Welcome Firewall Security Manager (FSM) to the SolarWinds family

What is Firewall Security Manager (FSM)?

FSM is a new product, now part of the SolarWinds portfolio, which can perform analysis and reporting around security rules that are in your firewall and router configurations.

Even though the product is called “Firewall Security Manager”, it is also very much applicable to the security rules of your routers.

So think of “Firewall” as the function and not the device.

FSM has value not only for analyzing the configuration of firewalls (the devices), but also for analyzing your routers’ firewalling features such as ACLs and NAT.

FSM supports the following devices:

• Cisco Security Appliances: PIX, ASA, FWSM, ASA 8.3

• Cisco IOS routers: Version 12.0 to 12.14, excluding X* Series

• Juniper firewalls: Netscreen, SSG, ISG

• Check Point™ products: SmartCenter NG/NGX, Security Management R70

• Check Point™ platforms: SecurePlatform, Check Point IPSO (formerly Nokia), Crossbeam, Linux, Solaris

The product can be run standalone, or integrated with SolarWinds Network Configuration Manager (NCM). More on this integration in the NCM integration section below.

It’s worth mentioning that FSM is a feature rich product, and this blog post covers only the main features of the product.

But before we look at those, let’s talk first about whether it’s for you.

FAQs: Who is Firewall Security Manager (FSM) designed for?

If you are involved in firewalling in any way, FSM is for you, but here is more detail, depending on which situation fits you best:

  • I already own NCM, so why do I need FSM?
  • Firewalling and security really are not my forte, how can FSM help?
  • Security is my bag already, what does FSM buy me?

I already own NCM, so why do I need FSM?

  • You spend time around security statements in your configs, and you find them very hard to read, making them difficult to understand and risky to modify.
  • Security statements in your configs have a long history and/or are modified by several people.
    As a result, they are convoluted, redundant and sometimes conflicting.
    You need to clean and simplify them without impacting the traffic.
  • You need security reports that tell you the current security level of your configs and advise you on how to improve, above and beyond the compliance checks of NCM.
  • NCM is great for helping you roll out an ACL or NAT change, but does not understand the effect that this change will have on the traffic.
    In addition, the traffic on an end-to-end path is affected by the combined effect of multiple firewalls and routers, and you need a tool that helps you predict the impact that one or more combined changes will have, from an end-to-end point of view.

Firewalling and security really are not my forte, how can FSM help?

  • You need expert advice on firewall and router security so you don’t have to spend time becoming proficient in standards such as NSA, NIST, SANS or PCI, or creating firewall compliance checks completely from scratch.
  • You need a safe environment to experiment with your changes, try several scenarios, and predict their end-to-end effect BEFORE pushing them live.
    When you are satisfied with the predicted behavior, you want assistance in implementing these changes, and you want to be able to roll back easily in case of problems.

Security is my bag already, what does FSM buy me?

  • Even though you are proficient in this area, security is a complex domain and you’d like a tool that double-checks your work before you deploy to production.
  • Auditors and/or security meetings require frequent reports on your current security levels, and creating these reports manually is an arduous task you’d love to automate.
  • Your network is complex and you find it difficult to predict the effect of a change in firewall security rules from an end-to-end perspective.
  • User requests are driving you to make frequent changes to your security objects and you need a simple but effective change management process, allowing your users to request changes via a simple Web interface, which you can then review, implement, test and deploy.

Under the hood: What can Firewall Security Manager (FSM) do?

ACL editor that improves readability

Most of the time, before you do anything, you need to deal with already existing security rules.

A lot of security rules.

So readability is the first thing FSM will help you with.

With FSM, your visibility will upgrade from this type of view (basically a text file):

[Screenshot: ACL editor raw view] to this: [Screenshot: ACL editor Firewall Security Manager view]

Notice the different tabs, which give you clear visibility on your ACLs (Security Rules), NAT Rules, Network Objects…

And if you are still emotionally attached to the long, disorganized and sometimes messy blocks of text in your configs, no worries, they are still there in the Native Configs tab:

[Screenshot: ACL editor raw view in FSM tab]

For more, take a look at the online demo or, as always with SolarWinds products, download a free evaluation copy.

Ok, this is cool, but what about the “expertise” that was discussed at the beginning?

Read the sections below.

Access Control List Cleanup

Let’s take a “simple” example to illustrate how FSM can help in this area:

[Screenshot: ACL cleanup raw configuration]

Unless you are doing this 8 hours per day, it might not jump out at you that there are redundant, and therefore useless, rules in this extract of a PIX firewall config.

Before your head hurts, let’s see below what the FSM Cleanup report advises you to do.

[Screenshot: ACL cleanup report extract]

Line 106 is identified as redundant to preceding rule 93, which allows FTP access from all addresses.

Clearly rule 93 will match any packet that rule 106 might match, and so rule 106 never gets triggered.

Consequently it does not contribute to the behavior of the firewall and can be removed.

Was that too easy? Let’s take a closer look at line 83 and its interaction with lines 80 and 81.

[Screenshot: ACL cleanup report extract, shadowed rule]

Are you noticing something? FSM does!
FSM’s Cleanup report tells you that 83 is shadowed by 80 and 81.

Rule 83 is allowing a group of mail services.

It is identified as shadowed by the combination of the two preceding rules 80 and 81. Together, these two rules will match anything that rule 83 might match, and therefore rule 83 does not contribute to the behavior of the firewall and is a candidate for removal.

This looks like another redundancy case, but rule 83 is marked as "shadowed" rather than "redundant", and that means the permit action at rule 83 conflicts with the deny actions of rules 80 and 81.

This indicates that there is some intention on the part of the firewall administrator that is not being carried out here, so the fix is not simply to delete rule 83.

It turns out that rules 80 and 81 were inserted for a debugging purpose, and that purpose is now long past.

The correct action here is to remove rules 80 and 81, thus restoring the “permit” at rule 83.
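The analysis behind those Cleanup verdicts can be reproduced offline. The following is an added example, not FSM's code: it treats each rule's match space as a box in (source, destination, port) and subtracts every preceding rule from it, so it catches a rule covered by the union of several earlier rules, not only by a single one. The line numbers, addresses and ports are constructed to mirror the post's two cases (a permit covered by an earlier permit, and a permit covered by two earlier denies that split the mail network in half); protocol and source ports are left out for brevity.

```python
"""Redundant vs. shadowed rule detection over an ordered ACL.

Added example, not FSM code. Line numbers, addresses and ports are constructed
to mirror the post: a later permit fully covered by an earlier permit
(redundant) and a later permit fully covered by the union of two earlier denies
(shadowed). Only destination ports are modelled; a real analyzer adds protocol
and source ports as further dimensions split the same way.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    line: int           # position in the config (first match wins)
    action: str         # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    ports: tuple        # (low, high) inclusive destination port range


def subtract(space, rule):
    """Return the parts of `space` = (src, dst, plo, phi) that `rule` does not match.

    Disjoint in any dimension: nothing removed. Fully covered: nothing left.
    Otherwise split along the first dimension the rule does not fully cover
    (network halves, then port range) and recurse on the pieces.
    """
    src, dst, plo, phi = space
    rlo, rhi = rule.ports
    if not src.overlaps(rule.src) or not dst.overlaps(rule.dst):
        return [space]
    if phi < rlo or plo > rhi:
        return [space]
    if src.subnet_of(rule.src) and dst.subnet_of(rule.dst) and rlo <= plo and phi <= rhi:
        return []
    if not src.subnet_of(rule.src):
        return [p for half in src.subnets() for p in subtract((half, dst, plo, phi), rule)]
    if not dst.subnet_of(rule.dst):
        return [p for half in dst.subnets() for p in subtract((src, half, plo, phi), rule)]
    rest = []           # addresses are covered; only the port range is partial
    if plo < rlo:
        rest.append((src, dst, plo, rlo - 1))
    if phi > rhi:
        rest.append((src, dst, rhi + 1, phi))
    return rest


def analyze(rules):
    """Map each rule's line to None (it can fire) or ("redundant"|"shadowed", lines).

    Walks the ACL in match order, subtracting every preceding rule from the
    current rule's match space. A rule whose space is exhausted can never fire:
    'redundant' if every rule that ate part of it has the same action,
    'shadowed' if at least one has the opposite action (a likely intent bug).
    """
    verdicts = {}
    for i, rule in enumerate(rules):
        remaining = [(rule.src, rule.dst, rule.ports[0], rule.ports[1])]
        eaters = []
        for prev in rules[:i]:
            before = remaining
            remaining = [p for space in remaining for p in subtract(space, prev)]
            if remaining != before:          # prev matched part of this rule's space
                eaters.append(prev)
            if not remaining:
                break
        if remaining:
            verdicts[rule.line] = None
        elif all(p.action == rule.action for p in eaters):
            verdicts[rule.line] = ("redundant", [p.line for p in eaters])
        else:
            verdicts[rule.line] = ("shadowed", [p.line for p in eaters])
    return verdicts


def recommendations(rules, verdicts):
    """Cleanup advice: redundant rules can go; shadowed rules need a human decision."""
    advice = []
    for rule in rules:
        verdict = verdicts[rule.line]
        if verdict is None:
            continue
        kind, lines = verdict
        if kind == "redundant":
            advice.append(f"remove line {rule.line}: redundant to {lines}")
        else:
            advice.append(f"review line {rule.line}: shadowed by {lines}; "
                          "either it or the shadowing rules carry the wrong intent")
    return advice


# Constructed sample (not the real config). Lines 80/81 are leftover debugging
# denies that between them cover the whole mail network.
SAMPLE_ACL = [
    Rule(80, "deny", ANY, IPv4Network("10.1.1.0/25"), (25, 143)),
    Rule(81, "deny", ANY, IPv4Network("10.1.1.128/25"), (25, 143)),
    Rule(83, "permit", ANY, IPv4Network("10.1.1.0/24"), (25, 143)),   # mail services
    Rule(93, "permit", ANY, ANY, (21, 21)),                            # FTP from anywhere
    Rule(106, "permit", IPv4Network("192.168.0.0/16"), IPv4Network("10.2.0.0/16"), (21, 21)),
    Rule(120, "permit", IPv4Network("192.168.0.0/16"), IPv4Network("10.2.0.0/16"), (80, 443)),
]

if __name__ == "__main__":
    for line in recommendations(SAMPLE_ACL, analyze(SAMPLE_ACL)):
        print(line)
```

Running it reports line 106 as redundant to 93 and line 83 as shadowed by 80 and 81; the other rules still contribute. The split-and-subtract approach is what makes the second verdict possible: a check that only compares a rule against one predecessor at a time would miss coverage that is spread over several rules.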

Configuration Security Audit

Now that your configurations are cleaned-up and optimized, are they safe? Are there security holes in them?

This is what the FSM Audit report will tell you.

[Screenshot: Security Audit reporting]

For example, check C31 indicates that mail services are allowed from the Internet to the internal network.

Since the mail server is on the DMZ, it is disturbing to see mail services allowed into the internal network.

Click Details to understand which rules create the C31 security risk.

[Screenshot: Security Audit reporting details]

To find out more about why the combination of these security and translation rules creates the risk, click the rule numbers to see the full detail and, more importantly, the recommendation.

Change Management

FSM has many features in this category and it would be too long to describe them all here, so let’s just briefly describe a few:

  • Configuration Diffs highlights all changes between successive versions of your configs (FSM keeps the history).
  • Change Advisor has a web interface that allows your network users to submit config change requests. These requests can then be reviewed by network engineers/firewall administrators, implemented, tested before they go live, and then pushed to production.
  • You even have a Change Modeling environment, which makes copies of your configs in a special context called a “session”, which you can use to prototype any number of changes without touching your master versions of the configs (those that currently run on the devices).

But let’s focus a bit more on one of the most spectacular change management features of FSM: Packet Tracer!

There are two main use cases for Packet Tracer:

  • You are making a change in your security rules, and you want to be sure that you are not inadvertently breaking connectivity between two points of your network.
    Have your configs reviewed by FSM, and get a prediction of whether or not your config changes will do something wrong, before they go into production.
  • Somebody comes to you and asks for help figuring out why a portion of your network can’t exchange some type of traffic with another area.
    Have FSM look at the end-to-end path between these two sites and tell you what happens.

Now that you understand the use cases: here is the only input you need to give Packet Tracer before it can do its magic:

[Screenshot: ACL change management virtual packet tracer input]

The result is an assessment of a) whether or not the packets will cross the network between the two specified addresses and b) if not, why and where they are blocked.

Basically, FSM’s Packet Tracer understands how security and translation rules, as well as routing tables and VPNs, interact with your packets, and predicts connectivity (or the lack of it).

And it does this without injecting test packets on the network or sniffing the network.

Result:

  • Fewer config mistakes.
    Ever heard the statistic that 80% of network faults were not hardware issues but config changes not properly controlled and understood? Here is a product that will help you in this regard.
  • Faster troubleshooting.
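What Packet Tracer predicts can be sketched in a few dozen lines. The following is an added example, not FSM's Packet Tracer, and everything in it is constructed: a three-hop topology (branch router, edge firewall with a static translation, data-center core), a trace that applies each hop's ingress ACL, then NAT, then a longest-prefix route lookup, and a second run against a "session" copy of the configs carrying a proposed change. The proposed change names the server's real address in an ACL that, in this model, is evaluated before translation, so the packet still carries the public address and is dropped; that is the kind of security/translation interaction a tracer exists to catch. The evaluation order is a modelling assumption: platforms differ in whether ACLs see pre- or post-translation addresses, and a real tracer has to encode each device's actual order.

```python
"""Offline end-to-end connectivity prediction across routers and firewalls.

Added example, not FSM's Packet Tracer. Topology, addresses and rules are all
constructed. Per hop the model applies the ingress ACL (first match wins,
implicit deny, no ACL means no filter), then static destination NAT, then a
longest-prefix route lookup. That order is a modelling assumption; real
platforms differ, and a tracer must encode each device's actual order.
"""
from copy import deepcopy
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

ANY = IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass
class Device:
    name: str
    routes: list                              # (IPv4Network, next-hop device name or "connected")
    acl: list = field(default_factory=list)   # ordered (action, src_net, dst_net, plo, phi)
    nat: dict = field(default_factory=dict)   # static destination NAT: public addr -> real addr


def acl_verdict(acl, pkt):
    """Return (action, entry index). No ACL permits; no matching entry denies."""
    if not acl:
        return "permit", None
    for n, (action, src, dst, plo, phi) in enumerate(acl):
        if pkt.src in src and pkt.dst in dst and plo <= pkt.dport <= phi:
            return action, n
    return "deny", None


def next_hop(dev, dst):
    """Longest-prefix match over the device's routes; None if unroutable."""
    best = None
    for net, hop in dev.routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def trace(devices, first_hop, pkt, max_hops=16):
    """Walk the packet hop by hop; return (delivered, path, reason)."""
    path, here = [], first_hop
    for _ in range(max_hops):
        dev = devices[here]
        path.append(here)
        action, idx = acl_verdict(dev.acl, pkt)
        if action != "permit":
            why = f"ACL entry {idx}" if idx is not None else "implicit deny"
            return False, path, f"dropped at {here} by {why} (dst seen as {pkt.dst})"
        if pkt.dst in dev.nat:                # translate after the ACL decision (assumption)
            pkt = Packet(pkt.src, dev.nat[pkt.dst], pkt.dport)
        hop = next_hop(dev, pkt.dst)
        if hop is None:
            return False, path, f"no route to {pkt.dst} at {here}"
        if hop == "connected":
            return True, path, f"delivered to {pkt.dst} via {here}"
        if hop not in devices:
            return False, path, f"next hop {hop} is outside the modelled topology"
        here = hop
    return False, path, "hop limit exceeded (routing loop?)"


# Constructed topology: branch -> edge firewall (NAT) -> data-center core.
SERVER_PUBLIC, SERVER_REAL = IPv4Address("203.0.113.10"), IPv4Address("10.2.0.10")
TOPOLOGY = {
    "branch-rtr": Device("branch-rtr",
                         routes=[(IPv4Network("192.168.10.0/24"), "connected"), (ANY, "edge-fw")]),
    "edge-fw": Device("edge-fw",
                      routes=[(IPv4Network("10.2.0.0/16"), "dc-core"), (ANY, "internet")],
                      acl=[("permit", ANY, IPv4Network("203.0.113.10/32"), 443, 443)],
                      nat={SERVER_PUBLIC: SERVER_REAL}),
    "dc-core": Device("dc-core",
                      routes=[(IPv4Network("10.2.0.0/16"), "connected")],
                      acl=[("permit", ANY, IPv4Network("10.2.0.0/16"), 443, 443)]),
}
PKT = Packet(IPv4Address("192.168.10.5"), SERVER_PUBLIC, 443)   # client uses the published address


def predict_current():
    """Prediction against the master configs."""
    return trace(TOPOLOGY, "branch-rtr", PKT)


def predict_proposed():
    """Prediction in a session copy where the edge ACL names the server's real address.
    It looks tighter, but the ACL runs before NAT here, so the packet still carries
    the public address and falls through to the implicit deny."""
    session = deepcopy(TOPOLOGY)              # never touch the master configs
    session["edge-fw"].acl = [("permit", ANY, IPv4Network("10.2.0.10/32"), 443, 443)]
    return trace(session, "branch-rtr", PKT)


if __name__ == "__main__":
    for label, (delivered, path, reason) in (("current", predict_current()),
                                             ("proposed", predict_proposed())):
        print(f"{label}: {'OK' if delivered else 'BLOCKED'} via {' -> '.join(path)}; {reason}")
```

The current configs deliver the packet through all three hops; the proposed change is reported as dropped at edge-fw by the implicit deny, with the destination address the ACL actually saw. Nothing is sent on the wire: the prediction comes purely from the configs, which is why it can be run against a session copy before anything is pushed.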

Others

Hopefully you got the point: FSM is a very feature-rich product and brings you a lot of expertise in the firewalling area (firewalls and routers).

It has many other features that we’ll discuss in future blog posts.

In the meantime, you can download a free eval of FSM and see for yourself!

Like always with SolarWinds products, it installs super-fast and provides value in less than 1 hour.

NCM integration

If you have read the above, it should be obvious that FSM is a very natural extension of SolarWinds Network Configuration Manager (NCM).

The good news is: they are already integrated (NCM v7.1 recommended)!

  • FSM can get device configurations directly from NCM’s database. No need to duplicate those configs in 2 separate products.
  • FSM can execute changes (e.g. cleanup scripts) on devices via NCM’s scripting feature. You maintain your device credentials in only one product and not 2.

Install both and you really have a best of breed platform to rely on, as far as managing your firewall and router configurations!

Once installed, it takes just a few clicks, before you can get tremendous value from FSM.

Want to try now?

Download the FSM evaluation copy here, you can do all this in less than 30 minutes.

Once the FSM client is started, click this icon:

[Screenshot: FSM import button]

Then select the NCM import option, give the NCM URL and admin credentials, and select your NCM nodes from the list (don't select those that have type=unknown, and prefer those that have ACLs in their configs):

[Screenshot: FSM integration with NCM]

Hit Finish and you will see the FSM Inventory tab (left panel) populated with your firewall and router devices.

Their configs are now in FSM; you are ready to start.

The best way to see what the product can do is either to explore it yourself or to look at the online demo.

Note that in terms of adjacencies with other SolarWinds products, FSM is also very close to LEM, the Log and Event Manager, so you might be interested in taking a look at LEM too!

Resources

Here are the main FSM resources: Online demo, home page, evaluation download, thwack area, prices, HW&SW requirements, FAQs

80 Comments
Level 12

I am pleasantly surprised Solarwinds forayed in to Firewall management as well, which has been a big pain area for us. We have seen dozens of demos from various companies selling products dedicated for rules management. The feature list here covers almost everything that other dedicated players have got to offer.

But I am particularly skeptic about packet tracing (claims of understanding routing) but I want to try first and see...

Level 15

Thanks for your comment thamizh85. Let us know how your test goes.

What are the most important features that you value in a product like this and your favorite use cases?

IOW, can you elaborate on the " big pain area"?

Thanks again

Level 14

This is fantastic news and we've been waiting for this for some time .  Now we will just need to wait a bit longer as Juniper SRX firewalls don't appear to be supported?

Level 15

No they are not, but there are talks. Would love your feedback on the product, even if what you can do in your env't will be limited due to SRX. No Juniper FW's in your network?

Level 12

Just found out that MS SQL isn't supported, which has stopped our trial in its steps. Is there any plan to migrate to SQL from Firebird?

Level 15

Not at this time, but we'll take good note of this problem. 169709

Can you elaborate on why not supporting MS SQL is a blocker? The database under FSM is fairly transparent, does not require any particular care.

Is this a strict policy in your company?

Level 12

Currently we use offbox SQL and SQL is our standard database environment.  We wouldn't want to run the database on our Poller (where we would install FSM) and we wouldn't want to install Firebird on our SQL server, which only leaves us the option to create a new dedicated Firebird server.  This dedicated server would require additional administration and would move away from our attempts to try and standardise on technologies to make administration simpler and more effective (which most of the Solarwinds suite help do very well).

Level 15

Makes sense.

Note that some current users consider the product as a desktop product and are happy to run the DB on the same desktop as the client.

FSM is not as intensive, DB-wise, as NCM, so the "desktop" approach certainly works in some environments.

But this probably works better if you don't have too many devices in the database and if you have only 1 or 2 users (i.e. clients) max, using the product.

Above that, having the DB on a dedicated DB server, probably makes more sense.

How many users would you typically have for such a product and how many devices (FWs and routers involved in security)?

Level 12

I'm yet to read into the detailed licensing of FWs vs FW policies as if its FWs it could be 10+ where as if its policies it could be less than 5 (everything being HA etc).  As for users in our organisation I would safely guess no more than 5 that would actively use it.

Level 15

FSM is licensed by number of "devices" that you import into the FSM inventory. Typically, you would import all firewalls (that FSM supports) and routers involved in security (that have NAT, ACL.. statements in their configs).

Note that the Packet Tracer feature looks at the routing tables of all routers that are on the path that you want to test. So those intermediary routers need to be imported as well, if you plan to use this feature.

As far as the price, you can go to the OnLine Quote page here

Level 9

Any plans to add Modern Juniper devices, AKA the SRX line of Firewalls?  NCM supports them.

SSG are on their way out of support.

Level 15

We definitely have thoughts about SRX.

What SRX series do you run? Are they all running the same v of JunOS?

Tks for Input.

Level 14

Great product!  We have many ASAs and our primary core firewalls are McAfee Firewall Enterprise appliances (MFE 1100e, 2150e, 4150e).  Please consider adding support for the MFEs. We could surely use it but without MFE support it will be a hard sell to our security group.

Level 12

Our biggest pain area has been overly permissive rules for which we do not have sufficient information to trim down. If the FSM can provide breakdown of the rule usage (based on syslogs) we can monitor for a certain period and remove unused accesses.

The next pain area would be excessive rule base, which can be broken down to smaller problems:

1. Duplicate rules

2. Shadowing rules

Also, there are some improvements to be made outside Firewall management (in terms of changing the topology such that so many rules need not be created on a single firewall)

Level 7

Hi All,

Is there any documentation of FSM said Hardware and Software Requirement for implementing FSM? If yes, please share to me.

thanks

Level 15

Yes there is, here

Level 15

Tks for input. Opened a requirement for MFE (170676).

Level 15

The first 3 use cases are well covered by the optimize/object rule cleanup function.

Can you elaborate on your last point. Feel free to contact me offline with that, if you have a few minutes to give an example.

Level 7

Thanks fcaron

Level 14

Thanks Francois.

Level 13

We use a mix of Juniper SSG/ISG Netscreen firewalls, and SRX running JUNOS 10.4r10.7.  We will soon start using Palo Alto firewalls, the "true" successor of the Netscreen Firewall.  They are expensive, however.  We currently use Nipper for this functionality.  How does your product differ?

Level 15

Tks for input.
Nipper is a configuration audit tool that looks at settings and security checks based on pattern matches against individual rules. It is very much like what NCM compliance checks are doing.

The limit of this approach is the same as what you can generally deduce by understanding the syntax but not the semantics.

Sure you can have some sophisticated syntax checks using regex (for ex), but at the end of the day, the product still does not understand what an ACL really does.

E.g. detecting that 2 ACLs are actually contradicting each other is virtually impossible with syntax-based systems.

FSM can detect redundant, conflicting ACLs and recommend the device console statement to use to clean your ACLs (it's called the "Cleanup" feature).

FSM also goes beyond just syntax checking, by understanding how ACL, Natting and Routing work together to affect traffic flow through the device (semantic level checks that take device behavior into account), and taking into account directionality of flow.

It also has the capability to analyze object groups.

FSM does allow customers to define their own checks, which I don't think Nipper can do.

FSM is actually a good complement of Nipper, in this regards.

NCM would be a good replacement for Nipper because:

- it also has syntax-based /  pattern matching capabilities

- offers tons of config management capabilities (download, upload, bulk-changes...)

- makes downloaded configs available for FSM , so you have only one system that talks to your devices, you build your repository of config in a single place...

Level 13

I would agree that NCM has the potential to be a replacement for Nipper, but is lacking default rule sets, especially for non-Cisco devices.  Building these rule sets is non-trivial. 

Level 15

I agree that creating new rules is usually non-trivial and can be time consuming.

Could you give examples of rule sets that NCM should have?

Are there any plans on adding support for McAfee Firewall Enterprise (Sidewinder) in the near future? Also, I see that Cisco IOS ver 15 isn't listed as being supported. Is that a typo or is support for 15 code still being worked on?

FSM sounds like it has some great, valuable features, but until it supports MFE and Cisco 15 code I won't be able to demo it...

Level 15

Both McAfee and IOS 15 are on the radar, but nothing confirmed (173262, 170676)

Thanks for input.

Level 8

Are there any plans to introduce Cisco Nexus support? The ACL syntax of the Nexus OS isn't that much different from IOS, so from a layman's point of view it would be easy to incorporate into the product.

Level 15

We have opened a req (179095).

Is Nexus support a nice to have or a must have for you, in the FSM context?

Thanks for your feedback.

Level 13

I don't use the product, but with Nexus quickly becoming the next standard platform for Cisco and Virtualization this is going to be a must.  The VM world is growing and the Virtual DataCenter is now a reality, so it was only a matter of time before virtual switching fully takes off and Nexus is adopted widespread like the Catalyst series of switches were.

I think it's safe to say that SolarWinds should consider having full implementation/support of the Nexus line of Cisco products.  Cisco is coming back in a huge way in switching as they collapse a lot of un-needed products and businesses.

They are the only company right now that is offering 250 ns (nanosecond) port to port speed for any workload, unicast/multicast, with any feature enabled.

Level 14

If we are going down this road, then we'd like Juniper EX Switch support as well as SRX support.  Since JUNOS is the same across all Juniper products, this should be a walk in the park

Level 13

Ya good point.  I can't see why the big platform providers wouldn't be naturally supported from the get go across all products.  Cisco, Juniper, Brocade, Huawei are widely used across the world, and should be naturally supported across all products.  I know there are a couple others, but I see these 4 products in almost every environment I have been in.

Level 15

Interesting view, thank you. Captured that.

Level 15

Thanks Richard.

The big candidates that we have at this point, for FSM are (in no particular order): Juniper SRX, Palo Alto, Fortinet, Watchguard, McAfee, SonicWall and SideWinder.

This is the first request that we have for Brocade and Huawei, again talking FSM here.

Level 13

Yup.. I kind of got off topic and went a bit broad talking about coverage across different products from SolarWinds.  Sorry about that.

I don't think Brocade for this matter has any reason to be a part of FSM (could be wrong since I only use Brocade switching for SANs but I don't think they offer firewall solutions), but Huawei on the other hand is big overseas, and would be good to support for your overseas customers in FSM as well as the other product suites.

That's a good list for the FSM that you have.  I would ask to add CheckPoint to that as well, and F5.  F5 is making a huge push into security. Their DataCenter firewall and WAF (Web Application Firewall) are both ICSA certified, and their DataCenter firewall blows almost everything out of the water in sheer throughput and concurrent connections it can handle.

Level 15

Thanks Richard.

Checkpoint is not on the list, because we support it already in FSM. This list is what we have as candidates for additional support.

Today, FSM supports this:

• Cisco Security Appliances: PIX, ASA up to 8.4 including 8.3, FWSM

• Cisco IOS routers: Version 12.0 to 12.14, excluding X* Series

• Juniper firewalls: Netscreen, SSG, ISG

• Check Point™ products: SmartCenter NG/NGX, Security Management R70

• Check Point™ platforms: SecurePlatform, Check Point IPSO (formerly Nokia), Crossbeam, Linux, Solaris

Level 13

Very nice!  Was unaware of the CheckPoint support already since I don't get to use the product currently, but that helps me give more information and reason to push for the product in my next budget meeting when I try to sell them on SEUM, Storage Manager, and VM Manager as well!

Good work!  Hopefully I can get them to let me engage in a POC for FSM.

Level 15

Great to hear. FSM has a free eval, does not take much to look at it, especially if you have NCM. Getting your configs in FSM from NCM is basically 2 clicks.

Level 13

Not so quick.  While Juniper will tell you JUNOS is JUNOS, that's not really true.  Many of the commands differ between platforms and versions.  Firewall rules and SFlow rules are very different between platforms.

Level 13

I spent a bunch of time with NCM 7.1 yesterday and today.  To really make compliance doable, you need a way to be able to import rules from a spreadsheet.  Not sure about the advanced search, but basic search would be easy to import from a CSV file.  Using the GUI is painful.  At the very least there needs to be a duplicate button to speed things up.

Level 14

<must resist taking bait>

smartd, I'm way past my days of debating things like this in forums.  I will say I learned on Cisco, last two jobs were Cisco.  My current job is Cisco and  now moving to Juniper for the exact reason I said, among others.

If switches are going to be included in FSM, I feel the EX line is the easiest to include.

Level 13

No debate here.  We are a Juniper shop.  Drives me crazy that Solarwinds is a Cisco first product.  We have over 100 EX 32 and EX42 switches, 5 EX8200s, over 100 SRX, 40 Netscreen firewalls, and 92 Trapeze/Juniper WXC controllers. 

I'm happy to say I pulled the plug on my last PIX years ago.  Good riddance. Use Netscreen on almost all perimeters since it handles Active/Passive clustering so well.

The focus of my comment is that SRX and EX configuration code is not alike.  Wish it was.  Also, Sflow implementation has evolved over Junos releases.  Getting it working has been trial and error for me.  Probably hasn't changed as much as IP-SLA has in Cisco, however. 🙂

Level 14

Ahh, the joys of reading text on a page and inferring the meaning.  I'm now adding you to my list of Juniper resources .

PM me if you have time with how the junos set commands are different.  We have EX switches and just deployed SRX firewalls, but I personally haven't done the SRX, so now I'm really curious.

Level 13

Only thing I wish, but isn't a deal breaker by any means... I wish JunOS wasn't Linux command based.  Now on the front of resources and memory management in their routers they are top notch and blow Cisco out of the water, but ease of configuration is something they lack and require a bit of knowledge of the Linux file system and structuring.

Juniper also doesn't oversubscribe as badly as Cisco more so in their PIX/ASA, but as I always say in regards to Cisco and firewalls.  The ASA is EOL and you haven't heard about a new Firewall taking its place from Cisco.. Why??  Should tell you really quick why to stay away from them at this point...

Level 8

Yes, Nexus is a must for us. All our ACLs live on our Nexus switches in the DC. So, without Nexus support the product is virtually useless for us. (Except maybe to manage the (very few) ACLs in our campus infrastructure.)

Level 15

Great exchange and very informative.

By the way, talking about SRX (and maybe EX moving forward), we need examples of configs for dev to assess the work, in case we decide to include SRX in the plan.

If anybody can help, please let me know.

Level 15

"The ASA is EOL and you haven't heard about a new Firewall taking its place from Cisco.."
I can't find any info on this, other than the 5500. Do you mean ASA or ACE?

Level 13

Ya, that's one broad statement and should have been a little clearer and not so narrow.

The ASA 5500 is EOL.  They are still putting out the 5500-X series of ASA, but are still running the older ASA features with just higher throughput, but still lack in NextGen features.  This is what I meant, as in no announcement of NextGen firewall features in the new line of ASA to compete with the likes of Palo-Alto/Checkpoint, and a few other new players.

Sorry to confuse and throw bold statements.

http://www.cisco.com/en/US/products/ps6120/prod_eol_notices_list.html

Level 15

No worries, thanks Richard.

BTW, the statement you made about Cisco not announcing a Next Gen firewalling tech, we keep hearing from Juniper SSG customers, who won't move to SRX because if they need to retrain their engineers, why not adopting state of the art (i.e. NG) firewalling tech from Palo Alto or SonicWall.

Level 12

As someone who is pretty comfortable with Cisco ASDM and CLI, I'd love to see this product dive more into the auditing and alerting areas.  The basic function is nice but it's hard to spend money for something I can already do for free, but it looks like you are heading in a good direction.

Level 15

Tks a lot for your feedback.

Keep in mind that what is highlighted above is just a subset of the main features; the product actually does more. It does not do too much in the alerting area (it's more an analytics tool), but it does quite a bit on the auditing side of things.

Would be great to have your feedback, based on the actual product eval and not only this blog post.

About the Author
Francois joined the SW product management team in Dec 2010. He has been in the network management space for about 15 years, first in a startup company, then in one of the big 4 and back to a human-size company. Despite his bizarre accent, he is a decent guy to talk to.