Friday, March 14, 2008

Firewall Issues

Sometimes I get asked about the rule "System Rule: Operational Issue: Firewall", and what kinds of events would trigger it.

"This rule detects operational errors (e.g. bad network connectivity, failover errors, internal software/hardware errors) reported by a firewall - this may indicate that the firewall is not functioning properly."

Well, one such event is "URL Server not responding".

In this example the customer was running Websense for their URL filtering, and the server simply died, so the rule fired. The event includes the IP of the filtering device, in this case an ASA, and the IP of the filtering server.

Now in that particular case, Internet access would cease to function for everyone configured to be assessed via the filtering service (the default action), so you would probably be aware that something was amiss on the network.

But with the Cisco PIX/ASA there are other options that can be configured for the event of the URL filtering solution failing.

We can configure "Allow outbound HTTP traffic when URL Server is down", which is great for keeping Internet access going, but not so great in that users can then access any malware-ridden site they please.

So another event to look out for is "URL Server not responding, ENTERING ALLOW mode".
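These two messages are what a monitoring rule actually has to match, so here is a small added example (not from the original post, Cisco MARS or the ASA) that parses constructed ASA syslog lines for the "URL Server not responding" and "ENTERING ALLOW mode" messages and tracks whether each firewall is still filtering, has cut off web access, or has failed open. The syslog message IDs in the sample lines are assumed; the matching keys on the message text quoted above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample syslog lines (not from the original post). The message IDs
# are assumed to be the ASA's 304006/304007/304008; detection keys on the
# message text quoted in the post, so it still works if an ID differs.
SAMPLE_LOG = """\
Mar 14 09:12:01 fw01 %ASA-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.10/80 (203.0.113.10/80) to inside:192.0.2.15/51234 (192.0.2.15/51234)
Mar 14 09:12:05 fw01 %ASA-2-304006: URL Server 192.0.2.50 not responding
Mar 14 09:12:09 fw01 %ASA-2-304007: URL Server 192.0.2.50 not responding, ENTERING ALLOW mode
Mar 14 09:15:40 fw01 %ASA-2-304008: LEAVING ALLOW mode, URL Server 192.0.2.50 is up
"""

# Loose match on the PIX/ASA prefix so the exact message ID does not matter.
LINE_RE = re.compile(r"^\S+ \d+ [\d:]+ (?P<host>\S+) %(?:ASA|PIX)-\d-\d+: (?P<msg>.*)$")
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
DOWN_RE = re.compile(rf"URL Server (?P<ip>{IP}) not responding(?P<allow>, ENTERING ALLOW mode)?")
UP_RE = re.compile(rf"LEAVING ALLOW mode, URL Server (?P<ip>{IP}) is up")

@dataclass
class FilterEvent:
    host: str    # the filtering device (the ASA) that reported the event
    server: str  # the URL filtering server (Websense in the post)
    kind: str    # "down", "fail_open" or "recovered"

def parse_events(log_text: str) -> List[FilterEvent]:
    """Pull only the URL-server operational events out of a syslog capture."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, msg = m.group("host"), m.group("msg")
        if d := DOWN_RE.search(msg):
            events.append(FilterEvent(host, d.group("ip"), "fail_open" if d.group("allow") else "down"))
        elif u := UP_RE.search(msg):
            events.append(FilterEvent(host, u.group("ip"), "recovered"))
    return events

def filtering_state(events: List[FilterEvent]) -> Dict[str, str]:
    """Replay events in order; last known state per firewall: 'blocked' (server down,
    default action, web access stops), 'fail_open' ('allow' configured, traffic flows
    unfiltered) or 'filtering' (server back up)."""
    state: Dict[str, str] = {}
    for ev in events:
        state[ev.host] = {"down": "blocked", "fail_open": "fail_open", "recovered": "filtering"}[ev.kind]
    return state
```

A "fail_open" state that persists is the one worth alerting on, since at that point the firewall is passing web traffic with no URL filtering at all.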
