KDS Life forum (宽带山生活)


Topic: Tips and tricks: Juniper firewall command-line troubleshooting tools

夏子
From: undisclosed
Registered: 2008-02-16
Posts: 9+20
Compared with other firewalls, Juniper firewalls provide many effective troubleshooting tools. One of them is debug flow basic; an example of how to use it follows:

1. First set up a flow filter so that the firewall only analyses the packets you are interested in, i.e. the set ffilter command:
ns208-> set ffilter ?
<return>
dst-ip flow filter dst ip
dst-port flow filter dst port
ip-proto flow filter ip proto
src-ip flow filter src ip
src-port flow filter src port
ns208-> set ffilter src-ip 192.168.1.10
filter added
ns208-> get ff
Flow filter based on:
id:0 src ip 192.168.1.10
ns208-> set ffilter src-ip 192.168.1.11
filter added
ns208-> get ff
Flow filter based on:
id:0 src ip 192.168.1.10
id:1 src ip 192.168.1.11
Do you see it? Setting ffilter twice gives two filter entries that are ORed together. If instead you set

set ffilter src-ip 192.168.1.11 dst-ip 194.73.82.242 in a single command, the conditions are ANDed.
2. Enable debug
ns208-> debug flow basic
3. Send test packets, or let a small amount of traffic pass through the firewall
4. Stop debug
ns208-> undebug all
5. Examine the firewall's analysis of the forwarded packets that matched the filter:
ns208-> get db stream
****** 12553.0: <Trust/ethernet1> packet received [60]******   <-- packet arrived on the eth1 interface
ipid = 29503(733f), @d7806910   <-- IP id
packet passed sanity check.
ethernet1:192.168.1.10/1280->194.73.82.242/512,1(8/0)<Root>   <-- src IP, port, dst IP, port, incl. protocol 1
chose interface ethernet1 as incoming nat if.   <-- int eth1 is placed in NAT mode
search route to (192.168.1.10->194.73.82.242) in vr trust-vr for vsd-0/flag-0/ifp-null   <-- route lookup in trust-vr
route 194.73.82.242->1.1.1.2, to ethernet3   <-- route found to gateway 1.1.1.2, exiting interface eth3
routed (194.73.82.242, 0.0.0.0) from ethernet1 (ethernet1 in 0) to ethernet3   <-- packet routed
policy search from zone 2-> zone 1   <-- policy lookup performed from Trust (2) to Untrust (1)
Permitted by policy 3   <-- matched policy ID 3
choose interface ethernet3 as outgoing phy if   <-- choose physical interface eth3
no loop on ifp ethernet3.
session application type 0, name None, timeout 60sec   <-- session timeout created as 60 seconds for ICMP
service lookup identified service 0.   <-- service lookup performed
existing vector list 1-559ef00.
Session (id:76) created for first pak 1   <-- create session with ID 76
route to 1.1.1.2   <-- routed packet to 1.1.1.2
arp entry found for 1.1.1.2   <-- already had ARP entry for 1.1.1.2
nsp2 wing prepared, ready
cache mac in the session   <-- cached MAC address in the session
flow got session.
flow session id 76
post addr xlation: 1.1.1.1->194.73.82.242.   <-- translate src address to egress interface IP
packet send out to 0010db103041 through ethernet3   <-- packet sent out on the wire
6. Clear the debug output buffered on the firewall:
ns208-> clear db
7. Clear the flow filter settings:
ns208-> unset ffilter 0
ns208-> get ffilter

Reposted from: 杜松之家



-------------------------------------------------------------------------------------------
What a pretty avatar

Posted: 2008-07-29 14:22:07

Copyright © 1996-2009 PChome.net All rights reserved.