Troubleshooting Network Problems Using Security and Analytics Logging Events
Here is a basic framework you can use to troubleshoot network problems using the Events Viewer.
This scenario assumes that your network operations team has had a report that a user can't access a resource on the network. Based on the user reporting the issue and their location, the network operations team has a reasonable idea of which firewall controls their access to resources.
Note | This scenario also assumes that an FDM-managed device is the firewall managing the network traffic. Security Analytics and Logging does not collect logging information from other device types. |
Procedure
Step 1 | Click the Historical tab. |
Step 2 | Start filtering events by Time Range. By default, the Historical tab shows the last hour of events. If that is the correct time range, enter the current date and time as the End time. If that is not the correct time range, enter a start and end time encompassing the time of the reported issue. |
Step 3 | Enter the IP address of the firewall that you suspect is controlling the user's access in the Sensor ID field. If it could be more than one firewall, filter events using attribute:value pairs in the search bar. Make two entries and combine them with an OR statement. For example: |
Step 4 | Enter the user's IP address in the Source IP field in the Events filter bar. |
Step 5 | If the user can't access a resource, try entering that resource's IP address in the Destination IP field. |
Step 6 | Expand the events in the results and look at their details. Here are some details to look at: |
Step 7 | If the rule action is preventing access, look at the FirewallRule and FirewallPolicy fields to identify the rule in the policy that is blocking access. |
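The same narrowing-down logic applied offline to exported events, as an added example that is not part of the original page or of Security Analytics and Logging itself: the event records and the field names SensorID, SourceIP, DestinationIP, Timestamp, Action, FirewallRule and FirewallPolicy are constructed assumptions modelled on the Event Viewer columns named in the steps above.

```python
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed sample events (not real Security Analytics and Logging output).
# Field names are assumptions modelled on the Event Viewer columns above.
SAMPLE_EVENTS = [
    {"Timestamp": "2023-05-01T10:02:00Z", "SensorID": "192.0.2.10", "SourceIP": "10.1.1.25",
     "DestinationIP": "10.2.2.50", "Action": "Allow", "FirewallRule": "Inside-Out", "FirewallPolicy": "Default"},
    {"Timestamp": "2023-05-01T10:05:00Z", "SensorID": "192.0.2.11", "SourceIP": "10.1.1.25",
     "DestinationIP": "10.2.2.80", "Action": "Block", "FirewallRule": "Deny-Finance", "FirewallPolicy": "Branch-Policy"},
    {"Timestamp": "2023-05-01T08:00:00Z", "SensorID": "192.0.2.11", "SourceIP": "10.1.1.25",
     "DestinationIP": "10.2.2.80", "Action": "Block", "FirewallRule": "Old-Rule", "FirewallPolicy": "Branch-Policy"},
    {"Timestamp": "2023-05-01T10:06:00Z", "SensorID": "192.0.2.99", "SourceIP": "10.1.1.25",
     "DestinationIP": "10.2.2.80", "Action": "Block", "FirewallRule": "Other", "FirewallPolicy": "Other-Policy"},
]

def _ts(s):
    # Timestamps are assumed to be UTC in ISO-8601 "Z" form.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def filter_events(events, start, end, sensor_ids, source_ip, destination_ip=None):
    """Steps 2-5: time range, one or more sensors (OR), source IP, optional destination IP."""
    t0, t1 = _ts(start), _ts(end)
    # Normalise addresses so "010.1.1.25" and "10.1.1.25" compare equal.
    sensors = {str(ip_address(s)) for s in sensor_ids}
    src = str(ip_address(source_ip))
    dst = str(ip_address(destination_ip)) if destination_ip else None
    hits = []
    for e in events:
        if not (t0 <= _ts(e["Timestamp"]) <= t1):
            continue
        if str(ip_address(e["SensorID"])) not in sensors or str(ip_address(e["SourceIP"])) != src:
            continue
        if dst and str(ip_address(e["DestinationIP"])) != dst:
            continue
        hits.append(e)
    return hits

def blocking_rules(events):
    """Step 7: (FirewallPolicy, FirewallRule) pairs whose action prevented access."""
    return sorted({(e["FirewallPolicy"], e["FirewallRule"]) for e in events if e["Action"] == "Block"})

if __name__ == "__main__":
    hits = filter_events(SAMPLE_EVENTS, "2023-05-01T09:30:00Z", "2023-05-01T10:30:00Z",
                         ["192.0.2.10", "192.0.2.11"], "10.1.1.25", "10.2.2.80")
    print(blocking_rules(hits))
```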