I am doing inventory of firewall rules from old firewalls.
Is there a way to see which rules are no longer in use, for example in 3 months?
The reason is I want to remove the rules that are currently no longer needed, which were forgotten to be removed when servers were decommissioned.
I've not done this personally, but a colleague of mine was tasked to do something similar for one of our customers.
He used the right-click menu option against each rule to view the audit for that rule and once he had the format allowing the rule name to be used as a filter he then adjusted that filter to include a date range. It was a manual, and fairly tedious task, but it gave him what he wanted.
The only potential 'gotcha' is that there won't be 3 months-worth of audit present on the Firewall. The main audit log file rolls-over once a day (sometime in the early hours) and I believe the system keeps 20 historic copies of this file before it purges the oldest copy. So, at best you're going to have 20 days-worth of audit on the Firewall. If the appliance is quite busy or under strain, it is entirely possible that the audit file will roll-over more than once in a day. So the 20 historic copies may only cover a few days.
If you have Firewall Reporter (now retired) in place or have been offloading audit to a syslog service then you will probably have more data stored. But if you haven't then I doubt you'll be able to go back as far as 3 months.
To be honest the best way to approach this is to think about what your firewall should be doing (a list of the rules it needs to have). Then work through the access lists to find the rules you need, then eliminate the ones you don't (you can always disable them).
The reason for this is that you might have a rule that's lying dormant and has never been hit (for example an ssh forward to an unpatched server). Just looking through the last run rules will not protect you from the situation where somebody finds this in the future then leverages it as an attack against your organisation.
Just as a firewall should be "block everything that is not explicitly allowed", the audit for rules should be the same, i.e. not just check stuff that's being actively used.
Otherwise you just have logs of traffic being used through rules rather than dormant rules nobody has discovered yet.
Audits are always a bit mind numbing, but there really are no shortcuts to be completely secure.
All the best.
Well in reality, the only shortcut I've discovered is the time-honoured one of:
If in doubt turn it off, then wait to see who squeals/complains!
Normally works a charm but only recommended in certain environments!
At version 8.3 the command 'cf usage' was added. You could do this then to see your rule usage:
$> cf usage show type=traffic_by_access-control_rules days=20
Access-Control-Rules Usage Report
2013-01-19 23:00:00 -0400 - 2013-03-20 16:12:55 -0400
Hits Last Used Rule Name
---- ------------------------- ------------------------------
1623 2013-03-20 15:55:03 -0400 Internet Services
19 2013-03-19 20:23:08 -0400 Deny All
14 2013-01-25 14:45:16 -0400 dnsp all to external resolvers
3 2013-03-16 04:06:27 -0400 Admin Console
I don't believe it shows rules with 0 hits.
This command below will work provided you've turned on the mysql reporting database and auditdbd:
$> cf report run_report report_name=acl_usage db=auditdb_1
ACL Rule Usage Report
ACL Rule Usage Wed Mar 20 16:26:17 2013
(audit data from Tue Mar 19 02:00:42 2013 to Wed Mar 20 01:59:42 2013)
Rule Total Checks
Internet Services 185
Deny All 11
There are other ways to do this with some simple acat commands and grep, sort, uniq, etc., at other versions.
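The following script is an added example and is not part of the thread or the vendor's tooling. It ties together the two points made above: the `cf usage` report only lists rules that were hit, and the report window may be far shorter than the idle period you care about. The script parses a report in the format quoted above (the sample text is constructed from the figures in the thread), checks whether the report window actually covers the idle threshold, and compares the report against a separate full rule inventory so that zero-hit rules surface too. `CONFIGURED_RULES` is a hypothetical inventory you would export from the rule base yourself; the rule named `ssh forward to legacy app server` is invented to stand in for the dormant-rule case.

```python
"""Find idle and never-hit firewall rules from a `cf usage` style report.

Added example, not from the thread. SAMPLE_REPORT is constructed from the
output quoted in the thread; CONFIGURED_RULES is a hypothetical inventory.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: the report as quoted in the thread.
SAMPLE_REPORT = """\
Access-Control-Rules Usage Report
2013-01-19 23:00:00 -0400 - 2013-03-20 16:12:55 -0400
Hits Last Used Rule Name
---- ------------------------- ------------------------------
1623 2013-03-20 15:55:03 -0400 Internet Services
19 2013-03-19 20:23:08 -0400 Deny All
14 2013-01-25 14:45:16 -0400 dnsp all to external resolvers
3 2013-03-16 04:06:27 -0400 Admin Console
"""

# Hypothetical full rule inventory. The last entry never appears in the
# usage report because it had zero hits in the window.
CONFIGURED_RULES = [
    "Internet Services",
    "Deny All",
    "dnsp all to external resolvers",
    "Admin Console",
    "ssh forward to legacy app server",
]

TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} [+-]\d{4}"
TS_FMT = "%Y-%m-%d %H:%M:%S %z"
ROW_RE = re.compile(rf"^\s*(?P<hits>\d+)\s+(?P<last>{TS})\s+(?P<name>.+?)\s*$")
WINDOW_RE = re.compile(rf"^(?P<start>{TS}) - (?P<end>{TS})$")


def parse_usage_report(text):
    """Return {rule_name: (hits, last_used)} for every data row."""
    usage = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # title, window, header and separator lines
        last = datetime.strptime(m.group("last"), TS_FMT)
        usage[m.group("name")] = (int(m.group("hits")), last)
    return usage


def report_window(text):
    """Return (start, end) datetimes of the period the report covers."""
    for line in text.splitlines():
        m = WINDOW_RE.match(line.strip())
        if m:
            return (datetime.strptime(m.group("start"), TS_FMT),
                    datetime.strptime(m.group("end"), TS_FMT))
    raise ValueError("no date-range line found in report")


def window_covers(text, max_idle_days):
    """True if the report spans at least max_idle_days of audit data.

    If this is False, a rule missing from the report may simply have been
    used before the audit logs rolled over, not be dormant.
    """
    start, end = report_window(text)
    return (end - start) >= timedelta(days=max_idle_days)


def stale_rules(usage, configured, as_of, max_idle_days=90):
    """Split configured rules into (never_hit, idle).

    never_hit: configured rules absent from the report (zero hits).
    idle: rules present but last used more than max_idle_days before as_of.
    """
    cutoff = as_of - timedelta(days=max_idle_days)
    never_hit = sorted(r for r in configured if r not in usage)
    idle = sorted(r for r, (_, last) in usage.items()
                  if r in configured and last < cutoff)
    return never_hit, idle


if __name__ == "__main__":
    idle_days = 30
    usage = parse_usage_report(SAMPLE_REPORT)
    _, end = report_window(SAMPLE_REPORT)
    if not window_covers(SAMPLE_REPORT, idle_days):
        print(f"warning: report covers less than {idle_days} days")
    never_hit, idle = stale_rules(usage, CONFIGURED_RULES, end, idle_days)
    print("never hit in window:", never_hit)
    print(f"idle for more than {idle_days} days:", idle)
```

Treat both lists as candidates for review against the intended rule set rather than as a delete list: a never-hit rule is exactly the dormant case described earlier in the thread, and the coverage check is what tells you whether "no hits" means anything given how quickly the audit files roll over.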