Packet Capture on System Firewall (ISGs)

There are two classes of Juniper/NetScreen firewalls: appliances and systems. Appliances only have CPUs for processing. Systems are high-end devices that incorporate ASICs as well as CPUs for processing. Packet capture tools like snoop and debug only run in the CPU. When a system receives an initial packet, it inspects it in the CPU; if the packet is permitted, the session is passed to the ASIC. This provides better performance, but you cannot capture traffic once it is in the ASIC. Starting in ScreenOS 6.1, Juniper added a feature that lets you prevent certain traffic from being sent to the ASIC. That traffic stays in the CPU, so you can perform packet captures on it. The option is available on a per-policy basis.

Instructions for preventing traffic from being delivered to the ASIC (enter the policy context, set the option, then exit; the policy id is a placeholder for the id of your capture policy):

set policy id <policy-id>
set no-hw-sess
exit

Note: It is best practice to configure a policy that is specific to the interesting traffic and place it so that it is processed before any more general policy. Once you are done capturing, remove the option, then the policy.
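The whole workflow above as an added worked example (not from the original post): a narrow policy placed ahead of the general rule, the no-hw-sess option, a filtered debug flow capture, and the cleanup in the order the note recommends. The policy id 100, the general policy id 1, the zones, address names and the 10.1.1.5 to 10.2.2.5 HTTP traffic are constructed for illustration; lines beginning with # are annotations, not CLI commands.

```console
# Constructed example for a ScreenOS 6.1+ system (ISG); ids, zones, addresses
# and the captured flow are placeholders, not values from the original post.

# 1. Narrow policy for the interesting traffic only, moved above the general
#    policy (assumed here to be id 1) so it is matched first.
set address Trust Host_A 10.1.1.5/32
set address Untrust Host_B 10.2.2.5/32
set policy id 100 from Trust to Untrust Host_A Host_B HTTP permit
set policy move 100 before 1

# 2. Keep sessions matching policy 100 in the CPU instead of the ASIC.
set policy id 100
set no-hw-sess
exit

# 3. Capture with a flow filter so the debug buffer only holds this traffic.
clear dbuf
set ffilter src-ip 10.1.1.5 dst-ip 10.2.2.5
debug flow basic
#    ... reproduce the traffic, then stop the debug and read the buffer ...
undebug all
get dbuf stream
unset ffilter

# 4. Clean up: remove the option first, then the temporary policy.
set policy id 100
unset no-hw-sess
exit
unset policy id 100
```

The same capture policy works with snoop (snoop filter ip src-ip 10.1.1.5 dst-ip 10.2.2.5, then snoop / snoop off) in place of step 3; the no-hw-sess option is what keeps the packets after the initial SYN visible in either tool.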

Notes on Captures on Netscreens

Please note that captures on a NetScreen system will usually show only the initial SYN packet, whereas captures on a NetScreen appliance will show all packets. The reason is that systems have ASICs: the initial packet goes to the CPU and the rest of the session is then handled in the ASIC, and debug and snoop only work in the CPU. The following is a breakdown of which NetScreens are systems and which are appliances.

Old line:

Systems: NetScreens above 500 (e.g. NS-500, NS-5200)
Appliances: NetScreens below 500 (e.g. NS-5, NS-204)

Current line:

Systems: ISG (e.g. ISG-1000, ISG-2000)
Appliances: SSG (e.g. SSG-5, SSG-520)