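Juniper Firewall Daily Maintenance
Updated: 2024-03-30 05:57:01
Juniper Firewall Daily Maintenance Manual
(v 20131112)
Author: Su Yi (苏毅)
Reviewer:
Category: Guide manual
Subcategory: Other
Updated: 2013-11-12
Keywords: Juniper, NetScreen, firewall, daily maintenance, ScreenOS, JunOS, NS, ISG, SSG, SRX
Abstract: This manual guides on-site Juniper firewall engineers through routine operations; engineers can pick the relevant commands from it according to their daily work. It covers essentially all the operational guidance needed for on-site maintenance, such as routine operations and inspection operations, and each engineer can also decide what the daily inspection should contain based on the characteristics of their own on-site project.
Main applicable environment: Juniper firewall operations and maintenance work.
Juniper ScreenOS firewall models: NS series, ISG series, SSG series.
Juniper JunOS firewall models: SRX series (the SRX Branch series covers the SRX650 and lower models; the SRX High-end series covers the SRX1K, 3K and SRX5K).
Juniper Firewall Daily Maintenance Manual v20131112, page 1 of 59
Version notes
Version: V20131112
Prepared/revised by: Su Yi (苏毅)
Date prepared/revised: 2013-11-12
Changes/reason: New document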
Table of Contents
Version notes
Table of Contents
1. Daily Operations
1.1 Viewing hardware information
1.2 Viewing OS information
1.3 Viewing CPU/SPU utilization
1.3.1 Viewing CPU/SPU utilization
1.3.2 Viewing per-second CPU utilization
1.4 Viewing memory utilization
1.5 SRX RE CPU utilization/memory utilization (JunOS only)
1.6 Viewing session information
1.6.1 Viewing the total session count
1.6.2 Viewing the number of new sessions per second
1.6.3 Viewing all session entries on the firewall
1.6.4 Viewing sessions by filter criteria
1.6.5 Viewing session details
1.6.6 Saving all session entries on the firewall
1.7 Viewing alarm logs
1.8 Viewing event logs: ScreenOS
1.8.1 Viewing all event logs (ScreenOS only)
1.8.2 Viewing event logs filtered by event level (ScreenOS only)
1.8.3 Viewing event logs filtered by time (ScreenOS only)
1.9 Viewing event logs: JunOS
1.10 Viewing policy traffic logs
1.11 Viewing/backing up the configuration
1.12 Viewing interface status
1.12.1 Viewing the status of all interfaces
1.12.2 Viewing the details of a single interface
1.13 Viewing the ARP table
1.14 Viewing routes
1.14.1 Viewing all routes
1.14.2 Viewing the route to a specific destination address
1.15 Viewing policies
1.15.1 Viewing all policies
1.15.2 Viewing the details of a single policy
1.16 Viewing the firewall primary/backup status
1.17 Viewing cluster interface status (JunOS only)
1.18 Viewing configuration synchronization status (ScreenOS only)
1.19 Common troubleshooting commands
1.19.1 ping
1.19.2 telnet
1.19.3 trace route
1.19.4 Collecting support information
1.20 Viewing information by filter criteria
2. Emergency Operations
2.1 Clearing the ARP entry of a specified IP
2.2 Clearing the session entries of a specified source IP/destination IP
2.3 Disabling and enabling ports
2.3.1 Disabling a port
2.3.2 Enabling a port
2.4 Switching the firewall primary/backup state
2.5 Synchronizing sessions (ScreenOS only)
2.6 Rebooting the device
3. Periodic Maintenance Schedule
3.1 Daily inspection recommendations
3.2 Weekly inspection recommendations
3.3 Monthly inspection recommendations
3.4 Ad hoc maintenance recommendations
1. Daily Operations
1.1 Viewing hardware information
(1) ScreenOS
CLI command: get chassis
Example:
JP1000A-> get chassis
Chassis Environment:
Power Supply: Good
Fan Status: Good
CPU Temperature: 98'F ( 37'C)
Slot Information:
Slot Type S/N Assembly-No Version Temperature
0 System Board 0993072011000999 0066-004 F01 86'F (30'C), 87'F (31'C)
4 Management 0099082011000999 0049-004 D19 98'F (37'C)
5 ASIC Board 002079351g110017 0065-002 B00
Marin FPGA version 9, Jupiter ASIC version 1, Fresno FPGA version 110
I/O Board
Slot Type S/N Version FPGA version
2 4 port miniGBIC (0x3) 0994092011000999 B02 26
1 4 port 10/100/1000T 38
Alarm Control Information:
Power failure audible alarm: disabled
Fan failure audible alarm: disabled
Low battery audible alarm: disabled
Temperature audible alarm: disabled
Normal alarm temperature is 132'F (56'C)
Severe alarm temperature is 150'F (66'C)
(2) JunOS
Command in CLI operational mode: show chassis hardware
Example:
syro@JP650A> show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis AJ4309AA0999 SRX650
Midplane REV 08 710-023875 AAAS7310
System IO REV 08 710-023209 AAAS9446 SRXSME System IO
Routing Engine REV 14 750-023223 AAAW4729 RE-SRXSME-SRE6
FPC 0 FPC
PIC 0 4x GE Base PIC
FPC 2 REV 07 750-026182 AAAS7999 FPC
PIC 0 16x GE gPIM
Power Supply 0 Rev 03 740-024283 TH01999 PS 645W AC
Power Supply 1 Rev 03 740-024283 TH01099 PS 645W AC
1.2 Viewing OS information
(1) ScreenOS
CLI command: get system
Example:
JP1000A-> get system
Product Name: NetScreen-ISG1000
Serial Number: 0993072011000999, Control Number: 00000000
Hardware Version: 3010(0)-(04), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 6.1.0r7-cu12.0, Type: Firewall+VPN
OS Loader Version: 1.0.2
Compiled by build_master at: Wed Apr 28 23:08:24 PDT 2010
Base Mac: 0026.889b.fa80
File Name: default (screenos_image), Checksum: de317771 , Total Memory: 1024MB
Date 01/01/2013 11:50:43, Daylight Saving Time disabled
The Network Time Protocol is Enabled
Up 3286 hours 23 minutes 35 seconds Since 17Aug2012:13:27:08
Total Device Resets: 0
(2) JunOS
Command in CLI operational mode: show system software
Example:
syro@JP650A> show system software
Information for junos:
Comment:
JUNOS Software Release [10.4R10.7]
1.3 Viewing CPU/SPU utilization
1.3.1 Viewing CPU/SPU utilization
(1) ScreenOS: CPU
CLI command: get performance cpu
Example:
JP1000A-> get performance cpu
Average System Utilization: 1%
Last 1 minute: 2%, Last 5 minutes: 2%, Last 15 minutes: 2%
(2) JunOS: SPU
When SPU utilization reaches 60%, it needs attention: the network or the device may be behaving abnormally.
Command in CLI operational mode for viewing SPU utilization on SRX Branch firewalls: show security monitoring fpc 0
Example:
syro@JP650A> show security monitoring fpc 0
FPC 0 PIC 0
CPU utilization : 0 %
Memory utilization : 67 %
Current flow session : 16
Max flow session : 524288
SRX High-end firewalls use a distributed architecture, so the command to use depends on the slot each SPC card occupies. For example, an SRX3600 fitted with two SPCs, installed in slot 7 and slot 8, needs the SPU utilization of each checked separately. In addition, once an SRX3600 pair is clustered with virtual chassis technology, node0 is the primary firewall and node1 is the backup firewall.
Commands in CLI operational mode for viewing SPU utilization on an SRX3600: show security monitoring fpc 7 and show security monitoring fpc 8
Example:
syro@JP3600A > show security monitoring fpc 7
node0:
--------------------------------------------------------------------------
FPC 7 PIC 0
CPU utilization : 2 %
Memory utilization : 64 %
Current flow session : 5265
Max flow session : 524288
Current CP session : 16401
Max CP session : 2359296
node1:
--------------------------------------------------------------------------
FPC 7 PIC 0
CPU utilization : 0 %
Memory utilization : 64 %
Current flow session : 5582
Max flow session : 524288
Current CP session : 17131
Max CP session : 2359296
{primary:node0}
syro@JP3600A> show security monitoring fpc 8
node0:
--------------------------------------------------------------------------
FPC 8 PIC 0
CPU utilization : 3 %
Memory utilization : 66 %
Current flow session : 10977
Max flow session : 1048576
Current CP session : 0
Max CP session : 0
node1:
--------------------------------------------------------------------------
FPC 8 PIC 0
CPU utilization : 0 %
Memory utilization : 66 %
Current flow session : 11382
Max flow session : 1048576
Current CP session : 0
Max CP session : 0
{primary:node0}
1.3.2 Viewing per-second CPU utilization
(1) ScreenOS
CLI command: get performance cpu all detail
Example:
JP1000A.GL-IT.SDA(M)-> get performance cpu all detail
Average System Utilization: 1% (flow 1 task 1)
Last 60 seconds:
59: 2( 1 1) 58: 2( 1 1) 57: 2( 1 1) 56: 2( 1 1) 55: 2( 1 1) 54: 2( 1 1) 53: 2( 1 1) 52: 2( 1 1) 51: 2( 1 1) 50: 2( 1 1) 49: 2( 1 1) 48: 2( 1 1) 47: 2( 1 1) 46: 2( 1 1) 45: 2( 1 1) 44: 2( 1 1) 43: 2( 1 1) 42: 2( 1 1) 41: 2( 1 1) 40: 2( 1 1) 39: 2( 1 1) 38: 2( 1 1) 37: 2( 1 1) 36: 2( 1 1) 35: 2( 1 1) 34: 2( 1 1) 33: 2( 1 1) 32: 2( 1 1) 31: 2( 1 1) 30: 2( 1 1) 29: 2( 1 1) 28: 2( 1 1) 27: 2( 1 1) 26: 2( 1 1) 25: 2( 1 1) 24: 2( 1 1) 23: 2( 1 1) 22: 2( 1 1) 21: 2( 1 1) 20: 2( 1 1) 19: 2( 1 1) 18: 2( 1 1) 17: 2( 1 1) 16: 2( 1 1) 15: 2( 1 1) 14: 2( 1 1) 13: 2( 1 1) 12: 2( 1 1) 11: 2( 1 1) 10: 2( 1 1) 9: 2( 1 1) 8: 2( 1 1) 7: 2( 1 1) 6: 2( 1 1) 5: 2( 1 1) 4: 2( 1 1) 3: 2( 1 1) 2: 2( 1 1) 1: 2( 1 1) 0: 2( 1 1)
Last 60 minutes:
59: 2( 1 1) 58: 2( 1 1) 57: 2( 1 1) 56: 2( 1 1) 55: 2( 1 1) 54: 2( 1 1) 53: 2( 1 1) 52: 2( 1 1) 51: 2( 1 1) 50: 2( 1 1) 49: 2( 1 1) 48: 2( 1 1) 47: 2( 1 1) 46: 2( 1 1) 45: 2( 1 1) 44: 2( 1 1) 43: 2( 1 1) 42: 2( 1 1) 41: 2( 1 1) 40: 2( 1 1) 39: 2( 1 1) 38: 2( 1 1) 37: 2( 1 1) 36: 2( 1 1) 35: 2( 1 1) 34: 2( 1 1) 33: 2( 1 1) 32: 2( 1 1) 31: 2( 1 1) 30: 2( 1 1) 29: 2( 1 1) 28: 2( 1 1) 27: 2( 1 1) 26: 2( 1 1) 25: 2( 1 1) 24: 2( 1 1) 23: 2( 1 1) 22: 2( 1 1) 21: 2( 1 1) 20: 2( 1 1) 19: 2( 1 1) 18: 2( 1 1) 17: 2( 1 1) 16: 2( 1 1) 15: 2( 1 1) 14: 2( 1 1) 13: 2( 1 1) 12: 2( 1 1) 11: 2( 1 1) 10: 2( 1 1) 9: 2( 1 1) 8: 2( 1 1) 7: 2( 1 1) 6: 2( 1 1) 5: 2( 1 1) 4: 2( 1 1) 3: 2( 1 1) 2: 2( 1 1) 1: 2( 1 1) 0: 2( 1 1)
Last 24 hours:
23: 2( 1 1) 22: 2( 1 1) 21: 2( 1 1) 20: 2( 1 1) 19: 2( 1 1) 18: 2( 1 1) 17: 1( 1 1) 16: 2( 1 1) 15: 1( 1 1) 14: 2( 1 1) 13: 1( 1 1) 12: 1( 1 1) 11: 2( 1 1) 10: 2( 1 1) 9: 2( 1 1) 8: 2( 1 1) 7: 2( 1 1) 6: 1( 1 1) 5: 1( 1 1) 4: 2( 1 1) 3: 2( 1 1) 2: 2( 1 1) 1: 2( 1 1) 0: 2( 1 1)
(2) JunOS
Command in CLI operational mode: show security monitoring performance spu
Example:
syro@JP650A > show security monitoring performance spu
fpc 0 pic 0
Last 60 seconds:
0: 0 1: 0 2: 0 3: 0 4: 0 5: 0 6: 0 7: 0 8: 0 9: 0 10: 0 11: 0 12: 0 13: 0 14: 0 15: 0 16: 0 17: 0 18: 0 19: 0 20: 0 21: 0 22: 0 23: 0 24: 0 25: 0 26: 0 27: 0 28: 0 29: 0 30: 0 31: 0 32: 0 33: 0 34: 0 35: 0 36: 0 37: 0 38: 0 39: 0 40: 0 41: 0 42: 0 43: 0 44: 0 45: 0 46: 0 47: 0 48: 0 49: 0 50: 0 51: 0 52: 0 53: 0 54: 0 55: 0 56: 0 57: 0 58: 0 59: 0
syro@JP3600A> show security monitoring performance spu
node0:
--------------------------------------------------------------------------
fpc 7 pic 0
Last 60 seconds:
0: 0 1: 0 2: 0 3: 0 4: 0 5: 0 6: 0 7: 0 8: 0 9: 0 10: 0 11: 0 12: 0 13: 0 14: 0 15: 0 16: 0 17: 0 18: 0 19: 0 20: 0 21: 0 22: 0 23: 0 24: 0 25: 0 26: 0 27: 0 28: 0 29: 0 30: 0 31: 0 32: 0 33: 0 34: 0 35: 0 36: 0 37: 0 38: 0 39: 0 40: 0 41: 0 42: 0 43: 0 44: 0 45: 0 46: 0 47: 0 48: 0 49: 0 50: 0 51: 0 52: 0 53: 0 54: 0 55: 0 56: 0 57: 0 58: 0 59: 0
fpc 8 pic 0
Last 60 seconds:
0: 0 1: 0 2: 0 3: 0 4: 0 5: 0 6: 0 7: 0 8: 0 9: 0 10: 0 11: 0 12: 0 13: 0 14: 0 15: 0 16: 0 17: 0 18: 0 19: 0 20: 0 21: 0 22: 0 23: 0 24: 0 25: 0 26: 0 27: 0 28: 0 29: 0 30: 0 31: 0 32: 0 33: 0 34: 0 35: 0 36: 0 37: 0 38: 0 39: 0 40: 0 41: 0 42: 0 43: 0 44: 0 45: 0 46: 0 47: 0 48: 0 49: 0 50: 0 51: 0 52: 0 53: 0 54: 0 55: 0 56: 0 57: 0 58: 0 59: 0
node1:
--------------------------------------------------------------------------
fpc 7 pic 0
Last 60 seconds:
0: 0 1: 0 2: 0 3: 0 4: 0 5: 0 6: 0 7: 0 8: 0 9: 0 10: 0 11: 0 12: 0 13: 0 14: 0 15: 0 16: 0 17: 0 18: 0 19: 0 20: 0 21: 0 22: 0 23: 0 24: 0 25: 0 26: 0 27: 0 28: 0 29: 0 30: 0 31: 0 32: 0 33: 0 34: 0 35: 0 36: 0 37: 0 38: 0 39: 0 40: 0 41: 0 42: 0 43: 0 44: 0 45: 0 46: 0 47: 0 48: 0 49: 0 50: 0 51: 0 52: 0 53: 0 54: 0 55: 0 56: 0 57: 0 58: 0 59: 0
fpc 8 pic 0
Last 60 seconds:
0: 0 1: 0 2: 0 3: 0 4: 0 5: 0
6: 0 7: 0 8: 0 9: 0 10: 0 11: 0 12: 0 13: 0 14: 0 15: 0 16: 0 17: 0 18: 0 19: 0 20: 0 21: 0 22: 0 23: 0 24: 0 25: 0 26: 0 27: 0 28: 0 29: 0 30: 0 31: 0 32: 0 33: 0 34: 0 35: 0 36: 0 37: 0 38: 0 39: 0 40: 0 41: 0 42: 0 43: 0 44: 0 45: 0 46: 0 47: 0 48: 0 49: 0 50: 0 51: 0 52: 0 53: 0 54: 0 55: 0 56: 0 57: 0 58: 0 59: 0
{primary:node0}
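1.4 Viewing memory utilization
(1) ScreenOS
Memory utilization on the ScreenOS platform generally does not change.
CLI command: get memory
Example:
JP1000A-> get memory
Memory: allocated 536091296, left 238802224, frag 68, fail 0
(2) JunOS
When SPU memory utilization reaches 70%, it needs attention: the network or the device may be behaving abnormally.
Command in CLI operational mode for viewing SPC memory utilization on SRX Branch firewalls: show security monitoring fpc 0
Example:
syro@JP650A> show security monitoring fpc 0
FPC 0 PIC 0
CPU utilization : 0 %
Memory utilization : 67 %
Current flow session : 16
Max flow session : 524288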
SRX High-end firewalls use a distributed architecture, so the command to use depends on the slot each SPC card occupies. For example, an SRX3600 fitted with two SPCs, installed in slot 7 and slot 8, needs the SPU memory utilization of each checked separately. In addition, an SRX3600 pair is clustered with virtual chassis technology; node0 is the primary firewall and node1 is the backup firewall.
Commands in CLI operational mode for viewing SPU memory utilization on an SRX3600: show security monitoring fpc 7 and show security monitoring fpc 8
Example:
syro@JP3600A > show security monitoring fpc 7
node0:
--------------------------------------------------------------------------
FPC 7 PIC 0
CPU utilization : 2 %
Memory utilization : 64 %
Current flow session : 5265
Max flow session : 524288
Current CP session : 16401
Max CP session : 2359296
node1:
--------------------------------------------------------------------------
FPC 7 PIC 0
CPU utilization : 0 %
Memory utilization : 64 %
Current flow session : 5582
Max flow session : 524288
Current CP session : 17131
Max CP session : 2359296
{primary:node0}
syro@JP3600A> show security monitoring fpc 8
node0:
--------------------------------------------------------------------------
FPC 8 PIC 0
CPU utilization : 3 %
Memory utilization : 66 %
Current flow session : 10977
Max flow session : 1048576
Current CP session : 0
Max CP session : 0
node1:
--------------------------------------------------------------------------
FPC 8 PIC 0
CPU utilization : 0 %
Memory utilization : 66 %
Current flow session : 11382
Max flow session : 1048576
Current CP session : 0
Max CP session : 0
1.5 SRX RE CPU utilization/memory utilization (JunOS only)
The RE CPU on SRX-series firewalls is used mainly for managing the device, so its utilization fluctuates considerably and momentary spikes to 100% are normal. When RE CPU utilization stays above 45% for a long time, it needs attention; when RE memory utilization stays above 60% for a long time, check the current load on the RE.
Command in CLI operational mode: show chassis routing-engine
Example:
syro@JP650A > show chassis routing-engine
Routing Engine status:
Temperature 31 degrees C / 87 degrees F
CPU temperature 31 degrees C / 87 degrees F
Total memory 2048 MB Max 1065 MB used ( 52 percent)
Control plane memory 1104 MB Max 442 MB used ( 40 percent)
Data plane memory 944 MB Max 632 MB used ( 67 percent)
CPU utilization:
User 6 percent
Background 0 percent
Kernel 1 percent
Interrupt 0 percent
Idle 93 percent
Model RE-SRXSME-SRE6
Serial ID AAAW4729
Start time 2012-07-12 17:54:51 CST
Uptime 177 days, 15 hours, 50 minutes, 35 seconds
Last reboot reason 0x200:chassis control reset
Load averages: 1 minute 5 minute 15 minute
0.41 0.26 0.19
syro@JP3600A > show chassis routing-engine
node0:
--------------------------------------------------------------------------
Routing Engine status:
Slot 0:
Current state Master
Election priority Master (default)
DRAM 1023 MB
Memory utilization 39 percent
CPU utilization:
User 0 percent
Background 0 percent
Kernel 5 percent
Interrupt 0 percent
Idle 94 percent
Model RE-PPC-1200-A
Start time 2012-07-13 10:06:41 CST
Uptime 176 days, 23 hours, 40 minutes, 35 seconds
Last reboot reason 0x1:power cycle/failure
Load averages: 1 minute 5 minute 15 minute
0.12 0.10 0.08
node1:
--------------------------------------------------------------------------
Routing Engine status:
Slot 0:
Current state Master
Election priority Master (default)
DRAM 1023 MB
Memory utilization 34 percent
CPU utilization:
User 0 percent
Background 0 percent
Kernel 5 percent
Interrupt 0 percent
Idle 95 percent
Model RE-PPC-1200-A
Start time 2012-07-16 14:39:07 CST
Uptime 173 days, 19 hours, 6 minutes, 11 seconds
Last reboot reason Router rebooted after a normal shutdown.
Load averages: 1 minute 5 minute 15 minute
0.14 0.06 0.01
1.6 Viewing session information
1.6.1 Viewing the total session count
(1) ScreenOS
When the current total session count reaches twice the usual peak or 70% of the device's maximum session count, it needs attention and an alert should be raised.
CLI command: get session info
Example:
JP1000A-> get session info
alloc 730/max 524288, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 523558
slot 2: hw0 alloc 730/max 524287
(2) JunOS
When the current total session count reaches twice the usual peak or 70% of the device's maximum session count, it needs attention and an alert should be raised.
Command in CLI operational mode: show security flow session summary
Example:
syro@JP650A> show security flow session summary
Unicast-sessions: 14
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 17
Valid sessions: 14
Pending sessions: 0
Invalidated sessions: 3
Sessions in other states: 0
Maximum-sessions: 524288
syro@JP3600A > show security flow session summary
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC7 PIC0:
Unicast-sessions: 0
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 0
Valid sessions: 0
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Maximum-sessions: 524288
Flow Sessions on FPC8 PIC0:
Unicast-sessions: 0
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 0
Valid sessions: 0
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Maximum-sessions: 1048576
node1:
--------------------------------------------------------------------------
Flow Sessions on FPC7 PIC0:
Unicast-sessions: 0
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 0
Valid sessions: 0
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Maximum-sessions: 524288
Flow Sessions on FPC8 PIC0:
Unicast-sessions: 0
Multicast-sessions: 0
Failed-sessions: 0
Sessions-in-use: 0
Valid sessions: 0
Pending sessions: 0
Invalidated sessions: 0
Sessions in other states: 0
Maximum-sessions: 1048576
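
The attention thresholds given in sections 1.3.1, 1.4 and 1.6.1 (SPU CPU at 60%, SPU memory at 70%, sessions at 70% of the device maximum or twice the usual peak) can be checked against saved CLI output during an inspection. The Python script below is an added example, not part of the original manual; its function names and finding labels are assumptions made for illustration, and the JunOS sample text is constructed in the layout of show security monitoring fpc.

```python
import re

# Attention thresholds stated in this manual.
SPU_CPU_WARN = 60          # SPU CPU utilization, percent (section 1.3.1)
SPU_MEM_WARN = 70          # SPU memory utilization, percent (section 1.4)
SESSION_RATIO_WARN = 0.70  # share of the device maximum (section 1.6.1)
PEAK_FACTOR = 2            # multiple of the usual peak (section 1.6.1)

_NODE = re.compile(r"^\s*(node\d+):\s*$")
_FPC = re.compile(r"^\s*FPC\s+(\d+)\s+PIC\s+(\d+)\s*$")
_FIELDS = {
    "cpu": re.compile(r"^\s*CPU utilization\s*:\s*(\d+)\s*%"),
    "mem": re.compile(r"^\s*Memory utilization\s*:\s*(\d+)\s*%"),
    # "\s*:" keeps the "Current flow session IPv4:" lines of newer releases out.
    "sessions": re.compile(r"^\s*Current flow session\s*:\s*(\d+)"),
    "max_sessions": re.compile(r"^\s*Max flow session\s*:\s*(\d+)"),
}
_SCREENOS_ALLOC = re.compile(r"^\s*alloc\s+(\d+)/max\s+(\d+)")

# Constructed sample: values chosen to cross the thresholds.
SAMPLE_JUNOS = """\
node0:
--------------------------------------------------------------------------
FPC 7 PIC 0
CPU utilization      :   63 %
Memory utilization   :   64 %
Current flow session : 5265
Max flow session     : 524288
Current CP session   : 16401
Max CP session       : 2359296
node1:
--------------------------------------------------------------------------
FPC 7 PIC 0
CPU utilization      :    0 %
Memory utilization   :   71 %
Current flow session : 400000
Max flow session     : 524288
{primary:node0}
"""

# First line of the "get session info" example in section 1.6.1.
SAMPLE_SCREENOS = "alloc 730/max 524288, alloc failed 0, mcast alloc 0, di alloc failed 0"


def parse_junos_fpc(text):
    """Return one record per node/FPC/PIC block found in the output."""
    records, node, current = [], None, None
    for line in text.splitlines():
        m = _NODE.match(line)
        if m:
            node = m.group(1)
            continue
        m = _FPC.match(line)
        if m:
            unit = f"{node or 'standalone'} FPC {m.group(1)} PIC {m.group(2)}"
            current = {"unit": unit}
            records.append(current)
            continue
        if current is None:
            continue  # prompt lines, separators, anything before the first FPC
        for key, pattern in _FIELDS.items():
            m = pattern.match(line)
            if m:
                current[key] = int(m.group(1))
                break
    return records


def parse_screenos_session_info(text):
    """Return the session counters from ScreenOS 'get session info', or None."""
    for line in text.splitlines():
        m = _SCREENOS_ALLOC.match(line)
        if m:
            return {"unit": "ScreenOS", "sessions": int(m.group(1)),
                    "max_sessions": int(m.group(2))}
    return None


def check(record, usual_peak=None):
    """Return the labels of every threshold the record has reached."""
    findings = []
    if record.get("cpu", 0) >= SPU_CPU_WARN:
        findings.append("spu-cpu")
    if record.get("mem", 0) >= SPU_MEM_WARN:
        findings.append("spu-memory")
    sessions, limit = record.get("sessions"), record.get("max_sessions")
    if sessions is not None and limit and sessions >= SESSION_RATIO_WARN * limit:
        findings.append("session-capacity")
    if sessions is not None and usual_peak and sessions >= PEAK_FACTOR * usual_peak:
        findings.append("session-peak")
    return findings


def inspect_junos(text, usual_peak=None):
    """Map each SPU to its findings, leaving out units with none."""
    result = {}
    for record in parse_junos_fpc(text):
        findings = check(record, usual_peak)
        if findings:
            result[record["unit"]] = findings
    return result


if __name__ == "__main__":
    for unit, findings in inspect_junos(SAMPLE_JUNOS).items():
        print(unit, findings)
    print(check(parse_screenos_session_info(SAMPLE_SCREENOS), usual_peak=300))
```

The usual_peak argument is the site's own baseline for the session count; without it only the fixed percentage thresholds are evaluated.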
1.6.2 Viewing the number of new sessions per second
(1) ScreenOS
CLI command: get performance session detail
Example:
JP1000A-> get performance session detail
Last 60 seconds:
0: 26 1: 12 2: 19 3: 21 4: 23 5: 20 6: 27 7: 20 8: 32 9: 30 10: 36 11: 29 12: 35 13: 34 14: 13 15: 26 16: 31 17: 34 18: 20 19: 25 20: 24 21: 19 22: 20 23: 24 24: 21 25: 22 26: 24 27: 23 28: 34 29: 24 30: 35 31: 35 32: 34 33: 21 34: 15 35: 26 36: 37 37: 32 38: 36 39: 27 40: 20 41: 32 42: 24 43: 25 44: 21 45: 19 46: 17 47: 16 48: 15 49: 14 50: 17 51: 19 52: 26 53: 38 54: 32 55: 41 56: 11 57: 13 58: 15 59: 11
(2) JunOS
For JunOS 11.4 and later, the number of new sessions per second can be viewed directly. Command in CLI operational mode for viewing new sessions per second on SRX Branch firewalls: show security monitoring fpc 0
Example:
root> show security monitoring fpc 0
FPC 0 PIC 0
CPU utilization : 0 %
Memory utilization : 69 %
Current flow session : 6
Current flow session IPv4: 0
Current flow session IPv6: 0
Max flow session : 262144
Total Session Creation Per Second (for last 96 seconds on average): 0
IPv4 Session Creation Per Second (for last 96 seconds on average): 0
IPv6 Session Creation Per Second (for last 96 seconds on average): 0
For versions before JunOS 11.4, only the number of sessions per second can be viewed. Command in CLI operational mode: show security monitoring performance session
Example:
syro@JP650A > show security monitoring performance session
fpc 0 pic 0
Last 60 seconds:
0: 18 1: 18 2: 17 3: 18 4: 17 5: 14 6: 14 7: 17 8: 16 9: 17 10: 16 11: 17 12: 17 13: 18 14: 16 15: 16 16: 15 17: 15 18: 14 19: 15 20: 13 21: 14 22: 12 23: 27 24: 27 25: 56 26: 55 27: 78 28: 61 29: 79 30: 59 31: 75 32: 59 33: 81 34: 64 35: 78 36: 61 37: 75 38: 60 39: 51 40: 40 41: 50 42: 47 43: 69 44: 60 45: 69 46: 56 47: 76 48: 67 49: 78 50: 57 51: 74 52: 55 53: 78 54: 60 55: 70 56: 51 57: 62 58: 48 59: 29
syro@JP3600A > show security monitoring performance session
node0:
--------------------------------------------------------------------------
fpc 7 pic 0
Last 60 seconds:
0: 9761 1: 9987 2: 9713 3: 9965 4: 9692 5: 9989 6: 9703 7: 9958 8: 9653 9: 9878 10: 9616 11: 9940 12: 9691 13: 10065 14: 9814 15: 10010 16: 9731 17: 9887 18: 9610 19: 9857 20: 9636 21: 9910 22: 9649 23: 9938 24: 9686 25: 9952 26: 9704 27: 9988 28: 9735 29: 9984 30: 9723 31: 10009 32: 9758 33: 10105 34: 9878 35: 10155 36: 9881 37: 10107 38: 9798 39: 10032 40: 9795 41: 10068 42: 9792 43: 10073 44: 9829 45: 10082 46: 9813 47: 10060 48: 9775 49: 10061 50: 9791 51: 10008 52: 9732 53: 9963 54: 9721 55: 9935 56: 9668 57: 9938 58: 9696 59: 9993
fpc 8 pic 0
Last 60 seconds:
0: 20252 1: 19658 2: 20188 3: 19608 4: 20185 5: 19660 6: 20164 7: 19591 8: 20039 9: 19492 10: 19938 11: 19433 12: 20098 13: 19642 14: 20275 15: 19714 16: 20013 17: 19445 18: 19841 19: 19325 20: 19824 21: 19358 22: 19880 23: 19371 24: 19936 25: 19429 26: 19876 27: 19396 28: 19938 29: 19459 30: 19911 31: 19369 32: 20068 33: 19565 34: 20332 35: 19645 36: 20309 37: 19657 38: 20128 39: 19471 40: 20010 41: 19493 42: 20049 43: 19536 44: 20163 45: 19644 46: 20132 47: 19624 48: 20154 49: 19575 50: 20097 51: 19529 52: 20041 53: 19525 54: 19978 55: 19488 56: 19899 57: 19372 58: 19984 59: 19500
node1:
--------------------------------------------------------------------------
fpc 7 pic 0
Last 60 seconds:
0: 10213 1: 10447 2: 10172 3: 10424 4: 10150 5: 10432 6: 10153 7: 10362 8: 10078 9: 10394 10: 10134 11: 10472 12: 10219 13: 10530 14: 10279 15: 10450 16: 10134 17: 10347 18: 10066 19: 10312 20: 10093 21: 10400 22: 10137 23: 10384 24: 10147 25: 10456 26: 10193 27: 10437 28: 10184 29: 10507 30: 10265 31: 10570 32: 10314 33: 10694 34: 10467 35: 10659 36: 10407 37: 10618 38: 10315 39: 10519 40: 10293 41: 10561 42: 10285 43: 10555 44: 10300 45: 10540 46: 10256 47: 10573 48: 10296 49: 10496 50: 10234 51: 10447 52: 10169 53: 10364 54: 10115 55: 10406 56: 10140 57: 10385 58: 10155 59: 10445
fpc 8 pic 0
Last 60 seconds:
0: 21893 1: 21280 2: 21813 3: 21250 4: 21759 5: 21230 6: 21668 7: 21122 8: 21685 9: 21176 10: 21775 11: 21254 12: 21735 13: 21272 14: 21791 15: 21155 16: 21508 17: 20933 18: 21439 19: 20944 20: 21514 21: 21026 22: 21461 23: 20970 24: 21540 25: 21045 26: 21494 27: 20991 28: 21684 29: 21223 30: 21909 31: 21367 32: 22025 33: 21539 34: 22163 35: 21480 36: 21933 37: 21282 38: 21790 39: 21194 40: 21827 41: 21311 42: 21793 43: 21264 44: 21860 45: 21300 46: 21830 47: 21292 48: 21762 49: 21222 50: 21607 51: 21063 52: 21449 53: 20899 54: 21527 55: 21041 56: 21509 57: 21017 58: 21527 59: 21033
{primary:node0}
1.6.3 Viewing all session entries on the firewall
(1) ScreenOS
CLI command: get session
Example:
JP1000A-> get session
alloc 2976/max 524288, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 521312
slot 2: hw0 alloc 2976/max 524287
id 482707/s0*,vsys 0,flag 10200400/4000/0003,policy 20036,time 1302, dip 36 module 0
if 130(nspflag 0805):192.168.12.101/4795->10.1.131.244/8000,6,000000000000,sess token 4,vlan 32,tun 0,vsd 0,route 17,wsf 0
if 128(nspflag 10000800):10.1.94.104/43422<-10.1.131.244/8000,6,000000000000,sess token 3,vlan 0,tun 0,vsd 0,route 29,wsf 0
id 482709/s0*,vsys 0,flag 10200400/4000/0003,policy 20040,time 1419, dip 36 module 0
if 130(nspflag 0805):192.168.11.202/1170->10.195.4.41/6002,6,000000000000,sess token 4,vlan 32,tun 0,vsd 0,route 17,wsf 0
if 128(nspflag 10000800):10.1.94.104/60242<-10.195.4.41/6002,6,000000000000,sess token 3,vlan 0,tun 0,vsd 0,route 29,wsf 0
(2) JunOS
Command in CLI operational mode: show security flow session
Example:
syro@JP650A> show security flow session
Session ID: 15176, Policy name: self-traffic-policy/1, Timeout: 60, Valid
In: 192.168.117.2/514 --> 10.1.35.11/514;udp, If: .local..0, Pkts: 2668507, Bytes: 659764260
Out: 10.1.35.11/514 --> 192.168.117.2/514;udp, If: ae0.0, Pkts: 0, Bytes: 0
Session ID: 15264, Policy name: self-traffic-policy/1, Timeout: 60, Valid
In: 192.168.117.2/514 --> 10.1.88.166/514;udp, If: .local..0, Pkts: 2769763, Bytes: 668172183
Out: 10.1.88.166/514 --> 192.168.117.2/514;udp, If: ae0.0, Pkts: 0, Bytes: 0
Session ID: 15267, Policy name: self-traffic-policy/1, Timeout: 60, Valid
In: 192.168.117.2/514 --> 10.1.35.12/514;udp, If: .local..0, Pkts: 2668508, Bytes: 659764488
Out: 10.1.35.12/514 --> 192.168.117.2/514;udp, If: ae0.0, Pkts: 0, Bytes: 0
1.6.4 Viewing sessions by filter criteria
(1) ScreenOS
In the CLI, the get session command can display sessions by filter criteria, with the following command options:
Command help:
JP1000A -> get session
> redirect output
| match output
dst-ip destination ip address
dst-mac destination mac address
dst-port destination port number or range
hardware show hardware sessions only
id show sessions with id
ike-nat show ike-nat ALG info
policy-id policy id
protocol protocol number or range
rm show sessions for resource management
service show sessions with service type
src-ip source ip address
src-mac source mac address
src-port source port number or range
tunnel show tunnel sessions
vsd-id get vsd-id specified sessions
Example:
JP1000A-> get session src-ip 10.1.3.32
alloc 1366/max 524288, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 522922
slot 2: hw0 alloc 1363/max 524287
Total 448 sessions according filtering criteria.
id 517142/s0*,vsys 0,flag 00200450/0000/0081,policy 20026,time 0, dip 0 module 0
if 46(nspflag 800901):10.1.3.32/51602->10.1.8.130/8300,6,00000c07ac21,sess token 4,vlan 0,tun 0,vsd 0,route 8,wsf 0
if 45(nspflag 800900):10.1.3.32/51602<-10.1.8.130/8300,6,00000c07ac5f,sess token 3,vlan 0,tun 0,vsd 0,route 6,wsf 0
id 517222/s0*,vsys 0,flag 00200440/0000/0003,policy 20028,time 2, dip 0 module 0
(2) JunOS
In CLI operational mode, the show security flow session command can display sessions by filter criteria, with the following command options:
syro@JP650A > show security flow session
Possible completions:
<[Enter]> Execute this command
application Application protocol name
brief Show brief output (default)
destination-port Destination port (1..65535)
destination-prefix Destination IP prefix or address
extensive Show detailed output
family Show session by family
idp Show idp sessions
interface Name of incoming or outgoing interface
nat Show sessions with network address translation
protocol IP protocol number
resource-manager Show sessions with resource manager
session-identifier Show session with specified session identifier
source-port Source port (1..65535)
source-prefix Source IP prefix or address
summary Show output summary
tunnel Show tunnel sessions
| Pipe through a command
Example:
syro@JP650A > show security flow session source-prefix 10.1.35.11
Session ID: 168247, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
In: 10.1.35.11/58624 --> 192.168.117.2/22;tcp, If: ae0.0, Pkts: 512, Bytes: 40342
Out: 192.168.117.2/22 --> 10.1.35.11/58624;tcp, If: .local..0, Pkts: 352, Bytes: 43885
Total sessions: 1
1.6.5 Viewing session details
(1) ScreenOS
ScreenOS firewalls display the details of a session by session id.
CLI command: get session id id_value
Example:
JP1000A-> get session id 490591
id 490591(00077c5f), flag 10200400/4000/0003, vsys id 0(Root)
policy id 20113, application id 0, dip id 36, state 0
current timeout 2250, max timeout 300 (second)
status normal, start time 12185013, duration 0
session id mask 0, app value 0
redundant3.2(vsd 0): 192.168.16.24/1807->10.1.48.7/80, protocol 6 session token 4 route 17
gtwy 192.168.250.253, mac 000000000000, nsptn info 0, pmtu 1500
flag 805, diff 0/0
port seq 0, subif 2, cookie 0, fin seq 0, fin state 0
redundant1(vsd 0): 10.1.94.104/4186<-10.1.48.7/80, protocol 6 session token 3 route 29
gtwy 10.1.94.254, mac 000000000000, nsptn info 0, pmtu 1500
mac 000000000000, nsptn info 0
flag 10000800, diff 0/0
port seq 0, subif 0, cookie 0, fin seq 0, fin state 0
Saturn hardware session:
chip 0,slot 2,idx 237169,flag 0x40,diff (0/0),pid 20113,time (12185013/30/225),ssid 490591
130(1):192.168.16.24/1807->10.1.48.7/80,6,token:4,l2:(b:0:65533),vl:0,sa:0,vsd:0,L2 xl:1
bcnt:0, vect:0, fin_seq:0x00000000, fst:0, flag:11,wsf 14
128(1):10.1.94.104/4186<-10.1.48.7/80,6,token:3,l2:(d:2:65533),vl:1,sa:0,vsd:0,L2 xl:1
bcnt:0, vect:0, fin_seq:0x00000000, fst:0, flag:11,wsf 14
hw sess:0x8b9e7100, ext hw sess:0x8b9e7180, cnt:1125
shadow sess:0x059ee938, hash:001c0ca0, hash1:001452b0, shadow flag:0x10
nat_flag:0x40, next id:00000000(0), next id1:00000000(0), prev id:00000000(0), prev id1:00000000(0)
twin 0x0, forw1 0x0, forw2 0x0, sw sess:0x164a3a30, policy 0x2462e980
(2) JunOS
On JunOS firewalls, the extensive option displays session details.
Command in CLI operational mode: show security flow session extensive
Example:
syro@JP650A > show security flow session extensive destination-port 80
Session ID: 168239, Status: Normal
Flag: 0x0
Policy name: 10024/41
Source NAT pool: interface, Application: junos-http/6
Maximum timeout: 1800, Current timeout: 542
Session State: Valid
Start time: 9230725, Duration: 1457
  In: 192.168.129.18/3977 --> 220.181.111.238/80;tcp, Interface: ae0.0,
    Session token: 0x6, Flag: 0x0x21
    Route: 0x4f1b02, Gateway: 192.168.129.18, Tunnel: 0
    Port sequence: 0, FIN sequence: 3377815844, FIN state: 1,
    Pkts: 11, Bytes: 455
  Out: 220.181.111.238/80 --> 219.143.234.205/38704;tcp, Interface: ge-2/0/2.0,
    Session token: 0x7, Flag: 0x0x20
    Route: 0xc0010, Gateway: 219.143.234.193, Tunnel: 0
    Port sequence: 0, FIN sequence: 0, FIN state: 0,
    Pkts: 1, Bytes: 52
Total sessions: 1
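1.6.6 Saving all firewall session entries
(1) ScreenOS
Method 1: Capture the on-screen output of the get session command. Remember to adjust the SSH client's buffer size or its logging settings.
CLI command: get session
Method 2: Save the output of the get session command to a TFTP server. Confirm that the TFTP server service is working properly.
CLI command: get session > tftp server_IP file_name
Example: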
JP1000A-> get session > tftp 10.1.35.11 session.log
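(2) JunOS
Method 1: Capture the on-screen output of the show security flow session command. Remember to adjust the SSH client's buffer size or its logging settings.
Command in CLI operational mode: show security flow session
Method 2: Save the output of the show security flow session command to the RE disk, then use file list to check the directory where the file was saved.
Commands in CLI operational mode: show security flow session | save file_name, followed by file list
Example:
syro@JP650A > show security flow session | save session.log
Wrote 52 lines of output to 'session.log'
syro@JP650A.KF-HL.OUT.JXA> file list
/cf/var/home/jpro/:
.ssh/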
session.log
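Method 3 (advanced): Save all session entries from the shell. Starting in CLI operational mode:
- First enter the shell: start shell
- Then change to the /tmp directory: cd /tmp
- Finally save the sessions: cli -c \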
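Added example (not part of the original manual, and not Juniper code): once the session table has been saved with one of the methods above, a Python script can parse the brief-format JunOS output offline, compare the number of parsed sessions with the device's own Total sessions line to detect a truncated capture, and rank source addresses. The function names and the sample text are constructed for illustration; the extensive format is not handled.

```python
import re
from collections import defaultdict

# Constructed sample in the brief layout of "show security flow session".
# The last session is deliberately run together on one line, as happens
# when a capture loses its line breaks.
SAMPLE = """\
Session ID: 168247, Policy name: self-traffic-policy/1, Timeout: 1800, Valid
  In: 10.1.35.11/58624 --> 192.168.117.2/22;tcp, If: ae0.0, Pkts: 512, Bytes: 40342
  Out: 192.168.117.2/22 --> 10.1.35.11/58624;tcp, If: .local..0, Pkts: 352, Bytes: 43885
Session ID: 168250, Policy name: 10024/41, Timeout: 20, Valid
  In: 10.1.35.12/40001 --> 192.168.117.9/80;tcp, If: ae0.0, Pkts: 3, Bytes: 180
  Out: 192.168.117.9/80 --> 10.1.35.12/40001;tcp, If: ge-2/0/2.0, Pkts: 0, Bytes: 0
Session ID: 168251, Policy name: 10024/41, Timeout: 20, Valid
  In: 10.1.35.12/40002 --> 192.168.117.9/443;tcp, If: ae0.0, Pkts: 3, Bytes: 180
  Out: 192.168.117.9/443 --> 10.1.35.12/40002;tcp, If: ge-2/0/2.0, Pkts: 0, Bytes: 0
Session ID: 168260, Policy name: 10024/41, Timeout: 60, Valid In: 10.1.35.11/50000 --> 192.168.117.3/53;udp, If: ae0.0, Pkts: 1, Bytes: 60 Out: 192.168.117.3/53 --> 10.1.35.11/50000;udp, If: ge-2/0/2.0, Pkts: 1, Bytes: 120
Total sessions: 4
"""

HEADER = re.compile(r"Session ID: (\d+), Policy name: ([^,]+), Timeout: (\d+)")
WING = re.compile(
    r"\b(In|Out): (\S+)/(\d+) --> (\S+)/(\d+);(\w+),\s+If: (\S+), "
    r"Pkts: (\d+), Bytes: (\d+)")
TOTAL = re.compile(r"Total sessions: (\d+)")


def parse_sessions(text):
    """Parse brief-format session output; works even if line breaks were lost."""
    tokens = [(m.start(), "header", m) for m in HEADER.finditer(text)]
    tokens += [(m.start(), "wing", m) for m in WING.finditer(text)]
    sessions = []
    for _, kind, m in sorted(tokens, key=lambda t: t[0]):
        if kind == "header":
            sessions.append({"id": int(m.group(1)), "policy": m.group(2),
                             "timeout": int(m.group(3))})
        elif sessions:  # an In/Out wing belongs to the most recent header
            sessions[-1][m.group(1).lower()] = {
                "src": m.group(2), "sport": int(m.group(3)),
                "dst": m.group(4), "dport": int(m.group(5)),
                "proto": m.group(6), "interface": m.group(7),
                "pkts": int(m.group(8)), "bytes": int(m.group(9))}
    return sessions


def capture_is_complete(text):
    """Compare parsed sessions with the device's own 'Total sessions' count.

    Totals from several sections, if present, are summed. A mismatch usually
    means the capture was cut short, for example by a terminal buffer that
    was too small."""
    declared = sum(int(n) for n in TOTAL.findall(text))
    return declared == len(parse_sessions(text))


def top_sources(sessions, n=5):
    """Rank initiating addresses by session count, then bytes in both directions."""
    stats = defaultdict(lambda: {"sessions": 0, "bytes": 0})
    for s in sessions:
        if "in" in s:
            entry = stats[s["in"]["src"]]
            entry["sessions"] += 1
            entry["bytes"] += s["in"]["bytes"] + s.get("out", {}).get("bytes", 0)
    ranked = sorted(stats.items(),
                    key=lambda kv: (-kv[1]["sessions"], -kv[1]["bytes"], kv[0]))
    return [(src, dict(v)) for src, v in ranked[:n]]


def one_way(sessions):
    """IDs of sessions where the initiator sent packets but nothing came back."""
    return [s["id"] for s in sessions
            if s.get("in", {}).get("pkts", 0) > 0
            and s.get("out", {}).get("pkts", 0) == 0]


if __name__ == "__main__":
    parsed = parse_sessions(SAMPLE)
    print("capture complete:", capture_is_complete(SAMPLE))
    for src, v in top_sources(parsed):
        print(src, v)
    print("no return traffic:", one_way(parsed))
```

To use it on a real capture, read the saved file and pass its text to parse_sessions and capture_is_complete.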
1.7 Viewing alarm logs
(1) ScreenOS
CLI command: get alarm event
Example:
JP1000A-> get alarm event
Date Time Module Level Type Description
2012-08-24 23:25:22 system crit 00072 The local device 10222208 in the
    Virtual Security Device group (0)
    changed state from backup to primary backup, missing primary backup.
2012-08-24 23:25:22 system crit 00015 Peer device 10670336 in the Virtual
    Security Device group 0 changed state from primary backup to master.
(2) JunOS
SRX firewalls can display chassis alarms and system alarms separately.
Commands in CLI operational mode: show chassis alarms and show system alarms
Example:
syro@JP3600A> show chassis alarms
node0:
--------------------------------------------------------------------------
No alarms currently active
node1:
--------------------------------------------------------------------------
No alarms currently active
{primary:node0}
syro@JP3600A> show system alarms
node0:
--------------------------------------------------------------------------
No alarms currently active
node1:
1.8 Viewing event logs (ScreenOS)
1.8.1 Viewing all event logs (ScreenOS only)
CLI command: get event
The output of this command includes the alarm logs.
Example:
JP1000A-> get event
Total event entries = 25174
Date Time Module Level Type Description
2013-01-01 15:35:12 system notif 00767 Event log was reviewed by admin syro.
2013-01-01 15:34:40 system warn 00515 Admin user syro has logged on via SSH from 10.1.35.11:45656
2013-01-01 15:34:40 system warn 00528 SSH: Password authentication
    successful for admin user 'syro' at host 10.1.35.11.
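1.8.2 Filtering event logs by event level (ScreenOS only)
ScreenOS firewall events have eight levels.
In the CLI, the get event command can filter the log by event level. It has the following options:
JP1000A -> get event level ?
  alert                level 1: immediate action is required
  critical             level 2: functionality is affected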
  debug                level 7: detailed information for troubleshooting
  emergency            level 0: system is unusable
  error                level 3: error condition
  information          level 6: general information about operation
  notification         level 5: normal events
  warning              level 4: functionality may be affected
Example:
JP1000A -> get event level alert
Date Time Module Level Type Description
2013-01-04 23:47:40 system alert 00012 UDP flood! From 172.18.1.60:10008 to
    10.1.188.48:8011, proto UDP (zone DMZ, int ethernet1/2). Occurred 1 times.
2013-01-04 16:40:44 system alert 00016 Port scan! From 10.254.254.87:83 to
    10.19.10.232:2221, proto TCP (zone DMZ, int ethernet1/2). Occurred 1 times.
2012-12-21 14:47:54 system alert 00012 UDP flood! From 172.18.1.64:10042 to
    10.1.188.48:8011, proto UDP (zone DMZ, int ethernet1/2). Occurred 1 times.
2012-12-18 09:36:23 system alert 00012 UDP flood! From 172.18.1.65:10028 to
    10.1.188.48:8011, proto UDP (zone DMZ, int ethernet1/2). Occurred 1 times.
Total entries matched = 4
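Added example (not part of the original manual, and not Juniper code): the get event level filter returns one level at a time, so when reviewing saved get event output offline it helps to select everything at or above a given severity and to total the flood and scan alerts per source and target. The Python sketch below rejoins wrapped descriptions and separates records that were run together; the function names and the sample text are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Level names as listed by "get event level ?" (list index = level number).
LEVELS = ["emergency", "alert", "critical", "error",
          "warning", "notification", "information", "debug"]

# Constructed sample in the layout of "get event" output: wrapped
# descriptions, one pair of records run together, and a trailing total line.
SAMPLE = """\
Date       Time     Module Level Type Description
2013-01-04 23:47:40 system alert 00012 UDP flood! From 172.18.1.60:10008 to
                     10.1.188.48:8011, proto UDP (zone DMZ, int ethernet1/2). Occurred 1 times.
2013-01-04 16:40:44 system alert 00016 Port scan! From 10.254.254.87:83 to
                     10.19.10.232:2221, proto TCP (zone DMZ, int ethernet1/2). Occurred 1 times.
2013-01-04 15:34:40 system warn 00515 Admin user syro has logged on via SSH from 10.1.35.11:45656 2013-01-04 15:03:27 system crit 00040 VPN 'SAP-connection' from 194.39.131.166 is up.
2012-12-21 14:47:54 system alert 00012 UDP flood! From 172.18.1.60:10042 to
                     10.1.188.48:8011, proto UDP (zone DMZ, int ethernet1/2). Occurred 3 times.
Total entries matched = 5
"""

# A record starts at a timestamp that is followed by module, level and type.
START = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?=\s+\S+\s+\S+\s+\d{5}\s)")
RECORD = re.compile(r"(\S+ \S+) (\S+) (\S+) (\d{5}) (.*)")
TOTAL = re.compile(r"Total (?:event entries|entries matched) = \d+")
SCREEN = re.compile(
    r"(?P<attack>[^!]+)! From (?P<src>\S+):\d+ to (?P<dst>\S+):(?P<dport>\d+), "
    r"proto (?P<proto>\w+) \(zone (?P<zone>[^,]+), int (?P<intf>[^)]+)\)\. "
    r"Occurred (?P<count>\d+) times\.")


def level_number(name):
    """Map a full or abbreviated level name (crit, warn, notif, ...) to 0-7."""
    for number, full in enumerate(LEVELS):
        if name and full.startswith(name.lower()):
            return number
    return None


def parse_events(text):
    """Split the log into records and rejoin wrapped description lines."""
    text = TOTAL.sub(" ", text)
    starts = [m.start() for m in START.finditer(text)]
    events = []
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        m = RECORD.match(" ".join(text[begin:end].split()))
        if m:
            stamp, module, level, etype, desc = m.groups()
            events.append({"time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
                           "module": module, "level": level,
                           "level_num": level_number(level),
                           "type": etype, "desc": desc})
    return events


def at_or_worse(events, level):
    """Events at the given level or more severe (lower number = more severe)."""
    limit = level_number(level)
    return [e for e in events
            if e["level_num"] is not None and e["level_num"] <= limit]


def screen_summary(events):
    """Total the 'Occurred N times' counters per (attack, source, target)."""
    totals = Counter()
    for e in events:
        m = SCREEN.match(e["desc"])
        if m:
            key = (m["attack"], m["src"], m["dst"] + ":" + m["dport"])
            totals[key] += int(m["count"])
    return totals.most_common()


if __name__ == "__main__":
    parsed = parse_events(SAMPLE)
    for e in at_or_worse(parsed, "critical"):
        print(e["time"], e["level"], e["type"], e["desc"])
    for key, count in screen_summary(parsed):
        print(count, key)
```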
1.8.3 Filtering event logs by time (ScreenOS only)
In the CLI, the get event command can filter the log by time. It has the following options:
JP1000A.HL-JR.SC-VPN.JXA-> get event start-date ?
Example:
JP1000A.HL-JR.SC-VPN.JXA-> get event start-date 01/05/2013
Total event entries = 3813
Date Time Module Level Type Description
2013-01-05 15:03:27 system crit 00040 VPN 'SAP-connection' from 194.39.131.166 is up.
2013-01-05 15:03:17 system info 00536 IKE 194.39.131.166 Phase 2 msg ID
a6000770: Completed negotiations with SPI bfc9b510, tunnel ID 3, and lifetime 7200 seconds/4194303 KB.
2013-01-05 15:03:17 system info 00536 IKE 194.39.131.166 phase 2:The
symmetric crypto key has been generated successfully.
2013-01-05 15:03:17 system info 00536 IKE 194.39.131.166: Phase 2 msg ID
a6000770: Received responder lifetime 2.2.4
1.9 Viewing event logs (JunOS)
With the default configuration, the SRX firewall's log file is named messages. The command to view this log file is: show log messages
Example:
root> show log messages
Nov 11 15:25:03 cron[1174]: (root) CMD ( /usr/libexec/atrun)
Nov 11 15:27:26 rpd[1098]: Decode ifd sp-0/0/0 index 135: ifdm_flags 0xc010
Nov 11 15:27:26 rpd[1098]: krt_inherit_ifd_aps_flags sp-0/0/0 index 135: <> from self
Nov 11 15:30:03 cron[1179]: (root) CMD ( /usr/libexec/atrun)
Nov 11 15:30:03 cron[1180]: (root) CMD (newsyslog)
Nov 11 15:35:02 cron[1185]: (root) CMD ( /usr/libexec/atrun)
Nov 11 15:36:49 mgd[1160]: UI_CMDLINE_READ_LINE: User 'root', command 'show configuration '
Nov 11 15:37:28 rpd[1098]: Decode ifd ge-0/0/0 index 133: ifdm_flags 0xc001
Nov 11 15:37:28 rpd[1098]: krt_inherit_ifd_aps_flags ge-0/0/0 index 133: <> from self
Nov 11 15:37:28 rpd[1098]: EVENT
Nov 11 15:37:28 rpd[1098]: EVENT UpDown ge-0/0/0.0 index 69 192.168.36.154/24 -> 192.168.36.255
Nov 11 15:37:28 rpd[1098]: EVENT
Nov 11 15:37:28 mib2d[1097]: SNMP_TRAP_LINK_DOWN: ifIndex 506, ifAdminStatus up(1), ifOperStatus down(2), ifName ge-0/0/0
Nov 11 15:37:30 rpd[1098]: Cancelling deferral ge-0/0/0 index 133 -> ge-0/0/0 index 133
Nov 11 15:37:30 /kernel: if_msg_ifl_addr_del 69 0xc570f856 0xc570f86a 24 0x3
Nov 11 15:37:30 rpd[1098]: EVENT Delete ge-0/0/0.0 index 69 192.168.36.154/24 -> 192.168.36.255
Nov 11 15:37:30 rpd[1098]: Decode ifd sp-0/0/0 index 135: ifdm_flags 0xc010
Nov 11 15:37:30 rpd[1098]: krt_inherit_ifd_aps_flags sp-0/0/0 index 135: <> from self
Nov 11 15:37:30 USP_IF_TOOLKIT: DETACH: ifl_index 69, flags 0, localaddr 0x66f64b17 local_plen 32
Nov 11 15:37:30 IFP trace> ifp_ifa_add_del_event: ifp_ifa_add_del_event: ge-0/0/0, op 3, msg->ifl_index 69, msg->proto 2
Nov 11 15:37:30 IFP trace> ifp_ifa_del: ifp_ifa_del : ge-0/0/0, msg->ifl_index 69 local prefix 2586093760/32, dest prefix 2402496/24
1.10 Viewing policy traffic logs
(1) ScreenOS
CLI command: get log traffic
In the CLI, the get log traffic command can display traffic logs by policy, time, IP address, port and so on. It has the following options:
JP1000A -> get log traffic
  >                    redirect output
  |                    match output
  detail               log detail level
  dst-ip               show traffic to destination IPs
  dst-port             show traffic to destination ports
  end-date             stop date
  end-time             stop time
  in-interface         show traffic according to in interface
  max-duration         max duration
  min-duration         min duration
  no-rule-displayed    not show rule info
  out-interface        show traffic according to out interface
  policy               show traffic under policies
  protocol             show traffic to protocol
  service              show traffic under any service
  sort-by              show sorted traffic log
  src-ip               show traffic from source IPs
  src-port             show traffic from source ports
  start-date           start date
  start-time           start time
Example:
JP1000A-> get log traffic policy 30003
PID 30003, from Trust to DMZ, src MFT-GW-G, dst MFT-SR-G, service TCP-6810 TCP-6811, action Permit
Total traffic entries matched under this policy = 249
==============================================================================================
Date Time Duration Source IP Port Destination IP Port Service SessionID Reason Xlated Src IP Port Xlated Dst IP Port ID
==============================================================================================
2012-10-04 12:08:38 973:12:41 10.1.44.72 7039 10.254.253.11 6811 TCP PORT 6811 524020
ge-0/0/7                up    down
ge-0/0/8                up    down
ge-0/0/9                up    down
ge-0/0/10               up    up
ge-0/0/10.0             up    up   aenet    --> fab0.0
ge-0/0/11               up    up
ge-0/0/11.0             up    up   aenet    --> fab0.0
xe-1/0/0                up    up
xe-1/0/0.0              up    up   aenet    --> reth0.0
xe-1/0/1                up    up
xe-1/0/1.0              up    up   aenet    --> reth0.0
xe-4/0/0                up    up
xe-4/0/0.0              up    up   aenet    --> reth1.0
xe-4/0/1                up    up
xe-4/0/1.0              up    up   aenet    --> reth1.0
mt-7/0/0                up    up
ge-13/0/0               up    down
ge-13/0/1               up    down
ge-13/0/2               up    down
ge-13/0/3               up    down
ge-13/0/4               up    down
ge-13/0/5               up    down
ge-13/0/6               up    down
ge-13/0/7               up    down
ge-13/0/8               up    down
ge-13/0/9               up    down
ge-13/0/10              up    up
ge-13/0/10.0            up    up   aenet    --> fab1.0
ge-13/0/11              up    up
ge-13/0/11.0            up    up   aenet    --> fab1.0
xe-14/0/0               up    up
xe-14/0/0.0             up    up   aenet    --> reth0.0
xe-14/0/1               up    up
xe-14/0/1.0             up    up   aenet    --> reth0.0
---(more)---
1.12.2 Viewing the details of a single interface
(1) ScreenOS
CLI command: get interface interface_name
Example:
JP1000A-> get interface eth1/1
Interface ethernet1/1(VSI):
description ethernet1/1
number 7, if_info 229320, if_index 0
link down, phy-link down
status change:0
vsys Root, zone Null, vr untrust-vr, vsd 0
*ip 0.0.0.0/0 mac 0010.dbff.8070
pmtu-v4 disabled
ping disabled, telnet disabled, SSH disabled, SNMP disabled
web disabled, ident-reset disabled, SSL disabled
NHRP disabled
bandwidth: physical 0Mbps, configured 0Mbps
(2) JunOS
Command in CLI operational mode: show interfaces interface_name
Example:
syro@JP3600A > show interfaces ge-0/0/0
Physical interface: ge-0/0/0, Enabled, Physical link is Down
  Interface index: 142, SNMP ifIndex: 509
  Link-level type: Ethernet, MTU: 1514, Link-mode: Half-duplex, Speed: Unspecified, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Enabled, Auto-negotiation: Enabled, Remote fault: Online
  Device flags   : Present Running Down
  Interface flags: Hardware-Down SNMP-Traps Internal: 0x0
  Link flags     : None
  CoS queues     : 8 supported, 4 maximum usable queues
  Schedulers     : 0
  Current address: 78:fe:3d:25:a8:00, Hardware address: 78:fe:3d:25:a8:00
  Last flapped   : 2012-08-22 09:45:58 CST (19w3d 05:35 ago)
  Input rate     : 0 bps (0 pps)
  Output rate    : 0 bps (0 pps)
  Active alarms  : LINK
  Active defects : LINK
Interface transmit statistics: Disabled
1.13 Viewing the ARP table
(1) ScreenOS
CLI command: get arp
Example:
JP1000A-> get arp
usage: 27/8192 miss: 0 always-on-dest: enabled
-----------------------------------------------------------------------------------------
IP             Mac           VR/Interface     State Age Retry PakQue Sess_cnt
-----------------------------------------------------------------------------------------
192.168.25.25  405539d752bf  trust-vr/red3.2  VLD   4   0     0      0
192.168.25.23  002304c2747f  trust-vr/red3.2  VLD   4   0     0      0
192.168.25.24  5057a89f5e7f  trust-vr/red3.2  VLD   4   0     0      0
(2) JunOS
Command in CLI operational mode: show arp
Example:
syro@JP3600A> show arp
MAC Address        Address      Name          Interface  Flags
64:a0:e7:43:01:c1  10.1.56.245  10.10.56.25   reth0.0    none
64:a0:e7:40:7d:c1  10.1.56.246  10.10.56.26   reth0.0    none
6c:9c:ed:41:50:41  10.1.56.247  10.10.56.27   reth0.0    none
6c:9c:ed:41:62:c1  10.1.56.248  10.10.56.28   reth0.0    none
00:00:0c:07:ac:38  10.1.56.254  10.10.56.254  reth0.0    none
1.14 Viewing routes
1.14.1 Viewing all routes
(1) ScreenOS
CLI command: get route
Example:
JP1000A-> get route
IPv4 Dest-Routes for
--------------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported I: Imported R: RIP P: Permanent D: Auto-Discovered N: NHRP
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1 E2: OSPF external type 2 trailing B: backup route
IPv4 Dest-Routes for (154 entries)
--------------------------------------------------------------------------------------
   ID  IP-Prefix        Interface  Gateway        P  Pref  Mtr  Vsys
--------------------------------------------------------------------------------------
*  17  0.0.0.0/0        red3.2     192.168.25.25  S  20    1    Root
*  41  10.94.102.50/32  red3.2     192.168.25.25  S  20    1    Root
*  56  10.1.94.81/32    red3.2     192.168.25.25  S  20    1    Root
*  22  19.1.1.22/32     red3.1     9.9.32.190     S  20    1    Root
*   9  10.254.253.1/32  red2.20    0.0.0.0        H  0     0    Root
(2) JunOS
Command in CLI operational mode: show route
Example:
syro@JP3600A> show route
inet.0: 8 destinations, 8 routes (8 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
10.1.35.0/24       *[Static/5] 11w0d 19:59:35
                    > to 10.1.66.254 via fxp0.0
10.1.37.120/32     *[Static/5] 11w0d 19:59:35
                    > to 10.1.66.254 via fxp0.0
10.1.37.122/32     *[Static/5] 11w0d 19:59:35
                    > to 10.1.66.254 via fxp0.0
10.1.66.0/24       *[Direct/0] 11w0d 19:59:35
                    > via fxp0.0
10.1.66.7/32       *[Local/0] 11w0d 19:59:35
                      Local via fxp0.0
10.1.68.0/24       *[Static/5] 11w0d 19:59:35
                    > to 10.1.66.254 via fxp0.0
10.1.88.166/32     *[Static/5] 11w0d 19:59:35
                    > to 10.1.66.254 via fxp0.0
10.1.112.0/24      *[Static/5] 11w0d 19:59:35
                    > to 10.1.66.254 via fxp0.0
1.14.2 Viewing the route to a specific destination address
(1) ScreenOS
CLI command: get route ip ip_address
Example:
JP1000A-> get route ip 10.1.1.1
Dest for 10.1.1.1
--------------------------------------------------------------------------------------
trust-vr : => 10.0.0.0/8 (id=29) via 10.1.94.254 (vr: trust-vr)
Interface redundant1 , metric 1
(2) JunOS
Command in CLI operational mode: show route ip_address
Example:
syro@JP3600A> show route 1.1.1.1
inet.0: 28 destinations, 28 routes (28 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both
0.0.0.0/0          *[Static/5] 2w3d 17:12:49
                    > to 10.1.57.254 via reth1.0
1.15 Viewing policies
1.15.1 Viewing all policies
(1) ScreenOS
CLI command: get policy
Example:
JP1000A-> get policy
Total regular policies 560, Default deny.
ID From To Src-address Dst-address Service Action State ASTLCB
10138 Trust Untrust 10.0.0.0/8 100.1.95.12~ HTTP Permit enabled ---X-X
10137 Trust Untrust 10.0.0.0/8 100.1.95.11~ HTTP Permit enabled ---X-X
                                            TCP-8080
10136 Trust Untrust 10.0.0.0/8 100.1.95.1/~ TCP-9101 Permit enabled ---X-X
(2) JunOS
Command in CLI operational mode: show security policies
Example:
syro@JP650A> show security policies
Default policy: deny-all
From zone: untrust, To zone: trust
  Policy: 20027, State: enabled, Index: 23, Scope Policy: 0, Sequence number: 1
    Source addresses: 218.56.32.70/32, 219.239.105.29/32, 111.166.162.169/32, 113.58.244.143/32, 110.53.148.130/32, 222.34.19.11/32, 61.137.152.152/32, 65.55.208.91/32, 210.53.203.215/32, 211.137.41.203/32, 218.71.239.115/32, 218.107.16.170/32, 113.4.247.77/32, 119.249.206.73/32, 120.128.2.40/32
    Destination addresses: any
    Applications: any
    Action: deny
  Policy: 19000, State: enabled, Index: 4, Scope Policy: 0, Sequence number: 2
    Source addresses: deny-123.232.122.34
    Destination addresses: any
    Applications: any
    Action: deny, log
1.15.2 Viewing the details of a single policy
(1) ScreenOS
Note: ScreenOS firewalls display the details of a single policy using its id as the filter.
CLI command: get policy id id
Example:
JP1000A -> get policy id 1
name:\
src \Rules on this VPN policy: 0 nat off, Web filtering : disabled
vpn unknown vpn, policy flag 00010200, session backup: on
traffic shaping off, scheduler n/a, serv flag 00
log close, log count 0, alert no, counter no(0) byte rate(sec/min) 0/0
total octets 0, counter(session/packet/octet) 0/0/0
No Authentication
No User, User Group or Group expression set
(2) JunOS
Note: JunOS firewalls display the details of a single policy using policy-name as the filter.
Command in CLI operational mode: show security policies policy-name name
Example:
syro@JP3600A > show security policies policy-name 10000
node0:
--------------------------------------------------------------------------
From zone: trust, To zone: untrust
  Policy: 10000, State: enabled, Index: 11, Scope Policy: 0, Sequence number: 2
    Source addresses: 10.1.96.28/32
    Destination addresses: 10.3.94.205/32
    Applications: ftp-alg-no
    Action: permit, log
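1.16 Viewing the firewall's active/standby status
(1) ScreenOS
Note: In a ScreenOS firewall cluster, the active device's state is Master and the standby device's state is Backup.
CLI command: get nsrp
Example: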
JP1000A(M)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 5, no name
local unit id: 10222208
active units discovered:
index: 0, unit id: 10222208, ctrl mac: 0026889bfa8a, data mac: 0026889bfa98
index: 1, unit id: 10670336, ctrl mac: 002283a2d10a, data mac: 002283a2d118
total number of units: 2
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members
0 150 no 3 no 10670336 myself
total number of vsd groups: 1
Total iteration=11847161,time=2038032204,max=389626,min=246,average=172
RTO mirror info:
run time object sync: enabled
route synchronization: disabled
coldstart sync done
nsrp data packet forwarding is enabled
nsrp link info:
control channel: ethernet1/4 (ifnum: 10) mac: 0026889bfa8a state: up(probe)
data channel: ethernet2/4 (ifnum: 24) mac: 0026889bfa98 state: up(probe)
secondary path channel: redundant1 (ifnum: 128) mac: 0026889bfa87 state: up(probe)
NSRP encryption: disabled
NSRP authentication: disabled
device based nsrp monitoring threshold: 255, weighted sum: 0, not failed
device based nsrp monitor interface: redundant1(weight 255, UP) redundant2(weight 255, UP) redundant3(weight 255, UP)
device based nsrp monitor zone:
device based nsrp track ip: (weight: 255, disabled)
number of gratuitous arps: 4 (default)
config sync: enabled
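(2) JunOS
Note: On JunOS firewalls, the active and standby devices are node0 and node1 of the cluster. The active device's state is primary and the standby device's state is secondary.
Command in CLI operational mode: show chassis cluster status
Example: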
syro@JP3600A> show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover
Redundancy group: 0 , Failover count: 0
    node0                   200         primary        no       no
    node1                   50          secondary      no       no
Redundancy group: 1 , Failover count: 0
    node0                   200         primary        no       no
    node1                   50          secondary      no       no
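Added example (not part of the original manual, and not Juniper code): a routine inspection can check saved show chassis cluster status output automatically, confirming that every redundancy group has exactly one primary and one secondary node and that the failover count has not risen since the previous inspection. The function names, the previous_failovers parameter and the sample text are constructed for illustration.

```python
import re

# Constructed sample in the layout of "show chassis cluster status";
# redundancy group 1 is shown in an unhealthy state on purpose.
SAMPLE = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 0
    node0                   200         primary        no       no
    node1                   50          secondary      no       no

Redundancy group: 1 , Failover count: 2
    node0                   200         secondary-hold no       no
    node1                   50          primary        no       no
"""

GROUP = re.compile(r"Redundancy group: (\d+)\s*, Failover count: (\d+)")
NODE = re.compile(r"\b(node\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_cluster_status(text):
    """Return {group: {"failovers": n, "nodes": {name: {...}}}}.

    Matching is position based, so it also works when the node rows of a
    group were run together on one line."""
    tokens = [(m.start(), "group", m) for m in GROUP.finditer(text)]
    tokens += [(m.start(), "node", m) for m in NODE.finditer(text)]
    groups, current = {}, None
    for _, kind, m in sorted(tokens, key=lambda t: t[0]):
        if kind == "group":
            current = groups.setdefault(
                int(m.group(1)), {"failovers": int(m.group(2)), "nodes": {}})
        elif current is not None:
            current["nodes"][m.group(1)] = {
                "priority": int(m.group(2)), "status": m.group(3),
                "preempt": m.group(4), "manual_failover": m.group(5)}
    return groups


def check_cluster(text, previous_failovers=None):
    """List findings; previous_failovers maps group -> count at the last inspection."""
    previous_failovers = previous_failovers or {}
    findings = []
    for rg, info in sorted(parse_cluster_status(text).items()):
        states = sorted(n["status"] for n in info["nodes"].values())
        if states != ["primary", "secondary"]:
            findings.append(
                f"RG{rg}: expected one primary and one secondary, got {states}")
        before = previous_failovers.get(rg, 0)
        if info["failovers"] > before:
            findings.append(
                f"RG{rg}: failover count rose from {before} to {info['failovers']}")
        manual = [name for name, n in info["nodes"].items()
                  if n["manual_failover"] == "yes"]
        if manual:
            findings.append(f"RG{rg}: manual failover flag set on {manual}")
    return findings


if __name__ == "__main__":
    for finding in check_cluster(SAMPLE, previous_failovers={0: 0, 1: 0}):
        print(finding)
```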
1.17 Viewing cluster interface status (JunOS only)
Command in CLI operational mode: show chassis cluster interfaces
Example:
syro@JP3600A> show chassis cluster interfaces
Control link 0 name: em0
Control link 1 name: em1
Control link status: Up
Fabric interfaces:
Name    Child-interface    Status
fab0    ge-0/0/10          up
fab0    ge-0/0/11          up
fab1    ge-13/0/10         up
fab1    ge-13/0/11         up
Fabric link status: Up
Redundant-ethernet Information:
Name     Status    Redundancy-group
reth0    Up        1
reth1    Up        1
reth2    Down      Not configured
reth3    Down      Not configured
Interface Monitoring:
Interface    Weight    Status    Redundancy-group
xe-17/0/1    200       Up        1
xe-17/0/0    200       Up        1
xe-14/0/1    200       Up        1
xe-14/0/0    200       Up        1
xe-4/0/1     200       Up        1
xe-4/0/0     200       Up        1
xe-1/0/1     200       Up        1
xe-1/0/0     200       Up        1
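1.18 Viewing configuration synchronization status (ScreenOS only)
CLI command: exec nsrp sync global-config check-sum
Note: On systems running a version below 6.2, use the get db s command to view the check result.
Example:
JP1000A(B)-> exec nsrp sync global-config check-sum
JP1000A(B)-> get db s
configuration in sync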
1.19 Common troubleshooting commands
1.19.1 ping
(1) ScreenOS
Method 1: Ping the destination IP directly
CLI command: ping IP_address
Example:
JP1000A -> ping 8.8.8.8
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/2/4 ms
Method 2: Ping the destination IP from a specified interface
CLI command: ping IP_address from interface
Example:
JP1000A -> ping 8.8.8.8 from eth1/3
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/2/4 ms
Method 3: Extended ping
CLI command: ping
Example:
JP1000A -> ping
Target IPv4 address:8.8.8.8
Repeat count [5]:
Datagram size [100]:
Timeout in seconds[1]:
Source interface:eth1/3
Type escape sequence to abort
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 1 seconds
!!!!!
Success Rate is 100 percent (5/5), round-trip time min/avg/max=2/3/6 ms
(2) JunOS
The ping command supports many options, such as packet size, packet count, source IP, source interface and rapid ping.
Common command examples:
syro@JP650A > ping 8.8.8.8
syro@JP650A > ping 8.8.8.8 size 1400
syro@JP650A > ping 8.8.8.8 count 100
syro@JP650A > ping 8.8.8.8 source 202.99.20.144
syro@JP650A > ping 8.8.8.8 interface ge-2/0/2.0
syro@JP650A > ping 8.8.8.8 count 10000 rapid
The ping command has the following options:
syro@JP650A > ping ?
Possible completions:
  atm                  Ping remote Asynchronous Transfer Mode node
  bypass-routing       Bypass routing table, use specified interface
  clns                 Ping ISO node
  count                Number of ping requests to send (1..2000000000 packets)
  detail               Display incoming interface of received packet
  do-not-fragment      Don't fragment echo request packets (IPv4)
  inet                 Force ping to IPv4 destination
  inet6                Force ping to IPv6 destination
  interface            Source interface (multicast, all-ones, unrouted packets)
  interval             Delay between ping requests (seconds)
+ loose-source         Intermediate loose source route entry (IPv4)
  mpls                 Ping label-switched path
  no-resolve           Don't attempt to print addresses symbolically
  pattern              Hexadecimal fill pattern
  rapid                Send requests rapidly (default count of 5)
  record-route         Record and report packet's path (IPv4)
  routing-instance     Routing instance for ping attempt
  size                 Size of request packets (0..65468 bytes)
  source               Source address of echo request
  strict               Use strict source route option (IPv4)
+ strict-source        Intermediate strict source route entry (IPv4)
  tos                  IP type-of-service value (0..255)
  ttl                  IP time-to-live value (IPv6 hop-limit value) (1..255 hops)
  verbose              Display detailed output
  vpls                 Ping VPLS MAC address
  wait                 Maximum wait time after sending final packet (seconds)
1.19.2 telnet
(1) ScreenOS (supported in ScreenOS 6.2 and later)
Common CLI commands: telnet IP_address port port_number, or telnet IP_address port port_number src-interface interface_name
Example:
JP1000A -> telnet 8.8.8.8 port 80 src-interface eth1/3
(2) JunOS
Common command in CLI operational mode: telnet IP_address port port_number
The telnet command has the following options:
syro@JP650A > telnet ?
Possible completions:
  bypass-routing       Bypass routing table, use specified interface
  inet                 Force telnet to IPv4 destination
  inet6                Force telnet to IPv6 destination
  interface            Name of interface for outgoing traffic
  no-resolve           Don't attempt to print addresses symbolically
  port                 Port number or service name on remote host
  routing-instance     Name of routing instance for telnet session
  source               Source address to use in telnet connection
Example:
syro@JP650A > telnet 8.8.8.8 port 80
1.19.3 trace route
(1) ScreenOS
Common CLI command: trace-route IP_address
Example:
JP1000A -> trace-route 8.8.8.8
Type escape sequence to escape
Send ICMP echos to 8.8.8.8, timeout is 2 seconds, maximum hops are 32,
 1 2ms 0ms 0ms 11.14.2.12
 2 1ms 0ms 1ms 12.20.1.13
 3 1ms 1ms 2ms 124.202.11.33
 4 2ms 2ms 4ms 124.202.11.9
 5 2ms 1ms 1ms 124.205.97.134
 6 2ms 1ms 1ms 124.205.97.166
 7 2ms 1ms 1ms 8.8.8.8
Trace complete
(2) JunOS
Common command in CLI operational mode: traceroute IP_address
The traceroute command has the following options:
syro@JP650A > traceroute ?
Possible completions:
  bypass-routing       Bypass routing table, use specified interface
  clns                 Trace route to CLNS remote host
  gateway              Address of router gateway to route through
  inet                 Force traceroute to IPv4 destination
  inet6                Force traceroute to IPv6 destination
  interface            Name of interface to use for outgoing traffic
  monitor              Monitor network connection to remote host
  mpls                 Trace MPLS paths
  no-resolve           Don't attempt to print addresses symbolically
  routing-instance     Name of routing instance for traceroute attempt
  source               Source address to use in outgoing traceroute packets
  tos                  IP type-of-service field (IPv4) (0..255)
  ttl                  IP maximum time-to-live value (or IPv6 maximum hop-limit value)
  wait                 Number of seconds to wait for response (seconds)
Example:
syro@JP650A > traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 40 byte packets
 1 20.9.2.12 (20.9.2.12) 2.091 ms 1.654 ms 1.499 ms
 2 20.10.5.14 (20.10.5.14) 3.467 ms 1.743 ms 1.536 ms
 3 61.148.155.77 (61.148.155.77) 9.567 ms 8.245 ms 2.784 ms
 4 124.65.59.1 (124.65.59.1) 11.292 ms 3.542 ms 3.454 ms
 5 202.96.12.157 (202.96.12.157) 5.854 ms 5.401 ms 6.029 ms
 6 219.158.101.122 (219.158.101.122) 38.560 ms 38.521 ms 38.798 ms
 7 219.158.11.154 (219.158.11.154) 42.585 ms 48.427 ms 48.088 ms
 8 219.158.97.6 (219.158.97.6) 64.899 ms 51.967 ms 43.864 ms
 9 219.158.3.238 (219.158.3.238) 43.207 ms 49.144 ms 209.947 ms
10 72.14.215.130 (72.14.215.130) 125.258 ms 46.544 ms 46.714 ms
11 209.85.248.60 (209.85.248.60) 46.752 ms 46.828 ms 46.709 ms
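1.19.4 Collecting support information
(1) ScreenOS (requires a user with read-write or root privileges)
Method 1: Capture the on-screen output of the get tech-support command. Remember to adjust the SSH client's buffer size or its logging settings.
CLI command: get tech-support
Method 2: Save the output of the get tech-support command to a TFTP server. Confirm that the TFTP server service is working properly.
CLI command: get tech-support > tftp server_IP file_name
Example: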
JP1000A->get tech-support > tftp 10.1.35.11 session.log