Firewall Training

Troubleshooting Enablement

 

Basic Troubleshooting Methodologies

 

Options for Information and Support

 

Status Monitoring Tools

 

Maintenance Mode

 

Lab – Tech Support Files

• Validate the basic functionality of your lab environment
• Use the web interface to get a Tech Support File
• Decompress the Tech Support File
• Explore the Tech Support File

Lab – Use the CLI to Export a Tech Support File Lab

• Use the CLI to generate a Tech Support File
• Use the CLI to export a Tech Support File
• Validate the exported Tech Support File

Scope and Structure of the CLI

• Operational vs Configuration Mode
• Network discovery use case
• Configuration Mode
• Data Displayed Through less
• Syntax and feedback for invalid commands

Displaying and navigating command output

 

Using the CLI as a troubleshooting tool

 

Lab – CLI Fundamentals

• Import, Load, and Commit a Configuration File
• Confirm the Current Device Configuration
• Explore Options for Changing Other Device Settings
• Change the Current Device Setting

Lab – Use the CLI to Modify Policy Objects

• Review the Existing Policy Configuration
• Examine a Configuration and Discover Options for How to Modify It
• Modify Object Parameters
• Review Changes and Commit the Configuration
• Test URL Filtering Profile Changes

Session Flow and App-ID

 

Flow Logic Overview

 

TCP Sessions and States

 

Flow Logic Details

• Key terms
• Data flows per processing stage

Lab – Tracing Packet Flow

• Open an existing packet-diagnostics file
• Trace the first packet through the firewall
• Trace the second packet
• Trace the content inspection of a packet
• Identify firewall-generated packets
• Identify dropped packets and the session end

Packet Capture Concepts

 

Configuring Packet Captures

• Using the web interface
• Using the CLI

Lab

• Test baseline functionality
• Configure a packet filter
• Test session marking
• Configure capture stages
• Turn on packet capture and capture packets
• Analyze the pcaps
• Add a Security policy configuration to drop traffic
• Reconfigure the filter
• Capture and analyze the pcaps

Debug-level Diagnostic Log Features

 

Usage Best Practices

 

Interpreting flow-basic output

 

Hardware assistance and offloading

 

Lab

• Start-up and verify external connectivity to the FTP server
• Verify the problem with the internal client
• Examine firewall Traffic logs and Threat logs
• Configure the packet filter
• Check global counters
• Configure and run packet capture and flow basic
• Interpret the flow-basic log and pcaps
• Implement a solution and verify it
• Check logs and enable logging for increased visibility

Troubleshoot Transit Traffic

• Re-create the issue
• Discover the network – check interface IPs, routing, ARP
• Traffic logs
• Session table
• Set filter and check global counter
• Debug flow basic and packet captures

Lab – App-ID and Torrents

• Apply a baseline configuration to the firewall
• Torrent sites
• Traffic log: Application data
• Enable traffic
• Test policy rule “deny”
• Policy rule to block torrents
• Add a File Blocking Profile

Lab – Blocking Tor

• Lab challenge and checklist
• Solution: Security policy to block Tor App-ID
• Solution: Use application filters
• Solution: Block risky URL categories
• Solution: Deny unknown applications
• Solution: Block untrusted and expired certificates with a Decryption Profile
• Solution: Turn on SSL decryption
• Solution: Implement an External Dynamic List (EDL)

Host-Inbound Traffic

 

Management Services

 

Lab – Host-Inbound Traffic NTP Example 

• Apply a baseline configuration to the firewall
• Review the System log
• Use CLI commands to get more information
• Use tcpdump to capture packets
• Diagnose the problem
• Questions for discussion

VPN Concept

 

VPN Troubleshooting

 

Lab – VPN Traffic Case A 

• Review the network topology and verify the problem
• Check routing and security policy rules
• Change strategy: Try a top-down approach instead
• Check the health of the VPN tunnel
• Initiate VPN connection from the remote network
• Troubleshoot as the responder
• Check proxy ID settings and correct the problem

Lab – VPN Traffic Case B

• Verify a problem with SFTP access to a web server
• Review the Traffic logs and System logs
• Check the high-level health indicators for the tunnel
• Troubleshoot as the responder
• Fix the problem and verify functionality

Identifying performance issues

 

Baseline service performance

 

Performance Troubleshooting use cases

 

System Services Daemons

 

Gathering more data

 

Lab

• Check running services
• Review the logs for a specific service
• Change the debug log level for a service
• Restart a service
• Restart a service and monitor a data-plane session
• Investigate the event

Verify that SSL decryption is applied via certificate chain

 

Accessing site via its IP vs FQDN

 

Intermediate CA missing

• SSL Labs
• Session end reason
• Show session flag | count yes
• Show counter global filter category proxy

Exclude URLs / certificates without pinching holes into the FireWall

 

Client authentication and SSL Decryption Exclusion

 

External factors that complicate SSL decryption

 

Lab

• Apply a baseline configuration to the firewall
• Verify the functionality of SSL decryption
• Create a tag and a dynamic address group
• Create a Decryption policy rule
• Create custom Vulnerability signatures
• Configure a Log Forwarding profile
• Configure a Vulnerability Protection profile to generate alerts
• Add the Log Forwarding profile to a Security policy rule
• Test the configuration and confirm results

User-ID Mapping Flow

 

User-ID Troubleshooting

• Recreate the issue, no users showing log
• System log, verify and fix user mapping issue
• show user ip-user-mapping all
• Event log
• Verify ldap connectivity
• Show user user-ids match-user xxx
• Verify group mapping in security policy incl. ldap browser
• Verify group users matches IP user

Lab

• Apply a baseline configuration to the firewall
• Diagnose and fix the problem
• Review reference information
• Solution: Enable User-ID on the correct zone
• Solution: Fix the LDAP Server Profile
• Solution: Fix the Authentication Profile Server type
• Solution: Add the correct IP for server monitoring

Connection Sequence

 

GlobalProtect Troubleshooting

• system log – check and fix group mapping
• Verify certificate
• Check internal host detection
• Review support file

Lab

• Apply a baseline configuration
• Download the GlobalProtect agent
• Connect to the external gateway
• Disconnect the connected user
• Advanced scenario: Pre-logon and certificates

Case management

 

Hardware failure and return merchandise authorizations (RMAs)

 

Escalation and support events