Thursday, June 3, 2021

Security Policy Testing on PaloAlto Firewall

Firewalls in a live environment are always subject to configuration change: hosts get added to new policies and removed later, or end up in more than one security policy at the same time. Sooner or later this causes problems, especially when the rule hits are not what was intended and a server or IP loses access to the Internet or the DMZ.

Here we will see how to find out whether the same host was added to more than one security rule by simulating a flow through the rulebase, which is similar, to some extent, to the packet tracer on Cisco ASA firewalls.

How do you test your configuration for a specific host to see which policy it will hit?

What if the host is used in more than one security policy?


How do you know if there is a conflict for the same host?

 

There are two ways to run the same test:

A.    Go to Device > Troubleshooting

B.    Go to Policies > Security and select “Test Policy”, which can be found in the bar at the bottom of the page

 

Both of these options will do the same thing.

 

So let’s see how it works.

Using option B, click the Test Policy option, which you can see at the bottom right corner of the screen.

Then fill in the details:

1. Source zone (Inside, Outside, DMZ); in our case it is Inside

2. Destination zone (Inside, Outside, DMZ); in our case it is Outside

3. Protocol type (TCP, UDP, ICMP); for this example we are going to use ICMP

Once you select ICMP, the destination port is no longer needed, since ICMP has no ports.


As you can see below, our source is a host that was previously added to a security rule named DIRECT-INTERNET-ACCESS; the IP address of this host is 10.211.112.2.

The destination in our test is Google's public DNS server, 8.8.8.8.


There is another useful option that can be seen in the screen below:

"Show all potential match rules until first allow rule"

Without it, the test returns only the first rule the traffic hits, exactly as the firewall would evaluate it. With it, the test lists every rule the traffic could match, in rulebase order, and stops at the first allow rule. This is the option that reveals a host sitting in more than one rule, because any deny placed above the intended allow shows up in the list.


Once you have entered all the details as in the screen, scroll down to the "Execute" button and press it. Right away you will see the "test result" showing the matching rule, Direct-Internet-Access.

Now select this rule and check its "result details" tab on the right.

Scroll down to the end; there you can see whether the Action is "allow" or "deny",

and whether the rule Type is "interzone" or "universal" (an interzone rule only matches traffic crossing from one zone to another, while a universal rule also matches traffic staying within a zone).




You can then see whether the same host IP is duplicated in another rule that gets the hit first and prevents the host from working the way it was intended, and resolve the misconfiguration by reordering or tightening the rules.



Hope this was useful!


Samer R. Saleem


