Skip navigation
McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
754 Views 4 Replies Latest reply: Mar 20, 2013 4:32 PM by sliedl RSS
corecycle Newcomer 7 posts since
Jan 28, 2013
Currently Being Moderated

Mar 19, 2013 9:15 PM

Firewall rules not in use

Hi Guys,

 

I am doing inventory of firewall rules from old firewalls.

Is there a way to see which rules are no longer in use for example in 3 months.

 

This reason is I want to remove the rules that is currenlty no longer needed which was forgotten to remove when servers was decommissioned.

 

Thanks

  • PhilM Champion 528 posts since
    Jan 7, 2010
    Currently Being Moderated
    1. Mar 20, 2013 4:09 AM (in response to corecycle)
    Re: Firewall rules not in use

    I've not done this personally, but a colleague of mine was tasked to do something similar for one of our customers.

     

    He used the right-click menu option against each rule to view the audit for that rule and once he had the format allowing the rule name to be used as a filter he then  adjusted that filter to include a date range. It was a manual, and fairly tedious task, but it gave him what he wanted.

     

    The only potential 'gotcha' is that there won't be 3 months-worth of audit present on the Firewall. The main audit log file rolls-over once a day (sometime in the early hours) and I believe the system keeps 20 historic copies of this file before it purges the oldest copy. So, at best you're going to have 20 days-worth of audit on the Firewall. If the appliance is quite busy or under strain, it is entirely possible that the audit file will roll-over more than once in a day. So the 20 historic copies may only cover a few days.

     

    If you have Firewall Reporter (now retired) in place or have been offloading audit to a syslog service then you will probably have more data stored. But if you haven't then I doubt you'll be able to go back as far as 3 months.

     

     

    -Phil.

  • packetmonkey Newcomer 22 posts since
    Mar 1, 2013
    Currently Being Moderated
    2. Mar 20, 2013 3:21 PM (in response to corecycle)
    Re: Firewall rules not in use

    Hello,

     

    To be honest the best way to approach this is to think about what your firewall should be doing (a list of the rules it needs to have). Then work through the access lists to find the rules you need, then eliminate the ones you don't (you can always dissable them).

     

    The reason for this is that you might have a rule that's lying dormant and has never been hit (for example an ssh forward to an upatched server). Just looking through the last run rules will not protect you from the situation where somebody finds this in the future then leverages it as an attack against your organisation.

     

    Just as a firewall should be "block everything that is not explicitely allowed" the audit for rules should be the same ie not just check stuff that's being actively used.

     

    Otherwise you just have logs of traffic being used through rules rather than dormant rules nobody has discovered yet.

     

    Audits are always a bit mind numbing, but there really are no shortcuts to be completely secure.

     

    All the best.

  • packetmonkey Newcomer 22 posts since
    Mar 1, 2013
    Currently Being Moderated
    3. Mar 20, 2013 3:27 PM (in response to packetmonkey)
    Re: Firewall rules not in use

    Well in reality, the only shortcut I've discoved is the time honered one of:

     

    If in doubt turn it off, then wait to see who squeals/complains!

     

    Normally works a charm but only recomended in certain enviroments!

  • sliedl McAfee SME 535 posts since
    Nov 3, 2009
    Currently Being Moderated
    4. Mar 20, 2013 4:32 PM (in response to corecycle)
    Re: Firewall rules not in use

    At version 8.3 the command 'cf usage' was added.  You could do this then to see your rule usage:

     

    $> cf usage show type=traffic_by_access-control_rules days=20

    Access-Control-Rules Usage Report
    2013-01-19 23:00:00 -0400 - 2013-03-20 16:12:55 -0400

    Hits Last Used                  Rule Name
    ---- -------------------------  ------------------------------
    1623 2013-03-20 15:55:03 -0400  Internet Services
    19   2013-03-19 20:23:08 -0400  Deny All
    14   2013-01-25 14:45:16 -0400  dnsp all to external resolvers
    3    2013-03-16 04:06:27 -0400  Admin Console

     

    I don't believe it shows rules with 0 hits.

     

    This command below will work provided you've turned on the mysql reporting database and auditdbd:

     

    $> cf report run_report report_name=acl_usage db=auditdb_1

    ACL Rule Usage Report


    ==============================================================================
    ACL Rule Usage                                        Wed Mar 20 16:26:17 2013
                                                               swv8.fwdomain.com
            (audit data from Tue Mar 19 02:00:42 2013 to Wed Mar 20 01:59:42 2013)
    ==============================================================================

    Rule               Total Checks
    -----------------  ------------
    Internet Services           185
    Deny All                     11

     

     

    There are other ways to do this with some simple acat commands and grep, sort, uniq, etc., at other versions.

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • Correct Answers - 5 points
  • Helpful Answers - 3 points