The first place to start is probably by doing a port scan on the firewall. This will let you know what ports the firewall is allowing through to the servers behind. Once you know this, you can then check this against your security policy to ensure that these ports are supposed to be allowed. This will help to see if the firewall is configured ok.
Once you have a list of ports that are open, you can then try to do a fingerprint to see if the OS can be identified through the firewall to the backend machine.
n map can do the port scan (various different types of scans) and also do the OS Detection.
This is probably where i would start with your testing.