG, SSG, SRX
Updated: 2013-11-12

Abstract: This manual guides on-site engineers through routine operations on Juniper firewalls; engineers can select the commands they need from the document according to their daily tasks. It covers the operations required for routine work and inspection rounds, and each engineer may define the scope of the daily inspection according to the characteristics of their own site.

Juniper firewall operations and maintenance, applicable environment:
Juniper ScreenOS firewalls, product lines: NS series, ISG series, SSG series
Juniper JunOS firewalls, product line: SRX series (SRX Branch covers SRX650 and below; SRX High-end covers SRX1K, SRX3K and SRX5K)

《Juniper Firewall Routine Maintenance Manual-v20131112》 Page 1 of 59

Version history

Version: V20131112

Prepared/revised by: Su Yi (苏毅)

Date prepared/revised: 2013-11-12

Changes/reason: Initial version

Table of Contents

Version history ... 2
Table of Contents ... 3
1. Routine operations ... 5
1.1 View hardware information ... 5
1.2 View OS information ... 6
1.3 View CPU/SPU utilization ... 7
1.3.1 View CPU/SPU utilization ... 7
1.3.2 View per-second CPU utilization ... 9
1.4 View memory utilization ... 12
1.5 SRX RE CPU/memory utilization (JunOS only) ... 14
1.6 View session information ... 16
1.6.1 View total session count ... 16
1.6.2 View new sessions per second ... 18
1.6.3 View all firewall session entries ... 20
1.6.4 View sessions by filter condition ... 21
1.6.5 View session details ... 23
1.6.6 Save all firewall session entries ... 25
1.7 View alarm log ... 26
1.8 View event log: ScreenOS ... 27
1.8.1 View all event logs (ScreenOS only) ... 27
1.8.2 View event log filtered by severity (ScreenOS only) ... 27
1.8.3 View event log filtered by time (ScreenOS only) ... 28
1.9 View event log: JunOS ... 29
1.10 View policy traffic log ... 30
1.11 View/back up configuration ... 32
1.12 View interface status ... 34
1.12.1 View status of all interfaces ... 34
1.12.2 View details of a single interface ... 36
1.13 View ARP table ... 38
1.14 View routes ... 39
1.14.1 View all routes ... 39
1.14.2 View the route to a specific destination ... 40
1.15 View policies ... 41
1.15.1 View all policies ... 41
1.15.2 View details of a single policy ... 42
1.16 View firewall primary/backup status ... 43
1.17 View cluster interface status (JunOS only) ... 44
1.18 View configuration sync status (ScreenOS only) ... 45
1.19 Common troubleshooting commands ... 46
1.19.1 ping ... 46
1.19.2 telnet ... 48
1.19.3 trace route ... 49


1.19.4 Collect support information ... 50
1.20 View information by filter condition ... 52
2. Emergency operations ... 53
2.1 Clear the ARP entry for a specified IP ... 53
2.2 Clear session entries for a specified source/destination IP ... 53
2.3 Disable and enable ports ... 54
2.3.1 Disable a port ... 54
2.3.2 Enable a port ... 54
2.4 Firewall primary/backup switchover ... 55
2.5 Synchronize sessions (ScreenOS only) ... 56
2.6 Reboot the device ... 56
3. Routine maintenance schedule ... 57
3.1 Daily inspection recommendations ... 57
3.2 Weekly inspection recommendations ... 58
3.3 Monthly inspection recommendations ... 58
3.4 Ad hoc maintenance recommendations ... 59


1. Routine operations

1.1 View hardware information

(1) ScreenOS

CLI command: get chassis

Example:

JP1000A-> get chassis
Chassis Environment:
Power Supply: Good
Fan Status: Good
CPU Temperature: 98'F ( 37'C)
Slot Information:
Slot Type S/N Assembly-No Version Temperature
0 System Board 0993072011000999 0066-004 F01 86'F (30'C), 87'F (31'C)
4 Management 0099082011000999 0049-004 D19 98'F (37'C)
5 ASIC Board 002079351g110017 0065-002 B00 Marin FPGA version 9, Jupiter ASIC version 1, Fresno FPGA version 110
I/O Board
Slot Type S/N Version FPGA version
2 4 port miniGBIC (0x3) 0994092011000999 B02 26
1 4 port 10/100/1000T 38
Alarm Control Information:
Power failure audible alarm: disabled
Fan failure audible alarm: disabled
Low battery audible alarm: disabled
Temperature audible alarm: disabled
Normal alarm temperature is 132'F (56'C)
Severe alarm temperature is 150'F (66'C)


(2) JunOS

CLI (operational mode) command: show chassis hardware

Example:

syro@JP650A> show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis AJ4309AA0999 SRX650
Midplane REV 08 710-023875 AAAS7310
System IO REV 08 710-023209 AAAS9446 SRXSME System IO
Routing Engine REV 14 750-023223 AAAW4729 RE-SRXSME-SRE6
FPC 0 FPC
PIC 0 4x GE Base PIC
FPC 2 REV 07 750-026182 AAAS7999 FPC
PIC 0 16x GE gPIM
Power Supply 0 Rev 03 740-024283 TH01999 PS 645W AC
Power Supply 1 Rev 03 740-024283 TH01099 PS 645W AC

1.2 View OS information

(1) ScreenOS

CLI command: get system

Example:

JP1000A-> get system
Product Name: NetScreen-ISG1000
Serial Number: 0993072011000999, Control Number: 00000000
Hardware Version: 3010(0)-(04), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 6.1.0r7-cu12.0, Type: Firewall+VPN
OS Loader Version: 1.0.2
Compiled by build_master at: Wed Apr 28 23:08:24 PDT 2010
Base Mac: 0026.889b.fa80
File Name: default (screenos_image), Checksum: de317771 , Total Memory: 1024MB
Date 01/01/2013 11:50:43, Daylight Saving Time disabled
The Network Time Protocol is Enabled
Up 3286 hours 23 minutes 35 seconds Since 17Aug2012:13:27:08
Total Device Resets: 0


(2) JunOS

CLI (operational mode) command: show system software

Example:

syro@JP650A> show system software
Information for junos:
Comment:
JUNOS Software Release [10.4R10.7]

1.3 View CPU/SPU utilization

1.3.1 View CPU/SPU utilization

(1) ScreenOS: CPU

CLI command: get performance cpu

Example:

JP1000A-> get performance cpu
Average System Utilization: 1%
Last 1 minute: 2%, Last 5 minutes: 2%, Last 15 minutes: 2%

(2) JunOS: SPU

SPU utilization reaching 60% warrants attention; the network or the device may be abnormal.

In CLI operational mode, the command to view SPU utilization on an SRX Branch firewall is: show security monitoring fpc 0

Example:

syro@JP650A> show security monitoring fpc 0
FPC 0
  PIC 0
    CPU utilization : 0 %
    Memory utilization : 67 %
    Current flow session : 16
    Max flow session : 524288


SRX High-end firewalls have a distributed architecture, so the command to use depends on the slot in which each SPC card is installed. For example, an SRX3600 fitted with 2 SPCs, one in slot 7 and one in slot 8, needs the SPU utilization of each checked separately. Also, when two SRX3600s are paired with virtual chassis (chassis cluster) technology, node0 is the primary firewall and node1 the backup.

In CLI operational mode, the SPU commands for an SRX3600 are: show security monitoring fpc 7 and show security monitoring fpc 8

Example:

syro@JP3600A > show security monitoring fpc 7
node0:
--------------------------------------------------------------------------
FPC 7
  PIC 0
    CPU utilization : 2 %
    Memory utilization : 64 %
    Current flow session : 5265
    Max flow session : 524288
    Current CP session : 16401
    Max CP session : 2359296

node1:
--------------------------------------------------------------------------
FPC 7
  PIC 0
    CPU utilization : 0 %
    Memory utilization : 64 %
    Current flow session : 5582
    Max flow session : 524288
    Current CP session : 17131
    Max CP session : 2359296

{primary:node0}
syro@JP3600A> show security monitoring fpc 8
node0:
--------------------------------------------------------------------------
FPC 8
  PIC 0
    CPU utilization : 3 %
    Memory utilization : 66 %
    Current flow session : 10977
    Max flow session : 1048576
    Current CP session : 0
    Max CP session : 0

node1:
--------------------------------------------------------------------------
FPC 8
  PIC 0
    CPU utilization : 0 %
    Memory utilization : 66 %
    Current flow session : 11382
    Max flow session : 1048576
    Current CP session : 0
    Max CP session : 0

{primary:node0}

1.3.2 View per-second CPU utilization

(1) ScreenOS

CLI command: get performance cpu all detail

Example:

JP1000A.GL-IT.SDA(M)-> get performance cpu all detail
Average System Utilization: 1% (flow 1 task 1)
Last 60 seconds:

59: 2( 1 1) 58: 2( 1 1) 57: 2( 1 1) 56: 2( 1 1) 55: 2( 1 1) 54: 2( 1 1) 53: 2( 1 1) 52: 2( 1 1) 51: 2( 1 1) 50: 2( 1 1) 49: 2( 1 1) 48: 2( 1 1) 47: 2( 1 1) 46: 2( 1 1) 45: 2( 1 1) 44: 2( 1 1) 43: 2( 1 1) 42: 2( 1 1) 41: 2( 1 1) 40: 2( 1 1) 39: 2( 1 1) 38: 2( 1 1) 37: 2( 1 1) 36: 2( 1 1) 35: 2( 1 1) 34: 2( 1 1) 33: 2( 1 1) 32: 2( 1 1) 31: 2( 1 1) 30: 2( 1 1) 29: 2( 1 1) 28: 2( 1 1) 27: 2( 1 1) 26: 2( 1 1) 25: 2( 1 1) 24: 2( 1 1) 23: 2( 1 1) 22: 2( 1 1) 21: 2( 1 1) 20: 2( 1 1) 19: 2( 1 1) 18: 2( 1 1) 17: 2( 1 1) 16: 2( 1 1) 15: 2( 1 1) 14: 2( 1 1) 13: 2( 1 1) 12: 2( 1 1) 11: 2( 1 1) 10: 2( 1 1) 9: 2( 1 1) 8: 2( 1 1) 7: 2( 1 1) 6: 2( 1 1) 5: 2( 1 1) 4: 2( 1 1) 3: 2( 1 1) 2: 2( 1 1) 1: 2( 1 1) 0: 2( 1 1)

Last 60 minutes:


59: 2( 1 1) 58: 2( 1 1) 57: 2( 1 1) 56: 2( 1 1) 55: 2( 1 1) 54: 2( 1 1) 53: 2( 1 1) 52: 2( 1 1) 51: 2( 1 1) 50: 2( 1 1) 49: 2( 1 1) 48: 2( 1 1) 47: 2( 1 1) 46: 2( 1 1) 45: 2( 1 1) 44: 2( 1 1) 43: 2( 1 1) 42: 2( 1 1) 41: 2( 1 1) 40: 2( 1 1) 39: 2( 1 1) 38: 2( 1 1) 37: 2( 1 1) 36: 2( 1 1) 35: 2( 1 1) 34: 2( 1 1) 33: 2( 1 1) 32: 2( 1 1) 31: 2( 1 1) 30: 2( 1 1) 29: 2( 1 1) 28: 2( 1 1) 27: 2( 1 1) 26: 2( 1 1) 25: 2( 1 1) 24: 2( 1 1) 23: 2( 1 1) 22: 2( 1 1) 21: 2( 1 1) 20: 2( 1 1) 19: 2( 1 1) 18: 2( 1 1) 17: 2( 1 1) 16: 2( 1 1) 15: 2( 1 1) 14: 2( 1 1) 13: 2( 1 1) 12: 2( 1 1) 11: 2( 1 1) 10: 2( 1 1) 9: 2( 1 1) 8: 2( 1 1) 7: 2( 1 1) 6: 2( 1 1) 5: 2( 1 1) 4: 2( 1 1) 3: 2( 1 1) 2: 2( 1 1) 1: 2( 1 1) 0: 2( 1 1)

Last 24 hours:

23: 2( 1 1) 22: 2( 1 1) 21: 2( 1 1) 20: 2( 1 1) 19: 2( 1 1) 18: 2( 1 1) 17: 1( 1 1) 16: 2( 1 1) 15: 1( 1 1) 14: 2( 1 1) 13: 1( 1 1) 12: 1( 1 1) 11: 2( 1 1) 10: 2( 1 1) 9: 2( 1 1) 8: 2( 1 1) 7: 2( 1 1) 6: 1( 1 1) 5: 1( 1 1) 4: 2( 1 1) 3: 2( 1 1) 2: 2( 1 1) 1: 2( 1 1) 0: 2( 1 1)

(2) JunOS

CLI (operational mode) command: show security monitoring performance spu

Example:

syro@JP650A > show security monitoring performance spu
fpc 0 pic 0
Last 60 seconds:

0: 0 1: 0 2: 0 3: 0 4: 0 5: 0 6: 0 7: 0 8: 0 9: 0 10: 0 11: 0 12: 0 13: 0 14: 0 15: 0 16: 0 17: 0 18: 0 19: 0 20: 0 21: 0 22: 0 23: 0 24: 0 25: 0 26: 0 27: 0 28: 0 29: 0 30: 0 31: 0 32: 0 33: 0 34: 0 35: 0 36: 0 37: 0 38: 0 39: 0 40: 0 41: 0 42: 0 43: 0 44: 0 45: 0 46: 0 47: 0 48: 0 49: 0 50: 0 51: 0 52: 0 53: 0 54: 0 55: 0 56: 0 57: 0 58: 0 59: 0

syro@JP3600A> show security monitoring performance spu


node0:

--------------------------------------------------------------------------
fpc 7 pic 0
Last 60 seconds:

0: 0 1: 0 2: 0 3: 0 4: 0 5: 0 6: 0 7: 0 8: 0 9: 0 10: 0 11: 0 12: 0 13: 0 14: 0 15: 0 16: 0 17: 0 18: 0 19: 0 20: 0 21: 0 22: 0 23: 0 24: 0 25: 0 26: 0 27: 0 28: 0 29: 0 30: 0 31: 0 32: 0 33: 0 34: 0 35: 0 36: 0 37: 0 38: 0 39: 0 40: 0 41: 0 42: 0 43: 0 44: 0 45: 0 46: 0 47: 0 48: 0 49: 0 50: 0 51: 0 52: 0 53: 0 54: 0 55: 0 56: 0 57: 0 58: 0 59: 0
fpc 8 pic 0
Last 60 seconds:

0: 0 1: 0 2: 0 3: 0 4: 0 5: 0 6: 0 7: 0 8: 0 9: 0 10: 0 11: 0 12: 0 13: 0 14: 0 15: 0 16: 0 17: 0 18: 0 19: 0 20: 0 21: 0 22: 0 23: 0 24: 0 25: 0 26: 0 27: 0 28: 0 29: 0 30: 0 31: 0 32: 0 33: 0 34: 0 35: 0 36: 0 37: 0 38: 0 39: 0 40: 0 41: 0 42: 0 43: 0 44: 0 45: 0 46: 0 47: 0 48: 0 49: 0 50: 0 51: 0 52: 0 53: 0 54: 0 55: 0 56: 0 57: 0 58: 0 59: 0

node1:

--------------------------------------------------------------------------
fpc 7 pic 0
Last 60 seconds:

0: 0 1: 0 2: 0 3: 0 4: 0 5: 0 6: 0 7: 0 8: 0 9: 0 10: 0 11: 0 12: 0 13: 0 14: 0 15: 0 16: 0 17: 0 18: 0 19: 0 20: 0 21: 0 22: 0 23: 0 24: 0 25: 0 26: 0 27: 0 28: 0 29: 0 30: 0 31: 0 32: 0 33: 0 34: 0 35: 0 36: 0 37: 0 38: 0 39: 0 40: 0 41: 0 42: 0 43: 0 44: 0 45: 0 46: 0 47: 0 48: 0 49: 0 50: 0 51: 0 52: 0 53: 0 54: 0 55: 0 56: 0 57: 0 58: 0 59: 0
fpc 8 pic 0
Last 60 seconds:

0: 0 1: 0 2: 0 3: 0 4: 0 5: 0 6: 0 7: 0 8: 0 9: 0 10: 0 11: 0 12: 0 13: 0 14: 0 15: 0 16: 0 17: 0 18: 0 19: 0 20: 0 21: 0 22: 0 23: 0 24: 0 25: 0 26: 0 27: 0 28: 0 29: 0 30: 0 31: 0 32: 0 33: 0 34: 0 35: 0 36: 0 37: 0 38: 0 39: 0 40: 0 41: 0 42: 0 43: 0 44: 0 45: 0 46: 0 47: 0 48: 0 49: 0 50: 0 51: 0 52: 0 53: 0 54: 0 55: 0 56: 0 57: 0 58: 0 59: 0

{primary:node0}

1.4 View memory utilization

(1) ScreenOS

Memory utilization on the ScreenOS platform normally does not change.

CLI command: get memory

Example:

JP1000A-> get memory

Memory: allocated 536091296, left 238802224, frag 68, fail 0

(2) JunOS

SPU memory utilization reaching 70% warrants attention; the network or the device may be abnormal.

In CLI operational mode, the command to view SPU memory utilization on an SRX Branch firewall is: show security monitoring fpc 0

Example:

syro@JP650A> show security monitoring fpc 0
FPC 0
  PIC 0
    CPU utilization : 0 %
    Memory utilization : 67 %
    Current flow session : 16
    Max flow session : 524288

SRX High-end firewalls have a distributed architecture, so the command to use depends on the slot in which each SPC card is installed. For example, an SRX3600 fitted with 2 SPCs in slots 7 and 8 needs the SPU memory utilization of each checked separately. Also, when two SRX3600s are paired with virtual chassis (chassis cluster) technology, node0 is the primary firewall and node1 the backup.

In CLI operational mode, the SPU memory utilization commands for an SRX3600 are: show security monitoring fpc 7 and show security monitoring fpc 8

Example:

syro@JP3600A > show security monitoring fpc 7
node0:
--------------------------------------------------------------------------
FPC 7
  PIC 0
    CPU utilization : 2 %
    Memory utilization : 64 %
    Current flow session : 5265
    Max flow session : 524288
    Current CP session : 16401
    Max CP session : 2359296

node1:
--------------------------------------------------------------------------
FPC 7
  PIC 0
    CPU utilization : 0 %
    Memory utilization : 64 %
    Current flow session : 5582
    Max flow session : 524288
    Current CP session : 17131
    Max CP session : 2359296

{primary:node0}
syro@JP3600A> show security monitoring fpc 8
node0:
--------------------------------------------------------------------------
FPC 8
  PIC 0
    CPU utilization : 3 %
    Memory utilization : 66 %
    Current flow session : 10977
    Max flow session : 1048576
    Current CP session : 0
    Max CP session : 0

node1:
--------------------------------------------------------------------------
FPC 8
  PIC 0
    CPU utilization : 0 %
    Memory utilization : 66 %
    Current flow session : 11382
    Max flow session : 1048576
    Current CP session : 0
    Max CP session : 0
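Sections 1.3.1 and 1.4 read the same show security monitoring fpc N output and give two attention thresholds (SPU CPU 60%, SPU memory 70%). The following Python script is an added example, not part of this manual or of Juniper's software: it parses that output in both its standalone form and the node0/node1 chassis-cluster form and reports which PIC crossed a threshold, so an on-site engineer can run the check from a script rather than by eye. The sample output is constructed in the layout shown above (node1's figures raised so that both alerts fire), and the function names parse_monitoring_fpc and spu_alerts are my own choice.

```python
import re

# Constructed sample in the layout of the manual's chassis-cluster
# `show security monitoring fpc 7` output; node1's figures are raised so
# that both of the manual's thresholds fire.
SAMPLE_CLUSTER = """\
node0:
--------------------------------------------------------------------------
FPC 7
  PIC 0
    CPU utilization : 2 %
    Memory utilization : 64 %
    Current flow session : 5265
    Max flow session : 524288
    Current CP session : 16401
    Max CP session : 2359296

node1:
--------------------------------------------------------------------------
FPC 7
  PIC 0
    CPU utilization : 65 %
    Memory utilization : 72 %
    Current flow session : 5582
    Max flow session : 524288
    Current CP session : 17131
    Max CP session : 2359296

{primary:node0}
"""

SPU_CPU_WARN = 60   # manual: SPU CPU at 60 % needs attention
SPU_MEM_WARN = 70   # manual: SPU memory at 70 % needs attention

NODE_RE = re.compile(r"^(node\d+):$")
FPC_RE = re.compile(r"^FPC (\d+)$")
PIC_RE = re.compile(r"^PIC (\d+)$")
# "Name : value" counters; the trailing "%" on the utilization lines is optional
COUNTER_RE = re.compile(r"^([A-Za-z ]+?)\s*:\s*(\d+)\s*%?$")


def parse_monitoring_fpc(text):
    """Return one dict per PIC holding node (None on a standalone SRX), fpc,
    pic and every counter, keyed like cpu_utilization / max_flow_session."""
    records, node, fpc, current = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            node = m.group(1)
            continue
        m = FPC_RE.match(line)
        if m:
            fpc = int(m.group(1))
            continue
        m = PIC_RE.match(line)
        if m:
            current = {"node": node, "fpc": fpc, "pic": int(m.group(1))}
            records.append(current)
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            key = m.group(1).strip().lower().replace(" ", "_")
            current[key] = int(m.group(2))
    return records


def spu_alerts(records, cpu_warn=SPU_CPU_WARN, mem_warn=SPU_MEM_WARN):
    """Apply the manual's attention thresholds; returns one string per breach."""
    alerts = []
    for r in records:
        where = f"{r['node'] + ' ' if r['node'] else ''}FPC{r['fpc']} PIC{r['pic']}"
        cpu = r.get("cpu_utilization", 0)
        mem = r.get("memory_utilization", 0)
        if cpu >= cpu_warn:
            alerts.append(f"{where}: SPU CPU {cpu}% >= {cpu_warn}%")
        if mem >= mem_warn:
            alerts.append(f"{where}: SPU memory {mem}% >= {mem_warn}%")
    return alerts


if __name__ == "__main__":
    for alert in spu_alerts(parse_monitoring_fpc(SAMPLE_CLUSTER)):
        print(alert)
```

Feed it the captured text of show security monitoring fpc 7 and fpc 8 in turn; on a cluster the node label in each alert tells you whether the primary or the backup is the one under load.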

1.5 SRX RE CPU/memory utilization (JunOS only)

The RE CPU on SRX firewalls is used mainly for device management, so its utilization fluctuates widely, and a momentary 100% is normal. When RE CPU utilization stays above 45% for a long time, pay attention; when RE memory utilization stays above 60% for a long time, check the current RE workload.

CLI (operational mode) command: show chassis routing-engine

Example:

syro@JP650A > show chassis routing-engine
Routing Engine status:
    Temperature                 31 degrees C / 87 degrees F
    CPU temperature             31 degrees C / 87 degrees F
    Total memory              2048 MB Max 1065 MB used ( 52 percent)
      Control plane memory    1104 MB Max  442 MB used ( 40 percent)
      Data plane memory        944 MB Max  632 MB used ( 67 percent)
    CPU utilization:
      User                       6 percent
      Background                 0 percent
      Kernel                     1 percent
      Interrupt                  0 percent
      Idle                      93 percent
    Model                          RE-SRXSME-SRE6
    Serial ID                      AAAW4729
    Start time                     2012-07-12 17:54:51 CST
    Uptime                         177 days, 15 hours, 50 minutes, 35 seconds
    Last reboot reason             0x200:chassis control reset
    Load averages:                 1 minute   5 minute  15 minute
                                       0.41       0.26       0.19

syro@JP3600A > show chassis routing-engine
node0:
--------------------------------------------------------------------------
Routing Engine status:
  Slot 0:
    Current state                  Master
    Election priority              Master (default)
    DRAM                      1023 MB
    Memory utilization          39 percent
    CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     5 percent
      Interrupt                  0 percent
      Idle                      94 percent
    Model                          RE-PPC-1200-A
    Start time                     2012-07-13 10:06:41 CST
    Uptime                         176 days, 23 hours, 40 minutes, 35 seconds
    Last reboot reason             0x1:power cycle/failure
    Load averages:                 1 minute   5 minute  15 minute
                                       0.12       0.10       0.08

node1:
--------------------------------------------------------------------------
Routing Engine status:
  Slot 0:
    Current state                  Master
    Election priority              Master (default)
    DRAM                      1023 MB
    Memory utilization          34 percent
    CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     5 percent
      Interrupt                  0 percent
      Idle                      95 percent
    Model                          RE-PPC-1200-A
    Start time                     2012-07-16 14:39:07 CST
    Uptime                         173 days, 19 hours, 6 minutes, 11 seconds
    Last reboot reason             Router rebooted after a normal shutdown.
    Load averages:                 1 minute   5 minute  15 minute
                                       0.14       0.06       0.01
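The rule in this section is deliberately about sustained load, not a single reading, because a momentary 100% on the RE is normal. The Python script below is an added example, not from this manual or from Juniper: it parses show chassis routing-engine output in both the SRX650 layout (Total memory ... ( N percent)) and the SRX3600 cluster layout (Memory utilization N percent), derives CPU busy as 100 minus Idle, and only raises an alert when every one of the last three samples for a node is above the manual's 45% CPU or 60% memory figure. The sample output and the follow-up readings are constructed, and the names parse_routing_engine and sustained_alerts are my own.

```python
import re

# Constructed sample in the layout of the manual's chassis-cluster
# `show chassis routing-engine` output, abridged to the fields used here.
SAMPLE_RE_CLUSTER = """\
node0:
--------------------------------------------------------------------------
Routing Engine status:
  Slot 0:
    Current state                  Master
    DRAM                      1023 MB
    Memory utilization          39 percent
    CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     5 percent
      Interrupt                  0 percent
      Idle                      94 percent
    Model                          RE-PPC-1200-A

node1:
--------------------------------------------------------------------------
Routing Engine status:
  Slot 0:
    Current state                  Master
    DRAM                      1023 MB
    Memory utilization          34 percent
    CPU utilization:
      User                       0 percent
      Background                 0 percent
      Kernel                     5 percent
      Interrupt                  0 percent
      Idle                      95 percent
    Model                          RE-PPC-1200-A
"""

RE_CPU_WARN = 45   # manual: RE CPU above 45 % for a long time
RE_MEM_WARN = 60   # manual: RE memory above 60 % for a long time

NODE_RE = re.compile(r"^(node\d+):$")
# SRX3600-style line: "Memory utilization          39 percent"
MEM_UTIL_RE = re.compile(r"^Memory utilization\s+(\d+) percent$")
# SRX650-style line: "Total memory  2048 MB Max 1065 MB used ( 52 percent)"
TOTAL_MEM_RE = re.compile(r"^Total memory\s+\d+ MB Max \d+ MB used \(\s*(\d+) percent\)$")
IDLE_RE = re.compile(r"^Idle\s+(\d+) percent$")


def parse_routing_engine(text):
    """Return {node: {"mem": percent, "cpu": 100 - idle}}; the node key is
    None on a standalone SRX, which prints no node0:/node1: headers."""
    out, node = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            node = m.group(1)
            continue
        m = MEM_UTIL_RE.match(line) or TOTAL_MEM_RE.match(line)
        if m:
            out.setdefault(node, {})["mem"] = int(m.group(1))
            continue
        m = IDLE_RE.match(line)
        if m:
            out.setdefault(node, {})["cpu"] = 100 - int(m.group(1))
    return out


def sustained_alerts(history, cpu_warn=RE_CPU_WARN, mem_warn=RE_MEM_WARN, window=3):
    """history: parse_routing_engine() results, oldest first. A single spike
    is normal on the RE, so a node is only flagged when all of the last
    `window` samples are above the threshold."""
    recent = history[-window:]
    if len(recent) < window:
        return []
    alerts, nodes = [], set()
    for sample in recent:
        nodes.update(sample.keys())
    for node in sorted(nodes, key=str):
        label = node or "RE"
        if all(s.get(node, {}).get("cpu", 0) > cpu_warn for s in recent):
            alerts.append(f"{label}: RE CPU above {cpu_warn}% in {window} consecutive samples")
        if all(s.get(node, {}).get("mem", 0) > mem_warn for s in recent):
            alerts.append(f"{label}: RE memory above {mem_warn}% in {window} consecutive samples")
    return alerts


# Constructed follow-up readings: one momentary 100 % spike on node0 (normal),
# then node1 staying busy and short of memory.
SPIKE_SAMPLE = {"node0": {"mem": 39, "cpu": 100}, "node1": {"mem": 34, "cpu": 5}}
HOT_SAMPLE = {"node0": {"mem": 39, "cpu": 6}, "node1": {"mem": 65, "cpu": 70}}


def demo():
    base = parse_routing_engine(SAMPLE_RE_CLUSTER)
    return sustained_alerts([base, SPIKE_SAMPLE, HOT_SAMPLE, HOT_SAMPLE, HOT_SAMPLE])
```

In practice each sample would come from running the command on a polling interval; the spike sample alone never produces an alert, which is exactly the behaviour the section asks for.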


1.6 View session information

1.6.1 View total session count

(1) ScreenOS

When the current session total reaches twice the normal peak or 70% of the device's maximum session count, it needs attention and an alarm should be raised.

CLI command: get session info

Example:

JP1000A-> get session info
alloc 730/max 524288, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 523558
slot 2: hw0 alloc 730/max 524287

(2) JunOS

When the current session total reaches twice the normal peak or 70% of the device's maximum session count, it needs attention and an alarm should be raised.

CLI (operational mode) command: show security flow session summary

Example:

syro@JP650A> show security flow session summary
Unicast-sessions: 14
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 17
  Valid sessions: 14
  Pending sessions: 0
  Invalidated sessions: 3
  Sessions in other states: 0
Maximum-sessions: 524288

syro@JP3600A > show security flow session summary
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC7 PIC0:
Unicast-sessions: 0
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 0
  Valid sessions: 0
  Pending sessions: 0
  Invalidated sessions: 0
  Sessions in other states: 0
Maximum-sessions: 524288

Flow Sessions on FPC8 PIC0:
Unicast-sessions: 0
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 0
  Valid sessions: 0
  Pending sessions: 0
  Invalidated sessions: 0
  Sessions in other states: 0
Maximum-sessions: 1048576

node1:
--------------------------------------------------------------------------
Flow Sessions on FPC7 PIC0:
Unicast-sessions: 0
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 0
  Valid sessions: 0
  Pending sessions: 0
  Invalidated sessions: 0
  Sessions in other states: 0
Maximum-sessions: 524288

Flow Sessions on FPC8 PIC0:
Unicast-sessions: 0
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 0
  Valid sessions: 0
  Pending sessions: 0
  Invalidated sessions: 0
  Sessions in other states: 0
Maximum-sessions: 1048576
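The alarm rule in 1.6.1 (twice the normal peak, or 70% of the device maximum) needs two numbers from the output and one from history. The Python script below is an added example, not part of this manual or of Juniper's software: it reads the ScreenOS get session info line (alloc N/max M) and the JunOS show security flow session summary output, including the per-FPC blocks of a chassis cluster, and evaluates both halves of the rule against a table of historical peaks that the operator maintains. All sample output is constructed in the layouts shown above, and the names parse_screenos_session_info, parse_junos_session_summary and session_alerts are my own.

```python
import re

# Constructed samples in the layout of the manual's examples.
SCREENOS_INFO = (
    "alloc 730/max 524288, alloc failed 0, mcast alloc 0, di alloc failed 0\n"
    "total reserved 0, free sessions in shared pool 523558\n"
    "slot 2: hw0 alloc 730/max 524287\n"
)

JUNOS_SUMMARY = """\
Unicast-sessions: 14
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 17
  Valid sessions: 14
  Pending sessions: 0
  Invalidated sessions: 3
  Sessions in other states: 0
Maximum-sessions: 524288
"""

# Constructed cluster sample with FPC7 pushed well above the 70 % line.
JUNOS_CLUSTER_SUMMARY = """\
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC7 PIC0:
Unicast-sessions: 380000
Sessions-in-use: 380000
Maximum-sessions: 524288

Flow Sessions on FPC8 PIC0:
Unicast-sessions: 1000
Sessions-in-use: 1000
Maximum-sessions: 1048576
"""

SCREENOS_RE = re.compile(r"^alloc (\d+)/max (\d+)")
NODE_RE = re.compile(r"^(node\d+):")
FPC_RE = re.compile(r"^Flow Sessions on (FPC\d+ PIC\d+):")
INUSE_RE = re.compile(r"^Sessions-in-use:\s*(\d+)")
MAX_RE = re.compile(r"^Maximum-sessions:\s*(\d+)")


def parse_screenos_session_info(text):
    """The first 'alloc N/max M' line is the device-wide count (the later
    'slot 2: hw0 alloc ...' line is per-ASIC); returns [(label, used, max)]."""
    for line in text.splitlines():
        m = SCREENOS_RE.match(line.strip())
        if m:
            return [("device", int(m.group(1)), int(m.group(2)))]
    return []


def parse_junos_session_summary(text):
    """One (label, used, max) per SPU; a standalone SRX yields one 'device' entry."""
    results, node, unit, used = [], None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = NODE_RE.match(line)
        if m:
            node = m.group(1)
            continue
        m = FPC_RE.match(line)
        if m:
            unit = m.group(1)
            continue
        m = INUSE_RE.match(line)
        if m:
            used = int(m.group(1))
            continue
        m = MAX_RE.match(line)
        if m and used is not None:
            label = " ".join(p for p in (node, unit) if p) or "device"
            results.append((label, used, int(m.group(1))))
            used = None
    return results


def session_alerts(entries, usual_peak, max_pct=70, peak_factor=2):
    """Manual rule: alert at 2x the usual peak or at 70 % of the maximum.
    usual_peak maps label -> the historical peak the operator has recorded."""
    alerts = []
    for label, used, maximum in entries:
        pct = 100.0 * used / maximum
        if pct >= max_pct:
            alerts.append(f"{label}: {used} sessions = {pct:.1f}% of max {maximum}")
        peak = usual_peak.get(label)
        if peak and used >= peak_factor * peak:
            alerts.append(f"{label}: {used} sessions >= {peak_factor}x usual peak {peak}")
    return alerts
```

The labels follow the output (node0 FPC7 PIC0 and so on), so the peak table can be kept per SPU, which matters on a High-end box where the two SPCs in the example have different maximums.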


1.6.2 View new sessions per second

(1) ScreenOS

CLI command: get performance session detail

Example:

JP1000A-> get performance session detail
Last 60 seconds:

0: 26 1: 12 2: 19 3: 21 4: 23 5: 20 6: 27 7: 20 8: 32 9: 30 10: 36 11: 29 12: 35 13: 34 14: 13 15: 26 16: 31 17: 34 18: 20 19: 25 20: 24 21: 19 22: 20 23: 24 24: 21 25: 22 26: 24 27: 23 28: 34 29: 24 30: 35 31: 35 32: 34 33: 21 34: 15 35: 26 36: 37 37: 32 38: 36 39: 27 40: 20 41: 32 42: 24 43: 25 44: 21 45: 19 46: 17 47: 16 48: 15 49: 14 50: 17 51: 19 52: 26 53: 38 54: 32 55: 41 56: 11 57: 13 58: 15 59: 11

(2) JunOS

On JunOS 11.4 and later the new-session rate per second can be read directly; in CLI operational mode the command for an SRX Branch firewall is: show security monitoring fpc 0

Example:

root> show security monitoring fpc 0
FPC 0
  PIC 0
    CPU utilization : 0 %
    Memory utilization : 69 %
    Current flow session : 6
    Current flow session IPv4: 0
    Current flow session IPv6: 0
    Max flow session : 262144
    Total Session Creation Per Second (for last 96 seconds on average): 0
    IPv4 Session Creation Per Second (for last 96 seconds on average): 0
    IPv6 Session Creation Per Second (for last 96 seconds on average): 0

On versions before JunOS 11.4 only the per-second session count is available; in CLI operational mode the command is: show security monitoring performance session

Example:

syro@JP650A > show security monitoring performance session
fpc 0 pic 0
Last 60 seconds:

0: 18 1: 18 2: 17 3: 18 4: 17 5: 14 6: 14 7: 17 8: 16 9: 17 10: 16 11: 17 12: 17 13: 18 14: 16 15: 16 16: 15 17: 15 18: 14 19: 15 20: 13 21: 14 22: 12 23: 27 24: 27 25: 56 26: 55 27: 78 28: 61 29: 79 30: 59 31: 75 32: 59 33: 81 34: 64 35: 78 36: 61 37: 75 38: 60 39: 51 40: 40 41: 50 42: 47 43: 69 44: 60 45: 69 46: 56 47: 76 48: 67 49: 78 50: 57 51: 74 52: 55 53: 78 54: 60 55: 70 56: 51 57: 62 58: 48 59: 29

syro@JP3600A > show security monitoring performance session
node0:
--------------------------------------------------------------------------
fpc 7 pic 0
Last 60 seconds:

0: 9761 1: 9987 2: 9713 3: 9965 4: 9692 5: 9989 6: 9703 7: 9958 8: 9653 9: 9878 10: 9616 11: 9940 12: 9691 13: 10065 14: 9814 15: 10010 16: 9731 17: 9887 18: 9610 19: 9857 20: 9636 21: 9910 22: 9649 23: 9938 24: 9686 25: 9952 26: 9704 27: 9988 28: 9735 29: 9984 30: 9723 31: 10009 32: 9758 33: 10105 34: 9878 35: 10155 36: 9881 37: 10107 38: 9798 39: 10032 40: 9795 41: 10068 42: 9792 43: 10073 44: 9829 45: 10082 46: 9813 47: 10060 48: 9775 49: 10061 50: 9791 51: 10008 52: 9732 53: 9963 54: 9721 55: 9935 56: 9668 57: 9938 58: 9696 59: 9993
fpc 8 pic 0
Last 60 seconds:

0: 20252 1: 19658 2: 20188 3: 19608 4: 20185 5: 19660 6: 20164 7: 19591 8: 20039 9: 19492 10: 19938 11: 19433 12: 20098 13: 19642 14: 20275 15: 19714 16: 20013 17: 19445 18: 19841 19: 19325 20: 19824 21: 19358 22: 19880 23: 19371 24: 19936 25: 19429 26: 19876 27: 19396 28: 19938 29: 19459 30: 19911 31: 19369 32: 20068 33: 19565 34: 20332 35: 19645 36: 20309 37: 19657 38: 20128 39: 19471 40: 20010 41: 19493 42: 20049 43: 19536 44: 20163 45: 19644 46: 20132 47: 19624 48: 20154 49: 19575 50: 20097 51: 19529 52: 20041 53: 19525 54: 19978 55: 19488 56: 19899 57: 19372 58: 19984 59: 19500


node1:

--------------------------------------------------------------------------
fpc 7 pic 0
Last 60 seconds:

0: 10213 1: 10447 2: 10172 3: 10424 4: 10150 5: 10432 6: 10153 7: 10362 8: 10078 9: 10394 10: 10134 11: 10472 12: 10219 13: 10530 14: 10279 15: 10450 16: 10134 17: 10347 18: 10066 19: 10312 20: 10093 21: 10400 22: 10137 23: 10384 24: 10147 25: 10456 26: 10193 27: 10437 28: 10184 29: 10507 30: 10265 31: 10570 32: 10314 33: 10694 34: 10467 35: 10659 36: 10407 37: 10618 38: 10315 39: 10519 40: 10293 41: 10561 42: 10285 43: 10555 44: 10300 45: 10540 46: 10256 47: 10573 48: 10296 49: 10496 50: 10234 51: 10447 52: 10169 53: 10364 54: 10115 55: 10406 56: 10140 57: 10385 58: 10155 59: 10445
fpc 8 pic 0
Last 60 seconds:

0: 21893 1: 21280 2: 21813 3: 21250 4: 21759 5: 21230 6: 21668 7: 21122 8: 21685 9: 21176 10: 21775 11: 21254 12: 21735 13: 21272 14: 21791 15: 21155 16: 21508 17: 20933 18: 21439 19: 20944 20: 21514 21: 21026 22: 21461 23: 20970 24: 21540 25: 21045 26: 21494 27: 20991 28: 21684 29: 21223 30: 21909 31: 21367 32: 22025 33: 21539 34: 22163 35: 21480 36: 21933 37: 21282 38: 21790 39: 21194 40: 21827 41: 21311 42: 21793 43: 21264 44: 21860 45: 21300 46: 21830 47: 21292 48: 21762 49: 21222 50: 21607 51: 21063 52: 21449 53: 20899 54: 21527 55: 21041 56: 21509 57: 21017 58: 21527 59: 21033

{primary:node0}

1.6.3 View all firewall session entries

(1) ScreenOS

CLI command: get session

Example:

JP1000A-> get session
alloc 2976/max 524288, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 521312
slot 2: hw0 alloc 2976/max 524287
id 482707/s0*,vsys 0,flag 10200400/4000/0003,policy 20036,time 1302, dip 36 module 0
 if 130(nspflag 0805):192.168.12.101/4795->10.1.131.244/8000,6,000000000000,sess token 4,vlan 32,tun 0,vsd 0,route 17,wsf 0
 if 128(nspflag 10000800):10.1.94.104/43422<-10.1.131.244/8000,6,000000000000,sess token 3,vlan 0,tun 0,vsd 0,route 29,wsf 0
id 482709/s0*,vsys 0,flag 10200400/4000/0003,policy 20040,time 1419, dip 36 module 0
 if 130(nspflag 0805):192.168.11.202/1170->10.195.4.41/6002,6,000000000000,sess token 4,vlan 32,tun 0,vsd 0,route 17,wsf 0
 if 128(nspflag 10000800):10.1.94.104/60242<-10.195.4.41/6002,6,000000000000,sess token 3,vlan 0,tun 0,vsd 0,route 29,wsf 0

(2) JunOS

CLI (operational mode) command: show security flow session

Example:

syro@JP650A> show security flow session
Session ID: 15176, Policy name: self-traffic-policy/1, Timeout: 60, Valid
  In: 192.168.117.2/514 --> 10.1.35.11/514;udp, If: .local..0, Pkts: 2668507, Bytes: 659764260
  Out: 10.1.35.11/514 --> 192.168.117.2/514;udp, If: ae0.0, Pkts: 0, Bytes: 0
Session ID: 15264, Policy name: self-traffic-policy/1, Timeout: 60, Valid
  In: 192.168.117.2/514 --> 10.1.88.166/514;udp, If: .local..0, Pkts: 2769763, Bytes: 668172183
  Out: 10.1.88.166/514 --> 192.168.117.2/514;udp, If: ae0.0, Pkts: 0, Bytes: 0
Session ID: 15267, Policy name: self-traffic-policy/1, Timeout: 60, Valid
  In: 192.168.117.2/514 --> 10.1.35.12/514;udp, If: .local..0, Pkts: 2668508, Bytes: 659764488
  Out: 10.1.35.12/514 --> 192.168.117.2/514;udp, If: ae0.0, Pkts: 0, Bytes: 0

1.6.4 View sessions by filter condition

(1) ScreenOS

In the CLI, the get session command can show sessions filtered by the following options.

Command help:

JP1000A-> get session
> redirect output
| match output
dst-ip destination ip address
dst-mac destination mac address
dst-port destination port number or range
hardware show hardware sessions only
id show sessions with id
ike-nat show ike-nat ALG info
policy-id policy id
protocol protocol number or range
rm show sessions for resource management
service show sessions with service type
src-ip source ip address
src-mac source mac address
src-port source port number or range
tunnel show tunnel sessions
vsd-id get vsd-id specified sessions

Example:

JP1000A-> get session src-ip 10.1.3.32
alloc 1366/max 524288, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 522922
slot 2: hw0 alloc 1363/max 524287
Total 448 sessions according filtering criteria.
id 517142/s0*,vsys 0,flag 00200450/0000/0081,policy 20026,time 0, dip 0 module 0
 if 46(nspflag 800901):10.1.3.32/51602->10.1.8.130/8300,6,00000c07ac21,sess token 4,vlan 0,tun 0,vsd 0,route 8,wsf 0
 if 45(nspflag 800900):10.1.3.32/51602<-10.1.8.130/8300,6,00000c07ac5f,sess token 3,vlan 0,tun 0,vsd 0,route 6,wsf 0
id 517222/s0*,vsys 0,flag 00200440/0000/0003,policy 20028,time 2, dip 0 module 0

(2) JunOS

In CLI operational mode, the show security flow session command can show sessions filtered by the following options:

syro@JP650A > show security flow session
Possible completions:
  <[Enter]>            Execute this command
  application          Application protocol name
  brief                Show brief output (default)
  destination-port     Destination port (1..65535)
  destination-prefix   Destination IP prefix or address
  extensive            Show detailed output
  family               Show session by family
  idp                  Show idp sessions
  interface            Name of incoming or outgoing interface
  nat                  Show sessions with network address translation
  protocol             IP protocol number
  resource-manager     Show sessions with resource manager
  session-identifier   Show session with specified session identifier
  source-port          Source port (1..65535)
  source-prefix        Source IP prefix or address
  summary              Show output summary
  tunnel               Show tunnel sessions
  |                    Pipe through a command

示例:

syro@JP650A > show security flow session source-prefix 10.1.35.11 Session ID: 168247, Policy name: self-traffic-policy/1, Timeout: 1800, Valid

In: 10.1.35.11/58624 --> 192.168.117.2/22;tcp, If: ae0.0, Pkts: 512, Bytes: 40342 Out: 192.168.117.2/22 --> 10.1.35.11/58624;tcp, If: .local..0, Pkts: 352, Bytes: 43885 Total sessions: 1

1.6.5 Viewing session details

(1) ScreenOS

ScreenOS firewalls show the details of a session by session id. CLI command: get session id <id>

Example:

JP1000A-> get session id 490591
id 490591(00077c5f), flag 10200400/4000/0003, vsys id 0(Root)
policy id 20113, application id 0, dip id 36, state 0
current timeout 2250, max timeout 300 (second)
status normal, start time 12185013, duration 0
session id mask 0, app value 0
redundant3.2(vsd 0): 192.168.16.24/1807->10.1.48.7/80, protocol 6
session token 4 route 17
gtwy 192.168.250.253, mac 000000000000, nsptn info 0, pmtu 1500
flag 805, diff 0/0
port seq 0, subif 2, cookie 0, fin seq 0, fin state 0
redundant1(vsd 0): 10.1.94.104/4186<-10.1.48.7/80, protocol 6
session token 3 route 29
gtwy 10.1.94.254, mac 000000000000, nsptn info 0, pmtu 1500
mac 000000000000, nsptn info 0
flag 10000800, diff 0/0
port seq 0, subif 0, cookie 0, fin seq 0, fin state 0
Saturn hardware session:
chip 0,slot 2,idx 237169,flag 0x40,diff (0/0),pid 20113,time (12185013/30/225),ssid 490591
130(1):192.168.16.24/1807->10.1.48.7/80,6,token:4,l2:(b:0:65533),vl:0,sa:0,vsd:0,L2 xl:1
  bcnt:0, vect:0, fin_seq:0x00000000, fst:0, flag:11,wsf 14
128(1):10.1.94.104/4186<-10.1.48.7/80,6,token:3,l2:(d:2:65533),vl:1,sa:0,vsd:0,L2 xl:1
  bcnt:0, vect:0, fin_seq:0x00000000, fst:0, flag:11,wsf 14
hw sess:0x8b9e7100, ext hw sess:0x8b9e7180, cnt:1125
shadow sess:0x059ee938, hash:001c0ca0, hash1:001452b0, shadow flag:0x10
nat_flag:0x40, next id:00000000(0), next id1:00000000(0), prev id:00000000(0), prev id1:00000000(0)
twin 0x0, forw1 0x0, forw2 0x0, sw sess:0x164a3a30, policy 0x2462e980

Note the two wings: the outbound wing on redundant3.2 carries 192.168.16.24/1807, while the return wing on redundant1 is addressed to 10.1.94.104/4186, and the header shows dip id 36 together with nat_flag 0x40. This session is therefore source-NATed through a DIP pool; when matching a session against a host's own view of its connections, use the address on the inside wing.

(2) JunOS

On JunOS firewalls, add the extensive parameter to see session details.

CLI (operational mode) command: show security flow session extensive

Example:

syro@JP650A> show security flow session extensive destination-port 80
Session ID: 168239, Status: Normal
Flag: 0x0
Policy name: 10024/41
Source NAT pool: interface, Application: junos-http/6
Maximum timeout: 1800, Current timeout: 542
Session State: Valid
Start time: 9230725, Duration: 1457
   In: 192.168.129.18/3977 --> 220.181.111.238/80;tcp,
    Interface: ae0.0,
    Session token: 0x6, Flag: 0x0x21
    Route: 0x4f1b02, Gateway: 192.168.129.18, Tunnel: 0
    Port sequence: 0, FIN sequence: 3377815844,
    FIN state: 1,
    Pkts: 11, Bytes: 455
   Out: 220.181.111.238/80 --> 219.143.234.205/38704;tcp,
    Interface: ge-2/0/2.0,
    Session token: 0x7, Flag: 0x0x20
    Route: 0xc0010, Gateway: 219.143.234.193, Tunnel: 0
    Port sequence: 0, FIN sequence: 0,
    FIN state: 0,
    Pkts: 1, Bytes: 52
Total sessions: 1

Here "Source NAT pool: interface" is why the Out wing is addressed to 219.143.234.205/38704 instead of the original 192.168.129.18/3977: the session is using interface-based source NAT on ge-2/0/2.0.


1.6.6 Saving all firewall session entries

(1) ScreenOS

Method one: capture the output of get session from the terminal. Increase the SSH client's scroll-back buffer, or enable session logging in the client, before running it.

CLI command: get session

Method two: send the output of get session to a TFTP server. Confirm the TFTP service is reachable first. A session dump lists internal addresses and every open connection, and TFTP is unauthenticated and unencrypted, so use a TFTP server on the management network only and delete the file once it has been collected.

CLI command: get session > tftp <server IP> <file name>

Example:

JP1000A-> get session > tftp 10.1.35.11 session.log

(2) JunOS

Method one: capture the output of show security flow session from the terminal. Increase the SSH client's scroll-back buffer, or enable session logging in the client, before running it.

CLI (operational mode) command: show security flow session

Method two: save the output of show security flow session to the RE's disk, then use file list to see where it was written.

CLI (operational mode) commands: show security flow session | save <file name>, followed by file list

Example:

syro@JP650A> show security flow session | save session.log
Wrote 52 lines of output to 'session.log'
syro@JP650A.KF-HL.OUT.JXA> file list
/cf/var/home/jpro/:
.ssh/
session.log

Method three (advanced): save all session entries from the shell. From CLI operational mode:

- enter the shell: start shell
- change to the /tmp directory: cd /tmp
- save the sessions: cli -c \
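Section 1.6.4 shows the two output layouts and this section is about keeping a copy of the whole table; once a dump has been saved it is normally parsed offline rather than read. The following Python script is an added example, not part of the original manual or of any Juniper tooling: it parses both the ScreenOS get session layout and the JunOS show security flow session brief layout into one record type, then ranks source addresses by session count. The two sample outputs embedded in it are constructed from the values shown above (with a second session added to each); the record fields and function names are chosen here.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: ScreenOS "get session" output in the layout of section 1.6.4
# (an "id ..." header line followed by two "if ..." wing lines per session).
SCREENOS_SAMPLE = """\
JP1000A-> get session src-ip 10.1.3.32
alloc 1366/max 524288, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 522922
Total 2 sessions according filtering criteria.
id 517142/s0*,vsys 0,flag 00200450/0000/0081,policy 20026,time 0, dip 0 module 0
 if 46(nspflag 800901):10.1.3.32/51602->10.1.8.130/8300,6,00000c07ac21,sess token 4,vlan 0,tun 0,vsd 0,route 8,wsf 0
 if 45(nspflag 800900):10.1.3.32/51602<-10.1.8.130/8300,6,00000c07ac5f,sess token 3,vlan 0,tun 0,vsd 0,route 6,wsf 0
id 517222/s0*,vsys 0,flag 00200440/0000/0003,policy 20028,time 2, dip 0 module 0
 if 46(nspflag 800901):10.1.3.32/51610->10.1.8.131/53,17,00000c07ac21,sess token 4,vlan 0,tun 0,vsd 0,route 8,wsf 0
 if 45(nspflag 800900):10.1.3.32/51610<-10.1.8.131/53,17,00000c07ac5f,sess token 3,vlan 0,tun 0,vsd 0,route 6,wsf 0
"""

# Constructed sample: Junos "show security flow session" brief output (section 1.6.4).
JUNOS_SAMPLE = """\
Session ID: 168247, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 10.1.35.11/58624 --> 192.168.117.2/22;tcp, If: ae0.0, Pkts: 512, Bytes: 40342
  Out: 192.168.117.2/22 --> 10.1.35.11/58624;tcp, If: .local..0, Pkts: 352, Bytes: 43885
Session ID: 168300, Policy name: 10024/41, Timeout: 1800, Valid
  In: 10.1.35.11/40000 --> 8.8.8.8/53;udp, If: ae0.0, Pkts: 1, Bytes: 60
  Out: 8.8.8.8/53 --> 10.1.35.11/40000;udp, If: ge-2/0/2.0, Pkts: 1, Bytes: 120
Total sessions: 2
"""


@dataclass(frozen=True)
class Session:
    session_id: int
    policy: str      # ScreenOS policy id or Junos policy name
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # IANA protocol number as a string ("6", "17", ...)


# Junos prints protocol names; normalise the common ones to numbers like ScreenOS.
PROTO_NAMES = {"tcp": "6", "udp": "17", "icmp": "1"}

_SOS_HDR = re.compile(r"^id (\d+)/\S+,vsys \d+,flag \S+,policy (\d+),")
_SOS_WING = re.compile(r"^\s*if \d+\(nspflag \w+\):(\S+?)/(\d+)->(\S+?)/(\d+),(\d+),")
_JUNOS_HDR = re.compile(r"^Session ID: (\d+), Policy name: (\S+), ")
_JUNOS_IN = re.compile(r"^\s*In: (\S+?)/(\d+) --> (\S+?)/(\d+);(\w+),")


def parse_screenos(text: str) -> List[Session]:
    """Parse ScreenOS 'get session' output. Only the '->' (initiator) wing of
    each session is recorded; the '<-' wing is the reply direction."""
    sessions: List[Session] = []
    hdr: Optional[Tuple[int, str]] = None
    for line in text.splitlines():
        m = _SOS_HDR.match(line)
        if m:
            hdr = (int(m.group(1)), m.group(2))
            continue
        m = _SOS_WING.match(line)
        if m and hdr:
            sessions.append(Session(hdr[0], hdr[1], m.group(1), int(m.group(2)),
                                    m.group(3), int(m.group(4)), m.group(5)))
            hdr = None  # one record per session; ignore the reverse wing
    return sessions


def parse_junos(text: str) -> List[Session]:
    """Parse Junos brief output; the 'In:' wing carries the pre-NAT 5-tuple."""
    sessions: List[Session] = []
    hdr: Optional[Tuple[int, str]] = None
    for line in text.splitlines():
        m = _JUNOS_HDR.match(line)
        if m:
            hdr = (int(m.group(1)), m.group(2))
            continue
        m = _JUNOS_IN.match(line)
        if m and hdr:
            sessions.append(Session(hdr[0], hdr[1], m.group(1), int(m.group(2)),
                                    m.group(3), int(m.group(4)),
                                    PROTO_NAMES.get(m.group(5), m.group(5))))
            hdr = None
    return sessions


def parse_sessions(text: str) -> List[Session]:
    """Detect the platform from the capture itself and parse accordingly."""
    return parse_junos(text) if "Session ID:" in text else parse_screenos(text)


def top_talkers(sessions: List[Session], n: int = 10) -> List[Tuple[str, int]]:
    """Session count per source IP, highest first: a quick way to find the host
    that is scanning, or has been hijacked, when the session table balloons."""
    return Counter(s.src_ip for s in sessions).most_common(n)


def sessions_to_host(sessions: List[Session], dst_ip: str,
                     dst_port: Optional[int] = None) -> List[Session]:
    """All sessions towards one server (optionally one port) in the dump."""
    return [s for s in sessions
            if s.dst_ip == dst_ip and (dst_port is None or s.dst_port == dst_port)]


if __name__ == "__main__":
    for sample in (SCREENOS_SAMPLE, JUNOS_SAMPLE):
        parsed = parse_sessions(sample)
        print(len(parsed), "sessions; top talkers:", top_talkers(parsed, 3))
```

Feed it the file written by get session > tftp or by | save; the same parse_sessions call handles either platform, so a script that raises an alarm when one source owns an unusual share of the table can be shared across the ScreenOS and SRX estate.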

1.7 Viewing alarm logs

(1) ScreenOS

CLI command: get alarm event

Example:

JP1000A-> get alarm event
Date       Time     Module Level Type  Description
2012-08-24 23:25:22 system crit  00072 The local device 10222208 in the Virtual Security Device group (0) changed state from backup to primary backup, missing primary backup.
2012-08-24 23:25:22 system crit  00015 Peer device 10670336 in the Virtual Security Device group 0 changed state from primary backup to master.

(2) JunOS

SRX firewalls keep chassis alarms and system alarms separately.

CLI (operational mode) commands: show chassis alarms and show system alarms

Example:

syro@JP3600A> show chassis alarms
node0:
--------------------------------------------------------------------------
No alarms currently active

node1:
--------------------------------------------------------------------------
No alarms currently active

{primary:node0}
syro@JP3600A> show system alarms
node0:
--------------------------------------------------------------------------
No alarms currently active

node1:
--------------------------------------------------------------------------
No alarms currently active

1.8 Viewing event logs: ScreenOS

1.8.1 Viewing all event logs (ScreenOS only)

CLI command: get event

The output of this command also contains the alarm log entries.

Example:

JP1000A-> get event
Total event entries = 25174
Date       Time     Module Level Type  Description
2013-01-01 15:35:12 system notif 00767 Event log was reviewed by admin syro.
2013-01-01 15:34:40 system warn  00515 Admin user syro has logged on via SSH from 10.1.35.11:45656
2013-01-01 15:34:40 system warn  00528 SSH: Password authentication successful for admin user 'syro' at host 10.1.35.11.

1.8.2 Filtering event logs by level (ScreenOS only)

ScreenOS firewalls classify events into eight levels. The get event command can filter events by level; the options are:

JP1000A-> get event level ?
alert           level 1: immediate action is required
critical        level 2: functionality is affected
debug           level 7: detailed information for troubleshooting
emergency       level 0: system is unusable
error           level 3: error condition
information     level 6: general information about operation
notification    level 5: normal events
warning         level 4: functionality may be affected

Example:

JP1000A-> get event level alert
Date       Time     Module Level Type  Description
2013-01-04 23:47:40 system alert 00012 UDP flood! From 172.18.1.60:10008 to 10.1.188.48:8011, proto UDP (zone DMZ, int ethernet1/2). Occurred 1 times.
2013-01-04 16:40:44 system alert 00016 Port scan! From 10.254.254.87:83 to 10.19.10.232:2221, proto TCP (zone DMZ, int ethernet1/2). Occurred 1 times.
2012-12-21 14:47:54 system alert 00012 UDP flood! From 172.18.1.64:10042 to 10.1.188.48:8011, proto UDP (zone DMZ, int ethernet1/2). Occurred 1 times.
2012-12-18 09:36:23 system alert 00012 UDP flood! From 172.18.1.65:10028 to 10.1.188.48:8011, proto UDP (zone DMZ, int ethernet1/2). Occurred 1 times.
Total entries matched = 4

The alert-level entries are where the Screen options (flood and scan detection) on each zone report what they detected; each entry names the source, the target, and the zone and interface on which the threshold was exceeded, so repeated hits from the same source are worth tracing during an inspection.

1.8.3 Filtering event logs by time (ScreenOS only)

The get event command can also filter events by time; the options are:

JP1000A.HL-JR.SC-VPN.JXA-> get event start-date ?
start date(mm/dd[/yyyy-hh:mm:ss]): 1996 < yyyy < 2045

Example:

JP1000A.HL-JR.SC-VPN.JXA-> get event start-date 01/05/2013
Total event entries = 3813
Date       Time     Module Level Type  Description
2013-01-05 15:03:27 system crit  00040 VPN 'SAP-connection' from 194.39.131.166 is up.
2013-01-05 15:03:17 system info  00536 IKE 194.39.131.166 Phase 2 msg ID a6000770: Completed negotiations with SPI bfc9b510, tunnel ID 3, and lifetime 7200 seconds/4194303 KB.
2013-01-05 15:03:17 system info  00536 IKE 194.39.131.166 phase 2:The symmetric crypto key has been generated successfully.
2013-01-05 15:03:17 system info  00536 IKE 194.39.131.166: Phase 2 msg ID a6000770: Received responder lifetime 2.2.4
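Both filters can be applied offline to a saved get event capture. The Python below is an added example, not taken from the manual: it re-joins descriptions that the terminal wrapped onto a second line, filters by severity and start date in the spirit of get event level and get event start-date, and extracts the attacker/target tuples from Screen alerts such as "UDP flood!" and "Port scan!" so they can be aggregated per source. EVENT_SAMPLE is constructed from the entries shown in 1.8.1 to 1.8.3; the level abbreviations emerg, error and debug are assumed (crit, alert, warn, notif and info appear in the output above).

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample in the "get event" layout of section 1.8; the last entry is
# wrapped over two lines the way a terminal capture breaks long descriptions.
EVENT_SAMPLE = """\
JP1000A-> get event
Total event entries = 5
Date       Time     Module Level Type  Description
2013-01-04 23:47:40 system alert 00012 UDP flood! From 172.18.1.60:10008 to 10.1.188.48:8011, proto UDP (zone DMZ, int ethernet1/2). Occurred 1 times.
2013-01-04 16:40:44 system alert 00016 Port scan! From 10.254.254.87:83 to 10.19.10.232:2221, proto TCP (zone DMZ, int ethernet1/2). Occurred 1 times.
2013-01-01 15:34:40 system warn  00515 Admin user syro has logged on via SSH from 10.1.35.11:45656
2012-12-21 14:47:54 system crit  00040 VPN 'SAP-connection' from 194.39.131.166 is up.
2012-12-18 09:36:23 system alert 00012 UDP flood! From 172.18.1.65:10028 to
                                       10.1.188.48:8011, proto UDP (zone DMZ, int ethernet1/2). Occurred 1 times.
Total entries matched = 5
"""

# Severity abbreviations as printed in the Level column, 0 = most severe
# (section 1.8.2). crit/alert/warn/notif/info appear in the manual's output;
# emerg, error and debug are assumed abbreviations.
LEVELS: Dict[str, int] = {"emerg": 0, "alert": 1, "crit": 2, "error": 3,
                          "warn": 4, "notif": 5, "info": 6, "debug": 7}

_EVENT = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+)\s+(\S+)\s+(\d{5}) (.*)$")
_PROMPT = re.compile(r"^\S+-> ")
_ATTACK = re.compile(
    r"^(?P<kind>[A-Za-z ]+?)! From (?P<src>[\d.]+):(?P<sport>\d+) to "
    r"(?P<dst>[\d.]+):(?P<dport>\d+), proto (?P<proto>\w+) "
    r"\(zone (?P<zone>[^,]+), int (?P<iface>[^)]+)\)\. Occurred (?P<count>\d+) times\.")


@dataclass(frozen=True)
class Event:
    when: datetime
    module: str
    level: str
    type_code: str
    description: str


def parse_events(text: str) -> List[Event]:
    """Parse a captured 'get event' listing, gluing wrapped description lines
    back onto the event they belong to."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip() or _PROMPT.match(line) or line.startswith(("Date ", "Total ")):
            continue  # prompt, column header, totals
        m = _EVENT.match(line)
        if m:
            when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%Y-%m-%d %H:%M:%S")
            events.append(Event(when, m.group(3), m.group(4), m.group(5), m.group(6).strip()))
        elif events:  # continuation of the previous description
            e = events[-1]
            events[-1] = Event(e.when, e.module, e.level, e.type_code,
                               e.description + " " + line.strip())
    return events


def filter_events(events: List[Event], max_level: Optional[str] = None,
                  start_date: Optional[str] = None) -> List[Event]:
    """Keep events at severity max_level or more severe (lower number), and
    not older than start_date given as YYYY-MM-DD."""
    threshold = LEVELS[max_level] if max_level else 7
    since = datetime.strptime(start_date, "%Y-%m-%d") if start_date else None
    return [e for e in events
            if LEVELS.get(e.level, 7) <= threshold and (since is None or e.when >= since)]


def attack_events(events: List[Event]) -> List[dict]:
    """Extract source, target, zone, interface and hit count from Screen alerts."""
    found: List[dict] = []
    for e in events:
        m = _ATTACK.match(e.description)
        if m:
            d = m.groupdict()
            d["count"] = int(d["count"])
            d["when"] = e.when
            found.append(d)
    return found


def repeat_offenders(events: List[Event], min_hits: int = 2) -> Dict[str, int]:
    """Source addresses whose Screen alerts add up to at least min_hits."""
    hits: Dict[str, int] = {}
    for a in attack_events(events):
        hits[a["src"]] = hits.get(a["src"], 0) + a["count"]
    return {src: n for src, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    evs = parse_events(EVENT_SAMPLE)
    for a in attack_events(filter_events(evs, max_level="alert")):
        print(a["when"], a["kind"], a["src"], "->", f'{a["dst"]}:{a["dport"]}', a["zone"], a["iface"])
```

Note that "Total entries matched" in the on-box filter counts entries of exactly the requested level, whereas filter_events keeps everything at that level or more severe; the script is meant for triage of a saved capture, not as a byte-for-byte replica of the CLI.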

1.9 Viewing event logs: JunOS

With the default configuration the SRX writes its event log to the file named messages. CLI command to view it: show log messages

Example:

root> show log messages
Nov 11 15:25:03 cron[1174]: (root) CMD ( /usr/libexec/atrun)
Nov 11 15:27:26 rpd[1098]: Decode ifd sp-0/0/0 index 135: ifdm_flags 0xc010
Nov 11 15:27:26 rpd[1098]: krt_inherit_ifd_aps_flags sp-0/0/0 index 135: <> from self
Nov 11 15:30:03 cron[1179]: (root) CMD ( /usr/libexec/atrun)
Nov 11 15:30:03 cron[1180]: (root) CMD (newsyslog)
Nov 11 15:35:02 cron[1185]: (root) CMD ( /usr/libexec/atrun)
Nov 11 15:36:49 mgd[1160]: UI_CMDLINE_READ_LINE: User 'root', command 'show configuration '
Nov 11 15:37:28 rpd[1098]: Decode ifd ge-0/0/0 index 133: ifdm_flags 0xc001
Nov 11 15:37:28 rpd[1098]: krt_inherit_ifd_aps_flags ge-0/0/0 index 133: <> from self
Nov 11 15:37:28 rpd[1098]: EVENT ge-0/0/0.0 index 69 address #0 0.c.29.77.62.ac
Nov 11 15:37:28 rpd[1098]: EVENT UpDown ge-0/0/0.0 index 69 192.168.36.154/24 -> 192.168.36.255
Nov 11 15:37:28 rpd[1098]: EVENT ge-0/0/0 index 133 address #0 0.c.29.77.62.ac
Nov 11 15:37:28 mib2d[1097]: SNMP_TRAP_LINK_DOWN: ifIndex 506, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/0
Nov 11 15:37:30 rpd[1098]: Cancelling deferral ge-0/0/0 index 133 -> ge-0/0/0 index 133
Nov 11 15:37:30 /kernel: if_msg_ifl_addr_del 69 0xc570f856 0xc570f86a 24 0x3
Nov 11 15:37:30 rpd[1098]: EVENT Delete ge-0/0/0.0 index 69 192.168.36.154/24 -> 192.168.36.255
Nov 11 15:37:30 rpd[1098]: Decode ifd sp-0/0/0 index 135: ifdm_flags 0xc010
Nov 11 15:37:30 rpd[1098]: krt_inherit_ifd_aps_flags sp-0/0/0 index 135: <> from self
Nov 11 15:37:30 USP_IF_TOOLKIT: DETACH: ifl_index 69, flags 0, localaddr 0x66f64b17 local_plen 32
Nov 11 15:37:30 IFP trace> ifp_ifa_add_del_event: ifp_ifa_add_del_event: ge-0/0/0, op 3, msg->ifl_index 69, msg->proto 2
Nov 11 15:37:30 IFP trace> ifp_ifa_del: ifp_ifa_del : ge-0/0/0, msg->ifl_index 69 local prefix 2586093760/32, dest prefix 2402496/24

Two kinds of entry are the first to look for when reconstructing what happened on the box: UI_CMDLINE_READ_LINE records every command each administrator ran (show log messages | match UI_CMDLINE_READ_LINE lists only those), and SNMP_TRAP_LINK_DOWN marks the interface flap that the surrounding rpd lines describe.


1.10 Viewing policy traffic logs

(1) ScreenOS

CLI command: get log traffic

The get log traffic command can filter the traffic log by policy, time, IP address, port and so on; the options are:

JP1000A-> get log traffic ?
>                  redirect output
|                  match output
detail             log detail level
dst-ip             show traffic to destination IPs
dst-port           show traffic to destination ports
end-date           stop date
end-time           stop time
in-interface       show traffic according to in interface
max-duration       max duration
min-duration       min duration
no-rule-displayed  not show rule info
out-interface      show traffic according to out interface
policy             show traffic under policies
protocol           show traffic to protocol
service            show traffic under any service
sort-by            show sorted traffic log
src-ip             show traffic from source IPs
src-port           show traffic from source ports
start-date         start date
start-time         start time

Example:

JP1000A-> get log traffic policy 30003
PID 30003, from Trust to DMZ, src MFT-GW-G, dst MFT-SR-G, service TCP-6810 TCP-6811, action Permit
Total traffic entries matched under this policy = 249
==============================================================================================
Date       Time     Duration  Source IP   Port  Destination IP  Port  Service        SessionID  Reason  Xlated Src IP  Port  Xlated Dst IP  Port  ID
==============================================================================================
2012-10-04 12:08:38 973:12:41 10.1.44.72  7039  10.254.253.11   6811  TCP PORT 6811  524020

Traffic is logged only for policies that have logging enabled (see the log field in the get policy id output in 1.15.2), so an empty result for a policy does not by itself mean the policy is unused.


ge-0/0/7        up    down
ge-0/0/8        up    down
ge-0/0/9        up    down
ge-0/0/10       up    up
ge-0/0/10.0     up    up   aenet    --> fab0.0
ge-0/0/11       up    up
ge-0/0/11.0     up    up   aenet    --> fab0.0
xe-1/0/0        up    up
xe-1/0/0.0      up    up   aenet    --> reth0.0
xe-1/0/1        up    up
xe-1/0/1.0      up    up   aenet    --> reth0.0
xe-4/0/0        up    up
xe-4/0/0.0      up    up   aenet    --> reth1.0
xe-4/0/1        up    up
xe-4/0/1.0      up    up   aenet    --> reth1.0
mt-7/0/0        up    up
ge-13/0/0       up    down
ge-13/0/1       up    down
ge-13/0/2       up    down
ge-13/0/3       up    down
ge-13/0/4       up    down
ge-13/0/5       up    down
ge-13/0/6       up    down
ge-13/0/7       up    down
ge-13/0/8       up    down
ge-13/0/9       up    down
ge-13/0/10      up    up
ge-13/0/10.0    up    up   aenet    --> fab1.0
ge-13/0/11      up    up
ge-13/0/11.0    up    up   aenet    --> fab1.0
xe-14/0/0       up    up
xe-14/0/0.0     up    up   aenet    --> reth0.0
xe-14/0/1       up    up
xe-14/0/1.0     up    up   aenet    --> reth0.0
---(more)---

1.12.2 Viewing a single interface in detail

(1) ScreenOS

CLI command: get interface <interface name>

Example:

JP1000A-> get interface eth1/1
Interface ethernet1/1(VSI):
  description ethernet1/1
  number 7, if_info 229320, if_index 0
  link down, phy-link down
  status change:0
  vsys Root, zone Null, vr untrust-vr, vsd 0
  *ip 0.0.0.0/0   mac 0010.dbff.8070
  pmtu-v4 disabled
  ping disabled, telnet disabled, SSH disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
  NHRP disabled
  bandwidth: physical 0Mbps, configured 0Mbps

The "ping ... telnet ... SSH ... SNMP / web ... SSL" lines list the management services the interface itself answers. During an inspection, confirm that telnet and web (plain HTTP) are disabled on every interface facing an untrusted zone; only SSH and SSL should be reachable there, and ideally only from the management network.

(2) JunOS

CLI (operational mode) command: show interfaces <interface name>

Example:

syro@JP3600A> show interfaces ge-0/0/0
Physical interface: ge-0/0/0, Enabled, Physical link is Down
  Interface index: 142, SNMP ifIndex: 509
  Link-level type: Ethernet, MTU: 1514, Link-mode: Half-duplex, Speed: Unspecified,
  BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled,
  Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 4 maximum usable queues
  Schedulers     : 0
  Current address: 78:fe:3d:25:a8:00, Hardware address: 78:fe:3d:25:a8:00
  Last flapped   : 2012-08-22 09:45:58 CST (19w3d 05:35 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Active alarms  : LINK
  Active defects : LINK
  Interface transmit statistics: Disabled


1.13 Viewing the ARP table

(1) ScreenOS

CLI command: get arp

Example:

JP1000A-> get arp
usage: 27/8192 miss: 0 always-on-dest: enabled
-----------------------------------------------------------------------------------------
IP              Mac            VR/Interface      State  Age  Retry  PakQue  Sess_cnt
-----------------------------------------------------------------------------------------
192.168.25.25   405539d752bf   trust-vr/red3.2   VLD    4    0      0       0
192.168.25.23   002304c2747f   trust-vr/red3.2   VLD    4    0      0       0
192.168.25.24   5057a89f5e7f   trust-vr/red3.2   VLD    4    0      0       0

(2) JunOS

CLI (operational mode) command: show arp

Example:

syro@JP3600A> show arp
MAC Address        Address        Name          Interface  Flags
64:a0:e7:43:01:c1  10.1.56.245    10.10.56.25   reth0.0    none
64:a0:e7:40:7d:c1  10.1.56.246    10.10.56.26   reth0.0    none
6c:9c:ed:41:50:41  10.1.56.247    10.10.56.27   reth0.0    none
6c:9c:ed:41:62:c1  10.1.56.248    10.10.56.28   reth0.0    none
00:00:0c:07:ac:38  10.1.56.254    10.10.56.254  reth0.0    none

On either platform, compare the MAC recorded for each next-hop gateway (192.168.25.25 above on the ScreenOS unit, 10.1.56.254 on the SRX) with the value noted at the previous inspection; an unexplained change of a gateway's MAC on a firewall-facing segment is the classic sign of ARP spoofing and should be chased before anything else.


1.14 Viewing routes

1.14.1 Viewing all routes

(1) ScreenOS

CLI command: get route

Example:

JP1000A-> get route

IPv4 Dest-Routes for (0 entries)
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2 trailing B: backup route

IPv4 Dest-Routes for (154 entries)
--------------------------------------------------------------------------------------
         ID          IP-Prefix      Interface         Gateway   P Pref    Mtr     Vsys
--------------------------------------------------------------------------------------
*        17          0.0.0.0/0         red3.2   192.168.25.25   S   20      1     Root
*        41   10.94.102.50/32         red3.2   192.168.25.25   S   20      1     Root
*        56     10.1.94.81/32         red3.2   192.168.25.25   S   20      1     Root
*        22      19.1.1.22/32         red3.1      9.9.32.190   S   20      1     Root
*         9   10.254.253.1/32        red2.20         0.0.0.0   H    0      0     Root

ScreenOS prints one table per virtual router (the router names between "for" and the entry count were lost in this copy). The "*" marks active routes and the P column is the protocol, as in the legend above the table.

(2) JunOS

CLI (operational mode) command: show route

Example:

syro@JP3600A> show route

inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.1.35.0/24       *[Static/5] 11w0d 19:59:35
                    > to 10.1.66.254 via fxp0.0
10.1.37.120/32     *[Static/5] 11w0d 19:59:35
                    > to 10.1.66.254 via fxp0.0
10.1.37.122/32     *[Static/5] 11w0d 19:59:35
                    > to 10.1.66.254 via fxp0.0
10.1.66.0/24       *[Direct/0] 11w0d 19:59:35
                    > via fxp0.0
10.1.66.7/32       *[Local/0] 11w0d 19:59:35
                      Local via fxp0.0
10.1.68.0/24       *[Static/5] 11w0d 19:59:35
                    > to 10.1.66.254 via fxp0.0
10.1.88.166/32     *[Static/5] 11w0d 19:59:35
                    > to 10.1.66.254 via fxp0.0
10.1.112.0/24      *[Static/5] 11w0d 19:59:35
                    > to 10.1.66.254 via fxp0.0

1.14.2 Viewing the route for a specific destination

(1) ScreenOS

CLI command: get route ip <ip_address>

Example:

JP1000A-> get route ip 10.1.1.1
 Dest for 10.1.1.1
--------------------------------------------------------------------------------------
trust-vr       : => 10.0.0.0/8 (id=29) via 10.1.94.254 (vr: trust-vr)
                    Interface redundant1 , metric 1

(2) JunOS

CLI (operational mode) command: show route <ip_address> (JunOS takes the address directly, without an ip keyword)

Example:

syro@JP3600A> show route 1.1.1.1

inet.0: 28 destinations, 28 routes (28 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 2w3d 17:12:49
                    > to 10.1.57.254 via reth1.0


1.15 Viewing policies

1.15.1 Viewing all policies

(1) ScreenOS

CLI command: get policy

Example:

JP1000A-> get policy
Total regular policies 560, Default deny.
    ID From     To       Src-address  Dst-address   Service   Action State   ASTLCB
 10138 Trust    Untrust  10.0.0.0/8   100.1.95.12~  HTTP      Permit enabled ---X-X
 10137 Trust    Untrust  10.0.0.0/8   100.1.95.11~  HTTP      Permit enabled ---X-X
                                                    TCP-8080
 10136 Trust    Untrust  10.0.0.0/8   100.1.95.1/~  TCP-9101  Permit enabled ---X-X

(2) JunOS

CLI (operational mode) command: show security policies

Example:

syro@JP650A> show security policies
Default policy: deny-all
From zone: untrust, To zone: trust
  Policy: 20027, State: enabled, Index: 23, Scope Policy: 0, Sequence number: 1
    Source addresses: 218.56.32.70/32, 219.239.105.29/32, 111.166.162.169/32, 113.58.244.143/32, 110.53.148.130/32, 222.34.19.11/32, 61.137.152.152/32, 65.55.208.91/32, 210.53.203.215/32, 211.137.41.203/32, 218.71.239.115/32, 218.107.16.170/32, 113.4.247.77/32, 119.249.206.73/32, 120.128.2.40/32
    Destination addresses: any
    Applications: any
    Action: deny
  Policy: 19000, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 2
    Source addresses: deny-123.232.122.34
    Destination addresses: any
    Applications: any
    Action: deny, log

Both outputs begin by stating the default action ("Default deny." on ScreenOS, "Default policy: deny-all" on JunOS). Confirm it on every inspection: a default of permit silently opens everything not covered by an explicit rule.

1.15.2 Viewing a single policy in detail

(1) ScreenOS

Note: ScreenOS firewalls select a single policy by id. CLI command: get policy id <id>

Example:

JP1000A-> get policy id 1
name:\
src \
Rules on this VPN policy: 0
nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00010200, session backup: on
traffic shaping off, scheduler n/a, serv flag 00
log close, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/0
No Authentication
No User, User Group or Group expression set

(2) JunOS

Note: JunOS firewalls select a single policy by policy-name. CLI (operational mode) command: show security policies policy-name <name>

Example:

syro@JP3600A> show security policies policy-name 10000
node0:
--------------------------------------------------------------------------
From zone: trust, To zone: untrust
  Policy: 10000, State: enabled, Index: 11, Scope Policy: 0, Sequence number: 2
    Source addresses: 10.1.96.28/32
    Destination addresses: 10.3.94.205/32
    Applications: ftp-alg-no
    Action: permit, log
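An inspection usually has to answer "is there an any/any/any permit?" and "which permits are not logged?", which is tedious by eye across a few hundred policies. The following Python script is an added example, not from the manual or from Juniper: it parses the JunOS show security policies layout shown above and reports those two conditions plus any policy whose state is not enabled. POLICY_SAMPLE is constructed from the policies in this section, with one deliberately over-broad policy (99999) added so the audit has something to find; the script handles only the JunOS format.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in the "show security policies" layout of section 1.15.
# Policy 99999 is added to show what an over-broad rule looks like.
POLICY_SAMPLE = """\
Default policy: deny-all
From zone: untrust, To zone: trust
  Policy: 20027, State: enabled, Index: 23, Scope Policy: 0, Sequence number: 1
    Source addresses: 218.56.32.70/32, 219.239.105.29/32
    Destination addresses: any
    Applications: any
    Action: deny
  Policy: 19000, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 2
    Source addresses: deny-123.232.122.34
    Destination addresses: any
    Applications: any
    Action: deny, log
From zone: trust, To zone: untrust
  Policy: 10000, State: enabled, Index: 11, Scope Policy: 0, Sequence number: 2
    Source addresses: 10.1.96.28/32
    Destination addresses: 10.3.94.205/32
    Applications: ftp-alg-no
    Action: permit, log
  Policy: 99999, State: enabled, Index: 12, Scope Policy: 0, Sequence number: 3
    Source addresses: any
    Destination addresses: any
    Applications: any
    Action: permit
"""


@dataclass
class Policy:
    from_zone: str
    to_zone: str
    name: str
    state: str
    sequence: int
    sources: List[str] = field(default_factory=list)
    destinations: List[str] = field(default_factory=list)
    applications: List[str] = field(default_factory=list)
    action: str = ""
    log: bool = False


_ZONE = re.compile(r"^From zone: (\S+), To zone: (\S+)")
_POL = re.compile(r"^\s*Policy: (\S+), State: (\S+), Index: \d+, Scope Policy: \d+, Sequence number: (\d+)")
_FIELD = re.compile(r"^\s*(Source addresses|Destination addresses|Applications|Action): (.*)$")


def parse_policies(text: str) -> List[Policy]:
    """Walk the output zone pair by zone pair, building one Policy per block."""
    policies: List[Policy] = []
    zones = ("", "")
    for line in text.splitlines():
        m = _ZONE.match(line)
        if m:
            zones = (m.group(1), m.group(2))
            continue
        m = _POL.match(line)
        if m:
            policies.append(Policy(zones[0], zones[1], m.group(1), m.group(2), int(m.group(3))))
            continue
        m = _FIELD.match(line)
        if m and policies:
            key = m.group(1)
            vals = [v.strip() for v in m.group(2).split(",")]
            p = policies[-1]
            if key == "Source addresses":
                p.sources = vals
            elif key == "Destination addresses":
                p.destinations = vals
            elif key == "Applications":
                p.applications = vals
            else:  # "Action: permit, log" -> action "permit", log flag set
                p.action = vals[0]
                p.log = "log" in vals[1:]
    return policies


def audit(policies: List[Policy]) -> List[str]:
    """Findings an inspection should raise: any/any/any permits, permits that
    do not log sessions, and policies left in a state other than enabled."""
    findings: List[str] = []
    for p in policies:
        where = f"{p.from_zone}->{p.to_zone} policy {p.name}"
        broad = all(x == ["any"] for x in (p.sources, p.destinations, p.applications))
        if p.action == "permit" and broad:
            findings.append(f"{where}: permits any source to any destination on any application")
        if p.action == "permit" and not p.log:
            findings.append(f"{where}: permit without session logging")
        if p.state != "enabled":
            findings.append(f"{where}: policy is {p.state}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_policies(POLICY_SAMPLE)):
        print(finding)
```

Run it over the saved output of show security policies (| save works here exactly as in 1.6.6). Deny policies are deliberately not flagged for missing logging, since an unlogged deny is a policy choice rather than a blind spot; widen the audit if the site's standard requires logging on denies too.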


1.16 Viewing firewall active/standby state

(1) ScreenOS

Note: in a ScreenOS cluster the active unit is in the Master state and the standby unit in the Backup state; the CLI prompt shows (M) or (B) accordingly. CLI command: get nsrp

Example:

JP1000A(M)-> get nsrp
nsrp version: 2.0

cluster info:
cluster id: 5, no name
local unit id: 10222208
active units discovered:
index: 0, unit id: 10222208, ctrl mac: 0026889bfa8a, data mac: 0026889bfa98
index: 1, unit id: 10670336, ctrl mac: 002283a2d10a, data mac: 002283a2d118
total number of units: 2

VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members
0 150 no 3 no 10670336 myself
total number of vsd groups: 1
Total iteration=11847161,time=2038032204,max=389626,min=246,average=172

RTO mirror info:
run time object sync: enabled
route synchronization: disabled
coldstart sync done
nsrp data packet forwarding is enabled

nsrp link info:
control channel: ethernet1/4 (ifnum: 10) mac: 0026889bfa8a state: up(probe)
data channel: ethernet2/4 (ifnum: 24) mac: 0026889bfa98 state: up(probe)
secondary path channel: redundant1 (ifnum: 128) mac: 0026889bfa87 state: up(probe)
NSRP encryption: disabled
NSRP authentication: disabled

device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface: redundant1(weight 255, UP) redundant2(weight 255, UP) redundant3(weight 255, UP)
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)
number of gratuitous arps: 4 (default)
config sync: enabled

Two parts of this output deserve a look on every inspection. "NSRP encryption: disabled" and "NSRP authentication: disabled" mean that session (RTO) and configuration synchronisation between the units travels in clear and unauthenticated over the control and data channels, so those channels must stay on dedicated, physically isolated links. The "monitor interface" line lists which interfaces will trigger a failover when they go down; an interface that carries production traffic but is missing from that list will not cause a failover when it fails.

(2) JunOS

Note: in a JunOS cluster the two units are node0 and node1; the active node's state is primary and the standby node's state is secondary.

CLI (operational mode) command: show chassis cluster status

Example:

syro@JP3600A> show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 0
    node0                   200         primary        no       no
    node1                   50          secondary      no       no

Redundancy group: 1 , Failover count: 0
    node0                   200         primary        no       no
    node1                   50          secondary      no       no

Redundancy group 0 is the routing engine (control plane) and redundancy group 1 carries the reth data interfaces listed in 1.17. The groups fail over independently, so check the primary of each group rather than assuming node0 is active for everything, and compare the failover count with the value recorded at the previous inspection: a count that has gone up means a failover happened that nobody reported.

1.17 Viewing cluster interface state (JunOS only)

CLI (operational mode) command: show chassis cluster interfaces

Example:

syro@JP3600A> show chassis cluster interfaces
Control link 0 name: em0
Control link 1 name: em1
Control link status: Up

Fabric interfaces:
    Name    Child-interface    Status
    fab0    ge-0/0/10          up
    fab0    ge-0/0/11          up
    fab1    ge-13/0/10         up
    fab1    ge-13/0/11         up
Fabric link status: Up

Redundant-ethernet Information:
    Name         Status      Redundancy-group
    reth0        Up          1
    reth1        Up          1
    reth2        Down        Not configured
    reth3        Down        Not configured

Interface Monitoring:
    Interface         Weight    Status    Redundancy-group
    xe-17/0/1         200       Up        1
    xe-17/0/0         200       Up        1
    xe-14/0/1         200       Up        1
    xe-14/0/0         200       Up        1
    xe-4/0/1          200       Up        1
    xe-4/0/0          200       Up        1
    xe-1/0/1          200       Up        1
    xe-1/0/0          200       Up        1
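Checking the cluster by eye is fine for two redundancy groups, but the conditions that matter (exactly one primary per group, no node in a state other than primary or secondary, failover count unchanged since the last inspection, and nothing in the interface report showing Down) are easy to script and worth running at every visit. The Python below is an added example, not from the manual or from Juniper: it parses the show chassis cluster status and show chassis cluster interfaces layouts of 1.16 and 1.17. STATUS_OK uses the values shown above; STATUS_SPLIT and IFACES are constructed to show a broken cluster (a lost peer, two primaries in RG1, a down fabric child, a down reth and a down monitored interface).

```python
import re
from typing import Dict, List

# Constructed samples in the layout of sections 1.16 and 1.17. STATUS_OK copies
# the manual's values; STATUS_SPLIT and IFACES are altered to show failures.
STATUS_OK = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 0
    node0                   200         primary        no       no
    node1                   50          secondary      no       no

Redundancy group: 1 , Failover count: 0
    node0                   200         primary        no       no
    node1                   50          secondary      no       no
"""

STATUS_SPLIT = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 0
    node0                   200         primary        no       no
    node1                   50          lost           no       no

Redundancy group: 1 , Failover count: 3
    node0                   200         primary        no       no
    node1                   50          primary        no       no
"""

IFACES = """\
Control link 0 name: em0
Control link 1 name: em1
Control link status: Up

Fabric interfaces:
    Name    Child-interface    Status
    fab0    ge-0/0/10          up
    fab0    ge-0/0/11          up
    fab1    ge-13/0/10         down
    fab1    ge-13/0/11         up
Fabric link status: Up

Redundant-ethernet Information:
    Name         Status      Redundancy-group
    reth0        Up          1
    reth1        Down        1
    reth2        Down        Not configured

Interface Monitoring:
    Interface         Weight    Status    Redundancy-group
    xe-4/0/1          200       Down      1
    xe-4/0/0          200       Up        1
"""

_RG = re.compile(r"^Redundancy group: (\d+)\s*, Failover count: (\d+)")
_NODE = re.compile(r"^\s*(node\d)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")
_LINK = re.compile(r"^(Control|Fabric) link status: (\S+)")


def parse_cluster_status(text: str) -> Dict[int, dict]:
    """-> {rg: {"failovers": n, "nodes": {"node0": status, "node1": status}}}"""
    groups: Dict[int, dict] = {}
    cur = None
    for line in text.splitlines():
        m = _RG.match(line)
        if m:
            cur = int(m.group(1))
            groups[cur] = {"failovers": int(m.group(2)), "nodes": {}}
            continue
        m = _NODE.match(line)
        if m and cur is not None:
            groups[cur]["nodes"][m.group(1)] = m.group(3)
    return groups


def check_cluster_status(text: str, baseline_failovers: int = 0) -> List[str]:
    """Each redundancy group must have exactly one primary; any other status
    than primary/secondary, or a failover count above the baseline recorded
    at the previous inspection, is reported."""
    findings: List[str] = []
    for rg, g in parse_cluster_status(text).items():
        primaries = [n for n, s in g["nodes"].items() if s == "primary"]
        if len(primaries) != 1:
            findings.append(f"RG{rg}: {len(primaries)} primary nodes {g['nodes']} (split brain or no active node)")
        for node, status in g["nodes"].items():
            if status not in ("primary", "secondary"):
                findings.append(f"RG{rg}: {node} is '{status}'")
        if g["failovers"] > baseline_failovers:
            findings.append(f"RG{rg}: failover count {g['failovers']} exceeds baseline {baseline_failovers}")
    return findings


def check_cluster_interfaces(text: str) -> List[str]:
    """Report control/fabric link state and every fabric child, configured reth
    or monitored interface that is not up."""
    findings: List[str] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _LINK.match(line)
        if m:
            if m.group(2) != "Up":
                findings.append(f"{m.group(1)} link status is {m.group(2)}")
            continue
        if line.endswith(":"):          # "Fabric interfaces:" etc. start a table
            section = line[:-1]
            continue
        f = line.split()
        if not f or section is None or f[0] in ("Name", "Interface"):
            continue                    # blank line or table header
        if section == "Fabric interfaces" and f[2].lower() != "up":
            findings.append(f"fabric child {f[1]} of {f[0]} is {f[2]}")
        elif section == "Redundant-ethernet Information" and f[2].isdigit() and f[1].lower() != "up":
            findings.append(f"{f[0]} (RG{f[2]}) is {f[1]}")   # skips "Not configured" reths
        elif section == "Interface Monitoring" and f[2].lower() != "up":
            findings.append(f"monitored {f[0]} (weight {f[1]}, RG{f[3]}) is {f[2]}")
    return findings


if __name__ == "__main__":
    print(check_cluster_status(STATUS_OK) or "cluster status OK")
    print(*check_cluster_status(STATUS_SPLIT), sep="\n")
    print(*check_cluster_interfaces(IFACES), sep="\n")
```

Keep the failover count from the previous inspection and pass it as baseline_failovers; on a cluster with preempt enabled, a monitored interface flapping can produce two failovers with no lasting symptom, and the count is the only trace left.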

1.18 Viewing configuration sync state (ScreenOS only)

CLI command: exec nsrp sync global-config check-sum

Note: on releases before 6.2, run get db s afterwards to see the result of the check.

Example:

JP1000A(B)-> exec nsrp sync global-config check-sum
JP1000A(B)-> get db s
configuration in sync


1.19 Common troubleshooting commands

1.19.1 ping

(1) ScreenOS

Method one: ping the destination IP directly. CLI command: ping <IP address>

Example:

JP1000A-> ping 8.8.8.8
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/2/4 ms

Method two: ping the destination IP from a given interface.

CLI command: ping <IP address> from <interface>

Example:

JP1000A-> ping 8.8.8.8 from eth1/3
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/2/4 ms

Method three: extended ping. CLI command: ping (with no arguments; the firewall then prompts for each parameter)

Example:

JP1000A-> ping
Target IPv4 address:8.8.8.8
Repeat count [5]:
Datagram size [100]:
Timeout in seconds[1]:
Source interface:eth1/3
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/3/6 ms

(2) JunOS

The ping command takes many parameters: packet size, count, source IP, source interface, rapid ping and so on. Common usage:

syro@JP650A> ping 8.8.8.8
syro@JP650A> ping 8.8.8.8 size 1400
syro@JP650A> ping 8.8.8.8 count 100
syro@JP650A> ping 8.8.8.8 source 202.99.20.144
syro@JP650A> ping 8.8.8.8 interface ge-2/0/2.0
syro@JP650A> ping 8.8.8.8 count 10000 rapid

A ping sent from the firewall uses the firewall's own routing and, unless source is given, the address of the egress interface, so it tests the firewall's path, not necessarily the path transit traffic takes through policy and NAT. count 10000 rapid generates a sustained stream and can itself trip a flood detector on the target; use it only against hosts you control.

The ping command has the following options:

syro@JP650A> ping ?
Possible completions:
                       Hostname or IP address of remote host
  atm                  Ping remote Asynchronous Transfer Mode node
  bypass-routing       Bypass routing table, use specified interface
  clns                 Ping ISO node
  count                Number of ping requests to send (1..2000000000 packets)
  detail               Display incoming interface of received packet
  do-not-fragment      Don't fragment echo request packets (IPv4)
  inet                 Force ping to IPv4 destination
  inet6                Force ping to IPv6 destination
  interface            Source interface (multicast, all-ones, unrouted packets)
  interval             Delay between ping requests (seconds)
+ loose-source         Intermediate loose source route entry (IPv4)
  mpls                 Ping label-switched path
  no-resolve           Don't attempt to print addresses symbolically
  pattern              Hexadecimal fill pattern
  rapid                Send requests rapidly (default count of 5)
  record-route         Record and report packet's path (IPv4)
  routing-instance     Routing instance for ping attempt
  size                 Size of request packets (0..65468 bytes)
  source               Source address of echo request
  strict               Use strict source route option (IPv4)
+ strict-source        Intermediate strict source route entry (IPv4)
  tos                  IP type-of-service value (0..255)
  ttl                  IP time-to-live value (IPv6 hop-limit value) (1..255 hops)
  verbose              Display detailed output
  vpls                 Ping VPLS MAC address
  wait                 Maximum wait time after sending final packet (seconds)


1.19.2 telnet

(1) ScreenOS (supported on ScreenOS 6.2 and later)

Common CLI commands: telnet <IP address> port <port> or telnet <IP address> port <port> src-interface <interface name>

Example:

JP1000A-> telnet 8.8.8.8 port 80 src-interface eth1/3

(2) JunOS

Common CLI (operational mode) command: telnet <IP address> port <port>

The telnet command has the following options:

syro@JP650A> telnet ?
Possible completions:
                       Hostname or address or remote host
  8bit                 Use 8-bit data path
  bypass-routing       Bypass routing table, use specified interface
  inet                 Force telnet to IPv4 destination
  inet6                Force telnet to IPv6 destination
  interface            Name of interface for outgoing traffic
  no-resolve           Don't attempt to print addresses symbolically
  port                 Port number or service name on remote host
  routing-instance     Name of routing instance for telnet session
  source               Source address to use in telnet connection

Example:

syro@JP650A> telnet 8.8.8.8 port 80

Here telnet serves only as a TCP reachability test to an arbitrary port (does the three-way handshake complete along this path?), not as a management protocol.


1.19.3 trace route

(1) ScreenOS

Common CLI command: trace-route <IP address>

Example:

JP1000A-> trace-route 8.8.8.8
Type escape sequence to escape
Send ICMP echos to 8.8.8.8, timeout is 2 seconds, maximum hops are 32,
 1    2ms    0ms    0ms   11.14.2.12
 2    1ms    0ms    1ms   12.20.1.13
 3    1ms    1ms    2ms   124.202.11.33
 4    2ms    2ms    4ms   124.202.11.9
 5    2ms    1ms    1ms   124.205.97.134
 6    2ms    1ms    1ms   124.205.97.166
 7    2ms    1ms    1ms   8.8.8.8
Trace complete

(2) JunOS

Common CLI (operational mode) command: traceroute <IP address>

The traceroute command has the following options:

syro@JP650A> traceroute ?
Possible completions:
                       Hostname or address of remote host
  as-number-lookup     Look up AS numbers for each hop
  bypass-routing       Bypass routing table, use specified interface
  clns                 Trace route to CLNS remote host
  gateway              Address of router gateway to route through
  inet                 Force traceroute to IPv4 destination
  inet6                Force traceroute to IPv6 destination
  interface            Name of interface to use for outgoing traffic
  monitor              Monitor network connection to remote host
  mpls                 Trace MPLS paths
  no-resolve           Don't attempt to print addresses symbolically
  routing-instance     Name of routing instance for traceroute attempt
  source               Source address to use in outgoing traceroute packets
  tos                  IP type-of-service field (IPv4) (0..255)
  ttl                  IP maximum time-to-live value (or IPv6 maximum hop-limit value)
  wait                 Number of seconds to wait for response (seconds)

Example:

syro@JP650A> traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 40 byte packets
 1  20.9.2.12 (20.9.2.12)  2.091 ms  1.654 ms  1.499 ms
 2  20.10.5.14 (20.10.5.14)  3.467 ms  1.743 ms  1.536 ms
 3  61.148.155.77 (61.148.155.77)  9.567 ms  8.245 ms  2.784 ms
 4  124.65.59.1 (124.65.59.1)  11.292 ms  3.542 ms  3.454 ms
 5  202.96.12.157 (202.96.12.157)  5.854 ms  5.401 ms  6.029 ms
 6  219.158.101.122 (219.158.101.122)  38.560 ms  38.521 ms  38.798 ms
 7  219.158.11.154 (219.158.11.154)  42.585 ms  48.427 ms  48.088 ms
 8  219.158.97.6 (219.158.97.6)  64.899 ms  51.967 ms  43.864 ms
 9  219.158.3.238 (219.158.3.238)  43.207 ms  49.144 ms  209.947 ms
10  72.14.215.130 (72.14.215.130)  125.258 ms  46.544 ms  46.714 ms
11  209.85.248.60 (209.85.248.60)  46.752 ms  46.828 ms  46.709 ms

1.19.4 Collecting support information

(1) ScreenOS (requires a read-write or root user)

Method one: capture the output of get tech-support from the terminal. Increase the SSH client's scroll-back buffer, or enable session logging in the client, before running it.

CLI command: get tech-support

Method two: send the output of get tech-support to a TFTP server. Confirm the TFTP service is reachable first.

CLI command: get tech-support > tftp <server IP> <file name>

Example:

JP1000A-> get tech-support > tftp 10.1.35.11 session.log

The tech-support output includes the full running configuration, and with it credential material (administrator password hashes, VPN pre-shared keys), address books and the complete rulebase. Handle the file as you would the configuration itself: TFTP is unauthenticated and unencrypted, so use a server on the management network, and remove the file from it once it has been handed to support.


Source: https://www.bwwdw.com/article/ufqr.html
