1

I appologize up front if this has been asked a million times, but I didn’t seem to find any results when I went looking.

I am going to be starting a job next week as a Security Admin for an educational institution. From what I have been told there are currently over 500 rules in place on the firewall and part of my job is going to be sorting through that mess to determine what can stay and what needs to go. I am looking for ideas on ways to document what is already there and to document new rulles that get put in place. I will need to track:

  • who requested it

  • why it was needed

  • when it was put in place

  • what the rule is trying to do

  • if/when it will expire.

  • any extra notes that may be needed

Anyone have any ideas what I can use, or should I just set up a spreadsheet or database?

13 Spice ups
2

What kind of firewall? Many can export the rules as a csv, excel or pdf file. You can work better with all those rules once they can be sorted and arranged.

4 Spice ups
3

I believe they use checkpoint.

4

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk64501#Installation

http://51sec.blogspot.com/2014/09/export-checkpoint-firewall-policy-to.html#.VTlhIKbj8e0

https://sys4.de/en/blog/2013/02/19/list-all-objects-check-point-firewall/

Here are a few tutorials. Some CLI, some with 3rd party tools.

2 Spice ups
5

In the sonicwall there is a comment field, id comment what they are there for.

If you put it on paper /word, id write down that thy are there for and by who requested and by who setup.

6

If you can insert comments into the configuration, you could include that information there.

Though to keep it tidy, you may just want to record the related incident/change reference the rule was created on, so that you can look up later if needed.

7

From what everyone is saying I guess I can use the comment on the configuration to store a ticket number and document everything in a spreadsheet or database using the csv import.

8

Use something useful, like Spiceworks’ helpdesk option :slight_smile:

9

They already have a help desk system in place, but I’m not sure what it is.

10

I also take a screen shot of the rules on our SonicWall. It helps the non IT types visualize it.

1 Spice up
11

I’m in the process of doing a similar thing and starting from scratch. I’m not importing anything to the new firewall.

I’ve gone through all 140 odd rules on our old watchguard and have expanded them out completely ie source interface, source IP, source port, destination interface, destination IP, destination port, service type (ie HTTP, IDENT, DNS etc), Port Type (ie TCP/UDP).

I’ve also broken the rules into 4 groups.

  1. Internal such as DMZ - trusted, trusted - trusted

  2. Incoming from the Internet

  3. Outgoing to the Internet

  4. Firewall specific rules ie firewall management, rules terminating at the firewall

Doing this has allowed me to clean up a whole heap of redundant rules, replicated rules (ie doing the same thing as another rule), open rules, plain stupid rules etc. All in all it is going to make a much tighter and more stream lined firewall.

I have also removed the ability for other IT staff to make changes to the firewall. They can have a look at the system to see what’s going on but if they need to make a change then they need to go through a change management process that I am developing to ensure that the firewall does not grow organically and uncontrolled into the future which will hopefully help us stay as secure as we can.

If for some reason I have fallen off the face of this blue ball and am no longer able to access the system, our manager has access to the “admin” username and password so that another person can take on the role.

Good luck with your firewall clean up…500 odd rules; It sounds like you need all the luck (and caffeine) you can get!

Cheers

Pete