Firewall interview questions

What is a firewall?
Firewall is a device which is used to filter the traffic moving from one zone to another zone.
Basically it is placed between a trusted and an untrusted network. It deny or permit traffic that enters or
leaves network based on pre-configured policies. Firewalls protect inside networks from unauthorized
access by untrusted network.

What is packet flow of ASA, checkpoint and SRX?

ASA:

1. The packet is reached at the ingress interface.

2. Once the packet reaches the internal buffer of the interface, the input counter of the interface is
incremented by one.
3. Cisco ASA first looks at its internal connection table details in order to verify if this is a current
connection. If the packet flow matches a current connection, then the Access Control List check is
bypassed and the packet is moved forward.If packet flow does not match a current connection, then the
TCP state is verified. If it is a SYN packet or UDP (User Datagram Protocol) packet, then the connection
counter is incremented by one and the packet is sent for an ACL check. If it is not a SYN packet, the
packet is dropped and the event is logged.
4. The packet is processed as per the interface ACLs. It is verified in sequential order of the ACL entries
and if it matches any of the ACL entries, it moves forward. Otherwise, the packet is dropped and the
information is logged. The ACL hit count is incremented by one when the packet matches the ACL entry.
5. The packet is verified for the translation rules. If a packet passes through this check, then a connection
entry is created for this flow and the packet moves forward. Otherwise, the packet is dropped and the
information is logged.
6. The packet is subjected to an Inspection Check.If it passed the inspection, it is moved forward.
Otherwise, the packet is dropped and the information is logged.Additional security checks will be
implemented if a Content Security (CSC) module is involved.
7. The IP header information is translated as per the Network Address Translation/ Port Address
Translation (NAT/PAT) rule and checksums are updated accordingly. The packet is forwarded to
Advanced Inspection and Prevention Security Services Module (AIP-SSM) for IPS related security checks
when the AIP module is involved.
8. The packet is forwarded to the egress interface based on the translation rules. If no egress interface is
specified in the translation rule, then the destination interface is decided based on the global route lookup.
9. On the egress interface, the interface route lookup is performed. Remember, the egress interface is
determined by the translation rule that takes the priority.
10. Once a Layer 3 route has been found and the next hop identified, Layer 2 resolution is performed.
The Layer 2 rewrite of the MAC header happens at this stage.
11. The packet is transmitted on the wire, and interface counters increment on the egress interface.
Checkpoint Firewall packet Flow:
1. SAM rule database
2. Anti-spoofing
3. Session lookup
4. Policy lookup
5. Destination NAT
6. Routing
7. Source NAT

SRX(Juniper) Packet flow:

When traffic reach to interface, it check session table to identify the connection is already established or
not.If connection is not a new connection then it will go through fast path otherwise go through first path.
Here are the steps for first path flow processing:
a) Screen check
b) Destination NAT/ static DST NAT
C) Route lookup
d) destination zone lookup
e) Firewall policy lookup
f) NAT policy lookup
g) ALG
h) IDP, VPN other services
i) session installation

Here are the steps for fast path flow processing:

a) Screen check
b) TCP header and flag check
c)route lookup/ NAT
d)ALG processing
e) IDP and VPN services

Firewalls works at which Layers?

Firewalls work at layer 2, 3, 4 & 7

What is the difference between Stateful & Stateless Firewall?

Stateful firewall - A Stateful firewall is track the connections that pass through it and allow return traffic
by lookup connection table. It adds and maintains information about connections in state table, referred to
as a connection table.
Stateful firewall maintains following information in its State table:-
1.Source IP address.
2.Destination IP address.
3.source port
4 Destination port
5 protocol
TCP Sequence Numbers, and TCP Flags.

Stateless firewall- (Packet Filtering) Stateless firewalls on the other hand, does not look at the state of
connections but just at the packets themselves.

Explain NAT with respect to ASA?

NAT( Network address translation)  is mechanism of translating IP address or network with different IP or
with the same address.
Types of NAT:
Static NAT: one to one mapping between real address and map address. It is bi-directional.

Dynamic NAT: A group of real IPs are translated with group of mapped IP address. It is unidirectional.

PAT: A group of real IP address mapped with single IP address using unique source port. Source port is
used to build translation table.

Policy NAT: It allow us to do the translation when connection is from specific source and destination.

Identity NAT: It use to translate real IP address or network to itself. Basically it is use when we want to
bypass
NAT.

Explain Types of NAT in Checkpoint firewall?

Static NAT - One to one translation
Hide/Dynamic NAT - Allows us to NAT multiple IPs behind one IP/Interface
Automatic NAT - basic address NAT translation, which can be configured within object and we can define
only  source for translation.
Manual NAT - Allows greater flexibility over automatic NAT, here we can do define source and destination
as well. 4
Server Side NAT - destination is NAT`d by the outbound kernel. 
Client Side NAT  - destination is NAT`d by the inbound kernel.