
TDA Troubleshooting sharing


Presentation Transcript


  1. TDA Troubleshooting sharing

  2. Agenda
  • Log in to the Kmod page to check the concurrent TDA traffic
  • How to check that network traffic has passed through the TDA monitor port?
  • How to check that no packets have been lost?
  • How to check TDA performance?
  • How to check the TDA network interface link speed?

  3. Log in to the Kmod page to check the concurrent TDA traffic
  • Purpose: check that packets are not dropped when they are mirrored to TDA
  • URL: https://[TDA_Management_IP]/html/kmod_main.html
  • "conntrack_count": the number of concurrent connections, including all TCP states
  • No packets dropped: "nr_corrupt" is 0
  • No packets dropped: "ESTABLISHED" is almost equal to "conntrack_count" (the difference is sessions that are still half-open or being torn down)

  4. Troubleshooting
  • SYN_SENT: the number of TCP sessions that are in the SYN_SENT state at the moment
  • ESTABLISHED: the number of TCP sessions that are in the ESTABLISHED state at the moment
  • nr_corrupt: the accumulated number of TCP sessions that timed out (60 seconds) while in the ESTABLISHED state, i.e. the number of sessions that had packets dropped
  • Because nr_corrupt is cumulative, compare two readings taken a few minutes apart: a value that is non-zero but no longer growing reflects past drops, not a current problem
  • Handshake states as TDA tracks them (diagram): 1: client sends SYN -> SYN_SENT; 2: server replies SYN/ACK -> SYN_RECV; 3: client sends ACK -> ESTABLISHED; then data communication between client and server

  5. Tools to prepare before the next steps
  • Before you go to the next page, prepare the following tools:
  • An SSH client; PuTTY is preferred
  • An OpenSSH key pair whose public key is authorized for TDA access; release of this key is controlled by the TDA R&D team
  • A network traffic analysis tool such as Ethereal (now Wireshark)

  6. Debug Log
  • URL: https://[TDA_Management_IP]/cgi-bin/cgiSetDebugLog.cgi
  • It asks you to log on to TDA first, so that unauthorized users cannot change the debug settings
  • Debug Level and Module Settings
    • Debug Level: disable, 0-fatal, 1-error, 2-warning, 3-info, 4-debug
    • Debug Module ID: 1-cav, 3-fstream_serv, 4-mr_system_logger, 5-preconf, all
  • Export Debug Log
  • Debug Log Maintenance (Reset Debug Log)
  • Note: the debug log rotates when it reaches 10 MB, so export it before it rolls over, and set the level back to "disable" or a low level once the capture is finished

  7. Rule disable/enable
  • Why? TDA provides customized rule detection for customers/analysts
  • How? URL: https://[TDA_Management_IP]/cgi-bin/cav_edit.cgi
  • It asks you to log on to TDA first, so that unauthorized users cannot change the rules
  • Check the rule -> Mark as -> Apply (TDA applies the change immediately)
  • Note: the rule enable/disable setting is overwritten after a Network Content Correlation Pattern update, so re-apply the customization after each pattern update

  8. Known threat logging disable
  • Why? TDA can stop writing a log to the database when it detects a known threat (VSAPI, Network Virus)
  • The customer does not want to see duplicate detection logs before the victim client has been taken care of
  • How? URL: https://[TDA_Management_IP]/cgi-bin/cav_log.cgi
  • It asks you to log on to TDA first, so that unauthorized users cannot change this setting
  • Select VSAPI or Network Virus, then save (TDA applies the change immediately)
  • Caveat: while logging is disabled, new detections of the same known threat are not recorded, so re-enable it once the victim client is cleaned

  9. Q&A
