Overview
The tool described in this note was created to simplify parsing of the security logs so that you can identify which security module, and which rule, blocked a connection. It is not suited to identifying connection drops or rejections that are not security-related. Currently, the tool is available only from the CLI.
Tool and usage options
The tool is called dpi_session_drop_log.py. It is located in the /opt/versa/scripts/ directory.
Enable debug
Before you can use the tool, you need to enable detailed debug for the security sessions. Example:
You can use any of the 3 debug levels for the tool to work: debug, info, or notice.
If you get an error message like this:
Do the following to work around the limitation:
NOTE: Please don’t forget to synchronize the configuration to the appliance from Versa Director at the end of troubleshooting.
Tool usage options
Now that debug is enabled, the system starts writing internal logs whenever traffic hits any security rule.
To view all security events that caused a packet drop since the moment you enabled debug, run the command shown in the example below:
In the output above you can see that the session toward vk.com was blocked by the URL Filtering module, and that the rule that was hit is called RIVERBED-RULE-TEST.
The tool has multiple options. You can see the help menu by running the following command:
As the help menu above shows, you can filter the logs by source/destination IP and port, VRF ID (from VSMD), tenant ID (from VSMD), session ID, and the action taken.
List of the available modules (module name | what it does):
idp-packet     | IPS/IDS module for packet-based attacks
vparse         | Internal DPI module
policy         | Action taken by a Deny/Reject NGFW rule
appid          | Can drop SIP/FTP packets if there is an application-parsing issue
idp            | IPS/IDS module
captive-portal | Captive Portal module
urlf           | URL Filtering module
filefilter     | File Filtering module
av             | Antivirus module
iprep          | IP Filtering module
devid          | Device ID module
To view the filtered output in real time as you test, use the following command:
In the example above you can see 2 sessions that were blocked: one was dropped by an NGFW rule, and the other was blocked by the URL Filtering module. The tool cannot show the rule name for the NGFW rule; it is the only module for which the rule name is not shown.
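As an added example (not part of this note or of the Versa tool), the following Python script mirrors the tool's filtering over a constructed key=value record format: it reports the blocking module and rule name per session, filters by the same fields the help menu lists, and handles the case that the NGFW policy module exposes no rule name. The record format, the DropEvent fields and the sample records are assumptions made for this example; the appliance's real internal log format is not shown on this page.

```python
from dataclasses import dataclass
from typing import Optional

# Modules named in the note; 'policy' (NGFW deny/reject) never reports a rule name.
MODULES = {"idp-packet", "vparse", "policy", "appid", "idp", "captive-portal",
           "urlf", "filefilter", "av", "iprep", "devid"}
NO_RULE_NAME = {"policy"}

@dataclass
class DropEvent:
    sid: int                    # session ID
    tenant: int                 # tenant ID (from VSMD)
    vrf: int                    # VRF ID (from VSMD)
    src: str                    # source IP
    sport: int                  # source port
    dst: str                    # destination IP
    dport: int                  # destination port
    module: str                 # security module that blocked the session
    action: str                 # action taken (drop/reject)
    rule: Optional[str] = None  # rule name, when the module exposes it

def parse_line(line: str) -> Optional[DropEvent]:
    """Parse one constructed key=value record; return None if it is not a security drop."""
    kv = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    if kv.get("module") not in MODULES or "action" not in kv:
        return None
    rule = None if kv["module"] in NO_RULE_NAME else kv.get("rule")
    return DropEvent(int(kv["sid"]), int(kv["tenant"]), int(kv["vrf"]), kv["src"],
                     int(kv["sport"]), kv["dst"], int(kv["dport"]),
                     kv["module"], kv["action"], rule)

def filter_drops(lines, **criteria):
    """Return drop events matching every criterion, e.g. filter_drops(log, module="urlf")."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None and all(getattr(ev, k) == v for k, v in criteria.items()):
            hits.append(ev)
    return hits

def describe(ev: DropEvent) -> str:
    """One-line summary: which module blocked the session and which rule, if known."""
    rule = ev.rule or "<rule name not reported by this module>"
    return f"session {ev.sid}: {ev.src}:{ev.sport} -> {ev.dst}:{ev.dport} {ev.action} by {ev.module}, rule {rule}"

# Constructed sample records (invented format, not real appliance output).
SAMPLE_LOG = [
    "sid=1001 tenant=2 vrf=5 src=10.0.0.5 sport=51234 dst=203.0.113.20 dport=443 module=urlf action=reject rule=RIVERBED-RULE-TEST",
    "sid=1002 tenant=2 vrf=5 src=10.0.0.7 sport=40000 dst=203.0.113.30 dport=22 module=policy action=drop",
    "sid=1003 tenant=3 vrf=6 src=10.0.1.9 sport=33000 dst=203.0.113.40 dport=80 module=none action=allow",
]
```

Running `for ev in filter_drops(SAMPLE_LOG): print(describe(ev))` lists the two blocked sessions, with the URL Filtering hit naming its rule and the NGFW policy hit marked as having no reported rule name.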
PS: Please don’t forget to synchronize the configuration back to the appliance after you are done troubleshooting: