Firewall Typical Networking and Troubleshooting Common Faults

Post on 20-Jan-2016

27 views

Category:

Documents


0 download

DESCRIPTION

Firewall Typical Networking and Troubleshooting Common Faults. Objectives. Master the typical networking of SecPath firewall. Master the skills of troubleshooting common faults of SecPath firewall. Upon completion of this course, you will be able to:. Contents. Common Firewall Networking - PowerPoint PPT Presentation

TRANSCRIPT

Page 1

Firewall Typical Networking and Troubleshooting Common Faults

Page 2

Objectives

Upon completion of this course, you will be able to:

• Master the typical networking of the SecPath firewall.

• Master the skills of troubleshooting common faults of the SecPath firewall.

Page 3

3Com Confidential.


Contents

Common Firewall Networking

Troubleshooting Common Faults of Firewall

Page 4

Cases of Common Firewall Networking

• Applications at the egress of government and enterprise vertical networks

• Applications in the networking of financial and security industries

• Applications with carrier-class reliability

Page 5

Applications at the Egress of Government and Enterprise Vertical Networks

[Network diagram: enterprise users in the Trust domain and a server cluster in the DMZ domain sit behind a SecPath firewall whose Untrust domain faces the Internet.]

Page 6

Applications in the Networking of Financial and Security Industries

[Network diagram: two firewalls, SecPath A and SecPath B, separate the Internet (untrust domain) from DMZ domain 1, DMZ domain 2 and the Trust domain. Labelled elements include an authentication server, a data center, online banking, e-commerce and web browsing services, an intranet server, and enterprise users.]

Page 7

Applications with Carrier-Class Reliability

[Network diagram: enterprise users on the intranet, a branch site and a public network server, connected through the Internet.]

Page 8


Contents

Common Firewall Networking

Troubleshooting Common Faults of Firewall

Page 9

Troubleshooting Process

• Check the physical link status.

• Check the firewall default action (interception or release).

• Check whether the interface is added into the correct domain.

• Check whether the ARP table items are correct.

• Check the matching status of the ACL rules.

• Check whether the NAT table items are correct.

• Check whether ASPF is activated in the correct interface and direction.

• Check whether the domain statistics function is activated.

Page 10

Symptom of Common Faults (1)

• Symptom: After the firewall interface is configured with an IP address, pinging that IP address fails.

• Diagnosis: Ping failure may be caused by the following factors. Rule out the possibilities one by one.

1) Ensure that the firewall physical link is up.

2) Ensure that the physical interface has been added into one of the domains.

3) Check the default rules and ACL rules of the firewall.

4) Check whether the ARP table contains the MAC address of the peer equipment.

5) Query the receiving/transmitting of ICMP packets with the debug command.
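Steps 3 of this diagnosis and the "default action (interception or release)" and "matching status of the ACL rules" items of the troubleshooting process on page 9 come down to one question: which rule, if any, does the packet hit, and what happens when none does. The following is an added example (not code from the course or from the SecPath product) of a first-match packet filter with a configurable default action. The rule fields, the rule set and the two ping packets are constructed assumptions; they do not reproduce the SecPath ACL syntax. It shows the same ICMP echo being released by an explicit rule from one source and falling through to the default action from another, so that flipping the default between interception and release changes only the second result.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                  # "permit" (release) or "deny" (intercept)
    proto: str                   # "ip" matches any protocol; else "tcp", "udp", "icmp"
    src: str                     # source network, CIDR notation
    dst: str                     # destination network, CIDR notation
    dport: Optional[int] = None  # destination port; None means any port


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default_action: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation: returns (action, index of the matching rule).
    The index is None when no rule matched and the default action decided."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return default_action, None


def explain(rules: List[Rule], pkt: Packet, default_action: str) -> str:
    """One-line verdict naming the rule (or the default) that decided the packet."""
    action, idx = evaluate(rules, pkt, default_action)
    where = f"rule {idx}" if idx is not None else "default action"
    return f"{pkt.proto} {pkt.src} -> {pkt.dst}: {action} ({where})"


# Constructed rule set (assumption): the firewall interface 192.168.1.1 faces a
# trust-side LAN 192.168.1.0/24; 10.0.0.10 is a DMZ web server.
RULES = [
    Rule("permit", "icmp", "192.168.1.0/24", "192.168.1.1/32"),
    Rule("permit", "tcp", "0.0.0.0/0", "10.0.0.10/32", dport=443),
    Rule("deny", "tcp", "0.0.0.0/0", "10.0.0.10/32"),
]

# Constructed test packets: an echo request from the LAN and one from elsewhere.
PING_FROM_LAN = Packet("icmp", "192.168.1.20", "192.168.1.1")
PING_FROM_OTHER = Packet("icmp", "172.16.5.9", "192.168.1.1")

if __name__ == "__main__":
    for default in ("deny", "permit"):
        print(f"default action = {default}")
        for pkt in (PING_FROM_LAN, PING_FROM_OTHER):
            print("  " + explain(RULES, pkt, default))
```

With the default set to interception the second ping is dropped even though no rule mentions it, which is exactly the case the troubleshooting process tells you to check before blaming the link or the ARP table.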

Page 11

Symptom of Common Faults (2)

• Symptom: After port scanning and address scanning intrusion protection and the dynamic blacklist are configured, the intrusion log cannot be viewed on the firewall, and the scanning source addresses are not added dynamically into the blacklist.

• Diagnosis:

1) Check whether the scanning speed of the scanning tool exceeds the per-second max-rate value set in the configuration file.

2) Check whether the blacklist function is activated.

3) Check whether the IP statistics function is activated for connections in the outbound direction of the initiator's domain.

Page 12

Symptom of Common Faults (3)

• Symptom: After the filtering based on key words of the web page content is set, it is not valid.

• Diagnosis:

1) Check whether the ASPF is configured to detect HTTP.

2) Check whether the ASPF is applied to the interface or between the domains.

3) Query the filtering record with the display firewall web-filter command.

(Precaution: When the web page filtering and mail filtering are configured, the ASPF detection function must be enabled.)

Page 13

Symptom of Common Faults (4)

• Symptom: The system cannot detect the 2FE card.

• Diagnosis:

1) Query whether the 2FE card has been registered with the display version command.

2) Check the type of the 2FE card. There are two types of 2FE cards.

SecPath supports only the 2FE card with the 82559 chip. It does not support the 2FE card with the 21143 chip.

How to tell the two types of boards apart:

(Note: The two boards are distinguished by visual inspection of the physical chips. On the 2FE with the 21143 chip, there is a chip of about 4 square centimeters near the PCI socket, marked 21143. On the 2FE with the 82559 chip, there is only a chip of about 1 square centimeter in the middle of the board, marked 82559.)

Page 14

Symptom of Common Faults (5)

• Symptom: The firewall working mode is set to transparent. The routers on both sides of the firewall cannot establish an OSPF neighbor relationship.

• Diagnosis:

1) Check whether the flood or broadcast function is activated for unknown-MAC packets.

2) Check with the ping command whether both ends of the physical link are connected.

3) Check whether the area number, network number, hello interval and dead interval in the hello packets of both ends are consistent.

4) For other causes, refer to the debugging of the OSPF protocol.
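Steps 1 and 2 are about whether the transparent firewall forwards the hellos at all; step 3 is about their contents. OSPFv2 routers refuse adjacency when the area ID, network mask, hello interval or dead interval in the received Hello differ from their own, so comparing those four fields from a capture on each side of the firewall settles step 3. The following is an added example (not code from the course or from any router vendor) that builds two minimal OSPFv2 Hello packets, parses them with the standard header and Hello layout, and lists the fields that disagree. The router IDs, area IDs and timers are constructed values; "network number" on the slide is taken here to mean the Network Mask field of the Hello, and the checksum and authentication fields are left zero because the example never puts these packets on a wire.

```python
import ipaddress
import struct
from typing import Dict, List

# OSPFv2 common header (24 bytes) and Hello body without neighbor list (20 bytes).
OSPF_HEADER = "!BBH4s4sHH8s"   # version, type, length, router ID, area ID, checksum, AuType, authentication
HELLO_BODY = "!4sHBBI4s4s"     # network mask, hello interval, options, priority, dead interval, DR, BDR
HELLO_TYPE = 1

# Fields that must agree on both ends for an adjacency to form (diagnosis step 3).
COMPARED_FIELDS = ("area_id", "network_mask", "hello_interval", "dead_interval")


def build_hello(router_id: str, area_id: str, network_mask: str,
                hello_interval: int, dead_interval: int, priority: int = 1) -> bytes:
    """Build a minimal OSPFv2 Hello: no neighbors, zero checksum, null authentication.
    Constructed for this example only."""
    body = struct.pack(HELLO_BODY,
                       ipaddress.IPv4Address(network_mask).packed,
                       hello_interval, 0x02, priority, dead_interval,
                       b"\x00" * 4, b"\x00" * 4)
    header = struct.pack(OSPF_HEADER, 2, HELLO_TYPE, 24 + len(body),
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed,
                         0, 0, b"\x00" * 8)
    return header + body


def parse_hello(pkt: bytes) -> Dict[str, object]:
    """Decode the fields of an OSPFv2 Hello that matter for neighbor formation."""
    if len(pkt) < 44:
        raise ValueError("packet too short for an OSPFv2 Hello")
    version, ptype, length, rid, aid, _csum, _autype, _auth = struct.unpack(OSPF_HEADER, pkt[:24])
    if version != 2 or ptype != HELLO_TYPE:
        raise ValueError("not an OSPFv2 Hello")
    mask, hello_int, _opts, prio, dead_int, _dr, _bdr = struct.unpack(HELLO_BODY, pkt[24:44])
    return {
        "router_id": str(ipaddress.IPv4Address(rid)),
        "area_id": str(ipaddress.IPv4Address(aid)),
        "network_mask": str(ipaddress.IPv4Address(mask)),
        "hello_interval": hello_int,
        "dead_interval": dead_int,
        "priority": prio,
        "length": length,
    }


def hello_mismatches(a: Dict[str, object], b: Dict[str, object]) -> List[str]:
    """Names of the compared fields on which the two Hellos disagree."""
    return [f for f in COMPARED_FIELDS if a[f] != b[f]]


# Constructed samples: router A is correct, router B was configured in the wrong area
# with a dead interval that does not match.
ROUTER_A_HELLO = build_hello("1.1.1.1", "0.0.0.0", "255.255.255.0", 10, 40)
ROUTER_B_HELLO = build_hello("2.2.2.2", "0.0.0.1", "255.255.255.0", 10, 60)

if __name__ == "__main__":
    a, b = parse_hello(ROUTER_A_HELLO), parse_hello(ROUTER_B_HELLO)
    bad = hello_mismatches(a, b)
    print("mismatched fields:", bad if bad else "none")
    for f in bad:
        print(f"  {f}: {a['router_id']} sends {a[f]}, {b['router_id']} sends {b[f]}")
```

In practice the two byte strings would come from captures taken on each side of the firewall; if the hellos parse cleanly on one side but never appear on the other, the problem is step 1 or 2, not the OSPF parameters.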

Page 15

Symptom of Common Faults (6)

• Symptom: After the setting of the GRE tunnel is completed, the ping command of the peer tunnel interface is not successful.

• Diagnosis: Rule out the possible causes one by one:

1) Ensure that the tunnel interface has been added into the domain in which the public network resides.

2) Check whether the tunnel interface is in the up status with the display interface tunnel command.

3) Check whether the tunnel has been configured with the correct source and destination addresses.

4) Check whether the routing table contains a route to the tunnel destination address, or check whether the tunnel destination address is reachable with the ping command.

(Precaution: All interfaces, either physical interface or virtual interface, must be added into a certain domain.)

Page 16

Symptom of Common Faults (7)

• Symptom: When the browser is applied to log in to the firewall, “The page cannot be found” is prompted.

• Diagnosis:

1) Check whether the physical link from the PC to the firewall is faulty.

2) Check whether flash contains the http.zip file with the dir command.

3) If the file does not exist, separate the file from the system software with the detach command.

Page 17

Summary

The course is summarized as follows:

• Common networking modes of the firewall

• Troubleshooting common faults of the SecPath firewall

Page 18

Thank you