In this video, we're going to discuss firewall issues and how to troubleshoot network issues involving incorrect firewall settings and blocked services, ports or addresses. First, let's talk about the purpose of a firewall. Remember, firewalls are network security devices that monitor and filter incoming and outgoing network traffic based upon established rule sets. Essentially, firewalls act as an inspection point and barrier between a private internal network and the public internet, or other private internal networks if you're using screened subnets. Now, firewalls can exist as either host-based firewalls or network-based firewalls. A host-based firewall is a piece of software that runs on an individual computer or device that's connected to your network and performs the functions of a firewall to protect that one single device.

For example, if you're running a Windows client or server, you can utilize the built-in Windows Defender Firewall to (indistinct) host-based two-way network traffic filtering and inspection, as well as blocking unauthorized network traffic from flowing into or out of your device. A network-based firewall is a network security device that's deployed in line with the network traffic flow, just before the border or gateway router, in order to monitor and filter incoming and outgoing network traffic based upon your established rule sets. In general, regardless of whether the issue resides on a host-based firewall or a network-based firewall, the network connectivity issues experienced will be caused by one of three different situations. First, access to protected resources from unprotected networks isn't working. Second, access to unprotected resources from protected networks isn't working. Or third, access to the firewall and its configurations isn't working. Basically, the problems can be broken down into either traffic is not going through the firewall or traffic is not going to the firewall.

And in either case, it's not working properly. So to troubleshoot these issues, you should use your seven-step troubleshooting method and understand the OSI model to troubleshoot each layer, from layer one, physical, all the way up until you identify the issues. Now, for example, is the firewall properly cabled into the network at the right position? If so, do the link lights on the network interface card show that the link is established between the router and the firewall? If they do, layer one is probably not your issue. Next, we go to layer two and we determine if the router and firewall are communicating using ARP and their MAC addresses. If they are, we're going to move up to layer three and determine if the firewall has a valid IP address, subnet mask and default gateway, so that it can communicate properly on the network. Once we've done all that, we can now inspect the firewall itself for issues. Usually, when traffic isn't flowing to or through the firewall, the issue is going to be related to a misconfigured rule set as part of your access control list, or ACL.

Now, the access control list is simply a collection of permit and deny conditions, which we call rules, and they're going to provide security by blocking unauthorized users and allowing authorized users to access specific resources. To inspect the firewall rules on a network-based firewall, you're going to use the command show access-lists to display the contents of the current access control list on a Cisco device, as an example. Each device is going to have a different command, but for Cisco, it's show access-lists. Now, let's say, for example, you're trying to figure out why the network clients in the internet filter group are not able to access Google, Facebook or Dion Training's websites. You might log into your firewall or router and check the current ACL restrictions. In this example, you can see there's a deny statement in line 20 for the internet filter group, and it states that all TCP network traffic, any IP over any port, should be blocked by this rule.

Basically, any clients that have been added to the internet filter group will be unable to connect to any website because they're using TCP to connect over port 80 or port 443 when they're trying to go to a website. Similarly, if we have a client in the 101 group and it's having timing issues, we could look at our ACL and see what the root cause is. Looking at line 10 within the 101 access control list, it states to deny any UDP traffic from any IP to any IP that uses NTP, which is port 123, and used for the network time protocol. The problem here is that NTP operates using UDP traffic. So this single line in the ACL will break all NTP functionality for any devices assigned to group 101. So when you're writing or editing an ACL rule, always be careful to think through what you're intending to do with that rule. First, you need to ensure there are no typos in your rules, because this will cause a lot of issues that will result in traffic being blocked when it really shouldn't be. Second, verify the protocol and port numbers that you're referencing in your rule and ensure they're correct.

Do you really want to block TCP or UDP? Make that decision. Do you want to block a specific port or all ports? All of this is important to consider. Third, verify the source and destination addresses that are referenced by the rule. Did you include the correct IP address or network IP and the correct subnet mask? A simple typo like 0.0.255.255, instead of 0.0.0.255, is going to cause 65,636 IPs to be blocked, instead of the 256 IPs you were intending to block. Fourth, verify the order of the rules is being applied correctly. Remember, ACLs are always processed in order, from the top of the list to the bottom of the list. Your most specific rules need to be first, and your most generic rules need to be at the end. Let's consider this example and see if we can determine why a network client can't connect to Google servers at 8.8.8.8 from within the DionTraining group of clients. Now, first, we're going to pull up the access control list and look for the DionTraining group rules. Under these rules, we look at the rules pertaining to this issue.

In this case, we can't reach the server located at 8.8.8.8. So if we look at rule 20, we're going to see there's a permit rule for all TCP traffic going from any IP to the server at 8.8.8.8 if it's over port 80, which is used for web traffic. So based on this rule alone, the traffic should be able to reach the server. Now, let's see what other rules we have for servers at 8.8.8.8. Now, we have one rule at line 40, and it again says to permit traffic over TCP from any IP to the server at 8.8.8.8 using port 25. So we're going to allow email traffic over SMTP to be sent from any of our clients to the server at 8.8.8.8. Again, this seems fine and we shouldn't have an issue. Now, remember, ACL rules are applied in order, and once it finds a matching rule, it's going to stop as it goes down the access list. So look at it from the beginning. The first rule is line 10. It says to deny any TCP traffic from any IP address to any IP address, and this applies to all ports because none were specified.

So if I'm trying to visit the server at 8.8.8.8, will rule 10 match this packet? Is it going to go from any IP to any IP using TCP? Yes. Yes, it is. Therefore, the traffic is going to be blocked, and it will never get to rule 20 or rule 40 that specifically allow traffic to this server at 8.8.8.8 over port 80 or port 25. So instead, we can change the order of this ACL, and we're going to put the more specific lines, like 20 and 40, at the top. So we're going to make them 10 and 20, respectively. Then we're going to take the current line 10 and move it to the bottom of our list. So to make this easier to see, I'm creating a new group here called DionTrainingNew at the bottom of this ACL. Here you can see the difference in the order from the DionTraining group to the DionTrainingNew group. So notice I now have our most specific ACLs listed at 10 and 20, and a more generic one at line 30, which is for any IP to any IP, but for a specific port. Then I have my most generic rules at the bottom, lines 40 and 50.

This is going to block all traffic for UDP and all traffic for TCP. Remember, when you're troubleshooting issues with firewalls, always check your ACLs to ensure they're in the right sequence and that you haven't mistyped anything in them, because this can lead to a lot of connectivity issues and the wrong traffic being blocked or being allowed through your firewall. Similarly, when you're dealing with software firewalls, like the Windows Defender Firewall, it's important to look not just at the IP addresses and ports that are being blocked, but also at the applications and services themselves. Under your Windows Defender Firewall, you're going to see inbound rules and outbound rules listed. Under each type, you're going to see the name of the application or service and whether it's allowed or denied. Then you're going to see if any specific IP addresses or ports are being allowed or blocked with those applications and services.

Just like in the earlier examples with network firewalls, a simple typo here can cause a lot of connectivity problems for your clients and your servers. So always double-check your ACLs to ensure they're blocking and allowing exactly what you want them to do, and in the right order.
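As an added illustration that is not part of the video, the following Python models Cisco-style first-match ACL evaluation over the DionTraining rules the speaker walks through, the group 101 NTP deny, and the wildcard-mask arithmetic behind the 0.0.0.255 versus 0.0.255.255 typo. The simplified rule grammar, the reordered DionTrainingNew list (reduced to the three rules discussed) and the sample packets are constructed assumptions, not the instructor's configuration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of a Cisco-style extended ACL entry (an assumption: real IOS
# syntax has more fields; only the parts discussed in the video are modelled).
@dataclass(frozen=True)
class Rule:
    seq: int                    # ACL line number, e.g. 10, 20, 40
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp", "udp" or "ip" ("ip" matches both)
    src: str                    # base address or "any"
    src_wild: str               # Cisco wildcard (inverted) mask; unused for "any"
    dst: str
    dst_wild: str
    dst_port: "int | None" = None   # None means the rule covers all ports

def wildcard_matches(addr: str, base: str, wild: str) -> bool:
    """A 0 bit in the wildcard means that bit of addr must equal base; 1 bits are ignored."""
    if base == "any":
        return True
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wild))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def wildcard_size(wild: str) -> int:
    """Addresses covered by a wildcard mask: 2 ** (number of 1 bits in the mask)."""
    return 2 ** bin(int(ipaddress.IPv4Address(wild))).count("1")

def evaluate(acl, proto, src, dst, dst_port):
    """First match wins, top to bottom; the implicit deny at the end returns seq None."""
    for r in sorted(acl, key=lambda r: r.seq):
        if (r.proto in ("ip", proto)
                and wildcard_matches(src, r.src, r.src_wild)
                and wildcard_matches(dst, r.dst, r.dst_wild)
                and r.dst_port in (None, dst_port)):
            return r.action, r.seq
    return "deny", None

HOST = "0.0.0.0"   # wildcard mask that matches exactly one host
# DionTraining as the speaker reads it: the generic deny sits above the specific permits.
DION_TRAINING = [
    Rule(10, "deny",   "tcp", "any", "", "any", ""),
    Rule(20, "permit", "tcp", "any", "", "8.8.8.8", HOST, 80),
    Rule(40, "permit", "tcp", "any", "", "8.8.8.8", HOST, 25),
]
# DionTrainingNew, simplified to the three rules discussed (constructed): specific first.
DION_TRAINING_NEW = [
    Rule(10, "permit", "tcp", "any", "", "8.8.8.8", HOST, 80),
    Rule(20, "permit", "tcp", "any", "", "8.8.8.8", HOST, 25),
    Rule(30, "deny",   "tcp", "any", "", "any", ""),
]
# Group 101: the single UDP/123 deny that breaks NTP (constructed from the description).
GROUP_101 = [Rule(10, "deny", "udp", "any", "", "any", "", 123)]
```

Calling evaluate(DION_TRAINING, "tcp", "10.0.0.5", "8.8.8.8", 80) returns ("deny", 10) because line 10 matches before the permits are ever consulted, while the same packet against DION_TRAINING_NEW returns ("permit", 10).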