Title: Firewall Typical Networking and Troubleshooting Common Faults
1. Firewall Typical Networking and Troubleshooting Common Faults
2. Objectives
Upon completion of this course, you will be able to:
- Master the typical networking of the SecPath firewall.
- Master the skills of troubleshooting common faults of the SecPath firewall.
3. Contents
- Common Firewall Networking
- Troubleshooting Common Faults of Firewall
4. Cases of Common Firewall Networking
- Applications at the egress of government and enterprise vertical networks
- Applications in the networking of financial and security industries
- Applications with carrier-class reliability
5. Applications at the Egress of Government and Enterprise Vertical Networks
[Network diagram; labels: SecPath firewall, Trust domain (enterprise users), Untrust domain, DMZ domain (server cluster)]
6. Applications in the Networking of Financial and Security Industries
[Network diagram; labels: SecPath A, SecPath B, Intranet, Trust domain (enterprise user), Untrust domain, DMZ domain 1 (authentication server, server, browse web page), DMZ domain 2 (data center, e-commerce, online banking)]
7. Applications with Carrier-Class Reliability
[Network diagram; labels: Enterprise user, Intranet, Internet, Public network server, Branch]
8. Contents
- Common Firewall Networking
- Troubleshooting Common Faults of Firewall
9. Troubleshooting Process
- Check the physical link status.
- Check the firewall default action (interception or release).
- Check whether the interface is added into the correct domain.
- Check whether the ARP table items are correct.
- Check the matching status of the ACL rules.
- Check whether the NAT table items are correct.
- Check whether ASPF is activated on the correct interface and in the correct direction.
- Check whether the domain statistics function is activated.
10. Symptom of Common Faults (1)
- Symptom: After the firewall interface is configured with an IP address, pinging that IP address is not successful.
- Diagnosis: Ping failure may be caused by the following factors. Rule out the possibilities one by one.
  - 1) Ensure that the firewall physical link is up.
  - 2) Ensure that the physical interface is added into one of the domains.
  - 3) Check the default rules and ACL rules of the firewall.
  - 4) Check whether the ARP table items contain the MAC address of the peer equipment.
  - 5) Query the receiving/transmitting of ICMP packets with the debug command.
11. Symptom of Common Faults (2)
- Symptom: After port scanning and address scanning intrusion protection and the dynamic blacklist are configured, the intrusion log cannot be viewed on the firewall. In addition, the scanning source addresses are not added dynamically into the blacklist.
- Diagnosis:
  - 1) Check whether the scanning speed of the scanning tool exceeds the max-rate value per second set in the configuration file; a scan below this rate is not detected.
  - 2) Check whether the blacklist function is activated.
  - 3) Check whether the IP statistics function is activated for connections in the outgoing direction of the initiator's domain.
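The following Python script is an added example, not part of the course and not SecPath code: it models the max-rate check from step 1 as a simplified per-second distinct-port counter over constructed log lines, so a slow scan stays below the threshold and is neither logged nor blacklisted, and step 2's blacklist switch is modelled as a flag.

```python
from collections import defaultdict

# Constructed sample connection log (not real SecPath output):
# "<second> <source IP> <destination IP> <destination port>"
# 10.1.1.5 probes 5 ports within one second; 10.1.1.9 spreads 4 ports over 4 seconds.
SAMPLE_LOG = """\
0 10.1.1.5 192.168.1.10 21
0 10.1.1.5 192.168.1.10 22
0 10.1.1.5 192.168.1.10 23
0 10.1.1.5 192.168.1.10 25
0 10.1.1.5 192.168.1.10 80
1 10.1.1.9 192.168.1.10 80
1 10.1.1.9 192.168.1.10 443
2 10.1.1.9 192.168.1.10 22
3 10.1.1.9 192.168.1.10 21
"""

def detect_port_scans(log_text, max_rate, blacklist_enabled=True):
    """Return (intrusion_log, blacklist) for a simplified port-scan detector.

    A source is reported as a scanner when, within one second, it probes more
    than `max_rate` distinct destination ports on one destination host. The
    source is added to the dynamic blacklist only when that function is enabled.
    """
    ports_per_second = defaultdict(set)  # (second, src, dst) -> {ports seen}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        second, src, dst, port = line.split()
        ports_per_second[(int(second), src, dst)].add(int(port))

    intrusion_log = []
    blacklist = set()
    for (second, src, dst), ports in sorted(ports_per_second.items()):
        if len(ports) > max_rate:  # rate threshold: at or below max-rate is not a detection
            intrusion_log.append(f"t={second}s port scan from {src} to {dst}: {len(ports)} ports")
            if blacklist_enabled:
                blacklist.add(src)
    return intrusion_log, sorted(blacklist)

if __name__ == "__main__":
    for entry in detect_port_scans(SAMPLE_LOG, max_rate=4)[0]:
        print(entry)
```

With max-rate 4 only 10.1.1.5 is reported; the slow scanner 10.1.1.9 is invisible to this check, which is the situation step 1 describes.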
12. Symptom of Common Faults (3)
- Symptom: After keyword-based filtering of web page content is configured, it does not take effect.
- Diagnosis:
  - 1) Check whether ASPF is configured to detect HTTP.
  - 2) Check whether ASPF is applied to the interface or between the domains.
  - 3) Query the filtering records with the display firewall web-filter command.
  - (Precaution: When web page filtering and mail filtering are configured, the ASPF detection function must be enabled.)
13. Symptom of Common Faults (4)
- Symptom: The system cannot detect the 2FE card.
- Diagnosis:
  - 1) Query whether the 2FE card has been registered with the display version command.
  - 2) Check the type of the 2FE card. There are two types of 2FE cards.
  - SecPath supports only the 2FE card with the 82559 chip. It does not support the 2FE card with the 21143 chip.
  - Differentiation method for the two types of boards:
  - (Note: The two boards are distinguished by visual inspection of the physical chips. On the 2FE with the 21143 chip, there is a chip of about 4 square centimeters near the PCI socket, marked 21143. On the 2FE with the 82559 chip, there is only a chip of about 1 square centimeter in the middle of the board, marked 82559.)
14. Symptom of Common Faults (5)
- Symptom: The firewall is set to transparent mode. The routers on both sides of the firewall cannot establish the OSPF neighbor relationship.
- Diagnosis:
  - 1) Check whether the flood or broadcast function is activated for unknown MAC addresses.
  - 2) Check with the ping command whether both ends of the physical link are connected.
  - 3) Check whether the area No., network No., hello interval, and dead interval in the hello packets of both ends are consistent.
  - 4) For other causes, refer to the debugging of the OSPF protocol.
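As an added example that is not part of the course, the following Python script builds two OSPFv2 Hello packets from constructed values, parses them according to the RFC 2328 layout, and reports which of the parameters from step 3 differ; the slide's "network No." is taken here to be the network mask field that the Hello actually carries (an assumption), and the checksum is left at zero since only field comparison is demonstrated.

```python
import struct
from ipaddress import IPv4Address

# OSPFv2 common header (24 bytes) and the fixed part of a Hello body (20 bytes), per RFC 2328.
OSPF_HEADER = "!BBH4s4sHH8s"  # version, type, length, router ID, area ID, checksum, auth type, auth data
HELLO_FIXED = "!4sHBBI4s4s"   # network mask, hello interval, options, priority, dead interval, DR, BDR
HEADER_LEN = struct.calcsize(OSPF_HEADER)

def build_hello(router_id, area_id, netmask, hello, dead):
    """Build a minimal OSPFv2 Hello (checksum zero, no neighbor list) for field comparison."""
    body = struct.pack(HELLO_FIXED, IPv4Address(netmask).packed, hello, 0x02, 1, dead,
                       bytes(4), bytes(4))
    header = struct.pack(OSPF_HEADER, 2, 1, HEADER_LEN + len(body),
                         IPv4Address(router_id).packed, IPv4Address(area_id).packed,
                         0, 0, bytes(8))
    return header + body

def parse_hello(pkt):
    """Extract the Hello fields a router compares before accepting a neighbor."""
    version, ptype, _length, rid, area, _cksum, _atype, _auth = struct.unpack_from(OSPF_HEADER, pkt)
    if version != 2 or ptype != 1:
        raise ValueError("not an OSPFv2 Hello packet")
    mask, hello, _opts, _prio, dead, _dr, _bdr = struct.unpack_from(HELLO_FIXED, pkt, HEADER_LEN)
    return {"router_id": str(IPv4Address(rid)), "area": str(IPv4Address(area)),
            "netmask": str(IPv4Address(mask)), "hello": hello, "dead": dead}

def hello_mismatches(pkt_a, pkt_b):
    """Names of the parameters on which the two Hellos disagree; empty means they can become neighbors."""
    a, b = parse_hello(pkt_a), parse_hello(pkt_b)
    return [k for k in ("area", "netmask", "hello", "dead") if a[k] != b[k]]

# Constructed sample packets: routers A and B agree; router C uses different timers.
HELLO_A = build_hello("1.1.1.1", "0.0.0.0", "255.255.255.0", 10, 40)
HELLO_B = build_hello("2.2.2.2", "0.0.0.0", "255.255.255.0", 10, 40)
HELLO_C = build_hello("3.3.3.3", "0.0.0.0", "255.255.255.0", 30, 120)

if __name__ == "__main__":
    print("A vs B:", hello_mismatches(HELLO_A, HELLO_B))
    print("A vs C:", hello_mismatches(HELLO_A, HELLO_C))
```

The same parser can be applied to Hello packets captured on each side of the transparent firewall, which also shows whether the firewall is forwarding them at all.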
15. Symptom of Common Faults (6)
- Symptom: After the GRE tunnel is configured, pinging the peer tunnel interface is not successful.
- Diagnosis: Rule out the possible causes one by one.
  - 1) Ensure that the tunnel interface has been added into the domain where the public network resides.
  - 2) Check whether the tunnel interface is in the up status with the display interface tunnel command.
  - 3) Check whether the tunnel has been configured with the correct source and destination addresses.
  - 4) Check whether the routing table contains a route to the tunnel destination address, or check whether the tunnel destination address is reachable with the ping command.
  - (Precaution: All interfaces, whether physical or virtual, must be added into a domain.)
16. Symptom of Common Faults (7)
- Symptom: When a browser is used to log in to the firewall, the message "The page cannot be found" is displayed.
- Diagnosis:
  - 1) Check whether the physical link from the PC to the firewall is faulty.
  - 2) Check whether the flash contains the http.zip file with the dir command.
  - 3) If the file does not exist, separate the file from the system software with the detach command.
17. Summary
- The course is summarized as follows:
  - Common networking modes of the firewall
  - Troubleshooting common faults of the SecPath firewall
18. Thank you