Hello Guys, here are the answers to the most frequently asked questions in an interview about Network firewalls. you will get here the answers of all the Firewall related Question asked in the interview.
2. 2
WWW.Prohackers.in
What is a Firewall?
Firewall is a device that is placed between a trusted and an untrusted network. It
deny or permit traffic that enters or leaves network based on pre-configured
policies. Firewalls protect inside networks from unauthorized access by users on an
outside network. A firewall can also protect inside networks from each other for
example by keeping a Management network separate from a user network.
What is the difference between Gateway and Firewall?
A Gateway joins two networks together and a network firewall protects a network
against unauthorized incoming or outgoing access. Network firewalls may be
hardware devices or software programs.
Firewalls work at which Layers?
Firewalls work at layer 3, 4 & 7.
What is the difference between Stateful & Stateless Firewall?
Stateful firewall – A Stateful firewall is aware of the connections that pass
through it. It adds and maintains information about a user’s connections in a state
table, referred to as a connection table. It than uses this connection table to
implement the security policies for users connections. Example of stateful firewall
are PIX, ASA, Checkpoint.
Stateless firewalls – (Packet Filtering) Stateless firewalls on the other hand, does
not look at the state of connections but just at the packets themselves.
What information does Stateful Firewall Maintains?
Stateful firewall maintains following information in its State table:-
1.Source IP address.
2. Destination IP address.
3. IP protocol like TCP, UDP.
4. IP protocol information such as TCP/UDP Port Numbers, TCP Sequence Numbers,
and TCP Flags.
How can we allow packets from lower security level to higher security level
(Override Security Levels)?
We use ACLs to allow packets from lower security level to higher security level.
3. 3
WWW.Prohackers.in
What is the security level of Inside and Outside Interface by default?
Security Level of Inside interface by default is 100. Security Level of Outside
Interface by default is 0.
Explain DMZ (Demilitarized Zone)?
If we need some network resources such as a Web server or FTP server to be
available to outside users we place these resources on a separate network behind
the firewall called a demilitarized zone (DMZ). The firewall allows limited access to
the DMZ, but because the DMZ only includes the public servers, an attack there
only affects the servers and does not affect the inside network.
How does a firewall process a packet?
When a packet is received on the ingress interface, Firewall checks if it matches
an existing entry in the connection table. If it does, protocol inspection is carried
out on that packet.
If it does not match an existing connection and the packet is either a TCP-SYN
packet or UDP packet, the packet is subjected to ACL checks. The reason it needs
to be a TCP-SYN packet is because a SYN packet is the first packet in the TCP 3-
way handshake. Any other TCP packet that isn’t part of an existing connection is
likely an attack.
If the packet is allowed by ACLs and is also verified by translation rules, the
packet goes through protocol inspection.
What are the values for timeout of TCP session, UDP session, ICMP session?
TCP session – 60 minutes
UDP session – 2 minutes
ICMP session – 2 seconds
Explain TCP Flags?
While troubleshooting TCP connections through the Firewall, the connection flags
shown for each TCP connection provide information about the state of TCP
connections to the Firewall.
What are the different types of ACL in Firewall?
1.Standard ACL
2.Extended ACL
4. 4
WWW.Prohackers.in
3.Ethertype ACL (Transparent Firewall)
4.Webtype ACL (SSL VPN)
What is Transparent Firewall?
In Transparent Mode, Firewall acts as a Layer 2 device like a bridge or switch and
forwards Ethernet frames based on destination mac-address.
What is the need of Transparent Firewall?
If we want to deploy a new firewall into an existing network it can be a complicated
process due to various issues like IP address reconfiguration, network topology
changes, current firewall etc. We can easily insert a transparent firewall in an
existing segment and control traffic between two sides without having to
readdress or reconfigure the devices.
Explain Ether-Type ACL?
In Transparent mode, unlike TCP/IP traffic for which security levels are used to
permit or deny traffic all non-IP traffic is denied by default. We create Ether-
Type ACL to allow NON-IP traffic. We can control traffic like BPDU, IPX etc. with
Ether-Type ACL.
What is Policy NAT?
Policy NAT allows you to NAT by specifying both the source and destination
addresses in an extended access list. We can also optionally specify the source and
destination ports. Regular NAT can only consider the source addresses, not the
destination address.
In Static NAT it is called as Static Policy NAT.
In Dynamic NAT it is called as Dynamic Policy NAT.
Give the order of preference between different types of NAT?
1. Nat exemption.
2. Existing translation in Xlate.
3.Static NAT
– Static Identity NAT
– Static Policy NAT
– Static NAT
5. 5
WWW.Prohackers.in
– Static PAT
4. Dynamic NAT
– NAT Zero
– Dynamic Policy NAT
– Dynamic NAT
– Dynamic PAT
What is the difference between Auto NAT & Manual NAT?
Auto NAT (Network Object NAT) – It only considers the source address while
performing NAT. So, Auto NAT is only used for Static or Dynamic NAT. Auto NAT
is configured within an object.
Manual NAT (Twice NAT) – Manual NAT considers either only the source address
or the source and destination address while performing NAT. It can be used for
almost all types of NAT like NAT exempt, policy NAT etc.
Unlike Auto NAT that is configured within an object, Manual NAT is configured
directly from the global configuration mode.
Give NAT Order in terms of Auto NAT & Manual NAT?
NAT is ordered in 3 sections.
Section 1 – Manual NAT
Section 2 – Auto NAT
Section 3 – Manual Nat After-Auto
6. 6
WWW.Prohackers.in
Thanks for reading this presentation
Please give us your feedback at
info@prohackers.in
asttitvakanoujia@hotmail.com
Your feedback is most valuable for us for improving the presentation
You can also suggest the topic on which you want the presentation
Website: www.prohackers.in
FB page: www.facebook.com/theprohackers2017
Join FB Group: www.facebook.com/groups/group.prohackers/
Watch us on: www.youtube.com//channel/UCcyYSi1sh1SmyMlGfB-Vq6A
***Thanks***