Troubleshooting guide

Appendix A: State Tables for VPN-1/FireWall-1 4.0 Security Server and Authentication tables
Advanced Technical Reference Guide 4.1 June 2000 163
Example
attributes: sync expires 60
<00000002, c0a80c01; 00000005, 00000384; 57/60>
<00000002, c0a80c01, 00000001; 00000005, 00000384, 8029dc98; 55/60>
<000000002, c0a80c01, c073cd59, 00000050, 00000006, 00000000; 00000005, 00000384; 53/60>
<000000002, c0a80c01, c073cd59, 00000050, 00000006, 00000000, 00000001; 00000005, 00000384, 8029dc98; 47/60>
The client_auth table uses one of the following formats.
In the case of standard sign on (line 1 in the above example):
<rule number, IP address that is now authenticated for access; # of allowed sessions left, seconds until next
client authentication; time left/total time>
Standard sign on entries use the rule number and source IP address as the two keys, and the values are the
number of allowed sessions and the time until the client’s next authentication.
In the case of specific sign on (line 3 in the above example):
<rule number, IP address that is now authenticated for access; destination IP address that can be accessed,
destination port, IP protocol, RPC connection; # of allowed sessions left, time until user reauthentication; time
left/total time>
The RPC connection field is set to 1 if the connection is an RPC connection; otherwise it is set to 0.
Specific sign-on entries have the same values, but the keys are: <rule #, src, dst, dport, ip_p, is_rpc>.
Each of the above entries will have an additional key field whose value is 1 if it corresponds to a Single Sign-On
using UAM. In that case the entry will also have an additional value, which is a pointer to a buffer where the
user ID is stored (fields 3 and 6 in line 2 above, and fields 7 and 10 in line 4 above).
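The following Python decoder is an added example, not part of the original guide or of the product's tooling. It parses client_auth entries according to the formats described above and tells the four variants apart by key count. The function name and the result field names other than rule, src, dst, dport, ip_p and is_rpc are assumptions of this example.

```python
import ipaddress
import re

# Key layouts as described above: <rule #, src> or <rule #, src, dst, dport, ip_p, is_rpc>.
STANDARD_KEYS = ("rule", "src")
SPECIFIC_KEYS = ("rule", "src", "dst", "dport", "ip_p", "is_rpc")

# Entries copied from the example above (wrapped lines joined).
SAMPLE = [
    "<00000002, c0a80c01; 00000005, 00000384; 57/60>",
    "<00000002, c0a80c01, 00000001; 00000005, 00000384, 8029dc98; 55/60>",
    "<000000002, c0a80c01, c073cd59, 00000050, 00000006, 00000000; 00000005, 00000384; 53/60>",
    "<000000002, c0a80c01, c073cd59, 00000050, 00000006, 00000000, 00000001; 00000005, 00000384, 8029dc98; 47/60>",
]

def parse_client_auth(entry):
    """Decode one '<keys; values; left/total>' client_auth entry into a dict."""
    m = re.fullmatch(r"\s*<(.*)>\s*", entry, re.S)
    if not m or m.group(1).count(";") != 2:
        raise ValueError("not a client_auth entry: %r" % entry)
    key_s, val_s, time_s = m.group(1).split(";")
    keys = [int(f, 16) for f in key_s.split(",")]      # table fields are hex
    vals = [int(f, 16) for f in val_s.split(",")]
    left, total = (int(n) for n in time_s.split("/"))  # timeout is decimal
    # 2 or 6 keys = plain entry; one extra key (3 or 7) = Single Sign-On flag.
    names = {2: STANDARD_KEYS, 3: STANDARD_KEYS,
             6: SPECIFIC_KEYS, 7: SPECIFIC_KEYS}.get(len(keys))
    if names is None:
        raise ValueError("unexpected key count %d" % len(keys))
    has_extra = len(keys) == len(names) + 1
    if len(vals) != (3 if has_extra else 2):
        raise ValueError("value count does not match key layout")
    out = dict(zip(names, keys))
    for f in ("src", "dst"):
        if f in out:
            out[f] = str(ipaddress.IPv4Address(out[f]))
    if "is_rpc" in out:
        out["is_rpc"] = out["is_rpc"] == 1
    out.update(sign_on="standard" if names is STANDARD_KEYS else "specific",
               sso=has_extra and keys[-1] == 1,
               uid_ptr=vals[2] if has_extra else None,
               sessions_left=vals[0], reauth_time=vals[1],
               left=left, total=total)
    return out

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_client_auth(line))
```

An entry whose value count does not fit the key layout (for example, a line pasted from a different table) raises ValueError instead of being decoded with the wrong field meanings.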
client_was_auth table
The client_was_auth table includes information about the port to which each user-authenticated connection
should be folded.
Example
attributes: refresh expires 1800
<c0a80e1f, 00000017; 00008235; 1759/1800>
The client_was_auth table uses the following format:
<source IP address, original destination port (authenticated service port number); folded destination port; time
left/total time>
proxied_conns table
The proxied_conns table helps to keep alive proxied (folded) connections after a reinstallation of policy, by
storing the connection information in this table.
Example
attributes: keep
<c0a83005, 0000044d, c0a83001, 00000442, 00000006; 00000150, 00000000, 00000000>
<00000000, 00000555, c0a81e16, 00000015, 00000006; 00000150, c0a83005, 0000044d>