SRX3600防火墻日常檢查命令.doc

SRX3600防火墻日常檢查命令命令描述show version檢查設(shè)備的版本是否一致show chassis routing-engineshow system process extensive restart mib-process immediately 檢查系統(tǒng)CPU使用率檢查進(jìn)程cpu利用率重啟mib2d進(jìn)程show chassis hardware檢查設(shè)備的硬件信息show chassis fpc檢查設(shè)備各個(gè)板卡的狀態(tài)show chassis environment.檢查設(shè)備溫度的狀態(tài)show chassis environment pem檢查設(shè)備的電源功率show chassis alarm檢查設(shè)備硬件告警信息show system alarm檢查設(shè)備系統(tǒng)的告警信息show chassis cluster statusshow chassis cluster information檢查設(shè)備的雙機(jī)狀態(tài)show security flow session summary.檢查設(shè)備的會(huì)話數(shù)量show interface fab0檢查防火墻新建會(huì)話數(shù)show interface ter檢查接口狀態(tài)信息 也可以通過(guò)MIB值查看設(shè)備的相關(guān)信息SRX36001.3.6.1.4.1.2636.3.39.1.12.1.1.1.4.7（最后一位數(shù)5表示SPC板卡所在的node0槽位號(hào)）SPC 板卡cpu利用率，尾數(shù)為7的是主機(jī)；尾數(shù)為33的是備機(jī)；1.3.6.1.4.1.2636.3.39.1.12.1.1.1.4.33（最后一位數(shù)31表示SPC板卡所在的node1槽位號(hào)）1.3.6.1.4.1.2636.3.39.1.12.1.1.1.5.7（最后一位數(shù)5表示SPC板卡所在的node0槽位號(hào)）SPC 板卡內(nèi)存利用率，尾數(shù)為7的是主機(jī)；尾數(shù)為33的是備機(jī)；1.3.6.1.4.1.2636.3.39.1.12.1.1.1.5.33（最后一位數(shù)31表示SPC板卡所在的node1槽位號(hào)）1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6.7（最后一位數(shù)5表示SPC板卡所在的node0槽位號(hào)）SPC 板卡并發(fā)會(huì)話數(shù)，尾數(shù)為7的是主機(jī)；尾數(shù)為33的是備機(jī)；1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6.33（最后一位數(shù)31表示SPC板卡所在的node1槽位號(hào)）1.3.6.1.4.1.2636.3.1.13.1.8.9.1.0.0路由引擎CPU ，末尾為1.0.0的是主機(jī)；末尾為3.0.0的是備機(jī)1.3.6.1.4.1.2636.3.1.13.1.8.9.3.0.01. 防火墻的CPU、Session會(huì)話數(shù)OID值對(duì)應(yīng)的MIB文件為mib-jnx-js-spu-monitoring.txt NSRP狀態(tài)OID：1.3.6.1.4.1.2636.3.1.14.1.7.9.1.0.0 控制平面的主/備1.3.6.1.4.1.2636.3.1.14.1.7.9.3.0.0 轉(zhuǎn)發(fā)平面的主/備取得的值：2表示master;3表示backup;4表示disable;對(duì)應(yīng)的MIB文件為mib-jnx-jsrpd.txt 2.使用此命令顯示MIB值的信息：show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1.1.1.4.73.防火墻 公網(wǎng)IP地址NAT轉(zhuǎn)換使用情況show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.7.1.1.4.1.5舉例說(shuō)明如下：1. 查看防火墻當(dāng)前session會(huì)話總數(shù)命令：show security flow session summary adminBJBJ-PS-WAP4-FW01 show security flow session summary node 0 node0:-Flow Sessions on FPC7 PIC0:Unicast-sessions: 189499Multicast-sessions: 0Failed-sessions: 0Sessions-in-use: 193363 Valid sessions: 189196 Pending sessions: 2 Invalidated sessions: 3859 Sessions in other states: 0Maximum-sessions: 524288primary:node0表示防火墻目前的會(huì)話總數(shù)為：1933632. 查看防火墻每秒中新建會(huì)話數(shù)量命令如下：show interface fab0adminBJBJ-PS-WAP4-FW01 show interfaces fab0 Physical interface: fab0, Enabled, Physical link is Up Interface index: 138, SNMP ifIndex: 520 Link-level type: Ethernet, MTU: 9014, Speed: 2Gbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1, Minimum bandwidth needed: 0 Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Current address: 84:18:88:43:b0:21, Hardware address: 84:18:88:43:b0:21 Last flapped : 2011-11-22 00:40:55 CST (1w1d 00:00 ago) Input rate : 0 bps (0 pps) Output rate : 7516352 bps (2204 pps) Logical interface fab0.0 (Index 74) (SNMP ifIndex 521) Flags: SNMP-Traps 0x0 Encapsulation: ENET2 Statistics Packets pps Bytes bps Bundle: Input : 0 0 0 0 Output: 1682870581 2204 719123403018 7516352 Security: Zone: Null Protocol inet, MTU: 9000 Addresses, Flags: Is-Preferred Is-Primary Destination: 30.17.0/24, Local: 30.17.0.200, Broadcast: 30.17.0.255表示防火墻每秒中新建會(huì)話：22043. 通過(guò)查看MIB值，檢查防火墻公網(wǎng)IP地址NAT轉(zhuǎn)換數(shù)量命令如下：show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.7.1.1.4.1.5adminBJBJ-PS-WAP4-FW01 show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.7.1.1.4.1.5 jnxJsNatSrcNumPortInuse.13.115.109.115.95.49.48.45.52.45.53.45.51.54.0.10.4.5.36 = 0jnxJsNatSrcNumPortInuse.17.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.57.0.211.136.28.189 = 0jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.180 = 44840jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.181 = 45711jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.182 = 45825jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.183 = 44858primary:node0 表示目前公網(wǎng)IP:211.136.28.180 地址轉(zhuǎn)換44840條，一個(gè)公網(wǎng)地址最多完成200萬(wàn)NAT地址轉(zhuǎn)換 公網(wǎng)IP:211.136.28.181 地址轉(zhuǎn)換45711條 公網(wǎng)IP:211.136.28.182 地址轉(zhuǎn)換45852條 公網(wǎng)IP:211.136.28.183 地址轉(zhuǎn)換44858條4. 檢查防火墻板卡狀態(tài)信息命令如下：show chassis fpcadminBJBJ-PS-WAP4-FW01 show chassis fpc node 0 node0:- Temp CPU Utilization (%) Memory Utilization (%)Slot State (C) Total Interrupt DRAM (MB) Heap Buffer 0 Online 39 14 0 1024 2 27 1 Empty 2 Empty 3 Empty 4 Empty 5 Empty 6 Empty 7 Online 49 14 0 1024 2 27 8 Empty 9 Empty 10 Online 33 14 0 1024 2 27 11 Empty 12 Empty 0槽位代表SFB(轉(zhuǎn)發(fā)板卡)的狀態(tài)信息，7槽位代表NPC板卡的狀態(tài)信息，10槽位代表SPC板卡的狀態(tài)信息。5. 檢查防火墻CPU、內(nèi)存利用率狀態(tài)命令如下：show chassis routing-engineadminBJBJ-PS-WAP4-FW01 show chassis routing-engine node 0 node0:-Routing Engine status: Slot 0: Current state Master Election priority Master (default) DRAM 1023 MB Memory utilization 32 percent CPU utilization: User 0 percent Background 0 percent Kernel 3 percent Interrupt 0 percent Idle 96 percent Model RE-PPC-1200-A Start time 2011-11-22 00:37:47 CST Uptime 8 days, 15 minutes, 31 seconds Last reboot reason Router rebooted after a normal shutdown. Load averages: 1 minute 5 minute 15 minute 0.01 0.01 0.00目前內(nèi)存利用率33%，CPU空閑96%，load average顯示CPU 1分鐘、5分鐘、15分鐘的利用率情況6. 檢查防火墻雙機(jī)狀態(tài)命令:show chassis cluster statusadminBJBJ-PS-WAP4-FW01 show chassis cluster status Cluster ID: 1 Node Priority Status Preempt Manual failoverRedundancy group: 0 , Failover count: 1 node0 200 primary no no node1 100 secondary no no Redundancy group: 1 , Failover count: 1 node0 200 primary no no node1 100 secondary no no Redundancy group: 0為控制層面Redundancy group: 1為轉(zhuǎn)發(fā)層面Redundancy group: 0 目前的主為node0（BJBJ-PS-WAP4-FW01） 備為node1（BJBJ-PS-WAP4-FW02）Redundancy group: 1 目前的主為node0（BJBJ-PS-WAP4-FW01） 備為node1（BJBJ-PS-WAP4-FW02）7. 檢查防火墻硬件告警信息命令：show chassis alarmadminBJBJ-PS-WAP4-FW01 show chassis alarms node0:-No alarms currently activenode1:-No alarms currently activeprimary:node0檢查結(jié)果顯示目前主、備防火墻都不存在硬件告警，硬件日志信息，記錄在/var/log目錄下的chassis文