Monitoring Security Policies
SUMMARY This section describes monitoring security policies and recording the permitted or denied traffic.
Monitoring Security Policy Statistics
Purpose
Monitor and record traffic that Junos OS permits or denies based on previously configured policies.
Action
To monitor traffic, enable the count and log options.
Count—Configurable in an individual policy. If count is enabled, statistics are collected for sessions that enter the device for a given policy, and for the number of packets and bytes that pass through the device in both directions for a given policy. For counts (only for packets and bytes), you can specify that alarms be generated whenever the traffic exceeds specified thresholds. See count (Security Policies).
Log—Logging capability can be enabled with security policies during session initialization (session-init) or session close (session-close) stage. See log (Security Policies).
To view logs from denied connections, enable log on session-init.
To log sessions after their conclusion/tear-down, enable log on session-close.
Session log is enabled at real time in the flow code which impacts the user performance. If both session-close and session-init are enabled, performance is further degraded as compared to enabling session-init only.
For details about information collected for session logs, see Information Provided in Session Log Entries for SRX Series Services Gateways.
Monitoring Routing Information
- Monitoring Route Information
- Monitoring RIP Routing Information
- Monitoring OSPF Routing Information
- Monitoring BGP Routing Information
Monitoring Route Information
Purpose
View information about the routes in a routing table, including destination, protocol, state, and parameter information.
Action
Select Monitor>Routing>Route Information in the J-Web user interface, or enter the following CLI commands:
show route terseshow route detail
When you use an HTTPS connection in the Microsoft Internet Explorer browser to save a report from this page in the J-Web interface, the error message "Internet Explorer was not able to open the Internet site" is displayed. This problem occurs because the Cache-Control: no cache HTTP header is added on the server side and Internet Explorer does not allow you to download the encrypted file with the Cache-Control: no cache HTTP header set in the response from the server.
As a workaround, refer to Microsoft Knowledge Base article 323308, which is available at this URL: http://support.microsoft.com/kb/323308. Also, you can alternatively use HTTP in the Internet Explorer browser or use HTTPS in the Mozilla Firefox browser to save a file from this page.
Table 1 describes the different filters, their functions, and the associated actions.
Table 2 summarizes key output fields in the routing information display.
Field |
Function |
Your Action |
|---|---|---|
Destination Address |
Specifies the destination address of the route. |
Enter the destination address. |
Protocol |
Specifies the protocol from which the route was learned. |
Enter the protocol name. |
Next hop address |
Specifies the network layer address of the directly reachable neighboring system (if applicable) and the interface used to reach it. |
Enter the next hop address. |
Receive protocol |
Specifies the dynamic routing protocol using which the routing information was received through a particular neighbor. |
Enter the routing protocol. |
Best route |
Specifies only the best route available. |
Select the view details of the best route. |
Inactive routes |
Specifies the inactive routes. |
Select the view details of inactive routes. |
Exact route |
Specifies the exact route. |
Select the view details of the exact route. |
Hidden routes |
Specifies the hidden routes. |
Select the view details of hidden routes. |
Search |
Applies the specified filter and displays the matching messages. |
To apply the filter and display messages, click Search. |
Reset |
Resets selected options to default |
To reset the filter, click Reset. |
Field |
Values |
Additional Information |
|---|---|---|
Static Route Addresses |
The list of static route addresses. |
– |
Protocol |
Protocol from which the route was learned: Static, Direct, Local, or the name of a particular protocol. |
– |
Preference |
The preference is the individual preference value for the route. |
The route preference is used as one of the route selection criteria. |
Next-Hop |
Network Layer address of the directly reachable neighboring system (if applicable) and the interface used to reach it. |
If a next hop is listed as Discard, all traffic with that destination address is discarded rather than routed. This value generally means that the route is a static route for which the discard attribute has been set. If a next hop is listed as Reject, all traffic with that destination address is rejected. This value generally means that the address is unreachable. For example, if the address is a configured interface address and the interface is unavailable, traffic bound for that address is rejected. If a next hop is listed as Local, the destination is an address on the host (either the loopback address or Ethernet management port 0 address, for example). |
Age |
How long the route has been active. |
– |
State |
Flags for this route. |
There are many possible flags. |
AS Path |
AS path through which the route was learned. The letters of the AS path indicate the path origin:
|
– |
Monitoring RIP Routing Information
Purpose
View RIP routing information, including a summary of RIP neighbors and statistics.
Action
Select Monitor>Routing>RIP Information in the J-Web user interface, or enter the following CLI commands:
show rip statisticsshow rip neighbors
Table 3 summarizes key output fields in the RIP routing display in the J-Web user interface.
Field |
Values |
Additional Information |
|---|---|---|
| RIP Statistics | ||
Protocol Name |
The RIP protocol name. |
– |
Port number |
The port on which RIP is enabled. |
– |
Hold down time |
The interval during which routes are neither advertised nor updated. |
– |
Global routes learned |
Number of RIP routes learned on the logical interface. |
– |
Global routes held down |
Number of RIP routes that are not advertised or updated during the hold-down interval. |
– |
Global request dropped |
Number of requests dropped. |
– |
Global responses dropped |
Number of responses dropped. |
– |
| RIP Neighbors | ||
Details |
Tab used to view the details of the interface on which RIP is enabled. |
– |
Neighbor |
Name of the RIP neighbor. |
This value is the name of the interface on which RIP is enabled. Click the name to see the details for this neighbor. |
State |
State of the RIP connection: Up or Dn (Down). |
– |
Source Address |
Local source address. |
This value is the configured address of the interface on which RIP is enabled. |
Destination Address |
Destination address. |
This value is the configured address of the immediate RIP adjacency. |
Send Mode |
The mode of sending RIP messages. |
– |
Receive Mode |
The mode in which messages are received. |
– |
In Metric |
Value of the incoming metric configured for the RIP neighbor. |
– |
Monitoring OSPF Routing Information
Purpose
View OSPF routing information, including a summary of OSPF neighbors, interfaces, and statistics.
Action
Select Monitor>Routing>OSPF Information in the J-Web user interface, or enter the following CLI commands:
show ospf neighborsshow ospf interfacesshow ospf statistics
Table 4 summarizes key output fields in the OSPF routing display in the J-Web user interface.
Field |
Values |
Additional Information |
|---|---|---|
| OSPF Interfaces | ||
Details |
Tab used to view the details of the selected OSPF. |
– |
Interface |
Name of the interface running OSPF. |
– |
State |
State of the interface: BDR, Down, DR, DRother, Loop, PtToPt, or Waiting. |
The Down state, indicating that the interface is not functioning, and PtToPt state, indicating that a point-to-point connection has been established, are the most common states. |
Area |
Number of the area that the interface is in. |
– |
DR ID |
ID of the area's designated device. |
– |
BDR ID |
ID of the area's backup designated device. |
– |
Neighbors |
Number of neighbors on this interface. |
– |
| OSPF Statistics | ||
| Packets tab | ||
Sent |
Displays the total number of packets sent. |
– |
Received |
Displays the total number of packets received. |
– |
| Details tab | ||
Flood Queue Depth |
Number of entries in the extended queue. |
– |
Total Retransmits |
Number of retransmission entries enqueued. |
– |
Total Database Summaries |
Total number of database description packets. |
– |
| OSPF Neighbors | ||
Address |
Address of the neighbor. |
– |
Interface |
Interface through which the neighbor is reachable. |
– |
State |
State of the neighbor: Attempt, Down, Exchange, ExStart, Full, Init, Loading, or 2way. |
Generally, only the Down state, indicating a failed OSPF adjacency, and the Full state, indicating a functional adjacency, are maintained for more than a few seconds. The other states are transitional states that a neighbor is in only briefly while an OSPF adjacency is being established. |
ID |
ID of the neighbor. |
– |
Priority |
Priority of the neighbor to become the designated router. |
– |
Activity Time |
The activity time. |
– |
Area |
Area that the neighbor is in. |
– |
Options |
Option bits received in the hello packets from the neighbor. |
– |
DR Address |
Address of the designated router. |
– |
BDR Address |
Address of the backup designated router. |
– |
Uptime |
Length of time since the neighbor came up. |
– |
Adjacency |
Length of time since the adjacency with the neighbor was established. |
– |
Monitoring BGP Routing Information
Purpose
Monitor BGP routing information on the routing device, including a summary of BGP routing and neighbor information.
Action
Select Monitor>Routing>BGP Information in the J-Web user interface, or enter the following CLI commands:
show bgp summaryshow bgp neighbor
Table 5 summarizes key output fields in the BGP routing display in the J-Web user interface.
Field |
Values |
Additional Information |
|---|---|---|
| BGP Peer Summary | ||
Total Groups |
Number of BGP groups. |
– |
Total Peers |
Number of BGP peers. |
– |
Down Peers |
Number of unavailable BGP peers. |
– |
Unconfigured Peers |
Address of each BGP peer. |
– |
| RIB Summary tab | ||
RIB Name |
Name of the RIB group. |
– |
Total Prefixes |
Total number of prefixes from the peer, both active and inactive, that are in the routing table. |
– |
Active Prefixes |
Number of prefixes received from the EBGP peers that are active in the routing table. |
– |
Suppressed Prefixes |
Number of routes received from EBGP peers currently inactive because of damping or other reasons. |
– |
History Prefixes |
History of the routes received or suppressed. |
– |
Dumped Prefixes |
Number of routes currently inactive because of damping or other reasons. These routes do not appear in the forwarding table and are not exported by routing protocols. |
– |
Pending Prefixes |
Number of pending routes. |
– |
State |
Status of the graceful restart process for this routing table: BGP restart is complete, BGP restart in progress, VPN restart in progress, or VPN restart is complete. |
– |
| BGP Neighbors | ||
Details |
Click this button to view the selected BGP neighbor details. |
– |
Peer Address |
Address of the BGP neighbor. |
– |
Autonomous System |
AS number of the peer. |
– |
Peer State |
Current state of the BGP session:
|
Generally, the most common states are Active, which indicates a problem establishing the BGP connection, and Established, which indicates a successful session setup. The other states are transition states, and BGP sessions normally do not stay in those states for extended periods of time. |
Elapsed Time |
Elapsed time since the peering session was last reset. |
– |
Description |
Description of the BGP session. |
– |
Monitoring Security Events by Policy
Purpose
Monitor security events by policy and display logged event details with the J-Web user interface.
Action
To monitor security events by policy:
Select one of the following in the J-Web user interface:
If you are using SRX5400, SRX5600, or SRX5800 platforms, select Monitor>Events and Alarms>Security Events.
Select Monitor>Alarms>Policy Log.
The View Policy Log pane appears. Table 6 describes the content of this pane.
Table 6: View Policy Log Fields Field
Value
Log file name
Name of the event log files to search.
Policy name
Name of the policy of the events to be retrieved.
Source address
Source address of the traffic that triggered the event.
Destination address
Destination address of the traffic that triggered the event.
Event type
Type of event that was triggered by the traffic.
Application
Application of the traffic that triggered the event.
Source port
Source port of the traffic that triggered the event.
Destination port
Destination port of the traffic that triggered the event.
Source zone
Source zone of the traffic that triggered the event.
Destination zone
Destination zone of the traffic that triggered the event.
Source NAT rule
Source NAT rule of the traffic that triggered the event.
Destination NAT rule
Destination NAT rule of the traffic that triggered the event.
Is global policy
Specifies that the policy is a global policy.
If your device is not configured to store session log files locally, the Create log configuration button is displayed in the lower-right portion of the View Policy Log pane.
To store session log files locally, click Create log configuration.
If session logs are being sent to an external log collector (stream mode has been configured for log files), a message appears indicating that event mode must be configured to view policy logs.
Note:Reverting to event mode will discontinue event logging to the external log collector.
To reset the mode option to event, enter the set security log command.
Enter one or more search fields in the View Policy Log pane and click Search to display events matching your criteria.
For example, enter the event type Session Close and the policy pol1 to display event details from all Session Close logs that contain the specified policy. To reduce search results further, add more criteria about the particular event or group of events that you want displayed.
The Policy Events Detail pane displays information from each matching session log. Table 7 describes the contents of this pane.
Field |
Value |
|---|---|
Timestamp |
Time when the event occurred. |
Policy name |
Policy that triggered the event. |
Record type |
Type of event log providing the data. |
Source IP/Port |
Source address (and port, if applicable) of the event traffic. |
Destination IP/Port |
Destination address (and port, if applicable) of the event traffic. |
Service name |
Service name of the event traffic. |
NAT source IP/Port |
NAT source address (and port, if applicable) of the event traffic. |
NAT destination IP/Port |
NAT destination address (and port, if applicable) of the event traffic. |
Monitoring Security Features
- Monitoring Policies
- Checking Policies
- Monitoring Screen Counters
- Monitoring IDP Status
- Monitoring Flow Gate Information
- Monitoring Firewall Authentication Table
- Monitoring Firewall Authentication History
- Monitoring 802.1x
Monitoring Policies
Purpose
Display, sort, and review policy activity for every activated policy configured on the device. Policies are grouped by Zone Context (the from and to zones of the traffic) to control the volume of data displayed at one time. From the policy list, select a policy to display statistics and current network activity.
Action
To review policy activity:
Select Monitor>Security>Policy>Activities in the J-Web user interface. The Security Policies Monitoring page appears and lists the policies from the first Zone Context. See Table 8 for field descriptions.
Select the
Zone Contextof the policy you want to monitor, and clickFilter. All policies within the zone context appear in match sequence.Select a policy, and click Clear Statistics to set all counters to zero for the selected policy.
Field |
Value |
Additional Information |
|---|---|---|
Zone Context (Total #) |
Displays a list of all from and to zone combinations for the configured policies. The total number of active policies for each context is specified in the Total # field. By default, the policies from the first Zone Context are displayed. |
To display policies for a different context,
select a zone context and click |
Default Policy action |
Specifies the action to take for traffic that does not match any of the policies in the context:
|
– |
From Zone |
Displays the source zone to be used as match criteria for the policy. |
– |
To Zone |
Displays the destination zone to be used as match criteria for the policy. |
– |
Name |
Displays the name of the policy. |
– |
Source Address |
Displays the source addresses to be used as match criteria for the policy. Address sets are resolved to their individual names. (In this case, only the names are given, not the IP addresses). |
– |
Destination Address |
Displays the destination addresses (or address sets) to be used as match criteria for the policy. Addresses are entered as specified in the destination zone’s address book. |
– |
Source Identity |
Displays the name of the source identities set for the policy. |
To display the value of the source identities, hover the mouse on this field. Unknown source identities are also displayed. |
Application |
Displays the name of a predefined or custom application signature to be used as match criteria for the policy. |
– |
Dynamic App |
Displays the dynamic application signatures to be used as match criteria if an application firewall rule set is configured for the policy. For a network firewall, a dynamic application is not defined. |
The rule set appears in two lines. The first line displays the configured dynamic application signatures in the rule set. The second line displays the default dynamic application signature. If more than two dynamic application signatures are specified for the rule set, hover over the output field to display the full list in a tooltip. |
Action |
Displays the action portion of the rule set if an application firewall rule set is configured for the policy.
|
The action portion of the rule set appears in two lines. The first line identifies the action to be taken when the traffic matches a dynamic application signature. The second line displays the default action when traffic does not match a dynamic application signature. |
NW Services |
Displays the network services permitted or denied by the policy if an application firewall rule set is configured. Network services include:
|
– |
Policy Hit Counters Graph |
Provides a representation of the value over time for a specified counter. The graph is blank if Policy Counters indicates no data. As a selected counter accumulates data, the graph is updated at each refresh interval. |
To toggle a graph on and off, click the counter name below the graph. |
Policy Counters |
Lists statistical counters for the selected policy if Count is enabled. The following counters are available for each policy:
|
To graph or to remove a counter from the Policy Hit Counters Graph, toggle the counter name. The names of enabled counters appear below the graph. |
Checking Policies
Purpose
Enter match criteria and conduct a policy search. The search results include all policies that match the traffic criteria in the sequence in which they will be encountered.
Because policy matches are listed in the sequence in which they would be encountered, you can determine whether a specific policy is being applied correctly or not. The first policy in the list is applied to all matching traffic. Policies listed after this one remain in the “shadow” of the first policy and are never encountered by this traffic.
By manipulating the traffic criteria and policy sequence, you can tune policy application to suit your needs. During policy development, you can use this feature to establish the appropriate sequence of policies for optimum traffic matches. When troubleshooting, use this feature to determine if specific traffic is encountering the appropriate policy.
Action
Select Monitor>Security>Policy>Shadow Policies in the J-Web user interface. The Check Policies page appears. Table 9 explains the content of this page.
In the top pane, enter the From Zone and To Zone to supply the context for the search.
Enter match criteria for the traffic, including the source address and port, the destination address and port, and the protocol of the traffic.
Enter the number of matching policies to display.
Click
Searchto find policies matching your criteria. The lower pane displays all policies matching the criteria up to the number of policies you specified.The first policy will be applied to all traffic with this match criteria.
Remaining policies will not be encountered by any traffic with this match criteria.
To manipulate the position and activation of a policy, select the policy and click the appropriate button:
Move—Moves the selected policy up or down to position it at a more appropriate point in the search sequence.
Move to—Moves the selected policy by allowing you to drag and drop it to a different location on the same page.
Field |
Function |
||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Check Policies Search Input Pane | |||||||||||||||||||||||||||||||||||||
From Zone |
Name or ID of the source zone. If a From Zone is specified by name, the name is translated to its ID internally. |
||||||||||||||||||||||||||||||||||||
To Zone |
Name or ID of the destination zone. If a To Zone is specified by name, the name is translated to its ID internally. |
||||||||||||||||||||||||||||||||||||
Source Address |
Address of the source in IP notation. |
||||||||||||||||||||||||||||||||||||
Source Port |
Port number of the source. |
||||||||||||||||||||||||||||||||||||
Destination Address |
Address of the destination in IP notation. |
||||||||||||||||||||||||||||||||||||
Destination Port |
Port number of the destination. |
||||||||||||||||||||||||||||||||||||
Source Identity |
Name of the source identity. |
||||||||||||||||||||||||||||||||||||
Protocol |
Name or equivalent value of the protocol to be matched.
|
||||||||||||||||||||||||||||||||||||
Result Count |
(Optional) Number of policies to display. Default value is 1. Maximum value is 16. |
||||||||||||||||||||||||||||||||||||
| Check Policies List | |||||||||||||||||||||||||||||||||||||
From Zone |
Name of the source zone. |
||||||||||||||||||||||||||||||||||||
To Zone |
Name of the destination zone. |
||||||||||||||||||||||||||||||||||||
Total Policies |
Number of policies retrieved. |
||||||||||||||||||||||||||||||||||||
Default Policy action |
The action to be taken if no match occurs. |
||||||||||||||||||||||||||||||||||||
Name |
Policy name |
||||||||||||||||||||||||||||||||||||
Source Address |
Name of the source address (not the IP address) of a policy. Address sets are resolved to their individual names. |
||||||||||||||||||||||||||||||||||||
Destination Address |
Name of the destination address or address set. A packet’s destination address must match this value for the policy to apply to it. |
||||||||||||||||||||||||||||||||||||
Source Identity |
Name of the source identity for the policy. |
||||||||||||||||||||||||||||||||||||
Application |
Name of a preconfigured or custom application of the policy match. |
||||||||||||||||||||||||||||||||||||
Action |
Action taken when a match occurs as specified in the policy. |
||||||||||||||||||||||||||||||||||||
Hit Counts |
Number of matches for this policy. This value is the same as the Policy Lookups in a policy statistics report. |
||||||||||||||||||||||||||||||||||||
Active Sessions |
Number of active sessions matching this policy. |
||||||||||||||||||||||||||||||||||||
Alternatively, to list matching policies using the CLI, enter
the show security match-policies command and include your
match criteria and the number of matching policies to display.
Monitoring Screen Counters
Purpose
View screen statistics for a specified security zone.
Action
Select Monitor>Security>Screen Counters in the J-Web user interface, or enter the following CLI command:
show security screen statistics zone zone-name
Table 10 summarizes key output fields in the screen counters display.
Field |
Values |
Additional Information |
|---|---|---|
| Zones | ||
ICMP Flood |
Internet Control Message Protocol (ICMP) flood counter. |
An ICMP flood typically occurs when ICMP echo requests use all resources in responding, such that valid network traffic can no longer be processed. |
UDP Flood |
User Datagram Protocol (UDP) flood counter. |
UDP flooding occurs when an attacker sends IP packets containing UDP datagrams with the purpose of slowing down the resources, such that valid connections can no longer be handled. |
TCP Winnuke |
Number of Transport Control Protocol (TCP) WinNuke attacks. |
WinNuke is a denial-of-service (DoS) attack targeting any computer on the Internet running Windows. |
TCP Port Scan |
Number of TCP port scans. |
The purpose of this attack is to scan the available services in the hopes that at least one port will respond, thus identifying a service to target. |
ICMP Address Sweep |
Number of ICMP address sweeps. |
An IP address sweep can occur with the intent of triggering responses from active hosts. |
IP Tear Drop |
Number of teardrop attacks. |
Teardrop attacks exploit the reassembly of fragmented IP packets. |
TCP SYN Attack |
Number of TCP SYN attacks. |
– |
IP Spoofing |
Number of IP spoofs. |
IP spoofing occurs when an invalid source address is inserted in the packet header to make the packet appear to come from a trusted source. |
ICMP Ping of Death |
ICMP ping of death counter. |
Ping of death occurs when IP packets are sent that exceed the maximum legal length (65,535 bytes). |
IP Source Route |
Number of IP source route attacks. |
– |
TCP Land Attack |
Number of land attacks. |
Land attacks occur when attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address. |
TCP SYN Fragment |
Number of TCP SYN fragments. |
– |
TCP No Flag |
Number of TCP headers without flags set. |
A normal TCP segment header has at least one control flag set. |
IP Unknown Protocol |
Number of unknown Internet protocols. |
– |
IP Bad Options |
Number of invalid options. |
– |
IP Record Route Option |
Number of packets with the IP record route option enabled. |
This option records the IP addresses of the network devices along the path that the IP packet travels. |
IP Timestamp Option |
Number of IP timestamp option attacks. |
This option records the time (in Universal Time) when each network device receives the packet during its trip from the point of origin to its destination. |
IP Security Option |
Number of IP security option attacks. |
– |
IP Loose route Option |
Number of IP loose route option attacks. |
This option specifies a partial route list for a packet to take on its journey from source to destination. |
IP Strict Source Route Option |
Number of IP strict source route option attacks. |
This option specifies the complete route list for a packet to take on its journey from source to destination. |
IP Stream Option |
Number of stream option attacks. |
This option provides a way for the 16-bit SATNET stream identifier to be carried through networks that do not support streams. |
ICMP Fragment |
Number of ICMP fragments. |
Because ICMP packets contain very short messages, there is no legitimate reason for ICMP packets to be fragmented. If an ICMP packet is so large that it must be fragmented, something is amiss. |
ICMP Large Packet |
Number of large ICMP packets. |
– |
TCP SYN FIN Packet |
Number of TCP SYN FIN packets. |
– |
TCP FIN without ACK |
Number of TCP FIN flags without the acknowledge (ACK) flag. |
– |
TCP SYN-ACK-ACK Proxy |
Number of TCP flags enabled with SYN-ACK-ACK. |
To prevent flooding with SYN-ACK-ACK sessions, you can enable the SYN-ACK-ACK proxy protection screen option. After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, Junos OS rejects further connection requests from that IP address. |
IP Block Fragment |
Number of IP block fragments. |
– |
Monitoring IDP Status
Purpose
View detailed information about the IDP Status, Memory, Counters, Policy Rulebase Statistics, and Attack table statistics.
Action
To view Intrusion Detection and Prevention (IDP) table information, do one of the following:
If you are using SRX5400, SRX5600, or SRX5800 platforms, select Monitor>Security>IDP>Status in the J-Web user interface, or enter the following CLI commands:
show security idp statusshow security idp memory
Select Monitor>Security>IPS>Status in the J-Web user interface.
Table 11 summarizes key output fields in the IDP display.
Field |
Values |
Additional Information |
|---|---|---|
| IDP Status | ||
Status of IDP |
Displays the status of the current IDP policy. |
– |
Up Since |
Displays the time from when the IDP policy first began running on the system. |
– |
Packets/Second |
Displays the number of packets received and returned per second. |
– |
Peak |
Displays the maximum number of packets received per second and the time when the maximum was reached. |
– |
Kbits/Second |
Displays the aggregated throughput (kilobits per second) for the system. |
– |
Peak Kbits |
Displays the maximum kilobits per second and the time when the maximum was reached. |
– |
Latency (Microseconds) |
Displays the delay, in microseconds, for a packet to receive and return by a node . |
– |
Current Policy |
Displays the name of the current installed IDP policy. |
– |
| IDP Memory Status | ||
IDP Memory Statistics |
Displays the status of all IDP data plane memory. |
– |
PIC Name |
Displays the name of the PIC. |
– |
Total IDP Data Plane Memory (MB) |
Displays the total memory space, in megabytes, allocated for the IDP data plane. |
– |
Used (MB) |
Displays the used memory space, in megabytes, for the data plane. |
– |
Available (MB) |
Displays the available memory space, in megabytes, for the data plane. |
– |
Monitoring Flow Gate Information
Purpose
View information about temporary openings known as pinholes or gates in the security firewall.
Action
Select Monitor>Security>Flow Gate in the
J-Web user interface, or enter the show security flow gate command.
Table 12 summarizes key output fields in the flow gate display.
Field |
Values |
Additional Information |
|---|---|---|
| Flow Gate Information | ||
Hole |
Range of flows permitted by the pinhole. |
– |
Translated |
Tuples used to create the session if it matches the pinhole:
|
– |
Protocol |
Application protocol, such as UDP or TCP. |
– |
Application |
Name of the application. |
– |
Age |
Idle timeout for the pinhole. |
– |
Flags |
Internal debug flags for pinhole. |
– |
Zone |
Incoming zone. |
– |
Reference count |
Number of resource manager references to the pinhole. |
– |
Resource |
Resource manager information about the pinhole. |
– |
Monitoring Firewall Authentication Table
Purpose
View information about the authentication table, which divides firewall authentication user information into multiple parts.
Action
Select Monitor>Security>Firewall Authentication>Authentication
Table in the J-Web user interface. To view detailed information
about the user with a particular identifier, select the ID on the
Authentication Table page. To view detailed information about the
user at a particular source IP address, select the Source IP on the
Authentication Table page.
Alternatively, enter the following CLI show commands:
show security firewall-authentication usersshow security firewall-authentication users address ip-addressshow security firewall-authentication users identifier identifier
Table 13 summarizes key output fields in firewall authentication table display.
Field |
Values |
Additional Information |
|---|---|---|
| Firewall authentication users | ||
Total users in table |
Number of users in the authentication table. |
– |
| Authentication table | ||
ID |
Authentication identification number. |
– |
Source Ip |
IP address of the authentication source. |
– |
Age |
Idle timeout for the user. |
– |
Status |
Status of authentication ( |
– |
user |
Name of the user. |
– |
| Detailed report per ID selected: ID | ||
Source Zone |
Name of the source zone. |
– |
Destination Zone |
Name of the destination zone. |
– |
profile |
Name of the profile. |
Users information. |
Authentication method |
Path chosen for authentication. |
– |
Policy Id |
Policy Identifier. |
– |
Interface name |
Name of the interface. |
– |
Bytes sent by this user |
Number of packets in bytes sent by this user. |
– |
Bytes received by this user |
Number of packets in bytes received by this user. |
– |
Client-groups |
Name of the client group. |
– |
| Detailed report per Source Ip selected | ||
Entries from Source IP |
IP address of the authentication source. |
– |
Source Zone |
Name of the source zone. |
– |
Destination Zone |
Name of the destination zone. |
– |
profile |
Name of the profile. |
– |
Age |
Idle timeout for the user. |
– |
Status |
Status of authentication ( |
– |
user |
Name of the user. |
– |
Authentication method |
Path chosen for authentication. |
– |
Policy Id |
Policy Identifier. |
– |
Interface name |
Name of the interface. |
– |
Bytes sent by this user |
Number of packets in bytes sent by this user. |
– |
Bytes received by this user |
Number of packets in bytes received by this user. |
– |
Client-groups |
Name of the client group. |
– |
Monitoring Firewall Authentication History
Purpose
View information about the authentication history, which is divided into multiple parts.
Action
Select Monitor>Security>Firewall Authentication>Authentication
History in the J-Web user interface. To view the detailed history
of the authentication with this identifier, select the ID on the Firewall
Authentication History page. To view a detailed authentication history
of this source IP address, select the Source IP on the Firewall Authentication
History page.
Alternatively, enter the following CLI show commands:
show security firewall-authentication historyshow security firewall-authentication history address ip-addressshow security firewall-authentication history identifier identifier
Table 14 summarizes key output fields in firewall authentication history display.
Field |
Values |
Additional Information |
|---|---|---|
| History of Firewall Authentication Data | ||
Total authentications |
Number of authentication. |
– |
| History Table | ||
ID |
Identification number. |
– |
Source Ip |
IP address of the authentication source. |
– |
Start Date |
Authentication date. |
– |
Start Time |
Authentication time. |
– |
Duration |
Authentication duration. |
– |
Status |
Status of authentication ( |
– |
User |
Name of the user. |
– |
| Detail history of selected Id: ID | ||
Authentication method |
Path chosen for authentication. |
– |
Policy Id |
Security policy identifier. |
– |
Source zone |
Name of the source zone. |
– |
Destination Zone |
Name of the destination zone. |
– |
Interface name |
Name of the interface. |
– |
Bytes sent by this user |
Number of packets in bytes sent by this user. |
– |
Bytes received by this user |
Number of packets in bytes received by this user. |
– |
Client-groups |
Name of the client group. |
– |
| Detail history of selected Source Ip:Source Ip | ||
User |
Name of the user. |
– |
Start Date |
Authentication date. |
– |
Start Time |
Authentication time. |
– |
Duration |
Authentication duration. |
– |
Status |
Status of authentication ( |
– |
Profile |
Name of the profile. |
– |
Authentication method |
Path chosen for authentication. |
– |
Policy Id |
Security policy identifier. |
– |
Source zone |
Name of the source zone. |
– |
Destination Zone |
Name of the destination zone. |
– |
Interface name |
Name of the interface. |
– |
Bytes sent by this user |
Number of packets in bytes sent by this user. |
– |
Bytes received by this user |
Number of packets in bytes received by this user. |
– |
Client-groups |
Name of the client group. |
– |
Monitoring 802.1x
Purpose
View information about 802.1X properties.
Action
Select Monitor>Security>802.1x in the J-Web
user interface, or enter the following CLI commands:
show dot1x interfaces interface-nameshow dot1x authentication-failed-users
Table 15 summarizes the Dot1X output fields.
Field |
Values |
Additional Information |
|---|---|---|
Select Port |
List of ports for selection. |
– |
Number of connected hosts |
Total number of hosts connected to the port. |
– |
Number of authentication bypassed hosts |
Total number of authentication-bypassed hosts with respect to the port. |
– |
| Authenticated Users Summary | ||
MAC Address |
MAC address of the connected host. |
– |
User Name |
Name of the user. |
– |
Status |
Information about the host connection status. |
– |
Authentication Due |
Information about host authentication. |
– |
| Authentication Failed Users Summary | ||
MAC Address |
MAC address of the authentication-failed host. |
– |
User Name |
Name of the authentication-failed user. |
– |