juniper日常維護(hù)和故障響應(yīng)

1、防火墻日常維護(hù)和故障響應(yīng),常規(guī)維護(hù),獲得基本信息 檢查NSRP狀態(tài) 提高預(yù)警水平 策略配置與優(yōu)化 攻擊防御 特殊應(yīng)用處理 整理業(yè)務(wù)拓?fù)浜陀涗?搭建模擬環(huán)境,常規(guī)維護(hù)獲得系統(tǒng)基本信息,Get sys-cfg：了解系統(tǒng)的各種缺省參數(shù)設(shè)置 Get clock：確定系統(tǒng)時(shí)間 get session info：查看session細(xì)節(jié) get performance cpu：50% get performance cpu detail：查看CPU歷史記錄 get performance cpu all detail,常規(guī)維護(hù)獲得系統(tǒng)基本信息,Get memory：采用“預(yù)分配”機(jī)制 ，90 Get int

2、erface：查看端口細(xì)節(jié) Get route：查看路由表 Get log event：查看普通事件記錄 Get alarm event：查看告警事件記錄 可以通過Netscreen防火墻日志信息速查表.pdf檢索所關(guān)心的日志信息的具體含義。 Get chassis：查看防火墻硬件板卡狀態(tài)和溫度等,常規(guī)維護(hù)檢查NSRP狀態(tài),exec nsrp sync global-config check-sum 檢查雙機(jī)配置命令是否同步 exec nsrp sync global-config save 如雙機(jī)配置信息沒有自動(dòng)同步，請(qǐng)手動(dòng)執(zhí)行此同步命令，需要重啟系統(tǒng)。 get nsrp 查看NSRP集群中

3、設(shè)備狀態(tài)、主備關(guān)系、會(huì)話同步以及參數(shù)開關(guān)信息。 Exec nsrp sync rto all from peer 手動(dòng)執(zhí)行RTO信息同步，使雙機(jī)保持會(huì)話信息一致 get alarm event 檢查設(shè)備告警信息，其中將包含NSRP狀態(tài)切換信息,常規(guī)維護(hù)檢查NSRP狀態(tài),exec nsrp vsd-group 0 mode backup 手動(dòng)進(jìn)行主備狀態(tài)切換時(shí)，在主用設(shè)備上執(zhí)行該切換命令，此時(shí)該主用設(shè)備沒有啟用搶占模式。 exec nsrp vsd-group 0 mode ineligible 手動(dòng)進(jìn)行主備狀態(tài)切換時(shí)，在主用設(shè)備上執(zhí)行該切換命令，此時(shí)該主用設(shè)備已啟用搶占模式。 set fail

4、over on/set failover auto啟用并容許冗余接口自動(dòng)切換 exec failover force 手動(dòng)執(zhí)行將主用端口切換為備用端口。 exec failover revert 手動(dòng)執(zhí)行將備用端口切換為主用端口。,常規(guī)維護(hù)提高預(yù)警水平,以CPU監(jiān)控為例，在SNMP網(wǎng)管中可以實(shí)時(shí)監(jiān)控獲得CPU負(fù)載性能曲線，在此基礎(chǔ)上可以設(shè)置多個(gè)報(bào)警閾值，如設(shè)置五級(jí)報(bào)警，分別在CPU負(fù)載50%、60%、70%、80%、90%時(shí)報(bào)警，這樣可以實(shí)現(xiàn)一種“預(yù)報(bào)警”的功能，在對(duì)網(wǎng)絡(luò)通訊產(chǎn)生嚴(yán)重影響之前就能主動(dòng)進(jìn)行響應(yīng)，提高系統(tǒng)的可靠性。,常規(guī)維護(hù)提高預(yù)警水平,nsResCpuAvg：當(dāng)前CPU利用率（1

5、..1.3） nsResCpuLast1Min：最后1分鐘CPU利用率（.4.1.3） nsResSessAllocate：當(dāng)前session數(shù)（.4.1.3） IfEntry：RFC1213端口屬性表（..1）。其中重點(diǎn)監(jiān)控表中的ifOperStatus、ifInOctets、ifInUcastPkts、ifInNUcastPkts、ifInDiscards、ifInErrors、ifInUnknownProtos、ifOutOctets、ifOutUcastPk

6、ts、ifOutNUcastPkts、ifOutDiscards、ifOutErrors、ifOutQLen nsrpRtoCounterEntry ：NSRP雙機(jī)冗余協(xié)議RTO對(duì)象計(jì)數(shù)統(tǒng)計(jì)（.4.1.3.3.1），其中重點(diǎn)監(jiān)控表中的session的建立、清除和變化性能曲線（nsrpRtoCounterName中的SESS_CR、SESS_CL和SESS_CH三項(xiàng)的變化速率曲線） nsrpVsdMemberStatus：NSRP雙機(jī)冗余協(xié)議成員狀態(tài)（.4.1.3.1.3）,常規(guī)維護(hù)提高預(yù)警水平,追蹤處理流程： 安全事件預(yù)告警（CP

7、U、Session） 檢查各條策略的流量或者session數(shù)增長是否異常 確定對(duì)應(yīng)的異常流量的地址范圍 Debug或者Sniffer分析,常規(guī)維護(hù)策略配置與優(yōu)化,Log(記錄日志) Count(流量統(tǒng)計(jì)) 地址組和服務(wù)組 策略和對(duì)象的刪除 區(qū)段間策略、區(qū)段內(nèi)策略和全局策略 MIP/VIP地址屬于全局區(qū)段地址 策略變更控制 exec policy verify exec policy verify global,常規(guī)維護(hù)攻擊防御（Screen）,抵御攻擊的功能會(huì)占用防火墻部分CPU資源； 自行開發(fā)的一些應(yīng)用程序中，可能存在部分不規(guī)范的數(shù)據(jù)包格式； 網(wǎng)絡(luò)環(huán)境中可能存在非常規(guī)性設(shè)計(jì) 防攻擊選項(xiàng)的啟用

8、需要采用逐步逼近的方式 Generate Alarms without Dropping Packet選項(xiàng),常規(guī)維護(hù)特殊應(yīng)用處理,Set service timeout unset flow tcp-syn-check set alg h323 disable Set policy id X from trust to untrust any any h.323 permit Set policy id X application ignore,常規(guī)維護(hù)整理業(yè)務(wù)拓?fù)浜陀涗?深入理解網(wǎng)絡(luò)中業(yè)務(wù)類型和流量特征，持續(xù)優(yōu)化防火墻策略。整理出完整網(wǎng)絡(luò)環(huán)境視圖（網(wǎng)絡(luò)端口、互聯(lián)地址、防護(hù)網(wǎng)段、網(wǎng)絡(luò)流向、策略

9、表、應(yīng)用類型等），以便網(wǎng)絡(luò)異常時(shí)快速定位故障。 整理一份上下行交換機(jī)配置備份文檔（調(diào)整其中的端口地址和路由指向），提供備用網(wǎng)絡(luò)連線。防止防火墻發(fā)生硬件故障時(shí)能夠快速旁路防火墻，保證業(yè)務(wù)正常使用。 在日常維護(hù)中建立防火墻資源使用參考基線，為判斷網(wǎng)絡(luò)異常提供參考依據(jù)。,常規(guī)維護(hù)整理業(yè)務(wù)拓?fù)浜陀涗?重視并了解防火墻產(chǎn)生的每一個(gè)故障告警信息，在第一時(shí)間修復(fù)故障隱患。 建立設(shè)備運(yùn)行檔案，為配置變更、事件處理提供完整的維護(hù)記錄，定期評(píng)估配置、策略和路由是否優(yōu)化。 故障設(shè)想和故障處理演練：日常維護(hù)工作中需考慮到網(wǎng)絡(luò)各環(huán)節(jié)可能出現(xiàn)的問題和應(yīng)對(duì)措施，條件允許情況下，可以結(jié)合網(wǎng)絡(luò)環(huán)境演練發(fā)生各類故障時(shí)的處理流程，

10、如：NSRP集群中設(shè)備出現(xiàn)故障，網(wǎng)線故障及交換機(jī)故障時(shí)的路徑保護(hù)切換。,常規(guī)維護(hù)搭建模擬環(huán)境,通過實(shí)驗(yàn)來學(xué)習(xí)、理解和驗(yàn)證,應(yīng)急響應(yīng),數(shù)據(jù)包處理流程 快速檢查和保留故障信息 NSRP應(yīng)急操作 防火墻旁路 Debug Snoop Sniffer,應(yīng)急響應(yīng)數(shù)據(jù)包處理流程,應(yīng)急響應(yīng)快速檢查和保留故障信息,get clock：獲得分析記錄的時(shí)間點(diǎn) get tech：獲得基本信息，尋求TAC支持 get log system：檢查系統(tǒng)模塊日志 get log sys saved：檢查系統(tǒng)模塊存儲(chǔ)的日志，用于系統(tǒng)crash情況下的dumped數(shù)據(jù)分析 get session info：檢查session數(shù)

11、get performance session detail：檢查session生成的歷史記錄 get performance cpu all detail：檢查雙cpu負(fù)載的歷史記錄 get memory：檢查free內(nèi)存容量 get memory chunk：檢查內(nèi)存分配情況,應(yīng)急響應(yīng)快速檢查和保留故障信息,get os task：檢查系統(tǒng)進(jìn)程 get net-pak stats：數(shù)據(jù)包統(tǒng)計(jì)分析 get socket：檢查防火墻開放端口 get pport：檢查端口地址轉(zhuǎn)換 get gate：檢查網(wǎng)關(guān)應(yīng)用 get tcp：檢查TCP連接 get interface：檢查端口狀態(tài) get e

12、vent：get alarm eventget log event,應(yīng)急響應(yīng)NSRP應(yīng)急操作,應(yīng)急響應(yīng)NSRP應(yīng)急操作,get nsrp exec nsrp vsd-group 0 mode backup,應(yīng)急處理防火墻旁路,通過備份的路由器或三層交換機(jī)進(jìn)行旁路處理，但是不要關(guān)閉防火墻。,應(yīng)急處理Debug,跟蹤防火墻對(duì)指定包的處理 Traffic Not Passing - debug flow basic VPN Not Working - debug ike detail Everything Else! - debug ?,應(yīng)急處理Debug,Set ffilter src-ip x.

13、x.x.x dst-ip x.x.x.x dst-port xx 設(shè)置過濾列表,定義捕獲包的范圍 clear dbuf ： 清除防火墻內(nèi)存中緩存的分析包 debug flow basic： 開啟debug數(shù)據(jù)流跟蹤功能 發(fā)送測(cè)試數(shù)據(jù)包或讓小部分流量穿越防火墻 undebug all： 關(guān)閉所有debug功能 get dbuf stream： 檢查防火墻對(duì)符合過濾條件數(shù)據(jù)包的分析結(jié)果 unset ffilter： 清除防火墻debug過濾列表 clear dbuf： 清除防火墻緩存的debug信息 get debug： 查看當(dāng)前debug設(shè)置,應(yīng)急處理Debug,* 997629.0: pack

14、et received 60* ipid = 5359(14ef), 03c9f550 packet passed sanity check. trust:05/4608-51/512,1(8/0) chose interface trust as incoming nat if. search route to (trust, 05-51) in vr trust-vr for vsd-0/flag-0/ifp-null Dest 2.route 51-, to

15、 untrust routed (51, ) from trust (trust in 0) to untrust policy search from zone 2- zone 1 No SW RPC rule match, search HW rule Permitted by policy 9 No src xlate choose interface untrust as outgoing phy if no loop on ifp untrust. session application type 0, name None, timeout 60s

16、ec service lookup identified service 0. Session (id:818) created for first pak 1 route to 51 arp entry found for 51 nsp2 wing prepared, ready cache mac in the session flow got session. flow session id 818 post addr xlation: 05-51.,應(yīng)急處理Debug,* 997629.0: p

17、acket received 60* ipid = 29278(725e), 03c391d0 packet passed sanity check. untrust:51/512-05/4608,1(0/0) existing session found. sess token 3 flow got session. flow session id 818 post addr xlation: 51-05.,IKE Debugger Basics,For simplicity, try to on

18、ly initiate only 1 IKE tunnel at a time. To turn the debugger ON/OFF debug ike basic/debug ike detail Try to run the debug during a scheduled downtime,IKE Debug Example, P1 :Initiate,IKE * Recv kernel msg IDX-0, TYPE-5 * IKE Phase 1: Initiated negotiation in main mode. 08 IKE Construct IS

19、AKMP header. IKE Construct SA for ISAKMP IKE Construct NetScreen VID IKE Construct custom VID IKE Xmit : SA VID VID IKE * Recv packet if of vsys * IKE Recv : SA VID VID IKE Process VID: IKE Process VID: IKE Process SA: IKE Construct ISAKMP header. IKE Construct KE for ISAKMP IKE Construct NONCE IKE

20、Xmit : KE NONCE IKE * Recv packet if of vsys * IKE Recv : KE NONCE IKE Process KE: IKE Process NONCE: IKE Construct ISAKMP header. IKE Construct ID for ISAKMP IKE Construct HASH IKE Xmit*: ID HASH IKE * Recv packet if of vsys * IKE Recv*: ID HASH IKE Process ID: IKE Process HASH: IKE Phase 1: Comple

21、ted Main mode negotiation with a -second lifetime.,IKE Debug Example, P2 :Initiate,IKE Phase 2: Initiated Quick Mode negotiation. IKE Construct ISAKMP header. IKE Construct HASH IKE Construct SA for IPSEC IKE Construct NONCE for IPSec IKE Construct KE for PFS IKE Construct ID for Phase 2 IKE Constru

22、ct ID for Phase 2 IKE Xmit*: HASH SA NONCE KE ID ID IKE * Recv packet if of vsys * IKE Recv*: HASH SA NONCE KE ID ID IKE Process SA: IKE Process KE: IKE Process NONCE: IKE Process ID: IKE Process ID: IKE Phase 2 msg-id : Completed Quick Mode negotiation with SPI , tunnel ID , and lifetime seconds/ K

23、B. IKE Construct ISAKMP header. IKE Construct HASH in QM IKE Xmit*: HASH,IKE Debug Example, P1 :Responser,IKE * Recv packet if of vsys * IKE Recv : SA VID VID IKE Process VID: IKE Process VID: IKE Process SA: IKE Construct ISAKMP header. IKE Construct SA for ISAKMP IKE Construct NetScreen VID IKE Co

24、nstruct custom VID IKE Xmit : SA VID VID IKE * Recv packet if of vsys * IKE Recv : KE NONCE IKE Process KE: IKE Process NONCE: IKE Construct ISAKMP header. IKE Construct KE for ISAKMP IKE Construct NONCE IKE Xmit : KE NONCE IKE * Recv packet if of vsys * IKE Recv*: ID HASH IKE Process ID: IKE Proces

25、s HASH: IKE Construct ISAKMP header. IKE Construct ID for ISAKMP IKE Construct HASH IKE Xmit*: ID HASH IKE Phase 1: Completed Main mode negotiation with a -second lifetime.,IKE Debug Example, P2 :Responser,IKE * Recv packet if of vsys * IKE Recv*: HASH SA NONCE KE ID ID IKE Process SA: IKE Process K

26、E: IKE Process NONCE: IKE Process ID: IKE Process ID: IKE Construct ISAKMP header. IKE Construct HASH IKE Construct SA for IPSEC IKE Construct NONCE for IPSec IKE Construct KE for PFS IKE Construct ID for Phase 2 IKE Construct ID for Phase 2 IKE Xmit*: HASH SA NONCE KE ID ID IKE * Recv packet if of

27、vsys * IKE Recv*: HASH IKE Phase 2 msg-id : Completed Quick Mode negotiation with SPI , tunnel ID , and lifetime seconds/ KB.,Debug ?,admin debug admin arp arp debugging asp ASP debugging asset-recovery asset recovery debugging auth user authentication debugging autocfg Auto config debugging av Anti

28、Virus debugging bgp bgp debugging cluster command propagated to cluster members cpapi cpapi debugging dhcp debug dhcp dip dip debugging dlog dlog debugging dns dns debugging driver driver debugging emweb EmWeb debugging filesys Filesys debugging flash flash operating debugging flow Flow level debugg

29、ing flow-tunnel Flow Tunnel debugging fs file system debugging,gc gc receive and transmit debug gdb GDB debugging global-pro global-pro debugging gt generic tunnel debugging gtmac gtmac debug h323 h323 debugging httpfx http-fx debugging icmp icmp debugging idp set idp debug parameters ids ids debugg

30、ing igmp igmp debugging ike ike debugging interface interface debugging intfe Intfe debugging ip ip debugging ixf ixf debug l2tp L2TP debugging lance Lance debugging ldap ldap debug menu logging logging debugging memory Memory debugging mip mip debugging modem Moden debugging,Debug ?,nasa nasa debug

31、ging nat nat debugging netif netif debugging npak npak debugging nrtp Reliable Xfer Protocol debugging nsgp debug nsgp nsmgmt debug nsmgmt nsp NSM NSP message content nsrd NSRD debugging nsrp debug nsrp obj-id obj id debugging ospf ospf debugging pccard Pccard debugging pim pim debugging pki pki deb

32、ug menu pluto Pluto debugging policy policy debugging portnum portnum debugging ppcdrv driver debugging ppp ppp debugging pppoe pppoe debugging proxy tcp proxy debugging,rd rd debug info report report debugging rip rip debugging rm rm debugging rms rms debug info rpc rpc debugging rs rs debug info s

33、a-mon sa monitor debugging scan-mgr scan manager debugging sendmail sendmail debugging session session debugging shaper debug shaper sip sip debugging snmp snmpnew debugging socket socket debug ssh debug ssh ssl ssl debugging stflow saturn flow debug info sw-key software key debugging syslog syslog

34、debugging,Debug ?,tag tag info task Task debugging tcp tcp debug telnet debug telnet time device clock time debugging timer Timer debugging trackip debug trackip traffic traffic control debugging udp udp debugging uf UF debugging url-blk url filtering debugging user user/group database debugging vip

35、 vip debugging vr vritual router debugging vsys vsys debugging vwire VWIRE debugging web WebUI debugging webtrends webtrends debugging zone zone debugging,Debug Flow vs. Snoop,Debug Flow Sampled at higher flow level Provides information about how the NetScreen processes a packet Can be used to debug

36、 higher level flow problems,Snoop Sampled at lower driver level Provides information as to whether a packet reached the NetScreens interface Can be used to debug very basic IP/Ethernet level problems.,The snoop tool should be used when the debug tool is showing that no packets are being processed, yet you are certain that data is reaching the NetScreen.,應(yīng)急響應(yīng)Snoop,1. Snoop filter ip src-ip x.x.x.x dst-ip x.x.x.x dst-port xx 設(shè)置過濾列表,定義捕獲包的范圍 2、clear dbuf： 清除防火墻內(nèi)存中緩存的分析包 3、snoop： 開啟snoop功能捕獲數(shù)據(jù)