
I've got a Juniper Netscreen SSG-5 that occasionally gets a high session count. I've got 4096 licensed sessions, and there are times I see 3000+ for a small office (a dozen or so people). This is higher than I would like, and it makes me a bit more than curious about the sessions that are open.

Ideally, I'd throw the output of the "get session" command into a text file, but that's not something that ScreenOS has support for. At least, that I know of. Please let me know if that's the case.

Barring the ability to save the output to a file, if I could somehow obtain the session list via SNMP, I'd be content to wr/m-angle it that way, but all I've managed to find is the number of active sessions (enterprises.3224.16.3.2.0).

I could write a script using 'nc' to connect to the netscreen and hit enter repeatedly to page through the several thousand lines, but that seems less fun than doing it the "right way", if such a way exists.

Matt Simmons

3 Answers


I got it!

Unbeknownst to me, ScreenOS has the ability to pipe the output from any command to a tftp server!

The usage is:

 <command> > tftp <tftp ip address> <filename>

Now that it's a text file, I can grep, sed, and awk my weaselly little guts out.

Matt Simmons

This is better as a comment to your answer but posting it as a new answer so I can format my code for you -- you can use SSH to script this for yourself (or any other command, I use it to flush DNS cache every 5mins for DynDNS users).

  1. create a passwordless ssh keyfile pair of DSA type
  2. create a Netscreen user that has the appropriate level of access to run your commands, and put the public keypart into their account
  3. on your local linux box set up the below

    #!/bin/sh
    # Commands to send to the firewall, one per line
    DATFILE=/opt/etc/fwcommands.dat
    # Private half of the passwordless DSA key pair from step 1
    KEYFILE=/root/.ssh/id_dsa_fw
    # -T: no pseudo-terminal; the command file is fed to the ScreenOS CLI on stdin
    /usr/bin/ssh -T -i ${KEYFILE} USER@FIREWALL < ${DATFILE}

...and then in your fwcommands.dat file is what you want to run; so something like:

    exec get sessions > tftp ip file
    exit

You could then cron that to run every hour or whatnot and set it up to email you the output, whatever you personally need. (formatting kinda screwed up, serverfault hates bash scripts inline).

  • That's a good idea, thanks! I think I'm more likely to have it triggered by a Nagios check whenever it gets above a certain threshold, but definitely handy. – Matt Simmons Jan 08 '10 at 19:41
  • I do the same thing (Nagios) and have reached the limits now and again, it works great (as in the SNMP data is valid/real). Nothing says you can't do both methods. :) –  Jan 09 '10 at 20:26
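An added example, not code from any of the answers above: once the "get session" dump has landed on the TFTP server, a small POSIX sh script can do the grep/awk wrangling the first answer mentions and the threshold check the comments talk about. The record layout it parses (an `id` line followed by per-interface `if` lines carrying `src/port->dst/port,proto`) is assumed from typical ScreenOS output, the sample dump is constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the answers above. It summarises a ScreenOS
# "get session" dump that the firewall pushed to a TFTP server.
# Assumed record layout (typical ScreenOS output, not taken from this page):
#   id N/s**,vsys 0,flag ...,policy P,time T, dip 0 module 0
#    if X(nspflag ...):SRC/SPORT->DST/DPORT,PROTO,...   (forward direction)
#    if Y(nspflag ...):SRC/SPORT<-DST/DPORT,PROTO,...   (reverse direction)

# Constructed sample dump standing in for the file written via TFTP.
sample_dump() {
    cat <<'EOF'
alloc 5/max 4096, alloc failed 0, mcast alloc 0, di alloc 0
id 1/s**,vsys 0,flag 08000040/0000/0001,policy 2,time 180, dip 0 module 0
 if 2(nspflag 801801):192.0.2.10/51234->198.51.100.5/53,17,00000000000,sess token 4,vlan 0,tun 0,vsd 0,route 2
 if 1(nspflag 800800):192.0.2.10/51234<-198.51.100.5/53,17,00000000000,sess token 4,vlan 0,tun 0,vsd 0,route 1
id 2/s**,vsys 0,flag 08000040/0000/0001,policy 2,time 1800, dip 0 module 0
 if 2(nspflag 801801):192.0.2.10/51235->198.51.100.7/80,6,00000000000,sess token 4,vlan 0,tun 0,vsd 0,route 2
 if 1(nspflag 800800):192.0.2.10/51235<-198.51.100.7/80,6,00000000000,sess token 4,vlan 0,tun 0,vsd 0,route 1
id 3/s**,vsys 0,flag 08000040/0000/0001,policy 2,time 1800, dip 0 module 0
 if 2(nspflag 801801):192.0.2.10/51236->198.51.100.7/443,6,00000000000,sess token 4,vlan 0,tun 0,vsd 0,route 2
 if 1(nspflag 800800):192.0.2.10/51236<-198.51.100.7/443,6,00000000000,sess token 4,vlan 0,tun 0,vsd 0,route 1
id 4/s**,vsys 0,flag 08000040/0000/0001,policy 2,time 60, dip 0 module 0
 if 2(nspflag 801801):192.0.2.11/40000->198.51.100.5/53,17,00000000000,sess token 4,vlan 0,tun 0,vsd 0,route 2
 if 1(nspflag 800800):192.0.2.11/40000<-198.51.100.5/53,17,00000000000,sess token 4,vlan 0,tun 0,vsd 0,route 1
id 5/s**,vsys 0,flag 08000040/0000/0001,policy 2,time 1800, dip 0 module 0
 if 2(nspflag 801801):192.0.2.12/40001->198.51.100.9/22,6,00000000000,sess token 4,vlan 0,tun 0,vsd 0,route 2
 if 1(nspflag 800800):192.0.2.12/40001<-198.51.100.9/22,6,00000000000,sess token 4,vlan 0,tun 0,vsd 0,route 1
Total 5 sessions shown
EOF
}

# Number of session records in the dump on stdin (one "id" line each).
# "|| true" keeps the printed 0 usable when there are no sessions at all.
session_count() {
    grep -c '^id ' || true
}

# Sessions per source IP, busiest first. Only forward-direction "if" lines
# (the ones containing "->") are counted, so each session is seen once.
# Splitting on ':' and '/' puts the source address in field 2 (IPv4 only).
sessions_per_source() {
    awk -F'[:/]' '/^ if [0-9]+\(.*->/ { print $2 }' | sort | uniq -c | sort -rn
}

# Nagios-style check: usage: ... | check_threshold <licensed max> <warn pct>
# Returns 0 when the session count is within the limit, 1 when it exceeds it.
check_threshold() {
    max=$1
    pct=$2
    count=$(session_count)
    limit=$(( max * pct / 100 ))
    if [ "$count" -gt "$limit" ]; then
        echo "WARNING: $count of $max sessions in use (limit $limit)"
        return 1
    fi
    echo "OK: $count of $max sessions in use (limit $limit)"
    return 0
}

# Stand-alone run over the constructed sample.
echo "Sessions per source IP:"
sample_dump | sessions_per_source
sample_dump | check_threshold 4096 75
```

In practice you would replace `sample_dump` with `cat /tftpboot/<filename>` from the cron job in the answer above; the threshold function's exit status is what a Nagios plugin wrapper would key off.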

If you would like to make some stats on the get session output, there is a little tool called "Firewall Session Analyser" to do that. If you have a Juniper account, you can access it at www.juniper.net/fsa. If not, you can use a good tool developed by Tim Eberhard; you can download it at: http://performanceclassifieds.net/NSSA.zip

Hope it can help you!