Screen OS

  • 1.  Newbie question: How do I see traffic that is being blocked?

    Posted 01-09-2010 17:29

    I have an SSG-520M that I'm going to be using to replace a pair of OpenBSD firewalls, and I'm running into some conceptual difficulties as I try to configure it.


    My first question is: How do I watch traffic to see what is being dropped? For example, I have a new application and it's not talking to a server in a different zone. I don't know what ports or traffic type it uses, so I need to see what it's trying to send. On my OpenBSD firewall I could use tcpdump on the pflog0 interface to see packets that were being blocked along with the rule that was blocking them; is there an equivalent function on the SSG firewall?


    I see that I could log traffic if I used a DENY policy, but since denying traffic is the default I'm primarily setting up PERMIT policies instead, so my problem is that I need to know what type of traffic to permit.



  • 2.  RE: Newbie question: How do I see traffic that is being blocked?
    Best Answer

    Posted 01-09-2010 20:06

    Hi,


    Some people use the "deny" policy method and others use debug with flow filters.  For example, if you wanted to see what's being denied between client A in trust and server A in the DMZ, you could try:


    set ff src-ip x.x.x.x dst-ip x.x.x.x

    debug flow basic

    clear db

    <test>

    undebug all

    get db str


    I typically like to set the console page to 0 and then dump the debug to a text file (so you can find "denied").  This is done using "set console page 0", then you can use putty to log or SecureCRT to copy, etc.


    I hope this helps.


    -John
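    The answer above ends with dumping the debug output to a text file and searching it for "denied". As an added example (not from the original thread or from Juniper), here is a small script that does that search over such a dump: it splits the capture into per-packet blocks and reports the source, destination, ports and protocol of every block that was denied. The sample dump is constructed to resemble "debug flow basic" output and the exact line layout is an assumption; adjust the regexes if your device prints the flow tuple differently.

```python
import re
from typing import Dict, List

# Constructed sample of a "debug flow basic" dump, written in the shape the
# answer describes (assumed format, not a verbatim capture from an SSG).
SAMPLE_DUMP = """\
****** 112233.0: <Trust/ethernet0/0> packet received [60]******
  ipid = 4321(10e1), @0392a110
  packet passed sanity check.
  ethernet0/0:10.10.1.25/49152->10.20.5.7/8443,6<Root>
  no session found
  policy search from zone 2-> zone 3
  Denied by policy 320000
  packet dropped, denied by policy
****** 112233.1: <Trust/ethernet0/0> packet received [60]******
  ipid = 4322(10e2), @0392a220
  packet passed sanity check.
  ethernet0/0:10.10.1.25/49153->10.20.5.7/443,6<Root>
  no session found
  policy search from zone 2-> zone 3
  Permitted by policy 12
  session created
"""

# Each packet's trace begins with a banner line containing "packet received".
PACKET_START = re.compile(r"^\*+ .*packet received")
# Flow tuple as printed on the interface line: src/sport->dst/dport,proto
FLOW_TUPLE = re.compile(
    r"(?P<src>\d+\.\d+\.\d+\.\d+)/(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)/(?P<dport>\d+),(?P<proto>\d+)"
)

def denied_flows(dump: str) -> List[Dict[str, str]]:
    """Return the flow tuple of every packet block whose trace says 'denied'."""
    results: List[Dict[str, str]] = []
    block: List[str] = []

    def flush() -> None:
        text = "\n".join(block)
        if "denied" in text.lower():
            m = FLOW_TUPLE.search(text)
            if m:
                results.append(m.groupdict())

    for line in dump.splitlines():
        if PACKET_START.match(line) and block:
            flush()          # previous packet is complete; classify it
            block = []
        block.append(line)
    if block:
        flush()              # last packet has no trailing banner
    return results

if __name__ == "__main__":
    for f in denied_flows(SAMPLE_DUMP):
        print(f"denied: {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} proto {f['proto']}")
```

    Feed it the file you logged from PuTTY or SecureCRT instead of SAMPLE_DUMP to get the list of flows that still need a PERMIT policy.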



  • 3.  RE: Newbie question: How do I see traffic that is being blocked?

    Posted 01-09-2010 20:22

    Thanks, that's a big help. All I needed was a pointer in the right direction.