Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Aaron_Pritchard
Contributor

Audit Purposes - Who has Internet Access via our Firewall?

hey Mates,

I have a question that someone asked me;

The question has been asked, 'who has internet access?'  and by who, we are looking for a total number of users rather than name names. but names is fine.

Sounds very simple.

however, on an R77.30 environment that is not running IA (even if it was...), how would you analyse the policy to confirm who can exit the perimeter firewall?

Lets assume the policy is 1000 rules strong, and multiple polcies for different regions, just to prevent any answers of 'just scroll through the policy' : )

my inital thoughts.

Filter for 'any' in destination fields, as this has potential to leave an external interface.

but i also need to filter for any non rfc-1918 IP address configured as objects or within a nested group.

However source could be a /24 subnet. Essentially this has potential for 255 hosts (for an audit trail) even if only 1 server exists on the subnet.

Also what about public IP address destination, which are actually in the policy because they belong to 3rd part VPN targets? i would need to remove these from filter.

Doesnt seem like an easy task.

i have spun up R80.10, running full IA, SmartEvent and Compliance blades, and even then i cant see  good way to filter.

the best i beleive i can see if identifiying the number of users against a particular rule, which could well be the Internet Catch All Rule for example, but it doesnt give a clear picture as to any holes in the rest of the policy.

thoughts?

0 Kudos
3 Replies
Daniel_Taney
Advisor

You are correct in that it doesn't sound like an easy task! I think the first question is: What are you trying to determine? Do you just want a head count of how many people go out to the Internet on a given day? Or are you looking for overly permissive rules? Because I think there could be ways to figure it out, but it would depend on exactly what you want to accomplish. 

Are you saying that you migrated everything to R80.10? or is part of your environment still on R77.30? To get a head count in R77.30, you might want to try something like going into SmartLog and putting a query together that could find the information for a given period of time. For example, are there certain internal network segments that you know your users reside on? You could start with a query to limit the source traffic to those network(s). Then, I'd go with your idea of looking for non-RFC 1918 addresses as the destination. I made a group of network objects containing all the RFC-1918 LANS to allow for easy inclusion or elimination of these IP ranges. (If you don't already have that, it could save you a lot of time in searching for things by creating one.) Then, I'd suggest limiting your sample to a day or a week to make the results more manageable. 

Once you get that query going, you can click up on the File menu and export to CSV. I'd export the results to CSV and tell it to include as many records as the export utility will allow. I think it will complain if you enter a number that is too large. The reason I ask about R77.30 vs R80 is that the behavior of the CSV Export seems to have changed in R80. Unfortunately, it doesn't seem like it will let you export large numbers of records anymore and only seems to export what is shown in the logs on screen. Unless I'm missing something with the way it is used in R80, that seems to be a huge step backwards... someone else may be able to confirm if there's a way to get the full export behavior working the same way in R80. 

Once you get the CSV, you could open it in Excel and do some data manipulation trickery to get a rough head count. For example, you could select the column that has the source IP addresses in it, click the DATA tab, select "Advanced" under Filter. In Advanced Filter, choose "Copy to another location", select "Unique Records Only" and then choose a blank column to copy the results to. Once you click OK, you should get a new column showing only unique IP addresses from the source list. In theory, this should give you a rough approximation of how many unique source addresses accessed the internet inside your selected time window. Granted, depending on DHCP lease times, this information may be a little misleading. But, if you have longer lease times, chances are machines are regularly pulling the same IP every time they are booted up. Its not an exact science, but this could get you closer to having a rough number to use.

Looking for overly permissive rules could be a little trickier. In R80+, you could try playing around with Packet Mode to simulate some Internet connection scenarios. You could see what rules would hit if you tried to go to a Google IP with traffic sourced from a certain network or host IP. You could also try playing with the search feature in the policy editor to try to filter your policy based on source or destination to see which rules might match. With 1,000 rules, this could require some tedious manual review depending on how much you could filter the policy down. 

If you were able to do the CSV export, you could also look at the rule numbers that your outbound traffic is matching on. Using the same data filter trick, you could create a list of all the unique rule numbers that matched for Internet bound traffic and then review those in the Policy to make sure the rule is doing what it is supposed to. 

Anyways... sorry for the long response! As you said, its not an easy task. But, if someone asked me for this information, this is probably how I'd begin to go about it.

Good luck!

R80 CCSA / CCSE
0 Kudos
Vladimir
Champion
Champion

I'd say it depends on a structure of your policy.

For instance, if your (host, networks and groups of thereof), rules governing access to all non-Internet destinations are separate from Access Role source-based rules for Application Control and URLF  layer with "Internet" object as a destination and are linked to AD Groups, then the answer will be found in AD Group memberships. 

0 Kudos
Reinhard_Stich
Contributor

one basic question is: what does "access to the internet" mean? full access to all websites, to all services or is one website on the internet enough to have "access to the internet"? 

basically I would check the logs and estimate the number or source-IPs that access internet-ressources through the firewall. if you can - based on the subnet - deduct server IPs.

further more you should consider if users maybe access the internet via proxy-server or terminal/citrix systems. then you need to check the logs of these systems also.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events