1.       Debugging / Fault Localization

1.1.     Common Commands

1.1.1.      Basic Commands

1.1.1.1.        show product       View device details

show product shows the boot time, uptime, serial number, hardware version, MAC address, software version and BOOT version.

firewall> show product

show-product

    start-time "2022-03-01 14:54:29"

    uptime "40 minutes"

    productname Z5100

    hardwarever 1.00

    serialnum H1QPB2F000163

    ethaddr 30:0D:9E:41:D8:36

    softwarever "NGFW_NTOS 1.0R1, Release(02150112)"

    softwarenum M12461503012022

    boot-version 1.1.0.f6bea6f3

    ..

1.1.1.2.        show config   View the device configuration

show config displays the device configuration.

firewall> show config

vrf main

    arp

        proxy-enabled false

        gratuitous-send

            enabled true

            interval 30

            ..

        ..

    routing

        static

            ipv4-route 192.168.23.0/24

                next-hop 172.18.22.1 enable true

                ..

            ipv4-route 192.168.21.0/24

                next-hop 172.18.22.1 enable true

                ..

1.1.1.3.        show config vrf main interface   View the configuration of all interfaces

show config vrf main interface shows the configuration of every interface.

firewall> show config vrf main interface

interface

    physical Ge0/0

        mtu 1500

        description ""

        enabled true

        wanlan lan

        working-mode route

        ipv4

            address 172.18.22.114/24

            enabled true

            ..

        ipv6

            enabled true

            ..

        reverse-path true

        ethernet

            mac-address 30:0d:9e:41:d8:36

            ..

        access-control

            https true

            ping true

            ssh true

            ..

        ..

    physical Ge0/1

        enabled true

        working-mode route

        ipv4

            enabled true

            ..

        ipv6

            enabled true

            ..

        reverse-path true

        access-control

            https false


1.1.1.4.        show config vrf main interface physical <name> (interface name, e.g. Ge0/0)   View the configuration of one interface

show config vrf main interface physical <name> shows the configuration of a single interface.

firewall>  show config vrf main interface physical Ge0/0

physical Ge0/0

    mtu 1500

    description ""

    enabled true

    wanlan lan

    working-mode route

    ipv4

        address 172.18.22.114/24

        enabled true

        ..

    ipv6

        enabled true

        ..

    reverse-path true

    ethernet

        mac-address 30:0d:9e:41:d8:36

        ..

    access-control

        https true

        ping true

        ssh true

        ..

    ..

firewall>

 

1.1.1.5.        show interface      View interfaces

show interface shows the state of each interface: its name, IP addresses and link state (up/down).

firewall> show interface

Name                State          IP Addresses

----                -----          ------------

lo                  UNKNOWN        127.0.0.1/8

                                   ::1/128

tunl0@NONE          DOWN

sit0@NONE           DOWN

ip6tnl0@NONE        DOWN

Ge0/0               UP             172.18.22.114/24

                                   fe80::320d:9eff:fe41:d836/64

Ge0/1               LOWERLAYERDOWN

Ge0/2               LOWERLAYERDOWN

Ge0/3               LOWERLAYERDOWN

Ge0/4               DOWN

Ge0/5               LOWERLAYERDOWN

Ge0/6               UP             fe80::320d:9eff:fe41:d83c/64

Ge0/7               LOWERLAYERDOWN 9.0.0.10/25

TenGe0/0            LOWERLAYERDOWN 13.0.0.1/16

TenGe0/1            LOWERLAYERDOWN 130.0.0.1/24

TenGe0/2            UP             12.0.0.1/16

                                   fe80::320d:9eff:fe41:d842/64

TenGe0/3            UP             120.0.0.1/24

                                   fe80::320d:9eff:fe41:d843/64

eth0                UNKNOWN        fe80::251:82ff:fe11:2200/64

1.1.1.6.        show interface throughput   View interface receive/transmit rates

show interface throughput shows the receive and transmit rates of every interface.

Interface name prefixes: Ge is gigabit Ethernet, TenGe is 10-gigabit Ethernet, PPP is a dial-up interface.

firewall> show interface throughput

IFNAME             IN pkt/s   (IN bit/s)   OUT pkt/s  (OUT bit/s)

---

Ge0/0                   3.9       (2.6K)         1.9       (3.2K)

Ge0/1                     0          (0)           0          (0)

Ge0/2                     0          (0)           0          (0)

Ge0/3                     0          (0)           0          (0)

Ge0/4                     0          (0)           0          (0)

Ge0/5                     0          (0)           0          (0)

Ge0/6                     0          (0)           0          (0)

Ge0/7                     0          (0)           0          (0)

TenGe0/0                  0          (0)           0          (0)

TenGe0/1                  0          (0)           0          (0)

TenGe0/2                  0          (0)           0          (0)

TenGe0/3                  0          (0)           0          (0)

eth0                    6.0       (4.5K)         2.0       (2.8K)

eth1                      0          (0)           0          (0)

eth2                      0          (0)           0          (0)

1.1.1.7.        show interface statistics      View interface receive/transmit counters

show interface statistics shows the receive and transmit counters of each interface.

firewall> show interface statistics

Ge0/0

    rx.packets: 16737

    rx.bytes: 1814717

    rx.errors: 0

    rx.multicast: 0

    rx.dropped: 106

    rx.overrun: 0

    tx.packets: 5641

    tx.bytes: 2686220

    tx.errors: 0

    tx.dropped: 0

    tx.fifo_errors: 0

    tx.carrier_errors: 0

    tx.collisions: 0

Ge0/1

1.1.1.8.        show interface port state vrf main name <name> (interface name, e.g. Ge0/0)   View the interface working mode

show interface port state vrf main name <name> shows the interface working mode and the negotiated duplex and speed.

firewall> show interface port state vrf main name Ge0/0

show-physical-interface-state

    interface-total 1

    interface

        name Ge0/0

        mtu 1500

        promiscuous false

        description ""

        enabled true

        wanlan lan

        working-mode route

        ifindex 8

        oper-status UP

        ipv4

            origin STATIC

            address 172.18.22.114/24

            enabled true

            dhcp

                enabled false

                timeout 60

                retry 30

                select-timeout 0

                reboot 10

                initial-interval 10

                dhcp-lease-time 7200

                ..

            ..

        ipv6

            address fe80::320d:9eff:fe41:d836/64

            enabled true

            ..

        ethernet

            mac-address 30:0d:9e:41:d8:36

            auto-negotiate true

            duplex-mode full

            port-speed 1000M

1.1.1.9.        show ipv4-routes  View the routing table

show ipv4-routes shows the IPv4 routing table.

firewall> show ipv4-routes

Codes: K - kernel route, C - connected, S - static, R - RIP,

       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,

       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,

       F - PBR, f - OpenFabric,

       > - selected route, * - FIB route, q - queued route, r - rejected route

 

S>* 0.0.0.0/0 [5/0] via 172.18.22.1, Ge0/0, 01:07:17

C>* 12.0.0.0/16 is directly connected, TenGe0/2, 01:07:13

C>* 120.0.0.0/24 is directly connected, TenGe0/3, 01:07:13

C>* 172.18.22.0/24 is directly connected, Ge0/0, 01:07:17

S>* 172.18.141.0/24 [5/0] via 172.18.22.1, Ge0/0, 01:07:17

S>* 192.168.21.0/24 [5/0] via 172.18.22.1, Ge0/0, 01:07:17

S>* 192.168.23.0/24 [5/0] via 172.18.22.1, Ge0/0, 01:07:17

firewall>

 

1.1.1.10.    show arp all   View the ARP table

show arp all shows the ARP table.

firewall> show arp all

Address                  HWtype  HWaddress           Flags Mask            Iface

172.18.22.1              ether   00:ff:00:ff:01:02   C                     Ge0/0

Entries: 1      Skipped: 0      Found: 1

firewall>

1.1.1.11.    cmd ping / cmd traceroute  Network reachability checks with ping and traceroute

cmd ping <host> and cmd traceroute <host> run ping and traceroute from the device; press Ctrl+C to stop (the output then reports "Netconf RPC interrupted").

firewall> cmd ping www.baidu.com

PING www.a.shifen.com (14.215.177.38) 56(84) bytes of data.

64 bytes from 14.215.177.38 (14.215.177.38): icmp_seq=1 ttl=50 time=20.4 ms

64 bytes from 14.215.177.38 (14.215.177.38): icmp_seq=2 ttl=50 time=20.3 ms

^CNetconf RPC interrupted.

firewall> cmd traceroute www.baidu.com

traceroute to www.baidu.com (14.215.177.39), 30 hops max, 60 byte packets

 1  172.18.22.1 (172.18.22.1)  3.177 ms  3.292 ms  3.371 ms

 2  192.168.59.81 (192.168.59.81)  0.823 ms  0.958 ms  1.078 ms

 3  192.168.198.105 (192.168.198.105)  1.178 ms  1.216 ms  1.252 ms

 4  192.168.59.50 (192.168.59.50)  0.435 ms  0.430 ms  0.448 ms

 5  * * *

 6  * * *

 7  * * *

 8  * * *

 9  * * *

10  * * *

1.1.2.      System

1.1.2.1.        Memory

Total NTOS memory is divided into non-forwarding-plane memory and forwarding-plane memory. At boot the device pre-partitions the two pools according to its performance class, and each service requests memory from the non-forwarding-plane or the forwarding-plane pool depending on where it runs.

Memory distribution for the Z51R1 release:

Total memory    Non-forwarding-plane memory    Forwarding-plane memory
4G              1.7G                           2.3G

1.1.2.1.1.       show memory

Displays system memory:

MemTotal:        4029480 kB

MemFree:          858308 kB

MemAvailable:     982896 kB

Buffers:           40312 kB

Cached:           232640 kB

SwapCached:            0 kB

Active:           408576 kB

Inactive:         168064 kB

Active(anon):     314944 kB

Inactive(anon):    30716 kB

Active(file):      93632 kB

Inactive(file):   137348 kB

Unevictable:        8488 kB

Mlocked:            8488 kB

SwapTotal:             0 kB

SwapFree:              0 kB

Dirty:               196 kB

Writeback:             0 kB

AnonPages:        301412 kB

Mapped:            90044 kB

Shmem:             41984 kB

Slab:              77732 kB

SReclaimable:      42648 kB

SUnreclaim:        35084 kB

KernelStack:        4064 kB

PageTables:         3328 kB

NFS_Unstable:          0 kB

Bounce:                0 kB

WritebackTmp:          0 kB

CommitLimit:      803348 kB

Committed_AS:    1212048 kB

VmallocTotal:   135290290112 kB

VmallocUsed:           0 kB

VmallocChunk:          0 kB

AnonHugePages:     67584 kB

ShmemHugePages:        0 kB

ShmemPmdMapped:        0 kB

CmaTotal:         262144 kB

CmaFree:          218996 kB

HugePages_Total:    1183

HugePages_Free:        0

HugePages_Rsvd:        0

HugePages_Surp:        0

Hugepagesize:       2048 kB

Fields to watch:

- MemTotal: total system memory
- MemFree: free non-forwarding-plane memory. Free forwarding-plane memory is shown by cmd debug-support fp exec dpdk-debug-memory (next section).

1.1.2.1.2.       cmd debug-support fp exec dpdk-debug-memory

Shell command: fp-cli dpdk-debug-memory

Shows forwarding-plane memory usage.

firewall> cmd debug-support fp exec dpdk-debug-memory

Heap id:0

        Heap name:socket_0

        Heap_size:2415919104,

        Free_size:1762858944,

        Alloc_size:653060160,

        Greatest_free_size:1746879232,

        Alloc_count:336940,

        Free_count:23197,

Heap id:1

        Heap name:

        Heap_size:0,

        Free_size:0,

        Alloc_size:0,

        Greatest_free_size:0,

        Alloc_count:0,

        Free_count:0,

.....

The output is long; only the following fields of Heap id:0 need attention:

- Heap_size: total forwarding-plane memory
- Free_size: free forwarding-plane memory

Free_size needs attention once it drops below 100M. If it stays below 100M, forwarding services may be unable to obtain memory, causing forwarding failures or partial traffic loss; in that case collect the dynamic mempool usage described later in this section.
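As an added check that is not part of the original guide, the Python snippet below parses the heap block of this command's output and applies the 100M rule of thumb; the sample text is constructed from the figures shown above.

```python
import re

# Constructed sample in the shape of the `cmd debug-support fp exec
# dpdk-debug-memory` output above; heap 1 is the unused second socket.
DPDK_MEMORY_OUTPUT = """\
Heap id:0
        Heap name:socket_0
        Heap_size:2415919104,
        Free_size:1762858944,
        Alloc_size:653060160,
        Greatest_free_size:1746879232,
        Alloc_count:336940,
        Free_count:23197,
Heap id:1
        Heap name:
        Heap_size:0,
        Free_size:0,
        Alloc_size:0,
        Greatest_free_size:0,
        Alloc_count:0,
        Free_count:0,
"""

# The guide's rule of thumb: Free_size below 100M on the forwarding plane
# needs attention (staying below it can break forwarding).
FREE_WATERMARK = 100 * 1024 * 1024


def parse_heaps(text):
    """Return {heap_id: {field: value}} from dpdk-debug-memory output.

    Numeric fields become ints; the trailing commas are stripped.
    """
    heaps, current = {}, None
    for line in text.splitlines():
        head = re.match(r"\s*Heap id:(\d+)\s*$", line)
        if head:
            current = heaps.setdefault(int(head.group(1)), {})
            continue
        if current is None:
            continue
        field = re.match(r"\s*([A-Za-z_ ]+?):\s*(.*?),?\s*$", line)
        if field:
            key, val = field.group(1).strip(), field.group(2).strip()
            current[key] = int(val) if val.isdigit() else val
    return heaps


def check_forwarding_memory(text, watermark=FREE_WATERMARK):
    """Summarize heap 0 (the populated socket) and flag low free memory."""
    heap = parse_heaps(text)[0]
    total, free = heap["Heap_size"], heap["Free_size"]
    return {
        "name": heap["Heap name"],
        "total_bytes": total,   # 2415919104 B = 2.25 GiB, the 2.3G in the table above
        "free_bytes": free,
        "used_pct": round(100.0 * (total - free) / total, 1),
        # Largest contiguous free block; far below free_bytes means fragmentation
        "largest_free_bytes": heap["Greatest_free_size"],
        "low_memory": free < watermark,
    }


if __name__ == "__main__":
    print(check_forwarding_memory(DPDK_MEMORY_OUTPUT))
```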

 

1.1.2.1.3.       fp-rte mempool memory

In fp-rte, a mempool is forwarding-plane memory that is managed as a pool.

Mempools are either static or dynamic: static pool memory is pre-allocated, while dynamic pools allocate memory as services need it.

1.1.2.1.4.       cmd debug-support fp exec "dump-mempool [all | name]"

Query command for static mempools.

cmd debug-support fp exec "dump-mempool all" shows the usage of every static pool.

cmd debug-support fp exec "dump-mempool <name>" shows the usage of the named pool.

Note: the predefined portion may change as capacity specifications change; this memory normally does not need attention.

1.1.2.1.5.       cmd debug-support fp exec "dump-mempool-dynamic [all | name]"

Query command for dynamic mempools.

cmd debug-support fp exec "dump-mempool-dynamic" without a pool name lists all dynamic pool names:

firewall> cmd debug-support fp exec dump-mempool-dynamic

Please specify mempool name among:

<hybrid_mem_64>@0x18802e240

<hybrid_mem_128>@0x1880137c0

<hybrid_mem_192>@0x187ff8d40

<hybrid_mem_256>@0x187fc62c0

<hybrid_mem_320>@0x187f93840

<hybrid_mem_384>@0x187f30dc0

<hybrid_mem_448>@0x187ece340

<hybrid_mem_512>@0x187e6b8c0

<hybrid_mem_576>@0x187e08e40

<hybrid_mem_640>@0x187d463c0

<hybrid_mem_704>@0x187c83940

<hybrid_mem_768>@0x187bc0ec0

<hybrid_mem_832>@0x187afe440

<hybrid_mem_896>@0x187a3b9c0

<hybrid_mem_960>@0x187978f40

<hybrid_mem_1024>@0x1878b64c0

<plugin_pool>@0x1877956c0

<appid_cookies_pool>@0x18777ac40

<app_parser_cookies_pool>@0x184cc0d80

<app_parser_ai_buf_pool>@0x184c8e300

<app_parser_parser_state_pool>@0x184c73880

<app_parser_parser_dns_state>@0x184c58e00

<app_parser_parser_dns_tx>@0x184c3e380

<app_parser_parser_htp_decompres>@0x184c23900

<app_parser_parser_htp_size_64_p>@0x184bc0e80

<app_parser_parser_htp_size_128_>@0x184ba6400

<app_parser_parser_htp_size_192_>@0x184b8b980

<app_parser_parser_htp_size_256_>@0x184b58f00

<app_parser_parser_htp_size_384_>@0x184b26480

<app_parser_parser_htp_size_512_>@0x184ac3a00

<app_parser_parser_htp_size_640_>@0x184a60f80

<app_parser_parser_htp_size_768_>@0x18499e500

<app_parser_parser_htp_size_896_>@0x1848dba80

<app_parser_parser_htp_size_1024>@0x184819000

<app_parser_parser_htp_size_1536>@0x184756580

<app_parser_parser_htp_size_2048>@0x1845d3b00

<app_parser_parser_htp_size_4096>@0x184451080

<npf_conn_pool>@0x18405a900

<npf_nat_pool>@0x184052340

<npf_tcbpl>@0x17fd25880

<npf_tcpipqepl>@0x17fd0ae00

<ld-sess-cookie>@0x17fb44c40

<ld-host>@0x17fadbd80

<ld-suspect>@0x17fa90d00

<ld-monitor>@0x17fa76280

<sd-dynfltr>@0x17f84b440

<ips_cookies_pool>@0x17deddc40

firewall>

 

cmd debug-support fp exec "dump-mempool-dynamic <name>" shows the usage of the named pool:

firewall> cmd debug-support fp exec "dump-mempool-dynamic appid_cookies_pool"

mempool <appid_cookies_pool>@0x187f92840

  limit mem count: 0

  limit obj num: 0

  used obj num: 0

 

  chunk_size: 31KB

  obj num: 234

  ring size: 2304

  obj_size: 128

 

  cache infos:

    cache_size = 64

    cache_obj[1] = 64

    cache_mem[1] = 1/1

    recycle_water[1] = 0

 

    cache_obj[2] = 64

    cache_mem[2] = 1/1

    recycle_water[2] = 0

 

    cache_obj[3] = 64

    cache_mem[3] = 1/1

    recycle_water[3] = 0

 

    total_cache_obj = 192

    total_cache_mem = 3

    total_alloc_mem = 3 (94KB)

  stats:

    put=0

    put recycle=0

    put switch=0

    get success=0

    get fail=0

    alloc=3

    empty=0

    recycle=0

    free=0

 

The value in parentheses after total_alloc_mem is the total memory occupied by the pool.

1.1.2.2.        CPU / processes / threads

1.1.2.2.1.       show cpu

This command shows the memory usage of non-fp processes. It refreshes continuously as scrolling output; press Ctrl+C to stop it.

The RES column is the process's resident memory; the %MEM column is its share of total memory.

1.1.2.3.        Sockets (listening ports)

1.1.2.3.1.       show tcp connect / show ip udp detail

Show the TCP and UDP listening ports.

1.1.3.      Packet statistics / tracing

1.1.3.1.        Packet statistics

1.1.3.1.1.       cmd debug-support fp exec stats

This command counts packets received and sent on each interface and summarizes their handling along the forwarding path. The annotated fields (marked with --->) are the ones to understand:

firewall> cmd debug-support fp exec stats
==== interface stats:
lo-vr0 port:65534
_eth0-vr0 port:65534
_eth1-vr0 port:65534
_eth2-vr0 port:65534
Ge0_0-vr0 port:65534
  ifs_ipackets:124720     ---> packets received on the interface
  ifs_ibytes:14454713     ---> bytes received on the interface
  ifs_opackets:23430      ---> packets sent on the interface
  ifs_obytes:29152694     ---> bytes sent on the interface
TenGe0_0-vr0 port:65534
  ifs_opackets:739
  ifs_obytes:33994
….
br0-vr0 port:65534
  ifs_ipackets:306
  ifs_ibytes:18360
==== global stats:
  fp_dropped:11053053
  fp_dropped_excp:14155
  fp_dropped_ether:326
  fp_dropped_bridge:2
  fp_dropped_npf:11038563  ---> total drops in flow-platform (npf) services; analyze together with the npf stats counters below
  fp_dropped_system:6
==== exception stats:
  LocalFPTunExceptions:253437
  ExceptionByModule:
    fp_exception_ether:199272
    fp_exception_bridge:734
    fp_exception_ip:37548
    fp_exception_ipv6:15883
  LocalExceptionClass:
    FPTUN_EXC_SP_FUNC:206764
    FPTUN_EXC_ETHER_DST:28299
    FPTUN_EXC_IP_DST:15196
    FPTUN_EXC_ICMP_NEEDED:687
    FPTUN_EXC_NDISC_NEEDED:2491
  LocalExceptionType:
    FPTUN_IPV4_OUTPUT_EXCEPT:2491
    FPTUN_ETH_INPUT_EXCEPT:250946
    FPTUN_ETH_SP_OUTPUT_REQ:2444
  ExcpDroppedFpToLinuxUserExcSendtoFailure:102
==== IPv4 stats:
  IpForwDatagrams:1648056613
  IpInReceives:1648056613
==== arp stats:
  arp_unhandled:168695
==== IPv6 stats:
==== TCP stats:
total packets received:6758
# of packets not managed by MCORE_SOCKET:6758
==== UDP stats:
==== vlan stats:
==== dsa stats:
  DsaDroppedInOperative:1
==== bridge stats:
  L2ForwFrames:251334551
  BridgeDroppedNoOutputPort:2
==== ebtables stats:
==== pppoe stats:

 

1.1.3.1.2.       cmd debug-support npf exec stats

This command shows the individual counters of the flow-platform (npf) services.

firewall> cmd debug-support npf exec stats

Policy action:               ---> security policy summary

        1008 Policy permit      ---> flows permitted by a matching security policy

        0 Policy deny          ---> flows blocked by a matching security policy

Packets dropped:            ---> flows dropped within flow-platform services

        0 RPF check drop

        0 Connection create failed drop

        0 Connection install failed drop

        0 Connection threshold drop

        0 Connection invalid state drop

        0 Invalid connection drop

        0 Do SNAT drop

        0 Do DNAT drop

        0 NAT transition drop

        0 Do ALG drop

        624879 Route error drop

        0 thd-event mlist full drop

        0 thd-event error drop

        0 Prepend failed drop

        0 Header too short drop

        0 Fragment failure drop

        0 Invalid IP drop

Wrong packets dropped:

        0 Interface error

        0 Ip header error

        0 Frament packet

        0 IP header hl error

        0 TCP header error

        0 UDP header error

        0 ICMP header error

        0 ICMP packet error

        0 ICMP6 header error

        0 ICMP6 packet error

        0 checksum error

        0 Ipv6 header error

        0 Ipv6 extension header error

Connection entries:

        625887 Connection allocations

        0 Connection reverse

        625886 Connection release

        625884 Connection destructions

        0 Connection refresh conflict

        0 Connection allocation failures

        0 Connection ID limit

        0 Connection ID invalid

        0 Connection ID no entry

NAT entries:

        0 NAT entry allocations

        0 NAT entry destructions

        0 NAT entry allocation failures

        0 NAT port allocation failures

Invalid packet state cases:

        0 cases in total

        0 TCP case invalid first packet

        0 TCP case RST

        0 TCP case invalid transition

        0 TCP case REOPEN

        0 TCP case Out of window range

        0 TCP case Invalid seq

        0 TCP case Invalid ack

TCP Reass:

        0 TCP Reass present

        0 TCP Reass present cover

        0 TCP Reass present overlap

        0 TCP Reass present cut

        0 TCP Reass cache

        0 TCP Reass cache head

        0 TCP Reass cache tail

        0 TCP Reass cache head overlap

        0 TCP Reass cache tail overlap

        0 TCP Reass cache new drop

        0 TCP Reass cache old drop

        0 TCP Reass cache overflow

        0 TCP Reass cache timeout

        0 TCP Reass cache release

        0 TCP Reass error

Packets reentrant:

        0 reentrant

        0 reentrant drop

Packet race cases:

        0 NAT association race

        0 duplicate state race
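Added example, not from the original guide: a parser for the counters above that lists the non-zero drop and allocation-failure counters, which is the per-reason breakdown to set against fp_dropped_npf from the fp stats. The sample text is constructed from the output above, keeping two of the guide's ---> annotations to show they are tolerated.

```python
import re

# Constructed sample trimmed from the `cmd debug-support npf exec stats`
# output above; two annotated lines are kept on purpose.
NPF_STATS = """\
Policy action:               ---> security policy summary
        1008 Policy permit      ---> flows permitted
        0 Policy deny
Packets dropped:
        0 RPF check drop
        0 Connection create failed drop
        0 Connection threshold drop
        624879 Route error drop
        0 Invalid IP drop
Wrong packets dropped:
        0 Interface error
        0 checksum error
Connection entries:
        625887 Connection allocations
        625886 Connection release
        0 Connection allocation failures
        0 Connection ID limit
NAT entries:
        0 NAT entry allocation failures
        0 NAT port allocation failures
"""

DROP_SECTIONS = ("Packets dropped", "Wrong packets dropped")
FAILURE_SUFFIXES = ("failures", "limit")


def parse_npf_stats(text):
    """Return {section: {counter_name: value}}, keeping counter order."""
    stats, section = {}, None
    for raw in text.splitlines():
        line = raw.split("--->")[0].rstrip()   # drop the guide's annotations
        if not line.strip():
            continue
        if not line[0].isspace() and line.endswith(":"):
            section = line[:-1].strip()
            stats[section] = {}
            continue
        m = re.match(r"\s+(\d+)\s+(.+?)\s*$", line)
        if m and section is not None:
            stats[section][m.group(2)] = int(m.group(1))
    return stats


def drop_summary(text):
    """Non-zero drop and allocation-failure counters as (section, name, value).

    These are the reasons behind the fp stats counter fp_dropped_npf.
    """
    hits = []
    for section, counters in parse_npf_stats(text).items():
        for name, value in counters.items():
            if value and (section in DROP_SECTIONS or name.endswith(FAILURE_SUFFIXES)):
                hits.append((section, name, value))
    return hits


def policy_deny_ratio(text):
    """Fraction of flows blocked by security policy: deny / (permit + deny)."""
    action = parse_npf_stats(text)["Policy action"]
    total = action["Policy permit"] + action["Policy deny"]
    return action["Policy deny"] / total if total else 0.0
```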

1.1.3.2.        Flow state

- show nfp flows stats: flow table statistics

- show nfp flows: every flow entry in the system

- show nfp flows filter {app appid | addr address | dport port | dstif interface | policy policy-id | proto protocol-id | saddr address | session-id id | sport port | srcif interface }

Shows the flow entries matching the filter. A flow created from an expectation (mainly ALG data flows) has to be viewed with the expected-flow command instead.

firewall> show nfp flows

38:

      proto:17  tsdiff:7  timeout:120  State:established       

      FORW 20.0.0.2:39304 -> 114.114.114.114:53

      BACK 114.114.114.114:53 -> 20.0.0.2:39304

      Srcif:lo    Dstif:Ge0/0  alg:none  flags:0x2000000

      vrf:0  Appid:0-0-0-0   Policy:local  action:permit

      Send packets:2  bytes:136

      Recv packets:2  bytes:622

 

firewall> show nfp flows filter dport 9209

1191:

      proto:6  tsdiff:1  timeout:1800  State:established

      FORW 172.16.33.5:9404 -> 172.18.142.16:9209

      BACK 172.18.142.16:9209 -> 20.0.0.2:52438

      snat id: 0

      Srcif:Ge0/1  Dstif:Ge0/0  alg:none  flags:0x804a000

      vrf:0  Appid:0-0-0-0   Policy:8192  action:permit

      Send packets:16572  bytes:2435798

      Recv packets:8331  bytes:2114493

firewall>

 

firewall> show nfp flows stats

The capacity of the flow: 1000000

Allocated flows num: 63

Active flows num: 63

firewall>

 

Note: flow entry fields explained

1191:

      proto:6  tsdiff:1  timeout:1800  State:established

      FORW 172.16.33.5:9404 -> 172.18.142.16:9209

      BACK 172.18.142.16:9209 -> 20.0.0.2:52438

      snat id: 0

      Srcif:Ge0/1  Dstif:Ge0/0  alg:none  flags:0x804a000

      vrf:0  Appid:0-0-0-0   Policy:8192  action:permit  ---> security policy match result. local: traffic to or from the device itself, not restricted. default: matched the default block policy. bypass: matched the whitelist. Any other value is a policy id; look it up as described in the security policy section below.

      Action:security-defend(1) Reason:flood detect(11)  ---> shown only when this flow was dropped by something other than security policy; gives the dropping module and the reason

      Send packets:16572  bytes:2435798

      Recv packets:8331  bytes:2114493

       1191: flow id / session id
       proto: protocol number (1: icmp, 6: tcp, 17: udp)
       tsdiff: session idle time (time remaining before the session ages out)
       timeout: session aging time
       State: session state
       FORW: forward-direction 4-tuple of the session
       BACK: reverse-direction 4-tuple of the session
       snat id: id of the NAT policy this flow matched
       Srcif: source interface of the forward flow
       Dstif: destination interface of the forward flow
       alg: ALG type of this flow
       flags: flow entry state flags
       vrf: vrf id
       Appid: application identification id
       Policy: id of the security policy this flow matched
       action: policy action (permit/deny)
       Action: module that dropped the packet
           - security-defend: DDoS defense
       Reason: drop reason
           - XXX
       Send packets: transmit counters
       Recv packets: receive counters
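Added example, not from the original guide: a parser for the flow entries above that applies the field legend and picks out sessions that hit the default policy or carry an Action/Reason drop line. The sample is constructed from the two entries shown above plus one made-up denied session (1300).

```python
import re

# Constructed sample: sessions 38 and 1191 are copied from the `show nfp flows`
# output above (1191 with the optional Action/Reason line from the legend);
# session 1300 is made up to show a flow that matched the default policy.
FLOWS_OUTPUT = """\
38:
      proto:17  tsdiff:7  timeout:120  State:established
      FORW 20.0.0.2:39304 -> 114.114.114.114:53
      BACK 114.114.114.114:53 -> 20.0.0.2:39304
      Srcif:lo    Dstif:Ge0/0  alg:none  flags:0x2000000
      vrf:0  Appid:0-0-0-0   Policy:local  action:permit
      Send packets:2  bytes:136
      Recv packets:2  bytes:622
1191:
      proto:6  tsdiff:1  timeout:1800  State:established
      FORW 172.16.33.5:9404 -> 172.18.142.16:9209
      BACK 172.18.142.16:9209 -> 20.0.0.2:52438
      snat id: 0
      Srcif:Ge0/1  Dstif:Ge0/0  alg:none  flags:0x804a000
      vrf:0  Appid:0-0-0-0   Policy:8192  action:permit
      Action:security-defend(1) Reason:flood detect(11)
      Send packets:16572  bytes:2435798
      Recv packets:8331  bytes:2114493
1300:
      proto:6  tsdiff:0  timeout:1800  State:established
      FORW 10.9.9.9:4444 -> 172.18.142.16:22
      BACK 172.18.142.16:22 -> 10.9.9.9:4444
      Srcif:Ge0/1  Dstif:Ge0/0  alg:none  flags:0x0
      vrf:0  Appid:0-0-0-0   Policy:default  action:deny
      Send packets:1  bytes:60
      Recv packets:0  bytes:0
"""

HEAD_RE = re.compile(r"^(\d+):$")
TUPLE_RE = re.compile(r"^(FORW|BACK) (\S+):(\d+) -> (\S+):(\d+)$")
COUNT_RE = re.compile(r"^(Send|Recv) packets:(\d+)\s+bytes:(\d+)$")
DROP_RE = re.compile(r"^Action:(.+?)\s+Reason:(.+)$")


def parse_flows(text):
    """Return {session_id: fields} for every entry of `show nfp flows` output."""
    flows, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("--->")[0].strip()   # tolerate the guide's annotations
        if not line:
            continue
        if m := HEAD_RE.match(line):
            cur = flows[int(m.group(1))] = {}
        elif cur is None:
            continue
        elif m := TUPLE_RE.match(line):       # FORW / BACK 4-tuples
            cur[m.group(1).lower()] = (m.group(2), int(m.group(3)),
                                       m.group(4), int(m.group(5)))
        elif m := COUNT_RE.match(line):       # Send / Recv counters
            cur[m.group(1).lower()] = {"packets": int(m.group(2)),
                                       "bytes": int(m.group(3))}
        elif m := DROP_RE.match(line):        # optional non-policy drop line
            cur["drop"] = {"module": m.group(1), "reason": m.group(2)}
        else:                                 # generic key:value pairs, 2+ spaces apart
            for token in re.split(r"\s{2,}", line):
                key, _, val = token.partition(":")
                cur[key.strip().lower()] = val.strip()
    return flows


def policy_kind(policy):
    """Classify the Policy field as the legend describes it."""
    return policy if policy in ("local", "default", "bypass") else "policy-id"


def flows_needing_attention(text):
    """Sessions denied by the default policy or dropped by another module."""
    hits = []
    for sid, f in sorted(parse_flows(text).items()):
        if "drop" in f:
            hits.append((sid, "%s: %s" % (f["drop"]["module"], f["drop"]["reason"])))
        elif policy_kind(f.get("policy", "")) == "default":
            hits.append((sid, "default policy %s" % f.get("action")))
    return hits
```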

1.1.3.3.        Packet tracing

Use command 1 to configure the filter conditions.

Use command 2 to choose which modules to enable (the type-on field of command 2); the recommended command given below is normally sufficient.

Command sequence:

1)        cmd trace-filter enabled true [proto protocol-id] [saddr address] [sport port] [daddr address] [dport port] [ifid1 interface-id] [ifid2 interface-id]

 

firewall>cmd trace level DEBUG max-number 0 timeout 0 type-off "all" type-on "NFP BASIC"

firewall>cmd trace-filter enabled true proto 1 saddr 10.1.1.10

firewall> show log max-lines 2000

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: fp_ether_input(ifp=Ge0_6 port=65534)

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: fp_ether_input_one(ifp=Ge0_6 port=65534)

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: fp_ip_input_bulk_check: mbuf=0x18ad669c0

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: npf_packet_handler: mbuf=0x18ad669c0, npf_mode=0

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: npf: mbuf 0x18ad669c0 find connection 662, dir=back

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]:         vrfid 0 flags 0x804a000 alg none policy 8192 action permit

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]:         forw proto 1 5.0.64.53:1-> 172.18.25.214:1

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]:         back proto 1 172.18.25.214:458-> 192.168.101.2:458

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: fast path: security_defend returns 0

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: fast path: conn_reroute returns 0

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: fast path: conn_update returns 0

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: fast path: policy_rematch returns 0

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: fast path: service_chain returns 0

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: fast path: alg returns 0

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: fast path: do_nat returns 0

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: fast path: security_defend returns 0

[2022/02/17 11:24:39]rns 0

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: fp_fast_ip_input_pre_routing: mbuf=0x18ad669c0

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: fp_fast_ip_output_post_routing: mbuf=0x18ad669c0

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: fp_ether_output: mbuf=0x18ad669c0, ifp=Ge0_1 port=65534

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall fp-rte[1339]: fp_if_output: mbuf=0x18ad669c0, ifp=eth0, port=0

[2022/02/17 11:24:39]Feb 17 11:23:51 firewall uwsgi[2445]: <190>1 2022-02-17T03:23:51.525503Z firewall web 2445 - [operationLog@4881 ip="192.168.1.100" operator="<E7><AB><AF><E5><8F<8F><A3><E6><98><A0><E5><B0><84>" operate="<E5><90><AF><E7><94><A8>/<E7><A6><81><E7><94><A8><E7><AB><AF><E5><8F><A3><E6><98><A0><E5><B0><84>" description="<E7><<AB><AF><E5><8F><A3><E6><98><A0><E5><B0><84> <E5><90><AF><E7><94><A8>/<E7><A6><8<81><E7><94><A8><E7><AB><AF><E5><8F><A3><E6><98><A0><E5><B0><84><E6><88><90><E5><8A><9F>" timestamp="1645068231" admin="admin"]

[2022/02/17 11:24:39]Feb 17 11:23:52 firewall fp-rte[1339]:

[2022/02/17 11:24:39]Feb 17 11:23:52 firewall fp-rte[1339]: fp_ether_input(ifp=eth0 port=0)

[2022/02/17 11:24:39]Feb 17 11:23:52 firewall fp-rte[1339]: sbuf data at [0x18e60ab82], len=78

[2022/02/17 11:24:39]Feb 17 11:23:52 firewall fp-rte[1339]: 00000000 30 0D 9E 41 D8 D1 22 22 22 22 22 24 C0 10 00 00

[2022/02/17 11:24:39]Feb 17 11:23:52 firewall fp-rte[1339]: 00000010 08 00 45 00 00 3C 3E 34 00 00 40 01 31 70 05 00

[2022/02/17 11:24:39]Feb 17 11:23:52 firewall fp-rte[1339]: 00000020 40 35 AC 12 19 D6 08 00 19 14 00 01 34 47 61 62

[2022/02/17 11:24:39]Feb 17 11:23:52 firewall fp-rte[1339]: 00000030 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70 71 72

[2022/02/17 11:24:39]Feb 17 11:23:52 firewall fp-rte[1339]: 00000040 73 74 75 76 77 61 62 63 64 65 66 67 68 69

[2022/02/17 11:24:39]Feb 17 11:23:52 firewall fp-rte[1339]: fp_ether_input(ifp=Ge0_1 port=65534)

[2022/02/17 11:24:39]Feb 17 11:23:52 firewall fp-rte[1339]: fp_ether_input_one(ifp=Ge0_1 port=65534)

[2022/02/17 11:24:39]Feb 17 11:23:52 firewall fp-rte[1339]: fp_ip_input_bulk_check: mbuf=0x18e60a900

[2022/02/17 11:24:39]Feb 17 11:23:52 firewall fp-rte[1339]: npf_packet_handler: mbuf=0x18e60a900, npf_mode=0

[2022/02/17 11:24:39]Feb 17 11:23:52 firewall fp-rte[1339]: npf_packet_handler, 1029: conn 662 is expired, drop the mbuf 0x18e60a900!packet m=0x18e60a900 dropped at npf_packet_handler():1030

[2022/02/17 11:24:39]Feb 17 11:23:53 firewall fp-rte[1339]: flow-log 1230 send: src 83902517 sport 16374 dst 1964509311 dport 80 natsrc 3232261378 natsport 9278 natdst 1964509311 natdport 80 proto 6 direct 1 sendbytes 415 recvbytes 410 sendpkts 8 recvpkts 2 srcif Ge0_1 dstif Ge0_6 appid 0-0-0-0 policy allow_all action 0 module  reason  time 1645068232

[2022/02/17 11:24:39]Feb 17 11:23:53 firewall fp-rte[1339]: flow-log 662 send: src 83902517 sport 1 dst 2886867414 dport 1 natsrc 3232261378 natsport 458 natdst 2886867414 natdport 458 proto 1 direct 1 sendbytes 54068232

[2022/02/17 11:24:39]Feb 17 11:23:53 firewall fp-rte[1339]: flow-log 710 send: src 83902517 sport 12345 dst 660748687 dport 8000 natsrc 3232261378 natsport 8959 natdst 660748687 natdport 8000 proto 17 direct 1 sendbytes 205 recvbytes 0 sendpkts 1 recvpkts 0 srcif Ge0_1 dstif Ge0_6 appid 0-0-0-0 policy allow_all action 0 module  reason  time 1645068232

[2022/02/17 11:24:39]Feb 17 11:23:53 firewall fp-rte[1339]: flow-log 138 send: src 83902517 sport 61509 dst 2567170222 dport 8000 natsrc 3232241498 natsport 8326 natdst 2567170222 natdport 8000 proto 17 direct 1 sendbytes 1170 recvbytes 70 sendpkts 6 recvpkts 1 srcif Ge0_1 dstif Ge0_7 appid 0-0-0-0 policy allow_all action 0 module  reason  time 1645068233

[2022/02/17 11:24:39]Feb 17 11:23:53 firewall fp-rte[1339]: Connection 662 is destroyed

 

2)        cmd trace [level EMERG | ALERT | CRIT | ERR | WARNING | NOTICE | INFO | DEBUG] [max-number line] [timeout seconds] [type-off "all"] [type-on "NFP BASIC "]   Sets the debug log output level, the maximum number of log lines to record, the maximum recording time in seconds, and enables/disables per-module logging.

max-number: number of log lines to print

timeout: duration of log printing, in seconds

Note: in the command syntax the levels are ordered from most to least severe; the default is ERR. Once a level is set, all logs at or above that level are printed.

Recommended command for tracing the main forwarding drop path:

cmd trace level DEBUG max-number 0 timeout 180 type-off "all" type-on " NFP BASIC "

Note: with max-number 0 this command turns itself off automatically after 3 minutes; if both max-number and timeout are set to 0, be sure to turn tracing off manually once collection is complete.

Turn logging off (restore the defaults):

cmd trace level ERR max-number 5000 timeout 60 type-off "all"
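Added example, not from the original guide: a decoder for the flow-log lines that appear in the trace output above, where addresses are printed as decimal integers. The two sample lines are constructed from that output; their src 83902517 and natsrc 3232261378 decode to the 5.0.64.53 and 192.168.101.2 that the connection 662 forw/back trace lines show.

```python
import ipaddress
import re

# Constructed from two flow-log lines of the trace output above, with the
# syslog prefix removed. Addresses are logged as decimal 32-bit integers.
FLOW_LOG_LINES = [
    "flow-log 1230 send: src 83902517 sport 16374 dst 1964509311 dport 80 "
    "natsrc 3232261378 natsport 9278 natdst 1964509311 natdport 80 proto 6 "
    "direct 1 sendbytes 415 recvbytes 410 sendpkts 8 recvpkts 2 srcif Ge0_1 "
    "dstif Ge0_6 appid 0-0-0-0 policy allow_all action 0 module  reason  time 1645068232",
    "flow-log 710 send: src 83902517 sport 12345 dst 660748687 dport 8000 "
    "natsrc 3232261378 natsport 8959 natdst 660748687 natdport 8000 proto 17 "
    "direct 1 sendbytes 205 recvbytes 0 sendpkts 1 recvpkts 0 srcif Ge0_1 "
    "dstif Ge0_6 appid 0-0-0-0 policy allow_all action 0 module  reason  time 1645068232",
]

# Field names in the order the device prints them. Values are recovered by
# scanning for the next known key, so empty fields (module, reason) survive.
KEYS = ("src", "sport", "dst", "dport", "natsrc", "natsport", "natdst", "natdport",
        "proto", "direct", "sendbytes", "recvbytes", "sendpkts", "recvpkts",
        "srcif", "dstif", "appid", "policy", "action", "module", "reason", "time")
ADDR_KEYS = ("src", "dst", "natsrc", "natdst")
INT_KEYS = ("sport", "dport", "natsport", "natdport", "proto", "direct",
            "sendbytes", "recvbytes", "sendpkts", "recvpkts", "action", "time")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}   # as in the flow-table legend


def parse_flow_log(line):
    """Decode one flow-log line; returns None for lines that are not flow logs."""
    m = re.match(r"^flow-log (\d+) send: (.*)$", line.strip())
    if not m:
        return None
    rec, key = {"session_id": int(m.group(1))}, None
    for tok in m.group(2).split():
        if tok in KEYS:            # a value spelled like a key name would mislead this
            key = tok
            rec[key] = ""
        elif key is not None:
            rec[key] = (rec[key] + " " + tok).strip()
    for k in ADDR_KEYS:            # decimal -> dotted quad, e.g. 83902517 -> 5.0.64.53
        rec[k] = str(ipaddress.IPv4Address(int(rec[k])))
    for k in INT_KEYS:
        rec[k] = int(rec[k])
    return rec


def describe(rec):
    """One-line summary showing the source NAT the trace applied, if any."""
    nat = ""
    if (rec["natsrc"], rec["natsport"]) != (rec["src"], rec["sport"]):
        nat = " snat %s:%d" % (rec["natsrc"], rec["natsport"])
    return "%d %s %s:%d -> %s:%d%s %s->%s policy %s" % (
        rec["session_id"], PROTO_NAMES.get(rec["proto"], str(rec["proto"])),
        rec["src"], rec["sport"], rec["dst"], rec["dport"], nat,
        rec["srcif"], rec["dstif"], rec["policy"])


def unanswered_sessions(lines):
    """Session ids whose flow-log shows no packets coming back (recvpkts 0)."""
    recs = [r for r in map(parse_flow_log, lines) if r]
    return [r["session_id"] for r in recs if r["recvpkts"] == 0]
```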

 

1.1.4.      Logging

1.1.4.1.        Viewing logs

1.1.4.1.1.       show log

show log prints the latest 50 log entries by default.

show log max-lines <number> prints the latest <number> entries; for example, show log max-lines 100 prints the latest 100 entries.

show log max-lines <number> | match <string> filters the output with "| match" so that only entries containing the given string are shown.

1.1.1.      NAT

1.1.1.1.        show state vrf main cg-nat

Shows the configuration state of NAT policies.

1.1.1.2.        show nat-policy

Shows the NAT policies recorded in the management plane.

1.1.1.3.        show nat-pool

Shows the NAT address pools recorded in the management plane.

1.1.1.4.        cmd debug-support npf exec "vrf-exec 0 nat-rule all"

Shows the NAT policies configured in the data plane.

1.1.1.5.        cmd debug-support npf exec "vrf-exec 0 nat-pool all"

Shows the NAT address pools configured in the data plane.

1.1.1.6.        Enabling the NAT debug switch

cmd debug-support fp exec "log-type-set all off"

cmd debug-support fp exec "log-maxnum-set 0"

cmd debug-support fp exec "log-timeout-set 0"

cmd debug-support fp exec "log-level-set 7"

cmd debug-support fp exec "log-type-set NAT on"

cmd debug-support fp exec "log-filter-set enable"

cmd debug-support fp exec "log-filter-set daddr 10.1.1.1"

 

1.1.2.      Security policy

1.1.2.1.        Looking up a policy id

The policy id identifies the specific policy a flow entry matched and can also be used as a flow table filter condition.

firewall> show security-policy content type policy

security-policy

    policy-total 3

    policy test1

        policy-id 8192

        position-id 1

        enabled true

        time-range-enabled true

        description ""

        group-name def-group

        source-zone any

            ..

        dest-zone any

            ..

        source-network any

            ..

        dest-network any

            ..

        service any

            ..

        app any

            ..

        time-range default

        action permit

        match-count 1256383

        session-timeout 0

        config-source manual

        create-time "2022-02-10 10:06:18"

        first-match-time "2022-02-10 14:23:57"

        ..

    policy allow_all

        policy-id 16385

        position-id 2

        enabled true

        time-range-enabled true

        description ""

        group-name def-group

        source-zone trust

            ..

        dest-zone untrust

 

1.1.3.      Hardware

1.1.3.1.        show state system linux   Check disk detection and mounting

Run show state system linux and check, under disk-usage sda x, whether the displayed capacity matches the actual capacity of the disk.

If the displayed information is correct, the disk is mounted and its file system is intact;

if the capacity is wrong, the disk's file system is damaged. If the information is correct, the disk has no bad sectors or logical bad tracks; if the capacity is wrong, the disk may have bad sectors or logical bad tracks.

1.1.4.      Other