2 Replies Latest reply on Feb 13, 2012 4:04 PM by sliedl

    difference between proxy, packet filter, app defence and Log interpretation.

      Hi all,

      Pardon my noobness. I would like to seek some expertise in clearing some of my doubts in the following queries.


      1. What is the difference between ping (Ping proxy), icmp (other packet filtering protocol), icmp (ICMP packet filtering protocol)? Which is the correct service type to set up if I want to permit icmp ping in my firewall?

                - I have a situation where my ping from source to destination was not successful when using (ping proxy) and (icmp packet filtering protocol). However, when I switch to (other packet filtering protocol), the ping went through.


      2. How is the audit viewing being interpreted? Do the colour codes mean anything? How can I differentiate “allowed” traffic from “denied” traffic?

      - For example, I have a log which states “warning (orange colour code) and the remarks was that the protocol used is not supported on IPv4”, so is it allowed or denied?

      Would be good if someone can point me to some documentation and KBs online.



        • 1. Re: difference between proxy, packet filter, app defence and Log interpretation.
          PhilM

          I think the key piece of information we need here is the direction of the ping request. Where are you trying to ping from and what is it you are trying to ping?


          Is it outbound (internal -> external or internal -> DMZ) or is it inbound (DMZ -> Internal)?


          In the 10+ years I have been working with this Firewall I have encountered very few situations where the ping proxy hasn't done exactly as intended. In fact I don't think that I've ever had to resort to using either of the other two methods.


          If you are trying to ping from an external (untrusted or internet) source on a public IP address and the destination is a host sitting inside the Firewall's external boundary and is using a private address (requiring a redirect address to be used in the rule) then I doubt that will ever work at all. It certainly never has for me. You can't ping inbound from an external (or possibly DMZ) source to an internal host unless the addresses on each side are routable.


          The colours in the log files do give you a hint as to what is going on. While there are many different audit record types (and I'd suggest that the Admin Guide is the best place to look for a more detailed description) I generally look out for any one of the following:


          • ACL Allow
          • Nettraffic
          • ACL Deny
          • Protocol Violation


          You'll generally find the ACL Allow and Nettraffic records will appear in green or blue and these indicate positive actions on the Firewall (ACL Allow - a packet has triggered a rule with an "allow" action. Nettraffic - normally what you'll see as a result of an ACL Allow).


          ACL Deny & Protocol Violation will generally present themselves in orange/amber and/or red and are normally fairly easy to spot (if most of your traffic is being allowed, of course!) in between the green and blue entries.


          ACL Deny entries, hopefully, speak for themselves. This is where a rule has been triggered with an explicit "Deny" action or where a connection has fallen all the way through the rule set and has hit "Deny All". Protocol Violations generally appear when a connection has been initially permitted, but the Firewall has inspected the packets and discovered that the connection does not conform to the protocol standard. This is generally associated with the protocols for which you will find explicit Application Defense categories (HTTP, FTP, SMTP, etc.). Create a rule to allow the "http" service and then try to pass another protocol through on TCP port 80 - this will generate a protocol violation.


          If you see ACL Deny or Protocol Violation entries in the audit viewer window you can double-click on them to get a detailed view of the audit record in question. This will contain details such as source, destination and protocol. But, it should also contain the name of the ACL (rule) which is behind the decision and also a more verbose reason field trying to explain why this situation has occurred.


          Hope this helps.


          -Phil.
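The following is an added example, not code from the thread or from the firewall vendor, that turns Phil's reading of the audit viewer into a small triage script: it parses audit records, maps the four record types he lists (ACL Allow, Nettraffic, ACL Deny, Protocol Violation) to an allowed/denied verdict and the colour band he describes, and pulls out the ACL name and reason field for every denied entry, which is what he suggests looking at first. The key=value line format and the sample records are constructed for this example; the real audit export format is not shown on the page. Record types outside Phil's list (such as the "protocol not supported on IPv4" warning in the question) are reported as "unknown" so that the reader opens the record and reads the reason field rather than judging from the colour alone.

```python
"""Triage firewall audit records by record type (added example, not from the thread).

The key=value line format below is a constructed stand-in for the real audit
export; only the record-type names come from the thread.
"""
import re
from collections import Counter

# Record types listed in the reply, the verdict each implies and the colour
# band the reply says they normally appear in.
RECORD_TYPES = {
    "ACL Allow": ("allowed", "green/blue"),
    "Nettraffic": ("allowed", "green/blue"),
    "ACL Deny": ("denied", "orange/red"),
    "Protocol Violation": ("denied", "orange/red"),
}

# Constructed sample audit extract (hypothetical format: key=value pairs,
# values with spaces quoted).
SAMPLE_AUDIT = """\
type="ACL Allow" src=10.1.1.5 dst=192.0.2.10 proto=icmp acl="Allow_Ping_Out"
type="Nettraffic" src=10.1.1.5 dst=192.0.2.10 proto=icmp acl="Allow_Ping_Out"
type="ACL Deny" src=198.51.100.7 dst=10.1.1.5 proto=icmp acl="Deny All" reason="no rule matched"
type="Protocol Violation" src=10.1.1.9 dst=192.0.2.20 proto=tcp dport=80 acl="Allow_HTTP" reason="non-HTTP data on port 80"
type="Warning" src=10.1.1.5 dst=192.0.2.10 proto=41 reason="protocol not supported on IPv4"
"""

# key=value where the value is either "quoted text" or a run of non-spaces
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_record(line):
    """Parse one key=value audit line into a dict."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify(record):
    """Return (verdict, colour) for a parsed record.

    Types not in RECORD_TYPES come back as 'unknown' so the reader inspects
    the record's reason field instead of guessing from the colour.
    """
    return RECORD_TYPES.get(record.get("type"), ("unknown", "varies"))


def summarize(audit_text):
    """Count verdicts over an audit extract and collect the denied entries."""
    counts = Counter()
    denied = []
    for line in audit_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        verdict, _colour = classify(rec)
        counts[verdict] += 1
        if verdict == "denied":
            # The ACL name and reason field are what the reply says to read
            # when working out why a connection was refused.
            denied.append({"type": rec["type"], "src": rec.get("src"),
                           "dst": rec.get("dst"), "acl": rec.get("acl"),
                           "reason": rec.get("reason")})
    return counts, denied


if __name__ == "__main__":
    counts, denied = summarize(SAMPLE_AUDIT)
    print(dict(counts))
    for d in denied:
        print(f"{d['type']:<18} {d['src']} -> {d['dst']} acl={d['acl']!r} reason={d['reason']!r}")
```

Run on the constructed extract it reports two allowed, two denied and one unknown record, and lists the "Deny All" fall-through and the port-80 protocol violation with their ACL names, which is the distinction the question asks about.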

          • 2. Re: difference between proxy, packet filter, app defence and Log interpretation.
            sliedl

            The ping proxy passes ping (icmp echo/reply).

            The ICMP packet filter passes ping (echo), info, and timestamp ICMP types (depending on what you select).

            The 'other protocol packet filter' 1-icmp passes all ICMP types.
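As an added example (not code from the thread or the vendor), the script below makes sliedl's three service definitions concrete: it parses a raw ICMPv4 header (type, code, checksum), rejects truncated or corrupted messages, and reports which of the three service types would pass the packet. The ICMP type numbers are the standard RFC 792 values; the exact set of types the ICMP packet filter is configured for is an assumption (echo, information and timestamp, request and reply), as is the `build_icmp` helper used only to construct sample packets. Everything beyond echo, information and timestamp falls through to the "other protocol packet filter 1-icmp" service alone, which is why a rule built on that service can succeed where the narrower two do not.

```python
"""Which firewall ICMP service types would pass a given ICMP message?

Added example, not from the thread or the vendor.  Parses a raw ICMPv4
header, verifies its checksum and applies the three service definitions
from the reply.  The type set for the ICMP packet filter is an assumption.
"""
import struct

# ICMPv4 type numbers from RFC 792 (standard values, not from the page).
ECHO_REPLY, ECHO_REQUEST = 0, 8
TIMESTAMP, TIMESTAMP_REPLY = 13, 14
INFO_REQUEST, INFO_REPLY = 15, 16
DEST_UNREACH, TIME_EXCEEDED = 3, 11

# Service models from the reply.  Assumed: the packet filter's selectable
# types are echo, information and timestamp, request and reply.
PING_PROXY_TYPES = {ECHO_REQUEST, ECHO_REPLY}
ICMP_FILTER_TYPES = {ECHO_REQUEST, ECHO_REPLY, INFO_REQUEST, INFO_REPLY,
                     TIMESTAMP, TIMESTAMP_REPLY}
OTHER_FILTER = "other protocol packet filter 1-icmp"  # passes every ICMP type


def icmp_checksum(data):
    """RFC 1071 one's-complement checksum over the whole ICMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp(packet):
    """Return (type, code); raise ValueError if truncated or the checksum is wrong."""
    if len(packet) < 8:
        raise ValueError("ICMP header truncated")
    icmp_type, code, stored = struct.unpack("!BBH", packet[:4])
    # Recompute with the checksum field zeroed and compare to the stored value.
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != stored:
        raise ValueError("ICMP checksum mismatch")
    return icmp_type, code


def build_icmp(icmp_type, code=0, payload=b""):
    """Construct a well-formed ICMP message (hypothetical helper for sample packets)."""
    header = struct.pack("!BBHHH", icmp_type, code, 0, 0x1234, 1)  # checksum 0, id, seq
    body = header + payload
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


def permitted_by(packet):
    """Return the set of service types that would pass this packet."""
    icmp_type, _code = parse_icmp(packet)
    services = {OTHER_FILTER}
    if icmp_type in PING_PROXY_TYPES:
        services.add("ping proxy")
    if icmp_type in ICMP_FILTER_TYPES:
        services.add("icmp packet filter")
    return services


if __name__ == "__main__":
    for name, pkt in [("echo request", build_icmp(ECHO_REQUEST)),
                      ("timestamp", build_icmp(TIMESTAMP)),
                      ("dest unreachable", build_icmp(DEST_UNREACH, code=1)),
                      ("time exceeded", build_icmp(TIME_EXCEEDED))]:
        print(f"{name:<18} {sorted(permitted_by(pkt))}")
```

Note that a ping proxy handles echo only, so a path that relies on the replies of other ICMP types (destination unreachable, time exceeded) is passed by none of the three narrower definitions, which matters when checking why a traceroute or path-MTU exchange behaves differently from a plain ping.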