Troubleshooting Firewall Security Issues

Firewalls still control the traffic that crosses the network perimeter, but as network zones have been carved ever finer, firewall configurations have grown correspondingly complex. The problems that surface in any deployment are varied, ranging from timed-out connections to broken VPN tunnels and authentication failures.
To work out how to troubleshoot them, it helps to sort the common issues into a few broad categories.


The Various Causes of Firewall Security Issues

At its core, a firewall is driven by policy: the rule base is what separates the traffic you allow through from the potentially malicious traffic you need to keep out. Every vendor has its own syntax, but the policy takes a broadly similar shape:

Each rule is uniquely identified by name and applies a specific action (typically accept or drop) to traffic transiting a specific context.

Often, this will include:

  • A source zone and source address
  • A destination zone and destination address
  • The service, taken from the protocol headers of the traffic (for example TCP port 443)

Traffic is classified by matching the source and destination zones and addresses, alongside the service carried in the packet's protocol headers, and the first rule that matches decides what happens to the connection.

However, when these rulesets are badly written, the firewall fails in one of two ways:

  • The first is to be overly restrictive, dropping traffic that is genuinely legitimate.
  • The second is the opposite: allowing malicious connectivity, which essentially undoes the whole point of having a firewall.

Sometimes an admin is so overwhelmed by the rule structure, and the risk of breaking employee connectivity is so high, that they simply write 'any source to any destination, any service' rules. This is insecure, as are blanket 'allow all outbound peer-to-peer' rules, which sacrifice the firewall's ability to block an infected device's connections to its command-and-control (C2) server.

Other errors come from configuration rules that overreach:

For instance, attackers have historically tried to evade detection by splitting a malicious payload across several IP fragments, so that no single fragment matches a signature. This unusual fragmentation occasionally let malware slip into a network, and some admins responded by blocking all fragmented packets.

VPN Interoperability Issues

However, today fragmented packets on the Internet are often caused not by attacks but by virtual private networking (VPN) technologies that encapsulate packets inside other packets: the added headers push a full-size packet past the path MTU, and it has to be fragmented.

Firewalls blocking fragmented packets are a common cause of VPN interoperability problems. Some firewalls can reassemble fragments before inspecting them, but reassembly costs memory, and an attacker can exploit that by flooding the firewall with incomplete or overlapping fragment sets (an IP fragmentation attack). So it is sometimes best to limit reassembly to traffic from internal systems and to bounded packet sizes, or to rely on stateful inspection.
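The trade-off above is easier to see in code. The following is an added example, not code from the original article or from any vendor's product: a reassembler that caps the memory a single datagram can consume, caps the number of fragments it will hold, and drops overlapping fragments outright, so an attacker cannot exhaust the firewall with incomplete or crafted fragment sets. The limits, the class and field names, and the use of byte offsets (real IPv4 fragment offsets are in 8-byte units) are illustrative assumptions.

```python
"""Bounded IPv4 fragment reassembly (added example, not the article's code).

Caps memory per datagram, caps fragments per datagram, and drops the whole
datagram on overlap. Limits and the byte-offset convention are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

MAX_DATAGRAM = 1500    # assumption: never buffer more than this per datagram
MAX_FRAGMENTS = 16     # assumption: cap on fragments held per datagram


@dataclass
class Fragment:
    ident: int      # IP Identification field shared by all fragments of a datagram
    offset: int     # byte offset of this fragment's payload within the datagram
    payload: bytes
    more: bool      # More Fragments (MF) flag; False on the last fragment


@dataclass
class _Pending:
    parts: Dict[int, bytes] = field(default_factory=dict)   # offset -> payload
    total_len: Optional[int] = None                          # known once MF=0 is seen


class BoundedReassembler:
    def __init__(self, max_datagram: int = MAX_DATAGRAM, max_fragments: int = MAX_FRAGMENTS):
        self.max_datagram = max_datagram
        self.max_fragments = max_fragments
        self.pending: Dict[int, _Pending] = {}

    def _abort(self, ident: int, reason: str) -> Tuple[str, str]:
        self.pending.pop(ident, None)   # free everything held for this datagram
        return ("drop", reason)

    def add(self, frag: Fragment):
        """Feed one fragment. Returns ("drop", reason), ("pending", None)
        or ("complete", payload)."""
        end = frag.offset + len(frag.payload)
        if end > self.max_datagram:
            return self._abort(frag.ident, "exceeds reassembly size limit")
        p = self.pending.setdefault(frag.ident, _Pending())
        # Overlapping fragments are never legitimate and are a classic
        # evasion/crash vector: drop the whole datagram, not just the fragment.
        for off, data in p.parts.items():
            if frag.offset < off + len(data) and off < end:
                return self._abort(frag.ident, "overlapping fragment")
        p.parts[frag.offset] = frag.payload
        if len(p.parts) > self.max_fragments:
            return self._abort(frag.ident, "too many fragments")
        if not frag.more:
            p.total_len = end
        if p.total_len is None:
            return ("pending", None)
        # The datagram is complete only if the held pieces run contiguously
        # from offset 0 to the end recorded from the last fragment.
        pos = 0
        for off in sorted(p.parts):
            if off != pos:
                return ("pending", None)
            pos = off + len(p.parts[off])
        if pos != p.total_len:
            return ("pending", None)
        del self.pending[frag.ident]
        return ("complete", b"".join(p.parts[o] for o in sorted(p.parts)))


if __name__ == "__main__":
    r = BoundedReassembler()
    print(r.add(Fragment(1, 0, b"A" * 8, True)))       # pending
    print(r.add(Fragment(1, 16, b"C" * 4, False)))     # pending: gap at offset 8
    print(r.add(Fragment(1, 8, b"B" * 8, True)))       # complete
    print(r.add(Fragment(2, 0, b"x" * 8, True)))       # pending
    print(r.add(Fragment(2, 4, b"y" * 8, True)))       # drop: overlapping fragment
```

Every drop path discards the whole pending set for that datagram, which is what keeps the memory bound honest: an attacker sending endless first fragments still cannot hold more than `max_fragments * max_datagram` bytes per identification value, and a production implementation would add a per-source cap and a timeout on top.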

This is one reason for the rise of the next-generation firewall (NGFW): rather than judging a packet only on its origin and destination, an NGFW can look deeper into the context of a connection.

How To Troubleshoot a Policy Problem

To assess whether a policy problem is what's affecting traffic, start by looking at which active policies are limiting it.

Check Logs (and Documentation)

When data isn't passing through a firewall, the logs should be your first port of call. Any time traffic is stopped, there is a log entry that points to the rule that denied it, provided logging is enabled on that rule (and on the implicit cleanup rule at the end of the rule base, which many firewalls do not log by default).

Documentation is your best friend when trawling through these logs: each vendor has its own style and syntax, so go in armed. More advanced firewalls let you jump from a log entry straight to the rule that produced it. This is where you can assess whether the traffic was blocked by an explicit rule or by the implicit deny at the end of the rule base.
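As an added illustration of the explicit-versus-implicit question (this is not code from the original article, and the log format is a constructed generic key=value style, not any vendor's actual syntax), the following parses a handful of made-up log lines, pulls out the drops for a given source and destination, names the rule responsible, and flags those that fell through to the implicit cleanup rule. The convention that rule 0 or a name containing "implicit" means the cleanup rule is an assumption of the example.

```python
"""Find the rule behind a denied flow (added example, not the article's code).

Log lines below are constructed in a generic key=value syslog style; real
firewalls use their own formats, so the field names are assumptions.
"""
import re
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = """\
2024-05-01T10:02:13Z fw1 action=accept src=10.1.2.3 dst=203.0.113.10 proto=tcp dport=443 rule=7 rule_name="Web out"
2024-05-01T10:02:14Z fw1 action=drop src=10.1.2.3 dst=203.0.113.10 proto=tcp dport=8443 rule=12 rule_name="Block legacy DMZ"
2024-05-01T10:02:15Z fw1 action=drop src=10.1.2.9 dst=192.0.2.55 proto=udp dport=500 rule=0 rule_name="Implicit cleanup"
2024-05-01T10:02:16Z fw1 action=drop src=10.1.2.9 dst=192.0.2.55 proto=udp dport=4500 rule=0 rule_name="Implicit cleanup"
2024-05-01T10:02:17Z fw1 action=drop src=10.1.2.3 dst=203.0.113.10 proto=tcp dport=8443 rule=12 rule_name="Block legacy DMZ"
"""

# key=value pairs; quoted values may contain spaces
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line: str) -> Dict[str, str]:
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    head = line.split()
    if len(head) >= 2:
        fields["ts"], fields["host"] = head[0], head[1]
    return fields


def is_implicit_deny(f: Dict[str, str]) -> bool:
    # Assumption for this example: the cleanup rule logs as rule 0 or
    # carries "implicit" in its name. Check your vendor's documentation.
    return f.get("rule") == "0" or "implicit" in f.get("rule_name", "").lower()


def explain_drops(log_text: str, src: str, dst: str) -> List[Dict[str, object]]:
    """Every drop between src and dst, with the rule that caused it."""
    out = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        if f.get("action") != "drop" or f.get("src") != src or f.get("dst") != dst:
            continue
        out.append({
            "ts": f["ts"], "proto": f["proto"], "dport": int(f["dport"]),
            "rule": f["rule"], "rule_name": f["rule_name"],
            "implicit": is_implicit_deny(f),
        })
    return out


def top_dropping_rules(log_text: str, n: int = 3):
    """Which rules are dropping the most: a quick way to spot a rule that is
    catching far more than it was written for."""
    c = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("action") == "drop":
            c[(f["rule"], f["rule_name"])] += 1
    return c.most_common(n)


if __name__ == "__main__":
    for d in explain_drops(SAMPLE_LOG, "10.1.2.9", "192.0.2.55"):
        kind = "IMPLICIT deny (no rule permits this)" if d["implicit"] else f"explicit rule {d['rule']}"
        print(f"{d['ts']} {d['proto']}/{d['dport']} dropped by {kind}: {d['rule_name']}")
    print(top_dropping_rules(SAMPLE_LOG))
```

In the constructed sample, the drops of UDP 500 and 4500 from 10.1.2.9 hit the implicit cleanup rule, which is the signature of a missing rule rather than a wrong one: nothing in the rule base permits the IKE and NAT-traversal traffic that host is trying to send.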

Check Routing Tables

A routing table is how access switches and routers know where to forward data. For traffic to be inspected at all, the routes for the protected networks must send it through the firewall. Routing tables therefore tell you a lot about whether the route you want is present: trying to move data along a route that does not exist will produce errors, and a route that exists but points past the firewall will let traffic silently bypass it.

Sometimes there are multiple routes advertised from multiple route sources to the same destination.

When routes to the same destination are learned from different sources, the router prefers the one with the lowest administrative distance. On Cisco equipment, for example, internal EIGRP routes (AD 90) are preferred over OSPF (110) and IS-IS (115). On the firewall itself, explicit static routes for the networks it protects keep the forwarding path predictable and easy to verify.

As with the previous point: if documentation helps you understand the logs, an up-to-date picture of your organization's network topology makes routing problems far easier to discern.
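The route-selection rules above (longest prefix first, then lowest administrative distance, then metric) are worth seeing applied to a concrete table, because the case that bites in practice is a more specific route that wins and sends traffic around the firewall. The following is an added example, not code from the original article or from any router vendor: the table, the next-hop addresses and the Cisco-style default administrative distances are illustrative assumptions.

```python
"""Route selection as a router does it (added example, not the article's code):
longest prefix, then lowest administrative distance, then lowest metric.
Table, hop addresses and AD defaults are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Assumed defaults as on Cisco IOS; lower wins when prefix length ties.
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "isis": 115}


@dataclass(frozen=True)
class Route:
    prefix: str       # e.g. "10.20.0.0/16"
    next_hop: str
    source: str       # key into AD
    metric: int = 0

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)

    @property
    def ad(self) -> int:
        return AD[self.source]


def best_route(table: List[Route], dst: str) -> Optional[Route]:
    """The route a router would pick for dst, or None if no route covers it."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in table if ip in r.network]
    if not candidates:
        return None   # no route at all: packet dropped, ICMP unreachable at best
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.ad, r.metric))


def bypasses_firewall(table: List[Route], dst: str, firewall_hop: str) -> bool:
    """True if traffic to dst is forwarded somewhere other than the firewall."""
    r = best_route(table, dst)
    return r is not None and r.next_hop != firewall_hop


FIREWALL = "10.0.0.1"   # assumption: the firewall's inside interface

# Constructed table for an access router in front of the firewall.
TABLE = [
    Route("0.0.0.0/0", FIREWALL, "static"),
    Route("10.20.0.0/16", FIREWALL, "static"),
    Route("10.20.0.0/16", "10.0.0.3", "eigrp", 3072),   # same prefix: loses on AD
    Route("10.20.5.0/24", "10.0.0.2", "ospf", 20),      # more specific: wins, bypasses firewall
]

if __name__ == "__main__":
    for dst in ("10.20.9.1", "10.20.5.10", "198.51.100.7"):
        r = best_route(TABLE, dst)
        verdict = "BYPASSES firewall" if bypasses_firewall(TABLE, dst, FIREWALL) else "via firewall"
        print(f"{dst:>14} -> {r.next_hop} ({r.source}, AD {r.ad}) {verdict}")
```

Note that the EIGRP route never wins against the static route for the same /16 regardless of its metric, but the OSPF /24 beats both because prefix length is compared before administrative distance. That is exactly the kind of route a dynamic protocol can introduce behind an admin's back, and a periodic check like `bypasses_firewall` over the live table is a cheap way to catch it.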

Backend Issues

While the rules are the usual point of contention, the problem can sometimes lie deeper, in the firewall's own hardware or in the surrounding network.

When enterprises scale, they can outgrow their old firewall. Because a firewall inspects all traffic passing through it, it has a maximum volume of traffic it can handle; as you approach that limit, traffic begins to slow down markedly.

When judging throughput capacity, it is tempting to look at the Maximum Firewall Throughput on the spec sheet. Note, however, that this gigabits-per-second (Gbps) figure is the firewall's raw forwarding speed with no security services enabled.

A more realistic measure of real-world throughput is the NGFW Throughput figure.

It is not on every vendor's datasheet, because it applies only to more advanced firewalls, but it gives you the capacity with intrusion prevention and application control running, which is the configuration you will actually deploy.

How to Troubleshoot Backend Issues

To assess whether it's a backend problem, first rule out the application or server you're trying to reach. If the issue persists across the board, dig deeper into the firewall's own processes.

Check Real-Time CPU Usage

Depending on your vendor, you can check the firewall's real-time CPU usage with a CLI command (similar to top on Linux).

This not only shows how the firewall's resources are being used, but also helps confirm whether there is a resource problem: if a policy commit or install takes much longer than normal, that is another piece of evidence for CPU contention.

Check the Firewall Interface for Physical Errors

Similarly, your firewall will have a command that shows interface errors, usually as error counters; this is how you pinpoint where an external hardware problem lies.

If you pass traffic through the suspect interface and the error count rises accordingly, you have a problem at the physical layer, and it may be necessary to replace the faulty equipment (a cable or SFP) connected to the port.

Check Policy Order

Many firewalls check rules sequentially until a match is found, so slow performance can be caused by bloated rule bases that force the firewall to work all the way down the list for each new connection.

To cut processing time, put the most frequently hit rules near the top, and order the more specific rules before the general ones they overlap with.

For instance, if you need to block a particular IP address while allowing a larger subnet, the rule denying that IP must precede the one allowing the subnet; the other way round, the allow rule matches first and the deny is never reached. Finally, it's a best practice to conclude with a general "deny all" rule, ensuring that any traffic not explicitly permitted is automatically blocked.

Managing these rulesets may seem like a burden, but the hours invested pay for themselves when compared against a security breach.
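To make the ordering rule concrete, here is an added example (not code from the original article or from any vendor's product) of a first-match evaluator over a small rule base, together with a check that flags a specific rule placed after a broader rule of the opposite action, which is precisely the "deny the host, allow the subnet" mistake described above. The sample rule base also carries the entries an IPsec tunnel needs (IKE on UDP 500, NAT traversal on UDP 4500, and ESP itself), since a missing one of those is a common reason a VPN fails against the cleanup rule. All rule names, addresses and the VPN gateway address are illustrative assumptions.

```python
"""First-match rule evaluation and a rule-ordering lint (added example,
not the article's code). Names and addresses are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: str                    # CIDR
    dst: str                    # CIDR
    proto: str = "any"          # "tcp", "udp", "esp" or "any"
    dport: Optional[int] = None # None means any port

    def matches(self, src: str, dst: str, proto: str, dport: Optional[int]) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))


def evaluate(rules: List[Rule], src: str, dst: str, proto: str, dport: Optional[int] = None) -> Tuple[str, str, int]:
    """First matching rule wins. Returns (action, rule_name, rules_examined);
    the third value is the cost the ordering section is talking about."""
    for i, r in enumerate(rules, 1):
        if r.matches(src, dst, proto, dport):
            return r.action, r.name, i
    return "deny", "implicit deny", len(rules)


def _service_overlap(a: Rule, b: Rule) -> bool:
    return ((a.proto == "any" or b.proto == "any" or a.proto == b.proto)
            and (a.dport is None or b.dport is None or a.dport == b.dport))


def ordering_conflicts(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Pairs (earlier_general, later_specific) where the later rule's source and
    destination lie entirely inside the earlier rule's, the services overlap and
    the actions differ: the later rule is (at least partly) shadowed."""
    out = []
    for j, b in enumerate(rules):
        for a in rules[:j]:
            narrower = (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
                        and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst)))
            if a.action != b.action and narrower and _service_overlap(a, b):
                out.append((a.name, b.name))
    return out


VPN_GW = "198.51.100.1/32"   # assumption: remote IPsec peer
BAD_HOST = Rule("block compromised host", "deny", "10.1.2.66/32", "0.0.0.0/0")
IKE = Rule("ike to vpn gateway", "allow", "10.1.2.0/24", VPN_GW, "udp", 500)
NAT_T = Rule("nat-t to vpn gateway", "allow", "10.1.2.0/24", VPN_GW, "udp", 4500)
ESP = Rule("esp to vpn gateway", "allow", "10.1.2.0/24", VPN_GW, "esp")
SUBNET_WEB = Rule("office web out", "allow", "10.1.2.0/24", "0.0.0.0/0", "tcp", 443)
CLEANUP = Rule("cleanup deny all", "deny", "0.0.0.0/0", "0.0.0.0/0")

WRONG_ORDER = [SUBNET_WEB, BAD_HOST, CLEANUP]                  # deny shadowed by allow
RIGHT_ORDER = [BAD_HOST, IKE, NAT_T, ESP, SUBNET_WEB, CLEANUP]  # specific deny first

if __name__ == "__main__":
    print("wrong order:", evaluate(WRONG_ORDER, "10.1.2.66", "203.0.113.10", "tcp", 443))
    print("right order:", evaluate(RIGHT_ORDER, "10.1.2.66", "203.0.113.10", "tcp", 443))
    print("esp:        ", evaluate(RIGHT_ORDER, "10.1.2.7", "198.51.100.1", "esp"))
    print("conflicts:  ", ordering_conflicts(WRONG_ORDER), ordering_conflicts(RIGHT_ORDER))
```

The lint only reports pairs where the later rule is wholly inside the earlier one's address space; a partial address overlap with differing actions is sometimes intentional, and reporting it too would bury the real misorderings in noise on a large rule base.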

Check VPN Protocols

Some protocols add more latency than others: when your wider network depends on a VPN, the choice of protocol can make the difference between:

  • Reasonable response times
  • Frustrating latency

IPsec VPNs typically lose far less throughput than their SSL/TLS counterparts, but remember that the firewall must allow the tunnel's own traffic: IKE on UDP port 500, NAT traversal on UDP port 4500 where the tunnel crosses a NAT device, and the ESP protocol itself (IP protocol 50).

If your hardware still cannot keep up with the load, applications will continue to run slowly and network performance will suffer. If you’ve checked every other potential cause of slowdown, it may be time to look for an upgrade.

Prevent Firewall Security Issues with Check Point Quantum

Check Point's Quantum firewalls offer far more than basic access control lists: they combine firewall enforcement with Intrusion Prevention System (IPS), Anti-Bot and URL Filtering to defend against known threats.

This is further enhanced by award-winning sandboxing technology and threat nullification, which together prevent zero-day attacks more effectively than a firewall alone.

To see how Check Point Quantum delivers future-proof throughput at cost-effective prices, schedule a demo today.
