My environment has 250 firewalls segmenting the network and protecting all internal systems from north/south as well as east/west traversal.
My management has asked me for a solution to monitor firewall policies to proactively monitor for anomalies. The main anomaly they are asking to monitor is firewall policy bypass. With a CONSTANT flow of firewall change requests being processed for a busy corporate environment, there is a concern that configuration errors might create a situation where firewall rules are suddenly being bypassed.
So essentially we are looking for something to tell us when we are below a normal threshold on hits for each firewall policy. Thresholds are generally easy to measure when things exceed them, but I have found low thresholds problematic as 0 is 0 no matter how much you want it to be fractional or gradual.
Does anyone measure firewall policy counts?