| 防火墙常用维护操作 | 您所在的位置:网站首页 › 防火墙名称 › 防火墙常用维护操作 |
|
执行以下命令查看IPv4会话表信息。display firewall session table [ verbose ] [ vsys vsys-name ] [ source-zone source-zone | destination-zone destination-zone | { default-policy | policy policy-name } | source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | application application-name | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } | uniderection ] *display firewall session tableverbose [ vsys vsys-name ] [ source-zone source-zone | destination-zone destination-zone | { default-policy | policy policy-name } | source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpestart-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpucpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | application application-name | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | user user-name | { local | remote } | uniderection | { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value ] *display firewall session table [ verbose ] all-systems [ source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpu cpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | serviceservice-type | vlanvlan-id | created-intime | long-link | { local | remote } ] *display firewall session tableverboseall-systems [ source-cpe start-ipv6-address [ to end-ipv6-address ] | source { inside start-ip-address [ toend-ip-address ] | global start-ip-address [ to end-ip-address ] } | destination-cpe start-ipv6-address [ to end-ipv6-address ] | destination { inside start-ip-address [ to end-ip-address ] | global start-ip-address [ to end-ip-address ] } | slot slot-id cpucpu-id | protocol { id | tcp | udp | sctp | icmp | ah | esp | gre } | source-port { inside port-number | global port-number } | destination-port { inside port-number | global port-number } | interface { interface-name | interface-type interface-number } | service service-type | vlan vlan-id | created-in time | long-link | { local | remote } | { reverse-packet | forward-packet | total-packet } { over | below | equal } packet-value ] *display firewall session table [ verbose ] slb [ destination { vip start-vip-address [ to end-vip-address ] | rip start-rip-address [ to end-rip-address ] } | source start-source-address [ to end-source-address ] | destination-port { vport vport-number | rport rport-number } | source-port source-port-number | slot slot-idcpucpu-id ] *display firewall session table [ verbose ] session-id session-id
在双机热备的组网环境中,可以通过选择local或remote参数,按需要查看本端设备或对端设备的会话表信息。 由于通常情况下设备上的会话表数目很大,逐条查看非常困难。所以该条命令中提供多个参数可以选择需要查看的会话表的类型,有效利用这些参数可以减少查看会话表时显示的条目,缩短定位问题的时间。 对于NAT64会话,基于源/目的地址或端口查询会话时,只能基于NAT转换前的地址/端口查询,不能基于NAT转换后的地址/端口查询。 如果NAT转换前为IPv4地址,则使用display firewall session table [ verbose ]命令结合以下一个或多个参数组合查询:source inside start-ip-address [ to end-ip-address ]、destination global start-ip-address [ to end-ip-address ]、source-port inside port-number、destination-port global port-number。 在不使用verbose的情况下,会显示简要会话表项,格式如下: Current Total Sessions : NUM TYPE VPN:SRCVPN --> DSTVPNSRCIP --> DSTIP在使用verbose的情况下,会显示详细会话表项,以USG6000E/USG6000为例,格式如下: Current Total Sessions : NUM TYPE VPN:SRCVPN --> DSTVPN ID: ID-NUMBER Zone: SRCZONE--> DSTZONE Remote TTL: TOTALTIME Left: LEFTTIME Interface: OUTINTERFACE Nexthop: IP-ADDRESS MAC: MACADDRESS packets:NUMBER bytes:BYTES SRCIP --> DSTIP PolicyName: POLICYNAME各个参数含义如表1所示。其中斜体参数会根据实际情况显示不同内容。 表1-6 会话表项参数含义参数 含义 TYPE 该会话的协议类型,可能出现的情况与display firewall session table命令中的protocol参数的取值范围相同。 VPN:SRCVPN --> DSTVPN 该会话的源VPN实例名称和目的VPN实例名称。 ID: ID-NUMBER 该会话的ID号。 Zone: SRCZONE--> DSTZONE 该会话的源安全区域名称和目的安全区域名称。 Remote 双机热备场景下,Remote说明当前会话是备份会话,该会话是从对端设备备份过来的。对于USG9500,CPU备份场景下,Remote说明该会话是从主CPU上备份过来的。TTL: TOTALTIME 会话表项总的存活时间。 Left: LEFTTIME 会话表项剩余的存活时间。 Interface: OUTINTERFACE 报文出接口的接口号。 Nexthop: IP-ADDRESS 报文下一跳的IP地址。 MAC: MACADDRESS 报文下一跳的MAC地址。 packets:NUMBER bytes:BYTES 正向报文数统计以及字节数统计。正常情况下应该与收到的报文数以及字节数相同,如果变少,说明存在丢包的情况。 SRCIP --> DSTIP 该会话的源IP地址、源端口号、目的IP地址、目的端口号。 地址的格式是x.x.x.x:portx[y.y.y.y:porty],其中portx和porty分别是源和目的端口号。括号内为NAT转换后地址。如果没有进行NAT转换,则不显示括号内的内容。 PolicyName: POLICYNAME 报文匹配的策略名称。 TCP State:TCPState TCP连接状态,仅TCP会话显示此字段。 connecting:表示设备收到SYN首包,TCP连接正在建立。established:表示设备收到ACK包,TCP连接已经建立完成。fin-1:表示设备收到第一个FIN包,TCP连接正在断开。close:表示设备收到第二个FIN包,TCP连接已经断开。 |
| CopyRight 2018-2019 实验室设备网 版权所有 |