Firewalls

Firewalls have evolved from a simple routing and blocking technology into platforms that provide significant insight into the traffic entering and leaving the network. Next-generation firewalls often combine the deny/allow ruleset with IDS or IPS functionality, as well as controlling network access to applications. This makes them a significant source of evidence that can be leveraged during an incident.

Acquiring evidence from firewalls is largely dependent on the manufacturer and the specific model that is used. Incident responders should thoroughly understand the feature set and specific data that can be obtained as part of their preparation. Although features differ between vendors and models, there are some key evidence points that are near-universal:

  • Connection log: The connection log records the source and destination IP addresses and protocols of connections between internal and external systems. This is critical to determining whether any internal systems may have contacted an adversary-controlled system or are possibly being controlled. In addition to allowed connections, the logs may also provide insight into connections that were denied. One technique often used by adversaries is to attempt connections to well-known ports that are commonly in use. If these ports are closed to external connections, each attempt produces a deny entry in the logs. Successive denies from one source across a range of ports are indicative of reconnaissance activity.
  • Remote access logs: Firewalls often serve as the Virtual Private Network (VPN) concentrator for remote access. If a remote user's system becomes infected with malware, it can introduce that infection into the internal network through the VPN. Remote access logs show which systems connected and when they connected. This may allow incident responders to correlate activities and determine whether a remote user was the source of the infection.
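As an added example (not from the book), the following script shows how the "successive denies across a range of ports" pattern described above can be pulled out of a connection log. The log format, field names and IP addresses are constructed for illustration and do not correspond to any particular firewall vendor.

```python
import re
from collections import defaultdict

# Constructed sample connection-log lines in a hypothetical syslog-style
# format ("timestamp ACTION src= dst= proto= dport="); not real device output.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z DENY src=203.0.113.10 dst=192.0.2.5 proto=tcp dport=21
2024-05-01T10:00:01Z DENY src=203.0.113.10 dst=192.0.2.5 proto=tcp dport=22
2024-05-01T10:00:02Z DENY src=203.0.113.10 dst=192.0.2.5 proto=tcp dport=23
2024-05-01T10:00:02Z DENY src=203.0.113.10 dst=192.0.2.5 proto=tcp dport=25
2024-05-01T10:00:03Z DENY src=203.0.113.10 dst=192.0.2.5 proto=tcp dport=80
2024-05-01T10:00:03Z ALLOW src=198.51.100.7 dst=192.0.2.5 proto=tcp dport=443
2024-05-01T10:00:04Z DENY src=198.51.100.7 dst=192.0.2.5 proto=tcp dport=8080
2024-05-01T10:00:05Z DENY src=203.0.113.10 dst=192.0.2.5 proto=tcp dport=445
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+src=(?P<src>[\d.]+)\s+"
    r"dst=(?P<dst>[\d.]+)\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def find_port_sweeps(events, min_ports=5):
    """Return {(src, dst): sorted denied ports} for each source whose denied
    connections to a single destination span at least min_ports distinct ports.
    Allowed connections are ignored; only deny entries indicate closed ports."""
    denied = defaultdict(set)
    for e in events:
        if e["action"] == "DENY":
            denied[(e["src"], e["dst"])].add(e["dport"])
    return {k: sorted(v) for k, v in denied.items() if len(v) >= min_ports}


if __name__ == "__main__":
    for (src, dst), ports in find_port_sweeps(parse_log(SAMPLE_LOG)).items():
        print(f"possible reconnaissance: {src} -> {dst} denied on ports {ports}")
```

The threshold of five distinct denied ports is an assumption for this sample; in practice it should be tuned to the environment and combined with a time window so that slow, spread-out probes are not missed.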