
Troubleshooting Check Point Firewalls
A structured approach
Christian Halbe / September 12, 2012

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.

Troubleshooting Check Point Firewalls
A structured approach

Agenda

Data collection
General health parameters
  OS parameters to check
  fw status and tables
  Cluster state
Analysis flow
A journey to the center of the firewall
  Packet travel through the firewall
  Acceleration and side effects of SecureXL
  fw monitor
    i-I-o-O: What exactly does it mean
    Filtering
    Interaction with Acceleration
  Advanced analysis with Wireshark

Not covered here: VSX, VPN



Collect information: is it really the firewall to blame?


Data collection
... Is it really the firewall?

Get the facts together

Understand the environment
  Source, destination, port
  Traceroute from both ends
  Any NAT involved?
  Get a network diagram
  Identify all components in the path
  Check for recent changes
  Check for a history of earlier problems

Understand the problem
  What symptoms are observed?
  When did it start?
  How can it be reproduced?
  Is there a pattern? Consider time of day, other regular events, network and machine load
  Does it affect only particular users or hosts?


Checks for general firewall health


Firewall health checks

When the report is vague ("problems in general"), when several different issues are reported at once, or when the problem is intermittent, check some basics first.

top example of a moderately loaded system:

top - 12:34:47 up 204 days, 18:30,  1 user,  load average: 0.82, 1.00, 0.90
Tasks:  92 total,   2 running,  90 sleeping,   0 stopped,   0 zombie
Cpu0  :  1.7%us,  2.0%sy,  0.0%ni, 80.0%id,  0.0%wa,  3.7%hi, 12.7%si,  0.0%st
Cpu1  :  0.0%us,  0.3%sy,  0.0%ni, 81.0%id,  0.0%wa,  4.3%hi, 14.3%si,  0.0%st
Cpu2  :  0.0%us,  0.0%sy,  0.0%ni, 83.9%id,  0.0%wa,  1.7%hi, 14.4%si,  0.0%st
Cpu3  :  0.0%us,  0.7%sy,  0.0%ni, 23.3%id,  0.0%wa,  0.0%hi, 76.0%si,  0.0%st
Mem:   2073884k total,  1709532k used,   364352k free,   225088k buffers
Swap:  4192956k total,   563280k used,  3629676k free,    62776k cached

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2111 root      15   0                  S   77  0.0 22898:41 fw_worker_0
 3477 root      15      432m  76m  13m R  3.8       8632:24 fw
 2248 root      15   0                  S  0.0      40:00.79 fw_worker_2
 3844 root      15   0 13488 5484 5168 S  0.3     150:03.05 dtls
    1 root      15      1600  472  448 S  0.0       0:11.64 init
    2 root      RT  -5                  S  0.0       0:10.34 migration/0
[...]
(some columns of the process list were lost in the conversion of the slide)

Hints: press 1 to toggle between the per-CPU lines and the average; press P or M to sort by CPU or memory usage.

Firewall health checks

Interface status
cpstat os -f ifconfig

Interface configuration table
---------------------------------------------------------------------------------
|Name|Address        |Mask           |MTU  |State|Mac Address      |Description  |
---------------------------------------------------------------------------------
|lo  |127.0.0.1      |255.0.0.0      |16436|    1|                 |Not supported|
|s0p1|172.16.1.2     |255.255.255.252| 1500|    1|44-1e-a1-47-1e-98|Not supported|
|s0p0|207.169.218.181|255.255.255.248| 1500|    1|44-1e-a1-47-1e-9a|Not supported|
|s2p1|192.238.41.110 |255.255.255.240| 1500|    1|a0-36-9f-00-48-04|Not supported|
---------------------------------------------------------------------------------

Interface counters
netstat -i

Kernel Interface table
Iface   MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
lo    16436   0  4001875      0      0      0  4001875      0      0      0 LRU
s0p0   1500   0  7562334      0      0      0  7744992      0      0      0 BMRU
s0p1   1500   0 87522045      0      0      0 87252894      0      0      0 BMRU
s2p1   1500   0  7222468      0      0      0  7127176      0      0      0 BMRU


Firewall health checks

Interface settings
When an interface shows errors, check the details, especially duplex:
ethtool <interface>
Settings for s0p0:
        Supported ports: [ TP ]
        Supported link modes:   10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Supports auto-negotiation: Yes
        Advertised link modes:  10baseT/Half 10baseT/Full
                                100baseT/Half 100baseT/Full
                                1000baseT/Full
        Advertised auto-negotiation: Yes
        Speed: 1000Mb/s
        Duplex: Full
        Port: Twisted Pair
        PHYAD: 1
        Transceiver: internal
        Auto-negotiation: on
        Supports Wake-on: g
        Wake-on: g
        Link detected: yes

Firewall health checks

Current connections
[Expert@datgwy04a]# fw tab -s -t connections
HOST                  NAME                                ID #VALS #PEAK #SLINKS
localhost             connections                       8158 69747 119421  258651

[Expert@datgwy04a]# fw ctl pstat | grep Connections
Concurrent Connections: 46% (70344 out of 149900) - below low watermark

NAT table
[Expert@datgwy04a]# fw tab -s -t fwx_alloc
HOST                  NAME                                ID #VALS #PEAK #SLINKS
localhost             fwx_alloc                         8187 96380 145115

Which policy is installed, and when was it changed?
fw stat -l
HOST      IF     POLICY         DATE                 TOTAL REJECT  DROP ACCEPT  LOG
localhost >s0p1  GM_C2SSN_EMEA  22Aug2012 13:27:39
localhost <s0p1  GM_C2SSN_EMEA  22Aug2012 13:27:39
localhost >s0p0  GM_C2SSN_EMEA  22Aug2012 13:27:39  245744      0    18 245726
localhost <s0p0  GM_C2SSN_EMEA  22Aug2012 13:27:39  429989      0    30 429959   30
localhost <s2p1  GM_C2SSN_EMEA  22Aug2012 13:27:39
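To turn the interface counters and connection-table figures from these health-check slides into a quick triage pass, here is an added Python example (not from the deck and not a Check Point tool) that parses the `netstat -i`, `fw tab -s -t connections` and `fw ctl pstat` output formats shown above. The sample inputs are constructed from the slide values, with receive drops added on s2p1 so there is something to flag, and the 80% connection-table warning threshold is an assumed value, not a Check Point watermark.

```python
import re

# Constructed sample `netstat -i` output modelled on the slide; s2p1 was given
# receive drops so that the check has something to report.
NETSTAT_SAMPLE = """\
Kernel Interface table
Iface       MTU Met    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
lo        16436   0  4001875      0      0      0  4001875      0      0      0 LRU
s0p0       1500   0  7562334      0      0      0  7744992      0      0      0 BMRU
s0p1       1500   0 87522045      0      0      0 87252894      0      0      0 BMRU
s2p1       1500   0  7222468      0   1532      0  7127176      0      0      0 BMRU
"""
# `fw tab -s -t connections` summary and the `fw ctl pstat | grep Connections` line from the slide.
FWTAB_SAMPLE = """\
HOST                  NAME                                ID #VALS #PEAK #SLINKS
localhost             connections                       8158 69747 119421  258651
"""
PSTAT_SAMPLE = "Concurrent Connections: 46% (70344 out of 149900) - below low watermark"

PSTAT_RE = re.compile(r"Concurrent Connections:\s+(\d+)%\s+\((\d+) out of (\d+)\)")

def parse_netstat_i(text):
    """Return {iface: {column: value}} from `netstat -i`; counters become ints, Flg stays a string."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    header = next(r for r in rows if r[0] == "Iface")
    table = {}
    for fields in rows[rows.index(header) + 1:]:
        if len(fields) == len(header):
            row = dict(zip(header, fields))
            table[row.pop("Iface")] = {k: int(v) if v.isdigit() else v for k, v in row.items()}
    return table

def interface_problems(text):
    """Interfaces with non-zero error, drop or overrun counters in either direction.
    A duplex mismatch usually shows up here first; confirm with ethtool <interface>."""
    bad = {}
    for iface, counters in parse_netstat_i(text).items():
        hits = {k: v for k, v in counters.items() if k.endswith(("-ERR", "-DRP", "-OVR")) and v}
        if hits:
            bad[iface] = hits
    return bad

def parse_fw_tab_summary(text):
    """Parse `fw tab -s -t <table>` output into {name: {id, vals, peak, slinks}}."""
    out = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[2].isdigit():
            out[f[1]] = {"id": int(f[2]), "vals": int(f[3]), "peak": int(f[4]), "slinks": int(f[5])}
    return out

def connection_usage(pstat_line):
    """Return (used, limit, percent) from the 'Concurrent Connections' line of fw ctl pstat."""
    m = PSTAT_RE.search(pstat_line)
    if not m:
        raise ValueError("no 'Concurrent Connections' line found")
    pct, used, limit = (int(x) for x in m.groups())
    return used, limit, pct

def health_findings(netstat_text, fwtab_text, pstat_line, conn_warn_pct=80):
    """Combine the checks into human-readable findings (empty list = nothing notable).
    conn_warn_pct is an assumed threshold; Check Point's own watermarks are not on the slide."""
    findings = []
    for iface, hits in sorted(interface_problems(netstat_text).items()):
        findings.append("%s: %s" % (iface, ", ".join("%s=%d" % kv for kv in sorted(hits.items()))))
    used, limit, pct = connection_usage(pstat_line)
    if pct >= conn_warn_pct:
        findings.append("connections table %d%% full (%d of %d)" % (pct, used, limit))
    conns = parse_fw_tab_summary(fwtab_text).get("connections")
    if conns and conns["peak"] >= limit:
        findings.append("connections peak %d already hit the limit of %d" % (conns["peak"], limit))
    return findings
```

On a real box, feed the functions the captured command output instead of the samples; a non-empty result from health_findings is the cue to look at ethtool or the connection-table sizing before chasing a single failed connection.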


Firewall health checks: ClusterXL

Cluster status information
[Expert@DEEDCDFGMNA001]# cphaprob state
Cluster Mode:   New High Availability (Primary Up)

Number     Unique Address  Assigned Load   State
1          172.16.1.1      100%            Active
2 (local)  172.16.1.2      0%              Standby

Display ClusterXL devices health status:
cphaprob -ia list
Display physical and cluster interfaces:
cphaprob -a if
Statistics of ClusterXL sync:
fw ctl pstat
cphaprob syncstat

Messages
Always browse through the latest entries in /var/log/messages


Analysis flow


Analysis flow: initial

Basic steps to follow when a failed connection is reported. Be sure that implied rules are logged.

Is it in the firewall log?
  Also check the log with src/dst swapped (asymmetric routing? Only return traffic on the firewall?).
  If you get a log, follow the accept or drop flow.

Is it seen on the inbound interface?
  Check with tcpdump while the connection is being tested.
  When you find packets, continue with the deep flow and fw monitor.

Upstream gateway reachable?
  Check routing for the source and ping the gateway.
  If there's no echo reply, is there at least an ARP reply? Check arp -a.

Proxy ARP needed?
  Is a NAT IP in the connected inbound network used? Check proxy ARP with fw ctl arp.

Cluster: Is the cluster IP up?
  Check that the firewall is listening on the cluster IP with cphaprob -a if.

When you reach the end of this chain: most likely routing is not okay, or there might be another firewall upstream.

Analysis flow: red

When you find a drop in the log: the red path

Spoofing?
  Is the packet arriving on the correct interface? Check return routing and the related anti-spoofing records.

Drop for the return packet only?
  Points to an asymmetric routing condition: the initial packet took another path.

Accept followed by a spoofing drop?
  Check the interface on the drop. Is it coming from the outbound interface? Then the downstream router is bouncing the packet back.

Accept followed by another drop?
  Typically caused by protocol anomalies. Example: an FTP session not adhering to Check Point's RFC interpretation.
  Might require a full tcpdump capture for further analysis.

Ordinary drop?
  Check the rulebase for ordering issues. Try recreating the rule in another position.

When you reach the end of this chain: perhaps just a rule change is required... Or you might just have discovered a bug...

Analysis flow: green

When you find an accept in the log: the green path

Check for NAT
  Check the log entry. Is NAT required? Is it properly applied?

Check destination routing
  Is the packet forwarded to the right interface and gateway?
  On historic policies: is the NAT destination route in place?

Downstream gateway reachable?
  Check routing for the destination and ping the gateway.
  If there's no echo reply, is there at least an ARP reply? Check arp -a.

Proxy ARP needed?
  Is a source NAT IP in the connected outbound network used? Check proxy ARP with fw ctl arp.

Cluster: Is the cluster IP up?
  Check that the firewall is listening on the cluster IP on the outbound interface with cphaprob -a if.

When you reach the end of this chain: most likely routing is not okay to the destination or back. There might also be another firewall downstream... Is the target up and listening?

Analysis flow: deep

Applying fw monitor: deep dive

Run fw monitor
  Try to apply a reasonable INSPECT filter to limit the volume of data.

Is the packet making it through?
  When you see the packet disappearing within the firewall chains, check for silent drops with fw ctl zdebug drop.

Is there return traffic?
  Check for return traffic. Is it going back to the correct interface? Is any NAT properly undone?

Is the source reachable?
  Can you ping the source from the firewall? There may be a problem with the upstream return route.

Time for a full packet capture
  If it all looks correct up to here, capture a full session, reproducing the problem, for offline analysis.

When you reach the end of this chain, the issue most likely is beyond what can be easily fixed.

A journey to the center of the firewall
fw monitor in detail


Packet travel through the firewall

[Diagram: a packet enters at eth0 through the OS NIC driver, passes the Check Point in chain, is routed by the OS IP stack (L3), passes the Check Point out chain and leaves through the OS NIC driver at eth1; SecureXL is shown as an optional layer in this path.]


Firewall chain principle

[Diagram: the Check Point in chain and out chain sit between the NIC and the OS IP stack (L3). Modules shown in the chains: Virtual Reassembly, wire side accounting and IP side accounting, NAT / VM, VPN Policy, VPN Dec, VPN verify and VPN Enc, FloodGate / IQ, and RTM.]

The firewall chains in real life

VPN enabled:

[Expert@datgwy04a]# fw ctl chain
in chain (19):
0: -7f800000 (f1a10ee0) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: -7d000000 (f14b6bc0) (00000003) vpn multik forward in
2: - 2000000 (f149fa90) (00000003) vpn decrypt (vpn)
3: - 1fffff8 (f14aa8c0) (00000001) l2tp inbound (l2tp)
4: - 1fffff6 (f1a12190) (00000001) Stateless verifications (in) (asm)
5: - 1fffff5 (f1d63fe0) (00000001) fw multik VoIP Forwarding
6: - 1fffff2 (f14bedb0) (00000003) vpn tagging inbound (tagging)
7: - 1fffff0 (f14a08a0) (00000003) vpn decrypt verify (vpn_ver)
8: - 1000000 (f1a5b410) (00000003) SecureXL conn sync (secxl_sync)
9:         0 (f19cb7f0) (00000001) fw VM inbound  (fw)
10:        1 (f1a27f00) (00000002) wire VM inbound  (wire_vm)
11:  2000000 (f14a29e0) (00000003) vpn policy inbound (vpn_pol)
12: 10000000 (f1a60a00) (00000003) SecureXL inbound (secxl)
13: 21500000 (f0e5a8c0) (00000001) RTM packet in (rtm)
14: 7f600000 (f1a07ed0) (00000001) fw SCV inbound (scv)
15: 7f730000 (f1b2cba0) (00000001) passive streaming (in) (pass_str)
16: 7f750000 (f1bed4c0) (00000001) TCP streaming (in) (cpas)
17: 7f800000 (f1a11260) (ffffffff) IP Options Restore (in) (ipopt_res)
18: 7fb00000 (f1bbcc70) (00000001) HA Forwarding (ha_for)
out chain (16):
0: -7f800000 (f1a10ee0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -78000000 (f14b6ba0) (00000003) vpn multik forward out
2: - 1ffffff (f14a1630) (00000003) vpn nat outbound (vpn_nat)
3: - 1fffff0 (f1bed340) (00000001) TCP streaming (out) (cpas)
4: - 1ffff50 (f1b2cba0) (00000001) passive streaming (out) (pass_str)
5: - 1ff0000 (f14bedb0) (00000003) vpn tagging outbound (tagging)
6: - 1f00000 (f1a12190) (00000001) Stateless verifications (out) (asm)
7:         0 (f19cb7f0) (00000001) fw VM outbound (fw)
8:         1 (f1a27f00) (00000002) wire VM outbound (wire_vm)
9:   2000000 (f14a2490) (00000003) vpn policy outbound (vpn_pol)
10: 10000000 (f1a60a00) (00000003) SecureXL outbound (secxl)
11: 1ffffff0 (f14aa550) (00000001) l2tp outbound (l2tp)
12: 20000000 (f14a1870) (00000003) vpn encrypt (vpn)
13: 24000000 (f0e5a8c0) (00000001) RTM packet out (rtm)
14: 7f700000 (f1bed0e0) (00000001) TCP streaming post VM (cpas)
15: 7f800000 (f1a11260) (ffffffff) IP Options Restore (out) (ipopt_res)

VPN disabled:

[Expert@DEEDCDFGMNA001]# fw ctl chain
in chain (12):
0: -7f800000 (e2590ee0) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: - 1fffff6 (e2592190) (00000001) Stateless verifications (in) (asm)
2: - 1fffff5 (e28e3fe0) (00000001) fw multik VoIP Forwarding
3: - 1000000 (e25db410) (00000003) SecureXL conn sync (secxl_sync)
4:         0 (e254b7f0) (00000001) fw VM inbound  (fw)
5:         1 (e25a7f00) (00000002) wire VM inbound  (wire_vm)
6:  10000000 (e25e0a00) (00000003) SecureXL inbound (secxl)
7:  7f600000 (e2587ed0) (00000001) fw SCV inbound (scv)
8:  7f730000 (e26acba0) (00000001) passive streaming (in) (pass_str)
9:  7f750000 (e276d4c0) (00000001) TCP streaming (in) (cpas)
10: 7f800000 (e2591260) (ffffffff) IP Options Restore (in) (ipopt_res)
11: 7fb00000 (e273cc70) (00000001) HA Forwarding (ha_for)
out chain (9):
0: -7f800000 (e2590ee0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: - 1fffff0 (e276d340) (00000001) TCP streaming (out) (cpas)
2: - 1ffff50 (e26acba0) (00000001) passive streaming (out) (pass_str)
3: - 1f00000 (e2592190) (00000001) Stateless verifications (out) (asm)
4:         0 (e254b7f0) (00000001) fw VM outbound (fw)
5:         1 (e25a7f00) (00000002) wire VM outbound (wire_vm)
6:  10000000 (e25e0a00) (00000003) SecureXL outbound (secxl)
7:  7f700000 (e276d0e0) (00000001) TCP streaming post VM (cpas)
8:  7f800000 (e2591260) (ffffffff) IP Options Restore (out) (ipopt_res)

fw monitor
Captures network traffic at different locations within the firewall chain by inserting monitor modules into the firewall chain.
Uses an INSPECT filter to capture the interesting traffic.
Syntax (simplified):
fw monitor [-e expr] [-l len] [-ci num] [-co num] [-m mask] [-o file]
Packets are inspected at 4 points by default, unless a mask is specified with the -m option, example: -m iI
-e specifies an INSPECT code line
-l limits the number of bytes per packet to keep (default: all)
-o specifies an output file. The content can be viewed later, e.g. with Wireshark.
-ci and -co: stop after num packets have been captured inbound or outbound; helpful on a loaded machine with huge traffic


fw monitor (cont.)
Simple examples

Track all traffic to or from a host that also relates to port 22 (sport or dport):
fw monitor -e "accept host(168.185.163.124) and port(22);"

Track everything, but stop after 1000 packets inbound or outbound (whatever happens first):
fw monitor -ci 1000 -co 1000

Follow bidirectional communication between a pair of hosts, also accounting for NAT. Keep only the first 128 bytes per packet and save to a capture file:
fw monitor -e "accept ((src=10.10.5.1 or src=192.109.1.1) and dst=128.30.52.37) or ((dst=10.10.5.1 or dst=192.109.1.1) and src=128.30.52.37);" -l 128 -o /var/tmp/test.cap

Don't save on parentheses, precedence can be surprising!

Too complex? There's help available:

fw monitor (cont.)
INSPECT code generator: http://decock.org/ginspect/

Generated filter:
((ip_p=6) and (dport=21 or sport=21)) and ((src=192.168.10.10 and dst=10.10.8.6) or (dst=192.168.10.10 and src=10.10.8.6)), accept;

fw monitor (cont.)
[Expert@datgwy04a]# fw monitor -e "accept host(128.30.52.37);"
monitor: getting filter (from command line)
monitor: compiling
monitorfilter:
Compiled OK.
monitor: loading
monitor: monitoring (control-C to stop)
[fw_0] Lan1:i[60]: 163.157.6.68 -> 128.30.52.37 (TCP) len=60 id=57528
TCP: 53170 -> 80 .S.... seq=36a3fd54 ack=00000000
[fw_0] Lan1:I[60]: 163.157.6.68 -> 128.30.52.37 (TCP) len=60 id=57528
TCP: 53170 -> 80 .S.... seq=36a3fd54 ack=00000000
[fw_0] Lan5:o[60]: 163.157.6.68 -> 128.30.52.37 (TCP) len=60 id=57528
TCP: 53170 -> 80 .S.... seq=36a3fd54 ack=00000000
[fw_0] Lan5:O[60]: 163.157.6.68 -> 128.30.52.37 (TCP) len=60 id=57528
TCP: 53170 -> 80 .S.... seq=36a3fd54 ack=00000000
[fw_0] Lan5:i[56]: 128.30.52.37 -> 163.157.6.68 (TCP) len=56 id=0
TCP: 80 -> 53170 .S..A. seq=e480fe4d ack=36a3fd55
[fw_0] Lan5:I[56]: 128.30.52.37 -> 163.157.6.68 (TCP) len=56 id=0
TCP: 80 -> 53170 .S..A. seq=e480fe4d ack=36a3fd55
[fw_0] Lan1:o[56]: 128.30.52.37 -> 163.157.6.68 (TCP) len=56 id=0
TCP: 80 -> 53170 .S..A. seq=e480fe4d ack=36a3fd55
[fw_0] Lan1:O[56]: 128.30.52.37 -> 163.157.6.68 (TCP) len=56 id=0
TCP: 80 -> 53170 .S..A. seq=e480fe4d ack=36a3fd55
[fw_0] Lan1:i[52]: 163.157.6.68 -> 128.30.52.37 (TCP) len=52 id=62103
TCP: 53170 -> 80 ....A. seq=36a3fd55 ack=e480fe4e
[fw_0] Lan1:I[52]: 163.157.6.68 -> 128.30.52.37 (TCP) len=52 id=62103
TCP: 53170 -> 80 ....A. seq=36a3fd55 ack=e480fe4e
[fw_0] Lan5:o[52]: 163.157.6.68 -> 128.30.52.37 (TCP) len=52 id=62103
TCP: 53170 -> 80 ....A. seq=36a3fd55 ack=e480fe4e
[fw_0] Lan5:O[52]: 163.157.6.68 -> 128.30.52.37 (TCP) len=52 id=62103
TCP: 53170 -> 80 ....A. seq=36a3fd55 ack=e480fe4e


fw monitor (cont.)
[Expert@DEEDCDFGMNA001]# fw ctl chain
in chain (14):
0: -7f800000 (e2590ee0) (ffffffff) IP Options Strip (in) (ipopt_strip)
1: -70000000 (e2571c90) (ffffffff) fwmonitor (i/f side)          <- this is i
2: - 1fffff6 (e2592190) (00000001) Stateless verifications (in) (asm)
3: - 1fffff5 (e28e3fe0) (00000001) fw multik VoIP Forwarding
4: - 1000000 (e25db410) (00000003) SecureXL conn sync (secxl_sync)
5:         0 (e254b7f0) (00000001) fw VM inbound  (fw)
6:         1 (e25a7f00) (00000002) wire VM inbound  (wire_vm)
7:  10000000 (e25e0a00) (00000003) SecureXL inbound (secxl)
8:  70000000 (e2571c90) (ffffffff) fwmonitor (IP side)           <- this is I
9:  7f600000 (e2587ed0) (00000001) fw SCV inbound (scv)
10: 7f730000 (e26acba0) (00000001) passive streaming (in) (pass_str)
11: 7f750000 (e276d4c0) (00000001) TCP streaming (in) (cpas)
12: 7f800000 (e2591260) (ffffffff) IP Options Restore (in) (ipopt_res)
13: 7fb00000 (e273cc70) (00000001) HA Forwarding (ha_for)
out chain (11):
0: -7f800000 (e2590ee0) (ffffffff) IP Options Strip (out) (ipopt_strip)
1: -70000000 (e2571c90) (ffffffff) fwmonitor (IP side)           <- this is o
2: - 1fffff0 (e276d340) (00000001) TCP streaming (out) (cpas)
3: - 1ffff50 (e26acba0) (00000001) passive streaming (out) (pass_str)
4: - 1f00000 (e2592190) (00000001) Stateless verifications (out) (asm)
5:         0 (e254b7f0) (00000001) fw VM outbound (fw)
6:         1 (e25a7f00) (00000002) wire VM outbound (wire_vm)
7:  10000000 (e25e0a00) (00000003) SecureXL outbound (secxl)
8:  70000000 (e2571c90) (ffffffff) fwmonitor (i/f side)          <- this is O
9:  7f700000 (e276d0e0) (00000001) TCP streaming post VM (cpas)
10: 7f800000 (e2591260) (ffffffff) IP Options Restore (out) (ipopt_res)
[Expert@DEEDCDFGMNA001]#
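The deep flow asks at which of the four points a packet was last seen. As an added example (not part of the original deck), the following Python script groups fw monitor text output like the capture on the previous slide by packet and reports the i/I/o/O points each one passed, so a packet that vanishes between two points is spotted without reading the output line by line. The sample is constructed from the slide's SYN, with the client's final ACK truncated after I to simulate a packet lost inside the firewall; the per-point hints are assumptions derived from the chain layout above, not Check Point documentation.

```python
import re
from collections import OrderedDict

# Capture line: [fw_0] Lan1:i[60]: 163.157.6.68 -> 128.30.52.37 (TCP) len=60 id=57528
CAPTURE_RE = re.compile(
    r"^\[(?P<inst>\w+)\]\s+(?P<iface>[^:\s]+):(?P<point>[iIoO])\[\d+\]:\s+"
    r"(?P<src>[\d.]+)\s+->\s+(?P<dst>[\d.]+)\s+\((?P<proto>\w+)\)\s+len=\d+\s+id=(?P<id>\d+)")
# Detail line that follows a TCP capture line: TCP: 53170 -> 80 .S.... seq=36a3fd54 ack=00000000
TCP_RE = re.compile(
    r"^TCP:\s+(?P<sport>\d+)\s+->\s+(?P<dport>\d+)\s+(?P<flags>\S+)\s+seq=(?P<seq>[0-9a-f]+)")

# Assumed interpretation of the last point seen (a packet addressed to the firewall itself
# legitimately stops after I, and SecureXL-accelerated packets may not show up at all).
HINTS = {
    "i":   "lost in the inbound chain: look for a drop in the log or use fw ctl zdebug drop",
    "iI":  "passed the inbound chain but was never sent out: routing / OS IP stack, or local delivery",
    "iIo": "lost in the outbound chain: check NAT and the outbound VM",
}

def parse_fw_monitor(text):
    """One dict per capture line, with the TCP detail line (ports, flags, seq) merged in."""
    packets = []
    for raw in text.splitlines():
        m = CAPTURE_RE.match(raw.strip())
        if m:
            packets.append(m.groupdict())
            continue
        t = TCP_RE.match(raw.strip())
        if t and packets:
            packets[-1].update(t.groupdict())
    return packets

def trace_packets(text):
    """Group capture lines by packet and return the (point, interface) hops in capture order.
    The IP id alone is not unique (the SYN-ACKs on the slide all carry id=0), so the TCP
    sequence number is part of the key when present."""
    traces = OrderedDict()
    for p in parse_fw_monitor(text):
        key = (p["src"], p["dst"], p["id"], p.get("seq"))
        traces.setdefault(key, []).append((p["point"], p["iface"]))
    return traces

def find_lost_packets(text, expected="iIoO"):
    """Packets that did not pass every expected point, with the last point/interface seen.
    Pass the same mask you gave fw monitor -m as `expected` (default: all four points)."""
    lost = []
    for (src, dst, ipid, _seq), hops in trace_packets(text).items():
        seen = "".join(point for point, _ in hops)
        if seen != expected:
            lost.append({"src": src, "dst": dst, "id": ipid, "seen": seen,
                         "last_point": hops[-1][0], "last_iface": hops[-1][1],
                         "hint": HINTS.get(seen, "unexpected point sequence")})
    return lost

# Constructed sample: the client SYN from the slide (complete, i -> I -> o -> O) plus the
# client's ACK cut off after I, as it would look if the packet vanished inside the firewall.
SAMPLE = """\
[fw_0] Lan1:i[60]: 163.157.6.68 -> 128.30.52.37 (TCP) len=60 id=57528
TCP: 53170 -> 80 .S.... seq=36a3fd54 ack=00000000
[fw_0] Lan1:I[60]: 163.157.6.68 -> 128.30.52.37 (TCP) len=60 id=57528
TCP: 53170 -> 80 .S.... seq=36a3fd54 ack=00000000
[fw_0] Lan5:o[60]: 163.157.6.68 -> 128.30.52.37 (TCP) len=60 id=57528
TCP: 53170 -> 80 .S.... seq=36a3fd54 ack=00000000
[fw_0] Lan5:O[60]: 163.157.6.68 -> 128.30.52.37 (TCP) len=60 id=57528
TCP: 53170 -> 80 .S.... seq=36a3fd54 ack=00000000
[fw_0] Lan1:i[52]: 163.157.6.68 -> 128.30.52.37 (TCP) len=52 id=62103
TCP: 53170 -> 80 ....A. seq=36a3fd55 ack=e480fe4e
[fw_0] Lan1:I[52]: 163.157.6.68 -> 128.30.52.37 (TCP) len=52 id=62103
TCP: 53170 -> 80 ....A. seq=36a3fd55 ack=e480fe4e
"""
```

Run find_lost_packets on the text you saved with fw monitor (or piped from it), and compare the interface at the last point with the routing you expect: an O on the wrong interface is the return-routing problem the green path describes.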


Where we actually watch the traffic

[Diagram: the packet path from slide 17, annotated with the fw monitor inspection points: i before and I after the Check Point in chain, o before and O after the Check Point out chain, with the OS IP stack (L3) in between and SecureXL as the optional layer; tcpdump captures at the OS NIC driver (eth0 / eth1), outside the Check Point chains.]


fwaccel: control SecureXL

Acceleration status
Get acceleration status or show statistics:
fwaccel stat
fwaccel stats

Enabling and disabling
Beware: disabling can have a severe performance impact. Don't do it on a firewall under high load.
fwaccel on | off

Show the acceleration connection table:
fwaccel conns


fw monitor and Wireshark

Wireshark can interpret the special info that fw monitor logs instead of the MAC address.


fw monitor and Wireshark (cont.)

The following setting is needed in Edit -> Preferences -> Protocols -> Ethernet
(screenshot of the Ethernet preferences not reproduced here)

Then you can add the Interface column.



cpeval: Firewall load analysis

New tool provided by Check Point; it runs in the background and collects statistics, e.g. for 24 hours.
Measured Data
=============
* Maximum gateway throughput: 438.720801 Mbps
* Maximum packet rate: 82312 Packets/sec
* Maximum CPU: 52%
* Maximum CPU core #0: 61%
* Maximum CPU core #1: 42%
* Maximum CPU core #2: 31%
* Maximum CPU core #3: 74%
* Maximum kernel CPU: 39%
* Maximum kernel CPU core #0: 29%
* Maximum kernel CPU core #1: 25%
* Maximum kernel CPU core #2: 30%
* Maximum kernel CPU core #3: 74%
Number of unique IPs behind gateway: 3039
Maximum concurrent connections: 50419
Maximum memory utilization: 1476 MB
Accelerated packets: 52.99%
VPN traffic: 0.00%
Detected interface packet drops: yes
Detected install policy: no
===================================

cpeval: Firewall load analysis (cont.)

Find it at
https://supportcenter.checkpoint.com/supportcenter/portal?action=portlets.DCFileAction&eventSubmit_doGetdcdetails=&fileid=13711
Copy it to the firewall and run the shell script with
./cpeval
Hint: Many installations don't have (cp)openssl in the path; it is only needed if you wish to upload the results to Check Point. Just comment it out in the shell script.
It runs in the background and will end automatically.


Questions?


Thank you


References
Helpful documents

Check Point fw monitor manual
http://www.checkpoint.com/techsupport/downloads/html/ethereal/fw_monitor_rev1_01.pdf

Extensive troubleshooting guide from Tobias Lachmann
http://blog.lachmann.org/wp-content/uploads/2010/09/2010-CPUG-CON-Tobias-Lachmann-Check-Point-Troubleshooting.pdf

Very nice KB article about performance-related analysis
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk33781
