Wednesday, January 12, 2011

Reason for Firewall Drop : fw ctl zdebug drop

One of my favorite troubleshooting commands is "fw ctl zdebug drop".

It shows the drops in real time, so there is no need to wonder where my Tracker is for a real-time log.

The output is very readable: it shows the reason for the drop, and it can easily be filtered for IP addresses with grep:

fw_log_drop: Packet proto=17 10.255.253.21:20031 -> 10.255.253.255:20031 dropped by fw_antispoof_log Reason: Address spoofing

fw_log_drop: Packet proto=17 192.243.100.205:58999 -> 224.0.0.1:9996 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 243

fw_log_drop: Packet proto=1 10.68.111.2:1281 -> 10.68.111.5:1669 dropped by fw_icmp_stateless_checks Reason: ICMP redirect packets are not allowed

fw_log_drop: Packet proto=6 192.243.119.238:80 -> 91.96.46.174:49543 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN

Since this is real-time debug output, you need live traffic through the firewall to see whether a packet is dropped. To investigate the reason for a drop of an older connection, you have to go to SmartView Tracker.

One more example:
[Expert@FW-1]# fw ctl zdebug drop | grep 3.212.227.23
;[cpu_2];[fw_1];fw_log_drop: Packet proto=6 3.212.227.23:51459 -> 3.245.237.213:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 38;
;[cpu_2];[fw_1];fw_log_drop: Packet proto=6 3.212.227.23:51459 -> 3.245.237.213:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 38;
;[cpu_2];[fw_1];fw_log_drop: Packet proto=6 3.212.227.23:51459 -> 3.245.237.213:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 38;


=======================================================

To check why traffic is being silently dropped by a firewall, simultaneously run the following:

1. fw monitor, to gather all traffic between Host A and Host B. The syntax would be:

fw monitor -e "accept src=n.n.n.n or dst=n.n.n.n or src=y.y.y.y or dst=y.y.y.y;" -o fwmon.cap &

where n.n.n.n is the IP address of Host A and y.y.y.y is the IP address of Host B. The '&' puts fw monitor in the background.

2. Start the kernel debugging for drop activity, writing it to a file:

fw ctl zdebug drop > fwctl.txt

Now replicate the problem to gather the debugs.

When finished, press Ctrl+C to stop the 'fw ctl zdebug' command, then type 'fg' to bring 'fw monitor' back to the foreground.

Press Ctrl+C again to stop fw monitor.

Analyse the output files fwmon.cap and fwctl.txt to determine what is being dropped and why.
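To make the last step concrete, here is an added Python script for summarising a saved fwctl.txt; it is not Check Point's code and was not part of the original post. It assumes only the fw_log_drop line format visible on this page, with or without the ";[cpu_N];[fw_N];" prefix and trailing ";" shown in the second example, and ignores any other line type. The sample lines embedded in it are copied from the output above so the script runs offline; the optional host filter does the same narrowing as the grep above, but matches the address fields exactly.

```python
"""Summarise 'fw ctl zdebug drop' output (e.g. fwctl.txt) by reason, rule and flow.

Added example, not Check Point code. Only the fw_log_drop line format seen on
this page is assumed; other zdebug line types are skipped.
"""
import re
import sys
from collections import Counter

# One fw_log_drop record, either bare ("fw_log_drop: Packet ...") or with the
# ";[cpu_N];[fw_N];" instance prefix and a trailing ";" (search() skips the prefix).
DROP_RE = re.compile(
    r"fw_log_drop: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\S+) Reason: (?P<reason>.*?);?\s*$"
)
RULE_RE = re.compile(r"Rulebase drop - rule (\d+)")
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Constructed sample: the drop lines shown above, as they would appear in fwctl.txt.
SAMPLE_LINES = [
    "fw_log_drop: Packet proto=17 10.255.253.21:20031 -> 10.255.253.255:20031 dropped by fw_antispoof_log Reason: Address spoofing",
    "fw_log_drop: Packet proto=17 192.243.100.205:58999 -> 224.0.0.1:9996 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 243",
    "fw_log_drop: Packet proto=1 10.68.111.2:1281 -> 10.68.111.5:1669 dropped by fw_icmp_stateless_checks Reason: ICMP redirect packets are not allowed",
    "fw_log_drop: Packet proto=6 192.243.119.238:80 -> 91.96.46.174:49543 dropped by fw_first_packet_state_checks Reason: First packet isn't SYN",
    ";[cpu_2];[fw_1];fw_log_drop: Packet proto=6 3.212.227.23:51459 -> 3.245.237.213:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 38;",
    ";[cpu_2];[fw_1];fw_log_drop: Packet proto=6 3.212.227.23:51459 -> 3.245.237.213:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 38;",
    ";[cpu_2];[fw_1];fw_log_drop: Packet proto=6 3.212.227.23:51459 -> 3.245.237.213:443 dropped by fw_handle_first_packet Reason: Rulebase drop - rule 38;",
]


def parse_drop_line(line):
    """Return a dict for one drop record, or None if the line is not a fw_log_drop line."""
    m = DROP_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    rule = RULE_RE.search(d["reason"])  # rule number is only present for rulebase drops
    return {
        "proto": PROTO_NAMES.get(int(d["proto"]), d["proto"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "func": d["func"],
        "reason": d["reason"],
        "rule": int(rule.group(1)) if rule else None,
    }


def summarize(lines, host=None):
    """Count drops per reason and per (proto, src, dst, dport) flow.

    If host is given, keep only records where it is the source or destination."""
    by_reason, by_flow = Counter(), Counter()
    parsed = 0
    for line in lines:
        rec = parse_drop_line(line)
        if rec is None or (host and host not in (rec["src"], rec["dst"])):
            continue
        parsed += 1
        by_reason[rec["reason"]] += 1
        by_flow[(rec["proto"], rec["src"], rec["dst"], rec["dport"])] += 1
    return {"parsed": parsed, "by_reason": by_reason, "by_flow": by_flow}


def format_report(summary):
    """Render a summary as text, most frequent reason and flow first."""
    out = ["%d drop records" % summary["parsed"], "", "By reason:"]
    for reason, n in summary["by_reason"].most_common():
        out.append("  %5d  %s" % (n, reason))
    out += ["", "By flow (proto src -> dst:dport):"]
    for flow, n in summary["by_flow"].most_common():
        out.append("  %5d  %s %s -> %s:%d" % (n, *flow))
    return "\n".join(out)


if __name__ == "__main__":
    # Usage: python drops.py [fwctl.txt] [host-ip]; without arguments the sample is used.
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LINES
    host = sys.argv[2] if len(sys.argv) > 2 else None
    print(format_report(summarize(lines, host)))
```

The "By reason" table is usually the quickest way to tell a policy decision (a numbered rulebase drop) from a stateful or anti-spoofing check, and the "By flow" table shows which hosts and ports to look for in fwmon.cap.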

============================================================
