
How to Test a Firewall?

Cybercrime is more diverse and ubiquitous today than ever before, according to the latest security statistics. A digitized corporate environment provides more potential for firms to grow by serving and reaching the public, but it also creates new risks and necessitates extensive rules and practices to safeguard digital safety and security against the unscrupulous.

One of the primary lines of defense against cyber threats is a firewall. Firewalls are also a practical subject for assessment, because penetration testers can run simulated attacks against them to evaluate the security of the network they protect.

Conducting a firewall security test on a regular basis is critical for assuring and maintaining your organization's security. Among the many advantages provided by Firewall Penetration Testing are the following:

  • Find out before it's too late: Assess and detect concerns early; taking a proactive rather than a reactive strategy will help to avoid possible security incidents and the significant expenses connected with the recovery procedure.
  • Boost overall security posture: Improve your organization's overall security posture. Ensuring that a firewall is effectively guarded implies that the assets behind it are also adequately secured, particularly from the outside.
  • Reduce your spending: The recovery procedure after an incident, as well as the associated expenditures, are often substantial. These costs can be avoided by doing firewall security testing on a regular basis to limit the risk of this happening.

Firewall testing consists of the following 13 steps:

  1. Locating the firewall
  2. Running traceroute
  3. Scanning ports
  4. Banner grabbing
  5. Access control enumeration
  6. Identifying the firewall architecture
  7. Testing the firewall policy
  8. Firewalking
  9. Port redirection
  10. Internal and external testing
  11. Testing for covert channels
  12. HTTP tunneling
  13. Identifying firewall-specific vulnerabilities

In this article, we'll go over each of these steps briefly.

1. Firewall Location

The first step is to locate the firewall to be tested. You'll use packet-crafting software to generate IP packets with TCP, UDP, or ICMP payloads.

Most people use Hping or Nmap for pen-testing. Keep in mind that the sole difference between these two tools is that Nmap can scan a range of IP addresses while Hping can only scan a single IP address at a time. So, if you want a more invasive scan, Hping might be a better choice. Using Hping improves the chances of anomalous activity being discovered.

You will repeat the scanning process to map the firewall's allowed services list.

2. Run Traceroute

Running a traceroute command against the firewall identified in the previous step reveals the network range. This step also provides information about the path packets traverse between systems and identifies all routers and devices participating in connection establishment. Additionally, information about traffic-filtering devices and protocols can be gathered.

Ping and traceroute serve the same purpose: to test connectivity between two sites. The main distinction is that traceroute displays each step of the path, whereas ping does not. Furthermore, because ping and traceroute employ distinct protocols and ports, one may succeed while the other fails.

The traceroute command differs slightly depending on the operating system. It's worth noting that the command name on Microsoft Windows is abbreviated to tracert. In addition, your output will include a list of distinct domain names and IP addresses as you go.

3. Port Scanning

Port scanning is the third phase of the firewall testing technique. Nmap is the most commonly used tool since it allows extensive customization of the scans that are performed.

In this phase, you will not only detect open ports on the firewall but also the matching services running on those open ports. Using Nmap, one may build a scan that specifies the type of scan desired, the options for that specific scan type, timing, and much more.

The following command, for example, sends packets with the SYN flag set to the first 1024 ports using aggressive timing.

nmap -sS -p 0-1024 x.x.x.x -T4

Nmap can export scan findings in a variety of formats based on the preferences and requirements of the penetration tester.

Port scanning's primary purpose is to determine which ports are open, which are closed, and which are filtered.

  • When we say a port is filtered, we mean that packets destined for that port are subject to the firewall's filtering rules.
  • If you transmit a SYN packet to a remote host that has a port open for inbound connection requests, the remote host will respond with a SYN+ACK packet.
  • If a remote host's port is closed and your computer sends a SYN packet to it, the remote host will respond with an RST packet.
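The scan above is also what a defender should expect to see in the firewall's own logs. The script below is an added example (not part of the original article) that reads a few constructed, netfilter-style log lines, keeps only packets whose flags are exactly SYN, and flags any source that probes many distinct destination ports within a short window. The log format, the addresses and the thresholds are all assumptions; adapt the regex to your firewall's real format.

```python
"""Detect a TCP SYN sweep in firewall log lines (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled loosely on Linux netfilter LOG output.
SAMPLE_LOG = """\
2024-05-01T10:00:00 FW: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=22 FLAGS=SYN
2024-05-01T10:00:00 FW: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=23 FLAGS=SYN
2024-05-01T10:00:01 FW: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=25 FLAGS=SYN
2024-05-01T10:00:01 FW: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=80 FLAGS=SYN
2024-05-01T10:00:02 FW: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40005 DPT=443 FLAGS=SYN
2024-05-01T10:00:02 FW: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40006 DPT=445 FLAGS=SYN
2024-05-01T10:00:03 FW: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40007 DPT=3389 FLAGS=SYN
2024-05-01T10:00:03 FW: IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP SPT=40008 DPT=8080 FLAGS=SYN
2024-05-01T10:00:05 FW: IN=eth0 SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51000 DPT=443 FLAGS=SYN
2024-05-01T10:00:06 FW: IN=eth0 SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51001 DPT=443 FLAGS=SYN
2024-05-01T10:30:00 FW: IN=eth0 SRC=192.0.2.44 DST=198.51.100.10 PROTO=TCP SPT=51002 DPT=22 FLAGS=SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) FW: .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+) FLAGS=(?P<flags>\S+)"
)


def parse_syn_events(text):
    """Return (timestamp, src, dst, dport) for every TCP packet whose flags are exactly SYN."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("flags") != "SYN":
            continue  # not a bare SYN (e.g. SYN/ACK replies or other protocols)
        events.append((datetime.fromisoformat(m.group("ts")), m.group("src"),
                       m.group("dst"), int(m.group("dpt"))))
    return events


def find_syn_sweeps(events, window=timedelta(seconds=10), min_ports=5):
    """Return {src: sorted distinct ports} for sources that hit at least min_ports
    distinct destination ports within any span of `window` length (assumed thresholds)."""
    by_src = defaultdict(list)
    for ts, src, _dst, dport in sorted(events):
        by_src[src].append((ts, dport))
    sweeps = {}
    for src, probes in by_src.items():
        start = 0
        for end in range(len(probes)):
            # slide the window start forward until probes[start..end] fit inside the window
            while probes[end][0] - probes[start][0] > window:
                start += 1
            ports = {p for _, p in probes[start:end + 1]}
            if len(ports) >= min_ports:
                sweeps[src] = sorted(ports | set(sweeps.get(src, [])))
    return sweeps


if __name__ == "__main__":
    for src, ports in find_syn_sweeps(parse_syn_events(SAMPLE_LOG)).items():
        print(f"possible SYN sweep from {src}: {len(ports)} ports {ports}")
```

With the constructed data, 203.0.113.7 touches eight ports in three seconds and is reported, while 192.0.2.44 (two hits on 443 and one on 22 half an hour later) stays below the threshold. A timed scan (`-T4` and faster) is easy to catch this way; the trade-off to tune is the window length against slow scans that spread probes over hours.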

4. Banner Grabbing

The term "banner grabbing" refers to the practice of obtaining information about a system reachable on a given network and about the services running on its open ports. An administrator can use the same technique to take a complete inventory of the systems and services on their own network.

Performing banner grabbing on the firewall will reveal information about the firewall's version. This information can then be utilized to identify available exploits that may breach the firewall.

Using Netcat, the penetration tester opens a connection to the port and reads the banner that the service sends back, which contains the information the tester is after.

Banner Grabbing can be accomplished using one of two methods.

  • Active Banner Grabbing: This is the most common and widely used banner grabbing strategy. Packets are sent to the remote host and the response is analyzed. The sender can craft or alter the packets based on their requirements. It entails establishing a TCP (Transmission Control Protocol) or equivalent connection between the originating host and the remote host. Because that connection is logged by the remote host, this sort of banner grabbing is referred to as active. An Intrusion Detection System (IDS) can detect the activity against the target system, so active banner grabbing is not always stealthy.
  • Passive Banner Grabbing: This strategy, on the other hand, is less exposed than active banner grabbing because it avoids a direct connection. Instead of connecting to the host directly, intermediate software and systems (such as traffic captures or third-party services) are used to gather the same information. Passive banner grabbing can collect much of the information available about the system and is far less likely to be detected than active banner grabbing.
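What an active banner grab actually sends and receives is easiest to see on your own host. The following is an added example (not code from the original article or from Netcat): it starts a throwaway TCP service on 127.0.0.1 that greets clients with a constructed banner, connects to it the way a Netcat session would, and reads whatever the service volunteers before any client data is sent. Pointing `grab_banner` at your own services shows exactly what version information they disclose; the regex that extracts a product/version pair is an assumption that fits OpenSSH- and SMTP-style greetings.

```python
"""Active banner grab against a local test service (added example, constructed banner)."""
import re
import socket
import threading


def start_fake_service(banner: bytes) -> int:
    """Listen on an ephemeral localhost port and send `banner` to each client. Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)  # greet first, like a real SSH/SMTP/FTP daemon

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def grab_banner(host: str, port: int, timeout: float = 2.0, max_bytes: int = 1024) -> str:
    """Connect, send nothing, and return the text the service sends first ('' if it stays silent)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            data = s.recv(max_bytes)
        except socket.timeout:
            data = b""  # service waits for the client to speak first: nothing leaked
    return data.decode("utf-8", errors="replace").strip()


# Assumed pattern: a product name followed by '_', '/' or a space and a dotted version.
BANNER_RE = re.compile(r"(?P<product>[A-Za-z][\w-]*)[_/ ](?P<version>\d+(?:\.\d+)+)")


def extract_product_version(banner: str):
    """Pull the first product/version pair out of a banner, e.g. ('OpenSSH', '8.9')."""
    m = BANNER_RE.search(banner)
    return (m.group("product"), m.group("version")) if m else None


if __name__ == "__main__":
    port = start_fake_service(b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3\r\n")  # constructed banner
    banner = grab_banner("127.0.0.1", port)
    print(repr(banner), extract_product_version(banner))
```

The defensive lesson is in the second branch of `grab_banner`: a service (or a firewall in front of it) that does not answer until the client speaks, or that serves a generic greeting, gives this kind of probe nothing to work with.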

Different tools are available for conducting banner grabbing, including the following:

5. Access Control Enumeration

Enumeration is defined as a process that makes an active connection to the target hosts in order to uncover potential attack vectors in the system, which may then be exploited for further system exploitation.

Every firewall uses access control lists (ACLs) to decide which traffic to allow or refuse. While enumerating the ACL, the state of the firewall's ports is the only indicator a penetration tester can observe directly.

A penetration tester therefore examines the state of each firewall port carefully while enumerating the ACL.

For example, the next command will send requests with the ACK flag to the first 1024 ports.

nmap -sA 192.165.123.123

The results are interpreted as follows:

  • open: The port is listening.
  • filtered: The port is blocked by the firewall.
  • unfiltered: The firewall lets traffic to this port through.

6. Firewall Architecture

There are four frequently used firewall architectures: packet filtering firewalls, screened host firewalls, dual-homed host firewalls, and screened subnet firewalls.

  • Packet filtering firewalls: Most businesses use a router to connect to the Internet. This router sits at the boundary between the organization's internal networks and the internet service provider. These routers can be configured to accept or refuse packets based on the organization's rules. This is one of the simplest and most effective strategies for reducing the risk the internet poses to the enterprise.
  • Screened host firewalls: This firewall is a hybrid of a packet-filtering router and a standalone firewall, such as an application proxy firewall. The router screens the packet before it enters the internal network, reducing traffic and network burden on the internal proxy.
  • Dual-homed host firewalls: This design is a more complicated version of screened host firewalls. In this architectural approach, the bastion host setup has two NICs (Network Interface Cards). One NIC is connected to the external network, while the other is connected to the internal network, providing an extra layer of security.
  • Screened subnet firewalls (with DMZ): This design frequently employs Network Address Translation. NAT is a way of mapping external IP addresses to internal IP addresses, hence providing a barrier to external attacker penetration.

Crafted packets are sent to the firewall ports identified earlier to produce a port status listing. You can use Hping, Hping2, or Nmap to collect the responses on particular ports, determine how the firewall reacts, and further map the open ports.

After the scan, the firewall's responses indicate which connections were accepted, denied, rejected, or dropped, as follows:

  • A SYN/ACK response from the firewall indicates that the port is open.
  • An RST/ACK response indicates that the crafted packet was rejected by the firewall.
  • An ICMP type 3 code 13 response indicates that the connection was terminated.
  • No response indicates that the crafted packet was dropped by a filtered port.
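The port states described in steps 3, 5 and 6 all come from the same small set of replies, so it helps to see the mapping written out in one place. The script below is an added example (not part of the original article) that models a probe as the flag set that was sent plus whatever came back (TCP flags, an ICMP type/code, or nothing before the timeout) and returns the state together with the reason. Treating an ICMP type 3 code 13 ("communication administratively prohibited") reply as filtered follows the convention port scanners use; the sample results at the bottom are constructed.

```python
"""Classify SYN-probe and ACK-probe replies into port states (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Reply:
    tcp_flags: Optional[frozenset] = None     # e.g. frozenset({"SYN", "ACK"})
    icmp: Optional[Tuple[int, int]] = None    # (type, code), e.g. (3, 13)

    @classmethod
    def tcp(cls, *flags: str) -> "Reply":
        return cls(tcp_flags=frozenset(flags))

    @classmethod
    def icmp_unreachable(cls, code: int) -> "Reply":
        return cls(icmp=(3, code))


NO_REPLY = Reply()  # probe timed out without any answer

# Destination-unreachable codes that scanners report as "filtered": net/host/proto
# unreachable, network/host admin prohibited, and 13 = communication administratively prohibited
ICMP_FILTERED_CODES = {1, 2, 3, 9, 10, 13}


def classify_syn_probe(reply: Reply) -> Tuple[str, str]:
    """State of a port after a SYN probe, with the reason."""
    if reply.tcp_flags is not None:
        if {"SYN", "ACK"} <= reply.tcp_flags:
            return ("open", "SYN/ACK received")        # host completed step 2 of the handshake
        if "RST" in reply.tcp_flags:
            return ("closed", "RST received")          # host reachable, nothing listening
    if reply.icmp and reply.icmp[0] == 3 and reply.icmp[1] in ICMP_FILTERED_CODES:
        return ("filtered", f"ICMP type 3 code {reply.icmp[1]}")  # a filter answered for the host
    return ("filtered", "no response")                 # silently dropped somewhere on the path


def classify_ack_probe(reply: Reply) -> Tuple[str, str]:
    """State after an ACK probe: only tells whether a stateful filter sits in front of the port."""
    if reply.tcp_flags is not None and "RST" in reply.tcp_flags:
        return ("unfiltered", "RST received")          # the stack answered, so the ACK got through
    if reply.icmp and reply.icmp[0] == 3 and reply.icmp[1] in ICMP_FILTERED_CODES:
        return ("filtered", f"ICMP type 3 code {reply.icmp[1]}")
    return ("filtered", "no response")


def summarize(probe_results: Dict[int, Tuple[str, Reply]]) -> Dict[int, Tuple[str, str]]:
    """probe_results: {port: ('SYN' | 'ACK', Reply)} -> {port: (state, reason)}."""
    out = {}
    for port, (probe_type, reply) in probe_results.items():
        out[port] = classify_syn_probe(reply) if probe_type == "SYN" else classify_ack_probe(reply)
    return out


if __name__ == "__main__":
    # Constructed results for a handful of ports
    sample = {
        22:  ("SYN", Reply.tcp("SYN", "ACK")),
        23:  ("SYN", Reply.tcp("RST", "ACK")),
        25:  ("SYN", Reply.icmp_unreachable(13)),
        135: ("SYN", NO_REPLY),
        80:  ("ACK", Reply.tcp("RST")),
        445: ("ACK", NO_REPLY),
    }
    for port, (state, reason) in summarize(sample).items():
        print(f"{port:>5}/tcp {state:<10} ({reason})")
```

The "reason" column is the part worth keeping when you review your own firewall: a port that shows up as closed (RST) or as filtered with an ICMP code 13 reply is a port where the firewall is talking back to the prober, which is exactly the "deny instead of drop" behaviour discussed under step 13.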

7. Test Firewall Policy

Your organization's security policy is a set of definitions designed to protect your computer network and the data that flows through it. All packets that are not explicitly authorized are denied by the firewall. When you add a policy to your firewall device configuration file, you are adding a collection of rules that instruct the firewall device to allow or refuse traffic depending on factors such as the packet's source and destination, as well as the TCP/IP port or protocol used.

A policy can also provide further instructions to the firewall device on how to handle the packet. For example, you can configure traffic-specific logging and alerting settings, or utilize NAT (Network Address Translation) to modify the source IP address and port.

This test analyzes the number of packets and the volume of data crossing the firewall for each configured firewall policy. As a result, it helps administrators determine which firewall policy carried the greatest volume of packets and data.

There are two methods for testing firewall policies. The penetration tester either compares hard copies of the extracted firewall policy configuration and the expected configuration to find potential holes, or performs actions against the firewall to confirm that it behaves as the expected configuration says it should.

8. Firewalking

The firewalking methodology is based on establishing which traffic kinds are permitted and then using those packet types as the foundation for additional traceroute type scanning. A common firewall configuration might be to allow just DNS requests (UDP port 53).

As a result, if we transmit traffic to UDP port 53 with a TTL one hop higher than the firewall's, it will pass through the firewall and return information about the next host in line. Because traceroute relies on IP-level handling of the TTL field, any of the transport mechanisms (UDP, TCP, or ICMP) can be used, and thus any service based on those protocols can be imitated.

The Firewalk tool is capable of performing advanced network mapping and building a picture of the network topology.

More specifically, by crafting packets with specific TTL values, the penetration tester can identify allowed ports when an ICMP "TTL exceeded" message comes back from the hop behind the firewall. If there is no response, it is safe to assume that the firewall filtered the packet and blocked the connection.

Once a firewall has been located on the way to the target host, firewalking that system will show which ports it lets through. These ports become known even if the next system in line refuses to return information on the target port. This data can be used to map the complete access control list of each firewall along the way. If each device along the path is not reviewed, there is a risk of falsely reporting ports as closed when traffic is actually being blocked by an intermediate system.
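Both step 2 (traceroute) and this step depend on the same mechanism: every hop decrements the TTL, and the hop where it reaches zero answers with an ICMP "time exceeded" message. The model below is an added example (not part of the original article and not the Firewalk tool's code) that simulates a small path in pure Python so the behaviour can be studied offline. The hops, addresses and the firewall's allow-list are constructed; `traceroute` shows why the path stops at the firewall for a blocked port but continues for an allowed one, and `firewalk` shows how probing with TTL = firewall hop + 1 reveals the allow-list. The `PATH_HARDENED` variant, in which the firewall does not let "time exceeded" messages from inside leak back out, shows the corresponding mitigation: the same probes then return nothing useful.

```python
"""TTL-based path discovery and firewalking, simulated (added example, constructed network)."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Hop:
    addr: str
    allow: Optional[Set[Tuple[str, int]]] = None   # None = forwards everything; else allowed (proto, dport)
    block_icmp_time_exceeded: bool = False          # mitigation: drop time-exceeded coming back from inside


def send_probe(path: List[Hop], ttl: int, proto: str, dport: int):
    """Walk one probe down the path. Returns (kind, addr) with kind in
    'time-exceeded', 'reached' or 'dropped' (addr is None when dropped)."""
    for i, hop in enumerate(path):
        ttl -= 1
        if ttl == 0:
            kind = "reached" if i == len(path) - 1 else "time-exceeded"
            # the ICMP reply has to travel back out through every earlier hop
            if kind == "time-exceeded" and any(h.block_icmp_time_exceeded for h in path[:i]):
                return ("dropped", None)
            return (kind, hop.addr)
        if hop.allow is not None and (proto, dport) not in hop.allow:
            return ("dropped", None)  # filtering hop silently discards the probe
    return ("reached", path[-1].addr)


def traceroute(path: List[Hop], proto: str = "udp", dport: int = 33434, max_ttl: int = 30) -> List[str]:
    """Hop addresses seen for increasing TTL; '*' where nothing came back. Gives up after 3 silent hops."""
    hops = []
    for ttl in range(1, max_ttl + 1):
        kind, addr = send_probe(path, ttl, proto, dport)
        hops.append(addr if addr else "*")
        if kind == "reached" or hops[-3:] == ["*", "*", "*"]:
            break
    return hops


def firewalk(path: List[Hop], firewall_hop: int, probes):
    """firewall_hop is the 1-based hop number of the firewall (taken from traceroute).
    Each probe is sent with TTL = firewall_hop + 1, so an allowed packet expires on the
    hop just behind the firewall and that hop's reply proves the rule let it through."""
    results = {}
    for proto, dport in probes:
        kind, _addr = send_probe(path, firewall_hop + 1, proto, dport)
        results[(proto, dport)] = "allowed" if kind in ("time-exceeded", "reached") else "filtered"
    return results


# Constructed path: edge router, firewall (hop 2), internal router, target host.
PATH = [
    Hop("192.0.2.1"),
    Hop("198.51.100.1", allow={("udp", 53), ("tcp", 443)}),
    Hop("198.51.100.20"),
    Hop("10.0.0.5"),
]
# Same path, but the firewall swallows time-exceeded messages generated behind it.
PATH_HARDENED = [
    PATH[0],
    Hop("198.51.100.1", allow={("udp", 53), ("tcp", 443)}, block_icmp_time_exceeded=True),
    PATH[2],
    PATH[3],
]

if __name__ == "__main__":
    print("traceroute, udp/33434:", traceroute(PATH, "udp", 33434))
    print("traceroute, udp/53:   ", traceroute(PATH, "udp", 53))
    probes = [("udp", 53), ("tcp", 443), ("tcp", 22), ("tcp", 3389)]
    print("firewalk:             ", firewalk(PATH, 2, probes))
    print("firewalk (hardened):  ", firewalk(PATH_HARDENED, 2, probes))
```

The model also illustrates the caveat at the end of this step: against `PATH`, a plain traceroute on an arbitrary port shows only two hops and then silence, which looks like a dead path rather than a filtered port, and only the probe on an allowed port reveals the hops behind the firewall.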

9. Port Redirection

Port Redirection is a feature that redirects a connection request from a certain WAN port of the router to a host on the router's LAN. The router might alter the destination port while traversing the NAT.

Testing for port redirection is a crucial step that can lead to additional network compromise. If the desired port is not directly available, port redirection techniques can be employed to get around the restriction.

If the tester succeeds in compromising a target system and wishes to bypass the firewall, he or she can install port-redirecting software such as Fpipe or Datapipe and listen on particular port numbers.

10. Internal And External Testing

External and internal penetration tests are not necessarily required for testing the firewall, but they do provide a more realistic view of how a bad actor might attack your systems.

An external network pentest is intended to evaluate the efficiency of perimeter security policies in preventing and detecting attacks, as well as to uncover flaws in internet-facing assets such as web, mail, and FTP servers.

During the test, the tester performs reconnaissance on the in-scope assets, gathering intelligence on all of them. This intelligence comprises exposed ports, vulnerabilities, and general knowledge about the organization's users (useful for password attacks). Once the perimeter is successfully breached, the external penetration test objectives are satisfied and the tester moves on to the internal penetration test.

An internal network pentest is used to determine what an attacker could do with initial network access. An internal network pen test can reflect insider threats, such as employees acting maliciously on purpose or unintentionally.

During an internal penetration test, the tester will either use the exploited box from an exterior penetration test or complete the assessment using a testing box or laptop on the inside of the network. The preferable way is to use a testing box or laptop, as this is often a more stable testing path than running tools over the exploited external asset.

11. Test Covert Channel

A covert channel is a concealed communication link that enables hackers to remain undetected. Covert channels are typically used to mask actions and extract important or sensitive data from a corporation. They are produced by establishing a backdoor on a compromised machine within the network.

Once installed, a reverse shell can be constructed in order to connect to the hacker's outside system. One method is to employ the well-known hacking platform Metasploit.

Covert channels are so effective because awareness of their underlying protocols is sometimes oversimplified to a general use case, despite the fact that these protocols provide full end-to-end networking functionality. Network engineers are better able to defend a network if they are aware of the existence of these hidden routes.

12. HTTP tunneling

The HTTP tunneling method encapsulates traffic with the HTTP protocol and is frequently used when access to a device is blocked due to a firewall or a proxy.

In this case, the HTTPort tool can be used to send POST requests to the HTTP server with the hostname, port number, and path specified. Because HTTPort is built to work through HTTP proxies, the only barrier remaining is which CONNECT methods and destinations the proxy permits.
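Since the proxy's permitted CONNECT destinations are the remaining control, the proxy's access log is where a defender looks for tunnelling. The script below is an added example (not part of the original article) that parses a few constructed log lines in a simplified, space-separated format of my own (timestamp, client, method, target, status, duration in seconds, bytes) and flags the two patterns tunnels tend to leave: CONNECT requests to ports outside an allow-list, and sessions that run far longer or move far more data than a page load. The allow-list and thresholds are assumptions to tune for your environment.

```python
"""Flag HTTP-tunnelling candidates in proxy access logs (added example, constructed data)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed log: timestamp client method target status seconds bytes
SAMPLE = """\
2024-05-01T09:00:01 10.0.0.12 CONNECT www.example.com:443 200 3 45120
2024-05-01T09:00:04 10.0.0.12 GET http://www.example.com/index.html 200 0 8312
2024-05-01T09:01:10 10.0.0.25 CONNECT 203.0.113.9:22 200 1800 52428800
2024-05-01T09:02:30 10.0.0.31 CONNECT mail.example.net:993 200 600 230000
2024-05-01T09:03:00 10.0.0.25 POST http://203.0.113.9:8080/ 200 1 9000000
2024-05-01T09:03:30 10.0.0.40 CONNECT 198.51.100.7:443 403 0 0
"""

ALLOWED_CONNECT_PORTS = {443}        # assumption: only TLS to 443 may be tunnelled through CONNECT
LONG_SESSION_SECONDS = 900           # assumption: a single request/tunnel open for 15 minutes is odd
BULK_BYTES = 10 * 1024 * 1024        # assumption: more than 10 MiB in one session deserves a look


def parse_proxy_log(text: str) -> List[Dict]:
    """Turn the constructed log format into a list of records (malformed lines are skipped)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, client, method, target, status, seconds, nbytes = parts
        records.append({"ts": ts, "client": client, "method": method, "target": target,
                        "status": int(status), "seconds": int(seconds), "bytes": int(nbytes)})
    return records


def target_port(record: Dict) -> Optional[int]:
    """Port the request aimed at: host:port for CONNECT, otherwise the URL's port or scheme default."""
    t = record["target"]
    if record["method"] == "CONNECT":
        return int(t.rsplit(":", 1)[1])
    m = re.match(r"(https?)://[^/:]+(?::(\d+))?", t)
    if not m:
        return None
    return int(m.group(2)) if m.group(2) else (443 if m.group(1) == "https" else 80)


def find_tunnel_candidates(records: List[Dict], allowed_ports=ALLOWED_CONNECT_PORTS,
                           long_seconds=LONG_SESSION_SECONDS,
                           bulk_bytes=BULK_BYTES) -> List[Tuple[str, str, List[str]]]:
    """Return (client, target, reasons) for every successful request that looks like a tunnel."""
    findings = []
    for r in records:
        if r["status"] != 200:
            continue  # the proxy refused it, so nothing got through
        reasons = []
        port = target_port(r)
        if r["method"] == "CONNECT" and port not in allowed_ports:
            reasons.append(f"CONNECT to non-allowed port {port}")
        if r["seconds"] >= long_seconds:
            reasons.append(f"session lasted {r['seconds']}s")
        if r["bytes"] >= bulk_bytes:
            reasons.append(f"{r['bytes']} bytes transferred")
        if reasons:
            findings.append((r["client"], r["target"], reasons))
    return findings


if __name__ == "__main__":
    for client, target, reasons in find_tunnel_candidates(parse_proxy_log(SAMPLE)):
        print(f"{client} -> {target}: {'; '.join(reasons)}")
```

In the constructed data the CONNECT to 203.0.113.9:22 trips all three checks, the IMAPS CONNECT trips only the port allow-list (a legitimate use that the allow-list should be extended to cover if it is expected), and the refused CONNECT with status 403 is ignored because the proxy already did its job. POST-based tunnelling of the kind HTTPort uses does not show up as CONNECT at all; it has to be found through the volume and duration checks, which is why those are separate from the port test.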

13. Identify Firewall Vulnerabilities

Although having a firewall as part of your security plan is essential, firewalls can be vulnerable. A firewall vulnerability is a flaw in the design, implementation, or configuration of a firewall that can be exploited to attack the trusted network it is meant to protect. Drawbacks of a firewall system are as follows:

  • A firewall cannot protect against internal threats such as backdoors. A disgruntled employee, for example, may conspire with an external attacker.
  • A bottleneck may occur if all connections are routed through the firewall.
  • If external devices, including laptops, USB drives, and other similar devices, are already infected and connected to the network, a firewall will be unable to protect the network.
  • The firewall is unable to protect the network completely against all types of zero-day malware.
  • A firewall will be ineffective if the network design and configuration are flawed.
  • A firewall may be incapable of preventing threats from common ports or apps.
  • Tunneled traffic may be incomprehensible to a firewall.

Common firewall vulnerabilities and misconfigurations include:

  • ICMP is allowed and the firewall can be pinged.
  • Having unnecessary services available on the firewall.
  • Having open TCP/UDP ports that aren't needed.
  • The firewall returns a deny (reject) response rather than silently dropping packets for blocked ports. This gives the attacker additional information and speeds up the attacker's port scan.
  • Misconfiguration that allows a TCP ping of internal hosts with Internet-routable IP addresses.
  • Trusting certain IP addresses.
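The first of the two policy-testing methods from step 7 (comparing the extracted configuration against the expected one) and the misconfiguration list above can be checked by the same piece of code. The script below is an added example (not part of the original article, and not any vendor's rule syntax): it parses a constructed, five-field rule format (`action proto src dst dport`, first match wins), reports rules present on the device but absent from the approved policy and vice versa, and then lints the extracted rules for the patterns listed above: ICMP allowed from any source, blanket any-to-any allows, reject instead of drop, and a missing catch-all deny at the end. The rule sets and addresses are constructed.

```python
"""Diff an extracted firewall policy against the expected one and lint it (added example)."""
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    action: str   # allow | drop | reject
    proto: str    # tcp | udp | icmp | any
    src: str
    dst: str
    dport: str    # port number, 'any', or '-' for protocols without ports


# Constructed rule set "pulled from the device"
RULES_EXTRACTED = """\
# format: action proto src dst dport  (first match wins)
allow tcp any 198.51.100.10 443
allow tcp any 198.51.100.10 80
allow icmp any any -
allow tcp any 198.51.100.10 23
reject tcp any any any
"""

# Constructed approved policy
RULES_EXPECTED = """\
allow tcp any 198.51.100.10 443
allow tcp any 198.51.100.10 80
drop any any any any
"""


def parse_rules(text: str) -> List[Rule]:
    """Parse the five-field format; comments and blank lines are ignored, anything else must be well formed."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"malformed rule: {line!r}")
        rules.append(Rule(*parts))
    return rules


def diff_policies(extracted: List[Rule], expected: List[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Rules on the device that the approved policy lacks, and approved rules the device lacks.
    Order is ignored here; a full review also checks first-match ordering."""
    unexpected = [r for r in extracted if r not in expected]
    missing = [r for r in expected if r not in extracted]
    return unexpected, missing


def lint_rules(rules: List[Rule]) -> List[str]:
    """Findings for the common misconfigurations listed in the article."""
    findings = []
    for r in rules:
        text = " ".join(r)
        if r.action == "allow" and r.proto == "icmp" and r.src == "any":
            findings.append(f"ICMP allowed from any source (firewall can be pinged/probed): {text}")
        if r.action == "allow" and (r.src, r.dst, r.dport) == ("any", "any", "any"):
            findings.append(f"blanket allow exposes everything behind the firewall: {text}")
        if r.action == "reject":
            findings.append(f"reject answers blocked probes; prefer drop: {text}")
    last = rules[-1] if rules else None
    if last is None or last.action not in ("drop", "reject") or \
            (last.proto, last.src, last.dst, last.dport) != ("any", "any", "any", "any"):
        findings.append("no catch-all default-deny rule at the end of the policy")
    return findings


if __name__ == "__main__":
    extracted, expected = parse_rules(RULES_EXTRACTED), parse_rules(RULES_EXPECTED)
    unexpected, missing = diff_policies(extracted, expected)
    print("on device but not approved:", [" ".join(r) for r in unexpected])
    print("approved but not on device:", [" ".join(r) for r in missing])
    for finding in lint_rules(extracted):
        print("finding:", finding)
```

Against the constructed data, the diff exposes the extra telnet (23) and ICMP allows and shows that the approved `drop any any any any` has been replaced by a `reject tcp any any any`; the lint then adds that this final rule both talks back to probers and leaves UDP with no catch-all at all, which is how such a policy ends up with "open TCP/UDP ports that aren't needed".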

How to Test the Windows Firewall?

The Windows operating system includes a robust built-in Windows Firewall that stops attackers and malware from reaching your computer over a network or the Internet. Although the built-in firewall is adequate for most users, some prefer to use free third-party firewall software. If you want to see how good your firewall is, use one of these three free online firewall test and port scan services, which run probing protocol tests against it and tell you how well it is doing its job.

The best way to test the strength and functionality of a firewall system is to attempt to breach its security. ShieldsUP! scans your firewall for such flaws.

When you select a test type and agree to allow ShieldsUP! to run tests on your computer, it searches for potential weaknesses and openings that could be exploited to attack your system. If no threats are detected, your system will receive a green signal indicating that it has a flawless "TruStealth" rating.

ShieldsUP! allows you to test your firewall in five key categories:

  • File sharing
  • Common ports
  • All service ports
  • Messenger spam
  • Browser headers

When the test is finished, the results are given along with solutions to help you improve your security.

A further feature of ShieldsUP! is that no information obtained through your use of the service is retained, read, or used in any form by the service's operator or anyone else for any reason. To take the test, go to grc.com.

How to Check if Your Firewall is Blocking Something?

If your internet connection is working properly but a specific program is unable to reach an online feature, or a website frequently fails to load, your firewall may be interfering. It is fairly simple to check your firewall settings and tell your operating system to allow your game or a new mail client, whether you're using Windows or Mac on your home network. If that doesn't work, advanced Windows users can dig further into the settings to determine whether the firewall is blocking specific ports. Keep in mind that modifying your computer's firewall settings will not help you circumvent network firewalls, such as those schools use to block gaming.

You can see which programs are blocked by Windows Firewall in the firewall utility. The steps are simple:

  1. Search for Windows Firewall in Windows Search, and then pick Windows Defender Firewall from the search results.
  2. From the left list, select Allow an app or feature through Windows Defender Firewall.


Figure 1. Windows Defender Firewall - Allow an app or feature

  3. Under Allowed apps, the permitted apps are checked, while the unchecked ones are blocked by Windows Firewall.

  4. To unblock a program, click the Change settings button in the top-right corner and then select the application you want.

  5. Click OK to save the change.

How to Check if Firewall is Working?

Open the Control Panel by choosing Start, then Control Panel.

Type Firewall into the search box and then select the Windows Firewall panel. The Windows Firewall dialog box will appear.


Figure 2. Windows Firewall panel - Check Firewall is working

If a green checkmark appears next to the network location containing your License Manager PC, or the PCs participating in distributed testing, Windows Firewall is active and regulating traffic on that network.