Vendor troubles..
-
/Mini Rant
Had a site call in, they use our vendor's Security team to run their firewall, because "we don't support firewalls anymore. We have people to do that so why would we do that?"
Everything has to be difficult. Anyway, they've been having issues with cc processing. By default in the log file, it runs a tracert so you can see where it's dropping.
It's not leaving the firewall according to this log file, so we open a ticket with them.
They're claiming it's not the firewall, and that Ping and Tracert are blocked from leaving the firewall so it's not an accurate test; and it's not accurate to say it's not leaving the firewall due to Tracert and ping using HTTPS that's blocked. How the hell am I supposed to verify it's actually leaving the site then? They can't take credit cards, and these fucking people are telling me that the firewall isn't the issue but I have no real way to test that other than completely bypassing the firewall..
I asked them how I'm supposed to troubleshoot when they take away my layer 3 troubleshooting tools such as tracert (to show the hops = layer 3, right?).
/end minirant.
What way do I have to test the connection to the processor when Ping and Tracert are blocked by the firewall?
-
@WrCombs said in Vendor troubles..:
How the hell am I supposed to verify it's actually leaving the site then?
telnet
This is always the case. You can't test with different protocols for others. E.g. you can use a test for X to see if Y is allowed. ICMP (Ping and Traceroute, which are really both Ping) is a different protocol stack than TCP/IP. So while it's a useful tool to test some things, they are correct that it tells you nothing about what you are trying to test.
Ping is used to test routing, not firewalls. You are testing a firewall, not routing.
-
If CC's use HTTPS from a machine to destination X:Y (where X is IP and Y is port), then to test you either need a complicated testing harness or just use telnet, which is the standard tool we all use. From the machine in question...
telnet X Y
-
@WrCombs said in Vendor troubles..:
I asked them how I'm supposed to troubleshoot when they take away my layer 3 troubleshooting tools such as tracert (to show the hops = layer 3, right?)
That's correct, that's layer 3 (routing.) But what's expected to be the case is layer 4 (ports).
-
-
That took all day to post.
-
Wouldn't
test-netconnection destination:port
work as well for this, assuming @WrCombs is on Windows?
-
@DustinB3403 said in Vendor troubles..:
test-netconnection
Should, yes.
https://docs.microsoft.com/en-us/powershell/module/nettcpip/test-netconnection?view=win10-ps
-
-
@scottalanmiller said in Vendor troubles..:
Good video.
The only addition I'd like to make is that you want to do ping first. Not primarily to see if it's working or not, but to test DNS / hostname resolution.
If you ping abcxyz123.com and you can see that it gets the IP address, you know that you don't have a problem with the hostname resolution.
Next step after testing with (ping, telnet, wget etc) is to get serious and test tcpdump/wireshark. Basically recording network traffic to analyze what happens.
BTW, on windows telnet is not enabled/installed by default.
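-
The two checks described in this thread (resolve the hostname, then attempt a TCP connection to X:Y the way `telnet X Y` does), as an added Python example that is not part of the original posts. The function name `check_tcp` and the host `processor.example.com` are hypothetical placeholders.

```python
import socket


def check_tcp(host, port, timeout=5.0):
    """Classify a layer-4 test to host:port.

    Returns 'dns_failure', 'open', 'refused', 'timeout' or 'unreachable'.
    """
    # Step 1: hostname resolution (what the thread uses ping for).
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"

    result = "unreachable"
    # Step 2: a full TCP handshake to the port, as `telnet X Y` performs.
    for family, socktype, proto, _canon, addr in infos:
        with socket.socket(family, socktype, proto) as s:
            s.settimeout(timeout)
            try:
                s.connect(addr)
                return "open"       # handshake completed end to end
            except ConnectionRefusedError:
                # A reset came back: something answered, but nothing
                # accepted the connection on that port.
                result = "refused"
            except socket.timeout:
                # No reply at all: the SYN or its answer was dropped
                # somewhere on the path. This alone does not say where.
                result = "timeout"
            except OSError:
                # For example: no route to host, network unreachable.
                result = "unreachable"
    return result


if __name__ == "__main__":
    # Placeholder endpoint: substitute the processor's real host and port.
    print(check_tcp("processor.example.com", 443))
```

A `timeout` result is the case worth following up with a packet capture on each side of the firewall, as suggested above with tcpdump/wireshark.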
-
@Pete-S said in Vendor troubles..:
BTW, on windows telnet is not enabled/installed by default.
Hey I knew that one! lol I ran into that in the past, I just didn't know what telnet was used for.
-
@WrCombs said in Vendor troubles..:
@Pete-S said in Vendor troubles..:
BTW, on windows telnet is not enabled/installed by default.
Hey I knew that one! lol I ran into that in the past, I just didn't know what telnet was used for.
Sort of... everything, lol.
-
@scottalanmiller said in Vendor troubles..:
@WrCombs said in Vendor troubles..:
@Pete-S said in Vendor troubles..:
BTW, on windows telnet is not enabled/installed by default.
Hey I knew that one! lol I ran into that in the past, I just didn't know what telnet was used for.
Sort of... everything, lol.
Well, I see that now, I watched the video then did my own research for it.