Troubleshooting

This topic describes common procedures used when troubleshooting AFA.

Tip: To view a training video that follows an Information Security Officer troubleshooting common issues that may be preventing him from monitoring and analyzing several types of security devices, see Performing Basic AFA Troubleshooting.

Troubleshooting and maintenance permissions

Troubleshooting and day-to-day system maintenance may require permissions to perform the following steps or access the following directories:

Stop/Start/Restart services

Users may need to stop/start/restart the following services:

  • httpd
  • apache-tomcat
  • crond
  • syslog-ng
  • iptables

Files and folders

Users may need to copy files from various locations (for example, /tmp), run mv, rm, and mkdir, and run chmod, chown, and chattr on the following paths:

  • /usr/share/fa/* (all sub-tree)
  • /home/afa/algosec/syslog_processor/*
  • /home/afa
  • /home/afa/.fa
  • /home/afa/.fa/firewalls/*

Run various commands

Users may be required to run the following commands:

  • crontab -e -u afa
  • vi /etc/ntp.conf
  • vi /etc/hosts
  • vi /etc/security/limits.conf
  • kill -9 / pkill -9
  • screen
  • strace

In addition, they may be required to modify the iptables configuration on the AlgoSec appliance/VM.

Sync AFA and FireFlow DB passwords

Some support cases may require performing a sync between the Firewall Analyzer and FireFlow DB passwords.

To do this, run the following commands from the root user SSH CLI:

# Read the encrypted FireFlow DB password, decrypt it, set it for the AFA DB user,
# and store the same encrypted value in the AFA configuration file.
FA_USER='afa'
FA_CONF_FILE="/home/$FA_USER/.fa/config"
FIREFLOW_SITE_CONFIG='/usr/share/fireflow/local/etc/site/FireFlow_SiteConfig.pm'

# Encrypted password as stored in the FireFlow site configuration
DB_ENC_PASS=$(awk -F"'" '/FireFlowDatabasePasswordEncrypted/ {print $2;exit}' "$FIREFLOW_SITE_CONFIG")

# Decrypt it as the afa user; psql reads PGPASSWORD for the connection below
PGPASSWORD=$(/usr/bin/sudo -H -u "$FA_USER" /usr/share/fa/bin/fa_password -decrypt "$DB_ENC_PASS" 2>/dev/null)
export PGPASSWORD

# Set the decrypted password for the AFA database user
psql -U postgres -c "alter user $FA_USER with password '${PGPASSWORD}';"

# Record the same encrypted value in the AFA configuration file
sed -i "s/^DB_password=.*/DB_password=$DB_ENC_PASS/" "$FA_CONF_FILE"
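An added check, not AlgoSec's own code, that verifies the outcome of the sync above without touching the database: after the procedure, the DB_password value in the AFA config equals the FireFlowDatabasePasswordEncrypted value in the FireFlow site config, so comparing the two files shows whether the sync is still in place. The Set(...) line format of the site config and both sample files are constructed assumptions.

```shell
#!/bin/bash
# Added example (not AlgoSec code): compare the encrypted DB password held in
# FireFlow_SiteConfig.pm with the DB_password line of the AFA config file.
# Paths are parameters so the check can run against copies of the files.

# Extract the encrypted password from the FireFlow site config
# (same awk as the sync procedure: the value is the second single-quoted field).
fireflow_enc_pass() {
    awk -F"'" '/FireFlowDatabasePasswordEncrypted/ {print $2; exit}' "$1"
}

# Extract the DB_password value from the AFA config file (key=value line).
afa_enc_pass() {
    sed -n 's/^DB_password=//p' "$1" | head -n 1
}

# Return 0 when both files hold the same non-empty encrypted value, 1 otherwise.
db_passwords_in_sync() {
    local ff afa
    ff=$(fireflow_enc_pass "$1")
    afa=$(afa_enc_pass "$2")
    [ -n "$ff" ] && [ "$ff" = "$afa" ]
}

# Constructed sample files (assumed layout; not real AlgoSec configs or passwords).
demo_dir=$(mktemp -d)
cat > "$demo_dir/FireFlow_SiteConfig.pm" <<'EOF'
Set($FireFlowDatabasePasswordEncrypted, 'ENCRYPTED_SAMPLE_VALUE');
EOF
printf 'DB_user=afa\nDB_password=ENCRYPTED_SAMPLE_VALUE\n' > "$demo_dir/config.synced"
printf 'DB_user=afa\nDB_password=OLD_VALUE\n' > "$demo_dir/config.stale"

if db_passwords_in_sync "$demo_dir/FireFlow_SiteConfig.pm" "$demo_dir/config.synced"; then
    echo "config.synced: AFA and FireFlow DB passwords are in sync"
fi
if ! db_passwords_in_sync "$demo_dir/FireFlow_SiteConfig.pm" "$demo_dir/config.stale"; then
    echo "config.stale: out of sync, run the sync procedure"
fi
```

On an appliance, point the two arguments at the real FireFlow_SiteConfig.pm and /home/afa/.fa/config paths from the procedure above.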


Entering and exiting debug mode

AlgoSec Support may request that you enter Debug mode.

Enter Debug mode

Click your username in the toolbar and then click Info.

In the Info dialog, click Enter Debug Mode.

Exit Debug mode

Click your username in the toolbar and then click Info.

In the Info dialog, click Exit Debug Mode.


Contact technical support

Contact AlgoSec support to open a new case or update an existing case.

Open a new case from the AlgoSec Portal > Support > Submit a Support Case.

You may be requested to send one of the following sets of files:

GUI-related issues

algosec-support-gui.zip

For details, see Download general log files.

If the algosec-support-gui.zip file is unavailable, send the following files instead:

  • .fa-history
  • fa-install.log
  • .ht-fa-history

For more details, see Access log and configuration files.

All other issues

algosec-support.zip

For details, see Download report log files.

If the algosec-support.zip file is unavailable, send the following files instead:

  • fa-install.log
  • .fa-history
  • log.html
  • index.html
  • .ht-fa-history

For more details, see Access log and configuration files.

For more details, see the AlgoSec Portal > Support > Support Home.


Access log and configuration files

Note: Accessing the device configuration and log files requires configuration and logs privileges. For more details, see Manage users and roles in AFA.

The following table lists log and configuration files useful when troubleshooting AFA.

File Name: algosec-support.zip

Description: An archive file that includes the following report and general log files:

  • fa-history
  • fa-install.log
  • ht-fa-history
  • log.html
  • fwa_monitor.history

Note: The fwa_monitor.history file may be missing if the file report has a status of FAILED, or if you encounter problems during the installation or licensing stages.

Location: $HOME/algosec/firewalls/<job-name>/

Where <job-name> is the Job Name of the report. The Job Name consists of the user login name followed by a hyphen and an integer. Example: afa-3

File Name: algosec-support-gui.zip

Description: An archive file that includes:

  • fa-history
  • fa-install.log
  • ht-fa-history
  • map.sqlite
  • dump_nat_data

Location: Download from AFA. For details, see Download general log files.

File Name: log.html

Description: The report log file.

Note: This file may be missing if the file report has a status of FAILED.

Location: $HOME/algosec/firewalls/<job-name>/

For details, see:

File Name: algosec-support-full-ENTITY_NAME.zip

Description: Full support data files which include:

  • report log files
  • full firewall configuration

Location: Download from the device report. For details, see Download full support files.

File Name: algosec-support-full-ENTITY_NAME-withlogs.zip

Description: Full support data files which include:

  • report log files
  • full firewall configuration
  • traffic logs

Location: Download from the device report. For details, see Download full support files.

File Name: messages

Description: All syslog messages. For details, see AFA analysis syslog messages.

Location: /var/log/

File Name: fa-install.log

Description: The AFA installation log.

Location: /var/log/

File Name: fa-history

Description: The AFA application's history file.

Location: $HOME/

This file is hidden by default. To view, run:

ls -a $HOME/.fa-history

File Name: ht-fa-history

Description: The Web interface's log file.

Location: $HOME/public_html/algosec/

This file is hidden by default. To view, run:

ls -a $HOME/public_html/algosec/.ht-fa-history

File Name: map.sqlite

Description: The database of the map.

Location: $HOME/.fa/map.sqlite

File Name: dump_nat_data

Description: Dump of NAT related tables.

File Name: index.html

Description: The report main index file. This serves as the log file if analysis failed.

Location: $HOME/algosec/firewalls/<job-name>/

Note: You'll need to access the log files directly if the ASMS web interface isn't available, or if the algosec-support.zip archive is missing. This may happen if a report has failed, or if you've encountered issues during installation or licensing.

For more details, see:

View report log files

Report log files are accessed from a specific AFA report.

Do the following:

  1. View the report. For details, see AFA reports.

  2. In the report menu, click Policy.

  3. In the Report Information area, click the Log File link.

The log file appears. All messages are prefixed with one of the following severity tags:

Severity Level: Info

Description: Normal information messages and notification of events. No user action is required.

Severity Level: Warning

Description: AFA took corrective action to remedy a problem that was encountered. Usually, no user action is required unless the report failed to generate, in which case the log file should be sent to AlgoSec Technical Support. For more details, see Contact technical support.

Severity Level: Error

Description: A problem that prevented the report from being generated occurred. Contact AlgoSec Technical Support. For more details, see Contact technical support.

Severity Level: Fatal

Description: A severe error condition required an immediate halt to the report generation process. Contact AlgoSec Technical Support. For more details, see Contact technical support.
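An added triage helper, not AlgoSec's own code, that applies the severity rules above to a report log: it tallies the tags and flags the log for support when it holds an Error or Fatal message, or a Warning together with a FAILED report status. It assumes each message line starts with its tag followed by a colon; the sample log lines are constructed.

```shell
#!/bin/bash
# Added example (not AlgoSec code): tally severity tags in an AFA report log
# and decide whether the log should go to AlgoSec Technical Support.
# Assumed line format: "<Tag>: message", Tag being Info, Warning, Error or Fatal.

# Print "<tag> <count>" for each severity tag present in the log file.
afa_severity_counts() {
    awk -F: '$1 == "Info" || $1 == "Warning" || $1 == "Error" || $1 == "Fatal" { c[$1]++ }
             END { for (t in c) print t, c[t] }' "$1" | sort
}

# Count the lines carrying one tag ($2) in the log file ($1); prints 0 if absent.
afa_count_tag() {
    awk -F: -v tag="$2" '$1 == tag { n++ } END { print n + 0 }' "$1"
}

# $1 = log file, $2 = report status as shown in AFA (for example FAILED).
# Return 0 when the log should be sent to support: any Error or Fatal message,
# or a Warning when the report failed to generate. Return 1 otherwise.
afa_log_needs_support() {
    if [ "$(afa_count_tag "$1" Error)" -gt 0 ] || [ "$(afa_count_tag "$1" Fatal)" -gt 0 ]; then
        return 0
    fi
    [ "$2" = "FAILED" ] && [ "$(afa_count_tag "$1" Warning)" -gt 0 ]
}

# Constructed sample log (not output of a real AFA report).
log=$(mktemp)
cat > "$log" <<'EOF'
Info: Starting analysis of device fw-sample
Warning: Route table entry ignored; using default route instead
Info: Policy loaded, 120 rules
Error: Could not parse NAT table, report generation stopped
EOF

afa_severity_counts "$log"
if afa_log_needs_support "$log" FAILED; then
    echo "send $log to AlgoSec Technical Support"
fi
```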

Download report log files

Report log files are accessed from a specific AFA report.

Do the following:

  1. View the report. For details, see AFA reports.

  2. In the report menu, click Policy.

  3. In the Report Information area, click AlgoSec Support File.

The zip file is downloaded to your computer.

Download full support files

Full support files are accessed from a specific AFA report.

Do the following:

  1. View the report. For details, see AFA reports.

  2. In the report menu, click Policy.

  3. In the Report Information area, click one of the following:

    • Full Support Data with traffic logs (Large)

    • Full Support Data

The zip file is downloaded to your computer.

Download general log files

General log files are useful for troubleshooting interface-related issues.

Do the following:

  1. In the toolbar, click your username, and select Info.

  2. In the Info dialog, click Download Support Files.

  3. Click Download Support Files.

The algosec-support-gui.zip file is downloaded to your computer. It contains the following files:

    • catalina.out
    • configuration_access_log.<date>.txt
    • dump_nat_data
    • fa-history
    • fa-install.log
    • fa/map.sqlite
    • fwa_monitor.history
    • ha-logs.tgz
    • ht-fa-history
    • localhost_access_log.<date>.txt
    • log.html
    • ms-backuprestore.log
    • ms-batch-application.log
    • ms-configuration.log
    • ms-devicemanager.log
    • ms-mapDiagnostics.log
    • ms-watchdog.log
