When using the Firewall on a TransPort router, it is often necessary to check whether the expected traffic is matching the configured rules.
This article gives the steps for doing this analysis, depending on the level of detail and the action you need to achieve.
I only need to see if the rule is matched by some packet
You can check whether a specific rule is matched simply by browsing to Configuration - Security > Firewall and reading the "Hits" value on the line of the rule you want to check. The counter tells you how many packets matched the rule, not which ones. You can reset all the Hits values by clicking "Reset Hit Counters". Note also that every time you modify a rule, its Hit counter is automatically reset.
I need to see which packets are matching the rule
If the Hits counter is not enough for your purpose, you can check WHICH traffic is matching the rule by adding the "log" keyword to the rule:
When the log option is specified, the unit places an entry in the FWLOG.TXT file each time it processes a packet that matches the rule. The firewall log trace can be viewed under Management - Network Status > Firewall Trace.
Each log entry normally details the rule that was matched along with a summary of the packet contents (headers only, not the payload):
I need to see which packets are matching the rule, including their body content
If you need more information about the packets that match the rule, you can also add the "body" sub-option after "log":
In that case the complete IP packet is entered into the log file, so that when the log file is displayed a more detailed decode of the IP packet is shown. Because the whole packet, payload included, is stored, the log grows much faster and may contain sensitive data, so enable "body" only for the duration of the troubleshooting. The firewall log trace can be viewed under Management - Network Status > Firewall Trace:
I need to see when the rule is matched relating to other events occurring
In order to do this, the "event" sub-option needs to be specified after "log" in the rule:
With that configuration, the log output will be copied to the EVENTLOG.TXT pseudo-file as well as the FWLOG.TXT file.
The event log entry will contain the line number and hit count for the rule that caused the packet to be logged.
This is very useful in many cases; in the example below it is used to check easily that traffic is sent over the primary or the backup link in a failover scenario.
You can check the eventlog browsing to Management - Event Log:
I need to generate an SNMP trap for every packet matching the rule
In order to have an SNMP trap generated when a packet matches the rule, you have to insert the sub-option "snmp" after the "log" field. If the "body" option has also been specified, some of the IP packet information is also included in the trap.
The SNMP trap will contain similar information to the normal log entry.
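The sections above all come down to which sub-options follow the "log" keyword of a rule, and the event log refers back to a rule by its line number. The following helper is an added example, not Digi's own code or tooling: it lists the rules of an fw.txt file with their line numbers and logging sub-options, so an event log entry can be traced back to the rule that produced it, and it appends a log clause to a rule. It assumes (the article does not state this) that rules are held one per line in fw.txt, that comment lines start with "#", and that the log clause is the last part of a rule, consisting of "log" followed directly by any of body, event, snmp and syslog. The sample rules are constructed for this example; their interfaces, addresses and ports are illustrative only.

```python
"""Added example (not Digi's own code): map TransPort firewall rules to their logging
sub-options and add a log clause to a rule.

Assumptions (not stated in the article): rules are one per line in fw.txt, comments start
with '#', a rule is a whitespace-separated list of keywords, and the optional log clause is
"log" followed directly by any of body, event, snmp, syslog. The sample rules are constructed.
"""

LOG_SUBOPTIONS = ("body", "event", "snmp", "syslog")

# Constructed sample fw.txt (hypothetical rules; interfaces, addresses and ports are illustrative)
SAMPLE_FW_TXT = """\
# Counted only: confirm matches from the Hits column in the web UI
pass out break end on eth 0 proto tcp from any to 10.0.0.5 port=443
# Log every match to FWLOG.TXT and copy the entry into EVENTLOG.TXT
pass in break end on ppp 1 proto udp from any to any port=161 log event
# Full packet decode in the log plus a syslog message per match
block in break end on ppp 1 proto tcp from any to any port=23 log body syslog
"""


def parse_rules(text):
    """Return one dict per rule line: 1-based file line number, rule text, log flag, sub-options.

    The line number counts every line of the file (comments and blanks included) so it can be
    matched against the rule line number reported in an event log entry.
    """
    rules = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        logging = "log" in tokens
        subopts = []
        if logging:
            # Sub-options are the keywords that directly follow "log"
            for tok in tokens[tokens.index("log") + 1:]:
                if tok not in LOG_SUBOPTIONS:
                    break
                subopts.append(tok)
        rules.append({"line": number, "rule": line, "log": logging, "suboptions": tuple(subopts)})
    return rules


def rule_for_line(text, line_number):
    """Look up the rule an event log entry refers to by line number; None if that line is not a rule."""
    for rule in parse_rules(text):
        if rule["line"] == line_number:
            return rule
    return None


def add_logging(rule, body=False, event=False, snmp=False, syslog=False):
    """Return the rule with a log clause (plus the requested sub-options) replacing any existing one."""
    tokens = rule.split()
    if "log" in tokens:
        start = tokens.index("log")
        end = start + 1
        while end < len(tokens) and tokens[end] in LOG_SUBOPTIONS:
            end += 1
        tokens = tokens[:start] + tokens[end:]  # drop the old clause and its sub-options
    tokens.append("log")
    for name, wanted in (("body", body), ("event", event), ("snmp", snmp), ("syslog", syslog)):
        if wanted:
            tokens.append(name)
    return " ".join(tokens)


if __name__ == "__main__":
    for rule in parse_rules(SAMPLE_FW_TXT):
        status = "log " + " ".join(rule["suboptions"]) if rule["log"] else "hits only"
        print(f"line {rule['line']:>3}: {status:<18} {rule['rule']}")
```

Run it against a copy of fw.txt pulled from the router to get a quick table of which rules are logging and with which sub-options; remember that editing a rule (for example with add_logging) resets its Hit counter when the file is reloaded.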
I need to send a Syslog Message for every packet matching the rule
In order to have a syslog message sent to the configured syslog manager IP address when a packet matches the rule, you have to insert the sub-option "syslog" after the "log" field. If the "body" option has also been specified, some of the IP packet information is also included.
This message contains the same information as the entry written to the log file, but in a different format. For example, using the syslog server built into Tftpd64 you can see:
Note that the size of the syslog message is limited to a maximum of 1024 bytes, so a long entry (for example one produced with "body") may be cut short. The syslog message is sent with the default priority value of 14, which decodes to facility USER and severity INFO.
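If no syslog server is to hand, the messages can be received and decoded with a few lines of Python. The following receiver is an added example, not Digi's own code: it splits the PRI value (14 by default, as stated above) into facility and severity, and flags any datagram that reaches the 1024-byte limit as possibly truncated. It assumes (the article does not say so) that the router sends BSD/RFC 3164 style syslog over UDP, each datagram beginning with "<PRI>", and that the server listens on port 514. The text in the sample datagram is a constructed placeholder, not a real firewall log entry.

```python
"""Added example (not Digi's own code): receive and decode the syslog messages a TransPort
sends for rules carrying "log syslog".

Assumptions (not stated in the article): BSD/RFC 3164 style syslog over UDP, each datagram
starting with "<PRI>", listening port 514. The sample datagram text is a constructed placeholder.
"""
import socket

MAX_SYSLOG_LEN = 1024  # message size limit given in the article

# RFC 3164 facility and severity numbers; PRI = facility * 8 + severity
FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp",
                  16: "local0", 17: "local1", 18: "local2", 19: "local3",
                  20: "local4", 21: "local5", 22: "local6", 23: "local7"}
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Constructed sample datagram with the router's default PRI of 14; the text is a placeholder
SAMPLE_DATAGRAM = b"<14>firewall rule match (constructed placeholder for the FWLOG.TXT entry)"


def decode_pri(pri):
    """Split a PRI value into (facility, severity); 14 -> (1, 6), i.e. user/info."""
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    return pri // 8, pri % 8


def parse_syslog(datagram):
    """Decode one UDP syslog datagram into facility/severity names and the message text."""
    text = datagram.decode("ascii", errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("datagram does not start with a <PRI> header")
    close = text.index(">")
    pri = int(text[1:close])
    facility, severity = decode_pri(pri)
    return {
        "pri": pri,
        "facility": FACILITY_NAMES.get(facility, f"facility{facility}"),
        "severity": SEVERITY_NAMES[severity],
        "message": text[close + 1:],
        # A datagram that reaches the router's limit may have been cut short by the sender
        "possibly_truncated": len(datagram) >= MAX_SYSLOG_LEN,
    }


def serve(host="0.0.0.0", port=514):
    """Receive datagrams from the router and print them decoded (binding port 514 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    while True:
        data, (src, _) = sock.recvfrom(65535)
        try:
            entry = parse_syslog(data)
        except ValueError as exc:
            print(f"{src}: unparseable datagram ({exc})")
            continue
        flag = " [possibly truncated]" if entry["possibly_truncated"] else ""
        print(f"{src} {entry['facility']}.{entry['severity']}{flag}: {entry['message']}")


if __name__ == "__main__":
    serve()
```

Point the router's syslog manager address at the host running this script and match rules with "log syslog"; each match should arrive as a user.info message, and anything tagged "possibly truncated" is a candidate for dropping the "body" sub-option.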
Feb 27, 2019