Thursday, June 2, 2011

Troubleshooting tips in NetScreen firewall !!!


There are many ways to troubleshoot in NetScreen Firewall when some one reports a Incident, that they are unable to access a Server / Application.

Understand the Packet flow
Packet flow tell the order in which the packet is processed by the firewall, when it reaches the firewall.

Packet flow in NetScreen Firewall


Looking @ Session
It is always a good idea to start the troubleshooting with a session, check if traffic is passing through the firewalls.

spiceup.net.in_FW-> get session src-ip 1.1.1.1 dst-ip 2.2.2.2

You should  see matching session output similar to this:

id 1454/s**,vsys 0,flag 00000050/0080/20,policy 320002,time 1, dip 0
 1(0001):1.1.1.1/60185->2.2.2.2/512,1,000d60765d03,3,vlan 0,tun 0,vsd 0,route 2
 3(0010):1.1.1.1/60185<-2.2.2.2/512,1,000000000000,4,vlan 0,tun 0,vsd 0,route 10

The Source IP Address 1.1.1.1 has source port as 60185 and destionation ip 2.2.2.2 has destination port as 512, the Source port here is the ICMP Sequence Number, the destination port is the ICMP Identifier, is sending the ping packet (echo request) to the destination and the destination sends back the reply to the ping echo reply.

The below is the output of the partial packet capture using sniffer for the above sessions:

ECHO REQUEST:
Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0x6042 (correct)
    Identifier: 0x0200
    Sequence number: 0xeb19
    Data (32 bytes)

ECHO REPLY:
Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0
    Checksum: 0x6842 (correct)
    Identifier: 0x0200
    Sequence number: 0xeb19
    Data (32 bytes)



Debug flow basic
Shows the flow of traffic through the firewall, allowing for troubleshooting route selection, policy selection, any address translation and whether the packet is recieved or dropped by the firewall.

    1)   get ffilter - see if an filters have been set already, if they have you use 'unset ffilter' to remove, repeat the steps until you remove all the filters
    2)   set ffilter src-ip 10.1.1.5 dst-ip 1.1.70.250 - allows you to limit the traffic that you capture using src-ip, src-port, dst-ip, dst-port & etc... Recommeded as debug flow basic can be intensive on the firewall especially if it is under heavy load.
    3)   debug flow basic - turns on flow debuging with a level of basic logging
    4)   clear db - make sure there is nothing in the debug buffer from previous debugs
    5)   Begin the test, do a ping or try to access the resource that you are having problems with.
    6)   undebug all or press Esc key - turns off debug
    7)   get db str - reads the debug buffer and outputs.
    8)   unset ffilter - remove ffilters when finished
    9)   clear db - make sure there is nothing in the debug buffer from previous debugs

debug flow basic



Snoop
Snoop is a powerful troubleshooting tool that gives the user the ability to view packet information from Layer 2 to Layer 4, as it comes into and out of the firewall interfaces. (Bi-directional traffic) Here is the typical procedure when using snoop:

spiceup.net.in_FW-> snoop filter ip 2.2.2.222 - set a filter to limit the traffic that you capture.
spiceup.net.in_FW-> snoop info - check whether the filter is applied properly.
spiceup.net.in_FW-> snoop - "switch on" the snoop and initiate the traffic.
spiceup.net.in_FW-> snoop off - "Turn off" the snoop
spiceup.net.in_FW-> get dbuf stream - check the output of the snoop
spiceup.net.in_FW-> clear db - clear the buffer
Traffic details



Buffer commands:
     get dbuf info       - Displays debug buffer size in bytes
     set dbuf size       - Allocates system memory for the debug buffer
     get dbuf stream  - Displays the contents of the debug buffer
     clear dbuf          - Clears the contents of the debug buffer




Leave your comment below

23 comments:

  1. Awesome post! It's very simple to understand. thx so much :)

    ReplyDelete
  2. Great post and defined in very simple way. Nice work.

    ReplyDelete
  3. Great information, thanks for sharing this valuable information.

    ReplyDelete
  4. I believe there are many more pleasurable opportunities ahead for individuals that looked at your site.

    oracle training in bangalore

    ReplyDelete


  5. App Cloner Free is an application that will allow you to make exact copies of any app on your smartphone or tablet.

    ReplyDelete
  6. This article gives the light in which we can watch the truth. This is exceptionally decent one and gives indepth data. A debt of gratitude is in order for this decent article.  visit website

    ReplyDelete
  7. When a blind man bears the standard pity those who follow…. Where ignorance is bliss ‘tis folly to be wise…. prywatnoscwsieci

    ReplyDelete
  8. My friend mentioned to me your blog, so I thought I’d read it for myself. Very interesting insights, will be back for more! https://weneedprivacy.com

    ReplyDelete
  9. I needed to thank you for this phenomenal read!! I unquestionably adored each and every piece of it. I have you bookmarked your site to look at the new stuff you post. lemigliorivpn.com

    ReplyDelete
  10. Want to make a big and interesting profit? best casino cities then come quickly to us.

    ReplyDelete
  11. I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well. In fact your creative writing abilities has inspired me to start my own BlogEngine blog now. Really the blogging is spreading its wings rapidly. Your write up is a fine example of it. Klik hier

    ReplyDelete