As some vendors or technologies prefer doing thins differently than the others, migration of the configuration is not that straightforward.
This blog entry should summarize the information i've used in the past and keep as a reference for any future work.
- ASA 5500-x v8.x
- FWSM - inside the silicon
- BRKSEC-3020 describing troubleshooting with packetflow diagrams (from ciscolive website)
- BRKSEC-3021 describing silicon inside FWSM, ASA (from ciscolive website)
- BRKSEC-3660 ASA firewall inside-out (from ciscolive website)
In ASDM on all ASA firewalls there is also a packet tracer, where the flow is illustrated for troubleshooting.
- SRX - packet processing
- SRX- packet processing and NAT
- Netscreen troubleshooting
- Netscreen packet flow sequence (originated from Netscreen concepts)
The new NFTables should have the same concept (some chains might be called different differently) as IPTables, but I was unable to find anything specifically about it yet..
- Checkpoint firewall packet flow (page 13)
- Fortigate fundamentals (page 25)
There are other sources that describe similar behavior as mentioned above, or in case of Sonicwall a patent describing the process (that doesn't guarantee they also use it). But most of them look very similar, so it is easy to predict what new vendor or type of firewall would do when processing a packet.With this in mind, firewall troubleshooting becomes a simple process of checking the stages in which packet can be.