Libor_Kovar
Contributor

Graph-based FW rules visualization

Hello, 

Is there any way to visualize the rules and object relations of a firewall in the form of a graph?
(I am aware of the tool for export into HTML.)

If there is no automated export, what type of graph is suitable for it, and what software would do it?

Many thanks.

0 Kudos
16 Replies
PhoneBoy
Admin

Never seen such a tool myself.

0 Kudos
G_W_Albrecht
Legend

Where did you see such a visualization? I honestly cannot imagine that being of any help - CP even dropped the map view as it was not usable anymore. SmartDashboard has many visualizations concerning network traffic, protocols, users, hit rates and much more...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Bob_Zimmerman
Authority

Depending on the exact meaning of "graph" in the original post, it may not be a visualization. I've been using graph theoretical methods to analyze my firewall rules for overlap and proximity for a while.

I ingest all the rules in an access layer via the API, then convert them into a set of directed edges with one source, one destination, and one service per edge. I then build a graph from all the edges, and extract subgraphs for analysis or plotting.

It's great for finding certain classes of error in the policy. For example, I extracted all the rules referencing a three-member web server farm and found a few load balancers were only allowed to talk to two of them. They had been added by different people over the span of a year, so things were built inconsistently and nobody realized.

I started with PowerShell and GraphViz via PSGraph. I have since moved to some tools I've built myself.
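Bob's method above in runnable form, as an added example that is neither Bob's script nor any Check Point tooling: a constructed access layer is expanded into one directed edge per (source, destination, service) triple, and the edge set is then queried for the two error classes the post mentions, uneven coverage of a server farm and the same triple being produced by more than one rule. The rule field names (`no`, `src`, `dst`, `svc`, `action`), the sample policy and the helper names are all assumptions; a real ingest would fill `SAMPLE_RULES` from the API export. Only the standard library is used, and `to_dot` emits GraphViz DOT so a subgraph can be plotted with `dot -Tpng`.

```python
"""Firewall access layer -> directed edge set -> per-subgraph consistency checks.
Constructed example; rule field names and sample data are assumptions."""
from collections import defaultdict
from itertools import product
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Edge(NamedTuple):
    """One permitted (source, destination, service) edge, tagged with its rule number."""
    src: str
    dst: str
    service: str
    rule: int


# Constructed sample access layer (not a real export). Rules 1-3 were "added by
# different people": only lb1 may reach the whole web farm. Rule 6 repeats part
# of rule 1, and rule 5 is a Drop that must not become a reachability edge.
SAMPLE_RULES = [
    {"no": 1, "src": ["lb1"], "dst": ["web1", "web2", "web3"], "svc": ["https"], "action": "Accept"},
    {"no": 2, "src": ["lb2"], "dst": ["web1", "web2"], "svc": ["https"], "action": "Accept"},
    {"no": 3, "src": ["lb3"], "dst": ["web1", "web3"], "svc": ["https"], "action": "Accept"},
    {"no": 4, "src": ["monitor"], "dst": ["web1", "web2", "web3"], "svc": ["icmp"], "action": "Accept"},
    {"no": 5, "src": ["Any"], "dst": ["web1"], "svc": ["http"], "action": "Drop"},
    {"no": 6, "src": ["lb1"], "dst": ["web1"], "svc": ["https"], "action": "Accept"},
]


def rules_to_edges(rules: Iterable[dict]) -> List[Edge]:
    """Expand each Accept rule into the product of its sources, destinations and
    services. Drop rules are skipped: the graph models permitted reachability only."""
    edges: List[Edge] = []
    for r in rules:
        if r["action"] != "Accept":
            continue
        for s, d, svc in product(r["src"], r["dst"], r["svc"]):
            edges.append(Edge(s, d, svc, r["no"]))
    return edges


def subgraph(edges: Iterable[Edge], nodes: Iterable[str]) -> List[Edge]:
    """All edges that touch any of the given nodes (the slice you plot or inspect)."""
    wanted = set(nodes)
    return [e for e in edges if e.src in wanted or e.dst in wanted]


def coverage_gaps(edges: Iterable[Edge], farm: Iterable[str], service: str) -> Dict[str, List[str]]:
    """For every source that reaches at least one farm member over `service`,
    list the members it cannot reach. Partial coverage of a farm is exactly the
    'load balancer can only talk to two of three web servers' inconsistency."""
    members = set(farm)
    reach: Dict[str, set] = defaultdict(set)
    for e in edges:
        if e.service == service and e.dst in members:
            reach[e.src].add(e.dst)
    return {src: sorted(members - seen) for src, seen in reach.items() if members - seen}


def overlapping_edges(edges: Iterable[Edge]) -> Dict[Tuple[str, str, str], List[int]]:
    """Triples produced by more than one rule: candidates for redundant or shadowed rules."""
    by_triple: Dict[Tuple[str, str, str], List[int]] = defaultdict(list)
    for e in edges:
        by_triple[(e.src, e.dst, e.service)].append(e.rule)
    return {t: rules for t, rules in by_triple.items() if len(rules) > 1}


def to_dot(edges: Iterable[Edge]) -> str:
    """Render an edge list as GraphViz DOT, one labelled arrow per edge."""
    lines = ["digraph policy {"]
    for e in edges:
        lines.append(f'  "{e.src}" -> "{e.dst}" [label="{e.service} (r{e.rule})"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    edges = rules_to_edges(SAMPLE_RULES)
    print(coverage_gaps(edges, ["web1", "web2", "web3"], "https"))  # lb2 misses web3, lb3 misses web2
    print(overlapping_edges(edges))                                  # rule 6 duplicates part of rule 1
    print(to_dot(subgraph(edges, ["web2"])))
```

The expansion into single-triple edges is what makes the checks simple: once every rule is a set of atomic edges, "who reaches this farm" and "which rules say the same thing" are plain set operations, and group objects or negated cells in the real policy only change how the edge list is produced, not how it is queried.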

tscally
Explorer

Hi Bob, I'm very interested in this. Would you like to share your scripts?

0 Kudos
Bob_Zimmerman
Authority

I don't have any of the early stuff I built for analyzing Check Point rules around anymore. The main challenge was data ingestion. Reassembling the policy from the forced pagination is incredibly annoying. Since I use a Mac, I'm now using code written in Swift for all that.

I'll see if I can toss something together in PowerShell, but it will probably take a while.

0 Kudos
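The pagination problem Bob mentions, as an added example that is not his code and not an official Check Point sample. The Management API returns a rulebase in pages described by `from`, `to` and `total`, and a section whose rules straddle a page boundary shows up partially on both pages, so the pages cannot simply be concatenated. `fake_fetch` below is a constructed stand-in for that behaviour so the example runs offline; in real use the same `fetch(offset, limit)` signature would wrap a `show-access-rulebase` call with the layer name and session. The exact field set of the reply beyond `from`/`to`/`total`/`rulebase` and the section/rule `type` values are assumptions here.

```python
"""Reassemble a paginated access layer, merging sections split across pages.
Constructed example; the reply shape is an approximation of the real API."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed target: what the whole layer looks like once reassembled.
FAKE_RULEBASE: List[Dict] = [
    {"type": "access-section", "name": "Web", "rulebase": [
        {"type": "access-rule", "rule-number": 1, "name": "lb1 to web"},
        {"type": "access-rule", "rule-number": 2, "name": "lb2 to web"},
        {"type": "access-rule", "rule-number": 3, "name": "lb3 to web"},
    ]},
    {"type": "access-rule", "rule-number": 4, "name": "admin ssh"},
    {"type": "access-section", "name": "Cleanup", "rulebase": [
        {"type": "access-rule", "rule-number": 5, "name": "cleanup"},
    ]},
]


def _flatten(rulebase: List[Dict]) -> List[Tuple[Optional[str], Dict]]:
    """Linear list of (section name or None, rule) in policy order."""
    out: List[Tuple[Optional[str], Dict]] = []
    for item in rulebase:
        if item["type"] == "access-section":
            out.extend((item["name"], r) for r in item["rulebase"])
        else:
            out.append((None, item))
    return out


def fake_fetch(offset: int, limit: int) -> Dict:
    """Stand-in for one paginated API call: pages are cut by rule count, so a
    section that spans the cut is emitted (partially) on each side of it."""
    flat = _flatten(FAKE_RULEBASE)
    chunk = flat[offset:offset + limit]
    items: List[Dict] = []
    for section, rule in chunk:
        if section is None:
            items.append(rule)
        elif items and items[-1].get("type") == "access-section" and items[-1]["name"] == section:
            items[-1]["rulebase"].append(rule)
        else:
            items.append({"type": "access-section", "name": section, "rulebase": [rule]})
    return {"from": offset + 1, "to": offset + len(chunk), "total": len(flat), "rulebase": items}


def fetch_all_rules(fetch: Callable[[int, int], Dict], limit: int = 2, max_pages: int = 1000) -> List[Dict]:
    """Walk the pages and stitch them back together. A section that continues the
    last section of the previous page is merged, not appended a second time."""
    result: List[Dict] = []
    offset = 0
    for _ in range(max_pages):              # hard cap so a buggy server cannot loop forever
        page = fetch(offset, limit)
        for item in page["rulebase"]:
            last = result[-1] if result else None
            if (item["type"] == "access-section" and last is not None
                    and last["type"] == "access-section" and last["name"] == item["name"]):
                last["rulebase"].extend(item["rulebase"])
            else:
                result.append(item)
        if page["to"] >= page["total"] or not page["rulebase"]:
            break
        offset = page["to"]                 # next page starts where this one ended
    return result


def rule_numbers(rulebase: List[Dict]) -> List[int]:
    """Rule numbers in policy order, used to check nothing was lost or duplicated."""
    return [r["rule-number"] for _, r in _flatten(rulebase)]


if __name__ == "__main__":
    layer = fetch_all_rules(fake_fetch, limit=2)   # three pages, "Web" split over two of them
    print(rule_numbers(layer))                      # [1, 2, 3, 4, 5]
    print(layer == FAKE_RULEBASE)                   # True
```

The merge rule keys on the section name of the last item already collected, which is enough because the API returns rules in policy order; the sanity check at the end (rule numbers contiguous, no duplicates) is worth keeping in any real ingest, since a missed or double-counted page silently corrupts every graph built from it.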
the_rock
Legend

Never heard or seen one myself either. The only thing I know of is below:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Andy

0 Kudos
Amir_Senn
Employee

If you have session logs on relevant rules and SmartEvent, you can do some widgets on rule number.

For example, a statistical table with rule, src OR dst on the second column and logs on the third. I know this is not exactly what you looked for but it could still give you some statistics on highest hit rules with session logs and the most used src/dst.

Kind regards, Amir Senn
the_rock
Legend

@Amir_Senn ...would you be kind enough to attach a screenshot of what that would look like?

Tx

Andy

0 Kudos
Amir_Senn
Employee

Just doodling in SmartView for a bit, see attached.

Kind regards, Amir Senn
0 Kudos
the_rock
Legend

That's great, but I was more referring to the query in SmartEvent...

0 Kudos
Amir_Senn
Employee

I didn't mention a query in SmartEvent, can you elaborate and I'll try to provide.

Kind regards, Amir Senn
0 Kudos
the_rock
Legend

This was your response yesterday, so I assumed you meant SmartEvent? Sorry if I misunderstood...

Andy

> If you have session logs on relevant rules and SmartEvent, you can do some widgets on rule number.

> For example, a statistical table with rule, src OR dst on the second column and logs on the third. I know this is not exactly what you looked for but it could still give you some statistics on highest hit rules with session logs and the most used src/dst.
>
> Kind regards, Amir Senn
0 Kudos
Amir_Senn
Employee

SmartView is a SmartEvent application, and SmartEvent only indexes non-connection logs.

Kind regards, Amir Senn
0 Kudos
the_rock
Legend

I thought it meant setting up some flags for smart event new report, again, sorry if I misunderstood.

Andy

0 Kudos
Amir_Senn
Employee

No problem at all=)

Kind regards, Amir Senn
0 Kudos
Libor_Kovar
Contributor

I have got an idea to use exported JSON files from a certain Check Point tool, convert them to UML and draw via https://plantuml.com/json, but I have no knowledge of either of these formats.

0 Kudos