Training material: Juniper network security firewall device pre-sales training v


Juniper Firewall Product Training


Market leadership - Gartner 2004 report
Juniper #1 out of 18 vendors
The Gartner Magic Quadrant report is a highly regarded evaluation of vendor strength in a specific IT market segment. It assesses vendors from every angle, including completeness and functionality of the product line, technical strength, innovation, successful implementations, the ability to meet customers' current and future needs, execution capability (including service and support), market share, financial health and other key indicators.
• SARFT (State Administration of Radio, Film and Television) national backbone network

National backbone network: more than 50% of equipment
Market opportunity: approximately over US$7 billion
• The security market is estimated to hold more than US$7 billion in opportunity
• This includes IPS, SSL VPN, routing functions and firewall/VPN
• Firewall/VPN remains the largest component of the security market
• Our strength is firewall/VPN products
• Continue to drive the development of security products
Advanced hardware design
General-purpose architecture processing:
• Data is passed across several non-optimized interfaces
• Each API introduces security risk
• Processing delay leads to unpredictable behaviour
• The data path cannot be optimized
[Diagram: PC appliances / pseudo-appliances: OS, VPN coprocessor, CPU, RAM, bus, I/O, in/out, applications]
Purpose-built security processing:
• Flow-based, linear packet processing
• Each processing module is optimized
• Applications and hardware optimized for security processing and performance
[Diagram: GigaScreen ASIC, CPU, high-speed backplane, in/out, RAM, I/O; NetScreen advanced architecture: security-specific real-time OS, integrated security applications, ASIC]
ScreenOS features
• Security-specific real-time operating system
• Designed entirely to execute compute-intensive security functions without affecting throughput
• Tightly integrated with the hardware platform, the security OS and the security applications
• Stateful, protocol-level intelligence
• Integrated deep inspection, antivirus, web filtering and more
• A purpose-built operating system reduces patching and testing
• The same security-specific OS is deployed across the whole firewall/IPsec VPN product family
ScreenOS IPv6
• Production-grade commercial IPv6 support for stateful firewall and IPsec VPN
• Dual-stack architecture lets customers support and protect IPv4 and IPv6 networks on a single device
• Supports all major IPv6 migration mechanisms, including IPv4-to-IPv6 and IPv6-to-IPv4 migration (IPv4 in IPv6 tunnels and IPv6 in IPv4 tunnels) as well as NAT-PT for IPv6
• Supports the RIPng dynamic routing protocol, letting customers scale IPv6 deployment in production networks
• Protects IPv6 networks against SYN flood and other attacks, so customers can withstand denial-of-service attacks launched from IPv4 or IPv6 networks
Juniper firewall product line
NS series: NS5GT, NS25, NS50, NS-HSC, NS204, NS208, NS500, NS5200, NS5400
ISG series: ISG1000, ISG2000
SSG series: SSG5, SSG20, SSG140, SSG320, SSG350, SSG520M, SSG550M
Agenda
• Juniper introduction
• Juniper firewall/VPN product line
• Juniper ISG Integrated Security Gateway series
• Juniper SSG Secure Services Gateway series
• Product comparison
• Case studies

Juniper Technical Training


Change the root administrator username/password
WebUI: Configuration>Admin>Administrators
CLI:
set admin name <name>
set admin password <password>
Network>Interfaces>Edit
set interface <name> manage-ip <address>
ns208> set interface e1 manage-ip 1.1.1.250
Verify interface configuration - WebUI
Network>Interfaces>Edit
• Transparent mode allows traffic between Layer 2 security zones to be controlled by policy
What transparent mode does
[Diagram: transparent-mode topology with Layer 2 zones V1-Trust (10.1.0.0/16, host A), V1-DMZ (10.100.1.0/16, hosts B, C, D) and V1-Untrust (10.200.1.0/16, host E)]
• The firewall can be deployed simply and quickly into an existing network
– No change to the existing network topology is required
get      get system information
ping     ping other host
reset    reset system
save     save command
set      configure system parameters

Juniper firewall training PPT - JNSA-SSC comparison sec2


Copyright ©2004 Juniper Networks, Inc.
Proprietary and Confidential

Security market landscape - positioning of the main product lines
Enterprise firewalls, second half of 2003: Gartner Magic Quadrant Research Note M-22-5175, R. Stiennon, 21 April 2004
• SonicWALL
• Fortinet

How to position comprehensively against Cisco
Selling points
• Make the purchase decision a security decision
• Sell to the security staff - let them help persuade management

Cisco Systems
Cisco PIX firewall
What they say/do:
PIX • FWSM • IOS router firewall
• PIX is a dedicated firewall with integrated VPN
• 3DES acceleration via a PCI bus card
[Diagram: PIX product range by cost: PIX 501, PIX 506E, PIX 515E, PIX 525, PIX 535]
• Supports complex protocols well through "Fix Up" (ALG)
• "VoIP-ready" via H.323; small form factor; supports SIP
• The PIX 525 is the low-priced GigE entry product (330 Mbps firewall)
• PIX • FWSM • IOS router firewall
PIX firewall - standalone appliances from low end to high end
• Strengths - attractive product specifications, a "good enough" firewall, firewall/VPN
• Weaknesses - performance degrades under load, weaker VPN and management, no application-layer attack protection

JUNIPER training material - product section

• Redundant routing engines • Redundant switch fabric
• Passive backplane • Distributed packet-forwarding system architecture • Redundant power supplies and fan system
Physical parameters
• Height: 8RU (approx. 1/6 rack); depth: <800 mm
System capacity
• Maximum full-duplex forwarding capacity of 1.44 Tbps for the whole chassis
Hardware components in common with the MX960
• Same RE/SCB cards • Same DPC/MPC cards
Copyright © 2012 Juniper Networks, Inc.
Proprietary and Confidential

How are the MX960 system components connected?
A-PEM3 A-PEM2 A-PEM1 A-PEM0 A-FAN0 A-FAN1 A-FPB0
A-RE0 A-SCB0
Service slot online/offline button
MX960 power parameters
System design: 2+2 power redundancy; power configuration
• The MX960 chassis is divided into 2 power zones, and each zone needs 1 power module -> 2 power modules is a non-redundant configuration
• For redundancy, add a second power module to each power zone
• Power zone 1: power modules 0 & 2 supply DPC 6 to 11, SCB 1 and 2 and the lower fan tray
• Power zone 2: power modules 1 & 3 supply DPC 0 to 5, SCB 0 and the upper fan tray
A-RE1 A-SCB1 A-SCB21
A-DPC0
A-DPC11
A-DPC1
A-DPC10
A-DPC2
A-DPC9
A-DPC3

Juniper firewall training (SRX series)


Config); after commit, the currently active configuration (Active config) can be viewed from configuration mode with
the run show config command. In addition, show | compare displays the differences between the candidate configuration and the active configuration.
SRX can disable and re-enable modular configuration: for example, the deactivate command stops the related configuration from taking effect, and it can be
node ID)
Specify the control port; specify the fabric link port; configure the redundancy group; per-chassis configuration (addresses etc.); configure the redundant Ethernet interface (similar to NSRP redundant interfaces); configure interface monitoring (basis)
Compared with similar products, the SRX3000 series also achieves the highest I/O port density. Each SRX3000 services gateway can
be fitted with one or more input/output cards (IOCs); each IOC supports 16 Gigabit interfaces (16 copper or fibre Gigabit Ethernet) or 20 gigabits of interfaces (2 10-Gigabit XFP Ethernet ports). With the flexibility to add more IOCs, the SRX3000 services gateway series supports the best balance between interfaces and processing capacity. (Note: at least 1 NPC and 1 SPC are required for normal system operation.)
The carrier-grade essence of JUNOS is the cornerstone of Juniper's real success: it gives enterprise products the same carrier-grade
non-stop operation, better security and better manageability. The innovative distributed architecture of JUNOS software lays the foundation for high-performance, highly available and highly scalable networks. SRX series products, based on an NP architecture, simultaneously provide a full range of security functions with excellent performance, including firewall, NAT, IPsec, IPS and UTM; their security functionality mainly derives from the widely
root@srx5800b> request chassis cluster failover reset redundancy-group 1
c) View cluster interfaces

Juniper Product Training


Switching Control Board
Different router models use different names for the control board:

M20 - System Switching Board
M160 - Switching and Forwarding Module
M10/M7i/M10i/M120 - Forwarding Engine Board (Forwarding Engine

PIC port numbers

On the M5/M7i/M10/M10i/M20, PIC slots are numbered from right to left; on the M120/M160/T640/T1600, PIC slots are numbered from top to bottom. PIC port numbers start at 0. The ports are labelled on the PIC, and the numbering scheme differs from PIC to PIC.
北京千禧维讯科技有限公司
Label    Colour  State    Description
MASTER   Blue    Steady   SCG is in the master (active) state
OK       Green   Steady   SCG is online and operating normally
FAIL     Amber   Steady   SCG has failed
Craft interface
The Craft interface lets you view operating status and fault-diagnosis information and perform many system control functions. The Craft interface is a hot-swappable component. It includes: alarm LEDs and the alarm cut-off / lamp test button; the LCD and navigation buttons; the host subsystem; SIB LEDs; FPC LEDs; FPC online/offline buttons.
Agenda
Hardware architecture introduction
Product series introduction
Card insertion/removal and hardware replacement

Juniper Firewall Application Training Material


1. Implementing the security protection functions
• Juniper firewalls can prevent 31 categories of attack.
• The firewall provides a separate location where the security protection settings are refined.
• The specific security settings take effect in the corresponding security zone.
• As a network security device, the firewall can prevent some network attacks, mainly Layer 2, 3 and 4 attacks based on TCP/IP.
• Note: all current firewall devices have poor protection against DDoS attacks.
• Setting location: SCREENING>SCREEN
2. Dynamic VPN topology
2. Dynamic VPN settings
2. Dynamic VPN settings
2. Client/server VPN applications
• A VPN application based on client software and a central firewall.
• Generally recommended for mobile users who are temporarily away; once the VPN is connected, the data volume is usually small.
• Point to note: the choice of NAT traversal.
2. Client/server topology
2. Static VPN connection settings
• Environment: two networks at two locations implement a VPN application through firewalls.
• The external ports of the two firewalls at the two locations have fixed public IP addresses.
2. Static VPN topology
2. VPN setup phase 1 (1) basic
2. VPN setup phase 1 (2) advanced
2. VPN setup phase 1 notes
• Phase 1 name definition.
• Phase 1 VPN gateway target (by IP, by user).
• Phase 1 shared key.
• *(Client/server mode) local ID.
• Advanced section: encryption algorithm, authentication algorithm, key length.
• VPN mode: main mode, aggressive mode.
• Choice of NAT traversal.
• UDP keepalive time.
2. VPN setup phase 2 (1) basic
2. VPN setup phase 2 (2) advanced

Juniper router internal training material - JUNOS_Lab_Guide_Module1_Sec7


V1.0, 02/15/08

Lab 7-1 Troubleshooting

Objectives
The objective of this lab is to provide you with a series of outputs you can use to troubleshoot and diagnose issues that may arise from the configuration of policies, protocols, firewalls, and enhanced services. This module is not intended to be an all-inclusive document but rather a reference to help you ensure that your configurations meet the assignments in the previous labs. It is understood that time may not permit you to use all of these commands. As mentioned in module one, however, it is imperative that you verify correct operation of your configuration; therefore we are including some of the more common outputs used.

Assignment:
Use the command line interface to issue commands that verify the correct operation of your configurations from all labs done in this course. Specifically, verify correct operation of the following:
- Interfaces
- Protocols (OSPF, RIP)
- Policy
- Firewall
- Stateful firewall
- Screen Options

Lab 7-2 Interfaces

Use the show interfaces terse command to display a terse listing of all interfaces installed in the router along with their administrative and link-layer status.

Above we can see the status of all the interfaces on our router. It helps to have an understanding of what the different Admin and Link status values may indicate.

When an interface is administratively disabled, the physical interface has an Admin status of down and a Link status of up, and the logical interface has an Admin status of up and a Link status of down. The physical interface has a link status of up because the physical link is healthy (no alarms). The logical interface has a link status of down because the data-link layer cannot be established end to end.

When an interface is not administratively disabled and the data-link layer between the local router and the remote router is not functioning, the physical interface has an Admin status of up and a Link status of up, while the logical interface has an Admin status of up and a Link status of down. The physical interface has a link status of up because the physical link is healthy (no alarms). The logical interface has a link status of down because the data-link layer cannot be established end to end.

If we see that our interface is not listed as UP/UP, but rather Admin up and Link down, we can troubleshoot inconsistencies in the configuration or settings on both sides of the link. The show interfaces (interface name) <extensive, brief, detail, statistics> output will show us specific information about settings on the interface as well as drops, errors, alarms, flags, and hardware-specific media alarms. The following are some examples of these outputs.

The output of a show interfaces command displays the device-level configuration and provides additional information about the device's operation through various flags. These flags include the following:
- Down: Device was administratively disabled.
- Hear-Own-Xmit: Device will hear its own transmissions.
- Link-Layer-Down: The link-layer protocol failed to successfully connect with the remote endpoint.
- Loopback: Device is in physical loopback.
- Loop-Detected: The link layer received frames that it sent and suspects a physical loopback.
- No-Carrier: Where the media supports carrier recognition, this indicates that no carrier is currently seen.
- No-Multicast: Device does not support multicast traffic.
- Present: Device is physically present and recognized.
- Promiscuous: Device is in promiscuous mode and sees frames addressed to all physical addresses on the medium.
- Quench: Device is quenched because it overran its output buffer.
- Recv-All-Multicasts: No multicast filtering (multicast promiscuous).
- Running: Device is active and enabled.

The status of the interface is communicated with one or more flags. These flags include the following:
- Admin-Test: Interface is in test mode, which means that some sanity checking, such as loop detection, is disabled.
- Disabled: Interface is administratively disabled.
- Hardware-Down: Interface is nonfunctional or incorrectly connected.
- Link-Layer-Down: Interface keepalives indicate that the link is incomplete.
- No-Multicast: Interface does not support multicast traffic.
- Point-To-Point: Interface is point to point.
- Promiscuous: Interface is in promiscuous mode and sees frames addressed to all physical addresses.
- Recv-All-Multicasts: No multicast filtering (multicast promiscuous).
- SNMP-Traps: SNMP traps are enabled.
- Up: Interface is enabled and operational.

The operational status of the device's link-layer protocol is also indicated with flags. These flags include the following:
- Give-Up: Link protocol does not continue to retry to connect after repeated failures.
- Keepalives: Link protocol keepalives are enabled.
- Loose-LCP: PPP does not use LCP to indicate whether the link protocol is up.
- Loose-LMI: Frame Relay will not use LMI to indicate whether the link protocol is up.
- Loose-NCP: PPP does not use NCP to indicate whether the device is up.
- No-Keepalives: Link protocol keepalives are disabled.

The output also summarizes the device-level traffic load, which is displayed in both bits and packets per second, as well as any alarms that might be active. The final portion of the command output displays the configuration and status of each logical unit defined on that device.

Now we look at the show interfaces extensive command. In the output above we have narrowed our output to show the section for traffic statistics and input and output errors. The following is a list of some of the fields displayed here and a brief explanation of what some of the non-obvious ones mean.

Input:
- Errors: Displays the sum of the incoming frame aborts and frame check sequence (FCS) errors.
- Policed discards: Displays the frames that the incoming packet match code discarded because they were not recognized or of interest. Usually, this field reports protocols that JUNOS software does not handle, such as Cisco Discovery Protocol (CDP)/Spanning Tree Protocol (STP), or any protocol type JUNOS software does not understand. (On an Ethernet network, numerous possibilities exist.)
- L3 incompletes: This counter increments when the incoming packet fails Layer 3 (usually IPv4) checks of the header. For example, a frame with less than 20 bytes of available IP header would be discarded, and this counter would increment.
- L2 channel errors: This counter increments when the software cannot find a valid logical interface (such as e3-1/2/3.0) for an incoming frame.
- L2 mismatch timeouts: Displays the count of malformed or short packets that cause the incoming packet handler to discard the frame as unreadable.
- SRAM errors: This counter increments when a hardware error occurs in the SRAM on the PIC. The value in this field should always be 0. If it increments, the PIC is malfunctioning.

Output:
- HS link CRC errors: Displays the count of errors on the high-speed links between the ASICs responsible for handling the router interfaces.
- Carrier transitions: Displays the number of times the interface has gone from down to up. This number should not increment quickly, increasing only when the cable is unplugged, the far-end system is powered down and up, or a similar problem occurs. If it does increment quickly (perhaps every 10 seconds), then either the transmission line, the far-end system, or the PIC is broken.
- Errors: Displays the sum of the outgoing frame aborts and FCS errors.
- Drops: Displays the number of packets dropped by the output queue of the I/O Manager ASIC. If the interface is saturated, this number increments once for every packet that is dropped by the ASIC's RED mechanism.
- Aged packets: Displays the number of packets that remained in shared packet SDRAM for so long that the system automatically purged them. The value in this field should never increment. If it does, it is most likely a software bug or possibly malfunctioning hardware.

Lab 7-3 Protocols

The first protocol that we configured in our labs was OSPF. Let's take a look at some outputs that will help us determine the overall health of OSPF. In doing this we will look to see if the interfaces are configured for OSPF, if we are seeing adjacencies, and if we are learning our routes.

The show ospf route command displays those routes in the unicast routing table, inet.0, that were installed by OSPF. The use of additional keywords allows you to display only OSPF routes learned by specific LSA types. The output fields of the show ospf route command are the following:
- Prefix: Displays the destination of the route.
- Route/Path Type: Displays how the route was learned: ABR (route to area border router), ASBR (route to AS border router), Ext (external route), Inter (interarea route), Intra (intra-area route), or Network (network route).
- Metric: Displays the route's metric value.
- Next hop i/f: Displays the interface through which the route's next hop is reachable.
- Next hop addr: Displays the address of the next hop.
- area (detail output only): Displays the area ID of the route.
- options (detail output only): Displays the option bits from the LSA.
- origin (detail output only): Displays the router from which the route was learned.

The show ospf interface command displays information relating to the interfaces on which the respective protocol is configured to run. In the case of OSPF, the output fields are the following:
- Interface: Displays the name of the interface running OSPF.
- State: Displays the state of the interface. It can be BDR, Down, DR, DRother, Loop, PtToPt, or Waiting.
- Area: Displays the number of the area in which the interface is located.
- DR ID: Displays the address of the area's DR.
- BDR ID: Displays the BDR for a particular subnet.
- Nbrs: Displays the number of neighbors on this interface.
- Type (detail and extensive output only): Displays the type of interface. It can be LAN, NBMA, P2MP, P2P, or Virtual.
- Address (detail and extensive output only): Displays the IP address of the neighbor.
- Mask (detail and extensive output only): Displays the mask of the interface.
- MTU (detail and extensive output only): Displays the interface's MTU.
- Cost (detail and extensive output only): Displays the interface's cost (metric).
- DR addr (detail and extensive output only): Displays the address of the DR.
- BDR addr: Displays the address of the BDR.
- Adj count (detail and extensive output only): Displays the number of adjacent neighbors.
- Flood list (extensive output only): Displays the list of LSAs pending flood on this interface.
- Ack list (extensive output only): Displays the list of pending acknowledgments on this interface.
- Descriptor list (extensive output only): Displays the list of packet descriptors.
- Dead (detail and extensive output only): Displays the configured value for the dead timer.
- Hello (detail and extensive output only): Displays the configured value for the hello timer.
- ReXmit (detail and extensive output only): Displays the configured value for the retransmit timer.
- OSPF area type (detail and extensive output only): Displays the type of OSPF area, which can be Stub, Not Stub, or NSSA.

Next we can check to see if the interfaces we have configured for OSPF are forming adjacencies. The show ospf neighbor command displays adjacency status for the respective protocol. In the case of OSPF, the output fields include the following:
- Address: Displays the address of the neighbor.
- Intf: Displays the interface through which the neighbor is reachable.
- State: Displays the state of the neighbor, which can be Attempt, Down, Exchange, ExStart, Full, Init, Loading, or 2Way.
- ID: Displays the RID of the neighbor.
- Pri: Displays the priority of the neighbor to become the DR.
- Dead: Displays the number of seconds until the neighbor becomes unreachable.
- area (detail and extensive output only): Displays the area in which the neighbor is located.
- opt (detail and extensive output only): Displays the option bits from the neighbor.
- DR (detail and extensive output only): Displays the address of the DR.
- BDR (detail and extensive output only): Displays the address of the BDR.
- Up (detail and extensive output only): Displays the length of time since the neighbor came up.
- adjacent (detail and extensive output only): Displays the length of time since the adjacency with the neighbor was established.

Now that we have taken a look at OSPF, let's take a brief look at some of the commands we can use to verify operation of the RIP protocol.

This output displays information about RIP neighbors. This is a list of the fields and what they mean:
- Neighbor: Name of the RIP neighbor.
- State: State of the connection: Up or Dn (Down).
- Source Address: Source address.
- Destination Address: Destination address.
- Send Mode: Send options: broadcast, multicast, none, or version 1.
- Receive Mode: Type of packets to accept: both, none, version 1 or version 2.
- In Met: Metric added to incoming routes when advertising into RIP routes that were learned from other protocols.

The output above displays the route entries in the routing table that were learned from RIP. A description of some of the fields follows:
- active: Number of routes that are active.
- holddown: Number of routes that are in the hold-down state prior to being declared inactive.
- hidden: Number of routes not used because of routing policy.
- +: A plus sign before [protocol/preference] indicates the active route, which is the route installed from the routing table into the forwarding table.
- -: A hyphen before [protocol/preference] indicates the last active route.
- *: An asterisk before [protocol/preference] indicates that the route is both the active and the last active route. An asterisk before a 'to' line indicates the best subpath to the route.

To see what RIP routes are being sent or received on the router, issue the show route advertising-protocol rip <egress interface address> and show route receive-protocol rip <remote advertising interface address> commands. The field definitions (active, holddown, hidden, +, -, *) are the same as those listed above.

Lab 7-4 Policy

When troubleshooting policy, two of the most common commands are show route receive-protocol and show route advertising-protocol. When issuing these commands it's important to understand where we are getting the outputs from. The commands on the slide show routing updates received before import policy processing and the routing updates sent after export policy processing.

Use the show route receive-protocol protocol neighbor command to show the specified protocol-type route advertisements that a particular neighbor is advertising to your router before import policy is applied. Use the show route advertising-protocol protocol neighbor command to show the protocol-type route advertisements that you are advertising to a particular neighbor after export policy is applied.

The use of route filters marks an exception to the behavior documented previously. JUNOS software evaluates route filters before the output of a show route receive-protocol command is generated. Thus, you must specify the hidden switch to the show route receive-protocol command to display received routes filtered by your import policy.

If you want to monitor the effects of an import policy, use the show route protocol protocol command. This command shows all routes from the protocol type specified that are installed in the routing table.

Another way we can troubleshoot policy is to use the function test policy <policy name> <prefix>. By using this command you can test policies that are created (and committed) on the router for a specific prefix to see if the policy will have the desired effect on the prefix being tested.

It is important to keep in mind that the default action of 'test' is to accept. Note the difference in behavior once we add a second, catch-all term to reject any remaining routes.

Lab 7-5 Stateless Firewall Filters (Packet Filters)

One of the more common ways to test firewall filters is to set up counters to capture discarded and accepted packets. If we see packets increment in the discard counter then we can at least be assured that our filter is applied and that packets are matching. Please recall that in a previous lab we used a firewall filter to match on ICMP and a counter to show that it was working correctly. The following command, show firewall, shows the counter we created and the amount of traffic that has matched it.

Another method for troubleshooting is to look at the firewall log created specifically for packets dropped due to firewall match criteria. The log modifier writes packet header information to a memory-resident buffer in the PFE.

The following chart shows the output field definitions:
- Time of Log: Time that the event occurred.
- Filter: Name of a filter that has been configured with the filter statement at the [edit firewall] hierarchy level. A hyphen (-) indicates that the packet was handled by the Packet Forwarding Engine. A space (no hyphen) indicates the packet was handled by the Routing Engine. The notation pfe indicates packets logged by the Packet Forwarding Engine hardware filters.
- Filter Action: A (Accept), D (Discard), R (Reject).
- Name of Interface: Ingress interface for the packet.
- Name of protocol: Packet's protocol name: egp, gre, ipip, ospf, pim, rsvp, tcp, or udp.
- Packet length: Length of the packet.
- Source address: Packet's source address.
- Destination address: Packet's destination address and port.

Finally, one more way to look at the results of our firewall filters is to create a system log file that matches on the packets that have been dropped as a result of the firewall applied to the router. First of all, take a look at the system syslog settings that allow us to analyze the log files. Then, as part of the firewall filter, we include the action of syslog. Finally, we can now take a look at the log files created as a result of our work.

In this section we will see a couple of outputs that give us useful information on stateful firewalls, zones, and the interfaces that participate. One thing to keep in mind is that the output for flows shows up only if traffic has passed within a certain amount of time. This means that even though your configuration may be correct, the output may not show incrementing values without traffic.

This output is shown to let you see that with JES configured on your router, a show interfaces output references the zones assigned to the logical portion of your interface. This can be helpful when determining if your zones have been applied correctly, and it gives you some basic information as to the amount and type of traffic being allowed to traverse your interface.

Conversely, if you would rather take a look at the zones configured on your router, the show security zones output will show you the zones configured as well as the interfaces associated with these zones. Additional information can be found here that lets us know any settings we have for the return traffic. For instance, if we have decided to send a reset for non-SYN session TCP packets, this information would be shown under the security zone section of this output.

The output above summarizes all of the active sessions that have been created.

From time to time it may become necessary to clear flows on your router; the output above shows this. You also have the ability to clear specific sessions with the session identifier.

Lab 7-7 Screen Options

For the lab and objective assignments, sending ping packets that are obviously too large and then monitoring the command show security screen statistics zone <zone name> should give us an indication of whether or not our configuration will account for the specific type of attack we are mitigating. Because this output has already been seen in module 6, the output above may look a bit familiar.
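The Admin/Link rule from Lab 7-2 (physical Admin down / Link up with the logical unit Admin up / Link down means the interface was administratively disabled; physical up/up with the logical unit down means the data-link layer is not coming up end to end) is easy to apply by hand on one router and tedious across many. The parser below is an added example, not part of the lab guide: it reads `show interfaces terse` style text and returns a verdict per physical interface. The SAMPLE_TERSE text is constructed to resemble JUNOS output and was not captured from a real router, and the verdict labels are this example's own.

```python
"""Classify interface state from 'show interfaces terse' style output.

Added example for Lab 7-2; not part of the lab guide. SAMPLE_TERSE is
constructed to look like JUNOS 'show interfaces terse' output and was not
captured from a real router.
"""
import re
from dataclasses import dataclass

# Constructed sample: three physical interfaces, each with logical unit 0.
SAMPLE_TERSE = """\
Interface               Admin Link Proto    Local                 Remote
ge-0/0/0                up    up
ge-0/0/0.0              up    down inet     10.0.1.1/24
ge-0/0/1                down  up
ge-0/0/1.0              up    down inet     10.0.2.1/24
ge-0/0/2                up    up
ge-0/0/2.0              up    up   inet     10.0.3.1/24
"""

# Interface name, Admin column, Link column; the header line does not match
# because its second column is "Admin", not up/down.
LINE_RE = re.compile(r"^(\S+)\s+(up|down)\s+(up|down)\b", re.IGNORECASE)


@dataclass
class IfState:
    name: str
    admin: str
    link: str


def parse_terse(text):
    """Return {interface name: IfState} for every physical or logical line."""
    states = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            name, admin, link = m.group(1), m.group(2).lower(), m.group(3).lower()
            states[name] = IfState(name, admin, link)
    return states


def diagnose(states, physical):
    """Apply the Lab 7-2 Admin/Link rule to a physical interface and its unit 0.

    Verdict labels are this example's own:
      admin-disabled   physical Admin down / Link up, logical Admin up / Link down
      link-layer-down  physical up/up, logical Admin up / Link down
      physical-down    physical Link down (cable or media problem; check alarms)
      up               physical and logical both up/up
    """
    phys = states.get(physical)
    logical = states.get(physical + ".0")
    if phys is None:
        return "not-present"
    if phys.admin == "down":
        return "admin-disabled"
    if phys.link == "down":
        return "physical-down"
    if logical is not None and logical.link == "down":
        return "link-layer-down"
    return "up"


def diagnose_all(text):
    """Parse the terse output and return {physical interface: verdict}."""
    states = parse_terse(text)
    return {n: diagnose(states, n) for n in states if "." not in n}


if __name__ == "__main__":
    for name, verdict in diagnose_all(SAMPLE_TERSE).items():
        print(f"{name:12} {verdict}")
```

Only unit 0 is consulted, which matches the single-unit interfaces the lab configures; a router with several logical units per physical interface would need the loop extended over every `name.N` entry.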

– Complements IDP's protection against "phone-home" attacks (outbound leakage of private information), protecting already-infected devices
– Fully integrated with ScreenOS 5.3
• Customers can choose Kaspersky or Trend – Kaspersky is recommended
Embedded anti-spam
– Blocks spam and phishing attacks
• Integrates Symantec anti-spam into the SSG 520/550 • Uses an IP-based, robust, continuously updated global list of spam senders and
• Source/destination IP session number limit
SSG: integration of multiple leading security technologies
• Intrusion prevention:
• Antivirus: Kaspersky
• Anti-spam: Symantec
• Web filtering: SurfControl (美讯智)
Other vendors mainly rely on in-house development, with incomplete and unprofessional signature databases, or can only support some of the UTM functions
DI (IPS) support for more application-layer protocols
Juniper brings carrier-grade technology to financial enterprises
[Figure: Juniper company timeline from 1996 (Incorporated) to 2006, with revenue and employee counts ($500M / 1000, 1500, $1B / 2500, $2B, $2.3B) and product milestones M-Series, T-Series, Acorn, UAC, SSG; "#789" as extracted]
– 2 options: integrated (SurfControl) or redirect (SurfControl or Websense)
URL request
Access permitted
Malformed Packet Protection • SYN and FIN bit set • No flags in TCP • FIN with no ACK • ICMP fragment • Large ICMP • IP strict source route • IP record route • IP security options • IP timestamp • IP stream • IP bad options • Unknown protocols
control)
Probe protection • Port scan • IP address sweep
PROTECTION
DoS and DDoS protection
• SYN flood • including SYN proxy and SYN cookie methods
• ICMP flood • UDP flood • IP spoofing • Per-session limiting • SYN fragments • Malicious packet protection • Default packet deny • Ping of death • SYN-ACK-ACK attack • Land attack • Tear drop attack • WinNuke attack • IP source route • Loose source route
Performance
Small/medium offices / remote sites / remote workers
Medium/large sites / branch offices / remote offices
Internal network, service provider, high-speed gateway
Network segmentation helps strengthen security and management
Untrust
Internet
Custom Zone (DMZ #2)
Custom Zone (DMZ #1)
Trust
• Interfaces map to security zones • Multiple interfaces can map to the same security zone • Traffic between security zones must be controlled by security policy
• Juniper is number 2 in global IDP market share, 2004-2006 (Frost & Sullivan)
• Juniper was number 1 in the Chinese domestic network security market in 2006 (Frost & Sullivan)
Growing customer influence - China
• Juniper in Greater China
– Has provided strategic network systems to every top carrier in Greater China.
• Virus scanning of inbound and outbound traffic
HA Link
Custom Zone (Wireless LAN)
Zone-based Denial-of-Service protection
Firewall
Protected Network
Firewall protection • Stateful inspection (i.e., TCP and UDP) • TCP sequence checking • MAC address checking • CRC checking
Content protection • Java/ActiveX/Zip/Exe blocking • User-defined malicious URLs • URL blocking (Websense, surf
Intrusion prevention solutions
Intrusion prevention appliances that help protect networks and critical resources from attacks
Unified access control solutions
Juniper Unified Access Control (UAC) combines user identity, device security state and location information for session-specific access policy by user
To: John  Subject: Please open this file
Discard the infected email and send a message to the user
Juniper's antivirus engine
• Partnered with the industry-leading antivirus vendor (Kaspersky)
– Consistently rated as the best detection and response engine
• The new antivirus solution includes blocking of inbound Spyware / Adware / Keyloggers
Screen OS 5.1 and 5.2
Screen OS 5.3
FTP, Gnutella, HTTP, IMAP, NetBIOS, POP3, DNS, MSRPC, SMB, SMTP and Instant Messaging (AOL, MSN, Yahoo).
CHARGEN, DHCP, DISCARD, ECHO, FINGER, Gopher, ICMP, IDENT, IKE, IRC, LDAP, LPR, MS-SQL, NFS, NNTP, NTP, PortMapper, RADIUS, Rexec, rlogin, SunRPC, Rsh, RTSPRusers, SNMP/Trap, SQL Mon, SSH, SSL, Syslog, TELNET, TFTP, VNC, WHOIS
phishers to block (and/or tag) spam • Use specific domains, email senders or IP addresses to create custom "blacklists"
and "whitelists"
• Spam filtering, provided by Symantec
– Has provided cutting-edge network systems and services to leading education and research institutions, the banking sector, the energy sector, and a broad commercial/SMB market.
Juniper security product family: firewalls
Firewall agenda
1. Juniper introduction
2. Security functions integrated in Juniper firewalls
3. How Juniper firewall hardware architecture and performance differ from other products
4. Juniper firewall product models
SSL VPN Solutions
Product lines for secure LAN, extranet and intranet access to mobile employees, customers and partners with no client software deployment
Juniper Networks
Firewall Products
Gartner's ratings over the years (2007 report)
Juniper #1 out of 11 vendors
Unwanted / unsolicited email
Global spam database
Reduces worthless email traffic
Embedded Web filtering
• Controls Web usage to improve employee productivity and network resource utilization and to avoid litigation
– Prevents users from visiting known spyware and phishing sites – Controls access to websites through predefined or custom URL lists
• Policies can be based on site, content type or user group
SSG uses the industry's best engines and technologies
[Diagram: the protected enterprise surrounded by intrusion prevention, antivirus, anti-spam, Web filtering, basic firewall and IPSec VPN]
"Layered protection model"
Security product categories
UAC Agent
Enterprise security routing solutions
Service provider quality routers for the enterprise designed for remote, branch or regional offices