...



status

show services ssl proxy status


jcluser@JCL-NGFW-30> show services ssl proxy status  
PIC:fpc0 fpc[0] pic[0] ------
        One-Crypto       :  Enable
        Async Crypto     :  disable
Proxy-activation :  Only if interested svcs configured
        Local Logging    :  disable
SSLFP-PKID Link  :  UP
Certificate cache : -
Certificate Cache activated                : yes
Invalidate certificate cache on CRL update : Disabled
Max cert cache nodes  :       4000
Cert cache node in use :          6
Session cache : -
Session cache activated : Activated
Max session cache node  :      19660
Session cache node in use     :         33


statistics

show services ssl proxy statistics


jcluser@JCL-NGFW-30> show services ssl proxy statistics     
PIC:fpc0 fpc[0] pic[0] ------
        sessions matched                                1031
        sessions bypassed:non-ssl                          0
        sessions bypassed:mem overflow                     0
        sessions bypassed:low memory                       0
        sessions created                                1031
        sessions ignored                                  92
        sessions active                                    6
        sessions dropped                                 160
        sessions whitelisted                               0
        whitelisted url category match                     0
        default profile hit                                0
        session dropped no default profile                 0
        policy hit no profile configured                   0


counters

show services ssl proxy counters all


jcluser@JCL-NGFW-30> show services ssl proxy counters all 
Lsys Name : root-logical-system

PIC:fpc0 fpc[0] pic[0] ------

session create failed                 0
non SSL sessions recieved             130
Memory failures                       0
session dropped                       1273
sessions matched                      7474
sessions created                      7474
sessions destroyed                    7474
sessions ignored                      130
sessions ignored : backup only        0
sessions whitelisted : IP based       0
sessions whitelisted : url based      0
crl : data added                      152
crl : certificate revoked             0
crl : no crl info present             119
crl : no CA certificate               643
SSL sessions                          7293
SMTP over STARTTLS                    0
IMAP over STARTTLS                    0
POP3 over STARTTLS                    0
SMTP  sessions                        0
IMAP  sessions                        0
POP3  sessions                        0
Server not supporting STARTTLS        0
Client not supporting STARTTLS        0
Unified policy : default profile hit  0
Unified policy : no default profile   0



clear services ssl proxy session-cache


show services ssl proxy session-cache




show services ssl proxy session-cache statistics


show services ssl proxy session-cache entries


show services ssl proxy session-cache entries summary



nslookup orbitz.com

PS C:\Users\pepper> nslookup www.orbitz.com
Server: UnKnown
Address: 10.0.0.10
Non-authoritative answer:
Name: e6766.x.akamaiedge.net
Address: 104.92.184.182
Aliases: www.orbitz.com
www.orbitz.com.edgekey.net

IP address >> 104.92.184.182

show services ssl proxy session-cache entries detail | refresh 




show services ssl proxy session-cache entries detail

jcluser@JCL-NGFW-99>
show services ssl proxy session-cache entries detail | find 104.92.184.182
 show services ssl proxy session-cache entries detail | find www.orbitz.com

Dest IP           : 104.92.184.182
Dest Port         :        443
SSL_T Profile ID  :          1
SSL_I Profile ID  :          1
Session Info :
 Interdicted cert type           : [0x1]: CA issued, Authentication Successful
         Server cert verification result : ok [0x0]
         Server name extn len            :         14 name  : www.orbitz.com
         Server cert chain hash          : 08 98 ee d3 1f f2 30 8f 89 c3 5f 89 d8 2b 58 ee 
SSL-TERM Session :
                 SSL ver            : 0x303
                 Compression method : 0
                 Cipher ID          : 0x300c02f
                 Master key length  :         48
SSL-INIT Session :
                 SSL ver            : 0x303
                 Compression method : 0
                 Cipher ID          : 0x300c030
                 Master key length  :         48

Hash Entry        :         79  >>>>>>>>>>>>>>>>>>>>>>>>>>> this Hash Entry belongs to the next cache entry
Status            : Active: Time to expire 80 seconds
Session ID length :         32




                                        
jcluser@JCL-NGFW-99> ...n-cache entries detail | find "Hash Entry        :         78"                       
Hash Entry        :         78
Status            : Already Expired


=================================================================================

Hash Entry        :         35
Status            : Active: Time to expire 291 seconds
Session ID length :         32
Session ID        : c0 04 78 c7 81 d6 f0 13 8e 45 bb 2f 91 e6 d9 ad d5 3f 44 4e 74 a5 ee 64 96 29 97 24 6b f9 4d 3c
Dest IP           : 104.92.183.188
Dest Port         :        443
SSL_T Profile ID  :          1
SSL_I Profile ID  :          1
Session Info :
 Interdicted cert type           : [0x1]: CA issued, Authentication Successful
         Server cert verification result : ok [0x0]
         Server name extn len            :         15 name  : vap.expedia.com
         Server cert chain hash          : 97 b4 4b d5 9f c7 eb 40 47 8c 25 b5 38 6e 4a 6a 
SSL-TERM Session :
                 SSL ver            : 0x303
                 Compression method : 0
                 Cipher ID          : 0x300c02f
                 Master key length  :         48
SSL-INIT Session :
                 SSL ver            : 0x303
                 Compression method : 0
                 Cipher ID          : 0x300c030
                 Master key length  :         48
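
Added example (not part of the original notes and not Juniper code): `| find` prints from the first matching line onward, so the matched entry's own Hash Entry and Status lines are cut off and the next entry's header follows, as seen above. This Python parser groups captured detail output by entry so a server name or destination IP maps to its own hash entry, status and negotiated parameters. The function names, the constructed sample, and reading the low 16 bits of Cipher ID as the IANA cipher-suite code point are assumptions.

```python
import re

# Constructed sample in the layout of the output above (trimmed to the fields parsed).
SAMPLE = """\
Hash Entry        :         78
Status            : Already Expired
Dest IP           : 104.92.184.182
         Server name extn len            :         14 name  : www.orbitz.com
SSL-TERM Session :
                 SSL ver            : 0x303
                 Cipher ID          : 0x300c02f
SSL-INIT Session :
                 SSL ver            : 0x303
                 Cipher ID          : 0x300c030
Hash Entry        :         35
Status            : Active: Time to expire 291 seconds
Dest IP           : 104.92.183.188
         Server name extn len            :         15 name  : vap.expedia.com
"""

VERSIONS = {0x301: "TLS 1.0", 0x302: "TLS 1.1", 0x303: "TLS 1.2"}
# Assumption: the low 16 bits of Cipher ID are the IANA cipher-suite code point.
CIPHERS = {0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
           0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}

def parse_entries(text):
    """Group the detail output into one dict per cache entry, opened by 'Hash Entry'."""
    entries, cur, leg = [], {}, None   # cur starts as a throwaway for pre-header lines
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Hash Entry\s*:\s*(\d+)", line):
            cur, leg = {"hash_entry": int(m.group(1))}, None
            entries.append(cur)
        elif m := re.match(r"SSL-(TERM|INIT) Session", line):
            leg = m.group(1).lower()   # TERM = client-facing leg, INIT = server-facing leg
        elif m := re.match(r"Status\s*:\s*(.+)", line):
            cur["status"] = m.group(1)
        elif m := re.match(r"Dest IP\s*:\s*(\S+)", line):
            cur["dest_ip"] = m.group(1)
        elif m := re.match(r"Server name extn len\s*:\s*\d+\s+name\s*:\s*(\S+)", line):
            cur["sni"] = m.group(1)
        elif leg and (m := re.match(r"SSL ver\s*:\s*(0x[0-9a-f]+)", line)):
            cur[leg + "_version"] = VERSIONS.get(int(m.group(1), 16), m.group(1))
        elif leg and (m := re.match(r"Cipher ID\s*:\s*(0x[0-9a-f]+)", line)):
            cur[leg + "_cipher"] = CIPHERS.get(int(m.group(1), 16) & 0xFFFF, m.group(1))
    return entries

def find_entry(text, needle):
    """Return the entries whose server name or destination IP equals needle."""
    return [e for e in parse_entries(text) if needle in (e.get("sni"), e.get("dest_ip"))]
```

Feed it the full, unfiltered output of `show services ssl proxy session-cache entries detail`; unknown version or cipher values are returned as the raw hex string.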





Certificates

https://www.juniper.net/documentation/en_US/junos/topics/task/troubleshooting/security-ssl-proxy-troubleshooting.html

show services ssl certificate brief certificate-id ssl-fp2

           
jcluser@JCL-NGFW-30> show services ssl certificate brief certificate-id ssl-fp2 


Lsys Name : root-logical-system

PIC:fpc0 fpc[0] pic[0] ------

CertID                : ssl-fp2
Certificate Type      : LOCAL-CERT
Issuer                : /C=US/ST=CA/L=Sunnyvale/O=Juniper POC/OU=LAB/CN=SRX POC/emailAddress=admin@jnpr.net
Subject               : /C=US/ST=CA/L=Sunnyvale/O=Juniper POC/OU=LAB/CN=SRX POC/emailAddress=admin@jnpr.net
Validity :
    Not before        : Tue 07/21/2015 12:49:35 AM
    Not after         : Mon 07/16/2035 12:49:35 AM
Public Key algorithm  : rsaEncryption



show services ssl certificate detail certificate-id ssl-fp2


jcluser@JCL-NGFW-30> show services ssl certificate detail certificate-id ssl-fp2 


Lsys Name : root-logical-system

PIC:fpc0 fpc[0] pic[0] ------

CertID                : ssl-fp2
Certificate Type      : LOCAL-CERT
cert modify time      : Fri 06/28/2019 02:13:17 PM
key modify time       : Fri 06/28/2019 02:13:17 PM
certificate version   : 3
serial number         : e2 b9 52 41 26 46 c2 90 
Issuer                : /C=US/ST=CA/L=Sunnyvale/O=Juniper POC/OU=LAB/CN=SRX POC/emailAddress=admin@jnpr.net
Subject               : /C=US/ST=CA/L=Sunnyvale/O=Juniper POC/OU=LAB/CN=SRX POC/emailAddress=admin@jnpr.net
Validity :
    Not before        : Tue 07/21/2015 12:49:35 AM
    Not after         : Mon 07/16/2035 12:49:35 AM
Public Key algorithm  : rsaEncryption
Signature Algorithm   : sha256WithRSAEncryption




...