Firewall Logs analysis.
Hi All,
I would like to confirm that the following traffic is the same TCP session.
The traffic is dropped because the connection table is not synced (Blades 1 to 6): SYN-ACK packet received on member Id 2-4.
The first traffic was Accepted on PRT-VS1-TRUST-EXT as below:
Src: nsh-sci-02 (10.100.229.52) s_port: 65253 dst: 10.136.96.24 d_port:20001 -25 Jan 25, 3:53:29 a.m.
The traffic was Accepted on the next FW, PRT-VS2-TRUST-InT-IAAS, as below:
Src: nsh-sci-02 (10.100.229.52) s_port: 65253 dst: 10.136.96.24 d_port:20001 on Member Id: 2_ 2 -25 Jan 25, 3:53:29 a.m.
Then the traffic was dropped on PRT-VS2-TRUST-InT-IAAS; Member Id 2_4 dropped the packet at 25 Jan 25, 3:56:42 a.m.
Due to the 3 minute time difference between Accept (25 Jan 25, 3:53:29 a.m.) and drop (25 Jan 25, 3:56:42 a.m.), someone advised that it might not be the same TCP session.
Are there any ways to confirm that this is the same TCP connection establishment traversing different firewalls?
Likely will require tcpdumps on both gateways to correlate the packets.
I suggest you enable "Per Session" on the relevant rule.
This will create a session log for every session and you can see all relevant connection logs related by either:
a. Selecting the session log in logs view and select "Connections" in the lower pane.
b. By clicking on the session button on the connection log itself:
Excellent advice...I always keep forgetting about it, but it definitely helps.
Andy
The only way to be sure is indeed packet captures. Open them in Wireshark and analyse from there.
But from the logs it does look like the same traffic. Only the time is a bit weird. Maybe some log delay?
If you like this post please give a thumbs up (kudo)! 🙂
With a packet capture, yes you could establish if that was the same packet but on different firewalls. For a TCP-oriented connection the sequence and ACK numbers would match; you could also confirm by seeing if the IP ID header field is the same. For non-TCP connections all you have to look at is the IP ID and maybe some checksums to see if they are identical.
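As an added example (not from the thread or any poster), a small Python script that applies the matching criteria above to tshark-style field exports from two gateways: packets are paired on the 5-tuple plus IP ID and raw TCP seq/ack, so a packet that shares only the 5-tuple (in the constructed sample, a SYN-ACK about three minutes later) stays unmatched. The CSV field order, the sample values and the `max_skew` tolerance are assumptions.

```python
# Added example (not from the thread): correlate packets captured on two gateways.
# Two records are the same packet when, beyond the 5-tuple, the IP ID and the raw
# TCP sequence/ack numbers also match: those fields are set by the endpoints and a
# firewall forwarding the packet does not rewrite them (absent NAT of the ports).
import csv
from io import StringIO

# Constructed sample in the shape of:
#   tshark -r gw.pcap -T fields -E separator=, -e frame.time_epoch -e ip.src \
#     -e tcp.srcport -e ip.dst -e tcp.dstport -e ip.id -e tcp.seq_raw \
#     -e tcp.ack_raw -e tcp.flags.str
FIELDS = ["time", "src", "sport", "dst", "dport", "ip_id", "seq", "ack", "flags"]

GW1 = """1737777209.10,10.100.229.52,65253,10.136.96.24,20001,0x1a2b,3000,0,S
1737777209.12,10.136.96.24,20001,10.100.229.52,65253,0x0000,9000,3001,SA
"""
# Second gateway: the SYN matches; the SYN-ACK seen ~3 min later shares the
# 5-tuple only (different IP ID, seq and ack), i.e. it is not the same packet.
GW2 = """1737777209.11,10.100.229.52,65253,10.136.96.24,20001,0x1a2b,3000,0,S
1737777402.40,10.136.96.24,20001,10.100.229.52,65253,0x7777,5555,4444,SA
"""

def parse(text):
    return [dict(zip(FIELDS, row)) for row in csv.reader(StringIO(text)) if row]

def five_tuple(p):
    return (p["src"], p["sport"], p["dst"], p["dport"])

def packet_key(p):
    # 5-tuple plus the endpoint-set header fields a middlebox leaves untouched
    return five_tuple(p) + (p["ip_id"], p["seq"], p["ack"])

def correlate(a, b, max_skew=5.0):
    """Return (matched, unmatched): pairs (pkt_a, pkt_b) and packets of b with
    no counterpart in a within max_skew seconds (clock skew between gateways)."""
    index = {}
    for p in a:
        index.setdefault(packet_key(p), []).append(p)
    matched, unmatched = [], []
    for p in b:
        cands = [q for q in index.get(packet_key(p), [])
                 if abs(float(q["time"]) - float(p["time"])) <= max_skew]
        if cands:
            matched.append((cands[0], p))
        else:
            unmatched.append(p)
    return matched, unmatched
```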
To help out with the captures, here is a great site my colleague built over the years.
Andy
