
Ruijie RG-WALL 1600 Series Next-Generation Firewall Troubleshooting Cookbook (V1.1)

2020-02-15


1    Product Function Related

Function                  | S3100 | S3600 | M5100    | M6600    | X9300
--------------------------+-------+-------+----------+----------+------
Reset Button              | Y     | Y     | N        | N        | N
Console Port              | N     | N     | Y        | Y        | Y
Bypass Port               | N     | N     | N        | N        | N
MGMT Port (RJ45)          | N     | N     | Y        | Y        | Y
Hard Disk                 | N     | Y     | Y        | N        | Y
Redundant Power Supplies  | N     | N     | FRPS-100 | FRPS-100 | Y

 



2    Device Management Related

2.1    Device Login

Q: How do I log in to the firewall using the default IP address?

A: The firewall is managed through its HTTPS web interface at 192.168.1.200/24. With the default configuration, the management interface is reachable on the following ports:

·        RG-WALL1600-X9300 : MGMT1

·        RG-WALL1600-X8500 : MGMT1

·        RG-WALL1600-X6600 : MGMT1

·        RG-WALL1600-M5100 : MGMT

·        RG-WALL1600-S3600 : internal (1-14)

·        RG-WALL1600-S3100 : internal (1-7)

Step 1: Give your PC a static IP address in the same subnet as the firewall (e.g. 192.168.1.1/24).

Step 2: Connect the PC to the firewall's MGMT or internal port.

Step 3: Open https://192.168.1.200 in a browser and log in with the default username and password (admin/firewall).

Change the default password at the first login and keep the management interface on a dedicated management network: the default credentials are public, and a factory-default unit reachable from an untrusted segment can be taken over by anyone who finds it.

2.2    Password Recovery

Q: How do I recover the device password without losing the running configuration?

A:

Step 1: Note the software serial number printed on the side or back panel of the unit.

Step 2: Within 15 seconds after the device is powered off and restarted, log in over the console cable with username admin and the recovery password RGFWXXXXXXXXXXXX, where the X's are taken from the serial number noted in Step 1 (see the captured image, which is not reproduced here).

Step 3: Set a new admin password from the CLI:

·        RG-WALL # config system admin

·        RG-WALL (admin) # edit admin

·        RG-WALL (admin) # set password pass123455@!@#

·        RG-WALL (admin) # end

This recovery path needs only physical console access during the boot window, so anyone who can reach the console port and read the serial label can take over the admin account. Keep the chassis and console port physically secured, and treat a password reset you did not perform as a security incident.

 

2.3    License Activation

Temporary License

The NGFW 1600 firewall provides a one-month temporary license once for each device. To activate it:

·        Collect the device's software registration number and request the temporary license by e-mail from

 service_rj@ruijienetworks.com

·        Once the request is approved, the signature database is renewed as soon as the firewall can reach the Internet.

 

Official License

·        Collect the information shown in the following table (the row marked Sample illustrates the format) and mail it to

rgngfw3@ruijie.com.cn

        | Software SN (16 digits) | Model   | Authorization Code (12 digits) | Project Name | Customer Name
--------+-------------------------+---------+--------------------------------+--------------+--------------
Sample  | DB99KKK124667235        | Sample* | Sample*                        | Sample       | Sample*

·        Ensure that the firewall is connected to the Internet and configured with a working DNS address.

 

Troubleshooting

·        Ensure the destination ports used for signature database updates, listed below, are permitted (the source port is random by default).

Anti-Virus, IPS: UDP 9443, TCP 8890/443

Web Filter, Spam: UDP 53, 8888, 8889

·        If the VDOM feature is enabled, ensure the management VDOM ("management-vdom") can reach the Internet, because signature updates are fetched from there.

·        Collect the following diagnostic information for the Ruijie Support Team:

RG-WALL # printcliovrd enabl4e    ---restart the CLI session after this command

RG-WALL # execute ping google.com

RG-WALL # diagnose debug enable

RG-WALL # diagnose debug application update -1

RG-WALL # execute update-now


 



3    Firewall Function Related

3.1    DHCP Option Setting

On the NGFW firewall, DHCP option values are entered in hex. An IP address must be converted to its hex form octet by octet, and leading zeros in the hex string must not be dropped: every octet is exactly two hex digits.

e.g. 1.1.1.1 -> '01010101'. Entering "1010101" is wrong: it is seven digits, so the option value would be misaligned.
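As an added example (not code from the cookbook), the following Python helper produces the hex string for an option value and validates a string typed by hand, catching exactly the dropped-leading-zero mistake described above. It generalizes the single-address case in the text to lists of addresses (as used for server-list options) and to ASCII values; the option numbers and sample values in the usage section are assumptions for illustration.

```python
import ipaddress


def ip_list_to_hex(addresses):
    """Encode one or more IPv4 addresses as the zero-padded hex string a
    DHCP option field expects. Every octet becomes exactly two hex digits,
    so 1.1.1.1 -> '01010101' (never '1010101')."""
    return "".join(ipaddress.IPv4Address(a).packed.hex() for a in addresses)


def ascii_to_hex(text):
    """Encode an ASCII option value (e.g. a TFTP server name) as hex."""
    return text.encode("ascii").hex()


def hex_to_ip_list(hexstr):
    """Decode a hex string back to IPv4 addresses, rejecting malformed input:
    an odd length means a leading zero was dropped somewhere, and a byte count
    that is not a multiple of 4 cannot be a list of IPv4 addresses."""
    if len(hexstr) % 2:
        raise ValueError(
            f"odd-length hex string {hexstr!r}: a leading zero was probably dropped")
    raw = bytes.fromhex(hexstr)  # also rejects non-hex characters
    if len(raw) % 4:
        raise ValueError(f"{len(raw)} bytes is not a whole number of IPv4 addresses")
    return [str(ipaddress.IPv4Address(raw[i:i + 4])) for i in range(0, len(raw), 4)]


if __name__ == "__main__":
    # Option numbers below are assumed for illustration (150: TFTP server
    # list, 66: TFTP server name); check which options your clients expect.
    print("option 150:", ip_list_to_hex(["10.0.0.1", "192.168.100.200"]))
    print("option 66: ", ascii_to_hex("tftp01"))
    print("decoded:   ", hex_to_ip_list("01010101"))
    try:
        hex_to_ip_list("1010101")
    except ValueError as err:
        print("rejected:  ", err)
```

Paste the returned string into the option's hex value field; run the decoder over what you typed before committing the change, since the firewall will accept a misaligned string silently.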

 

 

3.2    IPSEC/SSL VPN Agent

The Ruijie NGFW firewall has no official IPsec/SSL VPN client for Windows or mobile phones. Users can use the built-in IPsec client on Apple devices, and PPTP or L2TP VPN on Windows and Android. Note that PPTP is widely regarded as insecure (its MS-CHAPv2 authentication can be recovered offline); prefer L2TP over IPsec or a native IPsec client where the platform allows it.

 

3.3    User Authentication

Q: How do I set a keepalive page for authenticated users?

A: The authentication function has no logout page, so users cannot log out on demand. Instead, a keepalive page can be configured to hold the authenticated session open:

·        RG-WALL # config user setting

·        RG-WALL (setting) # set auto-keepalive enable

·        RG-WALL (setting) # end

Because there is no explicit logout, an authenticated session stays valid until its timeout expires; keep the idle and hard timeouts short on shared or DHCP networks, where another host may receive the same address and inherit the session.

 

3.4    Web Filter

Q: How do I block online proxies on the firewall?

A:

Step 1: Select the "flow based" web filter and block the Proxy Avoidance category under the Ruijie categories.

Step 2: Enable scanning of encrypted connections.

Step 3: Apply the web filter profile and the SSL/SSH inspection profile to the policy.

After that, every HTTPS site is re-signed with the firewall's certificate (the firewall terminates and re-encrypts the TLS session). Install the firewall's CA certificate on the clients first; otherwise browsers show a certificate warning for every HTTPS site, and users trained to click through those warnings lose the protection the warning provides.

 

 

Q: The web filter feature cannot be used and shows "Ruijie Guard server failed to respond".

A: This problem is related to the signature license and to the Internet connection between the firewall and the Ruijie Guard cloud server.

Troubleshooting

1.     Verify the firewall's signature license status. If the web filter signature has expired, the Ruijie Guard service is not available. For details on license activation, refer to the License Activation chapter.

2.     Ensure the destination port used for web filter lookups is not blocked by the ISP or an uplink device. Alternatively, change the port used for server communication with the following commands:

RG-WALL # printcliovrd enabl4e    ---restart the CLI session after this command

RG-WALL # config system Ruijieguard

RG-WALL (Ruijieguard) # set port <53 | 8888>

53     Use port 53 for server communication.

8888   Use port 8888 for server communication.  //default setting

RG-WALL (Ruijieguard) # end

3.     If the steps above do not solve the problem, collect the following debug information for Ruijie Support:

RG-WALL # printcliovrd enabl4e    ---restart the CLI session after this command

RG-WALL # diagnose debug enable

RG-WALL # diagnose debug rating

                            

 

3.5    Anti-Virus

Q: Some viruses are not detected even though the anti-virus feature is enabled.

A: All Ruijie NGFW firewall units ship with the normal antivirus signature database, but some models offer additional databases you can select. Which one to choose depends on your network and security needs.

Normal

Includes viruses currently spreading as determined by the RuijieGuard Global Security Research Team. These viruses are the greatest threat. The Normal database is the default selection and it is available on every NGFW unit.

Extended

Includes the normal database in addition to recent viruses that are no-longer active. These viruses may have been spreading within the last year but have since nearly or completely disappeared.

Extreme

Includes the extended database in addition to a large collection of ‘zoo’ viruses. These are viruses that have not spread in a long time and are largely dormant today. Some zoo viruses may rely on operating systems and hardware that are no longer widely used.

 

config antivirus setting

    set default-db [normal|extended|extreme]

end

The extended and extreme databases are not offered on every model, and a larger database costs scan throughput and memory, which matters on units that are close to conserve mode (see the next question). Check which database is actually active after changing the setting.

 

Q: NGFW UTM features stop working when memory utilization reaches 80%.

A: Conserve mode is activated when free memory is nearly exhausted (around 80% memory utilization). While conserve mode is active, the UTM engines do not accept new sessions and, by default, new sessions bypass UTM inspection entirely (fail-open).

Conserve Mode Setting:

config system global

         set av-failopen {idledrop | off | one-shot | pass}

end

      idledrop   Drop idle connections to free memory.

      off        Do not pass new sessions that require scanning.

      one-shot   Try once to create the new session.

      pass       Bypass scanning for new sessions (default).

The default "pass" trades security for availability: while the unit is in conserve mode, traffic that would normally be scanned is forwarded unscanned. If the unit enters conserve mode regularly, treat it as a capacity problem (see section 4.1) rather than relying on the fail-open behaviour, and consider "off" where a short outage is preferable to unscanned traffic.

3.6    IPSEC VPN

Q: The IPsec VPN tunnel cannot be brought up.

A:

·        Ensure that the pre-shared keys match exactly.

·        Ensure that both ends use the same Phase 1 and Phase 2 proposal settings.

·        Ensure that you have allowed inbound and outbound traffic for all necessary network services, especially if services such as DNS or DHCP are having problems.

·        Check that a static route has been configured properly to allow routing of VPN traffic.

·        Ensure that your unit is in NAT/Route mode rather than Transparent mode.

·        Check your NAT settings: enable NAT traversal in the Phase 1 configuration while disabling NAT in the security policy. You might need to pin the PAT/NAT session table, or use some kind of NAT-T keepalive, to avoid the expiration of your PAT/NAT translation.

·        Ensure that both ends of the VPN tunnel are using Main mode, unless multiple dial-up tunnels are being used.

·        If you have multiple dial-up IPsec VPNs, ensure that the Peer ID is configured properly and that clients have specified the correct Local ID.

·        If you are using Perfect Forward Secrecy (PFS), ensure that it is enabled on both peers. You can use the diagnose vpn tunnel list command to troubleshoot this.

·        Ensure that the Quick Mode selectors are correctly configured. If part of the setup currently uses firewall addresses or address groups, try changing it to either specify the IP addresses or use an expanded address range.

·        If XAUTH is enabled, ensure that the settings are the same on both ends, and that the firewall unit is set to Enable as Server.

·        Check the IPsec VPN Maximum Transmission Unit (MTU) size. A 1500-byte inner packet plus the ESP overhead (outer IP header, ESP header, IV, padding and ICV) exceeds a 1500-byte path MTU, so either the tunnel MTU must be lowered or path MTU discovery must work through the tunnel. You can use the diagnose vpn tunnel list command to see the tunnel MTU.

·        If your unit is behind a NAT device, such as a router, configure port forwarding for UDP ports 500 and 4500.

·        Remove any Phase 1 or Phase 2 configurations that are not in use. If a duplicate instance of the VPN tunnel appears on the IPsec Monitor, reboot your unit to try and clear the entry.

 

If you are still unable to bring up the VPN tunnel, run the following diagnostic commands in the CLI and send the output to Ruijie Support.

Troubleshooting

RG-WALL # diagnose debug enable

RG-WALL # diagnose debug application ike -1
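The MTU item in the checklist above is easier to reason about with the numbers in front of you. The following Python script is an added example, not part of the cookbook: it works out the on-the-wire size of an ESP tunnel-mode packet and the largest inner packet that still fits a given path MTU, using the standard ESP field sizes from RFC 4303/4106. The cipher table (IV length, padding alignment, ICV length per proposal) is an assumption for illustration; confirm it against the Phase 2 proposal actually negotiated on your tunnel.

```python
# Standard ESP tunnel-mode overhead (RFC 4303, RFC 4106).
OUTER_IPV4 = 20   # new outer IPv4 header added in tunnel mode
UDP_NAT_T = 8     # extra UDP header when NAT traversal (UDP 4500) is in use
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)

# Assumed per-proposal sizes: (IV bytes, padding alignment, ICV bytes).
# CBC ciphers pad to the block size; GCM pads to 4 bytes and uses an 8-byte IV.
CIPHERS = {
    "aes-cbc-sha1":   (16, 16, 12),
    "aes-cbc-sha256": (16, 16, 16),
    "aes-gcm-128":    (8, 4, 16),
}


def esp_packet_size(inner_len, cipher, nat_t=False):
    """Bytes on the wire for an ESP tunnel-mode packet that carries an inner
    IP packet of inner_len bytes."""
    iv, align, icv = CIPHERS[cipher]
    payload = inner_len + ESP_TRAILER
    padded = -(-payload // align) * align   # round up to the cipher's alignment
    size = OUTER_IPV4 + ESP_HEADER + iv + padded + icv
    return size + UDP_NAT_T if nat_t else size


def tunnel_mtu(path_mtu, cipher, nat_t=False):
    """Largest inner packet that still fits within path_mtu after ESP
    encapsulation, i.e. the MTU the tunnel interface should advertise."""
    inner = path_mtu
    while esp_packet_size(inner, cipher, nat_t) > path_mtu:
        inner -= 1
    return inner


if __name__ == "__main__":
    for cipher in CIPHERS:
        for nat_t in (False, True):
            print(f"{cipher:15} nat_t={str(nat_t):5} "
                  f"1500-byte inner packet -> {esp_packet_size(1500, cipher, nat_t)} bytes on the wire; "
                  f"tunnel MTU = {tunnel_mtu(1500, cipher, nat_t)}")
```

With AES-CBC and HMAC-SHA1 over a 1500-byte path, a full-size inner packet becomes 1560 bytes and the tunnel MTU comes out at 1438 (1422 with NAT-T). If the value reported by diagnose vpn tunnel list is larger than what this computes for your path, large packets will be fragmented or dropped, which typically shows up as a tunnel that comes up but stalls on bulk transfers.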

 

3.7    PPTP/L2TP VPN

The following steps help to understand why a PPTP/L2TP VPN user is being disconnected from the NGFW firewall, and which debug to enable depending on how the user authenticates. Collect the information below and send it to Ruijie Support.

1.     A PPTP/L2TP VPN user connects to the NGFW firewall with local authentication.

RG-WALL # diagnose debug enable

RG-WALL # diagnose debug reset

RG-WALL # diagnose debug console timestamp enable

RG-WALL # diagnose debug application ppp -1

2.       If the PPTP VPN user authenticates against LDAP, also run the following test, which checks the LDAP server defined in the GUI with a given username and password:

RG-WALL # diagnose test authserver ldap <LDAP server name in GUI> <username to test> <password>

e.g. RG-WALL # diagnose test authserver ldap LDAP_Server user password

3.       If the PPTP VPN user authenticates against RADIUS, also collect the following:

RG-WALL # diagnose test authserver radius <server_name> <chap | pap | mschap | mschap2> <username> <password>

4.       Collect a sniffer trace on the port of the PPTP/L2TP connection:

RG-WALL # diagnose sniffer packet <port of pptp/l2tp connection> 'host <local IP address of the PC>' 6

The authserver tests take the user's password on the command line, where it ends up in the terminal scrollback and possibly in the CLI audit log: use a test account or a password you are about to change, and redact the session before attaching it to a ticket.

 

 



4    Firewall Maintenance Related

4.1    CPU & Memory Utilization

When CPU or memory utilization is high, take the actions below and collect the output for Ruijie Support.

CPU:

          1. Check whether abnormal traffic, such as a virus flood, is being dropped while passing through (sample the packets):

              diagnose sniffer packet any none 4 100

          2. Check the top 5 processes:

               diagnose sys top 5 99    -----press Q to quit

Memory:

          1. Check the top 5 processes:

                diagnose sys top 5 99    -----press Q to quit

          2. Check the memory cache, in particular if the logging function is enabled:

               diagnose hardware sysinfo memory

4.2    Traffic Flow Diagnose

'Debug flow' is used to trace the behaviour of traffic inside the NGFW device and to check how it is being forwarded. Applying a proper filter narrows the trace to the traffic of interest and makes debugging much easier (an unfiltered trace on a busy unit floods the console and adds CPU load).

Troubleshooting

RG-WALL # diagnose debug disable

RG-WALL # diagnose debug flow trace stop

RG-WALL # diagnose debug flow filter clear

RG-WALL # diagnose debug reset

RG-WALL # diagnose debug flow filter addr x.x.x.x

RG-WALL # diagnose debug flow show console enable

RG-WALL # diagnose debug flow show function-name enable

RG-WALL # diagnose debug console timestamp enable

RG-WALL # diagnose debug flow trace start 999

RG-WALL # diagnose debug enable

Stop the trace (diagnose debug flow trace stop, then diagnose debug disable) once you have what you need.

Common Problems:

msg="iprope_in_check() check failed, drop"    ---- no policy matched the traffic

msg="Denied by forward policy check"          ---- matching policy denies the traffic

msg="reverse path check fail, drop"           ---- RPF check failed
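A trace with 999 packets is tedious to read by hand. The following Python script is an added example, not part of the cookbook: it groups debug flow output by trace_id, pulls the 5-tuple from the "received a packet" line, and attaches a verdict based on the three drop messages listed above. The sample lines are constructed for the example; they follow the id=/trace_id=/func=/msg= layout of this CLI family, but check the key names against real output from your unit.

```python
import re
from collections import defaultdict

# Drop messages listed in this section, mapped to what they mean.
DROP_REASONS = {
    "iprope_in_check() check failed": "no policy matched the flow (implicit deny)",
    "Denied by forward policy check": "a matching policy has action deny",
    "reverse path check fail": "RPF failed: no route back to the source via the ingress interface",
}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PKT_RE = re.compile(r"\(proto=(\d+), (\S+)->(\S+)\) from (\S+)\.")

# Constructed sample output (not captured from a real device).
SAMPLE_LINES = [
    'id=20085 trace_id=1 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:51515->10.0.0.5:22) from internal. flag [S], seq 1, ack 0, win 65535"',
    'id=20085 trace_id=1 func=init_ip_session_common line=5794 msg="allocate a new session-00000a1b"',
    'id=20085 trace_id=1 func=iprope_in_check line=123 msg="iprope_in_check() check failed, drop"',
    'id=20085 trace_id=2 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:51516->10.0.0.6:80) from internal. flag [S], seq 2, ack 0, win 65535"',
    'id=20085 trace_id=2 func=fw_forward_handler line=765 msg="Denied by forward policy check (policy 0)"',
    'id=20085 trace_id=3 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=17, 10.9.9.9:53->192.168.1.10:4444) from wan1. "',
    'id=20085 trace_id=3 func=ip_route_input_slow line=1912 msg="reverse path check fail, drop"',
    'id=20085 trace_id=4 func=print_pkt_detail line=5639 msg="vd-root:0 received a packet(proto=6, 192.168.1.10:51517->8.8.8.8:443) from internal. flag [S], seq 3, ack 0, win 65535"',
    'id=20085 trace_id=4 func=fw_forward_handler line=765 msg="Allowed by Policy-1: SNAT"',
]


def parse_line(line):
    """Split one debug flow line into its key=value fields (msg unquoted)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage(lines):
    """Group debug flow lines by trace_id and attach a verdict to each flow."""
    flows = defaultdict(lambda: {"verdict": "no verdict seen"})
    for line in lines:
        fields = parse_line(line)
        tid = fields.get("trace_id")
        if tid is None:
            continue
        flow = flows[tid]
        msg = fields.get("msg", "")
        m = PKT_RE.search(msg)
        if m:
            flow.update(proto=m.group(1), src=m.group(2), dst=m.group(3), ingress=m.group(4))
        if msg.startswith("Allowed by Policy"):
            flow["verdict"] = "allowed: " + msg
        for needle, reason in DROP_REASONS.items():
            if needle in msg:
                flow["verdict"] = "dropped: " + reason
    return dict(flows)


def dropped_flows(lines):
    """Only the flows that were dropped, keyed by trace_id."""
    return {tid: f for tid, f in triage(lines).items() if f["verdict"].startswith("dropped")}


if __name__ == "__main__":
    for tid, flow in dropped_flows(SAMPLE_LINES).items():
        print(f"trace {tid}: proto {flow.get('proto')} {flow.get('src')} -> {flow.get('dst')} "
              f"in via {flow.get('ingress')}: {flow['verdict']}")
```

Feed it a saved console session (one line per list element) and read the dropped flows first; an RPF failure on a WAN-facing interface with an internal source address, as in trace 3 of the sample, is worth a second look, since spoofed or asymmetrically routed traffic produces exactly that message.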

 

4.3    Packets Capture

To capture packets through the GUI, your firewall model must have internal storage and disk logging must be enabled. If your device does not support disk logging, run the packet capture from the CLI.

GUI Capture

CLI Capture

diagnose sniffer packet <interface> '<filter>' <verbose> <count>

Use a filter (for example 'host 192.168.1.10 and port 443') and a count on production units: an unfiltered, unbounded capture on a busy interface is itself a performance problem. The capture may also contain credentials and other sensitive payload, so handle the saved trace accordingly.
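On models without a disk, the CLI sniffer is the only capture available, and at verbose level 3 it prints each frame as a hex dump rather than saving a file. The following Python script is an added example, not part of the cookbook: it turns a saved console session into a standard pcap file that Wireshark can open. The hex-dump layout it expects (a summary line, then "0xNNNN<tab>hex words<tab>ascii" lines with a relative timestamp) is an assumption modelled on this CLI family's verbose level 3 output; the two frames in the sample (a TCP SYN and its SYN/ACK) were hand-built for the example, so check the regexes against real output from your unit.

```python
import re
import struct
from io import BytesIO

# Constructed sample of `diagnose sniffer packet internal 'port 22' 3 2` output.
SAMPLE = (
    "interfaces=[internal]\n"
    "filters=[port 22]\n"
    "3.451788 internal in 192.168.1.10.51515 -> 10.0.0.5.22: syn 1\n"
    "0x0000\t 0050 56a1 0002 0050 56a1 0001 0800 4500\t.PV....PV.....E.\n"
    "0x0010\t 002c 0001 0000 4006 a3b7 c0a8 010a 0a00\t.,....@.........\n"
    "0x0020\t 0005 c93b 0016 0000 0001 0000 0000 6002\t...;..........`.\n"
    "0x0030\t ffff 0000 0000 0204 05b4\t..........\n"
    "3.452001 internal out 10.0.0.5.22 -> 192.168.1.10.51515: syn 1 ack 2\n"
    "0x0000\t 0050 56a1 0001 0050 56a1 0002 0800 4500\t.PV....PV.....E.\n"
    "0x0010\t 002c 0000 0000 4006 a3b8 0a00 0005 c0a8\t.,....@.........\n"
    "0x0020\t 010a 0016 c93b 0000 0001 0000 0002 6012\t.....;........`.\n"
    "0x0030\t ffff 0000 0000 0204 05b4\t..........\n"
)

# Summary line: "<seconds> <interface> in|out ..." (relative timestamps only).
SUMMARY_RE = re.compile(r"^(\d+\.\d+)\s+\S+\s+(?:in|out)\s")
# Dump line: "0xNNNN<tab> hex words <tab>ascii"; only the hex column is used.
HEX_RE = re.compile(r"^0x[0-9a-fA-F]{4}\t\s*([0-9a-fA-F ]+?)\s*\t")

# Classic pcap global header: magic, version 2.4, tz 0, sigfigs 0,
# snaplen 65535, LINKTYPE_ETHERNET (1).
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def parse_sniffer(text):
    """Collect the raw Ethernet frames from verbose-3 sniffer output."""
    packets, current = [], None
    for line in text.splitlines():
        m = SUMMARY_RE.match(line)
        if m:
            current = {"ts": float(m.group(1)), "data": bytearray()}
            packets.append(current)
            continue
        m = HEX_RE.match(line)
        if m and current is not None:
            current["data"] += bytes.fromhex(m.group(1).replace(" ", ""))
    return packets


def to_pcap(packets):
    """Serialise the frames as a pcap file with microsecond timestamps."""
    out = BytesIO()
    out.write(PCAP_GLOBAL_HEADER)
    for p in packets:
        sec = int(p["ts"])
        usec = int(round((p["ts"] - sec) * 1_000_000))
        n = len(p["data"])
        out.write(struct.pack("<IIII", sec, usec, n, n))  # per-packet record header
        out.write(p["data"])
    return out.getvalue()


if __name__ == "__main__":
    frames = parse_sniffer(SAMPLE)
    with open("capture.pcap", "wb") as fh:
        fh.write(to_pcap(frames))
    print(f"wrote {len(frames)} frames to capture.pcap")
```

Save the terminal session to a file, replace SAMPLE with its contents, and open the resulting capture.pcap in Wireshark. Frames captured with the interface-less verbose levels lack the Ethernet header; for those, change the link type in the global header from 1 (Ethernet) to 101 (raw IP).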

 

4.4    Log & Report

Q: Why can't I see any logs on model M6600?

A: Logging is not enabled by default on this model. The M6600 has no storage disk, so logs can only be kept in memory, which degrades performance when enabled. The steps to enable logging to memory are below, although it is not recommended; where you need retained logs on this model, consider sending them to an external syslog server instead.

    1) Tick the logging traffic option in the firewall policy settings.

     2) Run the following commands on the firewall:

      RG-WALL # config log memory setting

      RG-WALL (setting) # set status enable

      RG-WALL (setting) # end

      RG-WALL #

 

4.5     Common Commands

 

1.    Configure an interface address.

RG-WALL # config system interface

RG-WALL (interface) # edit lan

RG-WALL (lan) # set ip 192.168.100.99/24

RG-WALL (lan) # end

2.      Configure a static route.

RG-WALL # config router static

RG-WALL (static) # edit 1

RG-WALL (1) # set device wan1

RG-WALL (1) # set dst 10.0.0.0 255.0.0.0

RG-WALL (1) # set gateway 192.168.57.1

RG-WALL (1) # end

3.      Configure a default route (the destination defaults to 0.0.0.0/0; a separate entry is used so that route 1 above is not overwritten).

RG-WALL # config router static

RG-WALL (static) # edit 2

RG-WALL (2) # set gateway 192.168.57.1

RG-WALL (2) # set device wan1

RG-WALL (2) # end

4.      Configure a firewall address.

RG-WALL # config firewall address

RG-WALL (address) # edit clientnet

new entry 'clientnet' added

RG-WALL (clientnet) # set subnet 192.168.1.0 255.255.255.0

RG-WALL (clientnet) # end

5.      Configure an IP pool.

RG-WALL # config firewall ippool

RG-WALL (ippool) # edit nat-pool

new entry 'nat-pool' added

RG-WALL (nat-pool) # set startip 100.100.100.1

RG-WALL (nat-pool) # set endip 100.100.100.100

RG-WALL (nat-pool) # end

6.      Configure a virtual IP address.

RG-WALL # config firewall vip

RG-WALL (vip) # edit webserver

new entry 'webserver' added

RG-WALL (webserver) # set extip 202.0.0.167

RG-WALL (webserver) # set extintf wan1

RG-WALL (webserver) # set mappedip 192.168.0.168

RG-WALL (webserver) # end

7.      Configure the Internet access policy.

RG-WALL # config firewall policy

RG-WALL (policy) # edit 1

RG-WALL (1) # set srcintf internal        //Source interface.

RG-WALL (1) # set dstintf wan1            //Destination interface.

RG-WALL (1) # set srcaddr all             //Source address.

RG-WALL (1) # set dstaddr all             //Destination address.

RG-WALL (1) # set action accept           //Action.

RG-WALL (1) # set schedule always         //Schedule.

RG-WALL (1) # set service ALL             //Service.

RG-WALL (1) # set logtraffic disable      //Enables or disables traffic logging (disabled here; enable it if you need this traffic visible in the logs).

RG-WALL (1) # set nat enable              //Enables source NAT.

RG-WALL (1) # end

8.      Configure the mapping (inbound virtual IP) policy.

RG-WALL # config firewall policy

RG-WALL (policy) # edit 2

RG-WALL (2) # set srcintf wan1            //Source interface.

RG-WALL (2) # set dstintf internal        //Destination interface.

RG-WALL (2) # set srcaddr all             //Source address.

RG-WALL (2) # set dstaddr ngfw1           //Destination address: the virtual IP object created beforehand (the name must match the VIP entry, e.g. webserver in item 6).

RG-WALL (2) # set action accept           //Action.

RG-WALL (2) # set schedule always         //Schedule.

RG-WALL (2) # set service ALL             //Service (for an Internet-facing mapping, restrict this to the published service, e.g. HTTP/HTTPS, rather than ALL).

RG-WALL (2) # set logtraffic disable      //Enables or disables traffic logging.

RG-WALL (2) # end

9.      Change the internal switching interface to routed interfaces.

Ensure that routes, DHCP servers and firewall policies referencing the internal interface are deleted first.

RG-WALL # config system global

RG-WALL (global) # set internal-switch-mode interface

RG-WALL (global) # end

10.    View the host name and management port.

RG-WALL # show system global

11.    View the system status and available resources.

RG-WALL # get system performance status

12.    View the application traffic statistics.

RG-WALL # get system performance firewall statistics

13.    View the ARP table.

RG-WALL # get system arp

14.    View ARP details.

RG-WALL # diagnose ip arp list

15.    Clear the ARP cache.

RG-WALL # execute clear system arp table

16.    View the current session table statistics.

RG-WALL # diagnose sys session stat

RG-WALL # diagnose sys session full-stat

17.    View the session list.

RG-WALL # diagnose sys session list

18.    View the physical interface status.

RG-WALL # get system interface physical

19.    View the configured static routes (including the default route).

RG-WALL # show router static

20.    View the static routes in the routing table.

RG-WALL # get router info routing-table static

21.    View the OSPF configuration.

RG-WALL # show router ospf

22.    View the global routing table.

RG-WALL # get router info routing-table all

23.    View HA status.

RG-WALL # get system ha status

24.    Check configuration synchronization between the active and standby units.

RG-WALL # diagnose sys ha showcsum

 
