While we continually look for ways to simplify firewall configuration and change management, a single erroneous rule can expose the network to significant risk. However careful we are, redundant or shadowed rules always seem to find their way in.

There is a pressing need for smart and easy ways to find and close gaps in security rules, and to spend less time troubleshooting errors. Let us look at three common Juniper firewall management challenges and some tips and best practices to address them. Read on…

1. Cleaning up a Cluttered Rulebase

An important point of concern is that new rules are continually added to the firewall, but little effort goes into removing them once they become redundant. When the task of identifying and removing unused, redundant or shadowed rules is neglected, you end up with a cluttered rulebase that leads to security gaps and performance issues. Keep in mind the following:

  • Juniper firewall rules are defined per Source and Destination Zone pair. Each network interface belongs to a Zone, a security area with its own set of access policies, and a single Zone may contain multiple interfaces.
  • A single rule can reference multiple objects for Source, Destination and Service. As a result, the rulebase contains fewer rules, but each one is highly aggregated.

Therefore, to increase performance and efficiency, it is crucial that unnecessary firewall rules are removed regularly. Further policy optimization comes from structural redundancy clean-up: identifying and removing erroneous configuration entries that contribute nothing to the functioning of the firewall.
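To make the shadowing problem concrete, here is an added example (not SolarWinds code, and not a Juniper tool) that models a Junos zone-pair rulebase in a simplified form and reports which policies can never be reached. The model is an assumption for illustration: address objects are plain CIDRs or "any", address-sets and wildcards are not handled, and the policy names and networks are constructed. The security-relevant distinction it draws is between a redundant rule (covered by an earlier rule with the same action, safe to delete) and a shadowed rule (covered by an earlier rule with the opposite action, so the intended permit or deny is silently never applied).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple

# Simplified model of a Junos security policy: the "from-zone X to-zone Y policy NAME"
# block with its match terms (source-address, destination-address, application)
# and its action. Assumption for this example: address objects are CIDRs or "any";
# address-sets and wildcard addresses are not modelled.
@dataclass
class Policy:
    name: str
    from_zone: str
    to_zone: str
    sources: List[str]
    destinations: List[str]
    applications: Set[str]
    action: str  # "permit" or "deny"

def _networks(addresses: List[str]) -> list:
    """Translate address objects to networks; "any" is treated as all of IPv4 here."""
    return [ipaddress.ip_network("0.0.0.0/0" if a == "any" else a, strict=False)
            for a in addresses]

def _covers_addresses(outer: List[str], inner: List[str]) -> bool:
    """Every network in `inner` must sit inside some network in `outer`."""
    outer_nets = _networks(outer)
    return all(any(i.version == o.version and i.subnet_of(o) for o in outer_nets)
               for i in _networks(inner))

def _covers_applications(outer: Set[str], inner: Set[str]) -> bool:
    """The application 'any' matches every service; otherwise require a subset."""
    return "any" in outer or inner <= outer

def covers(earlier: Policy, later: Policy) -> bool:
    """True if every session `later` could match is already matched by `earlier`.
    Junos evaluates the policies of a zone pair top-down and the first match
    wins, so a fully covered later policy is never reached."""
    return (earlier.from_zone == later.from_zone
            and earlier.to_zone == later.to_zone
            and _covers_addresses(earlier.sources, later.sources)
            and _covers_addresses(earlier.destinations, later.destinations)
            and _covers_applications(earlier.applications, later.applications))

def find_shadowed(policies: List[Policy]) -> List[Tuple[str, str, str]]:
    """Return (policy, finding, covering_policy) for every unreachable policy.
    'redundant': same action as the covering rule, deletable with no effect.
    'shadowed':  different action, the rule never applies and its intent is lost."""
    findings = []
    for index, later in enumerate(policies):
        for earlier in policies[:index]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break  # the first covering rule is enough to explain the finding
    return findings

# Constructed sample rulebase for the trust->untrust and dmz->untrust zone pairs.
SAMPLE_POLICIES = [
    Policy("allow-web", "trust", "untrust", ["10.1.0.0/16"], ["any"],
           {"junos-http", "junos-https"}, "permit"),
    Policy("allow-hr-web", "trust", "untrust", ["10.1.20.0/24"], ["any"],
           {"junos-http"}, "permit"),            # fully inside allow-web: redundant
    Policy("deny-hr-ssh", "trust", "untrust", ["10.1.20.0/24"], ["192.0.2.0/24"],
           {"junos-ssh"}, "deny"),               # ssh not covered above: reachable
    Policy("allow-all-out", "trust", "untrust", ["any"], ["any"], {"any"}, "permit"),
    Policy("deny-guest", "trust", "untrust", ["10.1.99.0/24"], ["any"],
           {"any"}, "deny"),                     # behind allow-all-out: shadowed
    Policy("dmz-dns", "dmz", "untrust", ["172.16.1.0/24"], ["any"],
           {"junos-dns-udp"}, "permit"),         # different zone pair: untouched
]

if __name__ == "__main__":
    for name, kind, covering in find_shadowed(SAMPLE_POLICIES):
        print(f"{name}: {kind} (covered by {covering})")
```

Running the sample flags allow-hr-web as redundant and deny-guest as shadowed, while deny-hr-ssh and dmz-dns are left alone because an earlier rule only partially overlaps them or they belong to a different zone pair. The shadowed finding is the one to treat as a security issue: the guest subnet the author meant to block is permitted by the broad rule above it.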

2. Analyzing Firewall Logs

Juniper firewall logs carry references back to the rules that triggered them. Analyzing the firewall configuration together with these logs therefore makes it possible to isolate redundant, covered and unused rules on these devices.

Firewall usage analysis is based on log records collected through the syslog interface. There are two simple ways to do this:

  • Store the log data in a file or directory and analyze it later.
  • Schedule log collection for a specific period of time, and then analyze that data.

Regularly schedule rule usage analysis for continuous rule-base optimization.
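The usage analysis described in this section can be demonstrated with a small parser. The following is an added example, not code from SolarWinds or Juniper; the log records are constructed and modelled on the Junos structured-syslog format in which RT_FLOW session events carry a `policy-name` field, and the list of configured policy names is likewise made up. It counts hits per policy over a collection window, lists configured policies that were never hit, and also surfaces policy names that appear in the logs but no longer exist in the configuration, which usually means the rulebase changed mid-window.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

# Session events that mark a policy being hit. RT_FLOW_SESSION_CLOSE also carries a
# policy-name, but it refers to a session already counted at creation, so it is skipped.
EVENT_RE = re.compile(r"\b(RT_FLOW_SESSION_(?:CREATE|DENY))\b")
# key="value" pairs inside the structured-data block of the record.
KV_RE = re.compile(r'(\S+?)="([^"]*)"')

def parse_flow_event(line: str) -> Optional[Dict[str, str]]:
    """Extract the event type and the policy-related fields from one syslog line.
    Returns None for lines that are not session-initiating flow events."""
    match = EVENT_RE.search(line)
    if not match:
        return None
    fields = dict(KV_RE.findall(line))
    if "policy-name" not in fields:
        return None
    return {
        "event": match.group(1),
        "policy": fields["policy-name"],
        "from_zone": fields.get("source-zone-name", ""),
        "to_zone": fields.get("destination-zone-name", ""),
        "src": fields.get("source-address", ""),
        "dst": fields.get("destination-address", ""),
    }

def rule_usage(lines: Iterable[str],
               configured: List[str]) -> Tuple[Counter, List[str], List[str]]:
    """Count hits per policy and compare them with the configured rulebase.
    Returns (hits, unused, unknown): `unused` are configured policies with no hits
    in the window, `unknown` are names seen in the logs but absent from the config."""
    hits: Counter = Counter()
    for line in lines:
        event = parse_flow_event(line)
        if event:
            hits[event["policy"]] += 1
    unused = [name for name in configured if hits[name] == 0]
    unknown = sorted(set(hits) - set(configured))
    return hits, unused, unknown

# Constructed list of policy names as they would be read from the device configuration.
CONFIGURED_POLICIES = ["allow-web", "allow-hr-web", "deny-guest", "dmz-dns"]

# Constructed sample records modelled on the Junos structured-syslog format.
SAMPLE_LOG_LINES = [
    '<14>1 2024-05-01T10:00:01.123Z fw1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.39 source-address="10.1.20.5" source-port="51514" destination-address="203.0.113.10" destination-port="443" service-name="junos-https" policy-name="allow-web" source-zone-name="trust" destination-zone-name="untrust" protocol-id="6"]',
    '<14>1 2024-05-01T10:00:02.456Z fw1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.39 source-address="10.1.30.7" source-port="40022" destination-address="203.0.113.20" destination-port="80" service-name="junos-http" policy-name="allow-web" source-zone-name="trust" destination-zone-name="untrust" protocol-id="6"]',
    '<14>1 2024-05-01T10:00:03.001Z fw1 RT_FLOW - RT_FLOW_SESSION_CLOSE [junos@2636.1.1.1.2.39 reason="TCP FIN" source-address="10.1.20.5" source-port="51514" destination-address="203.0.113.10" destination-port="443" service-name="junos-https" policy-name="allow-web" source-zone-name="trust" destination-zone-name="untrust" protocol-id="6"]',
    '<14>1 2024-05-01T10:00:04.789Z fw1 RT_FLOW - RT_FLOW_SESSION_DENY [junos@2636.1.1.1.2.39 source-address="10.1.99.12" source-port="60011" destination-address="198.51.100.9" destination-port="22" service-name="junos-ssh" protocol-id="6" policy-name="deny-guest" source-zone-name="trust" destination-zone-name="untrust"]',
    '<13>1 2024-05-01T10:00:05.000Z fw1 mgd - UI_COMMIT [junos@2636.1.1.1.2.39 username="admin" commit-type="commit"]',
    '<14>1 2024-05-01T10:00:06.321Z fw1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.39 source-address="10.1.40.2" source-port="33333" destination-address="203.0.113.30" destination-port="443" service-name="junos-https" policy-name="allow-web" source-zone-name="trust" destination-zone-name="untrust" protocol-id="6"]',
    '<14>1 2024-05-01T10:00:07.654Z fw1 RT_FLOW - RT_FLOW_SESSION_CREATE [junos@2636.1.1.1.2.39 source-address="10.1.50.1" source-port="47100" destination-address="192.0.2.25" destination-port="21" service-name="junos-ftp" policy-name="legacy-ftp" source-zone-name="trust" destination-zone-name="untrust" protocol-id="6"]',
]

if __name__ == "__main__":
    hits, unused, unknown = rule_usage(SAMPLE_LOG_LINES, CONFIGURED_POLICIES)
    for name in CONFIGURED_POLICIES:
        print(f"{name:15s} {hits[name]:5d} hits")
    print("unused in window:", unused)
    print("in logs but not in config:", unknown)
```

Two caveats matter when acting on the output. A policy only produces these records if session logging is enabled on it (in Junos, `then log session-init` on the policy), so a zero count on a policy that is not logging proves nothing; and a collection window has to be long enough to cover infrequent but legitimate traffic such as month-end batch jobs before a rule with no hits is treated as a candidate for removal.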

3. Handling the Command Line Interface (CLI)

CLI commands can be quite complex, and not everybody is adept at using them. In Juniper firewalls, the configuration is CLI-centric and is retrieved directly from the devices over SSH or Telnet connections. Unfortunately, this can be complicated, time-consuming and error-prone.

What's really needed is a simple-to-use interface which provides a consolidated view that is easily comprehensible and offers at-hand information to quickly identify discrepancies.

In Summary:

  1. Clean up your Juniper firewall rulebase regularly
  2. Analyze firewall logs for effective rule management
  3. Handle CLI commands from an intuitive management console

SolarWinds Firewall Security Manager is an easy-to-use firewall management solution that helps you better manage your Juniper and multi-vendor firewall devices from a single, intuitive interface for improved network security and administrative ease. Download a free trial today.