Juniper SSG: session-related commands

When running a firewall you want to check whether traffic is actually flowing through it, so this is a memo of the commands for that.

Command memo

get session ?
 >                    redirect output
 |                    match output
 
 dst-ip               destination ip address
 dst-mac              destination mac address
 dst-port             destination port number or range
 id                   show sessions with id
 ike-nat              show ike-nat ALG info
 info                 show sessions summary info
 ipsec-nat            show ipsec pinhole ALG info
 policy-id            policy id
 protocol             protocol number or range
 rm                   show sessions for resource management
 service              show sessions with service type
 src-ip               source ip address
 src-mac              source mac address
 src-port             source port number or range
 tunnel               show tunnel sessions
 vsd-id               get vsd-id specified sessions

get session

alloc 15432/max 256064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 240632
id 127878/s**,vsys 0,flag 00000000/0000/0001/0000,policy 20,time 6, dip 10 module 0
 if 0(nspflag 800801):xx.xx.xx.xx/59269->xx.xx.xx.xx/161,17,02e052fe4664,sess token 16,vlan 0,tun 0,vsd 0,route 8
 if 5(nspflag 10800800):xx.xx.xx.xx/50328<-xx.xx.xx.xx/161,17,00005e000104,sess token 17,vlan 0,tun 0,vsd 0,route 11
(rest omitted)

Filtering by src/dst and similar criteria

Filter the output so that only the sessions you need are shown.

get session src-ip xx.xx.xx.xx dst-ip xx.xx.xx.xx dst-port 23
alloc 15801/max 256064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 240263
Total 1 sessions according filtering criteria.
id 232969/s**,vsys 0,flag 0c000000/0000/0001/0000,policy 92,time 4320, dip 0 module 0
 if 0(nspflag 801801):xx.xx.xx.xx/53168->xx.xx.xx.xx/23,6,02e052fe4664,sess token 16,vlan 0,tun 0,vsd 0,route 8,wsf 0
 if 5(nspflag 801800):xx.xx.xx.xx/53168<-xx.xx.xx.xx/23,6,00005e000104,sess token 17,vlan 0,tun 0,vsd 0,route 11,wsf 7
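
As an added example (not part of the original memo): a small Python parser for the "get session" output layout shown above, so that filtered output saved from the firewall can be checked offline, here for long-lived sessions to a given destination port. The sample text is constructed; treating the "->" line as the initiating flow and the "<-" line as its reverse, and reading the "time" field as the session timer, are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the layout of the ScreenOS "get session" output on the
# page; addresses are documentation ranges, the other values are made up.
SAMPLE = """\
alloc 15801/max 256064, alloc failed 0, mcast alloc 0, di alloc failed 0
total reserved 0, free sessions in shared pool 240263
Total 2 sessions according filtering criteria.
id 127878/s**,vsys 0,flag 00000000/0000/0001/0000,policy 20,time 6, dip 10 module 0
 if 0(nspflag 800801):192.0.2.10/59269->198.51.100.5/161,17,02e052fe4664,sess token 16,vlan 0,tun 0,vsd 0,route 8
 if 5(nspflag 10800800):203.0.113.1/50328<-198.51.100.5/161,17,00005e000104,sess token 17,vlan 0,tun 0,vsd 0,route 11
id 232969/s**,vsys 0,flag 0c000000/0000/0001/0000,policy 92,time 4320, dip 0 module 0
 if 0(nspflag 801801):192.0.2.10/53168->198.51.100.5/23,6,02e052fe4664,sess token 16,vlan 0,tun 0,vsd 0,route 8,wsf 0
 if 5(nspflag 801800):192.0.2.10/53168<-198.51.100.5/23,6,00005e000104,sess token 17,vlan 0,tun 0,vsd 0,route 11,wsf 7
"""

# "id ..." line: session header with policy, timer and DIP (source NAT pool) id.
SESSION_RE = re.compile(r"^id (?P<id>\d+)/\S+,vsys (?P<vsys>\d+),flag (?P<flag>\S+),"
                        r"policy (?P<policy>\d+),time (?P<time>\d+), dip (?P<dip>\d+)")
# " if N(nspflag ...):ip/port->ip/port,proto,..." line: one flow per interface.
FLOW_RE = re.compile(r"^\s+if (?P<ifidx>\d+)\(nspflag [0-9a-f]+\):"
                     r"(?P<a_ip>[\d.]+)/(?P<a_port>\d+)(?P<dir>->|<-)"
                     r"(?P<b_ip>[\d.]+)/(?P<b_port>\d+),(?P<proto>\d+),")

@dataclass
class Session:
    id: int
    vsys: int
    policy: int
    time: int
    dip: int
    flows: list = field(default_factory=list)  # one dict per "if ..." line

def parse_sessions(text):
    """Turn 'get session' output into Session objects; header and summary lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(Session(int(m["id"]), int(m["vsys"]), int(m["policy"]),
                                    int(m["time"]), int(m["dip"])))
            continue
        m = FLOW_RE.match(line)
        if m and sessions:  # flow lines belong to the most recent "id" line
            sessions[-1].flows.append({k: (int(v) if v.isdigit() else v)
                                       for k, v in m.groupdict().items()})
    return sessions

def long_lived(sessions, dst_port, min_time):
    """Ids of sessions whose initiating ("->") flow targets dst_port and whose timer is >= min_time."""
    hits = []
    for s in sessions:
        fwd = [f for f in s.flows if f["dir"] == "->"]
        if fwd and fwd[0]["b_port"] == dst_port and s.time >= min_time:
            hits.append(s.id)
    return hits
```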