Configuring NetScreen Firewalls

Troubleshooting is a fact of life in computer networking. This chapter will cover different ways to track the status of packets going through your firewall. NetScreen firewalls offer a selection of tools to assist with troubleshooting network access.
When dealing with network firewalls, it is important to remember that they often change the content of the packets going through them. It is our task to keep track of the changes and make sure these changes are what we intended. Most firewalls perform four main functions: packet forwarding, stateful filtering, address translation, and encryption. We tackle each of these functions differently. Troubleshooting packet forwarding can be as easy as inspecting the routing table. Address translation may require looking at a log of the traffic. Troubleshooting encryption may require analysis of a detailed packet dump. NetScreen firewalls offer specific troubleshooting tools built into the ScreenOS operating system. Commands such as ping and get route can help with simple connectivity troubleshooting. The firewall also has a debug mode that can log packet headers or even the content of the packets themselves.
Remember that every firewall issue is resolvable. There is a reason behind every decision the firewall makes. We will begin by going through the path a packet takes as it makes its way through the firewall. Next we will go over the different tools available for troubleshooting. After that we will go over troubleshooting methods for VPNs (virtual private networks), NSRP (NetScreen Redundancy Protocol), and traffic shaping. Finally, we...