Run Network Diagnostic Tasks on a Cloud-Managed Firebox

Applies To: Cloud-managed Fireboxes

To run network diagnostics tasks for a cloud-managed Firebox, you can connect to Fireware Web UI on the Firebox. For information about Fireware Web UI, see About Fireware Web UI for a Cloud-Managed Firebox.

You can use network diagnostics to test and troubleshoot network connectivity from the Firebox. This is useful if the Firebox cannot connect to WatchGuard Cloud.

Run Network Diagnostics Tasks

To run Network Diagnostics tasks on the Firebox, you must connect to the Firebox and log in to Fireware Web UI.

To log in to Fireware Web UI for a cloud-managed Firebox:

  1. From a computer on a network connected to the cloud-managed Firebox, open a web browser.
  2. In the web browser, go to https://<firebox IP address>:8080.
    The Fireware Web UI login page opens.
  3. Log in with the user name admin and the admin user account password you set for this device in WatchGuard Cloud.

To run network diagnostic tasks:

  1. In Fireware Web UI, select Diagnostics.
    The Diagnostics page opens with the Diagnostics File tab selected.
  2. On the Diagnostics page, select the Network tab.

Screen shot of the Fireware Web UI Diagnostics page, Network tab

  3. Run a diagnostic task, as described in the next sections.

Run a Basic Diagnostics Command

  1. From the Task drop-down list, select a command:
    • Ping
    • traceroute
    • DNS Lookup
    • TCP Dump
    If you select Ping, traceroute, or DNS Lookup, the Address text box appears.
    If you select TCP Dump, the Interface text box appears.
  2. If you select Ping, traceroute, or DNS Lookup, in the Address text box, type an IP address or host name.
    If you select TCP Dump, from the Interface drop-down list, select an interface.
  3. Click Run Task.
    The output of the command appears in the Results window and the Stop Task button appears.
  4. To stop the diagnostic task, click Stop Task.

Use Command Arguments

  1. From the Task drop-down list, select a command:
    • Ping
    • traceroute
    • DNS Lookup
    • TCP Dump
  2. Select the Advanced Options check box.
    The Arguments text box is enabled and the Address or Interface text box is disabled.
  3. In the Arguments text box, type the command arguments.
    To see the available arguments for a command, leave the Arguments text box empty.
  4. Click Run Task.
    The output of the command appears in the Results window and the Stop Task button appears.
  5. To stop the diagnostic task, click Stop Task.

Find the IP Address for a Host Name

From your Firebox, you can use the DNS Lookup task to find which IP address a host name resolves to.

  1. From the Task drop-down list, select DNS Lookup.
    The Address text box appears.
  2. In the Address text box, type the host name.
  3. Click Run Task.
    The IP address for the host name you specified appears in the Results list.

Download a PCAP File

From the Diagnostics page, you can download a packet capture (PCAP) file to help you diagnose problems with the traffic on your network. The PCAP file captures the results of the most recent TCP dump task that you run so you can review the protocols found in the task results outside of the Diagnostics page. If you do not save the TCP dump results to a PCAP file, the results of the TCP dump task are cleared when you run a new diagnostic task.

When you enable Advanced Options to include arguments in the TCP dump task, you must always specify an interface. This can be a physical interface on the Firebox (such as eth0), a Link Aggregation interface (such as bond0), a wireless interface (such as ath0), or a VLAN interface (such as vlan10). If you specify a VLAN or bridge interface, and the traffic matches a proxy rule, TCP dump only captures the first incoming packet on that interface. To capture all packets, you must run the TCP dump task on the physical interface from where the packets originate.

When you create the PCAP file with the TCP dump data, you choose whether to save the file or open it. To open the PCAP file, use a third-party application, such as Wireshark. You can then review the protocols included in the file and resolve issues in your network configuration.

The maximum size of the PCAP file is 30 MB. If your Firebox has limited memory, the size of the PCAP file is constrained relative to the memory available on your device.

To save the TCP dump data directly to a PCAP file:

  1. From the Task drop-down list, select TCP Dump.
    The Interface drop-down list appears.
  2. Select the Advanced Options check box.
    The advanced options appear.

Screen shot of the TCP Dump task settings to generate a PCAP file

  3. In the Arguments text box, type the parameters for the search. Parameters are case sensitive.
    For example, to capture PCAP data for the default external interface, type -ieth0 or -i eth0.
  4. Select the Stream data to a file check box.
  5. Click Run Task.
    The task runs and the Stop Task button and Open or Save File dialog box appear.
  6. Save or open the PCAP file.
    If you choose to save the PCAP file, specify a location to save the file and a name for the file.
    If you choose to open the PCAP file, select the third-party application to use to open the file.
  7. Click OK.
  8. When the TCP dump has collected enough results, click Stop Task.
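
For a quick look at which protocols a saved capture contains before you open it in Wireshark, the following Python script counts packets per protocol and reports whether the file ends partway through a packet record. It is an added example, not WatchGuard code. It assumes the downloaded file uses the classic libpcap format with an Ethernet link type; the function names and the sample capture bytes are constructed for illustration.

```python
import struct
from collections import Counter

IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP", 58: "ICMPv6"}
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",   # little-endian (us / ns)
         b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}   # big-endian (us / ns)

def classify(frame: bytes) -> str:
    """Name the protocol carried by one Ethernet frame."""
    if len(frame) < 14:
        return "short-frame"
    ethertype, l3 = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:       # 802.1Q VLAN tag: skip 4 bytes
        ethertype, l3 = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype == 0x0806:
        return "ARP"
    if ethertype == 0x0800 and len(frame) >= l3 + 10:  # IPv4: protocol is byte 9
        return IP_PROTO.get(frame[l3 + 9], f"IPv4-proto-{frame[l3 + 9]}")
    if ethertype == 0x86DD and len(frame) >= l3 + 7:   # IPv6: next header is byte 6
        return IP_PROTO.get(frame[l3 + 6], f"IPv6-next-{frame[l3 + 6]}")
    return f"ethertype-0x{ethertype:04x}"

def summarize_pcap(data: bytes) -> dict:
    """Count packets per protocol in a classic pcap file with Ethernet link type."""
    endian = MAGIC.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("unsupported link type (only Ethernet is handled)")
    counts, offset, truncated = Counter(), 24, False
    while offset < len(data):
        header = data[offset:offset + 16]
        incl_len = struct.unpack(endian + "I", header[8:12])[0] if len(header) == 16 else 0
        frame = data[offset + 16:offset + 16 + incl_len]
        if len(header) < 16 or len(frame) < incl_len:  # file ends mid-record
            truncated = True
            break
        counts[classify(frame)] += 1
        offset += 16 + incl_len
    return {"packets": sum(counts.values()), "protocols": dict(counts), "truncated": truncated}

# Constructed sample capture (not real traffic): TCP, VLAN-tagged UDP, ARP, one cut-off record.
def _ipv4(proto): return bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, proto, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2])
def _rec(frame): return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
MACS = bytes(12)
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
          + _rec(MACS + b"\x08\x00" + _ipv4(6))
          + _rec(MACS + b"\x81\x00\x00\x0a\x08\x00" + _ipv4(17))
          + _rec(MACS + b"\x08\x06" + bytes(28))
          + struct.pack("<IIII", 0, 0, 60, 60) + bytes(10))
```

To use it on a saved capture, read the file in binary mode and pass the bytes to summarize_pcap.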

See Also

About WatchGuard Cloud

Recover the Firebox Connection to WatchGuard Cloud