Viewing used Firewall Rules in nDepth

sparkey

Hello, 

I am looking to find out what rules our corporate Firewall is using, so I can start disabling old rules that are not in use anymore. Currently, I am using the rule buider in nDepth to do this by using the Alert Group Any Alert>ToolAlias>*FW* which does capture all logs from our Firewall. Is there a way to filter this down more to just show what firewall rules are being fired?

 

Thanks,

phil3

Hi, sparkey.

When you get the nDepth search results, do they include the types of alerts you're looking for? If not, it might be that your firewall doesn't log that level of detail.

Another (perhaps easier) way to see this data is to use the default Firewall filter on the Monitor tab. If your tool alias contains "FW" instead of "Firewall," though, you'll have to change the conditions of the filter. Check out the following KB for more information about working with filters: Creating Filters for Real-time Monitoring in Your LEM Console. (Note: You can edit existing filters by selecting it and then clicking Edit from the gear menu at the top of the Filters pane.)

Once you've found the alerts you want to see, try refining your filter or search using a definitive field/value combination. For example, if the EventInfo field says something like, "XYZ Rule Fired," try a condition like, EventInfo = *Rule Fired* where the asterisks are wildcard characters that allow your filter to show alerts whether the rule that fired is "XYZ" or "ABC."

Let me know whether this helps or if you have any other questions.

Thanks.