《Juniper设备-防火墙运维要点》由会员分享,可在线阅读,更多相关《Juniper设备-防火墙运维要点(13页珍藏版)》请在金锄头文库上搜索。
1、防火墙运维要点,设备管理访问控制,Management requests terminate on the unit As a security device, the NetScreen must qualify all management requests Match the management address of the arriving interface Match the IP address of a trusted source Match an allowed service type Match username/password,Management Service
2、 Filter,I n t e r f a c e,manage-ip Mgt. Address,Allowed services,A u t h e n t i c a t i o n,Username/ password,manager-ip Trusted Source,管理地址,数据接口地址 专用管理端口 数据接口管理地址 HA配置下管理可管理主/备机 主/备地址不同,数据接口地址可管理,数据接口管理地址,检查接口配置,Network Interfaces,ns208- get interface A - Active, I - Inactive, U - Up, D - Down,
3、R - Ready Interfaces in vsys Root: Name IP Address Zone MAC VLAN State VSD eth1 10.1.1.1/24 Private 0010.db1d.1be0 - U - eth2 0.0.0.0/0 V1-DMZ 0010.db1d.1be4 - D - eth3 0.0.0.0/0 V1-Untrust 0010.db1d.1be5 - D - eth4 0.0.0.0/0 Private 0010.db1d.1be6 - D - eth5 0.0.0.0/0 Untrust 0010.db1d.1be7 - D - e
4、th6 0.0.0.0/0 Null 0010.db1d.1be8 - D - eth7 1.1.7.1/24 Public 0010.db1d.1be9 - U - eth8 1.1.8.1/24 External 0010.db1d.1bea - U - vlan1 0.0.0.0/0 VLAN 0010.db1d.1bef 1 D -,检查路由 - CLI,查看路由 ns208- get route C - Connected, S - Static, A - Auto-Exported, I - Imported iB - IBGP, eB - EBGP, R - RIP, O - O
5、SPF, E1 - OSPF external type 1 E2 - OSPF external type 2 trust-vr (8 entries) = ID IP-Prefix Interface Gateway P Pref Mtr Vsys - 9 0.0.0.0/0 eth8 1.1.8.254 S 20 1 Root * 8 1.1.70.0/24 eth7 1.1.7.254 S 20 1 Root 7 10.1.20.0/24 eth2 10.1.2.254 S 20 1 Root * 2 10.1.1.0/24 eth1 0.0.0.0 C 0 0 Root * 3 10
6、.1.2.0/24 eth2 0.0.0.0 C 0 0 Root 查看去某个IP路由 get route ip xxxxx,CPU利用率,系统管理( task) 会话管理(flow) DI,ALG(flow) get per cpu,CNZUHFW01- get per cpu Average System Utilization: 1% Last 1 minute: 2%, Last 5 minutes: 2%, Last 15 minutes: 2% CNZUHFW01- get per cpu all detail Average System Utilization: 1% (flo
7、w 1 task 1) Last 60 seconds: 59: 2( 1 1) 58: 2( 1 1) 57: 2( 1 1) 56: 2( 1 1) 55: 2( 1 1) 54: 2( 1 1) 53: 2( 1 1) 52: 2( 1 1) 51: 2( 1 1) 50: 2( 1 1) 49: 2( 1 1) 48: 2( 1 1) 47: 2( 1 1) 46: 2( 1 1) 45: 2( 1 1) 44: 2( 1 1),内存利用率,内存在系统启动时已预分配. 每个模块会占用相对固定的内存空间. 内存占用率不会发生太大的变化. 数据转发在ASIC芯片完成,不影响内存利用率,当前
8、会话数,web介面显示当前在线会话数 命令行模式下 当前会话数 alloc 443 最大支持会话数 max 64064 会话创建失败统计. , alloc failed 0,CNZUHFW01- get sess inf alloc 443/max 64064, alloc failed 0, mcast alloc 0, di alloc failed 0 total reserved 0, free sessions in shared pool 63621,会话数性能,每秒新建会话 get per session,CNZUHFW01- get per sess de Last 60 se
9、conds: 0: 4 1: 4 2: 28 3: 7 4: 5 5: 6 6: 35 7: 4 8: 5 9: 4 10: 29 11: 4 12: 4 13: 4 14: 28 15: 5 16: 5 17: 5 18: 30 19: 8 20: 6 21: 7 22: 30 23: 5 24: 5 25: 5 26: 28 27: 8 28: 4 29: 3 30: 28 31: 4 32: 7 33: 4 34: 30 35: 4 36: 8 37: 6 38: 30 39: 6 40: 5 41: 4 42: 31 43: 6 44: 8 45: 4 46: 30 47: 5 48:
10、 4 49: 5 50: 29 51: 5 52: 5 53: 6 54: 31 55: 5 56: 4 57: 5 58: 28 59: 5,日志管理,事件、配置、流量日志 日志分级-unset log module system level warning destination syslog Syslog/NSM外发存储 可通过MGT或业务接口外传日志,源地址为MGT IP或manage-ip,NSRP,riority优先级 (default 100 低值主用) Preempt抢占模式 (default disable,非同步配置) HA心跳线two interface (低接口号主用)
11、 状态监控monitor interface (非同步配置) NSRP Switch主备切换(主用设备上执行) exec nsrp vsd-group 0 mode backup Config Syn主备配置同步(备用设备上执行) exec nsrp syn global-config save/reset/ignore save action/confirm reset exec nsrp syn global-config checksum Get config | in nsrp Get nsrp,运维监控,Get performance cpu detailCPU负载 Get session info并发会话 Get performance session detail每秒新建 Get memory 内存使用 Get alarm event告警日志 Get config | in “XXXX” 配置过滤 Get chassis 机箱温度与硬件模块 Get clock | in date 设备时钟 Get interface 接口状态 Get route 路由状态 Get arp ARP表,故障信息补充获取,Get tech Get session tftp x.x.x.x filename Snoop 软件抓包防火墙内外接口,
