You can collect the firewall diagnostic logs by running the remote diagnostic tests on an Edge.
For Edges running Release 3.4.0 or later which also have Stateful Firewall enabled, you can use the following remote diagnostic tests to obtain firewall diagnostic information:
- Flush Firewall Sessions - Run this test to reset established sessions from the firewall. Running this test on an Edge not only flushes the firewall sessions, but also actively sends a TCP RST for the TCP-based sessions.
Note: If you want to flush the IPv6 firewall sessions, run the Flush Firewall Sessions test from the New Orchestrator UI.
- List Active Firewall Sessions - Run this test to view the current state of the active firewall sessions (up to a maximum of 1000 sessions). You can limit the number of sessions returned by using filters: source and destination IP address, source and destination port, and Segment.
Note: You cannot see sessions that were denied, as they are not active sessions. To troubleshoot those sessions, you will need to check the firewall logs.
Note: IPv6 firewall session information can be viewed from the New Orchestrator UI. To view IPv6 firewall session information, you must run the List Active Firewall Sessions test from the New Orchestrator UI.
The Remote Diagnostics output displays the following information: Segment name, Source IP, Source Port, Destination IP, Destination Port, Protocol, Application, Firewall Policy, current TCP state of any flows, Bytes Received/Sent, and Duration. There are 11 distinct TCP states as defined in RFC 793:
- LISTEN - represents waiting for a connection request from any remote TCP and port. (This state is not shown in a Remote Diagnostic output).
- SYN-SENT - represents waiting for a matching connection request after having sent a connection request.
- SYN-RECEIVED - represents waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
- ESTABLISHED - represents an open connection; data received can be delivered to the user. This is the normal state for the data transfer phase of the connection.
- FIN-WAIT-1 - represents waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.
- FIN-WAIT-2 - represents waiting for a connection termination request from the remote TCP.
- CLOSE-WAIT - represents waiting for a connection termination request from the local user.
- CLOSING - represents waiting for a connection termination request acknowledgment from the remote TCP.
- LAST-ACK - represents waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).
- TIME-WAIT - represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.
- CLOSED - represents no connection state at all.
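The following is an added example, not part of this documentation or of the Orchestrator itself: a small Python helper that parses exported List Active Firewall Sessions rows carrying the fields listed above, rejects any TCP state that is not one of the RFC 793 states that can appear in the output (LISTEN is never shown), and summarizes the result per state and per firewall policy so that not-yet-established TCP flows and a possibly truncated 1000-session listing stand out. The CSV layout and the session rows are constructed for illustration; the real export format is not documented here.

```python
import csv
from collections import Counter
from io import StringIO

# TCP states that can appear in the diagnostic output (LISTEN is never shown).
RFC793_STATES = {
    "SYN-SENT", "SYN-RECEIVED", "ESTABLISHED", "FIN-WAIT-1", "FIN-WAIT-2",
    "CLOSE-WAIT", "CLOSING", "LAST-ACK", "TIME-WAIT", "CLOSED",
}
MAX_SESSIONS = 1000  # the test returns at most 1000 sessions; use filters beyond that

# Constructed sample: assumes one CSV row per session with the fields the page lists.
SAMPLE_OUTPUT = """\
Segment,Source IP,Source Port,Destination IP,Destination Port,Protocol,Application,Firewall Policy,TCP State,Bytes Received,Bytes Sent,Duration
Global Segment,10.0.1.25,51234,203.0.113.10,443,TCP,HTTPS,Allow-Web,ESTABLISHED,48211,9120,00:12:41
Global Segment,10.0.1.25,51240,203.0.113.10,443,TCP,HTTPS,Allow-Web,TIME-WAIT,1203,610,00:00:03
Global Segment,10.0.2.7,40001,198.51.100.5,22,TCP,SSH,Allow-Admin,SYN-SENT,0,0,00:00:00
Global Segment,10.0.2.7,40002,198.51.100.5,22,TCP,SSH,Allow-Admin,SYN-SENT,0,0,00:00:00
Guest Segment,192.168.50.9,33000,8.8.8.8,53,UDP,DNS,Allow-DNS,,130,85,00:00:01
"""

def parse_sessions(text):
    """Parse CSV session rows into dicts; TCP rows must carry a valid RFC 793 state."""
    sessions = []
    for row in csv.DictReader(StringIO(text)):
        state = row["TCP State"].strip().upper()
        if row["Protocol"].upper() == "TCP" and state not in RFC793_STATES:
            raise ValueError(f"unexpected TCP state {state!r} for {row['Source IP']}")
        row["TCP State"] = state or None  # non-TCP flows (UDP, ICMP) carry no TCP state
        row["Bytes Received"] = int(row["Bytes Received"])
        row["Bytes Sent"] = int(row["Bytes Sent"])
        sessions.append(row)
    return sessions

def summarize(sessions):
    """Count sessions per TCP state and per policy; flag flows still in handshake."""
    by_state = Counter(s["TCP State"] for s in sessions if s["TCP State"])
    by_policy = Counter(s["Firewall Policy"] for s in sessions)
    half_open = sum(1 for s in sessions if s["TCP State"] in ("SYN-SENT", "SYN-RECEIVED"))
    return {
        "total": len(sessions),
        "truncated": len(sessions) >= MAX_SESSIONS,  # hit the cap: narrow with filters
        "by_state": dict(by_state),
        "by_policy": dict(by_policy),
        "half_open": half_open,
    }
```

Denied flows never appear in this listing, so a clean summary here says nothing about blocked traffic; that still has to come from the firewall logs.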
For more information about how to run remote diagnostics on an Edge, see Remote Diagnostics.