
Testing and Troubleshooting
IP Filters


This document describes how to use the IP filtering Event Logging System (ELS) messages to test and troubleshoot your filters. It includes the following sections:

Using Event Logging System Messages

Displaying the ELS Prompts

Displaying ELS Messages for IP Filters

Turning on ELS Messages for IP Filters

Testing a Filter

Using Event Logging System Messages

The Event Logging System (ELS) manages the messages logged as a result of router activity. When an event occurs, ELS generates a message describing the event. To troubleshoot a particular problem, display those messages that relate to the problem.

In addition to the standard ELS messages for IP filtering, you can set up a filter to generate an ELS message when the filter recognizes a packet. See the elsevent and elstext options.

Using ELS commands, you can display the messages that pertain to IP filters. Displaying ELS messages lets you test a filter to see if it is passing or blocking packets as expected.

For detailed information on ELS messages, see the Event Logging System Messages Guide. This guide is part of the Nx Networks documentation set.

Displaying the ELS Prompts

To configure how you want to display ELS messages, work from the ELS config> or ELS> prompt.

If you work from the ELS config> prompt, the setting is saved in the configuration but does not take effect until you restart the router. If you work from the ELS> prompt, the setting takes effect immediately but is not saved: it is lost at the next router restart.

Display the ELS config> prompt as follows:

*config

Config>event
Event Logging System user configuration

ELS config>

Display the ELS> prompt as follows:

*monitor

Monitor>event
Event Logging System user console

ELS>

Displaying ELS Messages for IP Filters

To display a list of all ELS messages for IP filters, enter list subsystems flt all at the ELS config> or ELS> prompt.

ELS>list subsystems flt all

Event Level Message
FLT.001 UI-ERROR no free mem to create %s
FLT.002 U-TRACE cant apply fltr (offset %d),pkt too shrt (ln %d)
FLT.003 U-TRACE no mem to cache pkt (max %d)
FLT.004 C-INFO crtng flt, sys %S
FLT.005 C-INFO flt che hit, sys %S
FLT.006 C-INFO flt match, sys %S
FLT.007 C-INFO flt miss, sys %S
FLT.008 C-INFO IPDF PASS %S %S -> %S, Fltr %S match
FLT.009 C-INFO IPDF BLOCK %S %S -> %S, Fltr %S match
FLT.010 C-INFO IPDF BLOCK %S %S -> %S, dflt fltr
FLT.011 C-INFO IPDF-1: %S
FLT.012 C-INFO IPDF-2: %S
FLT.013 C-INFO IPDF-3: %S
FLT.014 C-INFO IPDF-4: %S
FLT.015 C-INFO IPDF-5: %S
FLT.016 C-INFO IPDF-6: %S
FLT.017 C-INFO IPDF-7: %S
FLT.018 C-INFO IPDF-8: %S
FLT.019 C-INFO IPDF-9: %S
FLT.020 C-INFO IPDF-10: %S
FLT.021 C-INFO IPDF Inst stat prf %S
FLT.022 C-INFO IPDF Refreshing dynamic filter %S
FLT.023 C-INFO IPDF Inst stat flt %S
FLT.024 C-INFO IPDF Inst dyn flt %S
FLT.025 C-INFO IPDF Rmv stat prf %S
FLT.026 C-INFO IPDF Rmv dyn prf %S
FLT.027 C-INFO IPDF Rmv stat flt %S
FLT.028 C-INFO IPDF Rmv dyn flt %S
FLT.029 C-INFO IPDF Dynamic filter %s deleted itself
FLT.030 C-INFO IPDF active profile %S for user %S deleted by operator
FLT.031 C-INFO IPDF Reinstalled profile %S for user %S
FLT.032 C-INFO IPDF RADIUS installed profile %S for user %S
FLT.033 C-INFO IPDF Oper installed profile %S for user %S
FLT.034 C-INFO IPDF Profile %S for user %S expired
FLT.035 C-INFO IPDF Profile %S for user %S idled out


Turning on ELS Messages for IP Filters

You can enter these commands at either the ELS config> or ELS> prompt.

1. Turn off all other ELS messages. This step is optional, but lets you view just the filtering messages.

ELS>nodisplay subsystem all all

2. Turn on all IP filtering messages or turn on specific IP event messages.

To turn on all IP filtering messages, enter the following command:

ELS>display subsystem flt all

To turn on a specific event message, such as FLT.010, which lets you see packets that are blocked because no filter recognizes them, enter the following command:

ELS>display event flt.010

3. Return to the * prompt.

Ctrl P
*

If you entered the above commands at the ELS config> prompt, restart the router now.

4. Go to the ELS process.

*ELS

A scrolling list of events displays on your screen. To pause and resume the ELS message scrolling, press

Ctrl S to pause scrolling
Ctrl Q to resume scrolling

5. To go back to the * prompt, press Ctrl P.

Setting Up SNMP Traps

You can use ELS to send an enterprise-specific trap to a remote SNMP workstation. A trap selects an event, a group, or a subsystem; each time a selected event occurs, the router sends a trap message to the workstation. For more information about SNMP, see the Nx Networks documentation set.

To set up a trap for ELS message FLT.011,

1. At the ELS config> or ELS> prompt, enter the following command:

ELS>trap event flt.011
FLT.011 C-INFO IPDF-1: %S

2. If you are at the ELS config> prompt, restart the router.

3. At the SNMP config> prompt, enter

SNMP config> add address public ip-address of SNMP workstation
SNMP config> enable trap enterprise public
SNMP config> set community access read_trap public

Note: These commands are dynamic, which means they take effect immediately. The community string public used here is the well-known SNMP default and, like every SNMPv1/v2c community string, is sent in cleartext; use a community string of your own and add only the address of your management workstation.

4. Start your trap tool on your remote SNMP workstation.

You can follow the steps above for trapping groups, subsystems, and events.

Testing a Filter

This section shows how to test filters that block packets and test filters that allow packets through the firewall. It also demonstrates how GTSecure opens a hole in the firewall once a user is authenticated.

The examples that follow use the configuration shown in Figure 1.

Figure 1 Context Diagram

Testing a Filter That Blocks Packets

Interface 1 of GTSecure has filter blk_in installed. This filter blocks all incoming packets.

IP Filters>list filter block.blk_in

Listing Filters
Name      Dir   Address            Port             Action  Idle   Protocol
---------------------------------------------------------------------------
blk_in    In    Any                                 Block   Off
          ELS Event=1
          ELS Text="blk_in: dir=%d sa=%a da=%A sp=%p dp=%P"

Follow these steps to test this filter:

1. Turn off all ELS messages and turn on ELS message FLT.011, which corresponds to ELS Event=1 in filter blk_in.

ELS>nodisplay subsystem all all
ELS>display event flt.011

2. From IP address 50.2.2.35, run Telnet to 162.4.0.2.

sparc5.netb.com# telnet 162.4.0.2
Trying 162.4.0.2 ...

3. Since no installed filter specifically allows these packets, filter blk_in blocks them. If you display ELS messages, you can see that the software is blocking the packets as you expected. The same line repeats because the Telnet client, getting no reply, retransmits its connection request from the same source port (4155).

*ELS

FLT.011: IPDF-1: blk_in: dir=in sa=50.2.2.35 da=162.4.0.2 sp=4155 dp=23
FLT.011: IPDF-1: blk_in: dir=in sa=50.2.2.35 da=162.4.0.2 sp=4155 dp=23
FLT.011: IPDF-1: blk_in: dir=in sa=50.2.2.35 da=162.4.0.2 sp=4155 dp=23

Opening a Hole in the Firewall Using the Authentication Process

This section shows how the software installs a profile based on an authentication transaction. The authentication process in this example uses a RADIUS server.

1. Add a filter that allows Telnet to interface 1 of GTSecure (address 162.2.0.18) and attach its profile to interface 1. The name Telnet.ToRouter means filter ToRouter in profile Telnet; els=3 makes the filter log as ELS message FLT.013. The filter has no source address term, so any host that can reach interface 1 can get to the router's login prompt; restrict it to the addresses your users come from if you can.

IP Filters Config>add filter Telnet.ToRouter dir=both da=162.2.0.18 dp=telnet els=3 elstext="Telnet.ToRouter sa=%a da=%A"

IP Filters Config>set interface 1 profiles=Telnet

2. To authenticate, run Telnet to interface 1 of GTSecure. When prompted, log in and respond to the challenge using a token device, such as a CRYPTOCard.

sparc5.netb.com# telnet 162.2.0.18
Trying 162.2.0.18 ...
Connected to 162.2.0.18.
Escape character is '^]'.

login: wfkrt
Password:
Challenge: 05530185
Enter Response: b24-f608

3. Once authenticated, GTSecure presents a list of profiles from which you can select. For example, profile 1 allows Telnet traffic to 162.4.0.2.

[1] Allow_Telnet
[2] Email,FTP
[3] Web_Server
Enter profiles to activate (comma/space separated, default = 1): 1

4. Once the user selects a profile, GTSecure installs the profile and closes the Telnet session.

Connection closed by foreign host.
sparc5.netb.com#

Viewing the Authentication Process

You can turn on ELS messages for RADIUS and IP filters and display them during the authentication process. To do so, enter the following commands:

ELS>nodisplay subsystem all all
ELS>display subsystem FLT
ELS>display subsystem RAD
ELS>exit
Monitor> Ctrl P
*ELS

ELS displays messages similar to the following. Each FLT.013 line is one packet, in either direction, that the Telnet.ToRouter filter passed between the external user and GTSecure; the RAD lines interleaved with them show the request going to the RADIUS server at 162.2.0.200, the user being authenticated, and the selected profile being installed.

FLT.013: IPDF-3: Telnet.ToRouter: sa=50.2.2.35 da=162.2.0.18
FLT.013: IPDF-3: Telnet.ToRouter: sa=50.2.2.35 da=162.2.0.18
FLT.013: IPDF-3: Telnet.ToRouter: sa=162.2.0.18 da=50.2.2.35
RAD.001: Trying to authenticate telnet user wfkrt(50.2.2.35),net 1,intPPP/0
RAD.010: Sending request to RADIUS server 162.2.0.200.
FLT.013: IPDF-3: Telnet.ToRouter: sa=50.2.2.35 da=162.2.0.18
FLT.013: IPDF-3: Telnet.ToRouter: sa=162.2.0.18 da=50.2.2.35
FLT.013: IPDF-3: Telnet.ToRouter: sa=162.2.0.18 da=50.2.2.35
FLT.013: IPDF-3: Telnet.ToRouter: sa=50.2.2.35 da=162.2.0.18

.
.
.

RAD.010: Sending request to RADIUS server 162.2.0.200.
FLT.013: IPDF-3: Telnet.ToRouter: sa=50.2.2.35 da=162.2.0.18
RAD.002: Telnet user wfkrt(50.2.2.35) has been authenticated
FLT.013: IPDF-3: Telnet.ToRouter: sa=162.2.0.18 da=50.2.2.35
FLT.013: IPDF-3: Telnet.ToRouter: sa=162.2.0.18 da=50.2.2.35
FLT.013: IPDF-3: Telnet.ToRouter: sa=50.2.2.35 da=162.2.0.18
FLT.013: IPDF-3: Telnet.ToRouter: sa=162.2.0.18 da=50.2.2.35
FLT.013: IPDF-3: Telnet.ToRouter: sa=50.2.2.35 da=162.2.0.18
FLT.013: IPDF-3: Telnet.ToRouter: sa=162.2.0.18 da=50.2.2.35
FLT.032: IPDF RADIUS installed profile Allow_Telnet for user wfkrt
RAD.003: Filter profile Allow_Telnet for user wfkrt(50.2.2.35) has been
activated
FLT.013: IPDF-3: Telnet.ToRouter: sa=162.2.0.18 da=50.2.2.35
FLT.013: IPDF-3: Telnet.ToRouter: sa=50.2.2.35 da=162.2.0.18

Verifying the Filter

This section shows how to verify that the profile Allow_Telnet works. The profile contains a single filter, PC_2. Its address term isa=authenticator binds the filter to the source address of the user who authenticated (50.2.2.35, as the status display below shows), so the hole is open only for that host; dir=Both means the filter also handles the return traffic.

IP Filters>list filter Allow_Telnet

Listing Filters
Name      Dir   Address            Port             Action  Idle   Protocol
---------------------------------------------------------------------------
PC_2      Both  isa=authenticator  idp=TELNET(23)   Pass    Off    TCP
          ELS Event=4
          ELS Text="Allow_Telnet: sa=%a da=%A dp=%p"

1. Confirm that the software installed profile Allow_Telnet on interface 1 as requested during the authentication process by entering status at the IP Filters> prompt.

IP Filters>status

Listing Dynamic/Authentication Profile Status
Interface/Name   User    Address     Up Time  Expires  Idle  Timer  Keep Alive
---------------------------------------------------------------------------
1/Allow_Telnet   wfkrt   50.2.2.35   207      Off      207   Off    Off

Total dynamic profiles installed = 1
Total dynamic filters installed = 0

2. Run Telnet to 162.4.0.2 from 50.2.2.35.

sparc5.netb.com# telnet 162.4.0.2

Trying 162.4.0.2 ...

Connected to 162.4.0.2.

Escape character is '^]'.

3. Display ELS message FLT.014, which corresponds to ELS Event=4 in filter PC_2. The messages show that GTSecure now passes the Telnet packets in both directions as a result of the Allow_Telnet profile. The labels in an ELS Text are free text chosen when the filter was created (blk_in pairs %p with sp=, PC_2 pairs it with dp=), so read the value against the directive, not the label.

ELS>nodisplay subsystem all all
ELS>display event flt.014
ELS>exit
Monitor> Ctrl P
*ELS

FLT.014: IPDF-4: Allow_Telnet: sa=50.2.2.35 da=162.4.0.2 dp=23
FLT.014: IPDF-4: Allow_Telnet: sa=162.4.0.2 da=50.2.2.35 dp=4155
FLT.014: IPDF-4: Allow_Telnet: sa=50.2.2.35 da=162.4.0.2 dp=23
FLT.014: IPDF-4: Allow_Telnet: sa=162.4.0.2 da=50.2.2.35 dp=4155
FLT.014: IPDF-4: Allow_Telnet: sa=162.4.0.2 da=50.2.2.35 dp=4155
FLT.014: IPDF-4: Allow_Telnet: sa=50.2.2.35 da=162.4.0.2 dp=23
FLT.014: IPDF-4: Allow_Telnet: sa=162.4.0.2 da=50.2.2.35 dp=4155
FLT.014: IPDF-4: Allow_Telnet: sa=162.4.0.2 da=50.2.2.35 dp=4155
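The block test and the Allow_Telnet verification above are both judged by reading the scrolling ELS console by eye. The following script, an added example written for this page and not code from Nx Networks or the GTSecure software, makes the same checks over a captured ELS console. It parses the custom filter messages (FLT.011 to FLT.020), the FLT.032 profile-install message and the RAD.002 authentication message, tallies logged packets per source/destination pair against the Block or Pass action you supply for each ELS Event number (the log itself does not carry the action; take it from the list filter display), flags identical consecutive lines as the retransmissions a blocked TCP connect produces, and confirms that each profile install was preceded by a successful authentication for that user. The sample captures are the lines shown on this page; the label-then-key=value layout of the ELS Text and the space separation of fields are assumptions drawn from those examples.

```python
"""Summarise GTSecure ELS console output captured while testing IP filters.

Added example for this page; not code from Nx Networks or the GTSecure
software.  It handles the line shapes shown in the examples on this page:

  FLT.011 .. FLT.020  custom filter messages (ELS Event=1..10).  The text
                      after "IPDF-n:" is the filter's own ELS Text, assumed
                      to be a label followed by key=value tokens.
  FLT.032             IPDF RADIUS installed profile <profile> for user <user>
  RAD.002             Telnet user <user>(<address>) has been authenticated

Other lines are ignored.  The log does not say whether a custom message came
from a Pass or a Block filter, so the caller supplies that mapping from the
"list filter" output (ELS Event number -> action).
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

FILTER_RE = re.compile(r"^FLT\.0(?:1[1-9]|20): IPDF-(\d+): (\S+?):? (.*)$")
PROFILE_RE = re.compile(r"^FLT\.032: IPDF RADIUS installed profile (\S+) for user (\S+)$")
AUTH_RE = re.compile(r"^RAD\.002: Telnet user (\S+)\((\S+)\) has been authenticated$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Optional[dict]:
    """Return a dict for one ELS line, or None if it is not a line we handle."""
    line = line.strip()
    if m := FILTER_RE.match(line):
        # ELS Event=n is reported as FLT.(010+n); keep n for the action lookup.
        return {"kind": "filter", "event": int(m.group(1)), "label": m.group(2),
                "fields": dict(KV_RE.findall(m.group(3))), "raw": line}
    if m := PROFILE_RE.match(line):
        return {"kind": "profile", "profile": m.group(1), "user": m.group(2), "raw": line}
    if m := AUTH_RE.match(line):
        return {"kind": "auth", "user": m.group(1), "address": m.group(2), "raw": line}
    return None


def parse_els(text: str) -> List[dict]:
    return [ev for ev in map(parse_line, text.splitlines()) if ev]


def flow_verdicts(events: Iterable[dict], actions: Dict[int, str]) -> Dict[Tuple[str, str], Counter]:
    """Per (sa, da) pair, how many logged packets hit a filter of each action."""
    out: Dict[Tuple[str, str], Counter] = {}
    for ev in events:
        if ev["kind"] == "filter":
            f = ev["fields"]
            key = (f.get("sa", "?"), f.get("da", "?"))
            out.setdefault(key, Counter())[actions.get(ev["event"], "Unknown")] += 1
    return out


def flow_ok(events: Iterable[dict], actions: Dict[int, str], sa: str, da: str, expected: str) -> bool:
    """True if sa -> da was logged and every logged packet hit a filter whose action is `expected`."""
    seen = flow_verdicts(events, actions).get((sa, da))
    return seen is not None and set(seen) == {expected}


def repeated_lines(events: Iterable[dict], min_count: int = 3) -> List[Tuple[str, int]]:
    """Identical consecutive filter lines.  When a TCP connect is blocked the
    client retransmits its SYN with the same sp=/dp=, which is why the blk_in
    test above logs the same FLT.011 line three times."""
    runs: List[Tuple[str, int]] = []
    last, n = None, 0
    for ev in events:
        if ev["kind"] != "filter":
            continue
        if ev["raw"] == last:
            n += 1
            continue
        if n >= min_count:
            runs.append((last, n))
        last, n = ev["raw"], 1
    if n >= min_count:
        runs.append((last, n))
    return runs


def installs_after_auth(events: Iterable[dict]) -> List[Tuple[str, str, bool]]:
    """For each profile install, whether RAD.002 for that user came earlier in the capture."""
    authed, out = set(), []
    for ev in events:
        if ev["kind"] == "auth":
            authed.add(ev["user"])
        elif ev["kind"] == "profile":
            out.append((ev["profile"], ev["user"], ev["user"] in authed))
    return out


# Captures copied from the ELS output shown on this page (RAD.001 is kept to
# show that unhandled lines are skipped).  Actions come from the "list filter"
# displays: Event=1 is blk_in (Block), Event=4 is PC_2 in Allow_Telnet (Pass);
# Event=3 is Telnet.ToRouter, which was added to allow Telnet (Pass).
ACTIONS = {1: "Block", 3: "Pass", 4: "Pass"}
BEFORE_AUTH = """\
FLT.011: IPDF-1: blk_in: dir=in sa=50.2.2.35 da=162.4.0.2 sp=4155 dp=23
FLT.011: IPDF-1: blk_in: dir=in sa=50.2.2.35 da=162.4.0.2 sp=4155 dp=23
FLT.011: IPDF-1: blk_in: dir=in sa=50.2.2.35 da=162.4.0.2 sp=4155 dp=23
"""
AFTER_AUTH = """\
FLT.013: IPDF-3: Telnet.ToRouter: sa=50.2.2.35 da=162.2.0.18
RAD.001: Trying to authenticate telnet user wfkrt(50.2.2.35),net 1,intPPP/0
RAD.002: Telnet user wfkrt(50.2.2.35) has been authenticated
FLT.032: IPDF RADIUS installed profile Allow_Telnet for user wfkrt
FLT.014: IPDF-4: Allow_Telnet: sa=50.2.2.35 da=162.4.0.2 dp=23
FLT.014: IPDF-4: Allow_Telnet: sa=162.4.0.2 da=50.2.2.35 dp=4155
"""

if __name__ == "__main__":
    before, after = parse_els(BEFORE_AUTH), parse_els(AFTER_AUTH)
    print("blocked before auth:", flow_ok(before, ACTIONS, "50.2.2.35", "162.4.0.2", "Block"))
    print("SYN retransmits:    ", repeated_lines(before))
    print("passed after auth:  ", flow_ok(after, ACTIONS, "50.2.2.35", "162.4.0.2", "Pass"))
    print("profile installs:   ", installs_after_auth(after))
```

To use it on a real test, capture the *ELS console to a file (for example through your terminal program's logging) with display event flt.0NN turned on for each filter under test, then call flow_ok with the source and destination addresses you sent traffic between and the action the filter is supposed to apply. A flow that shows both Block and Pass in flow_verdicts usually means the capture spans a profile install; split the capture at the FLT.032 line.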




Copyright © 2001, Nx Networks, Inc. All rights reserved.