Security Configuration Guide: Zone-Based Policy Firewall, Cisco IOS XE Release 3S
Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support

The Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support feature supports the following functionalities for Application Layer Gateway (ALG) and Application Inspection and Control (AIC):

  • Packet tracing

  • Conditional debugging

  • Debug logs

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support

Packet Tracing

Packet tracing provides the ability to generate Control Plane Policing (CPP) statistics for a specified packet flow, with minimal effect on router throughput. It also traces the path of each packet in the flow, which helps in determining the input interface, features used, and the output path.

With packet tracing enabled, the Application Layer Gateway (ALG) generates statistics and keeps a log of the path along which the packets travel.

Conditional Debugging

In a typical Application Layer Gateway (ALG)-enabled scenario where certain connections from a given source address or destination address fail, unconditional debugging displays messages for all the traffic that passes through the ALG, which makes the failing connections hard to isolate. Enabling conditional debugging restricts the output so that only debug messages related to the specified connections are displayed on the console. Prior to the introduction of this feature, debugging displayed messages for all traffic that passes through the ALG.

Debug Logs

The following severity levels have been added:

  1. Error: Error and firewall packet drop conditions.

    Examples:
    • Unable to send a packet

    • ALG error condition

  2. Warning: Warning debug messages.

  3. Info: Information about an event.

    Examples:
    • Packet drop due to policy configuration, malformed packets, or hardcoded limit and threshold

    • State machine transition

    • ALG check status

    • Packet pass and drop status

  4. Verbose: All log messages.

    Examples:
    • Data structures

    • Event details

Note

Both the ALG-AIC functional debug flag and the severity level must be set. If only the severity level is set and the ALG-AIC functional debug flag is not set, the debug log will not be enabled. If only the ALG-AIC functional debug flag is set, the Info level, which is the default severity level, is logged.
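The following Python model is an added illustration for this page and is not Cisco IOS XE code, output, or CLI syntax. It models the two gating rules described above (the functional flag must be set, and the severity level falls back to Info when only the flag is set) together with the conditional-debugging filter on source or destination address, and runs them over a handful of constructed sample messages. Two points are assumptions rather than statements on the page: that severity levels are ordered Error < Warning < Info < Verbose with a configured level admitting every message at or below it (consistent with "Verbose: All log messages"), and that a condition matches a message when either its source or its destination address is in the configured set.

```python
"""Model of ALG/AIC debug-log gating as described in this module.

Illustrative model written for this page, not Cisco IOS XE code.
Assumptions (not stated on the page):
  - severity order Error < Warning < Info < Verbose; a configured level
    admits every message at or below it, so Verbose admits everything
  - a condition is a set of IP addresses; a message matches when its
    source or destination address is in that set
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

SEVERITY_ORDER = {"error": 1, "warning": 2, "info": 3, "verbose": 4}
DEFAULT_LEVEL = "info"   # the page states Info is the default severity level


@dataclass(frozen=True)
class DebugMessage:
    severity: str   # one of SEVERITY_ORDER's keys
    src: str        # source address of the connection the message concerns
    dst: str        # destination address
    text: str


@dataclass
class DebugConfig:
    alg_aic_flag: bool = False                   # the ALG-AIC functional debug flag
    level: Optional[str] = None                  # configured severity, None if not set
    condition: FrozenSet[str] = frozenset()      # conditional-debug addresses; empty = none


def effective_level(cfg: DebugConfig) -> Optional[str]:
    """Severity threshold in force, or None when the debug log is disabled.

    Level without the flag: disabled.  Flag without level: Info (default).
    """
    if not cfg.alg_aic_flag:
        return None
    if cfg.level is not None and cfg.level not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity level: {cfg.level}")
    return cfg.level if cfg.level is not None else DEFAULT_LEVEL


def should_emit(cfg: DebugConfig, msg: DebugMessage) -> bool:
    """Apply flag/level gating, then the conditional-debugging address filter."""
    if msg.severity not in SEVERITY_ORDER:
        raise ValueError(f"unknown message severity: {msg.severity}")
    threshold = effective_level(cfg)
    if threshold is None:
        return False
    if SEVERITY_ORDER[msg.severity] > SEVERITY_ORDER[threshold]:
        return False
    if cfg.condition and msg.src not in cfg.condition and msg.dst not in cfg.condition:
        return False
    return True


def filter_messages(cfg: DebugConfig, messages: List[DebugMessage]) -> List[DebugMessage]:
    """Return the messages that would reach the console under this configuration."""
    return [m for m in messages if should_emit(cfg, m)]


# Constructed sample messages (illustrative, not captured from a device).
SAMPLE = [
    DebugMessage("error", "10.1.1.5", "192.0.2.10", "unable to send packet"),
    DebugMessage("info", "10.1.1.5", "192.0.2.10", "state machine transition"),
    DebugMessage("verbose", "10.1.1.5", "192.0.2.10", "event details"),
    DebugMessage("info", "10.1.1.9", "192.0.2.20", "ALG check status"),
]


if __name__ == "__main__":
    scenarios = {
        "level only, no flag": DebugConfig(level="verbose"),
        "flag only (Info default)": DebugConfig(alg_aic_flag=True),
        "flag + verbose": DebugConfig(alg_aic_flag=True, level="verbose"),
        "flag + condition 10.1.1.5": DebugConfig(alg_aic_flag=True,
                                                 condition=frozenset({"10.1.1.5"})),
    }
    for name, cfg in scenarios.items():
        emitted = [m.text for m in filter_messages(cfg, SAMPLE)]
        print(f"{name:28s} level={effective_level(cfg)!s:8s} -> {emitted}")
```

The model makes the practical consequence of the note visible: a severity level configured on its own produces no output at all, while the flag on its own silently uses Info, so Verbose-only material such as data structures and event details never appears until the level is set explicitly.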


Additional References for Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support

Technical Assistance

Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies.

To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds.

Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.

Link: http://www.cisco.com/support

Feature Information for Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1 Feature Information for Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support

Feature Name: Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support

Releases: Cisco IOS XE 3.13S

Feature Information: The Zone-Based Firewall ALG and AIC Conditional Debugging and Packet Tracing Support feature supports the following functionalities:

  • Packet tracing

  • Conditional debugging

  • Debug logs