topic Re: Rule Base & Object Cleanup tools in General Topics

Rule Base & Object Cleanup tools

Scott_Bily — Tue, 03 Jan 2023 14:26:24 GMT

Just looking for some general feedback from others on what is being used for rule base and object cleanup. Are you using an external vendor products, or are there other tools/tricks out there.

We currently use the Tufin Secure Track product,(we did a comparison between Firemon, AlgoSec & Tufin as few years back).

But to be honest we have found that we are not really using most of the features of the Tufin product.

Currently the main feature(which I really, really like), is the reporting feature that is used for Rulebase & Object Cleanup. Where if you had a firewall rule with multiple hosts or multiple services in it, it would basically give you a hit count/ per object on the rule. So it was very easy to identify if a particular host or service was getting any hits over a period of time.

The point is that it makes it very easy to find an object that is unused per rule vs. just being an unused object for the entire policy which can be identified in Smart Console.

If there was an easy way to accomplish this same thing another way, I don't think we would even need Tufin.

Wondering what others are doing, and if there are maybe tools out there that I am not aware of for helping with policy cleanup tasks.

Thanks

Re: Rule Base & Object Cleanup tools

G_W_Albrecht — Tue, 03 Jan 2023 15:00:31 GMT

CP has hit count by rule - so you have to split into one each for multiple hosts or multiple services.

Re: Rule Base & Object Cleanup tools

the_rock — Tue, 03 Jan 2023 15:26:57 GMT

What I always do is export rules in csv format and search for disabled/rules with 0 hits.

Andy

Re: Rule Base & Object Cleanup tools

Scott_Bily — Tue, 03 Jan 2023 16:08:29 GMT

That only helps with part of the cleanup journey tho. I'm my example I am not targeting 0 hit rules. For example if there are 2 application servers and we were given a list of service(ports) that are required for communications. Tufin would tell us that in that 1 rule, the % of hits per service. So it gave me an easy way to see that FTP as an example was not really being used over a period of time.
I could create individual rules for the same src & dst hosts for each specific service(port). But I feel that's a little unpractical, and that not how most of our rules were created. And I could also accomplish the same thing by exporting all the logs for a specific rule. But in this method I am limited to my log retention policy which is only about 4 -5 weeks of data.

Re: Rule Base & Object Cleanup tools

CE_SE — Wed, 04 Jan 2023 00:11:10 GMT

Check Point also has a Professional Service called SmartOptimize that I would recommend which would accomplish these tasks and much more. Your account team should be able to provide you specifics if interested.

Service Features are as follows.

• Detailed reports
• Recommendations
provided by expert
Professional Services
Consultants
• Rulebase Optimization
• Database Optimization
• System Health
• Risk analysis
• In-depth hit count analysis
• Optional onsite services

Re: Rule Base & Object Cleanup tools

Scott_Paisley — Mon, 09 Jan 2023 14:27:02 GMT

Hi. Is that using the APG, or some other Tufin report? Thanks

Re: Rule Base & Object Cleanup tools

George_Ellis — Mon, 23 Jan 2023 15:57:41 GMT

A caution with hit counts, are your failover and disaster recovery rules tagged? Has your team specifically addressed this? Examples might be rule or object comments that state they are for DR. You might name the objects with 'dr' in them. Or create a separate rule just for the dr. That way, when you go solving by hitcount=0, you don't delete something that will bite you later.