Troubleshoot Network Connectivity
To test and troubleshoot your network, you can use tools available on your client computer and on your Firebox. For the tests that involve commands issued from a Windows client computer, use a computer on a trusted, optional, or custom network connected to the Firebox.
Network Troubleshooting Tools
Use these tools and methods to test network connectivity and host name resolution on your network. These test methods are referenced in the troubleshooting steps in the next sections.
To ping a host from a Windows computer:
- Locate the search text box in the Windows task bar or Start menu.
- In the search text box, type cmd and press Enter.
  The Command Prompt window appears.
- At the prompt, type ping [destination IP address or host name] and press Enter.
You can use the Ping diagnostic task to send ping packets from the Firebox to an IP address or host name.
In Fireware Web UI:
- Select System Status > Diagnostics.
  The Diagnostics page appears with the Diagnostics File tab selected.
- Select the Network tab.
  The Network page appears.
- From the Task drop-down list, select the Ping command.
  The Address text box appears.
- In the Address text box, type an IP address or host name.
- Click Run Task.
  The output of the command appears in the Results pane.
- To stop the Ping command, click Stop Task.
For more information about diagnostic tasks in Fireware Web UI, see Run Diagnostic Tasks on Your Firebox.
In Firebox System Manager:
- Select Tools > Diagnostic Tasks.
  The Diagnostic Tasks dialog box appears, with the Ping IPv4 task selected by default.
- In the Address text box, type an IP address or host name.
- Click Run Task.
  The output of the command appears in the Results pane.
For more information about diagnostic tasks in Firebox System Manager, see Run Diagnostic Tasks to Learn More About Log Messages.
To test DNS resolution from a Windows computer:
- Locate the search text box in the Windows task bar or Start menu.
- In the search text box, type cmd and press Enter.
  The Command Prompt window appears.
- At the prompt, type nslookup [destination host name] [optional; DNS server IP address] and press Enter.
You can use the DNS Lookup diagnostic task to test DNS name resolution from the Firebox to a host.
In Fireware Web UI:
- Select System Status > Diagnostics.
  The Diagnostics page appears with the Diagnostics File tab selected.
- Select the Network tab.
  The Network page appears.
- From the Task drop-down list, select DNS Lookup.
  The Address text box appears.
- In the Address text box, type the host name.
- Click Run Task.
  The output of the command appears in the Results pane.
- To stop the DNS Lookup command, click Stop Task.
In Firebox System Manager:
- Select Tools > Diagnostic Tasks.
- From the Task drop-down list, select DNS Lookup.
- In the Address text box, type the host name.
- Click Run Task.
  The output of the command appears in the Results pane.
By default, the Firebox does not create log messages for connections that are allowed by packet filter policies such as the Ping policy. It can be useful to enable logging of allowed packets for a policy such as Ping while you troubleshoot network connectivity issues.
Use these steps to edit the logging settings in a policy so that the Firebox creates log messages for connections that are allowed by the policy.
In Fireware Web UI:
- Select Firewall > Firewall Policies.
  The Policies page appears.
- Click the name of the policy to edit.
  The Firewall Policies > Edit page appears.
- In the Logging section, select the Send a log message check box.
- Click Save to save the configuration change.
In Policy Manager:
- Double-click a policy to edit it.
  The Edit Policy Properties dialog box appears.
- Select the Properties tab.
- Click Logging.
- Select the Send a log message check box.
- Save the configuration to the Firebox.
After you make this change, the Firebox creates log messages for connections allowed by the policy. In Traffic Monitor, you can filter the log messages to see log messages created for connections allowed by a specific policy, or for connections to or from a specific IP address.
In Fireware Web UI:
- Select Dashboard > Traffic Monitor.
- In the filter text box at the top of the page, type a term to show only the log messages that contain that term. For example, the term can be the IP address of a computer on your network, a user name, or the name of the policy for which you enabled logging.
- To remove the filter, click .
To learn more about the Traffic Monitor Dashboard, see Traffic Monitor.
In Firebox System Manager:
- Select the Traffic Monitor tab.
- In the filter text box at the top of the page, type a term to show only the log messages that contain that term. For example, the term can be the IP address of a computer on your network, a user name, or the name of the policy for which you enabled logging.
- To remove the filter, click .
To learn more about Traffic Monitor in Firebox System Manager, see Device Log Messages (Traffic Monitor).
To learn more about how to read a log message, see Read a Log Message.
To see the IP configuration of a Windows computer:
- Locate the search text box in the Windows task bar or Start menu.
- In the search text box, type cmd and press Enter.
  The Command Prompt window appears.
- To see the assigned IP address, subnet mask, and default gateway, at the prompt, type ipconfig and press Enter.
- To see more information, including DNS server IP addresses, type ipconfig /all and press Enter.
Troubleshoot Outbound Connections
To identify the cause of Internet connection problems from computers on your local network, start with ping tests from a local computer on your network to the Firebox or a local server on your network. If that is successful, the next step is to test routing and DNS resolution to hosts outside your local network. Use the instructions in the previous section to run the diagnostic commands used in these tests and to look at log messages.
Test 1 — Ping an Internal IP Address
From your local computer, attempt to ping other internal IP addresses on the same local network. For example, try to ping a local network server, or the IP address of a Firebox internal interface. To start a ping from a Windows computer, use the instructions in the preceding section.
If you are unable to ping the internal IP address of the Firebox, this could indicate a problem with the configuration on the Firebox, or a problem with your local network configuration or cabling. To see the IP address and default gateway in the local network configuration of a client computer, use the ipconfig command at the Windows command prompt.
Look at the ipconfig command output and consider these possible causes for the ping failure:
In the ipconfig command output on the client computer, look for the IPv4 address assigned to the local computer, and the default gateway IP address. The client computer must have an IPv4 address. In most cases, the default gateway must be the IP address of the internal Firebox interface that the local network connects to.
If the client computer uses DHCP to get an IP address, and the ipconfig output shows that no IP address is assigned, check the configuration of the Firebox interface the local network connects to. Make sure that the DHCP server is enabled and that the DHCP address pool configured for the Firebox interface contains enough IP addresses to assign addresses to all clients that connect.
If the client computer uses DHCP to get an IP address, and the IP address and gateway assigned on the client do not match the DHCP server settings configured on the Firebox interface this network connects to, it is possible that a rogue DHCP server is on your network and assigned the unexpected IP address.
Check the configuration of the Firebox interface the local network connects to. Make sure that the interface IP address and subnet mask are correct for your network. For more information about interface IP addresses and subnet masks, see About IP Addresses.
If there is a switch or router between the client computer and the Firebox internal interface, the switch or router configuration could be the problem. To test whether the switch or router is the problem, connect the client computer directly to the Firebox internal interface, and then try to ping the Firebox again.
Network connectivity issues can be caused by a damaged or disconnected cable, or a failure of a network interface on the computer, Firebox, or any connected switch or router. To detect this type of problem, look at the link and activity lights on the network interface at each end of each cable, try a different network cable, or test the connection to the Firebox from a different computer on the same network segment.
For information about the indicators on your Firebox interfaces, see the Hardware Guide for your Firebox model.
If the problem affects all or many users on your network, it could be that there is an IP address conflict between the Firebox internal IP address and another device on your network. To test this, disconnect the cable from the Firebox interface and then try to ping the internal interface of the Firebox from a client computer. If the ping gets a response when the network is not connected to the Firebox interface, some other host on the network uses an IP address that conflicts with the IP address of the Firebox interface.
Test 2 — Ping the Default Gateway of the Firebox
If you can successfully ping the IP address of the Firebox interface, test whether traffic from the client computer can be routed to addresses outside the Firebox. To test this, from your Windows computer, attempt to ping the default gateway for the Firebox external interface. A successful ping confirms that your computer can route to a host outside the Firebox, and that your Firebox is configured to allow these ping requests.
You can see the IP address of the Firebox external default gateway in WatchGuard System Manager, or in the Interfaces dashboard in Fireware Web UI.
If your network has an Internet gateway other than the Firebox, Internet-bound traffic from clients on your network might not be routed through the Firebox. To verify that outbound traffic to the Internet goes through the Firebox, enable logging of allowed packets in the ping policy and verify that log messages are created for ping requests from your network. For details about how to do this, see the preceding Network Troubleshooting Tools section.
If your ping to the default gateway of the Firebox external interface fails, check for one of these causes:
If your local network does not use one of the RFC 1918 private subnets, the default dynamic NAT rules do not masquerade traffic from your private network to the Internet. To see if this could be the issue, look at the log messages for your ping requests. Confirm that the src_ip_nat attribute appears and that the listed IP address matches the external IP address of the Firebox.
If your Firebox is configured with Drop-in or Bridge mode, the src_ip_nat attribute does not appear in log messages for outbound traffic.
For more information about dynamic NAT and the default dynamic NAT rules, see About Dynamic NAT.
A Firebox policy could deny the ping traffic. To see if this is the cause, search the log messages for denied ping requests. The log message tells you which policy denied the traffic. By default, the Firebox configuration includes a Ping policy that allows outgoing Ping traffic.
A device on your internal network could block or misroute the traffic. To see if this is the case, connect your computer directly to the Firebox to bypass your internal network. Make sure your client computer has an IP address on the correct subnet to connect to the Firebox, and that the default gateway is set to the IP address of the Firebox interface the local network connects to.
Test 3 — Test DNS Resolution
If you can successfully ping the default gateway of your Firebox, the next step is to test DNS resolution. To test DNS resolution, attempt to ping a remote web host, such as www.watchguard.com. If this fails, attempt to ping a remote IP address, such as the DNS server for your ISP, or a public DNS server such as 8.8.8.8 or 4.2.2.2. If you can successfully ping a remote IP address, but cannot ping a host name, that indicates a problem with DNS resolution.
If DNS resolution fails, investigate these possible causes:
Use the Windows command line on your client computer to test DNS resolution. If you do not specify the IP address of a DNS server, the nslookup command uses the default DNS server.
First, test DNS with the default DNS server:
nslookup www.watchguard.com
Next, specify the IP address of a public DNS server:
nslookup www.watchguard.com 8.8.8.8
If DNS resolution does not work with the default DNS server but works with the public DNS server, check the DNS servers used by the client computer and the Firebox.
- To see the default DNS server used on the client computer, use the ipconfig /all command on the Windows command line. The DNS server on the client should usually be the same as the DNS server used by the Firebox.
- To see the current DNS server IP addresses for the Firebox in Fireware Web UI, select Dashboard > Interfaces > Detail. To see the DNS servers in Firebox System Manager, expand the Interfaces status for the Firebox in the Front Panel tab.
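As an added example (not part of the WatchGuard documentation), this PowerShell script runs the Test 1 to Test 3 sequence from a Windows client in order and stops at the first stage that fails, printing what to investigate next. The Firebox external default gateway is an assumed parameter that you read from the Interfaces dashboard; the remote host and public DNS server default to the values used above.

```powershell
# Added example, not from the WatchGuard documentation. Runs the Test 1-3
# sequence from a Windows client and stops at the first stage that fails.
# Assumption: the client's IPv4 default gateway is the Firebox internal
# interface; the Firebox external default gateway is passed in as a parameter.
param(
    [Parameter(Mandatory)] [string] $FireboxExternalGateway,  # read from Dashboard > Interfaces
    [string] $RemoteHost = 'www.watchguard.com',
    [string] $PublicDns  = '8.8.8.8'
)
function Test-Stage {
    # Runs one check, prints OK/FAIL beside its name, and returns the result.
    param([string] $Name, [scriptblock] $Check)
    $ok = [bool](& $Check)
    Write-Host ("{0,-60} {1}" -f $Name, $(if ($ok) { 'OK' } else { 'FAIL' }))
    return $ok
}
# Test 1: client IPv4 configuration (what ipconfig shows) and the internal interface.
$cfg = Get-NetIPConfiguration | Where-Object { $_.IPv4DefaultGateway } | Select-Object -First 1
if (-not $cfg) {
    Write-Host 'No IPv4 address or default gateway assigned; check DHCP on the Firebox interface (Test 1).'
    return
}
$internalGw = $cfg.IPv4DefaultGateway.NextHop
$clientDns  = ($cfg.DNSServer | Where-Object AddressFamily -eq 2).ServerAddresses -join ', '
Write-Host "Client IPv4: $($cfg.IPv4Address.IPAddress)  Gateway: $internalGw  DNS: $clientDns"
if (-not (Test-Stage "Test 1: ping Firebox internal interface $internalGw" { Test-Connection $internalGw -Count 2 -Quiet })) {
    Write-Host 'Check local IP settings, DHCP, the interface configuration, cabling, or an IP address conflict.'
    return
}
# Test 2: traffic must route through the Firebox to its external default gateway.
if (-not (Test-Stage "Test 2: ping Firebox external gateway $FireboxExternalGateway" { Test-Connection $FireboxExternalGateway -Count 2 -Quiet })) {
    Write-Host 'Check dynamic NAT (src_ip_nat in the log messages), the Ping policy, or the internal network path.'
    return
}
# Test 3: ping a public IP address first, then resolve a host name with the default and a public DNS server.
if (-not (Test-Stage "Test 3: ping public IP address $PublicDns" { Test-Connection $PublicDns -Count 2 -Quiet })) {
    Write-Host 'The external gateway answers but the Internet does not; check routing beyond the Firebox.'
    return
}
$defaultOk = Test-Stage "Test 3: resolve $RemoteHost with the default DNS server" {
    Resolve-DnsName $RemoteHost -Type A -ErrorAction SilentlyContinue }
$publicOk = Test-Stage "Test 3: resolve $RemoteHost with $PublicDns" {
    Resolve-DnsName $RemoteHost -Type A -Server $PublicDns -ErrorAction SilentlyContinue }
if (-not $defaultOk -and $publicOk) {
    Write-Host "Default DNS server ($clientDns) fails but $PublicDns works; compare client and Firebox DNS servers."
} elseif (-not $defaultOk) {
    Write-Host 'No DNS resolution at all; look in Traffic Monitor for denied connections with destination port 53.'
}
```

Run it from a client on a trusted, optional, or custom network, for example .\Test-FireboxPath.ps1 -FireboxExternalGateway 203.0.113.1 (a constructed address), and read the first FAIL line together with the matching Test section above.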
To verify whether traffic can be routed to a DNS server, and whether the DNS server responds, try to ping the DNS server IP address from the client computer and from the Firebox.
Even if you can successfully ping the DNS server from a client computer on your network, DNS resolution still fails if the Firebox configuration does not have a policy that allows outgoing DNS requests.
To further troubleshoot this, you can test DNS resolution from the Firebox as described above to see if DNS resolution works from the Firebox. If DNS resolution works from the Firebox, but does not work from clients on the internal network, it is likely that there is no policy on the Firebox to allow outbound DNS requests. To see if this is the case, examine the log messages in Traffic Monitor while you test DNS or attempt to resolve external host names. Look for log messages for denied connections with a destination port of 53.
If you disable or delete the default Outgoing policy, the Firebox does not allow outbound DNS requests unless you add another policy to allow these connections. If you delete the Outgoing policy, make sure that your other policies allow hosts on your network, or at least key servers, to connect outbound for DNS, NTP, and other necessary functions.
For more information about the Outgoing policy, see About the Outgoing Policy.