Monitoring Firewall Filter Traffic
You can use operational mode commands to monitor firewall filter traffic.
Monitoring Traffic for All Firewall Filters and Policers That Are Configured
Purpose
Monitor the number of packets and bytes that matched the firewall filters, and monitor the number of packets that exceeded policer rate limits.
Action
Use the show firewall operational mode command:
    user@switch> show firewall
    Filter: egress-vlan-watch-employee
    Counters:
    Name                                Bytes        Packets
    counter-employee-web                 3348             27
    Filter: ingress-port-limit-tcp-icmp
    Counters:
    Name                                Bytes        Packets
    icmp-counter                          560             10
    Policers:
    Name                              Packets
    icmp-connection-policer                10
    tcp-connection-policer                  0
    Filter: ingress-vlan-rogue-block
    Filter: ingress-vlan-limit-guest
Meaning
The show firewall command displays the names of all firewall filters, counters, and policers that are configured. For each counter that is specified in a filter configuration, the output field shows the byte count and packet count for the term in which the counter is specified. For each policer that is specified in a filter configuration, the output field shows the packet count for packets that exceed the specified rate limits.
Monitoring Traffic for a Specific Firewall Filter
Purpose
Monitor the number of packets and bytes that matched a firewall filter, and monitor the number of packets that exceeded policer rate limits.
Action
Use the show firewall filter filter-name operational mode command:
    user@switch> show firewall filter ingress-port-limit-tcp-icmp
    Filter: ingress-port-limit-tcp-icmp
    Counters:
    Name                                Bytes        Packets
    icmp-counter                          560             10
Meaning
The show firewall filter filter-name command limits the display information to the counters and policers that are defined for the specified filter.
Monitoring Traffic for a Specific Policer
Purpose
Monitor the number of packets that exceeded the rate limits of a policer.
Action
Use the show firewall policer policer-name operational mode command:
    user@switch> show firewall policer icmp-connection-policer
    Filter: ingress-port-limit-tcp-icmp
    Policers:
    Name                              Packets
    icmp-connection-policer                10
Meaning
The show firewall policer policer-name command displays the number of packets that exceeded the rate limits for the specified policer.