Tuesday, March 19, 2013

Debug Flow ( netscreen )

In this next series of posts, I will go over some of the basic diagnostic methods for NetScreen, FortiGate, and Cisco ASA.

As firewall admins, we need to know how to aid in the troubleshooting step. Blindly changing rules, rebooting, and a host of other steps are typically a hail mary and accomplish nothing. Don't be scared of the diagnostics or the utilities; they are built right in to HELP YOU!


1st up,

Flow diagnostics on netscreen ( legacy ScreenOS ).


Why we do this is mainly to troubleshoot L3/L4 firewall policy rules, and to validate what is actually being hit and the policy-id that is being matched.


First, check the debug options to see if anyone left something running, and to clear out any leftover debug sessions;


iscreen:-> get debug
get debug
flow: basic

If anything is set, you might want to clear it;

undebug all


2nd, we want to set up the flow filter(s). This is where I specify what to match on: the traffic of interest that we are expecting to inspect or troubleshoot;

iscreen:-> set ff ?
set ff ?
<return>
dst-ip               flow filter dst ip
dst-port             flow filter dst port
ip-proto             flow filter ip proto
src-ip               flow filter src ip
src-port             flow filter src port

note: you can combine several match fields in one single set ff line (they are ANDed into one filter), or run set ff more than once to create multiple filters (each gets its own id and any one of them can match). Be specific so you drill in on the host/port/proto/etc. you care about; a debug flow with a loose filter, or no filter at all, captures every packet the box forwards and fills the buffer with noise.

Here I'm going to be very specific, and place a flow filter for the Google DNS server 8.8.8.8 and port 53.

note: you can remove any pre-existing filters, and you should always check the filters before starting up a flow diagnostic.


iscreen:-> set ff dst-ip 8.8.8.8  dst-port 53
set ff dst-ip 8.8.8.8  dst-port 53
filter added

Now I’m validating my filters;

iscreen:-> get ff
get ff
Flow filter based on:
id:0 dst ip 8.8.8.8 dst port 53
iscreen:->

NOTE: to remove a filter, unset ff <filter-id> ( the id is the one shown by get ff, id:0 above )



Third, now that we have the flow filter set, we need to enable the debug type. Here are a few that my netscreen, named iscreen, supports based on its ScreenOS version

iscreen:-> get sys
get sys
Product Name: NetScreen-NS5GT-WLAN
Serial Number: 0129012006000174, Control Number: 00000000
Hardware Version: 1010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.4.0r3a.0, Type: Firewall+VPN
Feature: AV-K
Compiled by build_master at: Wed Feb 7 19:00:24 PST 2007
Base Mac: 0012.1ebe.7b50
File Name: screenos_image, Checksum: 51863a99

( she's old but she still puts out :) )


iscreen:-> debug ?
debug ?
admin                debug admin
adsl                 adsl soc debugging
anti-spam            anti-spam debugging
apppry               Application Proxy debugging
arp                  arp debugging
asp                  ASP debugging
asset-recovery       asset recovery debugging
auth                 user authentication debugging
autocfg              Auto config debugging
av                   anti virus scan debugging
bgp                  bgp debugging
bgroup               bgroup debugging
cav                  cavium debugging
cluster              command propagated to cluster members
cpapi                cpapi debugging
cpu-limit            CPU limit debugging
dhcp                 debug dhcp
dhcp6                dhcpv6 debugging
dialer               dialer debugging
dip                  dip debugging
dlog                 dlog debugging
dns                  dns debugging
dot1x                IEEE802.1X debug
driver               driver debugging
emweb                EmWeb debugging
filesys              Filesys debugging
fips                 fips debugging
flash                flash operating debugging
flow                 Flow level debugging
flow-tunnel          Flow Tunnel debugg

(output shortened)


We are going to do flow, and basic at that;


iscreen:-> debug flow ?
debug flow ?
all                  all flow debug
basic                basic debug
drop                 drop pak debug
dynpol               dynamic policy search debug
illegal              illegal debug
internal             internal debug
mcast                flow multicast debug
mgt                  mgt debug
mpak                 mp pak message debug
mpdiff               mp diff message debug
mperr                mp message error debug
mpgate               mp gate message debug
mpmvpn               mng over vpn message debug
mpsess               mp session message debug
mpvpn                mp vpn message debug
pak-poll             packet polling debug
self                 self debug
session              session debug
sm-skip              No pak passing to SM
spinlock             spinlock
tcp-sequence-check   tcp sequence check debug
tiny-tcp             tiny tcp debug
vlan                 vlan debug


and;


iscreen:-> debug flow basic
basic
iscreen:->


4th, next we want to flush any existing debug buffer data;

iscreen:-> clear db
clear db


and after we generate the traffic of interest ( here, a DNS lookup against 8.8.8.8 from the trust side ), we review the buffer via a simple get command;


iscreen:-> get db stream
get db stream

iscreen:-> get  db stream
get  db stream
****** 12514.0: <Trust/trust> packet received [62]******
  ipid = 9288(2448), @026ddc70
  packet passed sanity check.
  trust:172.16.10.24/50291->8.8.8.8/53,17<Root>
  no session found
  flow_first_sanity_check: in <trust>, out <N/A>
  chose interface trust as incoming nat if.
  flow_first_routing: in <trust>, out <N/A>
  search route to (trust, 172.16.10.24->8.8.8.8) in vr trust-vr for vsd-0/flag-0/ifp-null
  [ Dest] 12.route 8.8.8.8->192.0.2.1, to untrust
  routed (x_dst_ip 8.8.8.8) from trust (trust in 0) to untrust
  policy search from zone 2-> zone 1
 policy_flow_search  policy search nat_crt from zone 2-> zone 1
  RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 8.8.8.8, port 53, proto 17)
  No SW RPC rule match, search HW rule
  Permitted by policy 1
  dip id = 2, 172.16.10.24/50291->192.0.2.191/2099
  choose interface untrust as outgoing phy if
  no loop on ifp untrust.
  session application type 16, name DNS, nas_id 0, timeout 60sec
ALG vector is attached
  service lookup identified service 16.
--- more ---  
  flow_first_final_check: in <trust>, out <untrust>
  existing vector list 81-3582ba0.
  Session (id:1959) created for first pak 81
  flow_first_install_session======>
  route to 192.0.2.1
  arp entry found for 192.0.2.1
  nsp2 wing prepared, ready
  cache mac in the session
  make_nsp_ready_no_resolve()
  search route to (untrust, 8.8.8.8->172.16.10.24) in vr trust-vr for vsd-0/flag-3000/ifp-trust
  [ Dest] 1.route 172.16.10.24->172.16.10.24, to trust
  route to 172.16.10.24
  flow got session.
  flow session id 1959
 flow_send_vector_, vid = 0, is_layer2_if=0
  send packet to traffic shaping queue.
  flow_ip_send: 2448:192.0.2.191->8.8.8.8,17 => untrust(62) flag 0x20000, vlan 0
 pak has mac
  Send to untrust (76)
Interface <untrust> IPv6 disabled, drop IPv6 packet.
****** 12514.0: <Untrust/untrust> packet received [78]******
  ipid = 16418(4022), @02691970
  packet passed sanity check.
  untrust:8.8.8.8/53->192.0.2.191/2099,17<Root>
  existing session found. sess token 6
  flow got session.
  flow session id 1959
  existing vector list 81-3582ba0.
 flow_send_vector_, vid = 0, is_layer2_if=0
  send packet to traffic shaping queue.
  flow_ip_send: 4022:8.8.8.8->172.16.10.24,17 => trust(78) flag 0x20000, vlan 0
 pak has mac
  Send to trust (


NOTE: You should always turn the debug off and clear your debug information when you're done, to save memory and wasted processing. Always validate this has been done;


iscreen:-> undebug all
undebug all
iscreen:-> get debug
get debug
iscreen:->


Some of the things to focus on with regards to the debug output:

·      Any Permit/Deny

·      Zone ( trust to untrust or whatever zones )

·      Interfaces involved

·      The Policy-ID # ( that's your fwpolicy or rule )

·      Src/dst-ip ( should match your filter if applied)

·      Src/Dst-Port ( should match your filter if applied )
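Once the buffer is captured, those items are what you pull out of every "****** ... packet received" block. The following is an added example, not part of the original post and not ScreenOS code: a small Python parser that reads get db stream text and reduces each packet to the checklist fields above (zone/interface in, interface out, src/dst ip and port, protocol, Permitted/Denied and policy-id, session id, DIP NAT), plus a matches_filter check that mirrors one set ff line so you can confirm the packets you see are the ones the filter was meant to catch. The sample buffer is constructed from the post's own output; the third record, a deny, is constructed and assumes the "Denied by policy <id>" wording, and FlowRecord, parse_db_stream, matches_filter and summarize are names chosen here.

```python
"""Pull the checklist fields out of ScreenOS 'get db stream' output (debug flow basic)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: records 1-2 are trimmed from the post's own "get db stream" output;
# record 3 is a constructed deny, ASSUMING ScreenOS prints "Denied by policy <id>".
SAMPLE = """\
****** 12514.0: <Trust/trust> packet received [62]******
  trust:172.16.10.24/50291->8.8.8.8/53,17<Root>
  no session found
  policy search from zone 2-> zone 1
  Permitted by policy 1
  dip id = 2, 172.16.10.24/50291->192.0.2.191/2099
  choose interface untrust as outgoing phy if
--- more ---
  Session (id:1959) created for first pak 81
  flow session id 1959
****** 12514.0: <Untrust/untrust> packet received [78]******
  untrust:8.8.8.8/53->192.0.2.191/2099,17<Root>
  existing session found. sess token 6
  flow session id 1959
****** 12520.0: <Trust/trust> packet received [60]******
  trust:172.16.10.24/40001->198.51.100.5/23,6<Root>
  policy search from zone 2-> zone 1
  Denied by policy 3
  packet dropped, denied by policy
"""

RECORD_START = re.compile(r"^\*{6} (?P<ts>[\d.]+): <(?P<zone>[^/>]+)/(?P<ifname>[^>]+)> packet received")
FIVE_TUPLE = re.compile(r"^\s*[\w.-]+:([\d.]+)/(\d+)->([\d.]+)/(\d+),(\d+)<[^>]+>")  # ifname:src/sp->dst/dp,proto<vsys>
VERDICT = re.compile(r"\b(Permitted|Denied) by policy (\d+)")  # "Denied ..." wording is an assumption
SESSION_NEW = re.compile(r"Session \(id:(\d+)\) created")
SESSION_ID = re.compile(r"flow session id (\d+)")
OUT_IF = re.compile(r"choose interface (\S+) as outgoing phy if")
DIP_NAT = re.compile(r"dip id = \d+, [\d.]+/\d+->([\d.]+)/(\d+)")
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

@dataclass
class FlowRecord:
    in_zone: str                    # zone from the "<Zone/ifname> packet received" header
    in_if: str
    src_ip: str = ""
    src_port: int = 0
    dst_ip: str = ""
    dst_port: int = 0
    proto: int = 0
    verdict: Optional[str] = None   # "Permitted" / "Denied"; None when no policy lookup happened
    policy_id: Optional[int] = None
    session_id: Optional[int] = None
    new_session: bool = False       # True when this packet created the session
    out_if: Optional[str] = None
    nat_src: Optional[str] = None   # "ip/port" after DIP source NAT

def parse_db_stream(text: str) -> List[FlowRecord]:
    """Split the buffer into per-packet records; pager lines and prompt echoes fall through unmatched."""
    records: List[FlowRecord] = []
    cur: Optional[FlowRecord] = None
    for line in text.splitlines():
        if m := RECORD_START.match(line):
            cur = FlowRecord(in_zone=m["zone"], in_if=m["ifname"])
            records.append(cur)
        elif cur is None:
            continue                # text before the first record
        elif m := FIVE_TUPLE.match(line):
            cur.src_ip, cur.src_port, cur.dst_ip, cur.dst_port, cur.proto = (
                m[1], int(m[2]), m[3], int(m[4]), int(m[5]))
        elif m := VERDICT.search(line):
            cur.verdict, cur.policy_id = m[1], int(m[2])
        elif m := SESSION_NEW.search(line):
            cur.new_session, cur.session_id = True, int(m[1])
        elif m := SESSION_ID.search(line):
            cur.session_id = int(m[1])
        elif m := OUT_IF.search(line):
            cur.out_if = m[1]
        elif m := DIP_NAT.search(line):
            cur.nat_src = f"{m[1]}/{m[2]}"
    return records

def matches_filter(rec: FlowRecord, src_ip=None, dst_ip=None, src_port=None,
                   dst_port=None, ip_proto=None) -> bool:
    """Same AND semantics as one 'set ff ...' line: every field given must match the packet header."""
    wanted = [(src_ip, rec.src_ip), (dst_ip, rec.dst_ip), (src_port, rec.src_port),
              (dst_port, rec.dst_port), (ip_proto, rec.proto)]
    return all(want is None or want == have for want, have in wanted)

def summarize(rec: FlowRecord) -> str:
    """One line per packet carrying the items the post says to focus on."""
    verdict = f"{rec.verdict} by policy {rec.policy_id}" if rec.verdict else "no policy lookup (existing session)"
    sess = f"session {rec.session_id}{' new' if rec.new_session else ''}" if rec.session_id else "no session"
    nat = f" nat {rec.nat_src}" if rec.nat_src else ""
    return (f"{rec.in_zone}/{rec.in_if} -> {rec.out_if or '-'}: {rec.src_ip}:{rec.src_port} -> "
            f"{rec.dst_ip}:{rec.dst_port} {PROTO_NAMES.get(rec.proto, rec.proto)} | {verdict} | {sess}{nat}")

if __name__ == "__main__":
    for r in parse_db_stream(SAMPLE):
        print(summarize(r), "" if matches_filter(r, dst_ip="8.8.8.8", dst_port=53) else "[outside ff]")
```

One thing the post's own capture shows, and the parser makes visible: the reply packet (8.8.8.8/53 back to the DIP address 192.0.2.191/2099) appears in the buffer even though the filter is dst-ip 8.8.8.8 dst-port 53, so return traffic of a matched session is displayed too and fails a literal header check. Correlate on the session id (1959 in both records) rather than expecting every record to carry your filter's destination, and note that a denied first packet never gets a session id at all; the Denied line and its policy-id are all you will see for it.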



I hope this post helps you in your on going diagnostics.

Ken Felix Freelance Network/Security Engineer
Kfelix at hyperfeed  <d-o-t> com
