Sessions, Traffic Flow, and Networking Flashcards
(24 cards)
Session Table Summary Commands
get sys session status
get sys session list
Session Table Detailed commands
clear previous filter:
diagnose sys session filter clear
diagnose sys session filter ?
src - Source IP address
nsrc - NAT'd source IP address
dst - Destination IP address
proto - Protocol Number
list entries matching the filter:
diagnose sys session list
Clearing Session Table Entries
Set the filter with the commands above, check it with the list command, and then clear the entries that match the filter:
diagnose sys session clear
This is used to force configuration changes onto existing sessions, since a change does not affect sessions that already exist. Clearing them ends those sessions; any new sessions are built using the changed configuration.
TCP Protocol States
The first digit shows the server-side state and the second digit the client-side state (for example, proto_state=01 is the value normally seen for an established TCP session)
0 - None
1 - Established
2 - SYN_SENT
3 - SYN & SYN/ACK
4 - FIN_WAIT
5 - TIME_WAIT
6 - CLOSE
7 - CLOSE_WAIT
8 - LAST_ACK
9 - LISTEN
ICMP and UDP Protocol States
Even though UDP is stateless, FGT still uses two proto_state values:
00 - UDP traffic seen in one direction only
01 - UDP traffic seen in both directions
ICMP has no state; proto_state is always 00
Common Session Flags
log - is being logged
local - is to/from local stack
ndr - will be checked by IPS signatures
nds - will be checked by IPS anomaly detection
npu - can be offloaded to NPU
wccp - web caching
npd - session cannot be offloaded to NPU
redir - is being processed by an application layer proxy
authed - was successfully authenticated
auth - requires or required authentication
May_Dirty Sessions
A new firewall session that matched a policy with action accept is flagged may_dirty once the firewall policy lookup has been performed.
Lookup process:
First original packet (route and policy lookup)
First reply packet (route lookup)
No further lookups unless the session is flagged dirty
Dirty Sessions
A session is flagged dirty after a routing, firewall policy, or interface change.
Each direction of a dirty session must be re-evaluated, and the session's routing information is flushed if the routing changed.
Routing change and SNAT Session
By default, SNAT sessions are not flagged dirty after a routing change (unless the route in use is removed from the FIB)
To force reevaluation:
config system global
set snat-route-change enable
end
Firewall Policy Changes and Sessions
Policy changes can lead to high CPU utilization, because existing sessions have to be re-evaluated
To select which sessions in the VDOM are flagged as dirty:
config system settings
set firewall-session-dirty check-all (default) | check-new | check-policy-option
end
check-all: All impacted sessions are flagged
check-new: New sessions are flagged while existing ones are not
check-policy-option: follow firewall policy-level configuration
for Firewall-policy configuration:
config firewall policy
edit (id)
set firewall-session-dirty check-all (default) | check-new
end
Persistent flag means:
firewall-session-dirty is set to check-new and the session shown is an existing session (created before the policy change). The may_dirty flag is absent for such a session
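The proto_state digits, the state flags and the may_dirty/dirty/persistent markers above all come out of `diagnose sys session list` as one dense text dump. The following script is an added example (not Fortinet code) that decodes that dump using the tables from this page; the SAMPLE output is constructed for illustration and is not a capture from a real device.

```python
"""Decode `diagnose sys session list` output into something reviewable.

Added example, not Fortinet code. The proto_state and flag tables are the ones
on this page; SAMPLE is constructed output, not a real capture.
"""
import re
from dataclasses import dataclass

# TCP proto_state digits: first digit = server side, second digit = client side
TCP_STATES = {"0": "NONE", "1": "ESTABLISHED", "2": "SYN_SENT", "3": "SYN & SYN/ACK",
              "4": "FIN_WAIT", "5": "TIME_WAIT", "6": "CLOSE", "7": "CLOSE_WAIT",
              "8": "LAST_ACK", "9": "LISTEN"}
UDP_STATES = {"00": "one-way traffic only", "01": "traffic in both directions"}
FLAG_MEANING = {
    "log": "being logged", "local": "to/from the local stack",
    "ndr": "checked by IPS signatures", "nds": "checked by IPS anomaly detection",
    "npu": "can be offloaded to NPU", "npd": "cannot be offloaded to NPU",
    "wccp": "web caching", "redir": "handled by an application-layer proxy",
    "authed": "successfully authenticated", "auth": "requires or required authentication",
    "may_dirty": "re-evaluated after a policy, route or interface change",
    "dirty": "re-evaluation pending",
    "persistent": "existing session under firewall-session-dirty check-new",
}

@dataclass
class Session:
    proto: int
    proto_state: str
    flags: list
    policy_id: int
    expire: int
    snat: bool

    def decode_state(self) -> dict:
        if self.proto == 6:
            return {"server": TCP_STATES.get(self.proto_state[0], "?"),
                    "client": TCP_STATES.get(self.proto_state[1], "?")}
        if self.proto == 17:
            return {"udp": UDP_STATES.get(self.proto_state, "?")}
        if self.proto == 1:
            return {"icmp": "no state (always 00)"}
        return {"other": self.proto_state}

    def offloadable(self) -> bool:
        # npu = eligible for NP offload, npd = explicitly not offloadable
        return "npu" in self.flags and "npd" not in self.flags

    def explain_flags(self) -> dict:
        return {f: FLAG_MEANING.get(f, "unknown flag") for f in self.flags}

_KV = re.compile(r"(\w+)=(\S*)")

def parse_session_list(text: str) -> list:
    """Split the dump at each 'session info:' header and pull out the fields used above."""
    sessions = []
    for block in re.split(r"^session info:", text, flags=re.M)[1:]:
        kv = dict(_KV.findall(block))
        state = re.search(r"^state=(.*)$", block, flags=re.M)
        sessions.append(Session(
            proto=int(kv["proto"]),
            proto_state=kv["proto_state"],
            flags=state.group(1).split() if state else [],
            policy_id=int(kv.get("policy_id", 0)),
            expire=int(kv.get("expire", 0)),
            snat="act=snat" in block,
        ))
    return sessions

def report(sessions) -> list:
    return [f"proto={s.proto} proto_state={s.proto_state} -> {s.decode_state()} "
            f"policy={s.policy_id} expire={s.expire}s snat={s.snat} "
            f"offloadable={s.offloadable()} flags={s.explain_flags()}" for s in sessions]

# Constructed sample (two sessions) in the layout of `diagnose sys session list`
SAMPLE = """\
session info: proto=6 proto_state=01 duration=8 expire=3591 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
class_id=0 ha_id=0 policy_dir=0 tunnel=/ vlan_cos=0/255
state=log may_dirty npu
statistic(bytes/packets/allow_err): org=112/2/1 reply=112/2/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=3->5/5->3 gwy=10.200.1.254/10.0.1.10
hook=post dir=org act=snat 10.0.1.10:53072->8.8.8.8:443(10.200.1.1:53072)
hook=pre dir=reply act=dnat 8.8.8.8:443->10.200.1.1:53072(10.0.1.10:53072)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0
session info: proto=17 proto_state=00 duration=2 expire=178 timeout=180 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
state=may_dirty npd
statistic(bytes/packets/allow_err): org=80/1/1 reply=0/0/0 tuples=2
hook=pre dir=org act=noop 10.0.1.20:40000->10.0.2.5:514(0.0.0.0:0)
hook=post dir=reply act=noop 10.0.2.5:514->10.0.1.20:40000(0.0.0.0:0)
misc=0 policy_id=2 auth_info=0 chk_client_info=0 vd=0
total session 2
"""

if __name__ == "__main__":
    print("\n".join(report(parse_session_list(SAMPLE))))
```

Paste the real output of `diagnose sys session list` (after setting a filter) in place of SAMPLE; the report then tells you per session whether it is established on each side, whether it can be offloaded (and therefore invisible to the sniffer), and whether it still carries may_dirty or is one of the persistent sessions that a check-new policy change will not touch.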
Advanced Packet Capture Options:
diagnose sniffer packet (interface) '(filter)' (level) (count) (tsformat) (frame size)
count - stops the packet capture after this many packets
tsformat - changes the timestamp format: a - absolute UTC time, l - absolute local time; otherwise timestamps are relative to the start of the capture
frame size - sets the frame size that is printed before truncation (defaults to the interface MTU)
Advanced Packet Capture Verbosity levels
1 - IP headers
2 - IP headers and IP payload
3 - IP headers, IP payload, and ethernet headers
4 - IP headers and port name
5 - IP headers, IP payload and port names
6 - IP headers, IP payload, ethernet headers, and port name
Level 4 is usually used to check how traffic is flowing and whether the FGT is dropping packets.
Level 3 or 6 is normally used when the output will be converted to PCAP format for later analysis with a tool such as Wireshark
In the output, the line "# packets dropped by kernel" means:
The number of packets matching the filter that the sniffer could not capture. If it is non-zero, use a more specific filter
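Converting a verbosity 3 or 6 capture to PCAP is the job Fortinet's fgt2eth.pl script does; the following is an added example, not that script or any Fortinet code, that performs the same conversion in Python so the format is visible. It parses the `0x0000  ... ` hex-dump lines that levels 3 and 6 print, handles both the default relative timestamps and the absolute ones from tsformat a/l (local-time stamps are treated as UTC, an assumption you may need to adjust), and writes a classic libpcap file. SAMPLE is a constructed two-packet capture, not real device output.

```python
"""Convert `diagnose sniffer packet <if> '<filter>' 3|6 ...` output to a pcap file.

Added example, not Fortinet's fgt2eth.pl. SAMPLE is constructed, not a real
capture; absolute timestamps (tsformat a/l) are assumed to be UTC.
"""
import re
import struct
import sys
from dataclasses import dataclass
from datetime import datetime, timezone

HEX_LINE = re.compile(r"^0x([0-9a-fA-F]{4})\s+(.*)$")

@dataclass
class Frame:
    ts_sec: int
    ts_usec: int
    header: str          # the sniffer summary line, kept for reference
    data: bytes = b""

def _timestamp(tokens):
    """(sec, usec) from the leading token(s) of a sniffer summary line."""
    try:  # default format: seconds relative to the start of the capture, e.g. 3.417325
        sec, frac = divmod(float(tokens[0]), 1)
        return int(sec), int(round(frac * 1_000_000))
    except ValueError:
        pass
    # tsformat a / l: "2023-04-12 10:15:32.123456" (treated as UTC here)
    dt = datetime.strptime(f"{tokens[0]} {tokens[1]}", "%Y-%m-%d %H:%M:%S.%f")
    dt = dt.replace(tzinfo=timezone.utc)
    return int(dt.timestamp()), dt.microsecond

def _hex_bytes(rest: str) -> bytes:
    """Hex groups of one dump line; the ASCII column follows a tab, drop it."""
    if "\t" in rest:
        hexpart = rest.split("\t")[0]
    else:  # tabs lost in copy/paste: take at most eight leading hex groups
        groups = []
        for tok in rest.split():
            if len(groups) == 8 or not re.fullmatch(r"[0-9a-fA-F]{2,4}", tok):
                break
            groups.append(tok)
        hexpart = " ".join(groups)
    return bytes.fromhex(hexpart.replace(" ", ""))

def parse_sniffer(text: str) -> list:
    frames = []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m and frames:
            frames[-1].data += _hex_bytes(m.group(2))
        elif "->" in line and not line.startswith("0x"):
            tokens = line.split()
            sec, usec = _timestamp(tokens)
            frames.append(Frame(sec, usec, line.strip()))
        # interfaces=[...], filters=[...] and the trailing counters are ignored
    return frames

def to_pcap(frames) -> bytes:
    # libpcap global header: magic, v2.4, thiszone 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for f in frames:
        out.append(struct.pack("<IIII", f.ts_sec, f.ts_usec, len(f.data), len(f.data)))
        out.append(f.data)
    return b"".join(out)

# Constructed verbosity-6 capture: one DNS query and its reply (42-byte frames)
SAMPLE = """\
interfaces=[port1]
filters=[udp and port 53]
2.123456 port1 out 10.0.1.10.53072 -> 8.8.8.8.53: udp 0
0x0000\t 0009 0f09 0001 0009 0f09 0002 0800 4500\t..............E.
0x0010\t 001c 0001 0000 4011 5fb7 0a00 010a 0808\t.......@._.....
0x0020\t 0808 cf50 0035 0008 0000\t...P.5....
2.130001 port1 in 8.8.8.8.53 -> 10.0.1.10.53072: udp 0
0x0000\t 0009 0f09 0002 0009 0f09 0001 0800 4500\t..............E.
0x0010\t 001c 0001 0000 4011 5fb7 0808 0808 0a00\t.......@._.....
0x0020\t 010a 0035 cf50 0008 0000\t...5.P....

2 packets received by filter
0 packets dropped by kernel
"""

if __name__ == "__main__":
    # usage: python fgt_sniffer2pcap.py capture.txt out.pcap   (no args: convert SAMPLE)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 2 else SAMPLE
    frames = parse_sniffer(text)
    with open(sys.argv[2] if len(sys.argv) > 2 else "sample.pcap", "wb") as fh:
        fh.write(to_pcap(frames))
    print(f"wrote {len(frames)} frames")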
Debug Flow Summary
AKA internal sniffer
Multi-step commands:
to enable display of function names:
diagnose debug flow show function-name enable
to enable display of firewall policy matching decisions:
diagnose debug flow show iprope enable
to specify a filter:
diagnose debug flow filter (filter)
to enable output:
diagnose debug enable
to start the trace:
diagnose debug flow trace start (count)
to stop the trace:
diagnose debug flow trace stop
Common debug flow block message: Denied by forward policy check (policy 0)
No firewall policy allows the traffic
A firewall policy allows the traffic, but a disclaimer is enabled; the user must accept the disclaimer first
Common debug flow block message: Denied by quota check
Packet dropped because of traffic shaping
Common debug flow block message: No matching IPsec selector, drop
Packet dropped because source or destination IP address is not included in IPsec phase 2 quick-mode selectors
Common debug flow block message: reverse path check fail, drop
Packet dropped because of reverse path forwarding check
Common debug flow block message: iprope_in_check() check failed, drop
Packet is destined to a FGT IP address (management traffic) but:
The service is not enabled
The service is using a different TCP port
The source IP address is not included in the trusted host list
The packet matches a local-in policy with action deny
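A debug flow trace quickly becomes several hundred `id=... trace_id=... func=... line=... msg="..."` lines, and the verdict for each packet is buried in them. The script below is an added example (not Fortinet code) that groups the lines by trace_id and reports, per packet, the tuple, ingress interface, route, allowed policy or drop reason using the block-message table above; it also notes when a session helper is invoked (the `run helper-ftp` message). SAMPLE is constructed, and the func= names and line= numbers in it are assumptions, since they differ between FortiOS builds.

```python
"""Summarize `diagnose debug flow` output per trace_id (allowed / dropped and why).

Added example, not Fortinet code. The block-message meanings are the ones on
this page; SAMPLE is constructed, and its func= names and line= numbers are
assumptions, not taken from a real device.
"""
import re
from collections import OrderedDict

LINE = re.compile(r'id=(\d+)\s+trace_id=(\d+)\s+func=(\S+)\s+line=(\d+)\s+msg="(.*)"$')
PKT = re.compile(r"received a packet\(proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) from (\S+)")
ALLOWED = re.compile(r"Allowed by Policy-(\d+)")
HELPER = re.compile(r"run helper-([a-z0-9]+)")

# Common block messages and their meaning, as listed on this page
BLOCK_REASONS = [
    ("Denied by forward policy check (policy 0)",
     "no firewall policy allows the traffic, or the matching policy has a disclaimer not yet accepted"),
    ("Denied by quota check", "dropped by traffic shaping"),
    ("No matching IPsec selector", "src/dst IP not covered by the IPsec phase 2 quick-mode selectors"),
    ("reverse path check fail", "dropped by the reverse path forwarding (RPF) check"),
    ("iprope_in_check() check failed",
     "management traffic to a FortiGate IP: service disabled, wrong port, source not a trusted host, or local-in deny"),
]

def summarize_trace(text: str) -> "OrderedDict[str, dict]":
    traces = OrderedDict()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompts, blank lines, anything that is not a trace line
        _, tid, _func, _line, msg = m.groups()
        t = traces.setdefault(tid, {"packet": None, "ingress": None, "route": None, "verdict": "unknown",
                                    "policy_id": None, "reason": None, "helper": None, "nat": []})
        pm = PKT.search(msg)
        if pm:
            proto, sip, sp, dip, dp, ifname = pm.groups()
            t["packet"], t["ingress"] = f"proto={proto} {sip}:{sp}->{dip}:{dp}", ifname.rstrip(".")
        elif msg.startswith("find a route"):
            t["route"] = msg
        elif ALLOWED.search(msg):
            t["verdict"], t["policy_id"] = "allowed", int(ALLOWED.search(msg).group(1))
        elif msg.startswith(("SNAT", "DNAT")):
            t["nat"].append(msg)
        elif HELPER.search(msg):
            t["helper"] = HELPER.search(msg).group(1)
        else:
            for needle, meaning in BLOCK_REASONS:
                if needle in msg:
                    t["verdict"], t["reason"] = "dropped", meaning
                    pol = re.search(r"policy (\d+)", msg)
                    t["policy_id"] = int(pol.group(1)) if pol else t["policy_id"]
                    break
    return traces

def format_report(traces) -> list:
    lines = []
    for tid, t in traces.items():
        if t["verdict"] == "allowed":
            extra = f"policy {t['policy_id']}"
            extra += f", {'; '.join(t['nat'])}" if t["nat"] else ""
            extra += f", session helper {t['helper']}" if t["helper"] else ""
        elif t["verdict"] == "dropped":
            extra = t["reason"]
        else:
            extra = "no verdict seen in trace"
        lines.append(f"trace {tid}: {t['packet']} from {t['ingress']} -> {t['verdict'].upper()} ({extra})")
    return lines

# Constructed trace: an allowed SNAT flow, a policy-0 deny, a local-in deny, and an FTP session helper
SAMPLE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=6, 10.0.1.10:53072->8.8.8.8:443) from port3. flag [S], seq 1234, ack 0, win 64240"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.200.1.254 via port1"
id=20085 trace_id=1 func=fw_forward_handler line=771 msg="Allowed by Policy-1: SNAT"
id=20085 trace_id=1 func=__ip_session_run_tuple line=3348 msg="SNAT 10.0.1.10->10.200.1.1:53072"
id=20085 trace_id=2 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=6, 10.0.1.99:41000->10.0.2.5:23) from port3. flag [S], seq 99, ack 0, win 64240"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-10.0.2.5 via port2"
id=20085 trace_id=2 func=fw_forward_handler line=771 msg="Denied by forward policy check (policy 0)"
id=20085 trace_id=3 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=6, 172.16.0.7:40100->10.0.1.1:443) from port3. flag [S], seq 7, ack 0, win 64240"
id=20085 trace_id=3 func=iprope_in_check line=451 msg="iprope_in_check() check failed on policy 0, drop"
id=20085 trace_id=4 func=print_pkt_detail line=5517 msg="vd-root:0 received a packet(proto=6, 10.0.1.10:53100->10.0.2.20:21) from port3. flag [S], seq 42, ack 0, win 64240"
id=20085 trace_id=4 func=fw_forward_handler line=771 msg="Allowed by Policy-3: SNAT"
id=20085 trace_id=4 func=__ip_session_run_tuple line=3348 msg="run helper-ftp(dir=original)"
"""

if __name__ == "__main__":
    print("\n".join(format_report(summarize_trace(SAMPLE))))
```

Feed it the pasted output of `diagnose debug flow trace start` for a filtered host; one line per trace_id is usually enough to see which packets never matched a policy, which were refused by the local-in checks, and which are being handled by a session helper.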
Hardware Acceleration with sniffers
The sniffer and debug flow do not see offloaded traffic, because packets handled by the NP fast path bypass the CPU
You can temporarily disable NP offloading for troubleshooting, either on a single firewall policy or for the entire NPU
After disabling it, the CPU processes all packets and the sniffers see them
Disable Hardware Acceleration on Firewall Policy:
config firewall policy
edit (id)
set auto-asic-offload disable
end
set it back to enable once finished
Disable Hardware Acceleration Globally
To disable a single NPU:
diagnose npu (processor-name) fastpath disable (id)
processor name can be np6, np6xlite or np6lite
id is the ID of the NPU processor
the ID can be found with diagnose npu np6 port-list
to disable NP6/NP7 offloading for all traffic:
config system npu
set fastpath disable
end
Session Helper Pinhole sessions
The session helper creates a temporary expected session (a pinhole) for the data channel connection that comes from the server. This means the admin does not have to manually create firewall policies to allow incoming TCP sessions (which use random port numbers); it opens the door for the incoming connection
can find these sessions using command:
diagnose sys session list expectation
can also see if the session helper is being used in a debug flow output with the message: run helper-ftp