




Firewall: Routine Maintenance and Fault Response

Routine maintenance
- Obtain basic information
- Check NSRP status
- Raise the alerting level
- Policy configuration and optimization
- Attack defense
- Handling of special applications
- Organize the service topology and records
- Build a simulation environment

Routine maintenance: obtaining basic system information
- Get sys-cfg: learn the system's default parameter settings
- Get clock: confirm the system time
- get session info: view session details
- get performance cpu:

    51) in vr trust-vr for vsd-0/flag-0/ifp-null
    Dest 2.route 51-, to untrust
    routed (172.27.10.251, ) from trust (trust in 0) to untrust
    policy search from zone 2- zone 1
    No SW RPC rule match, search HW rule
    Permitted by policy 9
    No src xlate
    choose interface untrust as outgoing phy if
    no loop on ifp untrust.
    session application type 0, name None, timeout 60sec
    service lookup identified service 0.
    Session (id:818) created for first pak 1
    route to 51
    arp entry found for 51
    nsp2 wing prepared, ready
    cache mac in the session
    flow got session.
    flow session id 818
    post addr xlation: 05-51.

Emergency handling: Debug

    * 997629.0: packet received 60*
    ipid = 29278(725e), 03c391d0
    packet passed sanity check.
    untrust:51/512-05/4608,1(0/0)
    existing session found. sess token 3
    flow got session.
    flow session id 818
    post addr xlation: 51-05.

IKE Debugger Basics
- For simplicity, try to initiate only 1 IKE tunnel at a time.
- To turn the debugger ON/OFF: debug ike basic / debug ike detail
- Try to run the debug during a scheduled downtime.

IKE Debug Example, P1: Initiate

    IKE * Recv kernel msg IDX-0, TYPE-5 *
    IKE Phase 1: Initiated negotiation in main mode. 08
    IKE Construct ISAKMP header.
    IKE Construct SA for ISAKMP
    IKE Construct NetScreen VID
    IKE Construct custom VID
    IKE Xmit : SA VID VID
    IKE * Recv packet if of vsys *
    IKE Recv : SA VID VID
    IKE Process VID:
    IKE Process VID:
    IKE Process SA:
    IKE Construct ISAKMP header.
    IKE Construct KE for ISAKMP
    IKE Construct NONCE
    IKE Xmit : KE NONCE
    IKE * Recv packet if of vsys *
    IKE Recv : KE NONCE
    IKE Process KE:
    IKE Process NONCE:
    IKE Construct ISAKMP header.
    IKE Construct ID for ISAKMP
    IKE Construct HASH
    IKE Xmit*: ID HASH
    IKE * Recv packet if of vsys *
    IKE Recv*: ID HASH
    IKE Process ID:
    IKE Process HASH:
    IKE Phase 1: Completed Main mode negotiation with a -second lifetime.

IKE Debug Example, P2: Initiate

    IKE Phase 2: Initiated Quick Mode negotiation.
    IKE Construct ISAKMP header.
    IKE Construct HASH
    IKE Construct SA for IPSEC
    IKE Construct NONCE for IPSec
    IKE Construct KE for PFS
    IKE Construct ID for Phase 2
    IKE Construct ID for Phase 2
    IKE Xmit*: HASH SA NONCE KE ID ID
    IKE * Recv packet if of vsys *
    IKE Recv*: HASH SA NONCE KE ID ID
    IKE Process SA:
    IKE Process KE:
    IKE Process NONCE:
    IKE Process ID:
    IKE Process ID:
    IKE Phase 2 msg-id : Completed Quick Mode negotiation with SPI , tunnel ID , and lifetime seconds/ KB.
    IKE Construct ISAKMP header.
    IKE Construct HASH in QM
    IKE Xmit*: HASH

IKE Debug Example, P1: Responder

    IKE * Recv packet if of vsys *
    IKE Recv : SA VID VID
    IKE Process VID:
    IKE Process VID:
    IKE Process SA:
    IKE Construct ISAKMP header.
    IKE Construct SA for ISAKMP
    IKE Construct NetScreen VID
    IKE Construct custom VID
    IKE Xmit : SA VID VID
    IKE * Recv packet if of vsys *
    IKE Recv : KE NONCE
    IKE Process KE:
    IKE Process NONCE:
    IKE Construct ISAKMP header.
    IKE Construct KE for ISAKMP
    IKE Construct NONCE
    IKE Xmit : KE NONCE
    IKE * Recv packet if of vsys *
    IKE Recv*: ID HASH
    IKE Process ID:
    IKE Process HASH:
    IKE Construct ISAKMP header.
    IKE Construct ID for ISAKMP
    IKE Construct HASH
    IKE Xmit*: ID HASH
    IKE Phase 1: Completed Main mode negotiation with a -second lifetime.

IKE Debug Example, P2: Responder

    IKE * Recv packet if of vsys *
    IKE Recv*: HASH SA NONCE KE ID ID
    IKE Process SA:
    IKE Process KE:
    IKE Process NONCE:
    IKE Process ID:
    IKE Process ID:
    IKE Construct ISAKMP header.
    IKE Construct HASH
    IKE Construct SA for IPSEC
    IKE Construct NONCE for IPSec
    IKE Construct KE for PFS
    IKE Construct ID for Phase 2
    IKE Construct ID for Phase 2
    IKE Xmit*: HASH SA NONCE KE ID ID
    IKE * Recv packet if of vsys *
    IKE Recv*: HASH
    IKE Phase 2 msg-id : Completed Quick Mode negotiation with SPI , tunnel ID , and lifetime seconds/ KB.

Debug ?

    admin            debug admin
    arp              arp debugging
    asp              ASP debugging
    asset-recovery   asset recovery debugging
    auth             user authentication debugging
    autocfg          Auto config debugging
    av               AntiVirus debugging
    bgp              bgp debugging
    cluster          command propagated to cluster members
    cpapi            cpapi debugging
    dhcp             debug dhcp
    dip              dip debugging
    dlog             dlog debugging
    dns              dns debugging
    driver           driver debugging
    emweb            EmWeb debugging
    filesys          Filesys debugging
    flash            flash operating debugging
    flow             Flow level debugging
    flow-tunnel      Flow Tunnel debugging
    fs               file system debugging
    gc               gc receive and transmit debug
    gdb              GDB debugging
    global-pro       global-pro debugging
    gt               generic tunnel debugging
    gtmac            gtmac debug
    h323             h323 debugging
    httpfx           http-fx debugging
    icmp             icmp debugging
    idp              set idp debug parameters
    ids              ids debugging
    igmp             igmp debugging
    ike              ike debugging
    interface        interface debugging
    intfe            Intfe debugging
    ip               ip debugging
    ixf              ixf debug
    l2tp             L2TP debugging
    lance            Lance debugging
    ldap             ldap debug menu
    logging          logging debugging
    memory           Memory debugging
    mip              mip debugging
    modem            Moden debugging
    nasa             nasa debugging
    nat              nat debugging
    netif            netif debugging
    npak             npak debugging
    nrtp             Reliable Xfer Protocol debugging
    nsgp             debug nsgp
    nsmgmt           debug nsmgmt
    nsp              NSM NSP message content
    nsrd             NSRD debugging
    nsrp             debug nsrp
    obj-id           obj id debugging
    ospf             ospf debugging
    pccard           Pccard debugging
    pim              pim debugging
    pki              pki debug menu
    pluto            Pluto debugging
    policy           policy debugging
    portnum          portnum debugging
    ppcdrv           driver debugging
    ppp              ppp debugging
    pppoe            pppoe debugging
    proxy            tcp proxy debugging
    rd               rd debug info
    report           report debugging
    rip              rip debugging
    rm               rm debugging
    rms              rms debug info
    rpc              rpc debugging
    rs               rs debug info
    sa-mon           sa monitor debugging
    scan-mgr         scan manager debugging
    sendmail         sendmail debugging
    session          session debugging
    shaper           debug shaper
    sip              sip debugging
    snmp             snmpnew debugging
    socket           socket debug
    ssh              debug ssh
    ssl              ssl debugging
    stflow           saturn flow debug info
    sw-key           software key debugging
    syslog           syslog debugging
    tag              tag info
    task             Task debugging
    tcp              tcp debug
    telnet           debug telnet
    time             device clock time debugging
    timer            Timer debugging
    trackip          debug trackip
    traffic          traffic control debugging
    udp              udp debugging
    uf               UF debugging
    url-blk          url filtering debugging
    user             user/group database debugging
    vip              vip debugging
    vr               vritual router debugging
    vsys             vsys debugging
    vwire            VWIRE debugging
    web              WebUI debugging
    webtrends        webtrends debugging
    zone             zone debugging

Debug Flow vs. Snoop

Debug Flow
- Sampled at higher flow level
- Provides information about how the NetScreen processes a packet
- Can be used to debug higher level flow problems

Snoop
- Sampled at lower driver level
- Provides information as to whether a packet reached the NetScreen's interface
- Can be used to debug very basic IP/Ethernet level problems.

The snoop tool should be used when the debug tool is showing that no packets are being processed, yet you are certain that data is reaching the NetScreen.

Emergency response: Snoop
1. Snoop filter ip src-ip x.x.x.x dst-ip x.x.x.x dst-port xx: set the filter list, defining the range of packets to capture
2. clear dbuf: clear the analysis packets cached in the firewall's memory
3. snoop: enable snoop to capture packets
4. Send test packets, or let a small amount of traffic traverse the firewall
5. snoop off: stop snoop
6. get db stream: check the firewall's analysis results for packets that match the filter
7. snoop filter delete: clear the firewall's snoop filter list
8. clear dbuf: clear the debug information cached on the firewall
9. snoop info: view the snoop settings

Snoop Example

    ns5gt- get db s
    999437.0: 2(i):000ae6f2ad4f-0010db3b84e2/0800 05-51/1, tlen=60 vhl=45, tos=00, id=15610, frag=0000, ttl=128 icmp:type=8, code=0
    999437.0: 1(o):0010db3b84e1-080020f
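
A small parser for the snoop records shown above, for checking which packets captured inbound also left the firewall. This is an added example, not part of the original slides; the function names are hypothetical. It assumes each record sits on one line as it does on this page, that (i)/(o) mark inbound and outbound, and that pairing records on the IP id field is an adequate heuristic.

```python
import re

# Record 1 is the line from the page (addresses are garbled there and kept
# as an opaque token). Records 2 and 3 are constructed for this example.
SAMPLE = """\
999437.0: 2(i):000ae6f2ad4f-0010db3b84e2/0800 05-51/1, tlen=60 vhl=45, tos=00, id=15610, frag=0000, ttl=128 icmp:type=8, code=0
999437.0: 1(o):0010db3b84e1-020000000001/0800 05-51/1, tlen=60 vhl=45, tos=00, id=15610, frag=0000, ttl=127 icmp:type=8, code=0
999440.0: 2(i):000ae6f2ad4f-0010db3b84e2/0800 05-51/1, tlen=60 vhl=45, tos=00, id=15611, frag=0000, ttl=128 icmp:type=8, code=0
"""

# timestamp: ifnum(direction):srcmac-dstmac/ethertype addrs/proto, key=value ...
RECORD = re.compile(
    r"^(?P<ts>\d+\.\d+):\s*(?P<ifnum>\d+)\((?P<dir>[io])\):"
    r"(?P<src_mac>[0-9a-f]{12})-(?P<dst_mac>[0-9a-f]{12})/(?P<ethertype>[0-9a-f]{4})"
    r"\s+(?P<addrs>\S+)/(?P<proto>\d+),\s*(?P<rest>.*)$"
)
FIELD = re.compile(r"(\w+)=(\w+)")


def parse_snoop(text):
    """Return one dict per complete snoop record; all values stay strings."""
    records = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # CLI prompt, truncated record, or unrelated output
        rec = m.groupdict()
        # Fold tlen=, vhl=, tos=, id=, frag=, ttl=, type=, code= into the record.
        rec.update(FIELD.findall(rec.pop("rest")))
        records.append(rec)
    return records


def unforwarded(records):
    """Inbound records with no outbound record carrying the same IP id."""
    out_ids = {r["id"] for r in records if r["dir"] == "o"}
    return [r for r in records if r["dir"] == "i" and r["id"] not in out_ids]


if __name__ == "__main__":
    for r in unforwarded(parse_snoop(SAMPLE)):
        print("seen inbound only: ts=%s if=%s id=%s" % (r["ts"], r["ifnum"], r["id"]))
```

An inbound record with no outbound match means the packet reached the interface but was not forwarded, which is the case where debug flow output should be examined next.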