One of the more difficult skills to cultivate is troubleshooting problems related to your firewall or firewall implementation. The difficulty arises because firewalls, by design, tend to manipulate network traffic significantly, which makes it hard to determine whether an anomaly you are seeing is an actual problem or the intended behavior of the firewall. For example, many firewalls are designed by default not to respond to Internet Control Message Protocol (ICMP) ping packets. Therefore, if you ping the firewall to troubleshoot a problem and do not get a response, it can be difficult to determine whether the lack of a response is indeed a problem or is occurring by design.

Although how you troubleshoot a firewall might be unique to your individual implementation (that is, if your firewall does not allow ICMP, you cannot use ICMP as part of your troubleshooting), a relatively common list of tasks can assist in troubleshooting problems regardless of the firewall vendor or implementation. For example, all firewalls have rulesets to permit/deny traffic. How those rulesets are manipulated is unique to each firewall, but the need to review them when troubleshooting connectivity issues holds regardless of firewall vendor or implementation. Therefore, it is a good idea to develop a troubleshooting checklist to guide you through the process of troubleshooting your firewalls and firewall implementations. This chapter presents a troubleshooting checklist and covers techniques for using that list to troubleshoot specific situations.