h3c防火墙巡检报告.docx

H3C防火墙巡检报告 巡检人员： 巡检日期：2016-05-31巡检项目一、 网络带宽、链路类型、链路信息二、 网络设备信息、设备品牌、设备型号、设备放置、设备性能参数、设备内存大小、设备槽位、设备序列号、设备购买年限、设备保修状态、设备备件状况、设备标签完善程度三、 网络设备软件版本信息、当前版本信息、最新版本信息、设备持续运行时间、设备备份情况、设备CPU利用率、设备内存利用率、设备模块运行状态、设备风扇及电源状况、设备端口数量、设备端口类别、设备端口类型、设备运行机箱温度四、 设备连通性、冗余协议运行状态、VLAN信息、以太通道信息、路由协议、邻居关系、交换协议、生成树STP协议、NAT连接数状态、FLASH信息、设备配置信息分析、多余配置信息分析、配置精简建议、安全建议、防火墙信息、防火墙策略、防火墙DMZ区检查、防火墙连接数、应用业务、IP地址使用状况五、 简单机房环境检查检查指导一、 检查设备软件版本PPC_fs1编号：ppc_fs1检查项目：H3C设备软件版本、运行时间、Memory大小等检查命令：display version备注：主要显示VRP的版本、路由器持续运行的时间、路由器主存的大小、共享存储器的大小、闪存的大小、VRP映像的文件名，以及路由器VRP从何处启动等信息。Dis version命令显示了路由器的许多非常有用的信息display version=H3C Comware Platform SoftwareComware Software, Version 5.20, Feature 5123P18Copyright (c) 2004-2013 Hangzhou H3C Tech. Co., Ltd. All rights reserved.H3C SecPath U200-CS uptime is 163 weeks, 1 day, 23 hours, 24 minutes CPU type: RMI XLS404 800MHz CPU 512M bytes DDR2 SDRAM Memory 32M bytes Flash Memory PCB Version:Ver.B Logic Version: 3.0 Basic BootWare Version: 1.33 Extend BootWare Version: 1.33 FIXED PORT CON (Hardware)Ver.B, (Driver)1.0, (Cpld)3.0 FIXED PORT GE0/0 (Hardware)Ver.B, (Driver)1.0, (Cpld)3.0 FIXED PORT GE0/1 (Hardware)Ver.B, (Driver)1.0, (Cpld)3.0 FIXED PORT GE0/2 (Hardware)Ver.B, (Driver)1.0, (Cpld)3.0 FIXED PORT GE0/3 (Hardware)Ver.B, (Driver)1.0, (Cpld)3.0 FIXED PORT GE0/4 (Hardware)Ver.B, (Driver)1.0, (Cpld)3.0 SUBCARD 1 The SubCard is not present检查结果：R正常 不正常ppc_fs2编号：ppc_fs2检查项目：H3C设备软件版本、运行时间、Memory大小等检查命令：display version备注：主要显示VRP的版本、路由器持续运行的时间约、路由器主存的大小、共享存储器的大小、闪存的大小、VRP映像的文件名，以及路由器VRP从何处启动等信息。Dis version命令显示了路由器的许多非常有用的信息=_display version=H3C Comware Platform SoftwareComware Software, Version 5.20, Feature 5123P18Comware Platform Software Version COMWAREV500R002B83D219H3C SecPath U200-CS Software Version V500R001B01D318SP05Copyright (c) 2004-2013 Hangzhou H3C Tech. Co., Ltd. All rights reserved.Compiled Jan 6 2013 12:56:02, RELEASE SOFTWAREH3C SecPath U200-CS uptime is 163 weeks, 1 day, 22 hours, 58 minutes CPU type: RMI XLS404 800MHz CPU 512M bytes DDR2 SDRAM Memory 32M bytes Flash Memory PCB Version:Ver.B Logic Version: 3.0 Basic BootWare Version: 1.33 Extend BootWare Version: 1.33 FIXED PORT CON (Hardware)Ver.B, (Driver)1.0, (Cpld)3.0 FIXED PORT GE0/0 (Hardware)Ver.B, (Driver)1.0, (Cpld)3.0 FIXED PORT GE0/1 (Hardware)Ver.B, (Driver)1.0, (Cpld)3.0 FIXED PORT GE0/2 (Hardware)Ver.B, (Driver)1.0, (Cpld)3.0 FIXED PORT GE0/3 (Hardware)Ver.B, (Driver)1.0, (Cpld)3.0 FIXED PORT GE0/4 (Hardware)Ver.B, (Driver)1.0, (Cpld)3.0 SUBCARD 1 The SubCard is not present检查结果：R正常 不正常二、 设备CPU利用率情况检查编号：ppc_fs1检查项目：H3C设备CPU利用率情况检查 检查命令：H3Cdisplay cpu H3Cdis cpu history备注：使用dis cpu命令检查设备短时间内（60秒）的CPU利用率。该命令将以百分比的形式给出路由器CPU的利用率，同时显示路由器中不同进程的CPU占用率。在通常情况下，看VIDL这个进程，这个进程是空闲进程，用100%减去这个进程所占的百分比即为设备目前CPU所占比率。通过dis cpu history可以看60分钟内的平均CPU占用率，一般情况下平均值小于50%是可以接受的，当然要根据这个设备所处位置和所跑协议。 检查范例：（由于现实内容过多，这里只截取部分）= Current CPU usage info =CPU Usage Stat. Cycle: 43 (Second)CPU Usage : 4%CPU Usage Stat. Time : 2016-06-01 14:51:34CPU Usage Stat. Tick : 0x1763b1(CPU Tick High) 0x787bd230(CPU Tick Low)Actual Stat. Cycle : 0x0(CPU Tick High) 0xae6014a8(CPU Tick Low)TaskName CPU Runtime(CPU Tick High/CPU Tick Low)IPFF 0% 0/ 16988VIDL 96% 0/a7c31313TICK 0% 0/ 10ba299STMR 0% 0/ 1472f81DRVT 0% 0/ 66c596TMSG 0% 0/ 851d36 VP 0% 0/ 89cIPCB 0% 0/ 1599cfRPCQ 0% 0/ 6e9704ADJ6 0% 0/ c67aIPCM 0% 0/ 1834bINFO 0% 0/ 7bdb OMS 0% 0/ 24b48 DEV 0% 0/ 50203SOCK 0% 0/ 41a2dADJ4 0% 0/ 275e7 ACL 0% 0/ 48dc1LAGG 0% 0/ 23432MSTP 0% 0/ 193e1PTMT 0% 0/ 1c8c8PTTP 0% 0/ 2c08f ARP 0% 0/ 2fdf47 IP 0% 0/ 74bad6FSLH 0% 0/ 11450FSLR 0% 0/ ce131NTPT 0% 0/ 1b838VTYD 0% 0/ 1271edVRRP 0% 0/ 31e108FIB6 0% 0/ 178dd ND 0% 0/ 12b5cfCWMP 0% 0/ 40565DT1X 0% 0/ 1362c ACM 0% 0/ ac957 LS 0% 0/ d9527RDSO 0% 0/ 7c8ee RDS 0% 0/ 2fdb8 SC 0% 0/ 573ec IKE 0% 0/ 5f4bIPSP 0% 0/ 52406L2TP 0% 0/ cc1b4MACA 0% 0/ 1961dPSEC 0% 0/ 182a7ULOG 0% 0/ bd352MFIB 0% 0/ 6824STND 0% 0/ 4c1caROUT 0% 0/ c2d864WIDS 0% 0/ bd689IFNT 0% 0/ 1c665 vt0 0% 0/ 89b91b检查结果：R正常 不正常编号：ppc_fs2检查项目：H3C设备CPU利用率情况检查 检查命令：H3Cdisplay cpu H3Cdis cpu history备注：使用dis cpu命令检查设备短时间内（60秒）的CPU利用率。该命令将以百分比的形式给出路由器CPU的利用率，同时显示路由器中不同进程的CPU占用率。在通常情况下，看VIDL这个进程，这个进程是空闲进程，用100%减去这个进程所占的百分比即为设备目前CPU所占比率。通过dis cpu history可以看60分钟内的平均CPU占用率，一般情况下平均值小于50%是可以接受的，当然要根据这个设备所处位置和所跑协议。 检查范例：（由于现实内容过多，这里只截取部分） =running CPU usage information= Current CPU usage info =CPU Usage Stat. Cycle: 24 (Second)CPU Usage : 4%CPU Usage Stat. Time : 2016-06-01 14:47:40CPU Usage Stat. Tick : 0x176399(CPU Tick High) 0x28104223(CPU Tick Low)Actual Stat. Cycle : 0x0(CPU Tick High) 0x612f02ab(CPU Tick Low)TaskName CPU Runtime(CPU Tick High/CPU Tick Low)IPFF 0% 0/ d33eVIDL 96% 0/5d94f361TICK 0% 0/ 7d943aSTMR 0% 0/ b9a604DRVT 0% 0/ 371baaTMSG 0% 0/ 3db147IPCB 0% 0/ 9fd14RPCQ 0% 0/ 392a8bADJ6 0% 0/ 6d00IPCM 0% 0/ cfabINFO 0% 0/ 73ee OMS 0% 0/ 14013 DEV 0% 0/ 27c0fSOCK 0% 0/ 1ce79ADJ4 0% 0/ 16208 ACL 0% 0/ 2996aLAGG 0% 0/ 11bb4MSTP 0% 0/ dde7PTMT 0% 0/ fe2cPTTP 0% 0/ 17fee ARP 0% 0/ 18d7b2 IP 0% 0/ 3da0eeFSLH 0% 0/ a1f0FSLR 0% 0/ 65c7eNTPT 0% 0/ f054VTYD 0% 0/ a11dcVRRP 0% 0/ 1af7e9FIB6 0% 0/ d42b ND 0% 0/ 99f12CWMP 0% 0/ 1d5c8DT1X 0% 0/ b039 ACM 0% 0/ 6272f LS 0% 0/ 65aa9RDSO 0% 0/ 391a2 RDS 0% 0/ 1a046 SC 0% 0/ 30898 IKE 0% 0/ 30dcIPSP 0% 0/ 24e00L2TP 0% 0/ 6ba70MACA 0% 0/ e211PSEC 0% 0/ d4e6ULOG 0% 0/ 62a43MFIB 0% 0/ 37b3STND 0% 0/ 27de2ROUT 0% 0/ 625293WIDS 0% 0/ 6b521IFNT 0% 0/ f699 vt0 0% 0/ 7769be检查结果：R正常 不正常三、 设备memory利用状况检查编号：ppc_fs1检查项目：H3C设备memory利用状况检查 检查命令：H3C#dis memory备注：dis memory显示了存储器的一般信息，它表明系统可用的内存和使用内存，注意使用的百分比数。检查范例：（由于现实内容过多，这里只截取部分） =display memory=System Total Memory(bytes): 467646560Total Used Memory(bytes): 147300240Used Rate: 31%检查结果：R正常 不正常编号：ppc_fs2检查项目：H3C设备memory利用状况检查 检查命令：H3C#dis memory备注：dis memory显示了存储器的一般信息，它表明系统可用的内存和使用内存，注意使用的百分比数。检查范例：（由于现实内容过多，这里只截取部分） =display memory=System Total Memory(bytes): 467646560Total Used Memory(bytes): 143296884Used Rate: 30%检查结果：R正常 不正常四、 设备系统模块运行状况检查编号：ppc_fs1检查项目：H3C设备模块运行状况检查 检查命令：H3Cdis device备注：此命令能看到电源及风扇状态。检查范例：（由于现实内容过多，这里只截取部分） =display device= Status :OK Type :RPU Hardware :B Driver :1.0 CPLD :3.0 SubCard Num :2 CFCard Num :1 Usb Num :1检查结果：R正常 不正常编号：ppc_fs2检查项目：H3C设备模块运行状况检查 检查命令：H3Cdis device备注：此命令能看到电源及风扇状态。检查范例：（由于现实内容过多，这里只截取部分） =display device= Status :OK Type :RPU Hardware :B Driver :1.0 CPLD :3.0 SubCard Num :2 CFCard Num :1 Usb Num :1检查结果：R正常 不正常五、 设备系统LOG日志检查编号：ppc_fs1检查项目：H3C设备系统LOG日志检查 检查命令：H3Cdis log备注: 最好使用dis clock看下设备时间，正常情况下设备日期时间与实际日期时间小于10分钟。日期正确的话，可以更好的分析日志。检查范例：（由于现实内容过多，这里只截取部分） =display logbuffer=Logging buffer configuration and contents:enabledAllowed max buffer size : 1024Actual buffer size : 512Channel number : 4 , Channel name : logbufferDropped messages : 0Overwritten messages : 532848Current messages : 512%May 31 16:03:22:637 2016 ppc_fs1 SHELL/5/SHELL_LOGIN: nxdxppc logged in from 36.%May 31 16:03:42:569 2016 ppc_fs1 SHELL/6/SHELL_CMD: -Task=vt0-IPAddr=36-User=nxdxppc; Command is dis cur%May 31 16:06:08:697 2016 ppc_fs1 SHELL/6/SHELL_CMD: -Task=vt0-IPAddr=36-User=nxdxppc; Command is quit%May 31 16:06:08:697 2016 ppc_fs1 SHELL/5/SHELL_LOGOUT: nxdxppc logged out from 36.%May 31 16:06:08:699 2016 ppc_fs1 SSH/6/SSH_CONNECTION_CLOSE: STEL user nxdxppc (IP: 36) logged out because the SSH client closed the connection.%May 31 16:06:14:200 2016 ppc_fs1 SHELL/5/SHELL_LOGINFAIL: SSH user nxdxppc failed to log in from 36 on VTY0.%May 31 16:22:46:789 2016 ppc_fs1 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 7 on VTY0 due to IP restriction.%May 31 16:22:47:028 2016 ppc_fs1 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 7 on VTY0 due to IP restriction.%May 31 16:48:55:583 2016 ppc_fs1 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 42 on VTY0 due to IP restriction.%May 31 16:48:55:637 2016 ppc_fs1 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 42 on VTY0 due to IP restriction.%May 31 17:04:02:386 2016 ppc_fs1 SC/6/SC_AAA_LAUNCH: -AAAType=AUTHEN-AAAScheme= local-Service=login-UserName=patrolsystem; AAA launched.%May 31 17:04:02:386 2016 ppc_fs1 SC/6/SC_AAA_SUCCESS: -AAAType=AUTHEN-AAAScheme= local-Service=login-UserName=patrolsystem; AAA is successful.%May 31 17:04:02:386 2016 ppc_fs1 SC/6/SC_AAA_LAUNCH: -AAAType=AUTHOR-AAAScheme= local-Service=login-UserName=patrolsystem; AAA launched.%May 31 17:04:02:387 2016 ppc_fs1 SC/6/SC_AAA_SUCCESS: -AAAType=AUTHOR-AAAScheme= local-Service=login-UserName=patrolsystem; AAA is successful.%May 31 17:04:02:387 2016 ppc_fs1 SC/6/SC_AAA_LAUNCH: -AAAType=ACCOUNT-AAAScheme= local-Service=login-UserName=patrolsystem; AAA launched.%May 31 17:04:02:387 2016 ppc_fs1 SC/6/SC_AAA_SUCCESS: -AAAType=ACCOUNT-AAAScheme= local-Service=login-UserName=patrolsystem; AAA is successful.%May 31 17:04:02:395 2016 ppc_fs1 SSH/6/SSH_LOGIN: STEL user patrol (IP: 36) logged in successfully.%May 31 17:04:02:498 2016 ppc_fs1 SHELL/5/SHELL_LOGIN: patrol logged in from 36.%May 31 17:04:03:184 2016 ppc_fs1 SHELL/6/SHELL_CMD: -Task=vt0-IPAddr=36-User=patrol; Command is dis vrrp%May 31 17:04:04:203 2016 ppc_fs1 SHELL/6/SHELL_CMD: -Task=vt0-IPAddr=36-User=patrol; Command is dis ip inter br%May 31 17:04:05:198 2016 ppc_fs1 SHELL/6/SHELL_CMD: -Task=vt0-IPAddr=36-User=patrol; Command is display cpu-usage%May 31 17:04:06:199 2016 ppc_fs1 SHELL/6/SHELL_CMD: -Task=vt0-IPAddr=36-User=patrol; Command is dis memory%May 31 17:09:07:626 2016 ppc_fs1 SSH/6/SSH_LOGOUT: STEL user patrol (IP: 36) logged out.%May 31 17:09:07:642 2016 ppc_fs1 SHELL/5/SHELL_LOGOUT: patrol logged out from 36.%May 31 17:16:39:896 2016 ppc_fs1 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 35 on VTY0 due to IP restriction.%May 31 17:54:28:857 2016 ppc_fs1 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 00 on VTY0 due to IP restriction.%May 31 17:54:32:231 2016 ppc_fs1 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 00 on VTY0 due to IP restriction.%May 31 18:58:31:848 2016 ppc_fs1 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 9 on VTY0 due to IP restriction.%May 31 18:58:32:541 2016 ppc_fs1 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 9 on VTY0 due to IP restriction.%May 31 19:50:26:214 2016 ppc_fs1 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 00 on VTY0 due to IP restriction.%May 31 19:53:16:168 2016 ppc_fs1 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 6 on VTY0 due to IP restriction.%May 31 19:55:17:679 2016 ppc_fs1 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 4 on VTY0 due to IP restriction.%May 31 20:01:29:367 2016 ppc_fs1 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 29 on VTY0 due to IP restriction.有无异常日志：R有 没有编号：ppc_fs2检查项目：H3C设备系统LOG日志检查 检查命令：H3Cdis log备注: 最好使用dis clock看下设备时间，正常情况下设备日期时间与实际日期时间小于10分钟。日期正确的话，可以更好的分析日志。检查范例：（由于现实内容过多，这里只截取部分） =display logbuffer=Logging buffer configuration and contents:enabledAllowed max buffer size : 1024Actual buffer size : 512Channel number : 4 , Channel name : logbufferDropped messages : 0Overwritten messages : 368853Current messages : 512%May 31 01:03:27:307 2016 ppc_fs2 SC/6/SC_AAA_SUCCESS: -AAAType=AUTHOR-AAAScheme= local-Service=login-UserName=patrolsystem; AAA is successful.%May 31 01:03:27:308 2016 ppc_fs2 SC/6/SC_AAA_LAUNCH: -AAAType=ACCOUNT-AAAScheme= local-Service=login-UserName=patrolsystem; AAA launched.%May 31 01:03:27:308 2016 ppc_fs2 SC/6/SC_AAA_SUCCESS: -AAAType=ACCOUNT-AAAScheme= local-Service=login-UserName=patrolsystem; AAA is successful.%May 31 01:03:27:315 2016 ppc_fs2 SSH/6/SSH_LOGIN: STEL user patrol (IP: 36) logged in successfully.%May 31 01:03:27:417 2016 ppc_fs2 SHELL/5/SHELL_LOGIN: patrol logged in from 36.%May 31 01:03:28:128 2016 ppc_fs2 SHELL/6/SHELL_CMD: -Task=vt0-IPAddr=36-User=patrol; Command is dis memory%May 31 01:03:29:156 2016 ppc_fs2 SHELL/6/SHELL_CMD: -Task=vt0-IPAddr=36-User=patrol; Command is dis ip inter br%May 31 01:03:30:143 2016 ppc_fs2 SHELL/6/SHELL_CMD: -Task=vt0-IPAddr=36-User=patrol; Command is display cpu-usage%May 31 01:08:31:405 2016 ppc_fs2 SSH/6/SSH_LOGOUT: STEL user patrol (IP: 36) logged out.%May 31 01:08:31:574 2016 ppc_fs2 SHELL/5/SHELL_LOGOUT: patrol logged out from 36.%May 31 01:19:45:482 2016 ppc_fs2 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 64 on VTY0 due to IP restriction.%May 31 01:23:57:437 2016 ppc_fs2 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 95 on VTY0 due to IP restriction.%May 31 01:29:53:817 2016 ppc_fs2 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 64 on VTY0 due to IP restriction.%May 31 01:36:17:059 2016 ppc_fs2 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 41 on VTY0 due to IP restriction.%May 31 02:11:16:735 2016 ppc_fs2 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 94 on VTY0 due to IP restriction.%May 31 02:43:34:013 2016 ppc_fs2 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 01 on VTY0 due to IP restriction.%May 31 02:43:34:310 2016 ppc_fs2 SHELL/5/SHELL_LOGINFAIL: SSH user failed to log in from 01 on VTY0 due to IP restriction.%May 31 02:43:37:555 2016 ppc_fs2 SHELL/5/SHELL_