Re: [j-nsp] SRX Command
Hi Ben,

Thanx! We'll play with it :)

Maarten

-----Original Message-----
From: Ben Dale [mailto:bd...@comlinx.com.au]
Sent: Tuesday 24 September 2013 9:16
To: Maarten van der Hoek
CC: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SRX Command

Just blew the dust off it and it still works ; )

http://pastebin.com/xiszACPf

If you're applying this to a chassis cluster, you may need to replace the line:

for-each ($policies-list/security-context/policies) {

with

for-each ($policies-list/multi-routing-engine-item/security-context/policies) {

Enjoy,

Ben

On 24/09/2013, at 4:43 PM, Maarten van der Hoek wrote:

> Hi Ben,
>
> Did you succeed in building that script ?
> (e.g. do you have it somewhere ? ;-) )
>
> We've been playing with exports and then import in Excel...but still
> not very nice..
> A better solution would be nice.
> (we can't use Junos-Space / or so because most deployments are in
> separate Small / Branch offices)
>
> Brgds,
>
> Maarten van der Hoek

___
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] SRX Command
Harri,

As per the link below - add "then count" to all your policies (using the following apply-group will do this quickly for you):

set groups COUNT-ALL security policies from-zone <*> to-zone <*> policy <*> then count
set apply-groups COUNT-ALL

If you install the op-script provided and run it after a month or so, it will show you pretty quickly which policies are being used, but if you don't want to use an op script, try:

run show security policies detail | match "Policy:|zone|lookups"

Again - the lookups field will only be there if the policy has count enabled.

Cheers,

Ben

On 24/09/2013, at 10:37 PM, Harri Makela wrote:

> Thanks for lookup
>
> We have JUNOS Software Release [10.4R5.5] and it doesn't look like that we
> have the option indicated in last mail
>
> admin@SRX-3600-P> show security policies ?
> Possible completions:
>   <[Enter]>            Execute this command
>   detail               Show the detailed information
>   from-zone            Show the policy information matching the given source zone
>   policy-name          Show the policy information matching the given policy name
>   to-zone              Show the policy information matching the given destination zone
>   |                    Pipe through a command
> {primary:node0}
> admin@SRX-3600-P> show security policies hit
>                                           ^
>
> I can capture all duplicate policies and delete which are not required for
> same flow but the ones which are not being used and are there for nothing, I
> would like to delete them. Not sure how I can accomplish that with a JUNOS
> command which I have to run in parallel with a shell script.
>
> Looking forward to get some feedback.
>
> Thanks
> HM
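One way to turn the output of that "match" filter into a review list, as an added example (this is not code from the thread or from the pastebin op script): the sample text below is constructed and only approximates the layout of "show security policies detail", the regexes assume the "Policy:", "From zone:/To zone:" and "lookups" labels Ben's filter keys on, and a policy that prints no lookups line (no "then count") is reported as uncounted rather than unused, which is the caveat Ben points out.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample approximating "show security policies detail" on an SRX.
# The two trust->untrust policies have "then count" and so print a statistics
# block with a lookups counter; the dmz->trust policy does not. This text was
# written for the example and was not captured from a device.
SAMPLE_OUTPUT = """\
Policy: allow-web, action-type: permit, State: enabled, Index: 4, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: trust, To zone: untrust
  Source addresses:
    any-ipv4: 0.0.0.0/0
  Destination addresses:
    any-ipv4: 0.0.0.0/0
  Application: junos-http
  Policy statistics:
    Input  bytes     :          2134                   0 bps
    Output bytes     :          3120                   0 bps
    Policy lookups   :            17
Policy: legacy-ftp, action-type: permit, State: enabled, Index: 5, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 2
  From zone: trust, To zone: untrust
  Source addresses:
    any-ipv4: 0.0.0.0/0
  Destination addresses:
    any-ipv4: 0.0.0.0/0
  Application: junos-ftp
  Policy statistics:
    Input  bytes     :             0                   0 bps
    Output bytes     :             0                   0 bps
    Policy lookups   :             0
Policy: dmz-to-trust, action-type: permit, State: enabled, Index: 6, Scope Policy: 0
  Policy Type: Configured
  Sequence number: 1
  From zone: dmz, To zone: trust
  Source addresses:
    any-ipv4: 0.0.0.0/0
  Destination addresses:
    any-ipv4: 0.0.0.0/0
  Application: junos-ssh
"""

POLICY_RE = re.compile(r"^Policy:\s*(?P<name>[^,]+),\s*action-type:\s*(?P<action>[^,\s]+)")
ZONES_RE = re.compile(r"^\s*From zone:\s*(?P<src>[^,\s]+),\s*To zone:\s*(?P<dst>[^,\s]+)")
LOOKUPS_RE = re.compile(r"lookups\s*:\s*(?P<n>\d+)", re.IGNORECASE)


@dataclass
class Policy:
    name: str
    action: str
    from_zone: str = ""
    to_zone: str = ""
    # None means no lookups line was printed: the policy has no "then count",
    # so its usage is unknown, not zero.
    lookups: Optional[int] = None


def parse_policies(text: str) -> List[Policy]:
    """Walk the CLI output line by line; each 'Policy:' line opens a record."""
    policies: List[Policy] = []
    current: Optional[Policy] = None
    for line in text.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = Policy(m.group("name").strip(), m.group("action"))
            policies.append(current)
            continue
        if current is None:
            continue
        m = ZONES_RE.match(line)
        if m:
            current.from_zone, current.to_zone = m.group("src"), m.group("dst")
            continue
        m = LOOKUPS_RE.search(line)
        if m:
            current.lookups = int(m.group("n"))
    return policies


def classify(policies: List[Policy]) -> Tuple[List[Policy], List[Policy], List[Policy]]:
    """Return (unused, used, uncounted): zero lookups, non-zero lookups, no counter."""
    unused = [p for p in policies if p.lookups == 0]
    used = [p for p in policies if p.lookups is not None and p.lookups > 0]
    uncounted = [p for p in policies if p.lookups is None]
    return unused, used, uncounted


def deactivate_commands(policies: List[Policy]) -> List[str]:
    """Junos commands to deactivate (not delete) the given policies, so the
    change sits in the candidate config for review and can be rolled back."""
    return [
        f"deactivate security policies from-zone {p.from_zone} to-zone {p.to_zone} policy {p.name}"
        for p in policies
    ]


if __name__ == "__main__":
    unused, used, uncounted = classify(parse_policies(SAMPLE_OUTPUT))
    for p in used:
        print(f"used      {p.from_zone}->{p.to_zone} {p.name} lookups={p.lookups}")
    for p in uncounted:
        print(f"uncounted {p.from_zone}->{p.to_zone} {p.name} (add 'then count' first)")
    print("\n".join(deactivate_commands(unused)))
```

A zero only says nothing hit the policy since its counter started, which is why Ben suggests leaving count enabled for a month or so before reading the numbers; policies listed as uncounted need "then count" (the COUNT-ALL apply-group above) before they can be judged at all.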
Re: [j-nsp] SRX Command
Thanks for lookup

We have JUNOS Software Release [10.4R5.5] and it doesn't look like that we have the option indicated in last mail

admin@SRX-3600-P> show security policies ?
Possible completions:
  <[Enter]>            Execute this command
  detail               Show the detailed information
  from-zone            Show the policy information matching the given source zone
  policy-name          Show the policy information matching the given policy name
  to-zone              Show the policy information matching the given destination zone
  |                    Pipe through a command
{primary:node0}
admin@SRX-3600-P> show security policies hit
                                          ^

I can capture all duplicate policies and delete which are not required for same flow but the ones which are not being used and are there for nothing, I would like to delete them. Not sure how I can accomplish that with a JUNOS command which I have to run in parallel with a shell script.

Looking forward to get some feedback.

Thanks
HM

From: Ben Dale
To: Edward Dore
Cc: Harri Makela ; "juniper-nsp@puck.nether.net"
Sent: Tuesday, 24 September 2013, 5:45
Subject: Re: [j-nsp] SRX Command

After I spent a bit of time building an op script to print policy matches out in a nicely formatted table, I notice that this feature is now available for all policies even without the "then count" action from 12.1:

show security policies hit-count

Cheers,

Ben
Re: [j-nsp] SRX Command
Hi Ben,

Did you succeed in building that script ?
(e.g. do you have it somewhere ? ;-) )

We've been playing with exports and then import in Excel...but still not very nice..
A better solution would be nice.
(we can't use Junos-Space / or so because most deployments are in separate Small / Branch offices)

Brgds,

Maarten van der Hoek

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Ben Dale
Sent: Tuesday 24 September 2013 6:46
To: Edward Dore
CC: juniper-nsp@puck.nether.net; Harri Makela
Subject: Re: [j-nsp] SRX Command

After I spent a bit of time building an op script to print policy matches out in a nicely formatted table, I notice that this feature is now available for all policies even without the "then count" action from 12.1:

show security policies hit-count

Cheers,

Ben
Re: [j-nsp] SRX Command
Just blew the dust off it and it still works ; )

http://pastebin.com/xiszACPf

If you're applying this to a chassis cluster, you may need to replace the line:

for-each ($policies-list/security-context/policies) {

with

for-each ($policies-list/multi-routing-engine-item/security-context/policies) {

Enjoy,

Ben

On 24/09/2013, at 4:43 PM, Maarten van der Hoek wrote:

> Hi Ben,
>
> Did you succeed in building that script ?
> (e.g. do you have it somewhere ? ;-) )
>
> We've been playing with exports and then import in Excel...but still not
> very nice..
> A better solution would be nice.
> (we can't use Junos-Space / or so because most deployments are in separate
> Small / Branch offices)
>
> Brgds,
>
> Maarten van der Hoek
Re: [j-nsp] SRX Command
It is, but looking at it in the lab quickly, the SNMP statistics counters only collect hits against policies that have the count action (even in 12.1).

You'll want:

show snmp mib walk ascii jnxJsPolicyTable

to identify policy and:

show snmp mib walk ascii jnxJsPolicyStatsTable

to grab the stats.

References:
http://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/general/jnx-security-policy-nm-mib.html
http://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/general/jnxjspolicystatstable-nm-mib.html
http://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/mibs/mib-jnx-js-policy.txt

Cheers,

Ben

On 24/09/2013, at 2:52 PM, Gavin Henry wrote:

> Hi,
>
> Is the same info available via SNMP?
>
> Thanks.
Re: [j-nsp] SRX Command
Hi,

Is the same info available via SNMP?

Thanks.
Re: [j-nsp] SRX Command
After I spent a bit of time building an op script to print policy matches out in a nicely formatted table, I notice that this feature is now available for all policies even without the "then count" action from 12.1:

show security policies hit-count

Cheers,

Ben

On 24/09/2013, at 8:45 AM, Edward Dore wrote:

> You'll need to add the "count" action to the "then" statement on each
> security policy if you want to track the number of times that the policy has
> been matched.
>
> Edward Dore
> Freethought Internet
Re: [j-nsp] SRX Command
You'll need to add the "count" action to the "then" statement on each security policy if you want to track the number of times that the policy has been matched.

Edward Dore
Freethought Internet

On 23 Sep 2013, at 23:08, Harri Makela wrote:

> Hi All
>
> Is there any command in SRX which I can use to check "number of times FW
> policy has been used". Actually I want to clear all FW policies which are not
> being used for last 12 months or so. I don't know much about scripting but
> can try to get some help if I can think of a command which can be run
> through different zone combinations.
>
>
> Thanks in Advance !
> HM
[j-nsp] SRX Command
Hi All

Is there any command in SRX which I can use to check "number of times FW policy has been used". Actually I want to clear all FW policies which are not being used for last 12 months or so. I don't know much about scripting but can try to get some help if I can think of a command which can be run through different zone combinations.

Thanks in Advance !
HM