SRX3600防火墙日常检查命令.doc

SRX3600防火墙日常检查命令命令描述show version检查设备的版本是否一致show chassis routing-engineshow system process extensive restart mib-process immediately 检查系统CPU使用率检查进程cpu利用率重启mib2d进程show chassis hardware检查设备的硬件信息show chassis fpc检查设备各个板卡的状态show chassis environment.检查设备温度的状态show chassis environment pem检查设备的电源功率show chassis alarm检查设备硬件告警信息show system alarm检查设备系统的告警信息show chassis cluster statusshow chassis cluster information检查设备的双机状态show security flow session summary.检查设备的会话数量show interface fab0检查防火墙新建会话数show interface ter检查接口状态信息 也可以通过MIB值查看设备的相关信息SRX36001.3.6.1.4.1.2636.3.39.1.12.1.1.1.4.7（最后一位数5表示SPC板卡所在的node0槽位号）SPC 板卡cpu利用率，尾数为7的是主机；尾数为33的是备机；1.3.6.1.4.1.2636.3.39.1.12.1.1.1.4.33（最后一位数31表示SPC板卡所在的node1槽位号）1.3.6.1.4.1.2636.3.39.1.12.1.1.1.5.7（最后一位数5表示SPC板卡所在的node0槽位号）SPC 板卡内存利用率，尾数为7的是主机；尾数为33的是备机；1.3.6.1.4.1.2636.3.39.1.12.1.1.1.5.33（最后一位数31表示SPC板卡所在的node1槽位号）1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6.7（最后一位数5表示SPC板卡所在的node0槽位号）SPC 板卡并发会话数，尾数为7的是主机；尾数为33的是备机；1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6.33（最后一位数31表示SPC板卡所在的node1槽位号）1.3.6.1.4.1.2636.3.1.13.1.8.9.1.0.0路由引擎CPU ，末尾为1.0.0的是主机；末尾为3.0.0的是备机1.3.6.1.4.1.2636.3.1.13.1.8.9.3.0.01. 防火墙的CPU、Session会话数OID值对应的MIB文件为mib-jnx-js-spu-monitoring.txt NSRP状态OID：1.3.6.1.4.1.2636.3.1.14.1.7.9.1.0.0 控制平面的主/备1.3.6.1.4.1.2636.3.1.14.1.7.9.3.0.0 转发平面的主/备取得的值：2表示master;3表示backup;4表示disable;对应的MIB文件为mib-jnx-jsrpd.txt 2.使用此命令显示MIB值的信息：show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1.1.1.4.73.防火墙 公网IP地址NAT转换使用情况show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.7.1.1.4.1.5举例说明如下：1. 查看防火墙当前session会话总数命令：show security flow session summary adminBJBJ-PS-WAP4-FW01 show security flow session summary node 0 node0:-Flow Sessions on FPC7 PIC0:Unicast-sessions: 189499Multicast-sessions: 0Failed-sessions: 0Sessions-in-use: 193363 Valid sessions: 189196 Pending sessions: 2 Invalidated sessions: 3859 Sessions in other states: 0Maximum-sessions: 524288primary:node0表示防火墙目前的会话总数为：1933632. 查看防火墙每秒中新建会话数量命令如下：show interface fab0adminBJBJ-PS-WAP4-FW01 show interfaces fab0 Physical interface: fab0, Enabled, Physical link is Up Interface index: 138, SNMP ifIndex: 520 Link-level type: Ethernet, MTU: 9014, Speed: 2Gbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1, Minimum bandwidth needed: 0 Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Current address: 84:18:88:43:b0:21, Hardware address: 84:18:88:43:b0:21 Last flapped : 2011-11-22 00:40:55 CST (1w1d 00:00 ago) Input rate : 0 bps (0 pps) Output rate : 7516352 bps (2204 pps) Logical interface fab0.0 (Index 74) (SNMP ifIndex 521) Flags: SNMP-Traps 0x0 Encapsulation: ENET2 Statistics Packets pps Bytes bps Bundle: Input : 0 0 0 0 Output: 1682870581 2204 719123403018 7516352 Security: Zone: Null Protocol inet, MTU: 9000 Addresses, Flags: Is-Preferred Is-Primary Destination: 30.17.0/24, Local: 30.17.0.200, Broadcast: 30.17.0.255表示防火墙每秒中新建会话：22043. 通过查看MIB值，检查防火墙公网IP地址NAT转换数量命令如下：show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.7.1.1.4.1.5adminBJBJ-PS-WAP4-FW01 show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.7.1.1.4.1.5 jnxJsNatSrcNumPortInuse.13.115.109.115.95.49.48.45.52.45.53.45.51.54.0.10.4.5.36 = 0jnxJsNatSrcNumPortInuse.17.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.57.0.211.136.28.189 = 0jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.180 = 44840jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.181 = 45711jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.182 = 45825jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.183 = 44858primary:node0 表示目前公网IP:211.136.28.180 地址转换44840条，一个公网地址最多完成200万NAT地址转换 公网IP:211.136.28.181 地址转换45711条 公网IP:211.136.28.182 地址转换45852条 公网IP:211.136.28.183 地址转换44858条4. 检查防火墙板卡状态信息命令如下：show chassis fpcadminBJBJ-PS-WAP4-FW01 show chassis fpc node 0 node0:- Temp CPU Utilization (%) Memory Utilization (%)Slot State (C) Total Interrupt DRAM (MB) Heap Buffer 0 Online 39 14 0 1024 2 27 1 Empty 2 Empty 3 Empty 4 Empty 5 Empty 6 Empty 7 Online 49 14 0 1024 2 27 8 Empty 9 Empty 10 Online 33 14 0 1024 2 27 11 Empty 12 Empty 0槽位代表SFB(转发板卡)的状态信息，7槽位代表NPC板卡的状态信息，10槽位代表SPC板卡的状态信息。5. 检查防火墙CPU、内存利用率状态命令如下：show chassis routing-engineadminBJBJ-PS-WAP4-FW01 show chassis routing-engine node 0 node0:-Routing Engine status: Slot 0: Current state Master Election priority Master (default) DRAM 1023 MB Memory utilization 32 percent CPU utilization: User 0 percent Background 0 percent Kernel 3 percent Interrupt 0 percent Idle 96 percent Model RE-PPC-1200-A Start time 2011-11-22 00:37:47 CST Uptime 8 days, 15 minutes, 31 seconds Last reboot reason Router rebooted after a normal shutdown. Load averages: 1 minute 5 minute 15 minute 0.01 0.01 0.00目前内存利用率33%，CPU空闲96%，load average显示CPU 1分钟、5分钟、15分钟的利用率情况6. 检查防火墙双机状态命令:show chassis cluster statusadminBJBJ-PS-WAP4-FW01 show chassis cluster status Cluster ID: 1 Node Priority Status Preempt Manual failoverRedundancy group: 0 , Failover count: 1 node0 200 primary no no node1 100 secondary no no Redundancy group: 1 , Failover count: 1 node0 200 primary no no node1 100 secondary no no Redundancy group: 0为控制层面Redundancy group: 1为转发层面Redundancy group: 0 目前的主为node0（BJBJ-PS-WAP4-FW01） 备为node1（BJBJ-PS-WAP4-FW02）Redundancy group: 1 目前的主为node0（BJBJ-PS-WAP4-FW01） 备为node1（BJBJ-PS-WAP4-FW02）7. 检查防火墙硬件告警信息命令：show chassis alarmadminBJBJ-PS-WAP4-FW01 show chassis alarms node0:-No alarms currently activenode1:-No alarms currently activeprimary:node0检查结果显示目前主、备防火墙都不存在硬件告警，硬件日志信息，记录在/var/log目录下的chassis文