05-03-2009 09:08 PM
At the moment I am looking for a way to get payload level information on a packet trace from around 40 remote sites that each run an SSG20 or SSG140.
I know I can run "snoop detail" then "snoop" then get db stream to view the packets.
What i want to do is this.
1:- Set the output of snoop to be saved in a format readable by wireshark. i.e. in a .dmp format. Preferably on a NFS or SMB share so the flash on the unit is not consumed for long duration snooping.
2:- I also want to be able to turn the snoop command on and off based on a schedule.
I need to avoid having PC's on each site running wireshark as this would be difficult and costly to achieve.
Any advice would be appreciated.
07-28-2009 02:40 AM - edited 07-28-2009 05:58 AM
Hey, I'd like to point a very useful thing about the output of the debug, how to interpret the protocol and the header of the packet. In the output of the Andy's debug we can see this line:
RPC Mapping Table search returned 0 matched service(s) for (vsys Root, ip 184.108.40.206, port 2396, proto 1)
The packet protocol is 1, that is, ICMP. Now, we can see the Type and Code of the packet:
Type 8: Echo
Code 0: No Code
Result:10.1.1.5 is sending an ping to 220.127.116.11
A real case occured me yesterday. A customer complaint me the SSG is dropping communications between a router and his syslog server. With a debug I saw the next:
I saw in the packet the protocol was 1, ICMP. The (3/3) means:
Type 3: Destination Unreachable
Code 3: Port Unreachable
That is, the syslog server is sending a ICMP Unreachable with code 3 to the SSG notifying the port 514 was not opened. From this way, I could prove to the customer the problem was not the SSG but the port's server wasn't opened.
Hope it helps for future issues,
10-17-2009 08:34 PM - edited 10-17-2009 08:36 PM
I came accross this the other day and it helped with a problem we were trying to diagnose. This is only uselful on the ASIC based firewalls.
On a per policy basis you can have traffic that match's the policy NOT processes in hardware. This way you get a lot more information in the debugs as the CPU will process all traffic. Just need to watch how this effects the CPU performance.
Firewall (VSYS) # set policy id 71 <cr>
Firewall (VSYS/policy:71)(M)-> set no-hw-session
04-22-2010 04:23 AM
This is really helpful to diagnose the problem. In high end platforms once the sessions are created all further packets will be processed in the ASIC in most of the cases and we will not be able to see any packets in debug.
When we set no hardware session then session will not be installed in the asic.
We need to be very careful when doing it because if lot of traffic hits the particular policy then all the packets hitting that policy will be processed by CPU and which can cause a network outage.
So what we need to keep in mind that we create a specific policy which allows only specific host and then test it.
03-08-2011 10:58 AM
Thanks for this link. It;s very useful for VPN .
I want to prepare for the exam JNCIS FWV exam. Can you please guide me.
I have good experience with Juniper FW's and also with NSM.
If you can help me with any reading document then it will be very helpful as I can not afford to take the training.
03-08-2011 02:46 PM
See this previous thread for study material on the ScreenOS firewall certifications.