The old 'diag debug application ipsmonitor -1' command is now obsolete and does not show very useful data.
Do not use it unless specifically requested.
Here is how to debug the IPS engine in 6.4 or later:
diag ips debug enable ?
init              init
packet            packet
packet_detail     packet_detail
error             error
warn              warn
parse             parse
detect            detect
session           session
log               log
timeout           timeout
dissector         dissector
tcp               tcp
http              http
mail              mail
rpc               rpc
dns               dns
im                im
p2p               p2p
ssh               ssh
ssl               ssl
voip              voip
smb               smb
content           content
urlfilter         urlfilter
av                av
mime              mime
content_detail    content_detail
ipsa              ipsa
proxy             proxy
packet_dump       packet_dump
state             state
dac               dac
sctp              sctp
quic              quic
all               all
Select the appropriate categories to filter the output, or select 'all'.
Example:
diagnose ips debug enable ssl
diagnose ips debug enable dissector
diagnose debug enable
To verify which debug parameters are enabled, run the command below:
diagnose ips debug status show
If all parameters are enabled, the output looks like the following. One line is printed per running IPS engine process, so the number of lines depends on the device; eight IPS engine processes are running in this example.
IPS Engine <00333> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00497> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00498> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00499> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00500> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00501> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00502> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
IPS Engine <00503> Enabled debug actions: init packet packet_detail error warn parse detect session log dissector tcp http mail dns rpc im p2p ssh ssl voip content urlfilter av mime content_detail smb proxy packet_dump ipsa state dac sctp quic
If only one parameter is enabled, the output looks like the following:
diagnose ips debug enable ssl
diagnose ips debug status show
IPS Engine <00333> Enabled debug actions: ssl
IPS Engine <00497> Enabled debug actions: ssl
IPS Engine <00498> Enabled debug actions: ssl
IPS Engine <00499> Enabled debug actions: ssl
IPS Engine <00500> Enabled debug actions: ssl
IPS Engine <00501> Enabled debug actions: ssl
IPS Engine <00502> Enabled debug actions: ssl
IPS Engine <00503> Enabled debug actions: ssl
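As an added example (not part of this article or of the FortiGate CLI), the following Python check parses the 'diagnose ips debug status show' output above and flags any IPS engine process whose enabled actions differ from the set you intended to enable, which is useful on devices with many engine processes. The sample output is constructed from the engine ids quoted above, with one engine deliberately missing an action.

```python
import re

# Constructed sample output in the format of 'diagnose ips debug status show'.
# Engine ids are taken from the article; engine 00499 is deliberately missing
# the 'dissector' action so the consistency check has something to report.
SAMPLE_STATUS = """\
IPS Engine <00333> Enabled debug actions: ssl dissector
IPS Engine <00497> Enabled debug actions: ssl dissector
IPS Engine <00499> Enabled debug actions: ssl
"""

# One status line per IPS engine process: id in angle brackets, then the
# space-separated list of enabled debug actions.
STATUS_RE = re.compile(r"IPS Engine <(\d+)> Enabled debug actions:\s*(.*)$")


def parse_debug_status(text):
    """Return {engine_id: set(actions)} parsed from the status output."""
    engines = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line.strip())
        if m:
            engines[m.group(1)] = set(m.group(2).split())
    return engines


def check_debug_status(text, expected):
    """Compare every engine's enabled actions against the intended set.

    Returns {engine_id: (missing, extra)} for engines that deviate only, so an
    empty dict means every IPS engine process has exactly the intended actions
    (e.g. all of them, or only 'ssl' as in the single-parameter example).
    """
    expected = set(expected)
    problems = {}
    for eid, actions in parse_debug_status(text).items():
        missing = sorted(expected - actions)
        extra = sorted(actions - expected)
        if missing or extra:
            problems[eid] = (missing, extra)
    return problems


if __name__ == "__main__":
    for eid, (missing, extra) in check_debug_status(SAMPLE_STATUS, ["ssl", "dissector"]).items():
        print(f"IPS Engine <{eid}>: missing={missing} extra={extra}")
```

Paste the real status output into SAMPLE_STATUS (or read it from a file) and pass the categories you enabled as 'expected'.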
In a production environment, run this debug only during low-traffic hours, especially if 'all' is used, because of its CPU usage impact.
IPS engine debug commands can generate a very large amount of output, depending on how many sessions are being inspected. It is highly recommended to enable the debug commands together with a filter.
To filter the traffic, use the command below:
diagnose ips filter set <bpf filter>
The filter uses Berkeley Packet Filter (BPF) syntax, which accepts parameters such as source, destination, and TCP/UDP ports.
Example 1:
To filter traffic from source IP 1.1.1.1 on TCP port 443:
diagnose ips filter set 'src 1.1.1.1 and tcp port 443'
Verify the filter with the command below:
diagnose ips filter status
DEBUG FILTER: debug level: 17179868671 filter: "host 1.1.1.1 and tcp port 443" process id: 0
Example 2:
To filter traffic from source IP 192.168.10.10 to destination IP 8.8.8.8 on UDP port 5060:
diagnose ips filter set 'src 192.168.10.10 and dst 8.8.8.8 and udp port 5060'
Verify the filter with the command below:
diagnose ips filter status
DEBUG FILTER: debug level: 17179868671 filter: "src 192.168.10.10 and dst 8.8.8.8 and udp port 5060" process id: 0
Related article:
Troubleshooting Tips: Collecting IPS engine related debugs