Technical Tip: Record of central NAT and DNAT hit count

lohk · ‎06-02-2021

Description
This article describes how to view the record of central NAT and DNAT hit count.

Solution
Daily hit counts for central NAT and DNAT can be displayed in the CLI for IPv4 and IPv6.

To view the central SNAT counter:

# diagnose firewall iprope show 10000d <id>
# diagnose firewall iprope6 show 10000d <id>

To view the DNAT counter:

# diagnose firewall iprope show 100000 <id>
# diagnose firewall iprope6 show 100000 <id>

To clear the counters:

# diagnose firewall iprope clear 10000d <id>
# diagnose firewall iprope clear 100000 <id>
# diagnose firewall iprope6 clear 10000d <id>
# diagnose firewall iprope6 clear 100000 <id>

Sample output:

# diagnose firewall iprope show 10000d 1
idx=1 hit count:6 (2 4 0 0 0 0 0 0)
first:2021-01-23 12:10:37 last:2021-01-24 12:12:24

For entry ID 1, there are a total of six counts since the last time the counter was cleared. There are six times where the traffic matches the central SNAT entry.
The hit count of the present day and last seven days is displayed in parentheses.

# diagnose firewall iprope show 100000 1
idx=1 hit count:3 (1 2 0 0 0 0 0 0)
first:2021-01-23 12:10:37 last:2021-01-24 12:12:23

For entry ID 1, there are a total of three counts since the last time the counter was cleared.
There are three times where the traffic matches the DNAT (VIP) entry.
The hit count of the present day and last seven days is displayed in parentheses.