Firewall Maintenance Manual
show logging debug
7. Turn off debugging: undebug all, or press "ESC" twice
8. Check whether debugging is on or off: show debug
• Debug output for normal access:
hostname(config)# sh log deb
2009-03-04 16:17:39, DEBUG@FLOW: core 0 (sys up 0x8e65ae ms): 001d.7294.e5f6->001c.5402.8c00, size 73, type 0x800, vid 0, port ethernet0/0
Switchid is 8(interface ethernet0/0)
port ethernet0/0 Start l3 forward
Packet: 192.168.1.12 -> 202.106.0.20, id: 8369, ip size 59, prot: 17(UDP): 3332 -> 53
① No session found, try to create session
-----------------First path creating new session-----------------
--------VR:trust-vr start--------
192.168.1.12:3332->202.106.0.20:53 ② No DNAT configured for this VR
③ Get nexthop if_id: 10, flags: 0, nexthop: 10.188.9.1
④ Found the reverse route for force revs-route setting
⑤ Matched source NAT: snat rule id:1
Matched source NAT: source port3332->port3332
--------VR:trust-vr end--------
⑥ Pak src zone trust, dst zone untrust, prot 17, dst-port 53. Policy 1 matches, ===PERMIT===
⑦ Identified as app DNS (prot=17). timeout 60.
flow0 src 192.168.1.12 --> dst 202.106.0.20 with nexthop 0.0.0.0 ifindex 0
flow1 src 202.106.0.20 --> dst 10.188.9.100 with nexthop 192.168.1.12 ifindex 8
flow0's next hop: 192.168.1.12
flow1's next hop: 10.188.9.1
crt_sess->revs_rres.nextop: 192.168.1.12, crt_sess->revs_rres.nexthop 10.188.9.1
Application 7 hasn't been registered, don't need do ALG
APP inited for application 7
The following session is installed
⑧ session: id 99962, prot 17, flag a, created 9332, life 60
flow0(if id: 8 flow id: 199924 flag: 801): 192.168.1.12:3332->202.106.0.20:53
flow1(if id: 10 flow id: 199925 flag: 800): 202.106.0.20:53->10.188.9.100:3332
Session installed successfully
-----------------------First path over---------------------
⑨ Found the session 99962
session: id 99962, prot 17, flag 4a, created 9332, life 60
flow0(if id: 8 flow id: 199924 flag: 811): 192.168.1.12:3332->202.106.0.20:53
flow1(if id: 10 flow id: 199925 flag: 810): 202.106.0.20:53->10.188.9.100:3332
Set fast code to fe proc
Go to fe proc directly
Got mac: ip:10.188.9.1, mac:001c.5400.1dc1
L3 forward, out if is ethernet0/2
msw_dsa_tag_encap_from_cpu: TX packet from interface ethernet0/2, vid 0 cos 0.
• Debug output for a routing problem
-----------------First path creating new session-----------------
--------VR:trust-vr start--------
192.168.1.12:55577->10.188.7.10:53 No DNAT configured for this VR
Failed to get route to 10.188.7.10 (no route exists)
Dropped: Can't find forwarding route. Abort!!
deny session:flow0 src 192.168.1.12 --> dst 10.188.7.10
Deny session installed successfully
--------VR:trust-vr end--------
-----------------------First path over (session not created)
Droppped: failed to create session, drop the packet
• Debug output for a policy problem
-----------------First path creating new session-----------------
--------VR:trust-vr start--------
192.168.1.12:4716->202.106.0.20:53 No DNAT configured for this VR
Get nexthop if_id: 10, flags: 0, nexthop: 10.188.9.1
Found the reverse route for force revs-route setting
Matched source NAT: snat rule id:1
Matched source NAT: source port4716->port4716
--------VR:trust-vr end--------
Pak src zone trust, dst zone untrust, prot 17, dst-port 53.
No policy set in this ctxt, default ===DENY=== (no policy permits this traffic)
Dropped: Can't find policy/policy denied. Abort!!
deny session:flow0 src 192.168.1.12 --> dst 202.106.0.20
Deny session installed successfully
-----------------------First path over (session not created)
• Debug output for a VPN problem
The security gateway provides the VPN debug command debug vpn, which helps locate why a VPN fails to negotiate successfully.
Because a VPN often fails to negotiate because of configuration problems, the following commands can be used to troubleshoot it:
debug vpn
show logging debug | begin {No suitable | mismatched | failed to get sainfo}
If a matching log line appears, compare it against the debug message descriptions to locate the problem. For example, the following debug vpn output shows a phase 1 proposal mismatch:
2009-03-04 17:33:41, DEBUG@VPN: [200.0.0.2:500]: No suitable proposal found
2009-03-04 17:33:41, DEBUG@VPN: [200.0.0.2:500]: phase 1 (aggressive mode): failed to get valid proposal. (phase 1 parameters were not negotiated successfully)
Phase 1 pre-shared key mismatch (must be checked from the VPN initiator side):
2009-03-04 19:11:45, DEBUG@VPN: [200.0.0.1:500]: Compute phase1 HASH successful!
2009-03-04 19:11:45, DEBUG@VPN: [200.0.0.1:500]: HASH mismatched (pre-shared key mismatch)
2009-03-04 19:11:45, DEBUG@VPN: [200.0.0.1:500]: Begin encryption ...
2009-03-04 19:11:45, DEBUG@VPN: [200.0.0.1:500]: Encrypted successful!
Phase 2 proposal mismatch:
2009-03-04 17:46:29, DEBUG@VPN: [200.0.0.2:500]: No suitable proposals found. (phase 2 parameters were not negotiated successfully)
2009-03-04 17:46:29, DEBUG@VPN: [200.0.0.2:500]: ++++++++Phase 2 (quick mode) first msg receive END.++++++++
Phase 2 proxy-id mismatch:
2009-03-04 18:56:13, DEBUG@VPN: [200.0.0.2:500]: failed to get sainfo.
2009-03-04 18:56:13, DEBUG@VPN: [200.0.0.2:500]: phase 2 (quick mode) : failed to get sainfo.
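As an added example (not part of this manual and not the firewall's own software), the following Python script classifies a block of show logging debug output using the message strings shown above, covering both the flow-path cases (no route, policy denied, permitted) and the debug vpn cases (phase 1 proposal, pre-shared key, phase 2 proposal, proxy-id); the sample blocks inside it are constructed to match the formats shown here, and the verdict names are this example's own.

```python
import re

# Constructed samples in the format of this manual's debug output (not
# captured from a real device); each is one failure case shown above.
ROUTE_FAIL = """192.168.1.12:55577->10.188.7.10:53 No DNAT configured for this VR
Failed to get route to 10.188.7.10
Dropped: Can't find forwarding route. Abort!!"""
POLICY_FAIL = """192.168.1.12:4716->202.106.0.20:53 No DNAT configured for this VR
No policy set in this ctxt, default ===DENY===
Dropped: Can't find policy/policy denied. Abort!!"""
PSK_FAIL = """2009-03-04 19:11:45, DEBUG@VPN: [200.0.0.1:500]: Compute phase1 HASH successful!
2009-03-04 19:11:45, DEBUG@VPN: [200.0.0.1:500]: HASH mismatched"""
P2_PROPOSAL_FAIL = """2009-03-04 17:46:29, DEBUG@VPN: [200.0.0.2:500]: No suitable proposals found.
2009-03-04 17:46:29, DEBUG@VPN: [200.0.0.2:500]: ++++++++Phase 2 (quick mode) first msg receive END.++++++++"""
# (verdict, regex). First match wins, so messages unique to one failure come
# before "No suitable proposal(s) found", which appears in both IKE phases.
RULES = [
    ("route-missing",         r"Can't find forwarding route"),
    ("policy-denied",         r"Can't find policy/policy denied"),
    ("permitted",             r"===PERMIT==="),
    ("vpn-psk-mismatch",      r"HASH mismatched"),
    ("vpn-proxy-id-mismatch", r"failed to get sainfo"),
    ("vpn-phase1-proposal",   r"failed to get valid proposal"),
    ("vpn-phase2-proposal",   r"No suitable proposals found"),
]
FLOW_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")
PEER_RE = re.compile(r"DEBUG@VPN: \[([\d.]+:\d+)\]")
SESSION_RE = re.compile(r"session: id (\d+)")

def triage(debug_text: str) -> dict:
    """Classify one block of 'show logging debug' output and extract the
    flow, session id or IKE peer it refers to, so a ticket can name the
    first-path stage (route, policy) or IKE phase that failed."""
    verdict = "unknown"
    for name, pattern in RULES:
        if re.search(pattern, debug_text):
            verdict = name
            break
    result = {"verdict": verdict}
    if m := FLOW_RE.search(debug_text):
        result["flow"] = f"{m[1]}:{m[2]}->{m[3]}:{m[4]}"
    if m := SESSION_RE.search(debug_text):
        result["session_id"] = int(m[1])
    if m := PEER_RE.search(debug_text):
        result["peer"] = m[1]
    return result

if __name__ == "__main__":
    for sample in (ROUTE_FAIL, POLICY_FAIL, PSK_FAIL, P2_PROPOSAL_FAIL):
        print(triage(sample))
```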
2.6. Firewall Backup and Restore
2.6.1. Backing Up the Firewall Configuration
Log in to the firewall through the WebUI, go to System > Configuration > Configuration Management, and click Download to back up the firewall's current configuration (current); alternatively, click Export in the Configuration Records box, which also backs up the firewall configuration. The Configuration Records box shows at most ten configurations, 0-8 plus current, so the firewall stores at most 10 configurations including the running one (current).
Configuration files can also be managed from the CLI, for example to view the current firewall configuration or the backup configuration records 0-8.
• View the current configuration: show configuration
• View saved configurations; the security gateway's current running configuration is tagged current, and the previous nine saved configurations are tagged 0 to 8 in chronological order: show configuration saved [current]