ScreenOS Firewalls (NOT SRX)
Visitor
johnb069
Posts: 5
Registered: 05-11-2009

Firewall policy scanning tools?

Is there a tool that can scan firewall policies checking for redundancies in ports, IP addresses, etc.?

Thank you!

Distinguished Expert
keithr
Posts: 979
Registered: 09-10-2009

Re: Firewall policy scanning tools?

There are some products like FireMon and Athena FirePac which claim to be compatible with Netscreen-series firewalls for rule analysis, auditing, cleanup, etc.

I've not used either of them so I can't testify firsthand to their effectiveness.

-kr


---
If this solves your problem, please mark this post as "Accepted Solution."
Kudos are always appreciated.
Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009

Re: Firewall policy scanning tools?

Hi,

All these features are integrated in NSM. NSM can analyze dozens of object types (policies, addresses, accounts, IP pools etc., etc.) and their dependencies and perform a full or partial cleanup. Auditing, versioning, history etc. are also very advanced features of NSM.

Kind regards,
Edouard
Contributor
William
Posts: 15
Registered: 10-16-2009

Re: Firewall policy scanning tools?

I wrote a Python script about a month ago that looks for redundant address book entries and address book entries not referenced by any policies. It doesn't audit policies for correctness though.

Let me know if this is something anyone might be interested in and I can attempt to get it up on github.

Distinguished Expert
keithr
Posts: 979
Registered: 09-10-2009

Re: Firewall policy scanning tools?


echidov wrote:

Hi,

All these features are integrated in NSM. NSM can analyze dozens of object types (policies, addresses, accounts, IP pools etc., etc.) and their dependencies and perform a full or partial cleanup. Auditing, versioning, history etc. are also very advanced features of NSM.


Would you elaborate a bit on that? I've never found NSM able to do more than tell me if a duplicate of an object (address, service, etc.) exists or find objects that aren't used or referenced anywhere in policies. Can it tell me that a certain policy or object that's configured in a policy hasn't had a hit in 60 or 90 days or give me a monthly report that suggests what policies or objects may be stale and should be cleaned out? Can it tell me if my policy checking could be optimized by reordering rules to put the heaviest-hit policies at the top? How about if an address group contains both a host and a network object that also includes that host?

-kr


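A worked example of the checks William's script describes and of the group question keithr raises above. This is added illustration code, not William's script and not any Juniper or NSM tool: it parses ScreenOS `set address`, `set group address` and `set policy` lines from a constructed sample config and reports address objects that duplicate the same network, objects referenced by no policy (directly or through a referenced group), and group members that are already covered by a broader network member of the same group. The sample config, zone and object names, and the regular expressions are assumptions; only IPv4 address/netmask objects are handled, and domain-name address entries are skipped.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of ScreenOS "get config" lines (not taken from any real device).
SAMPLE_CONFIG = """\
set address "Trust" "web-01" 10.1.1.10 255.255.255.255
set address "Trust" "web-01-dup" 10.1.1.10 255.255.255.255
set address "Trust" "lan-10.1.1.0" 10.1.1.0 255.255.255.0
set address "Trust" "orphan-host" 10.1.9.9 255.255.255.255
set address "Untrust" "partner-net" 203.0.113.0 255.255.255.0
set group address "Trust" "web-servers"
set group address "Trust" "web-servers" add "web-01"
set group address "Trust" "web-servers" add "lan-10.1.1.0"
set policy id 1 from "Trust" to "Untrust" "web-servers" "Any" "HTTP" permit
set policy id 2 name "partner-in" from "Untrust" to "Trust" "partner-net" "web-01-dup" "HTTPS" permit
"""

# Only IPv4 address/netmask objects are matched; FQDN address objects fall through.
ADDR_RE = re.compile(r'^set address "([^"]+)" "([^"]+)" (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)')
GROUP_RE = re.compile(r'^set group address "([^"]+)" "([^"]+)"(?: add "([^"]+)")?')
POLICY_RE = re.compile(
    r'^set policy id \d+ (?:name "[^"]+" )?from "([^"]+)" to "([^"]+)" "([^"]+)" "([^"]+)"')


def parse_config(text):
    """Return (addresses, groups, referenced) from ScreenOS config lines.

    addresses:  (zone, name) -> IPv4Network
    groups:     (zone, group) -> list of member object names
    referenced: set of (zone, name) used directly as a policy source or destination
    """
    addresses = {}
    groups = {}
    referenced = set()
    for raw in text.splitlines():
        line = raw.strip()
        m = ADDR_RE.match(line)
        if m:
            zone, name, ip, mask = m.groups()
            addresses[(zone, name)] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            continue
        m = GROUP_RE.match(line)
        if m:
            zone, group, member = m.groups()
            members = groups.setdefault((zone, group), [])
            if member:
                members.append(member)
            continue
        m = POLICY_RE.match(line)
        if m:
            src_zone, dst_zone, src, dst = m.groups()
            referenced.add((src_zone, src))
            referenced.add((dst_zone, dst))
    return addresses, groups, referenced


def find_duplicates(addresses):
    """Address objects in the same zone that resolve to the same network."""
    by_net = defaultdict(list)
    for (zone, name), net in addresses.items():
        by_net[(zone, net)].append(name)
    return {key: sorted(names) for key, names in by_net.items() if len(names) > 1}


def find_unreferenced(addresses, groups, referenced):
    """Address objects used neither directly in a policy nor via a referenced group."""
    used = set(referenced)
    for (zone, group), members in groups.items():
        if (zone, group) in referenced:
            used.update((zone, member) for member in members)
    return sorted(key for key in addresses if key not in used)


def find_shadowed_members(addresses, groups):
    """Group members fully contained in a broader member of the same group."""
    findings = []
    for (zone, group), members in groups.items():
        nets = [(m, addresses[(zone, m)]) for m in members if (zone, m) in addresses]
        for name_a, net_a in nets:
            for name_b, net_b in nets:
                if name_a != name_b and net_a != net_b and net_a.subnet_of(net_b):
                    findings.append((zone, group, name_a, name_b))
    return sorted(findings)


if __name__ == "__main__":
    addrs, grps, refs = parse_config(SAMPLE_CONFIG)
    for (zone, net), names in find_duplicates(addrs).items():
        print(f"duplicate in {zone}: {net} defined as {', '.join(names)}")
    for zone, name in find_unreferenced(addrs, grps, refs):
        print(f"unreferenced: {zone}/{name}")
    for zone, group, inner, outer in find_shadowed_members(addrs, grps):
        print(f"group {zone}/{group}: {inner} is already covered by {outer}")
```

Run it against the output of `get config` saved to a file by replacing `SAMPLE_CONFIG` with the file contents. The shadowed-member check answers keithr's last question directly: a host object sitting next to a network object that contains it adds nothing to the group's match set, so it is a cleanup candidate rather than a security problem, but removing it should still be confirmed against hit counts before the change is made.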
Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009

Re: Firewall policy scanning tools?

Hi,

NSM can do much more than find unused or duplicate objects. A single device update alone performs a cleanup. Several types of objects that are defined on the FW but do not exist in the new device configuration are removed from the FW configuration.

Have you already tried to play with the Report Manager? There you can generate a "Top FW/VPN rules" report and use it for optimizing the FW rulebase. Just define a time period, a number of rules to be analyzed and, if required, a filtering condition. The rules that do not appear on the report have zero hits during the selected time period. The rules that generate the most log entries can be moved to the top of the ruleset.

To learn more about the top listeners and senders you can use the Destination Watch List and Source Watch List reports under "My reports". You can also create your own reports based on any combination of the fields contained in the log entries, e.g. to recognize potentially inactive/useless objects.

I do not have an answer for the last question in your post. I would sort the objects on "IP/Domain names" and have a look at all objects that appear more than once in the same group.

Kind regards,
Edouard
Distinguished Expert
keithr
Posts: 979
Registered: 09-10-2009

Re: Firewall policy scanning tools?

@echidov

In my years of experience with NSM, I have never had great success with the reporting features of it. Even viewing logs is painfully slow, to the point of being unusable at times. The idea that "if a rule doesn't show up in the report, you can probably delete it" is a bit presumptuous, and I don't think I'd base any actual configuration decisions off of that. Something more definitive like "this policy has not had a hit in 90 days" or "this policy has 100 destination address objects configured, but these 15 of them have not been hit in 90 days" is much more desirable.

NSM was designed for management of devices, and all the reporting / logging / etc. was bolted on as time went on. The software has been around for what... 10 years or so... and it still can't perform like a decent piece of software on an 8-core CPU with 16GB of RAM. The fact that I have to constantly wait for screen redraws, scrolling to catch up, and objects to expand is absolutely absurd given the speed of computer hardware these days. It's the most brutally, painfully, horribly slow and poorly-designed program I can imagine. I wouldn't wish it on my worst enemy, and for someone looking for a tool specifically for rule analysis purposes, I would not steer them toward NSM. It's in a "maintain it minimally until we can kill it" cycle now, with efforts being put on Space (will Juniper ever learn how to hire decent software devs? Don't they learn their lessons?). Look at all the threads in the Management forum -- NSM is waning and support and updates for it are getting less frequent and less effective. I think many users are still waiting for features and support for stuff that has been promised for months upon months, but I'd have to go back and look again for all the specifics.

Yes, this is a Juniper forum, but smart decisions are based on more than what brand name is pasted on a product. Rather than toeing the "Juniper makes a widget for that!" party line, I look for the tools that fit the job for each situation I run into. I prefer using the best tools to solve each problem I am presented with, and vendor loyalty only goes so far if their products don't measure up. NSM tried to be a Swiss army knife, and ended up being a wheelbarrow, hammer, bicycle, rubber hose, and singing bass all bolted together.

To the original poster -- find the tool, whether it be NSM or something else, that solves the issues you are trying to solve within your parameters for cost, value, performance, features, and usability. I'd recommend you evaluate the various tools; I'm sure all the companies (including Juniper) would be happy to set up a demo for you to get a first-hand look at the products and what they can do. Pick the solution that fits your needs the best.

-kr


Distinguished Expert
echidov
Posts: 858
Registered: 11-02-2009

Re: Firewall policy scanning tools?

Hi,

I am also not very happy with NSM. It has taken a lot of time and effort to adjust myself to this monster application that can do virtually everything but nothing well enough at the same time. I had to disable name resolution to make log browsing acceptably fast, and spent a lot of time tuning system parameters on the servers and clients. As for me, it is not a good idea to program such an application in Java.

Unfortunately I could not find another solution that might cover my needs and had to develop my own "best practice".  I do use the reporting tools but not in this direct way: "delete if not seen in the report". The reports help me to localize the potentially useless objects and investigate them additionally by creating e.g. more specific reports or activating the alarm threshold of 1 bps in these policies.

But I agree, it would be nice to have a handy and fast tool for solving the routine tasks.

Kind regards,
Edouard
Contributor
William
Posts: 15
Registered: 10-16-2009

Re: Firewall policy scanning tools?


I posted my Python script on GitHub http://bit.ly/AA3Bjk for anyone who would like to try it out.

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.