TDA 2.5 Debug Tool and Known Issues
Cellina, NCSG QA

Agenda
• Debug Portal and Feature
• Traffic Flow Status
• Reset to Factory Default
• Known Issues Summary
Classification

Debug Portal and Feature
• Debug Portal URL: https://[TDA_IP]/html/rdqa.htm
• CAV Log Enable/Disable
• CAV Rule Enable/Disable
• Debug Log
• Log Transmission Setting
• tcpdump
• Kernel Module Status
• System Process Status: ATOP, ps
Debug Portal and Feature (Cont)
• CAV Log Enable/Disable
  • VSAPI – VSAPI virus logging
  • Network Virus – Network virus logging
  • Potential Threat – CAV rules matching
  • TMUFE query – TMUFE URL query

Debug Portal and Feature (Cont)
• Threat Detection Settings: Enable Threat Detection
  • VSAPI – VSAPI virus logging
  • Network Virus – Network virus logging
  • Potential Threat – CAV rules matching (OCS rules not included)

Debug Portal and Feature (Cont)
• CAV Rule Enable/Disable
  • Customized activated rule set
  • A pattern (NCCP) update will overwrite the customization
Debug Portal and Feature (Cont)
• Debug Log
  • Change the debug level to 4 and save
  • Select “export debug log” and export
  • Reset Debug Log
  • Change the level back to 1 after the export

Debug Portal and Feature (Cont)
• tcpdump
  • Use when no SSH connection to TDA is allowed and you need to sniff the packets that TDA monitors
  • Select the target interface and start
  • Export the file (tcpdump.tgz)
  • “tcpdump.cap” is the latest capture
  • Cap files are rotated
  • Reset after export
Debug Portal and Feature (Cont)
• Kernel Module Status
  • Observe statistic counts for network connections and memory usage
  • conntrack_count is the total number of connections monitored
  • ESTABLISHED is the total number of connections in the TCP established state
  • A relatively low ESTABLISHED count indicates a deployment or switch setting problem

Debug Portal and Feature (Cont)
• TDA must monitor the complete data flow of a TCP connection

Debug Portal and Feature (Cont)
• SYN flood protection
  • A very high syn_contrack count indicates that TDA may be under a SYN flood or DDoS attack
  • TDA can survive and keep working under a packet rate < 200,000 and 1,000,000 SYN packets

Debug Portal and Feature (Cont)
• Memory protection
  • When too much user memory is used, TDA drops the oldest session
  • Too much user memory used: nr_pages >= 4730M
  • Usually means the application is too busy and slow
  • tail -f /var/log/kernel.log

Debug Portal and Feature (Cont)
• Memory protection
  • When kernel memory is not enough or too much is used, TDA drops the oldest session
  • Too much kernel memory used: sum of nr_xx_bytes > 550M
  • Usually means the throughput is too high

Debug Portal and Feature (Cont)
• Connection track capacity
  ~# cat /proc/sys/net/toe/conntrack_max
  128000

Debug Portal and Feature (Cont)
• Network Flow Status
  • TDA periodically detects whether packets or connections are being dropped because of TDA memory protection or because traffic exceeds the connection track table capacity
  • Network Flow turns red if packets or sessions keep dropping for more than 1 minute
  • TDA detection is not guaranteed under such a condition
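The Kernel Module Status, SYN flood, memory protection, connection track capacity and Network Flow Status slides above all describe counters an operator reads off the debug portal and compares against a threshold. The script below is an added example, not TDA code: it applies the slides' numbers (nr_pages >= 4730M, sum of nr_xx_bytes > 550M, conntrack_max 128000, red after more than 1 minute of sustained drops) to a constructed key=value snapshot. The snapshot layout, the counter name syn_conntrack, and the "relatively low ESTABLISHED" and "high SYN share" ratios are assumptions, since the slides give no exact figures for them.

```python
"""Health check over TDA kernel-module counters (added example, not TDA's own code).

Thresholds come from the slides; the snapshot format and the ratio cut-offs
for "relatively low ESTABLISHED" and "SYN flood suspected" are assumptions.
"""
import re

MIB = 1024 * 1024
USER_MEM_LIMIT = 4730 * MIB     # slide: nr_pages >= 4730M -> user-memory protection kicks in
KERNEL_MEM_LIMIT = 550 * MIB    # slide: sum of nr_xx_bytes > 550M -> kernel-memory protection
CONNTRACK_MAX = 128000          # slide: /proc/sys/net/toe/conntrack_max
DROP_ALERT_SECONDS = 60         # slide: Network Flow turns red after > 1 minute of drops

# Constructed snapshot in a hypothetical key=value layout (not the portal's real format).
SAMPLE_STATUS = """\
conntrack_count=90210
ESTABLISHED=1207
syn_conntrack=61000
nr_pages=4512M
nr_tcp_bytes=310M
nr_http_bytes=260M
"""


def parse_status(text):
    """Parse 'key=value' lines into a dict; values with an 'M' suffix become bytes."""
    stats = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, raw = line.partition("=")
        raw = raw.strip()
        m = re.fullmatch(r"(\d+)M", raw)
        stats[key.strip()] = int(m.group(1)) * MIB if m else int(raw)
    return stats


def assess(stats, established_floor=0.05, syn_ceiling=0.5):
    """Return the list of conditions the slides tell an operator to look for.

    established_floor / syn_ceiling are assumed ratios: the slides only say
    'relatively low' ESTABLISHED and 'too much' syn_contrack.
    """
    findings = []
    count = stats.get("conntrack_count", 0)
    est = stats.get("ESTABLISHED", 0)
    # TDA must see the complete TCP flow; few ESTABLISHED entries relative to
    # the tracked total points at a deployment / switch (mirror) setting problem.
    if count and est / count < established_floor:
        findings.append("low-established")
    # A large share of half-open SYN entries suggests a SYN flood or DDoS.
    if count and stats.get("syn_conntrack", 0) / count > syn_ceiling:
        findings.append("syn-flood-suspected")
    if stats.get("nr_pages", 0) >= USER_MEM_LIMIT:
        findings.append("user-memory-protection")
    kernel_bytes = sum(v for k, v in stats.items()
                       if k.startswith("nr_") and k.endswith("_bytes"))
    if kernel_bytes > KERNEL_MEM_LIMIT:
        findings.append("kernel-memory-protection")
    if count >= CONNTRACK_MAX:
        findings.append("conntrack-table-full")
    return findings


def network_flow_state(samples, alert_seconds=DROP_ALERT_SECONDS):
    """Model the Network Flow indicator.

    samples: list of (timestamp_seconds, drops_in_interval). The indicator goes
    'red' once drops have persisted, with no drop-free sample in between, for
    more than alert_seconds; a drop-free sample resets the clock.
    """
    first_drop = None
    for ts, drops in samples:
        if drops > 0:
            if first_drop is None:
                first_drop = ts
            elif ts - first_drop > alert_seconds:
                return "red"
        else:
            first_drop = None
    return "green"


if __name__ == "__main__":
    stats = parse_status(SAMPLE_STATUS)
    print("findings:", assess(stats))
    # Constructed drop samples: one minute is not enough, 61 seconds is.
    print(network_flow_state([(0, 5), (30, 3), (60, 1)]))
    print(network_flow_state([(0, 5), (30, 3), (61, 2)]))
```

Running it against the constructed snapshot reports low-established, syn-flood-suspected and kernel-memory-protection (570M of nr_*_bytes exceeds the 550M limit, while 4512M of nr_pages stays under 4730M); the point of the exercise is that each finding maps to a different remedy on the slides: a mirror-port problem, an attack in progress, or throughput beyond what the appliance can inspect.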
Debug Portal and Feature (Cont)
• ATOP
  • Linux atop command
  • CPU usage
  • System memory
  • Layer 2 throughput
  • See which interfaces are connected
  • Process status

Reset to factory default
• Required when moving a TDA appliance from one pilot customer to another
  • Resets TDA’s GUID
  • Otherwise it will confuse the backend TMSP system
• Procedure
  • Ensure the serial console is ready
  • Reset TDA
  • In the serial console, during GRUB loading, press ESC to enter the menu
  • Select 3) Restore to factory mode

Reset to factory default (Cont)
Known Issues Summary
• Detection in FTP protocol
  • File download in active mode
    • Protocol shown as “FTP”
    • All file types supported
  • File upload in active mode or passive mode
    • Protocol shown as “File Transfer”
    • Only certain true file types are supported: zip, rar, msft, office, pdf, rtf, exe

Known Issues Summary
• TDVA firmware update
  • Cannot update firmware if VMI is enabled
  • Same as VMware Workstation
• TMSP communication channel
  • Only HTTP proxy is supported
  • Only basic authentication on the proxy server is supported
• Does not support TDVA Lite migration to TDA 2.5
• Does not support firmware update through the Firefox browser

Thank You