1 Reply Latest reply on Sep 6, 2012 3:11 AM by PhilM

    Migrating Perimeter Firewall from Proxy to IP Filtering

      Hi All,


      One of our clients is considering moving from Proxy Filtering to IP filtering on their perimeter firewall.

      I won't get into the reasons here but just that there is a requirement.


      I'd like to know if anyone has any experience doing this and if there is any documentation, any advice on an approach, lessons learned, etc.


      There are around 25 000 users, 300 sites behind the firewall and there are thousands of rules.

      Firewall is a 4150F.


      I would also like to know the impact and whether this can be done without any downtime.


      Many Thanks

      Regards,

      Marc

        • 1. Re: Migrating Perimeter Firewall from Proxy to IP Filtering
          PhilM

          Knowing which version of Firewall software your  is running on this appliance will help with making recommendations.


          Of the two currently supported versions (v7 & v8) there are fundamental differences as to how they differentiate proxies from IP filters.


          In either case, I don't think you'll find that there's going to be a quick solution to this if, as you say, there are thousands of rules. This is because the Firewall doesn't operate in either "proxy" or "IP filter" mode at the top level. The scalability of this solution is such that you have complete control, on a rule-by-rule basis essentially, as to how the solution is going to behave.


          In v7 proxy vs IP filter can be handled in one of two ways. Primarily the service(s) defined and used within the rules determine behaviour. When a service is created, the primary decision is whether that service should operate as a circuit-level proxy (no layer 7 intelligence, but still more intelligent than an IP filter service), application-level proxy (by inheriting the behaviour of one of the Firewall's application services - HTTP, FTP, SMTP, etc...) or an IP filter (basic TCP, UDP, ICMP or other IP protocol type). In addition to this, however, there is a setting in the rule screen itself. It takes the form of a slider-bar, allowing you to pick one of three settings. You can't make a rule which is using an IP filter service more intelligent, but by changing this slider bar you can make a rule which is using a circuit or application-level proxy service less intelligent. By moving this slider-bar to the lowest of the three available settings you are, in effect, turning it into an IP filter rule.


          In v8 this slider-bar has been removed and the "application" definitions (as they are now called in this release) have no notion of proxy/IP filter behaviour. Instead each rule is assigned an application defense group setting and an application defense group must include a "generic" application defense definition. There are two generic defenses supplied 'out of the box' - "minimal proxy" and "connection settings". There are also two defense groups by default with the same names. Connection Settings = IP Filter, in short. So whereas in v7 you would change the slider-bar to affect the rule's intelligence level, with v8 it is determined by whether you assign an application defense group which contains the generic defense definition of "minimal proxy" or "connection settings".


          It is no doubt going to be a tedious process, but you should be able to modify the rules in real time and experience no tangible downtime that I am aware of. I won't stake my reputation on that and will leave it to one of the McAfee guys to say whether that is the case or not. But when working with my customers we have regularly made behavioural changes like this on the fly without it affecting performance - though it is normally to address something which wasn't behaving properly in the first place. Therefore the change wasn't necessarily going to make the situation any worse than it already was.


          -Phil.
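As an added illustration (not code from this thread or from McAfee): a small planner that encodes the v7 and v8 behaviour Phil describes, so that an inventory of thousands of rules can be triaged into "already IP filter" versus "needs the slider moved" versus "needs a different defense group" before anyone touches the live policy. The `Rule` fields, the three slider positions and the inventory itself are constructed assumptions, not the appliance's export format.

```python
from dataclasses import dataclass

# Intelligence ordering behind the v7 slider: lower value = less inspection.
LEVELS = {"ipfilter": 0, "circuit": 1, "application": 2}
GENERIC_DEFENSES = {"minimal proxy", "connection settings"}

@dataclass
class Rule:
    name: str
    version: int                      # 7 or 8 (assumed field layout)
    service_type: str = "ipfilter"    # v7 service: ipfilter | circuit | application
    slider: str = "application"       # v7 rule slider; "ipfilter" is the lowest position
    defense_group: tuple = ()         # v8: defenses contained in the assigned group

def effective_mode(rule):
    """Return 'ipfilter' or 'proxy' for how the rule currently enforces."""
    if rule.version == 7:
        # The slider can only lower a rule's intelligence, never raise it,
        # so the effective level is the lesser of service type and slider.
        level = min(LEVELS[rule.service_type], LEVELS[rule.slider])
        return "ipfilter" if level == 0 else "proxy"
    generics = GENERIC_DEFENSES & set(rule.defense_group)
    if len(generics) != 1:
        # A v8 defense group must carry exactly one generic defense.
        raise ValueError(f"{rule.name}: group must contain exactly one generic defense")
    return "ipfilter" if "connection settings" in generics else "proxy"

def plan_migration(rules):
    """Map each rule name to the single change needed to make it an IP filter rule."""
    plan = {}
    for r in rules:
        if effective_mode(r) == "ipfilter":
            plan[r.name] = "no change"
        elif r.version == 7:
            plan[r.name] = "move slider to lowest setting"
        else:
            plan[r.name] = "assign defense group containing 'connection settings'"
    return plan

# Constructed inventory for demonstration only.
INVENTORY = [
    Rule("web-out", 7, "application", "application"),
    Rule("dns-out", 7, "ipfilter", "application"),
    Rule("ssh-in", 7, "circuit", "ipfilter"),
    Rule("smtp-in", 8, defense_group=("SMTP", "minimal proxy")),
    Rule("ntp-out", 8, defense_group=("connection settings",)),
]

if __name__ == "__main__":
    for name, action in plan_migration(INVENTORY).items():
        print(f"{name:10} {action}")
```

Running it over a real inventory would give the counts needed to size the change windows Phil alludes to, with the rules that are already IP filters dropped from scope.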