Firewall Typical Networking and Troubleshooting Common Faults
Objectives
Upon completion of this course, you will be able to:
1) Master the typical networking of the SecPath firewall.
2) Master the skills of troubleshooting common faults of the SecPath firewall.
3Com Confidential.

Contents
1) Common Firewall Networking
2) Troubleshooting Common Faults of the Firewall
Cases of Common Firewall Networking
1) Applications at the egress of government and enterprise vertical networks
2) Applications in the networking of the financial and security industries
3) Applications with carrier-class reliability
Applications at the Egress of Government and Enterprise Vertical Networks
[Diagram: Internet on the Untrust domain, enterprise users on the Trust domain, and a server cluster on the DMZ domain, all separated by a single SecPath firewall]
Applications in the Networking of the Financial and Security Industries
[Diagram: two firewalls, SecPath A and SecPath B; Internet users (online banking, e-commerce, web browsing) in the Untrust domain; authentication server and data center in DMZ domain 1 and DMZ domain 2; enterprise users and intranet server in the Trust domain]
Applications with Carrier-Class Reliability
[Diagram: Internet, branch office and enterprise users, intranet, and a public network server behind redundant firewalls]
Troubleshooting Process
1) Check the physical link status.
2) Check the firewall default action (interception or release, that is, deny or permit).
3) Check whether the interface is added to the correct domain.
4) Check whether the ARP entries are correct.
5) Check the matching status of the ACL rules.
6) Check whether the NAT entries are correct.
7) Check whether ASPF is activated on the correct interface and in the correct direction.
8) Check whether the domain statistics function is activated.
Symptom of Common Faults (1)
Symptom: After an IP address is configured on a firewall interface, pinging that IP address fails.
Diagnosis: Ping failure may be caused by the following factors. Rule out the possibilities one by one.
1) Ensure that the firewall physical link is up.
2) Ensure that the physical interface has been added to one of the domains.
3) Check the default rules and ACL rules of the firewall.
4) Check whether the ARP entries contain the MAC address of the peer equipment.
5) Use the debug command to check whether ICMP packets are being received and transmitted.
Symptom of Common Faults (2)
Symptom: After port-scanning and address-scanning intrusion protection and the dynamic blacklist are configured, no intrusion log can be viewed on the firewall, and the scanning source addresses are not added dynamically to the blacklist.
Diagnosis:
1) Check whether the scanning speed of the scanning tool exceeds the max-rate value per second set in the configuration. A scan slower than max-rate never triggers the log or the blacklist.
2) Check whether the blacklist function is activated.
3) Check whether the IP statistics function is activated for connections in the outgoing direction of the initiator's domain.
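An added example (not part of the 3Com course, and not the firewall's own code): a simplified model of the rate-based port-scan check in Fault (2), run over constructed connection records. The max-rate threshold and the record format are assumptions; the point is that a source below max-rate produces no log entry and no blacklist entry, which is exactly what diagnosis step 1) asks you to rule out.

```python
# Added example: rate-based port-scan detection modelled on the "max-rate per second"
# check in Fault (2). Threshold and records are constructed sample data.
from collections import defaultdict

MAX_RATE = 50  # constructed threshold: distinct destination ports per source per second

# Constructed connection records: (timestamp_seconds, src_ip, dst_ip, dst_port)
SAMPLE_CONNECTIONS = (
    [(100, "10.0.0.5", "192.0.2.10", p) for p in range(1, 81)]          # 80 ports in one second
    + [(101, "10.0.0.5", "192.0.2.10", p) for p in range(81, 91)]       # 10 ports the next second
    + [(100 + i, "10.0.0.9", "192.0.2.10", 1000 + i) for i in range(40)]  # slow: 1 port per second
)

def detect_port_scans(connections, max_rate=MAX_RATE):
    """Return {src_ip: [(second, distinct_port_count), ...]} for every source whose
    number of distinct destination ports within one second exceeds max_rate.
    A source that stays below the threshold yields no entry: no log, no blacklist."""
    per_second = defaultdict(set)          # (src, second) -> set of destination ports
    for ts, src, _dst, port in connections:
        per_second[(src, ts)].add(port)
    hits = defaultdict(list)
    for (src, sec), ports in sorted(per_second.items()):
        if len(ports) > max_rate:
            hits[src].append((sec, len(ports)))
    return dict(hits)

def build_blacklist(connections, max_rate=MAX_RATE, enabled=True):
    """Dynamic blacklist as the slide describes it: a scanning source is added only when
    the blacklist function is enabled (diagnosis step 2) AND its rate exceeded max_rate."""
    if not enabled:
        return set()
    return set(detect_port_scans(connections, max_rate))

if __name__ == "__main__":
    for src, events in detect_port_scans(SAMPLE_CONNECTIONS).items():
        for sec, count in events:
            print(f"scan log: {src} probed {count} ports at t={sec}s (max-rate {MAX_RATE})")
    print("blacklist:", build_blacklist(SAMPLE_CONNECTIONS))
```

Address scanning works the same way with distinct destination IPs counted instead of ports.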
Symptom of Common Faults (3)
Symptom: After keyword-based filtering of web page content is configured, it does not take effect.
Diagnosis:
1) Check whether ASPF is configured to detect HTTP.
2) Check whether ASPF is applied to the interface or between the domains.
3) Query the filtering record with the display firewall web-filter command.
(Precaution: When web page filtering and mail filtering are configured, the ASPF detection function must be enabled.)
Symptom of Common Faults (4)
Symptom: The system cannot detect the 2FE card.
Diagnosis:
1) Query whether the 2FE card has been registered with the display version command.
2) Check the type of the 2FE card. There are two types of 2FE cards. The SecPath supports only the 2FE card of the chip; it does not support the 2FE card of the chip.
Method for differentiating the two types of boards: (Note: The two types are told apart by visual inspection of the physical chips on the boards. On the 2FE of the chip, there is a chip of about 4 square centimeters near the PCI socket, bearing the identification. On the 2FE of the chip, there is only a chip of about 1 square centimeter in the middle of the board, bearing the identification.)
Symptom of Common Faults (5)
Symptom: The firewall mode is set to "transparent". The routers on both sides of the firewall cannot establish an OSPF neighbor relationship.
Diagnosis:
1) Check whether the flood or broadcast function is activated for unknown MAC addresses.
2) Check with the ping command whether both ends of the physical link are connected.
3) Check whether the area No., network No., hello interval, and dead interval in the hello packets of both ends are consistent.
4) For other causes, refer to the debugging of the OSPF protocol.
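An added example for diagnosis step 3) above (not from the 3Com course): decode the OSPFv2 Hello packets captured on each side of the transparent firewall and list the adjacency fields that differ. The packet bytes are constructed samples built by a small helper, and I take the slide's "network No." to mean the network mask carried in the Hello; both are assumptions.

```python
# Added example: compare the adjacency-relevant fields of two OSPFv2 Hello packets
# (RFC 2328 A.3.1 header + A.3.2 Hello body). Sample packets are constructed, not captured.
import struct
from ipaddress import IPv4Address

def build_hello(router_id, area_id, mask, hello, dead):
    """Construct a minimal OSPFv2 Hello with null authentication and zero checksum.
    Only used to produce the sample packets below."""
    body = struct.pack("!4sHBBI4s4s", IPv4Address(mask).packed, hello, 0x02, 1, dead,
                       bytes(4), bytes(4))          # mask, hello, options, prio, dead, DR, BDR
    header = struct.pack("!BBH4s4sHH8s", 2, 1, 24 + len(body),
                         IPv4Address(router_id).packed, IPv4Address(area_id).packed,
                         0, 0, bytes(8))            # version, type=Hello, length, RID, area, csum, autype, auth
    return header + body

def parse_hello(pkt):
    """Return the fields of an OSPFv2 Hello that must agree for two routers to become neighbors."""
    ver, typ, _len, rid, area, _csum, _autype, _auth = struct.unpack("!BBH4s4sHH8s", pkt[:24])
    if ver != 2 or typ != 1:
        raise ValueError("not an OSPFv2 Hello packet")
    mask, hello, _opts, _prio, dead, _dr, _bdr = struct.unpack("!4sHBBI4s4s", pkt[24:44])
    return {"router_id": str(IPv4Address(rid)), "area": str(IPv4Address(area)),
            "mask": str(IPv4Address(mask)), "hello": hello, "dead": dead}

def hello_mismatches(pkt_a, pkt_b):
    """List the fields that differ between the two ends' Hellos; an empty list means step 3) passes."""
    a, b = parse_hello(pkt_a), parse_hello(pkt_b)
    return [field for field in ("area", "mask", "hello", "dead") if a[field] != b[field]]

# Constructed samples: router A and router B on either side of the firewall.
HELLO_A = build_hello("1.1.1.1", "0.0.0.0", "255.255.255.0", 10, 40)
HELLO_B_OK = build_hello("2.2.2.2", "0.0.0.0", "255.255.255.0", 10, 40)
HELLO_B_BAD = build_hello("2.2.2.2", "0.0.0.1", "255.255.255.0", 30, 120)

if __name__ == "__main__":
    print("consistent ends:", hello_mismatches(HELLO_A, HELLO_B_OK))    # []
    print("mismatched ends:", hello_mismatches(HELLO_A, HELLO_B_BAD))   # ['area', 'hello', 'dead']
```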
Symptom of Common Faults (6)
Symptom: After the GRE tunnel is configured, pinging the peer tunnel interface fails.
Diagnosis: Rule out the possible causes one by one:
1) Ensure that the tunnel interface has been added to the domain in which the public network resides.
2) Check with the display interface tunnel command whether the tunnel interface is up.
3) Check whether the tunnel has been configured with the correct source and destination addresses.
4) Check whether the routing table contains a route to the tunnel destination address, or check with the ping command whether the tunnel destination address is reachable.
(Precaution: All interfaces, whether physical or virtual, must be added to a domain.)
Symptom of Common Faults (7)
Symptom: When a browser is used to log in to the firewall, "The page cannot be found" is displayed.
Diagnosis:
1) Check whether the physical link from the PC to the firewall is faulty.
2) Check with the dir command whether the flash contains the http.zip file.
3) If the file does not exist, separate it from the system software with the detach command.
Summary
The course is summarized as follows:
1) Common networking modes of the firewall
2) Troubleshooting common faults of the SecPath firewall
Thank you