Slide deck: juniper日常维护和故障响应.ppt (Juniper firewall daily maintenance and fault response, 40 slides).
# Firewall daily maintenance and fault response

## Routine maintenance

- Obtain basic system information
- Check NSRP status
- Raise the early-warning level
- Policy configuration and optimisation
- Attack defence
- Handling of special applications
- Document the service topology and keep records
- Build a lab environment

## Routine maintenance: obtaining basic system information

- get sys-cfg: the system's default parameter settings
- get clock: confirm the system time
- get session info: session details
- get performance cpu: CPU utilisation (50%)
- get performance cpu detail: CPU utilisation history
- get performance cpu all detail
- get memory: memory uses a "pre-allocation" mechanism (90)
- get interface: interface details
- get route: the routing table
- get log event: the ordinary event log
- get alarm event: the alarm event log. The exact meaning of a log message can be looked up in Netscreen防火墙日志信息速查表.pdf (the NetScreen firewall log-message quick reference).
- get chassis: hardware card status, temperature and so on

## Routine maintenance: checking NSRP status

- exec nsrp sync global-config check-sum: check whether the configuration commands of the two units are synchronised.
- exec nsrp sync global-config save: if the configuration of the pair has not synchronised automatically, run this to synchronise manually; a system reboot is required.
- get nsrp: status of the devices in the NSRP cluster, the master/backup relationship, session synchronisation and which parameters are on or off.
- exec nsrp sync rto all from peer: manually synchronise RTO information so that both units hold consistent session information.
- get alarm event: check the device alarms, which include NSRP state-change messages.
- exec nsrp vsd-group 0 mode backup: for a manual master/backup switch, run this on the master when preempt mode is not enabled on it.
- exec nsrp vsd-group 0 mode ineligible: for a manual master/backup switch, run this on the master when preempt mode is enabled on it.
- set failover on / set failover auto: enable redundant interfaces and allow them to fail over automatically.
- exec failover force: manually switch the active port over to the backup port.
- exec failover revert: manually switch from the backup port back to the active port.

## Routine maintenance: raising the early-warning level

Take CPU monitoring as an example. The SNMP management station can plot the CPU load curve in real time, and on top of that several alarm thresholds can be set, for instance five levels that alarm at 50%, 60%, 70%, 80% and 90% CPU load. This gives a kind of "pre-alarm": the operator can respond proactively before network traffic is seriously affected, which raises system reliability.

The objects to monitor:

- nsResCpuAvg: current CPU utilisation (1.3.6.1.4.1.3224.16.1.1)
- nsResCpuLast1Min: CPU utilisation over the last minute (1.3.6.1.4.1.3224.16.1.2)
- nsResSessAllocate: current session count (1.3.6.1.4.1.3224.16.3.2)
- IfEntry: the RFC 1213 interface table (1.3.6.1.2.1.2.2.1). Focus on ifOperStatus, ifInOctets, ifInUcastPkts, ifInNUcastPkts, ifInDiscards, ifInErrors, ifInUnknownProtos, ifOutOctets, ifOutUcastPkts, ifOutNUcastPkts, ifOutDiscards, ifOutErrors and ifOutQLen.
- nsrpRtoCounterEntry: NSRP RTO object counters (1.3.6.1.4.1.3224.6.3.3.3.1). Focus on the session create, clear and change curves, that is the rate of change of the SESS_CR, SESS_CL and SESS_CH entries of nsrpRtoCounterName.
- nsrpVsdMemberStatus: NSRP cluster member status (1.3.6.1.4.1.3224.6.2.2.1.3)

Tracking workflow:

1. Security-event pre-alarm (CPU, sessions)
2. Check whether the traffic or session count of each policy is growing abnormally
3. Determine the address range of the abnormal traffic
4. Analyse with debug or a sniffer
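An added example (not from the deck) of the pre-alarm logic above: the five CPU levels are evaluated so that each step fires once, and the SESS_CR/SESS_CL/SESS_CH RTO counters are turned into rates between two polls. The OID is the nsResCpuLast1Min one listed above; the poll values are constructed, and the RTO counters are assumed to be 32-bit wrapping counters.

```python
"""Tiered CPU pre-alarm and NSRP RTO session-counter rates from SNMP polls.
Added example, not part of the deck; the poll values used below are
constructed. The OID is the nsResCpuLast1Min one the deck lists; the RTO
counters are assumed to be 32-bit wrapping counters."""
from typing import Dict, List, Tuple

OID_CPU_1MIN = "1.3.6.1.4.1.3224.16.1.2"      # nsResCpuLast1Min
CPU_LEVELS = (50, 60, 70, 80, 90)             # the deck's five alarm levels, ascending


def cpu_alarm_level(cpu_pct: int, levels: Tuple[int, ...] = CPU_LEVELS) -> int:
    """0 = no alarm, otherwise 1..len(levels): the highest threshold reached."""
    return sum(1 for t in levels if cpu_pct >= t)


def level_from_poll(poll: Dict[str, int]) -> int:
    """Alarm level for one SNMP GET result keyed by OID. The 1-minute average
    is used so that a single sampling spike does not page anyone."""
    return cpu_alarm_level(poll[OID_CPU_1MIN])


def escalations(samples: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """(timestamp, cpu%) polls -> (timestamp, level) each time the level rises,
    so every step of the pre-alarm fires once rather than on every poll."""
    events, current = [], 0
    for ts, cpu in samples:
        level = cpu_alarm_level(cpu)
        if level > current:
            events.append((ts, level))
        current = level
    return events


def rto_rates(prev: Dict[str, int], cur: Dict[str, int], interval_s: int) -> Dict[str, float]:
    """Per-second rate of the nsrpRtoCounterEntry session counters between two
    polls (SESS_CR = create, SESS_CL = clear, SESS_CH = change), modulo 2**32
    so a counter wrap between polls does not produce a negative rate."""
    return {name: ((cur[name] - prev[name]) % (1 << 32)) / interval_s
            for name in ("SESS_CR", "SESS_CL", "SESS_CH")}


def session_rate_alarm(rates: Dict[str, float], baseline_cr: float, factor: float = 3.0) -> bool:
    """True when sessions are created at `factor` times the baseline rate
    established in routine maintenance: the cue to check per-policy growth."""
    return rates["SESS_CR"] > factor * baseline_cr


if __name__ == "__main__":   # constructed polls, one every 60 s
    print(escalations([(0, 42), (60, 55), (120, 58), (180, 75), (240, 65), (300, 92)]))
    print(rto_rates({"SESS_CR": 4294967000, "SESS_CL": 100, "SESS_CH": 0},
                    {"SESS_CR": 300, "SESS_CL": 400, "SESS_CH": 60}, 60))
```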
## Routine maintenance: policy configuration and optimisation

- Log (record logs) and Count (traffic statistics) on policies
- Address groups and service groups
- Deleting policies and objects
- Inter-zone policies, intra-zone policies and global policies; MIP/VIP addresses belong to the Global zone
- Policy change control: exec policy verify, exec policy verify global

## Routine maintenance: attack defence (Screen)

- The attack-defence functions consume part of the firewall's CPU resources.
- Some in-house applications may send packets in non-standard formats.
- The network may contain unconventional designs.
- Screen options should therefore be enabled step by step (successive approximation), using the "Generate Alarms without Dropping Packet" option.

## Routine maintenance: handling special applications

- set service timeout
- unset flow tcp-syn-check
- set alg h323 disable
- set policy id X from trust to untrust any any h.323 permit
- set policy id X application ignore

## Routine maintenance: documenting the service topology and keeping records

- Understand the service types and traffic characteristics in the network thoroughly, and keep optimising the firewall policies.
- Produce a complete view of the network environment (network interfaces, interconnect addresses, protected segments, traffic directions, the policy table, application types and so on) so that faults can be located quickly when the network misbehaves.
- Prepare a backup configuration document for the upstream and downstream switches (with the interface addresses and route pointers in it adjusted) that provides a standby network path, so that the firewall can be bypassed quickly if it suffers a hardware failure and services keep running.
- During routine maintenance establish a baseline of firewall resource usage, as the reference for judging whether the network is behaving abnormally.
- Take every fault alarm the firewall produces seriously, understand it, and fix the underlying problem at the first opportunity.
- Keep an operations record for the device so that configuration changes and incident handling have a complete maintenance history, and periodically review whether the configuration, policies and routing are optimal.
- Fault scenarios and drills: routine maintenance should consider what can go wrong at each point of the network and how to respond; where conditions allow, rehearse the handling procedure for the various faults in the real environment, for example a device failing in the NSRP cluster, or the path-protection switchover when a cable or a switch fails.

## Routine maintenance: building a lab environment

Learn, understand and verify through experiments.

## Emergency response

- Packet processing flow
- Quickly check and preserve fault information
- NSRP emergency operations
- Firewall bypass
- Debug
- Snoop
- Sniffer

## Emergency response: packet processing flow

(Diagram slide; no text.)

## Emergency response: quickly checking and preserving fault information

- get clock: the time point of the analysis record
- get tech: basic information, for requesting TAC support
- get log system: the system-module log
- get log sys saved: the saved system-module log, used to analyse the dumped data after a system crash
- get session info: the session count
- get performance session detail: the history of session creation
- get performance cpu all detail: the load history of both CPUs
- get memory: the amount of free memory
- get memory chunk: memory allocation
- get os task: system tasks
- get net-pak stats: packet statistics
- get socket: ports the firewall has open
- get pport: port address translation
- get gate: gateway (ALG gate) usage
- get tcp: TCP connections
- get interface: interface status
- get event
- get alarm event
- get log event

## Emergency response: NSRP emergency operations

- get nsrp
- exec nsrp vsd-group 0 mode backup

## Emergency response: firewall bypass

Bypass through the backup router or layer-3 switch, but do not power off the firewall.

## Emergency response: Debug

Trace how the firewall handles a specified packet:

- Traffic not passing: debug flow basic
- VPN not working: debug ike detail
- Everything else: debug ?

Procedure:

- set ffilter src-ip dst-ip dst-port xx: set the filter list that defines which packets are captured
- clear dbuf: clear the analysis packets buffered in firewall memory
- debug flow basic: turn on debug tracing of the flow
- Send test packets, or let a small amount of traffic pass through the firewall
- undebug all: turn off all debug functions
- get dbuf stream: view the firewall's analysis of the packets that matched the filter
- unset ffilter: clear the firewall's debug filter list
- clear dbuf: clear the buffered debug information
- get debug: view the current debug settings

Example output (first packet of a new session, trust to untrust):

```
****** 997629.0: packet received 60 ******
  ipid = 5359(14ef), 03c9f550
  packet passed sanity check.
  trust:192.168.100.205/4608->172.27.10.251/512,1(8/0)
  chose interface trust as incoming nat if.
  search route to (trust, 192.168.100.205->172.27.10.251) in vr trust-vr for vsd-0/flag-0/ifp-null
  Dest 2.route 172.27.10.251->0.0.0.0, to untrust
  routed (172.27.10.251, 0.0.0.0) from trust (trust in 0) to untrust
  policy search from zone 2-> zone 1
  No SW RPC rule match, search HW rule
  Permitted by policy 9
  No src xlate   choose interface untrust as outgoing phy if
  no loop on ifp untrust.
  session application type 0, name None, timeout 60sec
  service lookup identified service 0.
  Session (id:818) created for first pak 1
  arp nsp2 wing prepared, ready
  cache mac in the session
  flow got session.
  flow session id 818
  post addr xlation: 192.168.100.205->172.27.10.251.
```

Example output (return packet matching the existing session):

```
****** 997629.0: packet received 60 ******
  ipid = 29278(725e), 03c391d0
  packet passed sanity check.
  untrust:172.27.10.251/512->192.168.100.205/4608,1(0/0)
  existing session found. sess token 3
  flow got session.
  flow session id 818
  post addr xlation: 172.27.10.251->192.168.100.205.
```

## IKE debugger basics

- For simplicity, try to initiate only one IKE tunnel at a time.
- To turn the debugger on or off: debug ike basic / debug ike detail
- Try to run the debug during a scheduled downtime.

## IKE debug example: Phase 1, initiator

```
IKE *Recv kernel msg IDX-0,TYPE-5*
IKE Phase 1: Initiated negotiation in main mode.
172.27.10.208
IKE Construct ISAKMP header.
IKE Construct SA for ISAKMP
IKE Construct NetScreen VID
IKE Construct custom VID
IKE Xmit: SA VID VID
IKE *Recv packet if of vsys*
IKE Recv: SA VID VID
IKE Process VID:
IKE Process VID:
IKE Process SA:
IKE Construct ISAKMP header.
IKE Construct KE for ISAKMP
IKE Construct NONCE
IKE Xmit: KE NONCE
IKE *Recv packet if of vsys*
IKE Recv: KE NONCE
IKE Process KE:
IKE Process NONCE:
IKE Construct ISAKMP header.
IKE Construct ID for ISAKMP
IKE Construct HASH
IKE Xmit*: ID HASH
IKE *Recv packet if of vsys*
IKE Recv*: ID HASH
IKE Process ID:
IKE Process HASH:
IKE Phase 1: Completed Main mode negotiation with a -second lifetime.
```

## IKE debug example: Phase 2, initiator

```
IKE Phase 2: Initiated Quick Mode negotiation.
IKE Construct ISAKMP header.
IKE Construct HASH
IKE Construct SA for IPSEC
IKE Construct NONCE for IPSec
IKE Construct KE for PFS
IKE Construct ID for Phase 2
IKE Construct ID for Phase 2
IKE Xmit*: HASH SA NONCE KE ID ID
IKE *Recv packet if of vsys*
IKE Recv*: HASH SA NONCE KE ID ID
IKE Process SA:
IKE Process KE:
IKE Process NONCE:
IKE Process ID:
IKE Process ID:
IKE Phase 2 msg-id: Completed Quick Mode negotiation with SPI, tunnel ID, and lifetime seconds/KB.
IKE Construct ISAKMP header.
IKE Construct HASH in QM
IKE Xmit*: HASH
```

## IKE debug example: Phase 1, responder

```
IKE *Recv packet if of vsys*
IKE Recv: SA VID VID
IKE Process VID:
IKE Process VID:
IKE Process SA:
IKE Construct ISAKMP header.
IKE Construct SA for ISAKMP
IKE Construct NetScreen VID
IKE Construct custom VID
IKE Xmit: SA VID VID
IKE *Recv packet if of vsys*
IKE Recv: KE NONCE
IKE Process KE:
IKE Process NONCE:
IKE Construct ISAKMP header.
IKE Construct KE for ISAKMP
IKE Construct NONCE
IKE Xmit: KE NONCE
IKE *Recv packet if of vsys*
IKE Recv*: ID HASH
IKE Process ID:
IKE Process HASH:
IKE Construct ISAKMP header.
IKE Construct ID for ISAKMP
IKE Construct HASH
IKE Xmit*: ID HASH
IKE Phase 1: Completed Main mode negotiation with a -second lifetime.
```

## IKE debug example: Phase 2, responder

```
IKE *Recv packet if of vsys*
IKE Recv*: HASH SA NONCE KE ID ID
IKE Process SA:
IKE Process KE:
IKE Process NONCE:
IKE Process ID:
IKE Process ID:
IKE Construct ISAKMP header.
IKE Construct HASH
IKE Construct SA for IPSEC
IKE Construct NONCE for IPSec
IKE Construct KE for PFS
IKE Construct ID for Phase 2
IKE Construct ID for Phase 2
IKE Xmit*: HASH SA NONCE KE ID ID
IKE *Recv packet if of vsys*
IKE Recv*: HASH
IKE Phase 2 msg-id: Completed Quick Mode negotiation with SPI, tunnel ID, and lifetime seconds/KB.
```

## debug ?

The debug targets the CLI lists:

```
admin            debug admin
arp              arp debugging
asp              ASP debugging
asset-recovery   asset recovery debugging
auth             user authentication debugging
autocfg          Auto config debugging
av               AntiVirus debugging
bgp              bgp debugging
cluster          command propagated to cluster members
cpapi            cpapi debugging
dhcp             debug dhcp
dip              dip debugging
dlog             dlog debugging
dns              dns debugging
driver           driver debugging
emweb            EmWeb debugging
filesys          Filesys debugging
flash            flash operating debugging
flow             Flow level debugging
flow-tunnel      Flow Tunnel debugging
fs               file system debugging
gc               gc receive and transmit debug
gdb              GDB debugging
global-pro       global-pro debugging
gt               generic tunnel debugging
gtmac            gtmac debug
h323             h323 debugging
httpfx           http-fx debugging
icmp             icmp debugging
idp              set idp debug parameters
ids              ids debugging
igmp             igmp debugging
ike              ike debugging
interface        interface debugging
intfe            Intfe debugging
ip               ip debugging
ixf              ixf debug
l2tp             L2TP debugging
lance            Lance debugging
ldap             ldap debug menu
logging          logging debugging
memory           Memory debugging
mip              mip debugging
modem            Moden debugging
nasa             nasa debugging
nat              nat debugging
netif            netif debugging
npak             npak debugging
nrtp             Reliable Xfer Protocol debugging
nsgp             debug nsgp
nsmgmt           debug nsmgmt
nsp              NSM NSP message content
nsrd             NSRD debugging
nsrp             debug nsrp
obj-id           obj id debugging
ospf             ospf debugging
pccard           Pccard debugging
pim              pim debugging
pki              pki debug menu
pluto            Pluto debugging
policy           policy debugging
portnum          portnum debugging
ppcdrv           driver debugging
ppp              ppp debugging
pppoe            pppoe debugging
proxy            tcp proxy debugging
rd               rd debug info
report           report debugging
rip              rip debugging
rm               rm debugging
rms              rms debug info
rpc              rpc debugging
rs               rs debug info
sa-mon           sa monitor debugging
scan-mgr         scan manager debugging
sendmail         sendmail debugging
session          session debugging
shaper           debug shaper
sip              sip debugging
snmp             snmpnew debugging
socket           socket debug
ssh              debug ssh
ssl              ssl debugging
stflow           saturn flow debug info
sw-key           software key debugging
syslog           syslog debugging
tag              tag info
task             Task debugging
tcp              tcp debug
telnet           debug telnet
time             device clock time debugging
timer            Timer debugging
trackip          debug trackip
traffic          traffic control debugging
udp              udp debugging
uf               UF debugging
url-blk          url filtering debugging
user             user/group database debugging
vip              vip debugging
vr               vritual router debugging
vsys             vsys debugging
vwire            VWIRE debugging
web              WebUI debugging
webtrends        webtrends debugging
zone             zone debugging
```
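An added example (not from the deck) that reads the `get dbuf stream` output shown in the two debug flow dumps above and pulls out what a troubleshooter checks first for "traffic not passing": ingress zone, chosen egress interface, the policy verdict, and whether a session was created or reused. SAMPLE is a constructed, shortened copy of those dumps; the "Denied by policy" wording is assumed as the counterpart of the "Permitted by policy" line the dump shows.

```python
"""Summarise `get dbuf stream` output captured with `debug flow basic`.
Added example, not from the deck. SAMPLE is a constructed, shortened copy of
the two dumps shown above; 'Denied by policy' is assumed here as the
counterpart of the 'Permitted by policy' line the dump shows."""
import re
from typing import Dict, List

SAMPLE = """\
****** 997629.0: packet received 60 ******
  trust:192.168.100.205/4608->172.27.10.251/512,1(8/0)
  Dest 2.route 172.27.10.251->0.0.0.0, to untrust
  Permitted by policy 9
  Session (id:818) created for first pak 1
  flow session id 818
****** 997629.0: packet received 60 ******
  untrust:172.27.10.251/512->192.168.100.205/4608,1(0/0)
  existing session found. sess token 3
  flow session id 818
"""

RE_BANNER = re.compile(r"\*+ ?\d+\.\d+: ?packet received")
RE_PKT = re.compile(r"(\w+):([\d.]+)/\d+->([\d.]+)/\d+,(\d+)\(")
RE_ROUTE = re.compile(r"route [\d.]+->[\d.]+, ?to (\w+)")
RE_POLICY = re.compile(r"(Permitted|Denied) by policy (\d+)")
RE_SESSID = re.compile(r"flow session id (\d+)")


def parse_flow_dump(text: str) -> List[Dict[str, object]]:
    """One record per packet: ingress zone, addresses, IP protocol, egress
    interface, policy verdict, session id and whether the session was new."""
    records = []
    for chunk in RE_BANNER.split(text)[1:]:     # [0] is text before the first banner
        rec = dict.fromkeys(("zone", "src", "dst", "proto", "out_if", "policy", "verdict", "session"))
        rec["new_session"] = "created for first pak" in chunk
        if m := RE_PKT.search(chunk):
            rec.update(zone=m[1], src=m[2], dst=m[3], proto=int(m[4]))
        if m := RE_ROUTE.search(chunk):
            rec["out_if"] = m[1]
        if m := RE_POLICY.search(chunk):
            rec["verdict"], rec["policy"] = m[1].lower(), int(m[2])
        if m := RE_SESSID.search(chunk):
            rec["session"] = int(m[1])
        records.append(rec)
    return records


def explain(rec: Dict[str, object]) -> str:
    """One-line reading of a record for the 'traffic not passing' case."""
    if rec["verdict"] == "denied":
        return f"dropped by policy {rec['policy']}"
    if rec["new_session"]:
        return f"new session {rec['session']}: {rec['zone']} -> {rec['out_if']} via policy {rec['policy']}"
    return f"matched existing session {rec['session']}"
```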
## Debug Flow vs. Snoop

Debug flow:

- Sampled at the higher, flow level
- Provides information about how the NetScreen processes a packet
- Can be used to debug higher-level flow problems

Snoop:

- Sampled at the lower, driver level
- Provides information as to whether a packet reached the NetScreen's interface
- Can be used to debug very basic IP/Ethernet level problems

The snoop tool should be used when the debug tool is showing that no packets are being processed, yet you are certain that data is reaching the NetScreen.

## Emergency response: Snoop

1. snoop filter ip src-ip dst-ip dst-port xx: set the filter list that defines which packets are captured
2. clear dbuf: clear the analysis packets buffered in firewall memory
3. snoop: turn on snoop and capture packets
4. Send test packets, or let a small amount of traffic pass through the firewall
5. snoop off: stop snoop
6. get db stream: view the firewall's analysis of the packets that matched the filter
7. snoop filter delete: clear the firewall's snoop filter list
8. clear dbuf: clear the buffered debug information
9. snoop info: view the snoop settings

## Snoop example

A ping from 192.168.100.205 to 172.27.10.251 and its reply, seen on both interfaces:

```
ns5gt-> get db s
999437.0: 2(i):000ae6f2ad4f->0010db3b84e2/0800
          192.168.100.205->172.27.10.251/1, tlen=60
          vhl=45, tos=00, id=15610, frag=0000, ttl=128
          icmp:type=8, code=0
999437.0: 1(o):0010db3b84e1->080020fdb2e7/0800
          192.168.100.205->172.27.10.251/1, tlen=60
          vhl=45, tos=00, id=15610, frag=0000, ttl=127
          icmp:type=8, code=0
999437.0: 1(i):080020fdb2e7->0010db3b84e1/0800
          172.27.10.251->192.168.100.205/1, tlen=60
          vhl=45, tos=00, id=49050, frag=4000, ttl=255
          icmp:type=0, code=0
999437.0: 2(o):0010db3b84e2->000ae6f2ad4f/0800
          172.27.10.251->192.168.100.205/1, tlen=60
          vhl=45, tos=00, id=49050, frag=4000, ttl=254
          icmp:type=0, code=0
```

1 = untrust interface, 2 = trust interface, (i) = incoming, (o) = outgoing.

An ARP exchange (ethertype 0806) on the untrust interface:

```
1002463.0: 1(o):0010db3b84e1->ffffffffffff/0806
1002463.0: 1(i):00121e033420->0010db3b84e1/0806
```

1 = untrust interface, 2 = trust interface, (i) = incoming, (o) = outgoing.

## Emergency response: sniffer

Use the log records to narrow down the scope of the fault, then define a filter in the sniffer and capture packets for analysis.
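An added example (not from the deck) that parses the snoop output above and applies the deck's rule for choosing between snoop and debug flow: for each IP id it checks whether the packet entered on one interface and left on the other with the TTL decremented by one, so an id seen only inbound is the case where debug flow has to explain what happened. SAMPLE is a constructed one-line-per-frame copy of the ping and ARP captures above; the interface legend (1 = untrust, 2 = trust) is the deck's.

```python
"""Check a ScreenOS snoop capture (`get db stream`) for forwarding: did each
packet entering on one interface leave on the other with TTL decremented?
Added example, not from the deck; SAMPLE is a constructed one-line-per-frame
copy of the ping and ARP captures above (legend: 1 = untrust, 2 = trust)."""
import re
from typing import Dict, List

IFACE = {"1": "untrust", "2": "trust"}
SAMPLE = """\
999437.0: 2(i):000ae6f2ad4f->0010db3b84e2/0800 192.168.100.205->172.27.10.251/1, tlen=60 vhl=45, tos=00, id=15610, frag=0000, ttl=128 icmp:type=8, code=0
999437.0: 1(o):0010db3b84e1->080020fdb2e7/0800 192.168.100.205->172.27.10.251/1, tlen=60 vhl=45, tos=00, id=15610, frag=0000, ttl=127 icmp:type=8, code=0
999437.0: 1(i):080020fdb2e7->0010db3b84e1/0800 172.27.10.251->192.168.100.205/1, tlen=60 vhl=45, tos=00, id=49050, frag=4000, ttl=255 icmp:type=0, code=0
999437.0: 2(o):0010db3b84e2->000ae6f2ad4f/0800 172.27.10.251->192.168.100.205/1, tlen=60 vhl=45, tos=00, id=49050, frag=4000, ttl=254 icmp:type=0, code=0
1002463.0: 1(o):0010db3b84e1->ffffffffffff/0806
1002463.0: 1(i):00121e033420->0010db3b84e1/0806
"""
RE_HDR = re.compile(r"^[\d.]+: (?P<if>\d)\((?P<dir>[io])\):[0-9a-f]{12}->[0-9a-f]{12}/(?P<etype>[0-9a-f]{4})")
RE_IP = re.compile(r"(?P<sip>[\d.]+)->(?P<dip>[\d.]+)/(?P<proto>\d+),.*?id=(?P<id>\d+),.*?ttl=(?P<ttl>\d+)")


def parse_snoop(text: str) -> List[Dict[str, object]]:
    """One record per frame; IP fields are filled only for ethertype 0800."""
    out = []
    for line in text.splitlines():
        m = RE_HDR.match(line)
        if not m:
            continue                      # continuation or noise line
        rec: Dict[str, object] = {"iface": IFACE.get(m["if"], m["if"]), "dir": m["dir"],
                                  "etype": m["etype"], "src": None, "dst": None, "ip_id": None, "ttl": None}
        if m["etype"] == "0800" and (ip := RE_IP.search(line, m.end())):
            rec.update(src=ip["sip"], dst=ip["dip"], ip_id=int(ip["id"]), ttl=int(ip["ttl"]))
        out.append(rec)
    return out


def forwarding_check(recs: List[Dict[str, object]]) -> Dict[int, str]:
    """Per IP id: did it enter (i) on one interface and leave (o) on the other
    with TTL decremented by one?  Inbound-only ids are debug flow's job."""
    seen: Dict[int, Dict[str, Dict[str, object]]] = {}
    for r in recs:
        if r["ip_id"] is not None:
            seen.setdefault(r["ip_id"], {})[r["dir"]] = r
    result = {}
    for ip_id, d in seen.items():
        if "i" in d and "o" in d and d["i"]["iface"] != d["o"]["iface"]:
            ok = d["i"]["ttl"] - d["o"]["ttl"] == 1
            result[ip_id] = f"{d['i']['iface']} -> {d['o']['iface']}" + ("" if ok else " (ttl mismatch)")
        else:
            result[ip_id] = "received, not forwarded" if "i" in d else "sent only"
    return result
```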