Date: 04-18-2023 09:17 AM
Hello, community!
Today we will look at the various troubleshooting commands that Secure Firewall provides.
pigtail
> expert
admin@ftd01:~$ sudo su
Password:
root@ftd01:~#
root@ftd01:~# pigtail all
system support firewall-engine-debug
> system support firewall-engine-debug
Please specify an IP protocol: icmp
Please specify a client IP address: 10.0.1.100
Please specify a server IP address: 8.8.8.8
Monitoring firewall engine debug messages
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 Deleting session
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 deleting firewall session flags = 0x10001, fwFlags = 0x100, session->logFlags = 0516008c0
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 Logging EOF as part of session delete with rule_id = 268434433 ruleAction = 2 ruleReason = 0
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 new firewall session
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 using HW or preset rule order 2, 'All-Allow', action Allow and prefilter rule 0
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 HitCount data sent for rule id: 268434433,
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 allow action
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 Deleting session
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 deleting firewall session flags = 0x10001, fwFlags = 0x100, session->logFlags = 0516008c0
system support trace
> system support trace
Enable firewall-engine-debug too? [n]: n
Please specify an IP protocol: tcp
Please specify a client IP address: 10.0.1.100
Please specify a client port:
Please specify a server IP address: 0.0.0.0
Please specify a server port:
WARNING: Running trace with generic filters might cause CPU spike !
Monitoring packet tracer and firewall debug messages
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 Packet: TCP, SYN, seq 2465640909
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 Session: new snort session
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 AppID: service unknown (0), application unknown (0)
10.0.1.100-15382 > 20.54.25.4-443 6 AS 1-1 I 1 new firewall session
10.0.1.100-15382 > 20.54.25.4-443 6 AS 1-1 I 1 using HW or preset rule order 2, 'All-Allow', action Allow and prefilter rule 0
10.0.1.100-15382 > 20.54.25.4-443 6 AS 1-1 I 1 HitCount data sent for rule id: 268434433,
10.0.1.100-15382 > 20.54.25.4-443 6 AS 1-1 I 1 allow action
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 Firewall: allow rule, 'All-Allow', allow
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 Snort id 1, NAP id 2, IPS id 1, Verdict PASS
20.54.25.4-443 - 10.0.1.100-15382 6 AS 1-1 CID 0 Packet: TCP, SYN, ACK, seq 3167416656, ack 2465640910
20.54.25.4-443 - 10.0.1.100-15382 6 AS 1-1 CID 0 AppID: service unknown (0), application unknown (0)
20.54.25.4-443 - 10.0.1.100-15382 6 AS 1-1 CID 0 Firewall: allow rule, 'All-Allow', allow
20.54.25.4-443 - 10.0.1.100-15382 6 AS 1-1 CID 0 Snort id 1, NAP id 2, IPS id 1, Verdict PASS
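The per-line format of `system support trace` (and of `firewall-engine-debug`, whose `I <n>` lines use the same prefix) is easy to read for one flow but hard to scan across many. This added Python example, not part of the original post, groups trace lines by flow (both directions merged) and pulls out the access-control rule that matched, its action, and each Snort verdict; the sample is a constructed, trimmed copy of the lines above.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the "system support trace" output shown above (trimmed).
SAMPLE_TRACE = """\
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 Packet: TCP, SYN, seq 2465640909
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 Session: new snort session
10.0.1.100-15382 > 20.54.25.4-443 6 AS 1-1 I 1 using HW or preset rule order 2, 'All-Allow', action Allow and prefilter rule 0
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 Firewall: allow rule, 'All-Allow', allow
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 Snort id 1, NAP id 2, IPS id 1, Verdict PASS
20.54.25.4-443 - 10.0.1.100-15382 6 AS 1-1 CID 0 Packet: TCP, SYN, ACK, seq 3167416656, ack 2465640910
20.54.25.4-443 - 10.0.1.100-15382 6 AS 1-1 CID 0 Snort id 1, NAP id 2, IPS id 1, Verdict PASS
"""

# "<ip>-<port> [-|>] <ip>-<port> <proto> AS <x-y> (CID|I) <n> <message>"
LINE_RE = re.compile(
    r"^(?P<a>[\d.]+)-(?P<ap>\d+) [->] (?P<b>[\d.]+)-(?P<bp>\d+) (?P<proto>\d+) "
    r"AS (?P<asn>\S+) (?:CID|I) (?P<inst>\d+) (?P<msg>.*)$")
RULE_RE = re.compile(r"rule order (?P<order>\d+), '(?P<name>[^']+)', action (?P<action>\w+)")
VERDICT_RE = re.compile(r"Verdict (?P<verdict>\w+)$")

def parse_trace(text):
    """Group trace lines by flow (direction-independent key) and record what decided the flow."""
    flows = defaultdict(lambda: {"packets": [], "rule": None, "action": None, "verdicts": []})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompts and the "Monitoring ..." banner are not per-flow records
        ends = sorted([(m["a"], int(m["ap"])), (m["b"], int(m["bp"]))])
        f = flows[(ends[0], ends[1], int(m["proto"]))]
        msg = m["msg"]
        rule, verdict = RULE_RE.search(msg), VERDICT_RE.search(msg)
        if msg.startswith("Packet:"):
            # "Packet: TCP, SYN, ACK, seq ..., ack ..." -> keep sender and the upper-case flag tokens
            flags = [t.strip() for t in msg.split(",")[1:] if t.strip().isupper()]
            f["packets"].append((m["a"], flags))
        elif rule:
            f["rule"], f["action"] = rule["name"], rule["action"]
        elif verdict:
            f["verdicts"].append(verdict["verdict"])
    return dict(flows)

def flows_not_passed(flows):
    """Triage shortlist: flows whose rule action was not Allow or that got a non-PASS Snort verdict."""
    return [k for k, f in flows.items()
            if f["action"] != "Allow" or any(v != "PASS" for v in f["verdicts"])]
```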
packet-tracer
> packet-tracer input outside tcp 10.1.1.1 5555 10.1.10.10 3389 detailed
Phase: 1
Type: CAPTURE
Subtype:
Result: ALLOW
Config:
Additional Information:
MAC Access list
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list
Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,dmz) source dynamic any interface destination static interface Win7-vm service rdp-outside rdp-outside
Additional Information:
NAT divert to egress interface dmz
Untranslate 10.1.10.10/3389 to 192.168.103.221/3389
capture
> capture TEST interface inside match ip host 10.0.1.100 host 31.13.82.174
>
> show capture TEST
412 packets captured
1: 12:43:17.807804 10.0.1.100.64726 > 31.13.82.174.443: udp 1357
2: 12:43:17.838427 10.0.1.100.16342 > 31.13.82.174.443: S 4034083060:4034083060(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK>
3: 12:43:17.851793 31.13.82.174.443 > 10.0.1.100.64726: udp 1232
4: 12:43:17.851793 31.13.82.174.443 > 10.0.1.100.64726: udp 1232
5: 12:43:17.851793 31.13.82.174.443 > 10.0.1.100.64726: udp 1232
6: 12:43:17.851808 31.13.82.174.443 > 10.0.1.100.64726: udp 1089
capture ethernet-type
> capture ARP ethernet-type
>
> show capture ARP
3 packets captured
1: 12:45:23.799397 arp who-has 192.168.7.222 tell 192.168.7.222
2: 12:45:27.937375 arp who-has 192.168.7.10 tell 192.168.7.201
3: 12:45:28.532397 arp who-has 192.168.7.10 tell 192.168.7.201
3 packets shown
capture-traffic
> capture-traffic
Please choose domain to capture traffic from:
0 - eth0
1 - Global
Selection? 1
Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options: host 10.0.1.100
13:26:12.391840 IP 10.0.1.100.16529 > server-99-84-238-186.sfo5.r.cloudfront.net.https: Flags [S], seq 3205497269, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
13:26:12.391840 IP 10.0.1.100.49674 > edge-star-mini-shv-01-nrt1.facebook.com.443: UDP, length 1250
13:26:12.391840 IP 10.0.1.100.49674 > edge-star-mini-shv-01-nrt1.facebook.com.443: UDP, length 76
13:26:12.391840 IP 10.0.1.100.49674 > edge-star-mini-shv-01-nrt1.facebook.com.443: UDP, length 498
13:26:12.441841 IP edge-star-mini-shv-01-nrt1.facebook.com.443 > 10.0.1.100.49674: UDP, length 1232
13:26:12.441841 IP edge-star-mini-shv-01-nrt1.facebook.com.443 > 10.0.1.100.49674: UDP, length 210
top
> expert
root@firepower:~# top
top - 10:13:58 up 5:21, 3 users, load average: 0.18, 0.33, 0.28
Tasks: 160 total, 1 running, 155 sleeping, 0 stopped, 4 zombie
%Cpu(s): 0.7 us, 1.3 sy, 0.4 ni, 94.3 id, 3.3 wa, 0.0 hi, 0.0 si, 0.0 st
MiB Mem : 7982.9 total, 3212.7 free, 4373.2 used, 397.0 buff/cache
MiB Swap: 5378.2 total, 5378.2 free, 0.0 used. 3384.7 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
2987 root 25 5 491200 6492 5148 S 6.0 0.1 18:57.05 loggerd
3216 root 0 -20 2547216 1.0g 126548 S 3.7 13.3 11:06.11 lina
4787 root 20 0 415592 13356 7504 S 0.7 0.2 0:43.35 sftunnel
10 root 20 0 0 0 0 I 0.3 0.0 0:03.44 rcu_sched
3011 root 20 0 1610900 29944 23620 S 0.3 0.4 0:29.27 adi
3014 root 1 -19 217472 5876 5216 S 0.3 0.1 0:16.76 ndmain.bin
3360 root 20 0 2245060 130784 39248 S 0.3 1.6 1:36.23 SFDataCorrelato
3627 root 1 -19 2507812 865180 40248 S 0.3 10.6 0:53.82 snort
3628 root 1 -19 2507880 865008 40296 S 0.3 10.6 0:50.23 snort
26929 admin 20 0 3564 2380 2032 R 0.3 0.0 0:00.01 top
1 root 20 0 2292 1572 1468 S 0.0 0.0 0:02.31 init
2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
3 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_gp
4 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 rcu_par_gp
capture asp-drop
> capture ASP type asp-drop all
>
> show capture ASP | include "31.13.82.174"
91: 12:41:40.346249 31.13.82.174.443 > 192.168.7.55.16329: R 3039138013:3039138013(0) win 0 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055d9c37201fa flow (NA)/NA
92: 12:41:40.581329 31.13.82.174.443 > 192.168.7.55.16327: R 3805181948:3805181948(0) ack 673309337 win 273 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055d9c37201fa flow (NA)/NA
93: 12:41:40.581375 10.0.1.100.16327 > 31.13.82.174.443: R 3213944856:3213944856(0) win 0 Drop-reason: (tcp-not-syn) First TCP packet not SYN, Drop-location: frame 0x000055d9c3727e8a flow (NA)/NA
94: 12:41:40.581711 31.13.82.174.443 > 192.168.7.55.16327: R 3805181908:3805181908(0) win 0 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055d9c37201fa flow (NA)/NA
170: 12:43:22.599196 31.13.82.174.443 > 192.168.7.55.16345: R 3145129041:3145129041(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order, Drop-location: frame 0x000055d9c45a6d7f flow (NA)/NA
show asp inspect-dp snort
> show asp inspect-dp snort
SNORT Inspect Instance Status Info
Id Pid Cpu-Usage Conns Segs/Pkts Status
tot (usr | sys)
-- ----- ---------------- ---------- ---------- ----------
0 3628 0% ( 0%| 0%) 33 0 READY
1 3627 0% ( 0%| 0%) 32 0 READY
-- ----- ---------------- ---------- ---------- ----------
Summary 0% ( 0%| 0%) 65 0
show asp drop
> show asp drop
Frame drop:
No route to host (no-route) 74
Reverse-path verify failed (rpf-violated) 4
Flow is denied by configured rule (acl-drop) 3631
First TCP packet not SYN (tcp-not-syn) 32
TCP failed 3 way handshake (tcp-3whs-failed) 3
TCP RST/FIN out of order (tcp-rstfin-ooo) 44
Slowpath security checks failed (sp-security-failed) 805
Snort instance is down (snort-down) 10
FP L2 rule drop (l2_acl) 4444
Interface is down (interface-down) 3
Last clearing: Never
Flow drop:
Last clearing: Never
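The asp-drop capture above shows individual dropped packets with their `Drop-reason` code, while `show asp drop` shows the same codes as running totals since the last clear. This added Python example, not from the original post, parses both formats so you can tally drop reasons for one host from a capture and compute which `show asp drop` counters grew between two snapshots; the samples are constructed from the lines shown above.

```python
import re
from collections import Counter
# Constructed samples (a few lines each) in the format of the two outputs shown above.
SAMPLE_CAPTURE = """\
412 packets captured
91: 12:41:40.346249 31.13.82.174.443 > 192.168.7.55.16329: R 3039138013:3039138013(0) win 0 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055d9c37201fa flow (NA)/NA
93: 12:41:40.581375 10.0.1.100.16327 > 31.13.82.174.443: R 3213944856:3213944856(0) win 0 Drop-reason: (tcp-not-syn) First TCP packet not SYN, Drop-location: frame 0x000055d9c3727e8a flow (NA)/NA
170: 12:43:22.599196 31.13.82.174.443 > 192.168.7.55.16345: R 3145129041:3145129041(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order, Drop-location: frame 0x000055d9c45a6d7f flow (NA)/NA
"""
ASP_DROP_BEFORE = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                  3600
  First TCP packet not SYN (tcp-not-syn)                          30
Last clearing: Never
"""
ASP_DROP_AFTER = """\
Frame drop:
  Flow is denied by configured rule (acl-drop)                  3631
  First TCP packet not SYN (tcp-not-syn)                          32
  TCP RST/FIN out of order (tcp-rstfin-ooo)                       44
Last clearing: Never
"""

CAP_RE = re.compile(
    r"^(?P<num>\d+):\s+(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):.*?Drop-reason:\s+\((?P<code>[\w-]+)\)\s+(?P<desc>[^,]+),")
CNT_RE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<code>[\w-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_capture(text):
    """One dict per dropped packet: capture number, timestamp, endpoints, drop code and text."""
    rows = []
    for line in text.splitlines():
        m = CAP_RE.match(line)
        if m:  # header lines such as "412 packets captured" do not match and are skipped
            rows.append(m.groupdict())
    return rows

def drops_by_reason(rows, host=None):
    """Tally drop codes, optionally only for packets to or from one IP address."""
    return Counter(r["code"] for r in rows if host is None or host in (r["src"], r["dst"]))

def parse_asp_drop(text):
    """Map drop code -> counter value from 'show asp drop' output (header lines skipped)."""
    return {m["code"]: int(m["count"]) for m in map(CNT_RE.match, text.splitlines()) if m}

def asp_drop_delta(before, after):
    """Counters that grew between two snapshots; a code absent from 'before' counts from zero."""
    b, a = parse_asp_drop(before), parse_asp_drop(after)
    return {c: a[c] - b.get(c, 0) for c in a if a[c] > b.get(c, 0)}
```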
show snort statistics
> show snort statistics
Packet Counters:
Passed Packets 65794
Blocked Packets 0
Injected Packets 0
Packets bypassed (Snort Down) 0
Packets bypassed (Snort Busy) 0
Flow Counters:
Fast-Forwarded Flows 591
Blacklisted Flows 0
Miscellaneous Counters:
Start-of-Flow events 0
End-of-Flow events 577
Denied flow events 2
Frames forwarded to Snort before drop 0
Inject packets dropped 0
TCP Ack bypass Packets 0
TCP Meta-Ack Packets 0
Thank you for reading this long post; I will be back next time with even better content.
Thank you!!!