topic Re: How to tell if traffic is bypassing FW or not? in Network Security

How to tell if traffic is bypassing FW or not?

mahesh18 — Tue, 12 Mar 2019 00:20:19 GMT

Hi Everyone,

We have some customer sites.

Some traffic goes through the FW and some does not touch the fw.

Is there any way that i can determine which subnets or IP address does not touch the FW means it bypass the traffic.

hope it makes sense.

Thanks

Mahesh

How to tell if traffic is bypassing FW or not?

Jennifer Halim — Thu, 08 Nov 2012 07:58:31 GMT

It's probably best to start with the routes on the FW and see if there is any routes for those subnet that do not touch the FW, then you can be sure that it is not going through the FW if there is no route back towards those subnets.

How to tell if traffic is bypassing FW or not?

saurabhgoel169 — Thu, 08 Nov 2012 14:25:41 GMT

you can check through the packet capture on cisco firewall for that subnet.... for which you have dowubt....

Re: How to tell if traffic is bypassing FW or not?

Stuart Gall — Thu, 08 Nov 2012 16:14:12 GMT

If you show access-list and the hit count is 0 the traffic is not going through

You can also add specific permits in front of general permits to narrow the issue down a bit further

Sent from Cisco Technical Support iPad App

How to tell if traffic is bypassing FW or not?

mahesh18 — Thu, 08 Nov 2012 19:04:41 GMT

Hi Jeniffer,

Thanks for reply.

ASA is not using dynamic routing protocols.

So i can look to static routes like route outside x.x.x.x and then figure out if traffic is bypassing ASA or not right?

Please confirm

Thanks

MAhesh

How to tell if traffic is bypassing FW or not?

mahesh18 — Thu, 08 Nov 2012 19:12:15 GMT

Hi Stuart,

My question was

I mean to say that we have client where certain traffic goes through the ASA and some traffic bypass the ASA - i mean never

touches the ASA.So how can we check which subnets bypass the ASA.

Thanks

MAhesh

Re: How to tell if traffic is bypassing FW or not?

Stuart Gall — Thu, 08 Nov 2012 20:53:45 GMT

Right, but your asa must have access lists right? Otherwise why is it there?

You can create entries in the inbound and outbound access lists which permit the traffic. If they are not already there.
When you do a show access-list it also shows you the hitcnt for each rule. If the traffic is going through it will increment. If not it will stay 0.
This will use less resources than a packet capture and can be left in place.

Sent from Cisco Technical Support iPad App

Re: How to tell if traffic is bypassing FW or not?

Julio Carvajal — Thu, 08 Nov 2012 21:13:55 GMT

Hello Mahesh,

You can do captures to correlate what packets reach the ASA,

Check the routing table on the devices on X subnet ( to check if the packet's have the ASA as a next hop)

Configure the ASA to decrement the TTL field ( so it's not transparent any more for the traceroute and perform traceroutes from the clients PC

Regards,

Julio

How to tell if traffic is bypassing FW or not?

Jennifer Halim — Thu, 08 Nov 2012 23:39:38 GMT

Hi Mahesh,

Yes, you are right.

Check the routing table on the ASA and see if there is any specific routes configured or all the routes are with larger mask. If most routes are specific routes configured on the ASA, then you can savely say that those subnets that are not in the routing table of the ASA does not pass through the ASA.

Hope that helps.

How to tell if traffic is bypassing FW or not?

mahesh18 — Fri, 09 Nov 2012 02:34:00 GMT

Hi Jeniffer & others

Many thanks to everyone for their reply back

Regards

Mahesh