Audit Purposes - Who has Internet Access via our Firewall?

Question asked by Aaron Pritchard on May 10, 2018
hey Mates,

I have a question that someone asked me;

The question has been asked, 'who has internet access?' and by who, we are looking for a total number of users rather than naming names, but names are fine.

Sounds very simple.

However, on an R77.30 environment that is not running IA (even if it was...), how would you analyse the policy to confirm who can exit the perimeter firewall?

Let's assume the policy is 1000 rules strong, and multiple policies for different regions, just to prevent any answers of 'just scroll through the policy' : )

My initial thoughts:

Filter for 'any' in destination fields, as this has potential to leave an external interface.

But I also need to filter for any non-RFC 1918 IP address configured as objects or within a nested group.

However, source could be a /24 subnet. Essentially this has potential for 255 hosts (for an audit trail) even if only 1 server exists on the subnet.

Also, what about public IP address destinations, which are actually in the policy because they belong to 3rd party VPN targets? I would need to remove these from the filter.

Doesn't seem like an easy task.

I have spun up R80.10, running full IA, SmartEvent and Compliance blades, and even then I can't see a good way to filter.

The best I believe I can see is identifying the number of users against a particular rule, which could well be the Internet Catch All Rule for example, but it doesn't give a clear picture as to any holes in the rest of the policy.
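The approach sketched in the question (flag Accept rules whose destination is 'Any' or a non-RFC 1918 address, expanding nested groups on the way; exclude destinations that are known third-party VPN ranges; then work out how many source addresses those rules cover) can be mechanised once the rulebase and object database have been exported, for instance with the R80 Management API's `show-access-rulebase` and `show-objects` commands. The script below is an added example written for this thread, not Check Point code and not something from the original post. The object/rule dictionary layout, the object and rule names, the addresses and the `ANY` sentinel are all constructed for illustration; an export from a real management server would need a small adapter into this shape.

```python
"""Audit a firewall rulebase for rules that could let traffic reach the Internet.

Added example (not Check Point code). The data layout below is constructed for
this example; a real export (e.g. from the R80 Management API) would be mapped
into the same shape first.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = "Any"  # this example's sentinel for the built-in 'Any' object

# Constructed sample objects: hosts, networks and nested groups (not a real policy).
SAMPLE_OBJECTS = {
    "Net_Users_LAN":   {"type": "network", "cidr": "10.1.0.0/24"},
    "Srv_Web":         {"type": "host",    "cidr": "10.2.0.10/32"},
    "Net_Internal_DC": {"type": "network", "cidr": "10.2.0.0/16"},
    "Partner_VPN_Net": {"type": "network", "cidr": "203.0.113.0/24"},
    "Ext_Cloud_API":   {"type": "host",    "cidr": "198.51.100.7/32"},
    "Grp_Nested":      {"type": "group",   "members": ["Net_Users_LAN"]},
    "Grp_Internal":    {"type": "group",   "members": ["Net_Internal_DC", "Grp_Nested"]},
}

# Constructed sample rules; rule 5 plays the role of an 'Internet catch-all' rule.
SAMPLE_RULES = [
    {"no": 1, "src": ["Grp_Internal"],  "dst": ["Net_Internal_DC"], "action": "Accept"},
    {"no": 2, "src": ["Grp_Internal"],  "dst": ["Partner_VPN_Net"], "action": "Accept"},
    {"no": 3, "src": ["Srv_Web"],       "dst": ["Ext_Cloud_API"],   "action": "Accept"},
    {"no": 4, "src": ["Grp_Internal"],  "dst": [ANY],               "action": "Drop"},
    {"no": 5, "src": ["Net_Users_LAN"], "dst": [ANY],               "action": "Accept"},
]


def expand(name, objects, _seen=None):
    """Resolve an object name into a set of ip_network objects, recursing through
    nested groups. Returns {ANY} for the built-in Any object. A visited set
    guards against group cycles."""
    if name == ANY:
        return {ANY}
    if _seen is None:
        _seen = set()
    if name in _seen:
        return set()
    _seen.add(name)
    obj = objects[name]
    if obj["type"] == "group":
        nets = set()
        for member in obj["members"]:
            nets |= expand(member, objects, _seen)
        return nets
    return {ipaddress.ip_network(obj["cidr"])}


def is_rfc1918(net):
    """True if the network lies entirely inside one of the RFC 1918 ranges."""
    return any(net.subnet_of(r) for r in RFC1918)


def audit(rules, objects, vpn_partner_cidrs=()):
    """Return one finding per Accept rule whose destination could reach the Internet:
    destination Any, or a public address that is not inside a known VPN partner range."""
    partners = [ipaddress.ip_network(c) for c in vpn_partner_cidrs]
    findings = []
    for rule in rules:
        if rule["action"] != "Accept":
            continue
        reasons = []
        for dst in rule["dst"]:
            for net in expand(dst, objects):
                if net == ANY:
                    reasons.append("destination Any")
                elif not is_rfc1918(net) and not any(net.subnet_of(p) for p in partners):
                    reasons.append(f"public destination {net}")
        if reasons:
            sources = set()
            for src in rule["src"]:
                sources |= expand(src, objects)
            findings.append({"rule": rule["no"], "reasons": reasons, "sources": sources})
    return findings


def count_source_addresses(findings):
    """Upper bound on distinct source addresses across all findings. Overlapping
    and duplicate networks are collapsed first, so a /24 counted by two rules is
    counted once. Returns None if any flagged rule has source Any (no usable bound)."""
    nets = set()
    for f in findings:
        if ANY in f["sources"]:
            return None
        nets |= f["sources"]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))


if __name__ == "__main__":
    found = audit(SAMPLE_RULES, SAMPLE_OBJECTS, vpn_partner_cidrs=["203.0.113.0/24"])
    for f in found:
        print(f"rule {f['rule']}: {', '.join(f['reasons'])}; "
              f"sources {sorted(str(n) for n in f['sources'])}")
    print("source addresses covered (upper bound):", count_source_addresses(found))
```

The count is deliberately an upper bound on addresses, not a user count: the policy alone cannot tell a /24 with one server from a /24 full of workstations, which is exactly the audit-trail problem raised above. Passing the partner VPN ranges in `vpn_partner_cidrs` removes rule 2 from the output; omitting them shows how much the `Grp_Internal` source inflates the total, because its /16 swallows the `Srv_Web` host when the sources are collapsed. Per-rule hit counts or Identity Awareness logs are still needed to turn the flagged rules into a list of actual users.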