Chapter 5. Troubleshooting techniques  171
5.4  Troubleshooting the firewall
This section describes some of the important points to consider if things go 
wrong in the firewall environment. The firewall is an important entity when it 
comes to Tivoli network management across firewalls. There is every chance 
that some troubleshooting will be required on the firewall to check that firewall 
rules are properly set up to allow the permitted traffic and deny the unwanted 
traffic.
These are some points to consider from the firewall point of view if things go 
wrong in this environment:
1. The firewall log is an important source of information, and this is the one to 
check first for everything that goes wrong with the firewall environment. The 
firewall log provides information with the date and time of each log entry, 
along with some reasoning for the particular log entry. So, you need to 
analyze the log for any possible problem causes.
2. IBM SecureWay firewall log entries are associated with some tags to identify 
them, called ICA tags. The IBM SecureWay firewall reference manual that 
comes with firewall installation gives the troubleshooting information with 
respect to each ICA tag that is related to some error condition.
3. The problem could be due to some incorrectly configured firewall rules. Check 
the firewall rules and make sure that everything is set up according to these 
requirements. This may seem simple, but do make sure you have the firewall 
rules set up properly for Target Proxy/Relay/Controller Proxy communication. 
These rule settings must be documented in the standard security 
documentation, as advised in Chapter 2, “Implementation planning” on 
page 57.
4. Check to see if there are any alerts generated by the firewall for any possible 
problem cause.
5. Take an iptrace on the firewall machine and verify that the required traffic has 
no problem passing through the firewall. If any problem is found with required 
traffic across the firewall, check to see if the rules defined are correct or have 
anything to do with this.
6. Some firewall implementations close ports on open connections if they have 
not been used within a time period. In such cases, it is important that you 
come to an understanding with the firewall administrators on what firewall 
policies have to be in place. Take into account that communication between 
Target Proxies, Relays, and Controller Proxies is established at startup time.
7. Some firewalls are equipped with built-in debugging tools. These tools can 
collect debug information when a particular activity is carried out. 
This debug information, in turn, can help analyze and correct the problem.
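
One way to combine points 1 and 3 is to scan the firewall log for denied packets that belong to a flow the security documentation says must be permitted, checking both the request and the reply direction. The following is an added example, not code from this book or from the firewall product. The log record layout, the ICA tag value, the addresses, and port 8777 are constructed assumptions.

```python
import re

# Constructed sample log. The "key:value" record layout after the ICA tag is
# an assumption (R = p permit / d deny, s/d = addresses, p = protocol,
# sp/dp = ports, # = rule number); adjust the regexes to your firewall's log.
SAMPLE_LOG = """\
Mar 14 10:02:11 fw1: ICA1036i: #:12 R:p s:198.51.100.20 d:192.0.2.30 p:tcp sp:41022 dp:8777
Mar 14 10:02:11 fw1: ICA1036i: #:0 R:d s:192.0.2.30 d:198.51.100.20 p:tcp sp:8777 dp:41022
Mar 14 10:03:40 fw1: ICA1036i: #:0 R:d s:203.0.113.9 d:198.51.100.20 p:udp sp:137 dp:137
"""

# Constructed entry standing in for the documented rule set:
# (source, destination, protocol, destination port)
DOCUMENTED_FLOWS = [("198.51.100.20", "192.0.2.30", "tcp", 8777)]

TAG_RE = re.compile(r"\b(ICA\d{4}[a-z]):\s*(.*)$")  # ICA tag, then record body
FIELD_RE = re.compile(r"(\S+?):(\S+)")              # key:value pairs

def parse_line(line):
    """Return the record fields as a dict, or None if the line has no ICA tag."""
    m = TAG_RE.search(line)
    return dict(FIELD_RE.findall(m.group(2)), tag=m.group(1)) if m else None

def direction_of(rec, flow):
    """Classify a record as the 'request' or 'reply' half of a documented flow."""
    src, dst, proto, port = flow
    if rec.get("p") != proto:
        return None
    if (rec.get("s"), rec.get("d"), rec.get("dp")) == (src, dst, str(port)):
        return "request"
    if (rec.get("s"), rec.get("d"), rec.get("sp")) == (dst, src, str(port)):
        return "reply"
    return None

def denied_required(log_text, flows):
    """List (flow, direction, rule number) for denied packets of documented flows."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("R") != "d":
            continue
        for flow in flows:
            direction = direction_of(rec, flow)
            if direction:
                hits.append((flow, direction, rec.get("#")))
    return hits

if __name__ == "__main__":
    print(denied_required(SAMPLE_LOG, DOCUMENTED_FLOWS))
```

In the constructed sample the request is permitted but the reply is denied, which is the pattern to expect when a rule exists for only one direction of a required flow.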