Screen OS

Is there an equivalent tool in ScreenOS that compares to Cisco's packet-tracer tool. Basically this allows you to put in the parameters such as source, destination, protocol etc and it will tell you if that connection will be permitted or denied. If not, is there an easy way to tell if a certain traffic flow will be permitted or denied?

I know you can set flow filters but that way you have to initiate the actual traffic to see if it will be permitted or denied.

Thanks

Hi,

There is not a similar tool but "debug flow" is even better than the packet-tracer. Unlike Cisco ASA you can initiate traffic directly from the device using "ping ... from ethx/y", "trace  ... from ethx/y" and "telnet ... port xxx src-int ethx/y". "Debug flow basic" saves very detailed and, what is more, very good readable information.

You can also use the snoop utility to capture data and interpret them with Wireshark or a similar SW.

Thank you for your response. I currently use those features and agree they are quite good and provide a high level of detail. The problem with that is that it is that the connections are initiated from the firewall interface IP so it's not a tru endication of whether or not a rule for a specific host will work.

I wasn't aware of any feature like that but just thought I would check anyway.

Thank you

Hi,

I use a trick if I want to initiate traffic from e.g. zone Trust to zone Untrust and source IP does not belong to the Trust interface's nework. I create a loopback interface in zone Trust, assign an IP and initiate traffic from the loopback interface. This is an usefull trick if the test system is located behind a router or a FW but is not yet reachable or installed.

That's is a very good idea, I will be sure to give that a try. Thank you