
Any tool to build a rulebase from an "Any-Any Accept" rule?

Hello everyone,

A customer recently placed a firewall to control all inter-VLAN traffic, and they are unfortunately not aware (as is usually the case) of what kind of traffic is generated between the VLANs, as it was all running through a switch until now.

We started building the rulebase based on their needs, but I still believe that it is far from ideal. To avoid any major issues we had to leave the last rule as ACCEPT. At this point, the only way seems to be to analyze the logs of this rule and keep adding new rules, which brings me to the real question (and I sincerely apologize if this is stupid): is there any quick way or a tool (I know Tufin can analyze the existing rulebase) to do this?

(I searched the forum but couldn't find any Q or A that might be directly related)

Thanks in advance,

0 Kudos

Accepted Solutions
Admin

Re: Any tool to build a rulebase from an "Any-Any Accept" rule?

Policy Management would be the best place to put this.
The central question is: what is valid, acceptable traffic and what is not?
No tool is going to be able to tell you that.

What you can do in SmartView/SmartLog is look at the top sources/destinations on this rule.
From there, you can drill down and see what is generating the most traffic and start making appropriate rules around that, perhaps after asking a few questions about what the particular host is doing and why.

[Screenshot attached: Screen Shot 2019-05-11 at 3.40.41 PM.png]

0 Kudos

Re: Any tool to build a rulebase from an "Any-Any Accept" rule?

There are a couple of commercial tools that can help you with that: AlgoSec, for instance, has an optimization tool that analyzes firewall logs and gives you proposals for rules. I guess Tufin does something similar.

The other option is a manual study of the exported logs with other tools such as Splunk, or building a module with Access... Little by little you can summarize the traffic.

Anyway, an Any/Any/Accept rule has several problems if TCP out-of-state is not enabled, because the logs will show even SYN-ACK packets as being the first ones if there is some kind of asymmetric traffic. Be aware of that.

6 Replies

Re: Any tool to build a rulebase from an "Any-Any Accept" rule?

Hi Bekir,

My starting point would be to configure one of the gateway's interfaces in monitor mode along with a SPAN port on the switch, so that inter-VLAN traffic can be mirrored to the gateway and analysed without affecting the production environment (see sk101670 for more info).

Once the traffic has been analysed over a period of time, you would then be in a better position to construct a more suited rule base.

I hope this helps.

0 Kudos

Re: Any tool to build a rulebase from an "Any-Any Accept" rule?

Thank you for the prompt response Nick. I already have all the logs I need but it's millions of lines for even weekly traffic.

I was wondering if there's any tool (including 3rd party ones of course) to make this daunting task easier (i.e. finding patterns and making recommendations)       😃

0 Kudos

Re: Any tool to build a rulebase from an "Any-Any Accept" rule?

Hi Bekir,

Now that your request is a bit clearer, the answer is no, I would be really surprised if such a tool exists!

In addition to what Phoneboy said, I believe you could also do the following:

- Provided that the logs can be exported in CSV format, you could start importing samples into Excel, apply a filter or a pivot table and then analyse the traffic on the basis of specific criteria such as source subnets/networks etc.

- Assuming you have captured some of the traffic involved, you could analyse it in Wireshark with the use of multiple display filters (based on say protocols).

This is what I would do anyway. I also strongly believe that this is work you would have to do with the customer as well unless you know their environment and critical services inside out. Once again though, the answer is no I'm afraid, there is no easy way to go about this.

I hope this helps.

0 Kudos
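As an added illustration of the workflow the replies above describe (export the logs of the Any/Any/Accept rule, group them by source network, destination network and service, and review the busiest groups first), here is a small Python script that does the pivot-table step without Excel. It is example code written for this page, not a Check Point tool and not something any of the posters provided. The CSV column names and the sample log lines are constructed for the example and are not a real Check Point export format; the /24 subnet size used to collapse hosts into networks is likewise an assumption to adjust to the customer's addressing. Row 6 of the sample is a SYN-ACK logged as the first packet of a flow, the asymmetric-traffic case Jose warns about, and the script swaps the endpoints for that row so the candidate rule is built in the real client-to-server direction rather than inverted.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export of logs matched by the final Any/Any/Accept rule.
# Column names are an assumption for this example, not a real Check Point
# export format. Row 6 is a SYN-ACK logged as the "first" packet of a flow:
# the firewall only saw the return leg (asymmetric traffic).
SAMPLE_CSV = """\
time,src,dst,proto,sport,dport,tcp_flags,rule
2019-05-11 10:00:01,10.10.1.15,10.10.2.20,tcp,51000,445,SYN,99
2019-05-11 10:00:02,10.10.1.16,10.10.2.20,tcp,51001,445,SYN,99
2019-05-11 10:00:03,10.10.1.15,10.10.2.21,tcp,51002,445,SYN,99
2019-05-11 10:00:04,10.10.1.17,10.10.3.5,udp,52000,53,,99
2019-05-11 10:00:05,10.10.1.18,10.10.3.5,udp,52001,53,,99
2019-05-11 10:00:06,10.10.2.20,10.10.1.30,tcp,3389,50999,SYN-ACK,99
2019-05-11 10:00:07,10.10.1.30,10.10.2.20,tcp,51003,3389,SYN,99
2019-05-11 10:00:08,10.10.4.9,10.10.2.20,tcp,51004,22,SYN,99
"""


def parse_log(csv_text):
    """Parse the CSV export into a list of dicts, one per log line."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def normalize_flow(row):
    """Return (initiator, responder, proto, service_port, was_reversed).

    A SYN-ACK seen as the first packet means only the return leg was logged:
    the real client is the logged destination and the real service port is
    the logged source port, so swap them before counting.
    """
    if row["proto"] == "tcp" and row["tcp_flags"] == "SYN-ACK":
        return row["dst"], row["src"], row["proto"], int(row["sport"]), True
    return row["src"], row["dst"], row["proto"], int(row["dport"]), False


def propose_rules(rows, prefix_len=24):
    """Aggregate flows into (src net, dst net, proto, port) rule candidates.

    prefix_len is the assumed VLAN size used to collapse hosts into subnets.
    The result is sorted by hit count, so the busiest traffic (the place to
    start asking the customer questions) comes first.
    """
    buckets = defaultdict(lambda: {"hits": 0, "src_hosts": set(),
                                   "dst_hosts": set(), "reversed": 0})
    for row in rows:
        src, dst, proto, port, was_reversed = normalize_flow(row)
        src_net = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        dst_net = ipaddress.ip_network(f"{dst}/{prefix_len}", strict=False)
        b = buckets[(str(src_net), str(dst_net), proto, port)]
        b["hits"] += 1
        b["src_hosts"].add(src)
        b["dst_hosts"].add(dst)
        b["reversed"] += int(was_reversed)

    rules = []
    for (src_net, dst_net, proto, port), b in buckets.items():
        rules.append({
            "src": src_net, "dst": dst_net, "proto": proto, "port": port,
            "hits": b["hits"],
            "src_hosts": sorted(b["src_hosts"]),
            "dst_hosts": sorted(b["dst_hosts"]),
            "reversed_hits": b["reversed"],
        })
    rules.sort(key=lambda r: (-r["hits"], r["src"], r["dst"], r["proto"], r["port"]))
    return rules


def format_rule(rule):
    """Render one candidate as a rulebase-like line for review."""
    note = (f" ({rule['reversed_hits']} logged from SYN-ACK)"
            if rule["reversed_hits"] else "")
    return (f"{rule['src']:>15} -> {rule['dst']:<15} {rule['proto']}/{rule['port']:<5}"
            f" hits={rule['hits']} src_hosts={len(rule['src_hosts'])}{note}")


if __name__ == "__main__":
    for rule in propose_rules(parse_log(SAMPLE_CSV)):
        print(format_rule(rule))
```

The output is a starting list, not a rulebase: each line still needs the "what is this host doing and why" conversation before it becomes an explicit rule, and any group with a non-zero "logged from SYN-ACK" count is a hint that the gateway is not seeing both directions of that flow, which is worth fixing before the final rule is switched to Drop.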
Re: Any tool to build a rulebase from an "Any-Any Accept" rule?

Great advice all around, thank you everyone. Especially Phoneboy and Jose 😃

I'm aware that I shouldn't be "allowing" all traffic but the customer will be deciding everything at the end of the day.

I already started analyzing the traffic with the help of Tufin and building a rulebase on its proposals, mostly based on subnets, but I will come back to them and change them into more restrictive rules. The final step will be changing the last rule to Drop and adding additional rules if we experience any major issues or outages.

Thank you again.

0 Kudos