Juniper: High CPU Utilization

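The Juniper case library has four documents on how to troubleshoot high CPU utilization on a firewall:
Document 1: Troubleshooting High CPU on a firewall device_1
Document 2: What is causing High FLOW CPU Utilization (ScreenOS 5.x and later)
Document 3: Determining Which Task is Using Most Resources on the CPU
Document 4: How to run Packet Profiling on firewall to determine cause of High FLOW CPU (ScreenOS 6.x)
When the fault occurs, log in to the firewall remotely over SSH.
After logging in, run the following commands: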
set fprofile packet enable
set fprofile packet start
Capture packets for about one minute, then run the following commands and record their output:
get fprofile packet
get fprofile packet ip
get fprofile packet none-ip
get fprofile packet ip proto

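Last week I installed a Juniper SSG550M firewall. After the normal installation was finished, for security reasons I enabled some screening options on the Untrust zone. The next day the user reported that the firewall's utilization was intermittently too high, peaking at 88%. I checked the logs, which indicated an Address sweep attack from the external network, and I resolved the Address sweep attack through some mechanisms.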
SSG550-> get perf cpu
Average System Utilization: 9%
Last 1 minute: 57%, Last 5 minutes: 40%, Last 15 minutes: 42%
SSG550-> get perf cpu det
Average System Utilization: 9%
Last 60 seconds:
59: 2 58: 2 57: 2 56: 2 55: 2 54: 2
53: 2 52: 2 51: 2 50: 2 49: 2 48: 2
47: 25 46: 88*** 45: 88*** 44: 88*** 43: 88*** 42: 88***
41: 88*** 40: 88*** 39: 88*** 38: 88*** 37: 88*** 36: 88***
35: 88*** 34: 88*** 33: 88*** 32: 88*** 31: 88*** 30: 88***
29: 88*** 28: 88*** 27: 88*** 26: 88*** 25: 88*** 24: 88***
23: 88*** 22: 88*** 21: 88*** 20: 88*** 19: 88*** 18: 88***
17: 88*** 16: 88*** 15: 88*** 14: 88*** 13: 88*** 12: 88***
11: 88*** 10: 88*** 9: 88*** 8: 52* 7: 2 6: 2
5: 2 4: 2 3: 2 2: 2 1: 2 0: 2

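The next day the user reported that CPU utilization was still high. I was puzzled: the logs recorded nothing!
I remembered Juniper's built-in fprofile tool and captured packets for analysis: protocol 0x0806 was consuming a large amount of CPU resources.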
SSG550-> get fprofile packet ip proto
total entries: 4
total time(usec): 134690
Id Protocol Time Percentage
1 0x06 134096 99.55%
2 0x01 344 0.00%
3 0x11 191 0.00%
4 0x02 59 0.00%
SSG550-> get fprofile packet none-ip
total entries: 3
total time(usec): 139
Id Protocol Source Destination Time Percentage
1 0x0806 90:e2:ba:0d:47:72 ff:ff:ff:ff:ff 128 92.08%
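Then, using debug flow basic and debug arp all, I found that a host on the local network segment was sending ARP requests at irregular intervals. Haha, the problem was finally found!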



SSG140-> get fprofile packet ip
total entries: 980
total time(usec): 373472
Id Protocol Source Destination Sport Dport Time Percentage
1 0x06 58.217.200.14 124.42.38.66 80 9635 108802 29.13%
2 0x06 58.217.200.14 192.168.232.177 80 53164 42426 11.35%
3 0x06 192.168.232.177 58.217.200.14 53164 80 22062 5.90%
4 0x32 58.83.233.36 124.42.38.66 58396 5411 19721 5.28%
5 0x06 192.168.232.111 192.168.50.30 57271 5432 16085 4.30%
6 0x06 123.125.19.28 124.42.38.66 80 13868 8634 2.31%
7 0x06 124.42.38.66 58.217.200.14 9635 80 5552 1.48%
8 0x06 180.149.132.99 124.42.38.66 80 19676 3748 1.00%
9 0x06 123.125.19.28 192.168.232.85 80 53297 3349 0.00%
10 0x06 219.239.95.61 124.42.38.66 80 7874 3239 0.00%
SSG140->
38 Trust Untrust 192.168.232~ 58.217.200.~ ANY Deny enabled -----X
39 Untrust Trust 58.217.200.~ Any ANY Deny enabled -----X
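
To rank hosts by flow-CPU time from a recorded `get fprofile packet ip` capture, the rows can be summed per address offline. The following is an added example, not part of the original post or Juniper's tooling; the function names are hypothetical, time is counted under both endpoints of each row, and shares are relative to the reported total over all 980 entries, of which only ten rows are listed.

```python
import re
from collections import defaultdict

# Constructed sample: the SSG140 `get fprofile packet ip` rows from this page.
# Row 1 is wrapped across two lines, as happens in a pasted console capture.
SAMPLE = """\
total entries: 980
total time(usec): 373472
Id Protocol Source Destination Sport Dport Time Percentage
1 0x06
58.217.200.14 124.42.38.66 80 9635 108802 29.13%
2 0x06 58.217.200.14 192.168.232.177 80 53164 42426 11.35%
3 0x06 192.168.232.177 58.217.200.14 53164 80 22062 5.90%
4 0x32 58.83.233.36 124.42.38.66 58396 5411 19721 5.28%
5 0x06 192.168.232.111 192.168.50.30 57271 5432 16085 4.30%
6 0x06 123.125.19.28 124.42.38.66 80 13868 8634 2.31%
7 0x06 124.42.38.66 58.217.200.14 9635 80 5552 1.48%
8 0x06 180.149.132.99 124.42.38.66 80 19676 3748 1.00%
9 0x06 123.125.19.28 192.168.232.85 80 53297 3349 0.00%
10 0x06 219.239.95.61 124.42.38.66 80 7874 3239 0.00%
"""

TOTAL = re.compile(r"total time\(usec\):\s*(\d+)")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# \s+ also matches newlines, so a row broken across lines still parses.
ROW = re.compile(r"(\d+)\s+(0x[0-9a-fA-F]+)\s+" + IP + r"\s+" + IP +
                 r"\s+(\d+)\s+(\d+)\s+(\d+)\s+[\d.]+%")

def parse_rows(text):
    """Return (total_usec, [(proto, src, dst, sport, dport, usec), ...])."""
    m = TOTAL.search(text)
    if m is None:
        raise ValueError("no 'total time(usec)' line found")
    rows = [(int(r[2], 16), r[3], r[4], int(r[5]), int(r[6]), int(r[7]))
            for r in ROW.finditer(text)]
    return int(m.group(1)), rows

def host_cpu_share(text):
    """Flow-CPU time per IP (as source or destination), largest first."""
    total, rows = parse_rows(text)
    usec = defaultdict(int)
    for _proto, src, dst, _sport, _dport, t in rows:
        usec[src] += t
        usec[dst] += t
    return sorted(((ip, t, 100.0 * t / total) for ip, t in usec.items()),
                  key=lambda item: -item[1])

if __name__ == "__main__":
    for ip, t, pct in host_cpu_share(SAMPLE)[:3]:
        print(f"{ip:<16} {t:>7} usec  {pct:5.2f}%")
```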
