
NCM and FSM: Two SolarWinds Products to Make Firewall Configuration Management Easier

Level 13

I try to avoid writing blog posts that are strictly related to our products at SolarWinds, but as I was recently conceptualizing some content for our newest product, Firewall Security Manager, I learned something that's just too good not to share. FSM came to us when we acquired Athena Security a few months back. This product utilizes firewall configuration files to analyze and manage firewall rules and changes offline to eliminate any potential impact planning might have on the production network. For years, Athena Security advertised their ability to integrate with SolarWinds NCM, so they were a perfect candidate for joining our family. In this post, I'd like to illustrate just how these two products work so well together.

Integrating FSM and NCM for 360-degree Firewall Management

For those of you who don't know, SolarWinds NCM is network configuration change management software that allows you to back up, analyze, and modify the configuration files on all of your network devices. Of course, this includes firewalls and firewall-capable routing devices, so it was natural for the team at Athena Security to leverage that functionality. With these two products, you can collect, analyze, and update your device configurations without ever having to go to the command line or manually access the device itself.

Collecting the Config Files

In FSM you have several options for collecting configuration files: you can connect directly to a Cisco or Juniper NetScreen device; you can connect to a Check Point management server; or you can import a single set of configuration files from your company's file system. You can also connect to your NCM server to import configs from several devices, regardless of vendor (assuming the devices are supported). This allows you to leverage what NCM has already done for you and streamline the initial import process in FSM.

Analyzing the Config Files

This step is where FSM really shines. After you have the config files in FSM, you can analyze your firewall rules in human-readable tables, compare different versions of configuration files, and even generate reports to tell you which rules aren't being used or open your network to security risks. Using the various tools and reports in FSM, you can easily identify what needs to be changed on which devices, and then test those changes in an offline change-modeling environment to ensure your changes won't have any adverse effects.

Updating the Device Configurations

After you have identified what needs changing, FSM generates change scripts with the proposed changes. These scripts are fully editable, so it's easy to change only what you want and customize where necessary. When you've finalized the scripts, you can manually push them out to your devices using your preferred method, or you could use NCM to do that for you. NCM allows you to execute scripts on the devices it manages, so that closes the loop we started in step 1 when we used NCM to import the device configs into FSM.

I look forward to learning more about how to use FSM and NCM together as I continue working on this product, and I'll share tips as I learn them. If you like reading articles like this on Geek Speak, please let me know in the comments.

Level 15

Helpful information.  Thanks!

Level 12

This is very interesting. Of all devices, firewalls are some of the most important. I'll have to test out FSM and see if it can provide the reporting and suggestions I need. Having a full change management system.

Level 15

I was impressed.  I downloaded the FSM eval and installed it on my workstation (it is an eval after all) and it was able to read my config from NCM.  That's as far as I got before my day ended.  Looking forward to some reporting and analysis tomorrow.  Looking at installing new firewalls and don't want to carry over dead weight from the old firewall to the new firewalls.  Hopefully, you have similar experiences.

Level 12

Thank you jkump for your comments. I might have to try it out on the systems we already have in NCM. Currently we have a third party managing our main firewalls for this purpose, but if we could somehow pull the change management in-house, and just use them or someone else for monitoring, I think this might be the way to do it. I'll check it out this week if I get a chance.

About the Author
Phil3 is a self-proclaimed resident of Cascadia. He also feels like George Costanza when he writes in 3rd person: "Phil3's getting upset!"