Roles: User, Requestor, IT support team.
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
Hardware.
Switch login details.
Other network information.
Inputs: Service Desk ticket raised and assigned to the Network WAN and Internet Support team.
Roles: User, Requestor, IT support team.
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
Switch login details.
VSP server IP address.
Next hop IP address.
Inputs: Service Desk ticket raised and assigned to the Network WAN and Internet Support team.
4. In the above snapshot, 32.65.X.X is the standard IP address range for the VSP server, and at the end you can see the Checkpoint firewall interface IP address.
3. The Core switch must be in VTP Master mode and all other access switches must be in Client mode.
4. If VLANs are not propagating properly in the network, check the VTP domain name and the VTP password.
5. Make sure that the link between the Core switch and the access switch is in Trunk mode. All VLANs present on the Core switch must be recognized properly over the trunk interface.
Go to configure mode –
interface vlan (number)
Scope: This SOP is used for IOS upgrade of Cisco Routers & Switches.
Roles: User, Requestor, IT support team.
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
Switch/Router login details.
IOS version copy.
TFTP server.
Inputs: Service Desk ticket raised and assigned to the Network WAN and Internet Support team.
To download a system image you must have an account at Cisco.com to gain access to the following websites. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
If you know the Cisco IOS release and feature set you want to download, go directly to
http://www.cisco.com/kobayashi/sw-center/index.shtml.
For more information before selecting the Cisco IOS release and feature set, go to the Software
Download Center at:
http://www.cisco.com/public/sw-center/index.shtml.
For more information about Loading and Managing System images, go to
http://www.cisco.com/en/US/docs/ios/fundamentals/configuration/guide/cf_system_images.html.
Router> enable
Example –
Directory of flash0:/
1 -rw- 48311224 Mar 2 1901 11:32:50 +00:00 c3900-universalk9-mz.SSA.XFR_20090407
2 -rw- 185667 Jan 27 2021 09:03:54 +00:00 crashinfo_20210127-090354
3 -rw- 983 Feb 14 2021 12:41:52 +00:00 running-config
260173824 bytes total (211668992 bytes free)
Router#
4.
Router# configure terminal
Router(config)# no boot system
Router(config)# boot system flash0:c2900-universalk9-mz.bin
Router(config)# exit
Router# show version
Cisco Internetwork Operating System Software
.
.
.
Configuration register is 0x0
Router#
Roles: User, Requestor, IT support team.
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
AD credentials.
Printer/Scanner IP address.
Inputs: Service Desk ticket raised and assigned to the Network WAN and Internet Support team.
4. If the ARP entry does not show, check whether the switch interface is directly connected to the printer or scanner.
5. The interface connected to the printer always needs to be in Access mode for the DATA VLAN.
6. Check whether the Printer/Scanner is getting a proper IP address from the DHCP pool.
Roles: User, Requestor, IT support team.
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
AD credentials.
Meraki Dashboard login details.
Inputs: Service Desk ticket raised and assigned to the Network WAN and Internet Support team.
Steps –
1. Go to URL - https://n104.meraki.com/login/dashboard_login
2. Enter your credentials for Meraki Dashboard. (Username, Password)
In our environment we receive multiple alerts for Meraki. To work on those alerts we use the steps below. Sample alerts –
Meraki is unreachable
1. Log in to the Meraki dashboard and first check the location mentioned in the alert.
2. Check whether the mentioned AP is Green or Red on the dashboard.
3. If it is red, log in to the Access switch and check whether the switch is learning the MAC address of the AP.
4. If not, check the switch port where the AP is connected. Check whether the switch port is in SHUTDOWN or NO SHUTDOWN state, and check the configuration of the port.
5. Then check power and physical connectivity for the AP.
Users are not able to connect to the Access Point via any of the SSIDs.
The above snapshot shows the Access Points are not stable and were down for a particular reason.
If we need to check which clients are connected to the AP and the overall usage –
Scope: This SOP is used for DHCP & DNS issue troubleshooting.
Roles: User, Requestor, IT support team.
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
AD credentials.
Switch details.
Inputs: Service Desk ticket raised and assigned to the Network WAN and Internet Support team.
Generate reports from NetQos and UIM to verify the bandwidth utilization
Scope: This SOP is used for generating NetQos & UIM reports.
Roles: User, Requestor, IT support team.
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
NetQos server login credentials.
Inputs: Service Desk ticket raised and assigned to the Network WAN and Internet Support team.
The screenshots below show how to capture and analyse traffic from a particular site and link.
First log in to the NetQos tool using Internet Explorer or Google Chrome (Google Chrome is the preferred application).
http://10.168.176.76
Use the User account or Administrative account to log in to the page below.
Once logged in, click any site router from the list of routers shown in the screenshot below.
Expand the site router or interface by clicking the site for which you want to capture the traffic utilization.
Once we expand the site link, we will see the LAN and WAN interfaces; this information is captured from the router by NetQos using the NetFlow and SNMP protocols.
This information also covers the interface description, speed and interface active status.
Interface Active status in the screenshot below means NetFlow is configured on that interface.
In the above Edmonton site, WAN interface Gig0/1.136 is configured with NetFlow and we are going to capture traffic utilization for this interface.
Click interface “Gig 0/1.136” in the above screenshot. Below is the list of screenshots that appear on the same page.
The reporting page opens and displays the overview of the traffic utilization report, which covers traffic sent and received by protocol, traffic sent and received by TOS, traffic sent FROM local hosts, traffic sent TO remote hosts and TOP Talkers.
We need to define the interval and the time period for the report that we are generating.
The screenshot below shows how to set the date, time and period for which we are generating the report.
In this example, we are generating a report for the traffic utilized on 6th September from 8 am to 6 pm PST for the Edmonton site.
In the screen below, we set the date as 6th September 8 am PST to 6 pm PST and then click “SET”.
Once we set the period, date and time, the report is generated for traffic sent and received by protocol, traffic sent and received by TOS, traffic sent FROM local hosts, traffic sent TO remote hosts and TOP Talkers.
The screenshot below is for the Inbound Protocol traffic. On the right we can see the total link bandwidth as 10 Mbps, and the right side of the graph lists the protocols with their colour coding.
The report says Inbound HTTP traffic peaked at 10 pm PST using bandwidth of 7 Mbps, while Inbound HTTPS traffic peaked at 10 pm PST using bandwidth of around 6 Mbps.
The screenshot below is for the Outbound Protocol traffic. On the right we can see the total link bandwidth as 10 Mbps, and the right side of the graph lists the protocols with their colour coding.
The report says Outbound HTTPS traffic peaked at 5:45 pm PST using bandwidth of 800 Kbps, while Outbound HTTP traffic peaked at 9 pm PST using bandwidth of around 800 Kbps.
The TOS report below is a continuation of the protocol report above.
The TOS report is based on the QoS defined in the router.
The TOS inbound report says the Default traffic peaked at 10 pm PST using bandwidth of 7 Mbps.
The TOS outbound report says the traffic marked AF21 peaked at 10 pm PST using bandwidth of 7 Mbps.
The TOS outbound report also says the Default traffic peaked at 6 pm PST using bandwidth of 750 Kbps, and that the traffic marked AF21 peaked at 6 pm PST and 9 pm PST using bandwidth of 800 Kbps and above.
The screenshot below shows the traffic generated FROM a particular host; it is a continuation of the earlier Protocol and TOS traffic reports.
This screenshot shows the traffic generated FROM a particular local host. The host generating traffic is shown either by hostname or by IP address. Before sending the report to the end user we need to resolve the IP addresses to their hostnames using Windows “nslookup” or “ping -a <ip address>”, and then send the end user both the IP addresses and their hostnames. A sample mail is included at the end of the document.
The screenshot below says host 132.245.3.220 is generating the largest amount of traffic.
Host 132.245.3.220 is generating 2.33 GBytes of traffic, which alone uses 20.16% of the Edmonton site's total bandwidth of 10 Mbps.
Last 2 hours of communication from host 132.245.3.220 to host edmokeatingm2.na.corp.local (207.61.65.67).
Last 8 hours of communication from host 132.245.3.220 to host edmokeatingm2.na.corp.local (207.61.65.67).
So far this document has explained the “Overview” of the traffic utilization.
We can also take separate reports based on Protocols, TOS, Hosts and Conversation by selecting from the drop-down menu shown in the screenshot below.
The reports for Protocols, TOS, Hosts and Conversation are the same as explained earlier in this document, because the “Overview” report contains the collective reports of all these components.
By clicking the “Print” option at the top right corner of the page, we can save the traffic utilization report in PDF format and then send it to the end user.
Roles: User, Requestor, IT support team.
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
AD credentials.
Switch details.
Subnet info.
Inputs: Service Desk ticket raised and assigned to the Network WAN and Internet Support team.
Colliers has DHCP scopes for three services: DATA, VOICE and WIRELESS.
If the site is a Cisco environment, there are sites that have the DATA, Voice and Wireless DHCP scopes configured in the Cisco Core switch.
If the site is a Cisco environment and the site has its own Domain Controller, then the DATA and Wireless DHCP scopes are configured in the Domain Controller, while the Voice DHCP scope still remains in the Cisco Core switch.
If the site is a Non-Cisco environment and the site has its own Domain Controller, then the DATA and Wireless DHCP scopes are configured in the Domain Controller, while the Voice DHCP scope is configured in the Cisco CE router.
If the site is a Non-Cisco environment and no Domain Controller exists, then the DATA, Wireless and Voice DHCP scopes are configured in the Cisco CE router.
MPLS Link Upgrade –
Roles: User, Requestor, IT support team.
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
AD credentials.
Router details.
MPLS link info.
Inputs: Service Desk ticket raised and assigned to the Network WAN and Internet Support team.
Phase 1 –
Test & Turn Up Circuit :-
interface GigabitEthernet0/2
description 20 Mb Link to ATT AVPN
no ip address
ip flow ingress
ip flow egress
load-interval 30
shutdown
duplex full
speed 100
!
interface GigabitEthernet0/2.50
description ATT_AVPN_10.254.160.46/30_ .MMEC.940747..ATI.
bandwidth 20000
encapsulation dot1Q 50
ip address 10.254.160.45 255.255.255.252
ip flow ingress
ip flow egress
Phase 2 –
interface GigabitEthernet0/1
no service-policy output QOS-TO-MPLS
exit
We add this route because we don't want to lose connectivity with ATT.
Do NOT save the configuration now; in case we want to revert, we can restart the router.
Configure the new BGP process with the new AS number. Below is the sample configuration:
Now change the bandwidth shaping under the QOS policy-map configuration. The sample configuration is as below:
policy-map QOS-TO-MPLS
class all-data
shape average 20000000
service-policy BANDWIDTH
Do NOT save the configuration now; in case we want to revert, we can restart the router.
Now enable the new interface Gig 0/1 and its sub-interface using the “no shut” command.
interface GigabitEthernet0/2
no shut
exit
interface GigabitEthernet0/2.50
no shut
service-policy output QOS-TO-MPLS
exit
Do NOT save the configuration now; in case we want to revert, we can restart the router.
If your site is a Cisco environment and the Cisco Core switch is running EIGRP, check whether EIGRP is learning External EIGRP routes in your Cisco Core switch using the command
show ip route
Now ask the ISA to carry out the following post-configuration testing.
Ping and traceroute to another MPLS site or servers.
Carry out a post speed test and compare it with the speed test done during the pre-testing period to see the difference.
Lync
Outlook
Send and receive mail
IP Phone calls
Voice mails
Check the NetQos report and see whether the new 10 Mb is highlighted in the NetQos report for that particular site. This may take some time to be reflected in the NetQos report analyser.
Configure the snmp-server trap command to get traps from the new interface where the circuit is terminated in the CE router. The router will not accept the physical interface; it will only accept the sub-interface, because the IP address is configured on the sub-interface. Below is the sample command:
snmp-server trap-source GigabitEthernet0/2.50 ----- > Enabling SNMP traps on the new circuit.
This command will help GLS to get traps in their monitoring tool.
SAVE the router configuration now, once the post-testing is completed successfully.
Roles: User, Requestor, IT support team.
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
VISIO software.
Network details.
Inputs: Service Desk ticket raised and assigned to the Network WAN and Internet Support team.
Controls: Ticket SLAs.
Colliers Standard policy.
Outputs: VISIO diagram updated.
Updates in the ticket.
3. Select the Network Device tab and select devices as per your requirements.
4. Save the diagram with the .vdx extension.
Coordinating with service providers for circuit outages – Log a ticket and follow up with service providers for resolution
We have different service providers as well as vendors in our environment. As per requirements we need to coordinate with them whenever there is an ongoing issue.
If we need to raise a ticket with a vendor, we follow the steps below:
1. Call the vendor or service provider.
2. Give them details including Name, Organization, Location, the Account Number associated with them, Email and a call-back number.
3. Once the ticket is created with them, you will receive the ticket details by mail.
4. Whenever we need to follow up on that ticket on a call, we just give the ticket number to the vendor.
4. This confirms that the location is unreachable. Now we need to check with the local ISA whether there is a power outage at the location or any physical connection loss.
5. If there is a power outage at the location, we need to wait till power comes back.
6. If there is no power outage, we need to check the location step by step.
7. All cable connections to the device need to be checked; try to ping the internet connection from the core switch.
8. If the ping resolves, check the traceroute to a global DNS server (i.e. 4.2.2.2).
9. Note the IP address at which the traceroute stops. Log in to that device and check what the issue is, or try to reach the internet from that location.
4. It will then show the MAC address as per the given table. Select the MAC address of the access point and click Claim.
5. Before adding the Meraki access point in the portal, select the network for the location.
6. Then check whether the access point is shown under the preferred location.
7. The access point should show green. If the access point is shown as red, check the physical connection of the access point.
5. Configure the RADIUS server for AD credentials on the router, so users can access the router with their AD credentials.
8. Finally we need to configure the line protocol on the router so remote users can log in to the device.
Roles: User, Requestor, IT support team.
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
AD credentials.
Router details.
Subnet info.
Inputs: Service Desk ticket raised and assigned to the Network WAN and Internet Support team.
EIGRP:
1. Colliers uses EIGRP to advertise the internal LAN subnets within the local area network of each site. So EIGRP is configured on both the Core switch and the CE router using Autonomous System number 10, using the commands
router eigrp 10
network 10.0.0.0
2. EIGRP then redistributes these internal LAN subnets into BGP to reach the MPLS cloud, using the commands:
router bgp 65263
redistribute eigrp 10
3. There are also sites where we have static routes configured in the Core switch and we are redistributing those static routes into EIGRP.
4. There are also sites where we have static routes configured in the Core switch and we are redistributing those static routes into EIGRP using “route-maps and prefix-lists” after filtering the static routes. This is explained in the earlier section of this document.
5. There are also sites where we use the commands “eigrp stub”, “redistribute connected” and “eigrp stub static”:
router eigrp 10
redistribute connected
eigrp stub static
6. The eigrp stub command is used to configure a router as a stub, where the router directs all IP traffic to a distribution router.
7. The redistribute connected command allows the EIGRP stub to send connected routes. If the connected routes are not covered by a network statement, it is necessary to redistribute connected routes with the redistribute connected command under the EIGRP process. This option is enabled by default.
8. The eigrp stub static command allows the EIGRP stub to send static routes. Without this command EIGRP will not send any static routes, including internal static routes. It is still necessary to redistribute static routes with the redistribute static command.
Assume the Core switch has EIGRP advertising the internal LAN subnets internally and also redistributing those routes into BGP.
At the same time there are sites where we have an ANIRA router implemented for failover from MPLS, and this failover is triggered using a default route with a higher distance value of 250. Once the MPLS cloud is unreachable via BGP and External EIGRP therefore stops working, the ANIRA router takes up the primary role. But there are sites that have two default routes running: one for ANIRA with the higher distance value and another default route pointing to the CE router inside interface with the default distance value of “one”.
So when the primary MPLS and BGP go down and External EIGRP stops advertising external routes inside the LAN, the default static route with default distance value “one” takes over and tries to reach the CE router inside interface, and the packet gets dropped, because the MPLS link is down and the packet has no way to reach the next hop or destination. Thus the ANIRA router never takes over. So we need to manually remove the default static route pointing to the CE router inside interface with default distance value “one” from the Core switch.
To avoid this, we can advertise the default route using EIGRP instead of a default static route, because the default static route distance value is greater than Internal EIGRP, which is “90”.
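As an added illustration (not from the SOP), the Python model below compares the two default-route designs described above by administrative distance: a static default (distance 1) to the CE inside interface plus a floating static (distance 250) to ANIRA, against an EIGRP-learned default (distance 90) plus the same floating static. The next-hop addresses are constructed placeholders, not addresses from this document.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed next hops for the model (documentation range, not Colliers addresses).
CE_INSIDE = "192.0.2.1"    # CE router inside interface; only useful while MPLS is up
ANIRA = "192.0.2.2"        # ANIRA failover router


@dataclass(frozen=True)
class DefaultRoute:
    next_hop: str
    source: str      # "static", or "eigrp" for the D* default learned from the CE router
    distance: int    # administrative distance: static 1, internal EIGRP 90, floating static 250


def candidate_routes(design: List[DefaultRoute], mpls_up: bool) -> List[DefaultRoute]:
    """Default routes still present in the routing table.
    A static route stays installed as long as its next-hop interface is up, and the
    CE inside VLAN stays up even when the MPLS circuit is down; the EIGRP-learned
    default is withdrawn as soon as the CE router stops advertising it."""
    return [r for r in design if r.source == "static" or mpls_up]


def best_route(candidates: List[DefaultRoute]) -> Optional[DefaultRoute]:
    """Among candidates for the same prefix the lowest administrative distance wins."""
    return min(candidates, key=lambda r: r.distance, default=None)


def forwarding_outcome(design: List[DefaultRoute], mpls_up: bool) -> str:
    """Where a packet for an unknown destination ends up under a given design."""
    route = best_route(candidate_routes(design, mpls_up))
    if route is None:
        return "no-default-route"
    if route.next_hop == ANIRA:
        return "via-anira"
    # Next hop is the CE inside interface: the packet only gets somewhere while MPLS is up.
    return "via-mpls" if mpls_up else "blackhole"


# Design 1, the problem case in the text: static default to the CE router (distance 1)
# alongside the ANIRA floating static (distance 250).
STATIC_DEFAULT_DESIGN = [
    DefaultRoute(CE_INSIDE, "static", 1),
    DefaultRoute(ANIRA, "static", 250),
]

# Design 2, the fix in the text: default learned from the CE router via EIGRP (D*, distance 90)
# alongside the same ANIRA floating static.
EIGRP_DEFAULT_DESIGN = [
    DefaultRoute(CE_INSIDE, "eigrp", 90),
    DefaultRoute(ANIRA, "static", 250),
]

if __name__ == "__main__":
    for name, design in (("static default", STATIC_DEFAULT_DESIGN),
                         ("EIGRP default", EIGRP_DEFAULT_DESIGN)):
        for up in (True, False):
            state = "up  " if up else "down"
            print(f"{name:14s} MPLS {state} -> {forwarding_outcome(design, up)}")
```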
9. Tell the CE router that anything it does not know should be sent to the PE router, using the command
ip default-network 10.254.x.0
10. How do we reach this default network? In order to reach the default network we use the following command.
ip route 10.254.x.0 255.255.255.0 10.254.x.x
11. The above command says that all packets destined for 10.254.x.0 will be sent to the PE router inside interface 10.254.x.x.
13. You will see EIGRP routes marked as “D”, while default routes advertised using EIGRP will be marked as “D*” and the gateway of last resort will be set to the “PE router inside interface”.
14. Now we will be able to reach any network in the MPLS cloud through the CE router, but we will not be able to reach any network in the MPLS cloud through the Core switch. So we need to advertise the default network inside EIGRP using the following commands on the CE router.
router eigrp 10
network 10.254.x.0
15. Now if we check the routing table inside the Core switch using the command “show ip route”, we will see the default route marked as “D*”. This means anything that the Core switch does not know, it has to reach via the 10.254.x.0 network, and to reach 10.254.x.0 it has to reach the CE router inside interface.
16. Now the Core switch will also be able to reach any network in the MPLS cloud.
17. This process helps to reduce the manual configuration of default static routes inside the LAN.
BGP:
2. Colliers uses the BGP routing protocol on the CE router to form a neighbor relationship with its PE router using the command “neighbor 10.254.140.42 remote-as 13979”.
3. BGP running on the CE router learns all the routes coming from different sites via the MPLS cloud. This can be verified using the command “show ip route” or “show ip route bgp”.
4. BGP in the Colliers network is configured and running on the default attribute called Autonomous System path (AS path).
8. If the site is a Cisco LAN environment, then the internal LAN connectivity VLAN between the CE router and the Core switch is advertised by the CE router to the PE router using the BGP network command “network 10.252.140.72 mask 255.255.255.248”.
9. BGP learns the rest of the internal LAN subnets from the internal LAN routing protocol (EIGRP) using the redistribute command “redistribute eigrp 10”, and the CE router then advertises them to its neighbor PE router.
10. If the site is a Non-Cisco LAN environment, then the internal LAN connectivity and LAN subnets are directly advertised by BGP on the CE router to its neighbor PE router using the BGP network command “network 10.252.140.72 mask 255.255.255.248”.
11. BGP also advertises the CE router Loopback interface using the network command “network 10.255.194.17 mask 255.255.255.255”.
12. The PE router then propagates all these routes learned from the CE router to all its neighbors in the MPLS cloud; thus each and every router in the Colliers MPLS cloud populates its routing table with all the sites' routes.
13. There are also sites where we have static routes configured in the CE router and we are redistributing those static routes into BGP using “route-maps and prefix-lists” after filtering the static routes. This is explained in the earlier section of this document. The same is also applied while filtering EIGRP routes into BGP.
14. The return traffic uses BGP from the MPLS cloud to reach the site CE router, and then these routes are redistributed into EIGRP to forward the traffic to the internal LAN subnets, using the redistribute command inside EIGRP on the CE router:
router eigrp 10
network 10.252.140.0 0.0.0.255
redistribute bgp 65263 metric 100000 1 255 255 1500
Scope: This SOP is used for SNMP configuration on Router & Switch.
Roles: User, Requestor, IT support team.
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
AD credentials.
Router & Switch details.
SNMP string, SNMP server details.
Inputs: Service Desk ticket raised and assigned to the Network WAN and Internet Support team.
We need to configure RADIUS on the Routers and Layer 3 Switches. This lets us log in to the device with AD credentials.
aaa new-model
!
!
aaa authentication login vtylogin group radius local-case
aaa authorization exec vtylogin group radius local
aaa accounting exec vtylogin start-stop group radius
line vty 0 15
exec-timeout 0 0
login authentication vtylogin
authorization exec vtylogin
Radius Configuration –
radius-server timeout 15
radius-server directed-request
logging userinfo
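As an added check (not part of the SOP), this Python script audits a running-config for the RADIUS login setup shown above: `aaa new-model` present and every vty line bound to a login list that uses `group radius`. It also flags `exec-timeout 0 0`, which disables the idle timeout on admin sessions, and the absence of a `transport input` restriction. The first embedded config is a copy of the SOP's sample with IOS-style indentation added; the second is a constructed counter-example.

```python
import re
from typing import List, Set, Tuple

# Copy of the SOP's AAA/vty sample above, with the one-space indentation IOS uses for
# lines that belong to a block (the 'line vty' children).
SOP_CONFIG = """\
aaa new-model
!
aaa authentication login vtylogin group radius local-case
aaa authorization exec vtylogin group radius local
aaa accounting exec vtylogin start-stop group radius
line vty 0 15
 exec-timeout 0 0
 login authentication vtylogin
 authorization exec vtylogin
"""

# Constructed counter-example: local passwords only, no AAA list bound to the vty lines.
LOCAL_ONLY_CONFIG = """\
line vty 0 4
 exec-timeout 10 0
 login local
 transport input ssh
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split an IOS config into (top-level line, [indented child lines]) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def radius_login_lists(top_level: List[str]) -> Set[str]:
    """Names of 'aaa authentication login' lists whose method list includes RADIUS."""
    lists = set()
    for line in top_level:
        m = re.match(r"aaa authentication login (\S+) (.+)$", line)
        if m and "group radius" in m.group(2):
            lists.add(m.group(1))
    return lists


def audit_vty_aaa(config: str) -> List[str]:
    """Return findings for remote-login (vty) settings; an empty list means no findings."""
    blocks = parse_blocks(config)
    top_level = [parent for parent, _ in blocks]
    findings = []
    if "aaa new-model" not in top_level:
        findings.append("aaa new-model missing: AAA method lists are not in effect")
    radius_lists = radius_login_lists(top_level)
    for parent, children in blocks:
        if not parent.startswith("line vty"):
            continue
        bound = [c.split()[-1] for c in children if c.startswith("login authentication ")]
        if not bound:
            findings.append(f"{parent}: no 'login authentication' list, AD/RADIUS login not enforced")
        elif bound[0] not in radius_lists:
            findings.append(f"{parent}: list '{bound[0]}' does not use 'group radius'")
        if any(re.fullmatch(r"exec-timeout 0( 0)?", c) for c in children):
            findings.append(f"{parent}: 'exec-timeout 0 0' disables the idle timeout on admin sessions")
        if not any(c.startswith("transport input") for c in children):
            findings.append(f"{parent}: no 'transport input' line, remote-login protocol not restricted")
    return findings


if __name__ == "__main__":
    for label, cfg in (("SOP sample", SOP_CONFIG), ("local-only sample", LOCAL_ONLY_CONFIG)):
        print(label)
        for finding in audit_vty_aaa(cfg) or ["no findings"]:
            print("  -", finding)
```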
SNMP –
Netflow -
ip flow-export version 9
NTP –
Roles: User, Requestor, IT support team.
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
AD credentials.
Router details.
Inputs: Service Desk ticket raised and assigned to the Network WAN and Internet Support team.
Step 1:
We need to confirm that the BGP neighbor relationship is successfully formed between the CE and PE routers, using the command:
Note 1: This is a sample output from the Pune MPLS router; the above Neighbor IP address, AS number and other values will differ from region to region and location to location.
1. What we have to see here is that the above “State” should NOT be “Idle / Active”; it should always be a numeric value. In the above case it is 665.
2. The State/prefix 665 means the neighbor relationship is established successfully between the CE and PE routers.
3. If state/prefix is “Active”, BGP considers it a bad state, as the CE router is actively trying to form a neighbor relationship with its neighbor PE router. In reality it means trying but not succeeding.
4. If state/prefix is “Idle”, BGP considers it a down state, where the CE router has totally failed to form a neighbor relationship with its neighbor PE router.
5. We need to understand that BGP takes 60 seconds to establish a neighbor relationship, because it is a slow routing protocol.
6. So if there is any issue in forming the neighbor relationship, the CE router state/prefix will keep changing from “Idle” to “Active”.
7. The BGP router will wait for 180 seconds (3 keepalive messages) before declaring the neighbor dead.
8. The BGP router uses 30 seconds to send updates to its neighbor whenever changes occur in BGP.
9. BGP uses 60 seconds to scan the network and learn the network.
10. In the above case 665 is the prefix count, which says the neighbor relationship is established; this can also be confirmed using the command
show ip bgp neighbors
This command will display the state as “Established” in clear text.
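As an added example (not part of the SOP), the Python script below reads the State/PfxRcd column of a show ip bgp summary output and applies the reading given above: a numeric value means Established, Active means trying but not succeeding, Idle means down. The output text is constructed for the example, not captured from the Pune router; only the PE address 10.254.220.62 and AS 13979 are values quoted elsewhere in this document.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the column layout of "show ip bgp summary" (not real router output).
# 10.254.220.62 / AS 13979 are the PE address and AS quoted in this document; the counters
# and the other three peers are made up to show each state the SOP describes.
SAMPLE_BGP_SUMMARY = """\
BGP router identifier 10.255.194.17, local AS number 65263
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
10.254.220.62   4        13979  123456  123400   987654    0    0 5d02h         665
10.254.140.42   4        13979       0       0        1    0    0 never    Active
10.254.160.46   4        13979       0       0        1    0    0 never    Idle
10.254.160.50   4        13979       0       0        1    0    0 never    Idle (Admin)
"""

# Columns: Neighbor, V, AS, MsgRcvd, MsgSent, TblVer, InQ, OutQ, Up/Down, State/PfxRcd
NEIGHBOR_RE = re.compile(
    r"^(?P<addr>\d{1,3}(?:\.\d{1,3}){3})\s+\d+\s+(?P<asn>\d+)"
    r"(?:\s+\d+){5}\s+(?P<updown>\S+)\s+(?P<state>\S.*?)\s*$"
)


@dataclass
class Neighbor:
    address: str
    remote_as: int
    up_down: str
    state: str                 # "Established", "Active", "Idle", ... as the SOP reads it
    prefixes: Optional[int]    # PfxRcd when established, otherwise None


def parse_bgp_summary(text: str) -> List[Neighbor]:
    """Extract one Neighbor per peer line; banner and header lines are skipped."""
    neighbors = []
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if not m:
            continue
        raw = m.group("state")
        if raw.isdigit():
            # A number in State/PfxRcd is the prefix count: the session is Established.
            neighbors.append(Neighbor(m["addr"], int(m["asn"]), m["updown"], "Established", int(raw)))
        else:
            # Otherwise the column holds the FSM state, e.g. "Active" or "Idle (Admin)".
            neighbors.append(Neighbor(m["addr"], int(m["asn"]), m["updown"], raw.split()[0], None))
    return neighbors


def assess(n: Neighbor):
    """Return (healthy, message) following the SOP's interpretation of the state."""
    if n.state == "Established":
        return True, f"{n.address}: established, {n.prefixes} prefixes received"
    if n.state == "Active":
        return False, (f"{n.address}: Active, the CE is trying to open the session but not "
                       "succeeding; check reachability and TCP 179 with 'show tcp brief all'")
    if n.state == "Idle":
        return False, f"{n.address}: Idle, session down; check the neighbor/remote-as configuration"
    return False, f"{n.address}: {n.state}, transient state; re-check after 60 seconds"


def unhealthy_peers(text: str) -> List[str]:
    """Addresses of peers that are not Established, for the ticket update."""
    return [n.address for n in parse_bgp_summary(text) if not assess(n)[0]]


if __name__ == "__main__":
    for neighbor in parse_bgp_summary(SAMPLE_BGP_SUMMARY):
        print(assess(neighbor)[1])
```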
Step 2:
Once you see that the neighbor relationship is established, you need to confirm whether updates are being received from the PE router.
This can be confirmed using the command:
show tcp brief all
11. In the above output, TCB means the session number. Local address means your CE router IP address and port number (in our case the CE router). Foreign address means the PE router IP address and global port number.
13. Session 1 (63FC9B78) says the BGP neighbor relationship is established between the CE and PE router on your local CE router at TCP port 179.
14. Session 2 (64116024) says BGP on the CE router is listening or waiting to receive updates from its PE router (10.254.220.62).
15. This indicates that your BGP neighbor relationship is formed and it is listening to receive updates.
Step 3:
If the above steps fail, clear the BGP neighbor relationship. Do this whenever you make any changes in the BGP protocol, such as configuring BGP, advertising networks or forming a neighbor relationship. The command is
clear ip bgp *
16. This clear command will clear the BGP neighbor relationship, reset the BGP process and establish a fresh neighbor relationship.
Step 4:
After the BGP neighbor relationship is formed, check the routing table to see whether you are receiving the updates from the PE router, using the command
show ip bgp
17. In the above output, “*” (asterisk) means a valid route and “>” means the best route.
18. If we do not see the “>” sign, the router has learned the routes (“*” sign) but not believed them.
19. If you see the “>” sign, the routing table will automatically be updated, as BGP will send the best routes to the routing table; this can be checked using the command
show ip route
Step 5:
Step 6:
If you still fail to establish the BGP neighbor relationship, or you are not receiving any BGP updates, run the debug command below.
Introduction:
This document covers the Colliers Firewall architecture and its explanation, and also tries to cover as much as possible about the Colliers Firewall architecture, its functionality and its end-to-end communication.
This document explains the architecture using sample configuration examples picked from the production devices, in order to make the explanation easier and better to understand for any new team member.
Design:
Colliers Firewall support covers firewalls in North America sites connecting to the Internet and VPN connections. The updated connectivity LAN diagrams for the available locations are uploaded in SharePoint. Colliers infrastructure includes Checkpoint, Palo Alto and ASA firewalls.
The Colliers network has the largest number of Checkpoint firewalls deployed, at US and Canada offices. Palo Alto firewalls are placed in the Toronto IDC. There are a few ASA firewalls installed in Chicago remote offices and Mexico locations.
There are also NA sites where internet traffic goes out via a Network Based Firewall. The Network Based Firewall is deployed in the MPLS cloud and managed by AT&T. If any access needs to be enabled on the NBFW, a request needs to be raised with AT&T. You can find the procedure to raise a request with the vendor at the end of this document.
Checkpoint firewalls in the Colliers network are deployed in a distributed architecture. The Checkpoint firewall architecture consists of the following components.
1. Smart console :
It is a set of GUI applications that allows security administrators to configure and manage the global
security policy for the entire organization. There are quite a few clients available in the smart console,
each for a different purpose. Of all those clients the main client application used is called
SmartDashboard , which is used to configure the security policy of the network. SmartDashboard
connects to the Security Management Server which houses the actual security policy database of rules
and objects.
Ex. SmartDashboard screen from which you can create firewall policy, push policy to the firewall gateway, and create firewall and network objects.
The Security Management Server contains the global security policy for an organization. This policy is
defined using the SmartDashboard—however, the policy is actually saved on the Security Management
Server. It contains the following databases: Object database, User database, Security rules and Log
database. The Security Management Server interacts with the Security Gateways by uploading security
rule sets specific to the Security Gateway and by receiving logging information from the Security
Gateways.
The Colliers Checkpoint infrastructure includes two management servers which are in active/passive mode. One is placed in the Toronto IDC (Primary) and the other in the Amsterdam IDC (Secondary).
With the pre-assumption that the new firewall is connected to the internet and the LAN network and has
also been added to Checkpoint management with SIC, the standard rules below need to be enabled on the firewall.
2) Blocked IP rule:
This rule blocks IP addresses identified as blacklisted IPs (unauthorized sources). If any IP
needs to be blocked on the Colliers network, it needs to be added to the "Blocked-IPs" group and the policy
needs to be pushed to all firewalls.
3) SNMP rule:
This rule enables access to the firewall for SNMP monitoring. It allows the firewall to
communicate with the NetQoS server.
4) Stealth rule:
The firewall stealth rule is the explicit rule near the top of the policy denying access to the
firewall beyond what is required to manage the device.
5) Cleanup rule:
The firewall cleanup rule is the explicit rule at the bottom of a firewall policy.
The cleanup rule is required to drop all traffic that did not match any of the other rules.
6) Browsing rule:
The browsing rule is required for the office LAN network to browse the internet. This rule includes the set of ports
which Colliers agreed to enable over the internet.
7) VSP traffic:
If the site has a VSP server, this rule needs to be configured to allow the VSP server to reach the
Twinstrata cloud IPs.
3. Security Gateway:
Security Gateways are nothing but the 'firewalls' you have always known. They are installed/located
where the security rules must be applied. So, the security rules are created using SmartDashboard,
saved on the Security Management Server and pushed to the intended Security Gateway.
Scope: This SOP is used for implementing the Checkpoint firewall gateway model 1180.
This SOP is not to be used for implementing firewalls other than Checkpoint, or
Checkpoint models other than the 1180.
This SOP is not to be used for implementing the Checkpoint Security Management
Server.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Issue has been analyzed.
Necessary approvals have been taken.
Smart Dashboard login credentials.
Checkpoint Firewall 1180 box.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
6) Set the time and date manually; NTP will be configured during integration.
7) Enter the device name in the next screen. Replace Bucharest with the appropriate office but keep the
corp-eu-xxxxx-fw01 syntax.
Press Next.
10) Enter the LAN IP address, disable DHCP and press Next.
16) You can confirm the network settings by reviewing them on the Device tab:
17) Any additional internal networks can be added on the Routing page:
18) This completes the initial configuration. Once completed, please contact firewall.support@colliers.co
to arrange a time for activation.
Scope: This SOP is used for implementing the Checkpoint firewall gateway model 4000
series.
This SOP is not to be used for implementing firewalls other than Checkpoint, or
Checkpoint models other than the 4000 series.
This SOP is not to be used for implementing the Checkpoint Security Management
Server.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Issue has been analyzed.
Necessary approvals have been taken.
Smart Dashboard login credentials.
Checkpoint Firewall 4400 box.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
The Checkpoint 4200 appliance has a different GUI. Once you have access to the firewall using the GUI, first you need
to assign IP addresses to the interfaces. Go to Network Interfaces -> click on the interface to which you wish to assign an
IP address -> Edit.
Enable the interface and assign the IP address:
Add route:
Go to Static Routes -> Add.
Colliers Checkpoint firewalls usually have a default route towards the ISP gateway. You also need to add routes to
the IP subnets on the LAN network.
Scope: This SOP is used to create a new Checkpoint firewall gateway object in Smart
Dashboard.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
Login credentials for Smart Dashboard.
Firewall IP address and hostname.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
11) Provide the one-time password; it must be the same one you used on the firewall.
12) Click Initialize.
13) Trust is created between the Security Gateway and the SMS.
14) Click on the Topology tab, then click Get > Interfaces with Topology.
15) Click on Accept.
16) Click on Install Policy.
VPN configuration:
Scope: This SOP is used for implementing a site-to-site VPN configuration between
Checkpoint gateways.
This SOP is not to be used for implementing a site-to-site VPN configuration
on firewalls other than Checkpoint.
This SOP is not to be used for implementing Remote Access VPN on a
Checkpoint firewall.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Issue has been analyzed.
Necessary approvals have been taken.
Phase 1 and Phase 2 parameters, pre-shared key, local and remote network
details.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
1. The first and foremost point to remember is that you must have reachability between both
peers. Verify that the peer IP is correct and reachable.
2. Log in to SmartDashboard and go to the VPN tab as shown in the diagram:
3. Select the Site-to-Site VPN type as per your requirement:
Meshed: A mesh is a VPN community in which a VPN site can create a VPN tunnel with any other VPN site in the
community.
Star: A star is a VPN community consisting of central Security Gateways (or "hubs") and satellite Security Gateways
(or "spokes"). In this type of community, a satellite can create a tunnel only with sites whose Security Gateways
are defined as central.
4. As you select the type, you will see the setup. Give the name and colour of the site as per
requirement:
5. 2nd tab, Participating Gateways: add the gateways which will be part of the VPN
community. Click on Add and select the appropriate gateway.
6. 3rd tab, Encryption: define the encryption parameters such as encryption, integrity
and IPsec parameters.
7. Select "Custom Encryption..." and define the parameters as required.
Here you define the shared secret, which must be the same on both peers.
NOTE: 1. If the Checkpoint gateways belong to the same management server, there is no need to
specify the secret key; the peer's secret will be based on the ICA certificate.
2. If the peer is an interoperable device (3rd party like Cisco ASA, etc.) or the Checkpoint
gateway is managed externally, then the shared secret must be specified.
11. Now we need to define the traffic which will pass through the tunnel. For this, open the
firewall gateway object (at present our gateway is "corp-eu-amstidc-fw01").
Click "OK".
12. Create a VPN rule and reference the VPN community in the VPN column:
13. Complete the configuration on the peer end as well. Then save and push the policy to the respective
gateway:
14. Open Smart View Tracker and check the logs for the VPN community; the traffic should be shown as encrypted, as
in the snapshot below:
Backups:
Scope: This SOP is used for taking a backup and restoring the configuration of a
Checkpoint firewall.
This SOP is not to be used for backup and restoration of the configuration
of firewalls other than Checkpoint.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Issue has been analyzed.
Necessary approvals have been taken.
Firewall access.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
Scope: This SOP is used for taking a backup and restoring the configuration of a
Checkpoint firewall in clish mode.
This SOP is not to be used for backup and restoration of the configuration
of firewalls other than Checkpoint.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Issue has been analyzed.
Necessary approvals have been taken.
Firewall access.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
Commands:
Example:
Notes:
Scope: This SOP is used for applying a hotfix on Checkpoint firewall 4400 series
models.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Issue has been analyzed.
Necessary approvals have been taken.
Firewall access.
WinSCP software.
Hotfix which needs to be installed on the firewall.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
5. Once connected to the Checkpoint via WinSCP, create a folder (e.g. Hotfix) under the /var directory.
Firewall# md5sum sim_HOTFIX_GYPSY_HF_BASE_126.tgz
Firewall# ./extracted_filename
Firewall# ./UnixInstallScript
(example: sim_HOTFIX_GYPSY_HF_BASE_126_990126001_1)
Scope: This SOP is used for upgrading the firmware on Checkpoint firewall 1100 series models.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
Firewall access.
Firmware image.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
8) The appliance will now install the upgrade and reboot when finished.
9) The login screen will appear after the upgrade has finished.
Scope: This SOP is used for upgrading the Checkpoint Management Server.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Issue has been analyzed.
Necessary approvals have been taken.
Checkpoint Management Server access.
Checkpoint Support Center access.
WinSCP software.
Hotfix which needs to be installed on the management server.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
Requirements:
Make sure there is enough free disk space to do the upgrade.
Check the space available for images in the Maintenance > Image Management page.
Using the CLI: in expert mode, run the df -h command and check the available
space in /var/log.
1. Download the Gaia ISO image from the Check Point Support Center:
Check_Point_Install_and_Upgrade_R76.Gaia.iso
2. Burn the ISO file to a DVD.
3. Connect an external DVD drive to a USB socket on the appliance or computer.
4. Run: upgrade cd
5. You are asked if you want to save a snapshot of the system before the upgrade. It is
always recommended to save a snapshot first.
6. The pre-upgrade verifier runs. The output is stored in a text file
at /tmp/pre_upgrade_out.txt.
7. If you see the error "Pre-upgrade verification failed", we recommend that you
review the file, fix the problems, and restart the upgrade. Do not take another system
snapshot.
8. You are asked if you want to start the upgrade. Select Yes.
The upgrade takes place.
9. After the upgrade, before rebooting, remove the DVD from the drive.
10. Type OK to reboot.
This SOP is not to be used for changing the IP address of other interfaces on a
Checkpoint firewall.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Issue has been analyzed.
Necessary approvals have been taken.
Access login credentials for the Checkpoint firewall and Smart Dashboard.
ISP IP address.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
4) Click on the Edit button and fill in the IP address, subnet mask and default gateway as provided by the ISP.
5) Click on Apply.
6) The default route will be added automatically under the Routing option.
7) Now you need to re-establish SIC between the Security Gateway and the Management Server. Under the Home
tab click on Security Management, then click Setup.
8) Click on Next.
9) The system will prompt you to set a One Time Password (SIC).
10) Click Next.
11) Write your SMS server IP in the Management IP field and click on Connect.
12) Click Finish.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
Smart Dashboard login credentials.
Firewall object should be created in Smart Dashboard for use in the firewall
rule base.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
4) Click OK.
5) The New Policy Package screen appears. Type the name of the package.
6) Create the standard firewall rules as per below.
7) Click on the Save button.
This SOP is not to be used for SNMP configuration on other devices.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
Checkpoint firewall and SMS login credentials.
SNMP server IP and community details.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
Firewall access.
Smart Dashboard access.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
Smart View Tracker is one of the most useful tools in the Checkpoint console bundle; it provides a very
practical way to find the relevant communication in the current logs.
Smart View Tracker's filtering mechanism allows you to conveniently focus on log data of
interest and hide other data by defining the appropriate criteria per log field. Once you have
applied the filtering criteria, only entries matching the selected criteria are displayed.
The filtering options available are a function of the log field in question. For example, while
the Date field is filtered to show data that is after, before or in the range of the specified date,
the Source, Destination and Origin fields are filtered to match (or differ from) the specified
machines.
Smart View Tracker records the Firewall Rule Base rule to which a connection was
matched.
The matching rule and related details are recorded in the following Smart View Tracker columns (Entry: Description):
Interface: The interface on which the packet being logged came in or went out (with direction), or "daemon" if the message came from a FireWall-1 daemon (e.g. the security servers, fwm).
Type: Log (normal rulebase logging), Alert (for alert log entries), or Control (changes to policy or logging on a firewall).
Action: The action taken on the packet (Drop, Reject, Accept, and so on).
Service: The service of the packet (HTTP, Telnet, and so on), which is usually based on the destination TCP/UDP port.
Proto: The protocol of the IP packet (TCP, UDP, ICMP, and so on).
Rule No.: The rule number that this connection or packet matched in the rulebase.
NAT rule num.: The NAT rule number that this connection or packet matched in the rulebase.
Nat add. rule num.: The number of an additional NAT rule if one was applied.
Source Port: The source port of the packet if TCP or UDP. For other protocols, this field is not meaningful.
User: The appropriate username if the action was an authorization or deauthorization or was the result of an authenticated connection (with or without encryption).
Elapsed: The amount of time the connection was active (Accounting mode only).
Bytes: The number of bytes for the connection in question (Accounting mode only).
XlateSrc: The source IP address the connection will have after NAT is applied.
XlateDst: The destination IP address the connection will have after NAT is applied.
XlateSPort: The source port the connection will have after NAT is applied.
XlateDport: The destination port the connection will have after NAT is applied.
Partner: The name of the partner site making a connection if an extranet is defined.
Community: The name of the community to which this log entry relates if a VPN Community is used.
Enc Scheme: The encryption scheme used for this connection (usually IKE, but may be others if managing FireWall-1 4.1 boxes).
VPN Peer Gateway: The gateway that sent or received the encrypted packet.
Encryption Methods: Lists all the encryption methods used for both encryption and data integrity.
Info: More information about this log entry. For most packets or connections, it will simply show "len X", where X is the number of bytes in the packet. This entry also shows useful information on encrypt/decrypt log entries and on drops or rejects on Rule 0.
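As an added example (not part of the SOP and not Check Point code), the block below applies the Tracker-style filters described above, date after/before/in range and match-or-differ on a field, to a few constructed log records that use the column names from the table, and picks out drops logged against Rule 0. The "Field: value;" record layout and all values are constructed for the example.

```python
"""Added example: filtering constructed Check Point log records by the Smart
View Tracker fields listed above. Records and their layout are constructed."""
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Constructed sample records in "Field: value;" form; not real Colliers logs.
# The table's "Rule No." column appears here under the key "Rule".
SAMPLE_LOG = """\
Date: 12Jan2015; Time: 10:15:32; Interface: eth0; Origin: corp-eu-amstidc-fw01; Type: Log; Action: accept; Service: http; Proto: tcp; Rule: 6; Source: 10.10.4.2; Destination: 93.184.216.34; Source Port: 51234; XlateSrc: 203.0.113.1; XlateSPort: 40001;
Date: 12Jan2015; Time: 10:16:01; Interface: eth0; Origin: corp-eu-amstidc-fw01; Type: Log; Action: drop; Service: ssh; Proto: tcp; Rule: 4; Source: 10.10.4.2; Destination: 10.10.0.1; Source Port: 51300;
Date: 13Jan2015; Time: 08:02:10; Interface: eth1; Origin: corp-eu-amstidc-fw01; Type: Log; Action: drop; Service: http; Proto: tcp; Rule: 0; Source: 198.51.100.7; Destination: 203.0.113.1; Source Port: 6000; Info: len 60;
Date: 13Jan2015; Time: 09:30:45; Interface: daemon; Origin: corp-eu-amstidc-fw01; Type: Control; Action: ctl; Info: Policy installed;
"""

LogEntry = Dict[str, str]
DATE_FMT = "%d%b%Y"          # Tracker-style date such as 12Jan2015


def parse_log(text: str) -> List[LogEntry]:
    """Turn each non-empty 'Field: value; ...' line into a dict."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = {}
        for item in line.split(";"):
            if ":" in item:
                key, value = item.split(":", 1)   # Time values contain colons too
                entry[key.strip()] = value.strip()
        entries.append(entry)
    return entries


def _date(entry: LogEntry) -> datetime:
    return datetime.strptime(entry["Date"], DATE_FMT)


def filter_entries(entries: Iterable[LogEntry],
                   after: Optional[str] = None,
                   before: Optional[str] = None,
                   match: Optional[Dict[str, set]] = None,
                   differ: Optional[Dict[str, set]] = None) -> List[LogEntry]:
    """Keep entries whose Date is on/after `after` and on/before `before`,
    whose fields in `match` hold one of the listed values, and whose fields
    in `differ` hold none of them (Tracker's match / differ per field)."""
    lo = datetime.strptime(after, DATE_FMT) if after else None
    hi = datetime.strptime(before, DATE_FMT) if before else None
    kept = []
    for e in entries:
        if (lo and _date(e) < lo) or (hi and _date(e) > hi):
            continue
        if match and any(e.get(f) not in vals for f, vals in match.items()):
            continue
        if differ and any(e.get(f) in vals for f, vals in differ.items()):
            continue
        kept.append(e)
    return kept


def rule_zero_drops(entries: Iterable[LogEntry]) -> List[LogEntry]:
    """Drops or rejects logged against Rule 0 did not come from a numbered
    rule, so the Info column rather than Rule No. explains them."""
    return [e for e in entries
            if e.get("Rule") == "0" and e.get("Action") in ("drop", "reject")]


if __name__ == "__main__":
    logs = parse_log(SAMPLE_LOG)
    for e in filter_entries(logs, after="13Jan2015", differ={"Type": {"Control"}}):
        print(e["Date"], e["Action"], e.get("Source"), "->", e.get("Destination"), "rule", e.get("Rule"))
    print("rule 0 drops:", [e["Source"] for e in rule_zero_drops(logs)])
```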
Smart View Monitor is a tool which helps to verify whether specific traffic has been
allowed or blocked by the pre-defined rules on the respective Security Gateway in SmartDashboard, but
in certain cases the traffic logs may not be shown in Tracker. In that case we can
check directly on the Security Gateways with the help of the following commands:
1> TCPDUMP
2> FW MONITOR
TCPDUMP:
A common step in troubleshooting is finding out what not to troubleshoot. With a packet
capture you can confirm things such as routing, firewall rules, and remote services.
tcpdump is a powerful debugging tool on Checkpoint. It feeds the packets crossing an interface directly to the
screen; if dumped to a file, the capture can be read by
Wireshark. You need to be in expert mode to invoke tcpdump.
Eg:
tcpdump -nni <interface> host <ip>
tcpdump -w <file>.cap -s 1514 -nni <interface> host <src> and host <dst> !! captures entire packet into file
tcpdump -nni <interface> host <ip> & !! & symbol puts capture in the background
tcpdump -nni <interface> \(host <ip> or host <ip>\) and \(host <ip> or host <ip>\)
FW MONITOR:
Check Point's fw monitor is a powerful built-in tool to assist with inspecting and capturing network traffic at
the packet level. The fw monitor utility captures network packets at multiple capture points along the
VPN-1/FireWall-1 inspection chain. These packets can be inspected using either Wireshark or Check Point's
CPethereal.
There are four inspection points along the passage of a packet through a firewall:
Before starting the capture, turn off SecureXL on the gateway:
fwaccel off
Immediately after the capture, turn SecureXL back on on the gateway:
fwaccel on
Routing issues:
Sometimes, after all troubleshooting steps are done, we are still not able to diagnose why the communication
is not happening. Then the issue is probably routing: the traffic is not able to reach the defined destination, or the
return traffic is not able to come back.
e.g. Consider a scenario of ICMP traffic between a Security Gateway and the Security
Management Server. If the communication fails and the security policy allows ICMP, then it is most
likely a routing issue on the Security Gateway. Check the routing table on the Security Gateway: there
has to be a route to the Security Management Server's network / IP address; add one if required.
Command:
netstat -rn
Service-related issues:
All the above troubleshooting tools and steps are correlated with each other when trying to
troubleshoot an issue.
When we get an issue that a particular service is not working, even though the access has
already been provided on the required firewall, first of all we apply a filter in Smart View Tracker and track the
specific traffic which is having the issue. As mentioned in the Smart View Tracker section, we can verify whether the
respective traffic is allowed or dropped and troubleshoot accordingly.
This means we can determine any access with the help of the logs in Smart View Tracker and act accordingly:
allow the access by adding a new rule in the rulebase of the Security Gateway and install the policy on the
gateway(s). Typical required services are RDP, HTTP, HTTPS, DNS, DHCP, FTP, etc.
Scope: This SOP is used for troubleshooting various issues on Checkpoint firewalls.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
Firewall access.
Smart Dashboard access.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
There are some basic keywords to monitor / check the CPU utilization of any particular
gateway.
Key words:
--- load
--- softirq
--- interrupts
Commands:
We can sort the details as per our requirement, e.g. by CPU usage as shown in the
screenshot below (Ctrl M).
Look at the amount of "CPU", "MEM", "VSZ", "RSS" and "TIME" consumed by the daemons.
Problems with memory on the Security Gateway
There are some keywords we need to keep in mind while checking / monitoring gateways for memory
usage.
Key words:
--- memory
--- swap
Commands:
No single field indicates a problem; all counters need to be interpreted together.
(C) fw tab -t connections -s
Displays a summary of the Connections Table.
Collect the output several times to see how fast the #VALS counter changes.
Compare the #PEAK counter to the limit of the Connections Table (fw tab -t connections | head -n 3
| grep limit).
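The comparison described above, as an added example (not part of the SOP and not Check Point tooling): it reads a series of `fw tab -t connections -s` summaries and the table's header line, and reports how fast #VALS grows and how close #PEAK is to the limit. The sample output, the column layout, the sampling interval and the 80% warning threshold are all assumptions made for the example.

```python
"""Added example: interpret `fw tab -t connections -s` samples and the
connections table limit. Sample output, column layout and thresholds are
constructed assumptions, not Check Point defaults."""
import re
from typing import Dict, List

# Two constructed summaries, assumed to be taken 60 seconds apart
SUMMARY_SAMPLES = [
    """HOST                  NAME                               ID  #VALS  #PEAK  #SLINKS
localhost             connections                      8158   4120  23500     8240
""",
    """HOST                  NAME                               ID  #VALS  #PEAK  #SLINKS
localhost             connections                      8158   9810  23500    19620
""",
]
SAMPLE_INTERVAL_S = 60

# Constructed first lines of `fw tab -t connections`; the attribute line carries "limit N"
TABLE_HEADER = """localhost:
-------- connections --------
dynamic, id 8158, num of attributes: 6, limit 25000, hashsize 32768, kbuf 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30, expires 25, refresh, sync, aggressive aging enabled
"""

NEAR_LIMIT_PCT = 80.0   # assumed warning threshold for #PEAK against the limit


def parse_summary(text: str) -> Dict[str, int]:
    """Pick the 'connections' row and return its #VALS, #PEAK and #SLINKS."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 6 and cols[1] == "connections":
            return {"vals": int(cols[3]), "peak": int(cols[4]), "slinks": int(cols[5])}
    raise ValueError("no 'connections' row in fw tab summary")


def parse_limit(header: str) -> int:
    """Extract 'limit N' from the table attribute line."""
    m = re.search(r"\blimit (\d+)", header)
    if not m:
        raise ValueError("connections table limit not found")
    return int(m.group(1))


def assess(samples: List[str], header: str, interval_s: float) -> Dict[str, object]:
    """Growth of #VALS between the first and last sample, and #PEAK against
    the limit. A table that fills quickly and peaks near its limit points at
    a capacity or connection-leak problem rather than at one bad rule."""
    first, last = parse_summary(samples[0]), parse_summary(samples[-1])
    limit = parse_limit(header)
    elapsed = interval_s * (len(samples) - 1)
    rate = (last["vals"] - first["vals"]) / elapsed if elapsed else 0.0
    peak_pct = round(100.0 * last["peak"] / limit, 1)
    return {
        "limit": limit,
        "vals_per_second": rate,
        "peak_pct": peak_pct,
        "near_limit": peak_pct >= NEAR_LIMIT_PCT,
    }


if __name__ == "__main__":
    print(assess(SUMMARY_SAMPLES, TABLE_HEADER, SAMPLE_INTERVAL_S))
```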
As per our environment, Checkpoint appliances have been deployed in a distributed environment. When
troubleshooting logging-related issues in a distributed environment, we need to proceed as follows:
1. In SmartDashboard, go to the 'Policy' menu - click on 'Install Database...' - select the Security Management
Server and Log Servers - click 'OK'.
2. Ensure that you have not run out of disk space on the Security Management Server / Log Servers to
which the logs are being sent:
On Gaia:
Run df -kh and check the "Use%" column.
On Windows OS:
On the Desktop, open 'My Computer' - right-click on the relevant hard disk - click on 'Properties' - check the
"Free space" line.
3. If needed, delete or move the unneeded logs / files to an external storage device.
4. Is Security Gateway configured to send logs to Security Management Server / Log Server?
In Smart Dashboard, open the Security Gateway object - check each setting in the "Logs" section.
If any change was made, install policy.
5. Is Security Management Server able to communicate over SIC with Security Gateway?
In Smart Dashboard, open the Security Gateway object - on 'General Properties' pane, in "Secure
Internal Communication" section - click on "Test SIC Status...".
If this fails, then it might be due to connectivity / routing issues between the Security Gateway and the
Security Management Server.
6. Is Security Gateway able to communicate (other than SIC) with Security Management Server?
Test by sending pings from the Security Gateway to the Security Management Server.
Test by sending pings from the Security Management Server to the Security Gateway.
Note: Security policy must allow ICMP between the Security Gateway and the Security Management
Server.
If this fails and the security policy allows ICMP, then it is most likely a routing issue on the Security Gateway.
Check the routing table on the Security Gateway - there has to be a route to the Security Management Server's
network / the Security Management Server's IP address:
netstat -rn
7. Is Security Management Server listening on TCP port 257?
On Gaia:
# netstat -anp | grep ":257"
On Windows OS:
netstat -abno | findstr ":257"
8. Check the Log Policy settings in the log_policy.C file on the Security Management Server:
Note: Settings in this file have to match the settings in SmartDashboard in the Security Management Server
object.
On Gaia:
$FWDIR/conf/log_policy.C
On Windows OS:
%FWDIR%\conf\log_policy.C
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
Firewall access.
Smart Dashboard access.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
Open Shortest Path First (OSPF) is an interior gateway protocol (IGP) used to exchange routing
information between routers within a single autonomous system (AS). OSPF calculates the best path
based on true costs using assigned metric numbers. OSPF has quicker convergence and provides equal-cost
multipath routing, where packets to a single destination can be sent using more than one interface.
OSPF is suitable for complex networks with a large number of routers.
(NOTE: We can run OSPF over a route-based VPN by enabling OSPF on a virtual tunnel interface.)
6. Optional: For each area, you can add one or more address ranges if you want to reduce
the number of routing entries that the area advertises into the backbone.
Note - To prevent an address range from being advertised into the backbone,
select Restrict for the address range.
Scope: This SOP is used to transfer logs from the Security Management Server to an FTP server.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Necessary approvals have been taken.
Access to the FTP server.
WinSCP software running on the FTP server.
Login credentials for the SMS.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
https://10.168.176.31/php/login.php
Scope: Adding a rule on a Palo Alto firewall so that a user can access a destination from a
source on specific ports for business purposes.
This SOP is not to be used for adding rules on firewalls other than Palo Alto.
This SOP is not to be used for adding rules for access that has been explicitly denied
in accordance with company policy.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Issue has been analyzed.
Necessary approvals have been taken.
Palo Alto firewall access and login credentials.
Source, destination and service port details.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
5) Under the Source tab, specify the source zone and source address as per requirement.
6) Under the Destination tab, specify the destination zone and destination address as per
requirement.
7) Under the Service tab, add the services which need to be opened for this rule as per requirement.
8) Select the action as per requirement, whether to allow or block the traffic from source to destination
on the particular port.
12) Now you need to commit the changes on Panorama and the Device Group. First commit the changes
on Panorama, then on the Device Group.
How to add routes on a Palo Alto firewall:
Scope: Adding a route on a Palo Alto firewall so that a user can reach a destination.
This SOP is not to be used for adding routes on firewalls other than Palo Alto.
This SOP is not to be used for adding routes that have not been permitted in
accordance with company policy.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Issue has been analyzed.
Necessary approvals have been taken.
Palo Alto firewall access and login credentials.
Destination IP/subnet and next hop details.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
1) Click on the drop-down menu and select the firewall object where you want to add routes.
5) Under the Static Routes option, click on the Add button to add a static route on the particular virtual router.
6) Write a name in the Name field, define the destination address / subnet in the Destination field, select the
interface according to the firewall's exit interface for that subnet or select Next Hop, define the Admin
Distance if any, then click on the OK button.
Scope: Whitelisting of URLs on a Palo Alto firewall that users need to access for business
purposes and which have not been explicitly banned.
This SOP is not to be used for whitelisting URLs on firewalls other than Palo
Alto.
This SOP is not to be used for whitelisting URLs that have been explicitly
banned in accordance with company policy, e.g. porn sites etc.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer.
Issue has been analyzed.
Necessary approvals have been taken.
Palo Alto firewall access and login credentials.
Categorization of the URL has been checked.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet Support team.
1) Log in to Panorama.
6) Click OK.
7) Click on Commit to save and apply the changes on the firewall.
2) Click on Add and configure the settings below. We need to specify the FTP server IP address on which the
backup will be stored and the FTP server credentials:
3) Commit the changes.
There are a few NA sites where internet traffic goes out via the Network Based Firewall managed by AT&T.
The Network Based Firewall is situated in the MPLS cloud and managed by AT&T. If we need to allow any IP/ports
or URL, we need to raise a request with AT&T to enable the access.
Kindly find below the contact information to log a ticket with AT&T for live troubleshooting of the NBFW:
18007272222, Option 8, Option 2, Option 2
LOGIN INFO
You can log in to the AT&T Network Based Firewall using the link below:
https://www.e-access.att.com/iprotent/
If you want to raise a change, click on Manage my Network Security (MACD) and it will redirect to
https://srvc.mss.att.com/
REPORTS
You can generate customized reports depending on requirements by clicking on the Report section on the left-hand
side as below:
HOSTNAME NBFCIL02F
IP ADDRESS 134.24.19.28
USERNAME collieXX (where XX are the initials of your first name and last name)
The Service-now ticketing tool covers both Incident and Change tickets.
The Colliers-Zensar onsite service desk team raises the incident ticket and coordinates between the end user
and the technician from the time the ticket is raised until it is resolved.
Change tickets are raised by the technician who implements the actual change on the
device.
https://colliers.service-now.com
Process:
All incident tickets will be raised by the Zensar Service Desk team via the Service-now ticketing tool and assigned
to the respective support team. The end-to-end incident ticket will be followed through the proper SLA
matrix.
Change tickets will be raised by the Colliers network team technician himself and the change
ticket approved via the CAB meeting that is scheduled every Wednesday at 10 am PST.
Contact details:
CHECKPOINT
1) The firewall team can raise a request with the Herjavec team for any Checkpoint firewall issues.
2) If we call Herjavec, we just need to tell them that we are calling from Colliers and give our name
/ email ID, and they will help us with the issue. If they need to go to Checkpoint for help,
they would need the account ID first, then the serial number or the MAC address of the Checkpoint to
open the case.
3) If we directly call Checkpoint, they would need the account ID and then, to open a
case, the serial number or the certificate key of the box.
MAC / Certificate Key: depends on the box for which we are logging the request.
PALO ALTO
1) The firewall team can raise a request with the Herjavec team for any Palo Alto firewall issues.
2) If we call Herjavec, we just need to tell them that we are calling from Colliers and give our name,
and they will help us with the issue. If they need to go to Palo Alto for help, they
would need the serial number of the box to open the case.
3) If we directly call Palo Alto, they would need the serial number of the box to open a case.
CISCO
Contact information:
Customers and Partners: 1-800-553-6387
Technical Support: 1-800-553-2447 or 1-408-526-7209
Email: tac@cisco.com
Open TAC Case: https://tools.cisco.com/ServiceRequestTool/scm/mgmt/case?referring_site=tsmodel
RMA: http://www.cisco.com/c/en/us/support/rma_portal.html
CONTACT INFO
Checkpoint:
Online chat on checkpoint.com, or a web service request via supportcenter.checkpoint.com (a Checkpoint ID is
required to log in and raise a request).
Palo Alto:
Email: support@paloaltonetworks.com
Web service request via support.paloaltonetworks.com (a Palo Alto ID is required to log in
and raise a request).
ASA Firewall
Basic ASA configuration
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer
Necessary approvals have been taken.
ASA device access & login credentials.
Hostname, IP address, subnet details
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet
Support team.
1) Configure the hostname, then on each interface the IP address, the interface name (zone) and the security level.
2) Verify the IP address configured on the interface.
Scope: This SOP is used to create a site-to-site VPN on a Cisco ASA using the ASDM web UI.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer
Necessary approvals have been taken.
ASA Login credentials. ASDM access.
Phase1, phase2 parameters, Preshared key, Peer IP address, Local &
remote subnet details.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet
Support team.
This section describes how to configure the site-to-site VPN tunnel via the Adaptive Security Device
Manager (ASDM) VPN wizard.
Network Diagram
This is the topology that is used for the examples throughout this document:
3. Configure the peer IP address. In this example, the peer IP address is set to 192.168.1.1 on Site B. If
you configure the peer IP address on Site A, it must be changed to 172.16.1.1. The interface through
which the remote end can be reached is also specified. Click Next once complete.
4. Configure the local and remote networks (traffic source and destination). This image shows the
configuration for Site B (the reverse applies for Site A):
5. On the Security page, configure the pre-shared key (it must match on both of the ends).
Click Next once complete.
6. Configure the source interface for the traffic on the ASA. The ASDM automatically creates the
Network Address Translation (NAT) rule based on the ASA version and pushes it with the rest of the
configuration in the final step.
Note: For the example that is used in this document, inside is the source of the traffic.
7. The wizard now provides a summary of the configuration that will be pushed to the ASA. Review and
verify the configuration settings, and then click Finish.
Remote Access VPN on Cisco ASA firewall
Scope: This SOP is used to create a Remote Access VPN on a Cisco ASA using the ASDM web UI.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer
Necessary approvals have been taken.
ASA Login credentials. ASDM access.
Phase1, phase2 parameters, IP pool.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet
Support team.
Log in to the ASDM of your Cisco ASA 5500 firewall, go to Wizards > IPsec VPN Wizard and follow the
screens.
In "VPN Tunnel Type", choose "Remote Access"
From the drop-down list, choose "Outside" as the enabled interface for the incoming VPN tunnels. Keep
the box checked,"Enable inbound IPSec sessions to bypass interface access lists. Group policy and per-
user authorization access lists still apply to the traffic."
In Remote Access Client, Check "Microsoft Windows client using L2TP over IPSec"
The pre-shared key must be the same on the firewall and on the client side.
Authenticate remote users using local device user database
Add new user into the user authentication database
You will use this username and password to connect in the client side.
Add address pool
Create a pool of local addresses to be used for assigning dynamic IP addresses to remote VPN clients.
You can use 10.10.20.240 to 10.10.20.249 (depends on your internal network); keep the network and
broadcast addresses of the subnet out of the pool.
Leave the attributes pushed to the client empty.
Keep the default IKE policy.
Uncheck "Enable split tunneling ..." and uncheck "Perfect Forward Secrecy (PFS)". (Without PFS, a
compromise of the IKE keys exposes earlier IPsec sessions; leave PFS enabled unless the client cannot
negotiate it.)
Verify the summary information and click "Finish" button
3. Add Transform Set
Go to Configuration > Remote Access VPN > Network (Client) Access > Advanced > IPSec > Crypto
Maps. Edit the IPSec rules, add "TRANS_ESP_3DES_SHA" and click "Ok". (3DES is a legacy cipher; use an
AES transform set where the client supports it.)
Save the running configuration to flash and all done.
Scope: This SOP is used to troubleshoot a site-to-site VPN configuration on the ASA.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer
Necessary approvals have been taken.
ASA Login credentials.
CLI access of ASA firewall.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet
Support team.
Use the information that is provided in this section in order to troubleshoot configuration issues.
Enter this debug command in order to determine the location of the tunnel failure:
debug crypto ikev1 127 (Phase 1)
On releases that still use the legacy ISAKMP syntax, the equivalent command is:
debug crypto isakmp 127 (Phase 1)
Level 127 is very verbose and costs CPU; run it only while reproducing the failure and turn it off
with undebug all afterwards.
Scope: This SOP is used to troubleshoot a Remote Access VPN configuration on the ASA.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer
Necessary approvals have been taken.
ASA Login credentials.
CLI access of ASA firewall.
Remote user details.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet
Support team.
VPN Client Drops Connection Frequently on First Attempt or "Security VPN Connection
terminated by peer. Reason 433." or "Secure VPN Connection terminated by Peer Reason
433:(Reason Not Specified by Peer)"
Problem
Cisco VPN client users might receive this error when they attempt the connection with the head-end VPN device.
"VPN client drops connection frequently on first attempt" or "Security VPN Connection terminated by peer. Reason 433." or
"Secure VPN Connection terminated by Peer Reason 433:(Reason Not Specified by Peer)" or "Attempted to assign network or
broadcast IP address, removing (x.x.x.x) from pool"
Solution 1
The problem might be with the IP pool assignment either through ASA/PIX, Radius server, DHCP server or through Radius server
acting as DHCP server. Use the debug crypto command in order to verify that the netmask and IP addresses are correct. Also,
verify that the pool does not include the network address and the broadcast address. Radius servers must be able to assign the
proper IP addresses to the clients.
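The pool sizing in the Remote Access VPN SOP above (10.10.20.240 to 10.10.20.249) and Solution 1 here come down to the same check: no address handed to a client may be the network or broadcast address of the subnet that the netmask implies, and the pool must not cross a subnet boundary. The following Python is an added example, not Cisco's code and not part of this SOP; the pool boundaries and masks are constructed inputs, and the /28 case is included to show how a wrong netmask turns a valid-looking pool into one that starts on a network address.

```python
import ipaddress


def pool_addresses(first, last):
    """Expand an inclusive first..last range (the way an ASA 'ip local pool'
    is specified) into a list of IPv4Address objects."""
    start, end = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if end < start:
        raise ValueError(f"pool end {last} is below pool start {first}")
    return [ipaddress.IPv4Address(int(start) + i)
            for i in range(int(end) - int(start) + 1)]


def check_pool(first, last, mask):
    """Return a list of (address, problem) pairs for a VPN address pool.

    The subnet is derived from the pool start and the netmask, which is what
    the client ends up with when that mask is pushed with the address.  Flags:
      - the subnet's network address
      - the subnet's broadcast address
      - any pool address outside the subnet (the pool crosses a boundary)
    An empty list means every address in the pool is assignable.
    """
    subnet = ipaddress.IPv4Network((first, mask), strict=False)
    problems = []
    for addr in pool_addresses(first, last):
        if addr not in subnet:
            problems.append((str(addr), f"outside subnet {subnet}"))
        elif addr == subnet.network_address:
            problems.append((str(addr), f"network address of {subnet}"))
        elif addr == subnet.broadcast_address:
            problems.append((str(addr), f"broadcast address of {subnet}"))
    return problems


if __name__ == "__main__":
    # Constructed cases: the SOP's pool with a /24 mask is clean; the same pool
    # with a /28 mask starts on a network address; extending the pool to .255
    # on a /24 includes the broadcast address.
    for first, last, mask in [("10.10.20.240", "10.10.20.249", "255.255.255.0"),
                              ("10.10.20.240", "10.10.20.249", "255.255.255.240"),
                              ("10.10.20.240", "10.10.20.255", "255.255.255.0")]:
        print(first, last, mask, check_pool(first, last, mask) or "OK")
```

Run the check against the pool and the mask that the group policy actually pushes (ASA local pool, RADIUS or DHCP), not the mask you assume; the /28 case shows how the same ten addresses become unassignable when the mask is tighter than expected.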
Solution 2
This issue also occurs due to the failure of extended authentication. You must check the AAA server to troubleshoot this error.
Checking the server authentication password on Server and client and reloading the AAA server might resolve this issue.
Solution 3
Another workaround for this issue is to disable the threat detection feature. At times when there are multiple re-transmissions
for different incomplete Security Associations (SAs), the ASA with the threat-detection feature enabled thinks that a scanning
attack is occurring and the VPN ports are marked as the main offender. Try to disable the threat-detection feature, as it can
also add considerable processing overhead on the ASA. Use these commands in order to disable threat detection:
no threat-detection basic-threat
no threat-detection scanning-threat shun
no threat-detection statistics
no threat-detection rate
Note: Use this only as a temporary workaround to confirm whether threat detection is the cause. Disabling threat detection
on the Cisco ASA removes several protections, such as mitigation of scanning attempts, DoS with invalid SPI, packets that fail
application inspection and incomplete sessions; re-enable it once the VPN fault has been isolated.
Solution 4
This issue also occurs when a transform set is not properly configured. A proper configuration of the transform set resolves the
issue
Problem
Only three VPN clients can connect to ASA/PIX; connection for the fourth client fails. Upon failure, this error message is
displayed:
Secure VPN Connection terminated locally by the client.
Reason 413: User Authentication failed.
tunnel rejected; the maximum tunnel count has been reached
Solutions
In most cases, this issue is related to a simultaneous login setting within group policy and the maximum session-limit.
Try these solutions in order to resolve this issue:
For more information, refer to the Configuring Group Policies section of Selected ASDM VPN Configuration Procedures for the
Cisco ASA 5500 Series, Version 5.2.
Configure Simultaneous Logins
If the Inherit check box in ASDM is checked, only the default number of simultaneous logins is allowed for the user. The default
value for simultaneous logins is three.
In order to resolve this issue, increase the value for simultaneous logins.
1. Launch ASDM and then navigate to Configuration > VPN > Group Policy.
2. Choose the appropriate Group and click the Edit button.
3. Once in the General tab, undo the Inherit check box for Simultaneous Logins under Connection Settings. Choose an
appropriate value in the field.
Note: The minimum value for this field is 0, which disables login and prevents user access.
Note: When you log in using the same user account from a different PC, the current session (the connection
established from another PC using the same user account) is terminated, and the new session is established. This is
the default behaviour and is independent of the VPN simultaneous logins setting.
Configure Concentrator
Error Message
20932 10/26/2007 14:37:45.430 SEV=3 AUTH/5 RPT=1863 10.19.187.229
Authentication rejected: Reason = Simultaneous logins exceeded for user
handle = 623, server = (none), user = 10.19.187.229, domain = <not specified>
Solution
Complete these steps in order to configure the desired number of simultaneous logins. You can also try to set the Simultaneous
Logins to 5 for this SA:
Choose Configuration > User Management > Groups > Modify 10.19.187.229 > General > Simultaneous Logins, and change the
number of logins to 5.
Scope: This SOP is used to troubleshoot performance issues on a Cisco ASA firewall.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer
Necessary approvals have been taken.
ASA Login credentials.
CLI access of ASA firewall.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet
Support team.
CPU Utilization
If you notice that the CPU utilization is high, complete these steps in order to troubleshoot:
4. Issue the show memory detail command, and verify that the memory used by the ASA is normal utilization.
5. Verify that the counts in show processes cpu-hog and show processes memory are normal.
6. Any host present inside or outside the security appliance can generate the malicious or mass traffic that can be a
broadcast/multicast traffic and cause the high CPU utilization. In order to resolve this issue, configure an access
list to deny the traffic between the hosts (end to end) and check the usage.
7. Check the duplex and speed settings on the ASA interfaces. A mismatch with the remote interfaces can
increase the CPU utilization.
This example shows the higher number in input error and overruns due to the speed mismatch. Use the show
interface command in order to verify the errors:
Note: Cisco recommends that you enable the ip verify reverse-path interface command on all the interfaces as
it will drop packets that do not have a valid source address, which results in less CPU usage. This applies to
FWSM facing high CPU issues.
26. Another reason for high CPU usage can be due to too many multicast routes. Issue the show mroute command in
order to check if ASA receives too many multicast routes.
27. Use the show local-host command in order to see if the network experiences a denial-of-service attack, which
can indicate a virus attack in the network.
28. High CPU might occur due to Cisco bug ID CSCsq48636. Refer to Cisco bug ID CSCsq48636 (registered
customers only) for more information.
Note: If the solution provided above does not resolve the issue, upgrade the ASA platform according to
the requirements. Refer to Cisco ASA 5500 Series Adaptive Security Appliances Data Sheet for more
information on Adaptive Security Appliance Platform capabilities and capacities. Contact
TAC (registered customers only) for further information.
High Memory Utilization
Here are some possible causes and resolutions for high memory utilization:
Event logging: Event logging can consume large amounts of memory. In order to resolve this issue, install and
log all events to an external server, such as a syslog server.
Memory Leakage: A known issue in the security appliance software can lead to high memory consumption. In
order to resolve this issue, upgrade the security appliance software.
Debugging Enabled: Debugging can consume large amounts of memory. In order to resolve this issue, disable
debugging with the undebug all command.
Blocking Ports: Blocking ports on the outside interface of a security appliance causes the security appliance to
consume high amounts of memory to block the packets through the specified ports. In order to resolve this issue,
block the offending traffic at the ISP end.
Threat-Detection: The threat detection feature consists of different levels of statistics gathering for various
threats, as well as scanning threat detection, which determines when a host is performing a scan. Turn off this
feature to consume less memory.
Complete these steps in order to view the CPU usage on the ASDM:
1. Go to Monitoring > Properties > System Resources Graphics > CPU in ASDM and choose the Graph
Window Title. Then, choose the required graphs from the list of Available Graphs and click Add as shown.
2. Once the required graph name is added under the Selected Graphs section, click Show Graphs.
The next image shows the CPU Usage graph on the ASDM. Different views of this graph are available and can
be changed by selecting the view from the View drop-down list. This output can be printed or saved to the
computer as required.
Description of Output
This table describes the fields in the show cpu usage output.
Field - Description
CPU utilization for 5 seconds - CPU utilization for the last five seconds
show traffic
The show traffic command shows how much traffic that passes through the ASA over a given period of
time. The results are based on the time interval since the command was last issued. For accurate results,
issue the clear traffic command first and then wait 1-10 minutes before you issue the show
traffic command. You could also issue the show traffic command and wait 1-10 minutes before you issue
the command again, but only the output from the second instance is valid.
You can use the show traffic command in order to determine how much traffic passes through your ASA.
If you have multiple interfaces, the command can help you determine which interfaces send and receive
the most data. For ASA appliances with two interfaces, the sum of the inbound and outbound traffic on
the outside interface should equal the sum of the inbound and outbound traffic on the inside interface.
Example
Ciscoasa#show traffic
outside:
received (in 124.650 secs):
295468 packets 167218253 bytes
2370 pkts/sec 1341502 bytes/sec
transmitted (in 124.650 secs):
260901 packets 120467981 bytes
2093 pkts/sec 966449 bytes/sec
inside:
received (in 124.650 secs):
261478 packets 120145678 bytes
2097 pkts/sec 963864 bytes/sec
transmitted (in 124.650 secs):
294649 packets 167380042 bytes
2363 pkts/sec 1342800 bytes/sec
If you come close to or reach the rated throughput on one of your interfaces, you need to upgrade to a
faster interface or limit the amount of traffic that goes into or out of that interface. Failure to do so can
result in dropped packets. As explained in the show interface section, you can examine the interface
counters in order to find out about throughput.
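The two checks described above (in+out on the outside interface should match in+out on the inside interface of a two-interface ASA, and neither interface should sit near its rated throughput) are easy to get wrong by eye. The following Python is an added example, not Cisco's code and not part of this SOP: it parses the show traffic output reproduced above, totals the byte counters per interface, tests the inside/outside symmetry with a tolerance, and reports utilization against a link speed that the caller supplies (the 100 Mbps figure in the usage is an assumption, not anything stated on this page).

```python
import re

# Sample taken from the show traffic example in this SOP (two-interface ASA).
SAMPLE = """\
outside:
        received (in 124.650 secs):
                295468 packets  167218253 bytes
                2370 pkts/sec   1341502 bytes/sec
        transmitted (in 124.650 secs):
                260901 packets  120467981 bytes
                2093 pkts/sec   966449 bytes/sec
inside:
        received (in 124.650 secs):
                261478 packets  120145678 bytes
                2097 pkts/sec   963864 bytes/sec
        transmitted (in 124.650 secs):
                294649 packets  167380042 bytes
                2363 pkts/sec   1342800 bytes/sec
"""

IFACE_RE = re.compile(r"^(\S+):\s*$")                       # e.g. "outside:"
DIR_RE = re.compile(r"^\s*(received|transmitted)\s+\(in\s+([\d.]+)\s+secs\):")
COUNT_RE = re.compile(r"^\s*(\d+)\s+packets\s+(\d+)\s+bytes\s*$")


def parse_show_traffic(text):
    """Return {interface: {"received"|"transmitted": {"secs", "packets", "bytes"}}}."""
    stats, iface, direction = {}, None, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface, direction = m.group(1), None
            stats[iface] = {}
            continue
        m = DIR_RE.match(line)
        if m and iface is not None:
            direction = m.group(1)
            stats[iface][direction] = {"secs": float(m.group(2))}
            continue
        m = COUNT_RE.match(line)
        if m and iface is not None and direction is not None:
            stats[iface][direction]["packets"] = int(m.group(1))
            stats[iface][direction]["bytes"] = int(m.group(2))
            direction = None   # the pkts/sec line that follows is derived; skip it
    return stats


def interface_totals(stats):
    """Bytes received plus bytes transmitted per interface over the interval."""
    return {name: d["received"]["bytes"] + d["transmitted"]["bytes"]
            for name, d in stats.items()}


def is_symmetric(stats, a="outside", b="inside", tolerance=0.02):
    """On a two-interface ASA, in+out on one side should match in+out on the other.
    A small difference is normal (traffic to the ASA itself, in-flight packets)."""
    totals = interface_totals(stats)
    diff = abs(totals[a] - totals[b])
    return diff / max(totals[a], totals[b]) <= tolerance


def utilisation(stats, iface, link_bps):
    """Fraction of the interface's rated bit rate consumed (in+out) over the interval.
    link_bps is an assumption supplied by the caller, e.g. 100_000_000 for FastEthernet."""
    d = stats[iface]
    total_bytes = d["received"]["bytes"] + d["transmitted"]["bytes"]
    return (total_bytes * 8 / d["received"]["secs"]) / link_bps


if __name__ == "__main__":
    s = parse_show_traffic(SAMPLE)
    print("totals:", interface_totals(s))
    print("inside/outside symmetric:", is_symmetric(s))
    print("outside utilisation at 100 Mbps: %.1f%%" % (100 * utilisation(s, "outside", 100_000_000)))
```

Feed it the output of show traffic taken after clear traffic and a wait of a few minutes, as the section above requires; a symmetry check that fails on a two-interface box points at traffic being dropped or terminated on the ASA rather than forwarded.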
show perfmon
The show perfmon command is used to monitor the amount and types of traffic that the ASA inspects.
This command is the only way to determine the number of translations (xlates) and connections (conn)
per second. Connections are further broken down into TCP and User Datagram Protocol (UDP)
connections. See Description of Output for descriptions of the output that this command generates.
Example
Description of Output
Field - Description
TCP Fixup - Number of TCP packets that the ASA forwards per second
TCPIntercept - Number of SYN packets per second that have exceeded the embryonic limit set on a static
show blocks
Along with the show cpu usage command, you can use the show blocks command in order to determine
whether the ASA is overloaded.
When it comes into the ASA interface, a packet is placed on the input interface queue, passed up to the
OS, and placed in a block. For Ethernet packets, the 1550-byte blocks are used; if the packet comes in
on a 66 MHz Gigabit Ethernet card, the 16384-byte blocks are used. The ASA determines whether the
packet is permitted or denied based on the Adaptive Security Algorithm (ASA) and processes the packet
through to the output queue on the outbound interface. If the ASA cannot support the traffic load, the
number of available 1550-byte blocks (or 16384-byte blocks for 66 MHz GE) hovers close to 0 (as shown
in the CNT column of the command output). When the CNT column hits zero, the ASA attempts to
allocate more blocks, up to a maximum of 8192. If no more blocks are available, the ASA drops the
packet.
show memory
The show memory command displays the total physical memory (or RAM) for the ASA, along with the
number of bytes currently available. In order to use this information, you must first understand how the
ASA uses memory. When the ASA boots, it copies the OS from Flash into RAM and runs the OS from
RAM (just like routers). Next, the ASA copies the startup configuration from Flash and places it into RAM.
Finally, the ASA allocates RAM in order to create the block pools discussed in the show blocks section.
Once this allocation is complete, the ASA needs additional RAM only if the configuration increases in
size. In addition, the ASA stores the translation and connection entries in RAM.
During normal operation, the free memory on the ASA should change very little, if at all. Typically, the
only time you should run low on memory is if you are under attack and hundreds of thousands of
connections go through the ASA. In order to check the connections, issue the show conn count command,
which displays the current and maximum number of connections through the ASA. If the ASA runs out of
memory, it eventually crashes. Prior to the crash, you might notice memory allocation failure messages in
the syslog (%ASA-3-211001). If you run out of memory because you are under attack, contact the Cisco
Technical Assistance Center (TAC).
Example
Ciscoasa# show memory
show conn count
The show conn count command shows the current and maximum number of connections through the ASA.
A connection is a mapping of Layer 4 information from an internal address to an external address.
Connections are built up when the ASA receives a SYN packet for TCP sessions or when the first packet
in a UDP session arrives. Connections are torn down when the ASA receives the final ACK packet, which
occurs when the TCP session handshake closes or when the timeout expires in the UDP session.
Extremely high connection counts (50-100 times normal) might indicate that you are under attack. Issue
the show memory command in order to ensure that the high connection count does not cause the ASA to
run out of memory. If you are under attack, you can limit the maximum number of connections per static
entry and also limit the maximum number of embryonic connections. This action protects your internal
servers, so they do not become overwhelmed. Refer to Cisco ASA 5500 Series Adaptive Security Appliances
Command References for more information.
Example
show processes
The show processes command on the ASA displays all the active processes that run on the ASA at the
time the command is executed. This information is useful in order to determine which processes receive
too much CPU time and which processes do not receive any CPU time. In order to get this information,
issue the show processes command twice; wait about 1 minute between each instance. For the process in
question, subtract the Runtime value displayed in the first output from the Runtime value displayed in
the second output. This result shows you how much CPU time (in milliseconds) the process received in that
interval of time. Note that some processes are scheduled to run at particular intervals, and some
processes only run when they have information to process. The 577poll process most likely has the
largest Runtime value of all your processes. This is normal because the 577poll process polls the
Ethernet interfaces in order to see if they have any data that needs to be processed.
Note: An examination of each ASA process is out of the scope of this document, but is mentioned briefly
for completeness. Refer to The ASA show processes Command for more information about the ASA
processes.
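The two-snapshot method above is the kind of thing worth scripting so that the subtraction is done the right way round for every process at once. The following Python is an added example, not Cisco's code and not part of this SOP. The two snapshots are constructed: they approximate the column layout of show processes (state flags, PC, SP, STATE, Runtime, SBASE, Stack, Process) and reuse the 577poll and Logger process names mentioned above, but every number in them is invented for the example, so verify the regular expression against real output from your own release before relying on it.

```python
import re

# Constructed snapshot approximating 'show processes' output at time T0.
SNAPSHOT_T0 = """\
    PC       SP       STATE       Runtime    SBASE     Stack Process
Lsi 001e5a1f 02a6bc18 0053ca10          0 02a6ad94  3456/4096 arp_timer
Mwe 001e5a1f 02b0c2f0 0053ca10        540 02b0b36c  3200/4096 Logger
Lwe 0014a6d0 02a8d5c0 0053ca10     123456 02a8c5bc  2928/4096 577poll
Mwe 00219c11 02c1a0f8 0053ca10       2100 02c190e4  2624/4096 IP Thread
"""

# Constructed snapshot about one minute later; only the Runtime column changes.
SNAPSHOT_T1 = """\
    PC       SP       STATE       Runtime    SBASE     Stack Process
Lsi 001e5a1f 02a6bc18 0053ca10          0 02a6ad94  3456/4096 arp_timer
Mwe 001e5a1f 02b0c2f0 0053ca10       4540 02b0b36c  3200/4096 Logger
Lwe 0014a6d0 02a8d5c0 0053ca10     124456 02a8c5bc  2928/4096 577poll
Mwe 00219c11 02c1a0f8 0053ca10       2350 02c190e4  2624/4096 IP Thread
"""

ROW_RE = re.compile(
    r"^(?:\S+\s+)?"                                  # optional state flags (Lsi, Mwe, ...)
    r"[0-9a-f]{8}\s+[0-9a-f]{8}\s+[0-9a-f]{8}\s+"    # PC, SP, STATE
    r"(?P<runtime>\d+)\s+"                           # Runtime in milliseconds
    r"[0-9a-f]{8}\s+\d+/\d+\s+"                      # SBASE, Stack used/size
    r"(?P<name>.+?)\s*$")                            # Process name (may contain spaces)


def parse_show_processes(text):
    """Return {process name: cumulative runtime in ms}. Header and other
    non-matching lines are ignored."""
    runtimes = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            runtimes[m.group("name")] = int(m.group("runtime"))
    return runtimes


def cpu_time_deltas(before, after):
    """CPU time (ms) each process consumed between the two snapshots, computed as
    second reading minus first, sorted largest first. Processes present in only
    one snapshot are skipped rather than producing a bogus delta."""
    b, a = parse_show_processes(before), parse_show_processes(after)
    deltas = {name: a[name] - b[name] for name in a if name in b}
    return sorted(deltas.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for name, ms in cpu_time_deltas(SNAPSHOT_T0, SNAPSHOT_T1):
        print(f"{name:12s} {ms:8d} ms")
```

Capture the two outputs to files (or a terminal log) roughly a minute apart and pass their contents in; the process at the top of the sorted list is the one to look at, bearing in mind that 577poll is expected to carry a large absolute Runtime and that a heavy Logger delta is a hint to move logging to an external syslog server as the memory section above recommends.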
Command Summary
In summary, use the show cpu usage command in order to identify the load that the ASA is under.
Remember that the output is a running average; the ASA can have higher spikes of CPU usage that are
masked by the running average. Once the ASA reaches 80% CPU usage, the latency through the ASA
slowly increases to about 90% CPU. When CPU usage is more than 90%, the ASA starts to drop
packets.
If the CPU usage is high, use the show processes command in order to identify the processes that use the
most CPU time. Use this information in order to reduce some of the time that is consumed by the
intensive processes (such as logging).
If the CPU does not run hot, but you believe packets are still dropped, use the show interface command in
order to check the ASA interface for no buffers and collisions, possibly caused by a duplex mismatch. If
the no buffer count increments, but the CPU usage is not low, the interface cannot support the traffic that
flows through it.
If the buffers are fine, check the blocks. If the current CNT column in the show blocks output is close to 0
on the 1550-byte blocks (16384-byte blocks for 66 MHz Gig cards), the ASA most likely drops Ethernet
packets because it is too busy. In this instance, the CPU spikes high.
If you experience trouble when you make new connections through the ASA, use the show conn
count command in order to check the current count of connections through the ASA.
If the current count is high, check the show memory output in order to ensure that the ASA does not run
out of memory. If memory is low, investigate the source of the connections with the show conn or show
local-host command in order to verify that your network has not experienced a denial-of-service attack.
You can use other commands in order to measure the amount of traffic that passes through the ASA.
The show traffic command displays the aggregate packets and bytes per interface, and the show
perfmon breaks the traffic down into different types that the ASA inspects.
F5 Load Balancer
To create a virtual server
Scope: This SOP is used to create a Virtual Server on the F5 Load Balancer using the web UI.
This SOP does not cover creating a Virtual Server on the F5 Load Balancer from the CLI.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer
Necessary approvals have been taken.
F5 Load Balancer Login credentials.
Virtual server IP address & FQDN details, Virtual service pool, Pool
members details
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet
Support team.
a) On the Main tab of the navigation pane, expand Local Traffic, and click Virtual
Servers. The Virtual Servers screen opens.
b) On the upper right portion of the screen, click the Create button.
The New Virtual Server screen opens. Configure the following settings:
Name: name of the virtual server
Destination: the destination host or network
Protocol: select the required protocol from the drop-down menu
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer
Necessary approvals have been taken.
F5 Load Balancer Login credentials.
Virtual service pool, Pool member’s details.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet
Support team.
e) Click Finished.
a) On the Main tab of the navigation pane, expand Local Traffic, and click Pools.
The Pools screen opens.
b) In the Members column, click the number shown. This lists the existing members of the
pool.
d) Click Update.
To create an iRule
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer
Necessary approvals have been taken.
F5 Load Balancer Login credentials.
Name, condition, event and action details to create the iRule.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet
Support team.
a) On the Main tab of the navigation pane, expand Local Traffic, and click iRules.
The iRules screen opens.
b) In the upper right corner, click Create.
c) In the Name box, type the iRule name, and in the Definition box type the syntax
for your iRule.
d) Click Finished.
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer
Necessary approvals have been taken.
Certificate created.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet
Support team.
Navigate to System > File Management > SSL Certificates List and click Import.
In the Certificate Name box, type a name for the SSL certificate.
In the Certificate Source section, click either Upload File or Paste Text the SSL
certificate (i.e. ssl_certificate.crt, as described in Step 1).
Click Import.
Configure an SSL Client Profile to use the Intermediate CA Certificate
Roles: User
Requestor
IT support team
Prerequisites: Service ticket has been raised.
Ticket has been assigned to the support engineer
Issue has been analyzed.
Necessary approvals have been taken.
F5 Load Balancer Login credentials.
Inputs: Service Desk ticket raised and assigned to Network WAN and Internet
Support team.
The following table lists Configuration utility pages where you can check the status of pools,
pool members, and nodes:
You can use the tmsh commands below for troubleshooting various F5 Load Balancer issues.
show sys version - view system version and hotfix summary information
show sys - general system configuration
show sys license - view license information
show net arp - show the F5's ARP table
show sys cpu - CPU statistics for overall system performance and for the management hosts
show net route - routing tables and configuration