FSM is a new product, now part of the SolarWinds portfolio, which can perform analysis and reporting around security rules that are in your firewall and router configurations.
Even though the product is called “Firewall Security Manager”, it is also very much applicable to the security rules of your routers.
So think of “Firewall” as the function and not the device.
FSM has tremendous value not only for analysing the configuration of firewalls (the devices), but it also does a great job looking at the firewalling features of your routers, such as ACLs and NAT.
FSM supports the following devices:
• Cisco Security Appliances: PIX, ASA, FWSM, ASA 8.3
• Cisco IOS routers: Version 12.0 to 12.14, excluding X* Series
• Juniper firewalls: Netscreen, SSG, ISG
• Check Point™ products: SmartCenter NG/NGX, Security Management R70
• Check Point™ platforms: SecurePlatform, Check Point IPSO (formerly Nokia), Crossbeam, Linux, Solaris
The product can be run standalone, or integrated with SolarWinds Network Configuration Manager (NCM). More on this integration here.
It’s worth mentioning that FSM is a feature-rich product, and this blog post covers only its main features.
But before we look at those, let’s talk first about whether it’s for you.
If you are in any way involved in firewalling, FSM is for you, but here is more detail, depending on which situation fits you best:
Most of the time, before you do anything, you need to deal with already existing security rules.
A lot of security rules.
As a result, they are convoluted, redundant and sometimes possibly conflicting.
You need to clean and simplify them, without impacting the traffic.
So readability is the first thing FSM will help you with.
With FSM, your visibility will upgrade from this type of view (basically a text file):
to this
Notice the different tabs, which give you clear visibility on your ACLs (Security Rules), NAT Rules, Network Objects…
And if you are still emotionally attached to the long, disorganized and sometimes messy blocks of text in your configs, no worries, they are still there in the Native Configs tab:
For more, take a look at the online demo or, as always with SolarWinds products, you can download a free evaluation copy here.
Ok, this is cool, but what about the “expertise” that was discussed at the beginning?
Read the sections below.
Let’s take a “simple” example to illustrate how FSM can help in this area:
Unless you are doing this 8 hours per day, it might not jump out at you that there are redundant, and therefore useless, rules in this extract of a PIX firewall config.
Before your head hurts, let’s see below what the FSM Cleanup report advises you to do.
Line 106 is identified as redundant to preceding rule 93, which allows FTP access from all addresses.
Clearly rule 93 will match any packet that rule 106 might match, and so rule 106 never gets triggered.
Consequently it does not contribute to the behavior of the firewall and can be removed.
Too easy? Let’s take a closer look at line 83 and its interaction with lines 80 and 81.
Are you noticing something? FSM does!
FSM’s Cleanup report tells you that 83 is shadowed by 80 and 81.
Rule 83 is allowing a group of mail services.
It is identified as shadowed by the combination of the two preceding rules 80 and 81. These two rules will match anything that rule 83 might match and therefore rule 83 does not contribute to the behavior of the firewall and is a candidate for being removed.
This looks like another redundancy case, but rule 83 is marked as “shadowed” rather than “redundant”: the permit action at rule 83 conflicts with the deny actions of rules 80 and 81.
A conflict of this kind indicates that there may be some intention on the part of the firewall administrator that is not being carried out.
It turns out that rules 80 and 81 were inserted for a debugging purpose, and that purpose is now long past.
The correct action here is to remove rules 80 and 81, thus restoring the permit at rule 83, rather than removing rule 83 itself as a plain redundancy cleanup would suggest.
Now that your configurations are cleaned-up and optimized, are they safe? Are there security holes in them?
This is what the FSM Audit report will tell you.
For example, check C31 indicates that mail services are allowed from the Internet to the internal network.
Since the mail server is on the DMZ, it is disturbing to see mail services allowed into the internal network.
Click Details to understand more about which rules create the C31 security risk.
To find out even more about why the combination of these security and translation rules creates the risk, you can click the rule numbers and see the full detail and, more importantly, the recommendation.
FSM has many features in this category and it would be too long to describe them all here, so let’s just briefly describe a few:
But let’s focus a bit more on one of the most spectacular change management features of FSM: Packet Tracer!
There are 2 main use cases for packet tracer:
Now that you understand the use cases: here is the only input you need to give Packet Tracer before it can do its magic:
The result is an assessment of a) whether or not the packets will cross the network between the two specified addresses and b) if not, why and where they are blocked.
Basically, FSM’s Packet Tracer understands how security and translation rules, as well as routing tables and VPNs, interact with your packets, and predicts connectivity (or the lack of it).
And it does this, without injecting test packets on the network or sniffing the network.
Result:
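To make the Cleanup report logic (redundant vs. shadowed rules, as in the rule 93/106 and 80/81/83 cases above) and the Packet Tracer idea concrete, here is an added example that is not SolarWinds or FSM code: a toy first-match ACL analyser in Python plus a minimal tracer over the same rule list. The rule numbers, networks and services are constructed to mirror the blog’s PIX extract; the object-group expansion, the single-covering-rule simplification and the absence of NAT, routing and VPN lookups are all assumptions of this toy, not properties of FSM.

```python
"""Added example, not SolarWinds/FSM code: a toy first-match ACL analyser that
flags redundant and shadowed rules, plus a minimal packet tracer over the same
rule list.  Rule numbers, networks and services are constructed to mirror the
blog's PIX extract (rules 80/81/83 and 93/106); they are not real configs."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Iterator, List, Optional, Tuple


@dataclass(frozen=True)
class Service:
    proto: str           # "tcp", "udp", or "ip" (matches any protocol)
    lo: int = 0          # inclusive destination-port range
    hi: int = 65535

    def covers(self, other: "Service") -> bool:
        if self.proto != "ip" and self.proto != other.proto:
            return False
        return self.lo <= other.lo and other.hi <= self.hi


@dataclass
class Rule:
    number: int
    action: str                  # "permit" or "deny"
    sources: List[IPv4Network]   # object-group style: several networks per rule
    dests: List[IPv4Network]
    services: List[Service]

    def atoms(self) -> Iterator[Tuple[IPv4Network, IPv4Network, Service]]:
        """Expand the object groups into (src, dst, service) triples."""
        for s in self.sources:
            for d in self.dests:
                for svc in self.services:
                    yield (s, d, svc)


def atom_covered(atom, rule: Rule) -> bool:
    s, d, svc = atom
    return any(s.subnet_of(rs) and d.subnet_of(rd) and rsvc.covers(svc)
               for rs, rd, rsvc in rule.atoms())


def analyse(rules: List[Rule]) -> List[Tuple[int, str, List[int]]]:
    """Cleanup-style report: (rule number, 'redundant' | 'shadowed', covering rules)
    for each rule that never sees a packet an earlier rule did not already take.
    'redundant': every covering rule has the same action.  'shadowed': at least one
    covering rule has a different action, so the intent behind the rule is lost.
    Assumption: each atom must sit inside ONE earlier rule; an atom covered only by
    the union of two earlier rules is not detected by this toy."""
    findings = []
    for i, rule in enumerate(rules):
        covering: List[Rule] = []
        for atom in rule.atoms():
            hit = next((r for r in rules[:i] if atom_covered(atom, r)), None)
            if hit is None:
                break                       # some traffic still reaches this rule
            if hit not in covering:
                covering.append(hit)
        else:
            kind = ("redundant" if all(r.action == rule.action for r in covering)
                    else "shadowed")
            findings.append((rule.number, kind, sorted(r.number for r in covering)))
    return findings


def trace(rules: List[Rule], src: str, dst: str, proto: str, dport: int
          ) -> Tuple[str, Optional[int]]:
    """Packet-Tracer-style check: first-match evaluation of one flow against the
    ordered rule list, ending in the implicit deny.  Returns (verdict, deciding
    rule number); None means the implicit deny.  No NAT/routing/VPN here."""
    s, d, want = ip_address(src), ip_address(dst), Service(proto, dport, dport)
    for rule in rules:
        if any(s in rs and d in rd and rsvc.covers(want) for rs, rd, rsvc in rule.atoms()):
            return rule.action, rule.number
    return "deny", None


def without(rules: List[Rule], *numbers: int) -> List[Rule]:
    """The proposed cleanup: the rule list with the given rule numbers removed."""
    return [r for r in rules if r.number not in numbers]


ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("192.0.2.0/24")                # constructed DMZ
MAIL_SERVER = ip_network("192.0.2.25/32")       # constructed DMZ mail host
FTP = [Service("tcp", 21, 21)]
MAIL = [Service("tcp", 25, 25), Service("tcp", 110, 110), Service("tcp", 143, 143)]

SAMPLE_RULES = [                                # constructed; numbers follow the post
    Rule(80, "deny", [ip_network("10.0.0.0/8")], [MAIL_SERVER], MAIL),     # debug leftover
    Rule(81, "deny", [ip_network("172.16.0.0/12")], [MAIL_SERVER], MAIL),  # debug leftover
    Rule(83, "permit", [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12")],
         [MAIL_SERVER], MAIL),
    Rule(93, "permit", [ANY], [DMZ], FTP),
    Rule(106, "permit", [ip_network("198.51.100.0/24")], [DMZ], FTP),
]

if __name__ == "__main__":
    for number, kind, by in analyse(SAMPLE_RULES):
        print(f"rule {number} is {kind} (covered by {by})")
    print(trace(SAMPLE_RULES, "10.1.2.3", "192.0.2.25", "tcp", 25))
    print(trace(without(SAMPLE_RULES, 80, 81), "10.1.2.3", "192.0.2.25", "tcp", 25))
```

On the constructed list, `analyse` reports rule 106 as redundant to rule 93 and rule 83 as shadowed by rules 80 and 81, matching the two cases discussed above; `trace` shows the practical difference between the two cleanups, since dropping rule 83 changes nothing for a mail flow from 10.0.0.0/8, while dropping rules 80 and 81 flips that flow from deny to permit at rule 83. Run any candidate cleanup through the tracer for the flows you care about before committing it.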
Hopefully you got the point: FSM is a very feature-rich product and brings you tons of expertise in the firewalling area (firewalls and routers).
It has many other features that we’ll discuss in future blog posts.
In the meantime, you can download a free evaluation of FSM here and see for yourself!
Like always with SolarWinds products, it installs super-fast and provides value in less than 1 hour.
If you have read the above, it should be obvious that FSM is a very natural extension of SolarWinds Network Configuration Manager (NCM).
The good news is: they are already integrated (NCM v7.1 recommended)!
Install both and you really have a best of breed platform to rely on, as far as managing your firewall and router configurations!
Once installed, it takes just a few clicks, before you can get tremendous value from FSM.
Download the FSM evaluation copy here, you can do all this in less than 30 minutes.
Once the FSM client is started, click on this icon
Then select the NCM import option, give the NCM URL and admin credentials, and select your NCM nodes from the list below (don't select those with type=unknown, and prefer those that have ACLs in their configs).
Hit Finish and you will see your FSM Inventory tab (left panel) populated with your firewall and router devices.
Their configs are now in FSM, you are ready to start.
The best way to see what the product can do is either to explore it yourself or to look at the online demo.
Note that in terms of adjacencies with other SolarWinds products, FSM is also very close to LEM, the Log and Event Manager, so you might be interested in taking a look at LEM too!
Here are the main FSM resources: Online demo, home page, evaluation download, thwack area, prices, HW&SW requirements, FAQs