How do you manage your firewall rulesets? Over time, firewall configuration files can become overrun with rules, and thus become large and complicated. It's not unusual for firewalls to have thousands of rules, and many of those are liable to be rendered obsolete by new rules as network and security teams add new rules to meet business needs. And, making things worse, as a firewall's configuration files grow, its performance decreases. If you want to keep your rulesets trim and your firewalls running optimally, you should perform regularly-scheduled firewall audits and then clean up your rule base accordingly.
Look Before You Leap
Ideally, you should analyze your firewall configs for two types of unnecessary rules before cleaning them up:
- Redundant rules
- Unused rules
Identifying Redundant Rules
Redundant rules are rules that have the same purpose as some other rule in the ruleset. These redundancies exist because of the structural relationship between all the rules the firewall uses:
- Firewalls evaluate their rules in a sequence defined in the rule base.
- If a rule is covered by another rule that comes before it, it will never be triggered.
- Such "coverage" is determined by the traffic that each rule allows or denies.
- When you find redundant rules, it is generally safe to remove them because the firewall will never use them.
Cleaning up the redundant rules on your firewall simplifies the configuration, making it easier to manage and less prone to errors.
Identifying Unused Rules
Unused rules are another unnecessary burden to any firewall. They make the configuration complex, but have no real reason for existing. Oftentimes, these rules have become stale due to changing business needs. To identify these rules, use the logging features available on your firewalls and look for rules that never get used:
- In most cases, logging is a feature you have to manually enable before the firewall will collect any usage logs.
- After you enable logging, allow the firewall to collect data for a reasonable time period. This period will vary depending on the number of devices and users on your network, along with the general traffic volume.
- Over time, the statistics generated from your log data will tell you what rules are never hit.
- If a rule has a zero hit-count, disable it with the appropriate documentation, and then remove it after you are confident you will not get any complaints about service availability.
In this case, your firewall's logging feature adds a level of automation to this task. Nevertheless, cleaning up the rules, whether redundant or unused, can be an onerous task.
The Cost of Manual Rule Cleanup
There are several things to consider as you prepare to clean up your firewall rules:
- If your rules use a lot of object groups, identifying redundant rules manually will be painful and time consuming. Object groups add complexity to this task because they introduce a high number of combinations you'll have to analyze to fully understand what each rule does.
- If you have a large number of firewalls, cleaning them manually can add several months to your firewall management schedule, not to mention thousands of dollars in cost.
- If you want to identify unused rules with log statistics, you'll have to put in a little time upfront to collect a sufficient amount of data.
Who has that kind of time? Clearly, an automated process would be a far better option for firewall cleanup.
SolarWinds Firewall Security Manager (FSM) provides an easy-to-use, automated solution to ensure your firewalls are free of any unnecessary rules and objects. Furthermore, FSM helps you test your cleaned up configs before you deploy them in your production environment to ensure your changes won't have an adverse effect on existing service availability, or expose the business to unauthorized traffic.