
Looking for a product to monitor firewall policies to detect bypass

My environment has 250 firewalls segmenting the network and protecting all internal systems from north/south as well as east/west traversal.

My management has asked me for a solution to monitor firewall policies to proactively monitor for anomalies.  The main anomaly they are asking to monitor is firewall policy bypass.  With a CONSTANT flow of firewall change requests being processed for a busy corporate environment, there is a concern that configuration errors might create a situation where firewall rules are suddenly being bypassed.

So essentially we are looking for something to tell us when we are below a normal threshold on hits for each firewall policy.  Thresholds are generally easy to measure when things exceed them, but I have found low thresholds problematic as 0 is 0 no matter how much you want it to be fractional or gradual.

Does anyone measure firewall policy counts?  

  • You mean something like this?

    My belief is that the right-hand number (in gray) is the number of hits to a specific rule.

    I guess what I want is more clarity:

    • Are you looking for a number of hits below a certain mark during a specific timeframe? (under 250 hits in the last hour)
    • Or are you looking for something even more granular?

    I should further clarify that I don't have the current knowledge on how to create this alert, but if the information is stored in the database, an alert should be possible.  It just depends on your specific needs.

  • Thanks for the reply.  Yes, I think the granularity will probably be on a per rule basis per time of day.  Some rules may only get hit intermittently a couple times a day while others are almost continuous when stores are open and drop to zero when closed.

    This is a generic ask from a giant retailer, so every kind of use case is likely, and so some will be in the former suggested category, and others will be in the latter.  My users want it all.

  • I'm going to say that the Network Configuration Manager (NCM) or Hybrid Cloud Observability - Advanced Edition can do this work.  The information is stored, so that's one thing in our collective favor.  The "trick" is going to be figuring out what qualifies as an alert in your use cases.

  • So we have NCM licenses for the firewalls, but it isn't in use.  We don't really need to or want to manage firewall configurations in SolarWinds; we actually have a dedicated set of teams, systems and processes for that.  However, if NCM is useful for this, I will investigate that.

    My current silo in SolarWinds has been to work almost entirely focused on snmp polling, a lot of custom poller work, and using swql to push the data into other applications.  I do not have hands-on yet with processing traps or syslog.  So I should do some investigation there as well.

    I've created low utilization alerts before on network interfaces, measuring zero...  Anytime you are measuring how low a zero is in a cluster, when normal traffic is perhaps 1 packet a day on one node, and 3 or 4 on the other nodes, when is zero really zero?

    Thresholds are easy when measuring "too much", but there isn't a lot of support for thresholding "not enough".

  • There are options.  You said you are getting into SWQL, and custom SWQL is an option for alerts.  It's just trying to figure out the logic behind it.
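The "not enough hits" logic the thread keeps circling around, as an added example that is not from any poster and not SolarWinds or SWQL code: a per-rule, per-hour-of-day baseline built from past hit counts, with the zero case handled explicitly (a bucket that is normally silent never alerts; a zero alerts only where the baseline never saw one). The rule names, hit counts and threshold ratio are constructed.

```python
from collections import defaultdict
from statistics import median

# Constructed history: (rule_id, hour_of_day, hits), one row per rule per hour per day.
# "store-pos" is busy while stores are open (09:00-20:00) and idle overnight;
# "backup-nightly" only fires twice a day, in the 02:00 hour.
def build_history(days=14):
    hist = []
    for day in range(days):
        for hour in range(24):
            hist.append(("store-pos", hour, 400 + (day % 3) * 25 if 9 <= hour <= 20 else 0))
            hist.append(("backup-nightly", hour, 2 if hour == 2 else 0))
    return hist

def baseline(history, min_samples=7):
    """Per (rule, hour-of-day) baseline: (median, minimum) of past hit counts.
    Buckets with fewer than min_samples days are dropped as untrusted."""
    buckets = defaultdict(list)
    for rule, hour, hits in history:
        buckets[(rule, hour)].append(hits)
    return {k: (median(v), min(v)) for k, v in buckets.items() if len(v) >= min_samples}

def check(observed, base, ratio=0.5):
    """Return (rule, hour, hits, reason) for each observed bucket that is below normal.
    Zero handling: a bucket whose median is 0 is normally silent and never alerts;
    zero hits alert only if the baseline never saw a zero in that hour
    (otherwise zero is inside the historical range); other counts alert
    when they fall under ratio * median."""
    alerts = []
    for rule, hour, hits in observed:
        if (rule, hour) not in base:
            continue  # no trusted baseline for this rule/hour (new rule or too few days)
        med, lo = base[(rule, hour)]
        if med == 0:
            continue
        if hits == 0:
            if lo > 0:
                alerts.append((rule, hour, hits, "zero hits, baseline minimum %d" % lo))
        elif hits < med * ratio:
            alerts.append((rule, hour, hits, "below %d%% of median %d" % (ratio * 100, med)))
    return alerts

if __name__ == "__main__":
    base = baseline(build_history())
    # Constructed "current hour" samples: a silent POS rule at noon, a missed backup,
    # an expected overnight zero, a half-volume afternoon and a normal one.
    sample = [("store-pos", 12, 0), ("store-pos", 3, 0),
              ("backup-nightly", 2, 0), ("store-pos", 13, 150), ("store-pos", 14, 300)]
    for a in check(sample, base):
        print(a)
```

Feeding the per-rule hit counters polled from the firewalls into `build_history`'s shape is the part left to the poller; the baseline and check are what an alert would evaluate each hour.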