话不多说,直接上命令:
get session
dst-ip destination ip address
dst-mac destination mac address
dst-port destination port number or range
id show sessions with id
ike-nat show ike-nat ALG info
info show sessions summary info
policy-id policy id
protocol protocol number or range
rm show sessions for resource management
service show sessions with service type
src-ip source ip address
src-mac source mac address
src-port source port number or range
tunnel show tunnel sessions
vsd-id get vsd-id specified sessions
例如 get session dst-ip 172.16.0.14
id 2064/s**,vsys 0,flag 08000040/0000/0001,policy 44,time 29, dip 0 module 0
if 0(nspflag 801801):106.2.184.211/50786->172.16.0.14/80,6,0025909c129a,sess token 4,vlan 0,tun 0,vsd 0,route 28,wsf 0
if 6(nspflag 801800):106.2.184.211/50786<-172.16.0.14/80,6,0050568c05db,sess token 13,vlan 0,tun 0,vsd 0,route 5,wsf 0
id 2620/s**,vsys 0,flag 08000040/0000/0001,policy 44,time 30, dip 0 module 0
if 0(nspflag 801801):119.57.134.202/4098->172.16.0.14/80,6,0025909c129a,sess token 4,vlan 0,tun 0,vsd 0,route 28,wsf 0
if 6(nspflag 801800):119.57.134.202/4098<-172.16.0.14/80,6,0050568c05db,sess token 13,vlan 0,tun 0,vsd 0,route 5,wsf 0
id 19591/s**,vsys 0,flag 08000040/0000/0001,policy 6,time 180, dip 0 module 0
if 5(nspflag 801801):10.9.58.216/4552->172.16.0.14/80,6,00000c9ff3e8,sess token 3,vlan 0,tun 0,vsd 0,route 20,wsf 8
if 6(nspflag 801800):10.9.58.216/4552<-172.16.0.14/80,6,0050568c05db,sess token 13,vlan 0,tun 0,vsd 0,route 5,wsf 0
这里显示,以172.16.0.14为目的的所有会话,其中命中的policy iD显示如上。如果有取名字的话,这里显示就是你所取的名字。
Juniper防火墙查看session命中的那个policy
原文地址:http://9573747.blog.51cto.com/9563747/1768184
