In this next series of posts, I will go over some basic diagnostic methods for NetScreen, FortiGate and Cisco ASA. As firewall admins, we need to know how to aid in troubleshooting. Blindly changing rules, rebooting, and a host of other steps are typically a hail mary and accomplish nothing.
1st up, flow diagnostics on the FortiGate series are simple. We do this mainly to troubleshoot L3/L4 firewall policy rules, and to validate what's being hit and the policy-id involved, any NAT'ing, or whether encryption is taking place.
First, check the debug options to see if anyone left something running, or to clear any previous debug sessions;
SomeFWFGT01 # diag debug info
debug output: disable
console timestamp: disable
console no user log message: disable
CLI debug level: 3
If anything is set, you might want to clear it;
diag debug reset
2nd, we want to enable debug before we start;
SomeFWFGT01 # diag debug enable
SomeFWFGT01 #
Third, we want to set up the flow diagnostic. Similar to my flow diag with NetScreens, we have filter options in FortiOS;
SomeFWFGT01 # diag debug flow
filter trace packet with filter
filter6 trace packet with ipv6 filter
show whether to display trace on console
trace start/stop trace
SomeFWFGT01 # diag debug flow filter
addr ip address
clear clear filter
daddr dest ip address
dport destination port
negate inverse filter
port port
proto protocol number
saddr source ip address
sport source port
vd index of virtual domain
note: filter6 is for ipv6 filters
Here I'm going to be very specific, and place a flow filter for the Google DNS server 8.8.8.8 and port 53;
diag debug flow filter daddr 8.8.8.8
diag debug flow filter dport 53
Fourth, now that we have the flow filter set, we need to tell the firewall to display the traces on the console;
SomeFWFGT01 # diag debug flow show console enable
show trace messages on console
And lastly, we start the trace;
SomeFWFGT01 # diag debug flow trace start 1000
NOTE: The above says to start and display the first 1K (1000) traces.
Now when interesting traffic matches our filter, we will get a trace;
SomeFWFGT01 # id=36871 trace_id=217 msg="vd-root received a packet(proto=17, 10.10.100.9:46883->8.8.8.8:53) from WEB_NET01."
id=36871 trace_id=217 msg="allocate a new session-301981cb"
id=36871 trace_id=217 msg="find a route: gw-192.0.2.1 via EXT_NET01"
id=36871 trace_id=217 msg="find SNAT: IP-192.0.2.2, port-30639"
id=36871 trace_id=217 msg="Allowed by Policy-10: SNAT"
id=36871 trace_id=217 msg="SNAT 10.10.100.9->192.0.2.2:30639"
id=36871 trace_id=217 msg="run helper-dns-udp(dir=original)"
id=36871 trace_id=218 msg="vd-root received a packet(proto=17, 10.10.100.9:52631->8.8.8.8:53) from WEB_NET01."
id=36871 trace_id=218 msg="allocate a new session-30198221"
id=36871 trace_id=218 msg="find a route: gw-192.0.2.1 via EXT_NET01"
id=36871 trace_id=218 msg="find SNAT: IP-192.0.2.2, port-40219"
id=36871 trace_id=218 msg="Allowed by Policy-10: SNAT"
id=36871 trace_id=218 msg="SNAT 10.10.100.9->192.0.2.2:40219"
id=36871 trace_id=218 msg="run helper-dns-udp(dir=original)"
id=36871 trace_id=219 msg="vd-root received a packet(proto=17, 10.10.100.9:51360->8.8.8.8:53) from WEB_NET01."
id=36871 trace_id=219 msg="allocate a new session-3019827d"
id=36871 trace_id=219 msg="find a route: gw-192.0.2.1 via EXT_NET01"
id=36871 trace_id=219 msg="find SNAT: IP-192.0.2.2, port-26668"
id=36871 trace_id=219 msg="Allowed by Policy-10: SNAT"
id=36871 trace_id=219 msg="SNAT 10.10.100.9->192.0.2.2:26668"
id=36871 trace_id=219 msg="run helper-dns-udp(dir=original)"
id=36871 trace_id=220 msg="vd-root received a packet(proto=17, 10.10.100.9:45227->8.8.8.8:53) from WEB_NET01."
id=36871 trace_id=220 msg="allocate a new session-3019ab4d"
id=36871 trace_id=220 msg="find a route: gw-192.0.2.1 via EXT_NET01"
id=36871 trace_id=220 msg="find SNAT: IP-192.0.2.2, port-45095"
id=36871 trace_id=220 msg="Allowed by Policy-10: SNAT"
id=36871 trace_id=220 msg="SNAT 10.10.100.9->192.0.2.2:45095"
id=36871 trace_id=220 msg="run helper-dns-udp(dir=original)"
id=36871 trace_id=221 msg="vd-root received a packet(proto=17, 10.10.100.9:59618->8.8.8.8:53) from WEB_NET01."
id=36871 trace_id=221 msg="allocate a new session-3019ab63"
id=36871 trace_id=221 msg="find a route: gw-192.0.2.1 via EXT_NET01"
id=36871 trace_id=221 msg="find SNAT: IP-192.0.2.2, port-47214"
id=36871 trace_id=221 msg="Allowed by Policy-10: SNAT"
id=36871 trace_id=221 msg="SNAT 10.10.100.9->192.0.2.2:47214"
id=36871 trace_id=221 msg="run helper-dns-udp(dir=original)"
Each trace is marked with a trace_id, and the key takeaways are the following;
- Interface src/dst ( directionality )
- Fwpolicy ID
- Session allocation
- whether SNAT/DNAT applied ( NAT )
- Allowed or Denied ( action )
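When a trace runs to a thousand lines, pulling those takeaways out by eye gets old fast. The script below is an added example (my own helper, not FortiOS or anything from the post): it groups raw diag debug flow lines by trace_id and reduces each trace to direction, session, NAT, policy and verdict. Trace 217 in the sample is copied from the output above; trace 222 and its "Denied by forward policy check (policy 0)" message are constructed, and that deny wording, like the DNAT form of the "find ...NAT:" message, is an assumed format rather than one shown on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input. Trace 217 is copied from the debug flow output in
# the post (including the console prompt echoed on the first line); trace 222
# is constructed, and its "Denied by forward policy check" message is an
# assumed format that does not appear in the post.
SAMPLE_TRACE = """\
SomeFWFGT01 # id=36871 trace_id=217 msg="vd-root received a packet(proto=17, 10.10.100.9:46883->8.8.8.8:53) from WEB_NET01."
id=36871 trace_id=217 msg="allocate a new session-301981cb"
id=36871 trace_id=217 msg="find a route: gw-192.0.2.1 via EXT_NET01"
id=36871 trace_id=217 msg="find SNAT: IP-192.0.2.2, port-30639"
id=36871 trace_id=217 msg="Allowed by Policy-10: SNAT"
id=36871 trace_id=217 msg="SNAT 10.10.100.9->192.0.2.2:30639"
id=36871 trace_id=217 msg="run helper-dns-udp(dir=original)"
id=36871 trace_id=222 msg="vd-root received a packet(proto=17, 10.10.100.9:40001->8.8.8.8:53) from WEB_NET01."
id=36871 trace_id=222 msg="find a route: gw-192.0.2.1 via EXT_NET01"
id=36871 trace_id=222 msg="Denied by forward policy check (policy 0)"
"""

# One regex per message type seen in the trace; the DNAT form is assumed to
# mirror the SNAT form, which is the only one shown in the post.
LINE_RE = re.compile(r'id=(?P<id>\d+)\s+trace_id=(?P<tid>\d+)\s+msg="(?P<msg>[^"]*)"')
RECV_RE = re.compile(r'received a packet\(proto=(\d+), ([\d.]+:\d+)->([\d.]+:\d+)\) from (\S+)\.')
SESSION_RE = re.compile(r'allocate a new session-([0-9a-f]+)')
ROUTE_RE = re.compile(r'find a route: gw-[\d.]+ via (\S+)')
NAT_RE = re.compile(r'find (SNAT|DNAT): IP-([\d.]+), port-(\d+)')
ALLOW_RE = re.compile(r'^Allowed by Policy-(\d+)')
DENY_RE = re.compile(r'^Denied.*?policy (\d+)', re.IGNORECASE)


@dataclass
class TraceSummary:
    """The key takeaways for one trace_id: direction, policy, session, NAT, action."""
    trace_id: int
    proto: Optional[int] = None
    src: Optional[str] = None          # ip:port before NAT
    dst: Optional[str] = None
    src_intf: Optional[str] = None     # interface the packet arrived on
    dst_intf: Optional[str] = None     # interface chosen by the route lookup
    session: Optional[str] = None
    nat: Optional[Tuple[str, str, int]] = None   # (SNAT|DNAT, ip, port)
    policy_id: Optional[int] = None
    action: str = "incomplete"         # allowed | denied | incomplete
    messages: List[str] = field(default_factory=list)


def parse_flow_trace(text: str) -> Dict[int, TraceSummary]:
    """Group raw 'diag debug flow' lines by trace_id and extract the takeaways."""
    traces: Dict[int, TraceSummary] = {}
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue   # prompt echoes, blank lines and other console noise
        tid = int(m.group("tid"))
        msg = m.group("msg")
        t = traces.setdefault(tid, TraceSummary(trace_id=tid))
        t.messages.append(msg)
        if (r := RECV_RE.search(msg)):
            t.proto, t.src, t.dst, t.src_intf = int(r[1]), r[2], r[3], r[4]
        elif (r := SESSION_RE.search(msg)):
            t.session = r[1]
        elif (r := ROUTE_RE.search(msg)):
            t.dst_intf = r[1]
        elif (r := NAT_RE.search(msg)):
            t.nat = (r[1], r[2], int(r[3]))
        elif (r := ALLOW_RE.search(msg)):
            t.action, t.policy_id = "allowed", int(r[1])
        elif (r := DENY_RE.search(msg)):
            t.action, t.policy_id = "denied", int(r[1])
    return traces


def summarize(text: str) -> List[str]:
    """One line per trace_id; 'incomplete' flags a trace with no verdict seen."""
    lines = []
    for t in sorted(parse_flow_trace(text).values(), key=lambda s: s.trace_id):
        nat = f"{t.nat[0]} {t.nat[1]}:{t.nat[2]}" if t.nat else "no NAT"
        verdict = t.action + (f" by policy {t.policy_id}" if t.policy_id is not None else "")
        lines.append(f"trace {t.trace_id}: proto {t.proto} {t.src}->{t.dst} "
                     f"{t.src_intf}->{t.dst_intf} session {t.session} {nat} {verdict}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_TRACE)))
```

Paste the console capture into the script (or pipe it in) and you get one line per trace_id. A trace that shows up as "incomplete" never reached an allow or deny message, which usually means the capture was cut off by the trace count or the packet was consumed somewhere before policy lookup, so those are the ones worth re-running with a tighter filter.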
As with the NetScreen, we need to remind ourselves to reset the diag debug function to conserve memory.
diag debug reset
The next post will be on the Cisco ASA, and then I will wrap up with the PaloAlto series. With these last three, we have the means to capture data and run pcaps for exporting. I will cover that in a separate post.
Ken Felix
Freelance Network/Security Engineer
Kfelix at
hyperfeed <d-o-t> com