NeT Firewall vs. Competitors: Performance, Security, and Pricing

Troubleshooting Common NeT Firewall Issues: Step-by-Step Fixes

Below are practical, ordered troubleshooting steps for the most common NeT Firewall problems. Apply each section’s checks and fixes in sequence until the issue is resolved.

1. Firewall won’t start or crashes on boot

1. Check system logs
   • View NeT Firewall logs (location: /var/log/netfw/ or the appliance GUI Logs).
   • Look for errors with timestamps around boot.
2. Confirm configuration validity
   • Restore to last-known-good config: export current config, then import the working backup.
3. Disk space and memory
   • Ensure at least 10% free disk and sufficient RAM. On Linux: df -h and free -m.
4. Corrupted binaries or updates
   • Reinstall the NeT Firewall package or apply vendor-recommended recovery image.
5. If appliance-based
   • Power-cycle and check hardware health (SMART, PSU, fans). Contact vendor for RMA if hardware fails.

2. Network traffic not passing (blocked unexpectedly)

1. Verify interface and link status
   • Confirm physical links and VLAN configs. Use ip link/ifconfig or GUI interface status.
2. Check rule order and implicit deny
   • NeT Firewall applies rules top-down; ensure allow rules precede broad denies.
3. Inspect logs for dropped packets
   • Filter logs for “DROP” or “DENY” with source/destination details and rule IDs.
4. Test with packet captures
   • Run tcpdump on relevant interfaces to confirm whether packets reach the firewall.
5. Temporarily set permissive policy
   • Apply a short-term allow-all policy to determine if rules are the cause, then reapply tight rules incrementally.

3. VPN connections fail to establish

1. Validate credentials and PSKs
   • Confirm user credentials, certificates, and pre-shared keys are current and correctly uploaded.
2. Check phase 1 and 2 parameters
   • Ensure IKE version, encryption, hashing, and lifetime settings match the peer.
3. NAT traversal and MTU issues
   • Enable NAT-T if behind NAT; reduce MTU or enable MSS clamping if fragmentation occurs.
4. Log and debug IKE
   • Enable debug for IKE/IPsec and review handshakes for mismatches or auth failures.
5. Test end-to-end
   • From each endpoint, ping the opposite tunnel endpoint and trace the IKE messages.

4. Slow throughput or high latency

1. Baseline test
   • Measure throughput using iperf3 across the path to isolate whether the firewall is the bottleneck.
2. Inspect CPU and connection tracking
   • High CPU or conntrack table exhaustion causes slowdowns. Check top and conntrack counters.
3. Bypass deep inspection
   • Temporarily disable deep packet inspection/antivirus to see if throughput improves.
4. Check MTU and fragmentation
   • Mismatched MTU can cause retransmits. Adjust MTU and enable MSS clamping.
5. QoS and prioritization
   • Verify QoS rules aren’t throttling key traffic; adjust queues and priorities.

5. Management/UI inaccessible

1. Confirm management interface reachability
   • Ping or curl the management IP from a trusted host.
2. Firewall admin access rules
   • Ensure SSH/HTTPS/GUI ports are allowed from management networks.
3. Certificate or browser errors
   • Replace expired admin certificates or accept the appliance self-signed cert temporarily.
4. Service restart
   • Restart management services (e.g., systemctl restart netfw-web or via appliance console).
5. Fallback to console
   • Use local serial/console access to reset admin password or network config if remote access fails.

6. False positives from IDS/IPS or web filtering

1. Review recent signatures and updates
   • New signatures can increase false positives; review changelog and disable problematic signatures.
2. Whitelisting
   • Add known-safe sources or URLs to allowlists with scope-limited rules.
3. Tuning sensitivity
   • Lower IDS/IPS sensitivity only after evaluating risk and testing.
4. Create exceptions by application/user
   • Use user- or application-aware policies to reduce collateral blocking.

7. Certificate and HTTPS inspection problems

1. Ensure root CA deployed
   • Install the firewall’s inspection CA to client trust stores and browsers.
2. Bypass sensitive traffic
   • Exclude banking/healthcare sites where interception is disallowed or causes failures.
3. Match TLS versions and ciphers
   • Update cipher suites to accommodate modern clients; disable deprecated protocols carefully.
4. Monitor TLS handshake logs
   • Inspect TLS/SSL errors in logs to identify mismatched settings or expired certs.

8. Licensing and feature activation errors

1. Verify license status
   • Check license validity and feature entitlements in the licensing page.
2. Time and date
   • Ensure system clock is accurate (use NTP); license checks may fail with incorrect time.
3. Reapply or reissue license
   • Upload license file or contact vendor portal to reissue if corrupted.

Quick troubleshooting checklist (apply in order)

1. Verify physical connectivity and link status.
2. Confirm basic management access (ping, SSH, GUI).
3. Review logs for drops, denials, or errors.
4. Temporarily relax policies to isolate rule issues.
5. Run packet captures and iperf/trace tests.
6. Check CPU, memory, disk, and conntrack usage.
7. Reboot or restart services if safe.
8. Restore known-good config or escalate to vendor support.

When to escalate to vendor support

• Hardware failures (SMART/PSU/fan errors).
• Corrupted firmware or failed upgrades.
• Unrecoverable license or cryptographic key issues.
• Complex traffic interception bugs after standard troubleshooting.

If you want, I can convert any of the sections above into CLI commands or a step-by-step runbook tailored to your NeT Firewall model and OS — tell me the model and firmware version.