
Question from firewall admin to the client

15 years 10 months ago #28779 by ntxploits
Hi all,

Let's say you are working as a firewall admin. One day, client A calls you and tells you that he has a problem accessing an application on server B.
I was wondering, if anyone here is working in firewall support, what are the questions that you need to ask if an incident like this happens to you? I'll list some of them and the purpose why the information is needed; maybe you could add or give better suggestions.

1. What is the firewall name/IP address? (so we know which firewall is involved in this incident)
2. What are the source and destination IP addresses? (so we can check whether the traffic hits the firewall or not)
3. Traceroute result from source to destination IP. (so we know if the traffic was dropped somewhere else)
4. What is the incident number? (if you are using a ticketing system, so we can keep track of what happened)
5. Has this worked before? (if it worked, the possibility is that some changes have been made to the firewall or server)

Your response and advice on this matter would be the most appreciated. Thanks :)
15 years 10 months ago #28798 by Smurf
These all look good to me. A ping to the Firewall is always good to check basic connectivity to the firewall itself (3 as you said should identify a routing issue along the way).

Analysing the Packet Captures is also useful if you ever get to that stage.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.
15 years 10 months ago #28801 by Chojin
Most of the time a source and destination is all you need. The rest of the information comes from logging in normal situations....

But, in the real world (in 95+% of companies), if you are the firewall admin, you will receive a ticket from the helpdesk.

They will have some instructions on what to ask and what information to provide to you.
If they don't provide correct information, 'teach' the helpdesk what they need to ask, and those are the questions you have written down in your post.

To see if your connection gets blocked, you can always use "NETSTAT" to see if there is a connection waiting for the 3-way handshake; if it is not completed, you can assume it is blocked in the FW.

Also think about creating some guidelines for what is allowed for the client and what is not.

For the traceroute, it is a nice tool, but it isn't reliable in every situation. You can have enough ACLs on your Cisco's distribution list to disallow ICMP or whatever; if a device doesn't respond, that doesn't already tell you it drops the IP packets.


@Smurf,

Most firewalls don't accept ping/ICMP to protect against DoS attacks and things like that.
Probably pinging the gateway is more successful and gives you the information 'needed' for basic troubleshooting.

CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA
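Two small helpers that turn the evidence discussed in this thread into a one-line verdict for the ticket: the NETSTAT check Chojin describes (a socket stuck in SYN_SENT means the SYN was never answered) and the traceroute caveat (a silent hop is not proof of a drop, since the hop may just filter ICMP). This is an added example written for this page, not code from any poster; the netstat and traceroute outputs are constructed sample data in Linux format, and the IP addresses are made up.

```shell
#!/bin/sh
# Added example for this thread (not code from any poster): two helpers
# that summarise the raw evidence a helpdesk collects for a firewall ticket.
# All sample outputs below are constructed; addresses are invented.

# Constructed `netstat -an` style output from the client workstation.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.1.1.25:51022         10.2.2.10:443           ESTABLISHED
tcp        0      1 10.1.1.25:51023         10.2.2.11:1433          SYN_SENT
tcp        0      0 10.1.1.25:22            10.1.1.200:55231        ESTABLISHED'

# Constructed traceroute output for a path that goes silent after hop 2.
SAMPLE_TRACE_SILENT='traceroute to 10.2.2.11 (10.2.2.11), 30 hops max, 60 byte packets
 1  10.1.1.1 (10.1.1.1)  0.412 ms  0.398 ms  0.377 ms
 2  172.16.0.1 (172.16.0.1)  1.203 ms  1.190 ms  1.171 ms
 3  * * *
 4  * * *'

# Constructed traceroute output for a path that reaches the destination.
SAMPLE_TRACE_OK='traceroute to 10.2.2.10 (10.2.2.10), 30 hops max, 60 byte packets
 1  10.1.1.1 (10.1.1.1)  0.412 ms  0.398 ms  0.377 ms
 2  172.16.0.1 (172.16.0.1)  1.203 ms  1.190 ms  1.171 ms
 3  10.2.2.10 (10.2.2.10)  2.004 ms  1.987 ms  1.990 ms'

# tcp_attempt_state DEST_IP:PORT  < netstat output
# Prints "open" when the socket is ESTABLISHED, "handshake-pending" when it
# sits in SYN_SENT (the SYN got no answer: dropped somewhere on the path,
# possibly by the firewall) and "no-attempt" when no socket to DEST exists.
tcp_attempt_state() {
    # Column 5 is the foreign address, column 6 the TCP state.
    state=$(awk -v d="$1" '$1 ~ /^tcp/ && $5 == d { print $6; exit }')
    case "$state" in
        ESTABLISHED) echo "open" ;;
        SYN_SENT)    echo "handshake-pending" ;;
        "")          echo "no-attempt" ;;
        *)           echo "other:$state" ;;
    esac
}

# trace_verdict DEST_IP  < traceroute output
# Prints "reached" when the final hop is DEST_IP; otherwise the last hop
# that replied and how many hops after it stayed silent. Silence alone is
# not proof of a drop: the hop may simply have ICMP replies filtered.
trace_verdict() {
    awk -v d="$1" '
        /^ *[0-9]+ / {
            if ($2 == "*") silent++
            else { last = $2; silent = 0 }
        }
        END {
            if (last == d) print "reached"
            else print "last-reply:" last ";silent-hops:" silent
        }'
}

# Stand-alone run: summarise the constructed evidence for the ticket.
printf '%s\n' "$SAMPLE_NETSTAT"      | tcp_attempt_state 10.2.2.11:1433
printf '%s\n' "$SAMPLE_TRACE_SILENT" | trace_verdict 10.2.2.11
```

On a real incident you would pipe the client's actual `netstat -an` and `traceroute` output into these functions instead of the constructed samples; a "handshake-pending" verdict combined with a traceroute that goes silent only tells you where to start looking in the firewall logs, not that the firewall is the culprit.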
15 years 10 months ago #28802 by Smurf
@Smurf,

Most firewalls don't accept ping/ICMP to protect against DoS attacks and things like that.
Probably pinging the gateway is more successful and gives you the information 'needed' for basic troubleshooting.

In normal operation, but in troubleshooting I would turn this on temporarily to ensure packets are being received correctly.

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.