How to pen test a firewall externally
Firewall is a device or software which is responsible for filtering traffic of network. It can be implemented between trusted zone (Corporate Network Area) and untrusted zone (Internet). All the communication between trusted and untrusted zone flow through firewall and it grants or reject the access. I t uses different methods to filter out information.

Types of Firewall:
Packet-filtering firewalls
Operate at the router, it’s compare each received packet to a set of defined criteria (such as all IP addresses that should allow, packet type, port number, etc.) before being forwarded.
Circuit-level gateways 
Responsible to monitor the TCP handshaking going on between trusted and untrusted(Remote) hosts , to determine initiated the session is legitimate.
Stateful inspection firewalls
It’s examine each packet as well as keep track of whether that packet is part of an established TCP session. It offers more security than packet filtering or circuit level gateways.
Application-level gateways
Decide whether to drop a packet or send them through based on the application information.
Multilayer inspection firewalls 
Combine all firewall together ,use packet-filtering approach that examines all seven layers of the Open System Interconnection (OSI) model.

In external penetration testing, a security analyst tests the ports and services available on the organization’s external network. We can perform live scan of firewall using nmap. Nmap is network mapping and port scanning tool, Which offers a variety of methods that can be used to scan firewall.

Let’s understand , what is port scanning ?

Port Scanning: It is the process of attempting to connect a number of sequential ports, to acquiring information about which ports are open and what services are running behind them.

We can use nmap and check which services are open in remote host and what could be protected by it’s firewall. I have discussed some command which can be used to scan remote host,

Command to scan operating system
sudo nmap -O remote_host
Scan a specific port instead of all common ports
sudo nmap -p port_number remote_host
Scan for TCP and UDP open port
sudo nmap -n -PN -sT -sU -p- remote_host