Why it matters/Context:
Policies can grow exponentially over time as more rules and access are added to them, often through mergers, acquisitions, and staff turnover. As more sources, destinations, services, and applications are added to rules, the policy accumulates risk and the devices enforcing it become less efficient. A rule is frequently still in use while portions of it are no longer required, which leaves it overly complex and grants overly permissive access, and that access is typically never fully disabled or cleaned up. Such rules degrade device performance by increasing complexity and bloating datasets, and they widen risk exposure, because access permitted by the unused portions of a rule could be exploited. By increasing device efficiency, customers can alleviate performance issues, extend the lifespan of existing devices, and defer the expenses of expanding their infrastructure.
Additionally, by analyzing policies by usage to identify unused and highly used rules low in the policy, organizations can enhance the maturity, efficiency, and security posture of their rulesets.
Outcomes:
- Improvement of security policy through enhanced maturity, efficiency, and security posture
- Improved firewall performance through the change in the placement of highly used rules within the policy resulting in better performance on your security devices, potentially extending the service lifespan
- Reducing complexity and therefore reducing risk and improving stability in your environment
Pre-requisites:
- Devices onboarded & normalized
- Usage logging from devices
- Usage retention configured, Click here to view our KB on how to configure retention.
- Supported FireMon Software Version. Click here to see the supported FireMon Software versions.
Proof point/results:
- Reduction in device complexity
- Reduction in SCI score
- Device performance and resource utilization improvement
Step-by-step instructions:
There are three types of reports that can be used for Usage-Based Rule Cleanup:
1) Rule Usage Report
2) Firewall Complexity Report
3) Highly Used Rules Low in the Rule Base Report
Rule Usage Report
1) Log in to the Security Manager module.
2) On the main page click Reports -> Reports Library
3) Scroll down to the Rule Usage Reports and click Run report.
4) The Name and Description fields are prepopulated, but can be changed.
- Select the device group or a cluster.
5) In the Options section:
- If the SIQL query or filter contains no usage criteria, select the Interval drop-down and choose the applicable time span.
- Use the Sort drop-down to select whether the output is sorted by Hit Count or Rule Number.
- Use the Rule Usage drop-down to select whether the output shows Used Rules, Unused Rules, or Both.
- A number of toggles provide more granular detail:
- NAT Rules - Displays NAT rules.
- Object Details - Expands nested objects for a more granular view.
- Group Members - Includes the service protocols and ports that are members of a service group.
- Rule Summary - Shows the status of all rules on all devices the report is run against.
- Device Summary - Shows a list of all devices and IPs the report is run against.
6) In Report Format, select the format in which the report should be output. The options are HTML or PDF.
7) Once the report is generated, a blue pop-up appears in the top right of your screen. Select Open Report to open the report.
Firewall Complexity Report
1) Log in to the Security Manager module.
2) On the main page click Reports -> Reports Library
3) Scroll down to the Firewall Complexity Report and click Run report.
4) In the General section, the Name and Description fields are prepopulated, but can be changed.
- Select the cluster or a device name.
5) In Report Format, select the format in which the report should be output. The options are HTML or PDF.
6) Once the report is generated, there will be a blue pop-up on the top right of the browser. Select Open Report to open the report.
Highly Used Rules Low in the Rule Base Report
1) Log in to the Security Manager module.
2) On the main page click Reports -> Reports Library
3) Scroll down to the Highly Used Rules Low in the Rule Base Report and click Run report.
4) The Name and Description fields are prepopulated, but can be changed. Select the device to run the report against.
5) In the Options section:
- In the Highly Used Rules Percentage field, enter the top percentile of highly used rules to be evaluated. Example: 10% will show the top 10% of rules by usage.
- In the Rule Location Percentage field, enter the percentile of least-used rules to be evaluated. Example: If you specify 40% as the Rule Location Percentage, rules in the bottom 60% of the rule base are considered "LOW". (In a rule base with 100 rules, rule #39 would not be included in the report regardless of hit count, since only the bottom 60% is defined as "LOW".)
- In the Interval drop-down, select the applicable time span.
- Two options can be enabled via toggles:
- Object Details - Expands nested objects for a more granular view.
- Group Members - Includes the service protocols and ports that are members of a service group.
6) In Report Format, select the format in which the report should be output. The options are HTML or PDF.
7) Once the report is generated, a blue pop-up appears in the top right of your screen. Select Open Report to open the report.
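As an added illustration (not from this article or FireMon's own code), the following Python models the report semantics described in the Rule Usage Report and Highly Used Rules Low in the Rule Base Report sections above: the Used/Unused filter and Hit Count/Rule Number sort, and the two percentage thresholds, applied to a constructed 20-rule rule base. The rule names, hit counts, and the rounding of the top-N cut-off are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int     # 1-based position in the rule base; 1 is the top rule
    name: str
    hit_count: int  # hits logged during the selected usage interval


def rule_usage_report(rules, rule_usage="Both", sort="Hit Count"):
    """Rule Usage Report options: filter to Used Rules / Unused Rules / Both,
    then sort by Hit Count (descending) or Rule Number."""
    if rule_usage == "Used Rules":
        rules = [r for r in rules if r.hit_count > 0]
    elif rule_usage == "Unused Rules":
        rules = [r for r in rules if r.hit_count == 0]
    if sort == "Hit Count":
        return sorted(rules, key=lambda r: (-r.hit_count, r.number))
    return sorted(rules, key=lambda r: r.number)


def highly_used_rules_low(rules, highly_used_pct, rule_location_pct):
    """Highly Used Rules Low in the Rule Base: report rules that are BOTH in the
    top `highly_used_pct` of rules by hit count AND positioned below the top
    `rule_location_pct` of the rule base. Rounding of the top-N cut-off is an
    assumption (the article does not state it): floor(n * pct / 100), min 1."""
    n = len(rules)
    top_k = max(1, n * highly_used_pct // 100)
    by_hits = sorted(rules, key=lambda r: (-r.hit_count, r.number))
    highly_used = {r.number for r in by_hits[:top_k] if r.hit_count > 0}
    # With 40%, rules numbered above 0.4 * n are "LOW" (rule #39 of 100 is not).
    low_cutoff = n * rule_location_pct / 100
    return [r for r in sorted(rules, key=lambda r: r.number)
            if r.number > low_cutoff and r.number in highly_used]


# Constructed sample: a 20-rule rule base with hit counts for one interval.
SAMPLE_RULES = [
    Rule(i, f"rule-{i}", hits) for i, hits in enumerate(
        [120, 45, 900, 10, 33, 8, 0, 27, 60, 14,
         5, 71, 22, 9, 0, 3, 41, 1500, 18, 2], start=1)
]

if __name__ == "__main__":
    for r in rule_usage_report(SAMPLE_RULES, "Unused Rules", "Rule Number"):
        print(f"unused in interval: #{r.number} {r.name}")
    for r in highly_used_rules_low(SAMPLE_RULES, 10, 40):
        print(f"highly used but low: #{r.number} {r.name} hits={r.hit_count}")
```

Rules that come back from the unused list are cleanup candidates to review (after confirming the interval covers infrequent but legitimate traffic), while rules that come back from the second function are the ones whose placement near the bottom costs evaluation time on every packet.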
More Resources:
In Usercenter, go to the Security Manager Users Guide, Chapter 8: Reports -> Rule Usage Report, Firewall Complexity Report, and Highly Used Rules Low in the Rule Base Report.
To view our video tutorial on this topic, click here.
If you need additional assistance after viewing this article, please open a ticket with Support to review your desired outcome and for help with troubleshooting.