
TOPIC: Question from firewall admin to the client

Question from firewall admin to the client 7 years 10 months ago #28779

  • ntxploits
  • New Member
  • Posts: 3
  • Karma: 0
Hi all,

Let's say you are working as a firewall admin. One day, client A calls you and tells you that he has a problem accessing an application on server B.
I was wondering, if anyone here is working in firewall support, what questions do you need to ask when an incident like this happens to you? I'll list some of them and the reason why the information is needed; maybe you could add to them or give better suggestions.

1. What is the firewall name/IP address? (so we know which firewall is involved in this incident)
2. What are the source and destination IP addresses? (so we can check whether the traffic hit the firewall or not)
3. Traceroute result from the source to the destination IP (so we know if the traffic was dropped somewhere else)
4. What is the incident number? (if you are using a ticketing system, so we can keep track of what happened)
5. Has this worked before? (if it worked, there is a possibility that some changes have been made to the firewall or server)

Your response and advice on this matter would be most appreciated. Thanks :)

Re: Question from firewall admin to the client 7 years 10 months ago #28798

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
These all look good to me. A ping to the Firewall is always good to check basic connectivity to the firewall itself (3 as you said should identify a routing issue along the way).

Analysing the Packet Captures is also useful if you ever get to that stage.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.

Re: Question from firewall admin to the client 7 years 10 months ago #28801

  • Chojin
  • Senior Member
  • Posts: 251
  • Karma: 0
Most of the time a source and destination are all you need. The rest of the information comes from logging in normal situations....

But in the real world (in 95+% of companies), if you are the firewall admin, you will receive a ticket from the helpdesk.

They will have some instructions on what to ask and what information to provide to you.
If they don't provide the correct information, 'teach' the helpdesk what they need to ask, and those are the questions you have written down in your post.

To see if your connection gets blocked, you can always use "NETSTAT" to see if there is a connection waiting for the 3-way handshake; if it is not completed, you can assume it is blocked in the FW.

Also think about creating some guidelines for what is allowed for the client and what is not.

As for traceroute, it is a nice tool, but it isn't reliable in every situation. You can have enough ACLs on your Cisco's distribution list to disallow ICMP or whatever; if a device doesn't respond, it doesn't automatically tell you that it drops the IP packets.


@Smurf,

most firewalls don't accept ping/ICMP to protect against DoS attacks and things like that.
Probably pinging the gateway is more successful and gives you the information 'needed' for basic troubleshooting.
CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA
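
Added example, not part of the post above: a shell helper for the netstat check described there, reading `netstat -an` (Windows) or `netstat -ant` (Linux) output on the client and reporting whether a connection to server B is still waiting on the 3-way handshake. The function names, addresses and sample output are constructed for illustration; SYN_SENT only shows that no SYN-ACK came back, which a drop anywhere on the path produces, so it is a pointer to the firewall logs rather than proof.

```shell
#!/bin/sh
# Assumes the plain `netstat -an` / `netstat -ant` layout, where the last three
# columns of a TCP row are: local address, foreign address, state.

# Usage: netstat -an | conn_states DEST_IP DEST_PORT
# Prints one line per matching TCP connection: "<state> <local> <foreign>"
conn_states() {
    awk -v dst="$1:$2" '
        $1 ~ /^[Tt][Cc][Pp]/ && NF >= 4 && $(NF-1) == dst {
            print $NF, $(NF-2), $(NF-1)
        }'
}

# Usage: netstat -an | handshake_verdict DEST_IP DEST_PORT
# established : at least one handshake to the destination completed
# syn_sent    : SYN went out, no SYN-ACK seen yet (dropped or unanswered on the path)
# no_attempt  : the client is not trying to connect to that address/port at all
# other       : only closing/closed states (TIME_WAIT, CLOSE_WAIT, ...)
handshake_verdict() {
    states=$(conn_states "$1" "$2" | awk '{print $1}' | sort -u | tr '\n' ' ')
    case " $states" in
        *" ESTABLISHED "*) echo "established" ;;
        *" SYN_SENT "*)    echo "syn_sent" ;;
        " ")               echo "no_attempt" ;;
        *)                 echo "other" ;;
    esac
}

# Constructed sample in the Linux `netstat -ant` layout (documentation addresses).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      1 192.0.2.10:51522        198.51.100.20:8443      SYN_SENT
tcp        0      0 192.0.2.10:40112        198.51.100.20:22        ESTABLISHED
EOF
}

# Demo on the sample; on a real client use: netstat -an | handshake_verdict IP PORT
sample_netstat | handshake_verdict 198.51.100.20 8443
```

A "no_attempt" result is worth noting in the ticket: it means the application never tried the destination the client reported, so the source/destination pair should be re-confirmed before looking at the firewall.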

Re: Question from firewall admin to the client 7 years 10 months ago #28802

  • Smurf
  • Moderator
  • Posts: 1390
  • Karma: 1
> @Smurf,
>
> most firewalls don't accept ping/ICMP to protect against DoS attacks and things like that.
> Probably pinging the gateway is more successful and gives you the information 'needed' for basic troubleshooting.

In normal operation, but when troubleshooting I would turn this on temporarily to ensure packets are being received correctly.
Wayne Murphy
Firewall.cx Team Member
www.firewall.cx
