
TDA 2.5






Presentation Transcript


  1. TDA 2.5 Debug tool and Known issues
     CellinaNCSG QA

  2. Agenda
     • Debug Portal and Feature
     • Traffic Flow Status
     • Reset to Factory Default
     • Known Issues Summary
  Classification

  3. Debug Portal and Feature
     • Debug Portal URL: https://[TDA_IP]/html/rdqa.htm
     • CAV Log Enable/Disable
     • CAV Rule Enable/Disable
     • Debug Log
     • Log Transmission Setting
     • tcpdump
     • Kernel Module Status
     • System Process Status: ATOP, ps

  4. Debug Portal and Feature (Cont)
     • CAV Log Enable/Disable
       • VSAPI – VSAPI virus logging
       • Network Virus – network virus logging
       • Potential Threat – CAV rules matching
       • TMUFE query – TMUFE URL query

  5. Debug Portal and Feature (Cont)
     • Threat Detection Settings: Enable Threat Detection
       • VSAPI – VSAPI virus logging
       • Network Virus – network virus logging
       • Potential Threat – CAV rules matching (OCS rules not included)

  6. Debug Portal and Feature (Cont)
     • CAV Rule Enable/Disable
       • Customized activated rule set
       • A pattern (NCCP) update will overwrite the customization

  7. Debug Portal and Feature (Cont)
     • Debug Log
       • Change the debug level to 4 and save
       • Select “export debug log” and export
       • Reset Debug Log
       • Change the level back to 1 after the export

  8. Debug Portal and Feature (Cont)
     • tcpdump
       • Use when no SSH connection to TDA is allowed and you need to sniff the packets that TDA monitors
       • Select the target interface and start
       • Export the file (tcpdump.tgz)
       • “tcpdump.cap” is the latest capture
       • Cap files are rotated
       • Reset after export

  9. Debug Portal and Feature (Cont)
     • Kernel Module Status
       • Observe the statistic counts for network connections and memory usage
       • conntrack_count is the total number of connections monitored
       • ESTABLISHED is the total number of connections in the TCP established state
       • If ESTABLISHED is relatively low, there is a deployment or switch setting problem

  10. Debug Portal and Feature (Cont)
     • TDA must monitor the complete data flow of a TCP connection

  11. Debug Portal and Feature (Cont)
     • SYN flood protection
       • Too many syn_conntrack entries indicate that TDA may be under a SYN flood or DDoS attack
       • TDA can survive and keep working under a packet rate < 200,000 and 1,000,000 SYN packets

  12. Debug Portal and Feature (Cont)
     • Memory protection
       • When too much user memory is used, TDA drops the oldest session
       • Too much user memory used: nr_pages >= 4730M
       • Usually means the application is too busy and slow
       • tail -f /var/log/kernel.log

  13. Debug Portal and Feature (Cont)
     • Memory protection
       • When kernel memory is insufficient or too much of it is used, TDA drops the oldest session
       • Too much kernel memory used: sum of nr_xx_bytes > 550M
       • Usually means the throughput is too high

  14. Debug Portal and Feature (Cont)
     • Connection track capacity
         ~# cat /proc/sys/net/toe/conntrack_max
         128000

  15. Debug Portal and Feature (Cont)
     • Network Flow Status
       • TDA periodically detects whether packets or connections are being dropped because of TDA memory protection or because traffic exceeds the connection track table capacity
       • Network Flow turns red if packets or sessions keep dropping for more than 1 minute
       • TDA detection is not guaranteed under such a condition
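A health check over the counters described on slides 9 to 15, written here as an added example (it is not a TDA tool): it applies the thresholds quoted on these slides (conntrack_max 128000, nr_pages >= 4730M, sum of nr_xx_bytes > 550M) to a constructed sample of Kernel Module Status counters. The dump format, the counter names not shown on the slides (syn_conntrack, nr_skb_bytes, nr_data_bytes) and the ratio cut-offs used for "relatively low ESTABLISHED", "near capacity" and "too many SYN conntracks" are assumptions.

```shell
#!/bin/sh
# Added example: health check over TDA "Kernel Module Status" style counters.
# Constructed sample; the real export format is not shown on the slides, and
# the field names syn_conntrack, nr_skb_bytes and nr_data_bytes are assumed.
TDA_STATS_SAMPLE='conntrack_count 121500
ESTABLISHED 3200
syn_conntrack 95000
nr_pages 4800M
nr_skb_bytes 300M
nr_data_bytes 280M'

# A second constructed sample that should pass every check.
TDA_STATS_HEALTHY='conntrack_count 40000
ESTABLISHED 25000
syn_conntrack 2000
nr_pages 2100M
nr_skb_bytes 120M
nr_data_bytes 90M'

# On the appliance this comes from /proc/sys/net/toe/conntrack_max (slide 14).
CONNTRACK_MAX=${CONNTRACK_MAX:-128000}

# tda_health STATS_TEXT: prints one finding per line; returns 1 if any finding.
# Thresholds: slide values for memory; the 90%, 10% and 50% ratios are assumed.
tda_health() {
    printf '%s\n' "$1" | awk -v max="$CONNTRACK_MAX" '
        { sub(/M$/, "", $2); v[$1] = $2 + 0 }          # strip the M unit
        /^nr_.*_bytes/ { kbytes += $2 + 0 }             # sum of nr_xx_bytes
        END {
            rc = 0
            if (v["conntrack_count"] > 0.9 * max) {
                print "WARN conntrack table near capacity: " v["conntrack_count"] "/" max; rc = 1 }
            if (v["conntrack_count"] > 0 && v["ESTABLISHED"] / v["conntrack_count"] < 0.1) {
                print "WARN ESTABLISHED low vs conntrack_count: deployment or switch setting problem"; rc = 1 }
            if (v["syn_conntrack"] > 0.5 * max) {
                print "WARN many SYN conntracks: possible SYN flood or DDoS"; rc = 1 }
            if (v["nr_pages"] >= 4730) {
                print "WARN user memory nr_pages " v["nr_pages"] "M >= 4730M: oldest sessions dropped"; rc = 1 }
            if (kbytes > 550) {
                print "WARN kernel memory " kbytes "M > 550M: throughput too high"; rc = 1 }
            exit rc
        }'
}

tda_health "$TDA_STATS_SAMPLE" || echo "findings above: expect Network Flow Status to turn red"
tda_health "$TDA_STATS_HEALTHY" && echo "healthy sample: no findings"
```

On a real appliance, feed the function the counters exported from the debug portal and set CONNTRACK_MAX from /proc/sys/net/toe/conntrack_max instead of the default.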

  16. Debug Portal and Feature (Cont)
     • ATOP
       • Linux atop command
       • CPU usage
       • System memory
       • Layer 2 throughput
       • See which interfaces are connected
       • Process status

  17. Reset to factory default
     • Required when moving a TDA appliance from one pilot customer to another
       • Resets TDA’s GUID
       • Otherwise it will confuse the backend TMSP system
     • Procedure
       • Ensure the serial console is ready
       • Reset TDA
       • In the serial console, during GRUB loading, press ESC to enter the menu
       • Select 3) Restore to factory mode

  18. Reset to factory default (Cont)

  19. Known Issues Summary
     • Detection in FTP protocol
       • File download in active mode
         • Protocol shown as “FTP”
         • All file types supported
       • File upload in active mode or passive mode
         • Protocol shown as “File Transfer”
         • Only certain true file types are supported: zip, rar, msft, office, pdf, rtf, exe

  20. Known Issues Summary
     • TDVA firmware update
       • Cannot update firmware if VMI is enabled
       • Same as VMware Workstation
     • TMSP communication channel
       • Only HTTP proxy is supported
       • Only basic authentication on the proxy server is supported
     • Does not support TDVA Lite migration to TDA 2.5
     • Does not support firmware update through the Firefox browser

  21. Thank You
