Troubleshooting VPN with the QIPFILTER journal

View this information to learn about VPN filter rules. The QIPFILTER journal is located in the QUSRSYS library and contains information about filter rule sets, as well as information about whether an IP datagram was permitted or denied. Logging is performed based on the journaling option you specify in your filter rules.

How to enable the IP Packet Filter journal

Use the Packet Rules editor in iSeries™ Navigator to activate the QIPFILTER journal. You must enable the logging function for each individual filter rule. There is no function that allows logging for all IP datagrams going into or out of the system.

To enable the QIPFILTER journal, your filters must be deactivated.

The following steps describe how to enable journaling for a particular filter rule:

  1. In iSeries Navigator, expand your system > Network > IP Policies.

  2. Right-click Packet Rules and select Configuration. This displays the Packet Rules interface.

  3. Open an existing filter rule file.

  4. Double-click the filter rule you want to journal.

  5. On the General page, select FULL in the Journaling field as in the dialog box shown above. This enables logging for this particular filter rule.

  6. Click OK.

  7. Save and activate the changed filter rule file.

If an IP datagram matches the definitions of the filter rule, an entry is made in the QIPFILTER journal.

How to use the QIPFILTER journal

i5/OS® automatically creates the journal the first time you activate IP packet filtering. To view the entry-specific details in the journal, you can display the journal entries on the screen or you can use an output file.

By copying the journal entries to the output file, you can easily view the entries using query utilities such as Query/400 or SQL. You can also write your own HLL programs to process the entries in the output files.

The following is an example of the Display Journal (DSPJRN) command:

DSPJRN JRN(QIPFILTER) JRNCDE((M)) ENTTYP((TF)) OUTPUT(*OUTFILE) 
    OUTFILFMT(*TYPE4) OUTFILE(mylib/myfile) ENTDTALEN(*VARLEN *CALC) 

Use the following steps to copy the QIPFILTER journal entries to the output file:

  1. Create a copy of the system-supplied output file QSYS/QATOFIPF into a user library by using the Create Duplicate Object (CRTDUPOBJ) command. The following is an example of the CRTDUPOBJ command:
    CRTDUPOBJ OBJ(QATOFIPF) FROMLIB(QSYS) OBJTYPE(*FILE) TOLIB(mylib)
         NEWOBJ(myfile)

  2. Use the Display Journal (DSPJRN) command to copy the entries from the QUSRSYS/QIPFILTER journal to the output file you created in the previous step.

If you run DSPJRN with an output file that does not exist, the system creates the file for you, but the file it creates does not contain the correct field descriptions. Create the file from QATOFIPF first, as described above.
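The two steps above, combined into one CL program so that the output file is always created from the QATOFIPF model before DSPJRN writes to it. This is an added example and not part of the IBM documentation; the parameter names &LIB and &FILE, and the use of CHKOBJ with MONMSG on CPF9801 (object not found) to decide whether CRTDUPOBJ is needed, are choices made for this example.

```cl
/* Added example (not IBM's code): copy QIPFILTER journal entries to a   */
/* user output file that has the correct QATOFIPF field descriptions.    */
/* Call with a library name and a file name, for example:                */
/*   CALL PGM(MYLIB/CPYIPFJRN) PARM('MYLIB' 'MYFILE')                    */
PGM        PARM(&LIB &FILE)
  DCL        VAR(&LIB)  TYPE(*CHAR) LEN(10)
  DCL        VAR(&FILE) TYPE(*CHAR) LEN(10)

  /* Step 1: create the output file from the system-supplied model only  */
  /* if it does not already exist. Letting DSPJRN create the file would  */
  /* produce a file without the correct field descriptions.              */
  CHKOBJ     OBJ(&LIB/&FILE) OBJTYPE(*FILE)
  MONMSG     MSGID(CPF9801) EXEC(DO)   /* CPF9801: object not found      */
     CRTDUPOBJ  OBJ(QATOFIPF) FROMLIB(QSYS) OBJTYPE(*FILE) +
                  TOLIB(&LIB) NEWOBJ(&FILE)
  ENDDO

  /* Step 2: copy the filter entries (journal code M, entry type TF)     */
  /* from QUSRSYS/QIPFILTER into the output file in *TYPE4 format.       */
  DSPJRN     JRN(QUSRSYS/QIPFILTER) JRNCDE((M)) ENTTYP((TF)) +
               OUTPUT(*OUTFILE) OUTFILFMT(*TYPE4) +
               OUTFILE(&LIB/&FILE) ENTDTALEN(*VARLEN *CALC)
ENDPGM
```

Once the entries are in the output file, they can be examined with SQL or Query/400 as the text describes; the field names to query are listed in the QIPFILTER journal fields table referenced at the end of this topic.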

The QIPFILTER journal only contains permit or deny entries for filter rules whose journaling option is set to FULL. For example, if you set up only PERMIT filter rules, IP datagrams that are not explicitly permitted are denied, but no entry is added to the journal for those denied datagrams. For problem analysis you can add a filter rule that explicitly denies all other traffic and performs FULL journaling; you will then get DENY entries in the journal for all IP datagrams that are denied. For performance reasons, it is not recommended that you enable journaling for all filter rules. Once your filter sets are tested, reduce the journaling to a useful subset of entries.

See QIPFILTER journal fields for a table that describes the QIPFILTER output file.