Abstract

This chapter describes various ways to troubleshoot network traffic passing through the NetScreen firewall. It discusses the path a packet takes as it goes through the firewall, the tools at the administrator's disposal, and tips for troubleshooting the different functions available through ScreenOS. There are several troubleshooting tools built into ScreenOS. Ping tests connectivity. Traceroute finds the path a packet takes through a network. The get commands on the command-line interface (CLI) show the internal tables in memory. ScreenOS also has a complete debugging system that shows, step by step, what happens to a packet as it goes through the firewall. Snoop shows the entire content of the packets that traverse the firewall. When troubleshooting virtual private networks (VPNs), the configuration settings must agree on both ends of the VPN. Most VPN issues are due to a misconfiguration of the VPN settings on one end of the tunnel. The outgoing interface of the VPN tunnel must be set in order for the VPN to work properly. NetScreen Redundancy Protocol (NSRP) is the NetScreen method of high availability. The heartbeat interval of the cluster can be tuned to improve failover performance. NetScreen firewalls support traffic prioritization. When troubleshooting traffic shaping, the guaranteed bandwidth of the policy should not exceed the maximum bandwidth of the outgoing interface.
