|
|
---|
status | show services ssl proxy status
jcluser@JCL-NGFW-30> show services ssl proxy status
PIC:fpc0 fpc[0] pic[0] ------
One-Crypto : Enable
Async Crypto : disable
Proxy-activation : Only if interested svcs configured
Local Logging : disable
SSLFP-PKID Link : UP
Certificate cache : -
Certificate Cache activated : yes
Invalidate certificate cache on CRL update : Disabled
Max cert cache nodes : 4000
Cert cache node in use : 6
Session cache : -
Session cache activated : Activated
Max session cache node : 19660
Session cache node in use : 33
|
statistics | show services ssl proxy statistics
jcluser@JCL-NGFW-30> show services ssl proxy statistics
PIC:fpc0 fpc[0] pic[0] ------
sessions matched 1031
sessions bypassed:non-ssl 0
sessions bypassed:mem overflow 0
sessions bypassed:low memory 0
sessions created 1031
sessions ignored 92
sessions active 6
sessions dropped 160
sessions whitelisted 0
whitelisted url category match 0
default profile hit 0
session dropped no default profile 0
policy hit no profile configured 0
|
counters | show services ssl proxy counters all
jcluser@JCL-NGFW-30> show services ssl proxy counters all
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
session create failed 0
non SSL sessions recieved 130
Memory failures 0
session dropped 1273
sessions matched 7474
sessions created 7474
sessions destroyed 7474
sessions ignored 130
sessions ignored : backup only 0
sessions whitelisted : IP based 0
sessions whitelisted : url based 0
crl : data added 152
crl : certificate revoked 0
crl : no crl info present 119
crl : no CA certificate 643
SSL sessions 7293
SMTP over STARTTLS 0
IMAP over STARTTLS 0
POP3 over STARTTLS 0
SMTP sessions 0
IMAP sessions 0
POP3 sessions 0
Server not supporting STARTTLS 0
Client not supporting STARTTLS 0
Unified policy : default profile hit 0
Unified policy : no default profile 0
|
| clear services ssl proxy session-cache
show services ssl proxy session-cache
|
| show services ssl proxy session-cache statistics
|
| show services ssl proxy session-cache entries
|
| show services ssl proxy session-cache entries summary
|
nslookup orbitz.com | PS C:\Users\pepper> nslookup www.orbitz.com
Server: UnKnown
Address: 10.0.0.10
Non-authoritative answer:
Name: e6766.x.akamaiedge.net
Address: 104.92.184.182
Aliases: www.orbitz.com
         www.orbitz.com.edgekey.net
IP address >> 104.92.184.182
|
| show services ssl proxy session-cache entries detail
jcluser@JCL-NGFW-99> show services ssl proxy session-cache entries detail | find 104.92.184.182
show services ssl proxy session-cache entries detail | find www.orbitz.com
Dest IP : 104.92.184.182
Dest Port : 443
SSL_T Profile ID : 1
SSL_I Profile ID : 1
Session Info :
Interdicted cert type : [0x1]: CA issued, Authentication Successful
Server cert verification result : ok [0x0]
Server name extn len : 14 name : www.orbitz.com
Server cert chain hash : 08 98 ee d3 1f f2 30 8f 89 c3 5f 89 d8 2b 58 ee
SSL-TERM Session :
SSL ver : 0x303
Compression method : 0
Cipher ID : 0x300c02f
Master key length : 48
SSL-INIT Session :
SSL ver : 0x303
Compression method : 0
Cipher ID : 0x300c030
Master key length : 48
Hash Entry : 79 >>> this header belongs to the next entry
Status : Active: Time to expire 80 seconds
Session ID length : 32
jcluser@JCL-NGFW-99> ...n-cache entries detail | find "Hash Entry : 78"
Hash Entry : 78
Status : Already Expired
=================================================================================
Hash Entry : 35
Status : Active: Time to expire 291 seconds
Session ID length : 32
Session ID : c0 04 78 c7 81 d6 f0 13 8e 45 bb 2f 91 e6 d9 ad d5 3f 44 4e 74 a5 ee 64 96 29 97 24 6b f9 4d 3c
Dest IP : 104.92.183.188
Dest Port : 443
SSL_T Profile ID : 1
SSL_I Profile ID : 1
Session Info :
Interdicted cert type : [0x1]: CA issued, Authentication Successful
Server cert verification result : ok [0x0]
Server name extn len : 15 name : vap.expedia.com
Server cert chain hash : 97 b4 4b d5 9f c7 eb 40 47 8c 25 b5 38 6e 4a 6a
SSL-TERM Session :
SSL ver : 0x303
Compression method : 0
Cipher ID : 0x300c02f
Master key length : 48
SSL-INIT Session :
SSL ver : 0x303
Compression method : 0
Cipher ID : 0x300c030
Master key length : 48
|
Certificates | https://www.juniper.net/documentation/en_US/junos/topics/task/troubleshooting/security-ssl-proxy-troubleshooting.html |
---|
| show services ssl certificate brief certificate-id ssl-fp2
jcluser@JCL-NGFW-30> show services ssl certificate brief certificate-id ssl-fp2
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
CertID : ssl-fp2
Certificate Type : LOCAL-CERT
Issuer : /C=US/ST=CA/L=Sunnyvale/O=Juniper POC/OU=LAB/CN=SRX POC/emailAddress=admin@jnpr.net
Subject : /C=US/ST=CA/L=Sunnyvale/O=Juniper POC/OU=LAB/CN=SRX POC/emailAddress=admin@jnpr.net
Validity :
Not before : Tue 07/21/2015 12:49:35 AM
Not after : Mon 07/16/2035 12:49:35 AM
Public Key algorithm : rsaEncryption
show services ssl certificate detail certificate-id ssl-fp2
jcluser@JCL-NGFW-30> show services ssl certificate detail certificate-id ssl-fp2
Lsys Name : root-logical-system
PIC:fpc0 fpc[0] pic[0] ------
CertID : ssl-fp2
Certificate Type : LOCAL-CERT
cert modify time : Fri 06/28/2019 02:13:17 PM
key modify time : Fri 06/28/2019 02:13:17 PM
certificate version : 3
serial number : e2 b9 52 41 26 46 c2 90
Issuer : /C=US/ST=CA/L=Sunnyvale/O=Juniper POC/OU=LAB/CN=SRX POC/emailAddress=admin@jnpr.net
Subject : /C=US/ST=CA/L=Sunnyvale/O=Juniper POC/OU=LAB/CN=SRX POC/emailAddress=admin@jnpr.net
Validity :
Not before : Tue 07/21/2015 12:49:35 AM
Not after : Mon 07/16/2035 12:49:35 AM
Public Key algorithm : rsaEncryption
Signature Algorithm : sha256WithRSAEncryption
|