Troubleshoot NGFW Connectivity and Policy Enforcement Anomalies
Troubleshoot issues on your NGFWs.
Troubleshoot your NGFWs from Strata Cloud Manager without having to move
between various firewall interfaces. If you experience connectivity issues after
deploying and configuring your NGFWs, you can get an aggregate view of your routing and
tunnel states, and drill down to specifics to find anomalies and problematic
configurations.
Troubleshoot your identity-based policy rules and dynamically defined
endpoints. You can check the status of specific NGFWs and expose possible mismatches
between how you expect a policy to work and its actual enforcement behavior.
Troubleshooting lets you drill down on issues that might arise
within these networking and identity features, so that you can track down and resolve
connectivity issues or policy enforcement anomalies:
- Network Troubleshooting
- Identity and Policy Troubleshooting
Go to to start troubleshooting your firewalls.
Or, you can go to the feature you want to troubleshoot and select the
Troubleshooting button to get started.
View and sort troubleshooting jobs you've run by Status, Action, Search Target, and
Timestamp.
| Feature | Feature Location | Available Actions | Action Scope | Job Output Organized By |
| --- | --- | --- | --- | --- |
| Session Browser (Firewall) | | Filter by: Firewalls; Rule Name; Source Zone; Source Address; Source User; Source Port; Destination Zone; Destination Address; Destination Port; App-ID | Firewalls you specify | Session ID; Start Time; Zones; Source; Destination; Ports; Protocol; Application; Ingress; Egress; Bytes |
| DNS Proxy (Network) | | Show DNS Proxy Cache; Search the DNS Proxy Cache | Firewalls you specify | Domain Name; IP Address; Type: IPv4 Address Record (A), IPv6 Address Record (AAAA), Canonical Name Record (CNAME), Mail Exchange Record (MX), and Pointer to a canonical name (PTR); Class: Internet (IN TCP/IP), Chaos (CH), and Hesiod (HS); Time-to-live (TTL) in seconds; Hits: number of times the record was requested since the last reboot |
| NAT (Network) | | Show the NAT Rule IP Pool | Firewalls you specify | Rule; Type; Used; Available; Memory Size Ratio |
| User Groups (Identity) | | Show User Group; Search User Group | Firewalls you specify | |
| Dynamic Address Groups (Identity) | | Show All Dynamic Address Groups; Search for a Dynamic Address Group (chosen from a list) | Firewalls you specify | |
| Dynamic User Groups (Identity) | | Search by Dynamic User Group; Search by Username | Firewalls you specify | Members (Username) and/or Dynamic User Group |
| User ID (Identity) | | Show All User IP Mapping; Search For User IP Mapping | Firewalls you specify | IP; User; From; Idle Timeout; Max Timeout |
Export Metadata for Troubleshooting
To provide technical support with the information they need to better assist you,
AIOps for NGFW enables you to export your deployment data to your
local machine. This data arrives in JSON files that are compressed in the gzip
format.
Select Help > Export Tenant Metadata.
Prepare Metadata.
Download your metadata file.
The metadata file name
contains your Customer Support Portal (CSP) ID, your AIOps for NGFW tenant ID,
and the timestamp for the export:
<csp-tenant-timestamp>.gzip.