Why it matters/Context:
Rule bases have grown exponentially, creating potential risks and less efficient devices. Rules that are no longer needed because of environmental changes, server and application decommissioning, and life-cycle changes are frequently left in place on devices even though they no longer see any traffic. These rules degrade device performance by bloating datasets, and they create risk exposure, because the access an unused rule still permits could be exploited. By increasing device efficiency, customers can alleviate performance issues, extend the lifespan of existing devices, and defer the expense of expanding their infrastructure. Removing unused rules reduces risk.
Additionally, many Regulatory Compliance standards require that organizations track, document, and remediate rules that are no longer in use.
Outcomes:
- Improvement of security policy through enhanced maturity, efficiency, and security posture
- Reduction of configuration database size through the removal of unused rules
- Improved firewall performance through the removal of unused rules
- Reduced complexity, and therefore reduced risk and improved stability, in your environment
Pre-requisites:
- Devices onboarded & normalized
- Usage logging from devices
- Usage retention configured. See our KB article on how to configure retention.
- Supported FireMon Software Version. See the list of supported FireMon Software versions.
Proof point/results:
- Reduction in Unused Rules
- Reduction in SCI score
- Reduction in device complexity
- Improved audit results
Step-by-step instructions:
First create the Unused Rule Reports to use for Unused Rule Removal.
1) Log in to the Security Manager module.
2) On the main page click Reports -> Reports Library.
3) Scroll down to the Unused Rules Report and click Run report.
4) The Name and Description fields are prepopulated, but can be changed.
- Select the device or device group.
5) In the Options section:
- In the Query drop-down, select the data set that you are looking for.
- Default - Use the FireMon customer unused rule report.
- Saved Filter - Based on a previously saved filter.
- Custom - Based on a SIQL query.
- If there are no usage criteria in the SIQL query or filter, open the Interval drop-down and select the applicable time span.
- Use the toggles to include additional details in the report.
- Implicit drop rules - The catch-all rules on firewalls that drop all traffic that does not match any policy.
- Rules with logging disabled - Rules that do not have logging enabled. Because no usage is recorded for them, they cannot be confirmed as unused from hit data alone.
- Object Details - Expands nested objects for a more granular view.
- Group Members - Includes the service protocols and ports that are in a service group.
6) In Report Format, select the format in which the report should be output. The options are HTML or PDF.
7) Once the report is generated, a blue pop-up will appear in the top right of your screen. Select Open Report to open the report.
8) The report includes the number of unused security rules and the full details of those rules, which can now be used to remove unused rules.
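The report classifies each rule by whether it has seen traffic within the selected interval, and the Implicit drop rules and Rules with logging disabled toggles control how the two special cases are handled. The script below is an added illustration of that classification logic written for this article; it is not FireMon code and does not use SIQL. The rule records, field names (last_hit, logging, implicit_drop) and report time are all constructed assumptions standing in for normalized device data.

```python
"""Classify firewall rules as unused, in use, or undetermined over an interval.

Added example for this article, not FireMon software. The rule records and
field names below are constructed; real normalized data will differ.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample of normalized rule data (hypothetical field names).
RULES = [
    {"id": "r1", "name": "web-in", "last_hit": "2024-05-30T10:00:00Z",
     "logging": True, "implicit_drop": False},
    {"id": "r2", "name": "legacy-app", "last_hit": "2023-11-02T08:15:00Z",
     "logging": True, "implicit_drop": False},
    {"id": "r3", "name": "decommissioned-db", "last_hit": None,
     "logging": True, "implicit_drop": False},
    {"id": "r4", "name": "mgmt-nolog", "last_hit": None,
     "logging": False, "implicit_drop": False},
    {"id": "r5", "name": "cleanup-drop", "last_hit": None,
     "logging": True, "implicit_drop": True},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; None means the rule never matched."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed report generation time used as the end of the interval.
REPORT_TIME = parse_ts("2024-06-01T00:00:00Z")


def classify_rules(rules, now, interval_days,
                   include_implicit_drop=False, include_no_logging=False):
    """Return {'unused': [...], 'in_use': [...], 'undetermined': [...]} of rule ids.

    A rule is unused when its last hit is older than the interval or it has
    never been hit. Implicit drop rules are skipped unless the toggle is on,
    because a catch-all drop is not a cleanup candidate. Rules with logging
    disabled never report hits, so a missing last_hit proves nothing; they
    are listed as undetermined (when the toggle is on) rather than unused.
    """
    cutoff = now - timedelta(days=interval_days)
    result = {"unused": [], "in_use": [], "undetermined": []}
    for rule in rules:
        if rule["implicit_drop"] and not include_implicit_drop:
            continue
        if not rule["logging"]:
            if include_no_logging:
                result["undetermined"].append(rule["id"])
            continue
        last = parse_ts(rule["last_hit"])
        if last is None or last < cutoff:
            result["unused"].append(rule["id"])
        else:
            result["in_use"].append(rule["id"])
    return result


def run_report(rules=RULES, now=REPORT_TIME, interval_days=90, **toggles):
    """Summarize the classification the way a report header would."""
    classified = classify_rules(rules, now, interval_days, **toggles)
    return {
        "unused_count": len(classified["unused"]),
        "undetermined_count": len(classified["undetermined"]),
        "rules": classified,
    }


if __name__ == "__main__":
    summary = run_report(include_no_logging=True)
    print(f"Unused security rules: {summary['unused_count']}")
    for rid in summary["rules"]["unused"]:
        print(f"  candidate for removal: {rid}")
    for rid in summary["rules"]["undetermined"]:
        print(f"  enable logging before judging: {rid}")
```

With a 90-day interval the constructed data yields two removal candidates (r2 and r3); r4 only appears once the no-logging toggle is on, and then as undetermined, which is the practical reason to enable logging on a rule and re-run the report before treating it as unused.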
More Resources:
In the User Center, see the Security Manager User's Guide, Chapter 8: Reports -> Unused Rules Report.
A video tutorial on this topic is also available.
If you need additional assistance after viewing this article, please open a ticket with support to review your desired outcome and for help with troubleshooting.