What is a Firewall?
A firewall is a device placed between a trusted and an untrusted network. It permits or denies traffic entering or leaving the network according to pre-configured policies, protecting the inside network from unauthorized access by users on the outside network. A firewall can also separate inside networks from each other, for example by keeping a management network separate from the user network.

What is the difference between a Gateway and a Firewall?
A gateway joins two networks together; a network firewall controls the traffic between them, blocking unauthorized incoming or outgoing access.
Network firewalls may be hardware appliances or software programs.

What is a Stateful Firewall?
A stateful firewall is aware of the connections that pass through it. It records information about each connection in a state table, also referred to as the connection table, and then uses that table to apply the security policy to the subsequent packets of those connections.

What information does a Stateful firewall maintain?
A stateful firewall keeps the following information in its state table:
1. Source IP address
2. Destination IP address
What are the security levels in Cisco ASA?
The ASA uses security levels to express how trusted the network attached to each interface is. A higher security level is more trusted than a lower one. By default, the ASA allows traffic to be initiated only from a higher security level to a lower security level; the return traffic of those connections is permitted by the stateful connection table.

How can we allow packets from a lower security level to a higher security level (override security levels)?
An access list (ACL) applied to the interface is used to permit packets from a lower security level to a higher security level.

Is traffic between interfaces with the same security level allowed or denied in ASA?
By default, traffic between two interfaces with the same security level is denied. To allow it, use the global configuration command:
ASA(config)# same-security-traffic permit inter-interface

What is the default security level of the inside and outside interfaces?
An interface named inside is assigned the highest security level by default; an interface named outside is assigned security level 0.
What protocols are inspected by ASA?

What is a DMZ?
If network resources such as a web server or FTP server must be reachable by outside users, they are placed on a separate network behind the firewall called a demilitarized zone (DMZ). The firewall allows limited access to the DMZ, and because the DMZ contains only the public servers, a compromise there affects those servers but not the inside network.

How does a firewall process a packet?
When a packet is received on the ingress interface, the ASA checks whether it matches an existing entry in the connection table. If it does, the packet belongs to an established connection and protocol inspection is carried out on it.

Explain TCP Flags?

What is the command to see timeout timers?

What is the Difference between ports in ASA 8. In ASA 8.

What is the command to check the connection table?

How does the ASA behave in a Traceroute?
By default the ASA does not decrement the TTL of the packets it forwards, so it does not show up as a hop in a traceroute; this is done so that the firewall does not reveal its presence to others.

How is a global ACL applied?
A global ACL is applied inbound on all interfaces. The global option is only available in ASA 8.

How does deleting an ACL entry differ between a router and the ASA?
On a router, deleting a single access-control entry deletes the whole ACL, whereas on the ASA only that entry is removed.
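The packet-processing order described above (connection-table lookup first, then security levels, with an inbound ACL on the ingress interface overriding the security-level default, and same-security traffic blocked unless explicitly permitted) can be modelled in a few dozen lines. The following is an added example written for this page, not code from the original Q&A or from Cisco; the interface names, security levels, addresses and ACL entries are constructed sample data, and protocol inspection is out of scope.

```python
"""Toy model of stateful packet processing on an ASA-style firewall.

Added example, not code from the original page. Interface names, security
levels, addresses and ACL entries are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str      # interface (nameif) the packet arrived on
    egress: str       # interface the route lookup selects


@dataclass
class AclEntry:
    proto: str                   # "tcp", "udp" or "ip"
    dst: str                     # destination host, or "any"
    dport: Optional[int] = None  # None = any port
    action: str = "permit"

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and self.dst in ("any", pkt.dst)
                and self.dport in (None, pkt.dport))


@dataclass
class Firewall:
    security_level: dict[str, int]                 # nameif -> security level
    inbound_acl: dict[str, list[AclEntry]] = field(default_factory=dict)
    same_security_inter_interface: bool = False    # same-security-traffic permit inter-interface
    conn_table: set = field(default_factory=set)

    @staticmethod
    def conn_key(pkt: Packet) -> tuple:
        # Direction-independent key: the reply of a permitted flow hits the
        # entry created by the first packet, whichever interface it arrives on.
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (pkt.proto,) + (a + b if a <= b else b + a)

    def process(self, pkt: Packet) -> tuple[str, str]:
        key = self.conn_key(pkt)
        # 1. Existing connection: permitted without re-evaluating the policy.
        if key in self.conn_table:
            return "permit", "existing connection"
        # 2. New connection on an interface with an inbound ACL: the ACL
        #    decides, and it ends with an implicit deny.
        acl = self.inbound_acl.get(pkt.ingress)
        if acl is not None:
            for ace in acl:
                if ace.matches(pkt):
                    if ace.action == "permit":
                        self.conn_table.add(key)
                        return "permit", "acl"
                    return "deny", "acl"
            return "deny", "implicit deny at end of acl"
        # 3. No ACL: the security levels decide.
        src_lvl = self.security_level[pkt.ingress]
        dst_lvl = self.security_level[pkt.egress]
        if src_lvl > dst_lvl:
            self.conn_table.add(key)
            return "permit", "higher to lower security level"
        if src_lvl == dst_lvl and self.same_security_inter_interface:
            self.conn_table.add(key)
            return "permit", "same-security-traffic permitted"
        return "deny", "lower or equal security level without acl"


def demo() -> list[tuple[str, str]]:
    """Walk constructed packets through a three-interface firewall."""
    fw = Firewall(security_level={"inside": 100, "dmz": 50, "outside": 0})
    client_to_web = Packet("tcp", "10.0.0.5", 40000, "198.51.100.20", 443, "inside", "outside")
    web_reply = Packet("tcp", "198.51.100.20", 443, "10.0.0.5", 40000, "outside", "inside")
    unsolicited = Packet("tcp", "198.51.100.99", 5555, "10.0.0.5", 22, "outside", "inside")
    results = [fw.process(client_to_web), fw.process(web_reply), fw.process(unsolicited)]
    # Publishing a DMZ web server to the outside: an ACL is the only way to
    # let a connection go from a lower to a higher security level.
    fw.inbound_acl["outside"] = [AclEntry("tcp", "203.0.113.10", 80)]
    to_dmz_web = Packet("tcp", "198.51.100.99", 5555, "203.0.113.10", 80, "outside", "dmz")
    results.append(fw.process(to_dmz_web))
    results.append(fw.process(unsolicited))      # still blocked, now by the ACL's implicit deny
    return results


if __name__ == "__main__":
    for decision, reason in demo():
        print(f"{decision:6s} {reason}")
```

The `demo()` walk shows the three outcomes the Q&A distinguishes: the inside-to-outside request is allowed by security level alone, its reply is allowed because it matches the connection table even though it arrives on the lower-security interface, and an unsolicited outside packet is dropped until an ACL explicitly permits the destination.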
Name some concepts that cannot be configured on ASA?
The wildcard mask concept is not present in ASA; subnet masks are used in access lists instead. A loopback interface cannot be configured on ASA.

What is the command to capture packets in ASA?

How do you configure a static route on ASA?

How do you configure a default route on ASA?
What are the different types of ACL in the Firewall?
1. Standard ACL
2. Extended ACL

What is a Transparent Firewall?

What is the need for a Transparent Firewall?
Deploying a new firewall into an existing network can be complicated because of IP address reconfiguration, network topology changes, the existing firewall, and similar issues. A transparent firewall can be inserted into an existing segment to control traffic between its two sides without readdressing or reconfiguring the attached devices.
What are the similarities between a switch and an ASA in Transparent mode?
Both learn which MAC addresses are reachable through which interface and store them in a local MAC address table.

What are the differences between a switch and an ASA in Transparent mode?
The ASA does not flood unicast frames whose destination MAC address is not found in its MAC address table, whereas a switch floods such frames out of all other ports.

What features are not supported in Transparent mode?
Dynamic routing.

What is the command to convert ASA into Transparent mode?

What is the command to see the mode (routed or transparent)?

Explain Failover?
Failover is a Cisco proprietary feature used to provide redundancy.
It requires two identical ASAs connected to each other through a dedicated failover link. The health of the active interfaces and units is monitored to determine whether a failover has occurred.

What are the types of Failover?

What information is exchanged between ASAs over a Failover link?
1. Unit state (active or standby)
2. Hello messages (keepalives)
3. Network link status
4. MAC addresses
5. Configuration replication and synchronization

What is the difference between Stateful failover and Stateless failover?
Stateless Failover - When a failover occurs, all active connections are dropped. Clients must re-establish their connections once the new active unit takes over.
Stateful Failover - The active unit replicates connection information to the standby unit, so after a failover the same connection information is available on the new active unit. Clients do not need to reconnect to keep the same communication session.
What are the Failover requirements between two devices?
Hardware Requirements - The two units in a failover configuration must be the same model and have the same number and types of interfaces.
Software Requirements - The two units must be in the same operating modes (routed or transparent, single or multiple context) and run the same software version.

Active/Standby Failover - The standby unit does not actively pass traffic. When a failover occurs, the active unit fails over to the standby unit, which then becomes active.
Active/Active Failover - Available only for ASAs in multiple context mode. Contexts are grouped into failover groups; a failover group is simply a logical group of one or more security contexts, and each group is assigned to be active on a specific ASA in the failover pair, so both units pass traffic at the same time.
What is the command to enable Failover?

What is the command to see Failover status?

Explain Unit Health Monitoring in Failover? How does a failover occur?
Each ASA unit determines the health of its peer by monitoring the failover link. When a unit fails to receive three consecutive hello messages on the failover link, it sends hello messages on each interface, including the failover interface, to find out whether the other unit is still responsive.
Based on the response from the other unit it takes the following actions: 1.
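The health-monitoring sequence above, together with the stateful versus stateless failover difference, can be modelled as a small state machine. The following is an added example written for this page, not code from the original Q&A or from Cisco. It follows the steps the text describes (three consecutive missed hellos on the failover link, then hellos on every interface) and the outcomes Cisco documents for ASA failover: a reply on the failover link means nothing has failed, a reply only on a data interface means the failover link has failed but the peer has not, and no reply anywhere means the peer has failed and a standby unit becomes active. Unit and interface names, the probe callback and the connection tuple are constructed sample data.

```python
"""Toy model of ASA failover: unit health monitoring plus stateful vs
stateless connection replication.

Added example, not code from the original page or from Cisco. Unit and
interface names, the probe callback and the sample flow are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional

MISSED_HELLOS_BEFORE_PROBE = 3


@dataclass
class FailoverUnit:
    name: str
    role: str                              # "active" or "standby"
    failover_link: str
    data_interfaces: list[str]
    probe: Callable[[str], bool]           # probe(iface) -> peer answered a hello on iface
    stateful: bool = False                 # stateful failover replicates connections
    peer: Optional[FailoverUnit] = None
    connections: set = field(default_factory=set)
    missed: int = 0
    failover_link_state: str = "up"
    peer_state: str = "ok"

    # --- connection handling ---------------------------------------------
    def add_connection(self, conn: tuple) -> None:
        """The active unit records a new connection; with stateful failover
        the entry is also pushed to the standby over the failover link."""
        self.connections.add(conn)
        if self.stateful and self.peer is not None:
            self.peer.connections.add(conn)

    def accepts_reply(self, conn: tuple) -> bool:
        """A reply survives only if the unit is active and knows the flow."""
        return self.role == "active" and conn in self.connections

    # --- unit health monitoring -------------------------------------------
    def hello_received(self) -> None:
        self.missed = 0                    # a hello on the failover link resets the count

    def hello_interval_elapsed(self) -> str:
        """Called once per hello interval in which no hello arrived on the link."""
        self.missed += 1
        if self.missed < MISSED_HELLOS_BEFORE_PROBE:
            return "waiting"
        return self._probe_all_interfaces()

    def _probe_all_interfaces(self) -> str:
        # Send a hello on every interface, the failover link included.
        answered = {i: self.probe(i) for i in (self.failover_link, *self.data_interfaces)}
        if answered[self.failover_link]:
            self.missed = 0                          # transient loss: no failover
            return "peer ok"
        if any(answered[i] for i in self.data_interfaces):
            self.failover_link_state = "failed"      # peer alive, link dead: no failover
            return "failover link failed"
        self.peer_state = "failed"                   # silence everywhere: peer failed
        if self.role == "standby":
            self.role = "active"
            return "failover: became active"
        return "peer failed"


def failover_scenario(stateful: bool) -> tuple[str, bool]:
    """The primary passes a TCP flow, then goes silent. Returns the secondary's
    monitoring verdict and whether the server's reply survives the failover."""
    def peer_down(iface: str) -> bool:
        return False                                 # the peer answers on no interface

    primary = FailoverUnit("primary", "active", "folink", ["inside", "outside"], peer_down, stateful)
    secondary = FailoverUnit("secondary", "standby", "folink", ["inside", "outside"], peer_down, stateful)
    primary.peer, secondary.peer = secondary, primary

    flow = ("tcp", "10.0.0.5", 40000, "198.51.100.20", 443)   # constructed sample flow
    primary.add_connection(flow)

    verdict = "waiting"
    for _ in range(MISSED_HELLOS_BEFORE_PROBE):
        verdict = secondary.hello_interval_elapsed()
    return verdict, secondary.accepts_reply(flow)


if __name__ == "__main__":
    print("stateful :", failover_scenario(True))    # ('failover: became active', True)
    print("stateless:", failover_scenario(False))   # ('failover: became active', False)
```

Running `failover_scenario` with and without stateful replication gives the same failover verdict but a different fate for the in-flight flow: the stateful standby already holds the connection entry when it becomes active, so the server's reply is accepted, while the stateless one has an empty table and the client must reconnect.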
Checkpoint Interview Questions
Checkpoint Firewall is a widely used security firewall deployed by many corporate organizations for internal network security. The questions below cover it.

Ans: A firewall is a network security device.