Firewall Fundamentals
This section walks through a simple example of troubleshooting a firewall configuration. Troubleshooting starts with the basic connectivity troubleshooting and escalates upward to more complex issues until the specific problem is identified. As mentioned previously, the first step is to verify the problem that is being reported. Consider, for example, the problem shown in Figure 13-3. The web client behind the firewall is attempting to reach a website across the Internet. For the purposes of this example, we use the site http://www.freeciv.org. Figure 13-3. Troubleshooting Example Topology
Figure 13-4 shows that the connection has failed. This failure could be for a variety of reasons, but suffices as a simple example of troubleshooting the firewall. Figure 13-4. Failed Connection to Website
One of the first steps to take is to test the connectivity. Doing so involves verifying that the firewall is up and running as well as verifying that the Internet connection is working. To verify that the firewall is operational from a hardware perspective requires a physical examination of the firewall device. The firewall power light should be on, and both inside and outside interface indicators should be on. These indicators vary depending on the specific brand of firewall. On the PIX, they are found on the interface ports themselves, as shown by the two arrows in Figure 13-5. Figure 13-5. PIX Interface Indicators
If the firewall is up and functional, the next step is to connect to the firewall and verify that the firewall software has not crashed. You can do so either using the firewall's web interface or by using the command-line interface. Figure 13-6 shows a connection into a firewall and verification that the software is up and running. Figure 13-6. Verifying Firewall Functioning
If the firewall is up and running, the next step is to test the Internet connection on the outside interface of the firewall. You can do this by pinging a system out on the Internet. Doing so is somewhat tricky because many networks filter out unsolicited ICMP requests. However, some of the larger search sites such as Yahoo! and Google do allow unsolicited ICMP requests, as shown in Figure 13-7. Figure 13-7. Testing Internet Connectivity
If pinging an external site is possible, the Internet connection is probably working fine, and the problem may be in the configuration of the firewall. However, before going that far, it would be a good idea to verify that the site being contacted is working. To do this, you need only ping the site and, failing that, connect to the specific application port using Telnet or some other connectivity utility. For web servers, the easiest way to check to determine whether the server is up is to telnet to the web server on TCP port 80, as shown in Figure 13-8. Figure 13-8. Checking Server Connectivity
In this example, the assumption is that the web server is not responding because it does not respond to a ping or to the Telnet connection to the web server port, 80. In more complex cases, you might need to review the firewall configuration to ensure that it is not blocking the traffic unnecessarily. Also, consider that in some cases it is not your end of the connection that may be problematic but the other end. In many cases, you might need to search the vendor's documentation to ensure that the firewall is configured properly or how to turn on the debugging features of the firewall. Like troubleshooting any other problem, troubleshooting a firewall is much an iterative problem. You start with the simple and obvious and work toward the more unique and esoteric if necessary. |
Категории