Juniper防火墙日常维护

1.6.6 保存防火墙所有会话条目

（1）ScreenOS

方法一：对get session命令的输出内容做拷屏。 注意调整SSH 客户端软件的缓冲区大小或记录LOG相关配置。

在CLI下命令为：get session

方法二：将get session命令的输出保存到 TFTP Server 。 注意确认TFTP Server服务正常。

在CLI下命令为：get session > tftp 服务器IP 文件名

示例：

JP1000A-> get session > tftp 10.1.35.11 session.log

（2）JunOS

方法一：对show security flow session命令的输出内容做拷屏。 注意调整SSH 客户端软件的缓冲区大小或记录LOG相关配置。

在CLI - 操作模式下命令为：show security flow session

方法二：将show security flow session命令的输出内容保存到RE磁盘上，并用file list查看文件保存目录。

在CLI - 操作模式下命令为：show security flow session | save 文件名 file list 示例：

syro@JP650A > show security flow session | save session.log Wrote 52 lines of output to 'session.log' syro@JP650A.KF-HL.OUT.JXA> file list /cf/var/home/jpro/: .ssh/

《Juniper防火墙日常维护手册-v20131112》 第 25页 共59页

session.log

方法三（高阶）：在SHELL下保存所有会话条目。 在CLI - 操作模式下，

? 先进入shell下 —— start shell ? 再进入/tmp目录 —— cd /tmp

? 最后保存会话 —— cli -c \

1.7 查看警告日志

（1）ScreenOS

在CLI下命令为：get alarm event 示例：

JP1000A-> get alarm event

Date Time Module Level Type Description

2012-08-24 23:25:22 system crit 00072 The local device 10222208 in the

Virtual Security Device group (0)

changed state from backup to primary backup, missing primary backup. 2012-08-24 23:25:22 system crit 00015 Peer device 10670336 in the Virtual

Security Device group 0 changed state from primary backup to master.

（2）JunOS

SRX防火墙可以分别查看机箱和系统的警告信息。

在CLI - 操作模式下命令为：show chassis alarms 和 show system alarms 示例：

syro@JP3600A> show chassis alarms node0:

-------------------------------------------------------------------------- No alarms currently active node1:

-------------------------------------------------------------------------- No alarms currently active

《Juniper防火墙日常维护手册-v20131112》 第 26页 共59页

{primary:node0}

syro@JP3600A> show system alarms node0:

-------------------------------------------------------------------------- No alarms currently active node1:

show system alarms

syro@JP3600A> show system alarms node0:

-------------------------------------------------------------------------- No alarms currently active node1:

1.8 查看事件日志 —— ScreenOS

1.8.1 查看所有事件日志（仅ScreenOS适用）

在CLI下命令为：get event 该命名输出结果包含警告日志。 示例：

JP1000A-> get event

Total event entries = 25174

Date Time Module Level Type Description

2013-01-01 15:35:12 system notif 00767 Event log was reviewed by admin syro. 2013-01-01 15:34:40 system warn 00515 Admin user syro has logged on via SSH from 10.1.35.11:45656 2013-01-01 15:34:40 system warn 00528 SSH: Password authentication

successful for admin user 'syro' at host 10.1.35.11.

1.8.2 按事件级别过滤查看事件日志（仅ScreenOS适用）

ScreenOS防火墙事件有八个级别。

在CLI下使用get event命令可以按事件级别查看会话，有以下命令选项：

JP1000A -> get event level ?

alert level 1: immediate action is required critical level 2: functionality is affected

《Juniper防火墙日常维护手册-v20131112》 第 27页 共59页

debug level 7: detailed information for troubleshooting emergency level 0: system is unusable error level 3: error condition

information level 6: general information about operation notification level 5: normal events

warning level 4: functionality may be affected

示例：

JP1000A -> get event level alert

Date Time Module Level Type Description

2013-01-04 23:47:40 system alert 00012 UDP flood! From 172.18.1.60:10008 to

10.1.188.48:8011, proto UDP (zone DMZ, int ethernet1/2). Occurred 1 times. 2013-01-04 16:40:44 system alert 00016 Port scan! From 10.254.254.87:83 to

10.19.10.232:2221, proto TCP (zone DMZ, int ethernet1/2). Occurred 1 times. 2012-12-21 14:47:54 system alert 00012 UDP flood! From 172.18.1.64:10042 to

10.1.188.48:8011, proto UDP (zone DMZ, int ethernet1/2). Occurred 1 times. 2012-12-18 09:36:23 system alert 00012 UDP flood! From 172.18.1.65:10028 to

10.1.188.48:8011, proto UDP (zone DMZ, int ethernet1/2). Occurred 1 times. Total entries matched = 4

1.8.3 按时间过滤查看事件日志（仅ScreenOS适用）

在CLI下使用get event命令可以按时间查看会话，有以下命令选项：

JP1000A.HL-JR.SC-VPN.JXA-> get event start-date ?

start date(mm/dd[/yyyy-hh:mm:ss]): 1996 < yyyy < 2045

示例：

JP1000A.HL-JR.SC-VPN.JXA-> get event start-date 01/05/2013 Total event entries = 3813

Date Time Module Level Type Description

2013-01-05 15:03:27 system crit 00040 VPN 'SAP-connection' from 194.39.131.166 is up.

2013-01-05 15:03:17 system info 00536 IKE 194.39.131.166 Phase 2 msg ID

a6000770: Completed negotiations with SPI bfc9b510, tunnel ID 3, and lifetime 7200 seconds/4194303 KB. 2013-01-05 15:03:17 system info 00536 IKE 194.39.131.166 phase 2:The

《Juniper防火墙日常维护手册-v20131112》 第 28页 共59页