Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 60
81. Lecture-81: Troubleshooting FortiGate Firewall.
Now, troubleshooting. How do we do troubleshooting in a FortiGate firewall? First you need to know what troubleshooting is. Trouble shooting: should you take a gun and shoot the trouble whenever you face it? But don't shoot yourself, because troubleshooting is one of the hardest parts of networking. You will be under pressure sometimes: the network is not working, resources are not accessible, managers are shouting, other people are shouting at you, "what the hell is this?", and so on.
So, you have to be cool and calm to do troubleshooting. Don't care about anyone, don't worry that you will lose your job. I know these are very hard things to do, but you have to plan and resolve the issue. Troubleshooting means: if there is any problem, any error, any issue in the network, you resolve it. That is called troubleshooting. But you have to plan, you have to think, and for thinking you have a really small amount of time, because trouble never comes at a time when you have spare time, and as I told you, the manager is shouting, everyone is shouting. Now, how can we approach troubleshooting? Isolate the problem. What is the issue? Isolate it by layer: is it a layer 2 issue, a layer 3 issue, a layer 4 issue, a web application issue, an application issue, a hardware issue; go through the OSI model from layer one upward. And whatever you are doing, document it, and whatever you troubleshoot, document that as well.
So, document everything you have done, whether you solved the issue or you did not solve the issue. Whatever you have done, this is very important.
So, whenever you face the same issue, you have it documented, in an Excel file or in a ticketing system. You can also use Word and Excel for this. You do it for future use, so that if the issue comes again you can resolve it: you study what you documented and check it. And if you cannot remember something, don't worry; maybe you just don't know how to resolve this issue, or it is not coming to your mind.
So, what do you need to do then? Open a ticket with the vendor. You know, normally you have support from the vendor, like Fortinet; they have their own support team, and other vendors also have their tech support teams, and they will do the job in two minutes rather than wasting your time. It is better to escalate to your third-party vendor, either by creating a support ticket or by giving it to your level 3 engineer. It's not a big issue.
Sometimes you don't know how to solve it, but maybe he knows better. Last, you have to verify whatever you have done: the changes, with ping and traceroute commands, checking everything, and monitor it for a while. Maybe you fixed one issue, but it raises a new issue.
So, this way it is better to monitor for a while carefully. The steps: start by defining your problem, gather the facts, consider the possibilities, create an action plan, implement the plan, observe the results, utilize the process. Whatever I mentioned above, these are the steps. Did the problem symptoms stop? If yes, the problem is resolved, document the facts and finish. If no, restart again: utilize the process, observe everything and start again. The most widely used commands which will help you, and which I have used my entire life, are ping and traceroute. There are many other commands, like telnet, which we use for troubleshooting as well, to TCP ports like 23, 80 and 443; this is also a very important command in my lab which I use most of the time. But the most widely used commands are ping and traceroute. Ping checks whether a host is reachable, and traceroute traces the route, where the traffic is going. Not every organization allows them, they may be blocked, but for a network engineer and security engineer you can allow these two commands. Ping and traceroute are very important commands and they will help you most of the time; 80 percent of the time they will solve your issue, because these two commands can use fully qualified domain names, like ping google.com or traceroute google.com, as well as IP addresses, to figure out where the issue is. This is just the summarized version, because you are a security engineer and you already know these commands in more detail. Now coming to which approach I need to use to troubleshoot the issue. One is the top-down approach, meaning with the OSI model you start from the application layer. Suppose somebody says "I cannot access the Internet": check their browser, check Google Chrome, then check Internet Explorer, maybe it works there, then check the interface, then check the IP address, then check the cable, and go down like this to the VLANs, check the MAC address, and so on.
This is called the top-down approach: start from the top to troubleshoot the issue. Second is the bottom-up approach. Suppose someone cannot access the Internet and you start by checking the cable at the physical layer, then you check the interface, then you check the IP address, and last you come to the application to check whether the Internet is working or not. This is called the bottom-up approach. I'm giving you just a quick overview, not going into detail. Another method is the divide and conquer approach. Divide and conquer means divide the work: if there is an issue, you say "I will check this part, the hardware section, and you check the application side", meaning you divide the layers into two categories, for example starting from the transport or network layer and dividing from there. Another one is the follow-the-traffic-path approach. Suppose there is an issue: start with ping and traceroute, and wherever the traceroute stops, go to that device and figure out the issue. Suppose you are going from here to here: you start a traceroute here, put in the address, it routes through this one and stops here, so you come here, the issue is here. This is the simple way to use the method, and most engineers will use this method. Another is the spot-the-difference approach. If you have zero experience and you don't know, the spot-the-difference approach means compare two devices, the one which is working and the one which is not working, and spot the difference between the two.
So, merge them and it will start working. Another is the replace-component approach. Maybe someone says "my monitor screen is not working": you plug in a new cable to check, then the power cable, then you plug in another monitor, then another power cable, then another extension. You are changing one thing at a time to see which thing is at fault. This is called the replace-component approach. And this is the diagram to see the timeline and the scope of the problem. If it is limited, the top-down method is the best one. If it is complex, the bottom-up method. Analyze the symptoms: what is the symptom? Analyze previous experience: if you have previous experience, just start straight away. Divide and conquer. Compare: you check two things, one which is working and one which is not. And another one is swapping: if something is not working, swap it with another one. This is also one of the methods, but always think, as we know, measure twice, cut once. You have to be very careful and plan before the troubleshooting. You know, Abraham Lincoln said that if he had six hours to chop down a tree, he would spend the first four hours sharpening the axe.
So, you have to be ready. Your tools have to be ready before you attack a problem, rather than attacking it without tools and everything, because then it can harm you and it can be very dangerous.
So, it's better to be ready and fully aware. Things like a syslog server, an NTP server and all those things can be very helpful and will make things easier. And if you have a backup, your tension will be relieved if there is an issue, if something goes wrong.
So, it's better to take backups all the time, and if NTP is working,
then you can figure out when the issue arose and what the issue was. Syslog can help you in this, and NTP, which I told you about already, and so on. These are the basic things.
82. Lecture-82: Packet Sniffing in FortiGate Firewall.
In the FortiGate firewall we can use the packet sniffer. A packet sniffer, we also call it a network tap; it gives you a packet capture like a protocol analyzer, like Wireshark. It is nothing but something like Wireshark, which is a built-in tool in the FortiGate firewall to troubleshoot issues. You know, those of you who did the F5 load balancer course with me, there we used tcpdump on the F5 load balancer to troubleshoot any issue, and I gave you a full lecture of one hour on it, if you remember. The same thing can happen here with the packet sniffer, and Palo Alto has the same approach as well.
So, the sniffer captures the packet and analyzes the packet, and you can see and find out and troubleshoot your issue. The full command is diagnose sniffer packet, then type the interface name, then the filter which you want to filter on, then the verbose level, then how many (the count), and then the timestamp format. The interface can be like port1, or internal, WAN, LAN, DMZ.
So, first you type diagnose sniffer packet, then the interface. And if you say any, it means any interface; you can type any as well. So the first thing to mention is the interface. Then there is the filter, but the filter has to be in single quotes. If you type 'none', it captures any packet. Then verbose: if you want to print only the header, type 1; if you want to see the IP packet as well, type 2; if you want to see the Ethernet packet as well, type 3; and if you want all the detail, which is the best one, type 4.
So, when I type this command, keep in mind: for me, show me all the detail. If I type filters, the filter must be in single quotes, type something, and then count, how many packets. So if you say 1, 2, 3, it will capture that many packets. But if you don't mention anything, then you have to press Ctrl+C to stop it; it will continuously keep showing the packets. And the timestamp format, if you need it: a means absolute time and l means absolute local time, otherwise it can be anything. These are some of the commands which we will use. And I will show you now in my topology: I want to use 192.168.1.1 and it is going to the Internet. I want to troubleshoot what the issue is. What I will do: I will come here, log in as admin, 123, and I will type diagnose sniffer packet, question mark; the next one is the interface, and as I mentioned, if you don't know which interface you can type any. Now the filter: it should be in single quotes, but I know you can type it like this as well. Look, any traffic coming from any interface is showing here, but I did not set any count, so it's continuously running. Let me open this so I can generate some traffic from this side: admin, 123, and ping. It has to go to 8.8.8.8, by the way.
So, it's showing here, and it is going, ICMP echo request, but why is it not going through? Let me check my routing; there is a default route. Maybe there is no policy to allow me.
So, let me quickly create a policy to see, just to check the thing.
So, it's better to create one policy so I can distinguish different things. Let me stop this one, by the way, because with any packet it is showing me everything.
So, let me go to Policy & Objects, Firewall Policy. Yeah, there is no policy from LAN to WAN.
So, that's why. Let me create LAN to WAN and allow traffic from LAN going to WAN.
Source can be anything, destination can be anything, services can be anything, and all sessions, and OK. Also, if you want to see denied traffic, you know the implicit deny policy; there are many packets here, I look at policy ID 6, I click on this policy and enable logs so that you can see the logs. It's also a good way to troubleshoot better.
So, you see the dropped packets as well. Now I can see the traffic. Now this time I will look at it on port2. I can mention port2 as well; now the filter is port2 sniffer only, and now let's generate traffic from here. By the way, it has to go to the Internet, there is everything, and still nothing is coming. I can see the traffic. Look, the traffic is coming from 192.168.1.1 and that one is going to 8.8.8.8, and it's ICMP echo request, but it's unlimited. In the second one you can mention, suppose, port. Okay, what did I do wrong? Port is also used for other things. Okay, I will show you that later on.
So, now this is the way for any and for a specific port. Now I say no port, port2, but the host, in single quotes, 'host 192.168.1.1', and now generate traffic.
So, this is more specific, it is only for this host, because if I say only port2, the traffic from 1.2 is also coming.
So, it will show me both. Let me show you from this one as well, on the other side. Okay, ping 8.8.8.8. Okay, so this one is not showing here because I said host, only 1.1. But if I ping from the top one, this one, now it will show me. Without it, it shows both: this one as well and this one as well. Look, 1.1 as well and 1.2 as well.
So, this is the difference. Ctrl+C here to break it. The packet has been received, so it is better to use host. Now, if I need only a specific one: if I generate traffic from 1.1 it will not show, it's not showing, but if I make it from here, you will see the traffic. Look, it's showing now, because I told it to capture only for 1.2. And earlier it was showing everything because I did not mention anything specific.
So, you can specify. But if I say, no, I want just this host, but not wherever it wants to go, only to a specific destination, now this is more specific: if it wants to go to another destination it will not capture, but if it wants to go to 8.8.8.8, it will capture. It captured now.
So, a specific source and a specific destination: if the source is this one and the destination is this one, it shows me that, and Ctrl+C to stop it. After this, if you type a question mark, the information is here: six types of verbose levels. I told you about four of them; I'm using the latest version.
So, they added two more as well. This is from the old documents, which mentioned four, but they added two more as well.
So, I said, fine, they have that information with interface detail.
So, now for that, you have to put 4. And if you generate some traffic now, let's see: now it will show you port2. Before there was no detail, there was no port anywhere. Now there is: the traffic is coming from this port, because 4 means print header of packets with interface name. 1 is nothing but print the header of the packet; if you see print header and data from Ethernet of the packet, it will show you the item in detail.
So, let me try 3. Let me see, 3. Yeah. And if I generate traffic again, now it will capture it again, but this time it's different. There is output like the one we captured with what is called Wireshark; this is Wireshark-like output, you see there is something like this. Look, it's different now, because I just changed from 4 to 3, nothing else. 2 and 3 are similar. These are the verbose options, whichever you want: if you say 1, only the header; if you say 2, the data from IP as well. Anyway, next is count: how many packets. Now it's continuous, then Ctrl+C will break it and the packets that have been captured are shown. Let me set the count to 4 now, and the second time, look at the sniffer count, how many packets, only 2, and enter. But if I generate a hundred packets, still it will only capture that many and it's done. No need for Ctrl+C, because I told it I just need this count, as the sniffer count.
So, this gives you the first few packets to see. The last question mark: does it give me any other option? Ctrl+C or Ctrl+E, why is it not showing me? Let me make it like this one, Ctrl+C. Okay, it's not showing me the last one because it's a huge command.
So, let me do one thing. I need to put the last thing, which as I mentioned is time. So if I say a, it will mention the time as well. Yeah, there is the time. Now look: in the picture before there was nothing, no time; and also if you go to the one above, it was only seconds. But now, as I mentioned, date and time. Why? Because I put a, which means absolute: it tells me the year, month, day, hour, minute, second and millisecond. And that's why this is 2020, then the month, this is the date and the time, these are the seconds and these are the milliseconds.
So, this is the sniffer, which can help you figure out many issues. Also, you can use src (source) as well; I used host as well, and any. You can use port2, port3 and any as well, and for the source you can check the port as well. Like, suppose if you say... Ctrl+C. I don't know why it's not taking it quickly. diagnose sniffer packet, port2 or any, you can type any, and in single quotes type 'host 192.168.1.2 and port 80'. The traffic is only port 80.
So, if I do a ping, it will not show. Yes. If I do something that starts with port 80, then it will capture. Look, now it captured that somebody from 1.2 is going to port 80, and this is syn. Let me close it, because it's continuous: Ctrl+Shift+6.
So, it means you can do it for a specific port. Maybe you have 443 you want to investigate. Now let me do Ctrl+C. Ctrl+Shift+6 is not closing it, by the way; Ctrl+C is the way to close it. But anyway, let's wait for it. And instead of 80, type 443. It's open and here it captures the packet. Now this time there is syn and syn-ack; before it was showing only syn. It means I'm going to send syn, the other side sends syn-ack, fine, and then acknowledge. This way I troubleshoot: the host is going to connect, and it's working, and then it's disconnected. Ctrl+C to close, because I did not mention how many packets to capture.
So, this is called the sniffer, and there are so many other ways to use it.
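The two things the demos above turn on are the argument order of diagnose sniffer packet (interface, quoted filter, verbose, count, timestamp format) and reading its output to see whether a flow got an answer: the ping that entered on port1 but never went out because no LAN-to-WAN policy existed, and the syn with or without a syn-ack. As an added example, not part of the course and not Fortinet's code, here is a small Python script that builds the command line with those arguments checked and classifies flows from a capture. It assumes the verbose-4 line layout shown in the lecture (timestamp, interface, in/out, src.port -> dst.port: flags) and also accepts verbose-1 lines; the sample capture, addresses and sequence numbers are constructed, not taken from a real device.

```python
"""Read 'diagnose sniffer packet' output and say whether each flow was answered.
Added example for this lecture, not code from the course or from Fortinet. It
assumes the verbose-4 line layout the lecture shows (timestamp, interface,
in/out, src.port -> dst.port: flags) and accepts verbose-1 lines too (no
interface). The sample capture below is constructed, not from a real device."""
import re

def sniffer_command(interface="any", filt="none", verbose=4, count=0, tstamp=""):
    """CLI line in the lecture's argument order: interface, 'filter', verbose,
    count (0 = until Ctrl+C), timestamp ('a' absolute, 'l' absolute local)."""
    if verbose not in range(1, 7):
        raise ValueError("verbose must be 1..6")
    if tstamp not in ("", "a", "l"):
        raise ValueError("timestamp format must be '', 'a' or 'l'")
    return f"diagnose sniffer packet {interface} '{filt}' {verbose} {count} {tstamp}".rstrip()

LINE_RE = re.compile(
    r"^(?:\d{4}-\d{2}-\d{2}\s+)?(?P<ts>[\d:.]+)\s+"   # relative or absolute stamp
    r"(?:(?P<intf>\S+)\s+(?P<dir>in|out)\s+)?"        # only present at verbose 4-6
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+):\s+(?P<info>.+)$")

def parse_sniffer(text):
    """Capture lines -> dicts; banner lines (interfaces=, filters=) are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        info = m["info"].strip()
        p = {"intf": m["intf"] or "?", "dir": m["dir"] or "?", "info": info}
        if info.startswith("icmp"):
            p["proto"], p["src"], p["dst"] = "icmp", m["src"], m["dst"]
        else:  # tcp/udp: the last dotted field of each address is the port
            p["proto"] = "udp" if info.startswith("udp") else "tcp"
            p["src"], p["sport"] = m["src"].rsplit(".", 1)
            p["dst"], p["dport"] = m["dst"].rsplit(".", 1)
        pkts.append(p)
    return pkts

def verdict(flow):
    """Read a flow the way the lecture checks it: did the packet enter, did it
    leave on another interface (policy), did anything come back."""
    if flow["proto"] == "icmp":
        if flow["reply"]:
            return "echo request answered"
        what, ifaces = "echo request", flow["request_ifaces"]
    else:
        if flow["synack"]:
            return "handshake complete" if flow["ack"] else "syn-ack seen, final ack missing"
        what, ifaces = "syn", flow["syn_ifaces"]
    dirs = {d for _, d in ifaces}
    if dirs == {"?"}:
        return f"{what} seen, no reply: rerun with verbose 4 to see interfaces"
    if "out" in dirs:
        return f"{what} forwarded, no reply: check route/upstream"
    return f"{what} seen on ingress only, never forwarded: check firewall policy"

def analyze(text):
    """Group packets into flows keyed by the far end (server ip:port plus the
    client source port, which survives source NAT); return {key: (flow, verdict)}."""
    flows = {}
    for p in parse_sniffer(text):
        if p["proto"] == "icmp":
            target = p["dst"] if "request" in p["info"] else p["src"]
            f = flows.setdefault(f"icmp {target}",
                                 {"proto": "icmp", "request_ifaces": set(), "reply": False})
            if "request" in p["info"]:
                f["request_ifaces"].add((p["intf"], p["dir"]))
            else:
                f["reply"] = True
        elif p["proto"] == "tcp":
            flags = set(p["info"].split())
            to_srv = f"tcp {p['dst']}:{p['dport']} cport {p['sport']}"
            from_srv = f"tcp {p['src']}:{p['sport']} cport {p['dport']}"
            new = {"proto": "tcp", "syn_ifaces": set(), "synack": False, "ack": False}
            if "syn" in flags and "ack" not in flags:   # client -> server
                flows.setdefault(to_srv, new)["syn_ifaces"].add((p["intf"], p["dir"]))
            elif "syn" in flags:                          # server -> client
                flows.setdefault(from_srv, new)["synack"] = True
            else:                                         # ack or data, either way
                for key in (to_srv, from_srv):
                    if key in flows:
                        flows[key]["ack"] = True
                        break
    return {k: (f, verdict(f)) for k, f in flows.items()}

# Constructed sample: a ping that never leaves port1 (no LAN-to-WAN policy, as in
# the lecture), a complete HTTPS handshake, and an HTTP syn forwarded but unanswered.
SAMPLE = """\
interfaces=[any]
filters=[host 192.168.1.10]
1.001000 port1 in 192.168.1.10 -> 8.8.8.8: icmp: echo request
2.002000 port1 in 192.168.1.10 -> 8.8.8.8: icmp: echo request
5.100000 port1 in 192.168.1.10.51234 -> 198.51.100.20.443: syn 3061425231
5.100200 port2 out 203.0.113.5.51234 -> 198.51.100.20.443: syn 3061425231
5.130000 port2 in 198.51.100.20.443 -> 203.0.113.5.51234: syn 87123 ack 3061425232
5.130100 port1 out 198.51.100.20.443 -> 192.168.1.10.51234: syn 87123 ack 3061425232
5.130500 port1 in 192.168.1.10.51234 -> 198.51.100.20.443: ack 87124
5.130600 port2 out 203.0.113.5.51234 -> 198.51.100.20.443: ack 87124
7.000000 port1 in 192.168.1.10.51300 -> 198.51.100.7.80: syn 4000
7.000100 port2 out 203.0.113.5.51300 -> 198.51.100.7.80: syn 4000
"""

if __name__ == "__main__":
    print(sniffer_command("any", "host 192.168.1.10", 4, 0, "l"))
    for key, (_, why) in analyze(SAMPLE).items():
        print(f"{key:42} {why}")
```

The flow key deliberately uses the server address and the client's source port rather than the client address, because after source NAT the same flow appears with 192.168.1.10 on port1 and with the WAN address on port2, as the sample shows; keying on the client address would split one flow into two. The "ingress only" verdict is only meaningful at verbose 4 and above, where the in/out direction is printed; for verbose 1 to 3 the script says so instead of guessing.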