Gil_Lim
Explorer

Firewall Logs analysis.

Hi All,

I would like to confirm that the following traffic is the same TCP session.

The traffic is dropped because the connection table is not synced (Blades 1 to 6) SYN-ACK packet received on member Id 2-4

The first traffic was Accepted on PRT-VS1-TRUST-EXT as below:

Src: nsh-sci-02 (10.100.229.52) s_port: 65253 dst: 10.136.96.24 d_port:20001 -25 Jan 25, 3:53:29 a.m.

vs1.png

The traffic was Accepted on the next FW, PRT-VS2-TRUST-InT-IAAS, as below:

Src: nsh-sci-02 (10.100.229.52) s_port: 65253 dst: 10.136.96.24 d_port:20001 on Member Id: 2_ 2 -25 Jan 25, 3:53:29 a.m.

vs1-accept.png

Then traffic was dropped on PRT-VS2-TRUST-InT-IAAS: Member Id 2_4 dropped the packet at 25 Jan 25, 3:56:42 a.m.

vs2-dropped.png

Due to the 3-minute time difference between the Accept (25 Jan 25, 3:53:29 a.m.) and the drop (25 Jan 25, 3:56:42 a.m.), someone advised that it might not be the same TCP session.

Are there any ways to confirm that this is the same TCP connection establishment traversing different firewalls?

marker.png

6 Replies
PhoneBoy
Admin

Likely will require tcpdumps on both gateways to correlate the packets.

Amir_Senn
Employee

I suggest you enable "Per Session" on the relevant rule.

Capture.PNG

This will create a session log for every session and you can see all relevant connection logs related by either:

a. Selecting the session log in the logs view and selecting "Connections" in the lower pane.

b. By clicking on the session button on the connection log itself:

Capture2.PNG

Kind regards, Amir Senn
the_rock
Legend

Excellent advice...I always keep forgetting about it, but it definitely helps.

Andy

Lesley
Mentor

The only way to be sure is indeed packet captures. Open them in Wireshark and analyse from there.

But looking at the logs, it does indeed look like the same traffic. Only the time is a bit weird. Maybe some log delay?

-------
If you like this post please give a thumbs up(kudo)! 🙂
Timothy_Hall
Legend

With a packet capture, yes you could establish if that was the same packet but on different firewalls.  For a TCP-oriented connection the sequence and ACK numbers would match; you could also confirm by seeing if the IP ID header field is the same.  For non-TCP connections all you have to look at is the IP ID and maybe some checksums to see if they are identical.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
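A worked example of the correlation Timothy describes, added here for this thread and not part of any reply or of Check Point tooling: it parses raw IPv4/TCP headers from two constructed captures of the thread's 10.100.229.52:65253 -> 10.136.96.24:20001 flow (IP IDs and sequence numbers are made up) and tells apart the same packet seen at two firewalls (seq, ack and IP ID all match) from a retransmitted SYN-ACK within the same session (seq and ack match, IP ID differs).

```python
import socket
import struct
from typing import NamedTuple

TcpPkt = NamedTuple("TcpPkt", [("src", str), ("sport", int), ("dst", str), ("dport", int),
                               ("ip_id", int), ("seq", int), ("ack", int), ("flags", int)])
RANK = {"same_packet": 0, "same_session": 1, "unrelated": 2}

def build_ipv4_tcp(src, sport, dst, dport, ip_id, seq, ack, flags) -> bytes:
    """Constructed sample data: minimal IPv4 + TCP headers, no payload, checksums zeroed."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ip_id, 0x4000, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(raw: bytes) -> TcpPkt:
    """Pull out the header fields a capture lets you compare across firewalls."""
    ihl, ip_id = (raw[0] & 0x0F) * 4, struct.unpack_from("!H", raw, 4)[0]  # IHL bytes, IP ID
    if raw[9] != 6:
        raise ValueError("not a TCP packet")
    src, dst = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    sport, dport, seq, ack = struct.unpack_from("!HHII", raw, ihl)
    return TcpPkt(src, sport, dst, dport, ip_id, seq, ack, raw[ihl + 13])

def classify(a: TcpPkt, b: TcpPkt) -> str:
    """same_packet: 4-tuple, seq, ack, flags and IP ID all identical (one packet seen at two
    points); same_session: identical except IP ID (a retransmission); unrelated otherwise."""
    key = lambda p: (p.src, p.sport, p.dst, p.dport, p.seq, p.ack, p.flags)
    if key(a) != key(b):
        return "unrelated"
    return "same_packet" if a.ip_id == b.ip_id else "same_session"

def correlate(cap_a, cap_b):
    """For each packet in cap_a: (index in cap_a, index of best match in cap_b, verdict)."""
    pkts_b = [parse_ipv4_tcp(r) for r in cap_b]
    result = []
    for i, raw in enumerate(cap_a):
        a = parse_ipv4_tcp(raw)
        verdict, j = min(((classify(a, b), j) for j, b in enumerate(pkts_b)),
                         key=lambda vj: RANK[vj[0]])
        result.append((i, None if verdict == "unrelated" else j, verdict))
    return result

SYN, SYNACK = 0x02, 0x12
CLIENT, SERVER = ("10.100.229.52", 65253), ("10.136.96.24", 20001)
# Constructed: VS1 saw SYN + SYN-ACK; VS2 saw the same SYN but a retransmitted SYN-ACK (new IP ID).
CAP_VS1 = [build_ipv4_tcp(*CLIENT, *SERVER, 0x1A2B, 1000, 0, SYN),
           build_ipv4_tcp(*SERVER, *CLIENT, 0x3C4D, 5000, 1001, SYNACK)]
CAP_VS2 = [build_ipv4_tcp(*CLIENT, *SERVER, 0x1A2B, 1000, 0, SYN),
           build_ipv4_tcp(*SERVER, *CLIENT, 0x3C4E, 5000, 1001, SYNACK)]
```

With real tcpdump output from both gateways you would feed the raw IP packets into correlate() in place of the constructed lists; a SYN-ACK that matches on seq/ack but not IP ID is the server retransmitting, which still places both log entries in one TCP session.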
the_rock
Legend

To help out with the captures, here is a great site my colleague built over the years.

Andy

https://tcpdump101.com/#
