Configuring Juniper Networks NetScreen and SSG Firewalls

Troubleshooting is a fact of life in computer networking, so this chapter covers the different ways to track the status of packets going through your firewall. Juniper firewalls offer a selection of tools to assist with troubleshooting network access. If you're already familiar with the troubleshooting tools available on the Juniper firewalls, you won't find many surprises when working with the new SSG product line, since new features in the SSG firewall have troubleshooting tools and a structure similar to those of their NetScreen predecessors.
When dealing with network firewalls, it's important to remember that they often change the content of the packets going through them. So it's our task to keep track of the changes and make sure they are what we intended. Most firewalls have four main functions: packet forwarding, stateful filtering, address translation, and encryption. We tackle each of these functions differently. For instance, troubleshooting packet forwarding can be as easy as inspecting the routing table. Address translation may require looking at a log of the traffic. Troubleshooting encryption may require analysis of a detailed packet dump. Juniper firewalls, on the other hand, offer specific troubleshooting tools built into the ScreenOS operating system. Here, we cover the different troubleshooting facilities, from ping to firewall debug commands, to help you understand the full arsenal of troubleshooting capabilities the Juniper firewall provides you.
Remember that every firewall issue is resolvable. There is a reason behind every decision the firewall makes. Thus, we begin this chapter by...