Copyright © 2008 Juniper Networks, Inc.

Firewall Operations and Maintenance Essentials

Device Management Access Control

Management requests terminate on the unit.
As a security device, the NetScreen must qualify all management requests:
• Match the management address of the arriving interface
• Match the IP address of a 'trusted' source
• Match an allowed service type
• Match username/password

[Figure: a management request (src addr, dst addr, e.g. ping) checked by the management service filter: Mgt. address (interface manage-ip), trusted source (manager-ip), allowed services, authentication (username/password)]

Management Addresses

• Data interface address
• Dedicated management port
• Data interface management address

Management in an HA configuration
• Both the master and the backup unit can be managed
• Master and backup addresses are different
• Data interface address is manageable
• Data interface management address

Checking Interface Configuration

Network Interfaces

    ns208-> get interface
    A - Active, I - Inactive, U - Up, D - Down, R - Ready
    Interfaces in vsys Root:
    Name    IP Address     Zone         MAC              VLAN  State  VSD
    eth1    10.1.1.1/24    Private      0010.db1d.1be0   -     U      -
    eth2    0.0.0.0/0      V1-DMZ       0010.db1d.1be4   -     D      -
    eth3    0.0.0.0/0      V1-Untrust   0010.db1d.1be5   -     D      -
    eth4    0.0.0.0/0      Private      0010.db1d.1be6   -     D      -
    eth5    0.0.0.0/0      Untrust      0010.db1d.1be7   -     D      -
    eth6    0.0.0.0/0      Null         0010.db1d.1be8   -     D      -
    eth7    1.1.7.1/24     Public       0010.db1d.1be9   -     U      -
    eth8    1.1.8.1/24     External     0010.db1d.1bea   -     U      -
    vlan1   0.0.0.0/0      VLAN         0010.db1d.1bef   1     D      -

Checking Routes - CLI

• View routes

    ns208-> get route
    C - Connected, S - Static, A - Auto-Exported, I - Imported
    iB - IBGP, eB - EBGP, R - RIP, O - OSPF, E1 - OSPF external type 1
    E2 - OSPF external type 2
    trust-vr (8 entries)
    ======================
       ID  IP-Prefix       Interface  Gateway      P  Pref  Mtr  Vsys
    ------------------------------------------------------------------------------
        9  0.0.0.0/0       eth8       1.1.8.254    S  20    1    Root
    *   8  1.1.70.0/24     eth7       1.1.7.254    S  20    1    Root
        7  10.1.20.0/24    eth2       10.1.2.254   S  20    1    Root
    *   2  10.1.1.0/24     eth1       0.0.0.0      C  0     0    Root
    *   3  10.1.2.0/24     eth2       0.0.0.0      C  0     0    Root
    output omitted

• View the route to a specific IP

    get route ip xxxxx

CPU Utilization

• System management (task)
• Session management (flow)
• DI, ALG (flow)

get per cpu

    CNZUHFW01-> get per cpu
    Average System Utilization: 1%
    Last 1 minute: 2%, Last 5 minutes: 2%, Last 15 minutes: 2%

    CNZUHFW01-> get per cpu all detail
    Average System Utilization: 1% (flow 1 task 1)
    Last 60 seconds:
    59: 2(1 1)  58: 2(1 1)  57: 2(1 1)  56: 2(1 1)
    55: 2(1 1)  54: 2(1 1)  53: 2(1 1)  52: 2(1 1)
    51: 2(1 1)  50: 2(1 1)  49: 2(1 1)  48: 2(1 1)
    47: 2(1 1)  46: 2(1 1)  45: 2(1 1)  44: 2(1 1)

Memory Utilization

• Memory is preallocated at system startup.
• Each module occupies a relatively fixed amount of memory.
• Memory utilization does not change much.
• Data forwarding is done in the ASIC and does not affect memory utilization.

Current Session Count

• The web interface shows the current number of online sessions.
• In CLI mode:
  - Current session count: alloc 443
  - Maximum supported sessions: max 64064
  - Session creation failure count: alloc failed 0

    CNZUHFW01-> get sess inf
    alloc 443/max 64064, alloc failed 0, mcast alloc 0, di alloc failed 0
    total reserved 0, free sessions in shared pool 63621

Session Rate Performance

New sessions per second: get per session

    CNZUHFW01-> get per sess de
    Last 60 seconds:
     0: 4    1: 4    2: 28   3: 7    4: 5    5: 6
     6: 35   7: 4    8: 5    9: 4   10: 29  11: 4
    12: 4   13: 4   14: 28  15: 5   16: 5   17: 5
    18: 30  19: 8   20: 6   21: 7   22: 30  23: 5
    24: 5   25: 5   26: 28  27: 8   28: 4   29: 3
    30: 28  31: 4   32: 7   33: 4   34: 30  35: 4
    36: 8   37: 6   38: 30  39: 6   40: 5   41: 4
    42: 31  43: 6   44: 8   45: 4   46: 30  47: 5
    48: 4   49: 5   50: 29  51: 5   52: 5   53: 6
    54: 31  55: 5   56: 4   57: 5   58: 28  59: 5

Log Management

• Event, configuration, and traffic logs
• Log severity levels - unset log module system level warning destination syslog
• Syslog/NSM: send logs out for external storage
• Logs can be sent out through the MGT interface or a traffic interface; the source address is the MGT IP or the manage-ip.

NSRP

• priority - priority (default 100; the lower value becomes master)
• Preempt - preempt mode (default disable; this setting is not synchronized)
• HA heartbeat links - two interface (the lower-numbered interface is primary)
• State monitoring - monitor interface (this setting is not synchronized)
• NSRP Switch - master/backup switchover (run on the master device)

    exec nsrp vsd-group 0 mode backup

• Config Syn - master/backup configuration synchronization (run on the backup device)

    exec nsrp syn global-config save / reset / ignore save action / confirm reset
    exec nsrp syn global-config checksum

• Get config | in nsrp
• Get nsrp

Operations Monitoring

• Get performance cpu detail - CPU load
• Get session info - concurrent sessions
• Get performance session detail - new sessions per second
• Get memory - memory usage
• Get alarm event - alarm log
• Get config | in "XXXX" - configuration filtering
• Get chassis - chassis temperature and hardware modules
• Get clock | in date - device clock
• Get interface - interface status
• Get route - route status
• Get arp - ARP table

Collecting Additional Fault Information

• Get tech
• Get session > tftp x.x.x.x filename
• Snoop software packet capture - on the firewall's inside and outside interfaces
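The session-count and new-sessions-per-second checks above can be automated once the CLI output has been collected as text. The following is an added example, not part of the original slides or Juniper code; the function names, the sample strings, the whitespace layout of the rate output, and the warning thresholds are all assumptions.

```python
import re

# Constructed samples modelled on the CLI output shown above.
SESSION_INFO = ("alloc 443/max 64064, alloc failed 0, mcast alloc 0, di alloc failed 0\n"
                "total reserved 0, free sessions in shared pool 63621")
SESSION_RATE = "Last 60 seconds:\n 0: 4  1: 4  2: 28  3: 7  4: 5  5: 6  6: 35  7: 4"

def parse_session_info(text):
    """Extract the counters from 'get session info' output."""
    m = re.search(r"alloc\s+(\d+)\s*/\s*max\s+(\d+),\s*alloc failed\s+(\d+)", text)
    if not m:
        raise ValueError("unrecognized 'get session info' output")
    alloc, maximum, failed = map(int, m.groups())
    di = re.search(r"di alloc failed\s+(\d+)", text)
    return {"alloc": alloc, "max": maximum, "alloc_failed": failed,
            "di_alloc_failed": int(di.group(1)) if di else 0,
            "utilization": alloc / maximum}

def parse_session_rate(text):
    """Return {second: new_sessions} from 'get performance session detail'.
    Assumes the 'second: count' pairs are separated by whitespace."""
    body = text.split("seconds:", 1)[-1]
    return {int(s): int(n) for s, n in re.findall(r"(\d+):\s*(\d+)", body)}

def assess(info, rate, util_warn=0.8, rate_warn=1000):
    """Return findings; the thresholds are illustrative, tune them per platform."""
    findings = []
    if info["alloc_failed"] or info["di_alloc_failed"]:
        findings.append("session allocation failures recorded")
    if info["utilization"] >= util_warn:
        findings.append(f"session table {info['utilization']:.0%} full")
    peak = max(rate.values(), default=0)
    if peak >= rate_warn:
        findings.append(f"new-session peak {peak}/s")
    return findings

if __name__ == "__main__":
    info = parse_session_info(SESSION_INFO)
    rate = parse_session_rate(SESSION_RATE)
    print(info, max(rate.values()), assess(info, rate) or "healthy")
```

A non-zero `alloc failed` counter is worth alerting on even when utilization looks low at polling time, because it records failures that happened between polls.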
Document title: Juniper Devices - Firewall Operations and Maintenance Essentials
Link: https://www.777doc.com/doc-4295146.html