NETASQ Technical Support Training

NETASQ Technical Support Training Session 1

Support Best Practices

© NETASQ 2006

Summary
• Quick Overview of NETASQ Technical Support
• Support and incident levels
• Support Methodology
• RMA management
• Diagnosis tools and commands
• Sales escalation process
• Action Plan

NETASQ – CORPORATE PRESENTATION


Quick Overview of Technical Support
TAC team

TAC Manager
• Matthieu Bonenfant

4 highly-skilled technicians
• Farid Ichalalene
• Laurent Georgeton
• Laurent Lecouvé
• Stéphane Rochoy

+ 2 trainees

Quick overview of Technical Support
TAC access information for NCSC

NETASQ’s TAC is open continuously from 8am to 7pm CET, Monday to Friday. TAC is closed on French public holidays. Tickets can be created 24/7 on NETASQ’s website but will be handled only during working hours.

For urgent cases, Support Centers and EXPERT certified partners can use the following phone number: +33 3 20 61 90 45. To provide higher quality and reactivity, authentication is required and the corresponding ticket will be automatically displayed on the technician’s screen.

Email access to [email protected] will be blocked if no incident number is given.

Support and incident levels
Support Level explanations

Level 1: concerns all operations linked to setting and modifying configurations. Escalation to Level 2 occurs when the support center has verified that the configuration is valid.

Level 2: concerns solving problems with advanced configuration and diagnosing potential malfunctions of NETASQ products.

Level 3: consists of transmitting a problem to the NETASQ R&D service in order to develop a patch. Only NETASQ TAC is authorized to escalate an incident to level 3.

NB: level 3 escalations only concern incidents on products which have received the latest updates.

Support and incident levels
Incident criticality levels

• SEV1 / Critical Severity: The client’s network is down and / or his core business is severely impacted because of an IPS-Firewall malfunction. There is no temporary solution to circumvent the problem.
  > SLA = within 4 working hours*.

• SEV2 / Major Severity: Existing network activity is severely degraded and the client’s core business is negatively impacted.
  > SLA = within 4 working hours*.

• SEV3 / Minor Severity: A malfunction has been detected that does not impact client’s core business.
  > SLA = within 24 working hours*.

• SEV4 / Information: You would like some information or the problem is in relation to a future intervention.
  > SLA = within 72 working hours*.

* First contact following the opening of an incident report with TAC (CET: 8H – 19H)

Support Methodology
1 – Retrieve initial information

• Serial number
• Phone number and email of the contact
• Company name
• Description of the problem (to determine if it is supposed to be a critical or non-critical problem)

Support Methodology
2 – Maintenance checking

In order to benefit from technical support and updates, a NETASQ product must have a valid maintenance contract (support expiration date equals update expiration date). If not, the customer has to renew his contract.

To verify the maintenance contract, go to the Firewall/Information menu in Firewall Manager if you have access to the firewall, or consult the license information in the VITAL application.

Support Methodology
3 – Issue understanding

It seems obvious, but it’s necessary to listen carefully to the customer’s problem.

• Let the client or partner express his wishes in his own words.
• Don’t hesitate to rephrase the problem in more accurate terms in order to gain a full understanding of the client’s problem and to address it efficiently.
• Ask for all the relevant information needed (appliance version, access to the firewall, network topology, logs and alarms…)

Support Methodology
4 – Documentation and FAQ

Before beginning analysis, consult the NETASQ documentation and technical FAQ available from your partner account. The customer’s issue may be explained in our FAQ.

If the solution is given in a public document (a manual, for example), don’t hesitate to provide the customer or partner with a reference to the related document.

Support Methodology
5 – Configuration backup and updates

Before making any changes to the configuration, make or ask for a configuration backup of the appliance. This backup will be used in case of a mistake during troubleshooting.

Be sure that the appliance is running the latest minor version supported for the major version installed on it. Be sure also that this major version is still supported.

Support Methodology
6 – Diagnosis

With the information provided by the customer, you must be able to do a diagnosis for LEVEL1 tickets. The tools needed for diagnosis will be explained later.

Support Methodology
7 – Escalation to NETASQ (1/2)

If the problem is a LEVEL2 or LEVEL3 ticket, you will have to provide all required information to NETASQ.

You can escalate the incident to NETASQ by creating a ticket from our WEB site using your CNEP number, or through our phone system using your phone code. You should have received this phone code; if not, please contact us.

Support Methodology
7 – Escalation to NETASQ (2/2)

The following information is MANDATORY when a ticket is created:
- Expert certification number
- Serial number of the appliance for which the incident is being made
- Valid email address
- Telephone number
- IPS-Firewall and administration tool versions
- IPS-Firewall configuration (full)
- IPS-Firewall Technical Report (taken when the problem was occurring)
- Network topology
- Detailed problem description

If information is missing, NETASQ will have to ask for it and we will lose time in the ticket management.

Support Methodology
8 – Follow up of incidents

Even if the incident is escalated to NETASQ, you are still the link between the customer (or partner) and NETASQ. You have to follow your ticket and keep the partner or the customer informed.

Follow up of NETASQ tickets is done primarily via the incident manager available on the NETASQ web site in your Partner secure-access area. Different types of information are transmitted to indicate the status of requests being processed. The explanation regarding status information is provided in the Support Charter document (available on the NETASQ WEB site).

RMA Management
Different types of exchanges

Standard exchange: Subscribers to « Initial » maintenance contracts benefit from the exchange of their appliance. The replacement IPS-Firewall will be sent within about 10 working days after reception of the defective product by the After-sales service.

Express exchange: Subscribers to « Privilege » maintenance contracts benefit from the anticipated exchange of their appliance (NETASQ will send the replacement appliance without waiting to have received the defective one):
– In France: within 24 working after return has been authorized. Authorization must occur before 15:00 hours (CET)
– Around the world: delivery dates will vary in relation to the destination.

Advance exchange: Our partners can supply their clients with advanced exchange services (D+1 internationally, H+4, H+1, 24x7). In order to take advantage of these services, please contact your NETASQ sales representative.

RMA Management
How to start a product exchange

Exchanges have to be managed by NCSC. A tool for managing Standard and Express exchanges or Advanced exchanges with swap stock is available to NCSC.

This tool is accessible using the following link: https://www.netasq.com/extranet and allows you to generate RMA without the need for any action from NETASQ’s TAC.

However, if in doubt or if you encounter problems, it is possible to send a technical support request to NETASQ’s TAC in order to obtain a diagnosis or a handwritten RMA.

RMA Management
Additional information

No backup, restoration or update will be done by NETASQ on appliances coming in for after-sales servicing.

NETASQ offers no guarantee on the version of the replacement product (good reason to keep customers’ firewalls up-to-date).

Start-up of the replacement IPS-Firewall is the client’s responsibility. At reception of the replacement appliance, NETASQ will have already transferred license and recorded information to it. You will be able to retrieve the license from the Client Corner on the website by using the original appliance’s authentication information.

For more information, please consult our terms of agreement at http://www.netasq.com

Diagnosis tools and commands
How to send or retrieve files from firewall

If the SSH service is activated, it is possible to use the SCP protocol to exchange files with the firewall. OpenSSH includes an SCP client that can be used as follows:

    stephaner@stephaner$ scp [email protected]:/log/logs.tgz .
    SSH passphrase:
    logs.tgz 100% 751KB 751.0KB/s 00:01
    stephaner@stephaner$

where [email protected]:/log/logs.tgz is the source, and dot (.) is the destination (it means the current directory on the SSH client station).

Diagnosis tools and commands
How to generate a technical report using sysinfo

The sysinfo command outputs information regarding the firewall status. IT HAS TO BE GENERATED WHEN THE PROBLEM IS OCCURRING. This command is useful for problem debugging and can be used with the events scheduler (eventd).

The report generated using the sysinfo command will provide:
- Model, export branch and version of the firewall
- Status of High Availability
- Statistics related to Ethernet interfaces
- Last 10 alarms, last 10 serverd commands, last 10 system events
- Network configuration
- Active NAT rules and active NAT sessions, active filtering rules
- Routing table
- Last messages from kernel

Diagnosis tools and commands
Options related to Sysinfo

Several options of the sysinfo command provide additional information. If in doubt, use -a to get the maximum amount of information.

    -arp  : provides the content of the ASQ cache
    -host : provides the content of the hosts table
    -conn : provides the content of the connections table
    -raid : provides information regarding RAID status
    -a    : provides all the additional information

Diagnosis tools and commands
How to collect logs

On products with hard disks, logs are stored in the /log directory. You can collect the latest logs using the following commands:

    F200XA004370400501>cd /log
    F200XA004370400501>tar czvf logs.tgz l_*[^0-9x]
    F200XA004370400501>

The file /log/logs.tgz will contain the latest logs. This file is compressed in GZip format and you can retrieve it using SCP.

Diagnosis tools and commands
How to edit a file

Three file editors are available: vi, joe and jmacs

             Save             Quit
    vi       :w               :q
    joe      Ctrl-K-Ctrl-D    Ctrl-C
    jmacs    Ctrl-X-Ctrl-S    Ctrl-X-Ctrl-C

Diagnosis tools and commands
How to log ASQ activity

ASQ includes a verbose mode. This mode stores ASQ activity in a file.

    F200XA004370400501>cd /etc
    F200XA004370400501>cp syslog.conf syslog.conf.bak
    F200XA004370400501>jmacs syslog.conf

Locate the following line:

    kern.* /dev/console

Replace /dev/console by /dbg/kern.log. Save, then quit jmacs.

    F200XA004370400501>touch /dbg/kern.log
    F200XA004370400501>killall -HUP syslogd || syslogd
    F200XA004370400501>setconf /Firewall/ConfigFiles/ASQ/00 Stateful Verbose 1
    F200XA004370400501>enasq

Diagnosis tools and commands
How to log ASQ activity

On F25, F50 and F200, it is recommended to deactivate kernel message redirection to the console (to limit the risk of a freeze).

    F200XA004370400501>setconf /Firewall/ConfigFiles/system Console Default 0
    F200XA004370400501>enconsole
    F200XA004370400501>reboot
    F200XA004370400501>cd /etc
    F200XA004370400501>cp syslog.conf syslog.conf.bak
    F200XA004370400501>jmacs syslog.conf

Locate the following line:

    kern.* /dev/console

Replace /dev/console by /dbg/kern.log. Save, then quit jmacs.

    F200XA004370400501>touch /dbg/kern.log
    F200XA004370400501>killall -HUP syslogd || syslogd
    F200XA004370400501>setconf /Firewall/ConfigFiles/ASQ/00 Stateful Verbose 1
    F200XA004370400501>enasq

Diagnosis tools and commands
How to log ASQ activity

Verbose mode deactivation

    F200XA004370400501>setconf /Firewall/ConfigFiles/ASQ/00 Stateful Verbose 0
    F200XA004370400501>enasq
    F200XA004370400501>killall syslogd
    F200XA004370400501>cd /etc ; cp syslog.conf.bak syslog.conf
    F200XA004370400501>setconf /Firewall/ConfigFiles/system Console Default 1
    F200XA004370400501>enconsole
    F200XA004370400501>reboot

Diagnosis tools and commands
How to use the events scheduler: eventd

Eventd can be used to schedule commands or scripts depending on certain conditions. Eventd is configured via the file /Firewall/ConfigFiles/Event/rules. Scheduled tasks can be viewed in /var/tmp/eventd.rules (entries in this file can be used as syntax examples).

Each section is related to an event, and several fields can be configured:
- Period : Period between two executions of the event
- Start : Date/hour of the execution of the event
- Exec : Command or script to execute
- Description : Description of the event

Diagnosis tools and commands
How to do a traffic dump: tcpdump

Tcpdump is used to dump and display frames sent to and received by the firewall’s interfaces. You can use the ifinfo command to find the interface names.

The command can be used as follows to listen to traffic going through the sis0 interface, excluding ARP and SSH traffic:

    F200XA004370400501>tcpdump -ni sis0 -s0 not arp and not port 22
    tcpdump: listening on sis0
    11:41:20.444692 10.1.45.1.62516 > 255.255.255.255.62516: udp 49
    11:41:22.988592 10.1.42.253 > 66.102.9.99: icmp: echo request
    11:41:23.031961 66.102.9.99 > 10.1.42.253: icmp: echo reply
    11:41:23.990683 10.1.42.253 > 66.102.9.99: icmp: echo request
    11:41:24.021504 66.102.9.99 > 10.1.42.253: icmp: echo reply
    11:41:24.992674 10.1.42.253 > 66.102.9.99: icmp: echo request
    11:41:25.026709 66.102.9.99 > 10.1.42.253: icmp: echo reply

Diagnosis tools and commands
How to do a traffic dump: tcpdump

To find out whether the firewall blocks or alters packets, you should do a dump on both the incoming and outgoing interfaces simultaneously.

    F200XA004370400501>tcpdump -i sis0 -s0 -w /dbg/sis0.pcap & tcpdump -i sis1 -s0 -w /dbg/sis1.pcap &
    tcpdump: listening on sis0
    tcpdump: listening on sis1
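Once both capture files have been retrieved from the firewall, they can be compared offline to list the packets that entered one interface but never left the other, or left with different content. The script below is an added example, not part of the original NETASQ material; its function names are hypothetical, the two captures are constructed in memory, and it assumes classic pcap files with Ethernet framing, IPv4 traffic, full-length captures (-s0) and no NAT between the two interfaces.

```python
import struct

def read_pcap(data):
    """Yield captured frames from a classic pcap byte string (tcpdump -w output)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic not in (0xA1B2C3D4, 0xD4C3B2A1):
        raise ValueError("not a classic pcap file")
    end = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24                                    # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack(end + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def ipv4_index(pcap):
    """Map (src, dst, proto, ip_id) -> bytes following the IPv4 header."""
    index = {}
    for frame in read_pcap(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                            # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        total, ip_id = struct.unpack("!HH", ip[2:6])
        # TTL and header checksum change at each hop: compare only what follows.
        index[(ip[12:16], ip[16:20], ip[9], ip_id)] = ip[ihl:total]
    return index

def compare(in_pcap, out_pcap):
    """Return (dropped, altered): IP IDs missing from, or different in, out_pcap."""
    a, b = ipv4_index(in_pcap), ipv4_index(out_pcap)
    dropped = sorted(k[3] for k in a if k not in b)
    altered = sorted(k[3] for k in a if k in b and a[k] != b[k])
    return dropped, altered

def make_pcap(packets):
    """Constructed sample data: Ethernet pcap from (ip_id, ttl, payload) tuples."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ip_id, ttl, payload in packets:
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0,
                         ttl, 17, 0, bytes([10, 1, 42, 253]),
                         bytes([192, 0, 2, 10])) + payload
        frame = b"\x00" * 12 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out

# Constructed stand-ins for /dbg/sis0.pcap (ingress) and /dbg/sis1.pcap (egress).
SIS0 = make_pcap([(1, 64, b"hello"), (2, 64, b"blocked"), (3, 64, b"GET /a")])
SIS1 = make_pcap([(1, 63, b"hello"), (3, 63, b"GET /b")])
if __name__ == "__main__":
    print(compare(SIS0, SIS1))
```

With real captures, pass the contents of the two files read in binary mode to compare(); a packet reported as dropped may also simply have been routed out of a different interface.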


Diagnosis tools and commands
How to do a traffic dump: tcpdump

Options of the tcpdump command:

    -i ifname   : dump traffic going through the ifname interface
    -s snaplen  : truncate packets whose size exceeds snaplen
    -s0         : do not truncate packets
    -w filename : save dumped packets to the file filename (PCAP format)

NETASQ Action Plan for H2-2006

ONLY ONE GOAL : IMPROVE CUSTOMER SATISFACTION
• Improve Communication
• Manage Support Centers
• Manage Quality of Service for Support
• Increase TAC team’s efficiency

NETASQ Action Plan for H2-2006
Actions (1/2)

Monitoring of Ticket Queue regarding SLAs > 15/10
Improvement of ticket management tool performance > 27/10
Communication when a bug is fixed in a minor release > 30/10
Issue alarms published on WEB site and sent to NCSCs > 30/10
First WEBEX training session for NCSCs > 27/10
First monthly NCSC newsletter > 05/11
New tools (Knowledge Base, Support Getting Started Guide) > 15/11

NETASQ Action Plan for H2-2006
Actions (2/2)

Support WEB site improvement (customer tickets, messages) > 30/11
New RMA management process without fax > 30/11
Second WEBEX training session for NCSCs > 24/11
First Support Case Study for NCSC > 15/12
Third WEBEX training session for NCSCs > 22/12
EXPERT+ training renewed > 30/12
Newsgroup for Support Centers > 30/12