I am pleasantly surprised Solarwinds forayed in to Firewall management as well, which has been a big pain area for us. We have seen dozens of demos from various companies selling products dedicated for rules management. The feature list here covers almost everything that other dedicated players have got to offer.

But I am particularly skeptic about packet tracing (claims of understanding routing) but I want to try first and see...

Thanks for your comment thamizh85. Let us know how your test goes.

What are the most important features that you value in a product like this and your favorite use cases?

IOW, can you elaborate on the " big pain area"?

Thanks again

This is fantastic news and we've been waiting for this for some time .  Now we will just need to wait a bit longer as Juniper SRX firewalls don't appear to be supported?

No they are not, but there are talks. Would love your feedback on the product, even if what you can do in your env't will be limited due to SRX. No Juniper FW's in your network?

Just found out that MS SQL isnt supported which has stopped our trial in its steps Is there any plan to migrate to SQL from firebird?

Not at this time, but we'll take good note of this problem. 169709

Can you elaborate on why not supporting MS SQL is a blocker? The database under FSM is fairly transparent, does not require any particular care.

Is this a strict policy in your company?

Currently we use offbox SQL and SQL is our standard database environment.  We wouldnt want to run the database on our Poller (where we would install FSM) and we wouldnt want to install Firebird on our SQL server which only leaves us the option to create a new dedicated Firebird server.  This dedicated server would require additional administration and would move away from our attempts to try and standardise on technologies to make administration simpler and more effective (which most of the Solarwinds suite help do very well).

Makes sense.

Note that some current users consider the product as a desktop product and are happy to run the DB on the same desktop as the client.

FSM is not as intensive, DB-wise as NCM, so the "desktop" approach certainly works is some environments.

But this probably works better if you don't have too many devices in the database and if you have only 1 or 2 users (i.e. clients) max, using the product.

Above that, having the DB on a dedicated DB server, probably makes more sense.

How many users woul dyou typically have for such a product and how many devices (fw and routers involved in security)?

I'm yet to read into the detailed licensing of FWs vs FW policies as if its FWs it could be 10+ where as if its policies it could be less than 5 (everything being HA etc).  As for users in our organisation I would safely guess no more than 5 that would actively use it.

FSM is licensed by number of "devices" that you import into the FSM inventory. Typically, you would import all firewalls (that FSM supports) and routers involved in security (that have NAT, ACL.. statements in their configs).

Note that the Packet Tracer feature, looks at routing tables of all routers that are on the path that you want to test. So those intermediary routers needs to be imported as well, if you plan to use this feature.

As far as the price, you can go to the OnLine Quote page here

Any plans to add Modern Juniper devices, AKA the SRX line of Firewalls?  NCM supports them.

SSG are on their way out of support.

We definitely have thoughts about SRX.

What SRX series do you run? Are they all running the same v of JunOS?

Tks for Input.

Our biggest pain area has been overly permissive rules for which we do not have sufficient information to trim down. If the FSM can provide breakdown of the rule usage (based on syslogs) we can monitor for a certain period and remove unused accesses.

The next pain area would be excessive rule base, which can be broken down to smaller problems:

1. Duplicate rules

2. Shadowing rules

Also, there are some improvements to be made outside Firewall management (in terms of changing the topology such that so many rules need not be created on a single firewall)

Hi All,

Is there any documentation of FSM said Hardware and Software Requirement for implementing FSM? If yes, please share to me.

thanks

Yes there is, here

Tks for input. Opened a requirement for MFE (170676).

The first 3 use cases are well covered by the optimize/object rule cleanup function.

Can you elaborate on your last point. Feel free to contact me offline with that, if you have a few minutes to give an example.

Thanks fcaron

We use a mix of Juniper SSG/ISG Netscreen firewalls, and SRX running JUNOS 10.4r10.7.  We will soon start using Palo Alto firewalls, the "true" successor of the Netscreen Firewall.  They are expensive, however.  We currently use Nipper for this functionality.  How does your product differ?

Tks for input.
Nipper is a configuration audit tool that looks at settings and security checks based on pattern matches against individual rules. It is very much like what NCM compliance checks are doing.

The limit of this approach is the same as what you can generally deduct by understanding the syntax but not the semantics.

Sure you can have some sophisticated syntax checks using regex (for ex), but at the end of te day, the product still does not understand what an ACL really does.

E.g. detecting that 2 ACLs are actually contradicting each-other, is virtually impossible with syntax-based systems.

FSM can detect redundant, conflicting ACLs and recommend the device console statement to use to clean your ACLs (it's caklled the "Cleanup" feature.

FSM also goes beyond just syntax checking, by understanding how ACL, Natting and Routing work together to affect traffic flow through the device (semantic level checks that take device behavior into account), and taking into account directionality of flow.

It also has the capability to analyze object groups.

FSM does allow customers to define their own checks, which I don't think Nipper can do.

FSM is actually a good complement of Nipper, in this regards.

NCM would be a good replacement for Nipper because:

- it also has syntax-based /  pattern matching capabilities

- offers tons of config management capabilities (download, upload, bulk-changes...)

- makes downloaded configs available for FSM , so you have only one system that talks to your devices, you build your repository of config in a single place...

I would agree that NCM has the potential to be a replacement for Nipper, but is lacking default rule sets, especially for non-Cisco devices.  Building these rule sets is non-trivial. 

I agree that creating new rules is usually non-trivial and can be time consuming.

Could you give examples of rule sets that NCM should have?

Are there any plans on adding support for McAfee Firewall Enterprise (Sidewinder) in the near future? Also, I see that Cisco IOS ver 15 isn't listed as being supported. Is that a typo or is support for 15 code still being worked on?

FSM sounds like it has some great, valuable features, but until it supports MFE and Cisco 15 code I won't be able to demo it...

Both MacAfee and IOS 15 are on the radar, but nothing confirmed (173262, 170676)

Thanks for input.

Are there any plans to introduce Cisco Nexus support? The ACL syntax of the Nexus OS isn't that much different from IOS, so from a layman's point of view it would be easy to incorporate into the product.

We have opened a req (179095).

Is Nexus support a nice to have or a must have for you, in teh FSM context?

Thanks for your feedback.

I don't use the product, but with Nexus quickly becoming the next standard platform for Cisco and Virtualization this is going to be a must.  The VM worlds is growing and the Virtual DataCenter is now a reality, so it was only a matter of time before virtual switching fully takes off and Nexus is adopted wide spread like the Catalyst series of switches were.

I think it's safe to say that SolarWinds should consider having full implementation/support of the Nexus line of Cisco products.  Cisco is coming back in a huge way in switching as they collapse a lot of un-needed products and businesses.

They are the only company right now that is offering 250 ns (nano second) port to port speed for anywork load unicast/multicast with any feature enabled.

If we are going down this road, then we'd like Juniper EX Switch support as well as SRX support.  Since JUNOS is the same across all Juniper products, this should be a walk in the park

Ya good point.  I can't see why the big platform providers wouldn't be naturally supported from the get go across all products.  Cisco, Juniper, Brocade, Huawei are widely used across the world, and should be naturally supported across all products.  I know there are a couple others, but I see these 4 products in almost every environment I have been in.

Interesting view, thank you. Captured that.

Thanks Richard.

The big candidates that we have at this point, for FSM are (in no particular order): Juniper SRX, Palo Alto, Fortinet, Watchguard, MacAfee, SonicWall and SideWinder.

This is the first request that we have for Brocade and Huawei, again talking FSM here.

Yup.. I kind of got off topic and went a bit broad talking about coverage across different products from SolarWinds.  Sorry about that.

I don't think Brocade for this matter has any reason to be a part of FSM (could be wrong since I only use Brocade switching for SAN's but I don't think they offer FireWall solutions), but Huawei on the other hand is big overseas, and would be good to support for your overseas customers in FSM as well as the other product suites.

Thats a good list for the FSM that you have.  I would ask to add CheckPoint to that as well, and F5.  F5 is making a huge push into security. There DataCenter firewall and WAF (Web Application Firewall) are both are ICSA certified, and there DataCenter firewall blows almost everything out of the water in shear Throughput and concurrent connections it can handle.

Thanks Richard.

Checkpoint is not on the list, because we support it already in FSM. This list is what we have, as candidates for add'al support,.

Today, FSM supports this:

• Cisco Security Appliances: PIX, ASA up to 8.4 including 8.3, FWSM

• Cisco IOS routers: Version 12.0 to 12.14, excluding X* Series

• Juniper firewalls: Netscreen, SSG, ISG

• Check PointTM products: SmartCenter NG/NGX, Security Management R70

• Check PointTM platforms: SecurePlatform, Check Point IPSO (formerly Nokia), Crossbeam, Linux, Solaris

Very nice!  Was unaware of the CheckPoint support already since I don't get to use the product currently, but that helps me give more information and reason to push for the product in my next budget meeting when I try to sell them on SEUM, Storage Manager, and VM Manager as well!

Good work!  Hopefully I can get them to let me engage in a POC for FSM.

Great to hear. FSM has a free eval, does not take much to look at it, especially if you have NCM. Getting your configs in FSM from NCM is basically 2 clicks.

Not so quick.  While Juniper will tell you JUNOS is JUNOS, that's not really true.  Many of the commands differ between platforms and versions.  Firewall rules and SFlow rules are very different between platforms.

I spent a bunch of time with NCM 7.1 yesterday and today.  To really make compliance doable, you need a way to be able to import rules from a spreadsheet.  Not sure about the advanced search, but basic search would be easy to import from a CSV file.  Using the GUI is painful.  At the very least there need to be a duplicate button to speed things up. 

<must resist taking bait>

smartd, I'm way past my days of debating things like this in forums.  I will say I learned on Cisco, last two jobs were Cisco.  My current job is Cisco and  now moving to Juniper for the exact reason I said, among others.

If switches are going to be included in FSM, I feel the EX line is the easiest to include.

No debate here.  We are a Juniper shop.  Drives me crazy that Solarwinds is a Cisco first product.  We have over 100 EX 32 and EX42 switches, 5 EX8200s, over 100 SRX, 40 Netscreen firewalls, and 92 Trapeze/Juniper WXC controllers. 

I'm happy to say I pulled the plug on my last PIX years ago.  Good riddance. Use Netscreen on almost all perimeters since it handles Active/Passive clustering so well.

The focus of my comment is that SRX and EX configuration code is not alike.  Wish it was.  Also, Sflow implementation has evolved over Junos releases.  Getting it working has been trial and error for me.  Probably hasn't changed as much as IP-SLA has in Cisco, however. 🙂

Ahh, the joys of reading text on a page and inferring the meaning.  I'm now adding you to my list of Juniper resources .

PM me if you have time with how the junos set commands are different.  We have EX switches and just deployed SRX firewalls, but I personally haven't done the SRX, so now I'm really curious.

Only thing I wish, but isn't a deal breaker by anymeans... I wish JunOS wasn't Linux command based.  Now on there front of resources and memory management in their routers they are top notch and blow Cisco out of the water, but ease of configuration is something they lack and require a bit of knowledge of the Linux file system and structuring.

Juniper also doesn't oversubscribe as badly as Cisco more so in their PIX/ASA, but as I always say in regards to Cisco and firewalls.  The ASA is EOL and you haven't heard about a new Firewall taking its place from Cisco.. Why??  Should tell you really quick why to stay away from them at this point...

Yes, Nexus is a must for us. All our ACL's live on our Nexus switches in the DC. So, without Nexus support the product is virtually useless for us. (Except maybe to manage the (very few) ACL's in our campus infrastructure.

Great exchange and very informative.

By the way, talking about SRX (and mayve EX moving forward), we need examples of configs for dev to assess the work, in case we decide to include SRX in the plan.

If anybody can help, please let me know.

"The ASA is EOL and you haven't heard about a new Firewall taking its place from Cisco.."
I can't find any info on this, other than the 5500. Do you mean ASA or ACE?

Ya, thats one broad statement and should have been a little clearer and not so narrow.

The ASA 5500 is EOL.  They are still putting out the 5500-x series of ASA, but are still running the older ASA features with just higher throughput, but still lack in NextGen features.  This is what I meant as in no annoucement of NextGen firewall features in the new line of ASA to compete with the likes of Palo-Alto/Checkpoint, and a few other new players.

Sorry to confuse and throw bold statements.

http://www.cisco.com/en/US/products/ps6120/prod_eol_notices_list.html

No worries, thanks Richard.

BTW, the statement you made about Cisco not announcing a Next Gen firewalling tech, we keep hearing from Juniper SSG customers, who won't move to SRX because if they need to retrain their engineers, why not adopting state of the art (i.e. NG) firewalling tech from Palo Alto or SonicWall.

As someone who is pretty comfortable with cisco asdm and cli, id love to see this product dive more into the auditing and alerting areas.  The basic function is nice but its hard to spend money for something I can already do for free, but it looks like you are heading in a good direction.

Tks a lot for your feedback.

Keep in mid that what is highlighted above is just a subset of the main features, the product actually does more. It does not do too much in the alerting area (it's more an analytics tools), but it does quite a bit on the auditing side of things.

Would be great to have your feedback, based on the actual product eval and not only this blog post.