SRX3600防火墻日常檢查命令.doc

SRX3600防火墻日常檢查命令命令描述show version檢查設備的版本是否一致show chassis routing-engineshow system process extensive restart mib-process immediately 檢查系統(tǒng)CPU使用率檢查進程cpu利用率重啟mib2d進程show chassis hardware檢查設備的硬件信息show chassis fpc檢查設備各個板卡的狀態(tài)show chassis environment.檢查設備溫度的狀態(tài)show chassis environment pem檢查設備的電源功率show chassis alarm檢查設備硬件告警信息show system alarm檢查設備系統(tǒng)的告警信息show chassis cluster statusshow chassis cluster information檢查設備的雙機狀態(tài)show security flow session summary.檢查設備的會話數(shù)量show interface fab0檢查防火墻新建會話數(shù)show interface ter檢查接口狀態(tài)信息 也可以通過MIB值查看設備的相關信息SRX36001.3.6.1.4.1.2636.3.39.1.12.1.1.1.4.7（最后一位數(shù)5表示SPC板卡所在的node0槽位號）SPC 板卡cpu利用率，尾數(shù)為7的是主機；尾數(shù)為33的是備機；1.3.6.1.4.1.2636.3.39.1.12.1.1.1.4.33（最后一位數(shù)31表示SPC板卡所在的node1槽位號）1.3.6.1.4.1.2636.3.39.1.12.1.1.1.5.7（最后一位數(shù)5表示SPC板卡所在的node0槽位號）SPC 板卡內存利用率，尾數(shù)為7的是主機；尾數(shù)為33的是備機；1.3.6.1.4.1.2636.3.39.1.12.1.1.1.5.33（最后一位數(shù)31表示SPC板卡所在的node1槽位號）1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6.7（最后一位數(shù)5表示SPC板卡所在的node0槽位號）SPC 板卡并發(fā)會話數(shù)，尾數(shù)為7的是主機；尾數(shù)為33的是備機；1.3.6.1.4.1.2636.3.39.1.12.1.1.1.6.33（最后一位數(shù)31表示SPC板卡所在的node1槽位號）1.3.6.1.4.1.2636.3.1.13.1.8.9.1.0.0路由引擎CPU ，末尾為1.0.0的是主機；末尾為3.0.0的是備機1.3.6.1.4.1.2636.3.1.13.1.8.9.3.0.01. 防火墻的CPU、Session會話數(shù)OID值對應的MIB文件為mib-jnx-js-spu-monitoring.txt NSRP狀態(tài)OID：1.3.6.1.4.1.2636.3.1.14.1.7.9.1.0.0 控制平面的主/備1.3.6.1.4.1.2636.3.1.14.1.7.9.3.0.0 轉發(fā)平面的主/備取得的值：2表示master;3表示backup;4表示disable;對應的MIB文件為mib-jnx-jsrpd.txt 2.使用此命令顯示MIB值的信息：show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.12.1.1.1.4.73.防火墻 公網(wǎng)IP地址NAT轉換使用情況show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.7.1.1.4.1.5舉例說明如下：1. 查看防火墻當前session會話總數(shù)命令：show security flow session summary adminBJBJ-PS-WAP4-FW01 show security flow session summary node 0 node0:-Flow Sessions on FPC7 PIC0:Unicast-sessions: 189499Multicast-sessions: 0Failed-sessions: 0Sessions-in-use: 193363 Valid sessions: 189196 Pending sessions: 2 Invalidated sessions: 3859 Sessions in other states: 0Maximum-sessions: 524288primary:node0表示防火墻目前的會話總數(shù)為：1933632. 查看防火墻每秒中新建會話數(shù)量命令如下：show interface fab0adminBJBJ-PS-WAP4-FW01 show interfaces fab0 Physical interface: fab0, Enabled, Physical link is Up Interface index: 138, SNMP ifIndex: 520 Link-level type: Ethernet, MTU: 9014, Speed: 2Gbps, BPDU Error: None, MAC-REWRITE Error: None, Loopback: Disabled, Source filtering: Disabled, Flow control: Disabled, Minimum links needed: 1, Minimum bandwidth needed: 0 Device flags : Present Running Interface flags: SNMP-Traps Internal: 0x0 Current address: 84:18:88:43:b0:21, Hardware address: 84:18:88:43:b0:21 Last flapped : 2011-11-22 00:40:55 CST (1w1d 00:00 ago) Input rate : 0 bps (0 pps) Output rate : 7516352 bps (2204 pps) Logical interface fab0.0 (Index 74) (SNMP ifIndex 521) Flags: SNMP-Traps 0x0 Encapsulation: ENET2 Statistics Packets pps Bytes bps Bundle: Input : 0 0 0 0 Output: 1682870581 2204 719123403018 7516352 Security: Zone: Null Protocol inet, MTU: 9000 Addresses, Flags: Is-Preferred Is-Primary Destination: 30.17.0/24, Local: 30.17.0.200, Broadcast: 30.17.0.255表示防火墻每秒中新建會話：22043. 通過查看MIB值，檢查防火墻公網(wǎng)IP地址NAT轉換數(shù)量命令如下：show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.7.1.1.4.1.5adminBJBJ-PS-WAP4-FW01 show snmp mib walk 1.3.6.1.4.1.2636.3.39.1.7.1.1.4.1.5 jnxJsNatSrcNumPortInuse.13.115.109.115.95.49.48.45.52.45.53.45.51.54.0.10.4.5.36 = 0jnxJsNatSrcNumPortInuse.17.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.57.0.211.136.28.189 = 0jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.180 = 44840jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.181 = 45711jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.182 = 45825jnxJsNatSrcNumPortInuse.19.73.80.95.50.49.49.45.49.51.54.45.50.56.45.49.56.48.95.51.0.211.136.28.183 = 44858primary:node0 表示目前公網(wǎng)IP:211.136.28.180 地址轉換44840條，一個公網(wǎng)地址最多完成200萬NAT地址轉換 公網(wǎng)IP:211.136.28.181 地址轉換45711條 公網(wǎng)IP:211.136.28.182 地址轉換45852條 公網(wǎng)IP:211.136.28.183 地址轉換44858條4. 檢查防火墻板卡狀態(tài)信息命令如下：show chassis fpcadminBJBJ-PS-WAP4-FW01 show chassis fpc node 0 node0:- Temp CPU Utilization (%) Memory Utilization (%)Slot State (C) Total Interrupt DRAM (MB) Heap Buffer 0 Online 39 14 0 1024 2 27 1 Empty 2 Empty 3 Empty 4 Empty 5 Empty 6 Empty 7 Online 49 14 0 1024 2 27 8 Empty 9 Empty 10 Online 33 14 0 1024 2 27 11 Empty 12 Empty 0槽位代表SFB(轉發(fā)板卡)的狀態(tài)信息，7槽位代表NPC板卡的狀態(tài)信息，10槽位代表SPC板卡的狀態(tài)信息。5. 檢查防火墻CPU、內存利用率狀態(tài)命令如下：show chassis routing-engineadminBJBJ-PS-WAP4-FW01 show chassis routing-engine node 0 node0:-Routing Engine status: Slot 0: Current state Master Election priority Master (default) DRAM 1023 MB Memory utilization 32 percent CPU utilization: User 0 percent Background 0 percent Kernel 3 percent Interrupt 0 percent Idle 96 percent Model RE-PPC-1200-A Start time 2011-11-22 00:37:47 CST Uptime 8 days, 15 minutes, 31 seconds Last reboot reason Router rebooted after a normal shutdown. Load averages: 1 minute 5 minute 15 minute 0.01 0.01 0.00目前內存利用率33%，CPU空閑96%，load average顯示CPU 1分鐘、5分鐘、15分鐘的利用率情況6. 檢查防火墻雙機狀態(tài)命令:show chassis cluster statusadminBJBJ-PS-WAP4-FW01 show chassis cluster status Cluster ID: 1 Node Priority Status Preempt Manual failoverRedundancy group: 0 , Failover count: 1 node0 200 primary no no node1 100 secondary no no Redundancy group: 1 , Failover count: 1 node0 200 primary no no node1 100 secondary no no Redundancy group: 0為控制層面Redundancy group: 1為轉發(fā)層面Redundancy group: 0 目前的主為node0（BJBJ-PS-WAP4-FW01） 備為node1（BJBJ-PS-WAP4-FW02）Redundancy group: 1 目前的主為node0（BJBJ-PS-WAP4-FW01） 備為node1（BJBJ-PS-WAP4-FW02）7. 檢查防火墻硬件告警信息命令：show chassis alarmadminBJBJ-PS-WAP4-FW01 show chassis alarms node0:-No alarms currently activenode1:-No alarms currently activeprimary:node0檢查結果顯示目前主、備防火墻都不存在硬件告警，硬件日志信息，記錄在/var/log目錄下的chassis文