[Dr.WoW] [No.7] Precautions for Configuration and Troubleshooting Guides Highlighted

Latest reply: Apr 25, 2015 03:02:44

1 Security Zones

For a new security zone on a firewall, a priority (security level) has to be specified; otherwise, the associated ports cannot be added into the security zone. The following provides an example of failing to add ports to a security zone.

[FW] firewall zone name abc
[FW-zone-abc] add interface GigabitEthernet 0/0/1
Error: Please set the priority on this zone at first.

The following command specifies the priority. Each security zone's priority must be unique: it cannot repeat the priority of any existing security zone.

[FW-zone-abc] set priority 10

Users also tend to forget to add ports to security zones. If no ports are added to a security zone, the firewall cannot determine the forwarding path or the inter-zone relationship for the packets. Consequently, the firewall discards the packets and the service is unavailable.

In this case, you can use the display zone command to check the security zone configuration on the firewall and the ports that have been added to each security zone.

[FW] display zone
local
priority is 100
#
trust
priority is 85
interface of the zone is (1):
    GigabitEthernet0/0/1
#
untrust
priority is 5
interface of the zone is (1):
    GigabitEthernet0/0/2
    GigabitEthernet0/0/3
#
dmz
priority is 50
interface of the zone is (0):
#
abc
priority is 10
interface of the zone is (0):
#

When a service is unavailable, packets may be lost. You can use the display firewall statistic system discard command to check the packet discard statistics on the firewall. If the following output is displayed, the firewall cannot determine the inter-zone relationship and has to discard the packets.

[FW] display firewall statistic system discard
Packets discarded statistic
                            Total packets discarded:          5
                   Interzone miss packets discarded:          5

The root cause of the packet loss is that the ports have not been added to a security zone. This shows how the packet discard statistics on the firewall help locate faults.

2 Stateful Inspection and Session Mechanism

The core technology of a stateful inspection firewall is to analyze the connection status between communication peers and establish sessions for forwarding packets. If a service is unavailable, the corresponding session may not have been established on the firewall. This inference is helpful for troubleshooting.

You can use the display firewall session table command to check for a session for the unavailable service.


If there is no service session on the firewall

There are two probable causes:

  • The service packets do not reach the firewall.
  • The service packets are discarded by the firewall.

For the first probable cause, the service packets may be discarded by other network devices before they reach the firewall. If the other network devices do not discard the service packets, it is the firewall that discards them.

In this case, run the display firewall statistic system discard command to check packet loss statistics on the firewall. If the following information is displayed, the firewall fails to determine inter-zone associations or find an ARP entry.

[FW] display firewall statistic system discard
Packets discarded statistic
                            Total packets discarded:          2
                         ARP miss packets discarded:          2

If the firewall fails to obtain ARP entries, check the ARP function on its upstream and downstream devices.

If the following information is displayed, the firewall discards packets because it cannot find a route for them.

[FW] display firewall statistic system discard
Packets discarded statistic
                            Total packets discarded:          2
                         FIB miss packets discarded:          2

In this case, the route configuration on the firewall has an issue: check whether the firewall has routes to the destinations.

If the following information is displayed, the firewall discards packets because it cannot find a session for them.

[FW] display firewall statistic system discard
Packets discarded statistic
                            Total packets discarded: 2
                    Session miss packets discarded:  2

The firewall may have received the subsequent packets of a flow but not its first (head) packet, so no session exists for them. In this case, check whether the request and reply packets are forwarded over different paths. If required, use the undo firewall session link-state check command to disable stateful inspection for verification.

If the following information is displayed, the firewall discards packets because it fails to establish a session.

[FW] display firewall statistic system discard
Packets discarded statistic
                            Total packets discarded: 2
            Session create fail packets discarded:   2

The number of sessions on the firewall may have reached its limit, so no more sessions can be established. In this case, check for sessions that stay alive for a long time. For example, there may be a large number of DNS sessions, each carrying only a few packets. The DNS session aging time can then be reduced to 3s to speed up aging, using the following command:

[FW] firewall session aging-time dns 3
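As an added example (not part of the original post), the following Python script parses the discard counters shown in sections 1 and 2 and maps each non-zero counter to the check the post recommends for it. The sample output is constructed and combines counters that the post shows in separate outputs.

```python
import re

# Constructed sample output, modelled on the "display firewall statistic system
# discard" output quoted in this post (the counter values are made up).
SAMPLE_DISCARD = """\
Packets discarded statistic
                            Total packets discarded:          9
                   Interzone miss packets discarded:          5
                         ARP miss packets discarded:          2
                         FIB miss packets discarded:          0
                    Session miss packets discarded:           1
            Session create fail packets discarded:            1
"""

# Each discard reason maps to the next check the post recommends for it.
NEXT_CHECK = {
    "Interzone miss": "add the interfaces to a security zone (display zone)",
    "ARP miss": "check ARP on the upstream and downstream devices",
    "FIB miss": "check routes to the destination on the firewall",
    "Session miss": "check for asymmetric request/reply paths; "
                    "undo firewall session link-state check to verify",
    "Session create fail": "check the session table for long-lived sessions "
                           "and shorten their aging time (e.g. DNS)",
}

COUNTER_RE = re.compile(r"^\s*(.+?) packets discarded:\s*(\d+)\s*$")


def parse_discard(output):
    """Return {counter name: count} from the discard statistics output."""
    counters = {}
    for line in output.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def diagnose(counters):
    """Return (reason, count, next check) for every non-zero reason counter,
    highest count first; the 'Total' line is not a reason and is skipped."""
    hits = [(name, n) for name, n in counters.items() if name != "Total" and n > 0]
    hits.sort(key=lambda kv: -kv[1])
    return [(name, n, NEXT_CHECK.get(name, "unknown counter, check the manual"))
            for name, n in hits]


if __name__ == "__main__":
    for name, n, check in diagnose(parse_discard(SAMPLE_DISCARD)):
        print(f"{name}: {n} discarded -> {check}")
```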


If there is a service session on the firewall

Use the display firewall session table verbose command to check the session details. If the following information is displayed, there are packet statistics in the forward direction of the session but none in the reverse direction.

[FW] display firewall session table verbose
Current Total Sessions : 1
  icmp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:10  Left: 00:00:04
  Interface: GigabitEthernet0/0/1  NextHop: 172.16.0.1  MAC: 54-89-98-fc-36-96
  <--packets:0 bytes:0   -->packets:5 bytes:45
  192.168.0.1: 54187-->172.16.0.1:2048

The probable causes are that the reply packets do not reach the firewall or that the firewall discards them. Check whether the reply packets are discarded by other network devices before they reach the firewall, and also check the packet discard statistics on the firewall.
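An added example, not from the original post: a Python parser for the verbose session table shown above that extracts each session's 5-tuple (the item asked about in question 5 below) and flags sessions that carry forward packets but no reply packets. The sample output is constructed by extending the post's ICMP session with a second, healthy telnet session.

```python
import re

# Constructed sample, modelled on the "display firewall session table verbose"
# output quoted in this post; the second session and its counters are made up.
SAMPLE_SESSIONS = """\
Current Total Sessions : 2
  icmp  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:00:10  Left: 00:00:04
  Interface: GigabitEthernet0/0/1  NextHop: 172.16.0.1  MAC: 54-89-98-fc-36-96
  <--packets:0 bytes:0   -->packets:5 bytes:45
  192.168.0.1: 54187-->172.16.0.1:2048
  telnet  VPN:public --> public
  Zone: trust--> untrust  TTL: 00:20:00  Left: 00:19:50
  Interface: GigabitEthernet0/0/1  NextHop: 172.16.0.2  MAC: 54-89-98-fc-36-96
  <--packets:7 bytes:420   -->packets:9 bytes:600
  192.168.0.2: 51870-->172.16.0.2:23
"""

HEADER_RE = re.compile(r"^\s*(\w+)\s+VPN:(\S+) --> (\S+)\s*$")
ZONE_RE = re.compile(r"^\s*Zone:\s*(\S+?)\s*-->\s*(\S+)\s+TTL:")
PKTS_RE = re.compile(r"<--packets:(\d+) bytes:(\d+)\s+-->packets:(\d+) bytes:(\d+)")
TUPLE_RE = re.compile(r"^\s*(\S+):\s*(\d+)-->(\S+):(\d+)\s*$")


def parse_sessions(output):
    """Split the verbose session table into one dict per session."""
    sessions, cur = [], None
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:                      # a protocol/VPN line starts a new session
            cur = {"proto": m.group(1)}
            sessions.append(cur)
            continue
        if cur is None:            # skip the "Current Total Sessions" header
            continue
        if m := ZONE_RE.match(line):
            cur["src_zone"], cur["dst_zone"] = m.group(1), m.group(2)
        elif m := PKTS_RE.search(line):   # "<--" is reverse, "-->" is forward
            cur["rev_pkts"], cur["fwd_pkts"] = int(m.group(1)), int(m.group(3))
        elif m := TUPLE_RE.match(line):
            cur["five_tuple"] = (cur["proto"], m.group(1), int(m.group(2)),
                                 m.group(3), int(m.group(4)))
    return sessions


def one_way_sessions(sessions):
    """Sessions with forward packets but no reply packets: the symptom the post
    says points at reply loss upstream of, or on, the firewall."""
    return [s for s in sessions if s.get("fwd_pkts", 0) > 0 and s.get("rev_pkts", 0) == 0]
```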


Then Dr. WoW has a few questions for you:

1. How do firewalls differ from routers and switches?
2. What features do the first, second, and third generations of firewalls have?
3. Which Huawei firewall was tested by NSS Labs as the ever-fastest firewall?
4. Please name the default priorities (security levels) of local, trust, DMZ, and untrust security zones.
5. Please tell the 5-tuple from the following session.
telnet  VPN:public --> public 192.168.0.2:51870-->172.16.0.2:23
6. How does a firewall with stateful inspection disabled process the received SYN+ACK TCP packets given that the firewall rule allows them to pass?


yogesh
Created Apr 24, 2015 10:24:21

This is very basic knowledge. Now more and more people are moving towards UTM features.


Kindly mention some URL filtering, DPI functionality.


dr.wow
Official Created Apr 25, 2015 03:02:44


We are going to introduce the features you have mentioned in some of the following chapters. Thank you for your attention and please continue to care about our articles.

user_2790689
Created Apr 2, 2015 02:45:28

Thank you for sharing.