Re: [j-nsp] SRX Command

2013-09-24 Thread Maarten van der Hoek
Hi Ben,

Thanx!
We'll play with it :)

Maarten

-Original message-
From: Ben Dale [mailto:bd...@comlinx.com.au] 
Sent: Tuesday 24 September 2013 9:16
To: Maarten van der Hoek
CC: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] SRX Command

Just blew the dust off it and it still works ; )

http://pastebin.com/xiszACPf

If you're applying this to a chassis cluster, you may need to replace the
line:

for-each ($policies-list/security-context/policies) {

with 

for-each ($policies-list/multi-routing-engine-item/security-context/policies) {

Enjoy,

Ben

On 24/09/2013, at 4:43 PM, Maarten van der Hoek 
wrote:

> Hi Ben,
> 
> Did you succeed in building that script ?
> (e.g. do you have it somewhere ? ;-) )
> 
> We've been playing with exports and then importing into Excel... but it's 
> still not very nice.
> A better solution would be nice.
> (we can't use Junos-Space or similar because most deployments are in 
> separate small / branch offices)
> 
> Brgds,
> 
> Maarten van der Hoek
> 
> -Original message-
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On behalf of 
> Ben Dale
> Sent: Tuesday 24 September 2013 6:46
> To: Edward Dore
> CC: juniper-nsp@puck.nether.net; Harri Makela
> Subject: Re: [j-nsp] SRX Command
> 
> After I spent a bit of time building an op script to print policy 
> matches out in a nicely formatted table, I notice that this feature is 
> now available for all policies even without the "then count" action from 
> 12.1:
> 
> show security policies hit-count
> 
> Cheers,
> 
> Ben
> 
> On 24/09/2013, at 8:45 AM, Edward Dore 
>  wrote:
> 
>> You'll need to add the "count" action to the "then" statement on each
>> security policy if you want to track the number of times that the 
>> policy has been matched.
>> 
>> Edward Dore
>> Freethought Internet
>> 
>> On 23 Sep 2013, at 23:08, Harri Makela wrote:
>> 
>>> Hi All
>>> 
>>> Is there any command in SRX which I can use to check "number of 
>>> times FW policy has been used". Actually I want to clear all FW policies 
>>> which are not being used for the last 12 months or so. I don't know much 
>>> about scripting but can try to get some help if I can think of a command 
>>> which can be run through different zone combinations.
>>> 
>>> 
>>> Thanks in Advance !
>>> HM
>>> ___
>>> juniper-nsp mailing list juniper-nsp@puck.nether.net 
>>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>> 
>> 
> 
> 
> 



Re: [j-nsp] SRX Command

2013-09-24 Thread Ben Dale
Harri,

As per the link below - add "then count" to all your policies (using the 
following apply-group will do this quickly for you):

set groups COUNT-ALL security policies from-zone <*> to-zone <*> policy <*> 
then count
set apply-groups COUNT-ALL

If you install the op-script provided and run it after a month or so, it will 
show you pretty quickly which policies are being used, but if you don't want to 
use an op script, try:

run show security policies detail | match "Policy:|zone|lookups"

Again - the lookups field will only be there if the policy has count enabled.

Cheers,

Ben

On 24/09/2013, at 10:37 PM, Harri Makela  wrote:

> Thanks for lookup
> 
> We have JUNOS Software Release [10.4R5.5] and it doesn't look like we 
> have the option indicated in the last mail
> 
> admin@SRX-3600-P> show security policies ?
> Possible completions:
>   <[Enter]>Execute this command
>   detail   Show the detailed information
>   from-zoneShow the policy information matching the given source 
> zone
>   policy-name  Show the policy information matching the given policy 
> name
>   to-zone  Show the policy information matching the given 
> destination zone
>   |Pipe through a command
> {primary:node0}
> admin@SRX-3600-P> show security policies hit
>^
> 
> I can capture all duplicate policies and delete those which are not required for 
> the same flow, but the ones which are not being used and are there for nothing, I 
> would like to delete them. Not sure how I can accomplish that with a JUNOS 
> command which I have to run in parallel with a shell script.
> 
> Looking forward to get some feedback.
> 
> Thanks
> HM
> 
> 
> 
> From: Ben Dale 
> To: Edward Dore  
> Cc: Harri Makela ; "juniper-nsp@puck.nether.net" 
>  
> Sent: Tuesday, 24 September 2013, 5:45
> Subject: Re: [j-nsp] SRX Command
> 
> After I spent a bit of time building an op script to print policy matches out 
> in a nicely formatted table, I notice that this feature is now available for 
> all policies even without the "then count" action from 12.1:
> 
> show security policies hit-count
> 
> Cheers,
> 
> Ben
> 
> On 24/09/2013, at 8:45 AM, Edward Dore 
>  wrote:
> 
> > You'll need to add the "count" action to the "then" statement on each 
> > security policy if you want to track the number of times that the policy 
> > has been matched.
> > 
> > Edward Dore 
> > Freethought Internet 
> > 
> > On 23 Sep 2013, at 23:08, Harri Makela wrote:
> > 
> >> Hi All
> >> 
> >> Is there any command in SRX which I can use to check "number of times FW 
> >> policy has been used". Actually I want to clear all FW policies which are 
> >> not being used for the last 12 months or so. I don't know much about 
> >> scripting but can try to get some help if I can think of a command which 
> >> can be run through different zone combinations.
> >> 
> >> 
> >> Thanks in Advance !
> >> HM
> > 
> > 
> 
> 



Re: [j-nsp] SRX Command

2013-09-24 Thread Harri Makela
Thanks for lookup

We have JUNOS Software Release [10.4R5.5] and it doesn't look like we have 
the option indicated in the last mail

admin@SRX-3600-P> show security policies ?
Possible completions:
  <[Enter]>    Execute this command
  detail   Show the detailed information
  from-zone    Show the policy information matching the given source 
zone
  policy-name  Show the policy information matching the given policy 
name
  to-zone  Show the policy information matching the given 
destination zone
  |    Pipe through a command
{primary:node0}
admin@SRX-3600-P> show security policies hit
   ^

I can capture all duplicate policies and delete those which are not required for the same 
flow, but the ones which are not being used and are there for nothing, I would 
like to delete them. Not sure how I can accomplish that with a JUNOS command 
which I have to run in parallel with a shell script.

Looking forward to get some feedback.

Thanks
HM






 From: Ben Dale 
To: Edward Dore  
Cc: Harri Makela ; "juniper-nsp@puck.nether.net" 
 
Sent: Tuesday, 24 September 2013, 5:45
Subject: Re: [j-nsp] SRX Command
 

After I spent a bit of time building an op script to print policy matches out 
in a nicely formatted table, I notice that this feature is now available for 
all policies even without the "then count" action from 12.1:

show security policies hit-count

Cheers,

Ben

On 24/09/2013, at 8:45 AM, Edward Dore  
wrote:

> You'll need to add the "count" action to the "then" statement on each 
> security policy if you want to track the number of times that the policy has 
> been matched.
> 
> Edward Dore 
> Freethought Internet 
> 
> On 23 Sep 2013, at 23:08, Harri Makela wrote:
> 
>> Hi All
>> 
>> Is there any command in SRX which I can use to check "number of times FW 
>> policy has been used". Actually I want to clear all FW policies which are 
>> not being used for the last 12 months or so. I don't know much about scripting 
>> but can try to get some help if I can think of a command which can be run 
>> through different zone combinations.
>> 
>> 
>> Thanks in Advance !
>> HM
> 
> 


Re: [j-nsp] SRX Command

2013-09-24 Thread Maarten van der Hoek
Hi Ben,

Did you succeed in building that script ?
(e.g. do you have it somewhere ? ;-) )

We've been playing with exports and then importing into Excel... but it's still
not very nice.
A better solution would be nice.
(we can't use Junos-Space or similar because most deployments are in separate
small / branch offices)

Brgds,

Maarten van der Hoek

-Original message-
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On behalf of Ben
Dale
Sent: Tuesday 24 September 2013 6:46
To: Edward Dore
CC: juniper-nsp@puck.nether.net; Harri Makela
Subject: Re: [j-nsp] SRX Command

After I spent a bit of time building an op script to print policy matches
out in a nicely formatted table, I notice that this feature is now available
for all policies even without the "then count" action from 12.1:

show security policies hit-count

Cheers,

Ben

On 24/09/2013, at 8:45 AM, Edward Dore
 wrote:

> You'll need to add the "count" action to the "then" statement on each
> security policy if you want to track the number of times that the policy has
> been matched.
> 
> Edward Dore
> Freethought Internet
> 
> On 23 Sep 2013, at 23:08, Harri Makela wrote:
> 
>> Hi All
>> 
>> Is there any command in SRX which I can use to check "number of times FW
>> policy has been used". Actually I want to clear all FW policies which are
>> not being used for the last 12 months or so. I don't know much about scripting
>> but can try to get some help if I can think of a command which can be run
>> through different zone combinations.
>> 
>> 
>> Thanks in Advance !
>> HM
> 
> 





Re: [j-nsp] SRX Command

2013-09-24 Thread Ben Dale
Just blew the dust off it and it still works ; )

http://pastebin.com/xiszACPf

If you're applying this to a chassis cluster, you may need to replace the line:

for-each ($policies-list/security-context/policies) {

with 

for-each ($policies-list/multi-routing-engine-item/security-context/policies) {

Enjoy,

Ben

On 24/09/2013, at 4:43 PM, Maarten van der Hoek  wrote:

> Hi Ben,
> 
> Did you succeed in building that script ?
> (e.g. do you have it somewhere ? ;-) )
> 
> We've been playing with exports and then importing into Excel... but it's still
> not very nice.
> A better solution would be nice.
> (we can't use Junos-Space or similar because most deployments are in separate
> small / branch offices)
> 
> Brgds,
> 
> Maarten van der Hoek
> 
> -Original message-
> From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On behalf of Ben
> Dale
> Sent: Tuesday 24 September 2013 6:46
> To: Edward Dore
> CC: juniper-nsp@puck.nether.net; Harri Makela
> Subject: Re: [j-nsp] SRX Command
> 
> After I spent a bit of time building an op script to print policy matches
> out in a nicely formatted table, I notice that this feature is now available
> for all policies even without the "then count" action from 12.1:
> 
> show security policies hit-count
> 
> Cheers,
> 
> Ben
> 
> On 24/09/2013, at 8:45 AM, Edward Dore
>  wrote:
> 
>> You'll need to add the "count" action to the "then" statement on each
>> security policy if you want to track the number of times that the policy has
>> been matched.
>> 
>> Edward Dore
>> Freethought Internet
>> 
>> On 23 Sep 2013, at 23:08, Harri Makela wrote:
>> 
>>> Hi All
>>> 
>>> Is there any command in SRX which I can use to check "number of times FW
>>> policy has been used". Actually I want to clear all FW policies which are
>>> not being used for the last 12 months or so. I don't know much about scripting
>>> but can try to get some help if I can think of a command which can be run
>>> through different zone combinations.
>>> 
>>> 
>>> Thanks in Advance !
>>> HM
>> 
>> 
> 
> 
> 


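The one-line change Ben describes for chassis clusters (inserting `multi-routing-engine-item` into the path) is the classic trap with Junos XML output: on a cluster each node's reply is wrapped in its own item, so a path written for a standalone box silently selects nothing. The snippet below is an added example for this thread, not Ben's op script and not Juniper code: it shows the two layouts side by side and a selector that walks the descendant axis so the same code handles both and reports results per node. Only `security-context`, `policies` and `multi-routing-engine-item` come from Ben's message; the `policy-information`/`policy-name` children, the `re-name` tag and the surrounding wrapper elements are assumed for this illustration, and both documents are constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed standalone layout: security-context sits directly under the reply,
# matching Ben's first path ($policies-list/security-context/policies).
STANDALONE_XML = """<rpc-reply>
  <security-context>
    <policies>
      <policy-information><policy-name>allow-web</policy-name></policy-information>
      <policy-information><policy-name>old-ftp</policy-name></policy-information>
    </policies>
  </security-context>
</rpc-reply>"""

# Constructed chassis-cluster layout: each node's answer is wrapped in a
# multi-routing-engine-item, matching Ben's second path. The re-name element
# is assumed here as the per-node label.
CLUSTER_XML = """<rpc-reply>
  <multi-routing-engine-results>
    <multi-routing-engine-item>
      <re-name>node0</re-name>
      <security-context>
        <policies>
          <policy-information><policy-name>allow-web</policy-name></policy-information>
        </policies>
      </security-context>
    </multi-routing-engine-item>
    <multi-routing-engine-item>
      <re-name>node1</re-name>
      <security-context>
        <policies>
          <policy-information><policy-name>allow-web</policy-name></policy-information>
          <policy-information><policy-name>old-ftp</policy-name></policy-information>
        </policies>
      </security-context>
    </multi-routing-engine-item>
  </multi-routing-engine-results>
</rpc-reply>"""


def _policy_names(scope: ET.Element) -> List[str]:
    # The leading ".//" is the descendant axis: it finds security-context/policies
    # regardless of how many wrapper elements sit between it and `scope`.
    return [
        n.text or ""
        for n in scope.findall(".//security-context/policies/policy-information/policy-name")
    ]


def list_policies(xml_text: str) -> Dict[str, List[str]]:
    """Map node name -> policy names; a standalone box reports under 'standalone'."""
    root = ET.fromstring(xml_text)
    items = root.findall(".//multi-routing-engine-item")
    if not items:
        return {"standalone": _policy_names(root)}
    return {item.findtext("re-name", default="unknown"): _policy_names(item) for item in items}


if __name__ == "__main__":
    for label, doc in (("standalone", STANDALONE_XML), ("cluster", CLUSTER_XML)):
        print(label, list_policies(doc))
```

The same descendant-axis selection (`//security-context/policies`) is plain XPath 1.0, so an op script can use it in place of the two hard-coded paths and run unchanged on a single SRX and on a cluster; reporting per node also makes it obvious when the two nodes disagree on what is configured.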


Re: [j-nsp] SRX Command

2013-09-23 Thread Ben Dale
It is, but looking at it in the lab quickly, the SNMP statistics counters only 
collect hits against policies that have the count action (even in 12.1).

You'll want:

show snmp mib walk ascii jnxJsPolicyTable

to identify policy and:

show snmp mib walk ascii jnxJsPolicyStatsTable 

to grab the stats.

References:
http://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/general/jnx-security-policy-nm-mib.html
http://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/general/jnxjspolicystatstable-nm-mib.html
http://www.juniper.net/techpubs/en_US/junos11.4/topics/reference/mibs/mib-jnx-js-policy.txt

Cheers,

Ben

On 24/09/2013, at 2:52 PM, Gavin Henry  wrote:

> Hi,
> 
> Is the same info available via SNMP?
> 
> Thanks. 
> 



Re: [j-nsp] SRX Command

2013-09-23 Thread Gavin Henry
Hi,

Is the same info available via SNMP?

Thanks.


Re: [j-nsp] SRX Command

2013-09-23 Thread Ben Dale
After I spent a bit of time building an op script to print policy matches out 
in a nicely formatted table, I notice that this feature is now available for 
all policies even without the "then count" action from 12.1:

show security policies hit-count

Cheers,

Ben

On 24/09/2013, at 8:45 AM, Edward Dore  
wrote:

> You'll need to add the "count" action to the "then" statement on each 
> security policy if you want to track the number of times that the policy has 
> been matched.
> 
> Edward Dore 
> Freethought Internet 
> 
> On 23 Sep 2013, at 23:08, Harri Makela wrote:
> 
>> Hi All
>> 
>> Is there any command in SRX which I can use to check "number of times FW 
>> policy has been used". Actually I want to clear all FW policies which are 
>> not being used for the last 12 months or so. I don't know much about scripting 
>> but can try to get some help if I can think of a command which can be run 
>> through different zone combinations.
>> 
>> 
>> Thanks in Advance !
>> HM
> 
> 




Re: [j-nsp] SRX Command

2013-09-23 Thread Edward Dore
You'll need to add the "count" action to the "then" statement on each security 
policy if you want to track the number of times that the policy has been 
matched.

Edward Dore 
Freethought Internet 

On 23 Sep 2013, at 23:08, Harri Makela wrote:

> Hi All
> 
> Is there any command in SRX which I can use to check "number of times FW 
> policy has been used". Actually I want to clear all FW policies which are not 
> being used for the last 12 months or so. I don't know much about scripting but 
> can try to get some help if I can think of a command which can be run 
> through different zone combinations.
> 
> 
> Thanks in Advance !
> HM



[j-nsp] SRX Command

2013-09-23 Thread Harri Makela
Hi All

Is there any command in SRX which I can use to check "number of times FW policy 
has been used". Actually I want to clear all FW policies which are not being 
used for the last 12 months or so. I don't know much about scripting but can try 
to get some help if I can think of a command which can be run through 
different zone combinations.


Thanks in Advance !
HM