Troubleshoot Network Connectivity
To test and troubleshoot your network, you can use tools available on your client computer and on your Firebox. For the tests that involve commands issued from a Windows client computer, use a computer on a trusted, optional, or custom network connected to the Firebox.
Network Troubleshooting Tools
Use these tools and methods to test network connectivity and host name resolution on your network. These test methods are referenced in the troubleshooting steps in the next sections.
To ping a host from a Windows computer:
- Locate the search text box in the Windows task bar or Start menu.
- In the search text box, type cmd and press Enter.
  The Command Prompt window opens.
- At the prompt, type ping [destination IP address or host name] and press Enter.
You can use the Ping diagnostic task to send ping packets from the Firebox to an IP address or host name.
In Fireware Web UI:
- Select System Status > Diagnostics.
  The Diagnostics page opens with the Diagnostics File tab selected.
- Select the Network tab.
  The Network page opens.
- From the Task drop-down list, select the Ping command.
  The Address text box opens.
- In the Address text box, type an IP address or host name.
- Click Run Task.
  The output of the command shows in the Results pane.
- To stop the Ping command, click Stop Task.
For more information about diagnostic tasks in Fireware Web UI, go to Run Diagnostic Tasks on Your Firebox.
In Firebox System Manager:
- Select Tools > Diagnostic Tasks.
  The Diagnostic Tasks dialog box opens, with the Ping IPv4 task selected by default.
- In the Address text box, type an IP address or host name.
- Click Run Task.
  The output of the command shows in the Results pane.
For more information about diagnostic tasks in Firebox System Manager, go to Run Diagnostic Tasks to Learn More About Log Messages.
To test host name resolution from a Windows computer:
- Locate the search text box in the Windows task bar or Start menu.
- In the search text box, type cmd and press Enter.
  The Command Prompt window opens.
- At the prompt, type nslookup [destination host name] [optional: DNS server IP address] and press Enter.
You can use the DNS Lookup diagnostic task to test DNS name resolution from the Firebox to a host.
In Fireware Web UI:
- Select System Status > Diagnostics.
  The Diagnostics page opens with the Diagnostics File tab selected.
- Select the Network tab.
  The Network page opens.
- From the Task drop-down list, select DNS Lookup.
  The Address text box opens.
- In the Address text box, type the host name.
- Click Run Task.
  The output of the command shows in the Results pane.
- To stop the DNS Lookup command, click Stop Task.
In Firebox System Manager:
- Select Tools > Diagnostic Tasks.
- From the Task drop-down list, select DNS Lookup.
- In the Address text box, type the host name.
- Click Run Task.
  The output of the command shows in the Results pane.
By default, the Firebox does not create log messages for connections that are allowed by packet filter policies such as the Ping policy. It can be useful to enable logging of allowed packets for a policy such as Ping while you troubleshoot network connectivity issues.
Use these steps to edit the logging settings in a policy so that the Firebox creates log messages for connections that are allowed by the policy.
In Fireware Web UI:
- Select Firewall > Firewall Policies.
  The Policies page opens.
- Click the name of the policy to edit.
  The Firewall Policies > Edit page opens.
- In the Logging section, select the Send a log message check box.
- Click Save to save the configuration change.
In Policy Manager:
- Double-click a policy to edit it.
  The Edit Policy Properties dialog box opens.
- Select the Properties tab.
- Click Logging.
- Select the Send a log message check box.
- Save the configuration to the Firebox.
After you make this change, the Firebox creates log messages for connections allowed by the policy. In Traffic Monitor, you can filter the log messages to view log messages created for connections allowed by a specific policy, or for connections to or from a specific IP address.
In Fireware Web UI:
- Select Dashboard > Traffic Monitor.
- In the filter text box at the top of the page, type a term to show only the log messages that contain that term. For example, this can be the IP address of a computer on your network, a user name, or the name of the policy for which you enabled logging.
- To remove the filter, click .
To learn more about the Traffic Monitor Dashboard, go to Traffic Monitor.
In Firebox System Manager:
- Select the Traffic Monitor tab.
- In the filter text box at the top of the page, type a term to show only the log messages that contain that term. For example, this can be the IP address of a computer on your network, a user name, or the name of the policy for which you enabled logging.
- To remove the filter, click .
To learn more about Traffic Monitor in Firebox System Manager, go to Device Log Messages (Traffic Monitor).
To learn more about how to read a log message, go to Read a Log Message.
To view the network configuration of a Windows computer:
- Locate the search text box in the Windows task bar or Start menu.
- In the search text box, type cmd and press Enter.
  The Command Prompt window opens.
- To view the assigned IP address, subnet mask, and default gateway, at the prompt, type ipconfig and press Enter.
- For more information, including DNS server IP addresses, type ipconfig /all and press Enter.
Troubleshoot Outbound Connections
To identify the cause of Internet connection problems from computers on your local network, start with ping tests from a local computer on your network to the Firebox or a local server on your network. If that is successful, the next step is to test routing and DNS resolution to hosts outside your local network. Use the instructions in the previous section to run the diagnostic commands used in these tests and to look at log messages.
Test 1 — Ping an Internal IP Address
From your local computer, try to ping other internal IP addresses on the same local network. For example, try to ping a local network server, or the IP address of a Firebox internal interface. To start a ping from a Windows computer, use the instructions in the preceding section.
If you cannot ping the internal IP address of the Firebox, this could indicate a problem with the configuration on the Firebox, or a problem with your local network configuration or cabling. To view the IP address and default gateway in the local network configuration of a client computer, from the Windows command prompt, use the ipconfig command.
Look at the ipconfig command output and consider these possible causes for the ping failure:
In the ipconfig command output on the client computer, look for the IPv4 address assigned to the local computer, and the default gateway IP address. The client computer must have an IPv4 address. In most cases, the default gateway must be the IP address of the internal Firebox interface that the local network connects to.
If the client computer uses DHCP to get an IP address, and the ipconfig output shows that no IP address is assigned, verify the configuration of the Firebox interface the local network connects to. Make sure that the DHCP server is enabled and that the DHCP address pool configured for the Firebox interface contains enough IP addresses to assign addresses to all clients that connect.
If the client computer uses DHCP to get an IP address, and the IP address and gateway assigned on the client do not match the DHCP server settings configured on the Firebox interface this network connects to, it is possible that a rogue DHCP server on your network assigned the unexpected IP address.
Verify the configuration of the Firebox interface the local network connects to. Make sure that the interface IP address and subnet mask are correct for your network. For more information about interface IP addresses and subnet masks, go to About IP Addresses.
If there is a switch or router between the client computer and the Firebox internal interface, the switch or router configuration could be the problem. To test whether the switch or router is the problem, connect the client computer directly to the Firebox internal interface, and then try to ping the Firebox again.
Network connectivity issues can be caused by a damaged or disconnected cable, or a failure of a network interface on the computer, Firebox, or any connected switch or router. To detect this type of problem, look at the link and activity lights on the network interface at each end of each cable, try a different network cable, or try to test the connection to the Firebox from a different computer on the same network segment.
For information about the indicators on your Firebox interfaces, go to the Hardware Guide for your Firebox model.
If the problem affects all or many users on your network, it could be that there is an IP address conflict between the Firebox internal IP address and another device on your network. To test this, disconnect the cable from the Firebox interface and then try to ping the internal interface of the Firebox from a client computer. If the ping gets a response when the network is not connected to the Firebox interface, some other host on the network uses an IP address that conflicts with the IP address of the Firebox interface.
Test 2 — Ping the Default Gateway of the Firebox
If you can successfully ping the IP address of the Firebox interface, test whether traffic from the client computer can be routed to addresses outside the Firebox. To test this, from your Windows computer try to ping the default gateway for the Firebox external interface. This confirms that your computer can route to a host outside the Firebox, and that your Firebox is configured to allow these ping requests.
If your network has an Internet gateway other than the Firebox, Internet-bound traffic from clients on your network might not be routed through the Firebox. To verify that outbound traffic to the Internet goes through the Firebox, enable logging of allowed packets in the ping policy and verify that log messages are created for ping requests from your network. For details about how to do this, go to the preceding Network Troubleshooting Tools section.
If your ping to the default gateway of the Firebox external interface fails, verify these possible causes:
If your local network does not use one of the RFC 1918 private subnets, the default dynamic NAT rules do not masquerade traffic from your private network to the Internet. To discover if this could be the issue, look at the log messages for your ping requests. Confirm that the src_ip_nat attribute appears and that the listed IP address matches the external IP address of the Firebox.
If your Firebox is configured with Drop-in or Bridge mode, the src_ip_nat attribute does not appear in log messages for outbound traffic.
For more information about dynamic NAT and the default dynamic NAT rules, go to About Dynamic NAT.
A policy on the Firebox might deny the ping requests. To discover if this is the cause, search the log messages for denied ping requests. The log message tells you which policy denied the traffic. By default, the Firebox configuration includes a Ping policy that allows outgoing Ping traffic.
The problem could also be in your internal network rather than on the Firebox. To discover if this is the case, connect your computer directly to the Firebox to bypass your internal network. Make sure your client computer has an IP address on the correct subnet to connect to the Firebox, and that the default gateway is set to the IP address of the Firebox interface the local network connects to.
Test 3 — Test DNS Resolution
If you can successfully ping the default gateway of your Firebox, the next step is to test DNS resolution. To test DNS resolution, try to ping a remote web host, such as www.watchguard.com. If this fails, try to ping a remote IP address, such as the DNS server for your ISP, or a public DNS server such as 8.8.8.8 or 4.2.2.2. If you can successfully ping a remote IP address, but cannot ping a host name, that indicates a problem with DNS resolution.
If DNS resolution fails, investigate these possible causes:
Use the Windows command line on your client computer to test DNS resolution. If you do not specify the IP address of a DNS server, the nslookup command uses the default DNS server.
First, test DNS with the default DNS server:
nslookup www.watchguard.com
Next, add the IP address to a public DNS server:
nslookup www.watchguard.com 8.8.8.8
If DNS resolution does not work with the default DNS server but works with the public DNS server, verify the DNS servers used by the client computer and the Firebox.
- To find the default DNS server used on the client computer, use the ipconfig /all command on the Windows command line. The DNS server on the client should usually be the same as the DNS server used by the Firebox.
- To find the current DNS server IP addresses for the Firebox in Fireware Web UI, select Dashboard > Interfaces > Detail. To view the DNS servers in Firebox System Manager, expand the Interfaces status for the Firebox in the Front Panel tab.
To verify whether traffic can be routed to a DNS server, and whether the DNS server responds, you can try to ping the DNS server IP address from the client computer and from the Firebox.
Even if you can successfully ping the DNS server from a client computer on your network, DNS resolution still fails if the Firebox configuration does not have a policy that allows outgoing DNS requests.
To further troubleshoot, you can test DNS resolution from the Firebox as previously described to discover if DNS resolution works from the Firebox. If DNS resolution works from the Firebox, but does not work from clients on the internal network, it is likely that there is no policy on the Firebox to allow outbound DNS requests. To confirm if this is the case, examine the log messages in Traffic Monitor while you test DNS or try to resolve external host names. Look for log messages for denied connections with a destination port of 53.
If you disable or delete the default Outgoing policy, the Firebox does not allow outbound DNS requests unless you add another policy to allow these connections. If you delete the Outgoing policy, make sure that your other policies allow hosts on your network, or at least key servers, to connect outbound for DNS, NTP and other necessary functions.
For more information about the Outgoing policy, go to About the Outgoing Policy.
Troubleshoot Traffic Flooding
Traffic flooding occurs when the Firebox receives a high volume of traffic and it cannot examine and then allow permitted network traffic. This can cause traffic or Internet connectivity to fail. To address traffic flooding, the Firebox drops connections that exceed the values that you specify in the Default Packet Handling settings. For more information, go to About Default Packet Handling Options.
If you experience traffic flooding and dropped packets, you can:
- Specify the relevant logging and notification settings by dangerous activity type (Fireware Web UI v12.8 and higher). Make sure that you enable logging for each type of dangerous activity. By default, the Firebox sends a log message when an event occurs that matches the default packet handling settings. If you want more log message data to analyze, you can increase the log message rate. For more information, go to the Dangerous Activity Logging and Notification Settings section of About Default Packet Handling Options.
- Use Traffic Monitor to view the Firebox log messages and identify which default packet handling setting caused the Firebox to drop connections.
  In this example, UDP flooding caused the Firebox to drop connections:
  2023-03-29 10:55:22 Member2 Deny 10.0.1.104 10.0.1.157 8211/udp 8211 8211 130-NPS-AP 3002-CO-WAN udp flooding 582 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic
- Use the generated log messages to determine the acceptable packets-per-second threshold for your network. Based on the presence of these log messages, you can increase the threshold and then verify whether the log messages continue. For more information, go to About Flood Attacks.
- (Optional) You can download log message data and other system information from your Firebox in a diagnostic log message file (support.tgz) that you can send to your Support representative. However, for the diagnostic log message file to contain relevant information, you must capture the information while the flood takes place or immediately after. For more information, go to Download a Diagnostic Log Message File in Fireware Web UI.
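As an added example (not part of the WatchGuard documentation or any Firebox tool), this Python script parses Traffic Monitor log lines in the layout of the udp flooding message above and applies three of the checks this page describes: denied connections to port 53 (Test 3), the src_ip_nat check for dynamic NAT (Test 2), and a per-second count of flood-drop messages for judging the flood threshold. The Allow and Deny lines for ping and DNS, the interface names, and the external IP address 198.51.100.2 are constructed assumptions about the same layout.

```python
import re
from collections import Counter

# Constructed sample Traffic Monitor lines. The "udp flooding" lines reuse the
# layout of the message quoted on this page; the ping and DNS lines are
# assumptions about the same layout, not output copied from a real Firebox.
SAMPLE_LOG = """\
2023-03-29 10:55:22 Member2 Deny 10.0.1.104 10.0.1.157 8211/udp 8211 8211 130-NPS-AP 3002-CO-WAN udp flooding 582 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic
2023-03-29 10:55:22 Member2 Deny 10.0.1.104 10.0.1.157 8211/udp 8211 8211 130-NPS-AP 3002-CO-WAN udp flooding 582 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic
2023-03-29 10:55:23 Member2 Deny 10.0.1.104 10.0.1.157 8211/udp 8211 8211 130-NPS-AP 3002-CO-WAN udp flooding 582 64 (Internal Policy) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic
2023-03-29 10:56:01 Member2 Allow 10.0.1.50 203.0.113.9 8/icmp 1-Trusted 0-External Allowed 60 127 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148" src_ip_nat="198.51.100.2" Traffic
2023-03-29 10:56:02 Member2 Allow 192.0.2.7 203.0.113.9 8/icmp 2-Optional 0-External Allowed 60 127 (Ping-00) proc_id="firewall" rc="100" msg_id="3000-0148" Traffic
2023-03-29 10:56:05 Member2 Deny 10.0.1.50 8.8.8.8 53/udp 51234 53 1-Trusted 0-External Denied 73 127 (Unhandled Internal Packet-00) proc_id="firewall" rc="101" msg_id="3000-0148" Traffic
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?:(?P<member>Member\d+) )?(?P<action>Allow|Deny) "
    r"(?P<src_ip>\S+) (?P<dst_ip>\S+) (?P<service>\S+)/(?P<proto>\w+)"
    r"(?: (?P<src_port>\d+) (?P<dst_port>\d+))? (?P<src_if>\S+) (?P<dst_if>\S+) "
    r"(?P<reason>.+?) (?P<length>\d+) (?P<ttl>\d+) \((?P<policy>[^)]*)\)(?P<kv>.*) Traffic$")

def parse_line(line):
    """Fields of one Traffic log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update(re.findall(r'(\w+)="([^"]*)"', rec.pop("kv")))  # e.g. src_ip_nat
    port = rec["dst_port"] or rec["service"]  # ICMP lines carry a type, not a port
    rec["dport"] = int(port) if rec["proto"] != "icmp" and port.isdigit() else None
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def denied_dns(records):
    """Denied connections to port 53: the sign of a missing outbound DNS policy."""
    return [r for r in records if r["action"] == "Deny" and r["dport"] == 53]

def nat_problems(records, external_ip):
    """Allowed outbound pings whose src_ip_nat is absent or not the external IP."""
    return [r for r in records if r["action"] == "Allow" and r["proto"] == "icmp"
            and r.get("src_ip_nat") != external_ip]

def flood_log_rate(records):
    """Most flood-drop log messages seen in any one second. The log message rate
    setting caps how many the Firebox writes, so this is a floor, not the true pps."""
    per_second = Counter(r["time"] for r in records
                         if r["action"] == "Deny" and r["reason"].endswith("flooding"))
    return max(per_second.values(), default=0)
```

Paste the text exported from Traffic Monitor in place of SAMPLE_LOG to run the same checks against your own log messages.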