Firewall Configuration Problems

By Brian Boguhn
Updated: August 29, 2011

Firewalls have come a long way. At one time, configuration was strictly text based, with the administrator typing in line after line of code to program the system properly. Today, graphical user interfaces (GUIs) exist to make the configuration process easier. That said, configuration issues can still occur even for the seasoned network administrator. This article will point out some issues that administrators have run into and talk about how they can be avoided.

HTTP and HTTPS

This one happens all the time. The firewall gets configured to allow HTTP traffic (port 80) through. Invariably, though, there is a server that requires HTTPS (port 443). Let’s say it’s an Exchange Outlook Web Access (OWA) server. A user on the outside will go to access the URL for the OWA server and won’t be able to reach it. The administrator missed the need for port 443 to be open. Opening port 443 resolves the issue immediately.

E-mail and ESMTP

This one isn’t so common, but with a Cisco PIX it can be a problem of which administrators should be aware.

The issue that will be seen is that an outside sender will report that e-mails to some of your users will often bounce. At other times the messages will go through without issue. What is going on behind thefir scenes is that if Transport Layer Security (TLS) encryption for e-mail communication is being used, then the ESMTP inspection feature (enabled by default on the PIX) drops the packets. The sender retransmits until it gives up, resulting in the bounce message. To resolve this issue, disable the ESMTP inspection feature.

Note that this is an issue with PIX firewalls running only certain firmware versions.

Incorrect NAT Configuration

Network Address Translation (NAT) involves configuring the firewall to recognize that an IP address on the internal network corresponds to an external address on the Internet. For example, an Exchange server running OWA will have a private address on the internal network, but it will also have a public address for the Internet so that users can access it from outside of the company. The firewall is programmed to translate between the two addresses, making sure that traffic from the external address is directed towards the proper internal address, and vice versa.

The issue that can arise with NAT is that one or both of the IP addresses programmed in for the translation could be incorrect or keyed in improperly. Results can be mixed. A user might see the proper initial contact, but not get a response. Or, no contact can occur at all. The easiest way to address this is simply to make sure that all of the addresses used are correct, that they are entered into the firewall correctly, and that they correspond to the proper address on each side.

IP Address Conflicts

This can occur if an IP address already in use in the internal network is assigned to the internal port of the firewall, either accidentally or because of lack of network documentation. Results in this case can vary wildly. The firewall may appear to be operating correctly as far as it is concerned. However, there could be disruptions in e-mail, web access, and other services the company relies on. Determining that an IP address is indeed the problem isn’t as straightforward as the other issues discussed above. In this case, if the firewall was working properly and some work was done which resulted in the issues occurring, backtrack through what was done and the address conflict should be apparent. The network administrator may even realize immediately that an incorrect address was used. If not, examining error logs will be the best solution in this case to identify and correct the error.

Be Prepared

This is obviously only a very small sampling of the configuration issues that can occur on a firewall. The key is to be prepared to address a configuration issue if one does occur. Make sure the network administrators are well versed in the equipment being used. Have current support contracts with the firewall vendor. It would probably also be wise to have contact with a third party consulting firm that can assist if a large issue occurs. Not every firewall problem that occurs is going to be like one that was encountered by someone else before. Having resources to fall back on when an issue does occur will be the difference in a company staying online and in business, or going dark until the issue is resolved.
 

Related Categories
Featured Research
  • Baselining Best Practices

    IT must ensure new applications are rolled out quickly, reliably, and without risk, while at the same time guaranteeing performance and availability. Read this VirtualWisdom white paper to find out how to achieve application-aligned infrastructure performance, and more. more

  • Next Generation End User Experience Management: APM

    In an era of new technologies and cloud-based application delivery models, your business success depends on your ability to ensure optimal application performance and quality user experiences at all times. This complimentary white paper from AppNeta will enlighten you to the new frontiers in end user experience management and much more. more

  • Video: Create an Integrated, Collaborative Microsoft Lync Environment

    Consider HP as your Microsoft Lync Solutions provider! more

  • Optimizing Application Delivery to the Network Edge

    Increasingly, the success of business is being tied to the network. The transformation of the network and IT can help organizations deliver and support highly available applications and services while reacting more quickly to changes in the business environment. In this complimentary white paper from IDC, learn how HP can help its customers and partners improve the overall application experience. more

  • Networking Routers Buyer's Guide for SMB & Enterprise

    This buyer's guide presents an overview of leading products on the market today and aims to improve research for companies needing to purchase or upgrade their equipment. more