Table of Contents
Various network diagnostic tools are provided by the FB2900, accessible through either the web user interface or the CLI :-
Each tool produces a textual result, and can be accessed via the CLI, where the same result text will be shown.
The diagnostic tools provided are not a substitute for external penetration testing - they are intended to aid understanding of FB2900 configuration, assist in development of your configuration, and for diagnosing problems with the behaviour of the FB2900 itself.
The FB2900 follows a defined processing flow when it comes to deciding whether to establish a new session - see Section 7.2 for an overview of session tracking, and its role in implementing firewalling. The processing flow used to decide whether to allow a session i.e. to implement firewalling requirements, is covered in Section 7.3.2.
The firewalling check diagnostic facility allows you to submit the following traffic parameters, and the FB2900 will show how the processing flow procedes given those parameters - at the end of this is a statement of whether the session will be allowed or not :-
In the web user interface, this facility is accessed by clicking on "Firewall check" in the "Diagnostics" menu. Once you have filled in the required parameters, and clicked the "Check" button, the FB2900 will produce a textual report of how the processing flow proceded (it may be helpful to also refer to the flow chart shown in Figure 7.2).
For example, if we submit parameters that describe inbound (i.e. from a WAN connection) traffic that would result from trying to access a service on a host behind the FB2900, we have implemented a 'default drop' policy firewalling method, and we have not explicitly allowed such sessions, we would see :-
Checking rule-set 1 [filters] - No matched rules in rule-set, no-match-action is DROP, no further rule-sets considered Final action is to DROP the session.