[Contents] [Prev] [Next] [Index] [Report an Error]

Monitoring Firewalls

Firewall information is divided into multiple parts:

To view stateful firewall filter statistics in the J-Web interface, select Monitor>Firewall>Statistics Summary. Alternatively, enter the CLI command show services stateful-firewall statistics.
To view stateful firewall filter information in the J-Web interface, select Monitor>Firewall>Stateful Firewall. To display stateful firewall filter information for a particular address prefix, port, or other characteristic, type or select information in one or more of the Narrow Search boxes, and click OK.
Alternatively, enter the following CLI show commands:
- show services stateful-firewall conversations
- show services stateful-firewall flows

To view intrusion detection service (IDS) information, select Monitor>Firewall>IDS Information. Click one of the following criteria to order the display accordingly:

Bytes (received bytes)
Packets (received packets)
Flows
Anomalies

To limit the display of IDS information, type or select information in one or more of the Narrow Search boxes listed in Table 52, and click OK.

Table 52: IDS Search-Narrowing Characteristics

Destination Address	Type a destination address prefix to display IDS information for only that prefix.
IDS Table	Select one of the following: Destination—Displays information for an address under attack. Pair—Displays information for a suspected attack source and destination pair. Source—Displays information for an address that is a suspected attacker.
Number of IDS Entries to Display	Select a number between 25 and 500 to display only a particular number of entries.
Threshold	Type a number to display events with only that number of bytes, packets, flows, or anomalies—whichever you selected to order the display. For example, to display all events with more than 100 flows, click Flows and then type 100 in the Threshold box.
Service Set	Select a service set to display information for only the set.

Alternatively, enter the following CLI show commands:

show services ids destination-table
show services ids source-table
show services ids pair-table

Table 53 summarizes key output fields in firewall and IDS displays.

Table 53: Summary of Key Firewall and IDS Output Fields

Statistics Summary
Interface	Name of the services interface on which the service set is applied.
Service Set	Name of the service set.
Accept	Number of packets accepted by all rules defined in the service set.
Discard	Number of packets discarded by all rules defined in the service set.
Reject	Number of packets rejected by all rules defined in the service set.
New flows	Number of packets matching rules defined in new flows: Accept—Number of packets accepted. Discards—Number of packets discarded. Rejects—Number of packets rejected.
Existing flows	Number of packets matching rules defined in existing flows: Accept—Number of packets accepted. Discards—Number of packets discarded. Rejects—Number of packets rejected.
Drops	Number of packets dropped due to the following match conditions: IP Option—Number of packets dropped due to the inspection of the IP options field of the packet. TCP SYN Defense—Number of packets dropped due to the SYN defender, which prevents denial-of-service (DoS) attacks. NAT Ports Exhausted—Number of packets dropped because the router has no available NAT ports to assign for a given source address. For more information about these match conditions, see the J-series Services Router Advanced WAN Access Configuration Guide and the JUNOS Services Interfaces Configuration Guide.
Errors	Number of protocol errors detected: IP—Number of IPv4 errors (for example, Minimum IP header length check failures). TCP—Number of TCP errors (for example, Source or destination port number is zero). UDP—Number of UDP errors (for example, IP data length less than minimum UDP header length (8 bytes)). ICMP—Number of ICMP errors (for example, Duplicate ping sequence number). Non-IP Packets—Number of errors in packets that are not IPv4 packets. ALG—Number of application-level gateway (ALG) errors. For a complete list of protocol errors that are counted, see the description of the show services stateful-firewall statistics command in the JUNOS System Basics and Services Command Reference.
Stateful Firewall
Protocol	Protocol used for the specified stateful firewall flow.
Source IP	Source prefix of the stateful firewall flow.
Source Port	Source port number of stateful firewall flow.
Destination IP	Destination prefix of the stateful firewall flow.
Destination Port	Destination port number of the stateful firewall flow.
Flow State	Status of the stateful firewall flow: Drop—Drop all packets in the flow without response. Forward—Forward the packet in the flow without inspecting it. Reject—Drop all packets in the flow with response. Watch—Inspect packets in the flow.
Direction	Direction of the flow: I (input) or O (output).
Frames	Number of frames in the flow.
IDS Information
Source Address	Source address for the event.
Destination address	Destination address for the event.
Time	Total time the information has been in the IDS table.
Bytes	Total number of bytes sent from the source to the destination address, in thousands (k) or millions (m).
Packets	Total number of packets sent from the source to the destination address, in thousands (k) or millions (m).
Flows	Total number of flows of packets sent from the source to the destination address, in thousands (k) or millions (m).
Anomalies	Total number of anomalies in the anomaly table, in thousands (k) or millions (m).
Application	Configured application, such as FTP or telnet.

[Contents] [Prev] [Next] [Index] [Report an Error]