Thursday, June 2, 2011

Troubleshooting tips in NetScreen firewall !!!

There are many ways to troubleshoot in NetScreen Firewall when some one reports a Incident, that they are unable to access a Server / Application.

Understand the Packet flow
Packet flow tell the order in which the packet is processed by the firewall, when it reaches the firewall.

Packet flow in NetScreen Firewall

Looking @ Session
It is always a good idea to start the troubleshooting with a session, check if traffic is passing through the firewalls.> get session src-ip dst-ip

You should  see matching session output similar to this:

id 1454/s**,vsys 0,flag 00000050/0080/20,policy 320002,time 1, dip 0
 1(0001):>,1,000d60765d03,3,vlan 0,tun 0,vsd 0,route 2
 3(0010):<-,1,000000000000,4,vlan 0,tun 0,vsd 0,route 10

The Source IP Address has source port as 60185 and destionation ip has destination port as 512, the Source port here is the ICMP Sequence Number, the destination port is the ICMP Identifier, is sending the ping packet (echo request) to the destination and the destination sends back the reply to the ping echo reply.

The below is the output of the partial packet capture using sniffer for the above sessions:

Internet Control Message Protocol
    Type: 8 (Echo (ping) request)
    Code: 0
    Checksum: 0x6042 (correct)
    Identifier: 0x0200
    Sequence number: 0xeb19
    Data (32 bytes)

Internet Control Message Protocol
    Type: 0 (Echo (ping) reply)
    Code: 0
    Checksum: 0x6842 (correct)
    Identifier: 0x0200
    Sequence number: 0xeb19
    Data (32 bytes)

Debug flow basic
Shows the flow of traffic through the firewall, allowing for troubleshooting route selection, policy selection, any address translation and whether the packet is recieved or dropped by the firewall.

    1)   get ffilter - see if an filters have been set already, if they have you use 'unset ffilter' to remove, repeat the steps until you remove all the filters
    2)   set ffilter src-ip dst-ip - allows you to limit the traffic that you capture using src-ip, src-port, dst-ip, dst-port & etc... Recommeded as debug flow basic can be intensive on the firewall especially if it is under heavy load.
    3)   debug flow basic - turns on flow debuging with a level of basic logging
    4)   clear db - make sure there is nothing in the debug buffer from previous debugs
    5)   Begin the test, do a ping or try to access the resource that you are having problems with.
    6)   undebug all or press Esc key - turns off debug
    7)   get db str - reads the debug buffer and outputs.
    8)   unset ffilter - remove ffilters when finished
    9)   clear db - make sure there is nothing in the debug buffer from previous debugs

debug flow basic

Snoop is a powerful troubleshooting tool that gives the user the ability to view packet information from Layer 2 to Layer 4, as it comes into and out of the firewall interfaces. (Bi-directional traffic) Here is the typical procedure when using snoop:> snoop filter ip - set a filter to limit the traffic that you capture.> snoop info - check whether the filter is applied properly.> snoop - "switch on" the snoop and initiate the traffic.> snoop off - "Turn off" the snoop> get dbuf stream - check the output of the snoop> clear db - clear the buffer
Traffic details

Buffer commands:
     get dbuf info       - Displays debug buffer size in bytes
     set dbuf size       - Allocates system memory for the debug buffer
     get dbuf stream  - Displays the contents of the debug buffer
     clear dbuf          - Clears the contents of the debug buffer

Leave your comment below


  1. Awesome post! It's very simple to understand. thx so much :)

  2. Great post and defined in very simple way. Nice work.

  3. Great information, thanks for sharing this valuable information.

  4. I believe there are many more pleasurable opportunities ahead for individuals that looked at your site.

    oracle training in bangalore

  5. This article gives the light in which we can watch the truth. This is exceptionally decent one and gives indepth data. A debt of gratitude is in order for this decent article.  visit website

  6. When a blind man bears the standard pity those who follow…. Where ignorance is bliss ‘tis folly to be wise…. prywatnoscwsieci

  7. My friend mentioned to me your blog, so I thought I’d read it for myself. Very interesting insights, will be back for more!

  8. I needed to thank you for this phenomenal read!! I unquestionably adored each and every piece of it. I have you bookmarked your site to look at the new stuff you post.

  9. I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well. In fact your creative writing abilities has inspired me to start my own BlogEngine blog now. Really the blogging is spreading its wings rapidly. Your write up is a fine example of it. Klik hier

  10. This is an incredible high goals screen which you have shared for the clients. Making a site isn't a simple undertaking however dealing with a decent site is extremely a diligent work. To the extent this site is concerned, I am extremely glad. 먹튀사이트

  11. Many homework on the continual hunt along with offstage on the road to winning. Definitely not attached, simple to-fall as a result of wayside; And not investigation, afterward into a path travel toward the black. Low-Cost Health Insurance

  12. wonderful article. Very interesting to read this article.I would like to thank you for the efforts you had made for writing this awesome article. สล็อตออนไลน์

  13. I was reading some of your content on this website and I conceive this internet site is really informative ! Keep on putting up.slotxo