Monitoring Stateful Firewall

[Contents] [Prev] [Next] [Index] [Report an Error]

Monitoring Stateful Firewall
This section shows how to set a stateful firewall statistics baseline, lists the system event logs associated with the stateful firewall feature, and describes the show commands you can use to view inspection lists, inspection parameters, current sessions, firewall configuration, and firewall-related statistics.

System Event Logs

To troubleshoot and monitor your firewall, use the following system event logs:

flowInspection

flowServicesFirewallAudit

flowServicesFirewallAlert

For more information about using event logs, see JUNOSe System Basics Configuration Guide, Chapter 13, Logging System Events.

Baselining Firewall Statistics

You can establish a baseline for firewall statistics by setting a group of reference counters to zero.

baseline ip inspection global
Sets a statistics baseline for global firewall statistics.

The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline whenever baseline-relative statistics are retrieved.

Use the delta keyword with IP show commands to specify that baselined statistics are to be shown.

Example
host1#baseline ip inspection global
There is no no version.
baseline ip inspection name
Sets a statistics baseline for the specified inspection list.

The router implements the baseline by reading and storing the statistics at the time the baseline is set and then subtracting this baseline whenever baseline-relative statistics are retrieved.

Use the delta keyword with IP show commands to specify that baselined statistics are to be shown.

Example
host1#baseline ip inspection list1
There is no no version.
Viewing Firewall Information

You can monitor the following aspects of IP by using show ip commands:
 To Display
 Command

 Firewall inspection lists

 show ip inspect


 All inspection parameters

 show ip inspect config


 Information for a specified inspection list

 show ip inspect name


 Current sessions being tracked by the stateful firewall

 show ip inspect session


 All firewall-related statistics

 show ip inspect statistics


 Firewall license information

 show license firewall



 
To set a statistics baseline for stateful firewall, use the baseline ip inspection global and baseline ip inspection name commands. Use the delta keyword with firewall show commands to specify that baselined statistics are to be shown.

You can use the output filtering feature of the show command to include or exclude lines of output based on a text string that you specify. See JUNOSe System Basics Configuration Guide, Chapter 2, Command-Line Interface, for details.

show ip inspect

Use to display firewall configuration and sessions.

Field descriptions

Inspection List—Name of the inspection list

Time since counters last reset—Mount of time since the statistical counters were last reset

Number of connections permitted—Number of sessions allowed for any interface with which this inspection list is associated

Number of current connections—Number of current sessions

Number of interfaces using—Number of interfaces using this inspection list

Application [ application ]—Audit trail control state, alert control state, and idle timeout value for each application configured in the inspection list

Referenced by profiles—Name of any profile that references this inspection list and the interface direction (ingress or egress) for which the inspection list applies
Example
host1#show ip inspect
Inspection Lists:
    (Inspection List Information Spans all virtual routers)
    Inspection List     listin
            Time since counters last reset: 04:44:07
            Number of connections permitted 1
 
            Number of current connections 1
            Number of interfaces using 1
        Application TCP
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 3000
        Application UDP
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 30
        Application ICMP
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 10
        Application Ftp
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 3600
 
        Referenced by Profile(s):
            foo (ingress)
 
    Inspection List     listout
            Time since counters last reset: 00:01:33
            Number of connections permitted 0
 
            Number of current connections 0
            Number of interfaces using 0
        Application TCP
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 3000
        Application Http
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 3600
 
        Referenced by Profile(s):
            foo (egress)
show ip inspect config

Use to display all inspection parameters.

Field descriptions

Global Firewall Parameters

Alert—Status of alert logging at the router level

Audit trail—Status of audit trail logging at the router level

Syn-Wait Time—Amount of time the software waits for a TCP session

Fin-Wait Time—Amount of time a TCP session is managed after the firewall detects a FIN-exchange

Tcp Idle Time—TCP idle timer value

Udp Idle Time—UDP idle timer value

Icmp Idle Time—ICMP idle timer value

Dns Time—DNS timer value

Max Incomplete High—Max-incomplete high value

Max Incomplete Low—Max-incomplete low value

One Minute High—One-minute high value

One Minute Low—One-minute low value

Max Host Number—Maximum number of half-complete TCP sessions that the router allows to the same destination before it begins removing sessions

Max Host Block Time—Amount of time that the router disallows connection to affected hosts after removing sessions to those hosts

Inspection List—Name of the inspection list

Application [ application ]—Audit trail control state, alert control state, and idle timeout value for each application configured in the inspection list

Referenced by Profiles—Name of any profile that references this inspection list and the interface direction (ingress or egress) to which the inspection list applies

Interface Attachments—Interfaces with which the inspection lists are associated
Example
host1#show ip inspect config
Global Firewall Parameters
 
Alert is on
Audit trail is off
Syn-Wait Time:          30
Fin-Wait Time:          5
Tcp Idle Time:          3000
Udp Idle Time:          30
Icmp Idle Time:         10
Dns Time:               5
Max Incomplete High:    500
Max Incomplete Low:     400
One Minute High:        500
One Minute Low:         400
Max Host Number:        250
Max Host Block Time:    0
 
Inspection Lists:
    (Inspection List Information Spans all virtual routers)
    Inspection List     listin
        Application TCP
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 3000
        Application UDP
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 30
        Application ICMP
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 10
        Application Ftp
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 3600
 
        Referenced by Profile(s):
            foo (ingress)
 
    Inspection List     listout
        Application TCP
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 3000
        Application Http
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 3600
 
        Referenced by Profile(s):
            foo (egress)
 
Interface Attachments
 
Interface: ATM10/0.1  (ingress) listin
show ip inspect name

Use to display information about a specified inspection list.

Field descriptions

Inspection List—Name of the inspection list

Time since counters last reset—Amount of time since the statistical counters were last reset

Number of connections permitted—Number of sessions allowed for any interface with which this inspection list is associated

Number of current connections—Number of current sessions

Number of interfaces using—Number of interfaces using this inspection list

Application [ application ]—Audit trail control state, alert control state, and idle timeout value for each application configured in the inspection list

Referenced by Profiles—Name of any profile that references this inspection list and the interface direction (ingress or egress) to which the inspection list applies
Example
host1#show ip inspect name listin
    Inspection List     list1
        (Information spans all virtual routers)
 
            Time since counters last reset: 04:44:04
            Number of connections permitted 1
 
            Number of current connections 1
            Number of interfaces using 1
        Application TCP
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 3000
        Application UDP
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 30
        Application ICMP
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 10
        Application Ftp
            Auditing follows router state
            Alerting follows router state
            Timeout set to: 3600
 
        Referenced by Profile(s):
            foo (ingress)
show ip inspect session

Use to display the current sessions being tracked by the state-full firewall.

Field descriptions

Entry—Table entry number

Source—Source address

Destination—Destination address

Prot—Protocol operating over this session (TCP, UDP, or ICMP)

Time since Creation—Amount of time elapsed since this session was created

Time since last use—Amount of time elapsed since this session was last used

Inspection Name—Name of the inspection list used to allow this session

Application Used—Configured application in the inspection list that was used to allow this session

Example
host1#show ip inspect session
                                                 Time       Time
                                                since      since    Inspection
Entry       Source        Destination    Prot  Creation   last use     Name
------ ---------------- ---------------- ---- ---------- ---------- ----------
1      10.1.1.1:1038    13.1.1.1:23      TCP  00:00:49   00:00:07   listin
       Application
Entry     Used
------ -----------
1      TCP
show ip inspect statistics

Use to display the current statistics being tracked by the stateful firewall.

Field descriptions

Current Information

Number of blocked destinations—Number of destinations blocked by the firewall

Size of the half open table—Number of half-open connections in the half-open table

Statistics

Time since last reset—Amount of time elapsed since last statistics were reset

Evaluations—Total number of evaluations performed

Permits—Total number of permits allowed

Denies by rule—Total number of denials based on inspection list rules

Denies due to blocked destinations—Total number of denials due to blocked destinations

Evaluate permitted but no resources—Total number of evaluations permitted but not performed due to resource constraints

Denies for other reasons—Total number of denials that occurred for reasons not mentioned above

Packets forwarded through firewall—Total number of packets forwarded through the firewall

Bytes forwarded through firewall—Total number of bytes forwarded through the firewall

Packets discarded (flow control error)—Total number of packets discarded for flow control errors

Packets discarded (packet error)—Total number of packets discarded for packet errors

Packets discarded (reassembly)—Total number of packets discarded for reassembly errors

Packets discarded (other)—Total number of packets discarded for packet errors other than those mentioned above

Deleted half open connections—Total number of deleted half-open connections

Total blocked destinations—Total number of blocked destinations

Transitions into rate flood protection—Total number of times the firewall has entered into rate flood protection because the number of half-open sessions exceeded the configured maximum value

Transitions out of rate flood protection—Total number of times the firewall has ceased rate flood protection because the number of half-open sessions returned to below the configured maximum value

Transitions into size flood protection—Total number of times the firewall has entered into SYN flood protection because the number of half-open sessions exceeded the configured maximum value

Transitions out of size flood protection—Total number of times the firewall has ceased SYN flood protection because the number of half-open sessions returned to below the configured maximum value

Dynamic Translation Type—Always reads "fully extended" to indicate a 5-tuple entry

Current—Number of current sessions

Peak—Number of peak concurrent sessions

Accumulated—Total number of sessions

Failed—Number of times the router could not create a session

Example
host1#show ip inspect statistics
Virtual Router Statistics
Current Information
        Number of blocked destinations: 0
        Size of the half open table:    0
 
Statistics
Time since last reset 04:41:27
Evaluations                             : 3
Permits                                 : 3
Denies by rule                          : 0
Denies due to blocked destinations      : 0
Evaluate permitted but no resources     : 0
Denies for other reasons                : 0
 
Packets forwarded through firewall      : 28
Bytes forwarded through firewall        : 1770
 
Packets discarded (flow control error)  : 0
Packets discarded (packet error)        : 0
Packets discarded (reassembly)          : 0
Packets discarded (other)               : 2
 
Deleted half open connections           : 0
Total blocked destinations              : 0
Transitions into rate flood protection  : 0
Transitions out of rate flood protection: 0
Transitions into size flood protection  : 0
Transitions out of size flood protection: 0
 
 
  Dynamic Translation Type     Current       Peak     Accumulated    Failed
----------------------------  ----------  ----------  -----------  ----------
Fully Extended                         1           1            3           0
show license firewall
Use to display the firewall license key configured on the router.

Example
host1#show license firewall
Ipv6 license is firewall_licence

To Display	Command
Firewall inspection lists	show ip inspect
All inspection parameters	show ip inspect config
Information for a specified inspection list	show ip inspect name
Current sessions being tracked by the stateful firewall	show ip inspect session
All firewall-related statistics	show ip inspect statistics
Firewall license information	show license firewall

[Contents] [Prev] [Next] [Index] [Report an Error]