Ihenock1011
Advisor

Best Practice for Expired rule

Hi All,

I'm interested in learning best practices for handling time-based firewall rules. In a scenario where a rule is set to automatically expire after a specific timeframe (e.g., 3 days), what's the recommended approach: deleting the rule or keeping it for audit purposes?

Thanks

3 Replies
the_rock
Legend

I always advise people to disable it for the time being and push policy, so that way if an audit happens, at least it's there, but not active. Then you can delete it afterwards.

Andy

Lesley
Leader

Depends on the audit. Both ways are good in my opinion.

Cleaning them up makes the rulebase cleaner and gives a better overview.

Also, it is generally recommended to remove 0-hit or disabled rules and clean them up.

But on the other hand, if traffic has been allowed in the past and you have to show the rule that allowed the traffic, you still need to have it.

You can put the expired time rules under a special section title. Then at least you have them in one spot, and with one click you can hide them.

Some audits require you to keep data for years, so it all depends on the audit.

Btw, audits go hand in hand with the Compliance blade. With this blade you can select certain standards (ISO, etc.) you want to reflect, and it will check the firewall setup. Most of them show that you have to clean up disabled and 0-hit rules.

-------
If you like this post please give a thumbs up(kudo)! 🙂
the_rock
Legend

All valid points.

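The workflow the two replies describe (disable the expired rule instead of deleting it, annotate it for the audit trail, park it under a dedicated section, push policy, and separately flag disabled zero-hit rules as cleanup candidates) can be scripted against the Management API. The script below is an added example for this thread, not code from Check Point or from either poster. It operates on the JSON shape returned by `show-access-rulebase` (fetched with `details-level` "full" so time objects are inlined, and `show-hits` true) and builds the API calls for review rather than sending them. The sample rulebase is constructed inline so it runs offline; the `Expired time-based rules` section name, the `Standard` package, the `fw-gw` target, the millisecond interpretation of `end.posix`, and the `new-position` form used to move a rule under a section are assumptions, not facts from the thread.

```python
"""Triage expired time-based rules in a Check Point access layer.

Added example; not Check Point's code or the posters' code. Input mimics
`show-access-rulebase` output with inlined time objects and hit counts.
Assumed (not from the thread): end.posix is epoch milliseconds, the target
section already exists, and new-position accepts {"bottom": "<section>"}.
"""
from datetime import datetime, timezone

MS = 1000  # assumed: API posix timestamps are in milliseconds


def ts(iso):
    """ISO-8601 string with offset -> epoch milliseconds."""
    return int(datetime.fromisoformat(iso).timestamp() * MS)


# Constructed sample rulebase (layer "Network"): one section with two
# time-bound rules, one old disabled rule with no hits, one permanent rule.
SAMPLE_RULEBASE = {
    "name": "Network",
    "rulebase": [
        {"type": "access-section", "name": "Temporary access", "rulebase": [
            {"type": "access-rule", "uid": "r-1", "name": "vendor-migration",
             "enabled": True, "hits": {"value": 812},
             "time": [{"name": "migration-window", "type": "time",
                       "end-never": False,
                       "end": {"posix": ts("2024-03-03T23:59:00+00:00")}}]},
            {"type": "access-rule", "uid": "r-2", "name": "pentest-window",
             "enabled": True, "hits": {"value": 0},
             "time": [{"name": "pentest", "type": "time",
                       "end-never": False,
                       "end": {"posix": ts("2024-03-10T18:00:00+00:00")}}]},
        ]},
        {"type": "access-rule", "uid": "r-3", "name": "old-temp-rule",
         "enabled": False, "hits": {"value": 0},
         "time": [{"name": "Any", "type": "CpmiAnyObject"}]},
        {"type": "access-rule", "uid": "r-4", "name": "dns-out",
         "enabled": True, "hits": {"value": 9_000_000},
         "time": [{"name": "Any", "type": "CpmiAnyObject"}]},
    ],
}


def iter_rules(node, section="(no section)"):
    """Yield (section_name, rule) for every access-rule, recursing into sections."""
    for entry in node.get("rulebase", []):
        if entry.get("type") == "access-section":
            yield from iter_rules(entry, entry.get("name", section))
        elif entry.get("type") == "access-rule":
            yield section, entry


def rule_expired(rule, now_ms):
    """Expired only if every attached time object has an end in the past.
    'Any' (no end field) or end-never objects keep the rule live."""
    times = rule.get("time") or []
    if not times:
        return False
    for t in times:
        if t.get("end-never"):
            return False
        end = (t.get("end") or {}).get("posix")
        if end is None or end > now_ms:
            return False
    return True


def triage(rulebase, now_ms, layer, expired_section="Expired time-based rules",
           policy_package="Standard", targets=("fw-gw",)):
    """Return (summary, api_calls).

    Expired rules are disabled, never deleted, so they remain visible for an
    audit; the comment records when and why. Rules that are already disabled
    and have never matched traffic are listed as deletion candidates, which is
    the cleanup the Compliance blade checks push for. Policy is installed at
    the end so the disabled state is actually enforced on the gateway.
    """
    disable, delete_candidates, calls = [], [], []
    stamp = datetime.fromtimestamp(now_ms / MS, tz=timezone.utc).strftime("%Y-%m-%d")
    for section, rule in iter_rules(rulebase):
        uid = rule["uid"]
        hits = (rule.get("hits") or {}).get("value", 0)
        enabled = rule.get("enabled", True)
        if enabled and rule_expired(rule, now_ms):
            disable.append(uid)
            calls.append(("set-access-rule", {
                "layer": layer, "uid": uid, "enabled": False,
                "comments": f"expired; disabled {stamp} from '{section}', "
                            f"kept for audit ({hits} hits)",
                "new-position": {"bottom": expired_section},  # assumed form
            }))
        elif not enabled and hits == 0:
            delete_candidates.append(uid)
    if disable:
        calls.append(("publish", {}))
        calls.append(("install-policy", {"policy-package": policy_package,
                                         "access": True, "targets": list(targets)}))
    return {"disable": disable, "delete_candidates": delete_candidates}, calls


if __name__ == "__main__":
    now = ts("2024-03-05T12:00:00+00:00")  # constructed "current time"
    summary, calls = triage(SAMPLE_RULEBASE, now, "Network")
    print(summary)
    for command, params in calls:
        print(command, params)
```

Each generated tuple maps one-to-one onto an `mgmt_cli` or REST call (`set-access-rule`, `publish`, `install-policy`); the script deliberately stops at producing them so the change set can be reviewed, and a second run after the policy push surfaces the now-disabled rules as deletion candidates once their retention period is over.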
