Capture Packet statistics on Firewall

Publication Date: 2017-11-11
Issue Description

Capturing packets is a basic troubleshooting step for finding the root cause of a reported issue.

Sometimes it is difficult to deploy a sniffer at the inbound or outbound interfaces of the Firewall, yet it is still necessary to confirm whether packets are reaching the Firewall or leaving it.

The following process can be used to capture packet statistics on Firewalls. It can be adapted to the kind of packets whose behavior needs to be analyzed.

Handling Process

The following example is used to check whether ICMP packets have been received by the Firewall and how they were processed (Discard | Forward).

 

1.       Configure an ACL. If a specific type of packet is reported, filter it with an advanced ACL.

NOTE: The ACL can be modified based on the kind of packet to be captured (IP, UDP, TCP, ICMP, etc.), as well as SOURCE-IP, DESTINATION-IP, SOURCE-PORT, DESTINATION-PORT.

 

[R3ROUTER-1]acl 3999                                                                                    

[R3ROUTER-1-acl-adv-3999]rule 5 permit icmp source 172.16.100.50 0  destination 10.20.30.1 0                                                                   

[R3ROUTER-1-acl-adv-3999]rule 10 permit icmp source 10.20.30.1 0 destination 172.16.100.50 0                                                                    

[R3ROUTER-1-acl-adv-3999]display this                                          

[V200R007C00SPCb00]                                                            

#                                                                               

acl number 3999                                                                

 rule 5 permit icmp source 172.16.100.50 0 destination 10.20.30.1 0            

 rule 10 permit icmp source 10.20.30.1 0 destination 172.16.100.50 0           

#           

       

2.       Go to diagnose view

[RACK-3-USG6370-AC]diagnose                                                    

11:19:15  2017/08/30                                                            

Now you enter a diagnose command view for developer's testing, some commands   

may affect operation by wrong use, please carefully use it with HUAWEI         

engineer's direction.                                                          

[RACK-3-USG6370-AC-diagnose]  


3.       Enable statistics for the ACL defined in step (1).

[RACK-3-USG6370-AC-diagnose]firewall statistic acl 3999 enable                 

11:19:59  2017/08/30                                                           

 Start the ACL statistic.                                                       

[RACK-3-USG6370-AC-diagnose] 


4.       Display statistics.

[RACK-3-USG6370-AC-diagnose]display firewall statistic acl                     

11:20:42  2017/08/30                                                           

                                                                                

 Current Show sessions count: 1                                                

                                                                                

 Protocol(UDP) SourceIp(10.124.188.200) DestinationIp(192.168.251.71)          

 SourcePort(49213) DestinationPort(162) VpnIndex(public)                       

                 RcvnFrag    RcvFrag     Forward     DisnFrag    DisFrag       

 Obverse(pkts) : 1           0           1           0           0             

 Reverse(pkts) : 0           0           0           0           0             

                                                                                

 Discard detail information:                                                   

                                                                                

                                                                                

                                                                                

[RACK-3-USG6370-AC-diagnose] 


5.       To clear the statistics and test again, use the following commands.

[RACK-3-USG6370-AC-diagnose]undo firewall statistic                            

11:22:04  2017/08/30                                                           

 Stop the ACL statistic                                                        

[RACK-3-USG6370-AC-diagnose]reset firewall statistic acl all                   

11:22:10  2017/08/30                                                           

  will reset all ACL statistic! Continue?[Y/N]:y                               

[RACK-3-USG6370-AC-diagnose]                                                   

[RACK-3-USG6370-AC-diagnose]    

Root Cause

When the statistics are displayed from the diagnose view, they show how the packets have been processed.

The fields are:

     RcvnFrag = Number of frames received by the Firewall.

     Forward = Frames forwarded to the destination by the Firewall.

     DisnFrag = Frames discarded by the Firewall (because of a policy).

     Discard detail information = If a frame was discarded by the Firewall, this section shows the main reason. It may show the name of the policy that discarded the frame.
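
A parser for the "display firewall statistic acl" output shown in step 4, added here as an example (it is not Huawei's code). The function names are hypothetical, and treating RcvFrag/DisFrag as the fragmented-packet counterparts of RcvnFrag/DisnFrag is an assumption, since the page defines only RcvnFrag, Forward and DisnFrag.

```python
import re

# Output of "display firewall statistic acl", copied from step 4 of this page.
SAMPLE = """\
 Current Show sessions count: 1

 Protocol(UDP) SourceIp(10.124.188.200) DestinationIp(192.168.251.71)
 SourcePort(49213) DestinationPort(162) VpnIndex(public)
                 RcvnFrag    RcvFrag     Forward     DisnFrag    DisFrag
 Obverse(pkts) : 1           0           1           0           0
 Reverse(pkts) : 0           0           0           0           0

 Discard detail information:
"""

KEYVAL = re.compile(r"(\w+)\(([^)]*)\)")            # e.g. SourceIp(10.1.1.1)
COUNTERS = re.compile(r"^\s*(Obverse|Reverse)\(pkts\)\s*:\s*(.+)$")

def parse_sessions(text):
    """Return one dict per session: flow fields plus per-direction counters."""
    sessions, columns = [], []
    for line in text.splitlines():
        m = COUNTERS.match(line)
        if m and sessions:
            values = [int(v) for v in m.group(2).split()]
            sessions[-1][m.group(1)] = dict(zip(columns, values))
        elif "RcvnFrag" in line:                    # counter header row
            columns = line.split()
        elif line.lstrip().startswith("Protocol("): # start of a new session
            sessions.append(dict(KEYVAL.findall(line)))
        elif sessions and "Obverse" not in sessions[-1]:
            sessions[-1].update(KEYVAL.findall(line))
    return sessions

def verdict(c):
    """Summarise one direction. Assumption: RcvFrag/DisFrag are the
    fragmented-packet counterparts of RcvnFrag/DisnFrag."""
    received = c["RcvnFrag"] + c["RcvFrag"]
    discarded = c["DisnFrag"] + c["DisFrag"]
    if received == 0:
        return "not seen by firewall"
    if discarded:
        return "discarded %d of %d" % (discarded, received)
    return "forwarded" if c["Forward"] >= received else "partly forwarded"

if __name__ == "__main__":
    for s in parse_sessions(SAMPLE):
        print(s["Protocol"], s["SourceIp"], "->", s["DestinationIp"])
        for direction in ("Obverse", "Reverse"):
            print(" ", direction, verdict(s[direction]))
```

For the sample above, the Obverse direction is reported as forwarded and the Reverse direction as not seen by the firewall, which points the investigation at the return path rather than at a firewall policy.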

Solution

After analyzing the ACL statistics from the diagnose view, action can be taken based on them.

Suggestions

Do not forget to disable the statistics, because they consume USG resources.


[RACK-3-USG6370-AC-diagnose]undo firewall statistic                            

11:22:04  2017/08/30                                                           

                                Stop the ACL statistic   

