Monitoring NAT

24-Nov-23

Configuring NAT Session Logs

You can configure session logs for NAT from the CLI. By default, session open and close logs are produced. However, you can request that only one type of log be produced.

To configure NAT session logs:

  1. Go to the [edit services service-set service-set-name syslog host class classname] hierarchy level.
    user@host# edit services service-set service-set-name syslog host class classname
    
  2. Configure NAT logging using the nat-logs configuration statement.
    [edit services service-set service-set-name syslog host class classname]
    user@host# set nat-logs
    
  3. Configure session logging using the session-logs statement. Open and close logs are produced by default. Specify open or close to produce only one type of log.
    [edit services service-set service-set-name syslog host class classname]
    user@host# set session-logs
    

    Or

    [edit services service-set service-set-name syslog host class classname]
    user@host# set session-logs open
    

    Or

    [edit services service-set service-set-name syslog host class classname]
    user@host# set session-logs close
    
  4. For NAT sessions that use secured port block allocation (PBA), enter the pba-interim-logging-interval option.
    [edit services service-set service-set-name syslog host class classname]
    user@host# top
    [edit]
    user@host# set interfaces interface-name service-options pba-interim-logging-interval
    
  5. Configure a /32 IP address under unit 0 of the service interface that is assigned to the service set. This is the source IP address for all syslog messages generated by the service set for the NAT session logs. If you do not configure the IP address, syslog messages are not generated.
    [edit]
    user@host# set interfaces interface-name unit 0 family inet address address
    
    Note:

    If you use anything other than a /32 IP address, unwanted traffic might be sent to the service interface, which can eat up valuable CPU time on the service PIC.

Monitoring NAT Pool Usage

Purpose

Use the show services nat pool detail command to find global NAT statistics related to pool usage. This command is frequently used in conjunction with the show services stateful-firewall statistics command.

Action

user@host# show services nat pool detail

Interface: ms-1/0/0, Service set: s1
  NAT pool: dest-pool, Translation type: DNAT-44
    Address range: 10.10.10.2-10.10.10.2
  NAT pool: napt-pool, Translation type: NAPT-44
    Address range: 50.50.50.1-50.50.50.254
    Port range: 1024-63487, Ports in use: 0, Out of port errors: 0, Max ports used: 0
  NAT pool: source-dynamic-pool, Translation type: DYNAMIC NAT44
    Address range: 40.40.40.1-40.40.40.254
    Out of address errors: 0, Addresses in use: 0
  NAT pool: source-static-pool, Translation type: BASIC NAT44
    Address range: 30.30.30.1-30.30.30.254
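
The pool counters above can be checked automatically. The following is an added example, not part of the original documentation: it parses text in the layout shown above and flags exhaustion errors and high utilization. The sample counter values are constructed, the 80% threshold is arbitrary, and treating "Ports in use" as a pool-wide count is an assumption.

```python
import ipaddress

# Constructed sample: same layout as the output above, with non-zero
# counters substituted so the checks have something to report.
SAMPLE = """\
Interface: ms-1/0/0, Service set: s1
  NAT pool: dest-pool, Translation type: DNAT-44
    Address range: 10.10.10.2-10.10.10.2
  NAT pool: napt-pool, Translation type: NAPT-44
    Address range: 50.50.50.1-50.50.50.254
    Port range: 1024-63487, Ports in use: 14000000, Out of port errors: 12, Max ports used: 15000000
  NAT pool: source-dynamic-pool, Translation type: DYNAMIC NAT44
    Address range: 40.40.40.1-40.40.40.254
    Out of address errors: 0, Addresses in use: 10
"""

def parse_pools(text):
    """Return one dict per NAT pool, carrying its interface and service set."""
    pools, ctx, cur = [], {}, None
    for line in text.splitlines():
        kv = dict(p.split(": ", 1) for p in line.strip().split(", ") if ": " in p)
        if "Interface" in kv:
            ctx = kv                      # applies to the pools that follow
        elif "NAT pool" in kv:
            cur = {**ctx, **kv}
            pools.append(cur)
        elif cur is not None:
            cur.update(kv)                # range and counter lines
    return pools

def _span(rng, conv):
    """Number of values in an inclusive 'low-high' range."""
    lo, hi = rng.split("-")
    return int(conv(hi)) - int(conv(lo)) + 1

def pool_alerts(pools, threshold=0.8):
    """Flag exhaustion errors and pools at or above the utilization threshold."""
    alerts = []
    for p in pools:
        for counter in ("Out of port errors", "Out of address errors"):
            if int(p.get(counter, 0)) > 0:
                alerts.append((p["NAT pool"], f"{counter}: {p[counter]}"))
        cap = _span(p["Address range"], ipaddress.IPv4Address)
        if "Ports in use" in p:           # assumption: a pool-wide port count
            cap, used = cap * _span(p["Port range"], int), int(p["Ports in use"])
        elif "Addresses in use" in p:
            used = int(p["Addresses in use"])
        else:
            continue                      # pool reports no usage counters
        if used / cap >= threshold:
            alerts.append((p["NAT pool"], f"utilization {used / cap:.0%}"))
    return alerts
```
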

Using the Enterprise-Specific Utility MIB

The enterprise-specific Utility MIB enables you to add SNMP-compliant applications information to the enterprise-specific Utility MIB. The application information includes:

  • NAT mappings

  • Carrier-grade NAT (CGNAT) pools

  • Service set CPU utilization

  • Service set memory usage

  • Service set summary information

  • Service set packet drop information

  • Service set memory zone information

  • Multiservices PIC CPU and memory utilization

  • Stateful firewall flow counters

  • Session application connection information

  • Session analysis information

  • Subscriber analysis information

  • Traffic Load Balancer information

You use a delivered Stylesheet Language Alternative Syntax (SLAX) script to place applications information into the enterprise-specific Utility MIB. The script is invoked based on event policies (such as reboot of the router or switchover of Routing Engines) defined in an event script. The script can also be invoked from the command line as an op script. The script only runs on the primary Routing Engine. After the script is invoked, it polls data from the specified components at regular intervals using the XML-RPC API and writes the converted data to the Utility MIB as SNMP variables. The script automatically restarts after a configured polling cycle elapses.

Populating the Enterprise-Specific Utility MIB with Information

To use a SLAX script to populate the enterprise-specific Utility MIB with information:

  1. Enable the services-oids.slax script.

    user@host# set system scripts op file services-oids.slax
    
  2. Configure the maximum amount of memory for the data segment during the execution of the script.

    user@host# set event-options event-script max-database 512m
    
  3. Enable the script.

    user@host# set event-options event-script file services-oids-ev-policy.slax
    
  4. (Optional) Enable the log-stats argument to allow system logging of stateful firewall rate statistics when the event script runs.

    1. Display the event policies and the arguments that can be used.

      user@host> show event-options event-scripts policies
      
      event-options {
          policy services-oids-done {
              events system;
              attributes-match {
                  system.message matches "Completed polling cycle normally. Exiting";
              }
              then {
                  event-script services-oids.slax {
                      arguments {
                          max-polls 30;
                          interval 120;
                      }
                  }
              }
          }
          policy system-started {
              events system;
              attributes-match {
                  system.message matches "Starting of initial processes complete";
              }
              then {
                  event-script services-oids.slax {
                      arguments {
                          max-polls 30;
                          interval 120;
                      }
                  }
              }
          }
      }
      

      The log-stats argument does not appear, so you must enable it.

    2. Start the Linux shell.

      user@host> start shell
      
      %
    3. Open the /var/db/scripts/event/services-oids-ev-policy.slax file for editing.

      <event-options> {
              /*
               * This policy detects when the services-oids.slax script ends, then restarts it.
               */
              <policy> {
                  <name> "services-oids-done";
                  <events> "system";
                  <attributes-match> {
                      <from-event-attribute> "system.message";
                      <condition> "matches";
                      <to-event-attribute-value> "Completed polling cycle normally. Exiting";
                  }
                  <then> {
                      <event-script> {
                          <name> "services-oids.slax";
                          <arguments> {
                              <name>"max-polls";
                              <value>"30";
                          }
                          <arguments> {
                              <name>"interval";
                              <value>"120";
                          }
                          /*
                          <arguments> {
                              <name>"log-stats";
                              <value>"yes";
                          }
                          */
                      }
                  }
              }
      
              /*
               * This policy detects when the system has booted and kicks off the services-oids.slax script.
               * This policy hooks the 'system started' event
               */
              <policy> {
                  <name> "system-started";
                  <events> "system";
                  <attributes-match> {
                      <from-event-attribute> "system.message";
                      <condition> "matches";
                      <to-event-attribute-value> "Starting of initial processes complete";
                  }
                  <then> {
                      <event-script> {
                          <name> "services-oids.slax";
                          <arguments> {
                              <name>"max-polls";
                              <value>"30";
                          }
                          <arguments> {
                              <name>"interval";
                              <value>"120";
                          }
                          /*
                          <arguments> {
                              <name>"log-stats";
                              <value>"yes";
                          }
                          */
                      }
                  }
              }
               
      }
      
      
    4. Remove the comment enclosures (/* and */) surrounding the <arguments> tags containing “log-stats”.

    5. Exit the Linux shell and return to the CLI.

      % exit
      
    6. Load the changes you made to the event script file.

      user@host> request system scripts event-scripts reload
      

      The log-stats argument is available the next time the event script restarts.

  5. Set up the script logging file services-oids.log.

    user@host# set system syslog file services-oids.log any info 
    user@host# set system syslog file services-oids.log match cscript 
    
  6. Synchronize scripts between Routing Engines so that when a switchover of Routing Engine occurs, the event policy starts on the new primary.

    • To synchronize on a per-commit basis:

      user@host# commit synchronize scripts
      
    • To synchronize scripts every time you execute a commit synchronize:

      [edit system scripts]
      user@host# set synchronize
      user@host# commit synchronize
      
  7. The script starts automatically at system boot, but you can manually start it with the CLI.

    user@host> op services-oids arguments
    

    Table 1 describes the arguments that you can use.

    Table 1: Arguments for services-oids.slax Script

    Argument          Description
    ----------------  -----------
    clean             A value of 1 clears all Utility MIB OIDs. Use this only to clean OID tables.
    clear-semaphore   A value of 1 resets the semaphore in the Utility MIB to recover from an abnormal script exit or from a manual script exit.
    debug             Prints debug messages on console.
    detail            Displays detailed output.
    interval          Sets the number of seconds between poll cycles (default is 120).
    invoke-debugger   Invokes script in debugger mode.
    log-stats         Yes value enables sys logging of stateful firewall rate statistics (default is no).
    max-polls         Sets the number of poll cycles before exiting the script (default is 30).
    one-cycle-only    Value of 1 quits after one cycle of polling. Event policy does not restart the script. Use this option for testing only. The default is 0.
    signal-stop       A value of 1 stops the script and sets the semaphore, which causes the next iteration to exit.
    silent            Prints trace messages on console if it is unset. Set it to zero-length string (“ ”) to unset it. Default is 1.
    |                 Pipes through a command.

  8. Check the status of the script from the log file.

    router> show log services-oids.log | no-more
    
    Jun 27 19:51:47  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info] Beginning polling cycle.
    Jun 27 19:51:47  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info]  processing traffic load-balance statistics
    Jun 27 19:51:48  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info]  processing cgnat pool detail
    Jun 27 19:51:48  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info]  processing cgnat mappings summary
    Jun 27 19:51:48  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info]  processing service-sets summary
    Jun 27 19:51:48  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info]  processing service-sets cpu-usage
    Jun 27 19:51:48  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info]  processing service-sets mem-usage
    Jun 27 19:51:49  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info]  processing stateful firewall statistics
    Jun 27 19:51:49  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info]  processing stateful firewall flow-analysis
    Jun 27 19:51:49  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info]  processing stateful firewall flows counts
    Jun 27 19:51:49  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info]  processing FW policy connections/second
    Jun 27 19:51:49  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info]  processing FW/NAT app connections
    Jun 27 19:51:51  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info]  processing service-set packet-drops
    Jun 27 19:51:51  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info]  processing service-set memory-usage zone
    Jun 27 19:51:51  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info]  processing service-set policy throughput stats
    Jun 27 19:51:52  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info]  processing ms-pic CPU amd Memory utilization stats
    Jun 27 19:51:52  wf-cheesypoofs cscript: services-oids.slax(v0.14):[info] 1/30 Sleeping for 110 seconds.
    
  9. Verify that you are getting Utility MIB OID updates.

    router> show snmp mib walk jnxUtil ascii
    
    . . .
    jnxUtilCounter64Value."services10tcp-errors09CGN-SET-1" = 0
    jnxUtilCounter64Value."services10tcp-errors09CGN-SET-2" = 0
    jnxUtilCounter64Value."services10tcp-errors09CGN-SET-3" = 0
    jnxUtilCounter64Value."services10udp-errors09CGN-SET-1" = 1119
    jnxUtilCounter64Value."services10udp-errors09CGN-SET-2" = 0
    . . .
    

    To exclude the timestamp information, use:

    router> show snmp mib walk jnxUtil ascii | match Value
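
To turn the walk output from step 9 into something you can alert on, the following added example (not part of the original documentation) decodes the instance names and compares two walks to report counters that increased. The two-digit length-prefix layout of the instance name is inferred from the sample output above and is an assumption; the second walk is constructed.

```python
import re

LINE = re.compile(r'^jnxUtilCounter64Value\."([^"]+)"\s*=\s*(\d+)$')

# WALK_1 is the output shown in step 9; WALK_2 is a constructed later poll.
WALK_1 = '''
. . .
jnxUtilCounter64Value."services10tcp-errors09CGN-SET-1" = 0
jnxUtilCounter64Value."services10tcp-errors09CGN-SET-2" = 0
jnxUtilCounter64Value."services10udp-errors09CGN-SET-1" = 1119
'''
WALK_2 = '''
jnxUtilCounter64Value."services10tcp-errors09CGN-SET-1" = 0
jnxUtilCounter64Value."services10tcp-errors09CGN-SET-2" = 3
jnxUtilCounter64Value."services10udp-errors09CGN-SET-1" = 1450
'''

def decode_instance(name):
    """Split 'services10tcp-errors09CGN-SET-1' into its prefix and fields.

    Assumed layout: a non-digit prefix, then repeated
    <two-digit length><that many characters> fields.
    """
    m = re.match(r"\D+", name)
    if not m:
        raise ValueError(f"no prefix: {name!r}")
    prefix, rest, parts = m.group(), name[m.end():], []
    while rest:
        if not rest[:2].isdigit() or len(rest) < 2 + int(rest[:2]):
            raise ValueError(f"not length-prefixed: {name!r}")
        n = int(rest[:2])
        parts.append(rest[2:2 + n])
        rest = rest[2 + n:]
    return prefix, parts

def parse_walk(text):
    """Map (counter name, service set, ...) tuples to Counter64 values."""
    counters = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue                      # '. . .', timestamps, other objects
        try:
            counters[tuple(decode_instance(m.group(1))[1])] = int(m.group(2))
        except ValueError:
            continue                      # name does not follow the assumed layout
    return counters

def increased(before, after):
    """Counters that grew between two walks, with the size of the increase."""
    return {k: v - before.get(k, 0) for k, v in after.items() if v > before.get(k, 0)}
```
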
    

Stopping the SLAX Script with the CLI

To stop the SLAX script from the CLI:

Issue the signal-stop argument.
user@host> op services-oids signal-stop 1

Clearing the Utility MIB

To clear all the utility MIB OIDs:

Issue the clean argument.
user@host> op services-oids clean 1

Recovering from an Abnormal SLAX Script Exit or a SLAX Script Exit with the CLI

To recover from an abnormal SLAX script exit or a SLAX script exit with the CLI:

Issue the clear-semaphore argument.
user@host> op services-oids clear-semaphore 1