Juniper防火墙日常维护

-.z.Juniper防火墙日常维护手册〔v20131112〕作者毅审核分类其他子类指导手册更新时间2013-11-12关键字Juniper、NetScreen、防火墙、日常维护、ScreenOS、JunOS、NS、ISG、SSG、SR*摘要此手册用于指导Juniper防火墙驻场工程师常规操作，驻场工程师可以按照日常工作容从文档中选取相应的命令。此手册根本涵盖了常规操作、巡检操作等驻场维护工作所需要的操作指导，各工程师也可根据自身驻场工程特点确定日常巡检的容。主要适用环境Juniper防火墙运维工作JuniperScreenOS防火墙包括产品型号有：NS系列、ISG系列、SSG系列JuniperJunOS防火墙包括产品型号有：SR*系列〔SR*Branch系列包含SR*650及以下型号，SR*High-end系列包含SR*1K、3K和SR*5K〕版本说明版本号拟制/修改责任人拟制/修改日期修改容/理由V20131112毅2013-11-12新建目录版本说明2目录31.日常操作31.1查看硬件信息31.2查看OS信息31.3查看CPU/SPU使用率信息3查看CPU/SPU使用率信息31.3.2查看每秒CPU使用率31.4查看存使用率31.5SR*RECPU使用率/存使用率信息〔仅JunOS适用〕31.6查看Session会话信息31.6.1查看会话总数31.6.2查看每秒新建会话数量31.6.3查看防火墙所有会话条目31.6.4按过滤条件查看会话31.6.5查看会话详细容31.6.6保存防火墙所有会话条目31.7查看警告日志31.8查看事件日志——ScreenOS31.8.1查看所有事件日志〔仅ScreenOS适用〕31.8.2按事件级别过滤查看事件日志〔仅ScreenOS适用〕31.8.3按时间过滤查看事件日志〔仅ScreenOS适用〕31.9查看事件日志——JunOS31.10查看策略流量日志31.11查看/备份配置31.12查看接口状态31.12.1查看所有接口状态31.12.2查看单一接口详情31.13查看ARP表31.14查看路由31.14.1查看全部路由31.14.2查看特定目标地址的路由31.15查看策略31.15.1查看所有策略31.15.2查看单条策略的详细容31.16查看防火墙主备状态31.17查看集群接口状态〔仅JunOS适用〕31.18查看配置同步状态〔仅ScreenOS适用〕31.19常用排错命令31.19.1ping31.19.2telnet31.19.3traceroute31.19.4收集support信息31.20按过滤条件查看各类信息32.应急操作32.1去除指定IP的ARP记录32.2去除指定源IP/目的IP的会话记录32.3关闭和开启端口32.3.1关闭端口32.3.2开启端口32.4防火墙主备状态切换32.5同步会话〔仅ScreenOS适用〕32.6重启设备33.日常维护周期策略33.1日巡检维护建议33.2周巡检维护建议33.3月巡检维护建议33.4不定期维护建议31.日常操作1.1查看硬件信息〔1〕ScreenOS在CLI下命令为：getchassis例如：JP1000A->getchassisChassisEnvironment:PowerSupply:GoodFanStatus:GoodCPUTemperature:98'F(37'C)SlotInformation:SlotTypeS/NAssembly-NoVersionTemperature0SystemBoard009990066-004F0186'F(30'C),87'F(31'C)4Management009990049-004D1998'F(37'C)5ASICBoard002079351g1100170065-002B00MarinFPGAversion9,JupiterASICversion1,FresnoFPGAversion110I/OBoardSlotTypeS/NVersionFPGAversion24portminiGBIC(0*3)00999B022614port10/100/1000T38AlarmControlInformation:Powerfailureaudiblealarm:disabledFanfailureaudiblealarm:disabledLowbatteryaudiblealarm:disabledTemperatureaudiblealarm:disabledNormalalarmtemperatureis132'F(56'C)Severealarmtemperatureis150'F(66'C)〔2〕JunOS在CLI-操作模式下命令为：showchassishardware例如：syroJP650A>showchassishardwareHardwareinventory:ItemVersionPartnumberSerialnumberDescriptionChassisAJ4309AA0999SR*650MidplaneREV08710-023875AAAS7310SystemIOREV08710-023209AAAS9446SR*SMESystemIORoutingEngineREV14750-023223AAAW4729RE-SR*SME-SRE6FPC0FPCPIC04*GEBasePICFPC2REV07750-026182AAAS7999FPCPIC016*GEgPIMPowerSupply0Rev03740-024283TH01999PS645WACPowerSupply1Rev03740-024283TH01099PS645WAC1.2查看OS信息〔1〕ScreenOS在CLI下命令为：getsystem例如：JP1000A->getsystemProductName:NetScreen-ISG1000SerialNumber:00999,ControlNumber:00000000HardwareVersion:3010(0)-(04),FPGAchecksum:00000000,VLAN1IP(),Type:Firewall+VPNpiledbybuild_masterat:WedApr2823:08:24PDT2010FileName:default(screenos_image),Checksum:de317771,TotalMemory:1024MBDate01/01/201311:50:43,DaylightSavingTimedisabledTheNetworkTimeProtocolisEnabledUp3286hours23minutes35secondsSince17Aug2012:13:27:08TotalDeviceResets:0

〔2〕JunOS在CLI-操作模式下命令为：showsystemsoftware例如：syroJP650A>showsystemsoftwareInformationforjunos:ment:JUNOSSoftwareRelease[]1.3查看CPU/SPU使用率信息1.3.1查看CPU/SPU使用率信息〔1〕ScreenOS——CPU在CLI下命令为：getperformancecpu例如：JP1000A->getperformancecpuAverageSystemUtilization:1%Last1minute:2%,Last5minutes:2%,Last15minutes:2%〔2〕JunOS——SPU当SPU使用率到达60%就要引起关注，可能网络或设备有异常。在CLI-操作模式下查看SR*Branch防火墙的SPU使用率命令为：showsecuritymonitoringfpc0例如：syroJP650A>showsecuritymonitoringfpc0FPC0PIC0CPUutilization:0%Memoryutilization:67%Currentflowsession:16Ma*flowsession:524288SR*Hign-end防火墙为分布式架构，需要根据SPC卡的槽位来确定查看命令。例如SR*3600配备2块SPC，分别插在7槽和8槽中，需要分别查看其SPU使用率。另，SR*3600的双机采用虚拟机箱技术后，node0为主墙、node1为备墙。在CLI-操作模式下查看SR*3600防火墙的spu命令为：showsecuritymonitoringfpc7和showsecuritymonitoringfpc8例如：syroJP3600A>showsecuritymonitoringfpc7node0:FPC7PIC0CPUutilization:2%Memoryutilization:64%Currentflowsession:5265Ma*flowsession:524288CurrentCPsession:16401Ma*CPsession:2359296node1:FPC7PIC0CPUutilization:0%Memoryutilization:64%Currentflowsession:5582Ma*flowsession:524288CurrentCPsession:17131Ma*CPsession:2359296{primary:node0}syroJP3600A>showsecuritymonitoringfpc8node0:FPC8PIC0CPUutilization:3%Memoryutilization:66%Currentflowsession:10977Ma*flowsession:1048576CurrentCPsession:0Ma*CPsession:0node1:FPC8PIC0CPUutilization:0%Memoryutilization:66%Currentflowsession:11382Ma*flowsession:1048576CurrentCPsession:0Ma*CPsession:0{primary:node0}1.3.2查看每秒CPU使用率〔1〕ScreenOS在CLI下命令为：getperformancecpualldetail例如：JP1000A.GL-IT.SDA(M)->getperformancecpualldetailAverageSystemUtilization:1%(flow1task1)Last60seconds:59:2(11)58:2(11)57:2(11)56:2(11)55:2(11)54:2(11)53:2(11)52:2(11)51:2(11)50:2(11)49:2(11)48:2(11)47:2(11)46:2(11)45:2(11)44:2(11)43:2(11)42:2(11)41:2(11)40:2(11)39:2(11)38:2(11)37:2(11)36:2(11)35:2(11)34:2(11)33:2(11)32:2(11)31:2(11)30:2(11)29:2(11)28:2(11)27:2(11)26:2(11)25:2(11)24:2(11)23:2(11)22:2(11)21:2(11)20:2(11)19:2(11)18:2(11)17:2(11)16:2(11)15:2(11)14:2(11)13:2(11)12:2(11)11:2(11)10:2(11)9:2(11)8:2(11)7:2(11)6:2(11)5:2(11)4:2(11)3:2(11)2:2(11)1:2(11)0:2(11)Last60minutes:59:2(11)58:2(11)57:2(11)56:2(11)55:2(11)54:2(11)53:2(11)52:2(11)51:2(11)50:2(11)49:2(11)48:2(11)47:2(11)46:2(11)45:2(11)44:2(11)43:2(11)42:2(11)41:2(11)40:2(11)39:2(11)38:2(11)37:2(11)36:2(11)35:2(11)34:2(11)33:2(11)32:2(11)31:2(11)30:2(11)29:2(11)28:2(11)27:2(11)26:2(11)25:2(11)24:2(11)23:2(11)22:2(11)21:2(11)20:2(11)19:2(11)18:2(11)17:2(11)16:2(11)15:2(11)14:2(11)13:2(11)12:2(11)11:2(11)10:2(11)9:2(11)8:2(11)7:2(11)6:2(11)5:2(11)4:2(11)3:2(11)2:2(11)1:2(11)0:2(11)Last24hours:23:2(11)22:2(11)21:2(11)20:2(11)19:2(11)18:2(11)17:1(11)16:2(11)15:1(11)14:2(11)13:1(11)12:1(11)11:2(11)10:2(11)9:2(11)8:2(11)7:2(11)6:1(11)5:1(11)4:2(11)3:2(11)2:2(11)1:2(11)0:2(11)〔2〕JunOS在CLI-操作模式下命令为：showsecuritymonitoringperformancespu例如：syroJP650A>showsecuritymonitoringperformancespufpc0pic0Last60seconds:0:01:02:03:04:05:06:07:08:09:010:011:012:013:014:015:016:017:018:019:020:021:022:023:024:025:026:027:028:029:030:031:032:033:034:035:036:037:038:039:040:041:042:043:044:045:046:047:048:049:050:051:052:053:054:055:056:057:058:059:0syroJP3600A>showsecuritymonitoringperformancespunode0:fpc7pic0Last60seconds:0:01:02:03:04:05:06:07:08:09:010:011:012:013:014:015:016:017:018:019:020:021:022:023:024:025:026:027:028:029:030:031:032:033:034:035:036:037:038:039:040:041:042:043:044:045:046:047:048:049:050:051:052:053:054:055:056:057:058:059:0fpc8pic0Last60seconds:0:01:02:03:04:05:06:07:08:09:010:011:012:013:014:015:016:017:018:019:020:021:022:023:024:025:026:027:028:029:030:031:032:033:034:035:036:037:038:039:040:041:042:043:044:045:046:047:048:049:050:051:052:053:054:055:056:057:058:059:0node1:fpc7pic0Last60seconds:0:01:02:03:04:05:06:07:08:09:010:011:012:013:014:015:016:017:018:019:020:021:022:023:024:025:026:027:028:029:030:031:032:033:034:035:036:037:038:039:040:041:042:043:044:045:046:047:048:049:050:051:052:053:054:055:056:057:058:059:0fpc8pic0Last60seconds:0:01:02:03:04:05:06:07:08:09:010:011:012:013:014:015:016:017:018:019:020:021:022:023:024:025:026:027:028:029:030:031:032:033:034:035:036:037:038:039:040:041:042:043:044:045:046:047:048:049:050:051:052:053:054:055:056:057:058:059:0{primary:node0}1.4查看存使用率〔1〕ScreenOSScreenOS平台的存使用率一般不会变化。在CLI下命令为：getmemory例如：JP1000A->getmemoryMemory:allocated536091296,left238802224,frag68,fail0〔2〕JunOS当SPU存使用率到达70%就要引起关注，可能网络或设备有异常。在CLI-操作模式下查看SR*Branch防火墙的spc存使用率命令为：showsecuritymonitoringfpc0例如：syroJP650A>showsecuritymonitoringfpc0FPC0PIC0CPUutilization:0%Memoryutilization:67%Currentflowsession:16Ma*flowsession:524288SR*Hign-end防火墙为分布式架构，，需要根据SPC卡的槽位来确定查看命令。例如SR*3600配备2块SPC，插在7槽和8槽中，需要分别查看其SPU存使用率。另，SR*3600的双机采用虚拟机箱技术，node0为主墙、node1为备墙。在CLI-操作模式下查看SR*3600防火墙的SPU存使用率命令为：showsecuritymonitoringfpc7和showsecuritymonitoringfpc8例如：syroJP3600A>showsecuritymonitoringfpc7node0:FPC7PIC0CPUutilization:2%Memoryutilization:64%Currentflowsession:5265Ma*flowsession:524288CurrentCPsession:16401Ma*CPsession:2359296node1:FPC7PIC0CPUutilization:0%Memoryutilization:64%Currentflowsession:5582Ma*flowsession:524288CurrentCPsession:17131Ma*CPsession:2359296{primary:node0}syroJP3600A>showsecuritymonitoringfpc8node0:FPC8PIC0CPUutilization:3%Memoryutilization:66%Currentflowsession:10977Ma*flowsession:1048576CurrentCPsession:0Ma*CPsession:0node1:FPC8PIC0CPUutilization:0%Memoryutilization:66%Currentflowsession:11382Ma*flowsession:1048576CurrentCPsession:0Ma*CPsession:01.5SR*RECPU使用率/存使用率信息〔仅JunOS适用〕SR*系列防火墙RE的CPU主要做管理设备用，其CPU波动会比拟大，出现瞬时100%也是正常的。当RE的CPU使用率长时间都在45%以上时，引起关注；当RE的存使用率长时间都在60%以上时，注意查看当前的RE运行负载。在CLI-操作模式下命令为：showchassisrouting-engine例如：syroJP650A>showchassisrouting-engineRoutingEnginestatus:Temperature31degreesC/87degreesFCPUtemperature31degreesC/87degreesFTotalmemory2048MBMa*1065MBused(52percent)Controlplanememory1104MBMa*442MBused(40percent)Dataplanememory944MBMa*632MBused(67percent)CPUutilization:User6percentBackground0percentKernel1percentInterrupt0percentIdle93percentModelRE-SR*SME-SRE6SerialIDAAAW4729Starttime2012-07-1217:54:51CSTUptime177days,15hours,50minutes,35secondsLastrebootreason0*200:chassiscontrolresetLoadaverages:1minute5minute15minute0.410.260.19syroJP3600A>showchassisrouting-enginenode0:RoutingEnginestatus:Slot0:CurrentstateMasterElectionpriorityMaster(default)DRAM1023MBMemoryutilization39percentCPUutilization:User0percentBackground0percentKernel5percentInterrupt0percentIdle94percentModelRE-PPC-1200-AStarttime2012-07-1310:06:41CSTUptime176days,23hours,40minutes,35secondsLastrebootreason0*1:powercycle/failureLoadaverages:1minute5minute15minute0.120.100.08node1:RoutingEnginestatus:Slot0:CurrentstateMasterElectionpriorityMaster(default)DRAM1023MBMemoryutilization34percentCPUutilization:User0percentBackground0percentKernel5percentInterrupt0percentIdle95percentModelRE-PPC-1200-AStarttime2012-07-1614:39:07CSTUptime173days,19hours,6minutes,11secondsLastrebootreasonRouterrebootedafteranormalshutdown.Loadaverages:1minute5minute15minute0.140.060.011.6查看Session会话信息1.6.1查看会话总数〔1〕ScreenOS当前会话总数到达平时峰值的2倍或设备最大会话数的70%，需要关注、报警。在CLI下命令为：getsessioninfo例如：JP1000A->getsessioninfoalloc730/ma*524288,allocfailed0,mcastalloc0,diallocfailed0totalreserved0,freesessionsinsharedpool523558slot2:hw0alloc730/ma*524287〔2〕JunOS当前会话总数到达平时峰值的2倍或设备最大会话数的70%，需要关注、报警。在CLI-操作模式下命令为：showsecurityflowsessionsummary例如：syroJP650A>showsecurityflowsessionsummaryUnicast-sessions:14Multicast-sessions:0Failed-sessions:0Sessions-in-use:17Validsessions:14Pendingsessions:0Invalidatedsessions:3Sessionsinotherstates:0Ma*imum-sessions:524288syroJP3600A>showsecurityflowsessionsummarynode0:FlowSessionsonFPC7PIC0:Unicast-sessions:0Multicast-sessions:0Failed-sessions:0Sessions-in-use:0Validsessions:0Pendingsessions:0Invalidatedsessions:0Sessionsinotherstates:0Ma*imum-sessions:524288FlowSessionsonFPC8PIC0:Unicast-sessions:0Multicast-sessions:0Failed-sessions:0Sessions-in-use:0Validsessions:0Pendingsessions:0Invalidatedsessions:0Sessionsinotherstates:0Ma*imum-sessions:1048576node1:FlowSessionsonFPC7PIC0:Unicast-sessions:0Multicast-sessions:0Failed-sessions:0Sessions-in-use:0Validsessions:0Pendingsessions:0Invalidatedsessions:0Sessionsinotherstates:0Ma*imum-sessions:524288FlowSessionsonFPC8PIC0:Unicast-sessions:0Multicast-sessions:0Failed-sessions:0Sessions-in-use:0Validsessions:0Pendingsessions:0Invalidatedsessions:0Sessionsinotherstates:0Ma*imum-sessions:10485761.6.2查看每秒新建会话数量〔1〕ScreenOS在CLI下命令为：getperformancesessiondetail例如：JP1000A->getperformancesessiondetailLast60seconds:0:261:122:193:214:235:206:277:208:329:3010:3611:2912:3513:3414:1315:2616:3117:3418:2019:2520:2421:1922:2023:2424:2125:2226:2427:2328:3429:2430:3531:3532:3433:2134:1535:2636:3737:3238:3639:2740:2041:3242:2443:2544:2145:1946:1747:1648:1549:1450:1751:1952:2653:3854:3255:4156:1157:1358:1559:11〔2〕JunOS对于JunOS11.4及其以后版本，可以直接查看每秒新建会话数，在CLI-操作模式下查看SR*Branch防火墙的每秒新建命令为：showsecuritymonitoringfpc0例如：root>showsecuritymonitoringfpc0FPC0PIC0CPUutilization:0%Memoryutilization:69%Currentflowsession:6CurrentflowsessionIPv4:0CurrentflowsessionIPv6:0Ma*flowsession:262144TotalSessionCreationPerSecond(forlast96secondsonaverage):0IPv4SessionCreationPerSecond(forlast96secondsonaverage):0IPv6SessionCreationPerSecond(forlast96secondsonaverage):0对于JunOS11.4之前的版本，只能查看每秒会话数，在CLI-操作模式下命令为：securitymonitoringperformancesession例如：syroJP650A>showsecuritymonitoringperformancesessionfpc0pic0Last60seconds:0:181:182:173:184:175:146:147:178:169:1710:1611:1712:1713:1814:1615:1616:1517:1518:1419:1520:1321:1422:1223:2724:2725:5626:5527:7828:6129:7930:5931:7532:5933:8134:6435:7836:6137:7538:6039:5140:4041:5042:4743:6944:6045:6946:5647:7648:6749:7850:5751:7452:5553:7854:6055:7056:5157:6258:4859:29syroJP3600A>showsecuritymonitoringperformancesessionnode0:fpc7pic0Last60seconds:0:97611:99872:97133:99654:96925:99896:97037:99588:96539:987810:961611:994012:969113:1006514:981415:1001016:973117:988718:961019:985720:963621:991022:964923:993824:968625:995226:970427:998828:973529:998430:972331:1000932:975833:1010534:987835:1015536:988137:1010738:979839:1003240:979541:1006842:979243:1007344:982945:1008246:981347:1006048:977549:1006150:979151:1000852:973253:996354:972155:993556:966857:993858:969659:9993fpc8pic0Last60seconds:0:202521:196582:201883:196084:201855:196606:201647:195918:200399:1949210:1993811:1943312:2009813:1964214:2027515:1971416:2001317:1944518:1984119:1932520:1982421:1935822:1988023:1937124:1993625:1942926:1987627:1939628:1993829:1945930:1991131:1936932:2006833:1956534:2033235:1964536:2030937:1965738:2012839:1947140:2001041:1949342:2004943:1953644:2016345:1964446:2013247:1962448:2015449:1957550:2009751:1952952:2004153:1952554:1997855:1948856:1989957:1937258:1998459:19500node1:fpc7pic0Last60seconds:0:102131:104472:101723:104244:101505:104326:101537:103628:100789:1039410:1013411:1047212:1021913:1053014:1027915:1045016:1013417:1034718:1006619:1031220:1009321:1040022:1013723:1038424:1014725:1045626:1019327:1043728:1018429:1050730:1026531:1057032:1031433:1069434:1046735:1065936:1040737:1061838:1031539:1051940:1029341:1056142:1028543:1055544:1030045:1054046:1025647:1057348:1029649:1049650:1023451:1044752:1016953:1036454:1011555:1040656:1014057:1038558:1015559:10445fpc8pic0Last60seconds:0:218931:212802:218133:212504:217595:212306:216687:211228:216859:2117610:2177511:2125412:2173513:2127214:2179115:2115516:2150817:2093318:2143919:2094420:2151421:2102622:2146123:2097024:2154025:2104526:2149427:2099128:2168429:2122330:2190931:2136732:2202533:2153934:2216335:2148036:2193337:2128238:2179039:2119440:2182741:2131142:2179343:2126444:2186045:2130046:2183047:2129248:2176249:2122250:2160751:2106352:2144953:2089954:2152755:2104156:2150957:2101758:2152759:21033{primary:node0}1.6.3查看防火墙所有会话条目〔1〕ScreenOS在CLI下命令为：getsession例如：JP1000A->getsessionalloc2976/ma*524288,allocfailed0,mcastalloc0,diallocfailed0totalreserved0,freesessionsinsharedpool521312slot2:hw0alloc2976/ma*524287id482707/s0*,vsys0,flag10200400/4000/0003,policy20036,time1302,dip36module0if130(nspflag0805):01/4795->44/8000,6,0,sesstoken4,vlan32,tun0,vsd0,route17,wsf0if128(nspflag10000800):04/43422<-44/8000,6,0,sesstoken3,vlan0,tun0,vsd0,route29,wsf0id482709/s0*,vsys0,flag10200400/4000/0003,policy20040,time1419,dip36module0if130(nspflag0805):02/1170->1/6002,6,0,sesstoken4,vlan32,tun0,vsd0,route17,wsf0if128(nspflag10000800):04/60242<-1/6002,6,0,sesstoken3,vlan0,tun0,vsd0,route29,wsf0〔2〕JunOS在CLI-操作模式下命令为：showsecurityflowsession例如：syroJP650A>showsecurityflowsessionSessionID:15176,Policyname:self-traffic-policy/1,Timeout:60,ValidIn:/514-->1/514;udp,If:.local..0,Pkts:2668507,Bytes:659764260Out:1/514-->/514;udp,If:ae0.0,Pkts:0,Bytes:0SessionID:15264,Policyname:self-traffic-policy/1,Timeout:60,ValidIn:/514-->66/514;udp,If:.local..0,Pkts:2769763,Bytes:668172183Out:66/514-->/514;udp,If:ae0.0,Pkts:0,Bytes:0SessionID:15267,Policyname:self-traffic-policy/1,Timeout:60,ValidIn:/514-->2/514;udp,If:.local..0,Pkts:2668508,Bytes:659764488Out:2/514-->/514;udp,If:ae0.0,Pkts:0,Bytes:01.6.4按过滤条件查看会话〔1〕ScreenOS在CLI下使用getsession命令可以按过滤条件查看会话，有以下命令选项：命令帮助：JP1000A->getsession>redirectoutput|matchoutput<return>dst-ipdestinationipaddressdst-macdestinationmacaddressdst-portdestinationportnumberorrangehardwareshowhardwaresessionsonlyidshowsessionswithidike-natshowike-natALGinfopolicy-idpolicyidprotocolprotocolnumberorrangermshowsessionsforresourcemanagementserviceshowsessionswithservicetypesrc-ipsourceipaddresssrc-macsourcemacaddresssrc-portsourceportnumberorrangetunnelshowtunnelsessionsvsd-idgetvsd-idspecifiedsessions例如：alloc1366/ma*524288,allocfailed0,mcastalloc0,diallocfailed0totalreserved0,freesessionsinsharedpool522922slot2:hw0alloc1363/ma*524287Total448sessionsaccordingfilteringcriteria.id517142/s0*,vsys0,flag00200450/0000/0081,policy20026,time0,dip0module0if46(nspflag800901):2/51602->30/8300,6,00000c07ac21,sesstoken4,vlan0,tun0,vsd0,route8,wsf0if45(nspflag800900):2/51602<-30/8300,6,00000c07ac5f,sesstoken3,vlan0,tun0,vsd0,route6,wsf0id517222/s0*,vsys0,flag00200440/0000/0003,policy20028,time2,dip0module0〔2〕JunOS在CLI-操作模式下使用showsecurityflowsession命令可以按过滤条件查看会话，有以下命令选项：syroJP650A>showsecurityflowsessionPossiblepletions:<[Enter]>E*ecutethismandapplicationApplicationprotocolnamebriefShowbriefoutput(default)destination-portDestinationport(1..65535)destination-prefi*DestinationIPprefi*oraddresse*tensiveShowdetailedoutputfamilyShowsessionbyfamilyidpShowidpsessionsinterfaceNameofiningoroutgoinginterfacenatShowsessionswithnetworkaddresstranslationprotocolIPprotocolnumberresource-managerShowsessionswithresourcemanagersession-identifierShowsessionwithspecifiedsessionidentifiersource-portSourceport(1..65535)source-prefi*SourceIPprefi*oraddresssummaryShowoutputsummarytunnelShowtunnelsessions|Pipethroughamand例如：syroJP650A>showsecurityflowsessionsource-prefi*1