History Page. Barracuda NextGen Firewall F

Transcription

1 The Firewall > History page is very useful for troubleshooting. It provides information for all traffic that has passed through the Barracuda NG Firewall. It also provides messages that state why traffic was denied, blocked, dropped, or unsuccessful. You can filter the entries on the page to only list certain sessions. You can also set limits for the size of cache entries, and you can configure source and destination IP addresses to be translated to hostnames. In this article: Viewing Session Details On the Firewall > History page, the details for all sessions are listed. You can view additional details for a specific session by double-clicking it. The following information is provided for each session: AID Info Org (Origin) Interface Source 1 / 7 The access ID (AID) including an icon that indicates if the connection was successful: Red Icon Blocked connection. Green Icon Established connections. The AID also includes consecutive numbering for both blocked and established connections. For blocked connections, the AID includes the letter B. The origin, as specified by the following abbreviations: LIN Local In. The incoming traffic on the box firewall. LOUT Local Out. The outgoing traffic from the box firewall. LB Loopback. The traffic via the loopback interface. FWD Forwarding. The outbound traffic via the forwarding firewall. IFWD Inbound Forwarding. The inbound traffic to the firewall. PXY Proxy. The outbound traffic via the proxy. IPXY Inbound Proxy. The inbound traffic via the proxy. TAP Transparent Application Proxying. The traffic via stream forwarding. LRD Local Redirect. Redirected traffic configured in forwarding ruleset. The incoming interface. The source IP address of the requesting client. Destination The IP address of the requested destination. Proto Port Service Count Last Rule Info User MAC The protocol that was used. For example, TCP, UDP, and ICMP. The port of the requested destination. The assigned (dynamic) service. The number of tries. The length of time that has passed since the last connection attempt. The name of the matching rule. A message indicating why the session failed or was denied, blocked, or dropped. For more details on these messages, see the s Overview. An TF-sync entry indicates that the session is synced. This entry appears the backup machine when the firewall service is on standby. The name of the user, if the session was handled by a firewall rule that requires authentication. The MAC address of the interface.

2 Src NAT Dst NAT Out-IF Out Route Next Hop The bind address. The IP of the connection address. The outgoing interface; tunnel and transport is visualized. Unicast or local. The next hop. A hext hop address might appear in a Local Redirect action. This routing information comes from the reverse direction lookup (how packets are routed from loopback to client). Configure the History Entries For the Firewall > History page, you can configure source and destination IP addresses to be translated to hostnames. You can also set limits for the size of cache entries and the number of entries that are displayed on the page. Hostnames First, enable reverse IP lookups on the General Firewall Configuration page. Then enable IP addresses to be translated to hostnames on the Firewall > History page To enable reverse IP lookups: 1. Open the General Firewall Configuration page (Config > Box > Infrastructure Services > General Firewall Configuration). 2. In the left pane, click History Cache. 3. Enable DNS Resolve IPs. 4. Click Send Changes and then click Activate. On the Firewall > History page, select the Resolve IP Addresses check box. Cache Sizes To set limits for the size of cache entries: Open the General Firewall Configuration page (Config > Box > Infrastructure Services > General Firewall Configuration). In the left pane, click History Cache. Specify the limits for each cache entry type. Click Send Changes and then click Activate. Restart the service. Maximum Cache Entries To limit the number of entries on the Firewall > History page, select a limit from the Max Entries list in the top right of the page. Then click Refresh. Filtering the List of Sessions To filter the list of sessions, click Filter in the top right of the page. The following filter settings then appear: Cache Selection From the Cache Selection list, you can select the following options: Option Access Rule Block 2 / 7 Filters For All allowed and successfully established connections. All denied connections. Packet Drop All dropped connections.

3 Fail ARP Scan All failed connections. All ARP requests. All SCAN tasks. Traffic Selection From the Traffic Selection list, you can select the following options: Option Filters For Forward Traffic on the Forwarding Firewall. Loopback Traffic over the loopback interface. Local In Incoming traffic on the box firewall. Local Out Outgoing traffic from the box firewall. Additional Properties You can also filter traffic by other properties such as IP addresses, interfaces, and firewall rules. Click the plus sign (+) next to the Traffic Selection list to add the following settings for improved filtering: Setting Filters For Rule A firewall rule. Proto A protocol. Source A source IP address or range. Destination A destination IP address or range. Interface An interface. For example, eth0. Addr. An IP address. Srv. A service. Port A port. Src-Interface A source interface. Dest-Interface A destination interface. You can use the asterisk (*) and question mark (?) as wildcard characters in the filter settings. Managing Sessions To manage sessions, you can right-click sessions and select the following options: Option Remove Selected Flush Cache Removes the selected access cache entries. Removes all entries from the access cache. Save Cache Selection Policy Permanently saves settings for the Cache Selection filter. Group by s Overview Groups access cache entries by the selected column. The following tables provides details on the messages that you might see in the Info column of the Firewall > History page for the following types of traffic: Denied Traffic 3 / 7

4 Deny by Dynamic Rule Deny by Rule Deny by Rule Destination Deny by Rule Service Deny by Rule Source Deny by Rule Time Deny Local Loop Deny No Address Translation possible The session request matched a dynamic rule that denies sessions. The session matched a rule that explicitly denies session requests. The session matched a rule with the Destination Policy set to DENY. The session watched a rule with the Service Policy set to DENY. The session matched a rule with the Source Policy set to DENY. The session matched a rule with the Time Policy set to DENY. A passing rule matched, but the destination is a local system IP address. Targeted local IP addresses must be redirected. The session matched a rule containing an address translation table that does not specify how to translate the source IP address. Blocked Traffic Block Broadcast 4 / 7 Block by Dynamic Rule Block by Rule Block by Rule Destination Block by Rule Interface Block by Rule Service Broadcasts are not propagated. The session matched a dynamic rule that blocks session. The session matched a rule that explicitly blocks session requests. The session matched a rule with the Destination Policy set to The session matched a rule with the Interface Policy set to The session matched a rule with the Service Policy set to Block by Rule Source The session matched a rule with the Source Policy set to Block by Rule Time Block Echo Session Limit Block Local Loop Block Multicast Block No Address Translation possible Block no Rule Match Block Other Session Limit Block Pending Session Limit Block Rule Limit Block Rule Source Limit Block Size Limit The session matched a rule with the Time Policy set to The number of total Echo sessions was exceeded for a request. A passing rule matched, but the destination is a local system IP address. Targeted local IP addresses must be redirected. Use the Local Redirect action for IP redirection to a local IP address. Multicasts are not propagated. The session matched a rule containing an address translation table that does not specify how to translate the source IP address. No rule matched the requested session. The default action is to block the request. The number of total other protocol sessions was exceeded for a request. The source IP address exceeded the limit for pending sessions. All pending sessions over the limit are blocked. The limit of allowed sessions for the matching rule was exceeded. The limit of allowed sessions per source IP address for the matching rule was exceeded. A packet which exceeds the specified ping size limit was received. The default limit is configured in the ICMP service object [1]. To reduce the number of sessions that are blocked for this reason, increase the Max Ping Size for the object. For ICMP Echo, the default limit is bytes.

5 Block Source Echo Session Limit Block Source Session Limit Block UDP Session Limit Forwarding is disabled The limit for ECHO sessions per source IP address was exceeded. The limit for sessions per source IP address was exceeded. The limit for UDP sessions was exceeded. A forwarding firewall service does not exist or is inactive. Dropped Traffic Forwarding not Active ICMP Header Checksum is ICMP Header is Incomplete ICMP Packet is Ignored ICMP Reply Without a Request ICMP Type is IP Header Checksum is IP Header Contains Source Routing IP Header has IP Options IP Header is Incomplete A packet could be assigned to the session but the forwarding firewall service is blocked. All forwarding traffic was temporarily dropped. The ICMP header checksum did not verify. The ICMP header of the packet is shorter that the minimum ICMP header length (8 bytes) or shorter than the indicated ICMP header length. An ICMP packet contains a type other than UNREACHABLE or TIME_EXCEEDED and is ignored. An ICMP Echo Reply packet was received but does not have an associated Echo session. The ICMP header contained an unknown ICMP type. The IP header checksum did not verify. The source routing IP option is set. IP Header Version is The IP version is different than 4. IP Packet is Incomplete No socket for packet Packet Belongs to no Active Session Rate Limit Reverse Routing Interface Size Limit Source is an IP Class Source is Broadcast Source is Local Address Source is Loopback The IP option encoding is malformed or contains unknown IP options. The packet is shorter than the minimum IP header length (20 bytes) or shorter than the indicated header length. The packet is smaller that the indicated total packet length. An outgoing TCP or UDP packet could not be assigned to an active socket on the system (RAW socket sending). A received ICMP packet could not be assigned to an active session. An Echo Request packet could be assigned to an existing Echo session but exceeded the request rate limit. The interval value is displayed in increments of tens (ms) The minimum offset between solitary pings (default: 10 ms) was not met. The default values are configured in the ICMP service object [2]. To reduce the number of sessions that are blocked for this reason, decrease the Min Delay for the object. The reverse routing path differs from the path the packet was received; the receiving interface differs from sending interface. IP spoofing protection. An Echo Request/Reply packet could be assigned to an existing Echo session but exceeded the configured size limit. The x.x.x IP addresses are not allowed. The source address is a broadcast address. The source address is an IP address that is active on the local system and therefore not expected as a sender address. The source address is a loopback address (127.x.x.x). 5 / 7

6 Source is Multicast TCP Header Checksum is TCP Header has TCP FLAGS TCP Header has TCP Options TCP Header is Incomplete TCP Packet Belongs to no Active Session UDP Header Checksum is UDP Header is Incomplete Unknown ARP Operation Session Creation Load Possible MAC Spoofing The source address is a multicast address. The TCP header checksum did not verify. The TCP header contains useless combinations of TCP flags (SYN+RST, SYN+FIN). TCP options encoding is malformed. The TCP header of the packet is shorter that the minimum TCP header length (20 bytes) or shorter than the indicated TCP header length. A received TCP packet could not be assigned to an active TCP session and is not an initial TCP packet (SYN packet). The UDP header checksum did not verify. The UDP header of the packet is shorter that the minimum UDP header length (8 bytes) or shorter than the indicated UDP header length. The 'operation' field for an ARP packet is neither a request nor a reply. A packet, triggering a new session evaluation, was dropped because the limit for actual CPU usage when creating/evaluating the session was exceeded. The system detected a possible MAC spoofing attempt. Failed Traffic Accept Timeout Connect Timeout Denied by Filter Fragmentation Needed Host Access Denied Host Unreachable Host Unreachable for TOS Network Access Denied Network Unreachable Network Unreachable for TOS No Route to Host Port Unreachable Protocol Unreachable Routing Triangle Source Route Failed Unknown Network Error The accept timeout for TCP session establishment was exceeded (TCP only). Possible IP spoofing attempt. The connection timeout for TCP session establishment was exceeded (TCP only). The destination IP address was not reachable. A next hop was denied forwarding by a filter rule. The destination cannot be reached with the specified MTU size without fragmentation. Only occurs if Path-MTU-Discovery is used by the source or the destination. Access to the destination address was denied by one of the next hops. The destination is accessed through a direct route but does not respond to an ARP request. The requested IP address is not reachable for the specified Type of Service. Access to the destination network was denied by one of the next hops. The network for the destination of a request is not reachable; there is no routing entry on one of the next hops. The requested network is not reachable for the requested Type of Service. The local system has no routing entry for the requested destination. The destination system does not service the requested port number. The destination system does not support the requested protocol. A SYN followed by an ACK is registered without a SYN-ACK of the destination. This is an indication of a triangle route in the network. Source routing was requested but could not be performed. Will not occur, because source routed packets are dropped. Default network error. 6 / 7

7 Links 7 / 7