How to take a packet trace on a Juniper ISG 2000 firewall

There are many debug commands that you can run to troubleshoot problems on Juniper firewalls. The most commonly used debugs are:

Debug flow basic
shows the flow of traffic through the firewall, letting you troubleshoot route selection, policy selection, any address translation, and whether the packet is received or dropped by the firewall.

Debug ike detail
shows all of the VPN messages exchanged between two devices while the VPN is being set up. Useful for finding problems between Juniper and 3rd-party firewalls, or configuration problems.

Other debugs let you troubleshoot routing protocols, AV, deep inspection, high availability, NAT and many other features. You can find out what others there are by typing ‘debug ?’ on the CLI.

Debug captures are sent to a buffer by default but can be sent to the console instead.

Buffer commands:
get dbuf info – Displays debug buffer size in bytes

get dbuf stream – Displays the contents of the debug buffer

set dbuf size – Allocates system memory for the debug buffer

clear dbuf – Clears the contents of the debug buffer

Here are best practices for running debug flow basic and how to read the output.

Debug Flow basic

1) get ffilter – see if any filters have already been set; if they have, use ‘unset ffilter’ to remove them

2) set ffilter – lets you limit the traffic that you capture using src-ip, src-port, dst-ip, dst-port and ip-proto. Recommended, as debug flow basic can be intensive on the firewall, especially if it is under heavy load.

Filters written on one line form an ‘AND’ statement, e.g. set ffilter src-ip 10.1.1.1 dst-ip 2.2.2.2 will match packets from 10.1.1.1 AND to 2.2.2.2.

Filters on separate lines form ‘OR’ statements, e.g. set ffilter src-ip 10.1.1.1 followed by set ffilter dst-ip 2.2.2.2 will match packets from 10.1.1.1 OR to 2.2.2.2.

3) debug flow basic – turns on flow debugging at the basic logging level

4) clear db – makes sure there is nothing in the debug buffer left over from previous debugs

5) Begin the test: do a ping or try to access the resource that you are having problems with.

6) undebug all or press the Esc key – turns off the debug

7) get db str – reads the debug buffer and outputs it to the screen for reading

8) unset ffilter – removes the filters when you are finished
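The Python script below is an added example, not code from the original post or from Juniper. It does two things that support the procedure above: it models the ffilter semantics from step 2 (fields on one set ffilter line are ANDed, separate lines are ORed) so you can check what a filter set would capture before putting a debug on a loaded firewall, and it summarises the buffer you read back in step 7 into one line per packet (ingress interface, 5-tuple, egress interface, policy verdict, NAT and session id). The debug lines embedded in it are constructed to resemble ScreenOS ‘debug flow basic’ output; the exact wording varies between releases, so adjust the regular expressions if a line is not picked up.

```python
"""Helpers for the ScreenOS 'debug flow basic' workflow (constructed example,
not Juniper code). Part 1 models ffilter AND/OR semantics; part 2 summarises
'get db str' output. SAMPLE_DEBUG below is constructed to resemble ScreenOS
output and is not a capture from a real device."""
import re
from dataclasses import dataclass
from typing import Optional

FILTER_FIELDS = ("src-ip", "dst-ip", "src-port", "dst-port", "ip-proto")


def ffilter_commands(filters):
    """Render each filter (a dict of field -> value) as one 'set ffilter' line."""
    lines = []
    for flt in filters:
        parts = [f"{k} {flt[k]}" for k in FILTER_FIELDS if k in flt]
        lines.append("set ffilter " + " ".join(parts))
    return lines


def ffilter_matches(filters, packet):
    """True if the packet would be captured. No filters means capture everything;
    within one filter every given field must match (AND), and a packet is
    captured if any filter matches (OR). Unspecified fields are wildcards."""
    if not filters:
        return True
    return any(all(packet.get(k) == v for k, v in flt.items()) for flt in filters)


@dataclass
class PacketTrace:
    in_if: str = ""
    src: str = ""            # ip/port as printed in the 5-tuple line
    dst: str = ""
    proto: str = ""
    out_if: str = ""
    verdict: str = "unknown"  # permit / deny / unknown
    policy_id: Optional[int] = None
    nat: str = ""            # post-translation addresses, if any
    session_id: Optional[int] = None


# Markers assumed from the common ScreenOS debug flow basic format.
PKT_START = re.compile(r"<(?P<zone>[^/]+)/(?P<ifname>[^>]+)> packet received")
TUPLE = re.compile(r"^(?P<ifname>\S+):(?P<src>\d+\.\d+\.\d+\.\d+/\d+)->"
                   r"(?P<dst>\d+\.\d+\.\d+\.\d+/\d+),(?P<proto>\d+)<")
ROUTED = re.compile(r"routed \(x_dst_ip \S+\) from (?P<in>\S+) \(.*\) to (?P<out>\S+)")
PERMIT = re.compile(r"Permitted by policy (?P<id>\d+)")
DENY = re.compile(r"denied by policy(?: (?P<id>\d+))?", re.IGNORECASE)
NAT = re.compile(r"post addr xlation: (?P<xl>\S+?)\.?$")
SESSION = re.compile(r"Session \(id:(?P<id>\d+)\) created")


def parse_debug_flow(text):
    """Split 'get db str' output into one PacketTrace per 'packet received' block."""
    packets, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = PKT_START.search(line)
        if m:
            cur = PacketTrace(in_if=m.group("ifname"))
            packets.append(cur)
            continue
        if cur is None:
            continue
        if (m := TUPLE.match(line)):
            cur.src, cur.dst, cur.proto = m.group("src"), m.group("dst"), m.group("proto")
        elif (m := ROUTED.search(line)):
            cur.out_if = m.group("out")
        elif (m := PERMIT.search(line)):
            cur.verdict, cur.policy_id = "permit", int(m.group("id"))
        elif (m := DENY.search(line)):
            cur.verdict = "deny"
            cur.policy_id = int(m.group("id")) if m.group("id") else None
        elif (m := NAT.search(line)):
            cur.nat = m.group("xl")
        elif (m := SESSION.search(line)):
            cur.session_id = int(m.group("id"))
    return packets


def summarize(packets):
    """One human-readable line per packet, in the order the buffer recorded them."""
    out = []
    for p in packets:
        s = f"{p.in_if} {p.src}->{p.dst} proto {p.proto}: {p.verdict}"
        s += f" (policy {p.policy_id})" if p.policy_id is not None else ""
        s += f" via {p.out_if}" if p.out_if else ""
        s += f" nat {p.nat}" if p.nat else ""
        s += f" session {p.session_id}" if p.session_id is not None else ""
        out.append(s)
    return out


# Constructed sample: one permitted, NATed HTTP flow and one telnet attempt denied by policy.
SAMPLE_DEBUG = """\
****** 12345.0: <trust/ethernet1> packet received [60]******
  ipid = 4660(1234), @0c8a1b2c
  packet passed sanity check.
  ethernet1:10.1.1.1/1024->2.2.2.2/80,6<Root>
  no session found
  flow_first_routing: in <ethernet1>, out <N/A>
  routed (x_dst_ip 2.2.2.2) from ethernet1 (ethernet1 in 0) to ethernet3
  policy search from zone 2-> zone 1
  Permitted by policy 5
  dip id = 2, 10.1.1.1/1024->1.1.1.1/1024
  post addr xlation: 1.1.1.1/1024->2.2.2.2/80.
  Session (id:24680) created for first pak 5
****** 12346.0: <trust/ethernet1> packet received [60]******
  packet passed sanity check.
  ethernet1:10.1.1.1/1025->2.2.2.2/23,6<Root>
  no session found
  routed (x_dst_ip 2.2.2.2) from ethernet1 (ethernet1 in 0) to ethernet3
  policy search from zone 2-> zone 1
  packet dropped, denied by policy
"""

if __name__ == "__main__":
    print("\n".join(ffilter_commands([{"src-ip": "10.1.1.1", "dst-ip": "2.2.2.2"}])))
    print("\n".join(summarize(parse_debug_flow(SAMPLE_DEBUG))))
```

Run it as-is to see the filter line it would generate and the two-line summary of the constructed buffer; to use it on a real capture, paste the output of get db str into a file and pass its contents to parse_debug_flow. The summary makes the common questions quick to answer: which interface the packet arrived on, where the route sent it, which policy allowed or denied it, and whether a session was created.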
