NGFW Validation — Complete Guide
How to test your Next-Generation Firewall and IPS with live attack simulations.
ITSecTools runs over HTTPS (port 443). Your firewall must have SSL Decryption (DPI-SSL) enabled for the itsectools.com domain. Without decryption, the firewall cannot see the attack payloads inside the encrypted tunnel and all tests will show as "allowed."
1. IPS Signature Testing
Sends real attack payloads through your network to verify that your IPS engine detects and blocks them. These are active traffic tests, not static vulnerability scans.
Tests Executed
- SQL Injection (SQLi) — Injects SQL query manipulation payloads into HTTP query strings. Tests classic SQLi signature detection.
- Cross-Site Scripting (XSS) — Injects script execution payloads into parameters. Tests client-side script injection detection.
- Directory Traversal — Sends directory traversal sequences in the URL path. Tests path traversal signature detection.
How to Use
- Navigate to NGFW Validation.
- Click Execute on the Intrusion Prevention (IPS) Signature card.
- Watch the console output — each test shows whether it was Blocked or Allowed.
- The summary line shows: SUMMARY: X/3 attacks blocked.
2. Advanced Evasion Techniques (AET)
Tests whether your firewall can detect attacks hidden behind encoding, obfuscation, and header injection — techniques that bypass basic IPS signature matching.
Tests Executed
- Log4j JNDI Injection — Embeds JNDI lookup payloads in HTTP headers. Tests deep packet inspection of non-standard headers (CVE-2021-44228).
- Hex/URL-Encoded SQLi — Sends SQL injection entirely in hex/URL encoding. Tests if the IPS normalizes and decodes complex character representations.
- Shellshock RCE — Injects Bash function vectors in custom HTTP headers. Tests Shellshock signature detection (CVE-2014-6271).
3. Command & Control (C2) Beacon Simulation
Simulates outbound C2 traffic patterns that a compromised endpoint would generate. Tests your firewall's application control and outbound traffic policies.
Tests Executed
- OOB Data Exfiltration — Embeds sensitive system file paths in outbound query parameters. Tests DLP and Application Control.
- Web Shell Beacon — Sends Linux enumeration commands to an external server. Tests interactive shell traffic detection.
- ActiveX Dropper Delivery — Server returns an HTA payload with ActiveX file-write patterns. Tests response-body content inspection for dropper delivery.
4. Run All Tests
Executes all three test suites (IPS, AET, and C2C) sequentially in one shot. Uses the configured IP Shun Cooldown Delay between suites to ensure each test is individually inspected by the firewall.
How It Works
- Runs IPS (3 tests) → AET (3 tests) → C2C (3 tests) = 9 total attacks.
- Pauses between suites using the selected cooldown delay.
- Displays a combined summary: TOTAL: X/9 attacks blocked.
5. Network IP Flooder
Fires 30 continuous IPS attack patterns in rapid succession without delay — stress-testing your firewall's ability to detect and block high-volume attack traffic. Each request uses a unique URL path to avoid browser connection reuse.
Attack Patterns (13 unique, cycled to 30)
- SQL Injection (4 variants) — UNION SELECT with different target tables and schemas.
- XSS + Path Traversal (1 variant) — Combined cookie-theft script with encoded traversal.
- Path Traversal (5 variants) — URL-encoded, double-encoded, UTF-8 overlong, double-dot, and Windows-style traversals.
- System File Disclosure (3 variants) — Traversal-prefixed access to /etc/shadow, /var/log/auth.log, and /proc/self/environ.
How Detection Works
- HTTP 403/503 — Firewall block page returned before response delivery.
- Connection dropped/timeout — Firewall terminated the TCP connection or IP was shunned.
- Body terminated by firewall — HTTP 200 headers arrived but the NGFW killed the response stream mid-delivery.
- Payload reached destination (HTTP 200) — Attack was not detected. Review your IPS signatures.
6. IP Shun Cooldown Delay
Most NGFWs temporarily blacklist (shun) a source IP after detecting an attack. During the shun window, all subsequent packets are dropped at the kernel level without inspection — meaning no individual log entries are generated.
Configuring the Delay
- ~1s — Fastest execution. Best for firewalls with no shunning or very short shun windows.
- 6s (default) — Recommended for most Forcepoint NGFW configurations.
- 15s / 30s — Use if only the first attack in each suite generates a log.
Note: The IP Shun Cooldown applies to IPS, AET, C2C, and Run All Tests. The Network IP Flooder runs without delay by design.
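The following is an added example (not ITSecTools code) that models the shun behaviour described above so you can pick the smallest cooldown that still produces one log entry per test: after a detection, every packet from the source IP is dropped without inspection until the shun window expires, so attacks sent inside that window never appear in the log. The 10-second shun window and the function names are assumptions for the illustration; substitute the window your firewall is configured with.

```python
"""Model which attacks an NGFW logs individually when it shuns the source IP.

Added example, not part of the ITSecTools page or product. Function names
and the sample shun window are assumptions for illustration only.
"""

def logged_events(send_times, shun_window):
    """Return the send times that are inspected (and therefore logged).

    send_times: seconds at which each attack is sent, ascending.
    shun_window: seconds the firewall keeps dropping the source IP after a hit.
    A packet sent while the shun is active is dropped at the kernel level,
    so it produces no log entry and does not extend the shun.
    """
    logged = []
    shun_until = float("-inf")       # no shun active before the first hit
    for t in send_times:
        if t < shun_until:
            continue                  # silently dropped, nothing to log
        logged.append(t)
        shun_until = t + shun_window  # detection starts a new shun window
    return logged


def schedule(n_tests, delay):
    """Send times for n_tests attacks spaced by the cooldown delay."""
    return [i * delay for i in range(n_tests)]


def minimum_delay(shun_window, candidates=(1, 6, 15, 30)):
    """Smallest offered cooldown (the guide's ~1s/6s/15s/30s choices) that
    logs every attack of a 3-test suite, or None if none of them does."""
    for delay in candidates:
        if len(logged_events(schedule(3, delay), shun_window)) == 3:
            return delay
    return None


if __name__ == "__main__":
    # Assumed 10-second shun window: with the 6s default only the 1st and 3rd
    # attack are logged, so the guide's advice to move to 15s applies.
    for delay in (1, 6, 15):
        hits = logged_events(schedule(3, delay), shun_window=10)
        print(f"delay={delay:>2}s -> {len(hits)}/3 attacks logged at {hits}")
    print("minimum delay for a 10s shun window:", minimum_delay(10))
```

If your console shows only the first attack of each suite in the firewall log, the model says the shun window is longer than the current delay; step up to the next cooldown until every test appears as its own entry.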
7. Understanding Console Output
Result Interpretation
- Blocked (HTTP 403/503 or Connection Reset) — Your firewall detected and stopped the attack. ✅ This is the expected result.
- Allowed (HTTP 200 or Opaque) — The attack payload reached its destination undetected. ⚠️ Your IPS may need tuning or the signature set may need updating.
- Error — An unexpected status code was returned. May indicate a misconfiguration.
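As an added example (not ITSecTools code), the classifier below applies the outcome rules from "How Detection Works" and this section to constructed response records, then produces the per-suite SUMMARY and overall TOTAL lines the guide describes. The record layout, field names and the sample outcomes are assumptions; an opaque response is represented as HTTP status 0, which is how a browser reports it.

```python
"""Classify NGFW Validation outcomes and build SUMMARY/TOTAL lines.

Added example, not part of the ITSecTools page or product. The Probe record
and the sample results are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Probe:
    suite: str             # "IPS", "AET" or "C2C"
    name: str              # test name as shown in the console
    status: Optional[int]  # HTTP status; 0 for an opaque response; None if nothing arrived
    error: Optional[str]   # transport error: "timeout", "reset", "dropped" or None
    body_complete: bool    # False when the stream ended before the body finished


def classify(p: Probe) -> str:
    """Return "Blocked", "Allowed" or "Error" following the guide's rules."""
    # Connection dropped, reset or timed out: the firewall terminated the
    # TCP session, or the source IP is currently shunned.
    if p.error in ("timeout", "reset", "dropped"):
        return "Blocked"
    if p.status in (403, 503):
        return "Blocked"           # block page served instead of the response
    if p.status == 200:
        # Headers arrived; if the NGFW killed the stream mid-delivery the
        # body is incomplete and the attack still counts as blocked.
        return "Blocked" if not p.body_complete else "Allowed"
    if p.status == 0:
        return "Allowed"           # opaque response: payload reached the destination
    return "Error"                 # any other status points at a misconfiguration


def summarize(probes: List[Probe]) -> List[str]:
    """One SUMMARY line per suite plus the TOTAL line of Run All Tests."""
    per_suite = {}
    for p in probes:
        blocked, total = per_suite.get(p.suite, (0, 0))
        per_suite[p.suite] = (blocked + (classify(p) == "Blocked"), total + 1)
    lines = [f"SUMMARY [{suite}]: {b}/{t} attacks blocked"
             for suite, (b, t) in per_suite.items()]
    blocked_all = sum(b for b, _ in per_suite.values())
    total_all = sum(t for _, t in per_suite.values())
    lines.append(f"TOTAL: {blocked_all}/{total_all} attacks blocked")
    return lines


# Constructed sample run: nine probes, one per test in the three suites.
SAMPLE_PROBES = [
    Probe("IPS", "SQL Injection", 403, None, True),          # block page
    Probe("IPS", "Cross-Site Scripting", 200, None, True),   # reached destination
    Probe("IPS", "Directory Traversal", None, "reset", False),
    Probe("AET", "Log4j JNDI Injection", 503, None, True),
    Probe("AET", "Hex/URL-Encoded SQLi", 200, None, False),  # body terminated
    Probe("AET", "Shellshock RCE", None, "timeout", False),
    Probe("C2C", "OOB Data Exfiltration", 200, None, True),
    Probe("C2C", "Web Shell Beacon", 0, None, True),         # opaque response
    Probe("C2C", "ActiveX Dropper Delivery", 500, None, True),
]

if __name__ == "__main__":
    for p in SAMPLE_PROBES:
        print(f"[{p.suite}] {p.name:<26} {classify(p)}")
    print("\n".join(summarize(SAMPLE_PROBES)))
```

Treat every "Allowed" line as a signature-tuning task and every "Error" line as a configuration check, since a non-standard status usually means the request never reached the inspection path in the way the test expects.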