A firewall's type, and even its brand, can sometimes be discovered using just a port scan. This may require a misconfiguration to work, but some firewalls listen on certain ports for management, traffic between active/standby and active/active units, logging, etc. Banner grabbing is one way to check whether a port is actually used for the service that normally runs on that port.
Firewalking
An effective way to determine the configuration of a firewall is firewalking: the process of probing a firewall to determine the configuration of its ACLs by sending TCP and UDP packets to it. The trick is to find the hop count from the attacker to the firewall and then, during the firewalking, set the TTL to that hop count plus one, so that the packets either just pass through the firewall or elicit a response stating otherwise.
To do firewalking you need the following three components:
- Firewalking Host - The system the attacker is using, located outside the firewall.
- Gateway Host - The system on the target network that is connected to the Internet, through which the packets will pass on the way to the target network.
- Destination Host - The target server on the network that the probes are addressed to.
Once you have completed the firewalking process, you should be fairly confident about what kind of firewall the target network is hiding behind.
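Because firewalking probes are tuned to expire one hop past the firewall, they reach it with an unusually low TTL, which a defender can watch for. The following detection sketch is an added example, not part of the original page: the key=value log format, the sample lines, the `PROBE_TTL` and `MIN_SERVICES` thresholds and the function names are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (documentation addresses, not from the page).
# Assumption: TTL is the value as received on the firewall's outside interface.
SAMPLE_LOG = """\
IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 TTL=1 PROTO=UDP SPT=40001 DPT=33434
IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 TTL=2 PROTO=TCP SPT=40002 DPT=22
IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 TTL=2 PROTO=TCP SPT=40003 DPT=25
IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 TTL=2 PROTO=TCP SPT=40004 DPT=80
IN=eth0 SRC=198.51.100.7 DST=203.0.113.10 TTL=2 PROTO=UDP SPT=40005 DPT=53
IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 TTL=52 PROTO=TCP SPT=51514 DPT=443
IN=eth0 SRC=192.0.2.44 DST=203.0.113.10 TTL=52 PROTO=TCP SPT=51515 DPT=80
IN=eth0 SRC=192.0.2.90 DST=203.0.113.10 TTL=1 PROTO=ICMP
"""

FIELD = re.compile(r"(\w+)=(\S+)")
PROBE_TTL = 2     # assumption: arrives with 2, so it expires one hop behind the firewall
MIN_SERVICES = 3  # assumption: distinct proto/port pairs required before flagging

def parse(line):
    """Turn one key=value log line into a dict; TTL becomes an int."""
    rec = dict(FIELD.findall(line))
    rec["TTL"] = int(rec["TTL"])
    return rec

def detect_firewalking(log_text, probe_ttl=PROBE_TTL, min_services=MIN_SERVICES):
    """Return {src: {"hop_discovery": bool, "probed": [(proto, port), ...]}}
    for sources whose expiring-TTL packets touch >= min_services services."""
    probed = defaultdict(set)
    hop_discovery = set()
    for line in log_text.splitlines():
        if "TTL=" not in line:
            continue
        rec = parse(line)
        if rec["TTL"] == 1:               # would expire at the firewall itself
            hop_discovery.add(rec["SRC"])
        elif rec["TTL"] == probe_ttl:     # hop count plus one: the ACL probe
            probed[rec["SRC"]].add((rec["PROTO"], int(rec.get("DPT", 0))))
    return {
        src: {"hop_discovery": src in hop_discovery, "probed": sorted(svcs)}
        for src, svcs in probed.items() if len(svcs) >= min_services
    }

if __name__ == "__main__":
    for src, info in detect_firewalking(SAMPLE_LOG).items():
        print(src, info)
```

Ordinary clients arrive with a much higher remaining TTL, so the source at TTL 52 is ignored, and a lone TTL 1 packet is not flagged on its own.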