[ATP/FLEX] How to capture packets on Nebula Firewall

Zyxel_Cooldia
edited October 20 in Maintenance

Scenario

Packet-trace is a CLI-based packet capture tool on the device. It can be used to sniff and analyze network traffic by intercepting and displaying the packets transmitted on a network interface.

This example illustrates how to capture packets in CLI mode on Nebula.

Demonstration

You may skip step 1) if you access the SSH service from the LAN interface of the device.

1)   Create a security policy to allow the SSH service from the WAN interface.

By default, the device SSH service cannot be accessed from the WAN interface when the device is managed by Nebula. There is no implicit firewall rule that allows SSH access to the device from the WAN.

Go to Firewall > Configure > Security policy. In Implicit allow rules, there is no implicit rule that allows SSH access from the WAN to the device on TCP port 22.

Click Add to create a security policy rule that allows SSH access from the WAN.


     Action = Allow

     Protocol = TCP

     Source = Any

     Destination = Device

     Dst Port = 22

     *For security reasons, we strongly suggest that you add trusted IP addresses as the Source instead of Any.

     Click Save to commit the setting to Nebula.


2)   Go to Site-wide > Configure > General settings to check the local credential.

3)   SSH to the device and log in with the local credential.

4)   Type the CLI command Router> show sdwan interface to check the available interfaces.

Now we can start capturing packets on the device to analyze and sniff network traffic. In the following examples, we use commands to capture packets on the lan1 interface. Note that you need to enter vlan3222 instead of lan1.

Basic filter syntax - packet-trace interface [interface name]

Capture packets on:

Specific interface

-Router> packet-trace interface vlan3222

Specific source IP

-Router> packet-trace interface vlan3222 src-host X.X.X.X

Specific destination IP

-Router> packet-trace interface vlan3222 dst-host X.X.X.X

Specific service port

-Router> packet-trace interface vlan3222 port XXXXX

Specific IP protocol

-Router> packet-trace interface vlan3222 ip-proto [icmp|esp|ah|tcp|udp|gre]

The protocol name can also be replaced by the protocol number,

e.g. protocol number 1 = ICMP

Extension filter syntax - packet-trace interface [interface name] extension-filter

Apply filter for ICMP

-Router> packet-trace interface vlan3222 extension-filter icmp

Apply filter for ARP

-Router> packet-trace interface vlan3222 extension-filter arp

Apply filter for specific IP

-Router> packet-trace interface vlan3222 extension-filter host X.X.X.X

Apply filter for dst/src IP

-Router> packet-trace interface vlan3222 extension-filter [dst|src] X.X.X.X

Apply filter for subnet

-Router> packet-trace interface vlan3222 extension-filter X.X.X.X/n (n = mask length)

Apply filter for tcp/udp service port

-Router> packet-trace interface vlan3222 extension-filter [udp|tcp] port XXXXX

Combination

And

-Router> packet-trace interface vlan3222 extension-filter host 192.168.1.33 and port 80

Or

-Router> packet-trace interface vlan3222 extension-filter dst 8.8.8.8 or dst 168.95.1.1

Except

-Router> packet-trace interface vlan3222 extension-filter host 8.8.8.8 and not icmp
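The extension-filter examples above use the tcpdump/BPF filter style (host, src, dst, port and protocol-name primitives combined with and, or and not). The following Python script is an added example written to illustrate this post; it is not Zyxel code. It parses such an expression with tcpdump's operator precedence (or binds loosest, then and, then not) and runs it against a handful of constructed sample packets, so you can check which traffic a filter matches before typing it on the firewall. The Packet model and the sample traffic are assumptions; the net keyword and the ip primitive are tcpdump primitives added beyond the examples in the post, and whether packet-trace accepts exactly this grammar is inferred from the post's examples, not from Zyxel documentation.

```python
# Added illustration, not Zyxel code: evaluates extension-filter expressions against
# constructed packets, assuming the tcpdump/BPF-style grammar the post's examples use.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str                  # "tcp", "udp", "icmp" or "arp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

# Constructed sample traffic (not a capture from a real device).
SAMPLE = [
    Packet("tcp", "192.168.1.33", "93.184.216.34", 51000, 80),
    Packet("udp", "192.168.1.33", "8.8.8.8", 51001, 53),
    Packet("udp", "192.168.1.50", "168.95.1.1", 51002, 53),
    Packet("icmp", "192.168.1.50", "8.8.8.8"),
    Packet("tcp", "10.0.0.5", "8.8.8.8", 40000, 443),
    Packet("arp", "192.168.1.1", "192.168.1.33"),
]

class FilterParser:
    """Recursive descent with tcpdump precedence: or < and < not < primitive."""
    def __init__(self, expr: str):
        self.toks = expr.split()
        self.i = 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None
    def take(self):
        if self.peek() is None:
            raise ValueError("unexpected end of filter")
        self.i += 1
        return self.toks[self.i - 1]
    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:           # e.g. two primitives without and/or
            raise ValueError(f"unexpected token {self.peek()!r}")
        return node
    def parse_or(self):
        left = self.parse_and()
        while self.peek() == "or":
            self.take()
            left = ("or", left, self.parse_and())
        return left
    def parse_and(self):
        left = self.parse_not()
        while self.peek() == "and":
            self.take()
            left = ("and", left, self.parse_not())
        return left
    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return ("not", self.parse_not())
        return self.parse_primary()
    def parse_primary(self):
        tok = self.take()
        if tok in ("host", "src", "dst", "net"):
            return (tok, self.take())
        if "/" in tok:                        # bare X.X.X.X/n as written in the post
            return ("net", tok)
        if tok == "port":
            return ("port", int(self.take()))
        if tok in ("tcp", "udp", "icmp", "arp", "ip"):
            if self.peek() == "port":         # "tcp port 80" / "udp port 53"
                self.take()
                return ("and", ("proto", tok), ("port", int(self.take())))
            return ("proto", tok)
        raise ValueError(f"unknown primitive {tok!r}")

def matches(node, pkt: Packet) -> bool:
    """Evaluate a parsed filter tree against one packet."""
    kind, *args = node
    if kind == "or":
        return matches(args[0], pkt) or matches(args[1], pkt)
    if kind == "and":
        return matches(args[0], pkt) and matches(args[1], pkt)
    if kind == "not":
        return not matches(args[0], pkt)
    if kind == "host":
        return args[0] in (pkt.src, pkt.dst)
    if kind in ("src", "dst"):
        return getattr(pkt, kind) == args[0]
    if kind == "net":
        net = ipaddress.ip_network(args[0], strict=False)
        return any(ipaddress.ip_address(a) in net for a in (pkt.src, pkt.dst))
    if kind == "port":
        return args[0] in (pkt.sport, pkt.dport)
    if kind == "proto":                       # "ip" matches any non-ARP packet
        return pkt.proto != "arp" if args[0] == "ip" else pkt.proto == args[0]
    raise ValueError(f"unknown node {kind!r}")

def apply_filter(expr: str, packets=SAMPLE):
    """Return the sample packets an extension-filter expression would capture."""
    tree = FilterParser(expr).parse()
    return [p for p in packets if matches(tree, p)]
```

With the sample traffic, apply_filter("host 8.8.8.8 and not icmp") returns the UDP and TCP packets to 8.8.8.8 and drops the ICMP one, while "dst 8.8.8.8 or dst 168.95.1.1" returns all four packets to either resolver. Two primitives written back to back without and/or (for example "host 8.8.8.8 port 80") raise ValueError, which is the same kind of syntax mistake that the device CLI would reject.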