Monitoring Security Policies

Summary: This section describes how to monitor security policies and record the traffic they permit or deny.

Monitoring Security Policy Statistics

Purpose

Monitor and record traffic that Junos OS permits or denies based on previously configured policies.

Action

To monitor traffic, enable the count and log options.

Count—Configurable in an individual policy. If count is enabled, statistics are collected for sessions that enter the device for a given policy, and for the number of packets and bytes that pass through the device in both directions for a given policy. For counts (only for packets and bytes), you can specify that alarms be generated whenever the traffic exceeds specified thresholds. See count (Security Policies).

Log—Logging can be enabled in a security policy at the session initialization (session-init) stage, the session close (session-close) stage, or both. See log (Security Policies).

  • To view logs from denied connections, enable log on session-init.

  • To log sessions after their conclusion/tear-down, enable log on session-close.

Note:

Session logging runs in real time in the flow code, which impacts performance. If both session-close and session-init are enabled, performance is further degraded compared to enabling session-init only.

For details about information collected for session logs, see Information Provided in Session Log Entries for SRX Series Services Gateways.

Monitoring Routing Information

Monitoring Route Information

Purpose

View information about the routes in a routing table, including destination, protocol, state, and parameter information.

Action

Select Monitor>Routing>Route Information in the J-Web user interface, or enter the following CLI commands:

  • show route terse

  • show route detail

Note:

When you use an HTTPS connection in the Microsoft Internet Explorer browser to save a report from this page in the J-Web interface, the error message "Internet Explorer was not able to open the Internet site" is displayed. This problem occurs because the Cache-Control: no-cache HTTP header is added on the server side, and Internet Explorer does not allow you to download an encrypted file when the Cache-Control: no-cache HTTP header is set in the response from the server.

As a workaround, refer to Microsoft Knowledge Base article 323308, which is available at this URL: http://support.microsoft.com/kb/323308. Also, you can alternatively use HTTP in the Internet Explorer browser or use HTTPS in the Mozilla Firefox browser to save a file from this page.

Table 1 describes the different filters, their functions, and the associated actions.

Table 2 summarizes key output fields in the routing information display.

Table 1: Filtering Route Messages

Field | Function | Your Action
--- | --- | ---
Destination Address | Specifies the destination address of the route. | Enter the destination address.
Protocol | Specifies the protocol from which the route was learned. | Enter the protocol name.
Next hop address | Specifies the network layer address of the directly reachable neighboring system (if applicable) and the interface used to reach it. | Enter the next hop address.
Receive protocol | Specifies the dynamic routing protocol through which the routing information was received from a particular neighbor. | Enter the routing protocol.
Best route | Specifies only the best route available. | Select to view details of the best route.
Inactive routes | Specifies the inactive routes. | Select to view details of inactive routes.
Exact route | Specifies the exact route. | Select to view details of the exact route.
Hidden routes | Specifies the hidden routes. | Select to view details of hidden routes.
Search | Applies the specified filter and displays the matching messages. | To apply the filter and display messages, click Search.
Reset | Resets selected options to default. | To reset the filter, click Reset.

Table 2: Summary of Key Routing Information Output Fields

Field | Values | Additional Information
--- | --- | ---
Static Route Addresses | The list of static route addresses. | 
Protocol | Protocol from which the route was learned: Static, Direct, Local, or the name of a particular protocol. | 
Preference | The preference is the individual preference value for the route. | The route preference is used as one of the route selection criteria.
Next-Hop | Network layer address of the directly reachable neighboring system (if applicable) and the interface used to reach it. | If a next hop is listed as Discard, all traffic with that destination address is discarded rather than routed; this value generally means that the route is a static route for which the discard attribute has been set. If a next hop is listed as Reject, all traffic with that destination address is rejected; this value generally means that the address is unreachable (for example, if the address is a configured interface address and the interface is unavailable, traffic bound for that address is rejected). If a next hop is listed as Local, the destination is an address on the host (for example, the loopback address or the Ethernet management port 0 address).
Age | How long the route has been active. | 
State | Flags for this route. | There are many possible flags.
AS Path | AS path through which the route was learned. The letters of the AS path indicate the path origin: I (IGP), E (EGP), or ? (Incomplete; typically, the AS path was aggregated). | 

Monitoring RIP Routing Information

Purpose

View RIP routing information, including a summary of RIP neighbors and statistics.

Action

Select Monitor>Routing>RIP Information in the J-Web user interface, or enter the following CLI commands:

  • show rip statistics

  • show rip neighbors

Table 3 summarizes key output fields in the RIP routing display in the J-Web user interface.

Table 3: Summary of Key RIP Routing Output Fields

Field | Values | Additional Information
--- | --- | ---
RIP Statistics | | 
Protocol Name | The RIP protocol name. | 
Port number | The port on which RIP is enabled. | 
Hold down time | The interval during which routes are neither advertised nor updated. | 
Global routes learned | Number of RIP routes learned on the logical interface. | 
Global routes held down | Number of RIP routes that are not advertised or updated during the hold-down interval. | 
Global request dropped | Number of requests dropped. | 
Global responses dropped | Number of responses dropped. | 
RIP Neighbors | | 
Details | Tab used to view the details of the interface on which RIP is enabled. | 
Neighbor | Name of the RIP neighbor. | This value is the name of the interface on which RIP is enabled. Click the name to see the details for this neighbor.
State | State of the RIP connection: Up or Dn (Down). | 
Source Address | Local source address. | This value is the configured address of the interface on which RIP is enabled.
Destination Address | Destination address. | This value is the configured address of the immediate RIP adjacency.
Send Mode | The mode of sending RIP messages. | 
Receive Mode | The mode in which messages are received. | 
In Metric | Value of the incoming metric configured for the RIP neighbor. | 

Monitoring OSPF Routing Information

Purpose

View OSPF routing information, including a summary of OSPF neighbors, interfaces, and statistics.

Action

Select Monitor>Routing>OSPF Information in the J-Web user interface, or enter the following CLI commands:

  • show ospf neighbors

  • show ospf interfaces

  • show ospf statistics

Table 4 summarizes key output fields in the OSPF routing display in the J-Web user interface.

Table 4: Summary of Key OSPF Routing Output Fields

Field | Values | Additional Information
--- | --- | ---
OSPF Interfaces | | 
Details | Tab used to view the details of the selected OSPF interface. | 
Interface | Name of the interface running OSPF. | 
State | State of the interface: BDR, Down, DR, DRother, Loop, PtToPt, or Waiting. | The Down state, indicating that the interface is not functioning, and the PtToPt state, indicating that a point-to-point connection has been established, are the most common states.
Area | Number of the area that the interface is in. | 
DR ID | ID of the area's designated device. | 
BDR ID | ID of the area's backup designated device. | 
Neighbors | Number of neighbors on this interface. | 
OSPF Statistics (Packets tab) | | 
Sent | Displays the total number of packets sent. | 
Received | Displays the total number of packets received. | 
OSPF Statistics (Details tab) | | 
Flood Queue Depth | Number of entries in the extended queue. | 
Total Retransmits | Number of retransmission entries enqueued. | 
Total Database Summaries | Total number of database description packets. | 
OSPF Neighbors | | 
Address | Address of the neighbor. | 
Interface | Interface through which the neighbor is reachable. | 
State | State of the neighbor: Attempt, Down, Exchange, ExStart, Full, Init, Loading, or 2way. | Generally, only the Down state, indicating a failed OSPF adjacency, and the Full state, indicating a functional adjacency, are maintained for more than a few seconds. The other states are transitional states that a neighbor is in only briefly while an OSPF adjacency is being established.
ID | ID of the neighbor. | 
Priority | Priority of the neighbor to become the designated router. | 
Activity Time | The activity time. | 
Area | Area that the neighbor is in. | 
Options | Option bits received in the hello packets from the neighbor. | 
DR Address | Address of the designated router. | 
BDR Address | Address of the backup designated router. | 
Uptime | Length of time since the neighbor came up. | 
Adjacency | Length of time since the adjacency with the neighbor was established. | 

Monitoring BGP Routing Information

Purpose

Monitor BGP routing information on the routing device, including a summary of BGP routing and neighbor information.

Action

Select Monitor>Routing>BGP Information in the J-Web user interface, or enter the following CLI commands:

  • show bgp summary

  • show bgp neighbor

Table 5 summarizes key output fields in the BGP routing display in the J-Web user interface.

Table 5: Summary of Key BGP Routing Output Fields

Field | Values | Additional Information
--- | --- | ---
BGP Peer Summary | | 
Total Groups | Number of BGP groups. | 
Total Peers | Number of BGP peers. | 
Down Peers | Number of unavailable BGP peers. | 
Unconfigured Peers | Address of each BGP peer. | 
RIB Summary tab | | 
RIB Name | Name of the RIB group. | 
Total Prefixes | Total number of prefixes from the peer, both active and inactive, that are in the routing table. | 
Active Prefixes | Number of prefixes received from the EBGP peers that are active in the routing table. | 
Suppressed Prefixes | Number of routes received from EBGP peers currently inactive because of damping or other reasons. | 
History Prefixes | History of the routes received or suppressed. | 
Dumped Prefixes | Number of routes currently inactive because of damping or other reasons. These routes do not appear in the forwarding table and are not exported by routing protocols. | 
Pending Prefixes | Number of pending routes. | 
State | Status of the graceful restart process for this routing table: BGP restart is complete, BGP restart in progress, VPN restart in progress, or VPN restart is complete. | 
BGP Neighbors | | 
Details | Click this button to view the selected BGP neighbor details. | 
Peer Address | Address of the BGP neighbor. | 
Autonomous System | AS number of the peer. | 
Peer State | Current state of the BGP session: Active (BGP is initiating a TCP connection in an attempt to connect to a peer; if the connection is successful, BGP sends an open message); Connect (BGP is waiting for the TCP connection to become complete); Established (the BGP session has been established, and the peers are exchanging BGP update messages); Idle (the first stage of a connection; BGP is waiting for a Start event); OpenConfirm (BGP has acknowledged receipt of an open message from the peer and is waiting to receive a keepalive or notification message); OpenSent (BGP has sent an open message and is waiting to receive an open message from the peer). | Generally, the most common states are Active, which indicates a problem establishing the BGP connection, and Established, which indicates a successful session setup. The other states are transition states, and BGP sessions normally do not stay in those states for extended periods of time.
Elapsed Time | Elapsed time since the peering session was last reset. | 
Description | Description of the BGP session. | 

Monitoring Security Events by Policy

Purpose

Monitor security events by policy and display logged event details with the J-Web user interface.

Action

To monitor security events by policy:

  1. Select one of the following in the J-Web user interface:

    • If you are using SRX5400, SRX5600, or SRX5800 platforms, select Monitor>Events and Alarms>Security Events.

    • Select Monitor>Alarms>Policy Log.

    The View Policy Log pane appears. Table 6 describes the content of this pane.

    Table 6: View Policy Log Fields

    Field | Value
    --- | ---
    Log file name | Name of the event log files to search.
    Policy name | Name of the policy of the events to be retrieved.
    Source address | Source address of the traffic that triggered the event.
    Destination address | Destination address of the traffic that triggered the event.
    Event type | Type of event that was triggered by the traffic.
    Application | Application of the traffic that triggered the event.
    Source port | Source port of the traffic that triggered the event.
    Destination port | Destination port of the traffic that triggered the event.
    Source zone | Source zone of the traffic that triggered the event.
    Destination zone | Destination zone of the traffic that triggered the event.
    Source NAT rule | Source NAT rule of the traffic that triggered the event.
    Destination NAT rule | Destination NAT rule of the traffic that triggered the event.
    Is global policy | Specifies that the policy is a global policy.

    If your device is not configured to store session log files locally, the Create log configuration button is displayed in the lower-right portion of the View Policy Log pane.

    • To store session log files locally, click Create log configuration.

    If session logs are being sent to an external log collector (stream mode has been configured for log files), a message appears indicating that event mode must be configured to view policy logs.

    Note:

    Reverting to event mode will discontinue event logging to the external log collector.

    • To reset the mode option to event, enter the set security log command.

  2. Enter one or more search fields in the View Policy Log pane and click Search to display events matching your criteria.

    For example, enter the event type Session Close and the policy pol1 to display event details from all Session Close logs that contain the specified policy. To reduce search results further, add more criteria about the particular event or group of events that you want displayed.

    The Policy Events Detail pane displays information from each matching session log. Table 7 describes the contents of this pane.

Table 7: Policy Events Detail Fields

Field | Value
--- | ---
Timestamp | Time when the event occurred.
Policy name | Policy that triggered the event.
Record type | Type of event log providing the data.
Source IP/Port | Source address (and port, if applicable) of the event traffic.
Destination IP/Port | Destination address (and port, if applicable) of the event traffic.
Service name | Service name of the event traffic.
NAT source IP/Port | NAT source address (and port, if applicable) of the event traffic.
NAT destination IP/Port | NAT destination address (and port, if applicable) of the event traffic.
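The following Python is an added example, not code from this page or from Junos OS. It parses the session-init and session-close log entries that the log option described under Monitoring Security Policy Statistics produces, filters them by the View Policy Log search fields (event type, policy name, zone), extracts the Policy Events Detail fields of Table 7, and totals permitted, denied and closed sessions per policy in the spirit of the count option. The log lines are constructed, and the structured-data field names (source-address, policy-name, bytes-from-client and so on) are an assumption about the RT_FLOW syslog format rather than something this page states.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample log lines (not real device output). Field names follow the
# structured-data RT_FLOW syslog format as assumed for this example.
SAMPLE_LOG = """\
<14>1 2024-01-15T10:00:01.000Z srx1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.129 source-address="192.0.2.10" source-port="51000" destination-address="198.51.100.5" destination-port="443" service-name="junos-https" nat-source-address="203.0.113.1" nat-source-port="51000" nat-destination-address="198.51.100.5" nat-destination-port="443" src-nat-rule-name="snat1" dst-nat-rule-name="None" protocol-id="6" policy-name="pol1" source-zone-name="trust" destination-zone-name="untrust" session-id-32="1001"]
<14>1 2024-01-15T10:00:05.000Z srx1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.129 source-address="192.0.2.77" source-port="40000" destination-address="198.51.100.9" destination-port="23" service-name="junos-telnet" protocol-id="6" policy-name="deny-telnet" source-zone-name="trust" destination-zone-name="untrust"]
<14>1 2024-01-15T10:02:30.000Z srx1 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.129 reason="TCP FIN" source-address="192.0.2.10" source-port="51000" destination-address="198.51.100.5" destination-port="443" service-name="junos-https" nat-source-address="203.0.113.1" nat-source-port="51000" nat-destination-address="198.51.100.5" nat-destination-port="443" src-nat-rule-name="snat1" dst-nat-rule-name="None" protocol-id="6" policy-name="pol1" source-zone-name="trust" destination-zone-name="untrust" session-id-32="1001" packets-from-client="12" bytes-from-client="1500" packets-from-server="10" bytes-from-server="8200" elapsed-time="149"]
"""

# Event name in the log -> record type as shown in the Policy Events Detail pane.
RECORD_TYPES = {
    "RT_FLOW_SESSION_CREATE": "Session Create",
    "RT_FLOW_SESSION_DENY": "Session Deny",
    "RT_FLOW_SESSION_CLOSE": "Session Close",
}

EVENT_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\dT[\d:.]+Z)\s+\S+\s+RT_FLOW\s+-\s+"
    r"(?P<event>RT_FLOW_SESSION_(?:CREATE|DENY|CLOSE))\s+\[junos@[\d.]+\s+(?P<body>[^\]]*)\]"
)
KV_RE = re.compile(r'(?P<k>[\w-]+)="(?P<v>[^"]*)"')


@dataclass
class PolicyEvent:
    """One row of the Policy Events Detail pane (Table 7)."""
    timestamp: str
    policy_name: str
    record_type: str
    source: str                     # "address/port"
    destination: str
    service_name: str
    nat_source: Optional[str]       # None when the entry carries no NAT fields
    nat_destination: Optional[str]
    fields: dict = field(default_factory=dict)  # every key="value" pair, for further filtering


def _endpoint(f, addr_key, port_key):
    """Render "address/port" from two log fields, or None if the address is absent."""
    if addr_key not in f:
        return None
    return f"{f[addr_key]}/{f[port_key]}" if port_key in f else f[addr_key]


def parse_line(line):
    """Return a PolicyEvent for an RT_FLOW session entry, or None for any other line."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    f = dict(KV_RE.findall(m.group("body")))
    return PolicyEvent(
        timestamp=m.group("ts"),
        policy_name=f.get("policy-name", ""),
        record_type=RECORD_TYPES[m.group("event")],
        source=_endpoint(f, "source-address", "source-port"),
        destination=_endpoint(f, "destination-address", "destination-port"),
        service_name=f.get("service-name", ""),
        nat_source=_endpoint(f, "nat-source-address", "nat-source-port"),
        nat_destination=_endpoint(f, "nat-destination-address", "nat-destination-port"),
        fields=f,
    )


def parse_log(text):
    """Parse a whole log; non-session lines (other daemons, blank lines) are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def search_events(events, **criteria):
    """Filter like the View Policy Log pane: every criterion given must match.
    Keys are PolicyEvent attributes (record_type, policy_name, ...) or raw log
    field names passed as **{"source-zone-name": "trust"}."""
    def matches(e):
        return all((getattr(e, k) if hasattr(e, k) else e.fields.get(k)) == v
                   for k, v in criteria.items())
    return [e for e in events if matches(e)]


def summarize_by_policy(events):
    """Per-policy counters: sessions permitted (session-init), denied, closed, and
    bytes in each direction taken from the session-close entries."""
    stats = defaultdict(lambda: {"permitted": 0, "denied": 0, "closed": 0,
                                 "bytes_from_client": 0, "bytes_from_server": 0})
    for e in events:
        s = stats[e.policy_name]
        if e.record_type == "Session Create":
            s["permitted"] += 1
        elif e.record_type == "Session Deny":
            s["denied"] += 1
        else:
            s["closed"] += 1
            s["bytes_from_client"] += int(e.fields.get("bytes-from-client", 0))
            s["bytes_from_server"] += int(e.fields.get("bytes-from-server", 0))
    return dict(stats)
```

Calling `search_events(parse_log(SAMPLE_LOG), record_type="Session Close", policy_name="pol1")` reproduces the Session Close / pol1 search from step 2 above.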

Monitoring Security Features

Monitoring Policies

Purpose

Display, sort, and review policy activity for every activated policy configured on the device. Policies are grouped by Zone Context (the from and to zones of the traffic) to control the volume of data displayed at one time. From the policy list, select a policy to display statistics and current network activity.

Action

To review policy activity:

  1. Select Monitor>Security>Policy>Activities in the J-Web user interface. The Security Policies Monitoring page appears and lists the policies from the first Zone Context. See Table 8 for field descriptions.

  2. Select the Zone Context of the policy you want to monitor, and click Filter. All policies within the zone context appear in match sequence.

  3. Select a policy, and click Clear Statistics to set all counters to zero for the selected policy.

Table 8: Security Policies Monitoring Output Fields

Field | Value | Additional Information
--- | --- | ---
Zone Context (Total #) | Displays a list of all from and to zone combinations for the configured policies. The total number of active policies for each context is specified in the Total # field. By default, the policies from the first Zone Context are displayed. | To display policies for a different context, select a zone context and click Filter. Both inactive and active policies appear for each context. However, the Total # field for a context specifies the number of active policies only.
Default Policy action | Specifies the action to take for traffic that does not match any of the policies in the context: permit-all (permit all traffic that does not match a policy) or deny-all (deny all traffic that does not match a policy). | 
From Zone | Displays the source zone to be used as match criteria for the policy. | 
To Zone | Displays the destination zone to be used as match criteria for the policy. | 
Name | Displays the name of the policy. | 
Source Address | Displays the source addresses to be used as match criteria for the policy. Address sets are resolved to their individual names. (In this case, only the names are given, not the IP addresses.) | 
Destination Address | Displays the destination addresses (or address sets) to be used as match criteria for the policy. Addresses are entered as specified in the destination zone’s address book. | 
Source Identity | Displays the name of the source identities set for the policy. | To display the value of the source identities, hover the mouse over this field. Unknown source identities are also displayed.
Application | Displays the name of a predefined or custom application signature to be used as match criteria for the policy. | 
Dynamic App | Displays the dynamic application signatures to be used as match criteria if an application firewall rule set is configured for the policy. | For a network firewall, a dynamic application is not defined. The rule set appears in two lines: the first line displays the configured dynamic application signatures in the rule set, and the second line displays the default dynamic application signature. If more than two dynamic application signatures are specified for the rule set, hover over the output field to display the full list in a tooltip.
Action | Displays the action portion of the rule set if an application firewall rule set is configured for the policy: permit (permits access to the network services controlled by the policy; a green background signifies permission) or deny (denies access to the network services controlled by the policy; a red background signifies denial). | The action portion of the rule set appears in two lines. The first line identifies the action to be taken when the traffic matches a dynamic application signature. The second line displays the default action when traffic does not match a dynamic application signature.
NW Services | Displays the network services permitted or denied by the policy if an application firewall rule set is configured. Network services include gprs-gtp-profile (specify a GPRS Tunneling Protocol profile name), idp (perform intrusion detection and prevention), redirect-wx (set WX redirection), reverse-redirect-wx (set WX reverse redirection), and uac-policy (enable unified access control enforcement of the policy). | 
Policy Hit Counters Graph | Provides a representation of the value over time for a specified counter. The graph is blank if Policy Counters indicates no data. As a selected counter accumulates data, the graph is updated at each refresh interval. | To toggle a graph on and off, click the counter name below the graph.
Policy Counters | Lists statistical counters for the selected policy if Count is enabled. The following counters are available for each policy: input-bytes, input-byte-rate, output-bytes, output-byte-rate, input-packets, input-packet-rate, output-packets, output-packet-rate, session-creations, session-creation-rate, and active-sessions. | To graph a counter or remove it from the Policy Hit Counters Graph, toggle the counter name. The names of enabled counters appear below the graph.

Checking Policies

Purpose

Enter match criteria and conduct a policy search. The search results include all policies that match the traffic criteria in the sequence in which they will be encountered.

Because policy matches are listed in the sequence in which they would be encountered, you can determine whether a specific policy is being applied correctly or not. The first policy in the list is applied to all matching traffic. Policies listed after this one remain in the “shadow” of the first policy and are never encountered by this traffic.

By manipulating the traffic criteria and policy sequence, you can tune policy application to suit your needs. During policy development, you can use this feature to establish the appropriate sequence of policies for optimum traffic matches. When troubleshooting, use this feature to determine if specific traffic is encountering the appropriate policy.

Action

  1. Select Monitor>Security>Policy>Shadow Policies in the J-Web user interface. The Check Policies page appears. Table 9 explains the content of this page.

  2. In the top pane, enter the From Zone and To Zone to supply the context for the search.

  3. Enter match criteria for the traffic, including the source address and port, the destination address and port, and the protocol of the traffic.

  4. Enter the number of matching policies to display.

  5. Click Search to find policies matching your criteria. The lower pane displays all policies matching the criteria up to the number of policies you specified.

    • The first policy will be applied to all traffic with this match criteria.

    • Remaining policies will not be encountered by any traffic with this match criteria.

  6. To manipulate the position and activation of a policy, select the policy and click the appropriate button:

    • Move—Moves the selected policy up or down to position it at a more appropriate point in the search sequence.

    • Move to—Moves the selected policy by allowing you to drag and drop it to a different location on the same page.

Table 9: Check Policies Output

Field | Function
--- | ---
Check Policies Search Input Pane | 
From Zone | Name or ID of the source zone. If a From Zone is specified by name, the name is translated to its ID internally.
To Zone | Name or ID of the destination zone. If a To Zone is specified by name, the name is translated to its ID internally.
Source Address | Address of the source in IP notation.
Source Port | Port number of the source.
Destination Address | Address of the destination in IP notation.
Destination Port | Port number of the destination.
Source Identity | Name of the source identity.
Protocol | Name or equivalent numeric value of the protocol to be matched: ah (51), egp (8), esp (50), gre (47), icmp (1), igmp (2), igp (9), ipip (94), ipv6 (41), ospf (89), pgm (113), pim (103), rdp (27), rsvp (46), sctp (132), tcp (6), udp (17), or vrrp (112).
Result Count | (Optional) Number of policies to display. Default value is 1. Maximum value is 16.
Check Policies List | 
From Zone | Name of the source zone.
To Zone | Name of the destination zone.
Total Policies | Number of policies retrieved.
Default Policy action | The action to be taken if no match occurs.
Name | Policy name.
Source Address | Name of the source address (not the IP address) of a policy. Address sets are resolved to their individual names.
Destination Address | Name of the destination address or address set. A packet’s destination address must match this value for the policy to apply to it.
Source Identity | Name of the source identity for the policy.
Application | Name of a preconfigured or custom application of the policy match.
Action | Action taken when a match occurs as specified in the policy.
Hit Counts | Number of matches for this policy. This value is the same as the Policy Lookups in a policy statistics report.
Active Sessions | Number of active sessions matching this policy.

Alternatively, to list matching policies using the CLI, enter the show security match-policies command and include your match criteria and the number of matching policies to display.
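As an added example (not code from this page or from Junos OS), the following Python reproduces the Check Policies semantics described above: policies are evaluated in sequence against the traffic criteria of Table 9, the first match is the policy applied, and later matches are reported as shadowed; Result Count is bounded to 1..16 as the page states. The address book, address sets, application definitions and the policy sequence are constructed for the example, and the "any" application is modeled with protocol number 0 as a wildcard, which is a simplification of this example rather than Junos behaviour.

```python
import ipaddress
from dataclasses import dataclass

# Constructed address book (name -> prefix) and address sets (set name -> member names).
ADDRESS_BOOK = {
    "any": "0.0.0.0/0",
    "lan-users": "192.0.2.0/24",
    "admin-host": "192.0.2.10/32",
    "web-server": "198.51.100.5/32",
    "dns-server": "198.51.100.53/32",
}
ADDRESS_SETS = {"servers": ["web-server", "dns-server"]}

# Constructed application table: name -> list of (protocol number, lowest port, highest port).
# Protocol 0 is used as a wildcard for the "any" application (an example simplification).
APPLICATIONS = {
    "any": [(0, 0, 65535)],
    "junos-https": [(6, 443, 443)],
    "junos-ssh": [(6, 22, 22)],
    "junos-dns-udp": [(17, 53, 53)],
}


@dataclass(frozen=True)
class Policy:
    name: str
    from_zone: str
    to_zone: str
    source: tuple        # address or address-set names, as written in the policy
    destination: tuple
    application: tuple
    action: str          # "permit" or "deny"


@dataclass(frozen=True)
class Traffic:
    """Match criteria from the Check Policies Search Input Pane (Table 9)."""
    from_zone: str
    to_zone: str
    source_ip: str
    source_port: int
    destination_ip: str
    destination_port: int
    protocol: int        # IP protocol number, e.g. tcp = 6, udp = 17


def resolve_addresses(names):
    """Expand address sets to their member names, as the Check Policies list does."""
    resolved = []
    for name in names:
        resolved.extend(ADDRESS_SETS.get(name, [name]))
    return resolved


def address_matches(names, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(ADDRESS_BOOK[n]) for n in resolve_addresses(names))


def application_matches(names, protocol, port):
    for name in names:
        for proto, low, high in APPLICATIONS[name]:
            if proto in (0, protocol) and low <= port <= high:
                return True
    return False


def match_policies(policies, traffic, result_count=1):
    """Matching policies in lookup order, at most result_count of them (1..16)."""
    if not 1 <= result_count <= 16:
        raise ValueError("result_count must be between 1 and 16")
    matches = []
    for p in policies:
        if (p.from_zone, p.to_zone) != (traffic.from_zone, traffic.to_zone):
            continue
        if not address_matches(p.source, traffic.source_ip):
            continue
        if not address_matches(p.destination, traffic.destination_ip):
            continue
        if not application_matches(p.application, traffic.protocol, traffic.destination_port):
            continue
        matches.append(p)
        if len(matches) == result_count:
            break
    return matches


def check_policies(policies, traffic, default_action="deny-all"):
    """Shadow check: the first match is applied; every later match is shadowed by it."""
    matches = match_policies(policies, traffic, result_count=16)
    if not matches:
        return {"applied": None, "action": default_action, "shadowed": []}
    return {"applied": matches[0].name, "action": matches[0].action,
            "shadowed": [p.name for p in matches[1:]]}


# Constructed policy sequence for the example, in lookup order. "admin-any" is
# shadowed by "allow-web" for HTTPS from the admin host to the web server.
POLICIES = [
    Policy("allow-web", "trust", "untrust", ("lan-users",), ("web-server",), ("junos-https",), "permit"),
    Policy("admin-any", "trust", "untrust", ("admin-host",), ("servers",), ("any",), "permit"),
    Policy("deny-ssh", "trust", "untrust", ("any",), ("any",), ("junos-ssh",), "deny"),
]
```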

Monitoring Screen Counters

Purpose

View screen statistics for a specified security zone.

Action

Select Monitor>Security>Screen Counters in the J-Web user interface, or enter the following CLI command:

show security screen statistics zone zone-name

Table 10 summarizes key output fields in the screen counters display.

Table 10: Summary of Key Screen Counters Output Fields

Field | Values | Additional Information
--- | --- | ---
Zones | | 
ICMP Flood | Internet Control Message Protocol (ICMP) flood counter. | An ICMP flood typically occurs when ICMP echo requests use all resources in responding, such that valid network traffic can no longer be processed.
UDP Flood | User Datagram Protocol (UDP) flood counter. | UDP flooding occurs when an attacker sends IP packets containing UDP datagrams with the purpose of slowing down the resources, such that valid connections can no longer be handled.
TCP Winnuke | Number of Transmission Control Protocol (TCP) WinNuke attacks. | WinNuke is a denial-of-service (DoS) attack targeting any computer on the Internet running Windows.
TCP Port Scan | Number of TCP port scans. | The purpose of this attack is to scan the available services in the hope that at least one port will respond, thus identifying a service to target.
ICMP Address Sweep | Number of ICMP address sweeps. | An IP address sweep can occur with the intent of triggering responses from active hosts.
IP Tear Drop | Number of teardrop attacks. | Teardrop attacks exploit the reassembly of fragmented IP packets.
TCP SYN Attack | Number of TCP SYN attacks. | 
IP Spoofing | Number of IP spoofs. | IP spoofing occurs when an invalid source address is inserted in the packet header to make the packet appear to come from a trusted source.
ICMP Ping of Death | ICMP ping of death counter. | Ping of death occurs when IP packets are sent that exceed the maximum legal length (65,535 bytes).
IP Source Route | Number of IP source route attacks. | 
TCP Land Attack | Number of land attacks. | Land attacks occur when an attacker sends spoofed SYN packets containing the IP address of the victim as both the destination and source IP address.
TCP SYN Fragment | Number of TCP SYN fragments. | 
TCP No Flag | Number of TCP headers without flags set. | A normal TCP segment header has at least one control flag set.
IP Unknown Protocol | Number of unknown Internet protocols. | 
IP Bad Options | Number of invalid options. | 
IP Record Route Option | Number of packets with the IP record route option enabled. | This option records the IP addresses of the network devices along the path that the IP packet travels.
IP Timestamp Option | Number of IP timestamp option attacks. | This option records the time (in Universal Time) when each network device receives the packet during its trip from the point of origin to its destination.
IP Security Option | Number of IP security option attacks. | 
IP Loose route Option | Number of IP loose route option attacks. | This option specifies a partial route list for a packet to take on its journey from source to destination.
IP Strict Source Route Option | Number of IP strict source route option attacks. | This option specifies the complete route list for a packet to take on its journey from source to destination.
IP Stream Option | Number of stream option attacks. | This option provides a way for the 16-bit SATNET stream identifier to be carried through networks that do not support streams.
ICMP Fragment | Number of ICMP fragments. | Because ICMP packets contain very short messages, there is no legitimate reason for ICMP packets to be fragmented. If an ICMP packet is so large that it must be fragmented, something is amiss.
ICMP Large Packet | Number of large ICMP packets. | 
TCP SYN FIN Packet | Number of TCP SYN FIN packets. | 
TCP FIN without ACK | Number of TCP FIN flags without the acknowledge (ACK) flag. | 
TCP SYN-ACK-ACK Proxy | Number of TCP flags enabled with SYN-ACK-ACK. | To prevent flooding with SYN-ACK-ACK sessions, you can enable the SYN-ACK-ACK proxy protection screen option. After the number of connections from the same IP address reaches the SYN-ACK-ACK proxy threshold, Junos OS rejects further connection requests from that IP address.
IP Block Fragment | Number of IP block fragments. | 

Monitoring IDP Status

Purpose

View detailed information about the IDP Status, Memory, Counters, Policy Rulebase Statistics, and Attack table statistics.

Action

To view Intrusion Detection and Prevention (IDP) table information, do one of the following:

  • If you are using SRX5400, SRX5600, or SRX5800 platforms, select Monitor>Security>IDP>Status in the J-Web user interface, or enter the following CLI commands:

    1. show security idp status

    2. show security idp memory

  • Select Monitor>Security>IPS>Status in the J-Web user interface.

Table 11 summarizes key output fields in the IDP display.

Table 11: Summary of IDP Status Output Fields

Field | Values | Additional Information
--- | --- | ---
IDP Status | | 
Status of IDP | Displays the status of the current IDP policy. | 
Up Since | Displays the time from when the IDP policy first began running on the system. | 
Packets/Second | Displays the number of packets received and returned per second. | 
Peak | Displays the maximum number of packets received per second and the time when the maximum was reached. | 
Kbits/Second | Displays the aggregated throughput (kilobits per second) for the system. | 
Peak Kbits | Displays the maximum kilobits per second and the time when the maximum was reached. | 
Latency (Microseconds) | Displays the delay, in microseconds, for a packet to be received and returned by a node. | 
Current Policy | Displays the name of the currently installed IDP policy. | 
IDP Memory Status | | 
IDP Memory Statistics | Displays the status of all IDP data plane memory. | 
PIC Name | Displays the name of the PIC. | 
Total IDP Data Plane Memory (MB) | Displays the total memory space, in megabytes, allocated for the IDP data plane. | 
Used (MB) | Displays the used memory space, in megabytes, for the data plane. | 
Available (MB) | Displays the available memory space, in megabytes, for the data plane. | 

Monitoring Flow Gate Information

Purpose

View information about temporary openings known as pinholes or gates in the security firewall.

Action

Select Monitor>Security>Flow Gate in the J-Web user interface, or enter the show security flow gate command.

Table 12 summarizes key output fields in the flow gate display.

Table 12: Summary of Key Flow Gate Output Fields

Field | Values | Additional Information
--- | --- | ---
Flow Gate Information | | 
Hole | Range of flows permitted by the pinhole. | 
Translated | Tuples used to create the session if it matches the pinhole: source address and port, and destination address and port. | 
Protocol | Application protocol, such as UDP or TCP. | 
Application | Name of the application. | 
Age | Idle timeout for the pinhole. | 
Flags | Internal debug flags for the pinhole. | 
Zone | Incoming zone. | 
Reference count | Number of resource manager references to the pinhole. | 
Resource | Resource manager information about the pinhole. | 

Monitoring Firewall Authentication Table

Purpose

View information about the authentication table, which divides firewall authentication user information into multiple parts.

Action

Select Monitor>Security>Firewall Authentication>Authentication Table in the J-Web user interface. To view detailed information about the user with a particular identifier, select the ID on the Authentication Table page. To view detailed information about the user at a particular source IP address, select the Source IP on the Authentication Table page.

Alternatively, enter the following CLI show commands:

  • show security firewall-authentication users

  • show security firewall-authentication users address ip-address

  • show security firewall-authentication users identifier identifier

Table 13 summarizes key output fields in the firewall authentication table display.

Table 13: Summary of Key Firewall Authentication Table Output Fields

Field

Values

Additional Information

Firewall authentication users

Total users in table

Number of users in the authentication table.

Authentication table

ID

Authentication identification number.

Source Ip

IP address of the authentication source.

Age

Idle timeout for the user.

Status

Status of authentication (success or failure).

user

Name of the user.

Detailed report per ID selected: ID

Source Zone

Name of the source zone.

Destination Zone

Name of the destination zone.

profile

Name of the profile.

Users information.

Authentication method

Path chosen for authentication.

Policy Id

Policy identifier.

Interface name

Name of the interface.

Bytes sent by this user

Number of bytes sent by this user.

Bytes received by this user

Number of bytes received by this user.

Client-groups

Name of the client group.

Detailed report per Source Ip selected

Entries from Source IP

IP address of the authentication source.

Source Zone

Name of the source zone.

Destination Zone

Name of the destination zone.

profile

Name of the profile.

Age

Idle timeout for the user.

Status

Status of authentication (success or failure).

user

Name of the user.

Authentication method

Path chosen for authentication.

Policy Id

Policy identifier.

Interface name

Name of the interface.

Bytes sent by this user

Number of bytes sent by this user.

Bytes received by this user

Number of bytes received by this user.

Client-groups

Name of the client group.

Monitoring Firewall Authentication History

Purpose

View information about the authentication history, which is divided into multiple parts.

Action

Select Monitor>Security>Firewall Authentication>Authentication History in the J-Web user interface. To view the detailed history of the authentication with this identifier, select the ID on the Firewall Authentication History page. To view a detailed authentication history of this source IP address, select the Source IP on the Firewall Authentication History page.

Alternatively, enter the following CLI show commands:

  • show security firewall-authentication history

  • show security firewall-authentication history address ip-address

  • show security firewall-authentication history identifier identifier

Table 14 summarizes key output fields in the firewall authentication history display.

Table 14: Summary of Key Firewall Authentication History Output Fields

Field

Values

Additional Information

History of Firewall Authentication Data

Total authentications

Number of authentications.

History Table

ID

Identification number.

Source Ip

IP address of the authentication source.

Start Date

Authentication date.

Start Time

Authentication time.

Duration

Authentication duration.

Status

Status of authentication (success or failure).

User

Name of the user.

Detail history of selected Id: ID

Authentication method

Path chosen for authentication.

Policy Id

Security policy identifier.

Source zone

Name of the source zone.

Destination Zone

Name of the destination zone.

Interface name

Name of the interface.

Bytes sent by this user

Number of bytes sent by this user.

Bytes received by this user

Number of bytes received by this user.

Client-groups

Name of the client group.

Detail history of selected Source Ip: Source Ip

User

Name of the user.

Start Date

Authentication date.

Start Time

Authentication time.

Duration

Authentication duration.

Status

Status of authentication (success or failure).

Profile

Name of the profile.

Authentication method

Path chosen for authentication.

Policy Id

Security policy identifier.

Source zone

Name of the source zone.

Destination Zone

Name of the destination zone.

Interface name

Name of the interface.

Bytes sent by this user

Number of bytes sent by this user.

Bytes received by this user

Number of bytes received by this user.

Client-groups

Name of the client group.
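As an added example, not part of the Junos OS documentation or of J-Web, the following Python check takes rows shaped like the Table 14 History Table (ID, Source Ip, Start Date, Start Time, Status, User) and flags source IPs whose failed authentications cluster inside a short window, which is the kind of pattern an operator reviewing the history would want surfaced. The sample rows, their Status spellings and the date format are constructed; collecting and parsing the real show security firewall-authentication history output is assumed to happen elsewhere.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows in the column order of the Table 14 History Table
# (ID, Source Ip, Start Date, Start Time, Status, User); Duration is omitted.
# Illustrative values only, not output captured from a device.
SAMPLE_HISTORY = [
    (1, "192.0.2.10", "2024-05-01", "08:00:05", "Failure", "alice"),
    (2, "192.0.2.10", "2024-05-01", "08:00:40", "Failure", "alice"),
    (3, "192.0.2.10", "2024-05-01", "08:01:15", "Failure", "admin"),
    (4, "192.0.2.10", "2024-05-01", "08:02:00", "Success", "alice"),
    (5, "198.51.100.7", "2024-05-01", "08:00:00", "Failure", "bob"),
    (6, "198.51.100.7", "2024-05-01", "09:30:00", "Failure", "bob"),
    (7, "198.51.100.7", "2024-05-01", "09:45:00", "Success", "bob"),
]

def start_timestamp(row):
    """Join the Start Date and Start Time columns into one datetime."""
    return datetime.strptime(f"{row[2]} {row[3]}", "%Y-%m-%d %H:%M:%S")

def is_failure(row):
    """Status is reported as success or failure; treat anything other
    than a success as a failed authentication."""
    return row[4].strip().lower() != "success"

def failed_auth_bursts(rows, threshold=3, window=timedelta(minutes=5)):
    """Return {source_ip: peak_failures} for each Source Ip whose failed
    authentications reach `threshold` within any sliding `window`."""
    failures = defaultdict(list)
    for row in rows:
        if is_failure(row):
            failures[row[1]].append(start_timestamp(row))
    bursts = {}
    for ip, times in failures.items():
        times.sort()
        left, peak = 0, 0
        for right, current in enumerate(times):
            # Advance the left edge until the span fits inside `window`.
            while current - times[left] > window:
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            bursts[ip] = peak
    return bursts

if __name__ == "__main__":
    for ip, count in failed_auth_bursts(SAMPLE_HISTORY).items():
        print(f"{ip}: {count} failed authentications within 5 minutes")
```

Only the 192.0.2.10 rows form a burst at the default settings; the two failures from 198.51.100.7 are ninety minutes apart and stay below the threshold.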

Monitoring 802.1x

Purpose

View information about 802.1X properties.

Action

Select Monitor>Security>802.1x in the J-Web user interface, or enter the following CLI commands:

  • show dot1x interfaces interface-name

  • show dot1x authentication-failed-users

Table 15 summarizes the Dot1X output fields.

Table 15: Summary of Dot1X Output Fields

Field

Values

Additional Information

Select Port

List of ports for selection.

Number of connected hosts

Total number of hosts connected to the port.

Number of authentication bypassed hosts

Total number of authentication-bypassed hosts on the port.

Authenticated Users Summary

MAC Address

MAC address of the connected host.

User Name

Name of the user.

Status

Information about the host connection status.

Authentication Due

Information about host authentication.

Authentication Failed Users Summary

MAC Address

MAC address of the authentication-failed host.

User Name

Name of the authentication-failed user.