Chapter 5. Troubleshooting techniques 171
5.4 Troubleshooting the firewall
This section describes some of the important points to consider if things go
wrong in the firewall environment. The firewall is an important entity when it
comes to Tivoli network management across firewalls. There is every chance
that some troubleshooting will be required on the firewall to check that firewall
rules are properly set up to allow the permitted traffic and deny the unwanted
traffic.
These are some points to consider from the firewall point of view if things go
wrong in this environment:
1. The firewall log is an important source of information, and this is the one to
check first for everything that goes wrong with the firewall environment. The
firewall log provides information with the date and time of each log entry,
along with some reasoning for the particular log entry. So, you need to
analyze the log for any possible problem causes.
2. IBM SecureWay firewall log entries are associated with some tags to identify
them, called ICA tags. The IBM SecureWay firewall reference manual that
comes with firewall installation gives the troubleshooting information with
respect to each ICA tag that is related to some error condition.
3. The problem could be due to some incorrectly configured firewall rules. Check
the firewall rules and make sure that everything is set up according to these
requirements. This may seem simple, but do make sure you have the firewall
rules set up properly for Target Proxy/Relay/Controller Proxy communication.
These rule settings must be documented in the standard security
documentation, as advised in Chapter 2, “Implementation planning” on
page 57.
4. Check to see if there are any alerts generated by the firewall for any possible
problem cause.
5. Take the iptrace on the firewall machine and see that the required traffic has
no problem passing through the firewall. If any problem is found with required
traffic across the firewall, check to see if the rules defined are correct or have
anything to do this.
6. Some firewall implementations close ports on open connections if they have
not been used within a time period. In such cases, it is important that you
come to an understanding with the firewall administrators on what firewall
policies have to be in place. Take into account that communication between
Target Proxies, Relays, and Controller Proxies are established at startup time.
7. Some firewalls are equipped with in built debugging tools. These tools can
collect some sort of debug information when a particular activity is carried out.
This debug information, in turn, can help analyze and correct the problem.