Firewall Questions and Answers:
========================
What is a Firewall?
A firewall is a device placed between a trusted and an untrusted network. It permits or denies traffic entering or leaving a network based on pre-configured policies. Firewalls protect inside networks from unauthorized access by users on an outside network. A firewall can also protect inside networks from each other, for example by keeping a management network separate from a user network.
What is the difference between Gateway and Firewall?
A gateway joins two networks together; a network firewall protects a network against unauthorized incoming or outgoing access. Network firewalls may be hardware devices or software programs.
Firewalls work at which Layers?
Firewalls work at layers 3, 4 and 7: a packet filter decides on the layer 3 and layer 4 headers, a stateful firewall additionally tracks layer 4 connections, and application inspection looks into layer 7. An ASA in transparent mode also forwards frames at layer 2 (see the transparent firewall questions below).
What is the difference between Stateful & Stateless Firewall?
Stateful firewall - A stateful firewall is aware of the connections that pass through it. It adds and maintains information about each connection in a state table, also referred to as a connection table, and then uses this table to apply the security policy to the connection: a return packet is permitted because it belongs to a connection that was already allowed, not because a separate rule permits it. Examples of stateful firewalls are Cisco PIX, ASA and Check Point.
Stateless firewalls - (Packet Filtering) Stateless firewalls, on the other hand, do not look at the state of connections, only at each packet by itself. Return traffic must therefore be permitted by its own rule; on IOS this is typically the established keyword, which matches any TCP segment with the ACK or RST bit set whether or not an inside host ever opened that connection.
Example of a packet filtering firewall is the extended access control list on a Cisco IOS router.
What information does a Stateful Firewall maintain?
A stateful firewall maintains the following information in its state table:-
1.Source IP address.
2.Destination IP address.
3.IP protocol like TCP, UDP.
4.IP protocol information such as TCP/UDP Port Numbers, TCP Sequence Numbers, and TCP Flags.
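The following is an added example (not code from the original page or from any Cisco product) that puts the two models side by side: a stateless filter that judges each packet against an ACL, and a stateful firewall that keeps the connection-table fields listed above. The Rule class is a simplified stand-in for an IOS extended ACL entry, its established flag behaves like the IOS keyword (matches ACK or RST), and all addresses, ports and flows are constructed. The point it shows: the stateless design must open an "established" hole for replies, and that hole also admits an ACK scan that no inside host ever asked for; the stateful design admits only packets belonging to a connection opened by a permitted SYN.

```python
"""Stateless (ACL-only) filtering next to a stateful connection table.

Added example, not code from the original page or from any Cisco product.
The Rule class is a simplified stand-in for an IOS extended ACL entry
(its `established` flag matches any TCP segment with ACK or RST set, as
the IOS keyword does); addresses, ports and flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SYN, RST, ACK = 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0  # TCP flags, 0 for UDP
    seq: int = 0


@dataclass
class Rule:
    """One permit entry; anything not matched falls to the implicit deny."""
    proto: str
    src: str                       # CIDR
    dst: str                       # CIDR
    dport: Optional[int] = None
    established: bool = False

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto or (self.dport is not None and p.dport != self.dport):
            return False
        if ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return not self.established or bool(p.flags & (ACK | RST))


def acl_permits(acl, p):
    return any(r.matches(p) for r in acl)


class StatelessFilter:
    """Packet filter: every packet is judged by the ACL for its direction alone."""
    def __init__(self, outbound, inbound):
        self.acl = {"out": outbound, "in": inbound}

    def check(self, direction, p):
        return "permit" if acl_permits(self.acl[direction], p) else "deny"


class StatefulFirewall:
    """Connection table keyed by (proto, src, sport, dst, dport), holding the
    last sequence number and the TCP flags seen: the fields the page lists."""
    def __init__(self, outbound, inbound):
        self.acl = {"out": outbound, "in": inbound}
        self.conns = {}

    def check(self, direction, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        entry = self.conns.get(fwd) or self.conns.get(rev)
        if entry is not None:                       # belongs to an allowed connection
            entry["seq"], entry["flags"] = p.seq, entry["flags"] | p.flags
            if p.flags & RST:                       # teardown removes the entry
                self.conns.pop(fwd, None)
                self.conns.pop(rev, None)
            return "permit"
        # Only a TCP SYN or a UDP datagram may open a connection, and only
        # if the ACL for the initiating direction permits it.
        if p.proto == "tcp" and p.flags != SYN:
            return "deny"
        if not acl_permits(self.acl[direction], p):
            return "deny"
        self.conns[fwd] = {"seq": p.seq, "flags": p.flags}
        return "permit"


INSIDE, ANY = "10.1.1.0/24", "0.0.0.0/0"
OUTBOUND = [Rule("tcp", INSIDE, ANY, dport=80)]            # inside users may browse
# The stateless design needs a hole for replies: "established" is that hole.
INBOUND_STATELESS = [Rule("tcp", ANY, INSIDE, established=True)]


def run_scenarios():
    """Returns {scenario: (stateless verdict, stateful verdict)}."""
    stateless = StatelessFilter(OUTBOUND, INBOUND_STATELESS)
    stateful = StatefulFirewall(OUTBOUND, inbound=[])       # no inbound rule needed
    flows = [
        ("client_syn", "out", Packet("tcp", "10.1.1.5", 40000, "203.0.113.10", 80, SYN, 1000)),
        ("server_synack", "in", Packet("tcp", "203.0.113.10", 80, "10.1.1.5", 40000, SYN | ACK, 5000)),
        # An ACK scan: ACK set, but no inside host ever sent a SYN for this flow.
        ("ack_scan", "in", Packet("tcp", "198.51.100.7", 80, "10.1.1.5", 445, ACK)),
        ("inbound_syn", "in", Packet("tcp", "198.51.100.7", 50000, "10.1.1.5", 22, SYN)),
    ]
    return {name: (stateless.check(d, p), stateful.check(d, p)) for name, d, p in flows}


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:14s} stateless={verdicts[0]:6s} stateful={verdicts[1]}")
```

Running it shows both designs agreeing on the legitimate handshake and on the unsolicited inbound SYN, and disagreeing only on the ACK scan, which the stateless established rule permits and the connection table rejects.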
What are the security-levels in Cisco ASA?
ASA uses security levels to determine the trustworthiness of the network attached to each interface. The level is configured between 0 and 100, where a higher number is more trusted than a lower one. By default, on interfaces without an access list, the ASA allows connections to be initiated only from a higher security level to a lower one; the return traffic of those connections is permitted by the connection table, not by a rule.
How can we allow packets from lower security level to higher security level (Override Security Levels)?
We apply an ACL (with the access-group command) to the lower-security interface that permits the traffic, for example an inbound ACL on outside that permits TCP port 80 to a DMZ web server. Once an ACL is applied to an interface it replaces the security-level default for that interface: only what the ACL permits is allowed and everything else hits the implicit deny at the end of the ACL.
How is same Security level traffic allowed or denied in ASA?
By default, traffic between two interfaces that have the same security level is not allowed. To allow it we use the command:-
ASA(config)# same-security-traffic permit inter-interface
The intra-interface keyword of the same command allows traffic to enter and leave through the same interface (for example VPN traffic hairpinning back out).
What is the security level of Inside and Outside Interface by default?
Security level of the inside interface by default is 100. Security level of the outside interface by default is 0. The ASA assigns 100 automatically only to an interface whose nameif is inside; every other interface gets 0 unless a security-level is configured explicitly.
What protocols are inspected by ASA?
By default the ASA tracks TCP and UDP connections statefully in its connection table. Application-layer inspection is applied on top of that by the default global service policy to a set of well-known protocols such as DNS, FTP, SIP and TFTP.
Does ASA inspect ICMP?
No, the ASA does not inspect ICMP by default, so the echo reply to a ping sent from a higher to a lower security interface is dropped unless an ACL permits it back in. Enabling inspect icmp in the policy-map makes ICMP stateful: the reply is matched to its request in the connection table and permitted, while unsolicited ICMP is still dropped.
Explain DMZ (Demilitarized Zone) Server?
If we need some network resources such as a web server or FTP server to be available to outside users, we place these resources on a separate network behind the firewall called a demilitarized zone (DMZ). The firewall allows only limited access to the DMZ, and because the DMZ contains only the public servers, a compromise there is contained to those servers: the firewall policy between the DMZ and the inside network still applies, so the attacker does not get direct access to the inside network.
How does a firewall process a packet?
1.When a packet is received on the ingress interface, the ASA checks whether it matches an existing entry in the connection table. If it does, protocol inspection is carried out on that packet and it is forwarded; the ACL is not consulted again.
2.If it does not match an existing connection and the packet is either a TCP SYN or a UDP packet, the packet is subjected to the ACL checks. The reason it needs to be a TCP SYN is that a SYN is the first packet of the TCP 3-way handshake; any other TCP packet that is not part of an existing connection is out of state (for example an ACK scan) and is dropped.
3.If the packet is allowed by the ACL and also matches the translation rules, it goes through protocol inspection.
4.Then the IP header is translated if NAT is used. If the NAT rule specifies an egress interface, the ASA virtually forwards the packet to that interface and then performs a route lookup.
5.If a route is found out the egress interface, the Layer 2 header of the packet is rewritten, a connection entry is created, and the packet is forwarded out the egress interface.
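The following is an added example (not Cisco code or the page's own) that chains the steps above into a small model and uses the security-level rules from the earlier questions as the policy applied when an interface has no ACL: connection-table lookup first, then the SYN/UDP check for a new flow, then ACL or security-level check, route lookup and forwarding. NAT is left out to keep the path short, and the interface names, levels, routes, addresses and the one ACL are constructed. It demonstrates the default higher-to-lower rule, the ACL override on the outside interface, the implicit deny that comes with that ACL, same-security traffic, and why return traffic and an ACK scan are treated so differently.

```python
"""Connection setup through an ASA-style firewall, as a toy model.

Added example, not Cisco code or the page's own. It chains the steps the
page lists (connection-table lookup, TCP-SYN/UDP check for a new flow,
ACL or security-level check, route lookup, forwarding). NAT is omitted.
Interface names, levels, addresses, routes and the ACL are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

SYN, ACK = 0x02, 0x10


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: int = 0


@dataclass
class Interface:
    name: str
    security_level: int
    acl: Optional[list] = None   # None = no access-group bound; levels decide


def acl_permits(acl, p):
    """Entries are (proto, dst_cidr, dport); the ACL ends with an implicit deny."""
    return any(p.proto == proto and p.dport == dport
               and ipaddress.ip_address(p.dst) in ipaddress.ip_network(dst)
               for proto, dst, dport in acl)


class Asa:
    def __init__(self, interfaces, routes, same_security_inter=False):
        self.ifaces = {i.name: i for i in interfaces}
        # routes are (prefix, egress interface); the longest prefix is tried first
        self.routes = sorted(((ipaddress.ip_network(n), e) for n, e in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        self.same_security_inter = same_security_inter  # same-security-traffic permit inter-interface
        self.conns = set()

    def route_lookup(self, dst):
        ip = ipaddress.ip_address(dst)
        return next((e for net, e in self.routes if ip in net), None)

    def process(self, ingress, p):
        """Returns (verdict, trace) for one packet arriving on `ingress`."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.conns or rev in self.conns:
            return "permit", ["conn-table hit: inspect and forward"]
        trace = ["conn-table miss"]
        if p.proto == "tcp" and p.flags != SYN:
            return "deny", trace + ["drop: TCP non-SYN with no connection"]
        # Egress is resolved before the policy check because the
        # security-level comparison needs the level on both sides.
        egress = self.route_lookup(p.dst)
        if egress is None:
            return "deny", trace + ["drop: no route"]
        trace.append(f"route lookup: egress {egress}")
        ing = self.ifaces[ingress]
        if ing.acl is not None:          # a bound ACL replaces the security-level default
            ok = acl_permits(ing.acl, p)
            trace.append(f"ACL on {ingress}: {'permit' if ok else 'implicit deny'}")
        else:
            lo, hi = ing.security_level, self.ifaces[egress].security_level
            ok = lo > hi or (lo == hi and self.same_security_inter)
            trace.append(f"security level {lo} -> {hi}: {'permit' if ok else 'deny'}")
        if not ok:
            return "deny", trace
        self.conns.add(fwd)
        return "permit", trace + [f"conn created; L2 header rewritten; out {egress}"]


def scenarios():
    """Constructed topology: inside(100), dmz(50), dmz2(50), outside(0)."""
    asa = Asa([Interface("inside", 100), Interface("dmz", 50),
               Interface("dmz2", 50), Interface("outside", 0)],
              [("10.1.0.0/16", "inside"), ("192.168.10.0/24", "dmz"),
               ("192.168.20.0/24", "dmz2"), ("0.0.0.0/0", "outside")])

    def tcp(iface, src, sport, dst, dport, flags=SYN):
        return asa.process(iface, Packet("tcp", src, sport, dst, dport, flags))[0]

    v = {}
    v["inside_to_outside"] = tcp("inside", "10.1.1.5", 40000, "203.0.113.10", 80)
    v["return_to_inside"] = tcp("outside", "203.0.113.10", 80, "10.1.1.5", 40000, SYN | ACK)
    v["outside_to_dmz_no_acl"] = tcp("outside", "198.51.100.7", 50000, "192.168.10.80", 80)
    v["dmz_to_inside"] = tcp("dmz", "192.168.10.80", 40000, "10.1.1.5", 445)
    v["dmz_to_dmz2_default"] = tcp("dmz", "192.168.10.80", 40001, "192.168.20.5", 80)
    # Override the levels: bind an ACL on outside that admits HTTP to the DMZ web server only.
    asa.ifaces["outside"].acl = [("tcp", "192.168.10.80/32", 80)]
    v["outside_to_dmz_acl"] = tcp("outside", "198.51.100.7", 50001, "192.168.10.80", 80)
    v["outside_to_dmz_ssh"] = tcp("outside", "198.51.100.7", 50002, "192.168.10.80", 22)
    v["outside_ack_scan"] = tcp("outside", "198.51.100.7", 50003, "192.168.10.80", 80, ACK)
    asa.same_security_inter = True       # same-security-traffic permit inter-interface
    v["dmz_to_dmz2_permitted"] = tcp("dmz", "192.168.10.80", 40002, "192.168.20.5", 80)
    return v
```

The trace returned by process() is the part worth reading when a flow is unexpectedly dropped: it tells you whether the packet died at the connection table (out-of-state TCP), at routing, at the interface ACL, or at the security-level comparison, which is the same order of questions to ask when working through packet-tracer output on a real unit.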
What are the default values for timeout of TCP session, UDP session, ICMP session?
TCP session (timeout conn) - 60 minutes
UDP session (timeout udp) - 2 minutes
ICMP session (timeout icmp) - 2 seconds
These are idle timers: a connection is removed from the connection table when no packet has matched it for that long.
Explain TCP Flags?
While troubleshooting TCP connections through the ASA, the connection flags shown for each entry in the show conn output describe the state of that connection as the ASA sees it. For example, U means the connection is up (handshake completed) and I and O mean inbound and outbound data have been seen, so UIO is a healthy established connection, whereas a connection that stays at saA has sent its SYN and is still waiting for the SYN-ACK, which usually points to a routing or return-path problem.
What is the command to see timeout timers?
# sh run timeout
What is the command to check connection table?
# sh conn
How does ASA work in reference to Traceroute?
By default the ASA does not decrement the TTL of packets passing through it, so it does not appear as a hop in traceroute output and does not reveal itself to outside hosts. Decrementing can be turned on per traffic class with set connection decrement-ttl in a policy-map. For a traceroute from the inside to work through the ASA, the ICMP time-exceeded and unreachable messages coming back must also be permitted (by an ACL or ICMP inspection).
What if we apply ACL as global in ASA?
A global ACL (access-group <name> global) is applied in the inbound direction on all interfaces. It is evaluated after the interface-specific inbound ACL, and the implicit deny sits at the end of the global ACL rather than after each interface ACL, so traffic not matched by an interface ACL falls through to the global rules. Global access rules were introduced in ASA 8.3 and are not available in 8.2.
What is the difference in ACL on ASA than on Router?
On an IOS router, removing one entry of a numbered ACL with no access-list <number> ... removes the whole ACL (named ACLs on IOS can be edited line by line). On the ASA, no access-list <name> <entry> removes only that access control entry and the rest of the ACL stays in place. ASA ACLs also use normal subnet masks rather than the wildcard masks used on IOS.
Name some concepts that cannot be configured on ASA?
Line VTY cannot be configured on ASA; remote management access is permitted per source network and interface with the ssh, telnet and http commands instead.
Wildcard mask concept is not present in ASA; ACLs use subnet masks.
Loopback cannot be configured on ASA.
What is the command to capture packets in ASA?
To capture packets on the inside interface:- # capture abc interface inside
To see it:- # sh capture abc
Without a match or access-list keyword the capture records every packet on that interface, so on a busy interface restrict it to the flow of interest.
What is the command to enable HTTP on ASA?
# http server enable
This starts the HTTPS server used by ASDM; which hosts may connect, and on which interface, must still be permitted with the http command.
How to give static route on ASA?
# route outside <Destination IP> <Subnet Mask> <Next Hop>
How to give default route on ASA?
# route outside 0 0 <Next Hop>
Here 0 0 is shorthand for 0.0.0.0 0.0.0.0.
What are the different types of ACL in Firewall?
1.Standard ACL
2.Extended ACL
3.Ethertype ACL (Transparent Firewall)
4.Webtype ACL (SSL VPN)
What is Transparent Firewall?
In transparent mode the ASA acts as a Layer 2 device, like a bridge or switch, and forwards Ethernet frames based on destination MAC address, while still applying its security policy to the IP traffic it bridges.
What is the need of Transparent Firewall?
Deploying a new firewall into an existing network can be complicated because of IP readdressing, topology changes, the existing firewall and so on. A transparent firewall can be inserted into an existing segment and control the traffic between its two sides without readdressing or reconfiguring the attached devices.
What are the similarities between switch and ASA (in Transparent mode)?
Both learn which MAC addresses are reachable through which interface and store them in a local MAC address table.
What are the differences between switch and ASA (in Transparent mode)?
The ASA does not flood unknown unicast frames whose destination MAC is not in its MAC address table.
The ASA does not participate in STP.
A switch processes traffic at layers 1 and 2, while the ASA in transparent mode still applies its layer 3 to layer 7 security policy to the IP traffic it bridges.
What are the features that are not supported in Transparent mode?
1.Dynamic Routing.
2.Multicasting.
3.QOS.
4.VPNs like IPSec and WebVPN cannot be terminated.
5.ASA cannot act as DHCP relay agent.
Explain Ether-Type ACL?
In transparent mode, IP traffic is controlled by security levels and extended ACLs just as in routed mode, but all non-IP traffic is denied by default. We create an EtherType ACL and apply it to an interface to allow non-IP traffic such as BPDUs or IPX. EtherType ACLs control only non-IP frames; they cannot permit or deny IP traffic.
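The following is an added example (not Cisco code or the page's own) that models a learning switch and a transparent-mode ASA on the same two-port segment, covering the similarities and differences listed above and the EtherType ACL behaviour: both learn source MACs, the switch floods unknown unicast and passes every frame type, while the transparent firewall drops unknown unicast instead of flooding, takes no part in STP, denies non-IP frames unless an EtherType ACL permits that type, and still applies a layer 3 policy to the IP frames it bridges. The MACs, the frame-type labels (which stand in for real EtherType values) and the policy are constructed.

```python
"""A learning switch next to an ASA in transparent mode, as a toy model.

Added example, not Cisco code or the page's own. MACs, frame types and
the IP policy are constructed; the frame-type labels stand in for real
EtherType values.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    ftype: str      # "ipv4", "arp", "bpdu", "ipx", ...


def is_group_address(mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(mac.split(":")[0], 16) & 1 == 1


class L2Device:
    def __init__(self, ports):
        self.ports = list(ports)
        self.mac_table = {}                  # MAC -> port it was learned on

    def learn(self, ingress, f):
        self.mac_table[f.src_mac] = ingress

    def other_ports(self, ingress):
        return [p for p in self.ports if p != ingress]


class Switch(L2Device):
    def forward(self, ingress, f):
        self.learn(ingress, f)
        if is_group_address(f.dst_mac) or f.dst_mac not in self.mac_table:
            return self.other_ports(ingress)     # flood
        return [self.mac_table[f.dst_mac]]


class TransparentAsa(L2Device):
    def __init__(self, ports, ethertype_acl=(), ip_policy=None):
        super().__init__(ports)
        self.ethertype_acl = set(ethertype_acl)      # permitted non-IP frame types
        self.ip_policy = ip_policy or (lambda ingress, f: True)

    def forward(self, ingress, f):
        self.learn(ingress, f)
        if f.ftype == "ipv4":
            if not self.ip_policy(ingress, f):       # layer 3+ policy still applies
                return []
        elif f.ftype != "arp" and f.ftype not in self.ethertype_acl:
            return []                                # non-IP denied by default (BPDUs too)
        if is_group_address(f.dst_mac):
            return self.other_ports(ingress)
        if f.dst_mac not in self.mac_table:
            return []                                # unknown unicast: no flooding
        return [self.mac_table[f.dst_mac]]


A, B, C = "00:11:22:33:44:aa", "00:11:22:33:44:bb", "00:11:22:33:44:cc"
BROADCAST, STP_GROUP = "ff:ff:ff:ff:ff:ff", "01:80:c2:00:00:00"


def scenarios():
    """Returns {scenario: (switch output ports, ASA output ports)}."""
    ports = ["inside", "outside"]
    sw = Switch(ports)
    # Policy stand-in for security levels: only inside may initiate IP traffic.
    asa = TransparentAsa(ports, ip_policy=lambda ingress, f: ingress == "inside")
    steps = [
        ("arp_bcast_from_outside", "outside", Frame(B, BROADCAST, "arp")),
        ("ip_to_unknown_mac", "inside", Frame(A, C, "ipv4")),
        ("ip_inside_to_outside", "inside", Frame(A, B, "ipv4")),
        ("ip_outside_to_inside", "outside", Frame(B, A, "ipv4")),
        ("bpdu_no_acl", "inside", Frame(A, STP_GROUP, "bpdu")),
    ]
    out = {n: (sw.forward(i, f), asa.forward(i, f)) for n, i, f in steps}
    asa.ethertype_acl.add("bpdu")            # access-list ... ethertype permit bpdu
    f = Frame(A, STP_GROUP, "bpdu")
    out["bpdu_with_acl"] = (sw.forward("inside", f), asa.forward("inside", f))
    f = Frame(A, B, "ipx")
    out["ipx_no_acl"] = (sw.forward("inside", f), asa.forward("inside", f))
    return out
```

Note the practical consequence of the BPDU case: when the transparent ASA sits between two switches and no EtherType ACL permits bpdu, the switches on either side cannot see each other's spanning tree, which is exactly the situation that produces loops if there is any second path between them.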
What is the command to convert ASA into Transparent mode?
# firewall transparent
What is the command to see mode (routed or transparent)?
# sh firewall
Explain Failover?
Failover is a Cisco proprietary feature used to provide redundancy. It requires two identical ASAs connected to each other through a dedicated failover link. The health of the units and of their active interfaces is monitored to determine whether a failover should occur.
What are the types of Failover?
1.Active/Standby Failover.
2.Active/Active Failover.
What information is exchanged between ASAs over a Failover link?
1.State - Active or standby.
2.Hello Messages.
3.Network Link Status.
4.Mac Addresses.
5.Configuration Replication and Synchronization.
What is the difference between Stateful failover and Stateless failover?
Stateless Failover - When failover occurs all active connections are dropped. Clients need to re-establish their connections when the new active unit takes over.
Stateful Failover - The active unit continually passes per-connection state information to the standby unit over a stateful failover link (which can be the failover link itself or a separate interface). After a failover occurs, the same connection information is available on the new active unit, so clients are not required to reconnect to keep the same session.
What Information does the Active unit pass to the standby unit in Stateful Failover?
NAT translation table, TCP connection states, the ARP table, the Layer 2 bridge table (when running in transparent firewall mode), ICMP connection state, etc. HTTP connections are not replicated unless failover replication http is configured.
What are the Failover Requirements between two devices?
Hardware Requirements - The two units in a failover configuration must be the same model and have the same number and types of interfaces and the same amount of RAM.
Software Requirements - The two units in a failover configuration must be in the same operating modes (routed or transparent, single or multiple context). They must have the same software version.
Explain Active/Standby Failover?
In Active/Standby Failover, one unit is the active unit which passes traffic. The standby unit does not actively pass traffic. When failover occurs, the active unit fails over to the standby unit, which then becomes active. We can use Active/Standby Failover for ASAs in both single and multiple context mode.
Explain Active/Active Failover?
It is only available for ASAs in multiple context mode. In an Active/Active Failover configuration, both ASAs can pass network traffic. In Active/Active Failover, we divide the security contexts on the ASA into failover groups. A failover group is simply a logical group of one or more security contexts. Each group is assigned to be active on a specific ASA in the failover pair. When failover occurs, it occurs at the failover group level.
What is the command to enable Failover?
# failover
What is the command to see Failover?
# sh failover
Explain Unit Health Monitoring in Failover? How does Failover occur?
Each ASA unit determines the health of the other unit by monitoring the failover link. When a unit does not receive three consecutive hello messages on the failover link, it sends hello messages on each interface, including the failover interface, to find out whether or not the other unit is responsive.
Based upon the response from the other unit it takes the following actions:-
1.If the ASA receives a response on the failover interface, then it does not fail over.
2.If the ASA does not receive a response on the failover link, but it does receive a response on another interface, then the unit does not fail over. The failover link is marked as failed.
3.If the ASA does not receive a response on any interface, then the standby unit switches to active mode and classifies the other unit as failed.
How is the active unit determined in Active/Standby Failover?
1.If a unit boots and detects another unit already running as active, it becomes the standby unit.
2.If a unit boots and does not detect an active unit, it becomes the active unit.
3.If both units boot simultaneously, then the primary unit becomes the active unit, and the secondary unit becomes the standby unit.
Name some commands replicated to standby unit?
All configuration commands are replicated to the standby unit except mode, firewall, and failover lan unit. The following are also replicated:
# copy running-config startup-config
# write memory
Name some commands that are not replicated to standby unit?
All forms of the copy command except # copy running-config startup-config
All forms of the write command except # write memory
Explain Active/Standby Failover & Active/Active Failover in terms of preemption?
In Active/Standby Failover there is no preemption: when the failed unit recovers it comes back as standby and stays there until another failover occurs or an administrator forces the roles with the failover active command.
In Active/Active Failover preemption is optional and is configured per failover group with the preempt command, so a group returns to its preferred unit once that unit is healthy again.
Explain Security Context?
We can partition a single ASA into multiple virtual devices, known as security contexts. Each context acts as an independent device, with its own security policy, interfaces, and administrators. Multiple contexts are similar to having multiple standalone devices.
What features are supported in multiple context mode?
Routing tables, Firewall features, IPS, and Management.
What features are not supported in multiple context mode?
VPN and Dynamic Routing Protocols.
Explain System area?
When we boot up in multiple mode from the CLI, we are taken into the system area. The system area is used to create and manage the contexts, configure the physical properties of the interfaces, create VLANs for trunking, and create resource classes to restrict the system resource usage of each context.
What is the admin context?
When the appliance boots up in multiple mode, one context is automatically created, called the admin context, which defaults to being the administrative context. Any context can be made the administrative context, but one of the contexts on the appliance must be. An "*" beside a context name in the show context output indicates that the context is the administrative context.
How does ASA classify packets?
The ASA decides which context processes an incoming packet as follows:-
1.Unique Interfaces - If only one context is associated with the ingress interface, the ASA classifies the packet into that context.
2.Unique MAC Addresses - If multiple contexts share an interface, then the destination MAC address is used as the classifier. ASA lets us assign a different MAC address in each context to the same shared interface. By default, shared interfaces do not have unique MAC addresses. We can set the MAC addresses manually or generate them automatically with the # mac-address auto command.
3.NAT Configuration - If we do not use unique MAC addresses, then the mapped addresses in our NAT configuration are used to classify packets.
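The following is an added example (not Cisco code or the page's own) that applies the three classifiers above in order: a unique ingress interface, then a unique MAC on a shared interface, then the NAT mapped addresses each context owns. The context names, interfaces, MACs and addresses are constructed. It shows why a shared interface without mac-address auto falls back to NAT, why a packet that fits no mapped address is simply dropped, and why, once each context has its own MAC, the MAC decides even when the destination IP belongs to another context's NAT.

```python
"""Classifying an incoming packet to a security context, as a toy model.

Added example, not Cisco code or the page's own. Context names,
interfaces, MAC addresses and mapped addresses are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Context:
    name: str
    interfaces: set
    macs: dict = field(default_factory=dict)          # shared interface -> this context's MAC
    mapped_addrs: set = field(default_factory=set)    # NAT mapped (global) addresses


def classify(contexts, ingress, dst_mac, dst_ip):
    """Returns (context name or None, classifier that decided)."""
    cands = [c for c in contexts if ingress in c.interfaces]
    if len(cands) == 1:
        return cands[0].name, "unique interface"
    by_mac = [c for c in cands if c.macs.get(ingress) == dst_mac]
    if len(by_mac) == 1:
        return by_mac[0].name, "unique MAC"
    by_nat = [c for c in cands if dst_ip in c.mapped_addrs]
    if len(by_nat) == 1:
        return by_nat[0].name, "NAT mapped address"
    return None, "unclassified, dropped"


SHARED_MAC = "00:a0:c9:00:00:01"          # the interface's own burned-in MAC


def scenarios():
    cust_a = Context("custA", {"g0/1"})                       # only context on g0/1
    cust_b = Context("custB", {"g0/0"}, mapped_addrs={"203.0.113.10"})
    cust_c = Context("custC", {"g0/0"}, mapped_addrs={"203.0.113.20"})
    ctxs = [cust_a, cust_b, cust_c]
    out = {}
    out["unique_interface"] = classify(ctxs, "g0/1", SHARED_MAC, "10.9.9.9")
    # g0/0 is shared; without mac-address auto both contexts answer to the same MAC,
    # so the mapped NAT addresses decide.
    out["shared_by_nat"] = classify(ctxs, "g0/0", SHARED_MAC, "203.0.113.20")
    out["shared_no_match"] = classify(ctxs, "g0/0", SHARED_MAC, "203.0.113.99")
    # With mac-address auto (or manual MACs) each context owns a distinct MAC on g0/0.
    cust_b.macs["g0/0"] = "a2:00:00:00:00:0b"
    cust_c.macs["g0/0"] = "a2:00:00:00:00:0c"
    out["shared_by_mac"] = classify(ctxs, "g0/0", "a2:00:00:00:00:0c", "203.0.113.10")
    return out
```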
What is the command to switch to multiple context Mode?
# mode multiple
After entering this command the appliance reboots itself and the current configuration is automatically backed up to flash, in case we want to switch back to single mode. The file is called "old_running.cfg".
What is the command to switch back to single mode?
# mode single
What are the different types of NAT in ASA?
Static NAT - A consistent mapping between a real and a mapped IP address. It allows bidirectional traffic initiation.
Dynamic NAT - A group of real IP addresses is mapped to a (usually smaller) group of mapped IP addresses on a first come first served basis. It allows only unidirectional traffic initiation.
Dynamic Port Address Translation (PAT) - A group of real IP addresses is mapped to a single IP address, each connection being distinguished by a unique source port on that address.
Identity NAT - A real address is statically translated to itself, essentially bypassing NAT.
What is Policy NAT?
Policy NAT allows you to NAT by specifying both the source and destination addresses in an extended access list. We can also optionally specify the source and destination ports. Regular NAT can only consider the source address, not the destination address.
In Static NAT it is called Static Policy NAT.
In Dynamic NAT it is called Dynamic Policy NAT.
Give the order of preference between different types of NAT?
This ordering applies to the pre-8.3 NAT configuration model (nat/global/static commands); from 8.3 onwards the NAT table is ordered in three sections, as described below.
1.NAT exemption (nat 0 access-list).
2.Existing translation in xlate.
3.Static NAT
- Static Identity NAT
- Static Policy NAT
- Static NAT
- Static PAT
4.Dynamic NAT
- NAT Zero (nat 0)
- Dynamic Policy NAT
- Dynamic NAT
- Dynamic PAT
What is the difference between Auto NAT & Manual NAT?
Auto NAT (Network Object NAT) - It only considers the source address while performing NAT, so Auto NAT is only used for plain static or dynamic NAT. Auto NAT is configured within a network object.
Manual NAT (Twice NAT) - Manual NAT considers either only the source address or the source and destination address while performing NAT. It can be used for almost all types of NAT, like NAT exemption, policy NAT, etc. Unlike Auto NAT, which is configured within an object, Manual NAT is configured directly from global configuration mode.
Give NAT Order in terms of Auto NAT & Manual NAT?
The NAT table is ordered in 3 sections and the first matching rule wins.
Section 1 – Manual NAT
Section 2 – Auto NAT
Section 3 – Manual NAT After-Auto
Sections 1 and 3 are evaluated in the order the rules were configured (their line numbers). Within section 2 the ASA orders the rules itself: static rules before dynamic rules, then objects with fewer real addresses first, then the lowest real IP address first, then alphabetically by object name. Because a section 1 rule shadows everything below it, general manual rules that should not take precedence over object NAT belong in section 3.
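The following is an added example (not Cisco code or the page's own) that builds the three-section table and walks it, covering both the Auto/Manual NAT distinction and the ordering above: a section 1 twice-NAT identity rule (the 8.3+ way of expressing NAT exemption, keyed on source and destination), section 2 auto NAT rules sorted static-first then most-specific-first, and a section 3 catch-all PAT. The rule classes, objects and addresses are constructed stand-ins for network-object and twice-NAT configuration, not real command syntax.

```python
"""Building and walking the three-section NAT table, as a toy model.

Added example, not Cisco code or the page's own. Rule classes, objects
and addresses are constructed stand-ins for object NAT and twice NAT.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class AutoNat:
    obj_name: str
    real: str          # real CIDR (the network object)
    mapped: str        # mapped CIDR for static, single address for dynamic PAT
    static: bool


@dataclass
class ManualNat:
    real_src: str
    mapped_src: str
    real_dst: Optional[str] = None     # None: source-only rule (matches any destination)
    static: bool = True
    after_auto: bool = False


def in_net(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def map_static(ip, real, mapped):
    """One-to-one: keep the host offset inside the real prefix."""
    rn, mn = ipaddress.ip_network(real), ipaddress.ip_network(mapped)
    return str(mn.network_address + (int(ipaddress.ip_address(ip)) - int(rn.network_address)))


def auto_sort_key(r):
    """Section 2 order: static first, fewer real addresses, lowest address, object name."""
    net = ipaddress.ip_network(r.real)
    return (0 if r.static else 1, net.num_addresses, int(net.network_address), r.obj_name)


def build_table(manual, auto):
    s1 = [(1, r) for r in manual if not r.after_auto]      # configured order
    s2 = [(2, r) for r in sorted(auto, key=auto_sort_key)]  # sorted by the ASA
    s3 = [(3, r) for r in manual if r.after_auto]          # configured order
    return s1 + s2 + s3


def lookup(table, src, dst):
    """First matching rule wins; returns (section, rule label, mapped source)."""
    for section, r in table:
        if isinstance(r, ManualNat):
            if in_net(src, r.real_src) and (r.real_dst is None or in_net(dst, r.real_dst)):
                mapped = map_static(src, r.real_src, r.mapped_src) if r.static else r.mapped_src
                return section, f"manual {r.real_src}->{r.mapped_src}", mapped
        elif in_net(src, r.real):
            mapped = map_static(src, r.real, r.mapped) if r.static else r.mapped
            return section, f"auto {r.obj_name}", mapped
    return None, "no rule", src


def scenarios():
    auto = [
        AutoNat("inside-net", "10.1.0.0/16", "203.0.113.1", static=False),   # dynamic PAT
        AutoNat("web-server", "10.1.1.80/32", "203.0.113.80/32", static=True),
        AutoNat("dmz-net", "192.168.10.0/24", "203.0.113.2", static=False),
    ]
    manual = [
        # Identity NAT for traffic to the VPN peer network: the 8.3+ form of NAT exemption.
        ManualNat("10.1.0.0/16", "10.1.0.0/16", real_dst="10.2.0.0/16"),
        # Catch-all PAT placed after auto NAT so it never shadows the object rules.
        ManualNat("0.0.0.0/0", "203.0.113.3", static=False, after_auto=True),
    ]
    table = build_table(manual, auto)
    return {
        "section2_order": [r.obj_name for s, r in table if s == 2],
        "web_to_vpn_peer": lookup(table, "10.1.1.80", "10.2.5.5"),
        "web_to_internet": lookup(table, "10.1.1.80", "198.51.100.1"),
        "user_to_internet": lookup(table, "10.1.1.5", "198.51.100.1"),
        "other_to_internet": lookup(table, "172.16.0.9", "198.51.100.1"),
    }
```

The web server case is the one to remember: to the VPN peer it is section 1 identity NAT and keeps its real address, to the Internet the same host is caught by the section 2 static rule before the broader inside-net PAT, because the sort puts the single-address static object ahead of the /16 dynamic one regardless of the order they were configured.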
What are the commands to see NAT Translations?
# sh xlate
# sh nat
What is the command to see both NAT Table and Connection Table?
# sh local-host