Firewall

4.1 Map the provided events to source technologies

📘Cisco Certified CyberOps Associate (200-201 CBROPS)


A firewall is a security device (hardware or software) that controls traffic between networks. Its main purpose is to permit or block network traffic based on defined security rules. In CyberOps, you will often encounter firewall logs and events, and understanding them helps you map activities to the source technology.

Think of a firewall as a gatekeeper for your network traffic. Every packet of data passing through is checked against rules.


1. How Firewalls Work

  • Firewalls examine network traffic (data packets) at different levels.
  • They make decisions based on security policies.
  • Types of rules include:
    • Allow: Let the traffic pass.
    • Deny/Block: Stop the traffic.
    • Log: Record the activity for later analysis.

Firewalls can be stateful or stateless:

Type       | How it Works
Stateless  | Examines packets individually; does not track connections.
Stateful   | Tracks connections (sessions); only allows packets that are part of a valid session.

2. Types of Firewalls

For the exam, you need to know the main firewall types:

  1. Packet Filtering Firewall
    • Works at the network layer.
    • Checks source IP, destination IP, port numbers.
    • Fast but less intelligent; cannot inspect content inside packets.
    • Example event in logs: Denied TCP from 192.168.1.5 to 10.0.0.1 on port 22.
  2. Stateful Inspection Firewall
    • Works at network and transport layers.
    • Keeps track of active connections.
    • Only allows packets that match an existing session.
    • Example event: Allowed TCP packet part of session 12345.
  3. Next-Generation Firewall (NGFW)
    • Works at application layer too.
    • Can inspect application content, user identity, and threats.
    • Example event: Blocked access to malicious URL: http://badsite.com.
  4. Web Application Firewall (WAF)
    • Protects web applications specifically.
    • Inspects HTTP/HTTPS traffic for attacks like SQL injection or XSS.
    • Example event: Blocked SQL injection attempt from IP 203.0.113.10.

3. Firewall Event Logging

Firewalls generate logs, which are key to mapping events to firewall technology. Logs usually include:

  • Timestamp: When the event occurred.
  • Source IP: Where the traffic came from.
  • Destination IP: Where the traffic is going.
  • Port number / Protocol: Type of traffic (e.g., HTTP, SSH).
  • Action: Allowed or blocked.
  • Reason / Rule ID: Which rule caused the action.

Sample Firewall Log Event:

2026-03-07 08:15:02 DENY TCP 192.168.1.50:52314 -> 10.0.0.10:443 RuleID: 101
  • This shows that a packet from IP 192.168.1.50 to 10.0.0.10 on port 443 was blocked by RuleID 101.

4. Key Firewall Event Types

When mapping events to firewalls, here are the most important types:

  1. Allowed Traffic (Permits)
    • Normal activity.
    • Example: Employees accessing internal web servers.
  2. Blocked Traffic (Denies)
    • Suspicious or unauthorized access attempts.
    • Often analyzed for potential attacks.
  3. Intrusion Prevention Events (on NGFW)
    • Threats identified and blocked in real-time.
    • Example: Malware download attempt detected and blocked.
  4. Policy Violation Events
    • User tries to access forbidden websites or applications.
    • Example: Access to peer-to-peer file sharing blocked.
  5. Connection Attempts
    • Firewall logs connection initiation, successful or failed.
    • Helps identify scans or unusual activity.

5. Mapping Firewall Events to CyberOps Investigations

  • Firewalls are source technologies for network security events.
  • In SOC operations, mapping firewall logs helps analysts detect:
    • Port scans
    • Denial-of-service attempts
    • Unauthorized access attempts
    • Malware or ransomware traffic
  • Events are often sent to a SIEM system for correlation with other data sources (IDS, antivirus, endpoint logs).
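The following is an added example, not part of the original notes: it parses log lines in the sample format from section 3 into the fields listed there, then applies the simple port-scan heuristic from section 5 (one source IP denied on many distinct destination ports). The log lines are constructed for illustration, and the function names are my own choices.

```python
import re
from collections import defaultdict

# Constructed log lines in the page's sample format (not output of any real firewall).
SAMPLE_LOG = """\
2026-03-07 08:15:02 DENY TCP 192.168.1.50:52314 -> 10.0.0.10:443 RuleID: 101
2026-03-07 08:15:03 ALLOW TCP 192.168.1.20:49152 -> 10.0.0.10:443 RuleID: 10
2026-03-07 08:15:04 DENY TCP 203.0.113.10:40001 -> 10.0.0.10:22 RuleID: 101
2026-03-07 08:15:04 DENY TCP 203.0.113.10:40002 -> 10.0.0.10:23 RuleID: 101
2026-03-07 08:15:05 DENY TCP 203.0.113.10:40003 -> 10.0.0.10:25 RuleID: 101
2026-03-07 08:15:05 DENY TCP 203.0.113.10:40004 -> 10.0.0.10:80 RuleID: 101
2026-03-07 08:15:06 DENY TCP 203.0.113.10:40005 -> 10.0.0.10:3389 RuleID: 101
"""

# Timestamp, action, protocol, source IP:port, destination IP:port, rule ID.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) RuleID: (?P<rule_id>\d+)$"
)

def parse_event(line):
    """Map one log line to the fields from section 3; return None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    for key in ("src_port", "dst_port", "rule_id"):
        ev[key] = int(ev[key])
    return ev

def parse_log(text):
    """Parse every line, silently skipping lines that are not firewall events."""
    return [ev for ev in (parse_event(line) for line in text.splitlines()) if ev]

def find_port_scans(events, min_ports=5):
    """Flag source IPs that were DENIED to at least min_ports distinct destination ports."""
    ports_by_src = defaultdict(set)
    for ev in events:
        if ev["action"] == "DENY":
            ports_by_src[ev["src_ip"]].add(ev["dst_port"])
    return {src: sorted(ports) for src, ports in ports_by_src.items() if len(ports) >= min_ports}

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print(f"{len(events)} firewall events parsed")
    for src, ports in find_port_scans(events).items():
        print(f"possible port scan from {src}: denied on ports {ports}")
```

In a SOC this kind of aggregation is normally done by the SIEM; the threshold of five ports is arbitrary and would be tuned per environment.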

6. Key Points to Remember for the Exam

  1. Firewalls control network traffic based on rules.
  2. They generate logs that contain:
    • Source & destination IPs
    • Ports & protocols
    • Action (allow/block)
    • Rule IDs or reasons
  3. Different types:
    • Packet filtering – simple, fast
    • Stateful – tracks sessions
    • Next-generation – app-level inspection
    • WAF – protects web applications
  4. Firewall events are mapped to source technology in SOC investigations.
  5. Look for denied traffic, allowed traffic, and intrusion prevention events in logs.

Exam Tip

  • When given an event in the exam, identify:
    1. The source technology (here, firewall).
    2. The type of firewall (packet filter, stateful, NGFW, WAF).
    3. The action taken (allow/deny/block/log).
  • This mapping is exactly what is tested in 4.1.b.