Disclosure of Invention
An object of the embodiments of the present application is to provide a network fault diagnosis method, apparatus, device, and computer readable storage medium, so as to solve the problem that existing network fault location requires checking the data packet processing flow manually and step by step, which makes network fault location inefficient.
The embodiment of the application provides a network fault diagnosis method, which comprises the following steps:
acquiring session parameter information of a fault network;
screening out an effective network security policy with policy content referencing the session parameter information from the network security policies currently adopted by the fault network;
and determining fault information of the fault network according to the effective network security policy.
In the implementation process, the effective network security policies that are more likely to cause the current network fault are screened out according to the session parameter information of the fault network, and the fault information of the fault network is determined according to those effective network security policies. Because the session parameter information narrows the range of network security policies to be checked, the key network security policy can be located accurately, and fault location efficiency is improved to a certain extent.
Further, the session parameter information includes at least one of source IP address information, destination IP address information, source port information, destination port information, and transport layer protocol information.
In the implementation process, policy screening is performed according to at least one of the source IP address information, the destination IP address information, the source port information, the destination port information and the transport layer protocol information, so that the policy causing the network failure is retained among the screened effective network security policies, which ensures the validity and reliability of the screening result.
Further, the determining the fault information of the fault network according to the effective network security policy includes:
screening a target network security policy with log records from the effective network security policies;
and determining fault information of the fault network according to the target network security policy.
In the implementation process, the target network security policy with log records is screened from the effective network security policies, so that the network security policy range to be checked is further narrowed, and the network fault positioning efficiency is improved to a greater extent.
Further, screening the target network security policy having a log record from the effective network security policies includes:
determining a detection sequence of each effective network security policy according to at least one of the session parameter information referenced in each effective network security policy and the data packet matching priority in the security engine module corresponding to each effective network security policy;
and judging, in the detection sequence, whether each effective network security policy has a corresponding log record; if so, taking that effective network security policy as a target network security policy, and if not, continuing to detect the next effective network security policy.
In the implementation process, the policy detection sequence is determined through at least one of the session parameter information and the data packet matching priority in the security engine module, which gives a reasonable detection sequence so that the security policy causing the network failure is found more quickly.
Further, determining the detection sequence of each effective network security policy according to at least one of the session parameter information referenced in each effective network security policy and the data packet matching priority in the security engine module corresponding to each effective network security policy includes:
taking the order from low to high of the number of types of session parameter information referenced in each effective network security policy as the detection sequence of each effective network security policy;
or,
taking the order from high to low of the data packet matching priority in the security engine module corresponding to each effective network security policy as the detection sequence of each effective network security policy;
or,
arranging the effective network security policies in order from high to low of the data packet matching priority in the corresponding security engine module, rearranging the effective network security policies having the same data packet matching priority in order from low to high of the number of types of referenced session parameter information, and taking the final arrangement as the detection sequence of each effective network security policy;
or,
arranging the effective network security policies in order from low to high of the number of types of referenced session parameter information, rearranging the effective network security policies referencing the same number of types of session parameter information in order from high to low of the data packet matching priority in the corresponding security engine module, and taking the final arrangement as the detection sequence of each effective network security policy.
In the implementation process, the policy detection sequence is determined according to the number of types of session parameter information referenced in the effective network security policy and/or the data packet matching priority in the corresponding security engine module, so that the detection sequence is reasonable and reliable, and network fault location efficiency is further improved.
Further, the determining the fault information of the fault network according to the target network security policy includes:
closing (that is, disabling) the target network security policies in the fault network one at a time, judging after each target network security policy is closed whether the network fault problem of the fault network is solved; if so, taking that target network security policy as the problem policy causing the network fault, and if not, restoring the closed target network security policy and continuing to detect the next target network security policy.
In the implementation process, whether the network fault problem is solved is judged by closing the target network security policies in sequence, so that a specific policy for causing the network fault is determined.
Further, the method further comprises:
after determining the problem policy of the fault network, analyzing the problem policy to obtain a network fault report, wherein the network fault report comprises at least one of information of the problem policy, information of a security engine module corresponding to the problem policy, network fault starting time information, network fault ending time information and log information hit by the session parameter information.
In the implementation process, the network fault report is generated so as to be convenient for a user to check, and the usability is improved.
The embodiment of the application also provides a network fault diagnosis device, which comprises:
the parameter information acquisition unit is used for acquiring session parameter information of the fault network;
an effective network security policy screening unit for screening the effective network security policies with policy contents referencing the session parameter information from the network security policies currently adopted by the fault network;
and the fault information determining unit is used for determining the fault information of the fault network according to the effective network security policy.
The embodiment of the application also provides a device, which comprises a processor and a memory, wherein the memory stores a computer program, and the processor executes the computer program to implement the network fault diagnosis method of any one of the above.
There is also provided in an embodiment of the present application a computer-readable storage medium storing a computer program that, when executed by at least one processor, implements any one of the above-described network fault diagnosis methods.
Detailed Description
The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.
Embodiment one:
In order to solve the problem that existing network fault location requires checking the data packet processing flow manually and step by step, which makes network fault location inefficient, the embodiment of the application provides a network fault diagnosis method. Referring to fig. 1, fig. 1 is a schematic flow chart of the network fault diagnosis method provided in an embodiment of the present application, which includes:
S101: obtaining session parameter information of the fault network.
The session parameter in this embodiment refers to a parameter related to a network session, and optionally, the session parameter information includes at least one of source IP address information, destination IP address information, source port information, destination port information, and transport layer protocol information, and may include other information, such as interface index information, service type information, and so on, in other embodiments.
S102: screening out the effective network security policies whose policy content references the session parameter information from the network security policies currently adopted by the fault network.
S103: determining fault information of the fault network according to the effective network security policies.
In this embodiment, steps S101 to S103 may be performed by the terminal or may be performed by the server, or some steps may be performed by the terminal and some steps may be performed by the server.
In one example of step S103, in order to accurately locate the key node, the target network security policies having log records may first be screened from the effective network security policies, and then the fault information of the fault network is determined according to the target network security policies.
Specifically, determining the fault information of the fault network according to the target network security policies may be: closing the target network security policies in the fault network one at a time, and judging after each target network security policy is closed whether the network fault problem of the fault network is solved; if so, taking that target network security policy as the problem policy causing the network fault; if not, reopening the closed target network security policy and continuing to detect the next target network security policy.
In this example, the target network security policies having log records may be screened from the effective network security policies in the following manner:
determining the detection sequence of each effective network security policy according to at least one of the session parameter information referenced in each effective network security policy and the data packet matching priority in the security engine module corresponding to each effective network security policy; then judging, in the detection sequence, whether each effective network security policy has a corresponding log record, which in this example is done by searching the database with a query statement for log records of that policy. If the corresponding log record exists, the effective network security policy is marked as a target network security policy; if not, the next effective network security policy is detected.
Specifically, the detection sequence of each effective network security policy may be determined according to at least one of the number of types of session parameter information referenced in the effective network security policy, the total number of session parameter information, and the matching priority of data packets in the security engine module corresponding to each effective network security policy. It should be noted that, each security engine module may be preset with a data packet matching priority, so the detection order of the effective network security policy may be determined directly by using the data packet matching priority.
It should be noted that the manner of determining the detection sequence of each effective network security policy in this example includes, but is not limited to, any of the following:
Mode one: taking the order from low to high of the number of types of session parameter information referenced in each effective network security policy, or of the total number of session parameter information referenced in each effective network security policy, as the detection sequence of each effective network security policy.
Mode two: taking the order from high to low of the data packet matching priority in the security engine module corresponding to each effective network security policy as the detection sequence of each effective network security policy.
Mode three: arranging the effective network security policies in order from high to low of the data packet matching priority in the corresponding security engine module; for effective network security policies having the same data packet matching priority, rearranging them in order from low to high of the number of types of referenced session parameter information, or of the total number of referenced session parameter information; and taking the final arrangement as the detection sequence of the effective network security policies.
Mode four: arranging the effective network security policies in order from low to high of the number of types of referenced session parameter information, or of the total number of referenced session parameter information; for effective network security policies having the same number of types, or the same total number, of referenced session parameter information, rearranging them in order from high to low of the data packet matching priority in the corresponding security engine module; and taking the final arrangement as the detection sequence of the effective network security policies.
It may be appreciated that, in this example, the target network security policies in the faulty network may be sequentially closed according to the above detection sequence, that is, each time a target network security policy is determined, the fault information of the faulty network may be determined according to the target network security policy.
It should be noted that in other embodiments, the detection may be performed randomly, that is, whether the corresponding log records exist in the corresponding effective network security policies may be determined according to a random order.
In another example of step S103, fault location may also be performed directly on the screened effective network security policies. The specific location process is: closing the effective network security policies in the fault network one at a time, judging after each effective network security policy is closed whether the network fault problem of the fault network is solved; if so, taking that effective network security policy as the problem policy causing the network fault, and if not, reopening the closed effective network security policy and continuing to detect the next effective network security policy. In this example, the effective network security policies may be closed in random order, or a closing order of the effective network security policies may first be determined and the policies then closed in that order.
The closing order of the effective network security policies may be determined in the same way as the detection sequence above, namely according to at least one of the number of types of session parameter information referenced in the effective network security policy, the total number of session parameter information, and the data packet matching priority in the security engine module corresponding to each effective network security policy; the specific manner of determining the closing order is not repeated here.
In order to facilitate user's checking and improve usability, in this embodiment, after determining a problem policy of a failed network, the problem policy may be analyzed to generate a network failure report, where the network failure report in this embodiment includes at least one of information of the problem policy, information of a security engine module corresponding to the problem policy, information of a network failure start time, information of a network failure end time, and log information hit by session parameter information.
According to the network fault diagnosis method provided by this embodiment, the effective network security policies that are more likely to cause the current network fault are screened out according to the session parameter information of the fault network, and the fault information of the fault network is determined according to those policies. Because the session parameter information narrows the range of network security policies to be checked, the key network security policy can be located rapidly and fault location efficiency is improved to a certain extent. In addition, the detection sequence is determined according to the session parameter information and the data packet matching priority, so that the problem policy can be diagnosed accurately and rapidly.
Embodiment two:
In order to better understand the scheme provided by the invention, this embodiment provides a more specific scheme. In a networking environment with a firewall as its core, the firewall is configured with a complex network environment. When a network fault occurs in which a certain terminal cannot access a server, the existing scheme generally has an inspector judge, by capturing data packets, whether the problem is that the firewall blocks the traffic; if the fault is judged to be caused by the firewall, the inspector can only confirm the problem step by step from the log and debug information, and cannot quickly locate which policy is doing the blocking. The scheme provided by this embodiment completes the fault investigation automatically by combining the quintuple information with a traversal of the security engine modules in the firewall by priority and with log queries. The specific flow is shown in fig. 2 and includes:
S201: obtaining session parameter information of the fault network.
The session parameter information in this embodiment is quintuple information, including source IP address information, that is, the IP address of the access terminal with the network failure; destination IP address information, that is, the address of the server whose access is blocked; source port information; destination port information; and transport layer protocol information.
S202: screening out the effective network security policies whose policy content references the session parameter information from the network security policies currently adopted by the fault network.
In step S202, the network security policies are traversed, and for each network security policy, the policies hit by all of the session parameter information are screened out as effective network security policies and stored in a temporary file.
S203: arranging the effective network security policies in order from low to high of the number of types of session parameter information referenced in them.
S204: for effective network security policies referencing the same number of types of session parameter information, rearranging them in order from high to low of the data packet matching priority in the corresponding security engine module, and taking the final arrangement as the detection sequence of each effective network security policy.
S205: judging, in the detection sequence, whether each effective network security policy has a corresponding log record; if so, go to S206, and if not, go to S210.
S206: taking the effective network security policy as a target network security policy, and closing the target network security policy.
S207: judging whether the network fault problem of the fault network is solved; if so, go to S208, and if not, go to S211.
S208: taking the target network security policy as the problem policy causing the network fault.
S209: generating a network fault report according to the problem policy.
S210: detecting the next effective network security policy.
S211: restoring the closed target network security policy and continuing to detect the next target network security policy.
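The flow of S201 to S211, together with the four detection-sequence modes of Embodiment one, as an added worked example in Python. This code is written for this page and is not the patent's implementation; the Policy data class, the key=value log line format, the probe() callback that re-tests the failed access, the simulated firewall inside run_example(), and all sample policies, session values and log lines are constructed assumptions. Session parameters are carried as strings, and the mode argument of detection_order() selects mode one to four of Embodiment one.

```python
# Added example for this page: the fault localisation flow of Embodiment two (S201 to S211)
# and the four detection-sequence modes of Embodiment one, in Python. It is not the patent's
# own implementation. The Policy shape, the key=value log line format, the probe() callback,
# the simulated firewall in run_example() and all sample data are constructed assumptions.
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

FIVE_TUPLE = ("src_ip", "dst_ip", "src_port", "dst_port", "proto")


@dataclass
class Policy:
    name: str
    engine_priority: int                 # assumed: higher value = the engine matches it earlier
    action: str                          # "permit" or "deny"; used only by the simulated probe
    match: Dict[str, str] = field(default_factory=dict)  # only the 5-tuple fields the policy constrains
    enabled: bool = True


def _field_hits(key: str, pattern: str, value: str) -> bool:
    """One match condition: CIDR for addresses, 'lo-hi' or a single number for ports, literal for proto."""
    if key in ("src_ip", "dst_ip"):
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern, strict=False)
    if key in ("src_port", "dst_port"):
        lo, _, hi = pattern.partition("-")
        return int(lo) <= int(value) <= int(hi or lo)
    return pattern.lower() == value.lower()


def policy_hits(policy: Policy, session: Dict[str, str]) -> bool:
    """S202: a policy is 'effective' when every session parameter it references matches the failed session."""
    return all(_field_hits(k, v, session[k]) for k, v in policy.match.items())


def detection_order(effective: List[Policy], mode: int = 4) -> List[Policy]:
    """S203/S204 and modes one to four: sort by number of referenced parameter types (ascending)
    and/or engine matching priority (descending). sorted() is stable, so full ties keep input order."""
    types = lambda p: len(p.match)
    prio = lambda p: -p.engine_priority
    keys = {1: (types,), 2: (prio,), 3: (prio, types), 4: (types, prio)}[mode]
    return sorted(effective, key=lambda p: tuple(k(p) for k in keys))


def has_log_record(policy: Policy, session: Dict[str, str], log_lines: List[str]) -> bool:
    """S205: is there a log entry of this policy whose 5-tuple equals the failed session?"""
    for line in log_lines:
        rec = dict(kv.split("=", 1) for kv in line.split())
        if rec.get("policy") == policy.name and all(rec.get(k) == session[k] for k in FIVE_TUPLE):
            return True
    return False


def diagnose(policies: List[Policy], session: Dict[str, str], log_lines: List[str],
             probe: Callable[[], bool], mode: int = 4) -> Optional[dict]:
    """S201 to S211: close candidate policies one at a time; probe() re-tests the failed access."""
    effective = [p for p in policies if policy_hits(p, session)]          # S202
    order = detection_order(effective, mode)                               # S203, S204
    for cand in order:
        if not has_log_record(cand, session, log_lines):                   # S205
            continue                                                       # S210: next policy
        cand.enabled = False                                               # S206: close the target policy
        try:
            fixed = probe()                                                # S207: is the access restored?
        finally:
            cand.enabled = True                                            # S211: always reopen it
        if fixed:                                                          # S208, S209: report
            return {"problem_policy": cand.name,
                    "engine_priority": cand.engine_priority,
                    "checked_order": [p.name for p in order],
                    "hit_logs": [ln for ln in log_lines if f"policy={cand.name} " in ln]}
    return None


# Constructed sample: a lab host cannot reach a server on TCP port 22.
SESSION = {"src_ip": "192.168.10.25", "dst_ip": "10.20.30.40",
           "src_port": "51514", "dst_port": "22", "proto": "tcp"}
POLICIES = [
    Policy("allow_web", 10, "permit", {"dst_port": "443", "proto": "tcp"}),
    Policy("deny_guest_all", 9, "deny", {"src_ip": "172.16.0.0/12"}),
    Policy("deny_ssh_from_lab", 8, "deny", {"src_ip": "192.168.10.0/24", "dst_port": "22"}),
    Policy("log_tcp", 7, "permit", {"proto": "tcp"}),
    Policy("audit_to_server", 3, "permit", {"dst_ip": "10.20.30.40"}),   # hits, but never logged
]
LOG_LINES = [  # constructed firewall log, one key=value record per line
    "policy=log_tcp src_ip=192.168.10.25 dst_ip=10.20.30.40 src_port=51514 dst_port=22 proto=tcp act=permit",
    "policy=deny_ssh_from_lab src_ip=192.168.10.25 dst_ip=10.20.30.40 src_port=51514 dst_port=22 proto=tcp act=deny",
    "policy=allow_web src_ip=192.168.10.25 dst_ip=10.20.30.40 src_port=51611 dst_port=443 proto=tcp act=permit",
]


def run_example(mode: int = 4) -> Optional[dict]:
    """Simulated firewall: the access works when no enabled deny policy hits the session."""
    def probe() -> bool:
        return not any(p.enabled and p.action == "deny" and policy_hits(p, SESSION) for p in POLICIES)
    return diagnose(POLICIES, SESSION, LOG_LINES, probe, mode)


if __name__ == "__main__":
    print(run_example())
```

With the sample data, mode four checks log_tcp first (one referenced parameter, priority 7), skips audit_to_server because it has no log record, and identifies deny_ssh_from_lab as the problem policy; mode three starts with deny_ssh_from_lab directly because of its higher engine priority. One point the flow leaves to the operator: S206 disables a policy on the live firewall, so while a deny policy is closed the traffic it blocked is admitted. The example therefore restores each policy in a finally block, even if the probe fails, and restores the problem policy as well before returning the report, since the page does not say whether it should stay closed.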
Embodiment three:
referring to fig. 3, the present embodiment provides a network fault diagnosis apparatus, including:
a parameter information obtaining unit 301, configured to obtain session parameter information of the faulty network.
An effective network security policy screening unit 302, configured to screen the effective network security policies whose policy content references the session parameter information from the network security policies currently adopted by the fault network.
A fault information determining unit 303, configured to determine fault information of the fault network according to the effective network security policies.
The session parameter in this embodiment refers to a parameter related to a network session, and optionally, the session parameter information includes at least one of source IP address information, destination IP address information, source port information, destination port information, and transport layer protocol information, and may include other information, such as interface index information, service type information, and so on, in other embodiments.
In one example, in order to accurately locate the key node, the fault information determining unit 303 may first screen the target network security policies having log records from the effective network security policies, and then determine the fault information of the fault network according to the target network security policies.
The manner in which the fault information determining unit 303 determines the fault information of the fault network according to the target network security policies may specifically be: closing the target network security policies in the fault network one at a time, and judging after each target network security policy is closed whether the network fault problem of the fault network is solved; if so, taking that target network security policy as the problem policy causing the network fault; if not, reopening the closed target network security policy and continuing to detect the next target network security policy.
In this example, the fault information determining unit 303 may screen the target network security policies having log records from the effective network security policies in the following manner:
determining the detection sequence of each effective network security policy according to at least one of the session parameter information referenced in each effective network security policy and the data packet matching priority in the security engine module corresponding to each effective network security policy; then judging, in the detection sequence, whether each effective network security policy has a corresponding log record, which in this example is done by searching the database with a query statement for log records of that policy. If the corresponding log record exists, the effective network security policy is marked as a target network security policy; if not, the next effective network security policy is detected.
Specifically, the detection sequence of each effective network security policy may be determined according to at least one of the number of types of session parameter information referenced in the effective network security policy, the total number of session parameter information, and the matching priority of data packets in the security engine module corresponding to each effective network security policy. It should be noted that, each security engine module may be preset with a data packet matching priority, so the detection order of the effective network security policy may be determined directly by using the data packet matching priority.
It should be noted that the manner in which the fault information determining unit 303 determines the detection sequence of each effective network security policy in this example includes, but is not limited to, any of the following:
Mode one: taking the order from low to high of the number of types of session parameter information referenced in each effective network security policy, or of the total number of session parameter information referenced in each effective network security policy, as the detection sequence of each effective network security policy.
Mode two: taking the order from high to low of the data packet matching priority in the security engine module corresponding to each effective network security policy as the detection sequence of each effective network security policy.
Mode three: arranging the effective network security policies in order from high to low of the data packet matching priority in the corresponding security engine module; for effective network security policies having the same data packet matching priority, rearranging them in order from low to high of the number of types of referenced session parameter information, or of the total number of referenced session parameter information; and taking the final arrangement as the detection sequence of the effective network security policies.
Mode four: arranging the effective network security policies in order from low to high of the number of types of referenced session parameter information, or of the total number of referenced session parameter information; for effective network security policies having the same number of types, or the same total number, of referenced session parameter information, rearranging them in order from high to low of the data packet matching priority in the corresponding security engine module; and taking the final arrangement as the detection sequence of the effective network security policies.
It may be appreciated that the fault information determining unit 303 of this example may sequentially close the target network security policies in the fault network according to the above detection order, that is, each time a target network security policy is determined, the fault information of the fault network may be determined according to the target network security policy.
It should be noted that, in other embodiments, the fault information determining unit 303 may also perform detection randomly, that is, determine whether the corresponding effective network security policy has a corresponding log record according to a random order.
In another example, the fault information determining unit 303 may also perform fault location directly on the screened effective network security policies, specifically: closing the effective network security policies in the fault network one at a time, judging after each effective network security policy is closed whether the network fault problem of the fault network is solved; if so, taking that effective network security policy as the problem policy causing the network fault, and if not, reopening the closed effective network security policy and continuing to detect the next effective network security policy. In this example, the effective network security policies may be closed in random order, or a closing order of the effective network security policies may first be determined and the policies then closed in that order.
The closing order of the effective network security policies may be determined in the same way as the detection sequence above, namely according to at least one of the number of types of session parameter information referenced in the effective network security policy, the total number of session parameter information, and the data packet matching priority in the security engine module corresponding to each effective network security policy; the specific manner of determining the closing order is not repeated here.
In order to facilitate user's checking and improve usability, in this embodiment, after determining a problem policy of a failed network, the problem policy may be analyzed to generate a network failure report, where the network failure report in this embodiment includes at least one of information of the problem policy, information of a security engine module corresponding to the problem policy, information of a network failure start time, information of a network failure end time, and log information hit by session parameter information.
Embodiment four:
Based on the same inventive concept, this embodiment provides a device; referring to fig. 4, the device includes a processor 401 and a memory 402, a computer program is stored in the memory 402, the processor 401 and the memory 402 communicate through a communication bus, and the processor 401 executes the computer program to implement each step of the network fault diagnosis method in the first embodiment and/or the second embodiment, which is not described again here. It will be appreciated that the configuration shown in fig. 4 is merely illustrative, and that the device may also include more or fewer components than shown in fig. 4, or have a different configuration from that shown in fig. 4.
The processor 401 may be an integrated circuit chip having signal processing capabilities. The processor 401 may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP), and the like; it may also be a digital signal processor (DSP), an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or discrete hardware components, and may implement or perform the various methods, steps, and logical blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like.
The memory 402 may include, but is not limited to, random access memory (Random Access Memory, RAM), read-only memory (Read-Only Memory, ROM), programmable read-only memory (Programmable Read-Only Memory, PROM), erasable programmable read-only memory (Erasable Programmable Read-Only Memory, EPROM), electrically erasable programmable read-only memory (Electrically Erasable Programmable Read-Only Memory, EEPROM), and the like.
This embodiment also provides a computer readable storage medium, such as a floppy disk, an optical disk, a hard disk, a flash memory, a USB disk, an SD (Secure Digital) card, an MMC (Multimedia Card) card, or the like, in which one or more programs for implementing the foregoing steps are stored, and the one or more programs may be executed by one or more processors 401 to implement the steps of the network fault diagnosis method in the foregoing first embodiment and/or second embodiment, which are not described again here.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application.