In this next series of posts, I will go over some of the basic diagnostic methods for NetScreen, FortiGate, and Cisco ASA. As firewall admins, we need to know how to aid in the troubleshooting step. Blindly changing rules, rebooting, and a host of other steps are typically a hail mary and accomplish nothing. Don't be scared of the diagnostics or the utilities; they're built right in to HELP YOU!
1st up, flow diagnostics on NetScreen (legacy).
Why we do this is mainly to troubleshoot L3/L4 firewall policy rules, and to validate what's being hit and the policy-id that's being matched.
First, check the debug options to see if anyone left something running, or to clear any previous debug sessions;
iscreen:-> get debug
get debug
flow: basic
If anything is set you might want to clear it;
undebug all
2nd, we want to set up the flow filter(s). This is what we specify to match on: the traffic of interest that we are expecting to inspect or troubleshoot;
iscreen:-> set ff ?
set ff ?
<return>
dst-ip flow filter dst ip
dst-port flow filter dst port
ip-proto flow filter ip proto
src-ip flow filter src ip
src-port flow filter src port
note: you can string multiple filters together on the cmd line in one single line; use specific filters to drill in on the host/port/proto/etc.
Here I'm going to be very specific, and place a flow filter for the Google DNS server 8.8.8.8 and port 53.
note: you can remove any pre-existing filters, and should always check the filters before starting up a flow diagnostic
iscreen:-> set ff dst-ip
8.8.8.8 dst-port 53
set ff dst-ip 8.8.8.8 dst-port 53
filter added
Now I'm validating my filters;
iscreen:-> get ff
get ff
Flow filter based on:
id:0 dst ip 8.8.8.8 dst port 53
iscreen:->
NOTE: to remove a filter, unset ff <filter-id>
Third, now that we have the flow filter set, we need to enable the debug type. Here's a few that my NetScreen, named iscreen, supports based on the ScreenOS version
iscreen:-> get sys
get sys
Product Name: NetScreen-NS5GT-WLAN
Serial Number: 0129012006000174, Control Number: 00000000
Hardware Version: 1010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.4.0r3a.0, Type: Firewall+VPN
Feature: AV-K
Compiled by build_master at: Wed Feb 7 19:00:24 PST 2007
Base Mac: 0012.1ebe.7b50
File Name: screenos_image, Checksum: 51863a99
( she's old but she still puts out :) )
iscreen:-> debug ?
debug ?
admin debug admin
adsl adsl soc debugging
anti-spam anti-spam debugging
apppry Application Proxy debugging
arp arp debugging
asp ASP debugging
asset-recovery asset recovery debugging
auth user authentication debugging
autocfg Auto config debugging
av anti virus scan debugging
bgp bgp debugging
bgroup bgroup debugging
cav cavium debugging
cluster command propagated to cluster
members
cpapi cpapi debugging
cpu-limit CPU limit debugging
dhcp debug dhcp
dhcp6 dhcpv6 debugging
dialer dialer debugging
dip dip debugging
dlog dlog debugging
dns dns debugging
dot1x IEEE802.1X debug
driver driver debugging
emweb EmWeb debugging
filesys Filesys debugging
fips fips debugging
flash flash operating debugging
flow Flow level debugging
flow-tunnel Flow Tunnel debugg
(output shortened)
We are going to do flow debugging, and basic at that;
iscreen:-> debug flow ?
debug flow ?
all all flow debug
basic basic debug
drop drop pak debug
dynpol dynamic policy search debug
illegal illegal debug
internal internal debug
mcast flow multicast debug
mgt mgt debug
mpak mp pak message debug
mpdiff mp diff message debug
mperr mp message error debug
mpgate mp gate message debug
mpmvpn mng over vpn message debug
mpsess mp session message debug
mpvpn mp vpn message debug
pak-poll packet polling debug
self self debug
session session debug
sm-skip No pak passing to SM
spinlock spinlock
tcp-sequence-check tcp sequence check debug
tiny-tcp tiny tcp debug
vlan vlan debug
and;
iscreen:-> debug flow basic
basic
iscreen:->
4th, next we want to flush any existing debug buffer data;
iscreen:-> clear db
clear db
and after we craft traffic, we review the buffer via a simple get cmd;
iscreen:-> get db stream
get db stream
iscreen:-> get db stream
get db stream
****** 12514.0: <Trust/trust> packet received [62]******
ipid = 9288(2448), @026ddc70
packet passed sanity check.
trust:172.16.10.24/50291->8.8.8.8/53,17<Root>
no session found
flow_first_sanity_check: in <trust>, out <N/A>
chose interface trust as incoming nat if.
flow_first_routing: in <trust>, out <N/A>
search route to (trust, 172.16.10.24->8.8.8.8) in vr trust-vr for vsd-0/flag-0/ifp-null
[ Dest] 12.route 8.8.8.8->192.0.2.1, to untrust
routed (x_dst_ip 8.8.8.8) from trust (trust in 0) to untrust
policy search from zone 2-> zone 1
policy_flow_search policy search nat_crt from zone 2-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 8.8.8.8, port 53, proto 17)
No SW RPC rule match, search HW rule
Permitted by policy 1
dip id = 2, 172.16.10.24/50291->192.0.2.191/2099
choose interface untrust as outgoing phy if
no loop on ifp untrust.
session application type 16, name DNS, nas_id 0, timeout 60sec
ALG vector is attached
service lookup identified service 16.
--- more ---
flow_first_final_check: in <trust>, out <untrust>
existing vector list 81-3582ba0.
Session (id:1959) created for first pak 81
flow_first_install_session======>
route to 192.0.2.1
arp entry found for 192.0.2.1
nsp2 wing prepared, ready
cache mac in the session
make_nsp_ready_no_resolve()
search route to (untrust, 8.8.8.8->172.16.10.24) in vr trust-vr for vsd-0/flag-3000/ifp-trust
[ Dest] 1.route 172.16.10.24->172.16.10.24, to trust
route to 172.16.10.24
flow got session.
flow session id 1959
flow_send_vector_, vid = 0, is_layer2_if=0
send packet to traffic shaping queue.
flow_ip_send: 2448:192.0.2.191->8.8.8.8,17 => untrust(62) flag 0x20000, vlan 0
pak has mac
Send to untrust (76)
Interface <untrust> IPv6 disabled, drop IPv6 packet.
****** 12514.0: <Untrust/untrust> packet received [78]******
ipid = 16418(4022), @02691970
packet passed sanity check.
untrust:8.8.8.8/53->192.0.2.191/2099,17<Root>
existing session found. sess token 6
flow got session.
flow session id 1959
existing vector list 81-3582ba0.
flow_send_vector_, vid = 0, is_layer2_if=0
send packet to traffic shaping queue.
flow_ip_send: 4022:8.8.8.8->172.16.10.24,17 => trust(78) flag 0x20000, vlan 0
pak has mac
Send to trust (
NOTE: You should always clear your debug information when you're done, to save on memory and wasted processing. Always validate this has been done.
iscreen:-> undebug all
undebug all
iscreen:-> get debug
get debug
iscreen:->
Some of the things to focus on with regards to the debug output;
· Any Permit/Deny
· Zone (trust to untrust or whatever zones)
· Interfaces involved
· The Policy-ID # (that's your fwpolicy or rule)
· Src/dst-ip (should match your filter if applied)
· Src/dst-port (should match your filter if applied)
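As an added example (my own script, not part of the original post and not a NetScreen/ScreenOS tool), here is a small Python helper that pulls exactly those items out of a pasted "get db stream" buffer, so a long capture doesn't have to be read line by line. It splits the buffer at each "packet received" banner, records the 5-tuple, zones, interfaces, permit/deny and policy-id, NAT (dip) translation and session id per packet, and checks each packet against the same keys "set ff" takes. The sample buffer at the bottom is constructed from the capture above with most debug lines removed; the "Denied by policy" wording and the field names in the result dict are my assumptions.

```python
"""Summarise NetScreen 'get db stream' flow-debug output (added example, not ScreenOS code).
Usage:  python3 nsflow.py < debug_buffer.txt
"""
import re
import sys

# Line patterns follow the output shown in the post. The "Denied by policy"
# wording is an assumption that mirrors "Permitted by policy".
RE_PKT = re.compile(r"\*+\s*([\d.]+):\s*<(\w+)/(\w+)>\s*packet received\s*\[(\d+)\]")
RE_TUPLE = re.compile(r"^(\w+):([\d.]+)/(\d+)->([\d.]+)/(\d+),(\d+)<(\w+)>")
RE_VERDICT = re.compile(r"^(Permitted|Denied) by policy (\d+)")
RE_ZONES = re.compile(r"^policy search from zone (\d+)-> zone (\d+)")
RE_ROUTED = re.compile(r"^routed \(x_dst_ip [\d.]+\) from (\w+) \(\w+ in \d+\) to (\w+)")
RE_EGRESS = re.compile(r"^choose interface (\w+) as outgoing phy if")
RE_SESS_NEW = re.compile(r"^Session \(id:(\d+)\) created")
RE_SESS_ID = re.compile(r"^flow session id (\d+)")
RE_DIP = re.compile(r"^dip id = (\d+), ([\d.]+)/(\d+)->([\d.]+)/(\d+)")


def parse_db_stream(text):
    """Split the buffer at each 'packet received' banner; return one dict per packet."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--- more ---":      # skip blanks and the pager prompt
            continue
        m = RE_PKT.search(line)
        if m:
            cur = {"time": m.group(1), "in_zone": m.group(2), "in_if": m.group(3),
                   "length": int(m.group(4)), "verdict": None, "policy_id": None,
                   "zone_ids": None, "out_zone": None, "out_if": None,
                   "session": "none", "session_id": None, "nat": None}
            packets.append(cur)
            continue
        if cur is None:                              # text before the first banner
            continue
        if m := RE_TUPLE.match(line):                # src/dst ip, port, proto, vsys
            cur.update(src_ip=m.group(2), src_port=int(m.group(3)), dst_ip=m.group(4),
                       dst_port=int(m.group(5)), proto=int(m.group(6)), vsys=m.group(7))
        elif m := RE_VERDICT.match(line):            # permit/deny and the policy-id hit
            cur["verdict"], cur["policy_id"] = m.group(1), int(m.group(2))
        elif m := RE_ZONES.match(line):
            cur["zone_ids"] = (int(m.group(1)), int(m.group(2)))
        elif m := RE_ROUTED.match(line):             # egress zone from the route lookup
            cur["out_zone"] = m.group(2)
        elif m := RE_EGRESS.match(line):
            cur["out_if"] = m.group(1)
        elif m := RE_SESS_NEW.match(line):           # first packet: session created
            cur["session"], cur["session_id"] = "new", int(m.group(1))
        elif line.startswith("existing session found"):
            cur["session"] = "existing"              # later packets skip policy lookup
        elif m := RE_SESS_ID.match(line):
            cur["session_id"] = int(m.group(1))
        elif m := RE_DIP.match(line):                # source NAT (dip) translation
            cur["nat"] = (m.group(2), int(m.group(3)), m.group(4), int(m.group(5)))
    return packets


def matches_filter(pkt, src_ip=None, src_port=None, dst_ip=None, dst_port=None, ip_proto=None):
    """Same keys as 'set ff'; unspecified keys match anything. The post's capture also
    shows the reply packet of the matched session, so either direction is accepted."""
    if "src_ip" not in pkt:
        return False
    if ip_proto is not None and pkt["proto"] != ip_proto:
        return False

    def check(sip, sp, dip, dp):
        return ((src_ip is None or sip == src_ip) and (src_port is None or sp == src_port)
                and (dst_ip is None or dip == dst_ip) and (dst_port is None or dp == dst_port))
    return (check(pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
            or check(pkt["dst_ip"], pkt["dst_port"], pkt["src_ip"], pkt["src_port"]))


def summarise(pkt):
    """One line per packet carrying the items the post says to check."""
    verdict = (f"{pkt['verdict']} by policy {pkt['policy_id']}" if pkt["verdict"]
               else f"no policy verdict logged ({pkt['session']} session)")
    nat = f" | NAT {pkt['nat'][0]}:{pkt['nat'][1]}->{pkt['nat'][2]}:{pkt['nat'][3]}" if pkt["nat"] else ""
    return (f"{pkt['in_if']}:{pkt.get('src_ip')}:{pkt.get('src_port')} -> "
            f"{pkt.get('dst_ip')}:{pkt.get('dst_port')} proto {pkt.get('proto')}"
            f" | zone {pkt['in_zone']}->{pkt['out_zone'] or '?'} | if {pkt['in_if']}->{pkt['out_if'] or '?'}"
            f" | {verdict} | session {pkt['session_id']} ({pkt['session']}){nat}")


# Constructed sample: the post's capture, condensed to the lines this script reads.
SAMPLE = """\
****** 12514.0: <Trust/trust> packet received [62]******
  trust:172.16.10.24/50291->8.8.8.8/53,17<Root>
  no session found
  routed (x_dst_ip 8.8.8.8) from trust (trust in 0) to untrust
  policy search from zone 2-> zone 1
  Permitted by policy 1
  dip id = 2, 172.16.10.24/50291->192.0.2.191/2099
  choose interface untrust as outgoing phy if
  --- more ---
  Session (id:1959) created for first pak 81
  flow session id 1959
****** 12514.0: <Untrust/untrust> packet received [78]******
  untrust:8.8.8.8/53->192.0.2.191/2099,17<Root>
  existing session found. sess token 6
  flow session id 1959
"""

if __name__ == "__main__":
    buf = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for p in parse_db_stream(buf):
        flag = "" if matches_filter(p, dst_ip="8.8.8.8", dst_port=53) else "  [outside filter]"
        print(summarise(p) + flag)
```

Feed it the buffer you copied off the console and compare the policy-id it prints with the rule you expected to hit; a packet that shows up with "no policy verdict logged (existing session)" was matched by the session table, so the policy was decided by an earlier packet and you need to look for that one in the capture.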
I hope this post helps you in your on going diagnostics.
Ken Felix
Freelance Network/Security Engineer
Kfelix at
hyperfeed <d-o-t> com