Chapter 11: Troubleshooting and Performance Monitoring


Introduction

This chapter focuses on troubleshooting PIX firewalls. Once you have mastered its command syntax and basic firewall operations, the PIX is a relatively simple device to configure. Its library of commands is small compared to that of Cisco routers and switches. In previous chapters, we covered the PIX firewall in detail, from the various models in the product line to simple and advanced configurations. This book contains information on how to integrate the PIX firewall into your existing network. As good as your PIX configuration is, problems will still crop up, and you need to know how to resolve them. The purpose of this chapter is to present a methodology that you can use to attack these problems and avoid missing critical troubleshooting steps.

Hardware and cabling problems can be a bane to an otherwise well-functioning network. A hardware problem becomes apparent if you know which indicators to monitor. The limited number of cable types that the PIX supports eases our cable troubleshooting considerably. This chapter provides technical information about these cables so you can validate them.

The PIX firewall is an IP device. Granted, it is a highly specialized device that performs vital security functions, but it is still an IP device. As such, it needs to know where to send traffic. We highlight some common connectivity problems and how you can address them. A valuable function of the PIX firewall is its ability to conserve IP address space and hide network details via Network Address Translation (NAT). If you have problems with NAT, you must be able to isolate and eliminate them.

The PIX firewall provides several access control mechanisms, from simple access lists to complex conduit statements. These mechanisms are simultaneously permissive and restrictive: certain traffic is allowed while other traffic is denied. Your troubleshooting will not only seek to resolve access problems, but also to find the right balance between permitting and denying traffic.

Entire books have been written on IPsec, and for good reason. IPsec can protect your traffic from end to end without having to be implemented at every hop along the way. IPsec configuration can be complex. You must be intimately familiar with IPsec operations in order to support and troubleshoot it. This chapter covers several key aspects of IKE and IPsec to aid your monitoring and support.

Capturing network packets on the PIX firewall can enable you to troubleshoot more effectively. The PIX firewall offers several features that you can use to capture traffic for analysis and problem isolation. Available tools include native PIX commands as well as third-party tools for network capture and packet decode.

How do you know if your PIX firewall is performing as well as it should? How would you know if it was overloaded? You need to monitor firewall performance and health proactively. The goal of monitoring is to prevent minor glitches from turning into major problems. The output of your monitoring efforts can be quite dense and arcane, so you need to know how to interpret what you are monitoring.

The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240
