Kai Shin
Cisco Employee

Hello, community!

Today we will look at the various troubleshooting commands that Secure Firewall provides.

pigtail

  • A failing configuration deployment
  • Device registration between FTD and FMC is not working
  • FMC High Availability synchronization is broken
  • The LDAP bind connection from a Realm is failing
  • FMC UI is unresponsive
  • FTD Active/Standby failover is stuck in APP-SYNC state
  • After pressing CTRL + C, the screen output is saved automatically (under the home/admin/ path)

> expert
admin@ftd01:~$ sudo su
Password: 
root@ftd01:~#
root@ftd01:~# pigtail all

system support firewall-engine-debug

  • Debugs can affect CPU performance and the performance of the device itself; use with caution
  • Use it when you need to verify the process by which a rule in the ACP matches, or does not match, a packet
  • The output is saved under the /var/log/message path and can be retrieved in expert mode with grep -i ngfwbdg /var/log/message

> system support firewall-engine-debug

Please specify an IP protocol: icmp
Please specify a client IP address: 10.0.1.100
Please specify a server IP address: 8.8.8.8
Monitoring firewall engine debug messages

10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 Deleting session
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 deleting firewall session flags = 0x10001, fwFlags = 0x100, session->logFlags = 0516008c0
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 Logging EOF as part of session delete with rule_id = 268434433 ruleAction = 2 ruleReason = 0 
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 new firewall session
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 using HW or preset rule order 2, 'All-Allow', action Allow and prefilter rule 0
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 HitCount data sent for rule id: 268434433,
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 allow action
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 Deleting session
10.0.1.100-8 > 8.8.8.8-0 1 AS 1-1 I 0 deleting firewall session flags = 0x10001, fwFlags = 0x100, session->logFlags = 0516008c0

system support trace

  • Use it when you need to verify whether traffic is blocked at the Snort process stage
  • Similar to the firewall-engine-debug command mentioned just above, but it provides more detailed information
  • It can be run together with firewall-engine-debug, but because this can affect performance, running both at the same time is not recommended
  • Provides various information such as NAP, GID and SID

> system support trace

Enable firewall-engine-debug too? [n]: n
Please specify an IP protocol: tcp
Please specify a client IP address: 10.0.1.100
Please specify a client port: 
Please specify a server IP address: 0.0.0.0
Please specify a server port: 

WARNING: Running trace with generic filters might cause CPU spike ! 
Monitoring packet tracer and firewall debug messages


10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 Packet: TCP, SYN, seq 2465640909
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 Session: new snort session
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 AppID: service unknown (0), application unknown (0)
10.0.1.100-15382 > 20.54.25.4-443 6 AS 1-1 I 1 new firewall session
10.0.1.100-15382 > 20.54.25.4-443 6 AS 1-1 I 1 using HW or preset rule order 2, 'All-Allow', action Allow and prefilter rule 0
10.0.1.100-15382 > 20.54.25.4-443 6 AS 1-1 I 1 HitCount data sent for rule id: 268434433,
10.0.1.100-15382 > 20.54.25.4-443 6 AS 1-1 I 1 allow action
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 Firewall: allow rule, 'All-Allow', allow
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 Snort id 1, NAP id 2, IPS id 1, Verdict PASS

20.54.25.4-443 - 10.0.1.100-15382 6 AS 1-1 CID 0 Packet: TCP, SYN, ACK, seq 3167416656, ack 2465640910
20.54.25.4-443 - 10.0.1.100-15382 6 AS 1-1 CID 0 AppID: service unknown (0), application unknown (0)
20.54.25.4-443 - 10.0.1.100-15382 6 AS 1-1 CID 0 Firewall: allow rule, 'All-Allow', allow
20.54.25.4-443 - 10.0.1.100-15382 6 AS 1-1 CID 0 Snort id 1, NAP id 2, IPS id 1, Verdict PASS
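As an added example (not part of the original post), a small Python parser for the trace line format shown above: it folds the per-line output into one record per flow, picking up the matched ACP rule, its action, the NAP id and the final Snort verdict, so a long trace can be reduced to the flows that were not passed. The sample lines are constructed in the same format; the Telnet block flow is invented to exercise the non-PASS case.

```python
import re

# Constructed sample in the line format of "system support trace" shown above
# (the Telnet block flow is invented to exercise the non-PASS path).
SAMPLE_TRACE = """\
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 Packet: TCP, SYN, seq 2465640909
10.0.1.100-15382 > 20.54.25.4-443 6 AS 1-1 I 1 using HW or preset rule order 2, 'All-Allow', action Allow and prefilter rule 0
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 Firewall: allow rule, 'All-Allow', allow
10.0.1.100-15382 - 20.54.25.4-443 6 AS 1-1 CID 0 Snort id 1, NAP id 2, IPS id 1, Verdict PASS
20.54.25.4-443 - 10.0.1.100-15382 6 AS 1-1 CID 0 Packet: TCP, SYN, ACK, seq 3167416656, ack 2465640910
20.54.25.4-443 - 10.0.1.100-15382 6 AS 1-1 CID 0 Snort id 1, NAP id 2, IPS id 1, Verdict PASS
10.0.1.100-16001 > 203.0.113.9-23 6 AS 1-1 I 0 using HW or preset rule order 1, 'Block-Telnet', action Block and prefilter rule 0
10.0.1.100-16001 - 203.0.113.9-23 6 AS 1-1 CID 0 Snort id 0, NAP id 2, IPS id 1, Verdict BLOCKLIST
"""

# Common prefix: client-port, a direction marker ('-' on Snort lines, '>' on
# firewall-engine lines), server-port, IP protocol number, then the message.
HEADER = re.compile(
    r"^(?P<cip>[\d.]+)-(?P<cport>\d+) [->] (?P<sip>[\d.]+)-(?P<sport>\d+) "
    r"(?P<proto>\d+) AS \S+ (?:CID|I) \d+ (?P<msg>.*)$")
RULE = re.compile(r"rule order \d+, '(?P<rule>[^']+)', action (?P<action>\w+)")
SNORT = re.compile(r"Snort id (?P<snort>\d+), NAP id (?P<nap>\d+), IPS id (?P<ips>\d+), Verdict (?P<verdict>\w+)")

def parse_trace(text):
    """Fold trace lines into one record per flow keyed (client, cport, server, sport, proto)."""
    flows = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        key = (m["cip"], int(m["cport"]), m["sip"], int(m["sport"]), int(m["proto"]))
        rev = (key[2], key[3], key[0], key[1], key[4])
        if rev in flows:          # return-direction line belongs to the same flow
            key = rev
        rec = flows.setdefault(key, {"rule": None, "action": None,
                                     "verdict": None, "nap_id": None})
        r = RULE.search(m["msg"])
        if r:
            rec["rule"], rec["action"] = r["rule"], r["action"]
        s = SNORT.search(m["msg"])
        if s:
            rec["verdict"], rec["nap_id"] = s["verdict"], int(s["nap"])
    return flows

def not_passed(flows):
    """Flows whose final Snort verdict was anything other than PASS."""
    return {k: v for k, v in flows.items() if v["verdict"] != "PASS"}
```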

packet-tracer

  • A utility that shows in detail how a packet is processed inside the Secure Firewall (the Secure Firewall packet process)
  • Generates a virtual packet so that the processing path can be traced for packets of various protocols
  • The packet is built from an interface, source port, source IP, destination port and destination IP
  • Available from both the CLI and the GUI

> packet-tracer input outside tcp 10.1.1.1 5555 10.1.10.10 3389 detailed

Phase: 1
Type: CAPTURE
Subtype: 
Result: ALLOW
Config:
Additional Information:
MAC Access list

Phase: 2
Type: ACCESS-LIST
Subtype: 
Result: ALLOW
Config:
Implicit Rule
Additional Information:
MAC Access list

Phase: 3
Type: UN-NAT
Subtype: static
Result: ALLOW
Config:
nat (outside,dmz) source dynamic any interface destination static interface Win7-vm service rdp-outside rdp-outside
Additional Information:
NAT divert to egress interface dmz
Untranslate 10.1.10.10/3389 to 192.168.103.221/3389

capture

  • Provides tcpdump-style output for the packets processed by the Lina engine
  • Packets can be filtered by interface, protocol, source IP and destination IP

> capture TEST interface inside match ip host 10.0.1.100 host 31.13.82.174
>
> show capture TEST

412 packets captured

   1: 12:43:17.807804       10.0.1.100.64726 > 31.13.82.174.443:  udp 1357 
   2: 12:43:17.838427       10.0.1.100.16342 > 31.13.82.174.443: S 4034083060:4034083060(0) win 64240 <mss 1460,nop,wscale 8,nop,nop,sackOK> 
   3: 12:43:17.851793       31.13.82.174.443 > 10.0.1.100.64726:  udp 1232 
   4: 12:43:17.851793       31.13.82.174.443 > 10.0.1.100.64726:  udp 1232 
   5: 12:43:17.851793       31.13.82.174.443 > 10.0.1.100.64726:  udp 1232 
   6: 12:43:17.851808       31.13.82.174.443 > 10.0.1.100.64726:  udp 1089

capture ethernet-type

  • Supported Ethernet types include 8021Q, ARP, IP, IP6, LACP, PPPOED, PPPOES, RARP, and VLAN

> capture ARP ethernet-type
>
> show capture ARP
3 packets captured
   1: 12:45:23.799397       arp who-has 192.168.7.222 tell 192.168.7.222 
   2: 12:45:27.937375       arp who-has 192.168.7.10 tell 192.168.7.201 
   3: 12:45:28.532397       arp who-has 192.168.7.10 tell 192.168.7.201 
3 packets shown

capture-traffic

  • Provides detailed output for the packets processed by the Snort engine
  • Various option commands can be used to filter down to just the information needed (-n, -s 0, -w xxx.pcap, etc.)

> capture-traffic

Please choose domain to capture traffic from:
  0 - eth0
  1 - Global

Selection? 1

Please specify tcpdump options desired.
(or enter '?' for a list of supported options)
Options: host 10.0.1.100

13:26:12.391840 IP 10.0.1.100.16529 > server-99-84-238-186.sfo5.r.cloudfront.net.https: Flags [S], seq 3205497269, win 64240, options [mss 1380,nop,wscale 8,nop,nop,sackOK], length 0
13:26:12.391840 IP 10.0.1.100.49674 > edge-star-mini-shv-01-nrt1.facebook.com.443: UDP, length 1250
13:26:12.391840 IP 10.0.1.100.49674 > edge-star-mini-shv-01-nrt1.facebook.com.443: UDP, length 76
13:26:12.391840 IP 10.0.1.100.49674 > edge-star-mini-shv-01-nrt1.facebook.com.443: UDP, length 498
13:26:12.441841 IP edge-star-mini-shv-01-nrt1.facebook.com.443 > 10.0.1.100.49674: UDP, length 1232
13:26:12.441841 IP edge-star-mini-shv-01-nrt1.facebook.com.443 > 10.0.1.100.49674: UDP, length 210

top

  • Shows the CPU and memory utilization of the Secure Firewall
  • Shows the utilization of the individual processes, such as Lina and the Snort engine

> expert
root@firepower:~# top

top - 10:13:58 up  5:21,  3 users,  load average: 0.18, 0.33, 0.28
Tasks: 160 total,   1 running, 155 sleeping,   0 stopped,   4 zombie
%Cpu(s):  0.7 us,  1.3 sy,  0.4 ni, 94.3 id,  3.3 wa,  0.0 hi,  0.0 si,  0.0 st
MiB Mem :   7982.9 total,   3212.7 free,   4373.2 used,    397.0 buff/cache
MiB Swap:   5378.2 total,   5378.2 free,      0.0 used.   3384.7 avail Mem 

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND                                                 
 2987 root      25   5  491200   6492   5148 S   6.0   0.1  18:57.05 loggerd                                                 
 3216 root       0 -20 2547216   1.0g 126548 S   3.7  13.3  11:06.11 lina                                                    
 4787 root      20   0  415592  13356   7504 S   0.7   0.2   0:43.35 sftunnel                                                
   10 root      20   0       0      0      0 I   0.3   0.0   0:03.44 rcu_sched                                               
 3011 root      20   0 1610900  29944  23620 S   0.3   0.4   0:29.27 adi                                                     
 3014 root       1 -19  217472   5876   5216 S   0.3   0.1   0:16.76 ndmain.bin                                              
 3360 root      20   0 2245060 130784  39248 S   0.3   1.6   1:36.23 SFDataCorrelato                                         
 3627 root       1 -19 2507812 865180  40248 S   0.3  10.6   0:53.82 snort                                                   
 3628 root       1 -19 2507880 865008  40296 S   0.3  10.6   0:50.23 snort                                                   
26929 admin     20   0    3564   2380   2032 R   0.3   0.0   0:00.01 top                                                     
    1 root      20   0    2292   1572   1468 S   0.0   0.0   0:02.31 init                                                    
    2 root      20   0       0      0      0 S   0.0   0.0   0:00.00 kthreadd                                                
    3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp                                                  
    4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par_gp

capture asp-drop

  • The ASP (Accelerated Security Path) drop command provides information on the packets dropped by the Lina engine

> capture ASP type asp-drop all
> 
> show capture ASP | include "31.13.82.174"
  91: 12:41:40.346249       31.13.82.174.443 > 192.168.7.55.16329: R 3039138013:3039138013(0) win 0 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055d9c37201fa flow (NA)/NA
  92: 12:41:40.581329       31.13.82.174.443 > 192.168.7.55.16327: R 3805181948:3805181948(0) ack 673309337 win 273 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055d9c37201fa flow (NA)/NA
  93: 12:41:40.581375       10.0.1.100.16327 > 31.13.82.174.443: R 3213944856:3213944856(0) win 0 Drop-reason: (tcp-not-syn) First TCP packet not SYN, Drop-location: frame 0x000055d9c3727e8a flow (NA)/NA
  94: 12:41:40.581711       31.13.82.174.443 > 192.168.7.55.16327: R 3805181908:3805181908(0) win 0 Drop-reason: (acl-drop) Flow is denied by configured rule, Drop-location: frame 0x000055d9c37201fa flow (NA)/NA
 170: 12:43:22.599196       31.13.82.174.443 > 192.168.7.55.16345: R 3145129041:3145129041(0) win 0 Drop-reason: (tcp-rstfin-ooo) TCP RST/FIN out of order, Drop-location: frame 0x000055d9c45a6d7f flow (NA)/NA

show asp inspect-dp snort

  • Shows the conns and packets sent to each Snort instance and process ID, along with the Snort status

> show asp inspect-dp snort

SNORT Inspect Instance Status Info

Id Pid       Cpu-Usage    Conns      Segs/Pkts  Status
          tot (usr | sys)                         
-- ----- ---------------- ---------- ---------- ----------
0  3628    0% (  0%|  0%)  33          0        READY
1  3627    0% (  0%|  0%)  32          0        READY
-- ----- ---------------- ---------- ---------- ----------
Summary    0% (  0%|  0%)  65          0    

show asp drop

  • Displays the full list of ASP drop counters

> show asp drop

Frame drop:
  No route to host (no-route)                                                 74
  Reverse-path verify failed (rpf-violated)                                    4
  Flow is denied by configured rule (acl-drop)                              3631
  First TCP packet not SYN (tcp-not-syn)                                      32
  TCP failed 3 way handshake (tcp-3whs-failed)                                 3
  TCP RST/FIN out of order (tcp-rstfin-ooo)                                   44
  Slowpath security checks failed (sp-security-failed)                       805
  Snort instance is down  (snort-down)                                        10
  FP L2 rule drop (l2_acl)                                                  4444
  Interface is down (interface-down)                                           3

Last clearing: Never
Flow drop:
Last clearing: Never
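Because "Last clearing: Never" shows that these counters are cumulative, a single reading says little on its own; what matters is which counters grow between two readings. As an added example (not part of the original post), a Python parser for this output and a delta between two snapshots; the first snapshot is a subset of the output above and the second is constructed.

```python
import re

# Subset of the "show asp drop" output above, used as the first reading.
SNAPSHOT_BEFORE = """\
Frame drop:
  No route to host (no-route)                                                 74
  Flow is denied by configured rule (acl-drop)                              3631
  First TCP packet not SYN (tcp-not-syn)                                      32
  Snort instance is down  (snort-down)                                        10
Last clearing: Never
Flow drop:
Last clearing: Never
"""

# Constructed later reading: acl-drop and snort-down moved, the rest stayed flat.
SNAPSHOT_AFTER = """\
Frame drop:
  No route to host (no-route)                                                 74
  Flow is denied by configured rule (acl-drop)                              3702
  First TCP packet not SYN (tcp-not-syn)                                      32
  Snort instance is down  (snort-down)                                        18
Last clearing: Never
Flow drop:
Last clearing: Never
"""

# Counter lines are indented: "<reason text> (<code>)   <count>" under a section header.
DROP_LINE = re.compile(r"^\s+(?P<reason>.+?)\s+\((?P<code>[\w-]+)\)\s+(?P<count>\d+)\s*$")
SECTION = re.compile(r"^(?P<name>Frame|Flow) drop:")

def parse_asp_drop(text):
    """Return ({(section, code): count}, {code: reason text})."""
    counters, legend, section = {}, {}, None
    for line in text.splitlines():
        s = SECTION.match(line)
        if s:
            section = s["name"]
            continue
        m = DROP_LINE.match(line)
        if m and section:
            counters[(section, m["code"])] = int(m["count"])
            legend[m["code"]] = m["reason"]
    return counters, legend

def drop_delta(before, after):
    """Counters that grew between two readings, largest increase first."""
    growth = {key: after[key] - before.get(key, 0) for key in after}
    return sorted(((k, n) for k, n in growth.items() if n > 0), key=lambda kv: -kv[1])
```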

show snort statistics

  • Shows, for each of the various Snort verdicts, the number of packets that matched it while the Snort engine inspected traffic

> show snort statistics 

Packet Counters:
  Passed Packets                                                  65794
  Blocked Packets                                                     0
  Injected Packets                                                    0
  Packets bypassed (Snort Down)                                       0
  Packets bypassed (Snort Busy)                                       0

Flow Counters:
  Fast-Forwarded Flows                                              591
  Blacklisted Flows                                                   0

Miscellaneous Counters:
  Start-of-Flow events                                                0
  End-of-Flow events                                                577
  Denied flow events                                                  2
  Frames forwarded to Snort before drop                               0
  Inject packets dropped                                              0
  TCP Ack bypass Packets                                              0
  TCP Meta-Ack Packets                                                0

Thank you for reading this long post; I will be back next time with even better content.

Thank you!!!
