2 Juniper Netscreen Firewall Metrics

This chapter provides descriptions for all Juniper Netscreen Firewall metric categories, and tables list and describe associated metrics for each category. The tables also provide user actions if any of the metrics for a particular category support user actions. Shaded rows represent key columns for a particular category.

Address Resolution Protocol (ARP) Configuration Metrics

The metrics in this category provide general information about the configuration of ARP protocol on the firewall instance.

Default Collection Interval — Every 24 hours

Table 2-1 ARP Configuration Metrics

Metric	Description
ARP Always on Destination	Directs a Netscreen device to always perform a lookup to learn a destination MAC address.
ARP Cache Update	Defines whether ARP cache will be updated in a predefined time interval.

Address Resolution Protocol (ARP) Mappings Metrics

The metrics in this category provide information about all the ARP entries existing in a NetScreen device.

Default Collection Interval — Every hour

Table 2-2 ARP Mappings Metrics

Metric	Description
Index (key column)	Unique value for the ARP table. Its value ranges between 0 and 65535 and cannot be continuous.
Entry ARP Queue	ARP entry package queue.
Entry Age	Age of an ARP entry.
Entry Retry Time	Time after which an entry in the cache should be updated.
Entry State	Possible values are: 1 — Pending 2 — Valid 3 — Delete 4 — Static
IP Address	Unique address used by devices to identify and communicate with each other on the network.
Interface Location	Interface location on the firewall.
MAC Address	MAC address of the interface. This address is permanently assigned to the interface.
Virtual System Name	Virtual system name to which this entry belongs.

Division of Attacks Metrics

The metrics in this category provide information about the firewall protection configuration on each physical interface related to various possible attacks.

Default Collection Interval — Every 15 minutes

Table 2-3 Division of Attacks Metrics

Metric	Description
Zone Name (key column)	Unique zone ID.
Rate of Address Sweep Attack	Rate of address sweep attack on the zone.
Rate of Attacks on Interface	Rate of total attacks on the selected zone.
Rate of ICMP Flood Attack	Rate of ICMP flood attack on the zone.
Rate of IP Spoof Attack	Rate of IP spoof attack on the zone.
Rate of IP Src Route Attack	Rate of IP source route attack on the zone.
Rate of Land Attack	Rate of land attack on the zone.
Rate of Ping of Death Attack	Rate of ping of death attack on the zone.
Rate of Port Scan Attack	Rate of port scan attack on the zone.
Rate of SYN Attack	Rate of SYN attack on the zone.
Rate of Tear Drop Attack	Rate of teardrop attack on the zone.
Rate of UDP Flood Attack	Rate of UDP flood attack on the zone.
Rate of Win Nuke Attack	Rate of Win nuke attack on the zone.
Virtual System	Virtual system name that the zone belongs to.

Dropped Packets Division on the Firewall Metrics

The metrics in this category provide information about dropped packet counters of the interface.

Default Collection Interval — Every 30 minutes

Table 2-4 Dropped Packets Division on the Firewall Metrics

Metric	Description and User Action
Index (key column)	Interface index.
Name (key column)	Interface name.
IP Address (key column)	Interface IP address.
Rate of Packet Drops Due to Authentication Failure	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on your network conditions.
Rate of Packet Drops Due to Denial by Policy	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on your network conditions.
Rate of Packet Drops Due to Denial by SA Policy	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on your network conditions.
Rate of Packet Drops Due to IPSec Encryption Failure	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on your network conditions.
Rate of Packet Drops Due to Inactive SA	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on your network conditions.
Rate of Packet Drops Due to No Policy with SA	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on your network conditions.
Rate of Packet Drops Due to No SA Found for Incoming Policy	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on your network conditions.
Rate of Packet Drops Due to Traffic Management	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on your network conditions.
Rate of Packet Drops Due to Traffic Management Queue	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on your network conditions.
Rate of Packet Drops Due to URL Blocking	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on your network conditions.
Rate of Total Packet Drops on Interface	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on your network conditions.
Virtual System ID	Virtual system name that the interface belongs to.

Firewall CPU Utilization Metrics

The metrics in this category provide information about the average percentage of CPU utilized in the last 5 minutes.

Default Collection Interval — Every 5 minutes

Table 2-5 Firewall CPU Utilization Metrics

Metric	Description and User Action
Avg. Firewall CPU Utilization (%)	Percentage of CPU utilization in the last five minutes. The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on the load on the firewall and your network conditions.

Firewall Memory Utilization Metrics

The metrics in this category provide information about the percentage of memory being used by the firewall processes.

Default Collection Interval — Every 5 minutes

Table 2-6 Firewall Memory Utilization Metrics

Metric	Description and User Action
Allocated Memory	Memory on the host dedicated to the firewall.
Firewall Memory Utilization (%)	A large memory consumption causes the entire system to slow down. To analyze what is causing the problem, use the Solaris "top" system command and observe any firewall processes that appear to be consuming an excessive percentage of memory.
Memory Fragment	Amount of fragmented firewall memory.
Memory Left	Amount of memory available for use on the firewall.
Overall Memory (Physical + Swap)	Total memory on the firewall.

Interface Traffic Metrics

The metrics in the this category provide information about the rate at which traffic flows into and out of the firewall.

Default Collection Interval — Every 35 minutes

Table 2-7 Interface Traffic Metrics

Metric	Description and User Action
Index (key column)	Interface index.
Name (key column)	Interface name.
IP Address (key column)	Interface IP address.
Rate of Total KiloBytes In	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on the bandwidth of the interfaces.
Rate of Total KiloBytes Out	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on the bandwidth of the interfaces.
Rate of Total Packets In	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on the bandwidth of the interfaces.
Rate of Total Packets Out	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on the bandwidth of the interfaces.
Rate of Total VLAN Packets In	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on the bandwidth of the interfaces.
Rate of Total VLAN Packets Out	The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on the bandwidth of the interfaces.
Virtual System ID	Virtual system ID that the interface belongs to.

Netscreen Firewall Traffic Information Per Policy Metrics

The metrics in this category provide information about the traffic counters of a specific policy.

Default Collection Interval — Every hour

Table 2-8 Netscreen Firewall Traffic Information Per Policy Metrics

Metric	Description and User Action
Policy ID	Each policy is identified by a unique policy ID.
Total Bytes Per Sec	Rate of bytes crossing the policy per second. The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on your network conditions.
Total Packets Per Sec	Rate of packets crossing the policy per second. The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on your network conditions.
Total Sessions Per Sec	Rate of sessions crossing the policy per second. The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on your network conditions.

Network Interfaces Configuration Metrics

The metrics in the Network Interfaces Configuration category provide information about the operational status of the interface.

Default Collection Interval — Every 30 minutes

Table 2-9 Network Interfaces Configuration Metrics

Metric	Description and User Action
Index (key column)	Interface index.
Name (key column)	Interface name.
IP Address (key column)	Interface IP address.
Interface Internal ID	Internal ID assigned to this interface. It remains persistent across resets.
Interface Status	If the value of this metric is Down, no data is currently passing through this interface.

Policy Settings Metrics

The metrics in this category collect all the policy configuration information that exists in the Juniper Network device.

Default Collection Interval — Every 12 hours

Table 2-10 Policy Settings Metrics

Metric	Description
Differentiated Services	System for tagging traffic at a position within a hierarchy of priority.
Schedule	By associating a schedule to an access policy, you can determine when the access policy is in effect.
Status	Shows the status of one policy entry.
Traffic Priority	Traffic priority for this policy.
Traffic Shape	You can set parameters for the control and shaping of traffic for each access policy.

Response Metrics

The metrics in the Response category provide information about that status of the firewall host.

Table 2-11 Response Metrics

Metric	Description
Firewall Status	Has a value of 1 if the Management Agent is up and running. If the value is not 1, the managed target is down, and you may need to start the managed firewall.
TCP Ping, Milliseconds	Amount of time in milliseconds to ping the firewall. The threshold values for this metric are set for low network load conditions. You can provide a higher value for the warning and critical thresholds based on the load on your network.

Session Information Metrics

The metrics in this category provide information about the number of allocated and failed sessions on the firewall. The sessions are related to TELNET, FTP, HTTP, and so forth.

Default Collection Interval — Every 15 minutes

Table 2-12 Session Information Metrics

Metric	Description and User Action
Allocated Sessions	Number of allocated sessions.
Failed Sessions	Number of failed sessions. The default warning and critical threshold values for this metric are not set. You can set values for these thresholds based on the load on the firewall and your network conditions.
Max. Sessions	Maximum number of sessions.

URL Filter Configuration Metrics

The metrics in this category provide information about URL filtering parameters on the firewall, which block or permit access to different sites based on their URLs, domain names, and IP address.

Default Collection Interval — Every 24 hours

Table 2-13 URL Filter Configuration Metrics

Metric	Description
Communication Timeout	Communication timeout threshold of URL filtering.
Block Message Type	URL filter block message type.
Blocked Message	NetScreen device blocked message.
Current Server Status	Status of the current server.
URL Filtering	When URL filtering is enabled on a policy, the NetScreen device buffers all HTTP GET requests (in traffic to which the policy applies) and sends the URL to the Websense server.
Way of Handling Requests	Method of handling HTTP requests if connectivity to the Websense server is lost.
Websense Server Name	Name of the Websense server.
Websense Server Port	Port for the Websense server.

NSRP Virtual Security Device Group Configuration Metrics

The metrics in this category provide information about the list of Virtual Security Device (VSD) groups on the device. A Virtual Security Device (VSD) group is a pair of physical NetScreen devices that collectively comprise a single VSD.

These metrics are used to monitor the VSD groups configured based on NetScreen Redundancy Protocol (NSRP). NSRP is a proprietary protocol that is supported on select NetScreen devices to provide high availability (HA) services.

Default Collection Interval — Every five minutes.

Table 2-14 NSRP Virtual Security Device Group Configuration Metrics

Metric	Description
Cluster ID	Cluster ID of the device. Before two NetScreen devices can provide redundant network connectivity, they are grouped in the same NSRP cluster by assigning a cluster ID between 1 and 7.
Group Hold Down Time	Hold down time for the VSD group. To determine the initial state hold-down time, multiply init-hold value by the VSD heartbeat-interval (init-hold x hb-interval = initial state hold-down time).
Group ID	Identifier of the group to which the device belongs.
Group Priority	Local unit in current group's priority.
Number of state transition into backup state	Number of times a VSD group member changes status to backup. This is the state of a VSD group member that monitors the status of the primary backup and elects one of the backup devices to primary backup if the current one steps down.
Number of state transition into ineligible state	Number of times a VSD group member changes status to ineligible. This is the state that an administrator purposefully assigns to a VSD group member so that it cannot participate in the election process.
Number of state transition into inoperable state	Number of times a VSD group member changes status to inoperable. This is the state of a VSD group member after a system check determines that the device has an internal problem (such as no processing boards) or a network connection problem.
Number of state transition into master state	Number of times a VSD group member changes status to master. This is the state of a VSD group member that processes traffic sent to the Virtual Security Interface (VSI).
Number of state transition into primary backup state	Number of times a VSD group member changes status to primary backup state. This is the state of a VSD group member that becomes the master should the current master steps down.
Number of times multiple masters exist	Number of times multiple masters exist while the local unit is in master state.
Number of times multiple primary backups exist	Number of times multiple primary backups exist while the local unit is in primary backup state.
Number of Units in Group	Number of units in the VSD group.
Total number of state transition events	Number of events that led to change in status of VSD group members.

NSRP Virtual Security Device Interface Configuration Metrics

The metrics in this category provide information about the list of VSD interfaces on the device.

Default Collection Interval — Every five minutes.

Table 2-15 NSRP Virtual Security Device Interface Configuration Metrics

Metric	Description
Interface Group	Group of the VSD interface.
Interface IP Address	IP address of the VSD interface.
NSRP Device Interface Status	Indicates the status of the interface (down, inactive, active).

NSRP Virtual Security Device Member Configuration Metrics

The metrics in this category provide information about the list of devices within the VSD group. These metrics provides details about each member such as status and ID.

Default Collection Interval — Every five minutes.

Table 2-16 NSRP Virtual Security Device Member Configuration Metrics

Metric	Description
Member status	Status of VSD group members such as: Init - The transient state of a VSD group member while it joins a VSD group, either when the device boots up or when it is added via a command. Master - The state of a VSD group member that processes traffic sent to the VSI. Primary Backup - The state of a VSD group member that becomes the master should the current master step down. Backup - The state of a VSD group member that monitors the status of the primary backup and elects one of the backup devices to primary backup if the current one steps down. Ineligible - The state that an administrator purposefully assigns to a VSD group member so that it cannot participate in the election process. Inoperable - The state of a VSD group member after a system check determines that the device has an internal problem (such as no processing boards) or a network connection problem (such as when an interface link fails).
Member Group ID	Group ID of the VSD member.
Member Priority in Group	Priority of a VSD unit in the group.

Metric

Description

Member status

Status of VSD group members such as:

Init - The transient state of a VSD group member while it joins a VSD group, either when the device boots up or when it is added via a command.
Master - The state of a VSD group member that processes traffic sent to the VSI.
Primary Backup - The state of a VSD group member that becomes the master should the current master step down.
Backup - The state of a VSD group member that monitors the status of the primary backup and elects one of the backup devices to primary backup if the current one steps down.
Ineligible - The state that an administrator purposefully assigns to a VSD group member so that it cannot participate in the election process.
Inoperable - The state of a VSD group member after a system check determines that the device has an internal problem (such as no processing boards) or a network connection problem (such as when an interface link fails).

Member Group ID

Group ID of the VSD member.

Member Priority in Group

Priority of a VSD unit in the group.

NSRP Virtual Security Device Status Metrics

The metrics in this category provide information about the member status of the target type.

Default Collection Interval — Every five minutes.

Table 2-17 NSRP Virtual Security Device Interface Configuration Metrics

Metric	Description
Member Status	Status of the target (init, Master, Primary Backup, Backup, ineligible, inoperable).