    Troubleshooting Security Policies

    Checking a Security Policy Commit Failure

    Problem

    Most policy configuration failures surface at one of two points: at commit time, or at runtime after the commit has succeeded.

    Commit failures are reported directly on the CLI when you run the commit check command in configuration mode. They are configuration errors: the configuration cannot be committed until every one of them is fixed.

    Solution

    To fix these errors, do the following:

    1. Review the configuration you are trying to commit.
    2. Open the file /var/log/nsd_chk_only. It is overwritten on every commit check and holds the detailed failure information for the most recent one, so read it before running commit check again.
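    The session below is an added example, not part of the original page, showing the commit-check procedure on a single policy. The zone and policy names (trust, untrust, allow-web) are hypothetical, and lines beginning with ## are annotations rather than typed input.

```junos
## Added example, not from the original page. "user@host#" is the
## configuration-mode prompt; lines beginning with "##" are annotations.
## Zone and policy names (trust, untrust, allow-web) are hypothetical.

## A minimal policy under test
user@host# set security policies from-zone trust to-zone untrust policy allow-web match source-address any
user@host# set security policies from-zone trust to-zone untrust policy allow-web match destination-address any
user@host# set security policies from-zone trust to-zone untrust policy allow-web match application junos-http
user@host# set security policies from-zone trust to-zone untrust policy allow-web then permit

## Validate without activating. Errors are printed here, and the detailed
## record is written to /var/log/nsd_chk_only (overwritten on every run).
user@host# commit check

## Read that record from configuration mode before changing anything else
user@host# run file show /var/log/nsd_chk_only

## Show exactly what the candidate configuration would change
user@host# show | compare

## Only once commit check passes cleanly
user@host# commit
```

    Read nsd_chk_only before the next commit check: because each run overwrites it, fixing several things in one pass and then re-checking discards the evidence of what was wrong the first time.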

    Verifying a Security Policy Commit

    Problem

    If a policy configuration commit succeeds but the system then behaves incorrectly, troubleshoot as follows:

    Solution

    1. Operational show commands—Run the operational show commands for security policies and confirm that the output matches what you expected. If it does not, the configuration, not the system, needs to change.
    2. Traceoptions—Configure traceoptions under the security policies hierarchy. Choose the flags according to what the show output told you; if you cannot tell which flag applies, the all flag captures every trace category, at the cost of a much larger trace file.
      user@host# set security policies traceoptions flag all

    You can also configure an optional file name for the trace output.

    user@host# set security policies traceoptions file <filename>

    If you specified a file name, the trace is written to /var/log/<filename>; inspect it (for example with show log <filename>) to see whether any errors were reported. If you did not specify a file name, the default file is eventd. The error messages identify where the failure occurred and why.

    Trace options only record what happens after they are committed, so after configuring them you must recommit the configuration change that caused the incorrect behavior.

    Debugging Policy Lookup

    Problem

    When the configuration is correct but some traffic is nevertheless dropped or permitted when it should not be, enable the lookup flag in the security policies traceoptions. The lookup flag writes only the policy-lookup traces to the trace file, which is far easier to read than the output of flag all.

    Solution

    user@host# set security policies traceoptions flag lookup
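    The session below is added here as an example and is not taken from the original page. It puts the steps of the two preceding sections together: the operational show commands, a dedicated trace file in place of the default eventd, the lookup flag, the recommit that makes tracing take effect, and cleanup. The file name policy-trace, the zone names, the port number and the rotation values are hypothetical choices.

```junos
## Added example, not from the original page. "user@host>" is the
## operational-mode prompt, "user@host#" the configuration-mode prompt;
## lines beginning with "##" are annotations. The file name "policy-trace",
## zone names, port and rotation values are hypothetical.

## Step 1: check the installed policies and which policy live traffic hit
user@host> show security policies from-zone trust to-zone untrust detail
user@host> show security flow session destination-port 80

## Step 2: trace only policy lookups, into a dedicated rotated file, so the
## output is not mixed into eventd with other daemons' traces
user@host> configure
user@host# set security policies traceoptions file policy-trace
user@host# set security policies traceoptions file size 5m
user@host# set security policies traceoptions file files 3
user@host# set security policies traceoptions flag lookup
user@host# commit

## Tracing starts only after this commit, so now recommit the suspect policy
## change (or resend the test traffic), then read the trace
user@host# run show log policy-trace

## Remove the trace options when finished; flag all in particular fills the
## file quickly on a busy device
user@host# delete security policies traceoptions
user@host# commit
```

    The session output from show security flow session names the policy each session matched, which is often enough to answer "why was this permitted" without a trace at all; reach for flag lookup when the session is missing (the traffic was dropped) or matched a policy you did not expect. Keep the size and files values small enough that the trace does not crowd out other logs on /var/log.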

    Published: 2012-06-29