Juniper Firewall Routine Maintenance Handbook (v 20131112)

Author: Su Yi (苏毅)
Reviewer:
Category: Other
Subcategory: Guidance handbook
Updated: 2013-11-12
Keywords: Juniper, NetScreen, firewall, routine maintenance, ScreenOS, JunOS, NS, ISG, SSG, SRX

Abstract: This handbook guides on-site Juniper firewall engineers through routine operations. On-site engineers can pick the commands that match their daily tasks from this document. It covers essentially all of the guidance needed for on-site maintenance work, including routine operations and inspection operations; each engineer can also decide the content of the daily inspection according to the characteristics of their own on-site project.

Main applicable environment: Juniper firewall operations and maintenance.
Juniper ScreenOS firewalls, product models: NS series, ISG series, SSG series.
Juniper JunOS firewalls, product models: SRX series (the SRX Branch series covers SRX650 and below; the SRX High-end series covers SRX1K, 3K and SRX5K).

Version history

    Version      Drafted/modified by    Date          Change/reason
    V20131112    Su Yi (苏毅)           2013-11-12    Created

Contents

Version history
Contents
1. Routine operations
1.1 View hardware information
1.2 View OS information
1.3 View CPU/SPU utilization
1.3.1 View CPU/SPU utilization
1.3.2 View per-second CPU utilization
1.4 View memory utilization
1.5 SRX RE CPU utilization/memory utilization (JunOS only)
1.6 View session information
1.6.1 View the total session count
1.6.2 View the number of new sessions per second
1.6.3 View all firewall session entries
1.6.4 View sessions by filter condition
1.6.5 View session details
1.6.6 Save all firewall session entries
1.7 View alarm logs
1.8 View event logs, ScreenOS
1.8.1 View all event logs (ScreenOS only)
1.8.2 View event logs filtered by event level (ScreenOS only)
1.8.3 View event logs filtered by time (ScreenOS only)
1.9 View event logs, JunOS
1.10 View policy traffic logs
1.11 View/back up the configuration
1.12 View interface status
1.12.1 View the status of all interfaces
1.12.2 View the details of a single interface
1.13 View the ARP table
1.14 View routes
1.14.1 View all routes
1.14.2 View the route to a specific destination address
1.15 View policies
1.15.1 View all policies
1.15.2 View the details of a single policy
1.16 View firewall active/standby status
1.17 View cluster interface status (JunOS only)
1.18 View configuration synchronization status (ScreenOS only)
1.19 Common troubleshooting commands
1.19.1 ping
1.19.2 telnet
1.19.3 trace route
1.19.4 Collect support information
1.20 View information by filter condition
2. Emergency operations
2.1 Clear the ARP entry for a specified IP
2.2 Clear session entries for a specified source IP/destination IP
2.3 Disable and enable a port
2.3.1 Disable a port
2.3.2 Enable a port
2.4 Switch the firewall active/standby state
2.5 Synchronize sessions (ScreenOS only)
2.6 Reboot the device
3. Routine maintenance schedule
3.1 Daily inspection recommendations
3.2 Weekly inspection recommendations
3.3 Monthly inspection recommendations
3.4 Ad hoc maintenance recommendations

1. Routine operations

1.1 View hardware information

(1) ScreenOS
The CLI command is: get chassis
Example:

    JP1000A- get chassis
    Chassis Environment:
      Power Supply: Good
      Fan Status: Good
      CPU Temperature: 98F ( 37C)
    Slot Information:
      Slot  Type          S/N               Assembly-No  Version  Temperature
      0     System Board  0993072011000999  0066-004     F01      86F (30C), 87F (31C)
      4     Management    0099082011000999  0049-004     D19      98F (37C)
      5     ASIC Board    002079351g110017  0065-002     B00
    Marin FPGA version 9, Jupiter ASIC version 1, Fresno FPGA version 110
    I/O Board
      Slot  Type                   S/N               Version  FPGA version
      2     4 port miniGBIC (0x3)  0994092011000999  B02      26
      1     4 port 10/100/1000T                               38
    Alarm Control Information:
      Power failure audible alarm: disabled
      Fan failure audible alarm: disabled
      Low battery audible alarm: disabled
      Temperature audible alarm: disabled
      Normal alarm temperature is 132F (56C)
      Severe alarm temperature is 150F (66C)

(2) JunOS
The command in CLI operational mode is: show chassis hardware
Example:

    syroJP650A show chassis hardware
    Hardware inventory:
    Item             Version  Part number  Serial number  Description
    Chassis                                AJ4309AA0999   SRX650
    Midplane         REV 08   710-023875   AAAS7310
    System IO        REV 08   710-023209   AAAS9446       SRXSME System IO
    Routing Engine   REV 14   750-023223   AAAW4729       RE-SRXSME-SRE6
    FPC 0                                                 FPC
      PIC 0                                               4x GE Base PIC
    FPC 2            REV 07   750-026182   AAAS7999       FPC
      PIC 0                                               16x GE gPIM
    Power Supply 0   Rev 03   740-024283   TH01999        PS 645W AC
    Power Supply 1   Rev 03   740-024283   TH01099        PS 645W AC

1.2 View OS information

(1) ScreenOS
The CLI command is: get system
Example:

    JP1000A- get system
    Product Name: NetScreen-ISG1000
    Serial Number: 0993072011000999, Control Number: 00000000
    Hardware Version: 3010(0)-(04), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
    Software Version: 6.1.0r7-cu12.0, Type: Firewall+VPN
    OS Loader Version: 1.0.2
    Compiled by build_master at: Wed Apr 28 23:08:24 PDT 2010
    Base Mac: 0026.889b.fa80
    File Name: default (screenos_image), Checksum: de317771, Total Memory: 1024MB
    Date 01/01/2013 11:50:43, Daylight Saving Time disabled
    The Network Time Protocol is Enabled
    Up 3286 hours 23 minutes 35 seconds Since 17Aug2012:13:27:08
    Total Device Resets: 0

(2) JunOS
The command in CLI operational mode is: show system software
Example:

    syroJP650A show system software
    Information for junos:
    Comment:
    JUNOS Software Release 10.4R10.7

1.3 View CPU/SPU utilization

1.3.1 View CPU/SPU utilization

(1) ScreenOS CPU
The CLI command is: get performance cpu
Example:

    JP1000A- get performance cpu
    Average System Utilization: 1%
    Last 1 minute: 2%, Last 5 minutes: 2%, Last 15 minutes: 2%

(2) JunOS SPU
When SPU utilization reaches 60% it needs attention: the network or the device may be behaving abnormally.
In CLI operational mode, the command to view the SPU utilization of an SRX Branch firewall is: show security monitoring fpc 0
Example:

    syroJP650A show security monitoring fpc 0
    FPC 0
      PIC 0
        CPU utilization : 0 %
        Memory utilization : 67 %
        Current flow session : 16
        Max flow session : 524288

SRX High-end firewalls use a distributed architecture, so the command depends on the slots the SPC cards occupy. For example, an SRX3600 fitted with 2 SPCs, in slot 7 and slot 8, needs the SPU utilization of each to be checked separately. Also, once an SRX3600 pair has been clustered using virtual-chassis technology, node0 is the primary firewall and node1 is the backup firewall.
In CLI operational mode, the commands to view the SPU of an SRX3600 firewall are: show security monitoring fpc 7 and show security monitoring fpc 8
Example:

    syroJP3600A show security monitoring fpc 7
    node0:-
    FPC 7
      PIC 0
        CPU utilization : 2 %
        Memory utilization : 64 %
        Current flow session : 5265
        Max flow session : 524288
        Current CP session : 16401
        Max CP session : 2359296
    node1:-
    FPC 7
      PIC 0
        CPU utilization : 0 %
        Memory utilization : 64 %
        Current flow session : 5582
        Max flow session : 524288
        Current CP session : 17131
        Max CP session : 2359296
    primary:node0
    syroJP3600A show security monitoring fpc 8
    node0:-
    FPC 8
      PIC 0
        CPU utilization : 3 %
        Memory utilization : 66 %
        Current flow session : 10977
        Max flow session : 1048576
        Current CP session : 0
        Max CP session : 0
    node1:-
    FPC 8
      PIC 0
        CPU utilization : 0 %
        Memory utilization : 66 %
        Current flow session : 11382
        Max flow session : 1048576
        Current CP session : 0
        Max CP session : 0
    primary:node0

1.3.2 View per-second CPU utilization

(1) ScreenOS
The CLI command is: get performance cpu all detail
Example:

    JP1000A.GL-IT.SDA(M)- get performance cpu all detail
    Average System Utilization: 1% (flow 1 task 1)
    Last 60 seconds:
    59: 2( 1 1)  58: 2( 1 1)  57: 2( 1 1)  56: 2( 1 1)  55: 2( 1 1)  54: 2( 1 1)
    53: 2( 1 1)  52: 2( 1 1)  51: 2( 1 1)  50: 2( 1 1)  49: 2( 1 1)  48: 2( 1 1)
    47: 2( 1 1)  46: 2( 1 1)  45: 2( 1 1)  44: 2( 1 1)  43: 2( 1 1)  42: 2( 1 1)
    41: 2( 1 1)  40: 2( 1 1)  39: 2( 1 1)  38: 2( 1 1)  37: 2( 1 1)  36: 2( 1 1)
    35: 2( 1 1)  34: 2( 1 1)  33: 2( 1 1)  32: 2( 1 1)  31: 2( 1 1)  30: 2( 1 1)
    29: 2( 1 1)  28: 2( 1 1)  27: 2( 1 1)  26: 2( 1 1)  25: 2( 1 1)  24: 2( 1 1)
    23: 2( 1 1)  22: 2( 1 1)  21: 2( 1 1)  20: 2( 1 1)  19: 2( 1 1)  18: 2( 1 1)
    17: 2( 1 1)  16: 2( 1 1)  15: 2( 1 1)  14: 2( 1 1)  13: 2( 1 1)  12: 2( 1 1)
    11: 2( 1 1)  10: 2( 1 1)   9: 2( 1 1)   8: 2( 1 1)   7: 2( 1 1)   6: 2( 1 1)
     5: 2( 1 1)   4: 2( 1 1)   3: 2( 1 1)   2: 2( 1 1)   1: 2( 1 1)   0: 2( 1 1)
    Last 60 minutes:
    59: 2( 1 1)  58: 2( 1 1)  57: 2( 1 1)  56: 2( 1 1)  55: 2( 1 1)  54: 2( 1 1)
    53: 2( 1 1)  52: 2( 1 1)  51: 2( 1 1)  50: 2( 1 1)  49: 2( 1 1)  48: 2( 1 1)
    47: 2( 1 1)  46: 2( 1 1)  45: 2( 1 1)  44: 2( 1 1)  43: 2( 1 1)  42: 2( 1 1)
    41: 2( 1 1)  40: 2( 1 1)  39: 2( 1 1)  38: 2( 1 1)  37: 2( 1 1)  36: 2( 1 1)
    35: 2( 1 1)  34: 2( 1 1)  33: 2( 1 1)  32: 2( 1 1)  31: 2( 1 1)  30: 2( 1 1)
    29: 2( 1 1)  28: 2( 1 1)  27: 2( 1 1)  26: 2( 1 1)  25: 2( 1 1)  24: 2( 1 1)
    23: 2( 1 1)  22: 2( 1 1)  21: 2( 1 1)  20: 2( 1 1)  19: 2( 1 1)  18: 2( 1 1)
    17: 2( 1 1)  16: 2( 1 1)  15: 2( 1 1)  14: 2( 1 1)  13: 2( 1 1)  12: 2( 1 1)
    11: 2( 1 1)  10: 2( 1 1)   9: 2( 1 1)   8: 2( 1 1)   7: 2( 1 1)   6: 2( 1 1)
     5: 2( 1 1)   4: 2( 1 1)   3: 2( 1 1)   2: 2( 1 1)   1: 2( 1 1)   0: 2( 1 1)
    Last 24 hours:
    23: 2( 1 1)  22: 2( 1 1)  21: 2( 1 1)  20: 2( 1 1)  19: 2( 1 1)  18: 2( 1 1)
    17: 1( 1 1)  16: 2( 1 1)  15: 1( 1 1)  14: 2( 1 1)  13: 1( 1 1)  12: 1( 1 1)
    11: 2( 1 1)  10: 2( 1 1)   9: 2( 1 1)   8: 2( 1 1)   7: 2( 1 1)   6: 1( 1 1)
     5: 1( 1 1)   4: 2( 1 1)   3: 2( 1 1)   2: 2( 1 1)   1: 2( 1 1)   0: 2( 1 1)

(2) JunOS
The command in CLI operational mode is: show security monitoring performance spu
Example:

    syroJP650A show security monitoring performance spu
    fpc 0 pic 0
    Last 60 seconds:
     0: 0   1: 0   2: 0   3: 0   4: 0   5: 0
     6: 0   7: 0   8: 0   9: 0  10: 0  11: 0
    12: 0  13: 0  14: 0  15: 0  16: 0  17: 0
    18: 0  19: 0  20: 0  21: 0  22: 0  23: 0
    24: 0  25: 0  26: 0  27: 0  28: 0  29: 0
    30: 0  31: 0  32: 0  33: 0  34: 0  35: 0
    36: 0  37: 0  38: 0  39: 0  40: 0  41: 0
    42: 0  43: 0  44: 0  45: 0  46: 0  47: 0
    48: 0  49: 0  50: 0  51: 0  52: 0  53: 0
    54: 0  55: 0  56: 0  57: 0  58: 0  59: 0

    syroJP3600A show security monitoring performance spu
    node0:-
    fpc 7 pic 0
    Last 60 seconds:
     0: 0   1: 0   2: 0   3: 0   4: 0   5: 0
     6: 0   7: 0   8: 0   9: 0  10: 0  11: 0
    12: 0  13: 0  14: 0  15: 0  16: 0  17: 0
    18: 0  19: 0  20: 0  21: 0  22: 0  23: 0
    24: 0  25: 0  26: 0  27: 0  28: 0  29: 0
    30: 0  31: 0  32: 0  33: 0  34: 0  35: 0
    36: 0  37: 0  38: 0  39: 0  40: 0  41: 0
    42: 0  43: 0  44: 0  45: 0  46: 0  47: 0
    48: 0  49: 0  50: 0  51: 0  52: 0  53: 0
    54: 0  55: 0  56: 0  57: 0  58: 0  59: 0
    fpc 8 pic 0
    Last 60 seconds:
     0: 0   1: 0   2: 0   3: 0   4: 0   5: 0
     6: 0   7: 0   8: 0   9: 0  10: 0  11: 0
    12: 0  13: 0  14: 0  15: 0  16: 0  17: 0
    18: 0  19: 0  20: 0  21: 0  22: 0  23: 0
    24: 0  25: 0  26: 0  27: 0  28: 0  29: 0
    30: 0  31: 0  32: 0  33: 0  34: 0  35: 0
    36: 0  37: 0  38: 0  39: 0  40: 0  41: 0
    42: 0  43: 0  44: 0  45: 0  46: 0  47: 0
    48: 0  49: 0  50: 0  51: 0  52: 0  53: 0
    54: 0  55: 0  56: 0  57: 0  58: 0  59: 0
    node1:-
    fpc 7 pic 0
    Last 60 seconds:
     0: 0   1: 0   2: 0   3: 0   4: 0   5: 0
     6: 0   7: 0   8: 0   9: 0  10: 0  11: 0
    12: 0  13: 0  14: 0  15: 0  16: 0  17: 0
    18: 0  19: 0  20: 0  21: 0  22: 0  23: 0
    24: 0  25: 0  26: 0  27: 0  28: 0  29: 0
    30: 0  31: 0  32: 0  33: 0  34: 0  35: 0
    36: 0  37: 0  38: 0  39: 0  40: 0  41: 0
    42: 0  43: 0  44: 0  45: 0  46: 0  47: 0
    48: 0  49: 0  50: 0  51: 0  52: 0  53: 0
    54: 0  55: 0  56: 0  57: 0  58: 0  59: 0
    fpc 8 pic 0
    Last 60 seconds:
     0: 0   1: 0   2: 0   3: 0   4: 0   5: 0
     6: 0   7: 0   8: 0   9: 0  10: 0  11: 0
    12: 0  13: 0  14: 0  15: 0  16: 0  17: 0
    18: 0  19: 0  20: 0  21: 0  22: 0  23: 0
    24: 0  25: 0  26: 0  27: 0  28: 0  29: 0
    30: 0  31: 0  32: 0  33: 0  34: 0  35: 0
    36: 0  37: 0  38: 0  39: 0  40: 0  41: 0
    42: 0  43: 0  44: 0  45: 0  46: 0  47: 0
    48: 0  49: 0  50: 0  51: 0  52: 0  53: 0
    54: 0  55: 0  56: 0  57: 0  58: 0  59: 0
    primary:node0

1.4 View memory utilization

(1) ScreenOS
Memory utilization on the ScreenOS platform generally does not change.
The CLI command is: get memory
Example:

    JP1000A- get memory
    Memory: allocated 536091296, left 238802224, frag 68, fail 0

(2) JunOS
When SPU memory utilization reaches 70% it needs attention: the network or the device may be behaving abnormally.
In CLI operational mode, the command to view the SPC memory utilization of an SRX Branch firewall is: show security monitoring fpc 0
Example:

    syroJP650A show security monitoring fpc 0
    FPC 0
      PIC 0
        CPU utilization : 0 %
        Memory utilization : 67 %
        Current flow session : 16
        Max flow session : 524288

SRX High-end firewalls use a distributed architecture, so the command depends on the slots the SPC cards occupy. For example, an SRX3600 fitted with 2 SPCs, in slot 7 and slot 8, needs the SPU memory utilization of each to be checked separately. Also, an SRX3600 pair is clustered using virtual-chassis technology; node0 is the primary firewall and node1 is the backup firewall.
In CLI operational mode, the commands to view the SPU memory utilization of an SRX3600 firewall are: show security monitoring fpc 7 and show security monitoring fpc 8
Example:

    syroJP3600A show security monitoring fpc 7
    node0:-
    FPC 7
      PIC 0
        CPU utilization : 2 %
        Memory utilization : 64 %
        Current flow session : 5265
        Max flow session : 524288
        Current CP session : 16401
        Max CP session : 2359296
    node1:-
    FPC 7
      PIC 0
        CPU utilization : 0 %
        Memory utilization : 64 %
        Current flow session : 5582
        Max flow session : 524288
        Current CP session : 17131
        Max CP session : 2359296
    primary:node0
    syroJP3600A show security monitoring fpc 8
    node0:-
    FPC 8
      PIC 0
        CPU utilization : 3 %
        Memory utilization : 66 %
        Current flow session : 10977
        Max flow session : 1048576
        Current CP session : 0
        Max CP session : 0
    node1:-
    FPC 8
      PIC 0
        CPU utilization : 0 %
        Memory utilization : 66 %
        Current flow session : 11382
        Max flow session : 1048576
        Current CP session : 0
        Max CP session : 0

1.5 SRX RE CPU utilization/memory utilization (JunOS only)

The CPU of the RE on SRX series firewalls is used mainly for managing the device. Its CPU load fluctuates considerably, and a momentary 100% is normal. When the RE's CPU utilization stays above 45% for a long time, it needs attention; when the RE's memory utilization stays above 60% for a long time, check the RE's current running load.
The command in CLI operational mode is: show chassis routing-engine
Example:

    syroJP650A show chassis routing-engine
    Routing Engine status:
        Temperature                 31 degrees C / 87 degrees F
        CPU temperature             31 degrees C / 87 degrees F
        Total memory              2048 MB Max 1065 MB used ( 52 percent)
          Control plane memory    1104 MB Max 442 MB used ( 40 percent)
          Data plane memory        944 MB Max 632 MB used ( 67 percent)
        CPU utilization:
          User                       6 percent
          Background                 0 percent
          Kernel                     1 percent
          Interrupt                  0 percent
          Idle                      93 percent
        Model                       RE-SRXSME-SRE6
        Serial ID                   AAAW4729
        Start time                  2012-07-12 17:54:51 CST
        Uptime                      177 days, 15 hours, 50 minutes, 35 seconds
        Last reboot reason          0x200:chassis control reset
        Load averages:              1 minute   5 minute  15 minute
                                        0.41       0.26       0.19

    syroJP3600A show chassis routing-engine
    node0:-
    Routing Engine status:
      Slot 0:
        Current state               Master
        Election priority           Master (default)
        DRAM                      1023 MB
        Memory utilization          39 percent
        CPU utilization:
          User                       0 percent
          Background                 0 percent
          Kernel                     5 percent
          Interrupt                  0 percent
          Idle                      94 percent
        Model                       RE-PPC-1200-A
        Start time                  2012-07-13 10:06:41 CST
        Uptime                      176 days, 23 hours, 40 minutes, 35 seconds
        Last reboot reason          0x1:power cycle/failure
        Load averages:              1 minute   5 minute  15 minute
                                        0.12       0.10       0.08
    node1:-
    Routing Engine status:
      Slot 0:
        Current state               Master
        Election priority           Master (default)
        DRAM                      1023 MB
        Memory utilization          34 percent
        CPU utilization:
          User                       0 percent
          Background                 0 percent
          Kernel                     5 percent
          Interrupt                  0 percent
          Idle                      95 percent
        Model                       RE-PPC-1200-A
        Start time                  2012-07-16 14:39:07 CST
        Uptime                      173 days, 19 hours, 6 minutes, 11 seconds
        Last reboot reason          Router rebooted after a normal shutdown.
        Load averages:              1 minute   5 minute  15 minute
                                        0.14       0.06       0.01

1.6 View session information

1.6.1 View the total session count

(1) ScreenOS
When the current session total reaches 2 times the usual peak, or 70% of the device's maximum session count, it needs attention and an alert.
The CLI command is: get session info
Example:

    JP1000A- get session info
    alloc 730/max 524288, alloc failed 0, mcast alloc 0, di alloc failed 0
    total reserved 0, free sessions in shared pool 523558
    slot 2: hw0 alloc 730/max 524287

(2) JunOS
The current session total reaches
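
An added example, not part of the handbook: Python that parses text shaped like the output of show security monitoring fpc and of ScreenOS get session info, then applies the attention thresholds given in sections 1.3.1, 1.4 and 1.6.1. The sample text is constructed, and the function names and the usual_peak baseline parameter are assumptions of this example.

```python
import re

# Thresholds from sections 1.3.1, 1.4 and 1.6.1 of the handbook.
SPU_CPU_WARN, SPU_MEM_WARN = 60, 70   # percent
SESSION_MAX_RATIO = 0.70              # share of the device maximum
SESSION_PEAK_FACTOR = 2               # multiple of the usual peak

# Constructed sample shaped like `show security monitoring fpc 7` on a cluster.
SAMPLE_FPC = """\
node0:
FPC 7
  PIC 0
    CPU utilization          :   63 %
    Memory utilization       :   64 %
node1:
FPC 7
  PIC 0
    CPU utilization          :    0 %
    Memory utilization       :   71 %
primary:node0
"""
# Constructed sample shaped like ScreenOS `get session info`.
SAMPLE_SESSION = "alloc 380000/max 524288, alloc failed 0, mcast alloc 0"

def parse_fpc(text):
    """Map (node, fpc, pic) -> {field: int}; node is 'local' on a standalone unit."""
    units, node, fpc, key = {}, "local", None, None
    for line in text.splitlines():
        if m := re.match(r"\s*(node\d+):", line):
            node, key = m.group(1), None          # new cluster node section
        elif m := re.match(r"\s*FPC (\d+)", line):
            fpc = int(m.group(1))
        elif m := re.match(r"\s*PIC (\d+)", line):
            key = (node, fpc, int(m.group(1)))
            units[key] = {}
        elif key and (m := re.match(r"\s*([A-Za-z ]+?)\s*:\s*(\d+)", line)):
            units[key][m.group(1)] = int(m.group(2))
    return units

def spu_alerts(text):
    """List (node, fpc, pic, field, value) for each SPU figure at or over its threshold."""
    limits = {"CPU utilization": SPU_CPU_WARN, "Memory utilization": SPU_MEM_WARN}
    return [(*key, name, f[name]) for key, f in sorted(parse_fpc(text).items())
            for name, limit in limits.items() if f.get(name, -1) >= limit]

def session_alert(line, usual_peak):
    """True when ScreenOS sessions reach 2x the usual peak or 70% of the maximum."""
    used, cap = map(int, re.search(r"alloc (\d+)/max (\d+)", line).groups())
    return used >= SESSION_PEAK_FACTOR * usual_peak or used >= SESSION_MAX_RATIO * cap
```

The usual_peak value has to come from the site's own baseline; the handbook gives the factor of 2 but no absolute figure.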
