Steps for diagnosing defensive filter problems

Diagnose defensive filter problems.

Procedure

Perform the following step to display defensive filters:

  1. Issue ipsec -F display to display active defensive filters. See z/OS Communications Server: IP System Administrator's Commands for more information about the ipsec -F command. The defensive filters installed in a stack can be displayed, or the global defensive filters can be displayed. If you are running multiple stacks and you want to display defensive filters installed in a specific stack, specify the -p stackname option or ensure that your resolver configuration correctly identifies the stack you are interested in. To display global defensive filters, specify the -G option.

Perform the following steps to determine why defensive filters are not being successfully added to a stack:

  1. Ensure that IP security is enabled for the stack. Specify IPSECURITY on the IPCONFIG statement in the TCP/IP profile. In addition, specify IPSECURITY on the IPCONFIG6 statement in the TCP/IP profile if support is needed for IPv6 defensive filters. See z/OS Communications Server: IP Configuration Reference for more information about the IPCONFIG IPSECURITY and IPCONFIG6 IPSECURITY statements.
  2. Ensure that the Defense Manager daemon (DMD) is managing defensive filters for the stack. The TCP/IP stack name must be listed in the DMD configuration file to enable defensive filters for the stack. The mode specified on the DmStackConfig statement for the stack must be Active or Simulate. See z/OS Communications Server: IP Configuration Reference for more information about the DMD configuration file.
  3. Ensure that the user has security product authorization to issue the ipsec command to add a defensive filter. See "ipsec command security" in z/OS Communications Server: IP System Administrator's Commands for more information about defining the necessary SERVAUTH profiles.

Perform the following step if administrative access is being denied by a defensive filter:

  1. Exclude the administrator's IP address from defensive filter checking. Use the Exclude keyword on the DmStackConfig statement in the DMD configuration file to specify the administrator's IP address. See z/OS Communications Server: IP Configuration Reference for more information about the Exclude keyword in the DMD configuration file.

Perform the following steps if a stack's defensive filters are not blocking traffic:

  1. Ensure that the filter's mode is set to Block. The Action field on the ipsec -F display report should indicate Defensive Block. If the Action field indicates Defensive Simulate, issue ipsec -F update to change the filter's mode. See z/OS Communications Server: IP System Administrator's Commands for more information about the ipsec -F command.
  2. Ensure that the stack's mode in the DMD configuration file is set to Active. A mode of Simulate overrides the individual filter's setting: it allows a packet to match a defensive filter, generates a message, and then lets the packet continue to be processed. The mode must be set to Active for the individual filter's mode setting to be honored. See z/OS Communications Server: IP Configuration Reference for more information about specifying a stack and its mode in the DMD configuration file. The MODIFY DISPLAY command can be issued for the DMD to display the active configuration settings. See z/OS Communications Server: IP System Administrator's Commands for more information about the MODIFY command.

Perform the following step if a defensive filter is discarding traffic that should be permitted:

  1. Delete the defensive filter if it is causing legitimate traffic to be discarded. Issue the ipsec -F delete command to delete the defensive filter from the stack. See z/OS Communications Server: IP System Administrator's Commands for more information about the ipsec -F command.

Perform the following steps to disable defensive filtering for a stack:

  1. Update the DMD configuration file to disable defensive filters for a stack. Specify a mode of Inactive for the stack on the DmStackConfig statement. See z/OS Communications Server: IP Configuration Reference for more information about the DMD configuration file.
  2. Issue the MODIFY REFRESH command for the DMD. See z/OS Communications Server: IP System Administrator's Commands for more information about the MODIFY command.
    Tip: If you are unable to update your DMD configuration file, the MODIFY FORCE_INACTIVE command can be issued for the DMD to disable defensive filtering for the stack. A later MODIFY REFRESH will use the DMD configuration file. If you want defensive filtering to remain disabled, you should update the DMD configuration file as soon as possible.
    Tip: Removing the DmStackConfig statement from the DMD configuration file will not delete existing defensive filters from the stack. If you removed the DmStackConfig statement, the defensive filters will remain in the stack until expiration. To remove the defensive filters from the stack immediately, add the DmStackConfig statement back to the DMD configuration file with a mode of Inactive or issue the MODIFY FORCE_INACTIVE command for the stack.
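The following DMD configuration fragment is an added illustration, not text from the original page, of the DmStackConfig settings referred to in the steps above: the Simulate stack mode that lets matched packets through, the Active mode with an administrator address excluded, and the Inactive mode used to disable defensive filtering. The stack name TCPCS, the IP address, the brace layout and the use of # for comments are assumptions; check the IP Configuration Reference for the exact statement syntax.

```text
# Stack mode Simulate (assumed layout): matches are logged but packets
# continue to be processed, and the Block setting of individual filters
# is not honored, so filters appear not to block traffic.
DmStackConfig TCPCS
{
  Mode      Simulate
}

# Stack mode Active: each filter's own Block or Simulate setting is honored.
# Exclude keeps the administrator's (constructed) address out of
# defensive filter checking so administrative access is not denied.
DmStackConfig TCPCS
{
  Mode      Active
  Exclude   10.1.1.5
}

# Stack mode Inactive: disables defensive filtering for the stack and removes
# existing filters. Issue the MODIFY REFRESH command for the DMD afterwards
# so the updated configuration file takes effect.
DmStackConfig TCPCS
{
  Mode      Inactive
}
```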

Perform the following step to remove all defensive filters from a stack:

  1. Perform one of the following actions:
    • Issue the ipsec -F delete -N all -p stackname command to delete all existing defensive filters from the stack. This will also delete them from the DMD's persistent storage so the filters will not be reinstalled if the stack were to be stopped and restarted. Defensive filtering remains enabled for the stack and new filters can be added to the stack. See z/OS Communications Server: IP System Administrator's Commands for more information about the ipsec -F command.
    • Disable defensive filtering for a stack as described earlier. This will remove all existing defensive filters from the stack and the DMD's persistent storage. It will also prevent new defensive filters from being installed in the stack.
    Tip: The following actions will not remove defensive filters from the stack.
    • Stopping and restarting the stack. The DMD will reinstall defensive filters when the stack is restarted.
    • Stopping DMD. Existing defensive filters remain installed in the stack until expiration.