Troubleshoot NetScreen Policy

To check for traffic being permitted /denied by the firewall based on policy, setup a Flow Filter and analyze the packet captures.  To setup a flow filter based on source and/or destination IPs, issue the following commands:

Make sure any previous flow filters and/or debugs are removed:

Get Debug (disable any existing debugs by issuing “undebug all”)

Get ff (run this command to verify no other flow filter exist, if previous ff exist, remove them by issuing “unset ff”)

Set ff src-ip 10.255.7.123 dst-ip 10.247.199.155

Clear db (this will clear any previous capture saved in the memory buffers)

Debug flow basic (this will start to capture packets into buffers based on the flow filter)

Get db stream ( this will show the details of packet captures saved in memory buffers)

 

After the flow filter and debugs have been enabled, have the user attempt a connection.  After attempted connection, analyze captures.

Example: (note that this output is truncated for sake of brevity, the complete output contains detailed information on NAT, routing, source/destination interfaces etc.)

 

policy search from zone 32-> zone 1

policy_flow_search  policy search nat_crt from zone 32-> zone 1

RPC Mapping Table search returned 0 matched service(s) for (vsys testf1, ip 10.12.11.41, port 8476, proto 6)

No SW RPC rule match, search HW rule

rs_search_ip: policy matched id/idx/action = 1/168/0x1

Permitted by policy 1    ß----------indicates that the connection is being permitted by policy id

No src xlate   choose interface ethernet1/1.499 as outgoing phy if

flow session id 395618

transfer packet to hardware.  ß-------indicates that the packet was forwarded by the firewall

 

After you are done with packet capture, remember to disabled debugs and remove the flow filter:

Undebug all
Unset ff
Clear db
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s