4 Replies Latest reply: Mar 20, 2013 4:32 PM by sliedl

    Firewall rules not in use


      Hi Guys,


      I am doing inventory of firewall rules from old firewalls.

      Is there a way to see which rules are no longer in use, for example in 3 months?


      The reason is I want to remove the rules that are currently no longer needed, which were forgotten when servers were decommissioned.



        • 1. Re: Firewall rules not in use

          I've not done this personally, but a colleague of mine was tasked to do something similar for one of our customers.


          He used the right-click menu option against each rule to view the audit for that rule, and once he had the format allowing the rule name to be used as a filter, he then adjusted that filter to include a date range. It was a manual and fairly tedious task, but it gave him what he wanted.


          The only potential 'gotcha' is that there won't be 3 months-worth of audit present on the Firewall. The main audit log file rolls-over once a day (sometime in the early hours) and I believe the system keeps 20 historic copies of this file before it purges the oldest copy. So, at best you're going to have 20 days-worth of audit on the Firewall. If the appliance is quite busy or under strain, it is entirely possible that the audit file will roll-over more than once in a day. So the 20 historic copies may only cover a few days.


          If you have Firewall Reporter (now retired) in place or have been offloading audit to a syslog service then you will probably have more data stored. But if you haven't then I doubt you'll be able to go back as far as 3 months.




          • 2. Re: Firewall rules not in use



            To be honest, the best way to approach this is to think about what your firewall should be doing (a list of the rules it needs to have). Then work through the access lists to find the rules you need, then eliminate the ones you don't (you can always disable them).


            The reason for this is that you might have a rule that's lying dormant and has never been hit (for example an ssh forward to an unpatched server). Just looking through the last run rules will not protect you from the situation where somebody finds this in the future then leverages it as an attack against your organisation.


            Just as a firewall should be "block everything that is not explicitly allowed", the audit for rules should be the same, i.e. not just check stuff that's being actively used.


            Otherwise you just have logs of traffic being used through rules rather than dormant rules nobody has discovered yet.


            Audits are always a bit mind numbing, but there really are no shortcuts to be completely secure.


            All the best.

            • 3. Re: Firewall rules not in use

              Well, in reality, the only shortcut I've discovered is the time-honoured one of:


              If in doubt turn it off, then wait to see who squeals/complains!


              Normally works a charm but only recommended in certain environments!

              • 4. Re: Firewall rules not in use

                At version 8.3 the command 'cf usage' was added. You could do this then to see your rule usage:


                $> cf usage show type=traffic_by_access-control_rules days=20

                Access-Control-Rules Usage Report
                2013-01-19 23:00:00 -0400 - 2013-03-20 16:12:55 -0400

                Hits Last Used                  Rule Name
                ---- -------------------------  ------------------------------
                1623 2013-03-20 15:55:03 -0400  Internet Services
                19   2013-03-19 20:23:08 -0400  Deny All
                14   2013-01-25 14:45:16 -0400  dnsp all to external resolvers
                3    2013-03-16 04:06:27 -0400  Admin Console


                I don't believe it shows rules with 0 hits.


                This command below will work provided you've turned on the mysql reporting database and auditdbd:


                $> cf report run_report report_name=acl_usage db=auditdb_1

                ACL Rule Usage Report

                ACL Rule Usage                                        Wed Mar 20 16:26:17 2013
                        (audit data from Tue Mar 19 02:00:42 2013 to Wed Mar 20 01:59:42 2013)

                Rule               Total Checks
                -----------------  ------------
                Internet Services           185
                Deny All                     11



                There are other ways to do this with some simple acat commands and grep, sort, uniq, etc., at other versions.
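
The last reply notes that the 'cf usage' report may not list rules with 0 hits, so dormant rules only show up when the report is compared against a full list of rule names. The script below is an added example, not part of the original thread or of any vendor tooling: it parses the report text quoted above and flags rules that are absent from it or not hit within a cutoff. The inventory list, the rule name "Legacy SSH forward", the 30-day cutoff and all function names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Report text copied from the reply above.
SAMPLE_REPORT = """\
Access-Control-Rules Usage Report
2013-01-19 23:00:00 -0400 - 2013-03-20 16:12:55 -0400

Hits Last Used                  Rule Name
---- -------------------------  ------------------------------
1623 2013-03-20 15:55:03 -0400  Internet Services
19   2013-03-19 20:23:08 -0400  Deny All
14   2013-01-25 14:45:16 -0400  dnsp all to external resolvers
3    2013-03-16 04:06:27 -0400  Admin Console
"""
# Constructed inventory; "Legacy SSH forward" is a hypothetical unused rule.
SAMPLE_INVENTORY = ["Internet Services", "Deny All", "dnsp all to external resolvers",
                    "Admin Console", "Legacy SSH forward"]
TS_FORMAT = "%Y-%m-%d %H:%M:%S %z"
SAMPLE_AS_OF = datetime.strptime("2013-03-20 16:12:55 -0400", TS_FORMAT)
ROW = re.compile(r"^\s*(\d+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4})\s+(.+?)\s*$")

def parse_usage_report(text):
    """Return {rule name: (hits, last_used)} from the report's data rows."""
    usage = {}
    for line in text.splitlines():
        m = ROW.match(line)  # title, date-range and separator lines do not match
        if m:
            usage[m.group(3)] = (int(m.group(1)), datetime.strptime(m.group(2), TS_FORMAT))
    return usage

def review_candidates(inventory, usage, as_of, max_age_days):
    """List inventory rules with no row in the report or no hit since the cutoff."""
    cutoff = as_of - timedelta(days=max_age_days)
    candidates = []
    for name in inventory:
        if name not in usage:
            # Absent from the report: no hit recorded in the retained audit.
            candidates.append((name, "no hits in report window"))
        elif usage[name][1] < cutoff:
            candidates.append((name, "last hit " + usage[name][1].date().isoformat()))
    return candidates

if __name__ == "__main__":
    usage = parse_usage_report(SAMPLE_REPORT)
    for name, reason in review_candidates(SAMPLE_INVENTORY, usage, SAMPLE_AS_OF, 30):
        print(f"{name}: {reason}")
```

A flagged rule is a candidate for review rather than proof it can go, and the result only covers as much audit as the firewall has retained.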