To check whether traffic is being permitted or denied by the firewall based on policy, set up a flow filter and analyze the packet captures. To set up a flow filter based on source and/or destination IPs, issue the following commands:
Make sure any previous flow filters and/or debugs are removed:
get debug (disable any existing debugs by issuing "undebug all")
get ff (run this command to verify that no other flow filter exists; if a previous ff exists, remove it by issuing "unset ff")
set ff src-ip 10.255.7.123 dst-ip 10.247.199.155
clear db (this will clear any previous capture saved in the memory buffers)
debug flow basic (this will start capturing packets into the buffers based on the flow filter)
get db stream (this will show the details of the packet captures saved in the memory buffers)
After the flow filter and debugs have been enabled, have the user attempt a connection. After the attempted connection, analyze the captures.
Example: (note that this output is truncated for the sake of brevity; the complete output contains detailed information on NAT, routing, source/destination interfaces, etc.)
policy search from zone 32-> zone 1
policy_flow_search policy search nat_crt from zone 32-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys testf1, ip 10.12.11.41, port 8476, proto 6)
No SW RPC rule match, search HW rule
rs_search_ip: policy matched id/idx/action = 1/168/0x1
Permitted by policy 1   <---------- indicates that the connection is being permitted by policy id 1
No src xlate
choose interface ethernet1/1.499 as outgoing phy if
flow session id 395618
transfer packet to hardware.   <------- indicates that the packet was forwarded by the firewall
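Reading a long "get db stream" dump by eye is error-prone when there are many packets in the buffer. The following Python script is an added example (not part of the original note and not ScreenOS code): it runs over the debug output above and pulls out the policy verdict, the outgoing interface, the session id and whether the packet was actually handed off for forwarding. The permitted sample is the page's own output, split one message per line; the denied sample, and its "Denied by policy" wording and 0x0 action code, are constructed assumptions about the deny path and should be checked against a real capture. The consistency check compares the policy id on the rs_search_ip line with the id on the verdict line, so a mismatch (for example from two interleaved flows) is flagged instead of silently reported.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the truncated "get db stream" output shown on the page,
# one message per line as the ScreenOS CLI prints it.
SAMPLE_PERMIT = """\
policy search from zone 32-> zone 1
policy_flow_search policy search nat_crt from zone 32-> zone 1
RPC Mapping Table search returned 0 matched service(s) for (vsys testf1, ip 10.12.11.41, port 8476, proto 6)
No SW RPC rule match, search HW rule
rs_search_ip: policy matched id/idx/action = 1/168/0x1
Permitted by policy 1
No src xlate
choose interface ethernet1/1.499 as outgoing phy if
flow session id 395618
transfer packet to hardware.
"""

# Constructed sample of a denied flow. The "Denied by policy" wording and the
# 0x0 action code are assumptions about the deny path, not output from the page.
SAMPLE_DENY = """\
policy search from zone 32-> zone 1
rs_search_ip: policy matched id/idx/action = 7/0/0x0
Denied by policy 7
"""

# Patterns for the messages that carry the verdict, anchored on the fixed
# wording visible in the sample above.
RE_ZONES = re.compile(r"policy search from zone (\d+)-> zone (\d+)")
RE_MATCH = re.compile(r"policy matched id/idx/action = (\d+)/(\d+)/(0x[0-9a-fA-F]+)")
RE_VERDICT = re.compile(r"^(Permitted|Denied) by policy (\d+)", re.IGNORECASE)
RE_OUT_IF = re.compile(r"choose interface (\S+) as outgoing phy if")
RE_SESSION = re.compile(r"flow session id (\d+)")


@dataclass
class FlowVerdict:
    src_zone: Optional[int] = None
    dst_zone: Optional[int] = None
    matched_policy: Optional[int] = None   # id from the rs_search_ip line
    action_code: Optional[str] = None      # raw action field, e.g. 0x1
    verdict: Optional[str] = None          # "permit" or "deny"
    verdict_policy: Optional[int] = None   # id from the "... by policy N" line
    src_nat: Optional[bool] = None         # None when no NAT line was seen
    out_if: Optional[str] = None
    session_id: Optional[int] = None
    forwarded: bool = False                # "transfer packet to hardware" seen

    def consistent(self) -> bool:
        """The matched policy id and the verdict line must name the same policy."""
        if self.matched_policy is None or self.verdict_policy is None:
            return False
        return self.matched_policy == self.verdict_policy


def parse_flow(text: str) -> FlowVerdict:
    """Extract the policy decision and forwarding details from debug flow basic output."""
    v = FlowVerdict()
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_ZONES.search(line):
            v.src_zone, v.dst_zone = int(m.group(1)), int(m.group(2))
        elif m := RE_MATCH.search(line):
            v.matched_policy, v.action_code = int(m.group(1)), m.group(3)
        elif m := RE_VERDICT.match(line):
            v.verdict = "permit" if m.group(1).lower() == "permitted" else "deny"
            v.verdict_policy = int(m.group(2))
        elif line == "No src xlate":
            v.src_nat = False
        elif m := RE_OUT_IF.search(line):
            v.out_if = m.group(1)
        elif m := RE_SESSION.search(line):
            v.session_id = int(m.group(1))
        elif line.startswith("transfer packet to hardware"):
            v.forwarded = True
    return v


def summarize(v: FlowVerdict) -> str:
    """One-line summary suitable for a ticket note."""
    if v.verdict is None:
        return "no policy verdict found in capture (check the flow filter and that debug flow basic was running)"
    s = f"zone {v.src_zone} -> zone {v.dst_zone}: {v.verdict} by policy {v.verdict_policy}"
    if v.verdict == "permit":
        s += f", out {v.out_if}, session {v.session_id}, forwarded={v.forwarded}"
    if not v.consistent():
        s += " [WARNING: matched policy id and verdict line disagree]"
    return s


if __name__ == "__main__":
    for sample in (SAMPLE_PERMIT, SAMPLE_DENY):
        print(summarize(parse_flow(sample)))
```

Paste the relevant block of "get db stream" output into a file and feed it to parse_flow; when the summary says "no policy verdict found", the usual causes are a flow filter that did not match the user's traffic or a debug that was not running while the connection was attempted.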
After you are done with the packet capture, remember to disable the debugs and remove the flow filter:
undebug all
unset ff
clear db