Troubleshooting

From Fortinet Wiki

Current revision as of 24 November 2023, 17:02

Checkpoint FAQ - Troubleshooting

Preface


Data protection

        *********************************************************************
        *                                                                   *
        *  THIS FILE MAY CONTAIN CONFIDENTIAL, PRIVILEGED OR OTHER LEGALLY  *
        *      PROTECTED INFORMATION. YOU ARE PROHIBITED FROM COPYING,      *
        *    DISTRIBUTING OR OTHERWISE USING IT WITHOUT PERMISSION FROM     *
        *                   ALSO SCHWEIZ SWITZERLAND.                       *
        *                                                                   *
        *********************************************************************

"The information contained in these articles is confidential and may not be
  disclosed to third-party companies without the written consent of
                         ALSO Schweiz AG"

FW Monitor

For specific flow:
fw monitor -e 'accept (src=10.1.1.1 and dst=20.2.2.2) or (src=20.2.2.2 and dst=10.1.1.1);' -m iIoO
OR
For specific IP:
fw monitor -e 'accept (src=10.1.1.1 or dst=10.1.1.1);' -m iIoO

https://networkology.net/2014/06/30/using-fw-monitor-to-capture-traffic-flows-in-check-point-cheat-sheet/

DHCP


How do I find out whether my Check Point is blocking DHCP requests?

fw ctl zdebug drop lists every dropped packet in real time and states why the packet was dropped. If you have trouble verifying whether packets are being dropped by the firewall (i.e. you cannot see the dropped packets in SmartView Tracker, or you have no access to SmartView Tracker), you can use this as an alternative. If you still see no traffic, the packets most likely never reach the firewall. To verify that precisely, check with tcpdump on the ingress interface: if tcpdump shows the DHCP requests but zdebug shows no drops, the packets arrive but are handled elsewhere; if zdebug shows drops, the rule number in the Reason field tells you which rulebase rule rejects them.


[Expert@CP_Test:0]# fw ctl zdebug + drop | grep :67
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:68 -> 255.255.255.255:67 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 28;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:68 -> 255.255.255.255:67 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 28;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:68 -> 255.255.255.255:67 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 28;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:68 -> 255.255.255.255:67 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 28;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:68 -> 255.255.255.255:67 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 28;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 192.168.1.117:68 -> 255.255.255.255:67 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 28;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 192.168.1.1:67 -> 255.255.255.255:68 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 29;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:68 -> 255.255.255.255:67 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 28;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:68 -> 255.255.255.255:67 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 28;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:68 -> 255.255.255.255:67 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 28;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:68 -> 255.255.255.255:67 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 28;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:68 -> 255.255.255.255:67 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 28;

[Expert@CP_Test:0]# tcpdump -nnnei eth7 port 67 or 68
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth7, link-type EN10MB (Ethernet), capture size 96 bytes
11:36:12.842806 d0:d3:e0:c8:41:bc > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 526: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:d3:e0:c8:41:bc, length: 484
11:36:14.552714 d0:d3:e0:c8:41:bc > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 526: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:d3:e0:c8:41:bc, length: 484
11:36:16.192722 d0:d3:e0:c8:41:bc > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 526: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:d3:e0:c8:41:bc, length: 484
11:36:17.488312 90:fb:5b:8e:32:c0 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 358: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 90:fb:5b:8e:32:c0, length: 316
11:36:19.500903 90:fb:5b:8e:32:c0 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 358: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 90:fb:5b:8e:32:c0, length: 316
11:36:23.525974 90:fb:5b:8e:32:c0 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 358: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 90:fb:5b:8e:32:c0, length: 316
11:36:31.576122 90:fb:5b:8e:32:c0 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 358: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 90:fb:5b:8e:32:c0, length: 316
11:36:38.428793 d0:d3:e0:c8:41:bc > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 526: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:d3:e0:c8:41:bc, length: 484
11:36:40.402802 d0:d3:e0:c8:41:bc > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 526: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:d3:e0:c8:41:bc, length: 484
11:36:42.408770 d0:d3:e0:c8:41:bc > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 526: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from d0:d3:e0:c8:41:bc, length: 484
11:36:48.703262 90:fb:5b:8e:32:c0 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 358: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 90:fb:5b:8e:32:c0, length: 316
11:36:50.715754 90:fb:5b:8e:32:c0 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 358: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 90:fb:5b:8e:32:c0, length: 316
11:36:54.740823 90:fb:5b:8e:32:c0 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 358: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 90:fb:5b:8e:32:c0, length: 316
11:37:02.791062 90:fb:5b:8e:32:c0 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 358: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 90:fb:5b:8e:32:c0, length: 316
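The zdebug output above is verbose and repetitive, so it helps to parse it and count which rule is rejecting the DHCP traffic in each direction. The script below is an added example, not part of the wiki article or a Check Point tool; the sample lines are constructed after the page's output (the rule numbers and addresses are illustrative).

```python
"""Summarise DHCP drops from 'fw ctl zdebug + drop' output (added example)."""
import re
from collections import Counter

# Matches the drop records written by fw_log_drop_ex in 'fw ctl zdebug + drop'.
DROP_RE = re.compile(
    r"fw_log_drop_ex: Packet proto=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"dropped by (?P<func>\w+) Reason: (?P<reason>.+?);?$"
)
RULE_RE = re.compile(r"rule (\d+)")
DHCP_PORTS = {67, 68}  # BOOTP/DHCP server and client ports

def parse_drop(line):
    """Return a dict for one drop record, or None if the line is not one."""
    m = DROP_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    r = RULE_RE.search(rec["reason"])
    rec["rule"] = int(r.group(1)) if r else None  # None: drop not caused by a rule
    return rec

def dhcp_drops_by_rule(lines):
    """Count UDP drops touching port 67/68, keyed by (direction, rule number)."""
    counts = Counter()
    for line in lines:
        rec = parse_drop(line)
        if rec is None or rec["proto"] != 17:          # 17 = UDP
            continue
        if not ({rec["sport"], rec["dport"]} & DHCP_PORTS):
            continue
        direction = "client->server" if rec["dport"] == 67 else "server->client"
        counts[(direction, rec["rule"])] += 1
    return counts

# Constructed sample modelled on the page's output; not a real capture.
SAMPLE = """\
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:68 -> 255.255.255.255:67 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 28;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 192.168.1.1:67 -> 255.255.255.255:68 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 29;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=6 10.0.0.5:51000 -> 10.0.0.9:443 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 12;
;[cpu_1];[fw4_0];fw_log_drop_ex: Packet proto=17 0.0.0.0:68 -> 255.255.255.255:67 dropped by fw_handle_first_packet Reason: Rulebase reject - rule 28;
""".splitlines()

if __name__ == "__main__":
    for (direction, rule), n in sorted(dhcp_drops_by_rule(SAMPLE).items()):
        print(f"{direction}: {n} DHCP packet(s) dropped by rule {rule}")
```

On a gateway, feed the live output in with `fw ctl zdebug + drop | python3 thisscript.py` after replacing SAMPLE with `sys.stdin`; a non-DHCP drop (the TCP line in the sample) is ignored rather than miscounted.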