Getting started
The
following three commands are crucial to successful examination of firewall issues. Using
these commands, along with the policy goals and network map, you can compare the current
configuration and check for obvious issues.
show ip interfaces brief
show firewall interfaces all
show firewall policy <zoneName> [detail]
The <zoneName> variable represents the zone you are interested in debugging. Adding the
[detail] parameter provides a detailed version of the policy listing.
Getting details
After
comparing the configured policy to the goals and map, view the events with debug show
commands:
debug firewall all
debug firewall packet
The `debug firewall packet` command is stunningly verbose as it prints at least two lines (IN
and OUT) for every packet. Keep in mind that it severely degrades system performance and
may even degrade the stability of the system. The console printing simply cannot keep up with
packet rates on network interfaces. Thus, Avaya has implemented a feature within the debug
firewall all command will, somewhat counter intuitively disable debug firewall
packet. This leaves a firewall system with debug firewall all enabled still in a stable
and moderately performing state.
If you need to debug firewall packets on a busy network, you may limit what it prints with packet
filters. See the debug firewall packet command description for details.
When firewall connections are made, you may see the list and their associated byte counts
and remaining lifetime using the command show firewall connection all.
Firewall connections are cached after the first few packets. The connection entry in the cache
table has a lifetime. You may clear firewall connections with clear firewall
connections <all | ip-address>. This will force all client/server sessions through the
firewall to break and need to restart.
Troubleshooting security
198 Troubleshooting August 2013
Comments? infodev@avaya.com
To Next Page
Loading...
