Testing Firewall before cutover from production

titusroz03
Level 1

Hello All,

I have a brand new Firewall 3105 and we have completed the initial setup: inside and outside interfaces, route and NAT configs. Before the cutover of production traffic from the existing firewall I need to test the traffic with a sample policy on the new firewall.

The inside interface is connected to a Nexus switch which has a P2P VLAN between the switch and the firewall inside, and all the traffic is pointed towards the firewall inside. I am planning to create a test network and do PBR for that network alone, with the next hop pointed towards the inside of the new firewall.

But I'm not sure if this will work as expected; any suggestions from your side?
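The PBR setup described in the post, written out as an added NX-OS example; this is not configuration from the original thread, and the subnet, VLAN numbers, next-hop address and object names are all assumptions:

```text
! Nexus (NX-OS) - added example, not from the thread.
! Assumptions: the test subnet is 10.99.0.0/24 behind SVI Vlan100;
! the P2P VLAN to the new firewall's inside interface is Vlan200,
! and the new firewall's inside address on it is 10.200.0.2.
feature pbr

! Only the test subnet is policy-routed, so production traffic keeps its
! normal path. Traffic from the test hosts to internal networks (assumed
! here to be 10.0.0.0/8) is denied in the ACL, which means "do not
! policy-route": it falls through to the normal routing table.
ip access-list TEST-NET
  10 deny ip 10.99.0.0/24 10.0.0.0/8
  20 permit ip 10.99.0.0/24 any

route-map PBR-TEST-FW permit 10
  match ip address TEST-NET
  set ip next-hop 10.200.0.2

! Apply the policy on the SVI where the test hosts' traffic enters the switch.
interface Vlan100
  ip policy route-map PBR-TEST-FW

! Verify the policy is applied and is matching packets.
show ip policy
show route-map PBR-TEST-FW
```

The next hop in `set ip next-hop` must be directly reachable from the switch, which is the case here because it sits on the P2P VLAN to the new firewall. Returning traffic arrives from the firewall's inside interface on that same VLAN and is routed by the Nexus normally, so no PBR is needed in that direction.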


You have two sides:
the IN you can solve, as you mention, by PBR;
the OUT, how will you solve it?
MHM

Don't use packet-tracer to test, because you will always get a drop in the last phase since the ARP is missing from the FW.
Testing the new FW in a maintenance window is better.

MHM

Are you joking? If you have a 10000-line firewall config, you want to wait for the maintenance window and mess it up? Use packet-tracer to verify if your firewall rules are going to work; at least check the heavy hitters. A great way to test out the rules.

Packet-tracer shows allow for any IP since the traffic is inspected by the Snort engine.

OUT has a default route in the firewall to exit to the internet. PBR is only on the inside switch, to allow the test subnet.

i.e. the new FW has a connection to the internet?

If yes, then in the window redirect traffic to the new FW and check.

MHM

ccieexpert
Spotlight

Yes, PBR should work as long as you can send the traffic to the firewall inside, and the outside interface of the firewall is connected to the internet, maybe using a temporary public IP. Also, if the interfaces are just up, both inside and outside, you can do packet-tracer and it will show if a specific policy is working and what policy is matching. This way you don't have to have an actual traffic source. https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/212474-working-with-firepower-threat-defense-f.html
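A packet-tracer session of the kind this reply suggests, as an added example rather than output or commands from the thread; the interface names, the test host, the destination and the next-hop address are assumptions:

```text
> ! FTD CLI - added example, not from the thread.
> ! Assumptions: test host 10.99.0.10 on the inside, an assumed internet
> ! destination 203.0.113.50, and the outside next hop 198.51.100.1.
>
> ! Resolve the outside next hop first. With no real traffic through the
> ! new firewall its ARP table is empty, which is why the last phase of a
> ! trace can show a drop with no usable adjacency.
> ping 198.51.100.1
> show arp
>
> ! Simulate a TCP/443 flow from the test host towards the internet, as it
> ! would arrive on the inside interface after PBR on the switch.
> packet-tracer input inside tcp 10.99.0.10 40000 203.0.113.50 443
>
> ! Read the phases in order: ROUTE-LOOKUP (egress interface chosen),
> ! ACCESS-LIST (which access control rule matched), NAT (which rule
> ! translated the source) and the final Result line (allow or drop, with
> ! the drop reason). Repeat with a destination that should be blocked to
> ! confirm a deny rule is hit rather than an implicit permit.
> packet-tracer input inside tcp 10.99.0.10 40000 203.0.113.50 23
```

Running the trace once per "heavy hitter" rule, one permitted and one expected-deny flow each, checks the policy and the NAT ordering before any production traffic is moved, and populating the ARP entry first removes the false drop in the last phase that the earlier reply warns about.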
